Judging from articles in the press, cybercrime appears to be steadily increasing in frequency. Whether it is one country attacking the infrastructure of another, or a payment processor losing credit card data, hardly a day passes without a new, alarming story about cybercrime. To add some perspective, let’s examine the categories of cybercrime and how one might deal with each.
Let’s first set aside cross-border “cyberwarfare” – attacks by one country against another’s information infrastructure. These attacks are a category of their own, and one that most private organizations rarely have to worry about. Instead, let’s focus on activities not designed to cripple an institution, but to seek financial gain through criminal activity delivered via information technology. In this regard, cybercrime tends to fall into three categories.
The first is some form of identity theft, typically via account takeover. In this scenario, criminals gain access to a person’s financial accounts and use that access to withdraw funds directly, to transfer funds out of the account, or to make unauthorized purchases. By the time the account holder discovers what is happening, the funds are gone and it may not be possible to recover them. Even where the bank or merchant is liable for reimbursement, that liability may be limited and the consumer may simply have to bear the loss. Criminals typically gain access via phishing, or via other social engineering that tricks a consumer into handing over account credentials.
The second category is malware planted on the corporate network. This may be a keylogger that captures account numbers and passwords, or it may take some other form, as in the Heartland Payment Systems data security breach, where malware captured payment card numbers as they were processed on the company’s systems. The malware may in fact remain in place for quite some time, operating quietly and regularly sending captured data to an external domain. These attacks can be very difficult to detect: each individual transmission is small enough to blend into normal outbound traffic, and the pattern only stands out when the activity is viewed in aggregate over time.
The third category of cybercrime is the malicious insider: the trusted user who has legitimate rights to access confidential data and uses that access to steal and sell it. Privileged users can be trusted employees such as database administrators, finance administrators, and so on. They can also be trusted outsiders such as IT contractors, outsourcing partners, or distribution or supply chain partners. These activities can also be difficult to detect, because the user genuinely is authorized to access the data or applications in question. The challenge is to distinguish normal, authorized use from irregular or unauthorized use, which requires context about who the user is, what they normally do, and when. Gaining that context has historically been difficult, though newer solutions make it considerably easier.
Unfortunately, in tough economic conditions all three categories are likely to become more frequent. Banks and merchants will push customers to the web as a means of cutting costs, which increases the number of users who can fall prey to phishing attacks. Firms will move operations to outsourcers to cut costs, which opens up more opportunities for someone to quietly plant a keylogger and capture confidential information. And of course, as firms lay off employees to save money during difficult times, some of those employees may see an opportunity for gain, via data theft, on the way out the door. Moreover, reduced headcount also means fewer people available to notice problems, which further increases the risk.
Given this rather gloomy description, what can be done?
Technologies to address the problems above are fairly mature and provide an automated method for discovering potential “cyber-criminal” activity. Security Information and Event Management (SIEM) products were historically focused on analyzing network activity, but more recently the same analytical techniques have been applied to monitoring for fraud. The key concepts are the same: collect activity information, evaluate each activity both on its own and in conjunction with others to determine whether something seems unusual, and then escalate the events that are worth immediate investigation while filtering out those that are just noise.
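To make the three steps above concrete, and to show why the low-and-slow malware pattern from the second category defeats a per-event rule, here is an added example of a miniature correlation pass over proxy log lines. It is illustrative code written for this page, not ArcSight’s product or any real rule set; the hosts, domains, log format, and thresholds are all constructed for the example.

```python
"""Minimal SIEM-style correlation over constructed proxy log lines.

Added example (not ArcSight code): collect events, evaluate each one on
its own, evaluate them in conjunction with others, escalate what matters,
filter the noise. All hosts, domains and thresholds are made up.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Destinations expected to receive traffic; events to them are noise (assumed list).
ALLOWLIST = {"intranet.corp.example", "update.example-vendor.com"}

# Per-event rule: a single outbound transfer this large is worth a look on its own.
BULK_BYTES = 5_000_000

# Correlation rule thresholds for one (host, destination) pair over the window.
MIN_EVENTS = 20         # enough samples to judge regularity
MAX_MEAN_BYTES = 2_000  # individually tiny, so the per-event rule never fires
MAX_JITTER = 0.2        # coefficient of variation of inter-arrival times
MIN_TOTAL_BYTES = 20_000


def parse(line):
    """'2009-04-01T09:00:12 ws-044 cdn-stats.example.net 900' -> (ts, host, dst, bytes)."""
    ts, host, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), host, dst, int(nbytes)


def correlate(lines):
    """Return a list of alert dicts from raw log lines; allowlisted noise is dropped."""
    alerts = []
    by_pair = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, host, dst, nbytes = parse(line)
        if dst in ALLOWLIST:
            continue  # filter noise before it reaches any rule
        # Step 1: evaluate the event on its own.
        if nbytes >= BULK_BYTES:
            alerts.append({"rule": "bulk-transfer", "host": host, "dst": dst, "bytes": nbytes})
        # Step 2: retain it for evaluation in conjunction with the others.
        by_pair[(host, dst)].append((ts, nbytes))

    for (host, dst), events in by_pair.items():
        if len(events) < MIN_EVENTS:
            continue
        events.sort()
        sizes = [n for _, n in events]
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        jitter = statistics.pstdev(gaps) / statistics.mean(gaps)
        # Many small, evenly spaced sends that add up: the beaconing pattern.
        if (statistics.mean(sizes) < MAX_MEAN_BYTES
                and jitter < MAX_JITTER
                and sum(sizes) >= MIN_TOTAL_BYTES):
            alerts.append({"rule": "low-and-slow-beacon", "host": host, "dst": dst,
                           "events": len(events), "bytes": sum(sizes)})
    return alerts


def constructed_log():
    """Build a synthetic day of log lines: one beaconing host among normal traffic."""
    start = datetime(2009, 4, 1, 9, 0, 0)
    lines = []
    # ws-044: ~900 bytes to the same external domain every 10 minutes for 8 hours.
    for i in range(48):
        ts = start + timedelta(minutes=10 * i, seconds=(i % 3) * 5)
        lines.append(f"{ts.isoformat()} ws-044 cdn-stats.example.net {900 + (i % 4) * 10}")
    # ws-112: ordinary browsing with irregular timing and sizes, plus allowlisted traffic.
    browsing = [(0, "news.example.org", 48000), (7, "news.example.org", 120000),
                (9, "intranet.corp.example", 5200), (31, "maps.example.org", 310000),
                (33, "news.example.org", 22000), (120, "update.example-vendor.com", 1800),
                (241, "maps.example.org", 90000)]
    for minutes, dst, nbytes in browsing:
        ts = start + timedelta(minutes=minutes)
        lines.append(f"{ts.isoformat()} ws-112 {dst} {nbytes}")
    # ws-207: one obvious bulk upload, caught by the per-event rule alone.
    ts = start + timedelta(hours=6, minutes=12)
    lines.append(f"{ts.isoformat()} ws-207 files.example-share.net 48000000")
    return lines


if __name__ == "__main__":
    for alert in correlate(constructed_log()):
        print(alert)
```

Running it yields two alerts: the bulk upload from ws-207, which any single-event threshold would catch, and the beacon from ws-044, whose 48 transfers of roughly 900 bytes each never trip the per-event rule and are only visible once the events for that host and destination are evaluated together. The ordinary browsing from ws-112 produces nothing, which is the noise filtering the text describes.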
Done correctly, SIEM can help detect unauthorized activity, whether on the public e-commerce site or on the internal network, with fewer people and faster response. Modern SIEM products include rules, reports and dashboards tuned to monitoring for fraud. One financial services organization that implemented such a solution discovered and prevented $900,000 of wire transfer fraud within the first week of deployment.
Organizations that are considering a SIEM solution should think beyond simple network monitoring; the modern SIEM can do much more.
ArcSight is exhibiting at Infosecurity Europe 2009 held on 28th – 30th April in Earl’s Court, London.