Recently, I had the great opportunity to discuss network security over dinner with one of the world’s best security practitioners. I learned that keeping bad actors from eventually getting inside a network is nearly impossible. While we maintain our vigilance at our borders, over time we should assume our network will be penetrated, so the key to preventing exfiltration (which generally follows) is to look for networking anomalies.
Look for network activity that is abnormal, unusual, or otherwise departs from the established norm. Techniques for this kind of “hunting” are expensive to implement, and their results are hard to interpret because false positives are frequent, but they are a necessary evil.
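To make the “look for anomalies” idea concrete, here is an added example of the simplest form such a hunt takes: build a per-host baseline of daily outbound volume, then flag days that sit far outside it. This is not code from the original post; the flow records, host names (`ws-101`, `ws-102`, `srv-201`) and thresholds are all constructed for illustration. It also shows the false-positive problem the post mentions: a host with a perfectly flat baseline turns a harmless bump into an enormous z-score, so a second gate (a minimum ratio over the mean) is needed to keep the alert list readable.

```python
"""Added example (not from the original post): a toy baseline-and-deviation
hunt for unusual outbound data volume per internal host.  Every record
below is constructed sample data; host names and thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev


def _daily(host, volumes):
    """Expand a list of per-day byte counts into (day, host, bytes) rows."""
    return [(day, host, nbytes) for day, nbytes in enumerate(volumes)]


# Constructed flow summaries: (day, internal_host, bytes_sent_to_external).
# Days 0-6 are the baseline week; day 7 is the day under review.
FLOWS = (
    _daily("ws-101", [1.1e6, 0.9e6, 1.0e6, 1.2e6, 0.8e6, 1.0e6, 1.1e6])
    + _daily("ws-102", [3.0e6, 2.8e6, 3.1e6, 2.9e6, 3.2e6, 3.0e6, 2.9e6])
    + _daily("srv-201", [5.0e6] * 7)          # perfectly flat baseline
    + [
        (7, "ws-101", 1.0e6),   # ordinary day for ws-101
        (7, "ws-102", 48.0e6),  # ws-102 pushes ~16x its usual volume outward
        (7, "srv-201", 5.5e6),  # srv-201 is up 10%: harmless, but z-score explodes
    ]
)


def build_baseline(flows, baseline_days):
    """Per-host (mean, population std-dev) of daily outbound bytes over the
    baseline window."""
    per_host = defaultdict(list)
    for day, host, nbytes in flows:
        if day < baseline_days:
            per_host[host].append(nbytes)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def hunt(flows, baseline_days=7, z_threshold=4.0, min_ratio=3.0):
    """Return (host, day, z_score, ratio) for days that exceed the baseline.

    Two gates are applied on purpose.  A z-score alone over-fires on hosts
    whose baseline variance is near zero (srv-201 above), and a ratio alone
    over-fires on naturally bursty hosts.  Requiring both trades a little
    recall for far fewer false positives, which is the cost the text warns
    about.  Hosts with no baseline at all are skipped here; in practice they
    would need their own "new talker" rule."""
    baseline = build_baseline(flows, baseline_days)
    alerts = []
    for day, host, nbytes in flows:
        if day < baseline_days or host not in baseline:
            continue
        mu, sigma = baseline[host]
        sigma = max(sigma, 1.0)            # guard against a flat baseline
        z = (nbytes - mu) / sigma
        ratio = nbytes / mu if mu else float("inf")
        if z > z_threshold and ratio > min_ratio:
            alerts.append((host, day, round(z, 1), round(ratio, 1)))
    return alerts


if __name__ == "__main__":
    for alert in hunt(FLOWS):
        print("ANOMALY host=%s day=%d z=%.1f ratio=%.1fx" % alert)
    print("z-score only would have raised:", len(hunt(FLOWS, min_ratio=1.0)))
```

Running it with both gates raises a single alert for `ws-102`; relaxing `min_ratio` to 1.0 adds `srv-201` as well, which is exactly the kind of noise that makes these hunts hard to interpret. Real deployments replace the daily byte totals with flow or proxy logs and tune the thresholds per environment, but the shape of the logic is the same.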