Thursday, February 26, 2009
Rothman pointed to a nice discussion on how to prevent the extrusion (borrowing the term from Bejtlich) of stolen data in cases like Heartland, where credit card data was sent to Russia over clear-text connections. Rothman's post references a nice post from Richard Mogull on the subject.

Well, I'm an old advocate of analyzing outbound traffic to detect suspect behaviour. Mogull mentions DLP tools and Rothman reminds us about netflow. They are all valid options and they are quite right in their opinions. I just want to add some thoughts on how to deploy those technologies in a way that they can really do the job.

By mentioning specific technologies we may reinforce the perception that tools can solve the problem. Again, this is not about the tools. This is about monitoring. You should have something (i.e. a process) in place to monitor your outbound traffic, and also an understanding of what should be flowing from and to each part of your network. If we think about Heartland, hey, there was a communication from the cardholder data environment (PCI lingo) to a highly suspect network location (sorry Russia); should it really have been allowed? If yes, wasn't it something so different from the standard flows that it would have been easily spotted by an anomaly detection system? (By the way, cardholder data is a very good example of a case where honeytokens can be deployed.)

Organizations should start thinking more seriously about security monitoring. Today it is basically done with IDSes, antimalware (AV, etc.) and basic event correlation rules (basic = almost stupid), things that will trigger an alert if something bad is spotted. They should also invest in having people looking at uncommon stuff, like unusual destinations, protocols and traffic volumes.
You can easily detect (and block) some bad stuff with the old methods, but you need to go further if you want to detect the more dangerous stuff: elaborate and targeted attacks. Good places to start thinking about how to do that: Argus, Netwitness, Arbor, Richard Bejtlich's books and blog. Maybe it's time to have some "network security monitoring analysts" working and producing network security intelligence.
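To make the "understand what should flow from each part of your network" idea concrete, here is an added example (not from the post or any of the tools named above) that baselines netflow-style records per source zone and then flags outbound flows to an unseen destination, with an unusual byte count, or carrying a planted honeytoken in clear text. The flow records, zone name "cde", IP addresses and the honeytoken value are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Flow:
    src_zone: str      # network segment, e.g. "cde" (cardholder data environment)
    dst_ip: str
    dst_country: str
    proto: str
    dst_port: int
    bytes_out: int
    payload: bytes = b""  # only filled when a full-capture tool supplies it

# Constructed honeytoken: a fake card number planted in the CDE database.
# It has no business use, so seeing it leave the network is a clear signal.
HONEYTOKEN = b"4999123456789012"

def build_baseline(flows):
    """Per source zone: the (country, proto, port) tuples seen and byte statistics."""
    seen = defaultdict(lambda: {"dests": set(), "bytes": []})
    for f in flows:
        seen[f.src_zone]["dests"].add((f.dst_country, f.proto, f.dst_port))
        seen[f.src_zone]["bytes"].append(f.bytes_out)
    return {zone: {"dests": v["dests"], "mean": mean(v["bytes"]),
                   "sd": pstdev(v["bytes"])} for zone, v in seen.items()}

def check_flow(flow, baseline, sigma=3.0):
    """Return the reasons a flow deviates from its zone's baseline (empty list = normal)."""
    reasons = []
    zone = baseline.get(flow.src_zone)
    if zone is None:
        return ["no baseline for zone " + flow.src_zone]
    dest = (flow.dst_country, flow.proto, flow.dst_port)
    if dest not in zone["dests"]:
        reasons.append("unusual destination %s %s/%d" % dest)
    if flow.bytes_out > zone["mean"] + sigma * zone["sd"]:
        reasons.append("unusual volume: %d bytes" % flow.bytes_out)
    if HONEYTOKEN in flow.payload:
        reasons.append("honeytoken seen in clear text")
    return reasons

# Constructed sample: a week of normal CDE -> payment processor traffic.
BASELINE = build_baseline([
    Flow("cde", "203.0.113.10", "US", "tcp", 443, b) for b in (20000, 22000, 24000, 26000, 28000)
])
NORMAL = Flow("cde", "203.0.113.10", "US", "tcp", 443, 25000)
SUSPECT = Flow("cde", "198.51.100.7", "RU", "tcp", 443, 50_000_000,
               payload=b"...card=" + HONEYTOKEN + b"...")

if __name__ == "__main__":
    for f in (NORMAL, SUSPECT):
        print(f.dst_ip, check_flow(f, BASELINE) or "ok")
```

In practice the baseline would be built from weeks of real flow exports and reviewed by a person before it is trusted, since an attacker already present during the learning window becomes part of "normal".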