Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/19/2009
05:49 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Tippett: Use Application Logs To Catch Data Breaches

At CSI/SX, Verizon Business' Peter Tippett talks trends and lessons learned in data breaches

LAS VEGAS -- CSI/SX -- Given the nature of data breaches today, organizations are better off saving money and doing "lightweight" security testing across more of their infrastructure than conducting deep assessments across a few systems, Peter Tippett, vice president of innovation and technology for Verizon Business, told attendees at the Computer Security Institute (CSI) Security Exchange conference here this week.

And Tippett says application logs are the more effective way to monitor breaches than the traditional signature-based network devices like IDSes or even firewall logs: according to data from Verizon's second annual breach report, most attacks came out of the bad guys using stolen passwords. "Signature-based IDS doesn't work -- signatures tend not to happen [in these attacks]," Tippett said. "Most attacks are when the bad guy uses a legitimate password, and we put IDS on the critical machines, but the attack is on these non-critical machines that gets the [bad guy] to the critical machine."

It's those oft-forgotten machines that are more at risk, he said. "They don't attack critical machines. They attack the stupid machines no one pays attention to," Tippett said.

The number one attack method used in most breaches is the old standby, the stolen password, according to Verizon's data, followed by SQL injection and attacks that take advantage of improperly configured Access Control Lists (ACLs). While Web applications are a major attack vector, remote access via SSH, VNC, and PC-Anyware, is as well, Tippett said. "And we don't spend much on that" in security, he said.

Over 80 percent of the time, the application log data that Verizon Business gathers from its clients in its forensic investigations could have stopped an attack had the enterprise been watching those logs. "It turns out, of all the things that you could monitor -- IDS, firewall, etc. -- it's stronger to look at the application logs. 82 percent of the time we showed [the client's] management the log proof that [a breach occurred]. If they had seen that log [initially], it would've stopped it," Tippett said.

And two-thirds of the breaches last year involved stolen data records sitting on less-secure systems -- and the organization hadn't even known they were there. "You don't need to spend a million on data leakage protection. Stick a sniffer where the data should be and see where it goes," Tippett said. "Turn off vulnerability testing and do discovery testing" to locate sensitive data that could be exposed, he said. "That could take care of a significant proportion of data loss."

One-fourth of the breach cases were traced to an unknown network connection. "No one was paying attention," he said. "90 percent of all cases involve one of three unknowns: asset/data, connection, or user privileges."

Although targeted attacks accounted for 28 percent of the breaches in '08 (twice as many as last year), Tippett said most attacks were "opportunistic," and 74 percent came from the outside, not the feared insider attack. One-third were partner-related, he said: "That means people who had permission to use your systems."

Two-thirds of the cases involved hacking, and two-thirds didn't use malware at all, according to Verizon's data.

And the number of breach cases using a zero-day attack over the past five years: zero, Tippett said. "Not a single case that got anyone to the front page involved a vulnerability that was less than six months old," he said.

How long does it take cybercriminals to get in and take data out? According to Verizon's findings, the average is a little over one day. And in most cases, Tippett said, it took over an hour to get in and get the stolen data out of the victim organization.

Even more worrisome is how long it takes the victims to figure it out. More than 50 percent didn't discover their breach for several months, and then it takes them weeks to shut it down, Tippett said.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
10 Notable Security Acquisitions of 2019 (So Far)
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12865
PUBLISHED: 2019-06-17
In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command.
CVE-2017-10720
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi name. This application is installed o...
CVE-2017-10721
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has Telnet functionality enabled by default. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car ga...
CVE-2017-10722
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi password. This application is install...
CVE-2017-10723
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows it...