Simplifying security auditing, Part 2: Auditing systems that store sensitive data
You need to know who accessed an object, which object was accessed, when the object was accessed, and what the changed values are. These are some events you should be tracking on your file servers:
File accesses
File creations
File movements
File deletions
File renamings
File modifications
File permission changes
SACL changes
Remember, while reviewing these events, you need to track both successful and failed attempts. We also recommend generating granular reports based on specific users and processes so that you get in-depth insight into file server activity. You can also configure alerts for indicators of compromise (IOCs) such as the occurrence of several file modifications within a short period of time, which could indicate ransomware activity in your environment.
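As an added example (not code from the original post), the "several file modifications within a short period" indicator described above, implemented as detection logic over a handful of constructed file server audit events; the event fields, user names and UNC paths are assumptions made for illustration.

```python
# Added example: flag users who modify many files within a short window,
# the ransomware-style IOC the post describes. The event fields, names and
# paths below are constructed for illustration, not taken from a real log.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, user, event, outcome, path)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice", "modify", "success", r"\\fs01\finance\q1.xlsx"),
    ("2024-01-10T09:00:02", "alice", "modify", "success", r"\\fs01\finance\q2.xlsx"),
    ("2024-01-10T09:00:03", "alice", "modify", "success", r"\\fs01\finance\q3.xlsx"),
    ("2024-01-10T09:00:05", "alice", "modify", "success", r"\\fs01\finance\q4.xlsx"),
    ("2024-01-10T09:00:06", "alice", "rename", "success", r"\\fs01\finance\q4.xlsx"),
    ("2024-01-10T09:00:07", "alice", "modify", "success", r"\\fs01\finance\budget.docx"),
    ("2024-01-10T09:01:00", "bob",   "modify", "success", r"\\fs01\hr\notes.txt"),
    ("2024-01-10T09:45:00", "bob",   "modify", "success", r"\\fs01\hr\plan.txt"),
    ("2024-01-10T09:46:00", "carol", "read",   "failure", r"\\fs01\finance\q1.xlsx"),
    ("2024-01-10T09:46:05", "carol", "read",   "failure", r"\\fs01\finance\q2.xlsx"),
]

def parse_events(raw):
    """Convert the tuples into dicts with a real datetime, sorted by time."""
    parsed = [dict(ts=datetime.fromisoformat(ts), user=u, event=e, outcome=o, path=p)
              for ts, u, e, o, p in raw]
    return sorted(parsed, key=lambda ev: ev["ts"])

def detect_modification_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {user: distinct paths touched} for users with at least `threshold`
    successful modify/rename events inside any sliding window of `window`."""
    recent = defaultdict(deque)  # user -> change events still inside the window
    flagged = {}
    for ev in events:
        if ev["event"] not in ("modify", "rename") or ev["outcome"] != "success":
            continue
        q = recent[ev["user"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # evict events older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in flagged:
            flagged[ev["user"]] = sorted({e["path"] for e in q})
    return flagged

def count_outcomes(events):
    """Successful vs. failed attempts per user; both must be tracked."""
    counts = defaultdict(lambda: {"success": 0, "failure": 0})
    for ev in events:
        counts[ev["user"]][ev["outcome"]] += 1
    return dict(counts)

print(detect_modification_bursts(parse_events(SAMPLE_EVENTS)))
```

With the sample data only alice trips the threshold (five change events within seven seconds), while carol's repeated failed reads show up in the per-user outcome counts rather than the burst report.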
When it comes to databases, you need to track:
DML events such as selections and updates made to tables.
DDL events such as the creation, dropping, or alteration of databases, tables, and procedures.
Server activity such as startups and shutdowns.
User account activity including the creation and modification of users and roles.
Advanced SIEM solutions can go a step further and correlate activity in your file servers, databases, and other parts of your network to detect complex attack patterns. They can also detect anomalies using machine learning, a feature known as UBA (user behavior analytics).
Stay tuned for part 3 where we'll dive into auditing Active Directory in real-time. In the meantime, download our 10 crucial audit reports for IT security e-book.