ACTIONABLE ALERTS – User Provisioning Systems

Unauthorized User ID Creation Monitoring in Windows/Unix systems

One of the largest Multi-national bank with global presence that manages user provisioning activity for its customers uses Splunk to monitor unauthorized User ID creations.

CHALLENGES

• Manual log Aggregation/Analysis: Tedious process for log aggregation involving multiple teams
• Lack of single security platform that could quickly detect ID creation events, aggregate, correlate, analyse data from multiple systems and sources
• Co-ordination issues – Fraud Investigation Workflow process spread across multiple systems/teams; Increased MTTR (Mean time to resolution)
• Timely Analysis – correlating information across different log types was difficult and sometimes log data was overwritten, limiting investigations.

SOLUTIONS

• ID creation events correlated/mapped against matching sources to validate the authenticity of the request
• Any mapping discrepancy triggers a near real time alert to flag the security monitoring team for further investigation
• Splunk based near real-time ID Creation monitoring dashboards and alerts for Windows/Unix platforms

BENEFITS

• Improved security posture – reduced financial/data losses
• A single unified platform for near real-time log search, analysis, and reporting
• Reduced manual efforts/labor costs
• Quicker Troubleshooting & Response: MTTR reduced from days to minutes; quickly identify & block unauthorized accounts

Monitored Systems/Data Sources: Windows/Unix system logs, User Management System logs (Matching Source), User Provisioning Tool logs (Matching Source)

Users: Information Security Team

Product: Splunk Enterprise