CHALLENGES
- Due to the change in the remote work model, employees accessing sensitive data is a major concern, and visibility to monitor user activity has become essential in this work scenario.
- Improve the current security posture so that the team can monitor remote users and security incidents and check where risk is occurring, using security use cases.
- Providing secure remote access to employees regardless of their location.
SECURITY THREAT
- Account compromise
- Reconnaissance
- Data exfiltration
- DDoS attack
- Insider threat
- Brute force
- Command and control
- Unauthorized access
- Privilege escalation
- Lateral movement
SOLUTIONS
- Monitoring and analyzing access and authentication logs of various services using Splunk Enterprise.
- Implementation of specific use cases to detect all the user access and authentication activities.
- Detections are notified to the organization's CSIRT team via alerts and reports.
- 25+ use cases are implemented from 9 different types of data sources.
- Some of the implemented use cases are:
  - Brute force detection
  - SQL injection
  - User activity after office hours
  - Account lockout detection
  - Unusual download activity detection
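As an added illustration (not the Splunk searches from this case study), the logic behind three of these use cases in Python, run over constructed authentication log lines; the log format, the five-failures-in-two-minutes threshold and the 08:00 to 18:00 office window are assumptions:

```python
"""Brute force, account lockout and after-hours login detection over
constructed authentication log lines. Added example; the log format and
the thresholds below are assumptions, not the case study's own rules."""
from collections import defaultdict
from datetime import datetime, time, timedelta
import re

# Assumed log format (constructed): "<ISO time> <outcome> user=<u> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (FAILED|SUCCESS|LOCKOUT) user=(\S+) src=(\S+)$")
BRUTE_THRESHOLD, BRUTE_WINDOW = 5, timedelta(minutes=2)  # assumed tuning
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)       # assumed office hours

def parse(lines):
    """Yield (timestamp, outcome, user, src) tuples, skipping unparseable lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def detect(lines):
    """Return one alert dict per use-case hit, in time order."""
    alerts, failures, fired = [], defaultdict(list), set()
    for ts, outcome, user, src in sorted(parse(lines)):
        if outcome == "FAILED":
            key = (src, user)
            failures[key].append(ts)
            # Sliding window: keep only failures within BRUTE_WINDOW of this one.
            failures[key] = [t for t in failures[key] if ts - t <= BRUTE_WINDOW]
            if len(failures[key]) >= BRUTE_THRESHOLD and key not in fired:
                fired.add(key)  # alert once per (src, user) burst
                alerts.append({"use_case": "brute_force", "user": user,
                               "src": src, "count": len(failures[key])})
        elif outcome == "LOCKOUT":
            alerts.append({"use_case": "account_lockout", "user": user, "src": src})
        elif outcome == "SUCCESS" and not (OFFICE_START <= ts.time() < OFFICE_END):
            alerts.append({"use_case": "after_hours_login", "user": user,
                           "src": src, "time": ts.isoformat()})
    return alerts

# Constructed sample: five failures in 40 s then a success, a lockout, a 23:10 login.
SAMPLE_LOG = [
    f"2024-03-04T10:00:{s:02d} FAILED user=alice src=203.0.113.7" for s in range(0, 50, 10)
] + [
    "2024-03-04T10:01:05 SUCCESS user=alice src=203.0.113.7",
    "2024-03-04T11:30:00 LOCKOUT user=bob src=198.51.100.4",
    "2024-03-04T23:10:00 SUCCESS user=carol src=192.0.2.9",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```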
BENEFITS
- Real-time visibility to the CSIRT team on the user access and authentication activities.
- The CSIRT team continuously monitors the alerts (detections) and triages them.
- Reduction of manual intervention in detecting unauthorized activity.
Data Sources: FortiGate network logs, Storage application logs, Authentication server logs, RDS services logs.
Users: CSIRT Team
Product: Splunk Enterprise