This report supports the VPN Summary Dashboard found here: http://www.tenable.com/sc-dashboards/vpn-summary
Tracking insiders through log analysis and account auditing is a key component of SecurityCenter Continuous View. This report details VPN event triggers and shows where on the local network user accounts are being used. Its five chapters cover VPN-specific events, with one chapter devoted to New User and New Network User events.
A VPN allows secure access to your internal network from external sources. Strong passwords, authentication measures, and secure protocols are not enough to protect against every threat; knowing where users are connecting from is also critical to maintaining a secure network.
This report gives the analyst a visual representation of VPN use over time, user summaries, advanced user tracking, and logins from unusual sources. Logins from unusual sources is a key feature of this collection. The VPN_Login_From_Unusual_Sources TASL monitors several VPN login events and tracks users based on the source IP of the login. Triggered events can be the result of legitimate VPN users moving from location to location, or of compromised accounts, so each should be reviewed.
The report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the SecurityCenter Feed under the category Monitoring. The report requirements are:
- SecurityCenter 4.8.1
- LCE 4.4.0
SecurityCenter Continuous View allows for the most comprehensive and integrated view of network health and provides the most complete solution to identify emerging threats. By using the Log Correlation Engine (LCE), the organization can perform deep log analysis to detect systems at elevated risk.
Chapters included in this report are:
- Overview - This chapter presents the analyst with a trend of all VPN event activity over the last 25 days, using a line chart with the data type set to Event, a Normalized Event filter of *VPN*, and the Time (x-axis) set to 25 days. This gives the analyst a visual representation of all VPN events within that timeframe; unusual spikes in VPN event activity could indicate abnormal activity and should be investigated further. A second line chart, for advanced user tracking, uses events generated by the Log Correlation Engine as it learns about each new user and that user's relationship to each system. The chart combines three events: New_User, New_User_Source, and New-Network-User. These fire, respectively, when the LCE has learned about a new user account on a specific system, when the LCE has seen for the first time the source system from which an account originated, and when the LCE has observed an authentication log in which the relationship between a user ID and its associated IP address has changed. Data for this chart is presented over the last 30 days.
- Advanced User Tracking - Details - This chapter contains three sections that give a detailed summary of the events presented in the Advanced User Tracking line chart. The New_User, New_User_Source, and New-Network-User events fire, respectively, when the LCE has learned about a new user account on a specific system, when the LCE has seen for the first time the source system from which an account originated, and when the LCE has observed an authentication log in which the relationship between a user ID and its associated IP address has changed. Data is presented over the last 7 days.
- Normalized Summary - This chapter presents the analyst with a list of triggered events for the last 7 days, sorted by time, with the most recent events at the top; the last 50 are shown. The table lets the analyst see which VPN events are currently being triggered in the environment. It uses the Detailed Event Summary tool with a Normalized Event filter of *VPN* and the timeframe set to 7 days.
- Logins from Unusual Source - This chapter presents event data from the Tenable Log Correlation Engine's VPN_Login_From_Unusual_Source event, which fires when the LCE has seen a VPN authentication from a source that is not normal for the user ID. Once the LCE has determined a user's "normal source", it alerts on any login for that user from an unusual source. By default the event triggers only when the normal source and the new source are not in the same class B network (/16), so a user moving between two addresses within one /16 is not flagged, while a user appearing from a different provider's range is. The table presents the source IP address and the number of events for that address over the last 7 days.
- User Summary - This chapter presents the analyst with a User Summary of *VPN* events over the last 7 days. The top 50 results are displayed, sorted by count, showing both the user and trend data.
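As an added example (not Tenable's code and not the TASL script the page describes), the following Python approximates the logic of the Logins from Unusual Source chapter: it parses constructed VPN authentication log lines, treats a user's first successful login source as that user's normal source (an assumption; the page does not say how the LCE determines it), records each first-seen user/source pair much as New_User_Source would, and raises an unusual-source event when a later login arrives from outside the normal source's class B (/16) network. The log format, field names, user names and addresses are all made up for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample VPN authentication log lines (syslog-like, not real LCE output).
SAMPLE_LOGS = [
    "Mar  2 08:01:11 vpn1 AUTH user=alice src=203.0.113.10 result=success",
    "Mar  2 08:05:42 vpn1 AUTH user=alice src=203.0.113.77 result=success",
    "Mar  3 09:14:03 vpn1 AUTH user=alice src=203.0.113.10 result=success",
    "Mar  4 22:40:19 vpn1 AUTH user=alice src=198.51.100.23 result=success",
    "Mar  2 08:30:00 vpn1 AUTH user=bob src=10.20.30.5 result=success",
    "Mar  5 07:00:00 vpn1 AUTH user=bob src=10.20.200.7 result=success",
    "Mar  5 07:05:00 vpn1 AUTH user=bob src=198.51.100.9 result=failure",
]

# Hypothetical field layout for the constructed lines above.
LOG_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")


def same_network(a, b, prefix=16):
    """True when a and b fall in the same /prefix network (prefix=16 is 'class B')."""
    net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
    return net_a == net_b


class UnusualSourceTracker:
    """Learns each user's normal VPN source and flags logins from elsewhere.

    Assumption (not stated on the page): the first successful login source
    becomes the user's "normal source".
    """

    def __init__(self, prefix=16):
        self.prefix = prefix
        self.sources = defaultdict(set)  # user -> source IPs seen so far
        self.normal = {}                 # user -> learned normal source
        self.events = []                 # (event_name, user, src)

    def observe(self, line):
        m = LOG_RE.search(line)
        if not m or m["result"] != "success":
            return  # failed or unparsable logins never teach the tracker
        user, src = m["user"], m["src"]
        if src not in self.sources[user]:
            # Mirrors New_User_Source: first time this account arrives from this host.
            self.sources[user].add(src)
            self.events.append(("new_user_source", user, src))
        normal = self.normal.setdefault(user, src)
        if not same_network(normal, src, self.prefix):
            # Mirrors VPN_Login_From_Unusual_Source: outside the normal source's network.
            self.events.append(("unusual_source", user, src))


def detect(lines, prefix=16):
    """Run every line through one tracker and return all emitted events in order."""
    tracker = UnusualSourceTracker(prefix)
    for line in lines:
        tracker.observe(line)
    return tracker.events


def unusual(lines, prefix=16):
    """Only the (user, src) pairs that would appear in the Unusual Source table."""
    return [(u, s) for name, u, s in detect(lines, prefix) if name == "unusual_source"]


if __name__ == "__main__":
    for name, user, src in detect(SAMPLE_LOGS):
        print(f"{name:17} {user:6} {src}")
    # Tightening the match to /24 also flags bob's move within 10.20.0.0/16.
    print("with /24:", unusual(SAMPLE_LOGS, prefix=24))
```

Run as written, the tracker flags alice's login from 198.51.100.23 but not bob's move from 10.20.30.5 to 10.20.200.7, because both of bob's addresses sit in 10.20.0.0/16; the failed login from 198.51.100.9 is ignored entirely. Rerunning with `prefix=24` flags bob as well, which shows the trade-off behind the class B default described above: a coarser match suppresses noise from users who move around inside one provider's range, at the cost of not alerting on an attacker who happens to connect from the same /16 as the legitimate user.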