Incident Response, TDR

Anatomy of a data breach: Security from the inside out

It's a sunny day. You're thousands of miles away from your data center, sipping soothing libations on a breezy sand beach.

Back in the real world, a savvy hacker sits in front of his monitor. He checks the current black market rates for U.S. Social Security and credit card numbers, then runs down his list of potential targets — a major university, a financial services organization, two retail chains and an energy company. The energy company, yours, is of particular interest since he was able to buy some access credentials from a former employee. But he wonders if they're still valid. In many case they are -- and you've been worried about the time it's been taking to de-provision user accounts.

A DBA of a large financial services company is working late. Earlier today he heard about an upcoming merger. People would be let go, and his name was on the list. He's given twenty years to this organization and can't believe that they would do this to him while his kids are still in college. He accesses the customer database and starts downloading information, covers his tracks, then emails the file to his home address.

Midnight in a New York hotel room, an employee of a major retail chain can't sleep. Might as well get some work done. She loaded all of the employee data that she would need onto her laptop before she left for the HR conference. She searches her suitcase and looks around the room. The laptop is gone.

These scenarios describe three categories of data theft:
  1. Database/data center breach – someone accessed or hacked into a data server (database or file server) that stores sensitive data.
  2. Data leakage – email, thumb drive – someone sends sensitive data from the enterprise to another location in an unauthorized way.
  3. Physical loss – a tape or laptop is lost or stolen after sensitive data has been downloaded from the main data servers.
The real questions are: What percentage of data loss incidents fall into each category and which type of data loss causes the most damage to an enterprise?

Data loss data
Privacy Rights Clearinghouse, a consumer rights group that tracks data breaches, estimates that 153,800,715 records containing sensitive personal information have been involved in data security breaches since 2005. To put this into perspective, on May 10, 2007, the entire population of the U.S. weighed in at 301, 809, 994 people. According to this group, the number of data breach incidents from 2004 to 2007 (when the category of data theft was known) was approximately 318. Of these incidents, laptops came in first (frequency of 47 percent, 149 incidents), next were databases (40 percent, 126 incidents), tapes were third (11 percent) and email last (at only 2 percent).  When we quantify data breaches by exposure, it's a different picture. Out of roughly 127 million data losses, databases are the number one point of exposure (64 percent - 84 million), laptops are number two (25 percent - 32 million), tapes take third place (10 percent) and email remains in last place (1 percent). Even though the numbers are approximate, since incidents of data exposure are not always detected or reported, the statistics are very revealing — data breaches are not all equal. The source of data breaches matters.

What a data breach looks like
Based on this data, let's look at the most damaging form of breach, theft of data from data centers/databases by users with credentials. These insider thieves, disgruntled workers or outsiders masquerading as insiders, typically have specific goals and objectives to wreak havoc on systems or steal sensitive data for profit.

Let's get back to our hacker from the first paragraph – the hacker with the insider credentials. First he reaches the VPN, no problem gaining access, he's an insider. There is no way to determine that he is anything but what his credentials identify him as. The IPS or IDS system gives him the once over. Nothing unusual is detected. The IAM waves him on – because IAM, IPS, IDS are essentially badge readers. Once inside the data center, he begins to access data. He'll grab some data to test the waters, a small amount, to see if the download works, then he will go after his main target – the Social Security numbers of the company's five million customers.

What are the security information management (SIM) systems doing at this point? Since the IDS or other edge security systems didn't find anything amiss, the SIM doesn't have anything to analyze. It's possible that the Social Security numbers are encrypted. However, if this intruder has the right credentials, encryption will not protect the data.

This is a scary scenario. Possibly even more frightening is a real insider – not just intruders with fake credentials – who has intimate knowledge of your data center and your business or worse, is a database administrator, a privileged user who can not only make changes to applications but cover his tracks. Even inadvertent mistakes, non-malicious behavior with data, can violate state or federal law and cause costly legal issues for an enterprise.

Stopping data breaches: a new view
When it comes to database breaches, the real issue is lack of real-time insight into what is actually happening to the data. Most data security is about policing at the edges; measures are not close enough to nor do they have any meaningful insight into what is happening to data.

