Endpoint Compliance Reporting
Hopefully your existing endpoint security solutions provide a way to report on agents that have stopped communicating or have fallen out of compliance (e.g. running an outdated client, using an old DAT file for AV signatures, or not running the latest policy version). Unfortunately, not only do some products fall short in that area, it can also be daunting to keep up with endpoint compliance across all of your tools.
Instead of purchasing yet another point product just for this purpose, LogicHub can collect information on all assets/agents from each of your endpoint tools and group them by host or asset owner to produce a unified list of your assets and their status for each of your key controls, including assets that appear in your CMDB but in none of your agent inventories. This can also be enriched with data from other internal tools, such as Active Directory or your CMDB solution.
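The join described above, as an added example in Python (this is not LogicHub's own code or any vendor's export format). It takes one inventory export per tool plus a CMDB asset list, normalizes the hostnames so rows from different tools land on the same key, and rates each asset against each control as missing, stale, outdated or ok. The inventories, CMDB entries, version requirements and field names are constructed assumptions.

```python
"""Unified endpoint-compliance report from several agent inventories.

Added example, not LogicHub's code. The inventories, CMDB and version
requirements are constructed sample data; their field names are assumptions.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed so the example is deterministic
STALE_AFTER = timedelta(days=7)  # an agent silent longer than this counts as stale

# Minimum acceptable agent version per control (assumed values)
REQUIRED = {"av": "10.7.0", "edr": "4.2.1"}

# Constructed exports, one per tool. Hostnames are deliberately inconsistent
# (case, FQDN suffix) because each tool reports them differently.
INVENTORIES = {
    "av": [
        {"hostname": "WS-001.corp.example", "version": "10.7.0", "last_seen": "2024-01-15T09:00:00Z"},
        {"hostname": "ws-002", "version": "10.5.2", "last_seen": "2024-01-14T08:00:00Z"},
        {"hostname": "SRV-DB01.corp.example", "version": "10.7.0", "last_seen": "2023-12-20T08:00:00Z"},
    ],
    "edr": [
        {"hostname": "ws-001", "version": "4.2.1", "last_seen": "2024-01-15T10:00:00Z"},
        {"hostname": "WS-002.corp.example", "version": "4.2.1", "last_seen": "2024-01-15T10:00:00Z"},
        {"hostname": "srv-db01", "version": "4.2.1", "last_seen": "2024-01-15T10:00:00Z"},
        {"hostname": "ws-003", "version": "4.2.1", "last_seen": "2024-01-15T10:00:00Z"},
    ],
}

# Constructed CMDB: the authoritative asset list with owners. An asset listed here
# with no row in a tool's inventory has never enrolled with that tool.
CMDB = {"ws-001": "alice", "ws-002": "bob", "srv-db01": "dba-team", "ws-003": "carol"}


def normalize_host(name):
    """Short hostname, lower-cased, so rows from different tools join on one key."""
    return name.split(".")[0].lower()


def parse_version(v):
    return tuple(int(part) for part in v.split("."))


def control_status(row, required, now=NOW):
    """missing / stale / outdated / ok for one control on one asset."""
    if row is None:
        return "missing"
    last_seen = datetime.fromisoformat(row["last_seen"].replace("Z", "+00:00"))
    if now - last_seen > STALE_AFTER:
        return "stale"
    if parse_version(row["version"]) < parse_version(required):
        return "outdated"
    return "ok"


def build_report(inventories, cmdb, required, now=NOW):
    """Per asset: owner plus the status of every key control."""
    by_tool = {
        tool: {normalize_host(r["hostname"]): r for r in rows}
        for tool, rows in inventories.items()
    }
    report = {}
    for host, owner in cmdb.items():
        report[host] = {"owner": owner}
        for tool, min_version in required.items():
            report[host][tool] = control_status(by_tool.get(tool, {}).get(host), min_version, now)
    return report


def noncompliant(report):
    """Only the assets with at least one failing control, keeping just the failures."""
    out = {}
    for host, row in report.items():
        failures = {k: v for k, v in row.items() if k != "owner" and v != "ok"}
        if failures:
            out[host] = {"owner": row["owner"], **failures}
    return out


if __name__ == "__main__":
    for host, row in noncompliant(build_report(INVENTORIES, CMDB, REQUIRED)).items():
        print(host, row)
```

Driving the join from the CMDB rather than from any one agent inventory is what surfaces the "missing" case (ws-003 has EDR but was never enrolled in AV); a per-tool console cannot report an agent it has never seen.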
Monitor Files Written to USB
Not all corporate environments have the luxury of fully blocking USB storage for all users, or of perfectly defining a policy that controls what can and cannot be written to a thumb drive or external hard drive. Digging through logs manually is too large a task for even a small environment, and SIEM solutions are limited in what they can detect from real-time logs alone.
By querying your SIEM or log management tool for Windows removable-storage (“disk write”) audit events or the logs of a passive endpoint DLP tool, LogicHub can filter out noise by path, file name, and other attributes to reduce the total data. From there, by applying predefined thresholds and even tracking “normal” activity for each user over time, you can ensure that the more suspicious uses of USB storage are detected. You can then generate incidents for human investigation, or even send an email to the user and their manager to verify that the activity is both benign and necessary for your business.
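The filtering and per-user baselining described above, as an added example in Python run over constructed log lines (this is not LogicHub's code, and the `timestamp|user|path|bytes` format, the noise patterns and the thresholds are assumptions). Each user's median daily file count over prior days is the baseline; a day is flagged when it exceeds both an absolute floor and a multiple of that baseline, so a user with no history is judged on the absolute floor alone.

```python
"""Flag unusual USB write activity per user from sample DLP/audit log lines.

Added example, not LogicHub's code. The log format (timestamp|user|path|bytes),
the noise patterns and the thresholds are assumptions; the lines are constructed.
"""
import statistics
from collections import Counter, defaultdict
from datetime import date, datetime

# Noise that every removable drive produces regardless of what the user intended
NOISE_PATH_FRAGMENTS = ("\\system volume information\\", "\\$recycle.bin\\")
NOISE_FILENAMES = {"desktop.ini", "thumbs.db", "autorun.inf"}

ABS_MIN = 5        # never alert on fewer than this many files in a day
MULTIPLIER = 3.0   # alert when a day exceeds this multiple of the user's median day
TARGET_DAY = date(2024, 1, 15)

# Constructed sample: alice has a light history then a bulk export, bob writes a
# few photos with no history, carol dumps a source tree with no history.
SAMPLE_LOGS = """\
2024-01-10T09:01:00Z|alice|E:\\Reports\\q4_summary.xlsx|10240
2024-01-10T15:22:00Z|alice|E:\\Reports\\q4_notes.docx|8192
2024-01-11T10:05:00Z|alice|E:\\Reports\\budget.xlsx|20480
2024-01-12T09:30:00Z|alice|E:\\Reports\\deck.pptx|409600
2024-01-12T11:45:00Z|alice|E:\\Reports\\deck_v2.pptx|412000
2024-01-15T17:50:00Z|alice|E:\\Thumbs.db|4096
2024-01-15T17:50:01Z|alice|E:\\System Volume Information\\IndexerVolumeGuid|76
2024-01-15T17:51:00Z|alice|E:\\Export\\customers_001.csv|5242880
2024-01-15T17:51:05Z|alice|E:\\Export\\customers_002.csv|5242880
2024-01-15T17:51:10Z|alice|E:\\Export\\customers_003.csv|5242880
2024-01-15T17:51:15Z|alice|E:\\Export\\customers_004.csv|5242880
2024-01-15T17:51:20Z|alice|E:\\Export\\customers_005.csv|5242880
2024-01-15T17:51:25Z|alice|E:\\Export\\customers_006.csv|5242880
2024-01-15T17:51:30Z|alice|E:\\Export\\customers_007.csv|5242880
2024-01-15T17:51:35Z|alice|E:\\Export\\customers_008.csv|5242880
2024-01-15T09:10:00Z|bob|F:\\Photos\\img1.jpg|2048000
2024-01-15T09:10:05Z|bob|F:\\Photos\\img2.jpg|2048000
2024-01-15T09:10:10Z|bob|F:\\Photos\\img3.jpg|2048000
2024-01-15T18:00:00Z|carol|G:\\src\\repo.zip|73400320
2024-01-15T18:00:10Z|carol|G:\\src\\keys.zip|2048
2024-01-15T18:00:20Z|carol|G:\\src\\build.zip|10485760
2024-01-15T18:00:30Z|carol|G:\\src\\docs.zip|1048576
2024-01-15T18:00:40Z|carol|G:\\src\\tests.zip|524288
2024-01-15T18:00:50Z|carol|G:\\src\\ci.zip|65536
"""


def parse(line):
    ts, user, path, size = line.split("|")
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "user": user,
            "path": path, "bytes": int(size)}


def is_noise(rec):
    """Drop file-system housekeeping writes before counting anything."""
    p = rec["path"].lower()
    name = p.rsplit("\\", 1)[-1]
    return name in NOISE_FILENAMES or any(frag in p for frag in NOISE_PATH_FRAGMENTS)


def daily_counts(records):
    """user -> {date: number of files written}"""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["user"]][r["ts"].date()] += 1
    return counts


def find_anomalies(lines, target_day):
    records = [r for r in (parse(l) for l in lines if l.strip()) if not is_noise(r)]
    anomalies = {}
    for user, per_day in daily_counts(records).items():
        today = per_day.get(target_day, 0)
        history = [c for d, c in per_day.items() if d < target_day]
        baseline = statistics.median(history) if history else 0  # no history: floor only
        if today >= ABS_MIN and today > MULTIPLIER * baseline:
            anomalies[user] = {"today": today, "baseline": baseline}
    return anomalies


def run_example():
    return find_anomalies(SAMPLE_LOGS.splitlines(), TARGET_DAY)


if __name__ == "__main__":
    print(run_example())
```

In the sample, alice's eight CSVs are flagged against a median of two files per day, carol is flagged on the absolute floor because she has no history, and bob's three photos stay below the floor. The median rather than the mean keeps one earlier bulk day from inflating a user's baseline and hiding the next one.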
Unauthorized User Account Modifications (Active Directory)
In many large environments it is impossible to review every user administration event to ensure that proper process is being followed. Your SIEM may have rules that alert on user administration events based on thresholds and watch lists, but correlating all of that activity with approved tickets in an external ticketing solution is not something SIEM was designed for.
By combining logs with an integration to your company's ticketing solution for such requests, LogicHub can report on changes made to user accounts (such as enabling a disabled user, resetting passwords, changing user groups or permissions, or even creating new users) which have no corresponding ticket with proper approval. Additional comparisons can also be performed, such as checking the group memberships of each user making changes or determining whether an affected user is a VIP.
These results can be delivered as a report, or grouped by either the originating user or the modified user into individual tickets for your compliance or SOC team. Your internal compliance process can then review this activity and decide whether compliance action is needed, or whether the activity looks malicious in nature.
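The correlation and grouping described in the two paragraphs above, as an added example in Python (not LogicHub's code). The Windows Security event IDs are the real ones for these account changes; the events, tickets, VIP list, help-desk group and the ticket fields (target, allowed actions, approver, change window) are constructed assumptions about what a ticketing integration would return. An event is considered covered only by a ticket that is approved, names the same target account and action, and whose change window contains the event time; everything else becomes a finding grouped by the actor who made the change.

```python
"""Correlate Active Directory user-administration events with approved tickets.

Added example, not LogicHub's code. The Windows Security event IDs are real;
the events, tickets, VIP list and help-desk group are constructed, and the
ticket fields are assumptions about what a ticketing integration would return.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Windows Security event IDs for user administration and the action each represents
EVENT_ACTIONS = {
    4720: "create",          # A user account was created
    4722: "enable",          # A user account was enabled
    4724: "password_reset",  # An attempt was made to reset an account's password
    4728: "group_add",       # A member was added to a security-enabled global group
    4738: "modify",          # A user account was changed
}


def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass
class Event:
    event_id: int
    when: datetime
    actor: str        # SubjectUserName: who made the change
    target: str       # TargetUserName: the account that was changed
    detail: str = ""  # e.g. the group name for 4728


@dataclass
class Ticket:
    ticket_id: str
    target: str
    actions: set
    approved_by: str  # empty string means requested but never approved
    window_start: datetime
    window_end: datetime


# Constructed events as a collector might normalize them from the Security log
EVENTS = [
    Event(4724, ts("2024-01-15T10:05:00"), "hd.smith", "jdoe"),
    Event(4722, ts("2024-01-15T10:40:00"), "hd.smith", "svc_backup"),
    Event(4738, ts("2024-01-15T14:30:00"), "hd.smith", "jdoe"),
    Event(4724, ts("2024-01-15T11:15:00"), "hd.lee", "cfo.jones"),
    Event(4728, ts("2024-01-15T02:12:00"), "svc_deploy", "svc_deploy", "Domain Admins"),
    Event(4624, ts("2024-01-15T08:00:00"), "jdoe", "jdoe"),  # a logon, not an admin event: ignored
]

# Constructed tickets from the ticketing integration
TICKETS = [
    Ticket("CHG-1001", "jdoe", {"password_reset", "modify"}, "mgr.patel",
           ts("2024-01-15T09:00:00"), ts("2024-01-15T12:00:00")),
    Ticket("CHG-1002", "cfo.jones", {"password_reset"}, "",  # requested, never approved
           ts("2024-01-15T09:00:00"), ts("2024-01-15T17:00:00")),
]

VIPS = {"cfo.jones"}
HELPDESK = {"hd.smith", "hd.lee"}  # accounts expected to perform routine user administration


def matching_ticket(event, tickets):
    """An approved ticket naming this target and action whose window covers the event."""
    action = EVENT_ACTIONS[event.event_id]
    for t in tickets:
        if (t.target.lower() == event.target.lower()
                and action in t.actions
                and t.approved_by
                and t.window_start <= event.when <= t.window_end):
            return t
    return None


def review(events, tickets, vips=VIPS, helpdesk=HELPDESK):
    """Unticketed changes grouped by the actor who made them, enriched for triage."""
    findings = defaultdict(list)
    for e in events:
        if e.event_id not in EVENT_ACTIONS:
            continue
        if matching_ticket(e, tickets):
            continue
        findings[e.actor].append({
            "event_id": e.event_id,
            "action": EVENT_ACTIONS[e.event_id],
            "target": e.target,
            "when": e.when.isoformat(),
            "detail": e.detail,
            "vip_target": e.target in vips,
            "actor_in_helpdesk": e.actor in helpdesk,
        })
    return dict(findings)


if __name__ == "__main__":
    for actor, items in review(EVENTS, TICKETS).items():
        print(actor, items)
```

In the sample, hd.smith's password reset for jdoe is covered by CHG-1001, but the later account change falls outside that ticket's window and the enable of svc_backup has no ticket at all; hd.lee's reset of the CFO's password is flagged against an unapproved ticket and marked as a VIP target; svc_deploy adding itself to Domain Admins is flagged with an actor outside the help-desk group, the combination a SOC reviewer would look at first.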