

Example: Troubleshoot a System Slowdown

As a security administrator, you are alerted to an issue. One of your production systems has been experiencing a serious slowdown since 2:00 a.m. last night, disrupting key applications. The following example shows how you can use CA Chorus to troubleshoot and resolve the situation.

Research the Situation in the Knowledge Center

The Knowledge Center contains CA Technologies documentation and much more. It also preserves expertise from other security administrators, by incorporating Notes and Investigator comments. You use the Knowledge Center to see if a colleague has written anything that can help you resolve this problem.

After searching the Knowledge Center for the system ID, you discover another administrator has written instructions to troubleshoot a similar issue. The saved note says to perform the following procedure:

1. Assess the System in the Metrics Panel

You add key metrics to the Metrics panel. Examining the sparklines, you discover a spike in RACROUTE VERIFY and RACROUTE VERIFYX counts, indicating an increase in signon attempts and signon violations. You add this metric to your Dashboard and examine the timeline in more detail. This research confirms that the spike began at 2:00 a.m.

2. Find the Culprit in the Investigator

Because your site policy is to record signon violations to a Warehouse repository, you are able to examine these violations in the Investigator. You see that the violations are coming from a variety of user IDs, many of which do not match your corporate naming standards. From this data point, you deduce that someone is attempting a denial of service attack.

3. Stop the Attack

You note the attacker’s application name and TCP/IP addresses, then use your external security manager to block the offending jobname. You also modify your firewall rules to block the addresses that were used in the attack.

Returning to the Metrics Panel, you verify that RACROUTE VERIFY and RACROUTE VERIFYX counts have returned to normal. Using CA Chorus, you have stopped the attack. You contact the appropriate authorities and begin a more detailed investigation.
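The analysis behind steps 1 and 2 (spotting the hourly spike in signon violations, then picking out the user IDs that do not match the corporate naming standard and the jobname and addresses behind them) can be scripted over records exported from the Warehouse repository. The following added example is not part of CA Chorus or this documentation; it assumes a constructed record format (time, user ID, jobname, source address) and a hypothetical naming standard of four letters followed by four digits.

```python
import re
from collections import Counter

# Constructed sample of signon-violation records (hypothetical format:
# HH:MM, user ID, jobname, source address). Hour 02 carries the spike.
SAMPLE_VIOLATIONS = """\
01:10 ACME0042 CICSPROD 10.0.0.12
01:40 ACME0017 CICSPROD 10.0.0.19
02:05 guest1 FTPD01 203.0.113.7
02:06 root FTPD01 203.0.113.7
02:06 admin FTPD01 203.0.113.9
02:07 test FTPD01 203.0.113.9
02:08 ACME0042 CICSPROD 10.0.0.12
02:09 oracle FTPD01 203.0.113.7
"""

# Assumed corporate naming standard for user IDs: four letters, four digits.
NAMING_STANDARD = re.compile(r"^[A-Z]{4}\d{4}$")


def parse(text):
    """Split the exported records into (hour, user, jobname, address) tuples."""
    rows = []
    for line in text.splitlines():
        hhmm, user, job, addr = line.split()
        rows.append((hhmm[:2], user, job, addr))
    return rows


def violations_per_hour(rows):
    """Per-hour violation counts, the same figure the sparkline draws."""
    return Counter(hour for hour, *_ in rows)


def spike_hours(per_hour, factor=3):
    """Hours whose count is at least `factor` times the quietest other hour."""
    spikes = []
    for hour, count in per_hour.items():
        others = [c for h, c in per_hour.items() if h != hour]
        if others and count >= factor * min(others):
            spikes.append(hour)
    return sorted(spikes)


def nonconforming_users(rows):
    """User IDs that violate the naming standard (the attacker's guesses)."""
    return {user for _, user, _, _ in rows if not NAMING_STANDARD.match(user)}


def attack_sources(rows):
    """Jobnames and addresses tied to the non-conforming IDs, for step 3."""
    bad = nonconforming_users(rows)
    hits = [(job, addr) for _, user, job, addr in rows if user in bad]
    return {job for job, _ in hits}, {addr for _, addr in hits}
```

The jobname set is what you hand to the external security manager and the address set is what goes into the firewall rules; the hourly counts give you the before/after check from the Metrics panel.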