Anomalous activity is detected in a timely manner and the potential impact of events is understood.
Statistical anomalies: If a measured, important value crosses a threshold or deviates from any kind of mathematical norm, this can be used as an indicator of malicious activity. For example, if a user typically sends 2GB of data a day but is now sending 2TB, this might be a sign of data exfiltration.
Heuristic anomalies: These are general suspicious behaviors that correspond to actions a malicious actor takes during an attack cycle. For example, if an organization sees many open connections to a country where it does not conduct business, this should be a warning sign. Likewise, if a point-of-sale system only ever runs a known set of processes and a new one suddenly appears, it should be treated as highly suspect.
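The two kinds of check above, as an added example that is not part of the original text: a statistical test on per-user daily egress (the 2GB-versus-2TB case) and heuristic tests for an unexpected process on a POS host and repeated connections to a non-business country. All sample data, thresholds, host names and the process allowlist are constructed for illustration.

```python
import statistics
from collections import Counter

# Constructed sample data (not from the page): seven days of egress bytes per user.
GB = 1024 ** 3
TB = 1024 ** 4
BASELINE_EGRESS = {
    "alice": [2 * GB, 2 * GB, 1.8 * GB, 2.2 * GB, 2 * GB, 1.9 * GB, 2.1 * GB],
    "bob": [500 * 1024 ** 2] * 7,  # flat history: standard deviation is zero
}
TODAY_EGRESS = {"alice": 2 * TB, "bob": 450 * 1024 ** 2}

# Baselines for the heuristic checks (constructed): what a POS host normally runs
# and which countries the business actually deals with.
POS_EXPECTED_PROCESSES = {"pos.exe", "printer_svc.exe", "inventory_sync.exe"}
BUSINESS_COUNTRIES = {"US", "CA"}
PROCESS_EVENTS = [("pos-07", "pos.exe"), ("pos-07", "printer_svc.exe"),
                  ("pos-07", "svchost_upd.exe")]
CONNECTION_EVENTS = [("pos-07", "US"), ("pos-07", "ZZ"), ("pos-07", "CA"),
                     ("pos-07", "ZZ"), ("pos-07", "ZZ"), ("pos-12", "ZZ")]

def egress_anomalies(baseline, today, max_ratio=10.0, z_limit=4.0):
    """Statistical check: flag a user whose volume is at least max_ratio times
    their median, or z_limit standard deviations above their mean."""
    findings = []
    for user, history in baseline.items():
        median = statistics.median(history)
        mean = statistics.fmean(history)
        stdev = statistics.pstdev(history)
        observed = today.get(user, 0)
        ratio = observed / median if median else float("inf")
        # A flat history has no spread, so only the ratio test is meaningful there.
        z = (observed - mean) / stdev if stdev else 0.0
        if ratio >= max_ratio or z >= z_limit:
            findings.append((user, round(ratio, 1), round(z, 1)))
    return findings

def heuristic_anomalies(process_events, connection_events, min_foreign=2):
    """Heuristic check: a process outside the POS allowlist, or repeated
    connections to a country the business has no dealings with."""
    findings = [(host, "unexpected_process", proc)
                for host, proc in process_events if proc not in POS_EXPECTED_PROCESSES]
    foreign = Counter((h, c) for h, c in connection_events if c not in BUSINESS_COUNTRIES)
    for (host, country), n in foreign.items():
        if n >= min_foreign:
            findings.append((host, "foreign_connections", f"{country}:{n}"))
    return findings
```

Run `egress_anomalies(BASELINE_EGRESS, TODAY_EGRESS)` and `heuristic_anomalies(PROCESS_EVENTS, CONNECTION_EVENTS)` to see the flagged user, the unlisted process and the repeated out-of-footprint connections; the thresholds are starting points to tune against real baselines.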