On September 18th 2014, Home Depot published a press release (pdf) about their recent data breach. In this document, they let us know that the "cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards".
The press release was published on day 16 of the investigation. Yet they still had no idea how many records were actually affected. This tells us that Home Depot did not have an effective auditing strategy in place.
You clearly do not want to be in a position after a breach in which you can only tell that something bad happened, but you cannot get detailed information about what exactly happened. One of the regulations around PCI compliance is that you have to notify each affected customer individually. Most of the recent breaches also resulted in the affected company offering identity theft protection to those individuals. That amounts to a significant per person expense. If you could prove that only 10% of all customers were actually affected, you could probably save not only money but also reduce the damage to your reputation.
Without adequate auditing in place, you will not be able to get to this information.
However, there are actually more tangible advantages to an effective audit strategy. For example, you can use a well-designed audit trail to detect an active threat very early on, before it becomes a nightmare. An exploit based on SQL Injection, for example, in many cases requires a high number of queries to be executed. Depending on your company's size, that should show as a significant spike in your audit log. If blind injection is involved, you might even see an unusually high number of queries taking unusually long. Keep in mind that to be able to react to these signals, it is important to not only record the audit information but also review it regularly.
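To make the two signals above concrete (a spike in statement count, and a sustained run of slow statements), here is an added example that is not part of the original post: it runs simple detection logic over a constructed audit trail. The line format (`timestamp|principal|duration_ms|statement`), the sample lines, the thresholds and the function names are all assumptions made for the example; a real deployment would read the DBMS's own audit table or log file and tune the thresholds to its normal traffic.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit trail (not real data): one line per executed
# statement, in the assumed format "timestamp|principal|duration_ms|statement".
NORMAL_LINES = [
    "2014-09-18T10:00:03|app_user|4|SELECT name FROM products WHERE id = 17",
    "2014-09-18T10:00:41|app_user|5|SELECT name FROM products WHERE id = 42",
    "2014-09-18T10:01:12|app_user|3|SELECT name FROM products WHERE id = 9",
    "2014-09-18T10:01:50|app_user|4|SELECT name FROM products WHERE id = 23",
    "2014-09-18T10:02:08|app_user|5|SELECT name FROM products WHERE id = 5",
    "2014-09-18T10:02:55|app_user|4|SELECT name FROM products WHERE id = 31",
]
# A constructed burst of slow statements from the same principal within the
# 10:03 window: many more statements than usual, each taking about 2 seconds,
# which is the footprint a time-based blind injection leaves in the audit log.
BURST_LINES = [
    f"2014-09-18T10:03:{i:02d}|app_user|{2000 + i}|SELECT name FROM products WHERE id = {i}"
    for i in range(0, 48, 4)  # 12 statements, one every 4 seconds
]
SAMPLE_AUDIT_LOG = NORMAL_LINES + BURST_LINES


def parse_audit_line(line):
    """Split one audit line into its fields (assumed format, see above)."""
    ts, principal, duration, statement = line.split("|", 3)
    return {
        "ts": datetime.fromisoformat(ts),
        "principal": principal,
        "duration_ms": int(duration),
        "statement": statement,
    }


def window_start(ts, window_seconds):
    """Align a timestamp to the start of its fixed-size window (timezone-free)."""
    seconds = int((ts - datetime(1970, 1, 1)).total_seconds())
    return seconds - seconds % window_seconds


def query_rate_spikes(records, window_seconds=60, multiplier=5, min_queries=10):
    """Count statements per (principal, window) and flag a window when its count
    is at least `multiplier` times that principal's median window count and also
    at least `min_queries`, so a quiet principal does not alert on noise."""
    counts = Counter()
    for r in records:
        counts[(r["principal"], window_start(r["ts"], window_seconds))] += 1
    per_principal = defaultdict(list)
    for (principal, _), n in counts.items():
        per_principal[principal].append(n)
    alerts = []
    for (principal, start), n in sorted(counts.items()):
        threshold = max(min_queries, multiplier * median(per_principal[principal]))
        if n >= threshold:
            alerts.append((principal, start, n))
    return alerts


def slow_query_runs(records, slow_ms=1000, min_run=3):
    """Flag a principal whose consecutive statements (in time order) exceed
    `slow_ms` at least `min_run` times in a row: blind probing shows up as a
    sustained run of slow statements, not the occasional slow report query."""
    by_principal = defaultdict(list)
    for r in sorted(records, key=lambda rec: rec["ts"]):
        by_principal[r["principal"]].append(r)
    alerts = []
    for principal, recs in by_principal.items():
        run = longest = 0
        for r in recs:
            run = run + 1 if r["duration_ms"] >= slow_ms else 0
            longest = max(longest, run)
        if longest >= min_run:
            alerts.append((principal, longest))
    return alerts


def analyse(lines):
    """Run both detectors over raw audit lines and return their findings."""
    records = [parse_audit_line(line) for line in lines]
    return {"rate_spikes": query_rate_spikes(records), "slow_runs": slow_query_runs(records)}


if __name__ == "__main__":
    print(analyse(SAMPLE_AUDIT_LOG))
```

On the sample data the six baseline lines produce no findings, while adding the burst flags the 10:03 window (12 statements against a median of 2) and a run of 12 consecutive slow statements for `app_user`. The baseline here is the median of the principal's own windows; in practice you would compute it over a much longer history so a single busy minute does not drag the threshold up.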
You also might find yourself in a situation where having a proven audit strategy is not only a best practice, it is an actual regulatory requirement. For example, both Sarbanes-Oxley and HIPAA require that every action be traceable back to the individual who initiated it.
Finally, as with many other security mechanisms, auditing helps to keep the honest honest. A large number of attacks are executed by employees and contractors. If people know that their bad actions will be recorded, they are that much less likely to engage in any malicious activity in the first place.
Auditing is not a wonder weapon against cyber-attacks. However, it has a deterrent effect not to be underestimated. It might allow you to identify a problem early on and it definitely makes the investigation after the fact a lot simpler.
Get your auditing strategy in place now. Do not wait until after something bad happened and you are struggling to find the root cause and assess the extent of the damage. Remember: Only proactive auditing is effective auditing.
A weak (or non-existent) audit trail is one of the most commonly encountered database vulnerabilities. In this series of posts, I discuss 10 of them. Below are the ones that are published so far: