Overview
Glad you’re still with us; this one is a bit shorter.
Why – Why is someone trying to access the environment?
Who – Who should be able to access the environment? Can we authenticate the users or identify them in another way?
Where – Where are the users connecting from? From the office network? Some specific country/countries/region? Can we either whitelist or blacklist the locations?
When – Is the environment accessed around the clock? Can we recognize peak usage times?
How – What kind of device are they using, and what options do we have for locating and authenticating the user?
Breakdown

Your users might be working in a single timezone and strictly during office hours, or you might have users connecting from several timezones around the clock (and around the globe).
Several organizations run their operations around the clock, some locally, some on a “follow the sun” model and some on a combination of the above. There are also organizations that only work office hours.
Knowing your business and combining the “When” with the “Who” and/or the “Where” can give you a really good idea of whether there’s something to be worried about.
For example: if your user (“Who”) usually connects to the environment at 8AM (“When”) from their service provider’s IP pool (“Where”) and then all of a sudden connects from the other side of the globe, you should at least be able to flag such behaviour and see whether it needs action.
The timeline is also worth considering here. The faster you’re able to react, the better.
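As an added example (not code from the original post), the 8AM-from-the-usual-ISP versus other-side-of-the-globe check above can be scripted over constructed login records: a per-user baseline of countries and login hours (Who/When/Where) is learned from the first few logins, and any later login the baseline does not explain is flagged. Timestamps are normalised to UTC first, since the records may come from sources with different offsets.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of successful logins (not from the original post):
# "<ISO-8601 timestamp with UTC offset> <user> <source IP> <country code>".
SAMPLE_LOGINS = """\
2024-03-04T08:02:11+02:00 alice 203.0.113.10 FI
2024-03-05T08:10:45+02:00 alice 203.0.113.12 FI
2024-03-06T07:58:03+02:00 alice 203.0.113.11 FI
2024-03-07T08:05:30+02:00 alice 203.0.113.10 FI
2024-03-07T22:41:09+02:00 alice 198.51.100.7 AU
2024-03-04T09:00:00+02:00 bob 203.0.113.50 FI
2024-03-05T09:15:00+02:00 bob 203.0.113.51 FI
"""

def parse_logins(text):
    """Parse lines into (utc_datetime, user, ip, country), sorted chronologically.
    Every timestamp is normalised to UTC so events from different sources order correctly."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, country = line.split()
            events.append((datetime.fromisoformat(ts).astimezone(timezone.utc),
                           user, ip, country))
    return sorted(events)

def hour_distance(a, b):
    """Distance between two hours of day on a 24-hour circle (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def detect_deviations(events, min_events=3, hour_slack=1):
    """Walk events in order; once a user has `min_events` explained logins, flag any login
    from an unseen country or outside the usual hours. Returns (user, utc_iso, ip, reasons)."""
    seen_countries, seen_hours, count = defaultdict(set), defaultdict(set), defaultdict(int)
    alerts = []
    for when, user, ip, country in events:
        reasons = []
        if count[user] >= min_events:
            if country not in seen_countries[user]:
                reasons.append(f"new-location:{country}")
            if all(hour_distance(when.hour, h) > hour_slack for h in seen_hours[user]):
                reasons.append(f"off-hours:{when.hour:02d}UTC")
        if reasons:
            alerts.append((user, when.isoformat(), ip, reasons))
        else:  # only explained logins extend the baseline, so an outlier never becomes "normal"
            seen_countries[user].add(country)
            seen_hours[user].add(when.hour)
            count[user] += 1
    return alerts
```

With the sample data, alice's fifth login (from AU at 20:41 UTC) is the only alert; bob never reaches the minimum number of logins for a trusted baseline, so nothing of his is flagged.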
Normal user behavior
Users tend to have behavioural patterns that they repeat, and noticing a deviation from that behaviour is valuable.
Artificial intelligence (AI) and machine learning (ML) can be used against your environment, but when it comes to going through a big volume of data, these tools really come in handy.
Assessing when your environment’s peak load times are (login and load) can help you recognize abnormal behaviour, but also make sure your environment scales up to the load. If your users are unable to connect due to high load, it can lead to them using alternate and possibly insecure ways to connect, or even something worse, like users resigning and talking about these problems outside your organization.
Logging
If a user’s account is stolen and your organization’s data is exposed, stolen or used for extortion, it’s important to have an audit trail of what has happened.
Making sure the actions are logged is the most important thing here, but an often overlooked aspect is making sure the log timestamps are in order, especially when the data is coming from many sources.
Check that you have a network time protocol (NTP) source configured on all your vital components (firewalls, proxies, logging systems etc.) and make sure it’s running smoothly every now and then.
What next?
Check the basics
Make sure your logging data is collected, stored and has the proper timestamps. Do a dry run to spot possible deficiencies with a made-up scenario, like “There’s a suspicion that data was breached at 3AM last Thursday; the CISO has requested you to collect all possible logs and try to form an audit trail for a governmental cyber security organization.”
If you can’t do this but should be able to, make sure you have the budget and tools to fill in the gaps. Repeat the exercise regularly to make sure your logs are working and you and your team are prepared.
Who you gonna call?
We’re here for you. Comping has worked in a lot of different IT environments and seen different challenges with collecting the audit data. We have also participated in analysing the data and I bet we need to do it more in the future.
Our consultancy services might just be what you need to get your logs in order and pushed to the destination of your choosing.
There’s no harm in dropping me a couple of lines over email either (kari.ruissalo@comping.fi); I’ll try to answer you as quickly as possible, because time is of the essence! 🙂
