How to Detect a Data Breach


As a small or mid-size company you may feel limited in what you can do to detect a data breach, but this week’s discussion in the Back to Basics Series: How to Detect a Data Breach covers concrete steps you can implement.

The panel is hosted by SideChannel’s Managing Partner, Brian Haugli, and this session’s guests are Adriana Petrillo, J.D., CISSP, Cyber Security Specialist, CISA, and SideChannel’s Principal Consultant & vCISO, Terry Chapman.

Start with the Basics

It wouldn’t be a proper “Back to Basics” if we didn’t start with, well, the basics. A good plan of attack for determining the best way to detect a data breach begins with laying the proper groundwork, and the NIST Cybersecurity Framework provides a solid foundation for this with its five core functions: Identify, Protect, Detect, Respond, Recover.

For organizations with limited time and money, the best approach to detection starts with the people, and that holds for any size of company. What security awareness training have they had, and how successful was that program? What are the people touching (meaning what applications are they using: email, social media, desktop apps)? And what devices are they engaging with regularly?

Additionally, assess what types of data the company holds and where it faces the biggest threats - is it the finance department, physical systems, etc.?

And of course include a basic asset inventory, so that you know everything you need to protect before you start.

How to Detect Potential Threats for Mid-Size Businesses?

Once you’ve done your initial assessment of who and what you’re protecting, you need to determine how to detect threats. There needs to be some baseline of technical controls that monitor and log activity, whether email filtering or URL filtering, along with administrative controls. Basic access management monitoring (who is authenticating, from where, and with what privileges) is essential as well. Adriana also recommended monitoring for anomalies in data access: data being touched, moved or used in ways that are out of place for the person or system involved.

How to Make the Most of a Limited Budget for Detection?

Some practical, budget-friendly implementations, along with good guidelines for getting the most out of detection and protection, include:

  • Training and awareness for company employees. This is relatively low cost with high returns. Along with in-person sessions, there are basic security awareness training solutions available; Wizer Training is one such solution that provides free and affordable training that is engaging and effective.

  • Investing in policies and procedures. Low cost financially, but an investment in time. The time dedicated to laying out solid policies and procedures saves both time and money, by preventing incidents or responding to them quickly. A user-friendly guide that tells people in the company clearly how to handle the data they work with and how to address particular online interactions provides additional long-term wins.

  • Brian suggested the low-cost but effective method of canary tokens to gain insight into possible incidents requiring attention. Create decoy admin users in Active Directory that nobody legitimately uses, and monitor for any authentication attempt against those accounts: since no one should ever touch them, a single hit is a signal, not noise. Similarly, plant a fake file, such as a bogus list of account passwords in a spreadsheet, and let it act as a honeypot that notifies admins should any access be detected. Both are low-cost ways of identifying potential threats and give you a starting point for knowing what additional protections may be needed.
  • Free canary tokens and instructions for use can be found here (thank you, Terry, for sharing this resource):

But what about a cloud or SaaS only environment?

Much the same principles apply. Canary files can be created in OneDrive or in AWS S3 buckets, as well as with other open source products, using basic tech. Once you receive an alert, determine what the process is from there to identify what is going on.
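As an added example, not code from the panel or from SideChannel, here is the alerting side of the canary approach, covering both the decoy Active Directory account from the list above and the decoy file in a cloud bucket: a small Python checker run over constructed Windows Security logon events and constructed S3 server access log lines. The decoy account names, the object key, the bucket and the requester identities are all hypothetical, and the sample log input is made up for the demo.

```python
"""Canary-account and canary-file alerting over sample logs.

Added example, not code from the panel or from SideChannel. Assumptions:
the decoy names in CANARY_ACCOUNTS and CANARY_OBJECTS are hypothetical;
Windows Security events arrive as dicts keyed by their XML field names;
S3 access arrives as S3 server access log lines. All sample input below
is constructed for the demo.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Hypothetical decoys. Nothing legitimate ever uses these, so any
# appearance in a log is an alert, not a statistic to put a threshold on.
CANARY_ACCOUNTS = {"svc_backup_admin", "da_legacy"}   # decoy AD accounts
CANARY_OBJECTS = {"finance/passwords.xlsx"}            # decoy bucket key

# Logon-related Security event IDs: 4624 success, 4625 failure,
# 4768 Kerberos TGT request, 4776 NTLM credential validation.
LOGON_EVENT_IDS = {4624, 4625, 4768, 4776}


@dataclass(frozen=True)
class Alert:
    source: str    # "windows" or "s3"
    identity: str  # which canary was touched
    actor: str     # who touched it
    detail: str    # what happened, and from where


def check_windows_events(events):
    """Return an Alert for every logon-related event naming a canary account.

    Failed logons count too: a decoy being sprayed is as interesting as a
    decoy being used successfully.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") not in LOGON_EVENT_IDS:
            continue
        user = str(ev.get("TargetUserName", "")).lower()  # AD names are case-insensitive
        if user in CANARY_ACCOUNTS:
            alerts.append(Alert(
                source="windows",
                identity=user,
                actor=f"{ev.get('IpAddress', '?')} ({ev.get('WorkstationName', '?')})",
                detail=f"EventID {ev['EventID']} LogonType {ev.get('LogonType', '-')}",
            ))
    return alerts


# Leading fields of an S3 server access log line:
# owner bucket [time] remote_ip requester request_id operation key "request_uri" status ...
S3_LINE = re.compile(
    r"^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) "
    r"(?P<requester>\S+) (?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) "
)


def check_s3_lines(lines):
    """Return an Alert for every S3 log line whose object key is a canary.

    Any operation on the decoy key (GET, HEAD, COPY, ...) is flagged.
    Bucket-level requests log the key as "-" and so never match.
    Unparseable lines are skipped rather than crashing the detector.
    """
    alerts = []
    for line in lines:
        m = S3_LINE.match(line)
        if not m:
            continue
        key = unquote(m["key"])  # object keys are URL-encoded in the log
        if key in CANARY_OBJECTS:
            alerts.append(Alert(
                source="s3",
                identity=key,
                actor=m["requester"],
                detail=f"{m['op']} from {m['ip']} on bucket {m['bucket']} at {m['time']}",
            ))
    return alerts


# Constructed sample input (not real logs): one benign logon, one failed
# logon against a decoy, one Kerberos TGT request for the other decoy.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 2,
     "IpAddress": "10.0.0.21", "WorkstationName": "WS-021"},
    {"EventID": 4625, "TargetUserName": "svc_backup_admin", "LogonType": 3,
     "IpAddress": "10.0.0.50", "WorkstationName": "WS-050"},
    {"EventID": 4768, "TargetUserName": "DA_Legacy",
     "IpAddress": "::ffff:10.0.0.51"},
]

# Constructed sample S3 access log lines: a normal read, a read of the
# decoy file by a different IAM user, a bucket listing, and garbage.
SAMPLE_S3_LINES = [
    '79a59df900b949e5EXAMPLE acme-finance [06/Feb/2019:00:00:38 +0000] 192.0.2.3 '
    'arn:aws:iam::123456789012:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT '
    'reports/q3.pdf "GET /reports/q3.pdf HTTP/1.1" 200 - 3462 3462 70 10 "-" "aws-cli/2.4.0"',
    '79a59df900b949e5EXAMPLE acme-finance [06/Feb/2019:00:01:12 +0000] 198.51.100.7 '
    'arn:aws:iam::123456789012:user/contractor 7B4A0FABEXAMPLE REST.GET.OBJECT '
    'finance/passwords.xlsx "GET /finance/passwords.xlsx HTTP/1.1" 200 - 9104 9104 55 8 "-" "curl/7.68.0"',
    '79a59df900b949e5EXAMPLE acme-finance [06/Feb/2019:00:02:00 +0000] 192.0.2.3 '
    'arn:aws:iam::123456789012:user/alice A1206F460EXAMPLE REST.GET.BUCKET '
    '- "GET /?list-type=2 HTTP/1.1" 200 - 1024 - 20 5 "-" "aws-cli/2.4.0"',
    'not a log line at all',
]


if __name__ == "__main__":
    for alert in check_windows_events(SAMPLE_EVENTS) + check_s3_lines(SAMPLE_S3_LINES):
        print(alert)
```

Run stand-alone it prints three alerts: the failed logon and the TGT request against the two decoy accounts, and the contractor’s read of the decoy spreadsheet. The OneDrive variant is the same check against a different record shape (a Microsoft 365 audit record whose operation is a file access and whose object path is the decoy file). The design point that makes canaries cheap is visible in the code: there is no baseline, no threshold and no tuning, because the expected hit count for a decoy is zero.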

Software recommendations for data discovery and inventory are unfortunately mainly geared toward the enterprise, because of the hefty price tag of the tech solutions. Verona and Alpide are potential solutions if your budget allows for them. The challenge with open source solutions is the many false positives they tend to yield, which works against the goal of detection with minimal noise, so that scarce human attention goes where it matters.

The main consensus in this area is to focus on understanding where the key data is within your company and concentrate on protecting those vital areas.

Detection informs response and what to do next, BUT it should also feed back into what should be done better around specific protections.

What are some other ground rules for SMBs to consider in a Detection plan?

A good detection plan must include an incident response plan, because simply detecting is not enough: it should be clear what the next steps are once a detection occurs. This saves time and money and leads to quicker resolution.

  • First, take time to think through the likely scenarios for your space. For example, if a credential stuffing attack is a real possibility, walk through what communication will look like and how the response will unfold.
  • Play through the risks, prioritize them by how likely each is to happen, and think ahead of time about what the responses will look like. This also helps prioritize where to place people and budget first.

  • Use policies and procedures to create guidelines and to communicate clearly who on the team is responsible for what in specific situations; this brings long-term wins.
    • It’s important to identify teams beforehand and ensure there is a team in place for every aspect of the business. Creating these processes before the fire happens beats any on-the-fly process improvised during an actual fire. And like any good firefighting team, practice it (fire drill!), then tweak to improve it.

  • A business continuity plan is also critical, in addition to the above. Identify which specific systems are critical to business operations and determine what plans to implement to keep the business operating if those systems were completely shut down.

  • Once the above are in place, it’s build, test, test and test some more until you need it. Then evaluate, adjust and repeat.

What’s one common theme many SMBs miss?

One of the common failings in detection for many organizations is not patching vulnerabilities in a reasonable timeframe, which leads to more vulnerabilities and more incidents.

One recommended solution is investing in understanding how to patch vulnerabilities faster. This takes resources, but also investment in policy and procedure changes. After an incident happens, evaluate how to avoid having to detect and resolve the same issue over and over. Consider the process behind patching: identifying, prioritizing and closing high-severity vulnerability gaps as efficiently as possible.

Is focusing on what is top-of-mind for leadership a good rule of thumb to follow?

As usual, it depends. What is foremost in the news for leadership is not necessarily relevant to your company’s space, and it may take the focus off what is critical for your industry.

Look at the news pieces from the past year, identify those that occurred within your organization’s market vertical, and use them to educate your leadership so they better understand their own exposure. Ecommerce sites, for example, face the specific challenge of fake websites imitating the legitimate business site, and credential stuffing attacks are far more relevant to them than an API attack that targeted the healthcare industry.

Creating a Threat Profile for Your Organization

Creating a threat profile for your organization is an excellent exercise that provides a concrete framework for identifying which threats to focus on and which to de-prioritize.

Key aspects to consider in creating a threat profile include:

  • Size
  • Sector
  • Geopolitical Location
  • Economics
  • News headlines from the past two years for your specific industry

A resource to aid in determining the attacks relevant to your particular industry vertical is the Verizon Data Breach Investigations Report (DBIR). This report breaks down the various threats by sector and is a good starting point for understanding which threats are most prominent in your vertical. It’s also a great resource for educating leadership.

Brick by brick

Creating a solid plan for detecting threats, and for the incident response that follows, is not a quick process; it is something built slowly over time. As each brick is put in place and added to your wall of defence, the wall strengthens and improves. It’s a long-term endeavour with constant maintenance and revision as situations arise, but establishing the basics and building from them will strengthen your business as it grows.


Resources from our Panelists

Brian Haugli - Host, Managing Partner at SideChannel, Founder of, Host of #CISOlife

Adriana Petrillo, J.D., CISSP - Panelist, Cyber Security Specialist, CISA

Terry Chapman - Panelist, Principal Consultant & vCISO, SideChannel