Endpoint Compliance Reporting
Hopefully your existing endpoint security products report on agents that have stopped communicating or fallen out of compliance (e.g., running an outdated client, using an old DAT file for AV signatures, or not running the latest policy version). Unfortunately, some endpoint security products lack this reporting capability altogether, and even with the aid of endpoint tools, SOCs can find keeping up with endpoint compliance especially daunting.
In lieu of purchasing yet another point product just for reporting and compliance, you can use LogicHub to collect information on all assets/agents from each of your endpoint tools, grouping them together by host or asset owner, to produce a unified list of all your assets and their status for each of your key controls. This data set can also be further enriched with data from other internal tools, such as Active Directory or your CMDB solution.
Monitor Files Written to USB
Not all corporate environments have the luxury of fully blocking USB storage for all users or perfectly defining the policy that controls what can and cannot be written to a thumb drive or external hard drive. Digging through logs manually is too large a task for even a small environment, and SIEM solutions are limited in what they can detect using real-time logs.
By querying your SIEM or log management tool for Windows “disk write” logs or the logs of a passive endpoint DLP tool, LogicHub can filter out noise by path, file name, and other attributes to reduce the total data. From there, by applying predefined thresholds and even tracking “normal” activity for each user over time, you can ensure that the most suspicious use of USB storage is detected. Then you can generate incidents for human investigation or even send an email to the user and his or her manager to verify that the activity is both benign and necessary for your business.
Unauthorized User Account Modifications (Active Directory)
In many large environments, it’s impossible for security analysts to review all user administration events to ensure that proper processes are always being followed. Your SIEM may have rules that alert on user administration events based on specific thresholds and watch lists, but correlating all that activity with approved tickets in an external ticketing solution is beyond the scope of any SIEM platform.
By combining logs with an external integration to your company’s ticketing solution for such requests, LogicHub can report on changes made to user accounts (such as enabling a disabled user, resetting passwords, changing user groups or permissions, or even creating new users) that have no corresponding ticket with proper approvals. Additional comparisons can also be performed, such as checking the group membership of each user making changes or determining whether an affected user is a VIP.
These results can be delivered as a single report, or grouped by either the originating or the modified user into individual tickets for your compliance or SOC team. Your internal compliance process can then easily review this activity and determine whether compliance actions should be taken, or even whether the activity looks malicious in nature.
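As an added illustration of this correlation (example code, not LogicHub’s own), the following Python checks each account-change event against approved tickets, the actor’s group membership, and a VIP list, then groups the findings per originating user. All events, tickets, names and the 24-hour ticket validity window are constructed sample values; the event IDs are the standard Windows Security IDs for those account changes.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Standard Windows Security event IDs for common account changes (subset)
ACTIONS = {4720: "user created", 4722: "user enabled", 4724: "password reset", 4728: "added to group"}

# Constructed sample data: AD change events, approved tickets, VIP list, admin group
EVENTS = [
    {"time": "2024-03-04T09:12:00", "event_id": 4722, "actor": "helpdesk1", "target": "jdoe"},
    {"time": "2024-03-04T09:40:00", "event_id": 4724, "actor": "helpdesk1", "target": "cfo"},
    {"time": "2024-03-04T22:05:00", "event_id": 4728, "actor": "svc_backup", "target": "tmp_admin"},
    {"time": "2024-03-05T10:00:00", "event_id": 4720, "actor": "helpdesk2", "target": "newhire"},
]
TICKETS = [  # a ticket covers its target only if approved and within TICKET_WINDOW of the change
    {"id": "CHG-1001", "target": "jdoe", "approved": True, "approved_at": "2024-03-04T08:00:00"},
    {"id": "CHG-1002", "target": "newhire", "approved": False, "approved_at": "2024-03-05T09:00:00"},
]
VIPS = {"cfo", "ceo"}
AUTHORIZED_ADMINS = {"helpdesk1", "helpdesk2"}
TICKET_WINDOW = timedelta(hours=24)

def ticket_for(event, tickets=TICKETS):
    """Return the approved ticket covering this change, or None."""
    when = datetime.fromisoformat(event["time"])
    for tk in tickets:
        age = when - datetime.fromisoformat(tk["approved_at"])
        if tk["target"] == event["target"] and tk["approved"] and timedelta(0) <= age <= TICKET_WINDOW:
            return tk
    return None

def review_changes(events=EVENTS, tickets=TICKETS, vips=VIPS, admins=AUTHORIZED_ADMINS):
    """Flag changes without an approved ticket, plus the actor-group and VIP comparisons."""
    findings = []
    for ev in events:
        reasons = []
        if ticket_for(ev, tickets) is None:
            reasons.append("no approved ticket")
        if ev["actor"] not in admins:
            reasons.append("actor not in authorized admin group")
        if ev["target"] in vips:
            reasons.append("target is VIP")
        if reasons:
            findings.append({**ev, "action": ACTIONS.get(ev["event_id"], "other"), "reasons": reasons})
    return findings

def group_by_actor(findings):
    """Group findings per originating user so each actor gets one review ticket."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["actor"]].append(f)
    return dict(grouped)
```

With the sample data, the enable of `jdoe` is covered by CHG-1001 and produces no finding, while the other three changes are flagged, the `cfo` password reset with two reasons.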
Customers Tell Our Story Best
SOAR+ is the product of customer feedback. LogicHub would not be here if it weren’t for our customers and our community of thought leaders who help us every day to make our platform the best it can be. We could not ask for a more loyal and generous community.