2.2 Using the Identity Tracking Solution Pack

The Identity Tracking Solution Pack provides controls (views and reports) for events associated with users. Through these controls, you can monitor and report on account management activities (creation, deletion, and modification); suspicious user activities such as failed authentication, denied access, denied or increased account privileges, and impersonated account logins; account usage by users; and password management activities. Because of the identity injection provided by the Sentinel driver and Identity Vault Collector, events are associated with individual users.

The Identity Tracking Solution Pack provides high-level, identity-based controls that can help solve management and security problems within even the largest enterprises. Leveraging Novell's years of industry experience in Identity and Access Management, the solution pack integrates data from Novell and third-party applications to give unprecedented visibility into user activities and identity/account management.

2.2.1 Overview of the Identity Tracking Solution Pack

This section provides a brief overview of the components within the Identity Tracking Solution Pack.

The solution pack contains the following categories and controls:

Table 2-1 Solution Pack Controls

Category: Solution Pack Controls

  Dashboard Status: Provides an overview of the rollout status of the Solution as a whole.

  Implementation Audit Trail: Monitors for state changes to controls in this Solution, with alerting and summary reports that show who changed the state of which controls.

Category: Identity Management Controls

  Identity Provisioning: Provides a set of reports to monitor common identity provisioning actions within the enterprise.

  Identity De-Provisioning: Provides a set of reports and rules to monitor common identity de-provisioning and access violation actions within the enterprise.

Category: Suspicious Activity Controls

  Suspicious Activity Overview: Presents an overview of suspicious activity within the enterprise. It summarizes the other controls for monitoring suspicious activity, not including Rogue Administration.

  Authentication Failures: Provides details about identity-based authentication failures across the enterprise.

  Access Denials: Provides details about identity-based access denials, for example failures when accessing files or database tables, across all integrated systems. These users may be attempting to access sensitive data to which they have not been granted access.

  Privilege Escalation Denials: Provides details about privilege escalation denials across all integrated systems. These users may be attempting to gain a higher level of privilege without authorization.

  Affected By Exploits: Provides details about users accessing assets that are likely to have been exploited by attackers detected by Sentinel's Exploit Detection service. These users may be at risk of having their account information stolen by the attacker that has exploited the asset, which may in turn enable the attacker to compromise other systems.

  Privilege Recipients: Provides details about users whose privileges have grown by being granted additional ACLs or being added to new groups. These users may have been granted overly broad access to sensitive information.

  Rogue Administration: Monitors for attempts to modify or manage accounts outside the control of the Identity Management system.

Category: Account Usage Management Controls

  Account Usage: Provides a set of reports to monitor the usage of accounts for each identity. Specifically, the associated report should be run regularly to detect unused accounts that should be disabled or deleted.

Category: Password Management Controls

  Password Changes: Provides a set of reports related to password management for accounts.

Category: Recent Activity Controls

  Recent Activity: Provides a set of reports to monitor the activity performed by users in the recent past within the enterprise.
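The Rogue Administration control flags account changes that do not come through the Identity Management system. The following added Python example, which is not Sentinel's own correlation rule and uses constructed event names, service-account names and sample events, shows the core of that check: a management event whose initiator is not the approved IdM channel for the target account's domain is rogue, while self-service changes to the initiator's own account are not.

```python
from dataclasses import dataclass

# Account-management event types the control watches (constructed taxonomy names).
MANAGEMENT_EVENTS = {"account-created", "account-deleted", "account-modified",
                     "group-member-added", "privilege-granted"}

# Approved Identity Management channel per managed domain: the service account
# the IdM driver uses to push changes. Constructed values; site-specific in practice.
APPROVED_CHANNELS = {
    "corp.example": {"svc-idm-driver"},
    "db.example": {"svc-idm-driver", "svc-dbprov"},
}

@dataclass(frozen=True)
class Event:
    ts: str                      # ISO 8601 timestamp
    name: str                    # normalized event type
    domain: str                  # domain in which the target account exists
    initiator: str               # account that performed the change
    target: str                  # account that was changed
    identity: "str | None" = None  # identity the collector mapped the initiator to

def is_rogue(ev):
    """True for an account-management change that bypassed the approved IdM channel."""
    if ev.name not in MANAGEMENT_EVENTS:
        return False
    if ev.initiator == ev.target:
        return False  # self-service change to one's own account is not administration
    return ev.initiator not in APPROVED_CHANNELS.get(ev.domain, set())

def rogue_admin_alerts(events):
    """Group rogue changes by the responsible identity, falling back to domain\\account."""
    alerts = {}
    for ev in events:
        if is_rogue(ev):
            who = ev.identity or f"{ev.domain}\\{ev.initiator}"
            alerts.setdefault(who, []).append((ev.ts, ev.name, ev.target))
    return alerts

# Constructed sample: one IdM-driven provisioning action, one self-service change,
# one login failure, and two changes made outside the IdM channel.
SAMPLE_EVENTS = [
    Event("2024-06-01T09:00:00Z", "account-created", "corp.example", "svc-idm-driver", "jsmith"),
    Event("2024-06-01T09:05:00Z", "account-created", "corp.example", "localadmin", "ghost1", "Bob Jones"),
    Event("2024-06-01T09:10:00Z", "account-modified", "corp.example", "jsmith", "jsmith", "Jane Smith"),
    Event("2024-06-01T09:15:00Z", "privilege-granted", "db.example", "dba01", "ghost1"),
    Event("2024-06-01T09:20:00Z", "login-failed", "db.example", "dba01", "dba01"),
]
```

Running `rogue_admin_alerts(SAMPLE_EVENTS)` yields one alert for the mapped identity "Bob Jones" and one for the unmapped account db.example\dba01; the login failure is left to the Authentication Failures control.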

The content provided with the Identity Tracking Solution Pack includes several correlation rules, actions, integrators, and reports.

The reports are described below:

Table 2-2 Solution Pack Reports

  Account Usage: Summarizes account usage for each user in the selected department for the last 120 days. Accounts that have not been used for over 90 days are considered inactive and should be disabled; non-usage for over 60 days is flagged with a warning. Note that the data scanned covers 120 days in total, so accounts unused for that entire period, or for which Sentinel is not collecting data at all, are not displayed.

  Affected by Exploit Activity Overview: Shows an overview of identities accessing assets that are likely to have been exploited by attackers, based on Sentinel's Exploit Detection service. These users may be at risk of having their account information stolen by the attacker that has exploited the asset, which may in turn enable the attacker to compromise other systems.

  Authentication Failure Activity Overview: Shows an overview of authentication failures across all integrated systems. These users may be attempting to log in to accounts that are disabled or that they do not own.

  Employee Termination Violation: Presents any attempts to access enterprise resources by terminated employees within the selected date range, grouped by the incident status.

  Identity Provisioning Overview: Displays provisioning information for identities.

  Password Changes: Summarizes password change activity for each user in the selected department for the last 120 days. If a password has not been changed for 90 days, it is assumed to be expired and should be reset; passwords over 60 days old are flagged as old. Note that the data scanned covers 120 days in total, so passwords that were not changed during that entire period, or for which Sentinel is not collecting data at all, are not displayed.

  Per Identity Account Management: Presents account management activity for an identity within the selected date range, grouped by the domain within which each account exists and the account name.

  Per Identity Affected by Exploit Activity: Shows details for a specific identity that attempted to access assets that are likely to have been exploited by attackers, based on Sentinel's Exploit Detection service. The details are grouped by the target asset (hostname - IP) against which the attempt was made. These users may be at risk of having their account information stolen by the attacker that has exploited the asset, which may in turn enable the attacker to compromise other systems.

  Per Identity Authentication Failure Activity: Lists all the authentication failures for a specific identity across all integrated systems, grouped by the domain within which each account exists. These users may be attempting to log in to accounts that are disabled or that they do not own.

  Per Department Authentication Failure Activity: Allows the report administrator to run an authentication failure report for either a single department or all departments.

  Per Identity Provisioning: Presents identity provisioning activity for all the identities within the selected department and date range. Each identity is presented with details of its original creation, if within the search time frame, and additionally a list of all associated account creation, deletion, enablement, and disablement events.

  Recent Activity: Summarizes the recent activity for each user in the selected department for the last week, grouped by the event category.

  Rogue Administration Attempts: Shows attempts to manage user accounts outside of the approved Identity Management channels. The security system has attempted to disable the rogue administrator and has started an Identity Management workflow to respond to this attempt.

  Solution Pack Audit Trail: Shows state changes to all controls in this Solution Pack for the selected date range, grouped by control.

  Solution Pack Status Dashboard: Shows the overall deployment status of the Solution Pack. The pie chart shows the percentage of controls in each state for the Pack as a whole, and the horizontal bar chart shows the status of controls in each category.

  Suspicious Activity Overview: Shows a global view of suspicious activity.
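The Account Usage and Password Changes reports above apply the same 120/90/60-day rule to a different timestamp (last login versus last password change). The following added Python example, which is not Sentinel's report logic and uses a constructed department roster and login events, classifies accounts the way those descriptions state, including the accounts that fall outside the 120-day scan window or have no collected events and therefore do not appear.

```python
from datetime import datetime, timedelta

SCAN_DAYS = 120    # the report scans the last 120 days of data
STALE_DAYS = 90    # unused (or unchanged) for over 90 days: inactive / expired
WARN_DAYS = 60     # unused (or unchanged) for over 60 days: warning

def classify(last_event, now):
    """Status of one account from its most recent qualifying event.

    last_event is the latest login (Account Usage) or password change
    (Password Changes) timestamp, or None when Sentinel holds no event for it.
    """
    if last_event is None:
        return "not displayed"     # Sentinel is not collecting data for it
    age = (now - last_event).days
    if age > SCAN_DAYS:
        return "not displayed"     # silent for the whole scan window
    if age > STALE_DAYS:
        return "inactive"          # disable the account / reset the password
    if age > WARN_DAYS:
        return "warning"
    return "ok"

def department_report(roster, events, now):
    """roster: account names in the department; events: (account, timestamp) pairs.

    Returns {account: status}; only the newest event per account counts, and
    events for accounts outside the department are ignored.
    """
    latest = {acct: None for acct in roster}
    for acct, ts in events:
        if acct in latest and ts <= now and (latest[acct] is None or ts > latest[acct]):
            latest[acct] = ts
    return {acct: classify(ts, now) for acct, ts in latest.items()}

# Constructed sample: a five-person department and its login events.
NOW = datetime(2024, 6, 1)
ROSTER = ["alice", "bob", "carol", "dave", "erin"]
EVENTS = [
    ("alice", NOW - timedelta(days=3)),
    ("bob", NOW - timedelta(days=95)),    # superseded by bob's newer login below
    ("bob", NOW - timedelta(days=70)),
    ("carol", NOW - timedelta(days=100)),
    ("dave", NOW - timedelta(days=150)),  # outside the 120-day window
    ("mallory", NOW - timedelta(days=1)), # not in this department: ignored
    # erin has no events at all: Sentinel is not collecting for her accounts
]
```

Calling `department_report(ROSTER, EVENTS, NOW)` reports alice as ok, bob as warning, carol as inactive, and dave and erin as not displayed.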

2.2.2 Solution Samples

This section displays some sample results from the Solution Pack controls. Note that results in a customer environment vary depending on the local configuration of event sources and control parameters.

  • The Per-Identity Provisioning report presents identity provisioning activity for all the identities within the selected department and date range.

  • The Employee Termination Violation report presents any attempts to access enterprise resources by terminated employees within the selected date range, grouped by the incident status.

  • The Per-Identity Account Management report presents account management activity for an identity within the selected date range, grouped by the domain within which each account exists and the account name.

2.2.3 Installing the Identity Tracking Solution Pack

To install the Identity Tracking Solution Pack:

  1. Start the Sentinel Control Center and log in as a user with rights to manage Solution Packs.

    The Solution Manager option must be selected for the user, under Permissions > Solution Pack.

  2. Select Tools > Solution Packs from the menu to start the Solution Pack Manager.

  3. Click Add to start the import wizard.

    Figure: Starting the import wizard

  4. Select Import a solution Pack plugin file (.zip), then click Next.

  5. Browse to and select the Identity Tracking Solution Pack where you downloaded it, then click Open.

    The filename is Identity-Tracking_6.1r4.spz.zip.

  6. Review the Solution Pack directory, then click Next.

  7. Review the Solution Pack details, then click Finish.

2.2.4 Configuring the Global Setup

The Identity Tracking Solution Pack requires some global configuration, which must be completed before any other configuration. The configuration information is contained in the Identity Tracking Solution Pack itself.

If you have already completed these global configuration tasks for another use case, you can skip the following sections.

Accessing the Global Setup Configuration

To access the Global Setup configuration information:

  1. In the Sentinel Control Center tool bar, click Tools > Solution Packs.

  2. Double-click the Identity Tracking Solution Pack entry in the Solution Packs Manager.

  3. In the left pane, select Identity Tracking Solution Pack > Solution Pack Controls > Global Setup, then click the Implementation tab in the right pane.

    Figure: Global Setup Documentation

Installing the Controls

To install the controls included with the solution pack:

  1. Right-click a control (such as Dashboard Status) in the list displayed under Solution Pack Controls.

  2. Click Install from the pop-up menu.

You need to do this for each control you plan to use.

Configuring the Sentinel Data Field

The Sentinel data field must be able to hold Identity Manager attribute data.

  1. Start the Sentinel Control Center, then click the Admin tab.

    Figure: Admin tab in Sentinel

  2. Select Admin > Event Configuration from the tool bar.

  3. In the left pane, locate the rv43 variable, which may have already been labeled ReservedVar43 or DataValue43.

  4. In the Label field in the right pane, change the display label to Data, then click Apply.

  5. Click Save, then close the Event Configuration window and reopen it to see the changes take place.

Adding SQL Indexes to Speed Up Queries

The performance of queries for certain reports in the Identity Tracking Solution Pack is improved if you add indexes to the database. These indexes speed up queries against a large event database. The Identity Tracking Solution Pack provides instructions on how to add the indexes.