Monitoring Central

9 Posts authored by: joshberman

Do you know how to protect your organization's sensitive data from today’s cyberthreats? One way is to arm the enterprise with a security information and event management (SIEM) tool. SIEM solutions provide a meaningful contribution to defense-in-depth strategies with their ability to detect, defend against, and conduct post-mortem analysis on cyberattacks and general IT security anomalies. Over the years, they have become a contributing force in meeting, maintaining, and proving a business’ alignment with regulatory compliance frameworks such as HIPAA, PCI DSS, SOX, and more. Let's take a look at how SIEM software works and why it's a must have for your business.

 

What is SIEM?

 

Predecessors of SIEM solutions, security information management (SIM), and security event management (SEM) began merging into one security system over a decade ago. When you run a SIEM tool, all your relevant security data can come from multiple locations, but you can look at all that data from one dashboard. Being able to access data across numerous locations and evaluate it in one location makes it easier to spot unusual patterns and trends, and react and respond quickly to any possible threats.

 

The SIEM software collects information from event logs spanning all your devices, including anti-virus, spam filters, servers, firewalls, and more. It then uses key attributes (IPs, users, event types, memory, processes, ports) that can indicate security incidents or issues to alert and respond quickly—and in many cases, automatically.

 

How Does SIEM Help With Security?

 

The event management portion of a SIEM solution stores and interprets logs in a central location and allows analysis in near real-time, which means IT security personnel can take defensive actions much more rapidly. The information management component provides trend analysis, as well as automated and centralized reporting for compliance by collecting data into a central repository. As a whole, a SIEM tool provides quicker identification and better analysis and recovery of security events by combining these two functions. Another advantage is that compliance managers can confirm they are fulfilling their enterprise's legal compliance requirements with a SIEM tool.

 

Advantages of a SIEM Tool

 

There are many advantages to using a SIEM tool, other than only needing one tool to monitor cybersecurity. SIEM systems can be used for different purposes, so the benefits will vary from one organization to another, but every organization that uses a SIEM tool will experience these main benefits:

 

  1. Streamlined compliance reporting. SIEM solutions leverage the log data from various devices across an organization or enterprise.

 

  1. Better detect incidents that otherwise might be missed. SIEM products enable centralized analysis and reporting for an organization's security events. The IT security analysis may detect attacks that were not found through other means, and some SIEM products have the capabilities to attempt to stop attacks they detect—assuming they are still in progress.

 

  1. Improve their efficiency in handling activities. You can save time and resources with a SIEM tool because you can respond to security incidents more quickly and efficiently. IT professionals can quickly identify an attacker’s route, learn who has been affected, and implement automated mechanisms to stop the attack in its tracks.

 

What to Look for in a SIEM Tool

 

What features should you be looking for when shopping for a SIEM tool? Here are just a few of the important questions to consider when evaluating SIEM solutions:

 

  1. Does the SIEM provide enough native support for all relevant log sources?

 

  1. How well can the SIEM tool enhance current logging abilities?

 

  1. Can the SIEM software effectively use threat intelligence to your advantage?

 

  1. What features does the SIEM product offer to help carry out data analysis?

 

  1. Are the SIEM's automated response capabilities timely, secure, and effective?

 

Stay Protected with SolarWinds Log & Event Manager

 

There are numerous SIEM tools to choose from, but SolarWinds® Log & Event Manager (LEM) offers valuable features that can help you improve both your security and compliance, with relative ease and with limited impact on IT budgets.

 

These are just a few of the features LEM provides:

 

  1. Detect suspicious activity. Eliminate threats faster by instantaneously detecting suspicious activity and sending automated responses.

 

  1. Mitigate security threats. Conduct investigations of any security events and apply forensics for mitigation and compliance.

 

  1. Achieve auditable compliance. Demonstrate compliance with audit-proven reporting for HIPAA, PCI DSS, SOX, and more.

 

  1. Maintain continuous security. Your efforts to protect your business against cyberthreats should extend to the choices of software you employ to do so. LEM is deployed as a hardened virtual appliance with data encryption in transit and at rest, SSO/smart card integration, and more.

 

Purchase SolarWinds Log & Event Manager Software

 

Visit us online today to learn more about Log & Event Manager and get a free 30-day trial of the software. Learn more about the key features we offer in LEM, and watch our informative video explaining how it works. Get answers to frequently asked questions and hear from some of our very satisfied customers. This SIEM tool is clearly an industry favorite. Click here to see how it can help your enterprise or organization stay safe and secure from cyberthreats with the SolarWinds Log & Event Manager software.

In today's landscape of security breaches and cyberattacks, it seems like no company or network is completely immune to cybercrime. In fact, you don’t have to search very hard in the news to read about another cyberattack that has happened to a big corporation. Thankfully, developers are constantly looking out for these threats and building important security patches and updates protect the data. Let's look at some of the major vulnerabilities and attacks that have happened in 2017.

