Simplifying security auditing, Part 3: Keeping insider threats in check
1. Logons and logoffs. Several attack variants require a logon at some point in the attack pattern. Tracking and reviewing logon activity on a daily basis is mandatory for detecting suspicious behavior. For example, if an end user has multiple failed logon attempts while trying to access a critical server, this could indicate a brute force attack.
2. Changes, of course! Changes made to users, computers, groups, OUs, and GPOs are all important and must be tracked. In addition to scheduling reports to review these changes periodically, you need to set up alerts so that you're notified about critical changes such as the example mentioned earlier.
3. User behavior. You need more than basic log auditing in place to truly stay on top of insider threats. User behavior analytics (UBA), a feature that more SIEM solutions are starting to include, extends the scope of SIEM by applying techniques such as machine learning and statistical analysis to the audit data. For example, if a user normally works from 9am to 5pm but accesses a file server and copies data at 11pm, the UBA module can instantly detect this anomaly and raise an alarm.
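As an added example (not from the post or from any product it mentions), the two checks described in items 1 and 3 in plain Python over constructed, SIEM-normalised events: a sliding-window failed-logon detector for the brute-force case, and a per-user working-hours baseline learned from history for the off-hours file-server anomaly. The event names, hosts, users and timestamps are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HISTORY = [  # constructed baseline events (not from the post): (timestamp, user, action, host)
    ("2023-09-04 09:02", "alice", "logon_ok", "fs01"),
    ("2023-09-04 16:55", "alice", "file_read", "fs01"),
    ("2023-09-05 08:10", "bob", "logon_ok", "fs01"),
    ("2023-09-05 15:40", "bob", "file_read", "fs01"),
]
TODAY = [  # constructed events for the day under review; alice normally works 09-17, bob 08-16
    ("2023-09-06 23:05", "alice", "logon_ok", "fs01"),    # off-hours logon
    ("2023-09-06 23:07", "alice", "file_copy", "fs01"),   # off-hours copy from the file server
    ("2023-09-06 11:00", "bob", "logon_failed", "dc01"),
    ("2023-09-06 11:01", "bob", "logon_failed", "dc01"),
    ("2023-09-06 11:01", "bob", "logon_failed", "dc01"),
    ("2023-09-06 11:02", "bob", "logon_failed", "dc01"),
    ("2023-09-06 11:03", "bob", "logon_failed", "dc01"),
]

_ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")  # parse the normalised timestamp

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    # {(user, host): n} where n >= threshold failures fall inside one sliding window
    failures = defaultdict(list)
    for ts, user, action, host in events:
        if action == "logon_failed":
            failures[(user, host)].append(_ts(ts))
    alerts = {}
    for key, times in failures.items():
        start, times = 0, sorted(times)
        for end, t in enumerate(times):
            while t - times[start] > window:        # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = max(alerts.get(key, 0), end - start + 1)
    return alerts

def learn_hours(history):
    # per-user baseline: earliest and latest hour of the day seen in the history period
    hours = defaultdict(list)
    for ts, user, _action, _host in history:
        hours[user].append(_ts(ts).hour)
    return {user: (min(h), max(h)) for user, h in hours.items()}

def off_hours_activity(events, baseline, slack=1):
    # events more than `slack` hours outside the user's learned hours; unseen users pass
    def outside(event):
        lo, hi = baseline.get(event[1], (0, 23))
        return not lo - slack <= _ts(event[0]).hour <= hi + slack
    return [event for event in events if outside(event)]
```

Both functions return the offending records rather than printing them, so they can feed an alerting rule directly.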
While Active Directory logs may be one of the most crucial log sources for SIEM, they don't cover everything of importance. Your cloud platforms such as AWS, Azure, and Office 365 see both changes to and interactions with data, meaning their logs must be audited in order to comprehensively track insider threats.
Stay tuned for part 4 where we will talk about auditing and securing web servers. Also, be sure to register for our free webinar on real-time file server auditing.
Topic: Securing file servers and mitigating ransomware
Date and time: Sep 13th, 3pm IST