Archive for the “Commentary” Category

An article written by my partner Ben Uphoff has been published by (IN)SECURE Magazine. Scroll down to page 68 for the full text of the article.

Ben has done a great job of outlining what it takes to perform effective incident investigation using Net/FSE for in-depth alert analysis. I’d like to outline some of the snippets from the article that support the point that network intrusions, breaches and incidents are inevitable and the only way to perform proper incident investigation is to “keep it all.”

A core belief at Packet Analytics is that despite the best efforts of security vendors and practitioners, incidents are inevitable. There are simply too many threats and too many angles of attack. Technology on enterprise networks evolves so quickly that it is nearly impossible to keep up with the ever-changing threat landscape. For this reason, network breaches and security incidents must be seen as part of doing business in a connected world. Enterprises can mitigate the risk of a breach by following best practices and preparing a comprehensive incident response and recovery plan.

One challenge of working with network event data is that you can never be sure which event information will be relevant until after the fact. For example, enterprises did not see value in storing DNS logs until DNS exfiltration attacks started appearing. With no historical log of DNS activity, those that fell victim to such attacks had no way of definitively knowing the extent of the data leakage resulting from the breach.

Contrary to the “keep it all” approach, SIMs try to reduce data volume at the collection points by aggregating similar events into statistical summaries that are then fed into the correlation engine, losing potentially valuable information in the process. Summaries are useful for the correlation engine but not for deep analysis of network events.
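The two preceding paragraphs make the “keep it all” argument in the abstract. As an added example (not code from the original post and not Net/FSE’s own software), the following Python script puts the DNS case side by side with the SIM-style summary. It assumes a simple whitespace-separated DNS query log format (timestamp, client IP, query name, query type), and the log lines, the client addresses and the suspect domain `exfil-example.test` are all constructed for the example. From the raw records an analyst can size a suspected exfiltration after the fact; from the aggregated per-client counts a SIM would keep, the query names needed for that question are already gone.

```python
"""
Added example: raw DNS records versus a SIM-style statistical summary.

Log format (an assumption for this example, not a Net/FSE format):
    <timestamp> <client-ip> <query-name> <query-type>
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample log: two clients, one of which sends hex-encoded labels
# under a suspect domain.  Everything here is made up for the example.
SAMPLE_DNS_LOG = """\
2008-03-01T10:00:01 10.0.0.5 www.example.com A
2008-03-01T10:00:02 10.0.0.5 mail.example.com A
2008-03-01T10:00:03 10.0.0.5 4a6f686e.exfil-example.test A
2008-03-01T10:00:04 10.0.0.5 20446f65.exfil-example.test A
2008-03-01T10:00:05 10.0.0.7 www.example.com A
2008-03-01T10:00:06 10.0.0.5 2c2031323334.exfil-example.test A
2008-03-01T10:00:07 10.0.0.7 ns1.example.com NS
"""


class DnsRecord(NamedTuple):
    ts: str
    client: str
    qname: str
    qtype: str


def parse_dns_log(text: str) -> List[DnsRecord]:
    """Parse the assumed four-field log format; blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, qname, qtype = fields
        records.append(DnsRecord(ts, client, qname.rstrip(".").lower(), qtype.upper()))
    return records


def sim_style_summary(records: List[DnsRecord]) -> Dict[Tuple[str, str], int]:
    """Aggregate the way a collection point would: event counts per (client, qtype).

    The query names are discarded here, which is exactly the information an
    exfiltration investigation needs later.
    """
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for rec in records:
        counts[(rec.client, rec.qtype)] += 1
    return dict(counts)


def exfil_extent(records: List[DnsRecord], suspect_domain: str) -> Dict[str, Dict[str, int]]:
    """From raw records, size the leak per client for queries under suspect_domain.

    Returns, per client, the number of queries and the number of characters
    carried in the labels below the suspect domain (an upper bound on the
    encoded payload).  This question cannot be answered from sim_style_summary().
    """
    suffix = "." + suspect_domain.lower()
    extent: Dict[str, Dict[str, int]] = defaultdict(lambda: {"queries": 0, "label_chars": 0})
    for rec in records:
        if not rec.qname.endswith(suffix):
            continue
        payload_labels = rec.qname[: -len(suffix)].replace(".", "")
        extent[rec.client]["queries"] += 1
        extent[rec.client]["label_chars"] += len(payload_labels)
    return dict(extent)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("SIM-style summary (no query names left):", sim_style_summary(recs))
    print("Extent from raw records:", exfil_extent(recs, "exfil-example.test"))
```

Run against the constructed log, the summary reports only that 10.0.0.5 issued five A queries, which is indistinguishable from ordinary browsing; the raw records show three queries to the suspect domain carrying 28 label characters, which is the kind of figure an incident report needs.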

We look forward to starting a dialog on the “keep it all” strategy and how we can improve the effectiveness of security and network operations in performing Network Event Analysis. Please post a comment.


Our company Packet Analytics will be exhibiting at the 2008 InfoSec World Conference & Expo. You can see live demonstrations of the Net/FSE software and there will be a drawing for an iPod Touch. If you will be attending the conference be sure to stop by booth 414 and say ‘Hi’ and enter the drawing!


A quote by Gartner analyst John Pescatore in a recent article in PC World points out a fact that is becoming more and more common and is of grave concern to security experts:

“…government-funded cyber espionage is minimal in comparison to that carried out by criminals motivated to steal information for financial gain.”

Cybercrimes are no longer fashionable pranks by teenage hackers to get their name in the paper. Cybercrime is now being driven by financial gain and in many cases is the result of organized crime. The San Jose Mercury News did an excellent three-part series called “Ghosts in the Browser” which highlighted the rise of organized crime, particularly overseas, in the cyberworld.

What makes this so scary?



Computer security is not a static field. Some people call it job security; others call it life with a beeper that always goes off at the wrong time. However, for such a dynamic field, the nature of the threats doesn’t seem to change that much. Back in the day, script kiddies earned their name, and most were only interested in defacing web sites. Today, the same attacks are coming from a much more educated group, working in unison, to obtain personal information or achieve monetary goals. To compound the issue, technology is always changing. Our users demand these technologies in the name of productivity (I hear a lot of the world’s major issues have been solved with BitTorrent), but early adopters usually get rewarded with the latest zero-day attack. The one thing that hasn’t seemed to advance is the savvy of our end users. Phishing and email scams continue to grow because they continue to work.

