In IT Security we always hear about the importance of time. How frequently can we update our virus database, how quickly can we patch our system, how long does it take to investigate an alert and so on.
Webinar By Duo Security: Securing Apps and Data in the Cloud and On-Premises (March 11, 2015 at 10 am PST / 1 pm EST)
The issue has once again come to the fore following the recent news that Uber – provider of an app that connects drivers with passengers -found that a one-time unauthorised access to one of its databases had occurred last year. There are not many details on the actual breach, but the few details that are available made me think. According to a blog post on their website , the one-time access took place on May 13, 2014. They discovered it on September 17, 2014 and finally announced it on February 27, 2015.
This means that it took them four months to discover the data breach. In some ways it is a miracle that after such a long time they had enough evidence available to finish the forensics analysis and the investigation.
It also took them nine months to publicly announce the breach, which impacted approximately 50,000 driver records. Luckily it is just a “small percentage” of their partners. It is probably not the biggest data breach and the value of the stolen records is probably not that high, but still it took nine months to make a public announcement. It made me think how much time did they spend on post-breach analysis with lawyers, experts and others over the last few months?
We also need to consider if the four months that it took to discover the breach is actually a good, a bad or an average time for organisations? From the time taken, it was definitely not a real-time alert, nor a weekly report that would have identified the anomaly in the system. On the other hand, it did not take years to discover and, at least it was discovered at all, which is definitely not the case for many other organisations.
If the attacker has four months to get the data, hide the traces and very slowly – without any rush – use the stolen information then we have a serious problem. The time of the discovery and the time to respond to an actual attack are probably the most important factors. If we can detect an ongoing attack quickly, then we can stop it from further escalation. We can try to track and possibly identify the attacker and can take the required counter-measures to prevent the attacker from using the stolen information. Four months might be a good average time, but there is a very high price to pay for that.
Of course it is not that easy to spot a one-time unauthorized access. Most attackers – once inside the system – access much more data, given they have the time to do so and that could leave more “visible” traces. The key for timely detection is to have the ability to see those traces. We need to find a needle in a haystack, but we do not have months to do so. Or at least we should be doing it much faster.
Is there a lesson to be learned here?
If there is one lesson to be learned it is that it is better to discover a breach after four months then never to find it.
Seriously. We need to understand the time factor in any detection or discovery. We need to improve our monitoring and detection capabilities. Of course it is important to always apply the latest patches quickly, but that does not solve all of our problems.
Maybe if our patch management strategy is good enough, it is then time to invest in improving our monitoring capabilities to turn that four months discovery time into four hours.
By Márton Illés, Product Evangelist at BalaBit.
BalaBit – headquartered in Luxembourg – is a European IT security innovator, specialized in advanced monitoring technologies. It has sales offices in France, Germany, Hungary, Russia, in the UK and the United States and partners in 40+ countries. The main development centers are based in Hungary. BalaBit has customers all over the world including 23 percent of the Fortune 100 companies. The company is widely-known for syslog-ng™, its open source log management solution, used by more than a million companies worldwide. This significant user base provides a solid ground for the business expansion which is fueled by Shell Control Box™, a pioneering development for the rapidly-growing niche of privileged activity monitoring market.