Sensage Blogs


Citibank’s Breach – Textbook Damage Control

Posted: June 9, 2011 at 9:54 am | by Joe Gottlieb

Full disclosure: I am still coming up to speed on this. As the news was breaking this morning I received a tweet from Dark Reading behind which was a great summary of what’s known so far. Based on what I know so far, I would say that Citibank demonstrated some great practices in dealing with this breach.

First – Citibank was aware of the problem and came forward with a proactive message before some other source could expose them and create an immediate cycle of reactive statements and backpedaling. When you come forward on your own, you set the tone for the entire story.

Second – Citibank had facts and disclosed them effectively. They were able to state that sensitive information was not breached (no social security numbers, dates of birth, card expiration dates or card security codes (CVV) were compromised). They put the size of the breach in perspective, taking the potentially high impact of a 200,000-account breach and minimizing it by declaring that it represents only 1% of their North American accounts. Translation: Citibank is huge, we serve lots of customers, and this breach impacted only a tiny portion of those customers.

Third – Citibank noted that routine monitoring of their systems identified the breach so that they could take immediate action. This is the sort of proactive monitoring that I’ve been talking about. Citibank is not a client of SenSage, but that won’t prevent me from recognizing their effective practices in this domain :) But seriously, this “self discovery” and the way it was disclosed (with the credibility of detailed facts) is critical because it gives us consumers more confidence that Citibank really was using the time between breach and disclosure to understand what was going on, minimize the impact and shift to open communication when the time was right for all parties.

Fourth – Citibank supplied guidance on how to be on the alert for phishing attacks looking to exploit this event with or without actual compromised data. They also made it clear that they are contacting impacted customers and undoubtedly are supplying the usual post-breach benefits such as credit monitoring. This last part is the most mundane and easiest to get right, but it’s only appreciated if you’ve done the harder stuff beforehand as noted above.

Breaches are not good. But there’s a right way and a wrong way to handle them. Citibank executed a pretty textbook response, if you ask me. And in this day, when breaches are raining down on us almost daily, Citibank could actually gain from this event over time.



Balancing digital lifestyles, necessary law enforcement and personal privacy

Posted: May 26, 2011 at 4:06 pm | by Joe Gottlieb

Around the world, we see increasing requirements for communications service providers to maintain and provide intelligence about their users. Yesterday, a bill was introduced in the U.S. House of Representatives that would require Internet service providers to retain subscriber IP address information for up to eighteen months. The stated goal of this legislation is to assist federal law enforcement in investigations into online child pornography and child exploitation cases. This is certainly a worthwhile endeavor, but the same effort could also be leveraged to assist in cyber-crime and cyber-terrorism cases.

The European Union has had this form of legislation in place since 2006 (Directive 2006/24/EC), and SenSage has helped more than twenty service providers comply with it by storing call detail record (CDR) data for up to two years as required by law. These systems have profoundly reduced the turnaround time for subpoenaed data pertinent to cyber-crime and cyber-terrorism investigations, in some cases from months to minutes or even seconds. What was a best-effort process with unpredictable results is now a proven process that law enforcement can anticipate and leverage in the context of its established checks and balances, such as the subpoena process.

For the largest service providers, this means collecting billions of CDRs per day, managing petabyte-level data stores and processing thousands of queries per month with specific response time requirements. This is no small feat and leverages patented technology from SenSage, but in most cases the companies were keeping this data anyway and are now better organized in the way that they manage it.

Meanwhile, society benefits as the digital age rockets forward and law enforcement keeps pace…without slowing it down.

The newly pending legislation in the U.S. is an encouraging step towards achieving a better balance between digital lifestyles, necessary law enforcement and personal privacy. The U.S. can learn from the example set by the EU…perhaps even leapfrog it!



Attacks Faster and Discovery Slower Relative to Last Year

Posted: May 20, 2011 at 6:34 am | by Joe Gottlieb

In reading the Verizon Business 2011 DBIR, one point stands out for me: relative to last year’s report, attacks are happening faster (point of entry to compromise) and attack recognition is slower (compromise to discovery).

Figure: 2011 Verizon Business Data Breach Investigations Report

This is yet another reminder that proactive log analysis is an under-utilized weapon in the fight against data breaches. Real-time consoles are great and represent an important part of any effective SIEM solution. But all of the gray area in the chart above denotes activity that is happening beyond the focus of most real-time consoles. In other words, there are plenty of attacks that take days, weeks or years to compromise our defenses, and that means a broader and deeper log management and review process can help us prevent, contain and/or more quickly discover any given breach.

Zooming in on attack timing from the 2011 report, we see that 44% of the attacks took days from point of entry to compromise. In these cases, daily log data exception filtering and alerts would improve prevention, containment and discovery effectiveness. 9% of the attacks took weeks or months; in these cases, even weekly exception filtering and report reviews would improve prevention, containment and discovery effectiveness.

Zooming in on discovery timing from the 2011 report, we see that only 4% of the breaches were discovered in minutes or hours while 96% took days, weeks, months or years. Zooming in further, 38% took weeks and 36% took years to discover! Clearly, even weekly log analysis could have helped these companies to discover their breach and either contain it or at least begin the damage control process in a timely fashion.
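As an added illustration of the daily or weekly exception filtering argued for above (example code written for this page, not from the post or from SenSage’s products), the script below builds a baseline of which hosts each user normally authenticates from, then reports only the review-window events the baseline does not explain, grouped by day. All log lines, user names and host names are constructed samples.

```python
"""Batch 'exception filtering' over authentication logs: build a baseline of
(user, source host) pairs from a prior period, then report only review-window
events outside it. All log lines and host names are constructed samples."""
from collections import defaultdict
from datetime import datetime

# Constructed baseline period: "timestamp user source_host result"
BASELINE_LOG = """\
2011-04-01T08:02:11 alice ws-alice OK
2011-04-01T08:10:45 bob ws-bob OK
2011-04-02T09:01:03 alice ws-alice OK
2011-04-03T17:55:20 bob ws-bob OK
2011-04-04T08:00:59 carol ws-carol OK
"""

# Constructed review window: bob's account appears on unfamiliar hosts at night
REVIEW_LOG = """\
2011-04-11T08:01:10 alice ws-alice OK
2011-04-11T23:14:02 bob vpn-gw-7 OK
2011-04-12T08:05:41 bob ws-bob OK
2011-04-12T23:40:19 bob db-srv-2 OK
2011-04-13T02:12:57 bob db-srv-2 OK
2011-04-13T08:09:00 carol ws-carol OK
"""

def parse(log):
    for line in log.splitlines():
        ts, user, host, result = line.split()
        yield datetime.fromisoformat(ts), user, host, result

def build_baseline(log):
    """Hosts each user normally authenticates from."""
    known = defaultdict(set)
    for _, user, host, _ in parse(log):
        known[user].add(host)
    return known

def exceptions(review_log, baseline, day_start=7, day_end=19):
    """Review-window events the baseline does not explain, grouped by day,
    so a daily or weekly review reads only the residue."""
    by_day = defaultdict(list)
    for ts, user, host, _ in parse(review_log):
        reasons = []
        if host not in baseline.get(user, set()):
            reasons.append("new host for user")
        if not day_start <= ts.hour < day_end:
            reasons.append("outside business hours")
        if reasons:
            by_day[ts.date().isoformat()].append((ts.isoformat(), user, host, reasons))
    return dict(by_day)
```

Run daily, each day’s residue is a handful of lines instead of the full log; run weekly, the same three-day pattern for one account is still visible in one report.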

We all know that enterprise-wide log collection, storage, filtering and analysis can be challenging. But the evidence continues to suggest that proactive efforts in this area can significantly reduce IT security risks. In a domain that requires us to depend upon many intangible technologies (best effort algorithms) and skills (craft), proactive log analysis represents a very tangible effort/reward proposition.



Data Breach Report Continues to Highlight Weak Log Management Technologies and Practices

Posted: May 3, 2011 at 1:32 pm | by Joe Gottlieb

Verizon Business recently published its 2011 Data Breach Investigations Report (DBIR) and I am once again stunned by the apparent correlation between getting breached and myopic log management:

  • 69% of the breaches had log evidence available for forensics
  • <1% of the breaches were discovered by internal log analysis and/or review

The report makes a halfhearted attempt to look on the bright side: “…discovery through log analysis and review has dwindled down to 0%…so the good news is that things are only looking up from here.” CEOs reading this will not be amused, particularly if they are among the 86% of breached companies whose internal efforts failed and were notified of the breach by a third party.

When I force myself to think about what choices could lead to this miserable outcome, I come up with three types of companies:

  • Type 1 companies don’t read these reports and therefore have no clue that they can help themselves (not a great place to be)
  • Type 2 companies have deployed log management products and commit real resources to log analysis, but simply haven’t succeeded in this effort (a better place to be, but not great)
  • Type 3 companies read these reports, know that they can help themselves, but have failed to act (probably the worst place to be)

If you are a Type 1 or if you know one, perhaps this latest report and my humble rant will help you and yours open your eyes to the reality of modern-day threats, the realities of imperfect security and the necessity of log management and analysis as a compensating control. If you are a Type 2, you should challenge your log management vendor to help you succeed. Chances are, you are struggling with a log management technology that lacks the flexibility to include all relevant sources, the scalability to store all of the relevant data for extended periods of time, and the analytical strength to help your finite staff automate exception filtering. If you are a Type 3, I can’t help you yet, but perhaps I will read more about you in the next DBIR.



Forecast for Log Management in the Cloud

Posted: February 23, 2011 at 2:55 pm | by Joe Gottlieb

There was much talk about cloud security at the RSA Conference last week. On multiple occasions, I was asked for my opinions about log management in the cloud, so I thought I would repeat my replies here. Note that I see log management in the cloud as more of an outsourcing decision than a technology decision. Overall, I see cloud-based log management services on the rise, but with a few key qualifiers that impact the forecast ahead.

The Choice Comes Down to Personality.
Just as we’ve seen with general outsourcing trends over the years, the companies that are willing to outsource log management are those that have an outsourcing personality type…willing to jettison anything that fails the “core versus context” test. While initiatives related to security have tended to be seen as “sensitive context” and therefore tend to stay in house, tight capital budgets and staffing resources have driven more companies to consider outsourcing log management. On the other side of the coin, I do not see many proactive security organizations outsourcing log management because for them, log management, exception reporting and security data analysis are core to their business or government missions.

The Choice May Be a Short-sighted One.
Some organizations see log management outsourcing as an opportunity to avoid non-compliance risks, hoping to blame the outsourcing provider as a first line of defense in dealing with lapses. This is obviously a short-sighted approach, but it happens and may in some cases deliver the intended benefits.

Outsourcing Works Best in a Vertical Context.
This principle often trumps the first two and creates a situation that makes outsourcing superior to insourcing, even for security functions. This is particularly true in the defense industry, where information access policies (e.g., Unclassified, Classified, Secret, Top Secret) and other control structures (e.g., mission, branch, command) are well established, and where defense integrators have established the individual skill sets and large-scale project management competencies necessary for success. We have also seen this in the health care market, where we have partnered with Cerner to embed our log management, audit and compliance reporting capabilities into their health care IT platform Millennium.

More in the U.S., Less in Europe.
In the U.S., we’ve seen a gradual but persistent warming to the thought of handing security data over to security service providers. Not so much in Europe, where privacy concerns and regulatory obligations make this proposition less attractive. Since the primary drivers in the U.S. are also present in Europe (e.g., compliance mandates amidst staffing and budget pressures), it will be interesting to see if the tendencies shift over time.

In summary, log management in the cloud can make sense in the right situations. Make sure the technology behind your service provider can scale to meet your needs and keeps your data separate from other customers’ data. You should also make sure that the technology will help the service provider reduce costs via data compression and storage optimization, because these advantages will help keep your provider in business or reduce the cost of the service or both. Finally, make sure that you will get standard and custom reports, the latter being delivered via a direct interface of your own. Of course, all of these requirements are satisfied by SenSage SIEM and Log Management solutions for managed security service providers. If you’d like to learn more, send us a note.


