ACTIONABLE ALERTS – User Provisioning Systems
Unauthorized User ID Creation Monitoring in Windows/Unix systems
One of the largest multi-national banks, with a global presence, manages user provisioning activity for its customers and uses Splunk to monitor unauthorized user ID creations.
CHALLENGES
- Manual log aggregation/analysis: a tedious process involving multiple teams
- Lack of a single security platform that could quickly detect ID creation events and aggregate, correlate and analyse data from multiple systems and sources
- Co-ordination issues – fraud investigation workflow spread across multiple systems/teams, increasing MTTR (mean time to resolution)
- Timely analysis – correlating information across different log types was difficult, and log data was sometimes overwritten before it could be examined, limiting investigations
SOLUTIONS
- ID creation events are correlated/mapped against the matching sources (User Management System and User Provisioning Tool logs) to validate that each creation was legitimately requested
- Any mapping discrepancy (an account created with no matching provisioning record) triggers a near real-time alert to the security monitoring team for further investigation
- Splunk-based near real-time ID creation monitoring dashboards and alerts for Windows/Unix platforms
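The correlation described above, written out as an added Python example (not the bank's Splunk searches): Windows "account created" events (event ID 4720) and Unix useradd syslog lines are parsed, then mapped against a provisioning record set; any creation with no matching (host, user) record is the "mapping discrepancy" that would raise the alert. The log formats, host names, user IDs and ticket numbers are constructed for the example.

```python
import re

# Constructed sample logs (not from the page), one event per line.
WINDOWS_LOGS = [
    "2024-03-01T09:12:03Z host=WINAD01 EventCode=4720 TargetUserName=jdoe SubjectUserName=svc_prov",
    "2024-03-01T09:40:17Z host=WINAD01 EventCode=4720 TargetUserName=backup_adm SubjectUserName=tsmith",
    "2024-03-01T10:02:55Z host=WINAD01 EventCode=4724 TargetUserName=jdoe SubjectUserName=svc_prov",
]
UNIX_LOGS = [
    "Mar  1 09:15:44 unixapp02 useradd[4182]: new user: name=aroy, UID=1043, GID=1043, home=/home/aroy, shell=/bin/bash",
    "Mar  1 11:20:09 unixapp02 useradd[5120]: new user: name=tmp_root, UID=0, GID=0, home=/root, shell=/bin/bash",
]
# Constructed matching source: IDs the provisioning tool actually approved, per host.
PROVISIONING_RECORDS = [
    {"ticket": "REQ-1001", "user": "jdoe", "host": "WINAD01"},
    {"ticket": "REQ-1002", "user": "aroy", "host": "unixapp02"},
]

# EventCode 4720 is the Windows "a user account was created" event; 4724 (password reset) is ignored.
WIN_RE = re.compile(r"host=(\S+) EventCode=4720 TargetUserName=(\S+) SubjectUserName=(\S+)")
# syslog prefix "Mon dd hh:mm:ss <host> useradd[pid]: new user: name=<user>,"
UNIX_RE = re.compile(r"^\S+\s+\d+ \S+ (\S+) useradd\[\d+\]: new user: name=(\S+),")

def parse_creation_events(win_lines, unix_lines):
    """Normalise both platforms into {host, user, by, source} creation events."""
    events = []
    for line in win_lines:
        m = WIN_RE.search(line)
        if m:
            events.append({"host": m.group(1), "user": m.group(2), "by": m.group(3), "source": "windows"})
    for line in unix_lines:
        m = UNIX_RE.search(line)
        if m:
            events.append({"host": m.group(1), "user": m.group(2), "by": "useradd", "source": "unix"})
    return events

def find_unauthorized(events, records):
    """Return creation events with no matching provisioning record for (host, user)."""
    approved = {(r["host"].lower(), r["user"].lower()): r["ticket"] for r in records}
    # Each unmatched event is a mapping discrepancy: the alert condition.
    return [ev for ev in events if (ev["host"].lower(), ev["user"].lower()) not in approved]

if __name__ == "__main__":
    for ev in find_unauthorized(parse_creation_events(WINDOWS_LOGS, UNIX_LOGS), PROVISIONING_RECORDS):
        print(f"ALERT unprovisioned account {ev['user']} on {ev['host']} created by {ev['by']} ({ev['source']})")
```

In the Splunk deployment the same logic is a lookup or join of the creation events against the provisioning source, with a scheduled alert on the unmatched rows.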
BENEFITS
- Improved security posture – reduced financial/data losses
- A single unified platform for near real-time log search, analysis, and reporting
- Reduced manual efforts/labor costs
- Quicker troubleshooting & response: MTTR reduced from days to minutes; unauthorized accounts are quickly identified & blocked
Monitored Systems/Data Sources: Windows/Unix system logs, User Management System logs (Matching Source), User Provisioning Tool logs (Matching Source)
Users: Information Security Team
Product: Splunk Enterprise