Agenda
- Why log files may not be enough?
- How do I know what’s happening?
- How do I reduce the risk?
- If something does happen, how do I troubleshoot?
- Q&A
Log files
- Logs are designed for debugging purposes, not with security in mind
- Not all OS changes are visible through log files
- Not all applications have log files, which means lack of visibility when you most need it
- Even if you do have logs, it’s terribly difficult to tell what really happened
- Inspecting logs requires a lot of effort
- The time to recover using logs is long
Humans are the weak link
- Companies are exposed to risk caused by privileged users – traditionally they are the first to blame
- Risk comes not only from these, but also from “regular” users
- Potential damage: data loss, service and application downtime, legal actions from regulators and governments, etc.
Mitigate insider threat
- Discover
- Identify
- Alert
- Educate
Create a plan to reduce human error
By using ObserveIT to monitor critical assets:
- Servers
- Desktops used by privileged users
- Desktops/VDI used by regular users
- Jump servers used by external vendors
- Other critical devices
It’s easy
- Know what users are doing, where else they did it, and why
- Ask users to justify their actions
- Reduce dependency on log files
- Efficiently launch an investigation
- Provide valuable and irrefutable evidence
- Eliminate finger pointing
Questions