The Telecom Service Utility has been facing the challenge of monitoring and analyzing the access and authentication activities of its users while they are working remotely. This problem is due to a change in the work model, where employees accessing sensitive data is a big concern and visibility to monitor the user activity has become essential in this work scenario.
CHALLENGES
- Due to the change in the remote work model, employees accessing sensitive data is a big concern and the visibility to monitor the user activity has become essential in this work scenario.
- Improve current security posture where they can monitor remote users, security incidents &
- check where the risk is happening by using security use cases.
- Providing secure remote access to the employees regardless of their location.
SECURITY THREAT
| Account compromise | Reconnaissance |
| Data exfiltration | DDOS attack |
| Insider Threat | Brute force |
| Command and control | Unauthorized access |
| Privilege escalation | Lateral movement |
SOLUTIONS
- Monitoring and analyzing access and authentication logs of various services using Splunk Enterprise.
- Implementation of specific use cases to detect all the user access and authentication activities.
- The detections are intimated(notified) to the organization’s CSIRT team via alerts and reports.
- 25+ use cases are implemented from 9 different types of data sources.
- Some of the implemented Use cases are:
- Brute force detection
- SQL Injection
- User activity after office hours
- Account lockout detection
- Unusual download activity detection
BENEFITS
- Real-time visibility to the CSIRT team on user access and authentication activities.
- CSIRT team will continuously monitor the alerts(detections) and perform triaging of the alerts.
- Reduction of manual intervention in detecting unauthorized activity.
Data Sources: FortiGate network logs, Storage application logs, Authentication server logs, and RDS services logs.
Users: CSIRT Team
Product: Splunk Enterprise
