Managing the IT infrastructure for your organisation and shielding your network against security threats can be a thankless job that demands a lot of time and expertise. Below are some key pain points that IT professionals face on a daily basis when trying to manage a secure network.
1. Extracting useful information out of events
Consider the volume of logs produced by AD or a firewall: the sheer volume presents many challenges. Every admin wastes a lot of time trying to extract useful information from the logged events and to understand the root cause. There are also situations where IT admins need to track down how many VPN connections happened after hours, the top sources for specific firewall ACLs, and so on.
Solution: SolarWinds Log & Event Manager (LEM) aggregates all the logs into a single location, thus making troubleshooting, root-cause analysis and forensics much easier. These log entries are processed (or normalised) to extract information and display the data in a common column/field-based format, rather than the complex format that you see in the source data.
These normalised events are processed against your rules, sent to your database for archiving, and sent to the LEM Console for monitoring. As there can be millions of events each day, the LEM Console uses filters to categorise the types of events in real time.
LEM also helps you identify the source IP behind an account lockout, and then lets you re-enable that account from the web console or automate that process.
2. Event Consolidation & Correlation
Typically, security admins spend a lot of time searching through events across their network and systems, which makes it difficult for them to identify the issue and take a timely response.
Solution: SolarWinds LEM offers an easy way of searching through millions of events across your network and gives you the ability to ignore the type of device and focus on behaviour patterns. Event correlation is the key to an effective SIEM solution, and LEM provides hundreds of pre-built rules with an easy-to-use interface for customisation, giving LEM a significant advantage over Splunk. The real-time, in-memory analytics also ensure that when there is a security issue, the notification and response are instantaneous.
With LEM's nDepth visualisation techniques, you can examine your log data from several perspectives and respond to events in real time. The nDepth view contains a powerful search engine that lets you search all of the event data and displays the search results with several different visual tools, which can also be combined into a customisable dashboard. You can also analyse the root cause of events using historic data and compare raw data and normalised events side by side.
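The normalisation and correlation described in sections 1 and 2 can be illustrated with a small, added example (it is not LEM code and makes no claim about LEM's internals). It maps two constructed log formats onto one common field set and then runs three of the questions from above against those fields: VPN connections after hours, top sources for a firewall ACL, and the source IP behind a burst of failed logons that would lock an account out. The line formats, field names and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in two made-up formats (not real product output): Windows-style
# security events and firewall VPN/ACL syslog.
RAW_LOGS = [
    "2024-03-01T22:15:02 WIN EventID=4625 user=alice src=10.0.0.5",
    "2024-03-01T22:15:09 WIN EventID=4625 user=alice src=10.0.0.5",
    "2024-03-01T22:15:20 WIN EventID=4625 user=alice src=10.0.0.5",
    "2024-03-01T23:30:00 FW action=vpn-connect user=carol src=203.0.113.9",
    "2024-03-01T10:30:00 FW action=vpn-connect user=dave src=203.0.113.10",
    "2024-03-01T11:00:00 FW action=deny acl=ACL-DMZ src=198.51.100.4",
    "2024-03-01T11:01:00 FW action=deny acl=ACL-DMZ src=198.51.100.4",
    "2024-03-01T11:02:00 FW action=deny acl=ACL-DMZ src=198.51.100.8",
]
WIN_RE = re.compile(r"^(\S+) WIN EventID=(\d+) user=(\S+) src=(\S+)$")
FW_RE = re.compile(r"^(\S+) FW action=(\S+)(?: acl=(\S+))?(?: user=(\S+))? src=(\S+)$")

def normalise(line):
    """Map one raw line onto the common field set that every rule below queries."""
    if m := WIN_RE.match(line):
        ts, eid, user, src = m.groups()
        event = "logon_failure" if eid == "4625" else "win_" + eid
        return {"ts": datetime.fromisoformat(ts), "src_type": "windows", "event": event, "user": user, "src_ip": src, "acl": None}
    if m := FW_RE.match(line):
        ts, action, acl, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "src_type": "firewall", "event": action, "user": user, "src_ip": src, "acl": acl}
    return None  # unparsed lines are dropped here; a real pipeline would count and flag them

EVENTS = [e for e in map(normalise, RAW_LOGS) if e]

def after_hours_vpn(events, start=18, end=7):
    """VPN connections outside business hours (from 18:00 until before 07:00)."""
    return [e for e in events if e["event"] == "vpn-connect" and (e["ts"].hour >= start or e["ts"].hour < end)]

def top_acl_sources(events, acl, n=3):
    """Most frequent source IPs hitting one firewall ACL."""
    return Counter(e["src_ip"] for e in events if e["acl"] == acl).most_common(n)

def lockout_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: `threshold` failed logons per account inside `window` -> {user: source IP}."""
    by_user = defaultdict(list)
    for e in sorted((x for x in events if x["event"] == "logon_failure"), key=lambda x: x["ts"]):
        by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window:
                hits[user] = Counter(x["src_ip"] for x in evs[i:i + threshold]).most_common(1)[0][0]
                break
    return hits
```

Because every rule reads the same normalised fields, adding a third log source only means adding another parser branch in `normalise`, not rewriting the rules.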
3. Workstation Edition Security Issues
Workstation security has long been a concern for most security admins, given how exposed workstations are. Your employees process content from the Internet and email, so there is a real chance they come into contact with infected files; they may also share files or use external mass storage devices. Monitoring this activity becomes very difficult, especially when your IT environment is continuously growing.
Solution: LEM monitors both server logs as well as workstation logs and tracks key information like:
Logon/Logoff attempts, Non-compliant folder sharing, URLs accessed, Insecure file transfer, Unauthorised software installation, Malicious processes, Misappropriation of user privileges
LEM helps you troubleshoot issues effectively by correlating multiple events to reveal the relationships between activities, and it alerts you as soon as it encounters a security threat. Based on the log information, LEM also provides many useful built-in Active Responses that can help combat critical workstation security threats on your network: they react in real time and counter anomalies, threats and policy violations without requiring human intervention to confirm or activate any action.
Some key active responses include:
Delete User Account and User Group, Block IP address, Log Off User, Restart/Shutdown Machine, Disable USB devices