I attended the Austin ISSA-sponsored Advanced Splunk Training session on March 6. As always, the ISSA chapter delivered meaty technical training, and it was free! The event was co-sponsored by BSides and Splunk.
While plenty of interesting Splunk technical material was presented, the most interesting part for me was hearing from Michael Gough and other security practitioners at the event about what people really monitor. As a technology provider, we are not always privy to what people are actually doing with our tools, so it was an eye-opener for me.
Here are some of the things security guys monitor. Of course they monitor other stuff too, but this is what we can share in mixed company.
Administrator / root logins, successful or failed. "Power corrupts, total power corrupts totally" - even IT administrators.
Login attempts to disabled accounts. Makes sense - there's usually a pretty good reason they're disabled.
Successful logins for certain accounts, such as those with elevated privileges, or accounts given to partner personnel
HTTPS accesses, especially to unusually long URLs, which can be SQL injection attempts
FTP from servers and workstations
Group membership changes and elevation of privilege
Suspicious files being executed
Outlook Web App (OWA) and Remote Desktop Protocol (RDP) logins – looking for suspicious remote access
Servers downloading .exes from the internet. They watch for admins surfing for open source tools, to make sure malware hasn't been downloaded along the way.
Share drive accesses at workstations and at servers; access to particular, sensitive shares. They watch for shares being seen and crawled inappropriately.
Net.exe use to map and unmap network drives in Windows
Cscript.exe use. Cscript.exe runs scripts from the command line and is often used in exploits.
Services being installed from servers; noisy workstations
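To make the list above concrete, here is a small detection pass, added as an illustration and not code from the event, from Splunk, or from SolarWinds. It runs a handful of the monitoring rules just listed (privileged logons, logons to disabled accounts, group membership changes, service installs, net.exe and cscript.exe execution, overlong web URLs) over a constructed batch of already-normalized events. The Windows event IDs and the account-disabled NTSTATUS code are standard Windows values that I have added; they do not appear on the page, and the account names, hosts and URLs are made up for the example.

```python
"""Toy detection pass over constructed, SIEM-normalized events.

Each record is a flat dict, the way a SIEM would present it after parsing.
The rules mirror the monitoring list above. Event IDs are standard Windows
Security/System log IDs (4624/4625 logon, 4728/4732/4756 group membership,
4688 process creation, 7045 service install); they are an addition here,
not something the page states.
"""
from collections import defaultdict

# Accounts considered privileged (constructed sample values).
PRIVILEGED = {"administrator", "root", "svc_backup_admin"}
# Accounts known to be disabled (constructed; a real rule would read this
# from the directory rather than a hard-coded set).
DISABLED = {"jsmith_old", "contractor_2019"}
# NTSTATUS sub-status reported on a failed logon to a disabled account.
STATUS_ACCOUNT_DISABLED = "0xc0000072"
# Member added to a security-enabled global / local / universal group.
GROUP_CHANGE_IDS = {4728, 4732, 4756}
# Command-line tools the list above calls out for monitoring.
WATCHED_TOOLS = {"net.exe", "cscript.exe"}
# Longer than this and a request path is worth a second look.
URL_LENGTH_LIMIT = 200


def check_event(ev):
    """Return the list of alert names this one event triggers ([] if none)."""
    alerts = []
    eid = ev.get("event_id")
    acct = ev.get("account", "").lower()
    if eid in (4624, 4625) and acct in PRIVILEGED:
        alerts.append("privileged-logon-" + ("ok" if eid == 4624 else "failed"))
    if eid == 4625 and (ev.get("sub_status", "").lower() == STATUS_ACCOUNT_DISABLED
                        or acct in DISABLED):
        alerts.append("logon-to-disabled-account")
    if eid in GROUP_CHANGE_IDS:
        alerts.append("group-membership-change")
    if eid == 7045:
        alerts.append("service-installed")
    if eid == 4688:
        # Compare on the bare image name so the path does not matter.
        exe = ev.get("process", "").rsplit("\\", 1)[-1].lower()
        if exe in WATCHED_TOOLS:
            alerts.append("watched-tool-" + exe)
    if ev.get("source") == "web" and len(ev.get("url", "")) > URL_LENGTH_LIMIT:
        alerts.append("overlong-url")
    return alerts


def run(events):
    """Map alert name -> hosts that raised it, over a batch of events."""
    hits = defaultdict(list)
    for ev in events:
        for name in check_event(ev):
            hits[name].append(ev.get("host", "?"))
    return dict(hits)


# Constructed sample telemetry; none of this is real data.
SAMPLE_EVENTS = [
    {"source": "winsec", "host": "DC01", "event_id": 4624, "account": "Administrator"},
    {"source": "winsec", "host": "WS17", "event_id": 4625, "account": "jsmith_old",
     "sub_status": "0xC0000072"},
    {"source": "winsec", "host": "WS17", "event_id": 4625, "account": "bob",
     "sub_status": "0xC000006A"},  # plain wrong password: no alert
    {"source": "winsec", "host": "DC01", "event_id": 4732, "account": "bob"},
    {"source": "winsys", "host": "SRV03", "event_id": 7045, "service": "UpdaterSvc"},
    {"source": "winsec", "host": "WS22", "event_id": 4688,
     "process": "C:\\Windows\\System32\\net.exe"},
    {"source": "winsec", "host": "WS22", "event_id": 4688,
     "process": "C:\\Windows\\System32\\notepad.exe"},
    {"source": "web", "host": "WEB01", "url": "/search?q=" + "A" * 300},
    {"source": "web", "host": "WEB01", "url": "/index.html"},
]

if __name__ == "__main__":
    for name, hosts in sorted(run(SAMPLE_EVENTS).items()):
        print(f"{name}: {hosts}")
```

Each rule is a one-line predicate on normalized fields, which is the point: once the SIEM has parsed the raw log, the monitoring list above turns into a short set of field comparisons, and the hard part is maintaining the reference sets (who is privileged, which accounts are disabled, which shares are sensitive) rather than the matching itself.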
And if you are a Security Guy, please check out our SIEM, SolarWinds Log & Event Manager. It's an understated, affordable, full-function SIEM that can help you pwn the bad guys.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.