At the end of each calendar year, it seems bloggers (like us) love to gaze into their crystal balls and make predictions about the upcoming year. During the last couple of weeks, as details and speculation about the US Government’s Office of Personnel Management (OPM) hack spread, I thought back to the prediction we made in December 2013. At that time we proclaimed “The Big Network Security Hacks of 2014 Have Already Happened.” Vince Berk did an on-the-air interview about it.
Too bad I couldn’t have fast-forwarded that article exactly one year and rewritten the headline with OPM in mind. If I had addressed OPM on December 3, 2014, the headline might have read “Listen OPM: The Big Security Attack of 2015 Has Already Happened.”
OPM announced the cybersecurity intrusion in June 2015. They became aware of it in April 2015. But what struck me most? The intrusion occurred in December 2014, months before. So you see, it’s like we predicted – a major breach is discovered, but unfortunately it happened too long ago. Confidential data was copied, and the forensic trail has potentially been overwritten, because as time passes the evidence becomes less complete and less available: resource and storage limits mean old records get discarded.
In an interview with ABC News, Ann Barron-DiCamillo of the Department of Homeland Security’s cyber response team said, “Many government computer systems hold onto ‘data logs’ – records that document access to files, specific user activity, system traffic and more – for up to 60 days.”
But, she points out, “These events happened months ago, so a lot of the forensic evidence we need to be able to come up conclusively with those numbers [of victims] is just not there. And so the investigators have a really hard time trying to piece all that information together.”
Regardless of whether you operate in the commercial enterprise or the public sector, network security departments tend to share the same problems. Network traffic volumes are increasing, making it hard for individual security analysts to keep a constant eye out for possible intrusions. Organizations cannot afford to deploy every possible piece of vendor software because of budget limitations. And once they are alerted, security teams typically focus on intrusion containment and mitigation – which, unfortunately, means that manual detection isn’t practical on a 24×7 basis.
At FlowTraq we typically don’t like the “ambulance chasing” behavior of opportunistic hardware, software and consulting organizations that say, “If you’d been using our products and services you wouldn’t have gotten hacked…”
But, at the risk of joining the pack – you know, I think we probably could have helped prevent, or at least alerted them to, the possible intrusion. We felt the same about the recent Anthem breach, too.
Data loss prevention can be aided by network traffic analysis solutions, such as FlowTraq, that are tuned specifically for incident detection. Security specialists must be able to analyze network traffic records on demand, either in real time or forensically. Incident detection becomes possible when un-sampled NetFlow data, or another common network flow format, is collected. Unlike NetFlow analysis tools that monitor networks for traffic congestion or infrastructure planning, a tool tuned for security analysis can detect security threats by analyzing the same NetFlow traffic records. For instance, when deployed in scalable clusters, FlowTraq can process and alert on network traffic anomalies in environments with up to 100 Gbps of throughput.
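To make the flow-analysis idea above concrete, here is an added example of my own (not FlowTraq’s software, and not its record format): it reads constructed NetFlow-style records and flags internal hosts whose outbound byte volume to external addresses jumps far above their own recent baseline, using only the history that still falls inside a retention window.

```python
import ipaddress
from collections import defaultdict
from statistics import mean

# Constructed flow records, simplified to (day, src_ip, dst_ip, dst_port, bytes).
# Days 1-5 are ordinary traffic; on day 6 one host sends a large transfer to a new external peer.
FLOWS = [(d, "10.0.0.5", "203.0.113.10", 443, 1000) for d in range(1, 6)]
FLOWS += [(d, "10.0.0.7", "203.0.113.10", 443, 2000) for d in range(1, 6)]
FLOWS += [
    (6, "10.0.0.5", "198.51.100.20", 443, 50_000),  # large outbound transfer to a new host
    (6, "10.0.0.7", "203.0.113.10", 443, 2100),     # normal day for this host
    (6, "10.0.0.5", "10.0.0.9", 445, 900_000),      # internal-to-internal, not outbound
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed address space of the monitored site


def outbound_bytes_per_day(flows):
    """Sum bytes per (internal host, day) for flows that leave the internal network."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, _port, nbytes in flows:
        if ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) not in INTERNAL:
            totals[src][day] += nbytes
    return totals


def flag_exfil_candidates(flows, today, factor=5.0, retention_days=60):
    """Return {host: (today_bytes, baseline_mean)} for hosts whose outbound volume on
    `today` exceeds `factor` times their mean over prior days still held within retention.
    Hosts with no retained history cannot be baselined and are skipped."""
    alerts = {}
    for host, per_day in outbound_bytes_per_day(flows).items():
        history = [b for d, b in per_day.items() if today - retention_days <= d < today]
        if not history:
            continue
        baseline = mean(history)
        current = per_day.get(today, 0)
        if current > factor * baseline:
            alerts[host] = (current, baseline)
    return alerts


if __name__ == "__main__":
    for host, (cur, base) in flag_exfil_candidates(FLOWS, today=6).items():
        print(f"ALERT {host}: {cur} bytes outbound today vs. baseline {base:.0f}")
```

With a retention window shorter than the gap between intrusion and discovery, the history list is empty and the alert cannot be raised, which is exactly the forensic gap the ABC News quotes describe.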
Federal agencies and commercial enterprises too often fail to put cost-effective, modern threat recognition tools into place to prevent the theft of personally identifiable information. When combined with the latest off-the-shelf multi-core server hardware and inexpensive storage, a system including FlowTraq security software is more affordable than most people realize. It can be used effectively in security centers that need to handle large traffic volumes, provide detection filters and alerts, and offer high-precision forensic drill-down to help security analysts define the nature of threats faster than other methods.
Maybe organizations will finally put in place low-cost tools that find potential data breaches immediately – not months after they happen. Then our 2015 “year-end predictions” blog could be titled: “The Big Network Security Hacks of 2016 Didn’t Happen.”