Splunk is using Distributed Ledger Technology to prove your data hasn’t been tampered with. This is a bigger deal than you might think. Read on for details.
The world relies on data to make decisions—the number of votes to determine an election, the bank deciding whether to grant you a loan, and even the evidence used to link a nation state to a cyber attack. The only thing worse than not having data is having manipulated data. Data sabotage is the latest evolution of data attacks on enterprises.
Evolution of Data Attacks
With data breaches, an adversary obtains a copy of data and tries to sell it. You might have already been affected by the Equifax, OPM, or Ashley Madison breaches. The value of this data diminishes quickly as copies of the data are made and sold, or as credit card companies immediately cancel breached card numbers.
Adversaries sought an attack that didn’t have this time-diminishing value; ransomware was the evolution. Attackers hold the data hostage until they are paid. Hopefully you weren’t in a hospital or using public transportation during a ransomware attack. The victims don’t always pay up, though; if they had a good backup strategy they could often recover. The attackers sought a method where they could profit without requiring the victim to do anything, or even know they have been attacked.
Data Integrity Attacks emerged. Instead of stealing or encrypting, the adversary tampers with data.
“Rather than merely steal data to sell off, more and more cybercriminals are now looking to steal money through sabotage and falsification of data records or transactions…. a massive cyberattack targeting the financial/banking industry that started with a spear phishing attack. Once they had gained entry to the targeted institutions, the attackers burrowed into the hearts of the accounting systems, inflating account balances and siphoning off money. It is estimated that around $1 billion was stolen from some 100 financial institutions worldwide.” - F. Howarth
Not all Data Integrity attacks will be for financial gain or for manipulating elections. Admiral Rogers, director of the NSA, said data tampering is second only to an attack on critical infrastructure on his list of the top 3 things that keep him up at night. These two nightmares could even be one and the same: data tampering can cause critical infrastructure to fail.
“What if someone gets in the system and starts manipulating and changing data, to the point where now as an operator, you no longer believe what you’re seeing in your system?” –Admiral Rogers *
This is what happened with Stuxnet, but it could be something worse, such as an attack on public utilities. It’s important to note that the attacker doesn’t have to inflict the damage themselves; they can simply alter the data such that the victim is the one that inflicts the damage. Bad data leads to bad decisions. The Director of National Intelligence (James Clapper) wrote a formal letter to Congress stating:
“Decision-making by government officials, corporate executives, investors or others will be impaired if they cannot trust the information they are receiving.” **
This happened to investors when a false tweet from Syrian hackers caused stock markets to fall.
It won’t always be a human that makes a bad decision; in this case it’s likely that some investors had software automatically take action and sell. Automation and orchestration are becoming integral to an organization’s ability to respond quickly and at scale. Performing an integrity check on data should be standard before using it to make a decision, whether by a human or a machine. Even more so if the data is in the cloud:
“Threats to data integrity are thus of paramount relevance, as tampering with data may maliciously affect crucial business decisions. This issue is especially true in cloud computing environments, where data owners cannot control fundamental data aspects, like the physical storage of data and the control of its accesses.” - ITASEC17
So How Can Organizations Protect Against Data Tampering?
The options have been limited, difficult to use, and don’t scale. Worst of all, many require moving the data outside the system used to analyze it or alert on it. Data is often too big to move, and it is too costly to store additional copies that will be subject to the same auditing and compliance requirements.
Organizations already put their data in Splunk; is there a way we can help them by creating a whole new level of data integrity? The answer is yes! Our solution combines Splunk’s existing Data Integrity capability with blockchain and other Distributed Ledger Technologies. As Splunk indexes data, it stores hashes of the data on an immutable ledger. If any of the indexed data stored in Splunk is corrupted or tampered with, it will no longer match what is on the distributed ledger. Voilà, now you can prove your data hasn’t been tampered with—while maintaining the ability to analyze it—without moving it!
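The hash-then-anchor scheme described above, as an added illustration that is not Splunk’s code: raw events are hashed in slices, a bucket-level hash over those slice hashes is anchored on an append-only, hash-chained list standing in for the distributed ledger, and verification recomputes everything from the raw data. The events, slice size, bucket id and the two-level hashing layout are assumptions made for this example.

```python
import hashlib

EVENTS = [  # constructed sample events standing in for one index bucket's raw data
    "2018-09-01T10:00:01 txn=1001 account=A balance=500.00",
    "2018-09-01T10:00:02 txn=1002 account=B balance=120.50",
    "2018-09-01T10:00:03 txn=1003 account=A balance=480.00",
    "2018-09-01T10:00:04 txn=1004 account=C balance=9000.00",
]
SLICE_SIZE = 2  # events per hashed slice; an assumption made for this example

def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def slice_hashes(events):
    """First-level hashes: one SHA-256 per fixed-size slice of raw events."""
    return [sha256_hex("\n".join(events[i:i + SLICE_SIZE]))
            for i in range(0, len(events), SLICE_SIZE)]

def bucket_hash(l1):
    """Second-level hash over the ordered slice hashes; only this value is anchored."""
    return sha256_hex("".join(l1))

class Ledger:
    """Stand-in for a distributed ledger: append-only and hash-chained, never edited."""
    def __init__(self):
        self.blocks = []   # (bucket_id, l2, prev_block_hash, block_hash)
        self.anchors = {}  # bucket_id -> anchored l2
    def anchor(self, bucket_id, l2):
        prev = self.blocks[-1][3] if self.blocks else "0" * 64
        self.blocks.append((bucket_id, l2, prev, sha256_hex(bucket_id + l2 + prev)))
        self.anchors[bucket_id] = l2

def verify(events, stored_l1, bucket_id, ledger):
    """Recompute hashes from raw events and compare with the anchored l2. Returns
    (ok, suspect_slices); the local l1 list only localises, the ledger is the trust root."""
    anchored = ledger.anchors.get(bucket_id)
    fresh_l1 = slice_hashes(events)
    if anchored is None:
        return False, []
    if bucket_hash(fresh_l1) == anchored:
        return True, []
    return False, [i for i, (a, b) in enumerate(zip(fresh_l1, stored_l1)) if a != b]

def demo():
    ledger, l1 = Ledger(), slice_hashes(EVENTS)
    ledger.anchor("bucket_1", bucket_hash(l1))
    tampered = list(EVENTS)
    tampered[2] = tampered[2].replace("480.00", "4800.00")  # an inflated balance
    return verify(EVENTS, l1, "bucket_1", ledger), verify(tampered, l1, "bucket_1", ledger)
```

`demo()` returns a clean result for the untouched events and flags slice 1 for the copy with the inflated balance; the ledger entry itself is never rewritten, so the stored anchor is what the altered data fails to match.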
Early feedback from customers trying it out is that this capability not only helps with security and compliance, such as the SEC’s SCI regulation, NIST 800-53, and even GDPR, but also enables a new benefit: they can send atypical data sources such as email, Slack messages, even process methods into Splunk, allowing them to use the information in a court case or to protect IP. There are industry-specific examples; in healthcare, data from late-stage clinical phases is sent to regulators before approval, and companies have to prove that the data hasn’t been tampered with since it was originally obtained. This opens up the door to protecting pretty much any type of data. For example, my daughter was born August 23rd, and the hour she was born I splunked her birth, parents’ info, etc., and the data was automatically protected using Ethereum Mainnet. This may not be a typical use case of the technology, but it begs the question: why not preserve the integrity of your data? Especially if it’s used to make critical decisions.
The key takeaway is that organizations rely more and more on data to make critical decisions, and data tampering is a rising threat. Your data can be your competitive advantage only if it can be trusted. Data integrity is a big deal; if you already know that and want to get your hands on this solution, let us know or check it out in the Innovation Lab next week at .conf18!