Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/19/2009
05:49 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Tippett: Use Application Logs To Catch Data Breaches

At CSI/SX, Verizon Business' Peter Tippett talks trends and lessons learned in data breaches

LAS VEGAS -- CSI/SX -- Given the nature of data breaches today, organizations are better off saving money and doing "lightweight" security testing across more of their infrastructure than conducting deep assessments across a few systems, Peter Tippett, vice president of innovation and technology for Verizon Business, told attendees at the Computer Security Institute (CSI) Security Exchange conference here this week.

And Tippett says application logs are the more effective way to monitor breaches than the traditional signature-based network devices like IDSes or even firewall logs: according to data from Verizon's second annual breach report, most attacks came out of the bad guys using stolen passwords. "Signature-based IDS doesn't work -- signatures tend not to happen [in these attacks]," Tippett said. "Most attacks are when the bad guy uses a legitimate password, and we put IDS on the critical machines, but the attack is on these non-critical machines that gets the [bad guy] to the critical machine."

It's those oft-forgotten machines that are more at risk, he said. "They don't attack critical machines. They attack the stupid machines no one pays attention to," Tippett said.

The number one attack method used in most breaches is the old standby, the stolen password, according to Verizon's data, followed by SQL injection and attacks that take advantage of improperly configured Access Control Lists (ACLs). While Web applications are a major attack vector, remote access via SSH, VNC, and PC-Anyware, is as well, Tippett said. "And we don't spend much on that" in security, he said.

Over 80 percent of the time, the application log data that Verizon Business gathers from its clients in its forensic investigations could have stopped an attack had the enterprise been watching those logs. "It turns out, of all the things that you could monitor -- IDS, firewall, etc. -- it's stronger to look at the application logs. 82 percent of the time we showed [the client's] management the log proof that [a breach occurred]. If they had seen that log [initially], it would've stopped it," Tippett said.

And two-thirds of the breaches last year involved stolen data records sitting on less-secure systems -- and the organization hadn't even known they were there. "You don't need to spend a million on data leakage protection. Stick a sniffer where the data should be and see where it goes," Tippett said. "Turn off vulnerability testing and do discovery testing" to locate sensitive data that could be exposed, he said. "That could take care of a significant proportion of data loss."

One-fourth of the breach cases were traced to an unknown network connection. "No one was paying attention," he said. "90 percent of all cases involve one of three unknowns: asset/data, connection, or user privileges."

Although targeted attacks accounted for 28 percent of the breaches in '08 (twice as many as last year), Tippett said most attacks were "opportunistic," and 74 percent came from the outside, not the feared insider attack. One-third were partner-related, he said: "That means people who had permission to use your systems."

Two-thirds of the cases involved hacking, and two-thirds didn't use malware at all, according to Verizon's data.

And the number of breach cases using a zero-day attack over the past five years: zero, Tippett said. "Not a single case that got anyone to the front page involved a vulnerability that was less than six months old," he said.

How long does it take cybercriminals to get in and take data out? According to Verizon's findings, the average is a little over one day. And in most cases, Tippett said, it took over an hour to get in and get the stolen data out of the victim organization.

Even more worrisome is how long it takes the victims to figure it out. More than 50 percent didn't discover their breach for several months, and then it takes them weeks to shut it down, Tippett said.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18923
PUBLISHED: 2019-11-13
Insufficient content type validation of proxied resources in go-camo before 2.1.1 allows a remote attacker to serve arbitrary content from go-camo's origin.
CVE-2010-4664
PUBLISHED: 2019-11-13
In ConsoleKit before 0.4.2, an intended security policy restriction bypass was found. This flaw allows an authenticated system user to escalate their privileges by initiating a remote VNC session.
CVE-2010-4817
PUBLISHED: 2019-11-13
pithos before 0.3.5 allows overwrite of arbitrary files via symlinks.
CVE-2013-3097
PUBLISHED: 2019-11-13
Unspecified Cross-site scripting (XSS) vulnerability in the Verizon FIOS Actiontec MI424WR-GEN3I router.
CVE-2013-3366
PUBLISHED: 2019-11-13
Undocumented TELNET service in TRENDnet TEW-812DRU when a web page named backdoor contains an HTML parameter of password and a value of j78G�DFdg_24Mhw3.