Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Best Way to Track Non-Asset Logins on a Network

Posted on 2014-07-30
3
486 Views
Last Modified: 2014-08-18
Hello Experts!  Hoping I can get a little input for my question.   We use ESM as our SIEM, and I'd like to utilize a report or dashboard from ESM to help better track those logging into our network with non-company asset machines.   Here's a quick scenario of what we'd like to capture or other behavior similar:

Let's say Juan gets into the building after hours.  He plugs in his personal laptop to network drop, and using Jane Doe's password that he obtained by shoulder surfing her earlier, logs in as her.  What would be the best way to track this kind of behavior as well as any non-company asset machine log-ins within an ESM report or a dashboard.  

Any help with this is GREATLY APPRECIATED!
0
Comment
Question by:itsmevic
  • 2
3 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40231487
Couple of resources (by the way, I am not trying to do as selling here but anomalous activities are something any SIEMS should have as baseline and just that ESM itself package it as it is hence I suggest you check that out ... of course there can be other more and lean towards data analytics and machine learning to sieve out the "innocent" activities which is actually not legit).

e.g.  ArcSight Insider Threat Package (or sometimes they termed it as 'ArcSight ThreatDetector') - Addressing Insider Threats with ESM (it has many more example of such insider or similar)
(more descriptive)
http://viewer.media.bitpipe.com/1120682139_877/1297107228_284/Addressing_Insider_Threats_With_ESM.pdf
(brief summary glance)
http://h20195.www2.hp.com/V2/GetPDF.aspx%2F4AA4-3193ENW.pdf

ArcSight can consider operational time – the ability to use a time baseline of network and system usage. For example, the finance team rarely accesses the financial database before 5am or after 8pm, or perhaps outbound email activity is relatively slow during non-business hours. All of these parameters can lead to a powerful correlation capability that renders prioritized events. Based on these prioritized events, automated actions can be taken in the form of generating alerts, firewall rule changes, router ACL changes, creating a case or launching software..

 ArcSight Pattern Discovery product, ArcSight ESM has native anomaly detection that provides the reciprocal of pattern discovery. It will detect statistical anomalies, one-offs and events that don’t appear to be part of normal traffic patterns....

Active lists are extremely valuable for larger organizations because they help track suspicious network activity, such as somebody attacking or scanning the network, devices that have been compromised, users that appear to be malicious, target ports prone to attack or any other parameter of a packet.

Active lists can be built to represent any group the organization finds significant. For example, if a network is experiencing a horizontal port scan, it is likely that it will not be a high priority event. In fact, many organizations regularly experience such high volumes of scanning activity so that when the port scans stop, it is cause for alarm because perhaps the network is experiencing difficulty.

In summary, it can be via using the package for early detection of insider activity based on early warning indicators of suspicious behavior, such as:
- Stale or terminated accounts
- Excessive file printing, unusual printing times and  keywords printed
- Traffic to suspicious destinations
- Unauthorized peripheral device access
- Bypassing security controls
- Attempts to alter or delete system logs
- Installation of malicious software

Best is tracked the super admin or privileged user activities with privileged identity audit log (most commonly from those identity provider and provider such as cyberark, xceedium etc). SIEMS is as intelligent as it can get with the data and w/o the data (or log) it is tougher to derive true positive reliably or statistically.
0
 

Author Comment

by:itsmevic
ID: 40238257
Reviewing.
0
 

Author Closing Comment

by:itsmevic
ID: 40269036
Thank you.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
PCI scan - CIFS NULL Session Permitted 10 154
Change administrator password on server 13 93
Windows Restrict installation 11 38
SAP HANA vulnerability threat report. 2 25
Both MMF (multi-mode fiber) and SMF (single-mode fiber) are types of optical fiber that can aid in communication applications. These thin strands of silica or glass will allow communication to occur between devices. The transmission of light between…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question