IT teams deal with security incidents every day, despite investing heavily in advanced cybersecurity tools. Whether their intent is malicious or benign, your employees, vendors and other trusted users may be working in security blind spots that the tools you have invested in cannot monitor.
When malware is accidentally downloaded, files are deleted, or sensitive information is sent through webmail, how will you know what happened and who did it? Investigating an incident requires proper visibility into your infrastructure, yet many environments have visibility gaps. Here are six areas where you may have blind spots:
Unauthorized Activity on Servers
Organizations typically have a good grasp of server statistics, access logs, performance, uptime, and system events. What they often cannot answer is who has interactive access to a server, what those users actually do once logged in, and whether work that belongs on a workstation or laptop is being done on the server instead.
Installing/Uninstalling Unauthorized Software
Organizations use virtual desktops, non-persistent images, software management tools, and account restrictions to inventory and limit the software installed on their machines. These application-centric controls record that an install or uninstall happened, but in most cases they do not answer the real question: why is this user installing or uninstalling software on this machine?
Hiding Information and Covering Tracks
Organizations are becoming more aware of data exfiltration. Less well covered are the steps taken to hide data and destroy evidence: renaming sensitive files before copying them so the copy does not look sensitive, or making changes on a server and then covering the trail by deleting log files. These are favorite techniques of external attackers who have infiltrated a network, and they leave few traces unless the file and log activity itself is being watched.
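To make the pattern concrete, the following added example (not Proofpoint's code and not part of the original post) correlates a constructed stream of file-activity events to flag the two behaviours described above: a sensitive-looking file renamed to an innocuous name and then copied elsewhere within a short window, and deletion or truncation of files under /var/log. The event format, field names, keyword list, time window and sample events are all assumptions made for illustration.

```python
"""Flag two track-covering patterns in a stream of file-activity events.

Added example, not Proofpoint code. The event tuple layout, the field
names, the sensitive-keyword list and the sample events are assumptions
chosen for illustration; a real deployment would feed this from an
endpoint agent or audit log.
"""
import re
from collections import defaultdict

# Words that suggest a file is sensitive (assumption; tune per organisation).
SENSITIVE_RE = re.compile(r"(salary|customer|payroll|ssn|confidential)", re.I)
# Anything under /var/log is treated as a log file.
LOG_DIR_RE = re.compile(r"^/var/log/")
# A copy of a renamed file within this many seconds is treated as suspicious.
WINDOW = 300

# Constructed sample events: (timestamp, user, action, src_path, dst_path).
# dst_path is None for actions that involve a single path.
EVENTS = [
    # Sensitive file disguised, then copied to removable media 30 s later.
    (1000, "jdoe", "rename", "/srv/hr/payroll_2023.xlsx", "/srv/hr/notes.tmp"),
    (1030, "jdoe", "copy", "/srv/hr/notes.tmp", "/media/usb/notes.tmp"),
    # Routine rename that keeps the sensitive name: not a disguise.
    (1100, "svc-backup", "rename", "/srv/hr/payroll_2022.xlsx",
     "/srv/hr/payroll_2022.xlsx.bak"),
    # Log tampering on a server.
    (2000, "admin2", "delete", "/var/log/auth.log", None),
    (2005, "admin2", "truncate", "/var/log/secure", None),
    # Deleting a scratch file is not log tampering.
    (2100, "ops", "delete", "/tmp/build.out", None),
    # Disguise followed by a copy, but far outside the window: not flagged.
    (3000, "kle", "rename", "/srv/finance/customer_list.csv", "/srv/finance/x.dat"),
    (4000, "kle", "copy", "/srv/finance/x.dat", "/home/kle/x.dat"),
]


def find_rename_then_copy(events, window=WINDOW):
    """Return alerts for users who rename a sensitive-looking file to a name
    that no longer looks sensitive and then copy the renamed file within
    `window` seconds. A rename on its own, or a rename that keeps the
    sensitive name, is treated as noise."""
    pending = defaultdict(dict)  # user -> {renamed_path: (ts, original_path)}
    alerts = []
    for ts, user, action, src, dst in sorted(events, key=lambda e: e[0]):
        if (action == "rename" and dst is not None
                and SENSITIVE_RE.search(src) and not SENSITIVE_RE.search(dst)):
            pending[user][dst] = (ts, src)
        elif action == "copy" and src in pending.get(user, {}):
            t0, original = pending[user].pop(src)
            if ts - t0 <= window:
                alerts.append({
                    "user": user,
                    "original": original,
                    "renamed_to": src,
                    "copied_to": dst,
                    "delay": ts - t0,
                })
    return alerts


def find_log_tampering(events):
    """Return alerts for deletion or truncation of any file under /var/log."""
    return [
        {"user": user, "action": action, "path": src}
        for _ts, user, action, src, _dst in events
        if action in ("delete", "truncate") and LOG_DIR_RE.match(src)
    ]


if __name__ == "__main__":
    for alert in find_rename_then_copy(EVENTS):
        print("rename-then-copy:", alert)
    for alert in find_log_tampering(EVENTS):
        print("log tampering:", alert)
```

Run as written, the script reports one rename-then-copy alert (jdoe, 30 seconds between rename and copy) and two log-tampering alerts (admin2). The backup service's rename is ignored because the new name still looks sensitive, and kle's copy is ignored because it falls outside the window; both thresholds are the knobs a team would tune against its own false-positive rate.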
Performing Unauthorized Admin Tasks
Tracking all administrator actions, authorized and unauthorized alike, is both a common security practice and a requirement under many compliance regulations. Some organizations are not this proactive, and every admin task that goes unrecorded is a visibility gap.
Searching for Information
Organizations should have visibility into suspicious web searches by their users without depending on a network appliance or a browser extension to capture them. Suspicious search queries give incident response and investigation teams crucial context early, before the organization is actually exposed to the risk the search hints at.
Non-Permitted Data/Machine Access
Organizations sometimes lack the time or resources to lock down and restrict access rights promptly, and for every restriction there is usually an exception to the rule. Visibility into both authorized and unauthorized access lets a company audit who can reach what and get a handle on privilege creep.
These gaps in visibility are a direct result of taking an antiquated approach to cybersecurity. Security and IT teams must adapt to uncover these blind spots if they want to mitigate data loss and ensure a more secure environment.
Do you know where your environment lacks visibility? Proofpoint can help you fill your visibility gaps. Download a FREE 15-day Trial of Proofpoint ITM now.