windows security log monitoring - feb 2010

Upload: gob7

Post on 10-Apr-2018


  • 8/8/2019 Windows Security Log Monitoring - Feb 2010

    1/15

    7/15

    Symptai Consulting Limited SymSure Enterprise

    SymSure for Windows Log Monitoring

    Events can be analysed regardless of source: multiple machines & servers, or log repositories & collection points

    Filter and summarize at initial extraction

    Event context analysis: evaluate events historically

    Compare multiple events across machines; correlate application events with security events

    Event / issue management: built-in workflow to manage distribution and remediation

    Compliance reporting: cumulative database allows for reporting over any period of time

    8/15

    SymSure for Windows Log Monitoring

    [Diagram; only its labels survive in the transcript: ERP System (SAP); Legacy Application (Requisitions)]

    9/15

    Windows Log Monitoring: Cross-Process SOD

    Sample Scenario: Off-Hours Logins & SAP Access

    SymSure extracts users who logged in between 6:00pm and 5:00am. The extract is summarized by group, e.g. Procurement Users, and the user data includes the IP address.

    Procurement user Donovan is extracted.

    He logged into the domain (from IP 64.71.35.16) at 10:24pm and logged out at 11:03pm.

    SymSure then looks for either Donovan or the IP address in the SAP user logs, filtering for a login after 10:24pm and before 11:03pm. Donovan is not found. However, DHarry logged into SAP from IP 64.71.35.16; she logged in at 10:29pm and logged off at 10:50pm. DHarry is not in Procurement but is a GL Adjuster.

    Why did Donovan log in as a GL Adjuster?
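The three steps of the scenario (extract off-hours domain logons for a group, look up the same user or the same source IP in the SAP user log inside the session window, flag the case where the SAP identity differs) as an added worked example. This is editor-written illustration code, not SymSure's product or output; the record layouts, the field names and the sample sessions are constructed to mirror the slide, and Alice, Marcus and the second DHarry record are added only to show what the filters exclude.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed records modelled on the slide's scenario (not SymSure output).
# Field names are assumptions; a real extract would come from the domain
# logon/logoff events and from the SAP user log respectively.

@dataclass
class DomainSession:
    user: str
    group: str
    ip: str
    logon: datetime
    logoff: datetime

@dataclass
class SapLogon:
    user: str
    role: str
    ip: str
    logon: datetime
    logoff: datetime

DOMAIN_SESSIONS = [
    DomainSession("Donovan", "Procurement", "64.71.35.16",
                  datetime(2010, 2, 3, 22, 24), datetime(2010, 2, 3, 23, 3)),
    # Daytime session: must not be selected by the off-hours filter.
    DomainSession("Alice", "Procurement", "10.0.0.5",
                  datetime(2010, 2, 3, 9, 0), datetime(2010, 2, 3, 17, 30)),
    # Off-hours session from another group: excluded when group="Procurement".
    DomainSession("Marcus", "Finance", "10.0.0.9",
                  datetime(2010, 2, 3, 19, 10), datetime(2010, 2, 3, 20, 0)),
]

SAP_LOGONS = [
    SapLogon("DHarry", "GL Adjuster", "64.71.35.16",
             datetime(2010, 2, 3, 22, 29), datetime(2010, 2, 3, 22, 50)),
    SapLogon("Alice", "Procurement", "10.0.0.5",
             datetime(2010, 2, 3, 9, 5), datetime(2010, 2, 3, 10, 0)),
    # Same IP as Donovan but outside his session window: not correlated.
    SapLogon("DHarry", "GL Adjuster", "64.71.35.16",
             datetime(2010, 2, 3, 14, 0), datetime(2010, 2, 3, 15, 0)),
]

OFF_HOURS_START = time(18, 0)  # 6:00pm
OFF_HOURS_END = time(5, 0)     # 5:00am

def is_off_hours(t: datetime) -> bool:
    """True when the clock time falls in the overnight window, which wraps midnight."""
    clock = t.time()
    return clock >= OFF_HOURS_START or clock < OFF_HOURS_END

def off_hours_sessions(sessions, group=None):
    """Step 1: extract off-hours domain logons, optionally restricted to one group."""
    return [s for s in sessions
            if is_off_hours(s.logon) and (group is None or s.group == group)]

def overlaps(a_start, a_end, b_start, b_end) -> bool:
    return a_start <= b_end and b_start <= a_end

def sap_activity_during(session, sap_logons):
    """Step 2: SAP logons that fall inside the domain session and match the
    domain user OR the source IP address."""
    return [sap for sap in sap_logons
            if overlaps(session.logon, session.logoff, sap.logon, sap.logoff)
            and (sap.user.lower() == session.user.lower() or sap.ip == session.ip)]

def find_identity_mismatches(sessions, sap_logons, group=None):
    """Step 3: report cases where the SAP identity differs from the domain identity."""
    findings = []
    for s in off_hours_sessions(sessions, group):
        for sap in sap_activity_during(s, sap_logons):
            if sap.user.lower() != s.user.lower():
                findings.append((s, sap))
    return findings

if __name__ == "__main__":
    for s, sap in find_identity_mismatches(DOMAIN_SESSIONS, SAP_LOGONS, group="Procurement"):
        print(f"{s.user} ({s.group}) on {s.ip} {s.logon:%H:%M}-{s.logoff:%H:%M}; "
              f"SAP user {sap.user} ({sap.role}) {sap.logon:%H:%M}-{sap.logoff:%H:%M}")
```

Run as a script it prints the one finding from the slide: Donovan's domain session on 64.71.35.16 with DHarry's GL Adjuster session inside it. Matching on the IP address as well as the user name is what makes the finding possible; matching on user name alone would report nothing, since Donovan never appears in the SAP log. Because a shared IP (NAT, terminal server, DHCP reuse) can also produce this pattern, a finding is a question for the reviewer, as the slide's closing line puts it, not a conclusion.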

    10/15

    SymSure Demonstration

    11/15

    Sample Security Log Monitoring Tests

    1. Accounts that have never logged in
    2. Failed file share access attempts
    3. New accounts created
    4. Policy creation and amendments to existing policies
    5. RADIUS o/s failed authentication through dial-up or VPN access
    6. Access of system resources by persons on vacation
    7. Access of system resources at unusual times by persons on vacation
    8. Identify persons added to specified groups, e.g. Admins, Consultants, Users etc.
    9. Domain Controller added
    10. Identify computers added by OUs and not placed in Computers/Laptop groups
    11. Identify ex-employees with active accounts
    12. Identify users with multiple forced locks in a short period of time
    13. Identify logon attempts to restricted workstations
    14. Identify logon attempts with an invalid logon type
    15. Identify logon attempts with expired passwords and no password change
    16. Changes to user accounts
    17. Identify group changes (other than deletion, creation, or membership change)
    18. Identify attempted logon using expired accounts

    12/15

    Sample Security Log Monitoring Tests

    19. Logon success using a service account at console
    20. Identify attempts to logon with the default administrator account
    21. Logon failure with the Administrator username but unknown domain
    22. Identify change-password attempts by someone other than the account holder
    23. Identify re-enabled accounts
    24. Check for write access to GPO applied to the computer
    25. Identify instances where the log was cleared
    27. Identify network logons to local computers
    28. Identify users with write access to GPO applied to the computer they access
    29. Identify use of privileged rights
    30. Identify any modification to the Enterprise Administrators group of the forest domain controller
    31. Identify accounts with Remote Access Server dial-in enabled
    32. Check for dormant computer accounts
    33. Identify accounts that will never expire
    34. Assess the auto-run capabilities for USB and jump drives
    35. Identify Group Policy that applies to each Organizational Unit
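Three of the tests above, run over a handful of security-log records, as an added example of what such a test looks like when written down; this is editor-written illustration code, not part of the SymSure product or the deck. Test 12 (multiple forced lockouts in a short period) needs a sliding window per user, test 25 (log cleared) is a single event ID, and test 15 is shown only for its expired-password half. The flat record schema and the sample events are constructed; the event IDs and the sub-status value are the Windows Vista/2008 and later Security log values (4740, 1102, 4625, 0xC0000071), which is an assumption about the log format the page does not state (the deck predates no particular version).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events with a simplified schema (an assumption, not SymSure's
# extract format). Event IDs follow the Windows Vista/2008+ Security log:
#   4740 = account locked out, 1102 = audit log cleared, 4625 = logon failure,
# and 0xC0000071 is the 4625 sub-status for an expired password.
# The records are deliberately out of time order.
SAMPLE_EVENTS = [
    {"time": datetime(2010, 2, 8, 8, 4), "event_id": 4740, "computer": "DC01",
     "target_user": "jsmith", "subject_user": "-"},
    {"time": datetime(2010, 2, 8, 8, 0), "event_id": 4740, "computer": "DC01",
     "target_user": "jsmith", "subject_user": "-"},
    {"time": datetime(2010, 2, 8, 8, 9), "event_id": 4740, "computer": "DC01",
     "target_user": "jsmith", "subject_user": "-"},
    {"time": datetime(2010, 2, 8, 8, 30), "event_id": 4740, "computer": "DC01",
     "target_user": "bob", "subject_user": "-"},
    {"time": datetime(2010, 2, 8, 12, 15), "event_id": 1102, "computer": "FS01",
     "target_user": "-", "subject_user": "CORP\\svc_backup"},
    {"time": datetime(2010, 2, 8, 7, 55), "event_id": 4625, "computer": "WS17",
     "target_user": "mlee", "subject_user": "-", "status": "0xC0000071"},
    {"time": datetime(2010, 2, 8, 7, 56), "event_id": 4625, "computer": "WS17",
     "target_user": "kwu", "subject_user": "-", "status": "0xC000006A"},
]

def detect_repeated_lockouts(events, window=timedelta(minutes=15), threshold=3):
    """Test 12: users locked out `threshold` or more times within any `window`.
    Keeps a per-user deque of lockout times over the time-sorted events and
    drops entries older than the window; returns {user: highest count seen}."""
    recent = defaultdict(deque)
    hits = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] != 4740:
            continue
        q = recent[e["target_user"]]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            hits[e["target_user"]] = max(hits.get(e["target_user"], 0), len(q))
    return hits

def detect_log_cleared(events):
    """Test 25: the audit log was cleared; report when, where and by whom."""
    return [(e["time"], e["computer"], e["subject_user"])
            for e in events if e["event_id"] == 1102]

def detect_expired_password_logons(events):
    """Test 15 (first half): logon failures whose sub-status is 'password expired'."""
    return [(e["time"], e["target_user"], e["computer"])
            for e in events
            if e["event_id"] == 4625 and e.get("status") == "0xC0000071"]

if __name__ == "__main__":
    print("Repeated lockouts:", detect_repeated_lockouts(SAMPLE_EVENTS))
    print("Log cleared:", detect_log_cleared(SAMPLE_EVENTS))
    print("Expired-password logons:", detect_expired_password_logons(SAMPLE_EVENTS))
```

The window and threshold of test 12 are the tunable part: the same three lockouts are a finding at 15 minutes and nothing at 5 minutes, so the values have to be chosen against the domain's lockout policy rather than copied from an example. Test 25 has no threshold at all; a single 1102 is worth a ticket, and the subject field tells the reviewer which account did it.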

    14/15

    SymSure Summary Framework Solution

    Supports all enterprise users regardless of technical capability

    Supports any business process on any system or data store: leverage existing scripts, reports and information stores; implement the SymSure Windows Logging Solution or create your own processes

    Effective and immediate workflow creation, including issue escalation and notification via email, SMS or desktop pop-up

    Division of labour: send issues and alerts to the people that need to see them

    Monitor the review process from anywhere

    Do more with less and optimize the process & revenue: eliminate manual reviews; know exactly where to spend resources; allow the business to monitor themselves and still maintain compliance