 

Microsoft Security Bulletin MS17-010 (March 14, 2017)

 

Although this wasn't exactly a hack, it serves as a great reminder of how scary security vulnerabilities in Microsoft® Windows® software can be. The bulletin detailed several cyber security threats, but the most severe vulnerability was the potential for an attacker to execute code on the target server. This vulnerability was so huge that Microsoft called the security patches “critical for all supported releases of Microsoft Windows.”

 

Imagine the impact this could have had if the cyber threat was not discovered and a security patch was not created.

 

The biggest impact of this bulletin was that it showed how many zero-day level flaws were present in Microsoft products that made users vulnerable to cyberattacks. Essentially, the combination of the delayed rollout of crucial security patches and enterprises’ often slow adoption of patches made all Microsoft users vulnerable to the WannaCry and NotPetya ransomware attacks.

 

WannaCry Ransomware Attack (May 12, 2017)

 

The WannaCry Ransomware attack was one of the most significant cyberattacks in 2017. Seventy-five thousand organizations from 99 countries reported being attacked. How did it happen?

 

A vulnerability called EternalBlue was responsible for spreading the WannaCry attack. This vulnerability was actually addressed in Microsoft’s security patches released in March. Unfortunately, many users had not yet installed these critical patches.

 

Impact of WannaCry

 

As the name implies, many Microsoft users probably did want to cry after being hit by this cyberattack. It created a moment where global internet security reached a state of emergency. WannaCry affected the U.K., Spain, Russia, Ukraine, Taiwan, and even some Chinese and U.S. entities. In many cases, companies were forced to pay $300+ to regain access to their files/system. However, there was another even more severe impact, as sixteen National Health Service organizations were locked out of their systems. Many doctors were unable to pull up patient files and emergency rooms were forced to divert people seeking urgent care.

 

Petrwrap/Petwrap/NotPetya Ransomware Attack (June 27, 2017)

 

This attack was even worse than the WannaCry attack. NotPetya did not act like other ransomware malware. Instead, it rebooted victims’ computers and encrypted their hard drive’s master file table, which rendered the master boot record inoperable. Those who were infected lost full access to their system. Additionally, the cyberattack seized information about the file names, size, and location on the physical disk. NotPetya spread because it used the EternalBlue vulnerability, just like WannaCry.

 

Impact of NotPetya

NotPetya reportedly infected 300,000 systems and servers throughout the world, including some in Russia, Denmark, France, the U.K., the U.S., and Ukraine. Ukraine was hit the hardest. Within just a few hours of the infection starting, the country’s government, top energy companies, private and state banks, the main airport, and metro system all reported hits on their systems.

 

How to Protect Your Business From Cyberattacks

 

The evidence is clear. Hackers are always on the prowl and cyberattacks will happen. The key is to be ready for them so you can prevent an attack from being successful. You must take every step possible to protect your company and your private information. There are several important things you can do, including making sure you always install security patches and updates. For example, if infected organizations had installed the update patches in March, they would have been protected from the WannaCry attack. Therefore, this simple step could be the difference in whether or not a cybercriminal is able to successfully hack into your data.

 

Think Prevention, Not Cure

 

While installing every patch developers make might seem like a hassle, the fact is these patches play a significant role in your cybersecurity efforts. There is great wisdom in the saying of “an ounce of prevention is worth a pound of cure” when you’re dealing with cybersecurity. It’s so much easier to take the necessary steps to prevent a cyberhack than it is to overcome all the problems after a breach occurs. Regularly installing security patches is a must, especially since you might not be aware of the possible threats that could be coming.

 

Let SolarWinds Patch Manager Do the Work for You

 

Although constantly installing these updates and patches can be a pain, and it can feel like you get a new patch almost every other day, patches are a necessary evil. Thanks to the SolarWinds® Patch Manager software, you can now leave this tedious chore to someone else. This intuitive patch management software allows you to quickly address software vulnerabilities in your system. SolarWinds Patch Manager offers several key features, including:

 

  1. Simplified patch management. Automate the patching and reporting process and save time by simplifying patch management on servers and workstations.
  2. Extend the capabilities of WSUS patch management. Decrease service interruptions and lower your security risks by helping ensure patches are applied and controlling what gets patched and when.
  3. Extend the use of Microsoft System Center Configuration Manager. Protect your servers, desktops, laptops, and Virtual Machines (VMs) with the most current patches for third-party apps.
  4. Demonstrate Patch Compliance. Stay up to date on all vulnerabilities and create summary reports to show patching status.

 

Additionally, SolarWinds Patch Manager offers a Patch Status Dashboard. The dashboard tracks who got patched and what still needs to be patched. You will be able to see the most recent available patches, the top patches you are still missing, and the overall general health of your cyber environment. Patch Manager also allows you to build your own packages for many other types of files, including .EXE, .MSI, or .MSL.

