How to detect a data breach
The challenge with data breaches isn’t to stop them, but to know they ever happened at all. Help detect data breaches through better access monitoring.
)
)
)
)
)
Sometimes the challenge with data breaches is to know they ever happened at all.
Attack types like POS intrusions, privilege misuse (involving either internal or external actors), or cyber-espionage typically take months or longer. According to IBM, it takes an average of 287 days to detect a data breach.
Organizations just like yours are so heads down, focused on the business of doing business, it’s tough to keep tabs on the access to data, looking for signs of misuse. And yet the bad guys — cyber criminal organizations — are busy devising ways to gain access to your network and to exfiltrate data of value such as credit card data or personally identifiable information.
Put those two together, and you have a recipe for disaster, where organizations become unknowing victims, never realizing they’ve had a data breach until it’s way past too late.
How are breaches detected?
The longer your mean time to detect a breach, or MTTD, the longer cyber criminals have to do whatever they want with your data.
So, how do breaches normally get detected?
Every other method besides internal discovery dominates.
IBM's 2023 Cost of a Data Breach Report notes found only one third of breaches were detected internally, compared to 27% disclosed by the attacker. Sadly, third-parties remain the number one method of breach discovery, with 40% discovered by a neutral third-party such as law enforcement.
Given the external nature of the majority of discovery methods, perhaps the question shouldn’t be “How are breaches discovered?”, but instead “Why aren’t beaches discovered internally?”
To that point, the data points to big advantages for organizations that discover a breach themselves. IBM notes nearly $1 million less in breach costs when a breach is discovered internally, and the breach lifecycle is also 80 days shorter compared to breaches disclosed by an attacker.
Getting to internal discovery
The reason why internal discovery doesn’t happen more often is simple: IT organizations simply aren’t watching. You know which data is really, really important, so why aren’t you keeping an eye over access to it?
While it sounds too simple, in reality, it is that simple.
It’s a simple two-step process to put a Data Breach Internal Discovery plan together. At a high level, it looks like this:
Identify data of value: The easy part is identifying those data sets that are part of a business process. The hard part is the presence of any extraneous copies of that data. But you need to find them all.
Watch it: Put some kind of access auditing/monitoring in place, assessing whether current access is normal for your business operations. Over time, you can pretty much tell what “normal” access looks like. Then, anything outside of that is suspect.
)
)
)
)
)
Discover a data breach quicker with file auditing
Most breached organizations aren’t truly negligent (in the sense they just don’t care about security, etc.). It’s far more likely they missed patching a vulnerability or assigned improper permissions that gave external access.
And because those things happen, in some cases, far too often, it’s necessary for IT organizations to put a strategy in place that prioritizes the discovery of data breaches to as an internal process, keeping your organization “in the know.”
If you're an IT admin managing a Windows environment, file monitoring software can help identify and stop a data breach. Admittedly, it's not sexy tech (explaining how it works will not win you points at the weekend BBQ). But it's one of the most effective, ways to detect, respond to, and even stop inappropriate activity quickly.