The job of IT admins and IT security analysts are, without a doubt, some of the most important jobs in any company. When things are running smoothly, it is easy for everyone to forget they exist. However, the moment things go askew, everyone points fingers at them.
IT security professionals are expected to know everything. Most of them are self-taught and have learned on-the-job. Over time, experience has turned them into battle-hardened soldiers. The pressure is real, as they are responsible for the configuration, administration and, most importantly, the security of the entire infrastructure.
Let’s take a look at a typical day in the life of an IT admin or a security analyst to learn about the common difficulties they face while monitoring their IT environment for security changes, working with security tools, and more. Organizations might have a separate Security Operations Center (SOC) team to monitor security events in the network, but most of the time the responsibilities of a SOC team are handled by IT admins. Regardless of who manages these vital duties, the complexities remain the same.
Why is the timely capture of security change information important?
Here’s an example of a password attack on Windows endpoints in an Active Directory environment. Attackers hide in plain sight by using features and tools that are native to the Windows OS, in this case, PowerShell.
//www.youtube.com/watch?v=zrfPCJKLsUM
The only way to detect password guessing attacks is to monitor the logon events across every server in the network. But there are a high volume of logon events produced as we have already observed. The native auditing tools, such as Windows Event Viewer, do not have the necessary abilities to filter through these events, and cannot give you the insights you need.
Typical security challenges faced by IT admins:
Monday morning (A fresh start to the week):
Let’s take a look at a typical day at work for IT admins, and the challenges they face monitoring security changes in the network. We’ll share details in this blog based on candid interactions we’ve conducted recently with IT admins based throughout the world. This schedule may vary, depending on the IT configuration and the industry the organizations belong to.
When we asked what was checked first thing Monday morning, one IT admin offered, a bit sarcastically: “I discover any changes made on the domain while I was away over the weekend! I typically look for unusual logons on servers now that we’re working remotely, and modifications done by our help desks or authorized department managers.”
For example, the security changes that IT admins are looking for could be anything, such as:
- A simple logon on a server, even a domain controller, or on a cloud directory (like Azure)
- A permission granted on a file and folder
- Attribute changes, such as memberships of security groups, or a manager changed for a security object, like users, groups or computers
To discover all the security events that could have occurred from Friday evening and up until Monday morning, IT admins have to depend primarily on Windows event logs. Unfortunately, this log data is dumped into one location, and the sheer number of events makes it complicated to gain a bird’s-eye view of all changes that occurred in the domain.
Before lunch:
Discovering security changes on the domain is time-consuming and, on a good day, the entire process might take up to three hours. It’s even more time-consuming now as organizations are starting to adopt public cloud services (like Azure AD) alongside traditional on-premises infrastructures.
To maximize available time and resources, IT admins should prioritize and manage the next most crucial tasks of the day by tending to requests and tickets.
Here are examples of some requests that IT admins typically receive, and their internal thought process:
As you can see, although an IT admin tends to the requests and tickets, the skepticism and fear of something unsuitable happening secretly haunts them. Unfortunately, time is not a friend, end users have their job responsibilities and typically can’t wait long for a resolution. After a stressful morning of discovering security changes, handling requests and tickets, it’s finally time for the best part of the day, lunch! (This is probably the only “me time’” IT admins enjoy.)
Afternoon to Evening:
Post-lunch is for confirming if every event that occurred in the network is authorized or not. This is often the most difficult part of the work day as an IT admin needs to survey various components of an IT infrastructure. For example:
- What are the actions performed by privileged users? Was an end user granted an IT admin role?
- Did help desk reset a users password? Alternatively, did a user self-reset their own password?
- Was data inside a file modified? Was a user given access to read or modify a sensitive file or folder?
- Was the manager of a group changed? Did an end user assume ownership of a folder?
It is crucial for all of the changes above to be monitored. However, a malicious actor with a goal will opt to use stealthier and more advanced techniques, including:
- Modifying Windows firewall inbound and outbound rules
- Trying to brute-force a victim’s VPN logon
- Running scripts to obtain domain-rich information, and discover vulnerabilities and possible opportunities for a privileged escalation
- Creating a scheduled task to install malware in the registry keys in the systems
- Introducing malicious executables in core configuration folders (like the SYSVOL folder of group policies) to propagate malware across endpoints
- Granting illicit consent to an application configured in Azure, to maintain backdoor access, and more
Some of the biggest challenges faced by IT security professionals include varying IT environments, the increasing number of users and devices, modified permissions, access, and data spread across infrastructures, and a high volume of logs produced by various devices in the network.
Clearly, an IT admin cannot depend on the native options to detect these security changes. The process involves a lot of manual work. It is error prone and time-consuming, which makes IT security confusing, at best.
It’s the end of the day, and the IT admin leaves work feeling dejected, hoping things remain unchanged so progress can be made tomorrow. Another day, another dollar, right? No. Unfortunately, this is how security incidents happen.
It’s important to collect the log’s security events, filter them, detect issues, and send alerts on suspicious events promptly.
Sometimes, detecting a security change is not sufficient. Your organization should have a real-time alert mechanism, and a mitigation action in position to counter any unauthorized security changes.
Want to improve your security plan? Visit our IT security under attack page, watch live simulations of widely used attack techniques on various IT environments, like Active Directory, Azure AD, Windows environments and more, and build a complete defense strategy with ManageEngine Log360.