 

Download SolarWinds Patch Manager now to identify the vulnerabilities in your system and help protect your business.

Security breaches have become a consistent threat, so it is critical to remain aware of the many tools, resources, and protocols available to keep you safe online. To honor and celebrate National Cyber Security Awareness Month (NCSAM), we are offering several opportunities for you to get involved and learn something new.

 

Think you know your cybercrime history?

We have put together a timeline of some of the most notable cybersecurity breaches throughout history. To complement the timeline, we’ve compiled a cybersecurity history quiz to test your knowledge as you travel through the decades. Take the quiz for a chance to win awesome prizes!

 

We need your help!

If you review the Timeline of Cybercrime, you’ll see that it is far from a comprehensive list of all cybersecurity attacks over time. Submit your suggestion of a cyberattack to add to the timeline in the comments below and receive 250 THWACK® points for all valid suggestions!

 

To receive your 250 THWACK points, your submission should include:

  1. The name of a noteworthy breach, vulnerability, or security attack of your choosing (must not already be featured on the timeline of cybercrime)
  2. A sentence or two about the cyberattack of your choosing
  3. A source for your research

 

Submit your suggestion in the comments section below. Limit one entry per THWACKster.

 

THWACKcamp | October 18-19

THWACKcamp is right around the corner! I encourage you to check out one session in particular that’s sure to keep the conversation about cybersecurity top of mind: “Protecting the Business: Creating a Security Maturity Model with SIEM”

RSVP today!

 

Live webcast – Cybercrime: Defending Against the Next Attack | November 2

Following THWACKcamp and to conclude NCSAM, join @dez and @jhynds for a live webcast where they’ll discuss some of the highlights from the Timeline of Cybercrime, as well as tips and tricks to help businesses combat today’s most common cybersecurity threats.

Register now!

 

Enjoy, and stay safe out there!

Like traditional kung fu, in Security Kung Fu, there are two schools of thought. On one side, there are those guided by the industry’s best practices for IT security. On the other side, there are those who use regulatory frameworks like PCI DSS, HIPAA, SOX, and more as the guiding principles for their IT security strategy.

 

In the fourth and final chapter of the Security Kung Fu Series, we discussed these opposing strategies and provided insight into why our Security Kung Fu Masters view them as complementary, but not commensurate with one another.

 

If this subject is of interest, I strongly suggest you watch the on-demand recording of this session for a much deeper dive. Continue onward for a brief recap along with some highlights from the discussion.

 

Watch the On-Demand Recording | Check out the SlideShare®

 

Meet Your Security Kung Fu Masters

For the fourth and final chapter of the Security Kung Fu series, we decided to mix things up a bit. In addition to welcoming Jamie Hynds, Senior Product Manager for SolarWinds Security Portfolio—a featured speaker in some of our previous sessions—we were joined by Destiny Bertucci, Head Geek at SolarWinds.

 

With over 15 years of network management experience spanning healthcare and application engineering (nine of which she served as SolarWinds Senior Application Engineer), @Dez boasts an ever-growing ensemble of degrees and certifications with a slant towards IT security. If it’s not apparent now, you’ll see from this session that she really knows her stuff.

 

Beyond this,  Destiny is a frequent presence on THWACK®, most recently launching a blog/social commentary series on Geek Speak titled “Shields Down.” I strongly encourage you to follow along in her series and get involved in the discussion. Whether you’re an experienced IT security professional or on the lighter side of these skillsets, there is something for everyone. But don’t sit on the sidelines—share your stories and insights for the collective good of us all.

 

Regulatory Compliance

 

Compliance, as it relates to IT, involves adhering to rules and regulations that are meant to protect various types of sensitive data. It can govern everything from IT decision-making and purchasing, to configurations, and the policies and procedures a company must create and enforce to uphold this important task.

 

Rightfully so, many businesses are taking the obligation of compliance very seriously. After all, there is a lot at stake when fines and penalties can be levied against you (among other legal repercussions) for noncompliance.

 

Security vs. Compliance

Though, yes, compliance for many businesses is absolutely critical, it is not the end all be all. We contended throughout this session that taking a compliance-dominated approach to the way you secure your IT operations is not the way to go. In fact, with many of the examples we provided in this session, it can sometimes be a detriment to IT security.

 

On that note, we provided three really solid points to shape your mindset.

 

Compliance is more than a checkbox. Many view compliance as a “must have” to avoid the wrath of auditors. But, like I mentioned before, they let it dominate their IT strategy. Our tip is to not lose sight of the bigger picture. IT compliance should be seen as an opportunity to ensure the right controls are in place to actually keep your network and sensitive data secure.

