Service Account Initial Anomaly Detection Use Case Process (August 2011)
- Pavan Raja

- Apr 8, 2025
- 2 min read
Summary:
The document "Service Account Initial Anomaly Detection Use Case Process" is a part of Robert Sandoval's series about remote system management services use cases, specifically designed for ArcSight clients managing Unix-based systems in enterprises. It addresses the challenge of securing these systems during hardening by discussing the importance of initial anomaly detection after collecting OS logs from such environments. The process aims to help clients identify:
1. Services running on Unix-based systems
2. User accounts under which these services operate
3. Frequency of service runs
4. Systems that need better security according to industry standards or organizational policies
The process relies only on available log information, because specific technical limitations rule out other data sources.
Details:
The document titled "Service Account Initial Anomaly Detection Use Case Process.docx" is part of a series by Robert Sandoval related to remote system management services use cases. It focuses on the process for detecting anomalies in Unix-based systems used in enterprise environments, particularly for ArcSight clients.
The document highlights that enterprises running predominantly Unix-based environments may face challenges in securing their services during the hardening process due to various reasons such as immaturity in processes, skill gaps, or deliberately accepting risk. It emphasizes the importance of discussing initial anomaly detection with clients who are collecting OS logs from these systems to ensure compliance with enterprise security policies and regulatory requirements.
The document notes that anomalies are not always immediately noticeable; they surface through the persistent testing and audit processes an enterprise runs to maintain data confidentiality, integrity, and availability.
The Service Account Initial Anomaly Detection Use Case Process is a method designed to help ArcSight clients use basic log consolidation, query, trend, and reporting capabilities within the ESM (Enterprise Security Manager) to identify various aspects of Unix-based system services. This process aims to discover:
1. Services running on Unix-based systems
2. The systems or user accounts under which these services are operating
3. The frequency at which these services are being run
4. Systems that have not been adequately hardened according to industry standards, organizational policies, etc.
This process is intended for use in environments where only the use of operating system logs is feasible due to solution architecture or data obfuscation preventing access to other systems. It emphasizes the importance of initial anomaly detection using available log information and does not cover all possible security solutions but rather focuses on what can be achieved with current tools.
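As an added illustration that is not from Sandoval's document or from ArcSight, the consolidate-query-trend sequence the process relies on, run over a few constructed Unix log lines outside ESM: cron entries give the service, the host and the account it runs under, counting them gives frequency, and comparing hosts exposes one whose hardening lags the rest. The syslog layout, the regexes and the `SERVICE_ACCOUNTS` policy are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample OS log lines (not from the original document). Cron entries
# record which account a scheduled service runs under; the sshd line records an
# interactive login. The date column follows the traditional syslog form.
SAMPLE_LOGS = """\
Mar  3 02:00:01 web01 CRON[1201]: (backup) CMD (/usr/local/bin/nightly-backup)
Mar  4 02:00:01 web01 CRON[1344]: (backup) CMD (/usr/local/bin/nightly-backup)
Mar  5 02:00:01 web01 CRON[1402]: (backup) CMD (/usr/local/bin/nightly-backup)
Mar  3 02:00:02 db01 CRON[2201]: (root) CMD (/usr/local/bin/nightly-backup)
Mar  4 03:15:00 web01 CRON[1500]: (www-data) CMD (/opt/app/rotate-logs.sh)
Mar  5 09:12:44 db01 sshd[3310]: Accepted password for backup from 10.0.0.5 port 51234 ssh2
"""

CRON_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(\S+)\s+CRON\[\d+\]: \((\S+)\) CMD \((.+)\)$")
SSH_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(\S+)\s+sshd\[\d+\]: Accepted \S+ for (\S+) from")

# Hypothetical policy: accounts that exist only to run services and must never log in.
SERVICE_ACCOUNTS = {"backup", "www-data"}


def parse_events(text):
    """Consolidate raw lines into (host, kind, account, service) tuples."""
    events = []
    for line in text.splitlines():
        if m := CRON_RE.match(line):
            events.append((m[1], "service_run", m[2], m[3]))
        elif m := SSH_RE.match(line):
            events.append((m[1], "login", m[2], "sshd"))
    return events


def service_inventory(events):
    """Steps 1-3: which service runs, on which host, under which account, how often."""
    return Counter((h, svc, acct) for h, kind, acct, svc in events if kind == "service_run")


def find_anomalies(events):
    """Step 4: hosts whose hardening lags the rest of the fleet, plus policy breaches."""
    inv = service_inventory(events)
    accounts_per_service = {}
    for (_, svc, acct) in inv:
        accounts_per_service.setdefault(svc, set()).add(acct)
    findings = []
    for (host, svc, acct), n in sorted(inv.items()):
        # Same service runs under a dedicated account elsewhere but as root here.
        if acct == "root" and accounts_per_service[svc] - {"root"}:
            findings.append((host, f"{svc} runs as root ({n}x); other hosts use a service account"))
    for host, kind, acct, svc in events:
        if kind == "login" and acct in SERVICE_ACCOUNTS:
            findings.append((host, f"interactive login by service account {acct}"))
    return findings
```

On the sample data the inventory shows the backup job running three times on web01 under its own account and once on db01 as root, and the anomaly pass reports db01 twice: once for the root-run service and once for the service account logging in interactively.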