Skip navigation

Now that Virtualization Manager (VMAN) 6.3 includes new management actions, alert remediation, and more, we’ve moved full steam ahead on the next release. We are continuing the evolution into a complete monitoring and management tool for virtualization environment. Here are the highlights of what we have we are currently working on:

 

  • Continued integration into the SolarWinds Orion platform
  • Orion Global Search
  • Recommendations - Recommended actions to take to ensure performance, optimal capacity, avoid potential issues, and improve uptime.
  • Red Hat Enterprise Virtualization (KVM) support
  • Citrix XenServer Support
  • Cloud Monitoring and Management
  • VMware vCenter and Microsoft Hyper-V Events

 

Disclaimer:  Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are base on the product teams intentions, but those plans can change at any time.

 

If you don't see what you are looking for here, you can always add your idea(s) and vote on features in our Virtualization Manager Feature Requests forum.

Over the last few months, the Log & Event Manager (LEM) team has been working hard on a not so short list of features. I'm excited to announce that a major feature of the upcoming release of LEM 6.2 will be something that you all have asked for time and again: Threat Intelligence Feed integration. And so, I decided to take a moment to show off a bit of what the feature will look like and provide a chance to test the new functionality.

 

So before I get started, feel free to click below to be included in the LEM 6.2 beta program to test out new features such as the Threat Intelligence Feed and more.

 

download button.png

 

What's in the Threat Intelligence Feed for me?

The concept of Threat Intelligence is one that has been covered in the world of security news for some time now. Problem is that, generally speaking, the term opens itself to a broad range of implementations and thus can mean something different to any vendor. So why should you care about the feature as it applies to SolarWinds? LEM 6.2's Threat Intelligence Feed will allow your organization to be prepared to recognize and handle already known and proven threats. With LEM analyzing your environment for activity against a list of known malicious threats, you will be able to easily incorporate the shared knowledge of top, reputable threat lists into your own workflows to prevent yourself from the risk these threats pose. Since that is a lot of words, let's jump into some screenshots that will help to better clarify what the new feature brings.

 

 

From Reactive to Proactive

LEM's new Threat Intelligence Feed is what allows your organization to move from reactive detection, looking around your environment as best you can hoping to surface suspicious activity, to the world of proactive detection - creating workflows that will ensure you know right away when known bad actors have made the way to your own environment.

 

We've all been there before - pulling down a list of threat indicators and manually searching for traces of them throughout our environment. Well with the Threat Intelligence Feed, that won't be necessary because the part that we know our customers will delight in most is the ease of implementation. All you have to do is check a box in your LEM console's Appliances Properties screen and you've enabled automatic coverage of some of the top threat lists available today.

 

threat_intelligence_enable.png

 

Search and Filters and Rules - Oh my!

Once enabled, LEM will automatically begin detecting threats in your environment. And if it finds something, it's readily available to you throughout LEM. The first place you'll be able to find it is through an nDepth search (see below - the highlighted event has been flagged by LEM as a known threat).

ndepth.png

 

Of course we know that search isn't the ideal way to consume such critical security information, so of course we will include out-of-the-box functionality that will help you get the most value out of this feature. This includes pre-built Filters, such as the one for All Threat Events seen in the screenshot below.

filters.png

 

And, finally, who would we be if we didn't provide out-of-the-box correlation rules, allowing you to take action and alert whenever a threat event is found in your environment (just in case you don't spend your whole day in the LEM console - which is how I spend mine). See the image below for a rule to take action on a potential threat flagged by the Threat Intelligence Feed.

ootb correlation rule.png

 

In summary

While there's more in store for the release of LEM 6.2, the Threat Intelligence Feed is a feature we are excited about and hope that you are excited about too. As such, we want to get this into your hands ASAP so we can get your thoughts on it while we still have time to make fixes and improvements.

 

So if you're a current LEM customer interested in testing out LEM 6.2 and getting your hands on new features such as the Threat Intelligence Feed, sign up for the beta here.

Since the release on NPM 11.5 we've been hard at working building the next round of exciting functionality and improvements in existing functionality.  I'm excited to share the following list of items we're working on:

 


Ongoing Initiatives:

  • Increased scalability per SolarWinds instance (target of 250k elements / instance)
  • Improved performance and decreased resource load times via analysis with SolarWinds DPA
  • Increased number of pollers possible per instance

 

You can always access the most up to date version of this information here: What We're Working on for NPM (Updated March 17th, 2017)

 

Disclaimer:  Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are base on the product teams intentions, but those plans can change at any time.