As an example, it’s choosing between applying encryption for data in transit because it’s an IT best practice, instead of opting out of doing so because the regulations your business faces do not mandate it. If the end game is to ensure the confidentiality, integrity, and availability of sensitive data, you are doing yourself and your business a disservice and leaving yourself susceptible to attack without it.

 

“Compliant” does NOT equate to “secure.” Meeting regulatory compliance alone does not guarantee IT security. In some cases, it can lead you away from this objective. There are countless real-world examples of this, but it should be well-understood that in several cases, following compliance schemes strictly “by the book” can undercut your security responsibility. Why not go beyond what they dictate? For this, think of my earlier example involving encryption.

 

No one solution can make you compliant. The same too can be said for security in general, but simply applying one or more security solutions to your IT arsenal will not inherently make you compliant with any framework. Compliance involves many aspects outside of your software-purchasing decisions down to the very core of how your business operates.

 

In this session, we urged that for the sake of both these objectives, Defense in Depth strategies are applied. If you haven’t caught on yet, this was continually preached throughout the Security Kung Fu webinar series. 

 

According to the SANS Institute, Defense in Depth is “the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.”

 

This approach has for a long time been a mainstay in the security realm, but it too should play into your approach to compliance.

 

Five Tips for Continuous Compliance (and Security)

 

As we called an end to the Security Kung Fu series, we left our viewers with some concluding thoughts on this subject. In no way does this cover all your needs, but they are all worth considering.

 

  1. Define policies and establish your network security baseline.
  2. Collect, correlate, and securely store all relevant and required log data.
  3. Actively monitor and analyze what’s going on within the IT infrastructure at all times.
  4. Run regularly scheduled compliance reports.
  5. Leverage regulatory requirements and audits as an opportunity to truly assess network risks and help ensure the security of your entire IT infrastructure—from perimeter to endpoint!

 

A final takeaway, however: no matter your objectives, there are a multitude of software offerings from SolarWinds that can assist your business and support an in-depth defense strategy. Visit the IT Security Software page to learn more.

 

Well, I hope you enjoyed not only the webinars that made up this series, but each recap I’ve provided as well. As always, I welcome your feedback or thoughts on any of this subject matter.

While countless companies rely on Active Directory® (AD) to ensure only the right individuals have the right access, hackers still can penetrate, lie in wait, and jump at the next opportunity to elevate their permissions. Each move is calculated, and if undetected, earns them greater and greater access to data and systems to begin the slow siphoning of intelligence or suddenly launch IT security attacks.

 

How the bad guys get in can vary, but the who in this equation matters just as much. Not only do external parties pose a threat, there are also those coming from within your own ranks who can be just as dangerous, whether intentionally or not.

 

It can also be said that AD changes and events, such as unauthorized account provisioning, escalating of privileges, and changing user accounts may not only be indicators of malicious activity on the network, but the very acts themselves can create security holes that may lead to compromises in the future.

 

When threats can manifest from both outside and inside the four walls of your businesses, any practitioner of IT security would agree that sometimes the best offense is a strong defense. In Part Three of the Security Kung Fu Webinar Series, we discuss how monitoring for Active Directory changes using security information and event management solutions (or SIEM) can help you do just that, all while helping you meet certain regulatory compliance requirements in the process.

 

Building on each of the subjects covered in our previous two Security Kung Fu events, we turned our focus inward to cover the IT security threats coming from within. Dive right into this subject using the resources below, or read along for a quick recap of this session to further whet your appetite for some security goodness.

 

Watch the On-Demand Recording | Check out the SlideShare®

 

Meet Your Security Kung Fu Masters

Returning for this session are both Jamie Hynds and Ian Trump, featured speakers from Security Kung Fu: Playing with Fire(wall) Logs. If you missed the recap on this or any of the previous Security Kung Fu webinar sessions, be sure to check them out! And if you want to get deep in the weeds on certain IT security or compliance topics, I strongly encourage you to follow Jamie (@jhynds) on THWACK®. He’s published quite a few articles that are worth a read.

 

The Threats From Within

Though the lion’s share of media attention is placed on external hackers finding an “in,” numerous roads lead to IT security compromise. Insiders remain a very real and substantial threat. Whether by purposefully acting out of malice or enabling external threats through their own negligent actions (or simple inaction), there’s much to consider when turning your IT security focus inward. Here are some examples we highlighted as part of this session that you should definitely consider:

 

  • Malicious intent – Though touched on above, this speaks to the purposeful action on the part of trusted insiders to act in opposition to the interests of an organization. Common IT threats include fraud, sabotage, and theft or loss of confidential information.
  • Not following policies or procedures – Sometimes purposeful, sometimes not, this IT security threat involves acting out of accordance with internal guidelines regarding the use of technology or the handling, disposing, and disclosing of sensitive information to unauthorized parties.
  • Negligent behavior – Whether these actions violate clearly written and enforced policies or procedures, or plainly defy basic logic, this involves your own employees or individuals from the businesses you represent unknowingly putting your IT operations in harm’s way. As simple as falling prey to phishing attacks or some other mode of social engineering, their actions may not have been explicitly forbidden, but they still result in compromise.
  • Integrity of the AD Domain – Though Active Directory is in place to ensure many of the above forms of threats do not either take a foothold or spread, simple actions on the AD Domain can give rise to security issues as well. Despite being a fundamental practice for an IT organization, potential Active Directory security vulnerabilities can be cause for concern when hackers are looking for the keys to the kingdom. If you give them an inch, they’ll take a mile.

