Pratum Blog

Brian Krebs at KrebsOnSecurity is reporting that the P.F. Chang’s breach began in 2013 and went on for nearly nine months. I’ve talked about this issue in the past. Information security breaches are only going to continue to explode. They are getting more complex and are being targeted at organizations for specific reasons. Systems are going to be hacked every day. It’s not going to slow down or get any easier to defend against.

The problem is that these hacks weren’t being discovered when they were unsophisticated and noisy. Why? Organizations simply aren’t looking. Many of these attacks could be discovered if security event logs were being monitored routinely. The reality is they are not. Systems are hacked. The events and logs are there. Nobody is watching. Hackers 1 – Victims 0. Are you keeping score for your organization?

If you manage an information system you have to plan for “the event”. The event will come when you least expect it. It will come from a place you didn’t even know existed. It will happen when no one and everyone is looking. What is this event? It’s the day you get hacked. Actually the system will probably be hacked multiple times over its lifespan.

Some information security events will be worse than others. Some will happen on the inside while others from the outside. The question really is not if you’ll be hacked, but will you even know it? We’ve been involved with many information security breach investigations where the systems have been compromised for months. The warning signs were there. Sometimes they were flashing neon signs with air horns. If you’re not looking and listening you’ll miss those signs and alarms.

Security Information and Event Management (SIEM) can help you find those warning signs. It also helps separate the cries of wolf from the screams of panic. Every organization I’ve seen try to identify information security breaches by manually sifting through logs, using tools like a simple syslog server with a handful of alert rules, has failed. The volume of data is too great. Even really smart people get overloaded with information and simply can’t plow through it. Others that have implemented SIEM have failed because nobody is assigned responsibility to follow up on the events it discovers, or because the system still produces too much information since it was never tuned and optimized.

SIEM is an essential component to any robust and mature security operation. It’s not a set and forget type of system though. To be truly effective, it has to be constantly monitored and adjusted. When implemented effectively, SIEM is one of the best ways to identify and respond to security threats. Oh, by the way…it also works great for daily operational troubleshooting too. Talk about getting some bang for your buck!
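Here is an added example (my own illustration, not Pratum's code or any particular SIEM product) of the kind of tuned correlation rule the preceding paragraphs argue for. It runs over constructed sshd-style log lines, fires only when a burst of failed logons from one source is followed by a success, and suppresses repeat alerts for the same source, which is the "tuning" that keeps an analyst from drowning. The thresholds, hostnames and addresses are all assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd/syslog-like format (not from any real system).
SAMPLE_LOGS = """\
2014-06-12T02:14:01 host1 sshd[4412]: Failed password for root from 198.51.100.7 port 51324
2014-06-12T02:14:03 host1 sshd[4412]: Failed password for root from 198.51.100.7 port 51325
2014-06-12T02:14:05 host1 sshd[4412]: Failed password for admin from 198.51.100.7 port 51326
2014-06-12T02:14:06 host1 sshd[4412]: Failed password for admin from 198.51.100.7 port 51327
2014-06-12T02:14:09 host1 sshd[4412]: Failed password for root from 198.51.100.7 port 51328
2014-06-12T02:14:15 host1 sshd[4412]: Accepted password for admin from 198.51.100.7 port 51330
2014-06-12T02:14:16 host1 sshd[4412]: Accepted password for admin from 198.51.100.7 port 51331
2014-06-12T08:30:00 host2 sshd[9901]: Failed password for jdoe from 10.0.0.15 port 40001
2014-06-12T08:30:20 host2 sshd[9901]: Accepted password for jdoe from 10.0.0.15 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line):
    """Turn one log line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(log_text, threshold=5, window=timedelta(minutes=2),
              suppress=timedelta(minutes=10)):
    """Alert when a source reaches `threshold` failed logons inside `window`
    and then logs on successfully. One alert per source per `suppress` period."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    last_alert = {}                 # src -> time of last alert (suppression state)
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # drop failures that have aged out of the correlation window
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            continue
        # Accepted logon: only interesting if preceded by a burst of failures
        if len(recent) >= threshold:
            prev = last_alert.get(ev["src"])
            if prev is None or ev["ts"] - prev > suppress:
                last_alert[ev["src"]] = ev["ts"]
                alerts.append({
                    "time": ev["ts"].isoformat(),
                    "host": ev["host"],
                    "src": ev["src"],
                    "user": ev["user"],
                    "failures_before_success": len(recent),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

With the default threshold of 5 the constructed data yields a single alert for 198.51.100.7 (the second success a second later is suppressed, and host2's one typo'd password never fires). Lowering the threshold to 1 doubles the alert count for the same data, which is the untuned "too much information" failure mode the post describes.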

It’s been a while since I touched on this subject but it has come up during a number of audits and information security investigations the team at Pratum has been a part of over the past few weeks.  Egress filtering is a basic principle that should be implemented at every organization to prevent hacking activity from leaving your network.  Granted, you can’t stop everything, but you can at least try.  True information security is based on incremental success.

Here’s how it works.  We always do ingress filtering.  That is, we only allow trusted and known traffic into the firewall from the internet.  This traffic is typically allowed into a DMZ and then traffic from the DMZ is allowed through to the internal network.  This traffic is allowed only from selected IP addresses and specific ports.  Everything else is blocked.

We need to do the same thing on all traffic leaving our network.  We only want known good traffic out.  Everything else is blocked.  There are two main reasons for this.  First, you break a ton of hacker tools when you perform egress filtering.  Second, any system that tries to do something unexpected or disallowed identifies itself through an alert generated at the firewall.  This is invaluable information.

Certainly hackers can and do hide their return traffic in valid HTTP, FTP and other protocols.  Web gateway and proxy filters can help identify this traffic.  By implementing egress filtering, you’ve effectively created a roadblock where every vehicle (packet) will be stopped and inspected.  Any attempts to bypass the roadblock are obvious signs of bad behavior and receive a swift investigation response.

If you want to know what’s happening on your network and be able to identify the source of compromised systems faster, implement egress filtering.  You’ll temporarily break a few things in the process but it’s a small price to pay for identifying the source of internal hacking attempts.
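To make the mechanism concrete, here is an added example (written for this post, not Pratum's tooling or a real firewall's rule syntax) that models an egress policy as an allow-list with a default deny, and then summarizes constructed iptables-style log lines from packets that hit the deny rule so each source host that tried something unexpected shows up as an alert record. The networks, ports and log lines are all assumptions invented for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed egress allow-list (an illustrative policy, not a real organization's).
# Each entry: (source network, destination network, protocol, destination port).
EGRESS_ALLOW = [
    ("10.0.0.0/8",   "0.0.0.0/0",    "tcp", 80),   # internal hosts: web
    ("10.0.0.0/8",   "0.0.0.0/0",    "tcp", 443),
    ("10.0.0.0/8",   "10.0.0.53/32", "udp", 53),   # DNS only to the internal resolver
    ("10.0.0.25/32", "0.0.0.0/0",    "tcp", 25),   # only the mail relay may send SMTP
]


def egress_allowed(src, dst, proto, dport):
    """Return True if an outbound flow matches the allow-list; everything else is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, p, port in EGRESS_ALLOW:
        if (p == proto and port == dport
                and s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)):
            return True
    return False  # default deny


# Constructed iptables-style log lines for packets that hit the default-deny rule.
DENY_LOGS = """\
Jun 12 02:15:01 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=198.51.100.9 PROTO=TCP SPT=49152 DPT=4444
Jun 12 02:15:06 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=198.51.100.9 PROTO=TCP SPT=49153 DPT=4444
Jun 12 02:15:11 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=198.51.100.9 PROTO=TCP SPT=49154 DPT=4444
Jun 12 02:16:30 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.7.3 DST=8.8.8.8 PROTO=UDP SPT=53211 DPT=53
Jun 12 02:17:00 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.2.40 DST=203.0.113.5 PROTO=TCP SPT=50000 DPT=25
"""

DENY_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dport>\d+)"
)


def summarize_denies(log_text):
    """Group default-deny hits by (src, dst, proto, dport) into alert records.

    Every record is a system trying to do something the policy does not allow:
    some will be misconfigured hosts to fix, others warrant investigation."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            key = (m["src"], m["dst"], m["proto"].lower(), int(m["dport"]))
            hits[key] += 1
    return [
        {"src": src, "dst": dst, "proto": proto, "dport": dport, "count": n}
        for (src, dst, proto, dport), n in sorted(hits.items())
    ]


if __name__ == "__main__":
    print(egress_allowed("10.0.4.17", "203.0.113.5", "tcp", 443))   # normal web traffic
    print(egress_allowed("10.0.4.17", "198.51.100.9", "tcp", 4444))  # not on the list
    for rec in summarize_denies(DENY_LOGS):
        print(rec)
```

In the constructed data the repeated drops from 10.0.4.17 to an unlisted port stand out immediately, while the host using an external DNS server and the non-relay host sending SMTP are the "few things you break" that the post says to expect; either way the firewall has told you exactly which internal system to look at.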
