Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

  • Twitter
  • Facebook
  • LinkedIn

Leveraging Logins and Login Failures to Track Insiders

Leveraging Logins and Login Failures to Track Insiders

I recently had the chance to explain Tenable’s approach to tracking insiders through authentication logs to a new employee. The conversation went something like this:

Q: If I handed you a pile of logs and told you that “Bob” in accounting was an insider threat, what would you do?

A: I’d look through all the logs for accounts that Bob had access to and attempt to audit which systems he accessed and possibly what he did.

Q: Great! Now if I told you that Bob also had access to other company accounts and he may have used those from his system, how would you look for those?

A: I’d look at the logins from Bob’s computer and see if there were any other logins from there that were not Bob.

Q: Also great! Now here is the hard part – we are pretty sure there is an insider on our network, but it could be anybody, even Bob! How would you go about looking for any evidence of someone acting as a malicious insider?

And of course the answer involved a discussion of how Tenable audits accounts and authentications.

Tenable’s approach to this problem has many different components, some provided by Nessus and others provided through log analysis with the Log Correlation Engine (LCE). In the remainder of this blog, we will discuss the various audits, correlations and anomalies that can be used to pinpoint users accessing items in a suspicious manner. We will start out with basic enumeration and tracking of users and then progress to looking for anomalies that could indicate abuse.


Nessus can use credentialed audits to enumerate the active user accounts in the operating system as well as some applications. From this list, an audit can be performed to see if the user accounts are authorized or not.

Nessus also performs many different types of tests on the various accounts, including checking to see if the account has ever been used, if the password has been reset and so on. Below is a screen shot of a SecurityCenter dashboard component that shows a LAN segment with a variety of pass and fail tests for Windows user accounts.

asset password

Tracking User Provisioning

As part of the Log Correlation Engine’s log normalization process, any type of log where a user is added to a system, removed or changed is recognized. This allows long term tracking of new users and data for real-time dashboards.

In the screen shot below, multiple servers have been added to a dashboard and then for each server, indications of users accounts being added, removed or modified in the last 25 days are shown.

servers user added

This same data can be displayed as a continuous graph over the same 25-day period.

servers all at onece

Tracking Account Activity

Both the Nessus audits and the LCE tracking of user provisioning events are very useful to determine when accounts were provisioned, but they don’t specifically tell you when an account was used or has been potentially abused.

The LCE normalizes authentication logs (both authorized and failed attempts) for hundreds of applications and devices. Below is a screen shot of a typical 24-hour window of login activity at a small IT business.

auth logs

This screen shot shows a variety of Windows and Unix login events.

This data is further enhanced by LCE’s anomaly detection.

For any set of events, including logins, LCE will identify normal usage patterns and then generate an alert if there is a change. When computed for logins or login failures, these anomalies provide indicators of large changes in normal authentication activity.

Following is a screen shot of a dashboard that plots logins and login failures above the actual number of logins and login failures that were anomalistic over a one week period.

login anomalies

In the login chart, the daily logins ranged from close to zero to 60,000. Login failures also spanned from close to zero through 20,000. However, looking at the anomalies chart for as many authentication events that were logged, there were only around a dozen anomalies logged each day.

The anomalies don’t directly indicate insider activity, but the potential is there. They could indicate a new user forgetting a password and trying to authenticate many multiple times. The point of the logs is they provide an immediate list of issues to audit and analyze further.

Another very useful report that can be performed by SecurityCenter is to show the list of user accounts per system as reported by Nessus and then show the list of active user accounts observed through logs by the Log Correlation Engine.

For example, on one of my home test Windows 7 laptops, LCE has observed these user names:

win7 users

Combining the report with the account names seen in use along with the system accounts installed can help identify accounts that have not been in use and may not be needed.

Advanced User Tracking

Besides tracking actual authentication events, LCE will learn much more about the local network and where user accounts are used. The following list of events is generated by LCE as it learns about each new user and the unique relations to the network and systems.

  • New_User – LCE has learned about a user account in use on a specific system.
  • New_User_Source – LCE has learned about a source system where an account has originated from for the first time.
  • New-Network-User – LCE has observed an authentication log in which the relationship between a user ID and the IP address associated with it has changed.
  • VPN_Login_From_Unusual_Source – LCE has seen a VPN authentication occur from a source that is not normal for the user ID.

Each of these is a potential event to investigate, but understanding them in context is more important.

For example, if a user’s system was compromised by malware and then their credentials used to login to a new system not normally accessed, the New_User_Source event will fire. Perhaps various systems at the NSA would have had logs like those shown below for the first time that Ed Snowden used his credentials to access these systems:

esnowden new users

Hunting insiders for abuse patterns is very difficult. In the Ed Snowden case above, one would be correct to state that since this account was already created and he logged in with his access, he really wasn’t “hacking”. What really is happened is that his accounts had too much access and once he started walking through all of the available systems, this could have set off an anomaly alert.


Tracking insiders through log analysis and account auditing is a key component of the SecurityCenter Continuous View solution from Tenable. By combining scanning, sniffing and logging into one platform, detecting insider threats and suspicious users is possible through the use of anomaly detection and auditing.

To learn more about Tenable’s ability to watch employees and detect suspicious activity, please contact our sales team.

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now
Tenable.io FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.



Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security


Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin


Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a Demo

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.

Request a Demo


Continuously detect and respond to Active Directory attacks. No agents. No privileges. On-prem and in the cloud.