 

I should temper this in saying that in no way is this any exhaustive list. In fact, we go into greater detail about other possible internally-caused IT security issues on the webinar itself. The point here is that there are numerous ways a trusted insider can become your weakest link or gravest threat.

 

The Necessity of Monitoring Active Directory

We cover each of these modes of insider threats and signs of abuse with purpose. It highlights the very important need for monitoring and auditing Active Directory changes to at least identify the signs that something has gone awry.

 

A SIEM tool is perfect for that. Not only can you use one to keep close watch of things, but it can also issue alerts when an anomaly is spotted. Further, this software can help enable real-time active responses, such as logging off users, blocking IP addresses, killing processes, and adjusting Active Directory settings at the first sign of threat. SIEM solutions can not only contribute to improving IT security, but also compliance.

 

So, what are among the most pertinent items to look out for when monitoring Active Directory changes? Here are some of the standouts:

 

  • User events
  • Authentication events
  • Group changes
  • Policy changes
  • Password resets

 

Though seemingly harmless, these actions should be reviewed for authenticity. There’s simply too much at stake.

 

Pro Tip: Users of Log & Event Manager (LEM), SolarWinds’ own SIEM solution, should check out this video in the SolarWinds Success Center for guidance on how to leverage LEM to detect privilege changes in Active Directory.

 

A Nod to Compliance

The ability to monitor and respond to threats is so critical to a business’ IT security, and the ultimate goal of maintaining the confidentiality, integrity, and availability of sensitive data, that it’s no wonder many of the top compliance frameworks include provisions that cite the need for monitoring for such Active Directory changes. We spoke about this in depth during an Ultimate Window Security Event we participated in, titled “Monitoring Active Directory Changes for Compliance: Top 32 Security Events IDs to Watch and What They Mean.” SOX, HIPAA, PCI DSS, FISMA, NIST, GLBA—you name any compliance law or standard—all cover, in some way, the need for tracking such actions. There are even certain AD events that can be mapped directly to these frameworks to assist in meeting certain objectives and demonstrate potential IT security vulnerabilities to auditors.

 

Though we only touched on the subject briefly as part of this and our other Security Kung Fu webinars, the fourth and final event in the series covers the topic of compliance in-depth. There, we discussed the two prevailing “schools of thought,” or drivers of IT decision-making and practice: security vs. compliance.

 

I hope you’re finding these session recaps helpful. Stay tuned for my recap of the final session from the Security Kung Fu series.

 

Firewalls are an important first line of defense against a range of security threats. But outside of brute force hacks, countless a firewall has fallen to more sophisticated modes of attack, if not circumvented altogether. The consequence of which means hackers gain access to the network and trouble ensues.

 

Part Two of the Security Kung Fu Webinar Series built upon our previous discussions (check out the Security Kung Fu: SIEM Solutions blog for a recap) to highlight the important role firewalls play in network security and how log messages generated from these devices can provide meaningful insights to either thwart a security incident altogether, or assist in stopping one in its tracks. That is, assuming you’re armed with the right tools.

 

As important as it is to collect logs from these (and other) network devices, just as important is what you do with the data you collect. That’s where SIEM solutions come in. Beyond this, we discussed how NCCM solutions contribute to deeper security and what for many companies is an end-all, be-all: helping them handle a variety of regulatory compliance objectives.

 

If this piques your interest, I encourage you to dive into the resources below or read along to find out all this event had to offer!

 

Watch the On-Demand Recording | Check out the SlideShare®

 

Meet the Security Kung Fu Masters

In addition to Ian Trump, a featured speaker in the first installment of the Security Kung Fu series, we welcomed Jamie Hynds, Senior Product Manager for SolarWinds® Security Portfolio. Jamie has years of experience in a variety of roles such as Sales Engineer for SolarWinds, IT Auditor and Security Consultant for Deloitte®, among others. In each capacity, he has assisted businesses in adopting technologies to enhance security, meet regulatory IT compliance, and pass audits for a broad array of compliance frameworks.

 

Be sure to check out Jamie’s often security-centric posts on THWACK® as well. He posts under the handle @jhynds.

