7 Tips for Early Data Breach Detection
One of the most important principles of enterprise security is the rapid detection of a data breach. Unfortunately, many organizations that experience a breach won’t learn about it for months, or even years. In the meantime, today’s fast-paced cyberattacks can cause significant damage to a company and its customers.
Early Data Breach Detection
Here are seven tips to help enterprises quickly detect a pending or actual data breach before it causes widespread harm:
Get the Right Cybersecurity Expertise
To successfully confront the increased number of cyberattacks, companies need skilled cybersecurity personnel who understand the current and evolving cyberthreat environment. With the right security staff, companies will be better prepared to rapidly detect an attack.
Although there’s a significant shortage of skilled security professionals, there are still plenty of steps an organization can take to fill the gap. Smart companies are increasingly outsourcing at least some of their security needs. Partnering with universities to pick the cream of the crop is another tactic, and using security tools specifically designed to address the shortage will also help (see Lastline’s blog Quality Tools Help Shortage of Cybersecurity Professionals).
Stay Up-to-Date with Cybercrime Evolution
Knowing who is behind the threats you face and understanding their motivations will help you implement security measures that put cybercriminals on the defensive. Hackers are relentless and constantly employ new means to penetrate networks. Studies show that malware authors create five new malware programs every second, and last year’s prevention methods won’t hold up to this year’s attacks.
Unless an organization constantly strives to stay abreast of the latest cybercrime methods, it will be unable to quickly detect a breach. The first line of defense is to understand where and how cyberattacks occur so enterprises can deploy appropriate controls and resources. That requires staying up to date through active involvement, appropriate education, and having the right security partners.
Deploy Modern Data Breach Detection Tools
In addition to keeping systems, servers, and applications patched and up to date, it’s imperative to deploy modern breach detection tools. Although security budgets have increased during the last few years, many organizations are still purchasing and deploying old technology. Unfortunately, these legacy products are no longer effective at preventing modern breaches. Today’s attackers use new methods that older security systems don’t detect. See Lastline’s blog Security Spending is Up – But on Old Technologies that Don’t Work to learn more.
Today’s advanced breach detection technologies are very effective at spotting cyberattacks that older tools will miss – even those that are only a year old. Modern tools also gather, consolidate and present incident data in an automated and prioritized manner that is easy to understand. This dramatically reduces the time it takes for the security team to recognize a cyberattack and take steps to mitigate it.
Leverage Global Threat Intelligence
No one can successfully defeat today’s cybercrime alone. By leveraging threat intelligence generated by other organizations around the world, you will have a huge advantage when it comes to rapidly detecting a breach. A recent report, The SANS State of Cyber Threat Intelligence Survey: CTI Important and Maturing, found that organizations that are effectively using global cyber threat intelligence experience a number of benefits:
- 71% saw improved visibility into new threats
- 48% reduced the number of incidents through early detection and prevention
- 58% experienced faster and more accurate response times
- 54% said it helps detect unknown threats they were previously unaware of
One challenge of using external threat intelligence is the sheer amount of data to process. Using advanced products that automatically ingest global threat intelligence will help in this area.
Perform Real-Time Monitoring of all Major Portions of the Enterprise
To detect and investigate security incidents more efficiently, security analysts need comprehensive and immediate visibility into key indicators of compromise. In addition to network-level telemetry, security staff need full visibility into logs and events from the underlying infrastructure, applications, and security systems. Effective controls for partner or supplier gateways must also be in place.
When dealing with malware, immediate visibility into what is happening on each particular host is critical. Breach detection tools need to prioritize alerts and make it easy for analysts to quickly visualize the entire context of each attack campaign.
Monitor Attack Campaigns – Not Just Individual Alerts
Conventional malware detection products only provide visibility of point-in-time threats. They generate notifications as individual events occur. But this often results in security analysts chasing an endless number of irrelevant alerts. Modern cyberattacks often take place over long periods, progressing through multiple stages of a cyber kill chain. These sustained attacks tend to go undetected in the deluge of daily alerts.
Organizations that focus on detecting attack campaigns, not just individual alerts, are more likely to spot a breach early in the process, and they will spend less analyst time doing so. This requires advanced threat detection products, but the investment is well worth it.
Train Users to Recognize the Warning Signs
It’s often human insight that makes the difference in rapid breach detection, and that requires a vigilant training program. Security teams obviously need to stay up to date, but it’s also important to educate other administrators and users so they can identify and report the early warning signs of an attack campaign.
Here are a few conditions that enterprises can teach users to watch for:
- Unusually slow Internet or devices
- Locked-out accounts
- Pop-ups and redirected websites when browsing
- Unexpected software installs
- Unexplained changes to files
- Anomalies in normal network traffic patterns
- Abnormal outbound traffic
- Irregular access locations
- Large number of requests for the same objects or files
- Suspicious activity on the network after hours
- Multiple failed login attempts
- Unknown/unauthorized IP addresses on wireless networks
- Unexplained system reboots or shutdowns
- Services and applications configured to launch automatically
Don’t assume that your users already know that they should report any of the above conditions. Encouraging them, or even rewarding them for doing so, will dramatically increase your organization’s ability to detect a data breach early on.
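To make the campaign-versus-alert distinction concrete, here is an added illustration (not code from the article or from Lastline) that correlates the individual warning signs listed above into a per-host campaign spanning several kill-chain stages, instead of raising a separate alert for each event. The alert lines and the indicator-to-stage mapping are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not from the article): "timestamp,host,indicator".
# Indicator names are taken from the article's warning-sign list.
SAMPLE_ALERTS = """\
2018-01-10T09:02:11,ws-17,multiple_failed_logins
2018-01-10T09:40:05,ws-22,multiple_failed_logins
2018-01-10T22:15:40,ws-17,unexpected_software_install
2018-01-11T02:30:12,ws-17,abnormal_outbound_traffic
2018-01-11T08:05:00,ws-09,unexplained_reboot
2018-01-14T03:11:49,ws-17,after_hours_activity
"""

# Assumed rough mapping of each warning sign to a kill-chain stage.
STAGE = {
    "multiple_failed_logins": "initial_access",
    "unexpected_software_install": "installation",
    "services_autostart": "persistence",
    "unexplained_reboot": "installation",
    "abnormal_outbound_traffic": "command_and_control",
    "after_hours_activity": "actions_on_objective",
}

def parse_alerts(text):
    """Turn the CSV-style lines into (timestamp, host, indicator) tuples, oldest first."""
    alerts = []
    for line in text.strip().splitlines():
        ts, host, indicator = line.split(",")
        alerts.append((datetime.fromisoformat(ts), host, indicator))
    return sorted(alerts)

def find_campaigns(alerts, window=timedelta(days=7), min_stages=2):
    """Group alerts per host and flag a campaign only when alerts covering at
    least `min_stages` distinct kill-chain stages fall inside one `window`.
    A lone failed-login burst or a single reboot never qualifies on its own."""
    by_host = defaultdict(list)
    for ts, host, indicator in alerts:
        by_host[host].append((ts, STAGE.get(indicator, "unknown")))
    campaigns = {}
    for host, events in by_host.items():
        for i, (start, _) in enumerate(events):
            stages = {s for t, s in events[i:] if t - start <= window}
            if len(stages) >= min_stages:
                campaigns[host] = sorted(stages)
                break
    return campaigns

if __name__ == "__main__":
    for host, stages in find_campaigns(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"campaign on {host}: stages {stages}")
```

Only ws-17 is reported, because its four alerts cover four stages within a week; the isolated alerts on ws-22 and ws-09 stay as low-priority single events.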
It’s also important to educate upper management (including the board) about the importance of security and the sustained investment that’s required to effectively combat cybercrime. See our blog Cybersecurity Slowly Making it to the Boardroom to learn more about the importance of involving top-level management.
With a large number of data breaches occurring today and the potential for significant damages, the need for speed is obvious when it comes to detecting a cyberattack. The technology exists to effectively and rapidly fight back against cybercrime, but it’s an ever-changing landscape, and organizations need to diligently stay up to date—constantly deploying new tools and controls. Failing to do so will virtually guarantee a data breach at some point.
Latest posts by Bert Rankin