In my previous post, we looked at how event correlation can be used to deal with advanced persistent threats (APTs). The thing is, an APT is just one ugly face of a much larger epidemic: the data breach. In this blog, we examine this larger problem and the role of event correlation in securing sensitive data.
Hackers are constantly on the lookout for confidential data. From names and email addresses to financial and clinical information, all types of data are valuable to attackers. This is because stolen data can serve a wide variety of purposes, like identity theft, financial fraud, or spear phishing campaigns. Data protection should be the highest priority for any company.
Notable data breaches of 2018
The best way to appreciate the need for data security is to take a look at some of the biggest data breaches discovered just this year:
What data was compromised? Public profile information, location information, page likes, and, in some cases, information from users’ timelines and private messages.
How many data records were affected? Over 87 million.
Possibly the data breach scandal of the year, Facebook came under fire when it was revealed that political consulting firm Cambridge Analytica was able to harvest the personal data of millions of non-consenting users through a Facebook app. Cambridge Analytica also used collected data for purposes other than those presented to consenting users.
What data was compromised? Personal information like names, addresses, and phone numbers as well as personal preferences like interests and habits.
How many data records were affected? Over 340 million.
Marketing research and data aggregation firm Exactis came under the spotlight when a security researcher, Vinny Troia, discovered the company was keeping all the information they collected about American citizens on an unprotected, publicly-accessible server. This is more a case of data exposure than a breach, as it wasn’t clear if the data had been accessed or used for malicious purposes. However, it still caused plenty of public outcry and legal issues for the firm.
What data was compromised? Personal information of passengers, including names, addresses, numbers, and nationalities. The leaked data also included 860,000 passport numbers and 403 expired credit card numbers.
How many data records were affected? Over 9.4 million.
The data breach faced by the Chinese airline Cathay Pacific is one of the worst seen in the airline industry to date. The company’s response to the breach came under serious question because it took seven months to announce the breach to the public post-discovery. Cathay Pacific is currently under investigation by 27 regulators in 15 jurisdictions to determine if the company broke any laws in its response to the breach.
Other organizations which suffered from major data breaches include:
Under Armour: Over 150 million usernames, email addresses, and hashed passwords were compromised from the company’s nutrition and fitness app, MyFitnessPal.
MyHeritage: Over 92 million names, email addresses, and hashed passwords were stolen from online genealogy platform MyHeritage.
Important considerations for data security
While the above list is nowhere close to exhaustive, the diversity in industries and types of data affected certainly drives home the need for stringent security measures surrounding data. In light of this, here are some important considerations in planning data security policies:
- Data breaches can be caused by insiders, too: While most organizations tend to focus on protecting their data from unauthorized external parties, it’s important to recognize the threat posed by insiders as well. It isn’t just a matter of trust; breaches that occur due to careless or unsuspecting employees are also considered insider breaches. In fact, according to the 2018 Verizon Data Breach Investigation Report, companies in the healthcare industry face a higher risk from insider threats.
- Data security isn’t localized to the security of your database or file servers: Regular database auditing and file integrity monitoring are essential to ensure your data stays secure. However, it’s important to take a more comprehensive view of security. Web servers, applications that interface with your databases, and other systems that connect to the data servers in your network are equally likely targets for those looking to get to your data. A single application vulnerability could allow a hacker to access large amounts of information without authorization.
- Improving the accuracy of alerts can greatly reduce attack detection times: Organizations tend to play it safe by checking for all possible data breach scenarios. But not every failed login or deleted file is a sign of attack. Security administrators faced with a sea of alerts may waste precious time ruling out false positives before discovering actual attacks.
Why event correlation is your best friend in ensuring data security
Event correlation is a technique that analyzes logs from all devices in your network and alerts you to any anomalies. By monitoring everything from firewalls to workstations, event correlation helps you secure all access points to your data and can check for both external and internal breaches. Event correlation also generates highly accurate alerts, as it validates suspicious patterns of activity before notifying you.
Some relevant correlation use cases include the detection of:
- Unauthorized SQL backup activity.
- Anomalous mass deletion of data.
- Targeted SQL injection attempts.
- Suspicious changes in data permissions or object audit policies.
Log360, our comprehensive SIEM solution, comes equipped with a strong correlation module, which includes predefined rules to help you detect all of the above and more. You can even customize rules or build new ones suitable for your network environment. Learn more about how event correlation in Log360 works, or sign up for a free, personalized demo.