 

Anatomy of an Attack

Once again referencing the Lockheed Martin Cyber Kill Chain®, we reviewed how firewalls protect against outside threats at the “Delivery” stage of this model by enabling certain defensible strategies. But despite the presence of physical/virtual barriers to a network, perimeter defenses are not enough. They can, however, further aid in the detection of threats. As we say in the series “the devil is in the details”… details found in your log data.

 

The Detection Deficit

Avid readers of security reports, like myself, may have grown fond of the Verizon® Data Breach Investigations Report (DBIR). Each year, analysts from Verizon publish the results of the miles of anonymous data they gather on actual security incidents (and breaches) from the prior year.

 

What was once a mainstay of this report tracked an important statistic dubbed the “detection deficit.” The detection deficit refers to the gap between an attacker’s “time to compromise” and the defender’s “time to discover.” Pretty important stuff, huh? Well, in an unfortunate turn of events, this measure was dropped from the 2017 Verizon DBIR that published shortly after the Security Kung Fu: Playing with Fire(wall) Logs webcast took place. Given that all the data collected for the DBIR is based on breaches that actually occurred, there wasn’t a logical need to track this measure moving forward, as it was “unlikely to ever show any improvement.”

 

Still, it’s an important subject. The more time it takes to discover threats on your network, the more damage can be done. Lowering your “mean time to detection” for security incidents is absolutely critical. As we contended in this session, with help from SIEM and NCCM solutions, your firewalls can play a big part in doing so.

 

The Role of SIEM and NCCM Solutions

A lot can be said about SIEM and NCCM solutions outright, but working in tandem with your firewalls, they have the potential for some really neat use cases. @Dez sums it up nicely in this post, which served as a reflection of this Security Kung Fu event. On one hand, a SIEM can help you spot malicious behavior on a firewall, including: malformed packets, unusual traffic patterns, unauthorized access, and unauthorized changes. On the back half (so to speak), using an NCCM solution, you can recover even if unauthorized changes disrupt operations or have some sort of greater impact. (Ringing any bells from Part One of the Security Kung Fu Series?)

 

When it’s all said and done, our Security Kung Fu Masters advised that when it comes to firewalls, you must be able to:

  • Monitor for abnormal activity, unexpected access attempts, and potential threats
  • Eliminate downtime due to misconfigurations—know what changed and when, and have the ability to back up to last known good configuration
  • Automate security audits and reports to not only verify security, but also compliance

 

Just a reminder: in no way is this an exhaustive list. Luckily for you, with a couple of products added to your arsenal, you can cover the bulk of these needs.

 

For more tips on how to improve your IT security posture, check out the entire Security Kung Fu webinar series, now available on-demand.

With a 24-hour news cycle, we are constantly bombarded with headlines detailing the latest data breach, malware infection, email phishing scam, or high-profile compliance violation. Although the source of these incidents often varies, the consequences for businesses of all sizes remain relatively the same: hefty fines, brand damage, loss of customer loyalty, and in more severe cases, criminal penalties and lawsuits.


It’s no wonder nowadays we no longer consider IT security a “nice-to-have,” but a matter of your company’s survival.

 

In each of the Security Kung Fu webcasts, we dedicate at least a portion of the session to discussing the “cyber threatscape” and its impact on business. In many cases, this can be profound, especially if breaches of sensitive information are involved. Be sure to check out the  Security Kung Fu: The Saga Begins blog, where I summarized the perspectives of my colleagues on this very subject. But, enough with the doom and gloom. I’m sure with all this in mind, it begs the question, “What are businesses doing to protect themselves?” For starters, as we learned in Part One of the Security Kung Fu Webinar Series, they’re applying several “security stances” (as we’ve dubbed them) to help the situation.

 

As part of this session, we discussed these security stances in-full and take a deeper look at the role of Security Information and Event Management (SIEM) solutions in assisting with this approach. I encourage you to dive into the resources below to learn more or read along to find out what all this event had to offer!

 

Watch the On-Demand Recording | Check out the SlideShare

 

Meet the Security Kung Fu Masters

For this inaugural session of the Security Kung Fu Series, I welcomed SolarWinds Sales Engineer, Curtis Ingram. You may recognize him under his THWACK® handle (@curtisi), but in case you don’t, Curtis possesses a deep knowledge of IT security, compliance, and the role of SIEM solutions in meeting these important business objectives, which he often shares on THWACK.

 

Along with Curtis, we were joined by Ian Trump, a cybersecurity strategist with over 20 years of experience that all began with a stint in the Canadian Forces, Military Intelligence Branch. Ian’s 2016 in-depth analysis of cybercrime and threats of the future was featured in industry publications, such as SC Magazine®, Infosecurity®, IDG Connect®, CBR, The Times, USA Today®, and The Sunday Herald. He continues to be a well sought-after resource on the topic of cybersecurity, as a thought leader on the subject.

