You might expect an enterprise to be the first to notice its records had been breached. But as a report from Trustwave illustrates, that is rarely the case.
According to a study of more than 200 data breaches that occurred in 2009, Trustwave found that just 9 percent were uncovered by the organization that was attacked. The vast majority-80 percent-were discovered by credit card companies with access to the breached organization's data. According to security pros, the reasons for this vary, but it comes down to the ability of businesses to understand and correlate the massive amounts of data at their fingertips.
The Trustwave study echoes the findings of Verizon's "2009 Data Breach Investigations Report," which reported roughly 70 percent of breaches were found by third parties. To Avivah Litan, an analyst with Gartner, credit card companies have the most incentive to uncover breaches because if financial information is stolen they are often the ones that get stuck with the bill.
"When there is a breach against the retailer or processor, they don't suffer direct losses; they only suffer losses after the card companies discover who they are and then force them to pay them back," Litan said.
Still, cyber-criminals are clever, and many pieces of malware continue to slip by enterprise radars, she said.
"There are too many false-positives in the system, so they don't get noticed," she said, adding that the analytical and predictive modeling capabilities of many intrusion prevention, database monitoring and security information event management tools are weak. "It's kind of like when alarms go off in the parking lot. People just say, -Ah it's another alarm.' ... The vendors in the security area have a lot to learn from the financial services vendors, mainly the fraud detection vendors. They are many, many years ahead in terms of predictive modeling and scoring."
Dwayne Melancon, vice president of strategy for Tripwire, agreed that enterprises have such a large volume of data to grapple with that it can be hard to know what to pay attention to in terms of risk. In addition, many businesses operate without automated, policy-based security controls and lack the ability to enforce configuration standards they decide upon.
"That means they are relying on 'a guy paying attention,' which is not consistent or scalable, and will inevitably lead to undetected security issues," he said. "There are best known methods for securing most IT assets, but many organizations are not employing these best known methods, operate with no documented configuration standards, and/or have no means to systematically evaluate their configurations against those standards. The result is lots of configuration variance, which increases risk, increases management costs and decreases security effectiveness."
Many organizations spend too much time and effort creating database compliance and auditing reports using homegrown scripts, native logs, triggers and stored procedures, said Phil Neray, vice president of security strategy at IBM's Guardium. This isn't an effective way to detect breaches, he explained, because it's not real time and the massive amounts of transaction log data produced by database environments make it easy to miss an incident or the connection between events.
"This is [also] costing them time and money, especially in heterogeneous environments, where each database platform-Oracle, SQL Server, DB2, etc.-requires its own handcrafted approach," he said.
Having proper visibility into all changes, events and configurations is the beginning of a strong defense, Melancon said.
"Once you have all the right data coming in, you have a chance to understand context and manage risk," he explained. "The challenge is that, that results in a huge landfill of data. You then have to make sense of it by using a policy-based method to perform intelligent analysis of the data, in an automated way-the triad of visibility, intelligence and automation are the keys to effective security."
But many data breaches-some 81 percent in the Trustwave study-involve systems managed by a third party that had been compromised. For enterprises, this can add a new layer of challenges. Nicholas Percoco, senior vice president at Trustwave's SpiderLabs, advised businesses to pay close attention to how their partners handle security.
"If they are able to explain what they do from a security standpoint, ask them to produce a report or letter from a third-party security auditor attesting to their policies and procedures," he recommended. "This provides evidence that their actions are in line with the promises made when servicing customers. An SAS-70 audit is a good example, but a penetration test will likely be more revealing."
There is also the option of stipulating in outsourcing contracts that any breach of customer credit card data under the management of the third party, for example, is the third party's responsibility, Litan told eWEEK.
"The rest will take care of itself," she said.