Could effective log management and SIEM have prevented the Wyndham Hotels incident?
Last week we covered a story regarding the Wyndham Hotel group, which ‘discovered that a sophisticated hacker penetrated the computer systems of one of the Wyndham Hotels and Resorts (WHR) data centres over a three-month period’.
We write plenty of stories about data breaches and accidental losses, and occasionally we will look at network attacks such as the Heartland Payment Systems incident last year or TK Maxx in 2007, but this seemed to be pretty damaging considering that its paying guests would be those affected.
The incident, for which specific details of how the attack took place have yet to be revealed or published, involved data being moved off-site between late October 2009 and January 2010, when the intrusion was discovered. Wyndham did state that ‘a hacker intruded on our systems and accessed customer information from a limited number of franchised and managed hotel properties. The hacker was able to move some information to an off-site URL before we discovered the intrusion’, but as for the specifics, I guess we will have to wait and see.
As this occurred over a three-month period, I wondered whether there was a way it could have been prevented, and I surveyed the cream of the log management sector for their thoughts. Guy Churchward, CEO at LogLogic, got straight to the point, claiming that had Wyndham been using basic log management or a SIEM solution it would have been able to correlate legitimate access with database activity, and the breach would have been flagged almost immediately by alerts triggered by the suspicious activity.
He said: “This could very easily have been another TK Maxx scenario. One wonders if they were fully PCI compliant if it took them three months to act on this, and the fact that they found out about this not because of a systems audit, but because customers told them, is really poor.
“Wyndham are clearly a prime candidate for a comprehensive log management strategy. Even if they didn't have a comprehensive log management solution in place, they could install one in two days, and have their answer on the third. By using such a solution it would take them just four minutes to identify those affected, not a matter of months, which is clearly an unacceptable length of time for their customers.”
Reed Henry, senior vice president of marketing at ArcSight, agreed that the potential of this being another TK Maxx was avoided, as this ‘could have kept going and going if it hadn't been for the victims coming forward’.
I asked Henry whether, had Wyndham been examining its logs, the breach would still have gone undetected for three months. He said: “Logs tell the story of what is happening as it is happening. In short, this breach would not have gone on three months. In fact, the intruders would have likely been discovered before they even got to the data.
“The typical path taken to get to the target data starts with any number of initial exploits, such as through a SQL injection attack on a corporate website, or from a hotel worker unknowingly opening a phishing email attachment. In today's world of sophisticated cyber criminals it can be assumed that targets of significance such as a hotel chain with valuable credit card information will have their perimeter breached with relative ease.”
He said that the series of actions will leave behind logs or flow data that can be collected and analysed for abnormal behaviours and the telltale signs of cyber crime.
“During the period prior to data extraction the logs will show unexpected scans, file installations, beacon calls to off-site botnet command and control centres, account privilege escalations, unusual account accesses, etc.,” said Henry.
“It is during this phase that companies employing a security information and event management platform which includes log management capabilities will be in position to rapidly detect and respond to such threats before damage is done.”
Henry also commented that every company either will be or already has been hacked: given the sophistication of cyber criminals, they can and will get into any company they target, so companies should be monitoring for the digital fingerprints of anomalous activity across many data points to protect themselves.
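To make concrete the kind of correlation Churchward and Henry describe (beacon calls to an off-site host, a privilege escalation followed by unusual database access, and a bulk transfer off-site), here is a small rule set run over a handful of constructed log lines. This is an added example written for this article, not code from Wyndham, LogLogic, ArcSight or any other vendor; the log format, host addresses, account names, table names and alert thresholds are all assumptions chosen for illustration.

```python
"""Toy SIEM-style correlation over constructed log events.

Added example, not from the article or any vendor's product. Each rule
looks for one of the pre-extraction signs Henry lists: periodic beaconing
to an external host, privilege escalation followed by a read of a
sensitive table, and a large outbound flow to an external destination.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed sample log: "<timestamp> <source> <event type> key=value ...".
# Addresses, users and tables are invented; 203.0.113.7 is a documentation range.
SAMPLE_LOG = """\
2009-10-28T02:00:00 fw CONN src=10.1.5.20 dst=203.0.113.7 bytes=512
2009-10-28T02:10:00 fw CONN src=10.1.5.20 dst=203.0.113.7 bytes=498
2009-10-28T02:20:00 fw CONN src=10.1.5.20 dst=203.0.113.7 bytes=530
2009-10-28T02:30:00 fw CONN src=10.1.5.20 dst=203.0.113.7 bytes=501
2009-10-28T02:31:12 ad PRIV_ESC user=svc_report group=DomainAdmins host=10.1.5.20
2009-10-28T02:33:40 db QUERY user=svc_report table=cardholder rows=250000 host=10.1.5.20
2009-10-28T02:40:05 fw CONN src=10.1.5.20 dst=203.0.113.7 bytes=48000000
2009-10-28T08:15:00 fw CONN src=10.1.7.9 dst=10.1.9.2 bytes=2048
2009-10-28T09:00:00 db QUERY user=reporting table=occupancy rows=120 host=10.1.7.9
"""

# Assumed policy values: which tables hold card data, what counts as bulk,
# and how long after an escalation a sensitive read is considered linked.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SENSITIVE_TABLES = {"cardholder"}
BULK_BYTES = 10_000_000
ESCALATION_WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp plus key=value fields."""
    ts, source, kind, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "source": source, "kind": kind, **fields}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_external(ip):
    """True when the address is outside the RFC 1918 ranges, i.e. off-site."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def detect_beacons(events, min_conns=4, max_cv=0.1):
    """Flag src->external dst pairs whose connection intervals are near-constant."""
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "CONN" and is_external(e["dst"]):
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    alerts = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        # Coefficient of variation: machine-driven beacons have very regular gaps.
        if mean > 0 and pstdev(gaps) / mean <= max_cv:
            alerts.append(("beacon", src, dst, f"{len(times)} connections ~{mean:.0f}s apart"))
    return alerts


def detect_escalation_then_access(events):
    """Flag a sensitive-table read by an account shortly after it gained privileges."""
    alerts = []
    for esc in (e for e in events if e["kind"] == "PRIV_ESC"):
        for q in events:
            if (q["kind"] == "QUERY" and q["user"] == esc["user"]
                    and q["table"] in SENSITIVE_TABLES
                    and esc["ts"] <= q["ts"] <= esc["ts"] + ESCALATION_WINDOW):
                delay = (q["ts"] - esc["ts"]).total_seconds()
                alerts.append(("escalation_then_access", esc["user"], q["table"],
                               f"{q['rows']} rows read {delay:.0f}s after escalation"))
    return alerts


def detect_bulk_outbound(events):
    """Flag any single flow to an external destination above the bulk threshold."""
    return [("bulk_outbound", e["src"], e["dst"], f"{int(e['bytes'])} bytes")
            for e in events
            if e["kind"] == "CONN" and is_external(e["dst"]) and int(e["bytes"]) >= BULK_BYTES]


def correlate(text):
    """Run all rules over a log text and return the combined alert list."""
    events = parse_log(text)
    return detect_beacons(events) + detect_escalation_then_access(events) + detect_bulk_outbound(events)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the three rules each fire once, all pointing at the same internal host and account, which is the correlation Churchward has in mind: no single line is damning, but the sequence (regular beacons, then escalation, then a card-table read, then a 48 MB flow to the same external host) is. Each rule here is deliberately simple; a real deployment would tune thresholds against baseline traffic and feed the alerts into a case workflow rather than printing them.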
Ross Brewer, vice president and managing director at LogRhythm, agreed with the points made that security breaches are often identified when it is too late, and the process of tracking back can delay rectifying the problem further.
He said: “Centralised logging and security event management platforms take on the function of automatically monitoring and securing all activity logs while reporting and alerting on activities that warrant attention as and when they happen. Of course any security breach that compromises the privacy or integrity of customer information has the potential to be another TK Maxx and that is why we have the growing raft of regulatory and compliance initiatives.
“Moving forward, protective monitoring will become a crucial weapon in IT risk management because without such systems and processes in place, corporate and government organisations have no means of identifying, investigating and preventing malicious behaviour until it is too late.”
In short, it seems that my suspicions about whether log management had been implemented were very much correct; in fact, Wyndham confirmed that it was drafting in PCI DSS experts. Perhaps it should have been taking a longer look back at the log management solutions available.
Then again, what Ross Brewer said about ‘tracking back can delay rectifying the problem further’ could be taken as meaning that log management could not solve past problems. Or perhaps we should all be doing it in the first place, and these incidents would be avoided altogether.