Insider threats are on the rise. In fact, both administrators and average employees are among the biggest security threats in an organization. When it comes to security auditing, there are two areas you need to focus on: Active Directory changes and individual user activity, particularly administrator activity.
Changes have the potential to create security loopholes. A single change can break your security systems—one example is if a regular user in your organization is added to a group with administrator privilege. If that user is added to the Domain Admins group, they’ll have unrestricted privileged access, which would violate your security policy. Unintended or unapproved changes of this magnitude need to be reverted immediately, which highlights the importance of real-time log auditing. Furthermore, because individual users are constantly interacting with systems that store sensitive data, it’s important to watch over their daily activities, including which systems they log in to, the files and folders they access, and other operations they perform.
Let’s look at a few important things that need to be tracked:
1. Logons and logoffs. Several attack variants require a logon at some point in the attack pattern. Tracking and reviewing logon activity on a daily basis is mandatory for detecting suspicious behavior. For example, if an end user has multiple failed logon attempts while trying to access a critical server, this could indicate a brute force attack.
2. Changes, of course! Changes made to users, computers, groups, OUs, and GPOs are all important and must be tracked. In addition to scheduling reports to review these changes periodically, you need to set up alerts so that you’re notified about critical changes such as the example mentioned earlier.
3. User behavior. You need to have more than just basic log auditing measures in place to truly stay on top of insider threats. User behavior analytics (UBA), a feature which more SIEM solutions are starting to have, extends the scope of SIEM by using techniques such as machine learning and statistical analysis. For example, if a user normally works from 9am to 5pm but accesses a file server and copies data at 11pm, the UBA module will be able to instantly detect this anomaly and raise an alarm.
While Active Directory logs may be one of the most crucial log sources for SIEM, they don’t cover everything of importance. Your cloud platforms such as AWS, Azure, and Office 365 see both changes to and interactions with data, meaning their logs must be audited in order to comprehensively track insider threats.
Stay tuned for part 4 where we will talk about auditing and securing web servers. Also, be sure to register for our free webinar on real-time file server auditing.
Topic: Securing file servers and mitigating ransomware
Date and time: Sep 13th, 3pm IST