While there has been at least one article suggesting that hackers could have diverted the Malaysian jet which mysteriously disappeared over the South Pacific, what really unites the jet mystery with the Target breach is the topic of “alarm overload.” Numerous public safety incidents have, over the years, been linked to alarm systems that failed to provide the necessary alert it was designed to produce.
In the case of the BP Oil rig disaster in the Gulf of Mexico in 2010, it was discovered that an alarm to warn of explosive gas has been intentionally disabled. A crash on the Washington Metro system a year earlier, which killed nine people, happened partly because train dispatchers were overwhelmed by extraneous notifications.
Similarly, much has been written about hospitals that are grappling with the massive quantities of alarms that are generated by a wide variety of sensors. Hospital alarms are crucial – they provide notifications of a patient’s condition but only a small percentage of such alarms are issued for new, clinically significant changes.
Alarm overload in the air traffic control system has been documented, as well. Now, according to the New York Times, “the radar blip that was Malaysia Airlines Flight 370 did a wide U-turn over the Gulf of Thailand and then began moving inexorably past at least three military radar arrays… Yet inside a Malaysian Air Force control room on the country’s west coast… a four-person air defense radar crew did nothing about the unauthorized flight. ‘The watch team never noticed the blip,’ said a person with detailed knowledge of the investigation into Flight 370.”
And now we are learning that something similar unfolded at the Target Security Operations Center as hackers were siphoning of millions of credit and debit card numbers. Bloomberg Businessweek published an in-depth report on the Target breach which points to a failure of operators to respond to alarms. According to Bloomberg, “had the company’s security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happened at all.”
As with oil rigs, intensive care units and air traffic control centers, the volume of alerts and alarms that a large corporate data center has to deal with is enormous. In the specific case of computer systems, most of these notifications are culled from ‘syslog’ data which capture thousands of events per second from a wide variety of equipment.
In many organizations syslog events aren’t responded to until after a breach is uncovered. In many, the datasets are so large and overwhelming that they overwritten before they can be analyzed.
What is clear from the Target data breach is that organizations need to take a better approach to manage syslog alerts. Even sophisticated SIEM (Security Incident and Event Management) systems, which were built with the intention of managing the huge volumes of syslog data, need to be tuned, monitored, and re-tuned as the threat landscape changes. Special attention should be paid to events which indicate file transfer traffic such as ftp activity and traffic to cloud-based file storage systems.
Ultimately, it is the human operators who must understand the alerts they are receiving and respond to them in a timely, effective manner. A strong IT Security Governance program must establish the policies and procedures for implementing appropriate alerts and the timely steps to evaluate and respond to them.
About the Author: Ken Leeser’s background blends technical, financial management, business risk, and operations expertise. He has built companies which help organizations and their staffs better understand and implement technology. Most recently, Ken founded Kaliber Data Security and developed the concept of Security Resource Management to better equip organizations to achieve, maintain, and demonstrate security compliance while significantly improving their security posture. He helps businesses improve their Information Risk Management programs with the conviction that IT Security is not merely a technical issue, but rather a process that involves employees at all levels of an organization and is integral to business success. Prior to Kaliber Data Security, Ken led firms which helped organizations automate critical business processes through the selection, implementation and customization of enterprise management software. Ken holds Bachelor and Masters Degrees in Engineering from The Johns Hopkins University. He graduated from the Graduate School of Business Administration at Harvard University with an MBA. For further information please visit www.kaliberdatasecurity.com, follow him @KALDataSecurity – www.linkedin.com/kenleeser or contact Ken directly: firstname.lastname@example.org.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
- Interrupting a Cyber Attack in Progress
- Target Data Breach: How to Perform Early Detection of a Distributed Attack
- Why the Target Breach Might Be Even Bigger: Big Data Means Big Breach
- Target: The Desolation of Fraud
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock