
Using Authentication Logs to Uncover Insider Risk in Productivity Suites and SSO Providers

Robert Wagner

Insider threat poses a unique challenge to security teams because the risks are far more nuanced than those from external attackers, who tend to be malicious and easily identified. Insider threats often result from an employee falling victim to their own tendencies or naivety rather than from a deliberate attack. Examples range from someone being offered a bribe for sensitive information by an attacker posing as a supplier, to an employee clicking a link in an email that appears innocuous but actually delivers malware planted by the attacker. Authentication logs can reveal insider threat red flags that might not be visible in any other way.


What Are Authentication Logs?

Authentication logs record every authentication attempt made by a user, whether or not it was successful. Each record can include the device, location, user, application, attempt frequency, and whether or not the user's identity was verified. Authentication logs help security teams understand which accounts are in use, how often different applications are being used, and which users are performing specific types of activities. They are increasingly offered as a native feature by cloud vendors such as Amazon Web Services, Microsoft Azure, and Google Cloud. Large organizations will usually export these logs to a log management system or a SIEM, but not every organization has the budget or resources to implement and run those types of tools.

How Authentication Logs Reveal Insider Threat Behavior

Authentication logs are an important source of visibility into your organization's user behavior because they often reveal the less obvious insider threat behaviors that could otherwise go unnoticed. They show what applications users are accessing, how often, and from where. For example, they can reveal patterns in user behavior that are indicative of a malicious insider. If a user is logging into the same application over and over again, they may be attempting to brute force their way into the system, or they may be trying to access a different user's account. Alternatively, they may be reusing a weak credential across multiple applications: if a user's password is too simple and is also used for their Azure account, they may be accessing other applications with the same insecure, easy-to-crack password. Authentication logs can reveal these patterns and more.

Discover Users Authenticating to Rare or Unique Applications

Authentication logs can reveal which user accounts are logging into which applications. This lets security teams discover users who are logging into rare or unique applications. These applications could be sensitive and therefore need a higher level of authentication, such as two-factor authentication (or the stronger standard in the future, multi-factor authentication). If you notice that a user is logging into a rare application with only their standard authentication, this may indicate that they have been granted access they shouldn't have. If they don't have a strong justification for accessing the application, they may be doing so with malicious intent.

Identifying Authentication Activity From Rare Accounts

Authentication logs can also be used to identify authentication activity from rare or unique user accounts. By looking for rare user accounts in your authentication logs, you may be able to uncover malicious activity. For example, if you notice that a user logged into Salesforce, and that is an unusual application for them to access, it may indicate that they are attempting to steal sensitive data or disrupt the application's functionality. Authentication logs can also be used to highlight user accounts that are logging into a higher than normal number of applications (measured against the historical mean, or by standard deviation from it), even if the activity does not come from a rare account. Frequent logins from a user account could point to a malicious insider attempting to take control of sensitive data or disrupt another user's ability to do their job.

Interactive Authentication From Service Accounts

Authentication logs can also be used to identify interactive authentication from service accounts. Service accounts are accounts created so that a specific application can authenticate on its own. They are less secure than user accounts, because they are subject to weaker authentication requirements. By looking for service account authentication in your authentication logs, you can track which applications are using a service account. This is useful for security teams because service accounts aren't usually monitored by the same tools that monitor user accounts. If you notice that a service account is logging into sensitive applications interactively, you should investigate why. Has it been granted the same access as a user account? Or is someone using it to disrupt the application?
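The three detections described above (rare applications, users touching an unusually high number of applications measured by mean and standard deviation, and interactive logins from service accounts) as one added example over constructed log events; this is illustration code, not Fletch.ai's product or any vendor's log schema, and the `svc-` naming prefix for service accounts is an assumption.

```python
import statistics
from collections import defaultdict

# Constructed sample authentication events: (user, application, login_type).
# login_type is "interactive" (a person at a console) or "non_interactive" (API/token).
EVENTS = [
    ("alice@example.com", "email", "interactive"),
    ("alice@example.com", "calendar", "interactive"),
    ("bob@example.com", "email", "interactive"),
    ("bob@example.com", "calendar", "interactive"),
    ("bob@example.com", "crm", "interactive"),
    ("carol@example.com", "email", "interactive"),
    ("carol@example.com", "calendar", "interactive"),
    ("carol@example.com", "crm", "interactive"),
    ("carol@example.com", "hr-payroll", "interactive"),   # app nobody else uses
    ("carol@example.com", "finance", "interactive"),
    ("carol@example.com", "vpn", "interactive"),
    ("svc-backup", "storage", "non_interactive"),          # expected service use
    ("svc-backup", "finance", "interactive"),              # a person using a service account
]
SERVICE_PREFIX = "svc-"   # assumed naming convention for service accounts


def rare_apps(events, max_users=1):
    """Applications used by at most `max_users` distinct accounts -> {app: [users]}."""
    users_per_app = defaultdict(set)
    for user, app, _ in events:
        users_per_app[app].add(user)
    return {app: sorted(u) for app, u in users_per_app.items() if len(u) <= max_users}


def unusual_app_counts(events, k=1.0):
    """Accounts whose distinct-application count exceeds mean + k * stdev of all accounts."""
    apps_per_user = defaultdict(set)
    for user, app, _ in events:
        apps_per_user[user].add(app)
    counts = {u: len(a) for u, a in apps_per_user.items()}
    threshold = statistics.mean(counts.values()) + k * statistics.pstdev(counts.values())
    return {u: n for u, n in counts.items() if n > threshold}


def interactive_service_logins(events, prefix=SERVICE_PREFIX):
    """Service accounts (by prefix) that show an interactive login -> sorted list."""
    return sorted({u for u, _, kind in events if u.startswith(prefix) and kind == "interactive"})


if __name__ == "__main__":
    print("rare apps:", rare_apps(EVENTS))
    print("unusual app counts:", unusual_app_counts(EVENTS))
    print("interactive service logins:", interactive_service_logins(EVENTS))
```

The thresholds (`max_users`, `k`) are tuning knobs; in production they would be derived from a longer historical window than this sample.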


The Difficulty in Writing Advanced Searches for Authentication Activity in the Cloud

Authentication logs can be challenging to search because they are unstructured and often contain a very high volume of data. They are unstructured because each application contributes its own set of data points, and because every authentication attempt is logged, regardless of whether or not it succeeded, the volume can be enormous. If you search for authentication activity from application X, you may see thousands or millions of attempts from application X, which can overwhelm you and make it difficult to find what you are looking for.

How Fletch.ai Can Help You Search Authentication Activity for Insider Risk

Authentication logs can be overwhelming to search yourself, especially across multiple and disparate log sources. It also takes expertise in your search tool, the data generated by authentication sources, and domain expertise to surface malicious behavior. This is why we recommend using a tool that can help you make sense of your authentication logs.

Fletch.ai has built a People Risk and Investigation app that can help you search authentication logs without any expertise. You can use Fletch.ai to perform advanced searches across your authentication logs in plain English. This can help you make sense of your authentication logs and reduce the amount of time you spend searching them.

For example, searching for risky behavior can be daunting in the Okta admin panel below.

Fletch, on the other hand, already has insider risk views that are pre-built and ready to use.

And a custom search is as easy as typing "user activity by app for user@company.com".

Fletch delivers fast results in response to plain English questions, requires no tool nor domain expertise, and deploys in minutes.