The Verizon Business Risk Team publishes a useful Data Breach Investigations Report (DBIR), drawn from over 500 forensic engagements over a four-year period.
The report describes a “Time Span of Breach” event broken into four stages of an attack. These are:
– Pre-Attack Research
– Point of Entry to Compromise
– Compromise to Discovery
– Discovery to Containment
The first two stages are under the attacker's control; the last two are under the defender's. Log management earns its keep mostly in the third stage, shortening the time from compromise to discovery. So what does the 2008 DBIR show for Compromise to Discovery? Months. Sigh. Worse yet, in 70% of the cases the victim did not discover the breach at all; Discovery meant being notified by someone else.
Conclusion? Most victims do not have sufficient visibility into their own networks and equipment.
Gaining that visibility is not hard, but it is tedious. The tedium can be relieved, for the most part, by a one-time setup and configuration of a log management system that collects the logs centrally and surfaces the events worth a look. Perhaps not the most exciting project you can think of, but hard to beat for effectiveness and return on investment.
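As an added illustration of what "discovery" looks like once logs are collected in one place (example code written for this page, not from the DBIR or from any log management product), the block below runs one simple detection over constructed OpenSSH sshd lines: a successful login from a source address that produced a burst of failed attempts just before it. It also computes the compromise-to-discovery span the post is about, measured from the first successful login to the moment someone reviews the alert. The sshd message text is the real OpenSSH format; the ISO-8601 timestamp prefix, the hostnames, the addresses and the 10-minute, 5-failure thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH sshd format. The ISO-8601 timestamp is an
# assumption (a syslog daemon configured for high-precision timestamps); stock
# syslog writes "Mar  1 02:14:01" instead and would need a different parser.
SAMPLE_LOG = """\
2008-03-01T02:14:01 bastion sshd[4101]: Failed password for root from 198.51.100.23 port 40112 ssh2
2008-03-01T02:14:03 bastion sshd[4102]: Failed password for root from 198.51.100.23 port 40113 ssh2
2008-03-01T02:14:05 bastion sshd[4103]: Failed password for root from 198.51.100.23 port 40114 ssh2
2008-03-01T02:14:07 bastion sshd[4104]: Failed password for root from 198.51.100.23 port 40115 ssh2
2008-03-01T02:14:09 bastion sshd[4105]: Failed password for root from 198.51.100.23 port 40116 ssh2
2008-03-01T02:14:11 bastion sshd[4106]: Failed password for root from 198.51.100.23 port 40117 ssh2
2008-03-01T02:14:20 bastion sshd[4107]: Accepted password for root from 198.51.100.23 port 40118 ssh2
2008-03-01T08:02:44 bastion sshd[5001]: Failed password for alice from 192.0.2.10 port 50021 ssh2
2008-03-01T08:02:51 bastion sshd[5002]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd(lines):
    """Yield one event dict per recognised sshd auth line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def find_bruteforce_logins(events, threshold=5, window=timedelta(minutes=10)):
    """Flag an Accepted login from a source IP that produced at least
    `threshold` Failed attempts within `window` before the success.
    Thresholds are assumed values, not anything the report prescribes."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts = []
    for ev in events:
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            continue
        # Drop failures that fell outside the window before counting them.
        recent = [t for t in failures[ip] if ev["ts"] - t <= window]
        failures[ip] = recent
        if len(recent) >= threshold:
            alerts.append({
                "ip": ip,
                "user": ev["user"],
                "host": ev["host"],
                "compromise_ts": ev["ts"],  # first successful login starts the clock
                "first_failure_ts": recent[0],
                "failures_before_success": len(recent),
            })
    return alerts


def time_to_discovery(alert, reviewed_at_iso):
    """Compromise-to-discovery span: from the flagged login to the time the
    alert is actually looked at (an ISO-8601 string)."""
    return datetime.fromisoformat(reviewed_at_iso) - alert["compromise_ts"]


if __name__ == "__main__":
    found = find_bruteforce_logins(parse_sshd(SAMPLE_LOG.splitlines()))
    for a in found:
        lag = time_to_discovery(a, "2008-03-02T09:00:00")
        print(f"{a['host']}: {a['user']} logged in from {a['ip']} after "
              f"{a['failures_before_success']} failures; discovered {lag} later")
```

The point of the second function is the metric, not the detector: with the logs centralised, the compromise-to-discovery span becomes something you can measure per incident and drive down, instead of something you learn about months later from a third party. Alice's single typo followed by a key login stays below the threshold and produces no alert.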