The biggest threat in today's world is not a single massive attack but a sequence of small intrusions, each of which looks harmless on its own. They are usually spread across several systems that do not cooperate with each other, so no single system sees a threat. What is more, they unfold either over a very short or over a very long period of time, which makes them hard to recognise.
Every login could possibly be an intrusion. Credentials such as a username and password are the first and the last barrier between the intruder and the network. This is how anyone can get onto the network and gain control over assets or obtain data that is important to the business.
Current solutions take care of only one of the two areas:
- Credentials management: creating, changing and deleting login credentials from one place
- Gathering the data regarding login attempts
Phase 1: Logging
Applications, servers and other systems produce a lot of log information about how they work. The logs are not unified, so they are not easy to understand or work with.
Phase 2: Log unification
SIEM and similar systems deal with this issue: they collect the logs and unify their format. That enables them to aggregate the logs, look for correlations, search through them and raise warnings about simple situations that can be described as a use case.
SIEM is therefore able to detect those attacks whose scenario is given beforehand and which do not depend on state changes over time.
Phase 3: Data analysis
Systems such as ElasticSearch, Splunk and others store historical data and enable data analysts to search through it. These tools can be used to explore the data, and they excel in situations when we already know what we are looking for.
Centralised log gathering is insufficient
Assembling all the logs in one place and then searching through them is only a reactive solution. It has major shortcomings:
- the connections between actions within one system or across several systems are non-existent,
- the user does not know what to look for,
- the search itself is extremely time-consuming,
- the logs lack links to the real world around them.
Credentials monitoring with ALTWORX platform
Not a one-off search but continuous tracking of events in real time and across systems is how the Credential Monitoring scenario within ALTWORX works and deals with all the barriers mentioned above.
ALTWORX watches how credentials are used, builds behaviour profiles in real time and detects possible threats. All of this is enriched with knowledge of the environment's structure.
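The following is an added illustration, not code from ALTWORX or from the original text, of the difference between a stateless SIEM use case (Phase 2 above) and the real-time, cross-system behaviour profiling described here. It runs over a constructed set of login events (timestamps, system names, the user "alice" and the IP addresses are all made up) in which one failed login per system, each harmless on its own, is followed by a success on a system the user never used before. The per-system rule never fires, while the per-user profile accumulates the small deviations across systems inside a sliding time window and raises an alert.

```python
"""Cross-system credential monitoring: stateless SIEM rule vs. stateful per-user profile."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, system, user, source IP, outcome).
# Morning: normal use from the office network. Evening: one failure per system from an
# unknown address, then a success on a system the user has never touched before.
EVENTS = [
    ("2024-03-01T08:02:00", "vpn",  "alice", "10.0.5.21",    "success"),
    ("2024-03-01T08:05:00", "mail", "alice", "10.0.5.21",    "success"),
    ("2024-03-01T08:40:00", "crm",  "alice", "10.0.5.21",    "success"),
    ("2024-03-01T21:10:00", "vpn",  "alice", "198.51.100.7", "failure"),
    ("2024-03-01T21:25:00", "mail", "alice", "198.51.100.7", "failure"),
    ("2024-03-01T21:41:00", "crm",  "alice", "198.51.100.7", "failure"),
    ("2024-03-01T21:58:00", "hr",   "alice", "198.51.100.7", "success"),
]


def parse(ev):
    ts, system, user, ip, outcome = ev
    return datetime.fromisoformat(ts), system, user, ip, outcome


def stateless_rule(events, threshold=3, window=timedelta(minutes=15)):
    """SIEM-style use case: N failures for one user on ONE system inside a window.
    Each system is judged alone, so a single failure per system never trips it."""
    recent = defaultdict(deque)           # (user, system) -> timestamps of failures
    alerts = []
    for ts, system, user, ip, outcome in map(parse, events):
        if outcome != "failure":
            continue
        q = recent[(user, system)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, system, ts.isoformat()))
    return alerts


def build_profile(baseline):
    """Behaviour profile per user: systems used, source /24 networks, hours of day."""
    prof = defaultdict(lambda: {"systems": set(), "nets": set(), "hours": set()})
    for ts, system, user, ip, outcome in map(parse, baseline):
        if outcome == "success":
            p = prof[user]
            p["systems"].add(system)
            p["nets"].add(ip.rsplit(".", 1)[0])
            p["hours"].add(ts.hour)
    return prof


def score_event(profile, ev):
    """Small deviations from the profile, each harmless on its own, scored 1 point apiece."""
    ts, system, user, ip, outcome = parse(ev)
    p = profile.get(user)
    if p is None:
        return 1                          # unknown user: count as one deviation
    score = 0
    score += ip.rsplit(".", 1)[0] not in p["nets"]   # new source network
    score += ts.hour not in p["hours"]               # unusual hour
    score += system not in p["systems"]              # system never used before
    score += outcome == "failure"                    # failed attempt
    return score


def stateful_detect(profile, events, window=timedelta(hours=1), threshold=6):
    """Accumulate deviation points per user across ALL systems inside a sliding window.
    Alert when the sum reaches the threshold and at least two systems are involved."""
    state = defaultdict(deque)            # user -> (timestamp, system, score)
    alerts = []
    for ev in events:
        ts, system, user, ip, outcome = parse(ev)
        s = score_event(profile, ev)
        if s == 0:
            continue
        q = state[user]
        q.append((ts, system, s))
        while q and ts - q[0][0] > window:
            q.popleft()
        total = sum(x[2] for x in q)
        systems = [x[1] for x in q]
        if total >= threshold and len(set(systems)) >= 2:
            alerts.append({"user": user, "at": ts.isoformat(), "score": total, "chain": systems})
            q.clear()                     # start a fresh sequence after alerting
    return alerts


if __name__ == "__main__":
    baseline, live = EVENTS[:3], EVENTS[3:]
    print("stateless:", stateless_rule(live))                        # []
    print("stateful :", stateful_detect(build_profile(baseline), live))
```

The profile stands in for the "knowledge of the environment structure" mentioned above in its simplest form (which networks, systems and hours are normal for a user); a real deployment would learn it continuously from the event stream rather than from a fixed baseline slice, and would tune the window and threshold per environment.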
This solution helps our significant client O2 Czech Republic a.s.