Checking for unusual activity in log and event management data can help admins spot the changes that can compromise network security.
When the Federal Information Security Management Act was passed in 2002, federal agencies received a wake-up call to tighten the reins on information security. Driven by FISMA’s compliance framework that set forth unwavering standards for federal data security, agencies began to adopt new ways to check what was happening on their networks. Log and event managers (LEMs) became a crucial part of that monitoring process.
Now, like coffee in the commissary, LEMs are a staple in agencies, doing their jobs and keeping things up and running. Administrators use them to collect information on network activity, store the data and look for patterns.
In fact, this last point – the constant monitoring of patterns – is key to the life of an administrator. That’s because recognizing patterns is critical to being able to detect threats on the network. Anything that breaks a pattern can be a precursor to suspicious behavior.
Consider an unauthorized user trying to access the network or unexpected changes being made to a system’s configuration. Consider new devices – once foreign to the system – pinging the network or strange database transactions that have never been seen before. These are all breaks in the normal pattern and signposts for potential trouble ahead.
Without network monitoring technology – and knowing where to focus it – it’s often tough to pick up these clues in the thicket of information that administrators deal with on a daily basis. LEMs can help. They are very good at being able to automatically catch and alert administrators to potential network red flags. They are ideal for reporting on potential security, compliance and operations issues. With LEMs, all of it can be done in real time, allowing the administrator to immediately take action on potential threats across the board.
Still, administrators should know what to look out for as they comb through log and event data. They need to be aware of signs that signify a disruption in normal network patterns. Honing in on the following five types of events will go a long way toward helping administrators maintain the security of these networks.
1. User access abnormalities. Administrators must not only look out for unauthorized users accessing the system, but attempts to access it at odd hours,, which could be a sign of trouble.
2. Configuration changes. Hackers sometimes make configuration changes to try and make the network more adaptable to their plans. As a result, changes could signify that someone has tampered with the network – or they could simply be the result of an authorized administrator making adjustments to help the network and its users operate more efficiently. Regardless, it’s better to be cautious and take a close look at any configuration changes the event manager may warn about.
3. Patterns matching threat indicators. Administrators should go the extra mile and compare data in their logs to external sources, such as known blacklists. Simultaneously, they should be aware of specific types of activity that could indicate threats. These can include excessive numbers of failed login attempts or remote logins from unusual locations. They should also be on the lookout for the heightened use of removable storage devices, such as USB flash drives. Hackers sometimes use these devices to store viruses. And workers, with no malicious intent, may use them to take sensitive information beyond the walls of the federal agency, potentially making sensitive information more available to unauthorized users.
4. New device and user combinations. It’s not enough to keep tabs on new devices hitting the network. Even beyond that, administrators will want to link devices directly to users, ensuring that no one who is not authorized to use a device – someone else’s iPad, for example – is doing so.
5. Strange database activities. Federal agencies live on data. As such, databases are components to closely monitor. Any activity that breaks everyday patterns, such as unusual database transactions or rapid, unexpected growth in a database’s size, should be flagged and investigated.
LEMs can help agencies better manage and monitor each of these events. But it helps if administrators also know where to focus their efforts. Doing so can help identify breaks in the pattern and prevent security breakdowns.