Tracking malicious insiders usually gets started at one of 2 points – either during or after the act.
In a future webinar I will discuss what you can do to increase system surveillance on an insider suspected of actively cheating the company or performing other misdeeds.
But in this webinar I will look at the more frequent situation where the crime is over, the individual is terminated, and management wants to gather all the evidence they can of his or her actions.
I will show you how to use domain controller, server and workstation logs to document the malicious insider’s actions throughout your network. Yes, workstation logs are important in tracking insiders. You don’t necessarily need to be collecting security logs from workstations, but you do need to activate, ahead of time, some minimum auditing on workstations that doesn’t affect performance, and I’ll show you what that is.
We will use events from many categories including Account Logon, Logon/Logoff, Process Tracking and Object Access events to stitch together what the user was up to in the weeks and months leading up to the incident and hopefully corroborate other evidence.
If you are going to use logs for any type of legal or HR action, custody and related evidence issues arise. While I’m not an expert in those matters I will share some important tips and point you in the direction of more information so that you can reduce the chances that your investigation is compromised by some slick attorney.
This will be an action-packed, informative and deeply technical webinar that I think you’ll love.