You’ve all heard the often-repeated mantra, “prevention is better than cure,” but is this really reflective of what we’re seeing in the cyber-security industry at the moment? With threats evolving at a faster rate, it’s not realistic to assume that any organization is fully capable of preventing data breaches, especially as a large volume of data breaches originate from within.
Accidental or malicious insider threats are a common cause of data breaches, and prevention tools do little to protect you against these threats. However, just because prevention isn’t a fully viable means of mitigating data breaches doesn’t mean that there is nothing you can do. Many organizations now take the approach that data breaches are inevitable; you just have to be able to spot them and react before irreparable damage is done.
So, are you a CISO reading this blog, wanting to know if there’s anything you can do to detect cyber-security threats? If you are, then you’re in luck, as I’ll be going through some simple things you can do to speed up investigations and reaction time.
Always Be Watching
Being able to see what users are doing with your most critical files and folders is paramount in detecting and reacting to potentially dangerous changes. This involves a number of steps: finding out where your sensitive data is (most importantly, data containing PII), who has access to this data and what changes are taking place.
To find out where your data is, you’ll need to do some discovery and classification. There are numerous solutions on the market that offer this service for a hefty price. However, if you’re using Windows File Server, the File Classification Infrastructure in File Server Resource Manager (FSRM) gives you a good level of understanding as to where your sensitive data lies and how critical it is. It matches file content against regular expressions, provides continuous classification and can generate reports on the data found and its criticality levels.
Once you know where your sensitive data is, find out who has access to it and ensure that you are operating on a policy of least privilege. Ideally, only users with legitimate reasons should be able to access that data, and usually this can be limited to C-level employees. If job roles change, or people leave the business, ensure the relevant permissions are revoked as soon as possible to prevent possible privilege abuse.
Lastly, watch what your employees are doing with your data. Are they moving, deleting, copying or modifying data containing PII in any way? Ensure you have a solution or a method of being able to determine in real time when these changes are taking place. The sooner you can detect an unwanted change and reverse or address it, the less damage you are likely to have.
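The discovery and monitoring steps above, as an added example that is not part of the original post: an FSRM classification rule that tags files containing an SSN-like pattern, followed by an audit entry on the share so that writes, deletes and permission changes reach the Security event log. The share path, property name and regex are assumptions you should replace with your own.

```powershell
# Added example, not from the original post. Assumes FSRM is installed, the
# session is elevated, and D:\Shares\Finance is a placeholder for your share.
Import-Module FileServerResourceManager

$share = 'D:\Shares\Finance'   # placeholder path

# 1. Define a single-choice property "PII" with the values High and Low
$high = New-FsrmClassificationPropertyValue -Name 'High'
$low  = New-FsrmClassificationPropertyValue -Name 'Low'
New-FsrmClassificationPropertyDefinition -Name 'PII' -Type SingleChoice -PossibleValue @($high, $low)

# 2. Content rule: any file under the share matching ###-##-#### is tagged PII=High.
#    Overwrite means a later run re-evaluates the value rather than keeping a stale one.
New-FsrmClassificationRule -Name 'PII-SSN-pattern' -Property 'PII' -PropertyValue 'High' `
    -Namespace @($share) -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') -ReevaluateProperty Overwrite

# 3. Classify now; the continuous schedule is configured separately in FSRM.
Start-FsrmClassification -Confirm:$false

# 4. Make change auditing possible: enable the File System subcategory and add a
#    success SACL so Event ID 4663 is written for writes, deletes and ACL changes.
auditpol /set /subcategory:"File System" /success:enable | Out-Null
$acl    = Get-Acl -Path $share -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, 'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $share -AclObject $acl
```

Classification results can be reviewed with the FSRM storage reports; the SACL only produces events once the audit policy is enabled on the server.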
Speed is Everything
Leading on from the last point, constantly monitoring interactions with data is one thing, but you need to make sure that you react quickly when you do spot a change that could signify a data breach.
In many ways, you should expect a breach to happen every day. You may have been lucky so far and not experienced any significant data breach. But, as history tells us, it’s not a matter of “if” but “when.” When the worst does happen, you can mitigate a lot of the damage through fast reactions. If you’re using native auditing and sifting through raw event logs to determine changes, it’s unlikely you’ll be able to detect and react before the damage is done. Unfortunately, the only way to really be sure that you react quickly enough is to deploy a change auditing solution that does most of the work for you.
Fortunately, such solutions have become more mainstream over the past few years and, as a result, have more competitive price points. The solution you opt for should be able to alert on changes in real time and send through easy-to-understand reports listing those changes so that you know what you need to do.
Spotting the Bad from the Worse
Once you’ve got a change auditing solution in place, the next challenge is assessing which changes are worthy of your attention and which are just noise. Many SIEM solutions will chuck out large volumes of user-behaviour data, and you just won’t know which of it is relevant and which isn’t.
As a general rule, any change to user permissions surrounding sensitive data should be a red flag, modifications to data containing PII need to be tracked, and large volumes of changes over short periods of time should be seen as suspicious. Of course, once you have a solution up and running in your environment you can establish what you determine to be “normal” and then set the alerts and reports to look for the abnormal.
To find out where your most critical data is stored, what changes are being made to it and who has access to it, you will need to deploy a sophisticated File Server auditing solution such as LepideAuditor.
For ransomware attacks, for example, it’s useful to be able to see if suspiciously large volumes of data are being modified (file names being changed, for example) in a very short period of time. The threshold alerting feature in LepideAuditor allows you to set notifications for this kind of activity and, once detected, automate a response such as shutting down a server.
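The threshold rule described above, as an added example (not LepideAuditor’s own code): a sliding-window count of rename, modify and delete events per account, flagging anyone who exceeds the threshold within the window. The event objects, user names, paths and threshold values are constructed for the demonstration.

```powershell
# Added example, not from the original post. Events are objects with
# User, Time (DateTime), Action and Path, as you might build from 4663 records.
function Find-BurstActors {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 50,      # assumed tuning value
        [int] $WindowSeconds = 60   # assumed tuning value
    )
    $suspects = @()
    $byUser = $Events | Where-Object { $_.Action -in 'Rename', 'Modify', 'Delete' } |
              Group-Object -Property User
    foreach ($g in $byUser) {
        $times = @($g.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # advance the window start until the span fits inside $WindowSeconds
            while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
            $count = $end - $start + 1
            if ($count -gt $Threshold) {
                $suspects += [pscustomobject]@{
                    User = $g.Name; Count = $count; From = $times[$start]; To = $times[$end]
                }
                break   # one finding per account is enough to trigger a response
            }
        }
    }
    return $suspects
}

# Constructed sample: one account renaming 120 files in 30 seconds, plus a
# second account doing ordinary edits spread over 20 minutes.
$t0 = Get-Date '2024-01-01T09:00:00'
$events = @()
1..120 | ForEach-Object {
    $events += [pscustomobject]@{ User = 'CORP\jdoe'; Time = $t0.AddMilliseconds($_ * 250)
                                  Action = 'Rename'; Path = "\\fs01\finance\doc$_.xlsx.locked" }
}
1..20 | ForEach-Object {
    $events += [pscustomobject]@{ User = 'CORP\asmith'; Time = $t0.AddMinutes($_)
                                  Action = 'Modify'; Path = "\\fs01\finance\report$_.docx" }
}

Find-BurstActors -Events $events | ForEach-Object {
    Write-Warning "$($_.User) changed $($_.Count) files between $($_.From) and $($_.To)"
    # Response hook (placeholder): disable the account or take the share offline here
}
```

Only CORP\jdoe is reported; tune the threshold and window against what your own environment shows as normal before wiring the response hook to anything disruptive.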
Learning from the Mistakes
Even if you’ve got everything in place and it’s all running smoothly, you’re going to make mistakes. The important thing is that you learn from them. Attackers are constantly sharing information among themselves about techniques that have worked, tools to use, commonly used passwords and more. You need to be doing the same!
There are numerous forums you can be a part of where organizations discuss breaches they have been affected by and share intelligence. Learn from these forums. If you’ve been the victim of a breach yourself, share your story with others (anonymously, if you wish) so that they can protect themselves. You should also investigate every breach in depth and take corrective measures to ensure that it doesn’t happen again.
What to do Next
So, now for the pitch. I’ve mentioned a few times in this article that you’re going to need a change auditing solution to ensure that your investigation and reaction times are viable. This isn’t just because we sell such a solution; it is simply a fact. There are many solutions available on the market and you’re going to have to look around to find one that suits your environment best. Generally though, if the points in this article have hit home with you, then LepideAuditor might be the best solution. Come and take a look for yourself and trial it, for free, in your environment.