To thwart the insider database breach, enterprises must have the ability to “see” what's going on with data and recognize the difference between:
  • Critical data assets and other data
  • A “genuine” authorized user and a masquerader
  • An employee accessing data in the normal course of business and a malicious insider
This is a new way of thinking about security, and it is dubbed “inside out security.” It comes from the realization that visibility into data centers – databases file servers and mainframes – is required to protect data and achieve data compliance. It requires technologies referred to as database activity monitoring (DAM) solutions. These policy-based monitoring and reporting solutions sit in front of data centers and watch user activity, including privileged user behavior and, using advanced analytics, recognize suspicious activity and send alerts in real-time.

Let's review our database theft scenario in the context of a data auditing system. The thief comes into the VPN, slides by the IDS and past the IAM. Once in the data center, a set policy triggers in the data auditing system – an employee is accessing data that he doesn't typically access, and from an new IP address at a time when he is typically not on the system. A real-time alert is sent to appropriate personnel or other security device, like a SIM/SEM, and the breach is nipped in the bud. The enterprise knows exactly which data is being accessed and from where. A detailed report is automatically sent to appropriate stakeholders.

This is in stark contrast to the way that many recent data/database breaches have been detected – by log analysis, a manual effort that typically happens well after the damage has been done. This after-the-fact discovery and analysis is no longer acceptable.

A real-world experience

One leader in the retail industry was feeling the pressure of multiple initiatives. Compliance with regulations like PCI was a top priority, as was the need to protect the privacy and security of customer data. Saving resources and improving efficiencies through outsourcing was also an important initiative. The goal was to take advantage of the benefits of outsourcing data-related activities while ensuring that the data was secure and the company compliant.

The challenge for this retailer was to retain control over the outsourced data even though the outsourcers would have privileged access to the retailer's sensitive data – including cardholder data. How would the retailer know if data was being mishandled? The outsourcer's employees had credentials that allowed them access. This insider problem is difficult to solve with traditional security because the user is credentialed and traditional security systems don't have the intelligence to discern the difference between acceptable data use and potential data theft. In essence, the retailer needed the ability to “see” what the outsourcers were doing with data and then determine if that activity was secure and compliant. The first option they explored was database logs – examining them on a regular basis to determine what the outsourcers were doing with the data. This option was ruled out quickly because it required a huge manual effort and it was after-the-fact – they received information on user activity too late to catch data/cardholder data theft.

The next option explored was data activity monitoring (DAM) technology. DAM would provide an automated way to obtain insight into data activity. The size and complexity of their data environment was a concern for the retailer, but the DAM solution selected for review covered all of their OS platforms, databases and applications. It included a high-level of behavioral intelligence, which analyzed current user behavior against their past behavior, security policies and compliance requirements, allowing the DAM appliance to generate reports and/or alerts on suspicious activity as it was happening. It could be used to monitor not only the outsourcer activity but also internal user activity with cardholder or other data stored in databases and file shares. Content scanning capabilities made it possible for the solution to recognize cardholder data – which was a major concern for the retailer. And monitoring could be centrally managed by the corporate security department.

While the RFP process was taking place, another major retailer's brand was being splashed across the national news because of a catastrophic data breach. With the stakes high and retailers under considerably more scrutiny, it was decided that a pilot program would be initiated to test the technology before any purchase decision was reached. The retailer brought a DAM solution into the data center with a strict set of requirements and goals for the pilot program. The technology that they chose began the monitoring process in a state called “learning mode”, meaning that databases and file shares were detected, users accessing data from the servers are monitored and data of interest was “discovered,”

During the first few hours of the DAM deployment, it became clear that cardholder data not only existed in databases that were not thought to hold cardholder data, but also that it was being accessed in ways that surprised the security team. While this activity was being watched, someone from the outsourcer began to access and download credit card data – in direct violation of the retailer's policies. The appliance created an alert and the IT security manager called the outsourcer on the phone immediately. Needless to say, the trial was successful. It was obvious that the activity that took place would have gone undetected (at least until after the fact) without DAM technology deployed. In this case, the security people were monitoring the device in real-time. If they hadn't been, they still would have caught the activity via alerts that would have been sent from the appliance immediately.

This is a simplified but colorful example of the power of data/database activity monitoring. The bottom line is that there is a blind spot when it comes to data activity at core data servers and this blind spot creates a hole that critical data assets can pour through. Inside out security practices and technologies are needed to close the hole and DAM is just the technology to stem the data breach flood.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.