Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What Is Anomaly Detection?

An anomaly is anything that deviates from an established baseline, which might include a spike in the number of files being changed, a spike in the number of products sold, a rapid increase in network traffic, or even a spike in the temperature of a server’s CPU.

Anomaly detection is used for a variety of purposes, including monitoring system usage and performance, business analysis, fraud detection, and more.

Having the ability to detect anomalies will help organizations prevent security breaches, determine whether critical systems have failed or are about to fail, and improve the overall integrity of their data.

What Are the Different Types of Anomalies?

There are three types of anomalies, which are as follows:

Global (or point) anomalies

This is a simple type of anomaly where one or more events occur at a rate that is either much higher or lower than average.

Contextual anomalies

This is where one or more events may appear anomalous if taken out of context. Alternatively, the events may seem normal without context, but turn out to be anomalous when the context is determined.

Collective anomalies

These types of anomalies are only visible when observing a collection of data points over time.

Simple (global) anomalies can be detected using basic statistical analysis. However, for contextual or collective anomalies, more advanced methods may be required, which might include the use of artificial intelligence and machine learning techniques.

How Do You Avoid Anomalies?

The truth is, you can’t directly avoid anomalies, because in many cases, without context, they are indistinguishable from regular activity. This means you can’t implement controls that directly prevent anomalies from occurring, since doing so would also prevent legitimate users and systems from accessing the resources they need to perform their roles.

That said, there are many things that can be done to detect, alert on and respond to anomalies. Before you start, it is a good idea to have a tried and tested incident response plan in place, which can be executed when serious anomalies are detected. It is also a good idea to adopt a zero-trust architecture, which assumes that breaches are inevitable and requires users, services and systems to verify themselves every time they need access to critical resources.

A well-thought-out zero-trust architecture will help to minimize the number of anomalies that arise. Beyond that, it is a case of classifying data, setting up robust access controls, and monitoring for irregular activity patterns, which are explained in more detail below.

Data Discovery and Classification

Organizations tend to have data scattered across endpoints, servers, cloud-based storage containers, and more. This naturally makes it harder for them to determine what data they store, where it is located, and how it is being accessed and used. Using automated data classification software will help organizations discover and classify their critical assets, which in turn helps them set up access controls and derive meaningful insights into how the data is being accessed, thus providing better anomaly detection.

Data-Centric Audit and Protection

A real-time Data-Centric Audit and Protection (DCAP) solution will help organizations detect and respond to anomalies. Most sophisticated Data-Centric Audit and Protection solutions use machine learning techniques to establish a baseline that represents the typical usage patterns for a given organization. The solution will automatically compare the current usage patterns with the baseline in order to determine if the events are anomalous.

If an anomaly is detected, a real-time alert will be sent to the administrator’s inbox or mobile device, and they will also be able to see a list of all events via a single dashboard. This will enable them to make an informed decision about the significance/relevance of the anomaly.

Modern Data-Centric Audit and Protection solutions like Lepide Auditor are able to detect and respond to events that match a pre-defined threshold condition.

Some real-life examples would include multiple failed login attempts, or multiple files being encrypted in a short period of time, which may suggest that a ransomware attack is underway. In such cases, a custom script can be executed to disable a user account, stop a specific process, change the firewall settings, or shut down the affected server.
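The two detection approaches the article describes, basic statistical analysis for global (point) anomalies and pre-defined threshold conditions on audit events, as an added Python example that is not Lepide's code. The hourly file-change baseline and the failed-login audit events are constructed sample data, and the z-score cutoff and the window/limit values are assumed thresholds, not values from the article.

```python
from collections import deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed baseline: files modified per hour by one account over 12 hours.
BASELINE_HOURLY_FILE_CHANGES = [12, 9, 15, 11, 14, 10, 13, 12, 8, 16, 11, 13]


def point_anomaly(baseline, observed, z_threshold=3.0):
    """Global (point) anomaly check: returns (is_anomalous, z), where z is how
    many baseline standard deviations the observed count lies from the mean."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:  # flat baseline: any deviation at all counts as anomalous
        return observed != mu, 0.0
    z = (observed - mu) / sigma
    return abs(z) > z_threshold, z


# Constructed audit events: (ISO timestamp, account, event type).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "alice", "LOGIN_FAILED"),
    ("2024-05-01T09:00:20", "alice", "LOGIN_FAILED"),
    ("2024-05-01T09:00:41", "bob", "LOGIN_FAILED"),
    ("2024-05-01T09:00:55", "alice", "LOGIN_FAILED"),
    ("2024-05-01T09:01:10", "alice", "LOGIN_FAILED"),
    ("2024-05-01T09:01:30", "alice", "LOGIN_FAILED"),
    ("2024-05-01T09:02:00", "alice", "LOGIN_SUCCESS"),
    ("2024-05-01T09:45:00", "bob", "LOGIN_FAILED"),
]


def threshold_alerts(events, event_type, limit, window_seconds):
    """Pre-defined threshold rule: alert when one account produces `limit`
    events of `event_type` within `window_seconds`. The events that fired an
    alert are consumed, so a sustained burst yields one alert per `limit`."""
    window = timedelta(seconds=window_seconds)
    recent, alerts = {}, []
    for ts_str, account, kind in sorted(events):
        if kind != event_type:
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent.setdefault(account, deque())
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= limit:
            alerts.append((account, ts_str, len(q)))
            q.clear()
    return alerts
```

With the sample data, `point_anomaly(BASELINE_HOURLY_FILE_CHANGES, 240)` flags the spike while a count of 14 does not, and `threshold_alerts(SAMPLE_EVENTS, "LOGIN_FAILED", 5, 300)` raises a single alert for alice's five failures inside five minutes while bob's two widely spaced failures stay below the threshold.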

If you’d like to see how the Lepide Data Security Platform can help you detect and respond to anomalies, schedule a demo with one of our engineers.