Attackers and auditors realize SharePoint is important; do you?
SharePoint is an ever growing repository of unstructured data in the form of confidential documents and sensitive
workflows. Every kind of information (financial, human resources, health, marketing
plans, legal, trade secrets and intellectual property, to name a few) originates
or ultimately makes its way to documents like Word, spreadsheets, presentations
and PDFs. And SharePoint is where employees collaborate and store these documents.
- Do you know when employees are granted access to SharePoint information?
- Are you alerted if someone downloads an unusual amount of documents?
- If there’s a security breach can you trace back who accessed confidential SharePoint
information and when?
The challenge in getting SharePoint audit activity to your SIEM.
SharePoint has a native audit facility that can track end-user access, security
changes and activity by privileged site collection administrators. But SIEMs cannot
access these audit events through normal log collection means – much less make use
of the cryptic data. Here are the problems:
-
Inaccessible
SharePoint's audit log is buried in SharePoint's SQL server content database. However
in SharePoint, the audit log isn't really a log – it’s intermingled with documents,
lists and other content in the SharePoint database. The only way to access the SharePoint
audit log is through the web interface which which produces Excel spreadsheets stored back
in SharePoint ... neither is an option for SIEMs or with purpose built programming
using the SharePoint API.
-
Unreadable
SharePoint's raw audit events are not understandable or actionable. The audit log does not
provide the names of users or objects – only their ID codes. Unless object IDs are
translated into their actual names you have no idea what object or user to which
a given event refers. Here’s an example event:
Here’s what that event is trying to tell you:
SharePoint group member added
Occurred: 11/22/2011 10:46:34 PM
Site: http://sp2010-sp
User: Randy F. Smith
Group
ID: 22
Name: Customer Information
Member
ID: 26
Name: SP2010\wsmith
A little more readable? That’s the same event rendered by LOGbinder for SharePoint as
event ID 27.
In addition to the above issues, several other factors complicate obtaining application
security intelligence for SharePoint.
-
Vulnerable to tampering
If the audit log remains in SharePoint, it is vulnerable to tampering or destruction
by privileged insiders and attackers. Yet audit logs are crucial to enforcing accountability
over privileged users and for conducting forensic analysis of intrusions. Any informed
auditor will identity this as a risk, because a tenet of information security is
that audit logs must be moved off the system where they are generated and stored
in a separate repository with controls to ensure integrity of audit log data.
-
Audit trail loss and uncontrolled database growth
Some editions of SharePoint provide automatic log trimming of
old events but there is no way to ensure events have been archived first. On the
other hand, without regular purging, SharePoint content databases can become bloated
with audit history leading to storage and performance issues
-
No way to manage audit policy
In a SharePoint farm, each site collection has its own audit policy. Administrators
have no way to enforce consistent audit policy across all site collections. When
a new site collection is created, Administrators must remember to access the Site
Collection's audit settings page and enable auditing or the site will be unmonitored.
This is especially troublesome for farms with self-service site collection enabled
because new sites can be created directly by users without Administrator involvement.
The Solution.
The Solution: LOGbinder for SharePoint – Connecting the
SharePoint audit log to your SIEM
LOGbinder for SharePoint solves all 5 issues with SharePoint auditing without re-inventing the wheel. LOGbinder for SharePoint:
- Makes the SharePoint audit log accessible to your SIEM
- Translates cryptic, raw audit data into meaningful security intelligence
- Protects your audit log from tampering by getting it to your SIEM - where it belongs
- Prevents audit trail loss and saves database storage
- Provides centralized audit policy management for all your site collections
LOGbinder for SharePoint translates cryptic SharePoint audit data into easy-to-understand messages
and sends them to your SIEM – where they belong. LOGbinder for SharePoint does not require an
agent to be installed on your SharePoint servers, nor does it make intrusive changes
to your SharePoint environment. We simply bridge the gap by bringing application
security intelligence on SharePoint to your security operations center.
Learn more about LOGbinder for SharePoint