{"id":254,"date":"2017-03-11T15:44:00","date_gmt":"2017-03-11T15:44:00","guid":{"rendered":"https:\/\/securityeverafter.com\/2017\/03\/11\/unauthorized-change-detected\/"},"modified":"2017-03-11T15:44:00","modified_gmt":"2017-03-11T15:44:00","slug":"unauthorized-change-detected","status":"publish","type":"post","link":"https:\/\/securityeverafter.com\/unauthorized-change-detected\/","title":{"rendered":"Unauthorized Change Detected!"},"content":{"rendered":"


I recently posted the below on the SANS Internet Storm Center.<\/p>\n

How do you detect what has changed in your environment? Is it possible to think beyond the alerts you get from your tools and consider what changes that you absolutely need to know about when they occur? When systems in your environment move from \u201cnormal\u201d to \u201cabnormal\u201d, would you even notice?<\/div>\n
<\/div>\n
\n
Occasionally I have a credit card transaction denied. The most common reason for this is being in a part of the country that is outside my normal travel and spending patterns. When that happens, the panic quickly subsides and I recognize that something in my baseline has changed.<\/div>\n
<\/div>\n
How can pattern and trend analysis apply in monitoring and defending your networks? Consider developing a similar baseline to detect possible unauthorized changes. This practice may very well help you detect changes that do not follow the proper change control process and also give you deeper insight into the activities on your network. A practical step of creating a monthly calendar appointment named \u201cWhat is missing from my baseline?\u201d would help remind you to answer this question on a recurring basis. This will also help you develop a more meaningful relationship with your system administrators and application developers by asking them questions and learning more about these systems – both of which are highly encouraged. <\/div>\n<\/div>\n
<\/div>\n
To detect patterns and trends, consider developing a rolling 30-, 60- or 90-day history in a few critical areas to show not only the current status, but also how it compares to recent activity over time. This insight will help identify patterns that exist beyond the point-in-time alerts that we regularly receive. Not every area requires this extended analysis, but in some cases showing a trend over time reveals patterns that would otherwise go unrecognized and unnoticed.<\/div>\n
<\/div>\n
Consider the following for your baseline:<\/div>\n
\n
Administrative logins after normal business hours<\/div>\n
Administrative logins outside of approved change windows<\/div>\n
Badge access to your building after normal business hours<\/div>\n
Systems that restart outside of approved change windows<\/div>\n<\/div>\n
Services that restart outside approved change windows<\/div>\n
<\/div>\n
Please use the comments area to share what\u2019s in your baseline!<\/div>\n
\n
<\/div>\n
\n
Russell Eubanks<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

