Say you spend a couple of weeks in remediation and recovery after a data breach. “Finally got it all cleaned up,” you tell yourself. “We’re back to normal.”
Better not let your guard down just yet. The next insider threat you’ll face is probably lurking on a server on your network right now. In fact, research by the Ponemon Institute shows that average dwell time (the time between initial compromise and its detection) is more than three months for financial services firms. Worse yet, retail firms, with their enormous attack surface, have dwell times of more than six months.
That brings a few choice words to mind for what insider attacks do on your network:
Lie in wait.
Knowing that burglars have been in your house is a drag. But knowing that burglars are in your house, with no idea when in the next few months they’ll strike – that’s a lot worse.
Deep Forensic Analysis of Security Breaches
I don’t get paid for scaring you, but I do get paid for helping you enforce governance, mitigate risk and assure compliance (GRC) on your network. That’s why we’ve released a new white paper by Alexey Korotich called Tick! Tock! Have You Detected the Intruder Inside Your Network Yet? The paper focuses on several aspects of insider threats:
- What attackers want
- How they access your network and what they do once they’re inside
- Quick detection and containment
- Securing Active Directory
- The four pillars of governance, risk and compliance
- Deep forensic analysis of security breaches
I’ll focus on that last aspect because once you know that an attack has resulted in a breach, forensic analysis helps you prevent the burglars from doing more harm.
You may reach for security information and event management (SIEM) tools, but they operate mostly on the data in event logs. Look beyond that to the conditions that made the attack possible in the first place, like user permissions and group memberships.
The burglars will probably turn out to have user accounts on your network. What privileges do those accounts have? How did they get them, and who granted them? Where else have they been going on the network lately? The quickest way to answer the first two questions is to compare current group memberships against a snapshot taken before the incident window, then match each unexpected addition to the event that recorded it. Once you have the answers, you can take corrective action like restoring group membership to a previously known good state and disabling the account the attacker is using.
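The following is an added example of that comparison, not code from the white paper or from the original post. It diffs a known-good export of Active Directory group membership against a current one, looks up the Security-log event that granted each unexpected membership (4728, 4732 and 4756 are the "member added to a security-enabled group" events; 4624 is a successful logon), lists the hosts the account reached afterwards, and produces the removals and account disables needed to get back to the baseline. The group names, account names and event records are all constructed for the illustration; in practice the snapshots would come from a scheduled export and the events from the Security logs of the domain controllers and member servers.

```python
"""Diff AD group membership against a known-good baseline and correlate the
drift with Windows Security events (added example; all data is constructed)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed "known good" export taken before the incident window.
BASELINE_CSV = """group,member
Domain Admins,admin.jane
Domain Admins,admin.raj
Backup Operators,svc-backup
Remote Desktop Users,t.chen
"""

# Constructed export taken during the investigation.
CURRENT_CSV = """group,member
Domain Admins,admin.jane
Domain Admins,admin.raj
Domain Admins,t.chen
Backup Operators,svc-backup
Backup Operators,helpdesk7
Remote Desktop Users,t.chen
"""

# Constructed Security-log records, already normalised to a flat form.
# 4728/4732/4756 = member added to a security-enabled global/local/universal
# group (account = the member added, actor = who added it); 4624 = logon.
EVENTS = [
    {"id": 4624, "time": "2015-03-02T08:10:00", "host": "WS-044", "account": "t.chen", "actor": None, "group": None},
    {"id": 4728, "time": "2015-03-02T23:41:07", "host": "DC01", "account": "t.chen", "actor": "helpdesk7", "group": "Domain Admins"},
    {"id": 4732, "time": "2015-03-02T23:43:15", "host": "DC01", "account": "helpdesk7", "actor": "helpdesk7", "group": "Backup Operators"},
    {"id": 4624, "time": "2015-03-03T01:02:44", "host": "FILESRV02", "account": "t.chen", "actor": None, "group": None},
    {"id": 4624, "time": "2015-03-03T01:20:11", "host": "DC01", "account": "t.chen", "actor": None, "group": None},
    {"id": 4624, "time": "2015-03-03T09:00:00", "host": "WS-044", "account": "t.chen", "actor": None, "group": None},
]

GROUP_ADD_EVENTS = {4728, 4732, 4756}
LOGON_EVENT = 4624


def load_memberships(text):
    """Parse a group,member CSV export into {group: set(members)}."""
    members = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        members[row["group"].strip()].add(row["member"].strip())
    return members


def membership_drift(baseline_csv, current_csv):
    """Return {group: {"added": set, "removed": set}} for groups that changed."""
    base, cur = load_memberships(baseline_csv), load_memberships(current_csv)
    drift = {}
    for group in sorted(set(base) | set(cur)):
        added, removed = cur[group] - base[group], base[group] - cur[group]
        if added or removed:
            drift[group] = {"added": added, "removed": removed}
    return drift


def logons_since(account, since, events):
    """Hosts the account logged on to at or after the given ISO timestamp.
    Answers 'where else have they been going lately?'"""
    cutoff = datetime.fromisoformat(since)
    return sorted({e["host"] for e in events
                   if e["id"] == LOGON_EVENT and e["account"] == account
                   and datetime.fromisoformat(e["time"]) >= cutoff})


def explain_additions(drift, events):
    """For each unexpected member, find the event that granted the membership
    (who did it, when) and where the account went afterwards."""
    findings = []
    for group, change in drift.items():
        for member in sorted(change["added"]):
            grants = [e for e in events if e["id"] in GROUP_ADD_EVENTS
                      and e["group"] == group and e["account"] == member]
            granted_by = grants[0]["actor"] if grants else None
            granted_at = grants[0]["time"] if grants else None
            findings.append({
                "group": group, "member": member,
                "granted_by": granted_by, "granted_at": granted_at,
                "logons_after_grant": logons_since(member, granted_at, events) if granted_at else [],
            })
    return findings


def remediation_plan(baseline_csv, current_csv, events):
    """Memberships to remove to restore the baseline, plus accounts to disable:
    the accounts that gained privilege and the actors who granted it."""
    findings = explain_additions(membership_drift(baseline_csv, current_csv), events)
    remove = sorted((f["group"], f["member"]) for f in findings)
    disable = {f["member"] for f in findings} | {f["granted_by"] for f in findings if f["granted_by"]}
    return {"remove_from_group": remove, "disable_accounts": sorted(disable), "findings": findings}


if __name__ == "__main__":
    plan = remediation_plan(BASELINE_CSV, CURRENT_CSV, EVENTS)
    for f in plan["findings"]:
        print(f"{f['member']} added to {f['group']} by {f['granted_by']} at {f['granted_at']}; "
              f"logged on since to {f['logons_after_grant']}")
    print("remove:", plan["remove_from_group"])
    print("disable:", plan["disable_accounts"])
```

On the constructed data the plan shows that helpdesk7 added t.chen to Domain Admins and then itself to Backup Operators, and that t.chen went on to log on to FILESRV02 and DC01, so both accounts get disabled and both memberships are reverted. A membership that appears in the current export with no matching 4728/4732/4756 event is itself a finding worth chasing: either auditing on the domain controllers is incomplete or the change was made in a way that bypassed the audited path.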
New White Paper on Detecting Insider Threats
Forensic analysis is not just a push-button function. But then, neither is getting rid of a lurking burglar.
Have a look at our new white paper, Tick! Tock! Have You Detected the Intruder Inside Your Network Yet? for background, insights and practices that will help you shave months off the dwell time of insider threats in your organization.
Burglars could be the new normal in your company. The more you know about them, the better you can protect your network and meet your goals for GRC.