
Privileged user activity monitoring and auditing
www.eventloganalyzer.com

Introduction

Of all the user accounts in your organization, privileged user accounts have the most bearing on your network security due to their administrative power. Your organization's sensitive data stores, critical servers, and other important network devices are only as secure as the accounts entrusted with their security. Privileged accounts, which usually belong to network administrators, are prime targets for external attackers looking to gain full control over your network resources. But external threats aren't the only problem organizations need to worry about. Administrators may exhibit malicious intent by abusing their privileges, or they may act carelessly with their credentials or systems.

To add to this, multiple compliance policies such as PCI DSS and SOX mandate the thorough auditing of privileged user activity. This makes privileged user activity monitoring not just a preference, but a necessity.

This guide explains the best practices for privileged user monitoring, as well as how EventLog Analyzer can be used to report on all your privileged users' activities and alert you about any suspicious activity.

Privileged user monitoring best practices

1. Perform a regular inventory of critical assets and privileged accounts.
In mid- to large-size networks, it's important to keep track of newly added critical systems and applications along with the privileged accounts associated with them. Track newly created users and permission changes to know which accounts' rights have been elevated. This awareness helps you maintain complete visibility and control over your network so that no privileged activity gets missed.

2. Enforce strong privileged account security practices.
Given that privileged accounts are likely targets for attackers, it helps to enforce tight security protocols around them, like password complexity requirements, unique accounts for each user, clearly defined access policies, and more. You can also track password changes and logon activity to identify any hacking attempts, anomalies in account usage, possible account sharing, and more.

3. Provide only necessary permissions.
Even privileged users can have too many privileges. A user may be given write access to a sensitive folder when they only need to read it, or they may be given access to an entire database when they only need to work with selected records. When critical resources are accessible by several unnecessary users, it only increases the chances of a breach. This is why privileged users must only be provided the rights they require.

4. Maintain a separation of duties between privileged users and those auditing them.
The tools and processes used to monitor your privileged users should not be managed by the privileged users themselves. Your monitoring solution's administrators should be independent of the remaining network administrators. This separation of duties helps ensure that privileged users cannot tamper with their audit trails or reports. Entrust your monitoring and security auditing activities to your security operations center (SOC).

5. Report on all privileged activities.
It isn't necessary to monitor all the actions of regular employees, but it is important to track all privileged user activities. Any action taken by a privileged user, like a logon failure or configuration change, could be an indicator of an ongoing attack, however innocent it may seem. Maintaining detailed reports will prove useful during compliance audits or forensic investigations.
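As an added illustration of practices 2 and 5 (this is example code written for this guide, not EventLog Analyzer's own logic), the following Python script runs three of the checks described above over constructed sshd log lines: a burst of failed logons against a privileged account, a privileged logon outside business hours, and one privileged account used from more than one source address (possible account sharing). The sample log lines, the privileged-account inventory and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log sample in syslog format (not real data).
SAMPLE_LOG = """\
Mar 10 02:14:01 srv1 sshd[1101]: Failed password for root from 203.0.113.7 port 5001 ssh2
Mar 10 02:14:03 srv1 sshd[1102]: Failed password for root from 203.0.113.7 port 5002 ssh2
Mar 10 02:14:05 srv1 sshd[1103]: Failed password for root from 203.0.113.7 port 5003 ssh2
Mar 10 02:14:09 srv1 sshd[1104]: Accepted password for root from 203.0.113.7 port 5004 ssh2
Mar 10 09:30:12 srv1 sshd[1210]: Accepted publickey for admin from 192.0.2.10 port 6001 ssh2
Mar 10 09:31:40 srv1 sshd[1211]: Accepted publickey for admin from 192.0.2.55 port 6002 ssh2
Mar 10 10:05:00 srv1 sshd[1300]: Accepted publickey for alice from 192.0.2.20 port 6100 ssh2
"""

# Assumed inventory of privileged accounts (practice 1 would keep this list current).
PRIVILEGED = {"root", "admin"}

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")

def parse(log, year=2024):
    """Yield (timestamp, result, user, source_ip) for each sshd auth line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def analyse(log, fail_threshold=3, window_s=60, business_hours=(8, 18)):
    """Return (finding, user, source_ip) tuples for privileged accounts only."""
    findings = []
    failures = defaultdict(list)   # (user, ip) -> timestamps of failed logons
    sources = defaultdict(set)     # user -> source IPs with a successful logon
    for ts, result, user, ip in parse(log):
        if user not in PRIVILEGED:
            continue               # regular users are out of scope (practice 5)
        if result == "Failed":
            failures[(user, ip)].append(ts)
            recent = [t for t in failures[(user, ip)] if (ts - t).total_seconds() <= window_s]
            if len(recent) == fail_threshold:   # report once, when the threshold is hit
                findings.append(("failed_logon_burst", user, ip))
        else:
            if not business_hours[0] <= ts.hour < business_hours[1]:
                findings.append(("off_hours_logon", user, ip))
            sources[user].add(ip)
            if len(sources[user]) == 2:         # second distinct source: possible sharing
                findings.append(("multiple_sources", user, ip))
    return findings
```

Running `analyse(SAMPLE_LOG)` flags the failed-logon burst and off-hours logon for root and the second source address for admin, while alice's logon is ignored because she is not in the privileged inventory.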

Auditing privileged user activity with EventLog Analyzer: Important reports

EventLog Analyzer is a comprehensive auditing solution that lets you centrally monitor all your network devices, servers, and applications. The solution helps you constantly monitor your privileged users and provides you with detailed audit trails and reports; it also alerts you in case any suspicious activity is detected.

Some key report types include:

Logon activity monitoring: Auditing logons helps you understand when and how administrators log on to your network, so you can catch anomalies like possible account sharing, hacking attempts, or irregular logon times.
Reports: Unix Logons, Unix Logoffs, Unix Failed Logons, Router Logons, Router Failed Logons, Firewall Logons, Firewall Failed Logons, Session Activity Monitoring Reports

User account changes: Monitoring user account changes helps you stay on top of the various privileged accounts in your network as well as the various changes made to account settings.
Reports: Unix Added User Accounts, Unix Deleted User Accounts, Unix Groups Added, Unix Groups Deleted, Password Changes, Failed Password Changes, Special Groups Assigned to New Logon, Symantec Endpoint Admins Added, Nessus Admin Discovery Report, Nessus Elevated Admin Privilege Failures

System and configuration changes: Tracking important configuration changes made by privileged accounts is essential, as a single change could create a security loophole that allows a hacker to gain access to your network.
Reports: Software Installed, Failed Software Installations Due To Privilege Mismatches, Windows Updates Installed, Registry Changes, Windows Backup and Restore, Firewall Rule Added, Firewall Rule Deleted, Firewall Settings Changes, Router Configuration Changes, Router Commands Executed

Sensitive data access: Auditing privileged activity on critical database and file servers helps you protect sensitive business data from unauthorized access.
Reports: DDL Audit Reports, Privilege Abuses, Admin Authority Changes, Permission Changes, Owner Changes, Database Backup Report, Database Permission Denied, Access Violation, File Permission Changes

Highlights of EventLog Analyzer

Advanced Event Correlation: The advanced correlation engine contains over thirty predefined attack rules, including those for ransomware, brute force, and more. You can correlate logs from multiple log sources and create rules to suit your business environment.

Dynamic Threat Intelligence: The advanced threat intelligence platform comes with a built-in STIX/TAXII feed processor. You can get real-time alerts for suspicious inbound and outbound traffic from malicious domains and callback servers. Additionally, the advanced threat analytics add-on provides deeper insights on the malicious source, including details on the reputation score of the IP, history on when it was flagged as malicious, geolocation of the threat origination, and more.

Built-in incident management console: Track the response and resolution process of incidents by automatically creating tickets from alerts and assigning them to the right administrator based on the device or device group that generated the alert. Keep track of incident tickets with the built-in ticketing option, or raise tickets in external help desk tools (ServiceDesk Plus and ServiceNow). You can also choose from the multiple built-in workflows that automatically respond to incidents, like disabling compromised computers and locking hacked or malicious user accounts.

Comprehensive log management: Collects, analyzes, correlates, searches, and archives log data from over 700 log sources. Includes a custom log parser to analyze any human-readable log format.

In-depth audit reports: Access intuitive reports which can be easily exported or scheduled. These reports include:
Independent privileged user activity reports: Get individual reports for various privileged activities, such as configuration changes, software installations, sensitive data accesses and changes, and more.
Consolidated reports: Get a consolidated view of all privileged user actions in your Windows network in the User Activity Overview report. The graph can also be broken down by user in the User Based Report.
Compliance reports: Generate predefined reports for various compliance policies, including SOX and PCI DSS, which mandate the thorough auditing of privileged user activity.

Security alerts: Receive notification about any anomalous or suspicious activity from privileged users in your network. Get alerts for independent events or multiple events correlated across your network. You can also get threat feed-based alerts and identify communication between privileged users and known malicious entities.

Forensic investigations: Use the advanced search engine to investigate security incidents and discover their root cause. You can save the search results as reports and use them to present any findings.

Privileged user accounts hold a lot of power over your network. With EventLog Analyzer, you can ensure they are used responsibly and are secured against attacks.

EventLog Analyzer is a web-based, real-time log management and IT compliance solution that combats network security attacks. With comprehensive log management capabilities, EventLog Analyzer helps organizations meet their diverse auditing needs. It also offers out-of-the-box compliance reports and alerts that meet stringent IT regulatory mandate requirements with ease.
