Track data activity before "unusual" becomes "dangerous"

3 years ago 337

A information adept raises concerns that a deficiency of identifying and tracking antithetic information enactment tin person unsafe consequences.

shutterstock-1476166208.jpg

Image: Shutterstock/Funtap

There's accustomed information activity, antithetic information activity, and past there's unsafe information activity. Christian Wimpelmann, individuality and entree manager (IAM) astatine Code42, expresses interest that not capable accent is placed connected paying attraction to information enactment astatine the institution level. In the nonfiction When Does Unusual Data Activity Become Dangerous Data Activity?, Wimpelmann looks astatine each benignant of information enactment and offers proposal connected detecting antithetic enactment earlier it becomes dangerous.

Usual information activity

To begin, Wimpelmann defines accustomed information enactment arsenic enactment during mean concern operations. "Sophisticated analytics tools tin bash a large occupation of homing successful connected the trends and patterns successful data," Wimpelmann said. "They assistance information teams get a baseline astir what information is moving done which vectors—and by whom—on an mundane basis."

By utilizing analytics, specialists tin comparison a fixed enactment against:

  • Common enactment patterns of users
  • Normal enactment patterns of a circumstantial record oregon portion of data

Wimpelmann cautions that excessively galore information teams absorption solely connected the user, adding, "It's the information that you attraction about, truthful taking a data-centric attack to monitoring for antithetic information enactment volition assistance defender what matters."

SEE: Checklist: Securing integer information (TechRepublic Premium)

Unusual information activity

Unusual information enactment is the suspicious modification of information connected a resource. An illustration would beryllium the deletion of mission-critical files connected a information retention device. "Unusual information enactment is the earliest informing motion of Insider Risk and a perchance damaging information leak oregon information breach," Wimpelmann said. "Whether malicious oregon unintentional, antithetic information entree and antithetic information traversing networks oregon apps is often a precursor to employees doing thing they shouldn't oregon information ending up determination overmuch much problematic—outside the victimized organization."

What are the signs of antithetic information activity?

Through experience, Wimpelmann has created a database of antithetic information activities (Insider Risk indicators) that thin to crook into unsafe information activities. Below are immoderate of the astir communal indicators:

  • Off-hour activities: When a user's endpoint record enactment takes spot astatine antithetic times.
  • Untrusted domains: When files are emailed oregon uploaded to untrusted domains and URLs, arsenic established by the company.
  • Suspicious record mismatches: When the MIME/Media benignant of a high-value file, specified arsenic a spreadsheet, is disguised with the hold of a low-value record type, specified arsenic a JPEG, it typically indicates an effort to conceal information exfiltration.
  • Remote activities: Activity taking spot off-network whitethorn bespeak accrued risk.
  • File categories: Categories, arsenic determined by analyzing record contents and extensions, that assistance signify a file's sensitivity and value.
  • Employee departures: Employees who are leaving the organization—voluntarily oregon otherwise.
  • Employee hazard factors: Risk factors whitethorn see declaration employees, high-impact employees, formation risks, employees with show concerns and those with elevated entree privileges.
  • ZIP/compressed record movements: File enactment involving .zip files, since they whitethorn bespeak an worker is attempting to instrumentality galore files oregon fell files utilizing encrypted zip folders.
  • Shadow IT apps: Unusual information enactment happening connected web browsers, Slack, Airdrop, FileZilla, FTP, cURL and commonly unauthorized shadiness IT apps similar WeChat, WhatsApp, Zoom and Amazon Chime.
  • Public unreality sharing links: When files are shared with untrusted domains oregon made publically disposable via Google Drive, OneDrive and Box systems.

SEE: Identity is replacing the password: What bundle developers and IT pros request to know (TechRepublic) 

Why is it truthful hard to observe antithetic information activity?

Put simply, astir information bundle isn't designed to observe antithetic information enactment and insider risk. Most accepted information information tools, specified arsenic Data Loss Prevention and Cloud Access Security Broker, usage rules, defined by information teams, to artifact risky information activity. "These tools instrumentality a black-and-white presumption connected information activity: An enactment is either allowed oregon not—and there's not overmuch information beyond that," Wimpelmann said. "But the world is that galore things mightiness autumn into the 'not allowed' class that are nevertheless utilized perpetually successful mundane work."

On the flip side, determination are plentifulness of things that mightiness beryllium "allowed" but that could extremity up being rather risky. What's important are the existent outliers—whichever broadside of the rules they autumn on.

What to look for successful analytical tools

 Wimpelmann suggests utilizing UEBA (user and entity behaviour analytics) tools to abstracted the antithetic from accustomed information activity. He past offers suggestions connected what to look for successful forward-thinking information tools. The information tools should:

  • Be built utilizing the conception of Insider Risk indicators
  • Include a highly automated process for identifying and correlating antithetic information and behaviors that awesome existent risks
  • Detect hazard crossed each information activity—computers, cloud, and email
  • Start from the premise that each information matters, and physique broad visibility into each information activity

And, astir important of all, the information instrumentality should have:

  • The quality to accumulate hazard scores to find lawsuit severity
  • Prioritization settings that are easy adapted based connected hazard tolerance
  • A elemental hazard vulnerability dashboard

Final thoughts

Security teams request a company-wide presumption of suspicious information movement, sharing and exfiltration activities by vector and type. Having a information instrumentality and adequately trained squad members focuses attraction connected activity—in-house and remote—needing investigation. Wimpelmann concluded, "This empowers information teams to execute a rapid, rightsized effect to antithetic information enactment earlier harm tin beryllium done."

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also see

Read Entire Article