Showing posts with label IDS.

Tuesday, December 4, 2012

Lessons from the S.C. breach

In October, the South Carolina Department of Revenue discovered that it had been breached and contacted Mandiant to assist in the investigation and response.  All told, millions of social security numbers and hundreds of thousands of bank/credit card numbers had been stolen.

In November, Mandiant published their findings.  This is exciting.  All we usually get is a news article lacking in technical detail.  This we can actually learn from.

My goal in this blog post is to explore what, in hindsight, the S.C. Department of Revenue could or should have done better. Please read the Mandiant report before you move on.

Wednesday, July 25, 2012

Is IDS effective?

Network intrusion detection systems are popularly considered a crucial component of network defenses and fit well (in concept) with the idea of defense in depth. One of the common arguments in favor of IDS, which I first read from Richard Bejtlich, is that "prevention eventually fails." The argument is persuasive, and it seems that we should have some sort of monitoring or detection in place to help us discover when an attack has penetrated or evaded our defenses. Unfortunately, it's not clear that IDS accomplishes that goal.

In the physical world, the benefit of combining detection with prevention seems clearer. A fence with razor wire will deter a casual intruder or pedestrian from wandering onto a property, but a fence can be cut or climbed even with razor wire. We could build a stronger or higher barrier, perhaps a large steel wall, but this is expensive. It's more cost effective to install motion sensors, alarms, and cameras to alert security staff if someone violates the perimeter. This does not analogize well to network security.

Understanding Scope in Go

As per my New Year's resolution, I've been learning to program in Go and reading The Go Programming Language. On page 141 of the...