The Sys Admin Did It!
Like the butler in classic murder mysteries, we’re quick to suspect the person with unfettered access, and that’s often the proverbial “red herring”. The 2011 Verizon Data Breach Investigations Report (DBIR) provides system administrators with a statistical alibi.
“For the second year in a row, it is regular employees and end-users—not highly trusted ones—who are behind the majority of data compromises. This is a good time to remember that users need not be super users to make off with sensitive and/or valuable data.”
Verizon also reports that the internal threat has reached an all-time low of 17%, and notes that regular employees accounted for 85% of the “insider” breaches. Finance/accounting and executive management also represented a fairly healthy percentage of data loss, but the venerable System/Network Administrator was the culprit in only 3% of their investigations. The Verizon team speculated that while these people do have the “keys to the kingdom,” perhaps someone changed the locks.
Lies, Damn Lies and Statistics
Before we get too excited about these numbers, we need a little context. Verizon is quick to point out that the “all-time low” of illicit insider activity (internal agents) is “not so much a decrease in internal agents as much as a comparatively huge increase in external agents.” In fact, the number of attacks attributed to insiders actually doubled in this year’s report.
While statistically you’re about five times more likely to be breached from the outside, it would be foolish to take your eye off what’s happening on the inside. Regardless of the “origin”, the target is the soft, chewy center of your network. A common mistake is for organizations to focus exclusively on the perimeter with firewalls, IDS/IPS, WAF, etc. and unwisely conclude that they’re secure.
Real-Time Visibility
We recently blogged on the topic of visibility (“Barracuda: Got SIEM?”) in response to speculation that Barracuda Networks might have been breached because of a lack of layered defenses. Our point was that it’s far more likely the breach was simply a lack of visibility. That’s not to say that getting visibility is simple, but it’s critical to ensuring that your products, policies and procedures are actually working.
So how do you combat the insider threat, or the external threat that has established a beachhead inside your network? Yes, SIEM is the answer. No, this is not a blatant product pitch. Assuming you already have layers of defenses and employ best practices in areas like least privilege, the missing piece is real-time analysis. Let me be clear – I’m not talking about Log Management, and if you have any doubt about that, please read this: “Log Management: Bad News, Good News”.
Close the Gap
What a true SIEM solution provides is real-time log “analysis” and event correlation. This is the process that provides context to what’s happening, and it is the only practical way to gain “actionable” insight into the activity on your network. There is simply no other technique, process, policy, procedure or technology that comes anywhere close to SIEM in its ability to close the gap between detection, containment and remediation. Let’s face it, the goal is to detect the break-in, not investigate the murder.
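To make the distinction between stored logs and real-time correlation concrete, here is a small added example (mine, not code from the post or from TriGeo) of the kind of rule evaluation a SIEM performs as events arrive. It correlates two things the post calls out: an ordinary user account that is hammered with failed logins and then succeeds, and that same non-admin account then sweeping a sensitive file share. The log line format, the event names, the share name and the thresholds are all assumptions chosen for illustration, and the sample log is constructed, not captured data.

```python
"""Minimal real-time event correlation in the spirit of SIEM analysis.
Added example, not the post's or TriGeo's code. The log format, event
names and thresholds below are assumptions made for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_event(line):
    """Assumed line format: '<ISO timestamp> <host> <event> key=value ...'"""
    ts, host, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


class Correlator:
    """Evaluates rules on each event as it arrives, keeping only a sliding
    window of recent activity per user. This is stream processing, not a
    search run later over an archive (which is what log management gives you)."""

    def __init__(self, window=timedelta(minutes=10), fail_threshold=5, file_threshold=20):
        self.window = window
        self.fail_threshold = fail_threshold
        self.file_threshold = file_threshold
        self.history = defaultdict(deque)  # user -> recent events in the window
        self.fired = {}                    # (rule, user) -> time of last alert
        self.alerts = []                   # (rule, user, timestamp)

    def _prune(self, user, now):
        q = self.history[user]
        while q and now - q[0]["ts"] > self.window:
            q.popleft()

    def _alert(self, rule, user, now):
        # Suppress repeat alerts for the same rule/user inside one window.
        last = self.fired.get((rule, user))
        if last is None or now - last > self.window:
            self.fired[(rule, user)] = now
            self.alerts.append((rule, user, now))

    def ingest(self, line):
        ev = parse_event(line)
        user, now = ev["user"], ev["ts"]
        self._prune(user, now)
        q = self.history[user]
        q.append(ev)

        # Rule 1: a burst of failures followed by a success points to credential
        # guessing or misuse, regardless of whether the account is privileged.
        if ev["event"] == "login_success":
            fails = sum(1 for e in q if e["event"] == "login_failure")
            if fails >= self.fail_threshold:
                self._alert("brute_force_then_success", user, now)

        # Rule 2: one account reading many distinct files on a sensitive share
        # in a short window is a data-theft indicator worth a containment step.
        if ev["event"] == "file_read" and ev.get("share") == "finance":
            paths = {e["path"] for e in q
                     if e["event"] == "file_read" and e.get("share") == "finance"}
            if len(paths) >= self.file_threshold:
                self._alert("sensitive_share_sweep", user, now)


def sample_log():
    """Constructed sample, not real data: a regular user's account is brute-forced
    and then used to sweep the finance share; an administrator logs in normally."""
    base = datetime(2011, 5, 2, 9, 0, 0)
    at = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f"{at(10 * i)} vpn01 login_failure user=jdoe src=203.0.113.7" for i in range(5)]
    lines.append(f"{at(60)} vpn01 login_success user=jdoe src=203.0.113.7")
    lines.append(f"{at(90)} srv01 login_success user=admin src=10.0.0.5")
    lines += [f"{at(120 + 5 * i)} fs01 file_read user=jdoe share=finance path=/finance/q1/{i}.xlsx"
              for i in range(20)]
    return lines


def run(lines):
    """Feed lines through the correlator in arrival order and return the alerts."""
    c = Correlator()
    for line in lines:
        c.ingest(line)
    return c.alerts


if __name__ == "__main__":
    for rule, user, ts in run(sample_log()):
        print(f"{ts.isoformat()} ALERT {rule} user={user}")
```

Both alerts fire on the jdoe account, which is exactly the kind of regular, non-privileged user the DBIR says is behind most compromises; the admin login passes through untouched. The point is timing: the alerts are raised on the event that crosses the threshold, while the analyst still has a chance to contain, rather than days later when someone finally queries the archive.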
*** This is a Security Bloggers Network syndicated blog from TriGeoSphere authored by Michael Maloof. Read the original post at: http://blog.trigeo.com/2011/the-sys-admin-did-it/

