
Tracking Login Failures By User

by Ron Gula
July 23, 2015


As an organization grows, monitoring user logins to internal resources becomes a key security objective. By monitoring login failures, the analyst can track unauthorized login attempts and identify existing gaps in network security. This dashboard assists organizations by providing comprehensive 25-day trend charts and per-user data on login failure anomalies.

Monitoring user activity is one of the first lines of defense against breaches. Attackers will often target privileged user accounts, including disabled, expired, and remote accounts, to gain entry into a network. Unauthorized user access can lead to loss of data and other security-related incidents that can be costly to an organization. Properly monitoring login attempts can help to improve audits, maintain regulatory compliance, and track current and third-party users that may have access to an organization's network.

In this dashboard, the Log Correlation Engine (LCE) leverages the 'login-failure' event type. Login failure events occur when incorrect or invalid credentials are used to gain access. Never before seen (NBS) events identify logs that are new and haven't been seen previously on a particular host. NBS login failures can occur when a new user provides incorrect credentials when attempting to authenticate for the first time. This information can benefit the organization by providing insight into access attempts, changes, and behavior of user logins.

A login failure anomaly event is triggered by comparing the count of each normalized event for the current hour against the count for that same hour on previous days, over the lifetime of that host. The LCE provides a statistical engine that automatically defines thresholds for events, which gives high accuracy in detecting event spikes.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Monitoring.

The dashboard requirements are:

  • SecurityCenter 4.8.2
  • LCE 4.4.1

SecurityCenter Continuous View allows for the most comprehensive and integrated view of network health and provides the most complete solution to identify emerging threats. By using the Log Correlation Engine (LCE), the organization can perform deep log analysis detecting possible unauthorized logins and intrusions. Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of a network.

Listed below are the included components:

Authentication Anomalies - Login Failures: This chart displays the trend of login failure events in the last 25 days. A login failure event is any type of authentication log that indicates credentials were presented and were incorrect. This is distinct from application logs that show an IP address was blocked or access to a resource was denied. Those events are logged under event types of 'firewall' or 'access-denied', respectively.

Tracking Login Failures – Users with Login Failures: This component displays Users with Login Failures over the past 7 days, along with their associated counts and trend data. The top 200 users with the highest number of login failures are displayed. Spikes in login failure events may indicate unauthorized access attempts, and should be investigated further.

Authentication Anomalies – Login Failure First Time Events: This chart displays the trend of Never Before Seen (NBS) login failure events in the last 25 days. Never before seen login failure events occur most often when new hosts or servers are added to the network and authentication logs are received from them for the first time. In addition, new types of authentication (such as a user logging in via VNC instead of Windows Terminal Services for the first time) will generate logs that have not been seen before. These never before seen events indicate changes in access patterns and can indicate new behaviors from existing users, or potentially from hackers or insiders.

Tracking Login Failures – Users with NBS Login Failures: This component displays the last 7 days of users with never before seen login failure events, along with their associated counts and trend data. The top 200 users with the highest number of never before seen login failures are presented. Spikes in login failure events may indicate unauthorized access attempts, and should be investigated further.

Authentication Anomalies - Login Failure Anomalies: This chart displays the trend of login failure anomaly events in the last 25 days. A login failure anomaly event is generated by LCE when a large number of login failure events are detected relative to the number of login failure events detected during that hour in previous days. A spike in login failure activity indicates a change in network behavior and may indicate brute force password guessing.

Tracking Login Failures – Users with Login Failures Anomalies: This component displays Users with Login Failures Anomalies over the past 7 days. A login failure anomaly event is triggered when the number of login failures in an hour is substantially different from the number of login failures observed for that hour in previous days. The top 200 users with the highest number of login failures anomalies are presented. All login failure anomalies should be investigated further, as they may indicate unauthorized access attempts into a network.
