CHALLENGES

  • With the shift to a remote work model, employees accessing sensitive data from outside the office is a major concern, and visibility into user activity has become essential.
  • Improve the current security posture so the team can monitor remote users and security incidents, and
    use security use cases to pinpoint where the risk is occurring.
  • Provide secure remote access to employees regardless of their location.

SECURITY THREAT

  • Account compromise
  • Data exfiltration
  • Insider threat
  • Command and control
  • Privilege escalation
  • Reconnaissance
  • DDoS attack
  • Brute force
  • Unauthorized access
  • Lateral movement

SOLUTIONS

  • Monitoring and analyzing access and authentication logs of various services using Splunk Enterprise.
  • Implementation of specific use cases to detect user access and authentication activity.
  • Detections are notified to the organization’s CSIRT team via alerts and reports.
  • 25+ use cases implemented across 9 different types of data sources.
  • Some of the implemented use cases are:
    1. Brute force detection
    2. SQL Injection
    3. User activity after office hours
    4. Account lockout detection
    5. Unusual download activity detection
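
Brute force detection, the first use case listed above, as an added Python example of the detection logic (not the organization's own Splunk search or any code from this page). It assumes a constructed authentication-server log format with `user`, `src` and `action` fields, raises an alert once a source exceeds a failure threshold for one account inside a sliding time window, and escalates the alert when a success follows the burst, which is the pattern a CSIRT analyst would triage first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication-server log lines (not taken from the page).
SAMPLE_LOG = """\
2024-03-04T09:00:01Z user=alice src=10.0.0.5 action=failure
2024-03-04T09:00:03Z user=alice src=10.0.0.5 action=failure
2024-03-04T09:00:05Z user=alice src=10.0.0.5 action=failure
2024-03-04T09:00:07Z user=alice src=10.0.0.5 action=failure
2024-03-04T09:00:09Z user=alice src=10.0.0.5 action=failure
2024-03-04T09:00:12Z user=alice src=10.0.0.5 action=success
2024-03-04T09:30:00Z user=bob src=10.0.0.9 action=failure
2024-03-04T09:31:00Z user=bob src=10.0.0.9 action=success
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) action=(\S+)$")

def parse(log_text):
    """Yield (timestamp, user, src, action) per line; unparsable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_brute_force(log_text, threshold=5, window_seconds=600):
    """One alert per (src, user) burst of >= threshold failures inside a sliding
    window; severity is raised to 'high' if a success follows the burst."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    open_alert = {}                 # (src, user) -> alert whose burst is still live
    alerts = []
    for ts, user, src, action in parse(log_text):
        key, q = (src, user), failures[(src, user)]
        while q and ts - q[0] > window:    # slide: forget failures older than window
            q.popleft()
        if not q:
            open_alert.pop(key, None)      # burst expired; the next one is a new alert
        if action == "failure":
            q.append(ts)
            if key in open_alert:
                open_alert[key]["failures"] = len(q)
            elif len(q) >= threshold:
                alert = {"src": src, "user": user, "failures": len(q),
                         "severity": "medium", "first_seen": q[0].isoformat()}
                open_alert[key] = alert
                alerts.append(alert)
        elif action == "success" and key in open_alert:
            open_alert.pop(key).update(severity="high", success_at=ts.isoformat())
    return alerts
```

The sliding window deliberately differs from fixed time buckets: a burst that straddles a bucket boundary is still counted as one burst, which is the kind of gap a bucketed search can miss.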

BENEFITS

  • Real-time visibility to the CSIRT team on the user access and authentication activities.
  • The CSIRT team continuously monitors the alerts (detections) and performs triage of the alerts.
  • Reduction of manual intervention in detecting unauthorized activity.

Data Sources: FortiGate network logs, Storage application logs, Authentication server logs, RDS services logs.

Users: CSIRT Team

Product: Splunk Enterprise