Robert Vamosi has a nice overview of two recent reports on his Defense in Depth blog, the first on data breaches and the second on identity theft. The interesting figures from both reports: 9/10 breaches could have been prevented by following best practices and 57% of identity thieves use the information to open new lines of credit (not too surprising).
A summary of the Verizon report on data breaches is available here while the entire report can be found here as a PDF. Likewise, a summary of the identity theft report can be found here and the full version here as a PDF.
Net/FSE has received coverage from IT Network World Canada posting it to their available downloads. And in regard to our not returning their call, yes we have returned their call (albeit a little late).
An article written by my partner Ben Uphoff has been published by (IN)SECURE Magazine. Scroll down to page 68 for the full text of the article.
Ben has done a great job of outlining what it takes to perform effective incident investigation using Net/FSE for in-depth alert analysis. I’d like to outline some of the snippets from the article that support the point that network intrusions, breaches and incidents are inevitable and the only way to perform proper incident investigation is to “keep it all.”
A core belief at Packet Analytics is that despite the best efforts of security vendors and practitioners, incidents are inevitable. There are simply too many threats and too many angles of attack. Technology on enterprise networks evolves so quickly that it is nearly impossible to keep up with the ever-changing threat landscape. For this reason, network breaches and security incidents must be seen as part of doing business in a connected world. Enterprises can mitigate the risk of a breach by following best practices and preparing a comprehensive incident response and recovery plan.
One challenge with working with network event data is that you can never be sure what event information is relevant until after the fact. For example, enterprises did not see value in storing DNS logs until DNS exfiltration attacks started appearing. With no historical log of DNS activity, those that fell victim to such attacks had no way of definitively knowing the extent of the data leakage resulting from the breach.
Contrary to the “keep it all” approach, SIMs try to reduce data volume at the collection points by aggregating similar events into statistical summaries that are then fed into the correlation engine, losing potentially valuable information in the process. Summaries are useful for the correlation engine but not for deep analysis of network events.
We look forward to starting a dialog on the “keep it all” strategy and how we can improve the effectiveness of security and network operations in performing Network Event Analysis. Please post a comment.
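To make the contrast between collection-point summaries and retained raw events concrete, here is an added example (not code from the article or from Net/FSE). The log lines, the placeholder domain `exfil.example` and the hex-label encoding are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample DNS query log: (timestamp, client IP, queried name).
# "exfil.example" is a placeholder domain, not an indicator from the article.
RAW_EVENTS = [
    ("2008-03-17T10:00:01", "10.0.0.5", "www.example.com"),
    ("2008-03-17T10:00:02", "10.0.0.7", "4a6f686e.exfil.example"),
    ("2008-03-17T10:00:03", "10.0.0.7", "536d697468.exfil.example"),
    ("2008-03-17T10:00:04", "10.0.0.5", "mail.example.com"),
    ("2008-03-17T10:00:05", "10.0.0.7", "34313131.exfil.example"),
    ("2008-03-17T10:00:09", "10.0.0.9", "www.exfil.example"),
]

def base_domain(qname):
    """Naive two-label base domain; adequate for the constructed sample."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def summarize(events):
    """Collection-point aggregation: one count per (client, base domain).
    The individual query names are discarded, as in a statistical summary."""
    return Counter((src, base_domain(q)) for _, src, q in events)

def exfil_extent(events, domain):
    """Investigation over raw events: per client, reassemble the data that
    was carried as a hex-encoded first label under the given domain.
    Heuristic: any label that is valid hex is treated as payload."""
    leaked = defaultdict(bytes)
    for _, src, qname in sorted(events):  # timestamp order
        name = qname.lower().rstrip(".")
        if not name.endswith("." + domain):
            continue
        label = name[: -len(domain) - 1].split(".")[0]
        try:
            chunk = bytes.fromhex(label)
        except ValueError:
            continue  # ordinary hostname such as "www", not encoded data
        leaked[src] += chunk
    return dict(leaked)

if __name__ == "__main__":
    print(summarize(RAW_EVENTS))                      # counts only
    print(exfil_extent(RAW_EVENTS, "exfil.example"))  # what actually left
```

The summary shows two clients querying the domain but cannot distinguish the one benign lookup from the three that carried data, nor say what was leaked; only the retained raw query names answer that.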
Montego Networks CTO John Peterson has an excellent writeup on enabling NetFlow for visibility into virtualized networks. I talk a lot about network visibility with flow data on BreachBytes, but up until now I was not aware of any company implementing NetFlow for virtual switches. Montego’s technology makes visible some of the “dark space” that had previously existed in networks using virtualization. This looks like promising technology to keep an eye on in the future.
Just when it started to seem that 2008 was going to be a better year than 2007 for data breaches, the Massachusetts Banking Association is notifying its members of a major data breach at an unnamed retailer. Boston Business Journal is reporting on the breach. According to the article, between 60 and 70 banks have been contacted by Visa and Mastercard. As of this time the retailer involved has not been named, although this is sure to change very soon. This smells of last year’s well-documented TJX breach and subsequent fallout. It remains to be seen if this story will pick up steam like TJX did, but if the retailer is a well-known company it could well be TJX2. From the article:
“The MBA estimates that hundreds of thousands of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected, and it is urging consumers to monitor their accounts,” the statement said.
We will follow up on this story as more details emerge.