Brian Krebs, WashingtonPost.com, writes:
…far too many sites are compromised each month by hackers and scammers while their owners remain completely oblivious or in denial.
Logging and monitoring are hugely important, especially for catching break-ins and data theft. Data destruction is easy to see, but data theft is just copying data silently.
IT and business are becoming more and more enamored with feeling secure, or rather the attitude of, “We’ll look at the logs when something bad happens or we suspect something bad has happened,” which really means, “If we don’t look at the logs, nothing’s wrong, so let’s just go about our business.” Or a company will throw in an IDS/IPS device or log parser, but not devote the on-going manhours or staff to properly understand the device and be able to accurately monitor/parse while also being given ample time to investigate and acknowledge the various alerts.
Data theft will not necessarily get better soon. Large-scale regulations like PCI and others are really pushing the standards higher, but they are still ambiguous at times, and can make companies look better on paper than they really are in practice. Legislature and laws on disclosure of breaches has only really results in negative reinforcement for business, but a feeding frenzy for media as companies and agencies now have to divulge incidents that have always been happening anyway. This makes it seem like it is on the rise, when in fact we’re just getting the problem more out in the open finally. I don’t see this dying off for at least another 6 years. Once all the big businesses are shored up, we’ll see tons of smaller businesses like those mentioned in the article posted above.
I foresee for a number of years, yet, businesses stepping as lightly as possible on this issue. Doing just enough to avoid negligence and satisfy regulations, but not enough to really have to admit to any problems or divule them. “Yes, we log and monitor, but we don’t see anything, so everything is a-ok! I’m sorry you had your data stolen, but we do what we can, so better luck next time.”
While this may feel good today, this is not a scalable or sustainable approach.
From my vantage point in IT, I can also say that logging and monitoring and even security are not high on the lists of execs to spend money on, managers to raise issues about, or staffers to spend time on. Our #1 priority is making sure the network and systems are up for the company. This can be 100% time utilization. Our #2 priority tends to be projects that either enhance the functionality (not security necessarily) of the current network and systems or projects that are directly related to revenue-generating people or processes or clients.
Security is not yet up there, let alone logging and monitoring and responding to those logs in an ethical fashion. This is true also of software and web application developers. Functionality and deadlines and bottom-lines first, then maybe performance. Security added later (and too often just never added).