Do You Know Who Has Broken Into Your System?

Norman Marks, CRMA, CPA, is an evangelist for better run business, focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. The views expressed in this blog are his personal views and may not represent those of The IIA.


Traditional information security (or cyber security) is focused on preventing unauthorized access to your network, systems, applications, infrastructure, and data. But, as we all know only too well, the people trying to get in are exposing and exploiting vulnerabilities faster than we can plug the holes.

Information security professionals are always chasing to catch up with the bad guys.

Surveys of security professionals around the globe report that more than 80% of companies know they have been hacked. The roughly 15% who did not say they have been hacked probably don’t know; if they were, they haven’t detected it yet.

And that brings me to a point I first made in my blogs a few years ago: while it is essential to do what you reasonably can to keep hackers out, you also need to be able to know – as rapidly as possible – when somebody has breached your defenses.

A new paper on Security Analytics: A Required Escalation in Cyber Defense expands on this point. The authors advocate for what they call “advanced security analytics”:

“Advance knowledge of the reconnaissance phase, early probes of vulnerable systems, suspicious lateral movement, and attempted exfiltration, can give the cyber defense team the time they need to thwart the attack, and prepare for the follow on attacks.”

The way I understand the concept of security analytics, by monitoring traffic within your network you can detect patterns that may indicate intruders. You can then take action.

I am not going to advocate for any one solution, but suggest you and your management team answer this:

“How will you know when somebody has breached your system? Will you know fast enough to limit the damage to at least an acceptable level of damage or loss?”

Your information security team should also be sensitive to the potential of attacks before they occur. The latest in information security risk assessment solutions analyzes intrusion attempts to highlight areas of greater risk. Organizations can then marshal their forces to the area of the battlements where an attack is most likely to occur.

Until a year or so ago, the volume of intrusion attempts and data about them was so voluminous (truly Big Data) that these cyber risk solutions could only analyze a sample of intrusion attempts. In-memory technology has changed that, with the solutions now able to analyze 100% of the population and provide far more useful information about potential intrusion attempts. For example, the software used to be able to identify IP addresses suspected as being the source of attacks. Now they can go deeper and identify other IP addresses that appear to be related to the first one, and monitor those addresses as well.

Let me close with questions for you:

  1. Do you believe your defenses provide reasonable assurance that intrusions will be prevented?
  2. Will you know, fast enough to respond and limit any damage, should the defenses be breached?
  3. Do you know enough about what is likely to hit you tomorrow?
  4. Is the cost of your information security program commensurate with the potential for loss and its impact on your ability to achieve organizational objectives?

I welcome your comments.

Posted on May 3, 2014 by Norman Marks

Share This Article:    

  1. Norman - this paper is concerned with the risks from external hackers. I still think one of the greatest risks comes from IT staff with high level access to the systems. How carefully are the database administrators monitored? Can they cover their tracks? Are important IT staff contractors or outsourced personnel who haven't gone through the normal HR checks (assuming these are sufficient)?

Leave a Reply