I’ve got a question for you:  "If Orion were a car, what kind of car would it be?"

current.png

 

We recently asked customers this question during feedback sessions.  The responses were quite consistent, and very telling. One user said:

 

“A Ram 1500 work truck; it’s got lots of compartments for tools but sometimes I just can’t find that wrench I need even though I know it’s in there somewhere! It’s not as luxurious or attractive as some of its competitors”

 

Agreed - Orion certainly is a workhorse! In addition to comments about the attractiveness of the design, there is a deeper theme in this quote that many other users echoed.  We can do better in terms of findability and usability. To address these concerns, we are working on a series of user experience (UX) improvements that we plan to release in addition to our normal features and functionality.

 

Catching up with the times

 

As a first step, we've been working to modernize and refresh the UI.  While these changes may appear to be a basic facelift, our primary goal is to set the stage for the future.

 

We focused on a few key areas that we've heard loud and clear from you:

  • Minimize space used by the header and make more room for data.  The current header takes up a lot of space, the tabs can be difficult to navigate (try hovering over a tab and then clicking on the last item in the menu bar), and that big yellow notification banner? No, thank you. The content on the page should be front-and-center.
  • Eliminate visual noise to help you focus on what is important.  The current visual design uses a mixture of colors, styles and iconography which are pretty on their own, but make it hard to parse the UI when they are shown all together. Taking a step back, the UI should highlight status, exceeded thresholds and alerts.  The big red things should draw your attention.
  • Simplify, but support density of information. There is a delicate balance between creating a roomy, clean visual design and showing data in proximity with other necessary pieces of information. Our goal is to stop the "pogo stick" effect, which requires you to jump around the page to find what you need. We haven't fully addressed this issue with the UI refresh, but we have taken baby steps.

 

You tell us, "If this version of Orion was a car, what kind of car would it be?"

new.png

 

Rome Wasn’t Built in a Day!

 

We’re putting the final touches on the modern UI, and now we’re kicking off deeper UX improvements.  Joel Dolisy, our CTO, recently referenced these efforts during the thwackCamp keynote address (1min 26sec).

 

Here is a sneak-peek at some the ideas we’re investigating:

  • Re-building the front-end using browser UI frameworks and HTML5 - AngularJS, CSS3, and some cool visualization engines for those of your who really want to geek out. Here’s looking at you, wanine39!
  • Pulling data from multiple sources to create powerful visualizations.  For example, stacking performance metrics on a single timeline for easy correlation (see a conceptual design below).
  • Improving user interactions to keep up with excellent browser applications - Google Maps, Photos, etc. More exciting interactions should take our products beyond useful, and in to the realm of delightful.

stack.png

 

 

Become an active partner in UI and UX design

 

Input from you, our users, has helped to shape the direction we’ve taken.  Keep the feedback coming to ensure that we stay on track! There are a couple ways to stay involved:

 

  • Get a sneak peak and share feedback on the UI refresh through the SAM 6.3 beta

button.png?t=Sign+up+to+download+the+SAM+6.3+beta&f=Calibri&ts=20&tc=fff&tshs=0&tshc=000&hp=20&vp=8&c=9&bgt=unicolored&bgc=e69138&bs=1&bc=fff

  • Give us early feedback on ideas, designs and builds by signing up to participate in walkthroughs and feedback sessions with our research team (Hi Kellie!):

button.png?t=Sign+up+to+participate+in+UX+feedback+sessions&f=Calibri&ts=20&tc=fff&tshs=0&tshc=000&hp=20&vp=8&c=9&bgt=unicolored&bgc=3d85c6&bs=1&bc=fff

 

SolarWinds Time Machine

 

And now, for some fun, here's a brief history of the Orion UI! Which is the earliest version that you remember?

1.png

2.png

3.png

4.png

5.png

6.png

7.png

8.png

 

Disclaimer:  Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are base on the product teams intentions, but those plans can change at any time.

It's been a while since we talked SolarWinds Patch Manager and patching in general here on the Product Blog, but with VMWorld 2015 right around the corner all things virtual are on our minds. Here's a few quick considerations to make when thinking about patching and maintaining virtual systems.

