Welcome to SolarWinds Lab. Today, we're going to deep dive into security tools like Patch Manager, Security Event Manager (formerly Log & Event Manager), Network Configuration Manager, and Network Performance Monitor. Oh my [laughs]! All right, so you may already have one, some, or maybe even all of these currently but have struggled a little bit on how to use them to help you have a security posture. In this episode, we're going to show you how to use these types of tools and help clean up or begin a security posture. Joining me is Jamie Hynds, you may have remembered from THWACKcamp, one of my favorite product managers for security tools.
Thanks, Dez! It's always a pleasure to connect with the users and try to help them with their needs.
All right, so Jamie and I are going to show you how to use NCM and Patch Manager and things of these natures for your security policy for our compliance portion. Then I'd like to show them some of the security they have within Network Insight, such as auditing VPN connections. But what are you going to demo today?
I'm going to take it a step further, Dez, and I'm going to show them how to use Patch Manager for tasks such as software inventory, removing of unwanted software, and also patching of third-party updates. I'm also going to walk through how to use LEM to create dashboards, drill into event logs, and creating compliance reports.
Well, this all sounds fantastic. So we really are kind of the dream team of security. I like to think of it that way. You may have remembered us on the THWACKcamp in sessions themselves because of the security rise. You guys loved it because we deep dived into LEM for the first time. And so, while I may be covering the network side of monitoring things, you can cover the, [clears throat] well, you know, that systems side of things! [Laughs] And then we can actually show you guys some more information and deep dive into it. And on THWACKcamp, Jamie showcased ways to protect yourself in real-time monitors and updating procedures, so you can find a link on the THWACKcamp session under the episode's additional resources. Okay. I'm a pretty hands-on person and I know that you are too, especially when we would like to show you guys these demos, so why don't you think that we just go ahead and dive in?
Let's do it!
All right. All right Jamie, so, what I'm going to showcase is the compliance side. I was just at one of the SWUGs that we had and they were actually talking about how a lot of the people there still didn't understand that we had compliance and what that meant in Network Configuration Manager. So, I want to go over here to my dashboard. I'm going to go into Configs, and then I'm going to go into my actual compliance reports. And so, when I'm going into here, what I want to look at is, the available ones that are out of the box, right? So, all of these there, I got asked yesterday about PCI compliance. I got asked about, just in general, like, is there passwords and things like this that I need to look for, and so I was showing them that this is out of box that's actually available for them, and to click on one. I'm going to show one just so you can kind of see it. And this is your basic credit card. You know, it's the CISP reports that they have. And so this is going to check the configurations on the devices of which that I have against the policies that I've chosen, which is also my rules. And it seems fairly simple, right? In that how they go in there and they kind of pyramid scheme and build themselves up. So, when I click on to here, I can actually see what the violation is. And so, it's showing it, and it says that, hey, you're out of compliance, the enabled password encryption rule, and so now I can actually say I want to remediate this script on the node, or I want to do it to all of the nodes that are in violation. Now here's the great thing. On the backside NCM, no matter the devices that are on here, we have the credentials and the scripting login information to implement this script. So, when we say all nodes, we're meaning that, right? We're multi-vendor, too, so, what we're doing is, we're saying, hey. This is the command of which that we need to do. We're going to send it out to these devices so that they can actually be remediated.
And bring it back into compliance.
Exactly. And it's a quick checkbox, and especially now that security scorecards themselves are actually coming out and people are needing to have those done, especially in 2018, I think it's something to bring present. You know? Kind of bring that to light. And so, let's kind of showcase some of the things that you can do within the compliance report. Number two thing on the list for actual security cards and of high importance is the actual log management. And I know you're going to cover the LEM portion here in a little bit--
But I wanted to show you how you can actually engage and set up NetFlow, because that's a logging, and then how to actually go into the compliance and showcase that it was implemented.
So, let's go there. So, to do that, I'm going to first go into the Configs and go into my Config Change Templates. Now, sometimes these can be scary because people wonder, what is it doing on the back side? The great thing that our users have on their side is THWACK community. So, we're able to actually share these config change templates on THWACK, and other people share them as well. You can download them, you can upload them, and there's a lot of great content, because I guarantee that if there's things that you're wanting to implement, somebody else has wanted to implement it, and it may already be there if we don't even have it out of the box, which we have several, right?
Yeah, and I assume you can adjust those templates as needed for you.
Yeah, definitely. Everything is very customizable.
So, I'm going to go into the Flexible NetFlow because that is something that a lot of people are wanting to get started with. They want to have it. They want to engage with it, but maybe they don't understand how to get it placed out, right, on all of their network devices that can handle the NetFlow that goes there. So, this is a template out of the box. I'm going to look at this and I'm going to actually do an advanced, or, I'm going to do an advanced modify first just to show kind of show you what that is, because some people don't like to click on things unless they know. So, when you go into it, it'll actually show you the template basis, and when I go down here, this up top is in every template and that's how you put your variables in. So, if you're wanting to create or adjust, this is what it's going to ask me in the wizard. So when I come down here, you can actually see the CLI commands of which that are going through the configuration terminal. So, that's the, "no IP flow ingress," egress, and then it's the active timeouts which, for me, especially on network, and working with you guys as customers, we've had issues where, like, double the amount of flow is showing for an interface, right? It's like, 10 meg but it's showing me 20 megabytes. You're like, what's going on here? And sometimes, it's because their active is on 15 minutes. So they'll have a long flow and it will actually double that. So, just a little tip for you guys, make sure that you have it on the active one minute so that you don't get that double situation of data and you're thinking that your interface may be out of sorts. And so when we come down here you can see all the information that it's going to lay out very clearly, and it's nice. You can save this if you're wanting to do it one on one with your device. You can save this also and help with new engineers that are coming up and are kind of learning, right? We want them to see what a full script, things that are coming about there. So I'm going to cancel out of this because I just kind of wanted to show what the advanced looks like. And I'm going to click on here and go into the wizard that I was telling you about with the variables. So, at the top of the page, what it's asking you, like, what do I need to grab?
So your NetFlow--
Source device vendor, etc.
Yes. And your advanced engineer in the team can actually set these up, right? Because they're going to be like, this is what I need to do, but now I'm going to let the lower level, or the newbie, that's coming in, right, and the configuration wizard-type actual environment for them to get used to SolarWinds as well as you're verifying from the get-go that the scripting is correct.
And I think that's valid, especially on security. And because there's plenty of times that we've seen, all of us, right, in the media, where there's an accidental config mishap and that can actually cause outages and security concerns.
So, when we come through here, we're going to actually go into the Cisco. I'm just going to choose two devices and I'm going to go, let's choose some routers that I know, just because I'm OCD [laughs]. Like, that wasn't mine! So, and then I'm going to click over to go Next. These are the defining variables. It's going to know what are the WAN interfaces, the NetFlow sources, and you can select them immediately from here. You can set up your actual NetFlow target IP address, and this doesn't have to be SolarWinds' NetFlow target. Right? And I want that to be very clear, especially when we're doing the scripting. We're helping you to set this up and as part of your CIS controls, you have to have more than one just centralized logging, right? And the more that you have, the more of a backup that you have as well. All right. So, I'm going to click on one of these and actually grab it in, and I'm going to go into this NetFlow Source Interface and grab it as well. So now I'm going to actually set up the entities and I'm going to grab my interfaces for the NetFlow source. Once that's done, I'm going to put in my NetFlow target IP address, and like I said, guys, this does not necessarily have to be SolarWinds'. This is any targeting that you need it to be collecting your NetFlow information.
You're not refined to just NTA.
Exactly. And now for the Flow Monitor Name, I'm just going to put that it's the Funtime, because we all love the Funtime there. [Both laugh] All right, so anyway, I'm going to hit ‘Next’ on this and you're going to see a preview of what's going on here. So, once I have this loaded out, it's going to present me with an actual script. The great thing with compliance, now, is that I can take this script and I can run this into a compliance report that I'll show you and it's going to actually replay back, like, has this been implemented? So a lot of times people will run these config-change templates and they get kind of confused on, [groans] how do I check this, or for auditing purposes, you need to be able to know, hey, is this actually out there on here and is that my checkbox?
And so this is a way that we can do that. Okay, so now that that's done, let me show you where you get the script, because sometimes people see here and they're like, oh, what is it going to do? So, I'm going to undo it and actually look at the commands that are in my window, and I can grab this. So, as you can see, this is, it's configuring in. It's going to all these interfaces that I have set up. It did the script for you, and there's things that I'm going to look for. We want to actually see if it's collecting, where it's going to, and where it's being exported at, right? So, I can show that we're actually sending the traffic to where it needs to go to. So, I'm just going to grab this and then I'm going to set it up into a rule. All right, so I'm going to grab this because it has my actual flow monitor name on it and it shows that I'm actually exporting my flow that come across there, and that's my change template. So, that's my way of knowing that I've used my change template. This is what I'm going through. And so, I want that to be in compliance. So, I'm just going to copy that, and then I'm going to go up here and I'm going to go into my configs. I'm going to go to Compliance, and now I'm going to set up a rule that's going to look for this that's within my configurations.
