Over the last decade, cybercriminals have gained the necessary resources to make it easier and more lucrative for them to attack small-to-medium-sized businesses. The 2019 Cost of a Data Breach Report not only shows the odds of experiencing a data breach have gone up by a third in less than a decade, but the cost of these data breaches is also on the rise. Additionally, small businesses face disproportionately larger costs than their enterprise counterparts when an attack is successful. This report highlights the importance of SMBs being prepared, now more than ever, to quickly identify and respond to potential cyberattacks.


One common way businesses increase their security posture is by implementing, and actually using, a Security Information and Event Management tool—SIEM for short. A SIEM solution, at its core, aggregates and normalizes log and event data from across an entire network, making it easier to identify and respond to attacks, compromised data, and security threats.


However, many SMBs feel a SIEM solution is out of reach for their organizations for three main reasons:


  1. Complexity
    The complexity starts right away with most traditional SIEM vendors. Connecting different log sources often requires building parsers or writing (and possibly first learning) RegEx to ingest and normalize log data. Once the data has been consolidated, recalling it adds another layer of complexity. For example, simply wanting to see logins from a particular user can require writing a query in a language created specifically for that SIEM. Additionally, feature bloat often makes it difficult to know how to find answers to simple questions.

  2. Expertise Requirements
    A SIEM is only as effective as the rules put in place to identify, alert on, and respond to potential threats. Without a deep understanding of the types of activities captured by logs, and of the behaviors indicating malicious or risky activity, setting up the rules can be daunting, especially if the SIEM doesn’t come with any pre-built rules. With limited time, and a scarcity of available security professionals, setting up a SIEM can seem like too big of a project to take on.

  3. Expense
    Aggregating all log and event data in one place is ideal. However, the licensing models of many SIEM solutions can quickly price out SMBs. Many of the most common SIEM solutions on the market are SaaS products whose price changes based on the log volume being sent to the product. This leads to two main problems: pricing is unpredictable, and/or IT pros need to cherry-pick which logs they will collect and store…and hope they picked the right ones.


At SolarWinds we understand how important it is for IT pros at SMBs to gain valuable time back and automate as much as possible—including threat detection and response. That’s why we built Security Event Manager (SEM). It’s a SIEM solution built for resource-constrained IT pros needing to advance their organization’s security beyond patching, backups, and firewall configurations. SEM is designed to provide the most essential functions of a SIEM to help improve security posture, more easily meet compliance requirements, and reduce the time and complexity of an audit.


How Does SolarWinds Security Event Manager Differ From Other SIEM Products?

  1. Easy to Deploy and Use
    Deployment is flexible: the virtual appliance can be located on-premises or in the public cloud (such as Azure or AWS). Many users report SEM is up and running within fifteen minutes, no professional services required. Log collection and normalization are done either by enabling one or more of the hundreds of pre-built connectors and sending logs to SEM, or by deploying the SEM agent.

    It has a simple and clean UI, focused on the features SMBs find most important, such as the dashboard, which helps visualize important trends and patterns in log and event data:

    It also offers a quick and easy keyword search, providing faster log recall without the need to learn specialized query languages:


  2. Provides Expertise and Value Out of the Box
    Finding value with the tool will not be an issue. An integrated threat intelligence feed and hundreds of pre-defined filters, rules, and responses not only make it faster and easier for users to identify threats, but also automate notifications and corrective actions.

    Beyond identifying and responding to threats, the pre-built reports make demonstrating compliance a breeze.

    The best part is users aren’t confined to out-of-the-box content. As their organization’s needs change and grow, or as they become better acquainted with the tool, the pre-defined content, visualizations, and reports can all be customized.

  3. Priced With SMBs in Mind
    SolarWinds® Security Event Manager has a simple licensing model. SEM is licensed by the number of log-emitting sources sent to the tool. There is no need to pick and choose which logs to send, and no need to worry about a large influx of logs breaking your budget. Users get all the features of SEM and industry-leading support for a single price. The pricing model is built to scale with the user’s environment, with the price per node dropping at higher tiers. For those looking to monitor workstations as well as infrastructure and applications, special discounted pricing is available: same deal, one price for all features, for each workstation.


If you’re an IT pro at an SMB looking to get a better handle on cybersecurity or compliance reporting, give SEM a shot. You can download a free, 30-day trial here.

Background


This blog initially started out as an examination of how SolarWinds uses Database Performance Analyzer (DPA) within our own production environment. It now includes not only how our DBA uses DPA, but how other business units within SolarWinds use it and why. It isn’t surprising to find people in IT operations and application development using DPA, since our own customer studies have shown a high number of people outside of the DBA role use it, too.


Recent product-specific studies for DPA showed a high number of DevOps/IT Ops and AppDev roles using the product and an eye-opening, broad customer census exposed even more. In the 2019 THWACK Member Census, we asked over 2,200 IT professionals to select their primary job role and only 2.4% selected DBA. Interestingly, when we asked respondents if they managed or monitored databases, 42.7% said yes.


