Detect a Data Breach – Questions That Need to be Asked

Naturally, the faster our security teams can identify a data breach, the faster they can move to eradicate and recover from the incident. The problem, however, is that many security incidents unfold in a very covert manner and can take weeks – or even months to discover.

According to the M-Trends annual report by FireEye, the global median “dwell time” is 101 days. The first question we need to ask is, are our security professionals competent enough to detect a security breach in a timely manner? To answer this question, there are other questions that need to be asked…

What are the Most Common Causes of a Data Breach?

Were we to fall victim to a ransomware attack that was able to penetrate our network by exploiting a vulnerability in a legacy version of our operating system, would we consider the threat to be of external or internal origins? Well, the answer is both.

Cyber-criminals are constantly searching for vulnerabilities to exploit – whether it be a piece of legacy software or a naive employee, and it is our responsibility to ensure that these vulnerabilities are kept to a minimum.

According to the following post, approximately 80% of data breaches are caused by human or process error. With this in mind, our focus needs to shift from perimeter-based security to training and monitoring the behavior of our own employees.

How are Data Breaches Typically Discovered?

The unfortunate reality is that most data breaches are discovered by institutions that are external to the breached organization, such as law enforcement and fraud protection agencies, customers and credit card processors – who use advanced algorithms to detect suspicious account usage.

How do we Identify High-Value Data?

It is an obvious fact that in order to protect our sensitive data, we need to know where it resides. High-value data, which includes PII, PCI, PHI, and so on, is worth a lot of money on the open market, hence why such data is a prime target for cyber-criminals. Fortunately, there are a number of data discovery and classification tools available which can automatically discover, classify and encrypt a large range of high-value data types.

How can we Monitor High-Value Data?

Once our most valuable data has been located and classified, we will need to monitor all activities associated with that data. When this data is accessed in a way that is deemed suspicious, our security team must be alerted in real-time, which will enable them to take action to investigate and remediate the problem in a timely manner.

There are a number of data security platforms available that can automatically detect, alert, report and respond to misused account privileges, suspicious file and folder activity, and unauthorized mailbox access. They can also detect events that match a pre-defined threshold condition, such multiple failed login attempts or the bulk encryption of data.

What Steps Can We Take to Ensure Rapid Remediation of a Data Breach?

Should a security incident occur, organizations will be required to notify any customers who were affected by the breach and outline the steps that have been taken to investigate, remediate, recover and restore the affected systems.

While it may be tempting to try to cover up the breach, doing so could make matters a lot worse. Should the breach become exposed via unofficial channels, this could result in a loss of trust in the organization.