Cybersecurity: Track data activity before

A security expert expresses concern that failure to identify and track unusual data activity can have dangerous consequences.


There’s regular data activity, unusual data activity, and then there’s dangerous data activity. Christian Wimpelmann, Identity and Access Manager (IAM) at Code42, is concerned that enterprises pay too little attention to their data activity. In the article “When does unusual data activity turn into dangerous data activity?”, Wimpelmann analyzes each type of data activity and offers tips for detecting unusual activity before it becomes dangerous.

What is typical data activity?

For starters, Wimpelmann defines typical data activity as activity during normal business operations. “Sophisticated analysis tools can do a great job of locating trends and patterns in the data,” said Wimpelmann. “They help security teams get a baseline of what data is moving through which vectors, and by whom, every day.”

Using analytics, specialists can compare a given action with:

  • Common user activity patterns
  • Normal activity patterns of a specific file or piece of data

Wimpelmann cautions that too many security teams are solely focused on the user, adding: “It’s the data that matters to you, so taking a data-centric approach to monitoring unusual data activity will help protect what matters.”
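The baseline idea above (what volume normally moves through which vector, and by whom) can be made concrete with a small per-user, per-vector model. The following is an added example, not code from Code42 or from the article: it builds a baseline of daily bytes moved from a constructed history, then classifies a new day’s activity as typical, unusual, or a vector the user has never used before. The z-score threshold and the sample history are assumptions.

```python
"""Per-user, per-vector baseline of daily data movement with outlier flagging.

Added illustration; not Code42's analytics. History rows are constructed
(user, vector, day, bytes_moved) tuples, not real telemetry.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed seven-day history for two users across a few vectors.
HISTORY = (
    [("alice", "email", d, b) for d, b in enumerate(
        [1_200_000, 900_000, 1_500_000, 1_100_000, 1_300_000, 1_000_000, 1_250_000])]
    + [("alice", "usb", d, 0) for d in range(7)]           # never moved data by USB
    + [("bob", "cloud", d, b) for d, b in enumerate(
        [50_000_000, 48_000_000, 52_000_000, 47_000_000, 51_000_000, 49_000_000, 50_500_000])]
)


def build_baseline(history):
    """Return {(user, vector): (mean_bytes, stdev_bytes)} from daily totals."""
    per_key = defaultdict(list)
    for user, vector, _day, nbytes in history:
        per_key[(user, vector)].append(nbytes)
    return {key: (mean(vals), pstdev(vals)) for key, vals in per_key.items()}


def deviation(baseline, user, vector, nbytes):
    """Z-score of a new daily total against the user's baseline for that vector.

    Returns None when the user has no history on that vector at all.
    A zero-variance baseline (e.g. always 0 bytes) makes any increase infinite.
    """
    key = (user, vector)
    if key not in baseline:
        return None
    mu, sigma = baseline[key]
    if sigma == 0:
        return float("inf") if nbytes > mu else 0.0
    return (nbytes - mu) / sigma


def classify(baseline, user, vector, nbytes, z_threshold=3.0):
    """Label a new observation: 'typical', 'unusual', or 'unseen-vector'."""
    z = deviation(baseline, user, vector, nbytes)
    if z is None:
        return "unseen-vector"     # first use of a vector; worth a look on its own
    return "unusual" if z > z_threshold else "typical"


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for user, vector, nbytes in [("alice", "email", 1_300_000),
                                 ("alice", "email", 5_000_000),
                                 ("alice", "usb", 10_000_000),
                                 ("bob", "email", 400_000)]:
        print(user, vector, nbytes, "->", classify(base, user, vector, nbytes))
```

The "unseen-vector" outcome is deliberately kept separate from "unusual": a user moving data through a channel they have never used before is exactly the kind of event the article says gets lost when monitoring focuses on the user rather than on where the data is going.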


What is unusual data activity?

Unusual data activity is the suspicious modification of data on a resource. An example would be the deletion of mission-critical files on a data storage device. “Unusual data activity is the first warning sign of internal risk and a potentially damaging data leak or data breach,” Wimpelmann said. “Whether malicious or unintentional, unusual data access and unusual data traversing networks or applications is often a precursor to employees doing something they shouldn’t or the data ending up somewhere much more problematic: outside the victimized organization.”

What are the signs of unusual data activity?

Through experience, Wimpelmann has created a list of unusual data activities (indicators of internal risk) that tend to turn into dangerous data activities. Here are some of the most common indicators:

  • Activities after hours: When a user’s endpoint file activity occurs at unusual times.
  • Untrusted domains: When files are emailed or uploaded to untrusted URLs and domains, as established by the company.
  • Suspicious file discrepancies: When the MIME/media type of a high-value file, such as a spreadsheet, is disguised with the extension of a low-value file type, such as JPEG, it usually indicates an attempt to hide data exfiltration.
  • Remote activities: Activity that takes place outside of the network may indicate increased risk.
  • File categories: Categories, determined by analyzing the content and file extensions, that help identify the sensitivity and value of a file.
  • Employee departures: Employees who leave the organization, voluntarily or not.
  • Employee risk factors: Risk factors can include contract employees, high-impact employees, flight risks, employees with performance issues, and those with elevated access privileges.
  • ZIP / compressed file movements: Archive activity that involves .zip files, as it may indicate that an employee is trying to collect a lot of files or hide files in encrypted zip folders.
  • Shadow IT applications: Unusual data activity that occurs on web browsers, Slack, AirDrop, FileZilla, FTP, cURL, and commonly unauthorized shadow IT apps like WeChat, WhatsApp, Zoom, and Amazon Chime.
  • Public cloud share links: When files are shared with untrusted domains or made available to the public through Google Drive, OneDrive and Box.


Why is it so difficult to detect unusual data activity?

Simply put, most security software is not designed to detect unusual data activity and internal risk. Most mainstream data security tools, such as Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) products, use rules defined by security teams to block risky data activity. “These tools have a black and white view of data activity – an action is allowed or not, and there isn’t much consideration beyond that,” Wimpelmann said. “But the reality is that many things can fall into the ‘not allowed’ category that are nevertheless constantly used in daily work.”

On the other hand, there are many things that are “allowed” but could still turn out to be quite risky. What matters is the true outliers, whichever side of the rules they fall on.

What to look for in analytical tools

Wimpelmann suggests using UEBA (user and entity behavior analytics) tools to separate unusual data activity from usual. He then offers suggestions on what to look for in forward-thinking security tools. Security tools must:

  • Be built around the concept of internal risk indicators.
  • Include a highly automated process to identify and correlate unusual data and behaviors that point to real risks.
  • Detect risks across all data activity: endpoints, cloud and email.
  • Start with the premise that all data matters and create complete visibility into all data activity.

And, most important of all, the security tool should have:

  • The ability to accumulate risk scores to determine the severity of an event.
  • The ability to easily adapt prioritization settings based on risk tolerance.
  • A simple risk exposure dashboard.
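The indicator list earlier on the page and the three requirements just above (accumulated risk scores, adjustable prioritization, a simple exposure view) fit together naturally in one piece of logic. The following is an added example, not Code42’s product or any code from the article: each constructed file-activity event is checked against several of the listed indicators (after-hours, untrusted domain, MIME/extension mismatch via magic bytes, archive movement, departing employee, shadow IT app, public share link, remote activity), each hit adds a weight to the user’s accumulated score, and an escalation threshold stands in for the risk-tolerance setting. All weights, thresholds, domain and app lists, magic-byte signatures and sample events are assumptions.

```python
"""Insider-risk indicator scoring over constructed file-activity events.

Added illustration; not Code42's implementation. Policy values below are
assumed and would be tuned to an organisation's own risk tolerance.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# --- policy knobs (assumed) ---
TRUSTED_DOMAINS = {"corp.example", "partner.example"}
SHADOW_IT_APPS = {"wechat", "whatsapp", "airdrop", "filezilla", "curl"}
CORP_NETWORKS = [ip_network("10.0.0.0/8")]
DEPARTING_USERS = {"dave"}                  # e.g. fed from HR offboarding
BUSINESS_HOURS = range(7, 20)               # 07:00-19:59 counts as normal
WEIGHTS = {
    "after_hours": 2, "untrusted_domain": 3, "mime_mismatch": 5,
    "archive_move": 2, "departing_user": 4, "shadow_it": 3,
    "public_link": 4, "remote": 1,
}
ESCALATE_AT = 8                              # risk-tolerance threshold

# Magic-byte signatures for a small set of types (assumed subset). OOXML
# office files and plain .zip archives share the same PK container.
MAGIC = {
    b"PK\x03\x04": {"zip", "xlsx", "docx", "pptx"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"%PDF": {"pdf"},
    b"\x89PNG": {"png"},
}


@dataclass
class Event:
    user: str
    when: datetime
    filename: str
    head: bytes                # first bytes of the file content
    destination: str = ""      # domain, app name, or "" for local-only activity
    source_ip: str = "10.0.0.1"
    public_link: bool = False


def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def content_types(head):
    """Extensions consistent with the leading bytes, or None if unrecognised."""
    for sig, exts in MAGIC.items():
        if head.startswith(sig):
            return exts
    return None


def indicators(ev):
    """Names of the internal-risk indicators this single event triggers."""
    hits = []
    if ev.when.hour not in BUSINESS_HOURS:
        hits.append("after_hours")
    dest = ev.destination.lower()
    if dest and "." in dest and dest not in TRUSTED_DOMAINS:
        hits.append("untrusted_domain")
    if dest in SHADOW_IT_APPS:
        hits.append("shadow_it")
    ext, kinds = extension(ev.filename), content_types(ev.head)
    if kinds is not None and ext and ext not in kinds:
        hits.append("mime_mismatch")       # e.g. spreadsheet renamed to .jpg
    if ext == "zip":
        hits.append("archive_move")
    if ev.user in DEPARTING_USERS:
        hits.append("departing_user")
    if ev.public_link:
        hits.append("public_link")
    if not any(ip_address(ev.source_ip) in net for net in CORP_NETWORKS):
        hits.append("remote")
    return hits


def score_events(events, weights=WEIGHTS):
    """Accumulate per-user risk scores and the indicators behind them."""
    scores = {}
    for ev in events:
        entry = scores.setdefault(ev.user, {"score": 0, "hits": []})
        for name in indicators(ev):
            entry["score"] += weights[name]
            entry["hits"].append((ev.filename, name))
    return scores


def prioritize(scores, escalate_at=ESCALATE_AT):
    """Users at or above the tolerance threshold, highest score first."""
    flagged = [(u, s["score"]) for u, s in scores.items() if s["score"] >= escalate_at]
    return [u for u, _ in sorted(flagged, key=lambda x: (-x[1], x[0]))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("alice", datetime(2024, 3, 4, 10, 15), "q1-forecast.xlsx", b"PK\x03\x04", "corp.example"),
    Event("bob", datetime(2024, 3, 4, 23, 40), "vacation.jpg", b"PK\x03\x04", "mail.example.org"),
    Event("dave", datetime(2024, 3, 5, 14, 0), "archive.zip", b"PK\x03\x04", "whatsapp", "203.0.113.5"),
    Event("carol", datetime(2024, 3, 5, 9, 0), "roadmap.pdf", b"%PDF", "corp.example", public_link=True),
]

if __name__ == "__main__":
    results = score_events(SAMPLE_EVENTS)
    for user in prioritize(results):
        print(user, results[user]["score"], results[user]["hits"])
```

Two design points worth noting: the MIME check compares leading bytes with the claimed extension rather than trusting either alone, which is the "suspicious file discrepancy" indicator from the list, and the threshold is a parameter of prioritize() rather than a constant baked into the scoring, so a team can lower or raise its tolerance without re-running detection.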

Final thoughts

Security teams need a company-wide view of suspicious data movement, sharing activity, and exfiltration by vector and type. A properly trained security tool, and team members who know how to use it, keep the focus on the activity, internal and remote, that needs investigation. Wimpelmann concluded: “This enables security teams to execute a rapid and appropriate response to unusual data activity before corruption occurs.”
