I Was an Anti-MSS Zealot

I used to think that Intrusion Detection Systems (IDS) and Managed Security Services (MSS) were a waste of time. After all, most attacks that I had worked on began, and were over, within seconds, and were typically totally automated. In my mind, an IDS alarm going off, or getting a call from the SOC operator, would be like the captain of a ship getting an alarm such as: “Captain, a torpedo passed through engines #2 and #3, and exited the starboard flank. We will be sinking in seven minutes.”

But the Verizon Business 2008 Data Breach Investigations Report tells a very different story.

The successful attacks were almost universally multi-faceted, and the various timeframes are truly astounding. The series of pie charts in Figure 21 is the most interesting data.

The first chart shows that more than half of attacks take days, weeks, or months from the point of entry (the first successful attack step) to the point of data compromise (not simply system compromise, but the point at which the criminal has actually done material harm). 90% take more than hours and over 50% take days or longer. Clearly, if an appropriate log had been instrumented and was being regularly reviewed, or an IDS alarm had gone off, you would have noticed and could have stopped the attack in the vast majority of our cases.

The second pie chart in the series reveals that 63% of companies do not discover the compromise for months, and that almost 80% of cases do not learn of attacks for weeks after they occur. In 95% of cases it took the organization longer than days after the compromise to learn of the attack. There are hundreds of cases in which the inside team either didn't look at the logs (in 82% of the breaches in the study, the evidence was present in their logs), or for some other reason (they were frustrated, tired, overwhelmed by the logs, found them uninteresting, or felt they were too noisy after a few days or weeks) simply quit looking.

One of the Verizon Business (née Cybertrust, née Ubizen) MSS zealots is Bart Vansevenant. The study surprised him for entirely different reasons: "We in the industry focus on things like correlation engines, security intelligence, and expertise in various platforms, etc. ... but the simple fact that we as an MSSP will monitor activity consistently around the clock probably is the most compelling reason for MSS. As a CISO, try to get an internal SLA in place that guarantees you that suspicious activity will be seen and followed up on within 30 minutes; clearly impossible."

Another significant motivator for MSS is the fact that the majority of attacks required low to moderate skill (not rocket science), and victims were found opportunistically by the criminals. In other words, simply stop being the "low hanging fruit" and you're likely to significantly reduce the likelihood that you'll have us, or more importantly the criminals, visiting you. MSS definitely accomplishes this, partly by ensuring that best practices have been adhered to, but also by continually keeping you aware of your exposure. Just because a system is connected and lit up shouldn't mean it is quickly compromised, even if it's vulnerable, if you've defined to your MSSP what should be accessible. Without MSS, systems are frequently exposed inadvertently, and left exposed for considerable amounts of time without the business being aware.

So what do you think? Torpedo warnings or real value?
