I have yet to meet a CISO, IT Security Analyst, Security Consultant or equivalent who disputes the importance of ensuring active monitoring of logs is enabled—especially when accessing systems with valuable or sensitive information. After all, if a system or application is compromised, a proper audit trail could be the key differentiator in pinpointing evidence of a breach. So why is it that many organizations still lack proper monitoring for applications and desktops?
Let’s be real for a second. Monitoring is a loose term. I am entirely convinced that if you are reading this you have some sort of audit trail enabled in your organization, whether that be for system activities, processes, services, antivirus/anti-malware checks, you name it. There are hundreds of thousands of events that can be logged; typically, the ones treated as important are those pesky red alerts. These types of events are great first steps toward a successful audit trail, but it’s the simple everyday occurrences that often get overlooked.
Take, for example, a stolen user account. Even worse, a user account with elevated privileges is compromised. The first step you would probably take is to mitigate the situation by disabling that user account and resolving any potential damage. Then you would identify how and when that account was compromised and what the total impact was to your organization. But how do you do that? The answer is probably smacking you in the face: check your audit logs.
Which server events should be monitored?
As a security specialist, I have spoken with many IT professionals across multiple verticals, and I’m often asked, “What events should I be logging?” Here are a few that I recommend:
- User IDs
- Machine name / workstation identity
- Successful and failed logon attempts
- Date and time of log on and log off to systems
- Files and networks accessed
- Credential(s) used to access systems
However, I always tell my customers that event log files are a great source of useful information, but only if you actually use them. That makes it imperative to have a logging system that can filter, export and view the records as reports. Better still, go a step further and use a log analyzer to automate the analysis, discover events of interest and send notifications when any abnormalities are found.
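As an added example (not from the original post, and not Crossmatch or DigitalPersona code), here is a small Python log analyzer of the kind the paragraph describes, run over constructed logon events that carry the fields listed above: timestamp, event type, user ID and workstation. The pipe-separated log format, the per-user workstation baseline and the failure threshold are assumptions; it flags a success that follows a burst of failures and a logon from a workstation not in the user's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp|event|user|workstation
SAMPLE_LOG = """\
2023-03-01T08:58:10|logon_failure|jdoe|WS-FINANCE-07
2023-03-01T08:58:14|logon_failure|jdoe|WS-FINANCE-07
2023-03-01T08:58:19|logon_failure|jdoe|WS-FINANCE-07
2023-03-01T08:58:23|logon_failure|jdoe|WS-FINANCE-07
2023-03-01T08:58:30|logon_success|jdoe|WS-FINANCE-07
2023-03-01T09:02:00|logon_success|asmith|WS-HR-02
2023-03-01T23:41:05|logon_success|asmith|SRV-BUILD-01
2023-03-01T23:45:00|logoff|asmith|SRV-BUILD-01
"""

# Assumed baseline: the workstations each user normally logs on from.
BASELINE = {"jdoe": {"WS-FINANCE-07"}, "asmith": {"WS-HR-02"}}

FAIL_THRESHOLD = 3          # failures before a following success is flagged
WINDOW = timedelta(minutes=5)  # how far back failures count toward the threshold

def parse(text):
    """Turn the raw log text into (timestamp, event, user, workstation) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, host = line.split("|")
        events.append((datetime.fromisoformat(ts), event, user, host))
    return events

def find_anomalies(events, baseline, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (alert_type, user, workstation, timestamp) tuples for review."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failures
    for ts, event, user, host in sorted(events):
        if event == "logon_failure":
            recent_failures[user].append(ts)
        elif event == "logon_success":
            fails = [t for t in recent_failures[user] if ts - t <= window]
            if len(fails) >= fail_threshold:
                alerts.append(("success_after_failures", user, host, ts))
            recent_failures[user] = []  # a success closes the failure run
            if host not in baseline.get(user, set()):
                alerts.append(("unknown_workstation", user, host, ts))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(parse(SAMPLE_LOG), BASELINE):
        print(*alert)
```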
The right server events monitoring solution
The first step is to utilize a solution that offers a higher level of visibility. Our DigitalPersona next-gen authentication software can help your organization monitor who logs into a system, when they log in, what device is used and what information is accessed. Of course, it doesn’t hurt to ensure security mechanisms such as multi-factor authentication are active to prevent a breach in the first place. But that’s an entirely different discussion…
All in all, monitoring and auditing work together to ensure users are only performing the activities they are authorized to perform. In addition, these features play a crucial role in preventing, as well as spotting, tracking and stopping, unwanted or suspicious activities.
Ryan Friess is a Solutions Engineer for Crossmatch DigitalPersona Composite Authentication. In this role, he is responsible for implementing and demonstrating Crossmatch’s DigitalPersona® composite authentication solution. Ryan earned a Computer Engineering and Computer Science degree from Florida Atlantic University. He holds over six Citrix certifications in both networking and virtualization, as well as multiple Microsoft Server 2008 and 2012 certifications. Aside from enjoying being a technical engineer, Ryan enjoys spending his time eating at his favorite sushi spots or taking a walk on the boardwalk in the sunny Florida weather.