 

Is patching virtual (guest) systems really different? Yes, and no.

 

At the most fundamental level, patching virtual guest systems isn't really different than patching physical systems. You back the system up (hopefully), you install patches (which you tested first, right?), and if necessary, finish with a reboot. Seems simple enough, but there's points along the way where we can really take advantage of virtual systems - and virtual systems can help back us up when we're being lazy (or hasty).

 

  1. Backing up the system: here we can take advantage of the virtual environment's ability to take snapshots, either by integration with our backup system, integration with our patching system, or by hand. Snapshots can really cover your assets when it comes to making a mistake, or if a patch has unintended consequences (not that vendors ever make a mistake, right?). If a system fails to come back after a patch or you need time to diagnose an issue, reverting to snapshot while you clone and re-test is much more simple than the old school "revert from a backup? sigh..." or relying on Windows' ability to take reliable system restore points.
  2. Testing patches: with snapshots and a virtual environment (or even a hybrid or cloud environment), you can clone a live system into a testbed relatively easily. Gone are the days of drive imaging and system cloning, or having standby hardware in a test environment just because it's identical to production. Now, you can clone a snapshot of a production system, tweak its network and VM configuration to move it over to your test environment, and install and test patches pretty easily.
  3. Installing and rebooting: while systems are patching and rebooting, virtual environment HA configurations can help plug some of the holes of down systems without dealing with operating system clustering technologies directly. Both can be admittedly cumbersome to set up the first time, but virtual HA can save your bacon and minimize impact to your downstream users.

 

Don't forget your hypervisor!

 

When it comes to Hyper-V, patching your hypervisor really is all about patching your OS. Tools like Patch Manager are going to make it easy to stay up to date with Windows patches (AND third party patches, too). With Patch Manager on top of WSUS or SCCM, you can make intelligent groupings of systems, both for status and reporting details and for patching.

 

For vSphere (ESXi)-based systems, patching your hypervisor is a little more complex, and patches have been coming about monthly. There's actually a handy table of build numbers to patches published in their Knowledgebase that shows the patch history, and VMware has a Patch Portal to help you find and download updates that apply to you, plus see which KB articles patches resolve. I'd recommend showing the "Severity", "Category", and "System Impact" columns to help you understand which patches are most critical (keep a keen eye on security updates) and what the impact will be to running systems.

 

VMwarePatchPortal.PNG

 

 

Patching utilities for host<->guest communication is important, too

 

Within virtual guest systems, there are usually utilities that establish good host to guest (and vice versa) communication. These tools let you perform clean maintenance tasks like shutdown, reboot, and snapshot; provide time synchronization (very useful if you're doing any log analysis, troubleshooting, or anything certificate-based where time can matter a lot); and provide insight into what's on a guest or host OS.

 

When it comes to VMware Tools specifically, you won't get the tools "for free" when you bring up a clean guest OS until you install them, though thankfully most modern Linux distributions include open-vm-tools by default (or easily added). For those of you tired of this deployment process on Windows, though, we've got good news! Patch Manager now includes VMware Tools packages in our third party update catalog.  With Patch Manager, you can now automatically download and deploy VMware Tools updates just like Windows (and other third party) updates.

 

For existing Patch Manager customers, you can add the VMware Tools library to your patching catalog by following a few steps:

1. Use the Third Party Updates Configuration Wizard to synchronize available updates from SolarWinds

Administration & Reporting > Software Publishing > Patch Manager Update Configuration Wizard

SynchronizingWizard.PNG

2. Click "Next" when the Wizard completes to see the full list of available updates from all vendors.

DoneSynchronizingWizard.PNG
3. Scroll down and make sure "VMware Tools" and "VMware Tools (Upgrade)" are selected from the list of subscriptions.SelectWizard.PNG
4. Click next and finish to confirm your package synchronization schedule, then Finish.PackageSynchronizationSchedule.PNG
5. To see the available packages and versions, go to Administration and Reporting > Software Publishing, then right click and select "Refresh". After doing so, you should see "VMware, Inc" appear in the list, and see the respective packages.PackagesinList.PNG
6. From here, you can select to publish the packages to your WSUS/SCCM server (click "Publish Packages" on the right). Select x86 if you've got any 32-bit systems out there, otherwise select x64, then click Next.PublishingWizard.PNG
7. You'll watch an awesome progress bar for a little bit as it downloads and pushes the packages... then click Next to continue.DownloadingPackages.PNG
8. What do you know, more awesome progress bars as it pushes the packages to the Patch Manager server... (there will be two at first as it pushes the files, then one warning you to be patient as it publishes.). Once it's done, you can hit "finish" to finish the publishing step.

