My friend and IT thought leader, Gene Kim, often refers to high-performing IT shops as “people with good IT kung fu.” What he means by that is that these organizations have good skills, agility, and effective practices.
Lately, the news has been full of reports of botnets and other attacks that have gone unnoticed for looong periods of time. For example, consider the Kneber botnet. As was reported in The Washington Post,
“The attack, which began in late 2008 and was discovered [in January 2010], targeted proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries in 196 countries…”
To use one of Gene’s favorite phrases, “Holy crap!” That means these companies were compromised for over a year before they even noticed! Not good – in fact, totally unacceptable.
Why were these people surprised?
I’d be willing to bet many of these companies had deployed “state of the art” security tools, and the actions leading up to their breaches were still not noticed. Why not?
I think there are several contributing factors:
- More data isn’t better, it’s just more.
  - A lot of people decide to try to solve the problem by throwing yet another “sensor” into the mix, which just creates more alerts, more alarms, and more noise. In essence this just creates a big landfill of events.
- External threats and events are only part of the story.
  - Lots of security is focused on the baddies “out there.” But lots of exploits happen when trusted insiders do something they shouldn’t – such as clicking on a nasty link, using a weak password, breaking a rule, sharing a password, or misconfiguring something. In other words, “I have seen the enemy, and they are us.”
- It’s about results, not just activity.
  - There is a lot of focus on suspicious events, traffic, etc. But that’s only part of the story – you also need to keep an eye on the results of those activities: what’s changed on your systems, how does that compare to your standards & policies, are things configured consistently, etc.
So what does this all mean? I’ll go into that more in the future, but for now – think about these things:
- Virtually all breaches leave evidence – changes in your IT infrastructure that you should be able to notice.
- Many breaches take advantage of misconfigured, weakly configured, or inconsistently configured infrastructure.
- The people you trust on your systems are highly likely to be a source or vector for any compromise you experience.
- Many of the 2,500 companies affected by the Kneber botnet thought they were secure, and had plenty of data in their event landfills. But they still got hit and didn’t find out for a very long time.
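As an added illustration (my own sketch, not code from the post or from any product), here is the “results” view the list above argues for, in Python: a snapshot of a host’s config files is compared against an approved baseline, against a written standard, and across hosts of the same role for consistency. The file contents, the policy, and the host names are constructed sample data, and the capture job that would gather them is assumed.

```python
import hashlib

# Constructed sample snapshots (path -> file text) from a hypothetical capture
# job; real data would be read from the hosts themselves.
BASELINE = {"/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n"}
CURRENT = {"/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
           "/etc/cron.d/unknown-job": "0 3 * * * root /opt/unknown/run\n"}
# Hypothetical written standard for sshd_config (not from the post).
POLICY = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}
# Two hosts of the same role whose sshd_config should be identical.
FLEET = {"web1": CURRENT["/etc/ssh/sshd_config"],
         "web2": BASELINE["/etc/ssh/sshd_config"]}

def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()

def diff_snapshot(baseline, current):
    # What changed since the approved baseline: the evidence a breach leaves behind.
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current
                      and digest(baseline[p]) != digest(current[p]))
    return {"added": added, "removed": removed, "modified": modified}

def parse_kv(text):
    # Parse "Key value" lines (sshd_config style), skipping blanks and comments.
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            out[key] = value.strip()
    return out

def policy_violations(text, policy):
    # Settings that do not match the standard (current value, or None if absent).
    settings = parse_kv(text)
    return {k: settings.get(k) for k, want in policy.items() if settings.get(k) != want}

def inconsistent_settings(hosts):
    # Keys whose value differs across hosts that are supposed to be configured alike.
    parsed = {h: parse_kv(t) for h, t in hosts.items()}
    keys = set().union(*parsed.values())
    return sorted(k for k in keys if len({p.get(k) for p in parsed.values()}) > 1)

if __name__ == "__main__":
    print(diff_snapshot(BASELINE, CURRENT))
    print(policy_violations(CURRENT["/etc/ssh/sshd_config"], POLICY))
    print(inconsistent_settings(FLEET))
```

Each of the three checks answers a different question the event landfill cannot: what changed, whether it still meets your standard, and whether your supposedly identical hosts actually are.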
So…how good is your IT security kung fu? And how do you know it’s working?