<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Log Management &#38; SIEM for Security, Compliance, Operations &#124; the dialog</title>
	<atom:link href="http://blog.logrhythm.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.logrhythm.com</link>
	<description>Log Management &#38; SIEM for Security, Compliance, Operations &#124; the dialog</description>
	<lastBuildDate>Fri, 03 Feb 2012 16:56:20 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.3</generator>
		<item>
		<title>The Audit Trail</title>
		<link>http://blog.logrhythm.com/uncategorized/the-audit-trail-2/</link>
		<comments>http://blog.logrhythm.com/uncategorized/the-audit-trail-2/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 16:56:20 +0000</pubDate>
		<dc:creator>cmonroy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blog.logrhythm.com/?p=787</guid>
		<description><![CDATA[The audit trail is the system’s, or at times an application’s, log data. Syslog or Windows event logs or application database tables usually contain this data. It used to be considered “noise” or an unnecessary processing burden. With regulatory and &#8230; <a href="http://blog.logrhythm.com/uncategorized/the-audit-trail-2/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The audit trail is the system’s, or at times an application’s, log  data.  Syslog or Windows event logs or application database tables  usually contain this data.  It used to be considered “noise” or an  unnecessary processing burden.  With regulatory and compliance  requirements mandating that this “audit trail” be reviewed and  maintained (i.e., retained for a specified period of time), SIEM  vendors are faced with questions such as “Do we keep what we have or  enhance the audit trail to better support our target markets?”.  And  since the former solution is generally the easiest, that seems to be the  most frequent choice that organizations are making. After all, why  change what is “working”?</p>
<p>So why aren’t compliance mandates being applied to vendor products?  Specifically the audit trail subsystem, which is lacking in most SIEM solutions.  When reviewing a SIEM  (or any other compliance-related product), don’t overlook this aspect  and don’t simply believe that all is good because they “support syslog”.  Vendors should ensure their audit trail/log data is readable by almost  any means. That it includes the who, what, why, where details, that  almost all logs can be tied to a user account vs. system/application  account.  Moreover, the auditing subsystem should allow for granular  tuning to log all or only what is necessary.</p>
<p>Standards for events and log formats are somewhat taking hold, but it  will be some time before everyone is on board and adopts this into  their products. Some of the above can be achieved through pre-process  filtering via scripts or robust syslog daemon, but there should be an  “Audit Trail Minimum Requirements Standard” that ensures that any  product that has this “seal of approval” can and will log exactly what  is needed to better support compliance and simplify the requirement to  periodically review these audit trails.</p>
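<p>What the who/what/when/where check and the “pre-process filtering via scripts” look like in practice, as an added example in Python that is not part of the original post or of any vendor product. The syslog-style sample records, the key=value field names and the service-account naming convention (svc_/sys_/app_ prefix or a trailing “$”) are constructed assumptions for illustration; a real deployment would map them to the product’s actual log schema.</p>

```python
import re
from dataclasses import dataclass, field

# Constructed sample audit records (not taken from any real product). The body
# after the syslog-style header is key=value pairs: ts (when), user (who),
# action (what), src (where). "Why" is rarely recorded by products, so it is
# not a required field here.
SAMPLE_LOGS = """\
Feb  3 10:01:12 app01 audit: ts=2012-02-03T10:01:12Z user=alice action=login src=10.1.2.3 result=success
Feb  3 10:02:40 app01 audit: ts=2012-02-03T10:02:40Z user=svc_backup action=read src=10.1.2.9 object=/finance/q4.xlsx
Feb  3 10:03:05 app01 audit: ts=2012-02-03T10:03:05Z action=config_change src=10.1.2.3 object=retention_days
Feb  3 10:04:51 app01 audit: ts=2012-02-03T10:04:51Z user=bob action=delete object=/finance/q4.xlsx
Feb  3 10:05:17 app01 audit: something happened
this line is not an audit record at all
"""

REQUIRED = ("ts", "user", "action", "src")          # when, who, what, where
# Assumed naming convention for non-human accounts: svc_/sys_/app_ prefix or
# a trailing "$" (Windows computer accounts).
SERVICE_ACCOUNT = re.compile(r"^(svc_|sys_|app_)|\$$")

HEADER = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) ([^:]+): (.*)$")   # stamp host tag: body
KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    line_no: int
    missing: list = field(default_factory=list)   # required fields absent
    service_account: bool = False                 # attributed to a non-human account
    unparsed: bool = False                        # header did not match at all


def parse_record(line):
    """Split a syslog-style line into a dict of fields, or None if unparsable."""
    m = HEADER.match(line)
    if not m:
        return None
    stamp, host, tag, body = m.groups()
    fields = dict(KV.findall(body))
    fields["host"], fields["tag"] = host, tag
    return fields


def audit_findings(text):
    """Return one Finding per record that fails the who/what/when/where check."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_record(line)
        if rec is None:
            findings.append(Finding(n, unparsed=True))
            continue
        missing = [k for k in REQUIRED if k not in rec]
        svc = "user" in rec and bool(SERVICE_ACCOUNT.search(rec["user"]))
        if missing or svc:
            findings.append(Finding(n, missing, svc))
    return findings


def select_actions(text, wanted):
    """Pre-process filter: keep only records whose action is in `wanted`,
    the scripted equivalent of tuning a product to log only what is needed."""
    kept = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("action") in wanted:
            kept.append(line)
    return kept


if __name__ == "__main__":
    for f in audit_findings(SAMPLE_LOGS):
        print(f)
    print(len(select_actions(SAMPLE_LOGS, {"login", "delete", "config_change"})), "records kept")
```

<p>Run against the sample, the checker flags the backup service account, the configuration change with no user, the delete with no source address, the free-text record that carries no fields at all, and the line that is not an audit record. Those are exactly the gaps an auditor will ask about, and none of them are visible from the fact that a product “supports syslog”.</p>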
<p><iframe width="360" height="270" src="http://www.youtube.com/embed/5zB_BO5VSGc?fs=1&#038;feature=oembed" frameborder="0" allowfullscreen></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/uncategorized/the-audit-trail-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>EC data protection directive and ongoing breaches show a new approach to IT security is needed</title>
		<link>http://blog.logrhythm.com/uncategorized/ross-brewer-ec-data-protection-directive-and-ongoing-breaches-show-a-new-approach-to-it-security-is-needed/</link>
		<comments>http://blog.logrhythm.com/uncategorized/ross-brewer-ec-data-protection-directive-and-ongoing-breaches-show-a-new-approach-to-it-security-is-needed/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 18:41:48 +0000</pubDate>
		<dc:creator>rbrewer</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blog.logrhythm.com/?p=765</guid>
		<description><![CDATA[Following my last blog on 01/12/11, the latest European data protection guidelines have finally been revealed and make interesting reading. After some extended debate, the EC data protection directive proposals were made public on Wednesday of last week and have &#8230; <a href="http://blog.logrhythm.com/uncategorized/ross-brewer-ec-data-protection-directive-and-ongoing-breaches-show-a-new-approach-to-it-security-is-needed/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<div>
<p>Following my last blog on 01/12/11, the latest European data protection guidelines have finally been revealed and make interesting reading. After some extended debate, the EC data protection directive proposals were made public on Wednesday of last week and have garnered a great deal of media attention. Organisations will have two years to implement them once they are formally adopted by the EC.</p>
<p>Coming from New Zealand I find it fascinating to observe the trials and tribulations involved with implementing European-wide directives. Initial delays to publication were reportedly caused by internal disagreements over issues such as the classification of different types of data. Since being made public the proposals are continuing to prove divisive and have been subject to external criticism. The Information Commissioner’s Office, for example, has announced that it would like to see a number of issues re-examined, including the retention and processing of special or sensitive categories of personal data and the requirement that organisations obtain prior approval for certain types of processing.</p>
<p><a rel="attachment wp-att-768" href="http://blog.logrhythm.com/uncategorized/ross-brewer-ec-data-protection-directive-and-ongoing-breaches-show-a-new-approach-to-it-security-is-needed/attachment/hackershitnewpaper-3/"><img class="size-full wp-image-768 alignleft" title="hackershitNewpaper" src="http://blog.logrhythm.com/wp-content/uploads/2012/01/hackershitNewpaper1.jpg" alt="" width="208" height="129" /></a>So what do the new guidelines entail? One of the biggest changes is the introduction of data breach notification obligations similar to those already in place in the US. Failing to alert both the relevant supervisory authorities and seriously affected individuals to a breach in a timely (the proposals suggest within 24 hours) or complete fashion could result in fines of up to two percent of current revenues.</p>
<p>The main problem many organisations will face in trying to fulfil these obligations is the lack of visibility into IT systems: a shocking number simply don’t have the capability to drill down and monitor network activity in granular detail. In the US this has led to incidents of ‘over-disclosure’, when companies have found themselves forced into issuing blanket notifications, which may overstate the severity of the incident, because they just can’t accurately identify what the breach entailed.</p>
<p>In the face of increasingly sophisticated attacks and growing network complexity, running an IT estate in this way is irresponsible. The new breach notification laws have now made it untenable. In order to protect both reputations and the bottom line it is essential that every piece of data generated by IT is both collected and analysed on a continuous basis. Only by employing a Protective Monitoring approach will organisations acquire the deep insight and traceability required to connect seemingly unrelated incidents and remediate threats in real time.</p>
<p>Unfortunately the repeated breaches of 2011 and ongoing ‘hacktivist’ activity suggest that data breaches are now an inevitability that we all have to face up to. Rather than keeping threats out, IT security will need to adjust its approach to one that prioritises the detection and remediation of threats before they have a chance to do any damage.</p>
<p>So, what do you think about the new proposals: much needed reform or unhelpfully over-prescriptive? Let us know your views and how you plan to deal with new data breach notification legislation in the comments.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/uncategorized/ross-brewer-ec-data-protection-directive-and-ongoing-breaches-show-a-new-approach-to-it-security-is-needed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Weakest Link in Phishing Attacks</title>
		<link>http://blog.logrhythm.com/uncategorized/the-weakest-link-in-phishing-attacks/</link>
		<comments>http://blog.logrhythm.com/uncategorized/the-weakest-link-in-phishing-attacks/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 13:00:29 +0000</pubDate>
		<dc:creator>dpack</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blog.logrhythm.com/?p=684</guid>
		<description><![CDATA[Enterprises today are most vulnerable to phishing exploits at the user level.  Understandably, users are an easier target than the other hardened, internet-facing systems in any enterprise. Phishing campaigns are getting more sophisticated and frequent, with greater effort being focused &#8230; <a href="http://blog.logrhythm.com/uncategorized/the-weakest-link-in-phishing-attacks/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Enterprises today are most vulnerable to phishing exploits at the user level.  Understandably, users are an easier target than the other hardened, internet-facing systems in any enterprise.  Phishing campaigns are getting more sophisticated and frequent, with greater effort being focused on making the information in the emails more and more believable – even targeting specific people within an organization.  Thus, users are growing less and less capable of discerning legitimate email from phishing campaigns.</p>
<p><iframe width="480" height="270" src="http://www.youtube.com/embed/y6rDjkC1sUY?fs=1&#038;feature=oembed" frameborder="0" allowfullscreen></iframe></p>
<p>This video describes the steps enterprises should take to catch these types of exploits before any data gets moved out of the network.  These guidelines include, but are not limited to:</p>
<ul>
<li>Educate users</li>
<li>Assume a user in your organization is going to get exploited</li>
<li>Maintain visibility &#8212; look for activity you’re likely to see AFTER the exploit happens</li>
<li>Identify and target “attractive” data in the enterprise</li>
<li>Focus on the activity in-and-around “attractive” data</li>
<li>Move out from this central location, monitoring &amp; investigating accounts and users accessing “attractive” data</li>
<li>Set up baseline monitoring</li>
<li>Watch for anomalous activity (after hours, simultaneous authentications from multiple locations, etc.)</li>
<li>Watch for activity that occurs AROUND the potential exploit.</li>
</ul>
<p>In short, focus on finding the activity AROUND the exploit rather than solely on the exploit itself.</p>
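<p>The post-exploit monitoring the list describes (a baseline, after-hours logins, concurrent authentications from multiple locations, and new accounts touching “attractive” data), as an added example in Python that is not part of the original post or of any vendor product. The event lines, the business-hours window, the 60-minute travel window, the payroll file and the baseline of who normally reads it are constructed assumptions; in practice the baseline is learned from weeks of normal traffic rather than hard-coded.</p>

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample events (not real logs), one per line:
# time,user,event,src_ip,location,object   (object is "-" when not applicable)
SAMPLE_EVENTS = """\
2012-01-25T09:12:00,alice,login,10.1.1.20,Boulder,-
2012-01-25T09:30:00,alice,file_read,10.1.1.20,Boulder,/finance/payroll.xlsx
2012-01-25T09:33:00,alice,login,203.0.113.7,Kiev,-
2012-01-25T22:41:00,bob,login,10.1.1.31,Boulder,-
2012-01-25T22:45:00,bob,file_read,10.1.1.31,Boulder,/finance/payroll.xlsx
2012-01-25T14:05:00,carol,login,10.1.1.40,Boulder,-
"""

Event = namedtuple("Event", "time user event src_ip location obj")

# Assumed policy and baseline (in practice learned from weeks of normal traffic):
BUSINESS_HOURS = (8, 18)                    # 08:00 to 18:00 local, Monday to Friday
TRAVEL_WINDOW = timedelta(minutes=60)       # two locations inside this window is suspicious
ATTRACTIVE = {"/finance/payroll.xlsx"}      # the data an attacker would go for
BASELINE_READERS = {"/finance/payroll.xlsx": {"alice"}}  # who normally reads it


def parse_events(text):
    events = []
    for line in text.splitlines():
        t, user, ev, ip, loc, obj = line.split(",")
        events.append(Event(datetime.fromisoformat(t), user, ev, ip, loc, obj))
    return sorted(events, key=lambda e: e.time)   # detectors assume time order


def detect(events):
    """Return (rule, user, detail) tuples for activity around a suspected compromise."""
    alerts = []
    last_login = {}                                 # user -> most recent login Event
    for e in events:
        if e.event == "login":
            outside_hours = not (BUSINESS_HOURS[0] <= e.time.hour < BUSINESS_HOURS[1])
            if outside_hours or e.time.weekday() >= 5:
                alerts.append(("after_hours_login", e.user, e.time.isoformat()))
            prev = last_login.get(e.user)
            # Same account authenticating from a second location sooner than a
            # person could travel there: a credential is in use by someone else.
            if prev and prev.location != e.location and e.time - prev.time <= TRAVEL_WINDOW:
                alerts.append(("concurrent_multi_location_login", e.user,
                               f"{prev.location} then {e.location} within {e.time - prev.time}"))
            last_login[e.user] = e
        elif e.event == "file_read" and e.obj in ATTRACTIVE:
            # Reads of attractive data by an account outside its baseline readers.
            if e.user not in BASELINE_READERS.get(e.obj, set()):
                alerts.append(("new_reader_of_attractive_data", e.user, e.obj))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(a)
```

<p>On the sample, alice’s account turns up in Kiev 21 minutes after logging in from Boulder, and bob logs in at 22:41 and then reads a payroll file he has never touched before. Neither event is the phishing email itself; both are the activity around it, which is the point of the list above.</p>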
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/uncategorized/the-weakest-link-in-phishing-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is your Security Policy up to date?</title>
		<link>http://blog.logrhythm.com/digital-forensics/is-your-security-policy-up-to-date-2/</link>
		<comments>http://blog.logrhythm.com/digital-forensics/is-your-security-policy-up-to-date-2/#comments</comments>
		<pubDate>Tue, 24 Jan 2012 17:12:01 +0000</pubDate>
		<dc:creator>balbrecht</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Digital Forensics]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.logrhythm.com/?p=673</guid>
		<description><![CDATA[It seems that every day we see a story in the news about an organization that has been affected by a data breach. And it also seems that these organizations may not have been maintaining a secure infrastructure with which &#8230; <a href="http://blog.logrhythm.com/digital-forensics/is-your-security-policy-up-to-date-2/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>It seems that every day we see a story in the news about an organization that has been affected by a data breach. And it also seems that these organizations may not have been maintaining a secure infrastructure with which to protect their data. Although this may seem illogical, this is often the case. An organization may have the stoutest and layered defense in place, but a well targeted attack, or “spear<a href="http://blog.logrhythm.com/wp-content/uploads/2012/01/phishing.jpg"><img class="alignright size-full wp-image-674" src="http://blog.logrhythm.com/wp-content/uploads/2012/01/phishing.jpg" alt="" width="240" height="269" /></a> phishing” attack can bypass these controls quickly and easily. Since a task as simple as opening a malicious file in an email can compromise the data of an entire organization, this highlights the importance of an organization’s overall information security policy, specifically any administrative controls that may be in place.</p>
<p>These spear phishing attacks will often target specific individuals within an organization with emails that appear to be legitimate. If these email messages look authentic enough, they will often entice the recipient to open a malicious attachment, disguised as a legitimate document or spreadsheet. Once this is done, the attacker may potentially gain access to the recipient’s computer or beyond.</p>
<p>In this day and age, ensuring that your employees are knowledgeable and up to date on relevant security policies and procedures is critical to the reducing the risk of targeted attacks within your organization. This should begin with basic messaging to your employees that outlines your security policy, including acceptable use criteria and specifically outlining what to watch for in a potentially malicious email. In addition, annual or semi-annual testing or certification will also help to ensure that your employees are made aware of your security policies and have confirmed this knowledge.</p>
<p>This may seem like an overly simple and meaningless task, but it’s one that is often overlooked. While logical controls, like your firewalls, routers and IDS/ISP devices, will hopefully mitigate the majority of questionable messages and traffic patterns into your organization, knowledgeable and vigilant employees are often an important last line of defense in protecting your organization’s information assets.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/digital-forensics/is-your-security-policy-up-to-date-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Click Fraud Matters</title>
		<link>http://blog.logrhythm.com/general/why-click-fraud-matters/</link>
		<comments>http://blog.logrhythm.com/general/why-click-fraud-matters/#comments</comments>
		<pubDate>Wed, 18 Jan 2012 21:03:09 +0000</pubDate>
		<dc:creator>rpatrick</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[IT Optimization]]></category>

		<guid isPermaLink="false">http://blog.logrhythm.com/?p=652</guid>
		<description><![CDATA[Spending on Internet advertising in the US alone eclipsed $10 billion in 2010. Unfortunately, online sponsored advertising has a major downside: Click Fraud. Industry rivals, or other interested parties impersonate consumers by clicking on paid ads with no intent of &#8230; <a href="http://blog.logrhythm.com/general/why-click-fraud-matters/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Spending on Internet advertising in the US alone eclipsed $10 billion in 2010. Unfortunately, online sponsored advertising has a major downside: Click Fraud. Industry rivals, or other interested parties impersonate consumers by clicking on paid ads with no intent of making a purchase. These fraudulent clicks effectively drive up a company’s advertising costs without increasing sales. Click Fraud has become such a widespread issue that in the eyes of LinkShare CEO Stephen Messer, it “could wipe out ROI in search marketing.”</p>
<p>Initially, advertisers placed their trust in search companies such as Google, Yahoo and Microsoft to police fraudulent clicks. In 2006, Google CEO Eric Schmidt compromised that trust when he stated:</p>
<p>“Eventually the price that the advertiser is willing to pay for the conversion will decline because the advertiser will realize that these are bad clicks. In other words, the value of the ad declines. So, over some amount of time, the system is, in fact, self-correcting. In fact, there is a perfect economic solution, which is to let it happen.”</p>
<p>His statement led many companies to question the commitment of their providers to preventing Click Fraud.</p>
<p>At the heart of Click Fraud is the act of simulating a click. This is accomplished through multiple means. The simplest is to employ individuals who spend their time clicking on ads without ever purchasing an item. This act is both costly and time consuming if done inside the United States. In developing countries, this is not the case. In the words of Nir Kshetri, the fraudster “must often decide to employ the seemingly bottomless source of human clickers in developing countries, or use technology.” Kshetri goes on to point out that employing human labor becomes less attractive as PPC providers and advertisers become more adept at employing invalid click detection. Because the IP address of a human clicker is usually consistent, PPC providers can easily block traffic from it.</p>
<p>Another method is to write a program that simulates clicks. To do this, the program must perform many of the tasks normally undertaken by a web browser: it must first execute the ad network’s JavaScript to obtain the HTML of the advertisement, then parse that HTML for links and send an HTTP request to the advertiser’s web server. Because clicks that all come from one source are simple to detect, the perpetrator must distribute the program across the Internet using a botnet. The bot software finds its way onto unsuspecting users’ computers by many means. Tempting offers of free software, games or other goods from illegitimate websites lure many consumers into installing it unknowingly. Computers can also be infected by visiting legitimate websites that have been compromised by Click Fraudsters.</p>
<p>Unlike many other online crimes, Click Fraud has no offline counterpart. One consequence is that the legal system has not been able to keep pace with it. Online crime is growing at a rate that legislators have been unable to match. Adding to the problem is a lack of regulation across borders. While new anti-fraud laws are slowly being passed in the United States and the European Union, other countries have little or no regulation. In India in 2006, for example, advertisements looking to hire people to click on ads ran in national newspapers.</p>
<p>As an industry, online advertising is not going away anytime soon. Click Fraud will not be going away either. Given my background in law, it is obvious to me that, just as with other legal issues regarding technology, legislators cannot keep up with the rapid pace at which Click Fraudsters change their tactics. Add in the challenges of enforcing laws across international borders and the problem becomes even more dire. It is therefore obvious that legal changes will not come soon, so other methods are necessary. With legal recourse lagging behind, it is up to industry to find ways to protect itself.</p>
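<p>The two detection heuristics the post alludes to, a per-IP check that catches a human clicker whose address stays constant and a timing check that catches scripted clicks even when a botnet spreads them over many addresses, as an added example in Python that is not part of the original post or of any ad network’s fraud system. The click log, ad identifiers, IP addresses and thresholds are constructed for illustration.</p>

```python
from collections import defaultdict, namedtuple
from datetime import datetime
from statistics import pstdev

# Constructed click log (not real data): ts,ad_id,src_ip,converted
SAMPLE_CLICKS = """\
ts,ad_id,src_ip,converted
2012-01-18T10:00:00,ad42,198.51.100.5,0
2012-01-18T10:00:30,ad42,198.51.100.5,0
2012-01-18T10:01:00,ad42,198.51.100.5,0
2012-01-18T10:01:30,ad42,198.51.100.5,0
2012-01-18T10:02:00,ad42,198.51.100.5,0
2012-01-18T11:14:09,ad42,203.0.113.44,1
2012-01-18T11:52:33,ad42,192.0.2.18,0
2012-01-18T12:00:00,ad77,203.0.113.1,0
2012-01-18T12:00:10,ad77,203.0.113.2,0
2012-01-18T12:00:20,ad77,203.0.113.3,0
2012-01-18T12:00:30,ad77,203.0.113.4,0
2012-01-18T12:00:40,ad77,203.0.113.5,0
2012-01-18T12:00:50,ad77,203.0.113.6,0
"""

Click = namedtuple("Click", "ts ad ip converted")


def parse_clicks(text):
    clicks = []
    for line in text.splitlines()[1:]:          # skip the header row
        ts, ad, ip, conv = line.split(",")
        clicks.append(Click(datetime.fromisoformat(ts), ad, ip, conv == "1"))
    return clicks


def repeated_source(clicks, min_clicks=5):
    """Human-clicker pattern: one IP hitting one ad repeatedly and never converting.
    Returns (ad, ip, click_count) for each flagged pair."""
    per_pair = defaultdict(list)
    for c in clicks:
        per_pair[(c.ad, c.ip)].append(c)
    return [(ad, ip, len(cs)) for (ad, ip), cs in per_pair.items()
            if len(cs) >= min_clicks and not any(c.converted for c in cs)]


def scripted_timing(clicks, min_sources=6, max_gap_stdev=1.0):
    """Botnet pattern: many distinct IPs, but inter-click gaps far too regular for
    people. Per-IP thresholds miss this; the timing does not.
    Returns (ad, click_count, first_gap_seconds) for each flagged ad."""
    per_ad = defaultdict(list)
    for c in clicks:
        per_ad[c.ad].append(c)
    flagged = []
    for ad, cs in per_ad.items():
        cs.sort(key=lambda c: c.ts)
        if len({c.ip for c in cs}) < min_sources:
            continue
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(cs, cs[1:])]
        if gaps and pstdev(gaps) <= max_gap_stdev:
            flagged.append((ad, len(cs), gaps[0]))
    return flagged


if __name__ == "__main__":
    clicks = parse_clicks(SAMPLE_CLICKS)
    print("repeated source:", repeated_source(clicks))
    print("scripted timing:", scripted_timing(clicks))
```

<p>On the sample, ad42 is hit five times from one address with no conversion, which the per-IP rule catches and a fraudster defeats by moving to a botnet; ad77 is then hit from six different addresses exactly ten seconds apart, which the per-IP rule never sees but the timing rule does. Real systems layer further signals (user-agent and session fingerprints, conversion rates per publisher) on top of these two, and a scripted clicker can add jitter to its timing, so neither check is sufficient alone.</p>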
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/general/why-click-fraud-matters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