PublishingWizardtoPAM.PNG

DonePublishing.PNG

9. If you head back up to your Updates view, you'll see the new packages in the list.

Update Services > <your server> > Updates > Third Party Updates (you might have to right click on "Updates" and click "Refresh" first).

UpdatesView.PNG
10. From here, you can do your standard Patch Manager tasks, such as Approve the package for distribution and decide which systems should receive the package/update. Click "Approve", then click on each group to approve to and click the "Approved for Install" button (in my example, I approved the update for my Servers group), then click OK. You'll see another fancy progress bar while things finish, then confirm.ApproveUpdate.PNG

You can also automatically download and approve future versions with the new-in-Patch Manager 2.1 auto-approval feature, if you check out our GA blog post there's a bunch of details on that feature - Announcing General Availability of Patch Manager v2.1 - Automated 3rd Party Patches & More!.

 

What's Next for Patching Virtual Systems?

 

If you check out the Patch Manager What We're Working On, you'll see specific mention of more features we're looking at adding regarding patching virtual systems - including the automated snapshotting (and potentially reverting) mentioned above.

 

What big issues do you have with patching virtual systems? What can we do to help?

Since the release of Server & Application Monitor (SAM) 6.2, the team has been busily plugging away on a long list of new features and general product enhancements.  Chief among them are improvements to the aesthetics and overall design of the Orion web interface. While not the primary focus of this blog post, it is near impossible to post screenshots for some of what we've been working on without divulging some sneak peeks into the very early stages of this interface design refresh. A follow-up blog post is currently in the works that will go into detail and explain our multi-phased approach for delivering a fresh, clean, and modernized interface for all products that run atop the Orion platform. Suffice it to say, it is our aim to accelerate overall Orion web interface performance, dramatically improve usability for many of the most common tasks, as well as refine and enhance the product's visual appearance as part of this endeavor. Continue watching the Product Blog for more specifics surrounding the Orion UI redesign, as well as opportunities to provide feedback to members of our user experience team regarding these improvements. Your feedback might just earn you some much deserved Thwack points that can be redeemed for some cool SolarWinds SWAG!

 

With that prologue out of the way, it's time to run through a few notable new features we've been working on that are sure to put a smile on your face. As always, your feedback on features such as these is essential; and the absolute best time to provide that feedback is during betas. So if you're anything like me and would rather try out the new features yourself rather than simply read about them, then short circuit this post entirely and click the big red button below. Otherwise strap in, adorn your reading glasses (if you need them) and soak in the geek goodness below as I walk through some of the new features planned for this release and expose a few glimpses of the web interface redesign.

 

SAM 6.3 Beta button.png

 

Active Directory Discovery

One of the many aspects we wanted to focus our attention on improving within this release is how servers are discovered in SAM. Network subnets, IP address ranges, and lists of individual IP addresses might seem like natural options for those of us who come from a network centric background. However, for those possibly unfamiliar with the networks design or IP addressing schema, Active Directory in many instances provides much or all of the information needed about the servers residing on the network.

 

Active Directory discovery can be added as an additional discovery method to any new or previously existing discovery profile and used in conjunction with the three previously available methods for complete coverage across the environment. 

 

Similar to the other three methods of discovery, multiple Active Directory domains may be used in the discovery profile. This is especially handy for large organizations that may have multiple domains running in their environment due to mergers and acquisitions, separation of internal business units, or even lab vs. production systems. Also, unlike Active Directory authentication to the Orion web console, there is no requirement for the Orion server to be in the same Active Directory domain as the domain controllers used for discovery.

