Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Use SIEM technology to identify unauthorized access attempts

Analyst Anton Chuvakin explains how to use SIEM technology to identify unauthorized access attempts that can lead to data theft.

Many organizations have information systems with password authentication exposed to the Internet. Recent research...

indicates that default credential abuse, guessed passwords and brute-force attacks remain some of the most common methods for compromising organizational networks. Security information and event management (SIEM) technology can help organizations prevent costly data theft due to guessed passwords or misused credentials. Every organization, and especially those with Internet-facing IT assets that support password authentication (such as VPN devices, Web servers, SSH and other remote access technologies) should leverage their SIEM to help prevent unauthorized access.

A successful login should never, ever be equated with authorized access in this day and age of stolen passwords.

Automatic login tracking can help reveal malicious activities from insiders and outsiders. SIEM is uniquely suited to automate this massive task. SIEM technology can aggregate and analyze successful and failed logging records from multiple systems to determine when attackers take over account credentials.

The data SIEM needs to monitor unauthorized access attempts is relatively straightforward. Logs from all platforms that include authentication records need to be collected. It is important to collect both successful and failed login records from all systems, devices and applications. Failed logins indicate that security systems are doing their job, and of course the successful logins reveal that somebody now has access to your systems. A successful login should never, ever be equated with "authorized access" in this day and age of stolen passwords and fast CPUs to crack the encrypted password files.

Correlation and alerting

A SIEM correlation rule can be used to automate parts of the system login and authentication monitoring process. Here are examples of correlation rules that will enable effective access monitoring:

  • Single system attack when the attacker tries all credentials on one system
  • A string of several login failures immediately followed by a success
  • Authentication sweep attack (trying the same credential on all systems)
  • Successful login at unusual times (for the user or for the system)
  • Successful login from unusual locations (for the user or for the system)

Views and reports

Common reports and dashboard views useful for this use case include the following:

  • Top systems with login failures
  • Login failure/success ratio trend
  • Login failure trend
  • Users that failed to login across multiple systems

Note that reports do not replace alerting, whether based on rules or baselines. In many cases, the malicious activity is discovered when a human reviews the report and notices something new, unusual or suspicious. The frequency of report review varies from daily (which is ideal -- and also prescribed by some external mandates, such as PCI DSS) to weekly or even monthly. As long as your organization is satisfied with the "detection gap" (i.e., time between the incident and it being noticed during report review), the frequency is acceptable.

SIEM technology can collect data automatically and issue alerts when attackers guess the passwords. However, the organization must ensure the SIEM supports effective incident-response processes and procedures (which, by the way, implies that they should actually exist!), through both alerting for manual analysis and remediation and in some cases automated response, such as through integration with a DLP or other firewall or data exfiltration product. A robust understanding of normal log baselines and typical activities -- which requires not just SIEM technology but also a skilled SIEM operator -- will be extremely helpful as well. In addition to deploying SIEM technology, collecting logs, running reports and using correlation to trigger alerts, operational procedures need to be in place to have an effective server access monitoring process. For example, what happens when systems administrator notices that the user logs in from two places at once. Does the admin have the power to terminate sessions, disable accounts, communicate with the user's manager and take other actions? Operational procedures make these actions repeatable, fast and effective, and also enable ongoing tracking and improvement.

About the author:
Anton Chuvakin, Ph.D., is a research director at Gartner in the Gartner for Technical Professionals' security and risk management strategies group. He is an author of the books Security Warrior, Log Management and PCI Compliance. Follow him on Twitter @anton_chuvakin.

This was last published in October 2013

Dig Deeper on SIEM, log management and big data security analytics