Jul 20 2020
Do You Have Any Idea Why and How a Data Breach Happened? With Forensics You Do!
Let’s face it. Breaches sometimes bust through the best barriers. And when they do, they wreak havoc – and cost a boatload of money. According to Ponemon’s ‘Cost of a Data Breach’ Survey, the cost of losing a single file is $141. When did you ever lose a single file? And those files add up. The average cost to an enterprise of a breach is a staggering $3.62 million.
Most don’t know they’ve been breached until it is far, far too late. It takes about 191 days on average to figure out that you have had a data breach. Since most IT shops discover the incursion months or even over a year after it happened, how then do you figure out how and why it happened?
Every organization has security events that occur within their IT environment. Finding them quickly and shutting down the problem is a constant challenge for IT administrators and security teams. With millions of activity events from a variety of O365 log file sources, it’s difficult to find relevant data and make sense of it.
The answer is data breach forensics that rely on long-term log data quality and retention so you can perform a proper security audit. That is how you discover what happened, so you can minimize ongoing damage and, by finding the source, stop it from happening again.
CoreView Forensics Based in Deep Auditing and Analysis
This last point speaks directly to CoreView’s auditing capabilities. “If I do not know what is going on, then how on earth do I investigate issues? One core security pillar is ‘know thyself’,” said CoreView solution architect Matt Smith. “From a Microsoft perspective, they keep application data for 30 days, and just announced that they will increase this to one year, but only for E5 licenses. How can I be effective if I cannot even tell you who signed in a year ago?” The answer is that IT should keep records on access attempts for as long as they have the O365 platform.
Once a data breach or malware infection occurs, you need to find out everything about it. That is where basic security tools fall short. “From a forensic standpoint, anti-virus will tell you that Joe’s PC had a virus on Monday. However, there is no anti-virus platform in the world that shows exactly what he touched since he got that virus,” Smith said.
CoreView, though, quickly gets to the heart of the matter. A CoreView-enabled administrator can choose ‘file access’ and see all the files, the names, and the paths to the files that were accessed after the breach or malware attack. “CoreView can save off these reports as well. The next step is to track where the malware may have spread. For instance, you can see all the files people have accessed within the OneDrive platform where the malware may have landed. These people are now suspected of having malware because one particular user touched this file after he was reported as having malware. The last thing an admin can do is look at OneDrive reports and then external invitations,” Smith argued.
Finding the Smoking Gun by Using Forensic Analysis
CoreView provides an intelligent, crystal ball view across all the different log data to help admins locate the corresponding security events and connect the dots to see whether valuable information was included, and who was involved. Simple search methods and information filtering are provided to perform forensic analysis on specific segments of activities/events and zero in on the smoking gun. Being able to locate where the breach, or security issue, originated and what documents or messages were involved can make a world of difference.
The CoreView web-based interface correlates disparate log file data from different Office 365 workloads into a single repository in order to:
- Reduce the complexity of searching, analyzing and maintaining critical Office 365 log data from different workloads
- Speed security investigations and compliance audits with complete real-time visibility and background, historic log data
- Research and troubleshoot widespread issues should a security breach or compliance event occur
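The pivot Smith describes above (list the files the flagged user touched after the malware report, then find the other users who touched those same files afterward), run over audit records correlated from several Office 365 workloads, as an added example that is not CoreView’s code and not part of the original post. The field names (CreationTime, Workload, Operation, UserId, ObjectId) follow the Office 365 unified audit log schema; the records, user names, URLs and the infection time are constructed for the example.

```python
"""Forensic pivot over Office 365 audit records after a malware report.

Given a user reported as infected at a known time, find every file that
user touched after that time, then every other user who touched one of
those files after the infected user did. Those users are the next ones
to check. Records are constructed; field names follow the Office 365
unified audit log.
"""
from datetime import datetime, timezone

# SharePoint/OneDrive audit operations that mean a user handled file content.
FILE_OPERATIONS = {
    "FileAccessed", "FileModified", "FileDownloaded",
    "FileUploaded", "FileSyncDownloadedFull",
}

# Constructed object URLs (assumed tenant names, not real sites).
NOTES = "https://contoso-my.example/personal/joe/Documents/notes.docx"
BUDGET = "https://contoso-my.example/personal/joe/Documents/budget.xlsx"
INVOICE = "https://contoso.example/sites/finance/Shared Documents/invoice.xlsm"

# Constructed records from three workloads; timestamps are UTC, as in the audit log.
AUDIT_RECORDS = [
    {"CreationTime": "2020-07-13T07:30:00", "Workload": "OneDrive", "Operation": "FileAccessed",
     "UserId": "joe@contoso.example", "ObjectId": NOTES},        # before the report: not exposed
    {"CreationTime": "2020-07-13T09:30:00", "Workload": "SharePoint", "Operation": "FileAccessed",
     "UserId": "bob@contoso.example", "ObjectId": INVOICE},      # before Joe touched it: not suspect
    {"CreationTime": "2020-07-13T10:15:00", "Workload": "OneDrive", "Operation": "FileModified",
     "UserId": "joe@contoso.example", "ObjectId": BUDGET},
    {"CreationTime": "2020-07-13T11:00:00", "Workload": "SharePoint", "Operation": "FileModified",
     "UserId": "joe@contoso.example", "ObjectId": INVOICE},
    {"CreationTime": "2020-07-13T11:05:00", "Workload": "Exchange", "Operation": "MailItemsAccessed",
     "UserId": "joe@contoso.example"},                           # correlated, but not a file operation
    {"CreationTime": "2020-07-13T14:20:00", "Workload": "OneDrive", "Operation": "FileAccessed",
     "UserId": "ann@contoso.example", "ObjectId": BUDGET},       # after Joe: suspect
    {"CreationTime": "2020-07-14T08:00:00", "Workload": "SharePoint", "Operation": "FileDownloaded",
     "UserId": "bob@contoso.example", "ObjectId": INVOICE},      # after Joe: suspect
    {"CreationTime": "2020-07-14T09:00:00", "Workload": "OneDrive", "Operation": "FileAccessed",
     "UserId": "ann@contoso.example", "ObjectId": NOTES},        # file never exposed: ignored
]

# Assumed time at which anti-virus reported Joe's PC as infected.
INFECTION_REPORTED = datetime(2020, 7, 13, 9, 0, tzinfo=timezone.utc)


def parse_time(value):
    """Audit log timestamps are ISO 8601 in UTC without an offset suffix."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def file_events(records):
    """Yield (time, user, object_id) for file operations, whatever the workload."""
    for record in records:
        if record["Operation"] in FILE_OPERATIONS and record.get("ObjectId"):
            yield parse_time(record["CreationTime"]), record["UserId"].lower(), record["ObjectId"]


def files_touched_after(records, user, since):
    """Map each file `user` touched at or after `since` to the earliest such touch."""
    first_touch = {}
    for when, who, obj in file_events(records):
        if who == user.lower() and when >= since:
            if obj not in first_touch or when < first_touch[obj]:
                first_touch[obj] = when
    return first_touch


def suspect_users(records, user, since):
    """Map other users to the exposed files they touched after the flagged user did."""
    exposed = files_touched_after(records, user, since)
    suspects = {}
    for when, who, obj in file_events(records):
        if who == user.lower() or obj not in exposed:
            continue
        if when >= exposed[obj]:
            suspects.setdefault(who, set()).add(obj)
    return {who: sorted(objs) for who, objs in suspects.items()}


if __name__ == "__main__":
    flagged = "joe@contoso.example"
    for obj, when in sorted(files_touched_after(AUDIT_RECORDS, flagged, INFECTION_REPORTED).items()):
        print(f"exposed {obj} (first touched {when.isoformat()})")
    for who, objs in sorted(suspect_users(AUDIT_RECORDS, flagged, INFECTION_REPORTED).items()):
        print(f"check {who}: {', '.join(objs)}")
```

The ordering check matters: Bob read the invoice before Joe touched it and is only flagged because of his later download, while Ann’s access to the notes file is ignored because Joe last touched that file before the infection was reported. In a real investigation the records would come from an export of the unified audit log covering the whole window, which is exactly why the retention period the article argues for is the limiting factor.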
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.