This month is Cyber Security Awareness month, and Weaver is participating with a series of blog posts and Insights documents dedicated to making the web a more secure, safe place. This is the fourth blog post in the series.
Massive data security breaches continue to surface against well-known businesses. Similar trends, as in prior years, include point-of-sale intrusions, payment card skimmers, phishing attacks and hacking and malware activity. Top industries targeted were purported to be public sector, finance, professional services and healthcare.
Preventing data security attacks is ideal, but if breached, rapid detection is essential. Analytics can play a vital role in helping organizations take a risk-based approach toward identifying security breach attempts. Consider these three steps to ensure early detection:
1. Ask the right questions: Understanding the initial questions helps to determine whether the required data is available. Consider whether the network activity captures:
- Remote access attempts (to identify potentially inappropriate afterhours activity)
- Failed log-in attempts (to identify password cracking or hacking attempts)
- Interactive system/service account usage (to identify exploited accounts usage or inappropriate account usage)
- Network protocol traffic (i.e., TCP/IP, UDP) (to identify inappropriate traffic on non-standard protocols
2. Log and store adequate data: Not only should the nature and frequency of the activity be logged, but the appropriate detail of the activity needs to be assessed to ensure that the data that is maintained will be useful in analysis. Organizations should assess what initial information can be gleaned from the data, and then determine retention periods to insure that appropriate trend conclusions can be drawn from the data.
3. Cleanse data and determine anomalies: Once the data is in a state ready for analysis, it needs to be analyzed to determine anomalies. The analysis can done by executing analytical procedures on the data – whether through developing scripts or utilizing standard reporting/summary functionality within the IT tools to provide initial information. The results will then need to be analyzed to determine if there are any correlations or causations within the data.
Following these three steps, results must be thoroughly analyzed. For more information on our recommendation for analyzing results, download our new Insights, Tackling Cybersecurity with Data Analytics.