Written by:
Anne Gotay An Ounce of Threat Detection Can Save You a Ton of Remediation
No useful data security solution is one hundred percent foolproof. We’ve seen a steady stream of high-profile breaches and attacks this year alone, including some of the biggest names in tech — Microsoft, Okta, Nvidia, and Tesla. Even the Red Cross wasn’t spared.
There’s a certain danger in the notion that we can keep all bad actors out, prevent every insider threat, or stop the “bad guys” at the perimeter. With hybrid environments, cloud migration, and the perpetual human risk factor, building a bigger wall is simply not sufficient. Instead, we need to focus on protecting the prize (data) and controlling the path (access). This ensures the one asset no business can afford to lose is the central focus of our efforts.
Benjamin Franklin quote said, “An ounce of prevention is worth a pound of cure.” Clearly, preventing data theft and exposure is better than dealing with reputational damage, regulatory fines, and productivity loss. Detecting threats before damage occurs is crucial. Identifying data security warning signs is vital to this endeavor. This article touches on several warning signs that can help your security team detect and respond to malicious activity. Knowing the top warning signs can give your organization the advantage in threat detection and bolster your security posture.
Data Security Warning Sign 1:
Obvious Changes in Access Patterns
The simplest warning sign to look for when detecting threats is a change in access patterns. Major geographic changes in data patterns such as access from a different nation or state without any previous notification are a solid indicator that a user’s access needs to be more closely monitored. The less savvy attackers steal credentials without hiding behind a VPN. More cautious ones attempt to shield their presence by using a VPN located in the same country as the target. Unless the criminal is lucky, this will still indicate that the user is coming from a different city or state than they normally would. While this may be a false positive for those traveling on business, remote access still increases risk and warrants greater scrutiny.
Anomalous data access patterns are not purely related to location alone. The devices used by an individual to access data are also an important indicator. Every device has a different signature based upon the operating system version and manufacturer. Users may have a set of different devices they use normally. Seeing a user’s access change from known devices such as a Mac to a PC or mobile device is a warning sign worth investigating.
The other major indicator of an access pattern change is the time of access. Users develop habits of when they normally complete their work. Some may have a strict nine to five approach while others may tend to come in late and burn the midnight oil. Identifying deviations in individual users’ access habits can highlight that there might be a different person using their credentials.
Data Security Warning Sign 2:
Accessing all the things – Abnormal privileged access
Cybercriminals attempting to steal data want to get their hands on as much of it as quickly as possible to optimize their returns before the access gets identified and terminated. On the other hand, normal users generally only access the data set or files they need to work on the task at hand. Seeing a user suddenly accessing large amounts of privileged data is a strong warning that something questionable may be occurring. This is especially so if they are systematically iterating through available resources as quickly as possible.
Identifying this type of behavior early on in the process can facilitate access being cut off before too much data can be accessed. This approach prevents cybercriminals from using stolen credentials and halts insider threats looking to steal data as they leave. This greatly diminishes the potential impact.
Data Security Warning Sign 3:
Access Outside Scope
Normal users in an organization that are not brand new, generally know what resources they have access to. Their normal utilization will generally keep their access within that pool of known acceptable resources. They may have a one-off need every now and then, but that is more the exception than the norm.
Those outside of an organization are often unaware of what any particular user should actually have access to. Instead, they will poke around at what is visible within the access that they have acquired to see what resources can be opened or copied. In the process, they touch numerous resources that they may be able to see, but not access. Multiple failed attempts outside a user’s normal scope are a strong warning that something is amiss and requires further investigation.
Data Security Warning Sign 4:
Excessive File Changes
Much like accessing files, normal users tend to stick to a small set of resources that they currently need for doing their job. Ransomware goes through available resources and encrypts them as quickly as possible to maximize the damage over a period of time. This results in numerous file modification attempts over a short period of time. Seeing a large number of data modifications from a given user can be a warning that a problem is occurring. Detecting these attempts quickly and removing access can stop even a ransomware attack cold.
Automate Your Anomaly Detection
Detecting warning signs such as these is no small feat. A wide range of attack vectors and data points need to be monitored. The normal access patterns of users generate large quantities of information that must be parsed and analyzed quickly to stop an attack effectively. Outlier detection is where automated anomaly detection systems and machine learning come into play. Advanced threat detection and response leverages machine learning to consume large volumes of user access data in real-time and create known access patterns for individuals. With this information, anomaly detection algorithms can be applied to quickly and accurately identify outliers, allowing security teams to find and stop attackers before significant damage is done.
Sotero’s Data Security Platform helps organizations take a proactive approach to protect their data. Sotero delivers top-tier data protection through access controls and full lifecycle encryption, ensuring data is protected everywhere all of the time. Sotero takes this protection to the next level by integrating advanced threat and anomaly detection, it creates unique profiles for individuals to detect attacks before they can get a foothold. Sotero’s protection extends throughout existing infrastructure and the cloud, keeping sensitive data protected while meeting compliance mandates for even the most highly regulated industries.