Detecting Cyber Anomalies and Unusual Activity in the Business

Intrusion protection software and hardware look for the unusual activity that the Anomalies and Events category of the NIST Cybersecurity Framework's Detect function is concerned with. An anomaly is something that has taken place which would not usually take place. If the office closes at 5pm and everyone is out of the door by 6pm, yet at 8pm there is a lot of activity from a machine or machines inside the office, for example, that is something you would probably not expect to be happening.

If you have the right intrusion detection software and the right logging in place, you can see that at 8pm these machines are sending large amounts of data over the network, or out to the internet to some random server. Your intrusion detection, network monitoring and security monitoring software should be picking up those anomalies and alerting IT so that the appropriate action can be taken.

It may be nothing anomalous at all, a false positive: it may be that it's the end of the year or the end of the month and the finance team are in the office working late into the night, so there is a perfectly innocent explanation. Software continuous monitoring is along similar lines, but I like to include physical security under this broad security umbrella, e.g. when you have electronic passes/badges that are used to allow entry. Are you able to monitor that?
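The after-hours data transfer described above is easy to express as a detection rule once flow or proxy logs are being collected. The following is an added example, not code from the article or from any product the author mentions: it sums out-of-hours outbound bytes per host per day, raises an alert when a host exceeds a threshold, and handles the month-end false positive the text mentions by downgrading (not suppressing) alerts for hosts with a recorded reason to be working late. The flow records, host names, threshold and the `APPROVED_LATE_WORK` list are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample flow records (not from the article): timestamp, source
# host, destination, bytes sent. In practice these come from a flow collector,
# firewall or proxy log. 2024-03-29 is a Friday.
SAMPLE_FLOWS = [
    ("2024-03-29 14:10:00", "ws-finance-03", "203.0.113.10", 2_000_000),
    ("2024-03-29 20:05:00", "ws-finance-03", "203.0.113.10", 900_000_000),
    ("2024-03-29 20:15:00", "ws-reception-01", "198.51.100.25", 1_500_000_000),
    ("2024-03-29 20:30:00", "ws-reception-01", "198.51.100.25", 2_100_000_000),
    ("2024-03-29 09:00:00", "ws-eng-07", "203.0.113.10", 50_000_000),
]

# Assumed business hours; anything outside them, or on a weekend, is "after hours".
BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Assumed threshold: 500 MiB of outbound traffic from one host, out of hours, in a day.
AFTER_HOURS_THRESHOLD = 500 * 1024 * 1024

# Hypothetical register of hosts with an approved reason for late work (the
# finance month-end close from the article). Their alerts are downgraded to
# "review" so a human still looks, rather than silently dropped.
APPROVED_LATE_WORK = {"ws-finance-03": "finance month-end close"}


def is_after_hours(ts: datetime) -> bool:
    """True if the timestamp falls outside business hours or on a weekend."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def after_hours_egress(flows):
    """Sum out-of-hours bytes sent, keyed by (day, source host)."""
    totals = defaultdict(int)
    for ts_str, host, _dst, nbytes in flows:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if is_after_hours(ts):
            totals[(ts.date().isoformat(), host)] += nbytes
    return totals


def detect_anomalies(flows, threshold=AFTER_HOURS_THRESHOLD):
    """Return one alert per (day, host) whose after-hours egress meets the threshold."""
    alerts = []
    for (day, host), nbytes in sorted(after_hours_egress(flows).items()):
        if nbytes < threshold:
            continue
        reason = APPROVED_LATE_WORK.get(host)
        alerts.append({
            "day": day,
            "host": host,
            "bytes": nbytes,
            "severity": "review" if reason else "high",
            "note": reason or "unexpected after-hours egress",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_FLOWS):
        print(alert)
```

On the constructed data the finance workstation is flagged for review (it crossed the threshold but has a recorded reason), the reception workstation is flagged high, and the engineering host is ignored because its traffic was during business hours. A real deployment would replace the fixed threshold with a per-host baseline learned from historical after-hours volumes, but the shape of the rule stays the same.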

Are Your Security Levels Appropriate?

Make sure that the security levels are appropriate and that you are monitoring these levels carefully. Is it right, for example, that the receptionist's user ID is suddenly being used to access and log in to a server? To me that would be inappropriate user access, but let's say the receptionist is authorised to do so, for whatever reason. Does he or she normally do that, or is this the first time? If it is the first time, that should be considered a violation of security, to be picked up by a security monitoring tool.
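The receptionist scenario is a "first time seen" check: compare each successful login against a baseline of which accounts have logged in to which hosts before, and escalate when the account is not authorised for that server at all. The code below is an added example written for this page, not the author's or any vendor's implementation; the authentication events, host names, the `SERVERS` set and the `AUTHORISED` list are constructed assumptions standing in for a real identity or SIEM data source.

```python
from collections import defaultdict

# Constructed historical authentication events (not from the article):
# (timestamp, user, target host, outcome). A real baseline would be built
# from 30-90 days of logs.
BASELINE_EVENTS = [
    ("2024-03-01 09:02:11", "reception", "ws-reception-01", "success"),
    ("2024-03-02 09:01:40", "reception", "ws-reception-01", "success"),
    ("2024-03-01 10:15:00", "dba1", "db-server-01", "success"),
    ("2024-03-03 11:20:00", "dba1", "db-server-01", "success"),
]

# Constructed events to evaluate against that baseline.
NEW_EVENTS = [
    ("2024-03-29 20:12:05", "reception", "db-server-01", "success"),   # the article's case
    ("2024-03-29 10:00:00", "dba1", "db-server-01", "success"),        # routine, seen before
    ("2024-03-29 20:13:00", "reception", "ws-reception-01", "success"),# routine
    ("2024-03-29 21:00:00", "reception", "db-server-01", "failure"),   # failed, ignored here
    ("2024-03-29 10:30:00", "dba2", "db-server-01", "success"),        # authorised, first time
]

# Hypothetical inventory: which hosts count as servers, and who may log in to them.
SERVERS = {"db-server-01"}
AUTHORISED = {"db-server-01": {"dba1", "dba2"}}


def build_baseline(events):
    """Map each user to the set of hosts they have successfully logged in to before."""
    seen = defaultdict(set)
    for _ts, user, host, outcome in events:
        if outcome == "success":
            seen[user].add(host)
    return seen


def evaluate(events, baseline):
    """Flag successful logins to hosts the user has never logged in to before.

    Severity depends on whether the host is a server and whether the user is
    on its authorised list: an authorised user's first server login is still
    reported, as the article argues, but at lower severity.
    """
    findings = []
    for ts, user, host, outcome in events:
        if outcome != "success":
            continue
        if host in baseline.get(user, set()):
            continue  # seen before: normal behaviour for this account
        if host in SERVERS and user not in AUTHORISED.get(host, set()):
            severity, note = "high", "unauthorised server login"
        elif host in SERVERS:
            severity, note = "medium", "authorised user, first server login on record"
        else:
            severity, note = "low", "first login to this host"
        findings.append({"time": ts, "user": user, "host": host,
                         "severity": severity, "note": note})
    return findings


if __name__ == "__main__":
    for finding in evaluate(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(finding)
```

Only two of the five constructed events are reported: the receptionist's login to the database server (high, never authorised) and `dba2`'s first recorded login (medium, authorised but new). Failed attempts are deliberately left out of this rule because they belong to a separate brute-force or credential-stuffing detection rather than to the "unusual but successful access" check the text describes.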

Detection processes ensure that, whether the monitoring is done by software or by a member of staff, it is noticed that something is awry. Do you have the processes and procedures to pick those reports up and deal with them with appropriate speed and severity? It doesn't matter if it is 2am: if the report comes in that your company is under attack, your organisation needs to deal with it with the appropriate severity and skills.

There is no point saying "OK, I will deal with that in the morning." By the time you're in the office in the morning, potentially hundreds of GBs of data have been uploaded and shipped offshore; your customers' personal information or your company's intellectual property could be circulating around a number of foreign servers, being offered to the highest bidder. Having a combination of the right hardware, software, processes and procedures in place, which allows the right actions to be identified and a response plan to be executed, ensures prompt action and mitigation of a threat or attack.

To take an analogy, the IT team build up the Detect biceps, but the athlete's processes and procedures still have little spindly legs, which means that the Respond and Recover piece is left undone or atrophied. It is important not to forget the holistic regime, which includes the full set of Identify, Protect, Detect, Respond and Recover functions.

Darren Wray