And will let you know if there's any of those configs in violation.
It's going to show if it's there.
So then, if it's there, then that's my checkbox and it's complete. So, once I go into my Manage Rules, I'm going to hit a New Rule because, like I said, it goes rule to policy to the report. And I'm going to call this my Funtime export. Check my Flexible NetFlow that's on here. I'm going to save this into a new folder called testing, and I'm going to say that if this is found, it's informational, because that's what we want to do. But you can change this as well. If this says string is not found, then I would want it to be critical. So, since we're doing security, I'm going to actually leave this as string is not found and I'm going to say critical. Depending on your report, though, is what you need this to reply on. And so then I'm going to go into my string and it's going to look for what I said. On this one, I do not want a remediation because there's a lot more that has to go into it, so I can leave that blank for now. But if I did want to actually implement it, I could take that script and be able to put it in here so that it would know how to go to that. But then you'd have to make sure that you're clicking on the correct devices, obviously. Things of that nature. So, we're trying to look at this from a compliance report from security, and how we can help you verify some of your security protocols are in place within your configurations. And so then I would be able to test this out and submit it, and then I would be able to showcase every time that was not found to alert me and to let me know when I schedule it, and I usually schedule my reports about once a week to be ran, depending on how critical that they are. So, that is how easy it is to take what I need to do to implement a security policy, and then how do I check that that policy is there, and how do I get that report to somebody so that they can have an audit.
Okay, so I'm going to talk a little bit about Network Insight. So, what I'm going to do is, I'm going to go from this page, drop down to the ASA that I know of that is going to have this data, and we're going to populate this and kind of show you what you can do. Now, if you look here on your details page, you can see that it tells you your favorite site-to-site, your overall health, and we've covered this in a previous lab. But if you notice there's a field at phase one that's on here that's actually showing, and I've had a lot of you guys ask me, well, how do I, some of these I want to ignore, some of them I don't. So, let me show you how we actually do that. You have to be, as an admin, you have to go in and you have to change your URL to this one that you see here. The Orion, forward slash admin, forward slash advanced configuration, global. Now there's the great thing that you can also do here, is under the ASA portion, this is where you can also, say, if, you know, change your polling sections, your CLI timeouts--
Things of that nature, but I can also click in here and say "phase" in this global search of awesome, and these are the ones that I want to ignore. So, if it's phase one, if it's phase two. I can say which ones that I actually want to ignore and print these in here so that it won't be read. Right? Because sometimes it's okay. That's normal in our environment. So, we need to be able to get rid of those.
And you could add multiple errors there, not just one particular error.
Exactly! Yeah, you can add as many as you want. You can take the whole phase one or phase two out of there if you wanted to. All right, so, now back to the actual VPN issues that I have found that we like to do, is let's talk about remote access for a second, and, especially, security. So, a lot of the times we have contractors now, because of budget, that are working, but are they working? That's a very good clue-in there, right? So, if you're remote, what we can do is actually see how long have you been connected? Are you actually moving data? Because you could be connected but not doing anything. Right? So, this is a great way that we can actually have that checkbox of, is remote work being done? Are they logged in? And then here is a great one. If you have somebody that's going home as an employee or anybody, and after a certain time period, all of a sudden you have gigabytes of data being transferred and it's at two o'clock in the morning, I need to know what's going on there.
And you have an audit trail.
Yes! We have an audit trail because that makes all things great. So, to showcase some of the VPN connections that we have, a lot of people are like, well, I just need a report to do that on. So, you can come in here and I just do the search for VPN, and I can see the site-to-site history here for the last 30 days. You can manipulate that number, things of that nature, 100%. But what I can do is, I can go into this remote, actually run it, and then I get a detailed version of how many people have checked in, how many people have checked out, what was the data usage that they had, and how long. And so that gives me that automatic audit trail.
