Welcome to Delicate template
Just another WordPress site

The Verizon Business RISK Team released a very interesting study early in June with detailed results and analysis from more than 500 forensic investigations it conducted over a four-year period (2004 to 2007). It claims that this study represents one-fourth of all publicly disclosed data breaches in that time frame. The report is chock full of statistics and percentages. The study examines the age-old question of IT risk-management: who is the largest threat source, insiders or outsiders?

The study weighs the impact of breaches (number of data records compromised) along with the frequency of threat source causing the breach. It also adds a third threat source to the mix: business partners, a sort of blended insider/outsider. One of the interesting results is that, using the classic risk equation (risk = likelihood * impact), business partners represent the greatest threat, followed closely by insiders.

The paper presents statistics but makes no blanket-conclusions on what to do about the problems, instead leaving that up to the individual organization (as it should). Everyone knows that monitoring the insider threat is difficult and time-consuming. It is somewhat easier to monitor business partners since they (should) have limited access via well-defined conduits. Given the results of this study, monitoring business partner interaction with the corporate network data sources may become the new fad in IT risk-management.

Brett Edgar

Brett Edgar

Brett is a Founder and the former Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

More Posts - Twitter

Legitimately bad

February 16th, 2008 | Posted by Dominic Schulte in Logs | Monitoring | Security - (0 Comments)

I have spent a fair amount of time over the last several months analyzing the Security Information Management (SIM) market to see how products like Arcsight[arcsight.com], QRadar[q1labs.com], SecureVue[eiqnetworks.com], and enVision[rsa.com], could benefit us (and our customers) as a Managed Security Service Provider (MSSP)[truedigitalsecurity.com]. I was intrigued, then, when I picked up the December issue of The ISSA Journal and saw an article entitled, “Logs Do Not Lie.”

While there are many advertised benefits to SIM solutions (log management, forensics, threat management, compliance, etc.), one of the take-aways I had from this article regarding the benefits of using a SIM solution was the idea that authorized activity is not always the same thing as safe or legitimate activity.

The two examples provided by the article to illustrate this point involve website mirroring and file transfers. Website mirroring looks a lot like regular web browsing, except it is usually complete (every page is visited) and the pages are viewed in rapid succession. Firewalls and web servers typically log traffic suspected of mirroring the site, but it is not usually treated as actionable information because it is so similar to legitimate activity. Website mirroring is interesting, however, because it could be a precursor to a phishing attack, especially if the source of the mirroring is not a regular client or is located in an interesting geographic region.

The file transfer example is related to Network Behavior Anomaly Detection (NBAD), a feature provided in one form or another by many SIM products. The idea with this illustration is that a given network user may routinely transfer information via external File Transfer Protocol (FTP) servers. If, however, this user’s typical exchanges are around 10K and a 600M exchange is identified, it is noteworthy and probably merits further investigation.

Both examples illustrate the value in collecting information from the various sources on your network (routers, firewalls, servers, IDSs, etc.) in order to analyze and report on that information. Judging by the customer lists on the SIM vendor websites, it would appear that there are quite a few organizations already seeking to take advantage of this information.

Dominic Schulte

Dominic Schulte

Dominic Schulte currently serves as the Managing Director of Security Services & Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.

More Posts