I recently posted the below on the SANS Internet Storm Center. How do you detect what has changed in your environment? Is it possible to think beyond the alerts you get from your tools and consider what changes that you absolutely need to know about when they occur? When systems in your environment move from \u201cnormal” to “abnormal”, would you […]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[12,18],"tags":[],"jetpack_publicize_connections":[],"yoast_head":"\nUnauthorized Change Detected! - Security Ever After - vCISO<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/securityeverafter.com\/unauthorized-change-detected\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Unauthorized Change Detected! - Security Ever After - vCISO\" \/>\n<meta property=\"og:description\" content=\"I recently posted the below on the SANS Internet Storm Center. How do you detect what has changed in your environment? Is it possible to think beyond the alerts you get from your tools and consider what changes that you absolutely need to know about when they occur? 
When systems in your environment move from \u201cnormal” to “abnormal”, would you […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/securityeverafter.com\/unauthorized-change-detected\/\" \/>\n<meta property=\"og:site_name\" content=\"Security Ever After - vCISO\" \/>\n<meta property=\"article:published_time\" content=\"2017-03-11T15:44:00+00:00\" \/>\n<meta name=\"author\" content=\"Russell\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@russelleubanks\" \/>\n<meta name=\"twitter:site\" content=\"@russelleubanks\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Russell\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/securityeverafter.com\/unauthorized-change-detected\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/securityeverafter.com\/unauthorized-change-detected\/\"},\"author\":{\"name\":\"Russell\",\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/person\/38dd34bdece8068be18430e4c96ce5f3\"},\"headline\":\"Unauthorized Change Detected!\",\"datePublished\":\"2017-03-11T15:44:00+00:00\",\"dateModified\":\"2017-03-11T15:44:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/securityeverafter.com\/unauthorized-change-detected\/\"},\"wordCount\":374,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/securityeverafter.com\/#organization\"},\"articleSection\":[\"cyber 
security\",\"SANS\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/securityeverafter.com\/unauthorized-change-detected\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/securityeverafter.com\/unauthorized-change-detected\/\",\"url\":\"https:\/\/securityeverafter.com\/unauthorized-change-detected\/\",\"name\":\"Unauthorized Change Detected! - Security Ever After - vCISO\",\"isPartOf\":{\"@id\":\"https:\/\/securityeverafter.com\/#website\"},\"datePublished\":\"2017-03-11T15:44:00+00:00\",\"dateModified\":\"2017-03-11T15:44:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/securityeverafter.com\/unauthorized-change-detected\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/securityeverafter.com\/unauthorized-change-detected\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/securityeverafter.com\/unauthorized-change-detected\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/securityeverafter.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Unauthorized Change Detected!\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/securityeverafter.com\/#website\",\"url\":\"https:\/\/securityeverafter.com\/\",\"name\":\"Security Ever After - CISO\",\"description\":\"vCISO\",\"publisher\":{\"@id\":\"https:\/\/securityeverafter.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/securityeverafter.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/securityeverafter.com\/#organization\",\"name\":\"Security Ever 
After\",\"url\":\"https:\/\/securityeverafter.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/i0.wp.com\/securityeverafter.com\/wp-content\/uploads\/2020\/04\/SECURITY-e1589664916497.jpg?fit=1169%2C826&ssl=1\",\"contentUrl\":\"https:\/\/i0.wp.com\/securityeverafter.com\/wp-content\/uploads\/2020\/04\/SECURITY-e1589664916497.jpg?fit=1169%2C826&ssl=1\",\"width\":1169,\"height\":826,\"caption\":\"Security Ever After\"},\"image\":{\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/russelleubanks\",\"https:\/\/www.linkedin.com\/in\/russelleubanks\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/person\/38dd34bdece8068be18430e4c96ce5f3\",\"name\":\"Russell\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8567bffe1f64223494326650c53f921b?s=96&r=pg\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/8567bffe1f64223494326650c53f921b?s=96&r=pg\",\"caption\":\"Russell\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Unauthorized Change Detected! - Security Ever After - vCISO","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/securityeverafter.com\/unauthorized-change-detected\/","og_locale":"en_US","og_type":"article","og_title":"Unauthorized Change Detected! - Security Ever After - vCISO","og_description":"I recently posted the below on the SANS Internet Storm Center. How do you detect what has changed in your environment? Is it possible to think beyond the alerts you get from your tools and consider what changes that you absolutely need to know about when they occur? 
When systems in your environment move from \u201cnormal” to “abnormal”, would you […]","og_url":"https:\/\/securityeverafter.com\/unauthorized-change-detected\/","og_site_name":"Security Ever After - vCISO","article_published_time":"2017-03-11T15:44:00+00:00","author":"Russell","twitter_card":"summary_large_image","twitter_creator":"@russelleubanks","twitter_site":"@russelleubanks","twitter_misc":{"Written by":"Russell","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/securityeverafter.com\/unauthorized-change-detected\/#article","isPartOf":{"@id":"https:\/\/securityeverafter.com\/unauthorized-change-detected\/"},"author":{"name":"Russell","@id":"https:\/\/securityeverafter.com\/#\/schema\/person\/38dd34bdece8068be18430e4c96ce5f3"},"headline":"Unauthorized Change Detected!","datePublished":"2017-03-11T15:44:00+00:00","dateModified":"2017-03-11T15:44:00+00:00","mainEntityOfPage":{"@id":"https:\/\/securityeverafter.com\/unauthorized-change-detected\/"},"wordCount":374,"commentCount":0,"publisher":{"@id":"https:\/\/securityeverafter.com\/#organization"},"articleSection":["cyber security","SANS"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/securityeverafter.com\/unauthorized-change-detected\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/securityeverafter.com\/unauthorized-change-detected\/","url":"https:\/\/securityeverafter.com\/unauthorized-change-detected\/","name":"Unauthorized Change Detected! 
- Security Ever After - vCISO","isPartOf":{"@id":"https:\/\/securityeverafter.com\/#website"},"datePublished":"2017-03-11T15:44:00+00:00","dateModified":"2017-03-11T15:44:00+00:00","breadcrumb":{"@id":"https:\/\/securityeverafter.com\/unauthorized-change-detected\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/securityeverafter.com\/unauthorized-change-detected\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/securityeverafter.com\/unauthorized-change-detected\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/securityeverafter.com\/"},{"@type":"ListItem","position":2,"name":"Unauthorized Change Detected!"}]},{"@type":"WebSite","@id":"https:\/\/securityeverafter.com\/#website","url":"https:\/\/securityeverafter.com\/","name":"Security Ever After - CISO","description":"vCISO","publisher":{"@id":"https:\/\/securityeverafter.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/securityeverafter.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/securityeverafter.com\/#organization","name":"Security Ever After","url":"https:\/\/securityeverafter.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/securityeverafter.com\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/securityeverafter.com\/wp-content\/uploads\/2020\/04\/SECURITY-e1589664916497.jpg?fit=1169%2C826&ssl=1","contentUrl":"https:\/\/i0.wp.com\/securityeverafter.com\/wp-content\/uploads\/2020\/04\/SECURITY-e1589664916497.jpg?fit=1169%2C826&ssl=1","width":1169,"height":826,"caption":"Security Ever 
After"},"image":{"@id":"https:\/\/securityeverafter.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/russelleubanks","https:\/\/www.linkedin.com\/in\/russelleubanks\/"]},{"@type":"Person","@id":"https:\/\/securityeverafter.com\/#\/schema\/person\/38dd34bdece8068be18430e4c96ce5f3","name":"Russell","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/securityeverafter.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/8567bffe1f64223494326650c53f921b?s=96&r=pg","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/8567bffe1f64223494326650c53f921b?s=96&r=pg","caption":"Russell"}}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/posts\/254"}],"collection":[{"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/comments?post=254"}],"version-history":[{"count":0,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/posts\/254\/revisions"}],"wp:attachment":[{"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/media?parent=254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/categories?post=254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/tags?post=254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}