Every company struggles to allocate security resources. It’s not that security pros don’t have the tools to improve their risk postures – it’s that they don’t have the time.
Between hackers using a smoke-and-mirrors approach to manipulate enterprise attention and resources, unusual file access activity and user behavior patterns requiring consistent investigations, and account lockout maintenance, security staff members are busy putting out fires when they should be standing back and surveying their risk landscapes.
What are some early warning signs of a breach that security operations centers should have a heightened focus on, in order to help them decrease initial response resources and put more energy toward bigger security initiatives?
Warning Sign No. 1: Distractions
Distractions (like DDoS attacks), help hackers enter networks with malware or stolen credentials. A recent Cybersecurity Ventures report found that DDoS is often the “first wave” of attacks by hackers who use them to distract companies from other more targeted intrusions. While a SOC is dealing with a DDoS attack, hackers can often move in undetected.
SOC teams should have a DDoS mitigation solution ready for a breach, but know that a DDoS attack is likely not the end of a cyberattack. Being prepared to monitor for suspicious activity across a network, even during a cyberattack, is the best approach.
Warning Sign No. 2: Unexpected file activity
Unexpected file activity or unusual log-in patterns from your team.
It’s all about examining the behaviors of your team. Track the relationship between users, activities and the various security products in your ecosystem. Then, go back and reference this data; identify patterns and better recognize the vulnerabilities in your approach. Look at when a file is opened, who opened it, and from where they signed in. Suspicious activity could be a hacker using stolen credentials or warning signs of an employee acting maliciously.
Warning Sign No. 3: Time wasted due to account lockouts
According to FireEye, 37 percent of C-level security professionals face more than 10,000 alerts per month. More than 40 percent of respondents manually review every alert. This abundance of alerts frequently leads to account lockouts, and because these alerts seem unimportant, they are often being unlocked without investigation
Recent research published by IBM’s Emergency Response Team indicates that lockouts were often a key indicator of cyber attacks. However, distinguishing between “fat fingers” and a real security incident takes hours of investigation, and many SOC teams decide to unlock accounts prematurely in an effort to save time. Automating this via behavioral analytics, to gain context around the lockout, can remove the tradeoff between serious response and long delays.[related-posts]
Security professionals are facing more threats than they can logically handle and respond to on a daily basis. If companies want to protect themselves from ongoing industry threats, this dynamic needs to change. Being on the lookout for the early, yet unassuming, warning signs isn’t a way to waste time – it’s a crucial step in keeping pressing security threats from going unnoticed.