This brings to light the discussion of the “accidental DBA” and some interesting changes in IT organizations. First is the growth in the number of DevOps people who handle database-related tasks. Second is the importance of databases as the platform for most mission-critical applications, and why everyone has a keen interest in their availability and performance. And last, but not least, the number of DBAs is going down according to Computer Economics, which has seen the percentage of DBAs relative to total IT staff drop to 2.8% in 2017 from 3.3% in 2013. Our own Head Geek, Thomas LaRock, wrote an article pointing out the number of DBA jobs has stagnated for almost 20 years. On the flip side, Gartner pointed out that DBMS (Database Management Systems) revenue grew an astounding 18.4% to $46 billion in 2018.


Armed with this information, I decided I’d investigate the SolarWinds DBA team and see if any of these trends held true.


Let’s Start With the DBA


As I mentioned, I initially thought I’d interview the DBA team here at SolarWinds to see how we “drink our own champagne,” since I knew DPA was used by our internal IT team. As it turns out, the “DBA Team” is one person. I guess for a company that did $833 million in revenue in 2018 I expected an entire DBA organization, not just one hardworking DBA. But maybe this isn’t the exception?


I learned a lot from our DBA about how she can keep track of over 250 Microsoft SQL Server databases running on a mix of physical and virtual machines. My biggest takeaway from talking to her was that DBAs don’t “monitor databases.” They want to be alerted when there are problems, and they need a product to help them quickly find and resolve problems when they arise. They also want a product to help them optimize their databases proactively.


The first thing we discussed was “what’s important and who is it important to?” Here are the top things SolarWinds uses DPA for and the primary users:


  • Overall database health: DBA and IT Ops
  • Debugging after deployment: AppDev and DBA
  • Ad hoc troubleshooting: DBA and AppDev
  • Capacity planning: DBA

After I learned about the overall database environment (250+ SQL Server databases), I wanted to understand specific, real-world use cases of DPA in action.


DBA Usage Scenarios


So how does the DBA at SolarWinds use DPA? First, she sets up alerts so DPA can immediately send her text notifications if something goes awry. DPA has had alert notification for a while, but the 2019.4 release made it even easier via a “drag and drop” interface, making alert customization simple. Second, DPA is the first place she goes when she gets notified about something going wrong, whether it’s an alert, a phone call, an email, or a help desk ticket opened and assigned to her.


Scenario 1 of 2


In this first real-life scenario, our DBA was alerted to an “assertion check fail” pointing to possible corruption. The SQL Server instance itself created a hard-to-decipher stack dump, and the only noticeable thing she could pick out of it was the process ID.

With this in hand, she went into DPA to the specific time the event occurred in the SQL Server instance. Since DPA provides both real-time and historical data, she was able to drill down to find 1) the session ID executing this query, and 2) the SQL script running and the database it ran against. After speaking with the developer who ran the query, she determined it was a problem with SQL Server itself and asked the developer to refrain from running the query until they got the problem resolved by Microsoft.


*Screenshot the SolarWinds DBA used to find the culprit of the stack dump SQL Server generated.


Scenario 2 of 2


This second use case brings to light how important DPA is for establishing the overall health of a database and for capacity planning. Our DBA could not stress enough how important it is for her to know the baseline of a database instance and its associated queries. From the baselines DPA develops with the help of machine learning, she knows what a typical day looks like and what normal database activity is, which allows her to spot both anomalies and trends.


Regarding capacity planning, she uses DPA to monitor the utilization and performance of applications and to note trends she uses for future capacity requirements, such as new or additional servers. Luckily, SolarWinds does a quarterly two-week freeze on new applications and changes, and this period gives her a chance to go through DPA reports and proactively tune the environment. DPA’s anomaly detection, powered by machine learning, is a great way to graphically see the biggest opportunities for proactive optimization.


*This resource tab in DPA is a favorite of our DBA because it gives her a good overview of server resources being used.


Our DBA believes DPA will be even more useful as SolarWinds starts to migrate databases to Azure PaaS. As she stated, the need to stay on top of performance issues like poorly written SQL and poorly performing tables doesn’t go away, and the cost of mistakes, especially those that consume resources, can show up as spikes in usage charges.


Application Development and DPA


As I mentioned at the beginning, I learned a lot about how DPA is used at SolarWinds and the various people and departments using it. The application development (AppDev) team is one of the bigger teams in need of the data DPA provides. Why? Because they, along with our DBA, are constantly deploying changes and want to see the difference.


For example, is the SQL query running slower or faster than before? As previously mentioned, some people are “accidental DBAs,” so if the query they implemented ran fine on a QA instance but performs poorly in production, they need to know why. Case in point: this exact scenario happened recently and was due to a missing index, which DPA quickly pointed out. As our DBA stressed, for someone not very experienced with index recommendations, the tuning advisors in DPA can be a lifesaver.


