FireEye, the malware protection and threat intelligence solutions provider, has introduced a free GeoLogonalyzer remote authentication tool.
GeoLogonalyzer enables security analysts to review remote access logs for anomalies such as travel feasibility and data center sources, according to FireEye. That way, security analysts can use GeoLogonalyzer to differentiate legitimate and malicious logins and flag and investigate potentially suspicious logon activity.
GeoLogonalyzer processes authentication logs that contain timestamps, usernames and source IP addresses, FireEye indicated. The tool creates a baseline across an IT environment and allows security analysts to identify authentication activity that deviates from business requirements and patterns.
For example, GeoLogonalyzer can help security analysts identify a change in the source location of remote authentications over time, according to FireEye. When used with a remote authentication log that records a source IP address, GeoLogonalyzer enables security analysts to estimate the location from which each logon originated. As a result, security analysts can identify a change in source location and determine whether a user could plausibly have traveled between the two physical locations in the time between the logons to legitimately perform both.
In addition, applicable GeoLogonalyzer log sources include:
- Virtual private networks (VPNs).
- Email client or web applications.
- Remote desktop environments.
GeoLogonalyzer is now available via GitHub as a free download.
How Can MSSPs Help Organizations Prevent Remote Access Abuse?
FireEye offered the following recommendations to ensure MSSPs can help organizations prevent remote access abuse:
- Identify and limit remote access platforms that allow access to sensitive information from the Internet.
- Deploy a multi-factor authentication solution that generates one-time use tokens for all remote access platforms.
- Record remote access authentication logs for all remote access platforms.
- Whitelist IP address ranges that are confirmed as legitimate for remote access users, based on baselining or physical location registrations.
- Establish a baseline of accounts that legitimately perform unexpected logon activity and identify new anomalies.
No single remote access analysis method is perfect, FireEye pointed out. However, MSSPs can provide security services to help organizations identify remote access abuse and limit the risk of data breaches.
FireEye Business Model Evolution
The free tool arrives as FireEye shifts to a new pricing and packaging model. While not all customers will move to the new pricing model immediately, the early response from customers, channel partners and industry analysts has been very positive, CEO Kevin Mandia said during the company's earnings call earlier this month.
The pricing model encourages broader deployments of FireEye technology, offers the flexibility to mix and match physical and virtual appliances, and allows customers to optimize capacity as needed, Mandia asserted at the time.