Operationalize security and compliance monitoring
When everything is following the usual patterns
See what assets, users and systems you have and what they are doing.
Then, when intrusive activity occurs, detect and act swiftly
Get notified of anomalies produced by your environment as the intruder probes, scans, exploits and performs activity out of the norm.
You may find that someone is trying to access sensitive files, a lot.
After a breach, go back in time and review how the anomalies happened across the environment over time.
After the fact, don’t forget to tag the data so it can be detected again.
Tie the learnings from incidents, postmortems, etc. to the data by adding knowns and tags to it.
Finally, if the hacker reappears, alert the right person.
Notify on anomalies in Slack, forward them to SIEM systems, or build custom event-driven automations by tying actions to events.