Centralized Log Management for Access Monitoring
You’re reading the handwriting on the wall. Your company expanded its cloud infrastructure over the last few years, adding more and more Software-as-a-Service (SaaS) applications to its stack in response to remote work. Like 86% of other companies, you expect that this will continue at the same or an accelerated pace. In response to these IT changes, new laws and industry standards expect you to move toward a zero trust architecture. User identity and access is a fundamental zero trust architecture pillar, but it’s hard to limit user access without getting in the way of people doing their jobs.
Your centralized log management solution can help with access monitoring with security analytics and anomaly detection.
Why does excess privilege cause security risk?
Today, everyone uses cloud-based tools to do their jobs. Even your on-site employees use public internet-facing applications to do their jobs. The only way to protect sensitive information is to limit how people - internal employees and external third parties - interact with information.
Excess privilege, or users with more access than necessary to do their jobs, creates a security risk for several reasons:
- Disgruntled employees can steal sensitive data.
- Employees can accidentally share or download sensitive information.
- Attackers can use credentials to steal sensitive information.
- Attackers can use these privileges as part of lateral movement during an attack.
New security best practices around zero-trust security models start based on a foundation of user identity and access management in response to these risks.
User Access and NIST Zero Trust Architectures (ZTA)
The NIST Special Publication (SP) 800-207 “Zero Trust Architecture” notes that Zero Trust Architectures (ZTA) include the following:
- No implicit trust in assets or user accounts based on physical or network location.
- No implicit trust based on asset ownership (company or personally owned).
- Authentication and authorization (user and device) are discrete functions.
User Access and CISA Zero Trust Maturity Model (ZTMM)
In June 2021, CISA released a draft of its ZTMM, noting that the first pillar of a zero-trust security model is Identity. It stated:
An identity refers to an attribute or set of attributes that uniquely describe an agency user or entity.
Agencies should ensure and enforce that the right users and entities have the right access to the right resources at the right time.
Why is it a good idea to track user activity?
Tracking user activity is about protecting sensitive information, not about sitting over someone’s shoulder to make sure that they do their job. In dynamic environments, users move between low and high-risk applications, so you need to understand how they use their access to protect sensitive information.
At all times, you need to be able to answer the following questions:
- Who is the user?
- Is this person who they say they are?
- Does this person need this resource to do their job?
- Is this person accessing the resource from the right location?
- Is this person accessing this resource at the right time?
Tracking user behavior allows you to answer these questions, giving you a way to understand normal use so that you can detect anomalous use.
Using Centralized Log Management for Access Monitoring
To put it bluntly, access monitoring is hard. Identity governance and access monitoring are increasingly challenging in cloud environments where vendors have different entitlement granularity. Further, visibility becomes even more difficult as users move between SaaS applications.
Since your centralized log management solution takes in the access logs from across your environment. Every user and machine generates log data that tells the story about what they’re doing. Access logs document all requests from people or bots for individual files. Since centralized log management aggregates, parses, normalizes, correlates, and analyzes access, event, and security logs from across your environment, you’re able to get the visibility you need.
Your centralized log management solution ingests event data from your Identity and Access Management (IAM) or Identity Governance and Administration (IGA) tools.
User session monitoring gives real-time visibility into all user activity, including:
- User login
- User logout
- Failed login
- Resources accessed
- Account changes
These event logs enable security functions, like:
- Privileged access management (PAM)
- Password policy compliance
- Abnormal privilege escalation
- Time spent accessing a resource
- Brute force attack detection
Even in a work-from-anywhere world, most people stay within their normal physical location. They’re not going to take a plane just to work from a coffee house in a foreign country for eight hours. On the other hand, a cybercriminal who steals a credential isn’t likely to live in the same town as your employee.
Downloading a database of geolocation information can help you get the visibility you need by mapping IP addresses connected to your networks with physical location. If you don’t have any employees in Brazil, you know that something abnormal is happening that could mean a cybercriminal used a compromised credential.
User and entity behavior
The biggest security challenge you face when trying to monitor user access is understanding whether people are doing what they should be doing when they should be doing it.
You can track user session times and geolocation, but you also need to know whether the behaviors are normal for the individual users. Consider the following two scenarios:
Agatha is one of those people who always works the same hours. She logs in at 9AM and logs off at 5PM. Sometimes, she comes in early or works late, but she’s got a routine she likes to follow.
She uses the same business applications and has standard access.
Bertrand is your proverbial night owl. He’s a developer who gets his work done, and it’s always top-notch. He’s just a free spirit who prefers to do his work in spurts, often logging in after 10PM to finish something.
He has standard access to business applications and privileged access to the development environment.
Each of these users has a different “normal.” If you have alerts set to trigger when anyone accesses resources outside of the typical 9-5 workday, Bertrand is going to set off an alert fairly regularly. Meanwhile, if you don’t set any alerts for behavior and access, you risk missing an alert if a threat actor steals Agatha’s or Bertrand’s credentials.
Machine learning can help you understand your “normal” so that you can identify what’s abnormal. When you use User and Entity Behavior Analytics (UEBA), you’re able to monitor cloud access by aggregating and correlating risky activity spikes like:
- File permission changes
- File modifications
- File deletions
You can also correlate these with download activity across:
- Rare websites
- Email servers
- Removable media
- Rare processes
Maybe your users are working on a special project, but maybe you’re seeing an insider threat or a credential-based attack. In either case, you’ve got the information you need to do your job more efficiently and effectively.
Graylog Anomaly Detection: The Centralized Log Management Purpose-Built for Access Monitoring
Instead of flying blind in the cloud, you can use Graylog Anomaly Detection’s UEBA capabilities, running AI/ML that self-learns with a minimum amount of historical data. Our Anomaly Detection adapts to new data sets, organizational priorities, and custom use cases to have cloud access security monitoring that matches your cloud environment’s evolving risks.
We give you out-of-the-box scenarios based on real-life adversarial examples. All mapped to the MITRE ATT&CK framework. This way, you can identify unusual activity by users and entities with an understanding of why that behavior can indicate a security risk.
With Graylog Anomaly Detection, you get lightning-fast search capabilities with a log analyzer that gives you the power of a security event management tool with a user interface that you already know how to use.