 

Three Security Stances

As noted above, our Security Kung Fu Masters set out to describe the various ways businesses are arming themselves to combat cybersecurity threats. These security strategies classified into three distinct groupings: proactive, detective, and reactive-recovery. Here’s a taste of what we learned.

 

Proactive Security

Proactive security is generally preventative. It involves hardening endpoints, applying things like antivirus software or patch management software, and conducting user awareness training. These are all methods of preventing bad guys from getting on the network.

 

The subject of taking preventative measures has been around in the security industry for ages, and a strong majority of solutions in the security space align with this stance. However, we contend that taking this approach alone is simply not enough. Furthermore, these proactive measures can sometimes give you a sense of over-confidence, which in many cases, is downright dangerous.

 

Detective Security

Due to the growing sophistication of hackers and their ability to identify and bypass common means of defense, detective security is becoming increasingly important. Detective security applies the use of SIEM solutions to help you establish what is “normal” activity and distinguish it from the abnormal. Not all anomalies on the network correspond to security incidents, but having a means of determining the difference is critical. More on the SIEM solutions piece in a bit.

 

Reactive-Recovery Security

The reactive-recovery stance fills an important gap not fully addressed in the previous stances. It involves responding to and recovering from compromise. This often takes the form of a backup service offering, which provides the ability to restore business operations to normal and maintain the availability of data. The most widely understood example of this involves the threat of ransomware. Rather than fronting the bill for recovering an encryption key to unlock their data, businesses will simply restore from backup to minimize its impact and keep IT operations up and running.

 

The Role of SIEM Solutions

As you might have gathered, businesses must do a lot to fully prepare for and guard against the multitude of threats they face. In the absence of time, we honed in on one such solution that contributes to this goal and is the sole-supporter of the detective stance as we described it: SIEM solutions. Here is what we’ve picked up:

 

SIEM solutions have evolved to play a much more critical part in improving a business’ IT security posture and helping to usher in a state of compliance. Looking to the Lockheed Martin Cyber Kill Chain® as a teaching aid, we understand the anatomy of a cyberattack and its various stages. From this, a SIEM solution’s contributions become clear.

 

  • Gives you visibility in an area that is critical to your business “Threat Hunting”
  • Only solution with forensic feature to go back in time to review incidents
  • Assists with compliance and providing evidence for IT security audits
  • Uncovers unauthorized changes in the environment
  • Detects insider threats such as data ex-filtration
  • Provides a record of network layer activity, correlated with machine data and ultimately user behavior

 

Which Security Stance is Best?

Though much can be said for taking a proactive stance, this alone does not allow you the flexibility you need to meet modern IT security threats. If not backed by the detective stance, in particular, you’re in for a hard ride. But the fact of the matter is that you really need them all to complete a well-rounded approach. This means, the application of a variety of security solutions, the training of your employees, and so much more all needs to be present in your security strategy, lest risk security holes that can lead to compromise.

 

Like what you’re reading so far? Be sure to check out the entire Security Kung Fu webinar series on-demand and stay tuned for my next blog recapping Part Two of this series.

I know what you’re thinking… why “kung fu?” and “What does martial arts have to do with IT security and how I protect my network?” Well, kung fu is a Chinese term referring to any study, learning, or practice that requires patience, energy, hard work, discipline, and time to complete. So, really, it’s not just martial arts. Perhaps, by this definition, you’re starting to see the parallels we’ve identified with IT security.

 

Today’s Cybersecurity Climate

According to Forbes®, the cybersecurity marketplace is predicted to be worth $170 billion by 2020—that’s over double its reported size in 2015. But, perhaps most telling of the threats business truly face is the fact that the costs associated with cybercrime are projected to exceed $2 trillion by 2019.

 

What’s fueling this growth? Well, there are certainly a number of factors, but what’s clear is that hacker motives have strongly shifted towards “financial gains,” at least according to SolarWinds Head Geek, Destiny Bertucci. While shock-value/notoriety/entertainment supported hacking in its early rise, money has been a major influence in its more recent uptick. Hackers have a lot to gain, and we all have a lot to lose.

 

Another issue at the root of this rise in cybercrime costs (and the cybersecurity market’s corresponding growth) is the pervasiveness of these crimes. Gone are the days where these modes of attack were reserved for top-notch, tech savvy, and highly motivated individuals. Today, Crime-as-a-Service underpins cybercrime and the technical layman is now being armed with the ability to launch an attack.

 

Whether or not you’re explicitly tasked with upholding IT security for your business, given the current outlook, it is now everyone’s responsibility. It is no longer a matter of if you’ll get hacked, but when. IT security solutions today are about limiting the attack surface, applying defense in-depth strategies, and leveraging a multitude of tools (not just one or a few) to do so.

 

We recently opened our cyber-dojo to allow our very own Security Kung Fu Masters to bestow their wisdom and teachings unto the larger IT community. Black belts in white hat hacking, industry mavens, scholars of security, and even former compliance auditors joined ranks to discuss these very subjects in a four-part webinar series aptly named “Security Kung Fu.” If you missed the live versions of these sessions, no need to worry—we have made them all available on-demand for your viewing pleasure. Read along to see what each stage in this journey had to offer.

 

Watch the Security Kung Fu Series On-Demand

 

SIEM Solutions

In Part 1, we took an in-depth look at the cybersecurity climate businesses are currently facing and educated ourselves on the cybercrime industry as a whole. Using the Lockheed Martin Cyber Kill Chain® as an example, we discussed the role SIEM solutions play in identifying security threats and discussed the unique capabilities of such solutions to allow users to go back in time to conduct forensic analysis of security incidents and verified threats.

 

Playing With Fire(wall) Logs

Part 2 of the series turned our attention to the periphery of a network to focus on how firewalls serve as a first line of defense against security threats. In addition to discussing the patterns of attack that have been demonstrated countless times by hackers, we showed how firewall log data can give notice of network infiltration attempts, data exfiltration, and more. Beyond that, we discussed how Network Configuration and Change Management (NCCM) solutions can contribute to a deeper IT security solution by helping to alert you to config changes on firewalls (and other network devices), in addition to a host of other capabilities.

 

The Security Threats From Within

In Part 3, we took an introspective look to discuss the threats coming from within, or at least identified from within a business' own network. We looked at how Active Directory® changes such as adding users to privileged groups, escalating privileges, and changing user accounts may not only be indicators of malicious activity on the network, but the very acts themselves can create security holes that may lead to future compromises. We discussed the need to track these changes appropriately in order to give critical insight into anomalous activity and promote the long-term security health of an IT operation.

 

Two Schools of Thought: Security vs. Compliance

Part 4, the final chapter of the Security Kung Fu Series, we covered a subject that had only served as an undertone in our previous sessions: compliance. We discussed why letting compliance rule the security strategy for a business can ultimately lead to pitfalls that compromise both objectives.

Software Advice (a Gartner® company) recently published their FrontRunners™ quadrant, an assessment of the best help desk software for 2017. I’m excited to announce that SolarWinds® Web Help Desk® not only made the list, but was identified as a leader when compared to the total 460 help desk and IT service management solutions that were evaluated. That’s right—Web Help Desk was recognized as one of only three leaders in this category, and to top things off, it was positioned as the greatest value for small businesses among the entire field!

 

About the FrontRunners Quadrant

The FrontRunners quadrant for help desk software, which is powered by Gartner Methodology, offers a data-driven, comparative assessment of the capabilities and value these products provide for North American small businesses. In true form, the outputs of this assessment are displayed in a “sister” quadrant to that of the iconic Magic Quadrant, which is synonymous with the Gartner name. The top 20-25 solutions fall into one of the following four categories: Leaders, Masters, Pacesetters, and Contenders. Chief among them, however, are the Leaders, which offer the greatest breadth of functionality and serve the widest variety of customers.

 

Independent research, by companies such Software Advice, is key to helping small businesses make informed decisions about the right choice in software. These types of decisions become critical to supporting business needs and driving productivity.

 

A Special Thanks to Web Help Desk Customers

Software Advice’s evaluation of Web Help Desk relied heavily on the reviews and ratings from our customers as part of its scoring system, which in my mind, makes this achievement so much more meaningful. Take a look at some of the comments we received that helped us land such high marks.

 

“Simple, quick setup. Very easy to use. Found nothing it's lacking.”

    - Perry Johnson, Network Administrator, Periscope

 

“It has the potential to be the best helpdesk software on the market, and currently is really good”

    - Jeremy Mayfield, IT Director, American Cement Company

 

“Web Help Desk has the features we need to make our support experience painless for our end users.”

    - Ross Burdick, Network Support Specialist, Aberdeen Public Schools

 

“A helpdesk product that integrates with SolarWinds? Yes, please!”

    - David Whittaker, Systems Administrator, Bird Stairs

 

“A very robust ticketing system, with a lot of customizable options.”

    - Erik Stallings, End User Support Manager, World Travel Holdings

 

“Web Help Desk has really taken our ticket and tracking system to a whole new level!”

    - Jon Billiau, Sys Admin, Industrial Control Repair

 

Follow the leader

Interested in seeing firsthand why Web Help Desk is a leader in the space? Download a free, fully functional 14-day trial today and see for yourself!

 

The content for the FrontRunners quadrant is derived from actual end-user reviews and ratings as well as vendor-supplied and publicly available product and company information that gets applied against a documented methodology; the results neither represent the views of, nor constitute an endorsement by, Gartner or any of its affiliates.

SolarWinds uses cookies on its websites to make your online experience easier and better. By using our website, you consent to our use of cookies. For more information on cookies, see our cookie policy.