Discovery 2 - Add Domain Controller.png

 

Active Directory has the distinct advantage of allowing for more precise and targeted discovery within the environment. Instead of using a very broad discovery technique such as subnets or IP address ranges, you can more surgically discover only those items you wish to monitor, such as servers and/or workstations. This is particularly useful for organizations using class B "/16" (65,534 IP address) or class A "/8" (16,277,214 ip addresses) subnets, where sequential network scanning techniques may take hours or even days to complete successfully. In environments such as these, much of that IP address space is unused, but it still must be swept to determine which IP addresses are in use and are not part of the discovery process. Active Directory however, has a complete database of all hosts on the network which are members of the domain. Leveraging that database allows for a much more rapid scan of servers and workstations running on the network that could be monitored by SAM.

 

Discovery 3 - Add Domain Controller.png

Discovery 4 - Select OUs.png

Once you've added the Active Directory domain you wish to discover and click "Next" you are shown a complete listing of all Containers and Organizational Units (OUs) in the domain hierarchy. By default all OUs and Containers are selected, including any future Organizational Units that may be created after the discovery profile creation process is complete. Selecting the root level domain object toggles between select/deselect all, and the individual checkboxes on the left allow you to select the specific OUs to include or exclude from this discovery profile. The checkbox to the right of each OU listed designates whether to include any sub-OUs that may be created under that Organizational Unit in the future. For example: you have a root level Organizational Unit named "California" because you have only one office in that region today, located in Los Angeles. Later a new office is brought online in San Francisco. As a result you may decide to create two sub-OUs under California named "LA" and "SF" to manage group policy separately for each of those offices. The "Include Future OUs" option allows for these types of changes to occur within an OU, sub-OU, or domain without the need to update SAM's discovery profiles that are used for recurring nightly scheduled rediscovery of new devices in the environment. If not applicable or desirable in your organization, this option can of course be disabled.

 

Automatic Monitoring

Another primary area we focused on for this release is reducing or outright eliminating the maintenance overhead required to keep SAM up to date as new systems are brought online. Too many of us have been in similar situations where a new critical business system is brought up in the environment, and the first time there's a reported problem or issue with the system there's immediately an exchange of finger pointing that occurs amongst the responsible parties attempting to assign blame for why the system wasn't being monitored. As a result many organizations have implemented rigid policies and processes surrounding the provisioning of new systems in an attempt to mitigate these blind spots on the network. Unfortunately even the best laid plans aren't immune from human fallacy, even those with the best of intentions.

 

With that in mind we aimed to provide a mechanism that would ensure that as new systems were brought up in the environment that they would be monitored without relying on someone in the organization to manually add them to SAM for monitoring; or dig through the nightly Network Sonar Discovery Results to select which new items should be monitored. If adding individual devices manually is more your speed, or thumbing through the Network Discovery Results is how you enjoy spending your morning "me" time, those options continue to remain intact and unchanged in this release.

Discovery 5 - Automatic Monitoring.png

 

When selecting "Automatically Monitor" from the "Monitoring Settings" step of the Network Sonar Discovery Wizard you may continue on by clicking "Next" and accept the recommended defaults (only "Up" interfaces, non-removable media volumes, etc.) or use your own preferences by clicking the "Define Monitoring Settings" button. Clicking this button takes you through a mini-wizard where you are given the ability to define what you'd like automatically monitored should they be found during the Sonar discovery process. These options include, but are not limited to, interface type (trunk, non-trunk) , state (up/down/shutdown/etc.) upon discovery, interface name (contains, does not contain), interface description (contains, does not contain), volume type (Fixed Disk, Mount Points, etc), and AppInsight Applications. Additional steps may appear within the mini-wizard depending upon which Orion modules are also installed alongside SAM.

 

The next time the Network Sonar Discovery runs, either at the completion of creating the new Discovery Profile or its next scheduled run, any items found meeting the criteria defined within the profile not already monitored in Orion, will be automatically monitored by SAM.

 

For nodes managed via the optional Agent that was included as part of the SAM 6.2 release, these automatically become managed nodes in Orion by default when they first register with the Orion server or additional polling engine using Agent Initiated mode. Monitoring of these hosts however is limited to status, response time, CPU, and memory, without taking some additional step to select the specific items you'd like monitored on those hosts. The new automatic monitoring option shown here allows you to predefine those items just for agent managed nodes, agentlessly managed nodes, or all nodes in the environment depending upon the settings defined within the discovery profile.

