Recursive Data Collection, Review, and Analysis

The procedure described so far in this guide, discovering, analyzing, and addressing security vulnerabilities with rules, is not a one-time task. It must be repeated regularly, both to respond to new network security risks and to ensure that reports continue to yield the most valuable data.

The following actions will help improve your Exit Point Manager implementation:

  • Run reports at regular intervals. Rechecking report data regularly, and over selected time ranges, helps you validate your initial rule set and identify previously missed data points. See Reports.
  • Confirm that the users accessing the system are the ones you expect. Once auditing has been disabled for all service profiles, the remaining activity belongs to real users, so unexpected profiles stand out.
  • Confirm that each user's system access is appropriate to their needs. A user should access the system in a manner consistent with their job description. For example, if the application a user works in daily is SQL- or ODBC-based and you discover access by that user over the FTP server, additional research may be warranted. Also consider the time of day and the point of origin of the access: identify events that occur at unusual or unexpected times and from unexpected locations (IP addresses).
  • Watch for new service accounts used by new applications and for user profiles added for new hires.
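The checks in the list above can be applied mechanically to exported report data. The following script is an added example for this section, not code from Exit Point Manager or its documentation: it reads a small set of constructed access records, compares each one against a per-user baseline of expected servers, an expected source network, and business hours, and reports every deviation. The record layout (timestamp, user profile, server, source IP), the profile names, the server names, the addresses, and the baseline are all assumptions made up for the example; a real review would build the baseline from earlier report cycles and parse whatever export format is in use.

```python
"""Review exit-point access records against per-user baselines.

Added illustration for this section. The record layout, profile names,
server names, addresses and baselines below are constructed for the
example and are not Exit Point Manager's own export format or data.
"""
from datetime import datetime
import ipaddress

# Constructed sample records: timestamp, user profile, exit-point server, source IP.
SAMPLE_RECORDS = """\
2024-03-04T09:12:31,JSMITH,*SQL,10.1.20.15
2024-03-04T09:14:02,JSMITH,*ODBC,10.1.20.15
2024-03-04T22:47:10,JSMITH,*FTPSERVER,10.1.20.15
2024-03-04T10:03:55,AKUMAR,*FTPSERVER,10.1.20.88
2024-03-04T10:05:12,AKUMAR,*FTPSERVER,203.0.113.7
2024-03-04T11:30:00,NEWHIRE1,*ODBC,10.1.20.40
"""

# Per-user servers seen in earlier report cycles (constructed baseline).
BASELINE = {
    "JSMITH": {"*SQL", "*ODBC"},
    "AKUMAR": {"*FTPSERVER"},
}

# Networks users are expected to connect from (constructed).
EXPECTED_NETWORKS = [ipaddress.ip_network("10.1.20.0/24")]

# Inclusive start hour and exclusive end hour of normal business activity.
BUSINESS_HOURS = (7, 19)


def parse_records(text):
    """Parse the comma-separated sample layout into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, server, ip = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "server": server,
            "ip": ipaddress.ip_address(ip),
        })
    return records


def review_access(records, baseline=BASELINE, networks=EXPECTED_NETWORKS,
                  hours=BUSINESS_HOURS):
    """Return one finding per record that deviates from the baseline.

    Each finding is (user, server, source IP, sorted list of reasons).
    Records that match the baseline on every check produce no finding.
    """
    findings = []
    for r in records:
        reasons = []
        if r["user"] not in baseline:
            # Profile not seen in earlier cycles: a new hire or a new service account.
            reasons.append("unknown_user")
        elif r["server"] not in baseline[r["user"]]:
            # For example, an ODBC user turning up on the FTP server.
            reasons.append("unexpected_server")
        if not any(r["ip"] in net for net in networks):
            reasons.append("unexpected_ip")
        if not (hours[0] <= r["time"].hour < hours[1]):
            reasons.append("off_hours")
        if reasons:
            findings.append((r["user"], r["server"], str(r["ip"]), sorted(reasons)))
    return findings


def main():
    for user, server, ip, reasons in review_access(parse_records(SAMPLE_RECORDS)):
        print(f"{user:10} {server:12} {ip:16} {', '.join(reasons)}")


if __name__ == "__main__":
    main()
```

On the sample data the script flags JSMITH's late-night FTP access (wrong server and off hours), AKUMAR's connection from outside the expected network, and NEWHIRE1 as a profile with no baseline yet. The first two are candidates for further research; the third is the cue to decide whether the new profile needs its own rules before the next report cycle.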