eBay is in the news this week, having been the latest high profile victim of a breach. From the media reports I’ve seen, it appears that the attackers compromised certain eBay employee credentials and then used those credentials to log into internal databases containing information about eBay’s users. While the story has been widely covered, I thought it would be interesting to look at it from a different perspective than I’ve seen in the media coverage.
This breach interests me because it brings together two concepts I’ve written about in the past: “The Forgotten Servers” (http://ananalyticalapproach.blogspot.com/2014/03/the-forgotten-servers.html) and “Don’t Forget to Dig” (http://ananalyticalapproach.blogspot.com/2014/05/dont-forget-to-dig.html).
I won’t rehash the details of those posts here, but in essence, identifying server compromises is extremely difficult. Detecting infected endpoints is much easier in comparison, and because of that, it typically dominates the security operations workflow. Servers, though, generally hold far more valuable information, and it is much harder to detect when they have been compromised. Server compromises generally live in the realm of the unknown unknowns, and they are usually far more serious than endpoint compromises.
This is where digging becomes important. While it may someday be possible to write reliable, high fidelity, low noise alerting for server environments, we’re not quite there as a community yet. No matter how rich and actionable our work queue of alerts is, we still need to dedicate some resources to work outside that linear flow. Those resources should be used to perform intensive analysis and “dig” through the network data using a variety of techniques. Server environments seem, to me at least, to be a great place to begin a digging initiative. Servers are valuable resources with valuable information that is worth keeping an eye on.
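One concrete shape a “digging” pass over server data can take, given the scenario described above (employee credentials reused against internal databases), is a hunt that compares database login events against a small analyst-supplied baseline and looks for credentials behaving unlike their owner. The script below is an added example written for this post; it is not code from the original article. The log format, the baseline networks, the business-hours window, the three-host spread threshold and the sample log lines are all constructed assumptions.

```python
"""Hunting for misused employee credentials against internal database servers.

Added example, not from the original post. Assumes a constructed log format:
    "<ISO timestamp> db=<host> user=<account> src=<ip> result=<ok|fail>"
plus an analyst-supplied baseline of the networks each account normally
connects from. Two checks run over successful logins:
  1. per-event: source outside the account's baseline, or outside business hours
  2. per (account, source) pair: one source reaching many distinct DB hosts,
     which is the kind of spread a stolen credential tends to produce
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample log lines (no real data). alice normally works from
# 10.10.1.0/24 during the day; the last three alice logins do not fit that.
SAMPLE_LOGS = """\
2014-05-01T09:12:03 db=userdb-01 user=alice src=10.10.1.15 result=ok
2014-05-01T09:40:11 db=userdb-01 user=alice src=10.10.1.15 result=ok
2014-05-02T10:05:44 db=userdb-02 user=bob src=10.10.2.7 result=ok
2014-05-02T23:51:09 db=userdb-01 user=alice src=10.99.7.21 result=ok
2014-05-03T00:02:30 db=userdb-02 user=alice src=10.99.7.21 result=ok
2014-05-03T00:05:12 db=userdb-03 user=alice src=10.99.7.21 result=ok
2014-05-03T08:30:00 db=userdb-02 user=bob src=10.10.2.7 result=ok
"""

# Constructed baseline (assumption): where each account is expected to come from.
BASELINE_SOURCES = {
    "alice": ["10.10.1.0/24"],
    "bob": ["10.10.2.0/24"],
}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59, assumed local time
SPREAD_THRESHOLD = 3            # distinct DB hosts from one (user, src) pair


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def in_baseline(user, src, baseline):
    """True if src falls inside one of the networks expected for user."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net) for net in baseline.get(user, []))


def hunt(events, baseline=BASELINE_SOURCES, hours=BUSINESS_HOURS,
         spread_threshold=SPREAD_THRESHOLD):
    """Return a list of findings; each is a dict with a 'kind' and a 'user'."""
    findings = []
    hosts_by_pair = defaultdict(set)   # (user, src) -> set of DB hosts reached

    for e in events:
        if e["result"] != "ok":        # failed logins are a separate hunt
            continue
        hosts_by_pair[(e["user"], e["src"])].add(e["db"])

        reasons = []
        if not in_baseline(e["user"], e["src"], baseline):
            reasons.append("source outside baseline")
        if e["ts"].hour not in hours:
            reasons.append("outside business hours")
        if reasons:
            findings.append({"kind": "anomalous_login", "user": e["user"],
                             "src": e["src"], "db": e["db"],
                             "ts": e["ts"].isoformat(), "reasons": reasons})

    # Spread check: one credential from one source touching many DB hosts.
    for (user, src), hosts in hosts_by_pair.items():
        if len(hosts) >= spread_threshold:
            findings.append({"kind": "spread", "user": user, "src": src,
                             "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_logs(SAMPLE_LOGS)):
        print(f)
```

The baseline is deliberately something an analyst writes down rather than something the script learns, because on a server estate the population of legitimate database clients is small enough to enumerate, and a hand-written baseline cannot be poisoned by the very activity you are hunting for. Swapping the constructed `SAMPLE_LOGS` for real authentication records and the baseline for your own access model is the only change needed.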
Bring your shovels. You’re going to need them.