Top tips for spotting unusual activity on your network

Time to react

Speed is critical in preventing data loss, yet according our research, UK businesses have estimated that it takes an average of nine hours to spot unusual activity on their organisation’s network. UK firms are the slowest off the mark, coming in two hours behind their US counterparts, who take seven hours to identify abnormal activity, and one hour slower than German businesses, who take an average of eight hours. The UK takes almost double the time it takes for firms in Australia to respond, who average only five hours until they identify something may be wrong. Stay ahead of the problem – follow these top tips to spot unusual activity – faster.

Form a baseline:

The key is to watch for movement of critical information and the frequency of the policy violation. Getting a baseline for this is often hard as there are always exceptions to every rule. For example, what if there is a breach underway when the baseline begins? The numbers would then be artificially high. It is important to be able to run reports and dig into the details of your network activity, looking for what constitutes normal. From an email perspective, you should be able to draft a list of the top 10 senders and from a web perspective, the top 10 sites by the company – these will be critical to help pinpoint where the problem may lie.

Don't shoot the messenger:

Advanced Persistent Threats (APT), are where an unauthorised person gains access to a network and stays there undetected for a long period of time, they, in effect, take over a user in order to transfer information outside the organisation. So while it is important to react to abnormal activity in a quick and effective way, be sure not to ‘shoot the messenger’ as the person who appears to be creating the violations might not be the true culprit. Take your time and investigate fully.

Keep one eye open:

Overall, organisations need to be vigilant and to watch for policy breach events. Using Security Incident Event Management (SIEM) solutions is often the simplest way, using the notifications which come from the products to keep an eye on the network. An event needs to be acted on quickly to ascertain if it is malicious or a mistake.

Have a game plan:

Security shouldn’t just fall to the IT manager. There should be a recognized policy in place for any incidents that happen. Having a company-wide security game plan can ensure each person’s manager has a better context around what an employee is supposed to be doing within the network and can receive an ‘inform’ of policy breaches if and when they happen. As these managers work closer with the individuals, they can more readily tell if it was malicious or not than if it was just detected by the IT department. With this knowledge, action can be more definite and taken more quickly to shut down the problem if it is indeed a problem. 

Act now:

When it comes to breaches, time is of the essence; especially if it is an APT – which can reside in the organisation for weeks / months / years extracting critical information from under the eyes of the business. Unless you have a proactive and adaptive approach to DLP, you will always be starting from the back foot, but as soon as something unusual is spotted, activate your game plan and begin tackling the issues you face.