I can automatically see what's going on within there, and I have a report audit that I can compare this to on contracting numbers as well as, was there problems, what protocol are they using, and as you can see here, it can tell me their client info. So, if you did, like what you said, you've done your updates on Patch Manager. Say we don't have Patch Manager at this time and we have the Orion Network Insight within NCM as well. What we can do is we can verify that our updates are there because we can run this report as well and see what client info has actually been pushed out and which one is being established, as well as the RAS protocols that's being used, the disconnect times, and the usernames. So for me, it's kind of a wonderful thing because you can use that Network Insight with these tools. And we can help make this, right, on that backside with the advance configuration. That's just some inside tips for you guys because, like we said, everybody's environment is unique. Right? Your use case may be completely different than somebody that's in the same business, but their use case, right? Because I may design something in a network that one of my friends like Leon or Patrick would design completely different, but we still get from A to Z. So, there's ways that we can actually help you guys so that your errors are pertinent to you and what you need to see so that you don't have wasted time or feel like you're missing something because it's constantly down. Now, on the vulnerability side of things, what I like to talk about is the common vulnerabilities database. And, it's just that check mark that we're talking about on the security scorecards. So, you go into the Configs. We can go to the summary and it actually checks at 2 p.m., or, 2 a.m., sorry, every night, and you can change that time. And it checks your actual firmware vulnerabilities and things of that nature that you have out there.
Kind of like Patch Manager for network devices.
Yes! Definitely. So, if you look here, and this is in the summary, as you can see there. When we scroll down, you see Firmware Vulnerabilities. Now, when you're doing those checklists and you need that little box of, have I done it? Am I vulnerable? What are the IOSs? What's going on here? This is the information you can fill out for that scorecard on your remediation, right? Because sometimes it's like, you know, there may be a problem now, but we're doing something about it and that's all they need to get the maintenance in the change request. So you can actually say, hey, this is the vulnerability. Copy, paste this there. You can put in here remediation is planned and you can put this into your change access that you need so that you can get that security posture in place.
And could you even go a step further and say, what happens if I find a vulnerability on a Cisco device? Is there any way of remediating that in NCM?
Well, if you need an actual upgrade, say, to the firmware--
We now cover you there as well.
So, we can go into the Configs, and we would go into Firmware Upgrades. Multi and single context configs as well are carried over. So, we can actually go through here. We can set up an upgrade. And, it's a wizard, so it's great, and we have the print-out, right, of, did something happen? Did something not happen? Was there an error on there? And we go through a complete checklist that shows you. So, the pre and post, right? People are like, well, what if there's not enough memory? What if there's not anything that's going through there? We have you covered. Don't even worry about it. So, I'm just going to put test here. I'm going to hit ‘Next.’ I just want you guys to kind of see where this goes. We're going to select the firmware image. We can select it from our repository. We click it, we say okay. We're going back across here. Select the nodes, because you have the control. Select the ones that you're wanting to actually do the firmware upgrades to. We'll start collecting the data, and then, next thing you know, we're able to push out or schedule those firmwares.
And then from there you could validate that the vulnerabilities don't exist anymore once we check back in with the vulnerability database.
Because we all need audit trails. But you're right. All right.
So, Dez, with the rise of ransomware attacks in recent times, I think patching has certainly become quite a hot topic.
Given that a lot of these ransomware attacks target vulnerable software on your machines.
And something that I like to always remind people is that we're not the only ones that are watching when new updates come out, right? The bad guys are too, and then you just made yourself an easy target and easier for them to knock off.
Exactly. So, while tools like WSUS or SCCM are great tools for, say, patching Microsoft updates. I want to introduce Patch Manager from SolarWinds that helps you to patch your third-party updates.
Definitely, and scorecards. You keep hearing me say this, but it's something that's coming out with 2018, and so on the scorecards themselves, that's actually a moderate risk, right, is patch management, and we've got to be able to have those. And I see that moving up a little bit, but right now it's still a moderate-high and we need to be able to fix that.
Absolutely. So, SolarWinds provides a catalog of third-party updates which we maintain ourselves, so we keep a close eye on products as you can see on the left-hand side of the screen here. So, products such as, you know, iTunes, Chrome, Java, Firefox. We have a huge list of updates that we maintain. So, this allows you to sync up with our third-party packages, so it saves you the bother of having to create your own packages. We do it for you. And in here, you can see as an example in Google Chrome, I can see all the latest Chrome updates available in our catalog. And with these you can very easily edit them, so we include lots of different logic as part of this, so we'll check to see, is the machine a 64 bit, a 32 bit? Is it applicable on your machines? We can also add additional logic to this. So, we'll say for example, Google Chrome must be installed on Windows Vista or greater, something along those lines. We have this condition in here. We can then add additional logic to this. So if you wanted to even use what we call the Package Boot Helper, and this allows you to do things like stop services before we install the package, you can terminate processes, etc., run the package, and then after the package is installed, restart those services or start new processes, etc. So you can see you can get really quite granular here in the actions you want to take pre- and post-update.
