Logs To Understand User Activity and Behavior

Logging user activity is a great way to understand what users are doing, and how they are using network and computing resources. Collecting data from the standpoint of a user identity or login is a great way to correlate all kinds of information, too, including client or workstation activity, network and server access, and application usage. This provides a unique opportunity to make use of Logentries’ ability to match and collate information from multiple sources, using user ID as the common thread to tie them all together.

What’s Normal?

From a monitoring standpoint, the first thing to do is to establish a baseline. This lets monitoring construct a picture of what ordinary, everyday behavior and activity looks like from a per-user perspective. The kinds of data that is worth collecting to paint this kind of picture includes such data points as:

  • Typical login/logout times: people usually show up for work around the same time each day and leave to go home around the same time each night. Establishing a profile of normal working hours helps document each user’s daily routine.
  • Applications accessed: people often work with the same set of tools day-in and day-out, punctuated by periodic use of other applications coincident with business, calendar, or reporting cycles. Capturing this kind of information helps document their usual habits and day-to-day activities.
  • Use of privileges: users tend to work primarily with unescalated privileges, where some may make occasional forays into higher-level access – particularly admins or managers who have various valid reasons to exercise such access. Documenting patterns in both kinds of use of privilege helps establish a pattern related to the most dangerous kind (escalated privilege) and to describe the kinds of tasks, assets, and resources likely to be involved in such work. Furthermore, establishing and enunciating a clear policy that all use of escalated privilege will be monitored and audited puts everyone on notice that use of escalated privileges is meant to be an open book, where all such actions should be easy to explain or defend at any time.
  • Resources and assets used: file system access, internet activity – especially uploads and downloads – and collaboration with co-workers, partners, and customers should all be monitored and tracked. Again, clear policies on data loss prevention and export of files and data outside corporate firewalls and security controls should be clearly stated, and carefully monitored. Likewise, users must be prepared to explain and defend their actions any time files or data travel outside the organizational boundary, whether via e-mail attachment, upload, USB stick, and so forth.

All in all this kind of attention to audit, application, and OS logs will let organizations build a nuanced view of individual user behavior and activity. This creates a baseline for what’s normal and expected, and provides a valuable touchstone for assessing and evaluating current behavior and activity, especially if and when it should bump up against or wander past organizational policy limits or requirements.

Watching for Anomalies

The real value of a baseline is, of course, it’s ability to indicate when behavior is out of bounds, out of scope, or against the rules. Employees should understand that looking for anomalies is not a matter of looking for excuses to persecute or pester individuals. Rather, they must understand that it’s an important indicator of potential compromise. Most of the time when anomalies occur, it’s because a user’s identity has been stolen or impersonating, not because that user is up to something evil or criminal. Looking back at our taxonomy of user data points in the baseline, here’s what anomalies can tell us:

  • If Bob is usually at his desk from 7:30 AM to 5:00 PM with an hour break for lunch between 11:30 AM and 1:30 PM, if we see his account active on systems or networks in the middle of the night, that should raise concern about impersonation. Ditto for weekends, except perhaps when the quarterly patches and fixes get pushed out to all corporate clients in the eastern US.
  • If Bob normally works with file management and database utilities, and his account starts working with user account management or accessing HR personnel files, this is a profound clue that somebody (possibly not Bob himself) is wandering outside the normal scope of his activities, perhaps with ill intent.
  • If Bob normally works only on file management and database utilities in the Northeast US organizational units, and his account starts digging into such things in the Southeast region or the west coast, somebody is messing around (again, possibly not Bob) outside his usual sphere or activity.
  • If Bob starts uploading copies of the latest draft sales reports and next quarter’s sales forecasts to a website in Bulgaria, this is almost surely a sign that somebody’s up to no good.

You get the idea: once we know what’s normal on a per-user basis, it’s easy to zoom in and investigate what’s not normal – or worse, flagrantly or obviously suspicious – for that same user. This kind of technique also works to track propagation of malware within an organization, particularly when compromise of one account leads to attempts to compromise other accounts. The applications are legion, but they all rest on knowing the user population and what their normal, day-to-day activity looks like, and how it changes over time.

Start capturing and analyzing all of your log data today with a free Logentries account.

Tagged with: , , ,
Posted in Log Analysis, Security

Leave a Reply