Every security professional's worst nightmare: Being informed by law enforcement or another third-party entity you have suffered a data breach. Unfortunately, this nightmare is common among organizations that suffer an incident. Despite advancements in technological safeguards and other methods of risk mitigation, most victimized organizations are “unaware of ongoing attacks and the exfiltration of sensitive data from their networks for weeks, if not for months."
Why Real-Time Security Detection Matters
Real-time detection and remediation can mean the difference between a security incident and a loss of protected information leading to devastating financial repercussions. Real-time detection also allows organizations to avoid public embarrassment, customer defection, and other side effects of a highly-publicized breach. Join us as we review six signs of a data breach in progress within your company's network and how you can respond with speed to emerging issues.
1. Critical File Changes
Upon gaining entrance to an organization's network, cybercriminals may modify, change, delete, or replace critical system files in an attempt to prolong detection. These changes may be completed very quickly—Verizon indicates the majority of data breaches are completed in "minutes" or even less. Unless your organization is actively monitoring critical system files for negative changes, these clear signs of a data breach can go undetected for long periods of time.
There can be a massive amount of changes to critical files on a daily basis, particularly for large organizations or companies with complex IT infrastructures. Having the ability to distinguish between normal changes and changes indicative of a data breach in progress is crucial. After one major retailer's data breach was publicized, the media reported evidence of the team choosing to disregard unusual activity because they didn't believe it "warranted an immediate follow-up." Your organization needs the technical ability or expertise to distinguish between positive, neutral, and negative changes in real-time.
2. Unusually Slow Internet or Devices
Your security policy and end-user education programs should address immediate reporting and investigation of devices or a company network that suddenly appears to be running more slowly than usual. This can indicate onboard malware or viruses or suspicious outbound traffic. Users should never assume IT isn't receptive to reports of devices running slowly, which certainly bear investigation.
3. Obvious Device Tampering
If a user discovers their device is running after being left turned off, this discovery should be reported immediately to security leadership. This could be a sign of physical access from someone else on-site or remote tampering.
Users should be trained to avoid using devices that may have been tampered with, including sign-in. Other signs of device tampering can include a sudden surge in pop-up messages, fake antivirus warnings, or suspicious browser toolbars. If device tampering is suspected, users should avoid touching the device until IT has had time to inspect it to avoid the risk of credential theft or other issues.
4. Locked User Accounts
If users are suddenly unable to access their accounts using valid credentials, it could be a sign that a cyber-criminal has already compromised the account and locked out the user. It is critical for IT teams to review account access and password changes following user reports of a locked account, especially if users are certain valid credentials were entered correctly. To reduce the risk of unauthorized access with valid user credentials, multi-factor authentication can be a valuable tool.
5. Unusual Outbound Traffic
IT Business Edge notes unusual outbound traffic patterns among "the most telltale signs that something is awry." This high traffic volume can result from criminals using your applications to communicate externally. It may also indicate the transfer of data. Monitoring traffic patterns on a regular basis can be a crucial way to detect suspicious activities quickly.
6. Abnormal Administrative User Activity
Privileged user account compromise can be one of the most devastating signs of a data breach. PCI guidelines require logs to be reviewed on a regular basis, including the activities of administrative users. A history of viewing sensitive information, a high volume of database transactions, or sudden permission changes can be indicative of compromise from an external or internal threat.
The most effective organizations view all employees, including super users, with a healthy degree of suspicion. It's crucial to ensure your technical tools, including file integrity monitoring software, prevent your users from modifying logs to cover trails in case you are dealing with an internal threat.
In order to respond to incidents, organizations need to know their networks and have appropriate tools, policies, and procedures for monitoring their assets on a regular basis. This should encompass both human elements, such as training employees to report suspicious device activity, and technological barriers keeping you informed of negative changes, like file integrity monitoring software.
Cimcor offers best-of-class solutions for monitoring security incidents in real-time. CimTrak is an easy-to-use solution that reports changes in real-time and provides administrative users with the full ability to reverse negative changes to file configurations. With fully-locked audit trails, CimTrak can also reduce insider risks significantly. To learn more, check out the Instant Preview.
Want to learn more about PCI Compliance? Download our PCI compliance checklist today.
May 26, 2016