Hi Dave,
Thanks for the input.
Actually we had attempted to blow the auditor away with our "automated investigation with Splunk": a user performs an action (e.g. accesses a customer's account), Splunk then looks up vacation data to see if that user is scheduled to work, then the access control logs to see if they're in the building, or VPN logs if they're not, then checks if the computer they're logged in to with AD is the same as the one corresponding to the account access, then if the user is allowed to access the account in question, and then alerts as appropriate if one or more items do not comply.
So the auditor asked "what if an account is hijacked and someone deletes the logs from that account", which basically throws our investigation abilities out the window. Any user with that option (currently only me) can just say their account was hijacked. It's a "who guards the guards" game.
Regards,
Ken
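As an added illustration, and not Ken's Splunk search or anything else from the original thread, here is the same correlation chain written as a small stand-alone Python script over constructed sample data. The log shapes, field names, sample users and the four failure labels are all assumptions; the point is to show the four checks (vacation, presence via badge or VPN, AD logon host, entitlement) applied to each account-access event and an alert raised when any of them fails.

```python
from datetime import date, datetime

# --- Constructed sample "logs" standing in for the Splunk sources --------
# Customer-account access events from the application (the trigger event).
ACCOUNT_ACCESS = [
    {"time": "2024-03-11T10:05:00", "user": "alice", "account": "C-1001", "host": "WS-ALICE"},
    {"time": "2024-03-11T10:07:00", "user": "bob",   "account": "C-2002", "host": "WS-BOB"},
    {"time": "2024-03-11T10:09:00", "user": "carol", "account": "C-3003", "host": "WS-CAROL"},
    {"time": "2024-03-11T10:11:00", "user": "dave",  "account": "C-1001", "host": "WS-DAVE"},
]
# HR vacation data: days on which a user is not scheduled to work.
VACATION_DAYS = {"bob": {date(2024, 3, 11)}}
# Physical access control: (user, day) pairs with a badge-in event.
BADGE_IN = {("alice", date(2024, 3, 11)), ("dave", date(2024, 3, 11))}
# VPN logs: (user, day) pairs with a VPN session.
VPN_SESSIONS = {("carol", date(2024, 3, 11))}
# AD logon events: the workstation each user interactively logged on to.
AD_LOGON_HOST = {"alice": "WS-ALICE", "bob": "WS-BOB", "carol": "WS-OTHER", "dave": "WS-DAVE"}
# Entitlements: customer accounts each user is permitted to access.
ENTITLEMENTS = {"alice": {"C-1001"}, "bob": {"C-2002"}, "carol": {"C-3003"}, "dave": {"C-4004"}}


def event_day(evt):
    """Day of the access event, used to join against the daily sources."""
    return datetime.fromisoformat(evt["time"]).date()


def check_access(evt):
    """Return the list of compliance failures for one access event (empty list = clean)."""
    user, day = evt["user"], event_day(evt)
    failures = []
    # 1. Vacation data: is the user scheduled to work on that day?
    if day in VACATION_DAYS.get(user, set()):
        failures.append("scheduled_off")
    # 2. Presence: badged into the building, or on VPN if not.
    if (user, day) not in BADGE_IN and (user, day) not in VPN_SESSIONS:
        failures.append("no_presence")
    # 3. Workstation: AD logon host must match the host that touched the account.
    if AD_LOGON_HOST.get(user) != evt["host"]:
        failures.append("host_mismatch")
    # 4. Entitlement: is the user allowed to access this customer account at all?
    if evt["account"] not in ENTITLEMENTS.get(user, set()):
        failures.append("not_entitled")
    return failures


def run_investigation(events):
    """Alert on every event with one or more failures, in event order."""
    alerts = []
    for evt in events:
        failures = check_access(evt)
        if failures:
            alerts.append({"user": evt["user"], "account": evt["account"], "failures": failures})
    return alerts


if __name__ == "__main__":
    for alert in run_investigation(ACCOUNT_ACCESS):
        print(f"ALERT {alert['user']} on {alert['account']}: {', '.join(alert['failures'])}")
```

With the sample data, alice passes every check, bob trips both the vacation and presence checks, carol is on VPN but from a different host than her AD logon, and dave is on site but not entitled to the account. Every one of these checks joins the trigger event against another log source, which is exactly why the auditor's question bites: the investigation is only as trustworthy as the integrity of the logs it reads.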