In the wake of major corporate data breaches at giants like Target and UPS, it is clear that any business processing electronic transactions is at risk, no matter how big or small it is. The Backoff malware used to compromise point-of-sale systems and extract customer information exploits maintenance software and takes control of privileged accounts, thus establishing a point of infiltration.
Think of the 1999 film “Entrapment,” starring Sean Connery and Catherine Zeta-Jones: “Why rob the penthouse when the mailroom is on the ground floor?” Obviously this is an oversimplification of the attack, but one fact remains: the whole thing relies on taking advantage of a less-secure third party and compromising a privileged account. This is where it gets interesting. Privileged account activity monitoring is the original use case for machine data management and probably the most common example used to illustrate its basics.
Reduce Data Breaches
So how could these titans have avoided all this trouble? Too much trust was placed in third-party entities. Troy Leach, chief technology officer of the PCI Council, said, “recent research has shown that 65 percent of all data breaches involve a third party.” The difficulty lies in the nature of the attack, which is perpetrated using valid credentials over what appear to be valid connections. A common mistake is to gloss over what is allowed and focus only on what is denied. If you end up in this situation, the best way to detect misuse is to track access times and session durations and compare them to the maintenance schedule. Then, assuming the attacker’s software is educated enough to connect only during those times, you must add controls around source and destination connections. Finally, as a safety net, record and baseline the amount of data transferred in a given session and look for deviations from the norm.
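The three checks just described, run over a handful of session records, as an added example that is not code from the original post. The log format, the maintenance window, the source/destination allow-list and the baseline byte counts are all constructed assumptions; the point is that a session using valid credentials is judged on when it ran, where it came from and went, and how much it moved.

```python
"""Flag privileged maintenance sessions that fall outside the maintenance
window, use an unexpected source/destination pair, or transfer far more
data than the historical baseline.  Added example; all values are assumed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, time
from statistics import mean, pstdev


@dataclass
class Session:
    account: str
    start: datetime
    minutes: int
    src: str
    dst: str
    bytes_out: int

    @property
    def end(self):
        return self.start + timedelta(minutes=self.minutes)


# Hypothetical maintenance schedule: the vendor account may connect 02:00-04:00.
MAINTENANCE_WINDOWS = {"svc_vendor": (time(2, 0), time(4, 0))}
# Hypothetical allow-list of (source, destination) pairs per privileged account.
ALLOWED_PATHS = {"svc_vendor": {("203.0.113.10", "pos-mgmt-01")}}
# Constructed byte counts from earlier legitimate sessions, used as the baseline.
BASELINE_BYTES = [4_000_000, 4_200_000, 3_900_000, 4_100_000, 4_300_000]

# Constructed session log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = [
    "2014-08-01T02:15:00 account=svc_vendor src=203.0.113.10 dst=pos-mgmt-01 minutes=35 bytes=4200000",
    "2014-08-02T14:05:00 account=svc_vendor src=203.0.113.10 dst=pos-mgmt-01 minutes=20 bytes=4100000",
    "2014-08-03T02:30:00 account=svc_vendor src=198.51.100.77 dst=pos-mgmt-01 minutes=30 bytes=4000000",
    "2014-08-04T02:10:00 account=svc_vendor src=203.0.113.10 dst=pos-mgmt-01 minutes=150 bytes=48000000",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one constructed log line into a Session."""
    ts, rest = line.split(" ", 1)
    kv = dict(_KV.findall(rest))
    return Session(kv["account"], datetime.fromisoformat(ts), int(kv["minutes"]),
                   kv["src"], kv["dst"], int(kv["bytes"]))


def byte_threshold(baseline, k=3.0):
    """Mean plus k standard deviations of the baseline transfer sizes."""
    return mean(baseline) + k * pstdev(baseline)


def check_session(s, baseline):
    """Return the list of reasons a session looks anomalous (empty if clean)."""
    findings = []
    window = MAINTENANCE_WINDOWS.get(s.account)
    if window is None:
        findings.append("no maintenance window defined for account")
    else:
        start_ok = window[0] <= s.start.time() <= window[1]
        # The session must also finish inside the window, on the same day.
        end_ok = s.end.date() == s.start.date() and window[0] <= s.end.time() <= window[1]
        if not start_ok:
            findings.append("session started outside maintenance window")
        elif not end_ok:
            findings.append("session ran past the end of the maintenance window")
    if (s.src, s.dst) not in ALLOWED_PATHS.get(s.account, set()):
        findings.append("unexpected source/destination pair")
    if s.bytes_out > byte_threshold(baseline):
        findings.append("data transferred far exceeds baseline")
    return findings


def analyze(lines, baseline=BASELINE_BYTES):
    """Return [(line_index, findings)] for every session with at least one finding."""
    report = []
    for i, line in enumerate(lines):
        findings = check_session(parse_line(line), baseline)
        if findings:
            report.append((i, findings))
    return report


if __name__ == "__main__":
    for idx, reasons in analyze(SAMPLE_LOG):
        print(f"line {idx}: {'; '.join(reasons)}")
```

The first session is clean on all three checks; the second runs at 14:05, the third comes from an address not on the allow-list, and the fourth both overruns the window and moves roughly ten times the baseline volume. Keying the window and allow-list on the account, rather than on the host, is what lets the same logic cover every third party that holds a privileged credential.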
Visual Analytics and Advanced Statistics Key in Preventing Breaches
These measures sound simple on their own, but doing all of them at the same time is the hard part. From a purely security standpoint, traditional security information and event management (SIEM) tools struggle with “low and slow” attacks: they simply can’t evaluate data over long enough periods, and they lack visibility into the known unknowns. Machine data management platforms are better at this, but they lack advanced statistical analytic capabilities, and their visual analytics are basic at best.
The answer lies in a solution with the following attributes:
- A platform design that allows for the centralization of all data
- The ability to query, correlate, manipulate, and serve data
- Capabilities to add business and operational context in real time
- Functionality to apply visual analytics and advanced statistics
In order to close the loop, you must combine these capabilities with the right data: machine data, performance metrics, network utilization, protocol information, and configuration data.