Tracking Login Failures By User

As an organization grows, the need to monitor user logins to internal resources becomes a key security objective. By monitoring login failures, the analyst can track unauthorized login attempts, and can help to identify existing gaps in network security. This dashboard can assist organizations by providing comprehensive 25-day charts, and data on, user login failure anomalies.

Monitoring user activity is one of the first lines of defense against breaches. Attackers will often target privileged user accounts including disabled, expired, and remote accounts to gain entry into a network. Unauthorized user access can lead to loss of data and other security related incidents that can be costly to an organization.  Properly monitoring login attempts can help to improve audits, maintain regulatory compliance, and track current and third-party users that may have access to an organization's network. 

In this dashboard, the Log Correlation Engine (LCE) leverages the ‘login-failure’ event type. Login failure events occur when incorrect or invalid credentials are used to gain access. Never before seen (NBS) events identify logs that are new and haven’t been seen previously on a particular host.  NBS login failures can occur when a new user provides incorrect credentials when attempting to authenticate for the first time. This information can benefit the organization by providing insight into access attempts, changes, and behavior of user logins.

When a login failure anomaly event is triggered, the event is compared to the amount of each normalized event for the current hour to that same hour on previous days for the lifetime of that host. The LCE provides a statistical engine that automatically defines thresholds for events, which provides high accuracy in detecting event spikes.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Monitoring.

The dashboard requirements are:

• SecurityCenter 4.8.2
• LCE 4.4.1

SecurityCenter Continuous View allows for the most comprehensive and integrated view of network health and provides the most complete solution to identify emerging threats. By using the Log Correlation Engine (LCE), the organization can perform deep log analysis detecting possible unauthorized logins and intrusions. Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of a network.

Listed below are the included components:

Authentication Anomalies - Login Failures: This chart displays the trend of login failure events in the last 25 days. A login failure event is any type of authentication log that indicates credentials were presented and were incorrect. This is distinct from application logs that show an IP address was blocked or access to a resource was denied. Those events are logged under event types of 'firewall' or 'access-denied', respectively.

Tracking Login Failures – Users with Login Failures: This component displays Users with Login Failures over the past 7 days, along with their associated counts and trend data. The top 200 users with the highest number of login failures are displayed. Spikes in login failure events may indicate unauthorized access attempts, and should be investigated further.

Authentication Anomalies – Login Failure First Time Events: This chart displays the trend of Never Before Seen (NBS) login failure events in the last 25 days. Never before seen login failure events occur most often when new hosts or servers are added to the network and authentication logs are received from them for the first time. In addition, new types of authentication (such as a user logging in via VNC instead of Windows Terminal Services for the first time) will generate logs that have not been seen before. These never before seen events indicate changes in access patterns and can indicate new behaviors from existing users, or potentially from hackers or insiders.

Tracking Login Failures – Users with NBS Login Failures: This component displays the last 7 days of users with never before seen login failure events, along with their associated counts and trend data. The top 200 users with the highest number of never before seen login failures are presented. Spikes in login failure events may indicate unauthorized access attempts, and should be investigated further.

Authentication Anomalies - Login Failure Anomalies: This chart displays the trend of login failure anomaly events in the last 25 days. A login failure anomaly event is generated by LCE when a large number of login failure events are detected relative to the number of login failure events detected during that hour in previous days. A spike in login failure activity indicates a change in network behavior and may indicate brute force password guessing.

Tracking Login Failures – Users with Login Failures Anomalies: This component displays Users with Login Failures Anomalies over the past 7 days. A login failure anomaly event is triggered when the number of login failures in an hour is substantially different from the number of login failures observed for that hour in previous days. The top 200 users with the highest number of login failures anomalies are presented. All login failure anomalies should be investigated further, as they may indicate unauthorized access attempts into a network.