SANS Critical Security Controls (CSC) have been getting more attention over the last few years. As security experts come around to focusing on the actual techniques used by hackers, the SANS “offense informs defense” approach is resonating. And now with the2014 Verizon Data Breach Investigations Report (DBIR), it has received a new and important endorsement. The DBIR has for years acknowledged the CSC, but for the first time, the Verizon security team included a direct mapping between common attack patterns and the CSC.

One of the assumptions behind the SANS controls is that the hackers will eventually get past the perimeter defenses, so you need to limit the data that’s available and accessible. And then back that up with secondary defenses to spot unusual patterns that often indicate intruders are present–for example, by monitoring audit logs and account activity.

We’ll be discussing more about the SANS controls in a series of posts that we will be publishing soon. In the meantime, the SANS site has some interesting survey data that’s worth reviewing. In 2012, 600 IT professionals were interviewed about their organizations’ use of event logging technology.

Two results from this SANS survey got my attention and provided additional validation for ideas we’ve been talking about at the Metadata Era. First, the SANS data says that the single greatest challenge in integrating audit logs with other tools was “identification of key events from normal background activity”.

What’s stopping companies from gauging the baseline? It turns out that it’s not that easy—as readers of this blog already know–to establish what are normal patterns using standard technology.  Not easy, but not impossible: Varonis DatAdvantage learns typical file and email usage and then can alert IT staff when anomalies are detected.

The survey suggests that IT pros are overwhelmed by the amount and complexity of data in the logs. The largest group, about 35%, said they spend none to a few hours a week looking at their logs, 10% said one day per week, and 11% said more than one day. By the way, the survey was weighted heavily towards enterprise class companies. This second result tells us that half of the companies in the survey are not conducting log analysis in anything close to real-time.

I’m not surprised by these data points. Our own Red Alert Research Report yielded similar dispiriting survey data, and we learned that only 6% of companies had full automated breach notification alerts.

One of our conclusions was that IT security should limit in the first place the amount of sensitive information available to hackers. Of course, real-time monitoring—the security cameras—are an important SANS control and a critical part of any “plan B” defense.

But organizations still need an enforceable policy in place to prevent users from leaving valuable assets out in the open—IP and other sensitive data in poorly permissioned folders. This can be accomplished by routinely classifying and searching for PII in files, and performing regular monitoring of folders to hunt down and eliminate broad permissions to this data.

It’s a low-hanging security fruit that, by the way, the Varonis IDU Classification Enginewas designed to snatch up and quickly resolve.

Thanks to


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s