Investigate the Cause of the Spike

As a security administrator, you investigate metrics that exceed their thresholds. You can investigate metrics directly from the Metrics panel, or you can add them to your dashboard for further monitoring.

In this example, you are investigating the number of signons, which has exceeded the caution threshold and alerted you. If a hacker caused this spike, you would expect many failed signon attempts, typically a high number of invalid user IDs or invalid passwords. You can use several objects in the Investigator to research this potential threat.

Follow these steps:

  1. Stop the Metrics panel scrolling by using the panel controls.

    Note: You can hover over the metric to examine the context of the spike more closely.

  2. (Optional) Click the metric and click Add to Dashboard to see a larger view of the metric.
  3. Click the metric and then click Investigate.

    The Investigator opens.

  4. Choose the Security discipline from the drop-down list.
  5. Click the object that you want to investigate. The following example looks at Definitions/Users, Events/Data Warehouse, and Events/Data Marts.
  6. Click Customize the Tabular Data View (wrench icon) to add relevant columns, or remove irrelevant columns. Click View Filter (magnifying glass icon) to specify range filters, and click Search to limit the amount of data presented.

    Definitions/Users

    Filter the Users table to display rows with alarmingly high counts for relevant columns.

    Example: A high volume of password violations on one or more accounts in a short time could be an indication of a brute-force hacking attempt. Add the Number of Password Violation, Date of Last Invalid Password, and Suspended Due to Password columns to investigate these metrics.

    Events/Data Warehouse and Events/Data Marts

    You can use Compliance Policy Administration interface data to identify System Access Events that occur due to signon violations. Filter the list of events by date and time range, System ID, event category, and event type to narrow down the search.

    Example: A large number of signon violations due to invalid passwords for the same user, or violations due to invalid user IDs (IDs that do not exist) could be an indication of a hacking attempt.

    Note: The Data Mart contains Compliance Policy Administration interface data with the same type of events as the Warehouse, and supports the same type of research. The difference is that the Warehouse contains real-time data, whereas a current Data Mart must be created first. You create the Data Mart using a batch utility that extracts the appropriate data from the Compliance Policy Administration interface Logger component.

    The filtered data appears in the Investigator.

  7. (Optional) Click the View Charts icon in the Investigator toolbar. Filter and customize your pie chart using the drop-down lists, and click Add.

    The customized pie chart appears in the center pane of the Investigator. You can dynamically filter the data being displayed, and add more charts using the View Filter and View Charts icons.

    Example: Create a pie chart for System Access Events that includes a count of all detail events within that category and time period. Compare the counts of signon violations and successful signons.

  8. Analyze the results to determine if a threat exists. Do one of the following:
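The analysis behind steps 6 and 7, as an added Python example that is not part of the product or of this documentation: it runs over constructed System Access Event rows with made-up field names (event type and violation reason) rather than the product's actual column names, and flags the two patterns the examples above describe.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like filtered System Access Events:
# (timestamp, system ID, user ID, event type, violation reason). Illustrative only.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:05", "SYSA", "ALICE", "SIGNON_SUCCESS", ""),
    ("2024-03-01T08:00:09", "SYSA", "BOB", "SIGNON_VIOLATION", "INVALID_PASSWORD"),
    ("2024-03-01T08:00:12", "SYSA", "BOB", "SIGNON_VIOLATION", "INVALID_PASSWORD"),
    ("2024-03-01T08:00:15", "SYSA", "BOB", "SIGNON_VIOLATION", "INVALID_PASSWORD"),
    ("2024-03-01T08:00:18", "SYSA", "BOB", "SIGNON_VIOLATION", "INVALID_PASSWORD"),
    ("2024-03-01T08:00:21", "SYSA", "BOB", "SIGNON_VIOLATION", "INVALID_PASSWORD"),
    ("2024-03-01T08:00:30", "SYSA", "ADMIN1", "SIGNON_VIOLATION", "INVALID_USERID"),
    ("2024-03-01T08:00:31", "SYSA", "ROOT", "SIGNON_VIOLATION", "INVALID_USERID"),
    ("2024-03-01T08:20:00", "SYSA", "CAROL", "SIGNON_VIOLATION", "INVALID_PASSWORD"),
    ("2024-03-01T08:20:40", "SYSA", "CAROL", "SIGNON_SUCCESS", ""),
    ("2024-03-01T09:30:00", "SYSA", "CAROL", "SIGNON_VIOLATION", "INVALID_PASSWORD"),
]

def parse_events(rows):
    """Turn raw rows into dicts with a real datetime for time-window arithmetic."""
    return [dict(ts=datetime.fromisoformat(ts), system=sysid, user=user,
                 kind=kind, reason=reason) for ts, sysid, user, kind, reason in rows]

def category_counts(events):
    """The counts the step 7 pie chart compares: successes vs violations by reason."""
    return Counter(e["kind"] if e["kind"] == "SIGNON_SUCCESS" else e["reason"]
                   for e in events)

def brute_force_candidates(events, threshold=5, window=timedelta(minutes=10)):
    """User IDs with at least `threshold` invalid-password violations inside any
    `window` (the per-account pattern from step 6). Sliding window per user;
    the value is the peak count seen in one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "SIGNON_VIOLATION" and e["reason"] == "INVALID_PASSWORD":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop stamps older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

def invalid_userid_attempts(events):
    """Violations for IDs that do not exist, grouped by the attempted ID."""
    return Counter(e["user"] for e in events if e["reason"] == "INVALID_USERID")
```

The threshold and window are assumptions to tune against your own baseline of successful signons; the functions return plain counters and dicts so they can feed a chart or a ticket equally well.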