How to Stop Insider Data Theft And Protect Privileged Access Management (PAM) Using SIEM?
♦ Using LogSentinel SIEM for Protecting Privileged Access Management ♦
Highlights 💡 In this video, we will demonstrate how LogSentinel SIEM is the perfect solution for monitoring and identifying when a privileged user attempts to modify data in a way that would impact the trustworthiness of the information. LogSentinel's #SIEM software will alert you in real time about any changes made by privileged users.
LogSentinel #PAM Protects From Log Tampering
There's a significant risk for a privileged #Linux user to tamper with company data and try to avoid being detected by clearing logs.
Such log tampering may potentially threaten one’s business continuity.
That’s why we developed LogSentinel PAM, which can be implemented in just a few steps.
Here's how it works:
🔹 First, log in to your LogSentinel account and open your dashboard
🔹 Then log in to the #Database server
🔹 You have the PAM Module installed at the database server level. This module does not allow anyone to log in unless there is an outgoing connection and the server's certificate matches one of a preconfigured list of servers (i.e. it protects against connection blocking and MITM attacks)
🔹 It sends information to LogSentinel about who has accessed the system and immediately notifies external sources (Ethereum, email, qualified timestamp provider)
🔹 We check the /var/log/secure log, which shows that the module was activated, the checks succeeded and the results were sent to LogSentinel
🔹 We open the configuration to see where the module sends the information and which certificates it checks
🔹 We can see that we receive an email containing the sent hash, which corresponds to the login event
🔹 Then we open a #hash generator and generate the hash of the "user action" string (in this case: bozho:SYSTEM_LOGIN)
The data needs to be hashed because the information may be sent to third parties (e.g. Ethereum), and it shouldn't be obvious what it is about.
🔹 Open the received email and compare the hash with the one produced by the generator.
If they match, this is the exact user who has made the action.
The same hash can be sent to Ethereum, where it can be checked in a public chain explorer.
The hashes shown in this demo differ in two characters; this is a result of the Base64 encoding, not of the hashes themselves.
🔹 Let's open LogSentinel and make sure that the action was received and saved
If the admin who has access to the servers (where LogSentinel is installed) tries to tamper with data, the automated check will identify that some data has been manipulated. Using the login logs sent to the external systems, whose reliability can be verified independently, you can identify who accessed the systems in the defined period.
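To illustrate the verification steps above (hash the "user:action" string, compare it with the externally received hash, then use the external copies to spot entries that have vanished from the local log), here is an added Python example. It is not LogSentinel's code. It assumes the hashed string is exactly "<user>:<action>" as in the demo (bozho:SYSTEM_LOGIN), that the digest is SHA-256, and that the two differing characters mentioned in the demo come from standard versus URL-safe Base64 alphabets; all of these are assumptions, and the log entries and "received" hashes are constructed for the example.

```python
import base64
import hashlib
import hmac

# Assumption: the anchored value is SHA-256 over "<user>:<action>" (the demo's
# bozho:SYSTEM_LOGIN). The real product format may differ.
def action_digest(user: str, action: str) -> bytes:
    return hashlib.sha256(f"{user}:{action}".encode("utf-8")).digest()


def encode_digest(digest: bytes, urlsafe: bool = False) -> str:
    """Base64-encode a digest; urlsafe=True swaps '+'/'/' for '-'/'_'."""
    enc = base64.urlsafe_b64encode if urlsafe else base64.b64encode
    return enc(digest).decode("ascii")


def decode_hash(text: str) -> bytes:
    """Accept hex, standard Base64 or URL-safe Base64 and return raw bytes,
    so hashes that differ only in their encoding still compare equal."""
    text = text.strip()
    if len(text) == 64 and all(c in "0123456789abcdefABCDEF" for c in text):
        return bytes.fromhex(text)
    padded = text + "=" * (-len(text) % 4)  # restore stripped '=' padding
    return base64.urlsafe_b64decode(padded.replace("+", "-").replace("/", "_"))


def hashes_match(received: str, computed: bytes) -> bool:
    """Constant-time comparison of an emailed/on-chain hash with a local digest."""
    return hmac.compare_digest(decode_hash(received), computed)


def verify_log(local_entries, anchored_hashes):
    """Compare the local log with hashes that external parties hold.
    missing   : anchored hashes with no matching local entry (deleted or altered)
    unanchored: local entries that no external party ever received"""
    local = {action_digest(u, a): (u, a) for u, a in local_entries}
    anchored = [decode_hash(h) for h in anchored_hashes]
    return {
        "missing": [h.hex() for h in anchored if h not in local],
        "unanchored": [local[d] for d in local if d not in anchored],
    }


def identify(missing_hex: str, users, actions):
    """Map a missing hash back to (user, action) by hashing known candidates,
    exactly as the demo does by hand with a hash generator."""
    target = bytes.fromhex(missing_hex)
    for u in users:
        for a in actions:
            if hmac.compare_digest(action_digest(u, a), target):
                return (u, a)
    return None


def demo():
    # Constructed scenario: two logins were anchored externally; afterwards an
    # admin removed bozho's login line from the local log.
    anchored = [
        encode_digest(action_digest("bozho", "SYSTEM_LOGIN"), urlsafe=True),
        encode_digest(action_digest("alice", "SYSTEM_LOGIN")),
    ]
    local_log = [("alice", "SYSTEM_LOGIN")]
    report = verify_log(local_log, anchored)
    who = [identify(h, ["alice", "bozho"], ["SYSTEM_LOGIN"]) for h in report["missing"]]
    return report, who


if __name__ == "__main__":
    report, who = demo()
    print("missing from local log:", report["missing"])
    print("identified as:", who)
```

The decoding step is what makes the comparison robust: the emailed hash, the on-chain hash and the hash-generator output may use different encodings, so compare the decoded bytes, not the strings. `identify` only works because the set of expected users and actions is small and known to the defender; it does not recover arbitrary input from a hash.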
Read more about PAM protection: https://logsentinel.com/on-premise-audit-trail-pam/