Windows Security Log Monitoring - Feb 2010
8/8/2019 Windows Security Log Monitoring - Feb 2010
Symptai Consulting Limited SymSure Enterprise
SymSure for Windows Log Monitoring
Events can be analysed regardless of source: multiple machines and servers, or log repositories and collection points
Filter and summarize at initial extraction
Event context analysis: evaluate events historically; compare multiple events across machines; correlate application events with security events
Event / issue management: built-in workflow to manage distribution and remediation
Compliance reporting: cumulative database allows for reporting over any period of time
SymSure for Windows Log Monitoring
[Diagram: ERP System (SAP); Legacy Application (Requisitions)]
Windows Log Monitoring: Cross-Process SOD
Sample Scenario: Off-Hours Logins and SAP Access
1. SymSure extracts users who logged in between 6:00pm and 5:00am. The extract is summarized by group (e.g. Procurement Users) and includes the source IP address of each logon.
2. Procurement user Donovan is extracted: he logged into the domain from IP 64.71.35.16 at 10:24pm and logged out at 11:03pm.
3. SymSure searches the SAP user logs for either Donovan or the IP address 64.71.35.16, filtering for a login after 10:24pm and before 11:03pm (i.e. inside Donovan's domain session).
4. Donovan is not found. However, DHarry logged into SAP from IP 64.71.35.16 at 10:29pm and logged off at 10:50pm. DHarry is not in Procurement but is a GL Adjuster.
Why did Donovan log in as a GL Adjuster?
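The scenario above worked in code, as an added example that is not SymSure code and not from the original slides: the Windows and SAP session records are constructed to reproduce the Donovan/DHarry case, the field names are assumptions standing in for whatever the two extracts actually contain, and the rule flags an off-hours domain session whose source IP also appears on an SAP login by a different user in a different role inside that session window.

```python
"""Cross-process SOD check: off-hours domain logons correlated with SAP
logins by user name or source IP.  Added example, not SymSure code.
All records below are constructed to reproduce the Donovan / DHarry case."""
from datetime import datetime, time

# Constructed Windows logon/logoff sessions (already paired into sessions).
# The field names are assumptions, not a SymSure or Windows export format.
WINDOWS_SESSIONS = [
    {"user": "Donovan", "group": "Procurement", "ip": "64.71.35.16",
     "logon": datetime(2010, 2, 3, 22, 24), "logoff": datetime(2010, 2, 3, 23, 3)},
    {"user": "Alice", "group": "Procurement", "ip": "64.71.35.20",
     "logon": datetime(2010, 2, 3, 9, 5), "logoff": datetime(2010, 2, 3, 17, 30)},
]

# Constructed SAP user-log sessions (same assumption about field names).
SAP_SESSIONS = [
    {"user": "DHarry", "group": "GL Adjuster", "ip": "64.71.35.16",
     "login": datetime(2010, 2, 3, 22, 29), "logoff": datetime(2010, 2, 3, 22, 50)},
    {"user": "DHarry", "group": "GL Adjuster", "ip": "64.71.35.16",
     "login": datetime(2010, 2, 3, 14, 0), "logoff": datetime(2010, 2, 3, 15, 0)},
]

OFF_HOURS_START = time(18, 0)   # 6:00pm
OFF_HOURS_END = time(5, 0)      # 5:00am the next morning


def is_off_hours(ts):
    """True when the logon time falls in the 6:00pm-5:00am window (wraps midnight)."""
    t = ts.time()
    return t >= OFF_HOURS_START or t < OFF_HOURS_END


def off_hours_logons(sessions, group=None):
    """Step 1: extract off-hours domain logons, optionally for a single group."""
    return [s for s in sessions
            if is_off_hours(s["logon"]) and (group is None or s["group"] == group)]


def sap_activity_during(session, sap_sessions):
    """Step 3: SAP logins by the same user OR from the same IP whose login
    time lies inside the domain session (after logon and before logoff)."""
    return [s for s in sap_sessions
            if (s["user"] == session["user"] or s["ip"] == session["ip"])
            and session["logon"] < s["login"] < session["logoff"]]


def cross_process_sod(windows_sessions, sap_sessions, group="Procurement"):
    """Return findings where an off-hours domain session coincides with an SAP
    login from the same IP by a different user holding a different role."""
    findings = []
    for win in off_hours_logons(windows_sessions, group):
        for sap in sap_activity_during(win, sap_sessions):
            if sap["user"] != win["user"] and sap["group"] != win["group"]:
                findings.append({
                    "domain_user": win["user"], "domain_group": win["group"],
                    "sap_user": sap["user"], "sap_group": sap["group"],
                    "ip": win["ip"],
                    "sap_login": sap["login"], "sap_logoff": sap["logoff"],
                })
    return findings


if __name__ == "__main__":
    for f in cross_process_sod(WINDOWS_SESSIONS, SAP_SESSIONS):
        print(f"{f['domain_user']} ({f['domain_group']}) domain session from {f['ip']} "
              f"overlaps SAP login by {f['sap_user']} ({f['sap_group']}) "
              f"{f['sap_login']:%I:%M%p}-{f['sap_logoff']:%I:%M%p}")
```

A shared IP address ties the SAP session to the workstation or NAT address, not to a person: DHCP churn, a shared terminal or a proxy would produce the same match, so the finding is a lead for the review workflow rather than proof that Donovan used DHarry's credentials. Where the SAP log records the terminal or workstation name, matching on that as well as the IP narrows the false positives.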
SymSure Demonstration
Sample Security Log Monitoring Tests
1. Accounts that have never logged in
2. Failed file share access attempts
3. New accounts created
4. Policy creation and amendments to existing policies
5. RADIUS/OS failed authentication through dial-up or VPN access
6. Access of system resources by persons on vacation
7. Access of system resources at unusual times by persons on vacation
8. Identify persons added to specified groups, e.g. Admins, Consultants, Users, etc.
9. Domain Controller added
10. Identify computers added by OUs and not placed in Computers/Laptop groups
11. Identify ex-employees with active accounts
12. Identify users with multiple forced locks in a short period of time
13. Identify logon attempts to restricted workstations
14. Identify logon attempts with an invalid logon type
15. Identify logon attempts with expired passwords and no password change
16. Changes to user accounts
17. Identify group changes (other than deletion, creation, or membership change)
18. Identify attempted logons using expired accounts
19. Logon success using a service account at the console
20. Identify attempts to log on with the default Administrator account
21. Logon failure with the Administrator username but an unknown domain
22. Identify change-password attempts by someone other than the account holder
23. Identify re-enabled accounts
24. Check for write access to GPOs applied to the computer
25. Identify instances where the log was cleared
26.
27. Identify network logons to local computers
28. Identify users with write access to GPOs applied to the computers they access
29. Identify use of privileged rights
30. Identify any modification to the Enterprise Admins group of the forest root domain
31. Identify accounts with Remote Access Server dial-in enabled
32. Check for dormant computer accounts
33. Identify accounts that will never expire
34. Assess the autorun capabilities for USB and jump drives
35. Identify the Group Policy that applies to each Organizational Unit
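A handful of the numbered tests above (3, 12, 14/19, 20/21 and 25) written as rules over Windows Security events, as an added example that is not SymSure code: the event IDs are the Windows Vista/Server 2008 and later IDs (4720 account created, 4740 account locked out, 4624/4625 logon success/failure, 1102 audit log cleared), the event records are constructed, and KNOWN_DOMAINS, SERVICE_ACCOUNTS, the dict layout and the lockout threshold are assumptions standing in for site-specific values.

```python
"""Several of the listed monitoring tests as rules over Windows Security
events.  Added example, not SymSure code.  The records are constructed; the
dict keys follow the EventData field names of the real events (TargetUserName,
TargetDomainName, LogonType, IpAddress, WorkstationName, SubjectUserName)."""
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_DOMAINS = {"CORP"}               # assumption: the monitored domain(s)
SERVICE_ACCOUNTS = {"svc_backup"}      # assumption: accounts that must never log on interactively
INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # console, RemoteInteractive (RDP), cached interactive

# Constructed sample events (Vista/2008+ event IDs)
EVENTS = [
    {"EventID": 4720, "Time": datetime(2010, 2, 3, 2, 10), "SubjectUserName": "jdoe",
     "TargetUserName": "tempadmin", "TargetDomainName": "CORP"},
    {"EventID": 4740, "Time": datetime(2010, 2, 3, 8, 0), "TargetUserName": "bsmith"},
    {"EventID": 4740, "Time": datetime(2010, 2, 3, 8, 7), "TargetUserName": "bsmith"},
    {"EventID": 4740, "Time": datetime(2010, 2, 3, 8, 12), "TargetUserName": "bsmith"},
    {"EventID": 4740, "Time": datetime(2010, 2, 3, 8, 5), "TargetUserName": "cjones"},
    {"EventID": 4625, "Time": datetime(2010, 2, 3, 3, 1), "TargetUserName": "Administrator",
     "TargetDomainName": "WORKGROUP", "IpAddress": "10.0.0.55", "LogonType": 3},
    {"EventID": 4624, "Time": datetime(2010, 2, 3, 22, 0), "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "LogonType": 2, "WorkstationName": "FS01"},
    {"EventID": 4624, "Time": datetime(2010, 2, 3, 22, 1), "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "LogonType": 5, "WorkstationName": "FS01"},
    {"EventID": 1102, "Time": datetime(2010, 2, 3, 23, 59), "SubjectUserName": "jdoe"},
]


def new_accounts(events):
    """Test 3: accounts created (4720), paired with the account that created them."""
    return [(e["TargetUserName"], e["SubjectUserName"])
            for e in events if e["EventID"] == 4720]


def repeated_lockouts(events, threshold=3, window=timedelta(minutes=15)):
    """Test 12: users locked out (4740) at least `threshold` times inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4740:
            by_user[e["TargetUserName"]].append(e["Time"])
    hits = []
    for user, times in by_user.items():
        times.sort()
        # sliding window over the sorted lockout timestamps
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append(user)
                break
    return hits


def default_admin_attempts(events):
    """Tests 20/21: logons (4624) or failures (4625) naming the built-in
    Administrator account; the third field flags a domain not in KNOWN_DOMAINS."""
    out = []
    for e in events:
        if e["EventID"] in (4624, 4625) and e.get("TargetUserName", "").lower() == "administrator":
            out.append((e["EventID"], e.get("IpAddress"),
                        e.get("TargetDomainName") not in KNOWN_DOMAINS))
    return out


def service_account_interactive(events):
    """Tests 14/19: service accounts logging on (4624) with an interactive
    logon type; LogonType 5 (service) is the only one expected for them."""
    return [(e["TargetUserName"], e["LogonType"], e["WorkstationName"])
            for e in events
            if e["EventID"] == 4624 and e["TargetUserName"] in SERVICE_ACCOUNTS
            and e["LogonType"] in INTERACTIVE_LOGON_TYPES]


def log_cleared(events):
    """Test 25: the audit log was cleared (1102), with the account that cleared it."""
    return [(e["Time"], e["SubjectUserName"]) for e in events if e["EventID"] == 1102]


if __name__ == "__main__":
    print("new accounts:", new_accounts(EVENTS))
    print("repeated lockouts:", repeated_lockouts(EVENTS))
    print("Administrator attempts:", default_admin_attempts(EVENTS))
    print("service account interactive logons:", service_account_interactive(EVENTS))
    print("log cleared:", log_cleared(EVENTS))
```

On Windows Server 2003, which the deck's 2010 date makes likely in practice, the same events carry the three-digit IDs (624 account created, 644 lockout, 528/529 logon success/failure, 517 audit log cleared), so map IDs before applying the rules. Event 1102 is written by the Security log itself as it is cleared and is the only surviving record that the earlier entries are gone, which is why test 25 belongs in any collection that is not forwarding events off the host in real time.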
SymSure Summary Framework Solution
Supports all enterprise users regardless of technical capability
Supports any business process on any system or data store: leverage existing scripts, reports and information stores; implement the SymSure Windows Logging Solution or create your own processes
Effective and immediate workflow creation, including issue escalation and notification via email, SMS or desktop pop-up
Division of labour: send issues and alerts to the people that need to see them
Monitor the review process from anywhere
Do more with less and optimize the process and revenue: eliminate manual reviews; know exactly where to spend resources; allow the business to monitor itself and still maintain compliance