enabling it audits with data analytics · proactive security monitoring 2 24 • non-badged user...
TRANSCRIPT
![Page 1: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/1.jpg)
Enabling IT Audits with Data Analytics
Michael Kano, Senior Manager Data Analytics
FCCC March 2017
![Page 2: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/2.jpg)
About Your Speaker
Michael Kano, ACDA
Michael is a Senior Manager with Focal Point’s national data analytics practice. Michael has over 20 years of experience in data analytics and internal audit with organizations in the USA, Canada, and Kuwait. He has more than two decades of experience with ACL software, including 8 years as the leader of ACL Services Ltd.’s global training team. He is an ACL Certified Data Analyst (ACDA).
Prior to joining Focal Point in 2015, Michael spent four years with eBay, Inc.’s internal audit team as Manager, Audit Analysis. He was tasked with integrating data analytics into the audit workflow on strategic and tactical levels. This included developing quality and documentation standards, training users, and providing analytics support on numerous audits in the IT, PayPal, and eBay marketplaces business areas.
2
![Page 3: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/3.jpg)
OBJECTIVES
▸Raise awareness of the contribution data analytics can make to mitigate risks in IT
▸ Identify key risk areas that can be tested with data analytics tools
▸Describe data analytics tests for key high-risk areas
3
![Page 4: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/4.jpg)
AGENDA
▸Why data analytics for IT?
▸Risks to mitigate
▸Specific risk areas
▸DA tools
▸Proactive security monitoring
4
![Page 5: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/5.jpg)
Why data analytics for IT?
5
![Page 6: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/6.jpg)
2014 Data Breach Statistics
▸ $3.8 million per organization*
▸ $154 per record*
▸ Increases in
▸ Cyberattack frequency
▸ Remediation costs
▸ Business impact
▸ Detection/escalation costs
*IBM/Ponemon 2015 Cost of Data Breach Study
6
![Page 7: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/7.jpg)
The Environment
▸High-risk area
▸Abundance of data
▸Multiple platforms/formats
▸Complex
▸Decentralized
▸Proliferation of unencrypted devices
7
![Page 8: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/8.jpg)
DA enables…
▸High-frequency automated testing
▸ Development of metrics
▸ Operational performance
▸ Call centers
▸Cybersecurity
▸Close to real-time monitoring/reporting of risks
▸Comprehensive overview
8
![Page 9: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/9.jpg)
Output
▸Dashboarding of trends/metrics
▸Drill-down capabilities for supporting data
▸User-friendly formats
9
![Page 10: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/10.jpg)
Risks
10
![Page 11: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/11.jpg)
Risks
▸Unauthorized activity
▸Loss of revenue
▸Data corruption
▸Data leakage (accidental)
▸Data theft (intentional –internal or external)
11
▸System downtime
▸Loss of confidentiality
▸Erosion of process integrity
▸Decreased performance
▸Malfunctioning hardware
![Page 12: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/12.jpg)
Risk Areas
12
![Page 13: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/13.jpg)
Key Risk Areas
▸Access
▸Change logs
▸Segregation of duties
▸Change management
▸Physical access
▸General Computer Controls/ITGC
▸Application controls
▸ Improper user of company assets (Policies)
13
![Page 14: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/14.jpg)
Access
▸Elevated access review
▸Usage of Admin/Super user accounts
▸Compare access to position description
▸Compare to previous review results
▸Flip flop access privileges
▸Segregation of duties
▸Access to contractors
▸HR payroll records vs Active Directory user listing
14
![Page 15: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/15.jpg)
Change Logs
▸Review major changes
▸ Identify change/reversion (“flip-flop”)
▸Frequency distribution by individual or department
▸Audit logs for application and database changes
15
![Page 16: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/16.jpg)
Change Management
▸Compare to ITAF standards
▸Proper categorization
▸UAT results
▸Test all environments to ensure proper change management (Dev, Test, Prod)
▸Use DA tools for Code Review
▸SOX controls for Vendor Master / Customer Master changes
16
![Page 17: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/17.jpg)
Physical Access
▸Review entries/exits to data centers (who)
▸Review entry times vs exit times (duration)
▸Cross-reference with HR data for departing employees
▸Compare against logs for suspect events
▸Review temporary access passes for approvals
▸Review failed attempted access logs
17
![Page 18: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/18.jpg)
General Computer Controls/ITGC
▸Configuration vs Policies▸ Default accounts
▸ Passwords
▸ Inactivity
▸ Failed logins
▸ Time out settings
▸Security▸ Firewall configuration settings/changes
18
![Page 19: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/19.jpg)
Application Controls
▸Password settings
▸Account settings
▸Time out settings
▸User access reports (compare time periods)
Compare all of the above with policies and procedures
19
![Page 20: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/20.jpg)
Applications
▸Active Directory
▸UNIX
▸Mainframe
▸Oracle
▸Other Databases
▸HRMS
20
![Page 21: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/21.jpg)
Proactive Security Monitoring
21
![Page 22: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/22.jpg)
DA Tools for IT
▸Standard data analytic tools▸ ACL, Arbutus, IDEA, Alteryx
▸PowerShell▸ Scripts to access Active Directory
▸ Run through EXECUTE & RUN commands
▸ Creates CSV (or other formats) files to import into above tools
▸Forensic Software for data examination (emails)
▸Cyber Security tools
22
![Page 23: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/23.jpg)
Proactive Security Monitoring 1
▸ Login Velocity – logging into multiple assets from a single source
▸ Previously Unseen Origin – Remote logging in from a location not previously seen
▸ Previously Unseen Process – Identify a previously unseen process running on critical machines
▸ Impossible Traveler – logging in from different locations that can not be achieved through normal travel means
▸ Cross User Login – same user account being logged on to multiple assets at the same time
23
![Page 24: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/24.jpg)
Proactive Security Monitoring 2
24
• Non-Badged User Login – identifying when an on-site login does not have a corresponding badge entry into the building
• Proxy Beaconing – looking for machines reaching out to uncommon domains and IP’s
• Timewheel – identifying machines performing beaconing during hours of the day when the user or system isn’t typically active.
• Snowflake – analysis to find process/software that has not been seen in the environment before, across the fleet
• Concerning Connections – assess network data to automatically generate network maps from which undesired, or unexpected, connections can be identified.
![Page 25: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/25.jpg)
The End
▸Questions / Comments?
25
![Page 26: Enabling IT Audits with Data Analytics · Proactive Security Monitoring 2 24 • Non-Badged User Login –identifying when an on-site login does not have a corresponding badge entry](https://reader033.vdocuments.us/reader033/viewer/2022042019/5e76f798d3e1c0603f144da9/html5/thumbnails/26.jpg)
Contact Information
For additional information on Focal Point’s services, visit our website at www.focal-point.com or contact:
26
Michael Kano
Senior Manager
(408) 887-4843