Which is great, because a lot of the times, people are worried about, well, how is this going to apply, and do I have control of this, and do I have control, or to understand that things that have post check afterwards. And a lot of the times, that's a checkbox that you just want to have as a server admin.
Exactly. So, once you have all your logic set up, if you want to apply additional logic, as I said, many of these are pretty much plug and play. We create them for you. You can start deploying them, but test first. So, in here then, we can publish our updates to WSUS. So, worth noting the Patch Manager sits on top of WSUS or SCCM. It doesn't replace them, it integrates with them.
I'm glad you said that because a lot of times I get asked, how does Patch actually work? Do I not need WSUS or any of these things? I'm like, no, it actually works with these. It sits on top. So, you don't need to get rid of those. We actually integrate and go with that.
Exactly. As I'll show you in a second, you can actually see, your WSUS and SCCM service here so you don't have to constantly jump between WSUS, SCCM, and Patch Manager, etc. It's all in one view in Patch. So, if I want to publish that update, then I can literally go to my Google Chrome update here. I can then publish the update. That then downloads the content, and then publish WSUS, where at that point it's treated like any other Microsoft update, whereby you can approve the update, decline the update, within WSUS. All from the Patch Manager.
So, say I published that. I can then come up here to my WSUS server up here and I can then see all the updates that are on that WSUS server. Of course, now that we're in our WSUS view, I can then see my Google Chrome update is now in WSUS.
And as I said, we can approve it, decline it, just like any other Microsoft update. Once approved, what's great about Patch Manager is you have really great control over what updates are published to your machines when it's going to happen, and to which machines it's going to be published on. So you can get really granular in terms of, you know exactly what machine is going to be patched with which updates, and that can all be done from the Update Management Wizard. So, in this view here, I can set up lots of different rules. So, I could say, download and install all needed and approved updates, as an example. But I can then kind of chop and change here and I could say, maybe you're a bit wary of actually updating drivers by WSUS, so you could say, do not include when the classification is equal to drivers, and maybe for some reason you want to add a product rule in there too, so you could say for this group of machines we always have to be on the same version of Java because it's going to cause issues if we update. You could say, if the product contains Java, don't update on this machine.
And when we're talking about security postures, there's going to be levels of which that you're going to allow like Java and versions and things of that nature. Is it allowed? Is it not allowed? And to be able to pinpoint these and to have rules that actually can go against that and make a blanket. Right? We want to be able to have the actual continuity, right, of our servers, so that it's easier for us to patch, it's easier for us to see security concerns and have a baseline.
Correct. So, again, we can come in here and we can see our pre- and post-update options. So if you want to never reboot or always reboot after updates are applied, etc., you can do this here. What I love in this screen here is the planning mode which allows you to assess what updates are going to be installed as part of a task. We're not actually installing them. So, let's say you have a task on a Friday night to patch your machines. You could run this in planning mode, maybe on the Tuesday, and you then get an email report to show you, as part of this task that's going to run on Friday night, what exactly is going to be installed. So if you see any gotchas in there in terms of, that patch should not be installed in that machine or this version of Java should not go there, you could have time to edit your task before the machines actually update it.
And when it actually sends you that, that's also a report of which that you can say these are the ones that are affected. So when you had that change report and you're doing your maintenance filings, this is also a report that you can put with it to say these are the ones that are affected. This is that actual patches that are coming through. That's very important because, especially for somebody that's dealt with support side of things, is, what's changed? Right? So that's something that people are going to say. So if they come in on Monday and there's something that's not running correctly or they're having issues, you know automatically the changes that have been made and to what servers so you can prove or deny that there is anything that affected it.
All about the audit trails.
So, if I come out of this wizard, then, I'm then brought into the UI where I can see what machines I would like to apply these patches to. So this can be based on, you know, an entire domain, if you wish, or what I personally like, is WSUS computer groups. So you could say you have your test machines, maybe, your production servers, your work stations, etc., so I could say that I just want to patch these on my production machines or my test machines. So again, you know exactly what updates are going to be applied and to exactly which machines. So I could say I'd like to patch these three machines, and then from in here, I now know that those updates are on those machines and exactly when it's going to happen. So I could do this ad hoc as a once off or I could say once a week or once a month, and I can also have offset days as well. So, I could say on the third Monday of the month, off that by three days, and then I know at 5 a.m. every third Monday of the month, that patching task is going to take place.
