In an article in February, Businessweek reported that the Neiman Marcus credit card attacks caused 60,000 alerts, yet nobody appears to have noticed. There have been other reports about the breach as well. While it seems the malware may have deleted and later reinstalled itself each day, along with other evasion techniques, it did set off alarms, and for whatever reason those alarms went unnoticed or were ignored. You can read the articles for different analyses. I don’t have enough information to place blame anywhere, and I’m not going to do that. There are things we can learn from the reports, however.
There are at least partial protections against credit card fraud, as I outlined in an earlier post. It is unclear whether they would have completely prevented this attack; they might or might not have prevented the numbers from subsequently being used fraudulently. I don’t know, but what I do know (based on these articles and others) is that for three and a half months the alerts went unnoticed, or at least no action was taken on them.
We discuss this issue specifically in Learning Tree Course 468, System and Network Security Introduction. The points we make in the class are a) that logging is essential, whether part of an intrusion detection/prevention system or part of another security/operating system subsystem; and b) that no matter how great a software package one has to analyze the logs, a human must look at the results of that analysis.
There are, of course, lots of reasons to log data in a computer system, and security is just one of them. In the Neiman Marcus case the logs with the alerts were about anomalous network behavior and possibly about software installations and changes. The point is (and this is made clear in the Businessweek article) that the company was doing the right things. In fact, they were logging many things, and the anomalous network activity was only a small part of what was logged.
That’s why humans need to process the logs. The sheer volume of information, even after reduction by log processing software, can be enormous. I don’t know whether they looked at those logs and missed the attacks, whether the logs just didn’t make the information clear (not unusual), or what. Regardless of what happened (and again, I’m not casting any blame here!) we can learn from this. We can learn that humans must process log data – probably not raw data but some kind of filtered, summarized data. And the humans must be trained in what to look for. There is a lot of investigation still to be done (or released), and I hope we get a clear picture of what changes they will make, and perhaps others should make, to prevent this from happening again.
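To make the "filtered, summarized data" point concrete, here is an added example (my own illustration, not code from the post or from any vendor product) that collapses raw alert lines into per-rule counts and flags host/rule pairs that fire on consecutive days, which is exactly the daily delete-and-reinstall pattern a reviewer would want surfaced rather than buried in tens of thousands of lines. The alert lines and their format (timestamp, host, rule name) are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample alert lines (not real breach data).
# Assumed format: ISO timestamp, host name, rule name.
ALERTS = """\
2013-07-16T02:14:05 pos-017 NEW_SOFTWARE_INSTALL
2013-07-16T02:14:09 pos-017 OUTBOUND_CONN_UNUSUAL_PORT
2013-07-16T09:30:11 web-02 PORT_SCAN_INBOUND
2013-07-17T02:13:58 pos-017 NEW_SOFTWARE_INSTALL
2013-07-17T02:14:02 pos-017 OUTBOUND_CONN_UNUSUAL_PORT
2013-07-18T02:14:10 pos-017 NEW_SOFTWARE_INSTALL
2013-07-18T02:14:15 pos-017 OUTBOUND_CONN_UNUSUAL_PORT
2013-07-18T11:02:44 web-02 PORT_SCAN_INBOUND
2013-07-19T02:14:01 pos-017 NEW_SOFTWARE_INSTALL
"""


def parse(text):
    """Turn raw alert lines into (timestamp, host, rule) tuples."""
    rows = []
    for line in text.splitlines():
        ts, host, rule = line.split()
        rows.append((datetime.fromisoformat(ts), host, rule))
    return rows


def summarize(rows, min_days=3):
    """Reduce alerts to per-rule totals plus (host, rule) pairs that fired on
    at least `min_days` consecutive calendar days, i.e. a daily repeat."""
    by_rule = Counter(rule for _, _, rule in rows)
    days = defaultdict(set)
    for ts, host, rule in rows:
        days[(host, rule)].add(ts.date())
    recurring = {}
    for key, dset in days.items():
        ordered = sorted(dset)
        run = best = 1  # length of the current / longest consecutive-day run
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if (cur - prev).days == 1 else 1
            best = max(best, run)
        if best >= min_days:
            recurring[key] = best
    return {"total": len(rows), "by_rule": dict(by_rule), "recurring": recurring}


if __name__ == "__main__":
    report = summarize(parse(ALERTS))
    print(report["total"], "alerts;", "recurring:", report["recurring"])
```

The one-line summary a human sees is "9 alerts; pos-017 repeated NEW_SOFTWARE_INSTALL on 4 consecutive days", which is what the training the post calls for should teach people to act on.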