Indicators of a breach
Jan 2nd, 2014 by Jesper Kråkhede
Remember the days of Melissa and Love letter? When you were breached, it was very visible and very clear to everyone in the office. Those days are long gone. Nowadays you may not even know that you have a breach, and the only way to find it is to use surveillance tools that look for anomalies in your traffic or in your users' behaviour. At Darkreading I found an interesting article with 15 top indicators of a breach. While not all indicators are possible to implement for a small business, some are easy to implement or easy to purchase as a surveillance service.
Unusual outbound traffic may be a first indicator that something is leaving your network. Large files going outbound over FTP or in HTTPS traffic may indicate that something is not right. If your company's normal network traffic consists of small files leaving via email, you may have a problem. Getting a surveillance service up and running may be a good investment if you lack other types of security or if you haven't got the resources for a full-blown security department with 24/7 monitoring of network traffic.
I have always been a great advocate of context-based sign-in, and with the proper monitoring and tools you could easily find out when someone is behaving out of the ordinary. If you were to monitor my behaviour, it would be typically normal for me to log on at 3 AM but very seldom at 6 PM. So if I were to log on at that time, either something out-of-bounds has happened or someone is doing something with my account, especially if the login came from a country I haven't been to before.
Unexpected patching is another interesting indicator. Patching is good, patching often is better, patching out-of-bounds is worst. Even though you should have short patching cycles, patching should never occur without your knowledge. A surveillance application that logs system changes is a very useful tool here.
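The three indicators above (unusual outbound traffic, sign-ins outside a user's normal hours or countries, and patching outside the maintenance window) all reduce to the same pattern: compare each logged event against a baseline the defender already holds. The script below is an added example, not code from the original post or from the Darkreading article; all log lines, the per-user sign-in baseline, the maintenance window, the approved-change list and the thresholds are constructed for illustration, and the `key=value` log format is an assumption chosen to keep the parser short.

```python
"""Three breach-indicator checks run over constructed log lines.
Each detector compares events with a baseline the defender already holds.
Every log line, baseline and threshold here is constructed for the example."""
from collections import defaultdict
from datetime import datetime
from statistics import median

def parse_kv(line):
    """Parse '<iso-timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(item.split("=", 1) for item in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def events(log):
    return [parse_kv(line) for line in log.splitlines() if line.strip()]

# 1. Unusual outbound traffic: constructed flow records for one workstation.
FLOW_LOG = """\
2014-01-02T09:12:01 host=ws-17 proto=https bytes_out=48213
2014-01-02T09:40:55 host=ws-17 proto=https bytes_out=51600
2014-01-02T10:03:14 host=ws-17 proto=smtp bytes_out=120400
2014-01-02T10:31:42 host=ws-17 proto=https bytes_out=39870
2014-01-02T11:05:08 host=ws-17 proto=https bytes_out=44120
2014-01-02T23:17:30 host=ws-17 proto=ftp bytes_out=734002816
"""

def large_outbound(log, factor=10):
    """Flag flows sending more than `factor` times the host's median bytes_out.
    Median rather than mean, so one huge transfer cannot inflate its own baseline."""
    flows = events(log)
    per_host = defaultdict(list)
    for f in flows:
        per_host[f["host"]].append(int(f["bytes_out"]))
    return [f for f in flows
            if int(f["bytes_out"]) > factor * median(per_host[f["host"]])]

# 2. Sign-ins outside the user's normal hours or countries (constructed baseline:
#    hours of day and countries seen for the user over an earlier observation period).
SIGNIN_BASELINE = {
    "alice": {"hours": {2, 3, 4, 5, 8, 9, 10, 11, 14, 15}, "countries": {"SE", "DK"}},
}
SIGNIN_LOG = """\
2014-01-02T03:05:12 user=alice country=SE result=success
2014-01-02T09:48:00 user=alice country=SE result=success
2014-01-02T18:02:41 user=alice country=BR result=success
"""

def unusual_signins(log, baseline):
    """Return (event, reason) pairs for sign-ins that break the user's baseline."""
    hits = []
    for e in events(log):
        known = baseline.get(e["user"])
        if known is None:
            hits.append((e, "no baseline for user"))
            continue
        reasons = []
        if e["ts"].hour not in known["hours"]:
            reasons.append("unusual hour %02d:00" % e["ts"].hour)
        if e["country"] not in known["countries"]:
            reasons.append("new country " + e["country"])
        if reasons:
            hits.append((e, "; ".join(reasons)))
    return hits

# 3. Package installs outside the maintenance window or the change record (constructed).
PATCH_LOG = """\
2014-01-01T02:10:33 host=srv-db1 action=install package=openssl version=1.0.0-2
2014-01-02T02:05:10 host=srv-web2 action=install package=libc6 version=2.13-1
2014-01-02T14:22:05 host=srv-web2 action=install package=openssh-server version=6.0-1
"""
MAINTENANCE_HOURS = range(1, 4)  # 01:00-03:59 daily, as announced by operations
APPROVED_CHANGES = {("srv-db1", "openssl"), ("srv-web2", "libc6")}

def unexpected_patching(log, window=MAINTENANCE_HOURS, approved=APPROVED_CHANGES):
    """Return (event, reason) pairs for installs nobody scheduled or approved."""
    hits = []
    for e in events(log):
        if e["action"] != "install":
            continue
        reasons = []
        if e["ts"].hour not in window:
            reasons.append("outside maintenance window")
        if (e["host"], e["package"]) not in approved:
            reasons.append("no approved change for " + e["package"])
        if reasons:
            hits.append((e, "; ".join(reasons)))
    return hits

if __name__ == "__main__":
    for f in large_outbound(FLOW_LOG):
        print("OUTBOUND", f["ts"], f["host"], f["proto"], f["bytes_out"])
    for e, why in unusual_signins(SIGNIN_LOG, SIGNIN_BASELINE):
        print("SIGN-IN ", e["ts"], e["user"], why)
    for e, why in unexpected_patching(PATCH_LOG):
        print("PATCHING", e["ts"], e["host"], e["package"], why)
```

Run as-is it reports the late-night FTP transfer, the 6 PM sign-in from a new country, and the openssh-server install that was neither in the window nor in the change record. The outbound check deliberately uses the median rather than the mean: a single very large transfer would otherwise raise the average enough to hide itself, which is exactly the event you want to see.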
Get your security services up and running today and you'll be a lot safer!