Two Daily Actions To Contain Data Breach Costs

A single data breach can cost your company a lot of money. How much? Based on the NetDiligence 2015 Cyber Claims Study of actual insurance claims data, we know the average cost of a large company data breach is US$4.8 million.

Want to minimize the cost? Quickly identify the data breach.

How do I know that’s the best way? And, how do you do it quickly?

Here’s the first answer: Check out this data in the IBM/Ponemon 2015 Cost of Data Breach Study. This graph from page 22 of their report shows the relationship between the mean time to identify a data breach and total average cost:

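[Figure: mean time to identify a data breach versus total average cost, from page 22 of the IBM/Ponemon 2015 Cost of Data Breach Study]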

That’s a very clear connection, don’t you think?

OK, so how can you quickly detect a data breach without spending a ton of CapEx for a fancy intrusion detection system and then a ton of OpEx to run the thing?

Here’s how: Have your server administration teams run these two daily checks:

  1. Discover whenever someone becomes a privileged user by verifying all new accounts that have been added to any administrator or root groups
  2. Identify data being staged for exfiltration by noticing when large amounts of data suddenly show up in unusual places

With both these checks, the large majority of the work can be automated. The way to do it is to use existing server management tools to compare and highlight the major differences between today’s and yesterday’s snapshot of (1) all your admin/root group members and (2) the percentage of free server disk space.
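
One way to automate that comparison on a Unix server, as an added example that is not from the original post: it diffs two days of `getent group` and `df -P` output. The privileged group names, the 10-point threshold and the sample snapshots are assumptions constructed for illustration.

```python
# Added example: diff yesterday's and today's snapshots of `getent group`
# and `df -P` output. Group names, threshold and samples are assumptions.
PRIV_GROUPS = {"root", "wheel", "sudo", "adm"}  # assumed privileged groups
FREE_DROP_POINTS = 10.0  # assumed: flag a drop of 10+ percentage points

def parse_groups(text):
    """Map each privileged group in `getent group` output to its member set."""
    groups = {}
    for line in text.strip().splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[0] in PRIV_GROUPS:
            groups[parts[0]] = {m for m in parts[3].split(",") if m}
    return groups

def parse_df(text):
    """Map each mount point in `df -P` output to its percentage of free space."""
    free = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 6 and fields[4].rstrip("%").isdigit():
            free[" ".join(fields[5:])] = 100.0 - float(fields[4].rstrip("%"))
    return free

def new_privileged_members(yesterday, today):
    """Return sorted (group, user) pairs present today but not yesterday."""
    old, new = parse_groups(yesterday), parse_groups(today)
    return sorted((g, u) for g, members in new.items()
                  for u in members - old.get(g, set()))

def free_space_drops(yesterday, today, points=FREE_DROP_POINTS):
    """Return {mount: (old_free, new_free)} where free space fell sharply."""
    old, new = parse_df(yesterday), parse_df(today)
    return {m: (old[m], new[m]) for m in new
            if m in old and old[m] - new[m] >= points}

# Constructed sample snapshots (not real data).
GROUPS_YESTERDAY = "root:x:0:\nsudo:x:27:alice,bob\nwww-data:x:33:\n"
GROUPS_TODAY = "root:x:0:\nsudo:x:27:alice,bob,svc_backup\nwww-data:x:33:deploy\n"
DF_HEADER = "Filesystem 1024-blocks Used Available Capacity Mounted on\n"
DF_YESTERDAY = DF_HEADER + "/dev/sda1 1000 400 600 40% /\n/dev/sdb1 1000 100 900 10% /var/tmp\n"
DF_TODAY = DF_HEADER + "/dev/sda1 1000 410 590 41% /\n/dev/sdb1 1000 580 420 58% /var/tmp\n"

if __name__ == "__main__":
    for group, user in new_privileged_members(GROUPS_YESTERDAY, GROUPS_TODAY):
        print(f"VERIFY: {user} was added to {group}")
    for mount, (was, now) in free_space_drops(DF_YESTERDAY, DF_TODAY).items():
        print(f"VERIFY: free space on {mount} fell from {was:.0f}% to {now:.0f}%")
```

The member field of `getent group` lists supplementary members only, so an account whose primary group is a privileged one needs a separate check against the passwd database.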

The manual work is tracking down why those changes happened and making sure it’s a legit business reason. This will take some sleuthing at first to know who to call and what constitutes normal changes. But within a month you will settle down into a productive routine.

What other simple techniques have you used to detect data breaches?
