Nowadays, IT systems are widely used by enterprises, and using the Windows login as the management tool for identity verification is generally accepted. However, this carries a security disadvantage: anyone who has a Windows account and password can log in, view classified information and verify the system. Brute-force attacks have become one of the most common attack types. Hackers invade devices in the user's Home network, install password-cracking software on them, and run it to crack accounts and passwords. To keep such attacks from affecting the Home network, IT administrators usually limit the number of login errors and lock accounts that exceed the limit. IT administrators seem to have no choice but to use this method, but as a result most accounts get locked, legitimate users cannot log in to the system as usual, and enterprise operations are badly affected.
N-Partner's automatic learning and analysis technology develops intelligent network operations
N-Partner's big data analysis performs automatic learning on historical data. It records the Windows AD log, and when there is a burst of login failure events, real-time alerts are sent to IT administrators. The alerts include the source IP (the attacker) and the account the hackers are using to try to break into the system. Besides login failure alerts, an alert is also sent when a successful login directly follows a large number of login failures, since this may mean the system has been compromised. The IT department must receive such alerts immediately, especially when the compromised account has high privileges in the system, and set a new password right away; otherwise there will be great loss if the attackers manage to log in to the system.
Correlate AD and SNMP with Flow to get the username and location info
N-Partner's core technology correlates SNMP (the health monitoring technique), Flow (the traffic analysis technique) and Syslog (the behavior awareness technique), so the IT department can keep tabs on network usage. Besides the alert and analysis function for AD login anomalies, it can correlate the username from the Windows AD log with other logs and traffic to determine which source IP is sending abnormal Flow or is being used as the attacker. It can also correlate with SNMP to find the source IP address's location, that is, the switch and interface it belongs to.
▲ Use Flow/Syslog/SNMP correlation to find the IP address and location with abnormal traffic
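As an added illustration of the two AD login alerts described above (a burst of failed logins against one account, and a success that directly follows such a burst) together with the SNMP location lookup from the previous section, here is a small detector written for this page. It is not N-Partner's code or a description of its product internals. It assumes the AD log is the Windows Security log with event IDs 4625 (failed logon) and 4624 (successful logon); the record layout, the threshold and window values, and the ARP and bridge-forwarding tables are constructed sample data standing in for what a log collector and an SNMP poll would return.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

FAILURE_THRESHOLD = 5   # failed logons per account inside the window that count as a burst (assumed)
WINDOW_SECONDS = 60     # sliding window length (assumed)


@dataclass
class LogonEvent:
    ts: int         # event time, seconds since epoch (constructed)
    event_id: int   # 4625 = failed logon, 4624 = successful logon
    account: str    # target account name
    src_ip: str     # workstation/source address from the event


# Constructed sample log: one service account hammered from a single host,
# then a success from that host; an unrelated user with a single typo.
SAMPLE_EVENTS = [
    LogonEvent(1000, 4625, "svc_backup", "10.0.5.23"),
    LogonEvent(1005, 4625, "alice", "10.0.7.8"),
    LogonEvent(1010, 4625, "svc_backup", "10.0.5.23"),
    LogonEvent(1020, 4625, "svc_backup", "10.0.5.23"),
    LogonEvent(1020, 4624, "alice", "10.0.7.8"),
    LogonEvent(1030, 4625, "svc_backup", "10.0.5.23"),
    LogonEvent(1040, 4625, "svc_backup", "10.0.5.23"),
    LogonEvent(1050, 4625, "svc_backup", "10.0.5.23"),
    LogonEvent(1055, 4624, "svc_backup", "10.0.5.23"),
]

# Constructed stand-ins for SNMP-polled tables: the router's ARP cache
# (IP-MIB ipNetToMediaTable) maps IP -> MAC, and the access switch's bridge
# forwarding table (BRIDGE-MIB dot1dTpFdbTable) maps MAC -> (switch, interface).
ARP_TABLE = {
    "10.0.5.23": "00:11:22:33:44:55",
    "10.0.7.8": "00:11:22:33:44:66",
}
BRIDGE_TABLE = {
    "00:11:22:33:44:55": ("sw-floor2", "GigabitEthernet1/0/17"),
}


def locate(ip):
    """Resolve a source IP to (switch, interface) via ARP then the bridge table.
    Returns None when either hop is missing (host not learned on an access switch)."""
    mac = ARP_TABLE.get(ip)
    if mac is None:
        return None
    return BRIDGE_TABLE.get(mac)


def detect(events, threshold=FAILURE_THRESHOLD, window=WINDOW_SECONDS):
    """Return alerts for (a) a burst of failed logons against one account and
    (b) a successful logon that directly follows such a burst."""
    alerts = []
    recent = defaultdict(deque)   # account -> deque of (ts, src_ip) failures inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.account]
        while q and ev.ts - q[0][0] > window:   # expire failures that fell out of the window
            q.popleft()
        if ev.event_id == 4625:
            q.append((ev.ts, ev.src_ip))
            if len(q) == threshold:             # fire once, when the burst is first reached
                alerts.append({
                    "type": "failure_burst",
                    "account": ev.account,
                    "src_ips": sorted({ip for _, ip in q}),
                    "location": locate(ev.src_ip),
                    "ts": ev.ts,
                })
        elif ev.event_id == 4624:
            if len(q) >= threshold:             # success right after a burst: possible compromise
                alerts.append({
                    "type": "success_after_failures",
                    "account": ev.account,
                    "src_ip": ev.src_ip,
                    "prior_failures": len(q),
                    "location": locate(ev.src_ip),
                    "ts": ev.ts,
                })
            q.clear()   # a successful logon ends the current failure run


    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this raises two alerts for svc_backup, both carrying the attacking source IP and its switch/interface, while alice's single typo stays silent. The success-after-burst alert is the one that warrants an immediate password reset; a real deployment would key the burst logic on source IP as well as account, since a password spray spreads failures across many accounts.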