
Geek Speak

4 Posts authored by: nicole pauls

I was watching a recent webcast titled “Protecting AD Domain Admins with Logon Restrictions and Windows Security Log” with Randy Franklin Smith, where he talked about (and demonstrated) at length techniques for protecting and keeping an eye on admin credential usage. As he rightfully pointed out, no matter how many policies and compensating controls you put into place, at some point you really are trusting your fellow IT admins to do their job—but not more—with the level of access we grant and entrust to them.

 

However, there’s a huge catch-22—as an IT admin I want to know you trust me to do my job, but I also have a level of access that could really do some damage (like the San Francisco admin who changed critical device passwords before he left). On top of that, the tools that help me and my fellow admins do our jobs can be turned into tools that help attackers access my network, like the jump box in Randy’s example from the webcast.

 

Now that I’ve got you all paranoid about your fellow admins (which is part of my job responsibilities as a security person), let’s talk techniques. The name of the game is: “trust, but verify.”

 

  1. Separation of duties: a classic technique which really sets you up for success down the road. Use dedicated domain admin/root access accounts separate from your normal everyday logon. In addition, use jump boxes and portals rather than flat out providing remote access to sensitive resources.
  2. Change management: our recent survey of federal IT admins showed that the more senior you are, the more you crave change management. Use maintenance windows, create and enforce change approval processes, and leave a “paper” trail of what’s changing.
  3. Monitor, monitor, monitor: here’s your opportunity to “verify.” You’ve got event and system logs, use them! Watch for potential misuse of your separation of duties (accidental OR malicious), unexpected access to your privileged accounts, maintenance outside of expected windows, and changes performed that don’t follow procedure.
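The three techniques above combine naturally into one “verify” check: if domain admin accounts are dedicated (separation of duties) and maintenance happens in a known window (change management), then a successful-logon event for an admin account on a non-jump-box host, or outside that window, is exactly what the logs should be watched for. The Python below is an added example written for this post, not code from the webcast or from Log & Event Manager. The account prefix, jump box names, maintenance window and the 4624-shaped sample records are all constructed assumptions for illustration.

```python
from datetime import datetime, time

# Policy assumptions for this example (constructed, not from the original post):
# dedicated domain-admin accounts carry a "DA-" prefix, interactive admin work is
# only allowed from the jump boxes, and admin logons are expected only inside the
# nightly maintenance window.
ADMIN_PREFIX = "DA-"
JUMP_BOXES = {"JUMP01", "JUMP02"}
INTERACTIVE_LOGON_TYPES = {2, 10, 11}       # console, RDP, cached interactive
MAINTENANCE_WINDOW = ("01:00", "05:00")     # local time, start inclusive, end exclusive

# Constructed sample records shaped like Windows event ID 4624 (successful logon).
SAMPLE_LOGONS = [
    {"time": "2013-05-06T02:15:00", "account": "DA-nicole", "host": "JUMP01", "logon_type": 10},
    {"time": "2013-05-06T14:03:00", "account": "DA-nicole", "host": "WKSTN-22", "logon_type": 2},
    {"time": "2013-05-06T15:20:00", "account": "nicole", "host": "WKSTN-22", "logon_type": 2},
    {"time": "2013-05-06T03:00:00", "account": "DA-bob", "host": "FILESRV01", "logon_type": 10},
    {"time": "2013-05-06T23:30:00", "account": "DA-bob", "host": "JUMP02", "logon_type": 10},
]


def in_window(clock: str, start: str, end: str) -> bool:
    """True if HH:MM clock time falls inside [start, end); handles windows that wrap midnight."""
    t, s, e = (time.fromisoformat(x) for x in (clock, start, end))
    if s <= e:
        return s <= t < e
    return t >= s or t < e


def check_admin_logons(events, admin_prefix=ADMIN_PREFIX, jump_boxes=JUMP_BOXES,
                       window=MAINTENANCE_WINDOW):
    """Return (account, host, time, reason) findings for admin-account logons that break
    the separation-of-duties rule or happen outside the maintenance window."""
    findings = []
    for ev in events:
        if not ev["account"].startswith(admin_prefix):
            continue  # everyday (non-admin) accounts are out of scope for this check
        clock = datetime.fromisoformat(ev["time"]).strftime("%H:%M")
        if ev["logon_type"] in INTERACTIVE_LOGON_TYPES and ev["host"] not in jump_boxes:
            findings.append((ev["account"], ev["host"], ev["time"],
                             "interactive admin logon outside jump box"))
        if not in_window(clock, *window):
            findings.append((ev["account"], ev["host"], ev["time"],
                             "admin logon outside maintenance window"))
    return findings


if __name__ == "__main__":
    for finding in check_admin_logons(SAMPLE_LOGONS):
        print(finding)
```

On the sample data the daytime admin logon to a workstation trips both rules, the in-window logon to a file server trips only the jump-box rule, and the late-night logon to a jump box trips only the window rule; the one logon that is both on a jump box and in the window produces nothing. In a real deployment the event source would be the domain controllers’ security logs and the window and host lists would come from your change calendar and asset inventory.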

 

The age-old battle of security vs. ease-of-use rages on, but in the real world it’s crucial to find a middle ground that helps us get our jobs done while still respecting the risks at hand.

 

How do you handle the challenge of dealing with admin privileges in your environment?

 

Recommended Resources

 

REVIEW – UltimateWindowsSecurity Review of Log & Event Manager by Randy Franklin Smith

 

VIDEO – Actively Defending Your Network with SolarWinds Log & Event Manager

 

RECOMMENDED DOWNLOAD – Log & Event Manager

Recently, the Security Team here at SolarWinds conducted a survey to gather information about the security risks you felt would be most detrimental to your network. While it was clear that the external threat will always be a risk, there was much more confidence in perimeter defense systems, policies, and procedures. On the flip side, there was also a significant increase in the belief that the INTERNAL threat is a much higher risk.


The following infographic provides several simple tips that can help reduce the risk of insider abuse. Below you will also find some additional best practices that you can use to create a more secure user environment.


1. CREATE STRONG PASSWORDS/PRACTICE PASSWORD HYGIENE

  • Configure and enforce the use of strong passwords. While your users/customers may become grumpy, your leadership and compliance auditors will breathe a sigh of relief.
  • Educate your users on the importance of passwords to create buy-in. One of the most effective ways to drive a point home is to show them how easy it is to crack simple passwords: get permission from management and run a live attack on sample passwords. The “shock and awe” factor can be a pretty effective method.
  • Use SIEM or Log Management tools to monitor and alert on odd password sets/resets, such as strange times of day or too many accounts being changed at once. This can be an early indicator of both brute force and low and slow attacks.

 

2. KEEP YOUR INBOX SAFE

  • User education is also extremely important when it comes to email. Providing real-life examples of phishing emails is a good way to help your user base gain a simple understanding of how emails can be used to gather information. Most importantly, encourage them to ask questions! The old adage “If it’s too good to be true...it probably is” is a good mantra to remember when preaching email security.
  • Email content scanners are essential for scanning attachments and emails for embedded code, while SIEM and Log Management tools can also be used to monitor logs for suspicious authentication events. Look for someone logging on to another user’s inbox, “send as” events against critical inboxes, port 25 traffic that does NOT source from your email server(s), or an abnormal amount of traffic that is in fact coming from your internal email server(s).
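The last two items in that list, port 25 traffic from hosts that are not your mail servers and an abnormal volume of SMTP from the mail servers themselves, can both be pulled out of a firewall or flow log with a few lines of code. The Python below is an added example written for this post, not code from Log & Event Manager. The key=value log format, the mail server address, the internal address range and the volume threshold are constructed assumptions; internal-to-internal port 25 (a workstation submitting mail to your own server) is treated as expected and skipped.

```python
import ipaddress

# Assumptions for this example (constructed, not from the original post).
MAIL_SERVERS = {ipaddress.ip_address("10.0.1.5")}       # hosts allowed to send SMTP out
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # our address space
VOLUME_THRESHOLD = 3   # outbound SMTP connections per mail server, per log batch, before we flag

# Constructed firewall log lines in a key=value style; not real traffic.
SAMPLE_FW_LOG = """\
2013-05-06T10:00:01 src=10.0.1.5 dst=203.0.113.10 proto=tcp dport=25 action=allow
2013-05-06T10:00:05 src=10.0.1.5 dst=198.51.100.7 proto=tcp dport=25 action=allow
2013-05-06T10:01:12 src=10.0.5.23 dst=10.0.1.5 proto=tcp dport=25 action=allow
2013-05-06T10:02:40 src=10.0.5.23 dst=203.0.113.44 proto=tcp dport=25 action=allow
2013-05-06T10:03:00 src=10.0.5.23 dst=203.0.113.45 proto=tcp dport=443 action=allow
2013-05-06T10:04:00 src=10.0.1.5 dst=203.0.113.50 proto=tcp dport=25 action=allow
2013-05-06T10:04:30 src=10.0.1.5 dst=203.0.113.51 proto=tcp dport=25 action=allow
"""


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a record with typed address and port fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "time": ts,
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "proto": fields["proto"],
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def smtp_findings(log_text: str, mail_servers=MAIL_SERVERS, volume_threshold=VOLUME_THRESHOLD):
    """Return (time, src, dst, reason) findings for outbound SMTP that should not be there
    and for mail servers sending an unusually large number of outbound SMTP connections."""
    findings = []
    outbound_by_src = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dport"] != 25:
            continue                      # only SMTP is of interest here
        if is_internal(rec["dst"]):
            continue                      # submission to our own mail server is expected
        if rec["src"] not in mail_servers:
            findings.append((rec["time"], str(rec["src"]), str(rec["dst"]),
                             "outbound SMTP from non-mail-server host"))
        outbound_by_src[rec["src"]] = outbound_by_src.get(rec["src"], 0) + 1
    for src, count in outbound_by_src.items():
        if src in mail_servers and count > volume_threshold:
            findings.append(("-", str(src), "*",
                             f"{count} outbound SMTP connections from mail server exceeds {volume_threshold}"))
    return findings


if __name__ == "__main__":
    for finding in smtp_findings(SAMPLE_FW_LOG):
        print(finding)
```

On the sample log the workstation’s direct connection to an external port 25 is flagged once, and the mail server is flagged for volume because it made four outbound connections against a threshold of three; the internal submission and the HTTPS line are ignored. The threshold is deliberately tiny so the sample trips it; on real data you would baseline your mail servers’ normal hourly volume first.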

 

3. KEEP SECURITY TOP OF MIND

  • The Department of Defense provides a decent model for creating a security culture with education tools like emailed “Security Tips”, required online or classroom-based self-paced security courses, and enforcement of a “clean desk” policy. This kind of consistency in education keeps users aware even if they only pay attention to half of the material, and it builds accountability. To use an old military phrase, users will begin to “police their own” and hold their peers responsible for a secure environment.

 

4. KEEP YOUR DEVICES SECURE

  • It’s absolutely imperative that systems and applications are kept up to date with updates and patches. Take it a bit further and use operating system or domain policies to limit a remote user’s capabilities within a system. Although this is not popular and can be difficult to manage, the alternative is much more frightening: once a system leaves the mother ship, the security risk grows exponentially. Once again I will mention user education (notice a theme here?). Hammering home the fact that this shiny new, expertly provisioned laptop is not a “personal device” is key to reducing the security risk.

 

5. AUDIT WHO HAS ACCESS

  • Auditing is one of the most crucial features, if not the most crucial, that should be enabled in every environment. Some of the key logs that should be audited are:
    • Access logs – Monitoring successful and failed logons at the domain AND local level can alert you to authentication-based attacks (look for the use of privileged accounts at odd hours or a large number of failed logon attempts from the same account), and can also provide critical information for root cause analysis and forensics.
    • File activity – Native operating system audit policies, File Integrity Monitoring applications and content scanners all create audit trails on file servers and endpoints that can be used to detect data theft and suspicious file changes. In many cases these tools may also alert you to zero-day viruses and other malware.
    • Network, system and application logs – These logs can not only identify perimeter attacks, but also identify outbound FTP traffic (which can indicate data theft or malware) and critical error and change information that may alert you to site hacking, malware and denial of service attacks sourcing from INSIDE the network.
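Two of the signals named in this post, “too many accounts being changed at once” and odd-hour resets under password hygiene, and “a large number of failed logon attempts from the same account” under access logs, are the same kind of detection: count events per principal in a sliding time window and compare against a threshold. The Python below is an added example written for this post, not code from Log & Event Manager, and it covers both passages with one shared sliding-window routine. The sample records are constructed and shaped like Windows security events 4625 (failed logon) and 4724 (password reset attempt); thresholds, window lengths and business hours are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows security events; not real log data.
# 4625 = failed logon (target = account that failed), 4724 = password reset attempt
# (subject = who performed the reset, target = whose password was reset).
SAMPLE_EVENTS = [
    {"time": "2013-05-06T09:00:00", "event_id": 4625, "target": "alice", "subject": "-"},
    {"time": "2013-05-06T09:00:05", "event_id": 4625, "target": "alice", "subject": "-"},
    {"time": "2013-05-06T11:00:00", "event_id": 4625, "target": "svc-backup", "subject": "-"},
    {"time": "2013-05-06T11:00:10", "event_id": 4625, "target": "svc-backup", "subject": "-"},
    {"time": "2013-05-06T11:00:20", "event_id": 4625, "target": "svc-backup", "subject": "-"},
    {"time": "2013-05-06T11:00:30", "event_id": 4625, "target": "svc-backup", "subject": "-"},
    {"time": "2013-05-06T11:01:00", "event_id": 4625, "target": "svc-backup", "subject": "-"},
    {"time": "2013-05-06T11:01:30", "event_id": 4625, "target": "svc-backup", "subject": "-"},
    {"time": "2013-05-06T03:10:00", "event_id": 4724, "target": "user01", "subject": "helpdesk1"},
    {"time": "2013-05-06T03:11:00", "event_id": 4724, "target": "user02", "subject": "helpdesk1"},
    {"time": "2013-05-06T03:12:00", "event_id": 4724, "target": "user03", "subject": "helpdesk1"},
    {"time": "2013-05-06T03:14:00", "event_id": 4724, "target": "user04", "subject": "helpdesk1"},
    {"time": "2013-05-06T10:30:00", "event_id": 4724, "target": "user09", "subject": "admin2"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def peak_in_window(pairs, window):
    """Given (time, key) pairs for one principal, return the largest number of DISTINCT
    keys seen inside any sliding window of length `window` (two-pointer sweep)."""
    pairs = sorted(pairs)
    best = lo = 0
    for hi in range(len(pairs)):
        while pairs[hi][0] - pairs[lo][0] > window:
            lo += 1
        best = max(best, len({key for _, key in pairs[lo:hi + 1]}))
    return best


def failed_logon_bursts(events, threshold=5, window_minutes=10):
    """Accounts with >= threshold failed logons inside any window_minutes span.
    Each failure is keyed by its own index so repeats for one account all count."""
    per_account = defaultdict(list)
    for i, ev in enumerate(events):
        if ev["event_id"] == 4625:
            per_account[ev["target"]].append((_ts(ev), i))
    window = timedelta(minutes=window_minutes)
    return sorted(acct for acct, pairs in per_account.items()
                  if peak_in_window(pairs, window) >= threshold)


def mass_password_resets(events, threshold=3, window_minutes=15):
    """Subjects that reset >= threshold DISTINCT accounts inside any window_minutes span."""
    per_subject = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4724:
            per_subject[ev["subject"]].append((_ts(ev), ev["target"]))
    window = timedelta(minutes=window_minutes)
    return sorted(subj for subj, pairs in per_subject.items()
                  if peak_in_window(pairs, window) >= threshold)


def off_hours_resets(events, business_start=8, business_end=18):
    """Password resets performed outside business hours (hour in [start, end) is normal)."""
    return [(ev["time"], ev["subject"], ev["target"]) for ev in events
            if ev["event_id"] == 4724 and not (business_start <= _ts(ev).hour < business_end)]


if __name__ == "__main__":
    print("failed logon bursts:", failed_logon_bursts(SAMPLE_EVENTS))
    print("mass resets:", mass_password_resets(SAMPLE_EVENTS))
    print("off-hours resets:", off_hours_resets(SAMPLE_EVENTS))
```

On the sample data the service account with six failures in under two minutes is reported while the user with two failures is not, the helpdesk subject who reset four different accounts in four minutes at 3 a.m. is reported both for volume and for the hour, and the single daytime reset by an admin is quiet. Counting distinct target accounts (rather than raw reset events) is what makes the second check express “too many accounts changed at once” instead of merely “many resets”, which could be one user retrying.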

 

The risk of attacks and breaches only grows with the introduction of Bring Your Own Device (BYOD) mobile devices, so implementing the right tools, policies, and procedures now just might create the proper security culture within your business.

 

Avoid some of the cybersecurity pitfalls. Secure your environment with Log & Event Manager. Get started for free.

We caught an article this week over on Bank Info Security's website about The Future of PCI. The PCI Security Standards Council revealed some of their thinking about where PCI needs to go during a recent PCI Community Meeting in Orlando, Florida. Some of the highlights, as we see them:

  1. "We really need to have a risk-based dialogue versus a compliance-based approach" - sounds a little bit like we're all on the same page when it comes to "compliance ≠ security".  He also acknowledges the ongoing challenge that retailers are interested in more prescriptive guidance, but threats are continually evolving: "merchants and the payments industry have to be committed to long-range security planning" and not just focusing on the current big breach. This is tough for the rest of us, who are really heads down in the day to day job. We may need the PCI Council to help us move along the spectrum, otherwise we'll keep focusing on table stakes security with the limited resources (people, money, and time) that we have.
  2. "When it comes to ensuring ongoing PCI compliance, it's critical that organizations regularly track the effectiveness of the controls and technologies they put in place, Leach says." - the reality of audit-driven compliance is that it's a once-a-year kind of deal. It's hard to keep the focus on something year in and year out when there's no pressing need. Theoretically with #1 (compliance better aligned with good security practices) it becomes easier to be able to answer "are we compliant TODAY, not just on audit day?" We see continuous compliance/monitoring becoming a trend across industries and segments, so I'm not surprised to see PCI thinking the same way. They sum it up pretty well: "Ongoing PCI is a challenge. It's very, very complicated and has many situation-specific qualities to it. ... We have to work with these organizations and make them realize the risks and then help them find solutions that work."
  3. "The very old, very basic kind of security flaws still remain - weak passwords, insecure remote access, lack of security patches, things like that that in some cases have been almost deliberately set up to make it easy for that reseller or that POS support person to do the maintenance" - a lot of us really are still fighting common security stuff. The security industry is constantly focusing on detecting the next big threat with new products and services - but the reality is a lot of us still need help making sure that our bases are fully covered in constantly evolving environments where balancing security and convenience is still a huge challenge.

 

There's more over in the article and we'll keep our eyes peeled for more on how the PCI council may turn this into actual material changes.

 

We've talked a little on Thwack before about whether compliance = security (or some variation of that truth - check out the discussion here: Does Compliance Actually Make you More Secure?). Do you think this news will change anything? Are your IT, compliance, and security teams moving toward more ongoing compliance instead of just point in time, or is an audit still a scramble? Let us know what you think about all things PCI in the comments.

Almost every year since Security Information & Event Management (SIEM) became a relatively mature technology, SC Magazine has done one of their Group Tests with SIEM products. All sorts of SIEM and log management vendors are invited to put their products to the test in SC Magazine's lab environment, where the reviewers have spent a lot of time deploying, implementing, and testing all manner of security products. The reviewers not only test core SIEM product features and functionality, but also evaluate the whole package - what about technical support? Documentation? Knowledge base? What is the actual price? Is this a solid, reliable vendor? If I were in the customer's shoes, what would I need to know to make a decision on this product? Many products enter, but few leave without a few dents and dings in their armor (some more than that).

 

The SolarWinds (and previously TriGeo) Log & Event Manager team has elected to participate in SC Magazine's review process each year, and each year we wait with great anticipation as the results are tallied. This year's reviews were released on April 1 and, no foolin', LEM was awarded 5 stars in every category!

 

I don't want to spoil the details of the review for you, so go read SC Magazine's review of Log & Event Manager in the SIEM Group Test for yourself. You can also view the context for the Group Test, more information about SIEM, and the other reviews on the main Group Test information page.

 

LEM is also one of few fully-functional SIEM products in the SC Magazine Group Test (or anywhere, really) where you can download and evaluate the product for 30 days on your own network. They don't give stars for that, but they do polish our stars with a little extra shine.

 

