As Infosec practitioners, how well do you really know and monitor your IT and business operations? Would you identify a data exfiltration event by a bandwidth increase without attendant malware alerts? Would you identify an employee staying late and attempting to gain physical access to a restricted area? Would you identify a successful VPN login from another country?
We will present effective monitoring methods we utilize and the resulting outputs that teach us what normal operations look like in order to identify suspicious activity. By reviewing these types of reports or tickets on a daily basis you will know your IT and business operations well enough to identify anomalies that may evade detection by your security tools. We will show example reports and tickets from our organization covering a variety of these topics and discuss how we analyze them, as well as how we use the information to better tune our monitoring tools.