Discovery 6 - Automatic Monitoring - Select Volumes.png

 

There's still more in store for this release, but we are eager and anxious to get your feedback on some of the features already starting to near completion. Please note that the absolute best time to provide feedback is during the beta, as things are still very fluid and there's plenty of time to fix bugs, make adjustments, and alter the design before release. That's right, betas are intended not only as a mechanism for finding bugs, visual defects, or other things broken in the code, but also to address usability issues and design flaws as well. If you are interested in taking SAM 6.3 for a spin and kicking the tires on some of these (and other) features, simply sign-up here. The only requirement for participation in the beta is that you own an existing license of Server & Application Monitor which is currently under active maintenance.

We've seen time and again that dividing your security attention between the inside and the outside threat (and unfortunately the blend of both - when outsider leverages or becomes an insider) is an ongoing challenge. If you check out our last 1-2 years of Federal IT Security Surveys, you'll see the insider is still a pretty big concern that's far less understood and harder to solve (more on that - Internal Federal Cybersecurity Threats Nearly as Prevalent as External, SolarWinds Survey Reveals), spreading from training to actual technical controls to the challenges of monitoring. In the interest of giving you a bit of a head start, here's some insight into some ways you can monitor for malicious insiders with Log & Event Manager (LEM).

 

(Note: Anywhere you see a screenshot below, be sure to click to see a full version - they might look fuzzy otherwise.)


Endpoint Monitoring with File Integrity Monitoring (FIM) and USB-Defender

Out of the box, LEM includes both built-in File Integrity Monitoring (FIM) - which can audit for file and registry access/changes - and USB-Defender - which monitors USB device access. On systems where you may have potential exposure - think kiosks, systems with access to confidential data, servers, and shared workstations - deploying FIM and USB-Defender will allow you to:

  • Monitor for unexpected copying of files and data to USB devices that can indicate data is being exfiltrated
  • Attempts to bypass application installation and access policies by running applications directly from USB devices that can put systems at risk
  • Changes to system settings and files that can indicate potential unexpected modifications, either due to malware, policy bypassing, or intentional abuse

 

Out of the box, you'll want to look at the following LEM content:

  • Default FIM Monitors - the Windows Server template can also be applied to workstations as a place to start

FIM Monitors.PNG

  • Filters of interest:
    • Endpoint Monitoring > USB-Defender
    • Change Management > USB File Auditing, All File Audit Activity

EndpointFilters.png

  • Rules of interest can be found in the categories:
    • Activity Types > USB Device Monitoring, File Auditing

EndpointRules.png


System and Endpoint Monitoring for Authentication and Change Events

Beyond tracking files and USB Devices, on servers and workstations alike authentication and changes can offer unique insights into what's happening on the network, and provide critical clues when it comes time to investigate. Windows does not audit the mechanism a user used to log on, or changes made to local system accounts, at a domain controller, so without insight into the actual workstations and member servers directly you'll be missing pieces of the puzzle. Deploy agents to all your critical member servers and that same pool of workstations you need insight into and get to tracking the local Event Logs. With this data, you can see:

  • Users logging on unexpectedly - unused accounts suddenly being used, service accounts being used to access the wrong systems, admin accounts being used incorrectly
  • Remote access - usage of remote desktop vs. interactive logins, access from VPN accounts/addresses, contractors authenticating to unexpected systems
  • Additional users & privileges - users being added to local or domain admins, local users being created

 

Out of the box, you'll want to look for the following LEM content:

  • Filters of interest in these categories:
    • Change Management
    • Authentication
    • Endpoint Monitoring

AuthFilters.png

  • Rules of interest in the following categories:
    • Change Management
    • Authentication
    • Activity Types > Inappropriate Usage

AuthRules.png


Network Device Traffic Monitoring


If we move off of the systems themselves, we should also be able to detect behavior patterns that look abnormal using network traffic events, too. Sometimes putting agents on all workstations is infeasible, not to mention accounting for transient or new devices, and BYOD if you've got that in the mix as well. Log activity from all the devices you can that can monitor traffic patterns and connectivity - IDS/IPS, firewalls, wireless APs/WLAN controllers, routers, switches, VPNs, etc. With network traffic data, we can look for:

  • If you've got a proxy or similar policy in place, users attempting to bypass proxy policies with direct communication on port 80 (i.e. network traffic that's not outbound from your proxy server)
  • Network traffic to/from unexpected hosts or ports - your servers/workstations will generally communicate to a smaller subset of known hosts, traffic outside of this pattern would be unexpected
  • Excessive network traffic - sometimes traffic patterns can become clear without utilizing netflow or deep packet inspection based on sheer event numbers, types, or behavior patterns alone

