Educause Security Discussion mailing list archives
Re: Measures of detecting breached email accounts
From: Valdis Kletnieks <valdis.kletnieks () VT EDU>
Date: Wed, 6 Dec 2017 12:14:41 -0500
On Tue, 05 Dec 2017 16:54:50 -0800, Joseph Tam said:
> Sounding the alarm on failed login attempts will have me looking at logs every minute, night and day. Even at my modest installation, this happens far too frequently to be considered a useful trigger for notification: it's not anomalous, it's background radiation.
I did say *exception* analysis, didn't I? Look for stuff that doesn't look like background radiation. ;)
> In the context of email accounts, here are some anomalous things you could look for:
> - unusual volume, especially at unusual times
> - unusual volume of failed deliveries (e.g. unknown user)
> - unusual login origin (Ukraine? Romania? Tunisia? etc.) The larger and more diverse your userbase, the harder this gets to discern.
> - number of different successful login locales within a time interval (*)
> - blacklist monitoring
> - egress spam filtering/statistics
See? We're on the same page. ;)
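One way to turn that list into exception logic, as an added example that is not part of the original thread: the script below runs the "different login locales in an interval", outbound-volume and unknown-user-bounce checks over a constructed log sample. The log format, the one-hour window and the thresholds are all assumptions, not anything the posters described.

```python
"""Exception analysis over constructed mail-server log lines (example code, not from
the thread): flag accounts with multi-country logins, unusual volume or bounce runs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. Fields: time user event country detail
SAMPLE_LOG = """\
2017-12-06T02:01:10 alice login_ok US -
2017-12-06T02:14:42 alice login_ok RO -
2017-12-06T02:15:03 alice send - 180
2017-12-06T02:16:00 alice bounce - unknown_user
2017-12-06T02:16:01 alice bounce - unknown_user
2017-12-06T09:00:00 bob login_ok US -
2017-12-06T09:05:00 bob send - 3
2017-12-06T17:30:00 bob login_ok US -
"""

WINDOW = timedelta(hours=1)  # assumed interval for the "different locales" check
MAX_RECIPIENTS = 100         # assumed per-window outbound baseline
MAX_BOUNCES = 2              # assumed per-window unknown-user bounce limit

def parse(log_text):
    """Return (time, user, event, country, detail) tuples, one per log line."""
    rows = [line.split() for line in log_text.splitlines()]
    return [(datetime.fromisoformat(r[0]), r[1], r[2], r[3], r[4]) for r in rows]

def find_exceptions(log_text):
    """Return {user: sorted reasons} for accounts that break the baseline."""
    per_user = defaultdict(list)
    for ev in parse(log_text):
        per_user[ev[1]].append(ev)
    flagged = {}
    for user, evs in per_user.items():
        reasons = set()
        for i, (t0, *_) in enumerate(evs):
            # Slide a WINDOW-long interval forward from each event (log is time-ordered)
            win = [e for e in evs[i:] if e[0] - t0 <= WINDOW]
            countries = sorted({e[3] for e in win if e[2] == "login_ok"})
            if len(countries) > 1:
                reasons.add("multi-country logins: " + ",".join(countries))
            sent = sum(int(e[4]) for e in win if e[2] == "send")
            if sent > MAX_RECIPIENTS:
                reasons.add("recipients: %d" % sent)
            bounces = sum(e[2] == "bounce" and e[4] == "unknown_user" for e in win)
            if bounces >= MAX_BOUNCES:
                reasons.add("unknown_user bounces: %d" % bounces)
        if reasons:
            flagged[user] = sorted(reasons)
    return flagged
```

With real logs the baselines would come from each account's own history rather than fixed constants, which is what keeps a large, diverse userbase from drowning the check in false positives.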