Detecting and Monitoring Abnormal Login Activity with a Deterministic Rule-Based Approach

Most organisations focus their threat detection and prevention strategies on external actors, but internal threats can cause just as much harm. These threats are not always launched by malicious employees intent on inflicting damage; they can also arise unintentionally, when an employee with little security awareness exposes data to threat actors.

Access control systems play a vital role in protecting an organisation from insider threats. Being able to identify whether users are attempting to log on, or are successfully logging on, outside of business hours helps organisations spot threats and effectively identify security risks.

Download Uncovering Insider Threats Use Case

The challenge

Since the pandemic, remote working has become much more widespread worldwide. While working from home brings new flexibility and adaptability into work processes, it also exposes both individuals and businesses to a multitude of cybersecurity risks.

Remote working has opened up access opportunities for users, with employees now being able to log in to devices anytime, anywhere. With a vast number of individual users to manage, it can be hard to monitor dispersed employees and pinpoint unusual behaviours.

To build a full picture of user activity, organisations need to set customised rules to gain visibility into when remote users are accessing the network. Organisations need tailored security rules in place to detect and respond to login activity that has taken place outside of core work hours.

The solution

Detecting a possible incident or anomalous insider activity needs to be a simplified and streamlined process.

Many security teams are running their Security Operations Centre (SOC) with limited resources and need support to maximise their threat hunting activities. They need the support of knowledgeable security professionals to tailor their deployed solutions to their individual security needs and to get the most out of the rules they set within their security platforms.

LogRhythm’s Analytic Co-Pilot Services enable organisations to establish behavioural and statistical baselining, and ongoing alarm tuning to better understand potential risks. Through the implementation of a specific rule-based approach, our Co-Pilots enable organisations to take control of their IT environments and match their security needs.

By tracking Authentication Success and setting day and time criteria, organisations can monitor for any access that would be considered suspicious from users that are not expected to login outside of core company hours.

Organisations can also refine their rules to check the logon types of users that are logging on after hours. Logon types describe the ways in which users can log on to a system.

A user that has left their machine logged in would continue to generate logon type 3 (network), where a user accesses a computer from the network, or type 4 (batch), when a scheduled task is about to be started. However, you should not expect to see logon type 2 (interactive), where a user logs on to a computer locally; 7 (unlock), when a user unlocks a previously locked workstation; or 10 (remote interactive), where a user logs on to a computer remotely using Terminal Services or Remote Desktop. These logon types would trigger alarms for security teams to investigate whether that user was accessing outside of hours and why.
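As an added illustration of the rule described above (this is example code, not LogRhythm's rule syntax or any product code), the following Python evaluates constructed Windows Security event 4624 ("An account was successfully logged on") records against a day-and-time window and the logon-type distinction just made: types 3 and 4 are tolerated after hours because an unattended, still-logged-in workstation keeps producing them, while types 2, 7 and 10 require a person at a keyboard and raise an alarm. The pipe-delimited record layout, the 08:00 to 18:00 Monday-to-Friday core-hours window and the allowlist of accounts expected to work after hours are all assumptions made for the demo.

```python
"""Deterministic after-hours logon rule (added example, not LogRhythm code).

Sample events are constructed and mimic the fields of Windows Security
event 4624 (successful logon): timestamp, account, workstation and
LogonType. The pipe-delimited layout is an assumption for this demo.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

# Windows logon types named in the article.
LOGON_TYPE_NAMES = {
    2: "interactive",
    3: "network",
    4: "batch",
    7: "unlock",
    10: "remote interactive",
}

# Types that need a person present; 3 (network) and 4 (batch) are expected
# from a workstation left logged in and are deliberately not alerted on.
ALERT_LOGON_TYPES = {2, 7, 10}

# Core business hours (assumption): Monday to Friday, 08:00-18:00 local time.
CORE_START = time(8, 0)
CORE_END = time(18, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # Monday=0 ... Friday=4

# Accounts expected to log on after hours (assumption), e.g. on-call staff.
AFTER_HOURS_ALLOWLIST = {"svc_backup", "oncall.admin"}


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    account: str
    host: str
    logon_type: int


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed record: '<ISO timestamp>|4624|<account>|<host>|LogonType=<n>'."""
    ts, event_id, account, host, lt = line.strip().split("|")
    if event_id != "4624":
        raise ValueError(f"not an authentication success event: {event_id}")
    if not lt.startswith("LogonType="):
        raise ValueError(f"missing LogonType field: {lt}")
    return LogonEvent(datetime.fromisoformat(ts), account, host, int(lt.split("=", 1)[1]))


def outside_core_hours(when: datetime) -> bool:
    """True on weekends, or when the time of day falls outside the core window."""
    if when.weekday() not in WORKDAYS:
        return True
    return not (CORE_START <= when.time() < CORE_END)


def evaluate(event: LogonEvent) -> Optional[str]:
    """Return an alarm string if the rule fires for this event, else None."""
    if not outside_core_hours(event.when):
        return None
    if event.account.lower() in AFTER_HOURS_ALLOWLIST:
        return None
    if event.logon_type not in ALERT_LOGON_TYPES:
        return None
    name = LOGON_TYPE_NAMES.get(event.logon_type, "unknown")
    return (f"after-hours logon: {event.account} on {event.host} at "
            f"{event.when.isoformat()} (type {event.logon_type}, {name})")


def run_rule(lines: List[str]) -> List[str]:
    """Evaluate each record and collect the alarms that fire, in input order."""
    return [alarm for alarm in (evaluate(parse_event(l)) for l in lines) if alarm]


# Constructed sample log; 2024-03-12 is a Tuesday, 2024-03-16 a Saturday.
SAMPLE_LOG = [
    "2024-03-12T09:15:00|4624|alice|WS-101|LogonType=2",          # in hours: ignored
    "2024-03-12T22:40:00|4624|alice|WS-101|LogonType=3",          # network, machine left logged in: ignored
    "2024-03-12T23:05:00|4624|alice|WS-101|LogonType=7",          # unlock at 23:05: alarm
    "2024-03-13T02:00:00|4624|svc_backup|SRV-01|LogonType=4",     # scheduled task, allowlisted: ignored
    "2024-03-16T10:30:00|4624|bob|WS-202|LogonType=10",           # Remote Desktop on a Saturday: alarm
    "2024-03-16T11:00:00|4624|oncall.admin|SRV-02|LogonType=10",  # on-call account, allowlisted: ignored
]

if __name__ == "__main__":
    for alarm in run_rule(SAMPLE_LOG):
        print(alarm)
```

Run against the sample, the rule fires twice: once for the interactive unlock at 23:05 on a weekday and once for the weekend Remote Desktop session, while the network and batch logons from unattended machines and the allowlisted after-hours accounts pass silently. In a production SIEM the same logic would be expressed in the platform's rule language and the allowlist and hours window maintained as lists, but the evaluation order (time window first, then expected users, then logon type) is what keeps the alarm volume manageable.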

In addition, organisations can further strengthen their security posture against insider threats by leveraging machine learning (ML) techniques. Security teams can integrate ML within technologies to identify abnormal login patterns in their data, enabling them to make faster and more accurate decisions.

With ML, security teams can gain additional insight with an approach that doesn’t require prior knowledge of known patterns. Security technologies using ML can learn the typical patterns of activity within a networking environment and recognise anomalous behaviours. This can indicate possible threats and identify risks earlier in the Cyber Attack Lifecycle to prevent future incidents and reduce the impact of a breach.

Organisations can stop potential insider threats in their tracks by deploying deterministic rules and ML for identifying abnormal login behaviours. With this holistic approach, they can effectively capture valuable insights into user behaviour and rapidly combat malicious and careless insider activity.

LogRhythm: Your trusted experts

LogRhythm understands that cybersecurity needs to be a priority. Our comprehensive solutions for tackling insider threats can enable organisations to proactively protect their network with tools and technologies that are ready to defend.

Interested in seeing how LogRhythm can help you combat insider threats? Request a demo today!