How can we improve the odds of finding a criminal hacker in our networks? (My old blogpost in 2017 discusses some threats in your network “Insider Threats: No1 Cybersecurity Problem” in case you want to review)
A great video on this topic is the following Irongeek.com video from BSides Charm2018
In this part of the video they are explaining all the logs and where the logs should be sent. The idea to send the logs to Splunk is to then create a ticket or an SMS alert to a team. After Splunk receives data you have to configure Splunk to create SMS alerts and tickets.
There are specific items to look for in your logs to help you find the criminal hacker.monitoring email
monitor who accesses OWA (Outlook Web Access), monitor the attachments sent out, file transfers.
Web traffic, monitor proxy logs – what sites get accessed? Who is trying to go to dangerous websites.
Create daily reports and then you will see what is normal.
Every environment is different, with varying needs for compliance and other needs (HIPAA compliance is likely not needed from a Flower retailer).
The above diagram in the video is the most important diagram for you to understand and digest:
I.e. most companies and people end up logging everything and thus do not check anything (because you cannot drink from a firehose) OR log very little – nothing. So this is why one must understand what is important in logging to you.
Even though it may be different with every company there will be a specific report that will become a goto report that you will review daily for suspicious behavior. Do not become a statistic which says you do not see the criminal hacker in your network for 100 days, or are told of a breach by law enforcement. That means you will know at that time that IT has not done their job (too late of course).
Get ahead of future problems, and contact us to review your logging environment.