What’s Getting Lost in Your Log Data?

When stories come up in the news about data breaches, if you’re like me, you tend to gloss over them if they seem similar to something you’ve already read. I almost did that today. But something in this story really got my attention.

There’s a story this week about Neiman Marcus being hit by hackers who gained access and moved about their systems obtaining about 350,000 credit card numbers over a three-and-a-half month period! First red flag, right? Right. So after hearing that, the next obvious question is “Didn’t they know about any of this activity?” Surely a company as large as Neiman Marcus would have security logs in place and some kind of alerting system.

Not only does Neiman Marcus have a system to log and alert on security incidents, but that system triggered 60,000 alerts over the same period of time. 60,000???? Why didn’t anyone notice?

A quote from their spokesperson provides some insight: “These 60,000 entries, which occurred over a three-and-a-half month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day.” The math loosely translates to nearly 600 entries a day in a sea of the “tens of thousands of entries every day”. Neiman Marcus isn’t alone – every IT organization faces the same event log overload.

So what changes to security in your critical IT systems are being missed? Security changes in Active Directory, which underpins access to just about everything in the Microsoft world, and, closer perhaps to the Neiman Marcus story, security changes in SQL Server, which may house your company’s most sensitive data, need to be audited on an ongoing basis. Without auditing such IT changes you run the risk, as the Neiman Marcus breach shows, of security being compromised without ever knowing it… well, at least not until it’s too late.
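As an added example (not code from the original post), here is a small Python triage filter that runs over a constructed log sample: it keeps only the entries that change who can access what in Active Directory or SQL Server and reports what share of the log they make up, which is the “1 percent or less” problem in miniature. The Windows Security event IDs are real; the pipe-separated log format, the SQL Server audit lines and the user names are constructed for the example.

```python
"""Triage a noisy security log so that the few security-change events
surface above the routine entries that drown them out."""
import re

# Windows Security event IDs for changes that alter who can access what in AD.
# The IDs are real; the log line format around them is constructed for this example.
AD_SECURITY_CHANGE_EVENTS = {
    4720: "user account created",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
}
# Statement prefixes that mark permission changes in a constructed SQL Server audit feed.
SQL_PERMISSION_PREFIXES = ("GRANT", "ALTER SERVER ROLE", "ALTER ROLE")

# Constructed sample log: one entry per line as "source|event|detail".
SAMPLE_LOG = """\
winsec|4624|logon success user=alice
winsec|4624|logon success user=bob
winsec|4634|logoff user=alice
winsec|4728|member svc-backup added to group Domain Admins by user=bob
winsec|4624|logon success user=carol
sqlaudit|STMT|SELECT * FROM orders
sqlaudit|STMT|GRANT CONTROL SERVER TO [svc-backup]
sqlaudit|STMT|SELECT * FROM customers
winsec|4672|special privileges assigned user=svc-backup
winsec|4720|user account created name=tmp-admin by user=bob
"""
LINE_RE = re.compile(r"^(?P<source>\w+)\|(?P<event>\w+)\|(?P<detail>.*)$")

def classify(line):
    """Return why an entry is a security change, or None for routine noise."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed entry; in production count these separately rather than drop them
    source, event, detail = m.group("source", "event", "detail")
    if source == "winsec" and event.isdigit():
        return AD_SECURITY_CHANGE_EVENTS.get(int(event))
    if source == "sqlaudit":
        for prefix in SQL_PERMISSION_PREFIXES:
            if detail.upper().startswith(prefix):
                return "SQL Server permission change: " + prefix
    return None

def triage(log_text):
    """Return (flagged entries with reasons, total entries, flagged share of total)."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    flagged = [(ln, reason) for ln in lines if (reason := classify(ln))]
    return flagged, len(lines), len(flagged) / len(lines)
```

Running `triage(SAMPLE_LOG)` flags three of the ten entries: the Domain Admins group change, the GRANT CONTROL SERVER statement, and the new account; the logons and SELECTs around them are the noise the post is talking about.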