Extreme Archiving, Part 2: Understanding the ‘Normal’

You are a security analyst, sitting in the SOC, and you receive an alert that the user on machine 65.43.55.01 is accessing the customer database and initiating a backup. Should you worry?

It seems like an easy question to solve; either this user is supposed to be taking backups of the customer database and all is well, or else we have a security problem. Unfortunately, in many instances today, it’s quite difficult to answer the simple question: is this normal behavior, or not?

While no security professional secretly pines for the days of viruses and SQL injections, there was a certain simplicity to cyber-attacks a decade ago. That is, it was usually easy to see that a particular action was unwanted and unpleasant. Attacks were transactional: a bad guy enters a certain…


Link to Full Article: Extreme Archiving, Part 2: Understanding the ‘Normal’