Every security professional's worst nightmare: 

Being informed by law enforcement or another third-party entity that you have suffered a data breach. 

Unfortunately, this nightmare is common among organizations that suffer an incident. Despite advancements in technological safeguards and other risk mitigation methods, most victimized organizations are unaware of ongoing attacks and the exfiltration of sensitive data from their networks for weeks, if not months.

Why Real-Time Security Detection Matters

Real-time detection and remediation can mean the difference between a contained security incident and a loss of protected information that leads to devastating financial repercussions. Real-time detection also allows organizations to avoid public embarrassment, customer defection, and other side effects of a highly publicized breach. Join us as we review six signs of a data breach in progress within your company's network and how you can quickly respond to emerging issues.

1. Critical File Changes

Upon gaining entrance to an organization's network, cybercriminals may modify, delete, or replace critical system files in an attempt to delay detection. These changes may be completed very quickly: Verizon indicates that most data breaches are completed in "minutes" or even less. Unless your organization is actively monitoring critical system files for negative changes, these clear signs of a data breach can go undetected for long periods of time.

There can be a massive number of changes to critical files on a daily basis, particularly for large organizations or companies with complex IT infrastructures. Having the ability to distinguish between normal changes and changes indicative of a data breach in progress is crucial. After the publication of one major retailer's data breach, the media reported evidence of the team choosing to disregard unusual activity because they didn't believe it "warranted an immediate follow-up." Your organization needs the technical ability or expertise to distinguish between positive, neutral, and negative changes in real time.
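A minimal sketch of that distinction, added here as an illustration and not taken from any vendor's product: it hashes a directory, compares it to a baseline, and marks a change as approved only when it matches a digest recorded in a change ticket. The file names, the `approved` manifest format, and the two verdict labels are assumptions made for the example.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root)
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def classify_changes(baseline, current, approved):
    """Compare two snapshots. `approved` (hypothetical ticket manifest) maps
    path -> digest expected after a sanctioned change; None = approved deletion."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue  # unchanged file, nothing to report
        kind = "added" if old is None else "deleted" if new is None else "modified"
        expected = path in approved and approved[path] == new
        findings.append((path, kind, "approved" if expected else "unauthorized"))
    return findings

def write(root, name, body):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(body)

def demo():
    """Constructed sample: one ticketed edit, one unticketed edit, one new file."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "sshd_config", b"PermitRootLogin no\n")
        write(root, "app.conf", b"debug=false\n")
        write(root, "hosts", b"127.0.0.1 localhost\n")
        baseline = snapshot(root)
        new_conf = b"debug=false\nworkers=4\n"
        # The ticket records the digest of the content that was signed off.
        approved = {"app.conf": hashlib.sha256(new_conf).hexdigest()}
        write(root, "app.conf", new_conf)                   # matches the ticket
        write(root, "sshd_config", b"PermitRootLogin yes\n")  # no ticket
        write(root, "cron.sh", b"#!/bin/sh\n")              # new, no ticket
        return classify_changes(baseline, snapshot(root), approved)
```

Matching on the approved digest rather than only the path means an edit to a ticketed file that differs from what was signed off is still reported.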

2. Unusually Slow Internet or Devices

Your security policy and end-user education programs should address immediate reporting and investigation of devices or a company network that suddenly appears to be running more slowly than usual. This can indicate onboard malware, viruses, or suspicious outbound traffic. Users should never assume IT is unreceptive to reports of devices running slowly; such reports do warrant investigation.

3. Obvious Device Tampering

If a user discovers their device is running after being turned off, this discovery should be reported immediately to security leadership. This could be a sign of physical access from someone else on-site or remote tampering.

Users should be trained to avoid using devices that may have been tampered with, including signing in to them. Other signs of device tampering can include a sudden surge in pop-up messages, fake antivirus warnings, or suspicious browser toolbars. If device tampering is suspected, users should avoid touching the device until IT has had time to inspect it, to prevent the risk of credential theft or other issues.

4. Locked User Accounts

If users are suddenly unable to access their accounts using valid credentials, it could be a sign that a cybercriminal has already compromised the account and locked out the user. It is critical for IT teams to review account access and password changes following user reports of a locked account, especially if users are certain valid credentials were entered correctly. Multi-factor authentication can be a valuable tool to reduce the risk of unauthorized access with valid user credentials.

5. Unusual Outbound Traffic

Unusual outbound traffic patterns are among the most telltale signs that something is wrong. A high volume of outbound traffic can result from criminals using your applications to communicate externally. It may also indicate the transfer of data. Monitoring traffic patterns regularly can be a crucial way to detect suspicious activities quickly.
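One way to turn regular traffic monitoring into an alert, shown as an added example that is not part of the original article: compare each host's outbound volume for the day with its own history, using the median and median absolute deviation (MAD). The host names, byte counts, multiplier `k`, and `floor` value are constructed assumptions.

```python
from statistics import median

# Constructed sample data: outbound bytes per host per day (last 7 days).
HISTORY = {
    "ws-014": [200_000_000, 220_000_000, 210_000_000, 190_000_000,
               205_000_000, 215_000_000, 198_000_000],
    "db-02": [1_000_000_000, 1_200_000_000, 900_000_000, 1_100_000_000,
              1_000_000_000, 1_300_000_000, 1_100_000_000],
}
# Constructed sample data: outbound bytes observed today.
TODAY = {"ws-014": 230_000_000, "db-02": 9_000_000_000, "kiosk-77": 1_000_000}

def outbound_baseline(daily_bytes):
    """Return (median, MAD) of a host's historical daily outbound bytes."""
    values = list(daily_bytes)
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad

def flag_hosts(history, today, k=6.0, floor=50_000_000):
    """Flag hosts sending more than median + k * spread bytes today.

    `floor` is a minimum spread so that a very steady host (MAD near zero)
    does not alert on ordinary jitter. Hosts with no history are reported
    separately, since an unknown device sending traffic is itself worth a look.
    """
    alerts = []
    for host, sent in sorted(today.items()):
        past = history.get(host)
        if not past:
            alerts.append((host, "no-baseline", sent))
            continue
        med, mad = outbound_baseline(past)
        threshold = med + k * max(mad, floor)
        if sent > threshold:
            alerts.append((host, "volume", sent))
    return alerts

def demo():
    """Run the check over the constructed sample above."""
    return flag_hosts(HISTORY, TODAY)
```

The median and MAD are used instead of mean and standard deviation so that a single earlier spike in a host's history does not inflate its baseline.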

6. Abnormal Administrative User Activity

Privileged user account compromise can be one of the most devastating signs of a data breach. PCI guidelines require logs to be reviewed on a regular basis, including the activities of administrative users. A history of viewing sensitive information, a high volume of database transactions, or sudden permission changes can be indicative of compromise from an external or internal threat.

The most effective organizations view all employees, including super users, with a healthy degree of suspicion. It's crucial to ensure your technical tools, including file integrity monitoring software, prevent your users from modifying logs to cover their tracks in case you are dealing with an internal threat.
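A sketch of how an audit trail can be made tamper-evident, added as an example and not a description of how any particular product locks its logs: each entry's hash covers the previous entry's hash, and the latest hash is assumed to be stored somewhere the administrator cannot write. The record fields and user names are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the first entry's "prev" field

def _digest(prev, record):
    """Hash the previous entry's digest together with this record."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev.encode() + payload).hexdigest()

def append(log, record):
    """Append a record chained to the current head; return the new head digest."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
    return log[-1]["hash"]

def first_tampered(log, trusted_head=None):
    """Return the index of the first entry that fails verification, or None.

    If `trusted_head` (a digest kept off-host, an assumption of this example)
    is supplied, a truncated or wholly rewritten log is reported as len(log).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(log)
    return None

def demo():
    """Constructed admin-activity records: verify intact, truncated, edited."""
    records = [
        {"user": "admin1", "action": "login", "src": "console"},
        {"user": "admin1", "action": "grant", "target": "svc-backup", "role": "db_owner"},
        {"user": "admin1", "action": "export", "table": "customers"},
    ]
    log = []
    for rec in records:
        head = append(log, rec)
    intact = first_tampered(log, head)
    truncated = first_tampered(log[:2], head)   # last entry removed
    log[1]["record"]["role"] = "reader"         # entry edited in place
    edited = first_tampered(log, head)
    return intact, truncated, edited
```

A chain like this detects edits but does not prevent them; the off-host head digest is what stops someone with write access from recomputing the whole chain unnoticed.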

To properly respond to incidents, organizations need to know their networks and have appropriate tools, policies, and procedures for monitoring their assets regularly. The response protocol should encompass both human elements, such as training employees to report suspicious device activity, and technological barriers, such as robust file integrity monitoring software, that keep you informed of negative changes.

Cimcor offers best-of-class solutions for monitoring security incidents. CimTrak is an easy-to-use solution that reports changes in real time and provides administrative users with the full ability to reverse negative changes to file configurations. With fully locked audit trails, CimTrak can also reduce insider risks significantly. To learn more, check out the Technical Summary.


Post by Lauren Yacono
October 17, 2023
Lauren is an IU graduate and Chicagoland-based Marketing Specialist.
