How to Detect a Data Breach: The Basics

If we look at some of the most high-profile data breaches of the last few years, you will be astonished at how long it took for the organization involved to detect. Companies as big and as well equipped as Verifone, took 6 months to detect the data breach that first started in the middle of 2016. It took Forever 21 around 9 months to detect their data breach that started in March of 2017. There are even suggestions that the now infamous Marriott data breach could have been detected four years before it was discovered in September 2018.

According to the Ponemon Institute, Cost of a Data Breach Study conducted in 2017, breaches that occur as a result of insider threats or privilege abuse take far longer than others to detect – with the average number of days hovering around 191 days. Organizations seem to be so focussed on their bottom line that they are often blind to the signs of insider threats.

Why are so many organizations, particularly large enterprises, struggling to detect data breaches? I believe the answer lies in the fact that data security basics are being routinely ignored. With that in mind, let’s go through some of the basics of data breach detection.

How Data Breaches Are Detected

At this current moment in time, third-parties are the most popular or most common method of data breach detection. For example, fast food operator Sonic only discovered a data breach involving PCI when their credit card processor notified them of unusual activity.

So, asking yourself how data breaches are currently detected will not give you a good idea of how to detect one yourself. The current methods that most organizations use are simply not enough, and the long time between incident and detection reflects that. A better question to ask would be, “how can I detect a data breach internally?”

Detecting a Data Breach Internally in Four Steps

Most organizations do not have enough visibility over their sensitive data and their privileged users. This is the biggest reason why data breaches can go undiscovered for so long. Ask yourself the following four questions and the answers will reveal how good your current strategy is for detecting security threats:

1. Do you know where your sensitive data is?

Would you be able to detect files within your servers that contain information relating to compliance requirements, personally identifiable information or intellectual property? You need to be able to locate and tag any file that contains sensitive data as and when it is created or modified if you have any hope of detecting data breaches. Files containing this kind of data are the ones that both insiders and external actors target. Visibility over where these files are and what they contain is the first step in securing data.

2. Do you know who has access to this data?

Now that you know where your most sensitive data is, you need to find out which of your users have permission to access it. These “privileged” users should become the focus of your security strategy. Users with elevated privileges are the ones that pose the biggest risk to your data security. You might be surprised to find that there are numerous users within your organization with access to sensitive data that really don’t need to have it.

3. Do you know what your users are doing with this data?

Would you know if a privileged user modified, moved, deleted or renamed a file or folder containing PII, for example? Ensure that you have a platform that enables you to monitor the behavior of your users in real time and alerts you when anomalies are spotted. The quicker you are alerted to anomalous or unwanted user behavior, the quicker you can determine if you have been breached.

4. Is your environment as secure as it could be?

Do you currently have a large number of stale users or open shares? You need to do a thorough and regular check of security states and environment changes to ensure that there are no glaring holes in the security of your IT infrastructure.

How to Detect a Data Breach Quickly

If the above four questions sound daunting, don’t worry. Without an intelligent Data Security Platform, it might be impossible to answer these four questions in any satisfactory way. Luckily, Lepide have just the solution for you! If you would like to see how the Lepide Data Security Platform can help you to detect a data breach in seconds, schedule a demo with one of our engineers today.