It takes most organizations six months or longer to detect a data breach. Early detection can be critical to ensuring an incident doesn't become a full-scale breach. Security analysts at Gartner recommend real-time monitoring as an essential tool for the "rapid detection and response" necessary for both regulatory compliance and adequate protection.
Verizon has found the majority of data breaches are complete in just minutes or less, which could indicate that real-time detection is the only kind that matters.
Identifying Suspicious Changes
While the information security threat vector is complex and rapidly evolving, certain patterns and types of activity can be signs of unauthorized access to your company's network. In this blog, you'll learn about some early warning signs of negative changes that may indicate you are under active attack. You'll also gain some insight into how to identify red flags before it's too late to protect your organization.
1. Strange User Access Patterns
Log file activity can reveal suspicious user account activity. Spikes and abnormalities in log data can indicate a hacker's attempts to gain access by cracking a user's credentials. Types of unusual access that can be spotted during log audits can include:
- Failed Log-In Attempts,
- Remote access, and
- Odd hours access.
2. Abnormal Database Activities
Your databases are often the lifeline of your company's operations. If you are under attack from an internal or external agent, you may notice a sudden spike in activity that is not related to typical daily operations. Key signs your databases are being used in unusual ways may include:
- Sudden changes in database user or admin permissions,
- Rapid growth in the size of data contents, or
- Unusual database actions.
3. User and Device Mismatches
Sudden account access from a user and device combination could indicate an account has been compromised. GCN recommends "linking devices directly to users" to immediately detect unusual patterns in account activity. These can be detected through scheduled, frequent reviews of logs.
4. File Configuration Changes
Deletion, replacement, or alteration of critical system files may be indicative of a compromised system. In many cases, cybercriminals will modify critical files to avoid detection as soon as they gain access. Since the average data retrieval component of most incidents is complete in minutes or less, real-time detection may be necessary to determine whether you're under active attack.
Common negative file changes can include:
- Deleting Files,
- Altering File Contents or Configurations, and
- Adding or Replacing Files.
5. Changes During Scheduled Patch Updates
Keeping your security patches up-to-date is a critical activity for basic security. However, some cybercriminals and privileged insiders may wait until scheduled patch updates to make negative changes to a system. Depending on the specifications of your existing file integrity monitoring or intrusion detection solution, your tool may require being taken offline during patch updates.
If you're unable to monitor file integrity during scheduled patch updates, you are dealing with regular periods of total vulnerability. Unless your integrity monitoring tool can run continuously and contains the built-in intelligence to differentiate between positive and negative changes, you could risk undetected breaches.
6. Privileged Account Abuse
Verizon reports that privilege abuse is the most common form of insider abuse that results in data loss. Examples of privileged account abuse that can have negative organizational impacts include:
- Unnecessary access to sensitive information,
- Modifying audit trails, and
- Privileged account access sharing.
According to Ponemon Institute research, success in monitoring administrative users requires, among other factors:
- Network intelligence technologies,
- Ability to remediate admin access in case of abuse,
- Background checks on employees before hiring or promotion, and
- Built-in accountability in access governance.
7. User Reports
For organizations with minimal tools for intrusion detection, end users may detect changes first. It's unlikely these changes will be identified as a security incident. More likely, risk-aware end-users could approach IT with complaints of weird device behavior. Some common issues that your users may report which could indicate an incident in progress include:
- "Weird" antivirus warnings,
- Excessive Pop-Ups,
- Unauthorized browser toolbars, and
- Slow device performance.
Even if your change control detection is strong, culture and education can be key to getting your end-users to report suspicious changes. Symantec recommends encouraging employees to "keep an eye out and say something" if noticing suspicious changes. In addition, security administrators should keep users informed of any authorized changes.
8. Unauthorized Port Access
The majority of data breaches caused by insiders are the result of an error or poor knowledge. However, data theft by insiders or intruders does occur, which may be in collusion with external agents. Unauthorized port access can be an indicator that data theft has occurred, or malware has been uploaded to a computer on your network. Fortunately, for Windows users, locking your ports from unauthorized access is as simple as a minor change to your Windows Registry.
How Do I Identify Suspicious Network Changes in Real-Time?
Security incidents can occur 24/7/365. Not only is continual monitoring a best practice, but it's also required by PCI-DSS 10.5.5, 11.5, and other regulations. Selecting agent-based file integrity monitoring allows organizations to access real-time alerts with built-in intelligence to differentiate between positive, neutral, and negative changes. The right integrity monitoring solution will allow you to:
- Continually monitor file configurations and attributes to detect suspicious changes;
- Distinguish between positive, neutral, and negative changes to aid in response; and
- Completely reverse negative changes.
In today's security climate, minutes matter when it comes to reacting to a security incident. To learn more about how CimTrak can enable real-time detection and effective response, please click here to start a conversation today!
June 2, 2016