 

Out of the box, you'll want to look for the following LEM content:

  • Filters of interest:
    • Start from the out of the box filters in IT Operations and Security and build from them, especially the traffic filters

NetworkFilters.png

  • Rules of interest in the following categories:
    • Activity Types > Network
    • Devices > Firewalls

NetworkRules.png

 

Check out our thwackCamp session on using firewall log data, too - thwackCamp 2015 - Digging for Security Gold: Using Firewall Logs to Find Security Issues.


Traditional Malware and Security Event Detection

You can definitely put your existing investments in pure security technology to work for you here, too. The name of the game is defense in depth, and while traditional malware detection, IDS and IPS, and other tools might not be enough alone, each one of them can play an important part in helping detect potential abuse or piecing together fingerprints during an investigation. Infected endpoints are a gateway to the interior of the network and not all of us are victims of zero-days but rather some kind of combination of existing malware and other techniques that gives us a good chance of detecting it somewhere along the way. With these feeds, you'll see things like:

  • Antivirus/anti-malware technology cleaning or having trouble cleaning potential infections
  • IDS and IPS systems detecting potentially unwanted payloads or symptoms of infections or even exfiltration
  • Triggers from any other security systems you've got to put to work for you that generate event streams - wireless security, data leak prevention, etc
  • System errors and crash reports - potential malware causing leaks to affect the system in unexpected ways

 

Out of the box, you'll want to look for the following LEM content:

  • Filters of interest include:
    • Security > Virus Attacks, IDS
    • IT Operations > Windows Error Events

MalwareFilters.png

  • Rules of interest in the following categories:
    • Security > Malware
    • Devices > IDS and IPS (and related device types for your systems)

MalwareRules.png


Threat Intelligence and Dynamic Feeds to Detect Malicious Traffic

Thinking forward, if you've seen our LEM What We're Working on page, you'll note we're talking a little bit about Threat Intelligence Feeds. We're working on adding the capability for LEM to dynamically download a list of known bad actors - potentially infected hosts, botnets, command and control networks, spammers, and general IPs up to no good - and automatically use that to detect communication on your network. This will be a really good way to see:

  • When someone internal is communicating with a potentially malicious host, which can indicate they've already been infected
  • When you're being probed, attacked, or otherwise communicated with externally by a potentially malicious host, which can indicate an incoming attempt
  • Communication to/from spam, denial of service, or similar hosts that can indicate phishing attempts, zombies on your network, or other security issues

 

Watch for more on that here - when we've got more to discuss we'll update this post with how to use it to detect malicious insiders more specifically.

 

Manually, you can create and import lists of potentially unwanted IPs and ports and compare those to traffic as well. If you've got a list of known good ports that should be used to communicate on your network (especially inside>outside), or known applications if you're using Next-Gen firewalls, or known IP addresses when we're talking servers and controlled communication, build User-Defined Groups and rules/filters that compare to them.


What About Other SolarWinds Products? How Can They Help, Too?

Sure! Here are some ideas on using other products to help you detect potential malicious behavior internally:

  • Network Performance Monitor: monitor for unexpected firewall/network performance issues and high bandwidth utilization that can indicate an outbreak or single host is infected
  • Netflow Traffic Analyzer: building on the above unknown traffic patterns, look for possible unexpected hosts, ports, or communication patterns that might give you an idea something is wrong
  • User Device Tracker: useful when tracking and potentially detecting issues at endpoints - the "who" to go with the "where"
  • Server & Application Monitor and even Virtualization Manager: look for systems & applications performing unexpectedly or becoming unstable, these can be early warnings for security issues, too
  • Database Performance Analyzer: building on that, look for batch transactions, long-running queries, and sudden performance issues, identify their sources
  • Network Configuration Manager and Firewall Security Manager: as always, cover your bases with configuration first!
  • Patch Manager: track systems out of compliance with patching policies, out of date systems are MUCH more likely to be victims of malware and other security issues

 

Feel free to let us know if you've got any content you're interested in seeing around detecting malicious insiders, any ideas or successful stories yourselves, or any other questions we can help with in the comments!

Filter Blog

By date: By tag: