Executive Monitoring Use Case 1
- Pavan Raja

- Apr 8, 2025
- 4 min read
Summary:
The document outlines a method for monitoring high-risk systems such as executives' PCs to detect unauthorized intrusions. Key steps include configuring audit settings on the PC to log various events (success/failure) and setting up detailed file-level auditing for identified admin users. This is crucial for maintaining security standards in roles with privileged access, particularly within financial services companies. The document specifies that certain audit policies must be set up on the monitored PCs, including auditing account logon events, management activities, object access, policy changes, privilege use, and process tracking. Additionally, it mentions configuring permissions specifically for each user to monitor their actions at a detailed level. Finally, the document introduces an ArcSight ESM Executive Monitoring Package containing rules for detecting unauthorized activities such as audit logs being cleared, initial file accesses after remote connections, interactive logins by unauthorized users, and network connection attempts mapping drives remotely.
Details:
The provided document outlines a use case for monitoring unauthorized intrusions into high-risk user systems, such as executives' PCs in a company setting. The main objective of this use case is to detect unauthorized access via interactive login, remote desktop, or network share login by administrative users who have access to the PC. This is particularly important for roles like those within the workstation team, domain administration, and other high-level administrators with privileged access.
**Use Case Overview:**
The document explains that this use case was developed during an engagement with a financial services company using HP ArcSight SOC tools. It states that the use case was tested successfully and detected unauthorized access to executive PCs once the following audit settings were configured on the PC:
- Audit account logon events (success/failure)
- Audit account management (success/failure)
- Audit directory service access (no auditing)
- Audit logon events (success/failure)
- Audit object access (success/failure)
- Audit policy change (success/failure)
- Audit privilege use (success/failure)
- Audit process tracking (success/failure)
**PC Configuration Requirements:**
To ensure the effectiveness of this monitoring, certain audit policies must be set up on the monitored PCs. These include:
**Audit Policy**: Ensure that all relevant logon and account management events are audited for both success and failure. Directory service access should not be audited, while the other listed areas (object access, policy change, privilege use, process tracking) should also be audited for both success and failure.
**File Level Auditing:**
The document gives step-by-step instructions for configuring detailed file-level auditing for the identified admin users (see the steps below). It also introduces an ArcSight ESM Executive Monitoring Package and describes its components: Active Lists, Rules, and a bundled .ARB package.
In summary, this use case provides a method for monitoring high-risk PCs for access by administrative users, so that potential unauthorized intrusions are detected; this is crucial for maintaining security standards around sensitive organizational roles such as executive management. The document outlines the specific audit settings that must be configured on the monitored systems to support effective detection of these incidents.
To provide more effective auditing and alerting for a monitored PC, follow these steps:
1. Identify Admin Users on the System: First, determine which users are part of the local "Administrators" group, including both local and domain accounts. This list will be used for configuring detailed file-level auditing.
2. Configure Detailed File-Level Auditing:
   - Open Windows Explorer, right-click the C:\ drive, and select "Sharing and Security."
   - Click the "Security" tab, then choose the "Advanced" button at the bottom of the dialog box.
   - In the advanced security settings editor, go to the "Auditing" tab.
   - Add the users identified in Step 1 by clicking the "Add" button and entering their names, with the location set to the computer name (e.g., ATLCHENDERSON). Verify each account with the "Check Names" button.
   - Repeat this process for each admin user found, so that every one of them is listed under the Auditing tab and their access to and actions on files are monitored at a detailed level.
By following these steps, you set up specific auditing for the administrative users while excluding the PC's primary user, which makes the audit trail and the alerts built on it far more useful.
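The Explorer steps above, together with the Success/Failed "Full Control" audit entries the document specifies in the next section, can be scripted so that the same configuration is applied consistently to every monitored PC. The following PowerShell is an added example and is not from the original document or the ArcSight package. It assumes Windows 10 / Server 2016 or later (for `Get-LocalGroupMember` and `auditpol`), an elevated session (writing a SACL requires it), and that `$ExcludedUser` is a placeholder for the executive's own account, which the document says to leave out of the auditing entries.

```powershell
# Added example (not from the original document): scripts the audit configuration the
# document describes by clicking through Explorer. Run in an elevated session on the
# monitored PC. $ExcludedUser is a placeholder for the PC's primary (executive) user.
param(
    [string]$AuditedPath  = 'C:\',
    [string]$ExcludedUser = 'DOMAIN\exec.user'   # placeholder, replace with the real account
)

# 1. Legacy audit categories listed in the document: success and failure for all of
#    them except directory service access, which the document leaves unaudited.
$categories = @(
    'Account Logon', 'Account Management', 'Logon/Logoff',
    'Object Access', 'Policy Change', 'Privilege Use', 'Detailed Tracking'
)
foreach ($c in $categories) {
    auditpol.exe /set /category:"$c" /success:enable /failure:enable | Out-Null
}
auditpol.exe /set /category:"DS Access" /success:disable /failure:disable | Out-Null

# 2. Enumerate the local Administrators group (local and domain accounts, and any
#    domain groups nested in it), dropping the executive's own account.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -in 'User', 'Group' } |
    Select-Object -ExpandProperty Name |
    Where-Object { $_ -ne $ExcludedUser }

# 3. Add a Success+Failure / Full Control audit entry for each admin on the drive root,
#    inherited by all subfolders and files (the "Successful" and "Failed" boxes under
#    "Full Control" in the Explorer dialog).
$acl = Get-Acl -Path $AuditedPath -Audit
foreach ($name in $admins) {
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $name,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
}
Set-Acl -Path $AuditedPath -AclObject $acl

# 4. Show the resulting SACL so it can be compared with the Explorer Auditing tab.
(Get-Acl -Path $AuditedPath -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags |
    Format-Table -AutoSize
```

Two practical points when using this: the SACL only produces events when "Object Access" auditing is enabled, which step 1 does, and Full Control success auditing on the whole drive is noisy, so on a busy machine it is reasonable to scope `$AuditedPath` to the executive's profile and document folders rather than the drive root. `auditpol /get /category:*` confirms the policy state afterwards.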
To summarize this information, here's a brief overview of what needs to be done and why:
1. **Setting Permissions for Users:**
   - In the audit entry window that opens, set the permissions for each user.
   - Select "Successful" and "Failed" under "Full Control."
   - Click OK to confirm the settings.
   - Repeat these steps for all domain users and any local users.
   - For domain users, change the Locations button back to "Entire Directory" so the name is checked against the entire domain.
2. **ArcSight ESM Executive Monitoring Package:**
   - Configure systems to log all required events.
   - Review the package containing the use case rules.
   - Note that none of the rules have predefined actions; actions must be defined based on customer requirements.
3. **Active Lists:**
   Two active lists need to be populated:
   - **Executive Machines Monitored:** List the hostname of each monitored system (short hostname, e.g., ATLCHENDERSON, not the fully qualified name).
   - **Executive Accounts Mapped to Machines:** Include both the basic username and DOMAIN\username for each approved user; also include all service accounts used by these users.
4. **Rules:**
   Define actions for the following rules:
   - **Audit Log cleared on Exec Machine:** Detects when an audit log is cleared on a monitored system.
   - **Files accessed on Exec Machine:** Detects the initial file access after a remote connection, showing only that files are being viewed remotely.
   - **Interactive Login to Exec Machine:** Detects logins by unauthorized admin users at the keyboard.
   - **Network Connection Attempt to Exec Machine – Remotely Mapping Drive:** Detects attempts to connect to the system and map its drives remotely.
This summary captures the essential steps for configuring user permissions, reviewing the monitoring rules, and populating the necessary lists for effective executive machine monitoring with the ArcSight ESM Executive Monitoring Package.
The text discusses a network security monitoring tool that detects various activities on an "Exec Machine" through different methods, such as failed login attempts, remote desktop connections, user account creations, and group membership changes. It states that these detections can provide insight into potentially unauthorized or suspicious activity requiring further review. Additionally, it mentions the existence of an ARB (Automated Reasoning Bundle) bundled package containing all the discussed rules; when imported, the rules are placed in a specific folder in the Navigator folder tree.
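To make the four rules and the two active lists concrete, here is an added PowerShell model of the detection logic, evaluated over constructed Windows Security events. It is not the package's own rule definitions, and it runs on a collector or analyst workstation rather than in ESM. The event IDs and logon types are standard Windows Security values (4624 successful logon, logon type 2 at the keyboard and 3 over the network; 4663 object access; 1102 audit log cleared); the hostnames, accounts, field names and the `Test-ExecMachineEvent` function are this example's own assumptions.

```powershell
# Added example (not part of the ArcSight package described on the page): a minimal
# model of the four rules, with the two active lists as PowerShell data structures.

# Active list 1: monitored hosts, short hostname as the document specifies (constructed).
$ExecMachinesMonitored = @('ATLCHENDERSON')

# Active list 2: approved users per machine, as plain username, DOMAIN\username and
# the executive's service accounts (constructed sample entries).
$ExecAccountsMappedToMachines = @{
    'ATLCHENDERSON' = @('chenderson', 'CORP\chenderson', 'CORP\svc-backup')
}

# Remote sessions seen so far: key "machine|logonId", value = first file already reported.
$script:RemoteSessions = @{}

function Test-ExecMachineEvent {
    param([hashtable]$Event)   # Computer, EventID, User plus the per-event fields used below

    $machine = $Event.Computer
    if ($machine -notin $ExecMachinesMonitored) { return $null }   # rules only fire for listed PCs
    $user = $Event.User
    $isApproved = $user -in $ExecAccountsMappedToMachines[$machine]

    switch ($Event.EventID) {
        1102 {   # Security log cleared: alert regardless of who did it
            return "Audit Log cleared on Exec Machine: $machine by $user"
        }
        4624 {   # successful logon by someone not mapped to this machine
            if ($isApproved) { return $null }
            if ($Event.LogonType -eq 2) {
                return "Interactive Login to Exec Machine: $machine by $user"
            }
            if ($Event.LogonType -eq 3) {
                # remember the session so the first file it touches can be reported
                $script:RemoteSessions["$machine|$($Event.LogonId)"] = $false
                return "Network Connection Attempt to Exec Machine - Remotely Mapping Drive: $machine by $user"
            }
        }
        4663 {   # object access: report only the first file touched in a tracked remote session
            $key = "$machine|$($Event.LogonId)"
            if ($script:RemoteSessions.ContainsKey($key) -and -not $script:RemoteSessions[$key]) {
                $script:RemoteSessions[$key] = $true
                return "Files accessed on Exec Machine: $machine by $user ($($Event.ObjectName))"
            }
        }
    }
    return $null
}

# Constructed sample stream: the executive logs on at the keyboard, then a workstation
# admin maps a drive remotely, reads two files, and clears the log; a log clear on an
# unmonitored file server is ignored.
$sample = @(
    @{ Computer='ATLCHENDERSON'; EventID=4624; User='CORP\chenderson'; LogonType=2; LogonId='0x1a2b' },
    @{ Computer='ATLCHENDERSON'; EventID=4624; User='CORP\wsadmin';    LogonType=3; LogonId='0x3c4d' },
    @{ Computer='ATLCHENDERSON'; EventID=4663; User='CORP\wsadmin';    LogonId='0x3c4d'; ObjectName='C:\Users\chenderson\Documents\board.xlsx' },
    @{ Computer='ATLCHENDERSON'; EventID=4663; User='CORP\wsadmin';    LogonId='0x3c4d'; ObjectName='C:\Users\chenderson\Documents\q1.docx' },
    @{ Computer='ATLCHENDERSON'; EventID=1102; User='CORP\wsadmin' },
    @{ Computer='FILESERVER01';  EventID=1102; User='CORP\wsadmin' }
)
$sample | ForEach-Object { Test-ExecMachineEvent -Event $_ } | Where-Object { $_ }
```

The stateful part is the piece worth noting: "initial file access after remote connection" needs the 4663 events tied back to the 4624 that opened the session, which the model does through the Logon ID that both events carry; in ESM the equivalent is a session list or a rule that references the earlier correlation event. As the document says, the rules ship without actions, so the returned strings stand in for whatever notification or case-creation the customer defines.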