Organizations can do a good job of detecting intruders who have infested their data network without buying and operating an expensive commercial network intrusion detection system. You don’t even have to hire an outside managed network security provider. Check out these three powerful strategies for dealing with this cyber risk:
- The first strategy is possibly the most powerful: Use your existing administrative tools to produce a daily report that shows all membership changes to all administrative groups for the past 24 hours. Then assign someone to validate every change. This will tell you if someone tries to “sneak in” through a privilege escalation.
- One sign that an attacker is “bedding down” in your network to conduct long-term surveillance is the unexpected patching of systems. Why? An attacker doesn’t want another attacker breaking in and messing up his inside access to your data network! So compare your vulnerability scans against your own patch records, and look for systems that show up as patched for a vulnerability when you never pushed that patch.
- To detect the staging of data for exfiltration, monitor your critical databases for sudden, unexplained swells in read activity. In addition, monitor all filesystems for large quantities of data suddenly or gradually appearing in the wrong places.
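The first strategy above, the daily report of administrative group membership changes, is easy to build from snapshots your existing tools already produce. The following is an added example, not code from the original post: it assumes you save the output of `getent group` (or a copy of `/etc/group`) once a day, diffs two such snapshots (constructed inline here), and prints one line per change for the person assigned to validate it. The set of groups to watch is an assumption; adjust it for your environment.

```python
# Added example (not from the post): diff two daily snapshots of group
# membership and list every change in the administrative groups.
# Assumes snapshots are saved daily from `getent group` (or /etc/group).
# Groups whose membership gets reviewed every day; extend for your environment.
ADMIN_GROUPS = {"wheel", "sudo", "adm", "docker"}

# Constructed sample snapshots: yesterday's and today's `getent group` output.
YESTERDAY = """\
wheel:x:10:alice,bob
sudo:x:27:alice
adm:x:4:syslog
docker:x:999:ci
staff:x:50:alice,bob,carol
"""
TODAY = """\
wheel:x:10:alice,bob,mallory
sudo:x:27:alice,carol
adm:x:4:
docker:x:999:ci
staff:x:50:alice,bob,carol,dave
"""

def parse_groups(snapshot):
    """Map group name -> set of members from `name:x:gid:m1,m2` lines."""
    groups = {}
    for line in snapshot.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or not fields[0]:
            continue  # blank or malformed line: skip rather than abort the daily job
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups

def diff_admin_groups(old, new, watched=ADMIN_GROUPS):
    """Return (group, member, 'added'|'removed') per change; a missing group counts as empty."""
    before, after = parse_groups(old), parse_groups(new)
    changes = []
    for group in sorted(watched):
        was, now = before.get(group, set()), after.get(group, set())
        changes += [(group, m, "added") for m in sorted(now - was)]
        changes += [(group, m, "removed") for m in sorted(was - now)]
    return changes

def report(changes):
    """Text for the person assigned to validate each change."""
    if not changes:
        return "No administrative group membership changes in the last 24 hours."
    return "\n".join(f"{action.upper():8}{member:12}{group}" for group, member, action in changes)

if __name__ == "__main__":
    print(report(diff_admin_groups(YESTERDAY, TODAY)))
```

Changes to groups outside the watched set (here, `staff`) are deliberately ignored so the daily review stays short enough that someone actually reads it.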
With each of these tips, I’m sure you’ll get a few false positives. And, you’ll have to climb a learning curve that keeps changing as the activity of your organization transforms over time. A new product launch will cause permanent changes in what’s considered “normal” on your network.
These are just the first three on my list. Next week I’ll give you three more. See you then!