
Tracking Login Failures By User

by Ron Gula
July 23, 2015

As an organization grows, monitoring user logins to internal resources becomes a key security objective. By monitoring login failures, the analyst can track unauthorized login attempts and identify existing gaps in network security. This dashboard assists organizations by providing comprehensive 25-day trend charts and data on user login failures and login failure anomalies.

Monitoring user activity is one of the first lines of defense against breaches. Attackers will often target privileged user accounts, including disabled, expired, and remote accounts, to gain entry into a network. Unauthorized user access can lead to loss of data and other security-related incidents that can be costly to an organization. Properly monitoring login attempts can help to improve audits, maintain regulatory compliance, and track current and third-party users who may have access to an organization's network.

In this dashboard, the Log Correlation Engine (LCE) leverages the 'login-failure' event type. Login failure events occur when incorrect or invalid credentials are used to gain access. Never before seen (NBS) events identify logs that are new and have not been seen previously on a particular host. NBS login failures can occur when a new user provides incorrect credentials when attempting to authenticate for the first time. This information benefits the organization by providing insight into access attempts, changes, and behavior of user logins.

A login failure anomaly event is triggered by comparing the count of each normalized event in the current hour to the count for that same hour on previous days, over the lifetime of that host. The LCE provides a statistical engine that automatically defines thresholds for events, which provides high accuracy in detecting event spikes.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Monitoring.

The dashboard requirements are:

  • SecurityCenter 4.8.2
  • LCE 4.4.1

SecurityCenter Continuous View (CV) provides a comprehensive and integrated view of network health and a complete solution for identifying emerging threats. By using the Log Correlation Engine (LCE), the organization can perform deep log analysis to detect possible unauthorized logins and intrusions.

Listed below are the included components:

Authentication Anomalies - Login Failures: This chart displays the trend of login failure events in the last 25 days. A login failure event is any type of authentication log that indicates credentials were presented and were incorrect. This is distinct from application logs that show an IP address was blocked or access to a resource was denied. Those events are logged under event types of 'firewall' or 'access-denied', respectively.

Tracking Login Failures – Users with Login Failures: This component displays Users with Login Failures over the past 7 days, along with their associated counts and trend data. The top 200 users with the highest number of login failures are displayed. Spikes in login failure events may indicate unauthorized access attempts, and should be investigated further.

Authentication Anomalies – Login Failure First Time Events: This chart displays the trend of Never Before Seen (NBS) login failure events in the last 25 days. Never before seen login failure events occur most often when new hosts or servers are added to the network and authentication logs are received from them for the first time. In addition, new types of authentication (such as a user logging in via VNC instead of Windows Terminal Services for the first time) will generate logs that have not been seen before. These never before seen events indicate changes in access patterns and can indicate new behaviors from existing users, or potentially from hackers or insiders.

Tracking Login Failures – Users with NBS Login Failures: This component displays the last 7 days of users with never before seen login failure events, along with their associated counts and trend data. The top 200 users with the highest number of never before seen login failures are presented. Spikes in login failure events may indicate unauthorized access attempts, and should be investigated further.

Authentication Anomalies - Login Failure Anomalies: This chart displays the trend of login failure anomaly events in the last 25 days. A login failure anomaly event is generated by LCE when a large number of login failure events are detected relative to the number of login failure events detected during that hour in previous days. A spike in login failure activity indicates a change in network behavior and may indicate brute force password guessing.

Tracking Login Failures – Users with Login Failures Anomalies: This component displays Users with Login Failures Anomalies over the past 7 days. A login failure anomaly event is triggered when the number of login failures in an hour is substantially different from the number of login failures observed for that hour in previous days. The top 200 users with the highest number of login failures anomalies are presented. All login failure anomalies should be investigated further, as they may indicate unauthorized access attempts into a network.
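To make the NBS and hourly-anomaly logic described above concrete, the following toy model parses constructed authentication log lines, records the first login failure seen per host (the NBS case) and flags an hour whose failure count spikes relative to the same clock hour on earlier days. This is example code added for this page, not Tenable's LCE implementation; the log format, the sample lines and the threshold rule (mean plus two standard deviations over at least three prior days) are assumptions.

```python
"""Toy model of the LCE login-failure, never-before-seen (NBS) and anomaly
logic described above. Added example, not Tenable's code; the log format,
sample lines and the mean + k*stdev threshold rule are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed lines: "<ISO timestamp> <host> <event type> user=<name>"
SAMPLE_LOGS = [
    "2015-07-20T09:05:00 dc01 login-failure user=alice",
    "2015-07-20T09:40:00 dc01 login-failure user=bob",
    "2015-07-21T09:10:00 dc01 login-failure user=alice",
    "2015-07-22T09:20:00 dc01 login-failure user=bob",
    "2015-07-22T09:21:00 dc01 login-failure user=alice",
    # Day 4, same clock hour: 20 failures against one account in 40 minutes.
    *[f"2015-07-23T09:{m:02d}:00 dc01 login-failure user=svc_backup" for m in range(0, 40, 2)],
    # First login-failure ever received from a new host: an NBS event.
    "2015-07-23T11:00:00 vpn02 login-failure user=carol",
]

def parse(line):
    """Split one constructed log line into (timestamp, host, event type, user)."""
    ts, host, event, kv = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, kv.split("=", 1)[1]

def nbs_events(lines):
    """Return (host, date) the first time each (host, event type) pair is seen."""
    seen, firsts = set(), []
    for line in lines:
        ts, host, event, _ = parse(line)
        if (host, event) not in seen:
            seen.add((host, event))
            firsts.append((host, ts.date().isoformat()))
    return firsts

def hourly_anomalies(lines, k=2.0, min_days=3):
    """Flag (host, date, hour, count) when the hour's failure count exceeds
    mean + k*stdev of the same clock hour on earlier days for that host."""
    per_hour = defaultdict(int)
    for line in lines:
        ts, host, event, _ = parse(line)
        if event == "login-failure":
            per_hour[(host, ts.date(), ts.hour)] += 1
    flagged = []
    for (host, day, hour), n in sorted(per_hour.items()):
        hist = [c for (h, d, hr), c in per_hour.items() if h == host and hr == hour and d < day]
        # Hours with no baseline yet (e.g. a brand-new host) are never flagged.
        if len(hist) >= min_days and n > mean(hist) + k * pstdev(hist):
            flagged.append((host, day.isoformat(), hour, n))
    return flagged
```

Running `hourly_anomalies(SAMPLE_LOGS)` flags only the 09:00 hour on 2015-07-23 for dc01, while the lone failure from vpn02 surfaces through `nbs_events` rather than the anomaly check, mirroring the distinction between the two dashboard components.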
