
Heartland Proves That You Need Situational Awareness

January 22, 2009

The tech press is all aflutter with news of a new, high-profile and potentially large data breach at Heartland Payment Systems. You can check out coverage on InformationWeek, ComputerWorld, SearchSecurity, Security Fix and probably 50 other blogs.

So what do we know? We know that Heartland WAS PCI compliant. At least that is their story. They passed their assessment back in April. Not sure how many more times folks have to learn the hard way that compliance DOES NOT equal security. As with the Hannaford Brothers breach last year, this is yet another data point that PCI is a good start, but by no means sufficient to ensure the safety of credit card data.

In terms of the attack, it’s also very similar to Hannaford. The network was breached via the firewall and then a number of servers were compromised on the internal payment network. The attackers loaded up sniffers (whereas Hannaford’s seemed to be based on key loggers) to snoop the payment traffic on the network. But the concept of the attack was the same.

PCI compliance is no defense against this kind of attack, at least as the PCI DSS is written now. Logging data (Requirement 10) is not going to catch this attack, because the firewall was breached (meaning the traffic was allowed through) and the malware (key logger or sniffer) was installed on a set of devices.

The fact that Heartland was compromised is not the real point. The issue is how to make sure this doesn’t happen again. And not to you. Based on what we know of the attack, there were a number of points where the attack could have been detected.

Of course, since we are in the business of security and compliance management, I’ll feel free to illustrate the importance of looking at a broader data set than just syslog by discussing how SecureVue would have alerted to this attack in NUMEROUS ways.

  1. The malware was installed on a number of devices, which means the configuration was changed in some way, shape or form. SecureVue tracks configuration data and reports on changes that don’t adhere to the baseline policy.
  2. Key loggers and sniffers are very resource intensive, so the compromised devices would have displayed significant performance anomalies. SecureVue monitors performance characteristics of the devices, so the administrators would have been alerted to these issues.
  3. The malware was some kind of executable, and SecureVue’s asset management capabilities track executables on managed devices, so the attack would have been caught that way as well.
  4. Finally, the attackers can’t monetize the stolen credit card data until they send the data outside of the network for mining, so our network flow analysis would have alerted us to the fact that a strange traffic flow was being sent from those devices to a site outside of the network.
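To make the four detection points concrete, here is an added example (not SecureVue code, and the telemetry is constructed, not real Heartland data) that applies one anomaly check per data type and then ranks hosts by how many independent data types agree, which is the correlation argument the post is making.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample telemetry: one record per observation, "src" is the data type.
INTERNAL = ip_network("10.20.0.0/16")  # assumed payment-network range
CONFIG_BASELINE = {"pay-srv-01": {"svc:payproc", "svc:sshd"}, "pay-srv-02": {"svc:payproc"}}
EVENTS = [
    {"src": "config", "host": "pay-srv-01", "services": {"svc:payproc", "svc:sshd", "svc:netmon"}},
    {"src": "config", "host": "pay-srv-02", "services": {"svc:payproc"}},
    {"src": "perf", "host": "pay-srv-01", "cpu_pct": 91.0, "baseline_cpu_pct": 22.0},
    {"src": "perf", "host": "pay-srv-03", "cpu_pct": 25.0, "baseline_cpu_pct": 20.0},
    {"src": "asset", "host": "pay-srv-01", "new_exe": ["/tmp/.x/netmon"]},
    {"src": "asset", "host": "pay-srv-02", "new_exe": []},
    {"src": "flow", "host": "pay-srv-01", "dst": "203.0.113.7", "bytes": 480_000_000},
    {"src": "flow", "host": "pay-srv-01", "dst": "10.20.5.9", "bytes": 2_000_000},
    {"src": "flow", "host": "pay-srv-03", "dst": "10.20.5.9", "bytes": 1_500_000},
]

def indicator(ev):
    """Return a reason string if this single record is anomalous for its data type, else None."""
    if ev["src"] == "config":  # point 1: drift from the configuration baseline
        drift = ev["services"] - CONFIG_BASELINE.get(ev["host"], set())
        return f"config drift: {sorted(drift)}" if drift else None
    if ev["src"] == "perf":  # point 2: sustained load far above the device's own baseline
        if ev["cpu_pct"] > 2 * ev["baseline_cpu_pct"]:
            return f"cpu {ev['cpu_pct']}% vs baseline {ev['baseline_cpu_pct']}%"
        return None
    if ev["src"] == "asset":  # point 3: an executable that was not there before
        return f"new executable: {ev['new_exe']}" if ev["new_exe"] else None
    if ev["src"] == "flow":  # point 4: a large flow leaving the network
        if ip_address(ev["dst"]) not in INTERNAL and ev["bytes"] > 100_000_000:
            return f"{ev['bytes']} bytes to external {ev['dst']}"
    return None

def correlate(events, min_sources=2):
    """Collect per-host indicators keyed by data type; rank hosts by how many types agree."""
    hits = defaultdict(dict)
    for ev in events:
        reason = indicator(ev)
        if reason:
            hits[ev["host"]][ev["src"]] = reason
    ranked = sorted(hits.items(), key=lambda kv: -len(kv[1]))
    return [(host, reasons) for host, reasons in ranked if len(reasons) >= min_sources]

if __name__ == "__main__":
    for host, reasons in correlate(EVENTS):
        print(host, reasons)
```

Any one check alone can be noisy (a legitimate change, a busy batch window); the ranking only surfaces a host when several data types point at it, which is what gives an administrator a place to start.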

Clearly LOG DATA IS NOT ENOUGH, especially since these folks were PCI compliant (or so it seems). It goes back to my age-old mantra that compliance DOES NOT equal security. Traditional SIEM and log management products do not look at this broad array of data and thus cannot detect this specific attack. If you are not monitoring configuration, asset, performance, and flow data in addition to logs, you are exposed.

To be clear, there is no guarantee that any one of these data types alone would have pinpointed the attack. But if you combine all of them TOGETHER and correlate across the different data types, it’s clear that SecureVue would have detected something that needed to be investigated and, in many cases, would have helped a savvy administrator prioritize the areas to investigate.

Unfortunately, this won’t be the last time we hear of a successful attack on PCI compliant organizations. Leading organizations won’t wait until they are compromised to put in place a broader and more effective monitoring environment.
