
The most useful examples of notifications about non-standard user behaviour

Many of our clients and prospects have deployed some kind of activity auditing on file servers, SharePoint sites, Exchange and even Active Directory. And it all seems to work: you can open the program, generate reports, view statistics and identify non-standard behaviour patterns. But the devil is in the details: such things have to be checked regularly, on an ongoing basis, not once the data is already in someone else's hands. As practice shows, few do this at all, despite having the technical capability.

But there is a fairly simple way out: automation. Configure everything once, then sit back, drink tea and react only when a suspicious situation arises. What could be better? In this article we will talk about what can, and indeed should, be automated, and which events deserve a notification.

The most trivial case is a deviation from a specific user's average daily activity. Vasily Pupkin worked with an average of 30 files on the server over the past month and then suddenly generated a couple of tens of thousands of events? What is it: a full-text search, an antivirus scan, information being siphoned off ahead of a planned departure, or did someone catch ransomware? You can only find out by analysing the collected logs in detail, but it would not hurt to notify the administrator and the information security team in any case.

However, the number of false positives here can be quite large. Someone came back from vacation and abruptly got back to work? The system may mistakenly treat this as a sharp surge in activity, although the algorithms of most monitoring tools can automatically ignore jumps from a level of zero activity. It is another matter if the person sometimes worked remotely: then the average activity levels for the "vacation" (who really goes on vacation?) and for normal working days will be compared. Or maybe the user decided to clean out their inbox, and there you have it: several thousand events at once against the background of a week with a stable hundred or two. You can reduce the false positive rate by tuning the notification trigger parameters, but you still will not achieve perfection; situations are too varied. So in any case the decision must be made by a person, and the machine should only report a possible threat.
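As an added illustration (not part of the original article), here is a baseline check of the kind described above, in Python: it averages each user's activity over active days only, so zero-activity days from a vacation do not distort the baseline, and flags a day whose count is both far above that average and above an absolute floor. User names and daily counts are constructed.

```python
from collections import defaultdict
from statistics import mean

def baseline(counts, min_days=5):
    """Average of the user's *active* days only, so zero-event days (vacation,
    sick leave) do not drag the baseline down and make the return to work look
    like a surge.  Returns None until enough history has accumulated."""
    active = [c for c in counts if c > 0]
    return mean(active) if len(active) >= min_days else None

def find_spikes(rows, window=30, ratio=10.0, min_events=500):
    """rows: (user, date, event_count) in chronological order per user.
    A day is flagged when its count is both at least `min_events` and more than
    `ratio` times the user's baseline over the previous `window` days.
    Returns [(user, date, count, baseline_avg)] for an analyst to triage."""
    history = defaultdict(list)
    alerts = []
    for user, day, count in rows:
        avg = baseline(history[user][-window:])
        if avg is not None and count >= min_events and count > ratio * avg:
            alerts.append((user, day, count, round(avg, 1)))
        history[user].append(count)   # today becomes part of tomorrow's baseline
    return alerts

# Constructed daily event counts per user (0 = no activity that day).
VPUPKIN = [30, 28, 35, 31, 0, 0, 29, 33, 27, 30, 0, 0, 32, 26, 30, 31,
           0, 0, 0, 0, 0, 29, 31, 4500, 30]   # a week away, then a 4500-event day
IPETROVA = [120, 150, 130, 140, 110, 160, 130, 3000, 140]  # inbox clean-out: likely false positive
SAMPLE = [("vpupkin", "2015-03-%02d" % d, n) for d, n in enumerate(VPUPKIN, 1)] + \
         [("ipetrova", "2015-03-%02d" % d, n) for d, n in enumerate(IPETROVA, 1)]
```

Both flagged days land with the analyst: the 4500-event day deserves a look at the logs, while the inbox clean-out is the kind of surge the text warns cannot be tuned away entirely.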
From file resource monitoring it is also useful to have a notification on mass file deletion, say, more than 100 files in 1 minute. But in fact one notification here will not be enough: it is better to immediately configure a script that disables the user account or revokes its access rights to the shared folder. This can be done if the monitoring program supports calling PowerShell when a given event triggers. When a service account regularly deletes files en masse for technical reasons, it can simply be excluded from the list of objects for which the notification fires. It would also be wise to add administrators to the same list in advance, for obvious reasons :) Note that the idea may fail miserably if the system does not distinguish a file move event and interprets it as a set of open events, creation of a new file and deletion of the old one. Someone accidentally dragged a folder into a subfolder with the mouse? Well, sorry...
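An added example, not from the original article, of the mass-deletion rule as a sliding one-minute window over audit lines, with the service-account/administrator exclusion list and the move-detection caveat from the paragraph above handled explicitly. Account names, paths and the audit lines are constructed; the response script itself is left to the monitoring tool.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath

EXCLUDED = {"svc_backup", "admin_ivanov"}      # service accounts and admins (constructed)
THRESHOLD, WINDOW = 100, timedelta(minutes=1)  # "more than 100 files in 1 minute"
MOVE_GRACE = timedelta(seconds=2)              # create then delete this close = a move

def find_mass_deletes(lines):
    """lines: TAB-separated 'timestamp user action path', chronological per user.
    Returns {user: (window_start, trigger_time, deletes_in_window)} for the
    first moment a user exceeds THRESHOLD real deletes within WINDOW."""
    deletes, creates, alerts = defaultdict(deque), defaultdict(dict), {}
    for line in lines:
        ts, user, action, path = line.split("\t")
        ts = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if user in EXCLUDED:
            continue
        name = ntpath.basename(path)           # Windows paths on any host OS
        if action == "create":
            creates[user][name] = ts
        if action != "delete":
            continue
        # a delete right after a create of the same name is a move, not a deletion
        created = creates[user].get(name)
        if created is not None and ts - created <= MOVE_GRACE:
            continue
        q = deletes[user]
        q.append(ts)
        while ts - q[0] > WINDOW:              # drop deletes older than the window
            q.popleft()
        if len(q) > THRESHOLD and user not in alerts:
            # the point at which to run the response script (e.g. Disable-ADAccount)
            alerts[user] = (q[0], ts, len(q))
    return alerts

def sample_log():
    """Constructed audit lines: a real mass delete, a drag-and-drop move, an excluded account."""
    base = datetime(2015, 3, 24, 9, 0, 0)
    row = lambda t, u, a, p: "\t".join([t.strftime("%Y-%m-%d %H:%M:%S"), u, a, p])
    lines = []
    for i in range(120):                       # vpupkin: 120 deletes in 40 s
        lines.append(row(base + timedelta(seconds=i // 3), "vpupkin", "delete", r"\\srv\share\docs\d%d.docx" % i))
    for i in range(150):                       # ipetrova: folder moved, logged as create+delete
        t = base + timedelta(seconds=i // 5)
        lines.append(row(t, "ipetrova", "create", r"\\srv\share\archive\old\f%d.xlsx" % i))
        lines.append(row(t, "ipetrova", "delete", r"\\srv\share\old\f%d.xlsx" % i))
    for i in range(300):                       # svc_backup: excluded by policy
        lines.append(row(base, "svc_backup", "delete", r"\\srv\share\tmp\%d.bak" % i))
    return lines
```

Only the real mass delete fires, and it fires on the 101st delete rather than after the minute has elapsed, which is when an account-disable script is still worth running.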

If your file servers are already classified, you can create much more interesting notification rules: is someone opening (copying) files with personal data en masse? Report to the administrator and information security. Persistently trying to get into a forbidden folder or a folder with financial information? Report to information security and management at the same time. Someone dropped a 1C export with employee salaries on the shared drive? Wait, you have already left, and in the meantime the file has automatically been moved to the quarantine zone.

If everything is clear with file servers, then for resources such as SharePoint, Active Directory or Exchange... you can do everything the same way! Are there people who like to sleep on the job? Have an educational conversation. Someone obtained rights to another person's mailbox and is sending letters on their behalf? Look into the situation, and exclude it from the notification list if the mailbox owner consents. A user account got locked out? Find out about it before the call to the help desk! A new user in the administrators group? Send a letter to information security and management, just in case.

There are many such examples, and everyone will surely find their own, best suited to their company's business objectives. The main thing is to realise that the software's capabilities are often not limited to the scheme "opened the program, did what was needed, forgot about it until the next incident"; they include extensive automation tools with flexible notification settings. This lets you skip periodic routine checks, which you would still have to remember to do, and trust automatic rules that need only a little attention during initial setup. And you will always be aware of all changes in the infrastructure of the monitored resources.

Source: https://habr.com/ru/post/255619/
