Tip

Use SIEM technology to identify unauthorized access attempts

Many organizations have information systems with password authentication exposed to the Internet. Recent research indicates that default credential abuse, guessed passwords and brute-force attacks remain some of the most common methods for compromising organizational networks. Security information and event management (SIEM) technology can help organizations prevent costly data theft due to guessed passwords or misused credentials. Every organization, and especially those with Internet-facing IT assets that support password authentication (such as VPN devices, Web servers,

    Requires Free Membership to View

SSH and other remote access technologies) should leverage their SIEM to help prevent unauthorized access.

A successful login should never, ever be equated with "authorized access" in this day and age of stolen passwords.

Automatic login tracking can help reveal malicious activities from insiders and outsiders. SIEM is uniquely suited to automate this massive task. SIEM technology can aggregate and analyze successful and failed logging records from multiple systems to determine when attackers take over account credentials.

The data SIEM needs to monitor unauthorized access attempts is relatively straightforward. Logs from all platforms that include authentication records need to be collected. It is important to collect both successful and failed login records from all systems, devices and applications. Failed logins indicate that security systems are doing their job, and of course the successful logins reveal that somebody now has access to your systems. A successful login should never, ever be equated with "authorized access" in this day and age of stolen passwords and fast CPUs to crack the encrypted password files.

Correlation and alerting

A SIEM correlation rule can be used to automate parts of the system login and authentication monitoring process. Here are examples of correlation rules that will enable effective access monitoring:

  • Single system attack when the attacker tries all credentials on one system
  • A string of several login failures immediately followed by a success
  • Authentication sweep attack (trying the same credential on all systems)
  • Successful login at unusual times (for the user or for the system)
  • Successful login from unusual locations (for the user or for the system)

Views and reports

Common reports and dashboard views useful for this use case include the following:

  • Top systems with login failures
  • Login failure/success ratio trend
  • Login failure trend
  • Users that failed to login across multiple systems

Note that reports do not replace alerting, whether based on rules or baselines. In many cases, the malicious activity is discovered when a human reviews the report and notices something new, unusual or suspicious. The frequency of report review varies from daily (which is ideal -- and also prescribed by some external mandates, such as PCI DSS) to weekly or even monthly. As long as your organization is satisfied with the "detection gap" (i.e., time between the incident and it being noticed during report review), the frequency is acceptable.

SIEM technology can collect data automatically and issue alerts when attackers guess the passwords. However, the organization must ensure the SIEM supports effective incident-response processes and procedures (which, by the way, implies that they should actually exist!), through both alerting for manual analysis and remediation and in some cases automated response, such as through integration with a DLP or other firewall or data exfiltration product. A robust understanding of normal log baselines and typical activities -- which requires not just SIEM technology but also a skilled SIEM operator -- will be extremely helpful as well. In addition to deploying SIEM technology, collecting logs, running reports and using correlation to trigger alerts, operational procedures need to be in place to have an effective server access monitoring process. For example, what happens when systems administrator notices that the user logs in from two places at once. Does the admin have the power to terminate sessions, disable accounts, communicate with the user's manager and take other actions? Operational procedures make these actions repeatable, fast and effective, and also enable ongoing tracking and improvement.

About the author:
Anton Chuvakin, Ph.D., is a research director at Gartner in the Gartner for Technical Professionals' security and risk management strategies group. He is an author of the books Security Warrior, Log Management and PCI Compliance. Follow him on Twitter @anton_chuvakin.

This was first published in October 2013

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.