I previously outlined three strategies for detecting intruders on your network without the need for a large capital expense for specialized systems. In fact, you don’t even need a managed service provider.
Now, as promised, here are three more ways:
- Using time stamps and the geolocation of the source IP addresses, look for simple irregularities in log-ins and access patterns. The most obvious would be an account that is logging in from two countries so close together in time that it’s unlikely they are both legitimate. You can access geolocation data for free or low cost.
- When the HTML response sizes leaving your network are much larger than usual, that’s a sign you’ve probably been the victim of a SQL injection attack.
- Finally, watch for outbound web traffic where 30 or 40 browser windows are opening all at once. This kind of behavior is more likely a sign of an automated session rather than a human one.
Will you have false positives? Yes. But you’ll also understand what’s considered normal on your network much better than you do today.
Do you have any low-cost, yet automated, strategies for network intrusion detection?
Please note: I reserve the right to delete comments that are offensive or off-topic.