CHALLENGES
- Due to change in remote work model, employees accessing sensitive data is a big concern and the visibility to monitor the user activity has become essential in this work scenario.
- Improve current security posture where they can monitor remote users, security incidents &
check where the risk is happening by using security use cases. - Providing secure remote access to the employees regardless of their location.
SECURITY THREAT
| Account compromise | Reconnaissance |
|---|---|
| Data exfiltration | DDOS attack |
| Insider Threat | Brute force |
| Command and control | Unauthorized access |
| Privilege escalation | Lateral movement |
| Account compromise |
|---|
| Data exfiltration |
| Insider Threat |
| Command and control |
| Privilege escalation |
| Reconnaissance |
| DDOS attack |
| Brute force |
| Unauthorized access |
| Lateral movement |
SOLUTIONS
- Monitoring and analyzing access and authentication logs of various services using Splunk Enterprise.
- Implementation of specific use cases to detect all the user access and authentication activities.
- The detections are intimated(notified) to the organization’s CSIRT team via alerts and reports.
- 25+ use cases are implemented from 9 different types of data sources.
- Some of the implemented Use cases are:
- Brute force detection
- SQL Injection
- User activity after office hours
- Account lockout detection
- Unusual download activity detection
BENEFITS
- Real-time visibility to the CSIRT team on the user access and authentication activities.
- CSIRT team will continuously monitor the alerts(detections) and perform triaging of the alerts.
- Reduction of manual intervention in detecting the unauthorized activity.
Data Sources: FortiGate network logs, Storage application logs, Authentication server logs, RDS services logs.
Users: CSIRT Team
Product: Splunk Enterprise
