The system intrusion at the Framingham, Mass.-based retailer occurred last May but wasn't discovered until mid-December -- seven months later. TJX publicly disclosed the breach two weeks ago.
In a similar incident at Ohio University, a server break-in that exposed the personal data of about 137,000 alumni went unnoticed for more than a year before being discovered last spring along with several other security breaches.
The gap between the intrusion at TJX and its discovery isn't entirely surprising, given the myriad ways attackers can gain access to systems and then conceal their tracks, said Drew Maness, a senior security strategist at a large entertainment company that he asked not be named.
"The reason it's so difficult [to discover a data breach] is because it can come at you from any angle," Maness said. "With physical security, it's very rare that someone breaks in through a side wall on the eighth floor. With computer security, they come in through that side wall."
To quickly and consistently detect such intrusions, IT managers need to be able to collect and analyze literally every transaction flowing through their networks in real time, according to Maness. "You've got to know what every single packet on the network is doing, where it's coming from, where it's going and which ones are bad," he said.
That can be a huge challenge, considering the sheer number of transactions and the terabytes of storage space required on a daily basis to store log data about all of them, said David Jordan, chief information security officer for Virginia's Arlington County. It also requires comprehensive modeling of typical network behavior enterprisewide so any abnormal activity can be pinpointed, Jordan said.
Few existing products
For now, at least, there are few out-of-the-box products that can help companies do end-to-end log collection and real-time data correlation and analysis, said Amer Deeba, vice president of marketing at Qualys Inc., a vulnerability management services provider in Redwood Shores, Calif. And the cost of custom-building such capabilities can be prohibitive, added Deeba.
But there are some tools that IT managers can use to address parts of the challenge, Deeba noted. For instance, several logging and monitoring tools are available for quickly detecting unauthorized database activity.
USEC Inc., a US$1.6 billion energy company in Bethesda, Md., uses an appliance from Guardium Inc. to monitor the activities of the administrators who manage the Oracle and SQL Server databases underlying its financial applications. The Guardium device can detect unauthorized changes and other policy violations that could affect the integrity of USEC's financial data, said CIO David Vordick.
The technology also enables USEC to monitor compliance with Sarbanes-Oxley financial reporting regulations and provides the company with a real-time security-alerting capability, Vordick said.
Accor North America, a Carrollton, Texas-based operator of hotel chains such as Red Roof Inns and Sofitel, is using an appliance from Imperva Inc. to detect unusual database activity as it occurs. Such tools let companies move from a "passive security" model to a more aggressive one, said Jaimin Shah, a senior security engineer at Accor.
Being able to do the same kind of monitoring of all network and system assets could help companies detect suspicious activity more quickly, Shah said. "The problem is that monitoring generates a tremendous amount of logs," he said, adding that "getting the right information as quickly as we can" is a challenge.
Vendors such as LogLogic Inc. are beginning to offer more efficient ways to sift through log data, Maness said. But he still expects it to take up to 10 years to develop true end-to-end capabilities for tracking networks.