Attackers and auditors realize SharePoint is important; do you?

SharePoint is an ever growing repository of unstructured data in the form of confidential documents and sensitive workflows. Every kind of information (financial, human resources, health, marketing plans, legal, trade secrets and intellectual property, to name a few) originates or ultimately makes its way to documents like Word, spreadsheets, presentations and PDFs. And SharePoint is where employees collaborate and store these documents.

  • Do you know when employees are granted access to SharePoint information?
  • Are you alerted if someone downloads an unusual amount of documents?
  • If there’s a security breach, can you trace back who accessed confidential SharePoint information, and when?

The challenge in getting SharePoint audit activity to your SIEM.

SharePoint has a native audit facility that can track end-user access, security changes and activity by privileged site collection administrators. But SIEMs cannot access these audit events through normal log collection means – much less make use of the cryptic data. Here are the problems:

  1. Inaccessible

    SharePoint's audit log is buried in SharePoint's SQL Server content database. However, in SharePoint the audit log isn't really a log – it’s intermingled with documents, lists and other content in the SharePoint database. The only ways to get at the SharePoint audit log are through the web interface, which produces Excel spreadsheets stored back in SharePoint, or with purpose-built programming using the SharePoint API ... neither is an option for SIEMs.

  2. Unreadable

    SharePoint's raw audit events are not understandable or actionable. The audit log does not provide the names of users or objects – only their ID codes. Unless object IDs are translated into their actual names, you have no idea which object or user a given event refers to. Here’s an example event:

    Here’s what that event is trying to tell you:

    SharePoint group member added
    Occurred: 11/22/2011 10:46:34 PM
    Site: http://sp2010-sp
    User: Randy F. Smith
    Group
        ID: 22
        Name: Customer Information
    Member
        ID: 26
        Name: SP2010\wsmith

    A little more readable? That’s the same event rendered by LOGbinder for SharePoint as event ID 27.
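The translation step described above, as an added example that is not LOGbinder's code: it reads SharePoint's raw audit entries through the server object model and resolves the numeric user, group and member IDs into names so the event reads like the one rendered above. It assumes the SharePoint 2010 Management Shell on a farm server, an account with site collection administrator rights on http://sp2010-sp (the site from the example), and that the EventData field of a group-member-add entry carries `groupid` and `user` XML elements (an assumption; check a raw entry on your farm).

```powershell
# Added example, not LOGbinder's code: pull SharePoint's raw audit entries through the
# server object model and translate the numeric IDs into names, the way the rendered
# event above reads. Assumes the SharePoint 2010 Management Shell on a farm server and
# an account with site collection administrator rights on the target site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Resolve-SPName {
    param($Collection, [int]$Id, [string]$Property = "Name")
    # SPUserCollection/SPGroupCollection.GetByID throws when the ID is unknown, so the
    # raw ID is kept in the output rather than silently dropped
    try { $Collection.GetByID($Id).$Property } catch { "#$Id" }
}

function Get-ReadableGroupMemberAdds {
    param(
        [string]$SiteUrl = "http://sp2010-sp",      # site collection from the page's example
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $site = Get-SPSite $SiteUrl
    try {
        $web   = $site.RootWeb
        $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
        $query.SetRangeStart($Since)
        $query.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::SecGroupMemberAdd)

        foreach ($e in $site.Audit.GetEntries($query)) {
            # ASSUMPTION: for SecGroupMemberAdd the EventData field is an XML fragment
            # with <groupid> and <user> elements; adjust the element names if your farm differs.
            $data     = [xml]("<d>" + $e.EventData + "</d>")
            $groupId  = [int]$data.d.groupid
            $memberId = [int]$data.d.user
            New-Object PSObject -Property @{
                Event      = "SharePoint group member added"
                Occurred   = $e.Occurred                       # timestamp as stored by SharePoint
                Site       = $site.Url
                User       = Resolve-SPName $web.SiteUsers  $e.UserId
                GroupId    = $groupId
                GroupName  = Resolve-SPName $web.SiteGroups $groupId
                MemberId   = $memberId
                MemberName = Resolve-SPName $web.SiteUsers  $memberId "LoginName"
            }
        }
    } finally { $site.Dispose() }
}

# One key=value line per event, appended to a file a SIEM log collector can tail
Get-ReadableGroupMemberAdds | ForEach-Object {
    'occurred="{0:u}" site="{1}" event="{2}" user="{3}" group="{4}" group_id={5} member="{6}" member_id={7}' -f `
        $_.Occurred, $_.Site, $_.Event, $_.User, $_.GroupName, $_.GroupId, $_.MemberName, $_.MemberId
} | Out-File -Append -FilePath "C:\SIEM\sharepoint-audit.log"
```

Because the IDs are only meaningful inside the site collection that generated the entry, the lookup has to happen against that site collection's user and group collections before the event leaves SharePoint.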

In addition to the above issues, several other factors complicate obtaining application security intelligence for SharePoint.

  1. Vulnerable to tampering

    If the audit log remains in SharePoint, it is vulnerable to tampering or destruction by privileged insiders and attackers. Yet audit logs are crucial to enforcing accountability over privileged users and for conducting forensic analysis of intrusions. Any informed auditor will identify this as a risk, because a tenet of information security is that audit logs must be moved off the system where they are generated and stored in a separate repository with controls to ensure the integrity of audit log data.

  2. Audit trail loss and uncontrolled database growth

    Some editions of SharePoint provide automatic log trimming of old events, but there is no way to ensure events have been archived first. On the other hand, without regular purging, SharePoint content databases can become bloated with audit history, leading to storage and performance issues.

  3. No way to manage audit policy

    In a SharePoint farm, each site collection has its own audit policy. Administrators have no way to enforce a consistent audit policy across all site collections. When a new site collection is created, administrators must remember to access the site collection's audit settings page and enable auditing, or the site will be unmonitored. This is especially troublesome for farms with self-service site collection creation enabled, because new sites can be created directly by users without administrator involvement.

The Solution: LOGbinder for SharePoint – Connecting the SharePoint audit log to your SIEM

LOGbinder for SharePoint solves all 5 issues with SharePoint auditing without re-inventing the wheel. LOGbinder for SharePoint:

  1. Makes the SharePoint audit log accessible to your SIEM
  2. Translates cryptic, raw audit data into meaningful security intelligence
  3. Protects your audit log from tampering by getting it to your SIEM - where it belongs
  4. Prevents audit trail loss and saves database storage
  5. Provides centralized audit policy management for all your site collections

LOGbinder for SharePoint translates cryptic SharePoint audit data into easy-to-understand messages and sends them to your SIEM – where they belong. LOGbinder for SharePoint does not require an agent to be installed on your SharePoint servers, nor does it make intrusive changes to your SharePoint environment. We simply bridge the gap by bringing application security intelligence on SharePoint to your security operations center.
