Sensage Blogs


Archive for May, 2011

Balancing digital lifestyles, necessary law enforcement and personal privacy

Posted: May 26, 2011 at 4:06 pm | by Joe Gottlieb

Around the world, we see increasing requirements for communications service providers to maintain and provide intelligence about their users. Yesterday, a bill was introduced in the U.S. House of Representatives that would require Internet service providers to retain subscriber IP address information for up to eighteen months. The stated goal of this legislation is to assist federal law enforcement in investigations into online child pornography and child exploitation cases. This is certainly a worthwhile endeavor, but the same effort could also be leveraged to assist in cyber-crime and cyber-terrorism cases.

The European Union has had this form of legislation in place since 2006 (Directive 2006/24/EC), and SenSage has helped more than twenty service providers comply with it by storing call detail record (CDR) data for up to two years as required by law. These systems have profoundly reduced the turnaround time for subpoenaed data pertinent to cyber-crime and cyber-terrorism investigations, in some cases from months to minutes or even seconds. What was a best-effort process with unpredictable results is now a proven process that law enforcement can anticipate and leverage in the context of its established checks and balances, such as the subpoena process.

For the largest service providers, this means collecting billions of CDRs per day, managing petabyte-level data stores and processing thousands of queries per month with specific response time requirements. This is no small feat and leverages patented technology from SenSage, but in most cases the companies were keeping this data anyway and are now better organized in the way that they manage it.

Meanwhile, society benefits as the digital age rockets forward and law enforcement keeps pace…without slowing it down.

The newly pending legislation in the U.S. is an encouraging step towards achieving a better balance between digital lifestyles, necessary law enforcement and personal privacy. The U.S. can learn from the example set by the EU…perhaps even leapfrog it!

Attacks Faster and Discovery Slower Relative to Last Year

Posted: May 20, 2011 at 6:34 am | by Joe Gottlieb

In reading the Verizon Business 2011 DBIR, one point stands out for me: relative to last year’s report, attacks are happening faster (point of entry to compromise) and attack recognition is slower (compromise to discovery).

[Chart: 2011 Verizon Business Data Breach Investigations Report]

This is yet another reminder that proactive log analysis is an under-utilized weapon in the fight against data breaches. Real-time consoles are great and represent an important part of any effective SIEM solution. But all of the gray area in the chart above denotes activity that is happening beyond the focus of most real-time consoles: plenty of attacks take days, weeks or years to compromise our defenses, and that means a broader and deeper log management and review process can help us prevent, contain and/or more quickly discover any given breach.

Zooming in on attack timing from the 2011 report, we see that 44% of the attacks took days from point of entry to compromise. In these cases, daily log data exception filtering and alerts would improve prevention, containment and discovery effectiveness. 9% of the attacks took weeks or months; in these cases, even weekly exception filtering and report reviews would improve prevention, containment and discovery effectiveness.

Zooming in on discovery timing from the 2011 report, we see that only 4% of the breaches were discovered in minutes or hours while 96% took days, weeks, months or years. Zooming in further, 38% took weeks and 36% took years to discover! Clearly, even weekly log analysis could have helped these companies to discover their breach and either contain it or at least begin the damage control process in a timely fashion.

We all know that enterprise-wide log collection, storage, filtering and analysis can be challenging. But the evidence continues to suggest that proactive efforts in this area can significantly reduce IT security risks. In a domain that requires us to depend upon many intangible technologies (best effort algorithms) and skills (craft), proactive log analysis represents a very tangible effort/reward proposition.
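As an added illustration of the daily versus weekly exception filtering argued for above (example code written for this page, not SenSage's product or anything from the DBIR), the script below runs a simple baseline check over a constructed log feed at a chosen review cadence. The log format, host names, event name and the z-score threshold are all assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

def parse_daily_counts(lines, event):
    """{host: {date: count}} for lines 'YYYY-MM-DD host event' matching event."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the review
        day, host, ev = parts
        if ev == event:
            counts[host][date.fromisoformat(day)] += 1
    return counts

def aggregate(day_counts, days_per_bucket):
    """Roll daily counts into fixed windows: 1 = daily review, 7 = weekly."""
    first = min(day_counts)
    buckets = defaultdict(int)
    for d, n in day_counts.items():
        buckets[(d - first).days // days_per_bucket] += n
    return buckets

def exceptions(buckets, min_history=3, z=3.0):
    """Flag windows whose count exceeds mean + z*stdev of all earlier windows.
    The stdev floor of 1 keeps a flat baseline from flagging every +1 change."""
    flagged, keys = [], sorted(buckets)
    for i, k in enumerate(keys):
        history = [buckets[x] for x in keys[:i]]
        if len(history) < min_history:
            continue  # not enough baseline yet to judge this window
        mu, sigma = mean(history), pstdev(history)
        if buckets[k] > mu + z * max(sigma, 1.0):
            flagged.append((k, buckets[k], mu))  # (window, count, baseline)
    return flagged

def review(lines, event, days_per_bucket):
    """Exception-filter one event type per host at the chosen review cadence."""
    return {host: exceptions(aggregate(dc, days_per_bucket))
            for host, dc in parse_daily_counts(lines, event).items()}

def constructed_log():
    """Constructed feed: a one-day burst on vpn-gw (May 8), slow rise on mail."""
    lines = []
    for day in range(1, 29):
        d = f"2011-05-{day:02d}"
        lines += [f"{d} vpn-gw auth_fail"] * (30 if day == 8 else 2)
        lines += [f"{d} mail auth_fail"] * (3 if day >= 22 else 1)
    return lines
```

Run daily, the burst on vpn-gw is flagged while the slow rise on mail stays under the threshold; run weekly, the mail rise is flagged instead, which is the cadence point the post makes.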

Data Breach Report Continues to Highlight Weak Log Management Technologies and Practices

Posted: May 3, 2011 at 1:32 pm | by Joe Gottlieb

Verizon Business recently published its 2011 Data Breach Investigations Report (DBIR) and I am once again stunned by the apparent correlation between getting breached and myopic log management:

  • 69% of the breaches had log evidence available for forensics
  • <1% of the breaches were discovered by internal log analysis and/or review

The report makes a halfhearted attempt to look on the bright side: “…discovery through log analysis and review has dwindled down to 0%…so the good news is that things are only looking up from here.” CEOs reading this will not be amused, particularly if they are among the 86% of breached companies whose internal efforts failed and were notified of the breach by a third party.

When I force myself to think about what choices could lead to this miserable outcome, I come up with three types of companies:

  • Type 1 companies don’t read these reports and therefore have no clue that they can help themselves (not a great place to be)
  • Type 2 companies have deployed log management products and commit real resources to log analysis, but simply haven’t succeeded in this effort (a better place to be, but not great)
  • Type 3 companies read these reports, know that they can help themselves, but have failed to act (probably the worst place to be)

If you are a Type 1 or if you know one, perhaps this latest report and my humble rant will help you and yours open your eyes to the reality of modern day threats, the realities of imperfect security and the necessity of log management and analysis as a compensating control. If you are a Type 2, you should challenge your log management vendor to help you succeed. Chances are, you are struggling with a log management technology that lacks flexibility to include all relevant sources, scalability to store all of the relevant data for extended periods of time, and analytical strength to help your finite staff automate exception filtering. If you are a Type 3, I can’t help you yet, but perhaps I will read more about you in the next DBIR.