In my next Security Log Secrets real training (tm) webinar I will focus on how to detect insider abuse with the Windows security log.
As you probably know, losses from insider abuse greatly outweigh those from outside attackers. But detecting insider abuse is very different from profiling external attacks.
In this session I'll share ways to detect suspicious behavior by employees both inside and outside the IT department. In some cases it's just a simple matter of looking for a certain event pattern; in other cases we'll need to set up a bit of a trap and/or implement new account controls.
You will discover ways to detect users trying to break into a colleague's account, users sharing passwords with other users, and terminated users attempting to log on after the fact.
We will discuss ways to detect users snooping around in areas to which they are not authorized, attempts to install unauthorized software or circumvent security controls, and more.
I will show which events to look for on which systems in your network for both the Windows Server 2003 and 2008 security logs.
Please join me for this unique session.