Tips to Monitor Disabled and Deleted User Accounts – Security Spotlight

The ‘Security Spotlight’ series of blogs is written in accompaniment with the YouTube series of the same name, which is aimed at providing quick visibility and understanding into how you can leverage the LogRhythm platform against a variety of threats.

In this Security Spotlight, we’ll be talking about monitoring disabled or deleted user accounts (MITRE Technique T1098).

What is user account management?

User account creation is undoubtedly a fundamental piece of the IT administration workflow that enables employees to access needed business resources. Contrary to many non-administrators’ beliefs, these accounts aren’t created for just end users: multiple service user accounts are created within enterprises to support a range of specific applications.

With such a variety of purposes, managing these user accounts becomes even more important. This holds especially true when dealing with employee off-boarding. When an employee leaves the company, businesses should use a robust Joiners / Movers / Leavers (JML) process that automatically deactivates or deletes the leaving employee’s accounts on the various platforms that employee used.

However, statistics and reports on Enterprise IT Maturity show that in many environments, this just isn’t the case.

Why is managing disabled or deleted accounts important?

It isn’t difficult to directly link the lack of a robust JML process to some of the major data breaches we hear about year after year. Procedures and automatic controls that verify user activity, especially that of disabled and deleted users, play a critical role in keeping enterprises secure.

When these measures aren’t taken, deprecated user accounts can be reactivated or recreated by an internal employee or an attacker, allowing them to escalate privilege or move laterally within the environment. Without proper monitoring, these attackers can easily slip through the cracks by masquerading as a valid user profile: a reactivated account that accesses company resources produces perfectly valid authentication events. From a security point of view, those events look like normal activity rather than a potential security issue unless something is specifically watching for the use of accounts that should be dormant.

How can LogRhythm help you?

To counteract this issue, the LogRhythm Co-Pilot team has expanded on an existing LogRhythm SIEM platform rule. By incorporating multiple rules and LogRhythm SmartResponse™ into a framework of detection, security teams will be able to properly understand the lifecycle of disabled and deleted accounts.

The workflow uses an AI Engine rule that creates an automatically populating list of disabled or deleted accounts, followed by two more rules that then monitor and note any usage of those accounts, whether or not any authentication was successful. It then provides a report that gives a weekly or monthly view of authentication activity for disabled accounts, which can be useful for executive reporting.
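To make the three-stage workflow concrete, here is a small added example (not LogRhythm’s rule logic or output) that runs the same idea over Windows Security events: stage one builds a watchlist from account-disabled (4725) and account-deleted (4726) events, stage two alerts on any later logon attempt, successful (4624) or failed (4625), by a listed account and also on the account being re-enabled (4722) or recreated (4720), and stage three rolls the alerts up per week or month for reporting. The event IDs are Microsoft’s documented Security log IDs; the tuple layout, account names and timestamps are constructed for this example.

```python
"""Toy detection pipeline for authentication activity by disabled or deleted
accounts, modelled on the three-stage workflow described above: build a
watchlist from disable/delete events, alert on any later use of a listed
account, and summarise activity per reporting period. The field layout and
the sample events are constructed for this example; they are not LogRhythm
rule logic or output."""

from collections import defaultdict
from datetime import datetime

# Windows Security event IDs (documented by Microsoft) that drive the logic.
ACCOUNT_DISABLED = 4725
ACCOUNT_DELETED = 4726
ACCOUNT_ENABLED = 4722
ACCOUNT_CREATED = 4720
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625

# Constructed sample events: (timestamp, event_id, target_account, actor_or_source).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", ACCOUNT_DISABLED, "CORP\\jdoe", "CORP\\hr-automation"),
    ("2024-03-01T09:05:00", ACCOUNT_DELETED, "CORP\\svc-legacy", "CORP\\admin1"),
    ("2024-03-02T22:14:00", LOGON_FAILURE, "CORP\\jdoe", "10.0.5.23"),
    ("2024-03-03T01:30:00", ACCOUNT_ENABLED, "CORP\\jdoe", "CORP\\admin2"),
    ("2024-03-03T01:31:00", LOGON_SUCCESS, "CORP\\jdoe", "10.0.5.23"),
    ("2024-03-12T08:00:00", LOGON_SUCCESS, "CORP\\svc-legacy", "10.0.7.9"),
    ("2024-03-04T10:00:00", LOGON_SUCCESS, "CORP\\asmith", "10.0.1.4"),  # never deprecated
]


def build_watchlist(events):
    """Stage 1: accounts that have been disabled or deleted, keyed by
    lower-cased name so that case differences in later logons still match."""
    watchlist = {}
    for ts, eid, account, actor in events:
        if eid in (ACCOUNT_DISABLED, ACCOUNT_DELETED):
            watchlist[account.lower()] = {"since": ts, "event": eid, "by": actor}
    return watchlist


def detect_usage(events, watchlist):
    """Stage 2: every logon (success or failure) and every re-enable or
    re-create of a watchlisted account, occurring after it was deprecated,
    becomes an alert. Reactivation is alerted on but the account stays listed,
    so subsequent logons keep alerting until an analyst clears the entry."""
    alerts = []
    for ts, eid, account, source in sorted(events):  # ISO timestamps sort lexically
        entry = watchlist.get(account.lower())
        if entry is None or ts < entry["since"]:
            continue  # not a deprecated account, or activity predates deprecation
        if eid in (LOGON_SUCCESS, LOGON_FAILURE):
            kind = "logon_success" if eid == LOGON_SUCCESS else "logon_failure"
            alerts.append({"time": ts, "account": account, "source": source, "kind": kind})
        elif eid in (ACCOUNT_ENABLED, ACCOUNT_CREATED):
            alerts.append({"time": ts, "account": account, "source": source, "kind": "reactivated"})
    return alerts


def period_report(alerts, period="month"):
    """Stage 3: alert counts per account per calendar month or ISO week,
    the kind of rollup an executive report would show."""
    report = defaultdict(lambda: defaultdict(int))
    for alert in alerts:
        dt = datetime.fromisoformat(alert["time"])
        if period == "month":
            key = dt.strftime("%Y-%m")
        else:
            iso_year, iso_week, _ = dt.isocalendar()
            key = f"{iso_year}-W{iso_week:02d}"
        report[key][alert["account"]] += 1
    return {k: dict(v) for k, v in report.items()}


if __name__ == "__main__":
    wl = build_watchlist(SAMPLE_EVENTS)
    for alert in detect_usage(SAMPLE_EVENTS, wl):
        print(f'{alert["time"]} {alert["kind"]:14} {alert["account"]} from {alert["source"]}')
    print(period_report(detect_usage(SAMPLE_EVENTS, wl), "week"))
```

On the sample data the re-enable of `CORP\jdoe` at 01:30 followed one minute later by a successful logon from the same source that had just failed is exactly the pattern the post warns about, and it surfaces as a “reactivated” alert followed by a “logon_success” alert rather than disappearing as a routine authentication. In a real deployment the watchlist would be fed continuously by the disable/delete events and the account key should also carry the domain or SID, since the same SAM name can legitimately exist in two domains.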

Finally, the guide built by the team allows a degree of customization to individual business requirements, so you can create a set of tools that fits smoothly into an existing JML process.

For more information on how to enable these rules within your LogRhythm deployment, check out our community page to read more, download, and then import the rules into your platform.

For other Security Spotlight episodes, you can access the full playlist here.