
Call of Duty – Transparent Disclosure: What the ✖ ☐ ∆ O happened at Sony?

May 9, 2011

Sony’s claim at the end of last week that a security breach resulting in the theft of more than 100m users’ data occurred while it was fighting a DDoS attack by the Anonymous activist group illustrates a fundamental flaw in traditional Enterprise security systems and processes. In an era of Advanced Persistent Threats [APTs] the truth is that this type of distraction theft is likely to become increasingly prevalent: while security analysts are focused on repelling an attack in one part of a large distributed network, another attack sneaks into a different part and steals data or causes harm behind their backs.

Over the last few months we’ve talked about Unified Situational Awareness and how we believe it can plug a fundamental gap in existing Enterprise and Federal Information Security activities; the Sony attack suggests that we have a point. Unified Situational Awareness enables security analysts to see their entire security position via a single console. It allows them to correlate every piece of security data on their network [often millions of records] in seconds, to surface relationships between anomalies and answer questions like:

▪   Is there an unusually high number of failed logons on any user account, beyond what simple fat-fingering would explain?

▪   Do any of these accounts have privileged access to critical systems or information?

▪   Have any unauthorized configuration changes been implemented by accounts that have experienced an unusually high number of failed logons?

▪   Are the unauthorized changes on systems that contain sensitive company/customer data?

▪   Is network flow volume unusually high for any of the major Enterprise systems? Are those systems accessed by any of the accounts with an unusually high number of failed logons?

Answering these questions in real time, while attacks are occurring, can be the difference between taking action at that moment to repel the attack and limit the damage, or the situation Sony finds itself in nearly two weeks after the start of an attack: hiring forensic IT experts to, I suspect, comb multiple reports to figure out EXACTLY how somebody was able to gain access to up to 100 million user records.
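To make the question chain above concrete, here is an added example (not code from the original post or from any product) that walks the same five questions over a handful of constructed authentication, change-management and flow records, and chains each "yes" into a finding for the analyst. Thresholds, field names and the sample data are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real data). In practice these would come from
# authentication logs, change-management records and NetFlow/sFlow collectors.
AUTH = [  # (user, host, result)
    ("jsmith", "db01", "fail"), ("jsmith", "db01", "fail"), ("jsmith", "db01", "fail"),
    ("jsmith", "db01", "fail"), ("jsmith", "db01", "fail"), ("jsmith", "db01", "success"),
    ("bob", "web01", "fail"), ("bob", "web01", "success"),
    ("svc_backup", "fs01", "success"),
]
CHANGES = [("jsmith", "db01", False), ("svc_backup", "fs01", True)]  # (user, host, approved)
FLOWS = {"db01": 9_000_000_000, "web01": 200_000_000, "fs01": 50_000_000}  # bytes out per host
PRIVILEGED = {"jsmith", "svc_backup"}   # accounts with access to critical systems
SENSITIVE = {"db01"}                    # hosts holding company/customer data

def failed_logon_counts(auth):
    """Question 1: failed logons per account; a threshold separates attacks from typos."""
    return Counter(user for user, _, result in auth if result == "fail")

def correlate(auth, changes, flows, privileged, sensitive,
              fail_threshold=5, flow_threshold=1_000_000_000):
    """Questions 2-5, asked only about accounts that tripped question 1."""
    suspects = {u for u, n in failed_logon_counts(auth).items() if n >= fail_threshold}
    accessed = defaultdict(set)  # hosts each account actually logged on to
    for user, host, result in auth:
        if result == "success":
            accessed[user].add(host)
    findings = {}
    for user in sorted(suspects):
        bad_changes = [h for who, h, approved in changes if who == user and not approved]
        findings[user] = {
            "privileged": user in privileged,                               # Q2
            "unauthorized_changes": bad_changes,                            # Q3
            "changes_on_sensitive": [h for h in bad_changes if h in sensitive],  # Q4
            "high_flow_hosts_accessed": sorted(                             # Q5
                h for h in accessed[user] if flows.get(h, 0) >= flow_threshold),
        }
    return findings

def score(finding):
    """Rough triage priority: one point for every 'yes' in the chain."""
    return sum([finding["privileged"], bool(finding["unauthorized_changes"]),
                bool(finding["changes_on_sensitive"]), bool(finding["high_flow_hosts_accessed"])])

if __name__ == "__main__":
    for user, finding in correlate(AUTH, CHANGES, FLOWS, PRIVILEGED, SENSITIVE).items():
        print(user, "priority", score(finding), finding)
```

With the sample data only jsmith answers "yes" to every question and surfaces as the single high-priority finding; bob's one failed logon never enters the chain.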

We call that difference Unified Situational Awareness.
