Spotting system intrusions a challenge for IT

29.01.2007
Protecting corporate systems against intruders isn't easy. But detecting a breach that has actually happened can sometimes be even harder, IT managers and analysts said last week in the wake of the high-profile data compromise at The TJX Companies Inc.

The system intrusion at the Framingham, Mass.-based retailer occurred last May but wasn't discovered until mid-December -- seven months later. TJX publicly disclosed the breach two weeks ago.

In a similar incident at Ohio University, a server break-in that exposed the personal data of about 137,000 alumni went unnoticed for more than a year before being discovered last spring along with several other security breaches.

The gap between the intrusion at TJX and its discovery isn't entirely surprising, given the myriad ways attackers can gain access to systems and then conceal their tracks, said Drew Maness, a senior security strategist at a large entertainment company that he asked not to be named.

"The reason it's so difficult [to discover a data breach] is because it can come at you from any angle," Maness said. "With physical security, it's very rare that someone breaks in through a side wall on the eighth floor. With computer security, they come in through that side wall."

To quickly and consistently detect such intrusions, IT managers need to be able to collect and analyze literally every transaction flowing through their networks in real time, according to Maness. "You've got to know what every single packet on the network is doing, where it's coming from, where it's going and which ones are bad," he said.
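The kind of visibility Maness describes is usually approximated with flow records rather than full packet capture. The script below is an added example, not code from the article or from any of the companies it names: it reads a few constructed NetFlow-style records, learns which external destinations each internal host normally talks to during a baseline window, then flags later flows to a destination the host has never used or that move an unusually large outbound volume, and finally reports how long the first flagged flow went undetected. The record format, the IP ranges treated as internal, the hosts, the thresholds and the dates are all assumptions made for this example.

```python
"""Flow-log triage: baseline known egress, flag new or bulky egress, measure dwell.

Added example with constructed data; the record format, addresses, thresholds
and dates are assumptions, not anything from the article.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample records: "timestamp src dst dst_port bytes_out".
# Documentation ranges (203.0.113.0/24, 198.51.100.0/24) stand in for the Internet.
SAMPLE_FLOWS = """\
2006-05-01T09:00:00 10.1.2.10 10.1.0.5 445 2048
2006-05-01T09:01:00 10.1.2.10 203.0.113.7 443 5120
2006-05-01T09:02:00 10.1.2.11 203.0.113.7 443 4096
2006-05-02T09:00:00 10.1.2.10 203.0.113.7 443 6000
2006-05-02T09:05:00 10.1.2.11 203.0.113.7 443 3500
2006-05-17T02:13:00 10.1.2.10 198.51.100.23 443 900000
2006-05-17T02:14:00 10.1.2.10 198.51.100.23 443 1200000
2006-05-18T10:00:00 10.1.2.11 203.0.113.7 443 4000
"""

# Assumed: the organisation's internal address space (RFC 1918 ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dst_port: int
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows: list[Flow], until: datetime) -> dict[str, set[str]]:
    """Map each internal host to the external destinations it used before `until`."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if f.ts < until and is_internal(f.src) and not is_internal(f.dst):
            baseline[f.src].add(f.dst)
    return dict(baseline)


def find_anomalies(flows, baseline, after, byte_threshold=500_000):
    """Return (flow, reasons) for egress flows after `after` that break the baseline."""
    hits = []
    for f in flows:
        if f.ts < after or not is_internal(f.src) or is_internal(f.dst):
            continue  # only outbound flows from internal hosts are judged here
        reasons = []
        if f.dst not in baseline.get(f.src, set()):
            reasons.append("new external destination")
        if f.bytes_out >= byte_threshold:
            reasons.append("large outbound volume")
        if reasons:
            hits.append((f, tuple(reasons)))
    return hits


def dwell_days(hits, detected_at: datetime):
    """Calendar days between the earliest flagged flow and the day it was detected."""
    if not hits:
        return None
    first = min(f.ts for f, _ in hits)
    return (detected_at.date() - first.date()).days


def triage(text: str = SAMPLE_FLOWS,
           cutoff: datetime = datetime(2006, 5, 10),
           detected_at: datetime = datetime(2006, 12, 15)):
    """Run the whole pass: baseline before `cutoff`, flag after it, measure dwell."""
    flows = parse_flows(text)
    baseline = build_baseline(flows, cutoff)
    hits = find_anomalies(flows, baseline, cutoff)
    return hits, dwell_days(hits, detected_at)


if __name__ == "__main__":
    hits, dwell = triage()
    for f, reasons in hits:
        print(f"{f.ts.isoformat()} {f.src} -> {f.dst}:{f.dst_port} {f.bytes_out} B  {', '.join(reasons)}")
    print(f"first flagged flow went undetected for {dwell} days")
```

The baseline is deliberately per-host: a destination that is routine for one workstation can still be worth a look from another. The dwell figure is the number the TJX and Ohio University cases turn on; a pass like this only produces it if flow records were retained for the whole period, which is the practical reason to collect continuously rather than only when a breach is suspected.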