Orga­ni­za­tions can do a good job of detect­ing intrud­ers who have infest­ed their data net­work with­out buy­ing and oper­at­ing an expen­sive com­mer­cial net­work intru­sion detec­tion sys­tem. You don’t even have to hire an out­side man­aged net­work secu­ri­ty provider. Check out these three pow­er­ful strate­gies for deal­ing with this cyber risk:

1. The first strat­e­gy is pos­si­bly the most pow­er­ful: Use your exist­ing admin­is­tra­tive tools to pro­duce a dai­ly report that shows all mem­ber­ship changes to all admin­is­tra­tive groups for the past 24 hours. Then assign some­one to val­i­date every change. This will tell you if some­one tries to “sneak in” through a priv­i­lege esca­la­tion.
2. One sign that an attack­er is “bed­ding down” in your net­work to con­duct long-term sur­veil­lance is the unex­pect­ed patch­ing of sys­tems. Why? An attack­er does­n’t want anoth­er attack­er break­ing in and mess­ing up his inside access to your data net­work! So watch your vul­ner­a­bil­i­ty scans for sys­tems that don’t need a patch you nev­er pushed.
3. To detect the stag­ing of data for exfil­tra­tion, mon­i­tor your crit­i­cal data­bas­es for sud­den, unex­plained swells in read activ­i­ty. In addi­tion, mon­i­tor all filesys­tems for large quan­ti­ties of data sud­den­ly or grad­u­al­ly appear­ing in the wrong places.

With each of these tips, I’m sure you’ll get a few false pos­i­tives. And, you’ll have to climb a learn­ing curve that keeps chang­ing as the activ­i­ty of your orga­ni­za­tion trans­forms over time. A new prod­uct launch will cause per­ma­nent changes in what’s con­sid­ered “nor­mal” on your net­work.

These are just the first three on my list. Next week I’ll give you three more. See you then!