*One of the most popular DPA pages for before-and-after comparisons is the overall waits view, which is great for seeing how performance changed after a deployment.


Finally, IT Operations


At SolarWinds, IT Operations (IT Ops) is where the buck stops for overall system availability, and just like our DBA, they make extensive use of alerts. Depending on the alert, they may send a priority 3 email when something has reached a certain threshold. But if SQL Server were down, they would send an email as well as page Opsgenie, which then notifies the primary person on call and posts a message on Microsoft Teams. The IT Ops group also has certain alerts integrated with SolarWinds® Service Desk to automatically open tickets.


But what about databases and their health…does IT Ops care? The answer is yes because they rely on the DPA integration with SolarWinds Server & Application Monitor (SAM) to find the cause of performance issues on servers or when someone complains about application performance. Since DPA and SAM integrate with the SolarWinds Orion® Platform, you can navigate seamlessly between the products.


For example, they used the SAM integration to track a CPU spike on a server to a SQL Server database instance in a critical state. In this case, they immediately reached out to the SolarWinds DBA because they could tell the issue with the server was related to the database. However, if the DBA is unavailable, they rely on the suggestions and recommendations in DPA to diagnose the problem and take action or provide further documentation for either our DBA or AppDev.


Just as DBA and AppDev look for signs of abnormality, IT Ops looks at historical trends to find issues that may correlate to database issues. The integration of SAM and DPA makes this simple.


*IT Ops uses this page in Server & Application Monitor to see trends and then drill down and isolate the root cause. SAM’s integration with DPA makes this simple.


Summary


As stated in the introduction, the role of the DBA is changing and many people without a DBA title are involved with the performance of database applications. With the movement of database instances to IaaS and PaaS implementations, the ability to optimize, find, and resolve performance issues doesn’t go away. In some ways it becomes more important due to the potential impact on OpEx (aka your monthly Azure bill).

Change control. In theory it works. However, there’s always one person who thinks the process doesn’t apply to them. Their justification for going rogue may sound something like, “There’s no time to wait, this has to be done now,” and, “This is a small change, it won’t impact anything else,” or maybe, “This change will make things better.”


But at the end of the day, those changes inevitably end up crashing a service, slowing application performance, or, even worse, opening new vulnerabilities. The call will come in that something’s broken, and magically no one will know why on earth it’s happening, and they certainly won’t be able to remember whether any changes occurred…or who made them. There goes the rest of your day, looking for the root cause of an issue created by one of your own coworkers.


Recently, Head Geeks Thomas LaRock (sqlrockstar) and Leon Adato (adatole) hosted a THWACKcamp session on this exact topic. In their scenario the culprit was “Brad the DBA.” At SolarWinds, we understand this all-too-common scenario and have a tool designed to help.


SolarWinds® Server Configuration Monitor (SCM) provides an easy-to-use and affordable way to track when server or application configuration changes are being made, who’s making the changes, and what the differences are between the old configuration and the new one. It detects, tracks, and alerts on changes to things like hardware, software, operating systems, text and binary files, the Windows Registry, and script outputs on Windows® and Linux® servers.


Additionally, SCM is an Orion Platform-based module, meaning you can quickly correlate configuration changes with infrastructure and application performance metrics in a single view, helping confirm or reveal the possibility that a configuration change is the culprit.


These capabilities help provide you with the visibility needed not only to remediate issues faster, but also to hold non-process-abiding team members accountable for their actions. If you’re tired of the shenanigans created by colleagues not following the change control process for your servers and applications, check out a free, 30-day trial of Server Configuration Monitor. And just for fun, if you have a good story of how “Brad” broke your day, feel free to share below!

PASS Summit 2019 is here and SolarWinds will be at the conference, booth #416, November 5 – 8 in Seattle, Washington.


We’ll be showcasing the latest release of SolarWinds® Database Performance Analyzer (DPA), including our just announced support for Azure® SQL Managed Database Instance and SQL Server® 2019. No matter if you’re currently using DPA for your cross-platform database performance monitoring, or if you’re a “casual DBA,” stop by our booth for a demo to see the great new features we’ve added to this release.


And if you’re currently using any other SolarWinds products capable of integrating with the Orion® Platform, such as Server and Application Manager (SAM) or Virtualization Manager (VMAN), ask us how DPA seamlessly integrates with other products to give you a complete end-to-end view of your database applications.


Lastly, we’ve got two SolarWinds-sponsored events at the conference you should put on your calendar. One is the first timer’s reception we’re sponsoring Tuesday, November 5, from 4:45 – 6 p.m. in ballroom 6E at the convention center. The second is our presentation “SQL Server Performance Analysis Powered by Machine Learning,” Wednesday, November 6, at 1:30 p.m. in room 618 at the convention center.


Stop by and say hi. In addition to product demos, we’ll be giving away some cool swag.