Which is great, because once again, audit trails.
Exactly. At that point, then, you have your reports to show exactly. So, once that task completes, as you can see here, you have your export the results and also an email notification. So, again, you can see what task failed, which ones passed, any problems and updates, etc., you can see them all here.
And there's kind of that gap between management from the top down as well as from the down up, right, of like why patching is so needed. And there's a huge lack right now in the security realm that I think is kind of getting bridged because, unfortunately, of all the security concerns such as ransomware and WannaCries and all these things that are coming out.
But, something that I would like you guys to understand is that these reports that are within here that's explaining the patches and the sheer amount, right, that has to go out that you have to take care of, and it not only helps you on your timeframes to understand the vast majority of your environment to somebody above, it also helps you to relate and have that conversation, right? Like, hey, this is what I'm having to patch. We've got to have that continuity. We need to bring these levels up. We need to, this helps you to get the budget. This helps you to get the timing and the capacity planning.
Mm-hm. And then, so say you have your group of machines patched. You might want to, again, from a compliance perspective, have a report to show me all the various updates out there and their status on each machine. So, we have lots of reports included with Patch Manger. If I come into something like this, I have one here for my update status just for Microsoft updates. If I wish, I can add third-party updates or a particular product in here. But in this case, we can just look at Microsoft updates. And then with this report, I can then see the status of all the various different updates that I've approved and how it looks across my environment. As you can see here in the title rule, I can apply filters to any of these fields here. So, in this case, I want to see my update name, and maybe I just want to see updates that contain the words security. Equally, it could be a product name. It could be a KB article number. Lots of different options. So now you can see, in this case, here is all my security rollup for Server 2012. I can then see all the various different machine names involved, and I can see where it's not installed. So if I want to apply a filter to this field, I could say, I'm okay to see updates have been installed, but how about ones that have failed, or maybe pending a reboot, or download not installed.
Definitely, which is great, because a lot of the time, somebody just needs to see that checkbox. They have no idea what it takes to get that checkbox!
They just need you to produce the checkbox, and that is it.
Exactly. And in the snapshot here, you can straight away see your machines that have all those updates applied.
And you can email that. You can export it. You can do everything which that you need to do, so it's quick and easy. Somebody asked you, come to the screen. Show, no, they were installed, or, no, hey, we got a failure. And then you can actually email this out quickly and then you're addressing the issue.
Exactly. So one other feature of Patch Manger I'd like to drill into for a minute is the ability to scan machines to see what software is actually installed on those machines and even go a step further and actually removing that software off those machines.
Ah! Audit software inventory.
Absolutely. So, I can come into the Computer Explorer here and I can then, via WMI, we also have an agent available for Patch Manager too but we can work agentless via WMI. I can then run a query in that machine to pull back all the installed software on this one machine. So, as you can see, we can see all the installed software. I can have it run through and I can see all the software here. We'll say there's some authorized software on this one machine. I can see WinPcap here as an example. And, provided that has a product ID, you can then actually uninstall that software.
So, this is valid for you guys, especially on those acceptable user policies that we all sign and we all think that we understand. There may be people within your organization that don't. Right? And they are installing things that they don't understand can be a third-party software that they're not allowed to do. You are now able to actually go through here, see it, and uninstall it, so, it prevents them from hurting themselves, and then you can address that. You know whose computer it is. You can then have that conversation, and then you're already helping your weakest link.
Yeah. And not only can you do it on just one machine. You can actually schedule it across your entire environment. In this case, it's on Orion01 WinPcap. What if I want to come in here and say, remove it on all my workstations or all my servers? I can get really granular here in terms of what I want to remove that on. And again, I can schedule that from here. So, I want to wait until tonight to do it. I can schedule that to uninstall at 3 a.m. tonight.
This is awesome.
And then you have your report to back that up to show that this software has been removed from these machines. You get your email alert that--
Because of audit trails.
Exactly. [Laughs] So while the majority of your time with Patch Manager will likely be spent in the MMC where you do your configs and your scheduling, etc., I wanted to point out that there is also a dashboard available within Orion for Patch Summary. So, you can pull data from your Patch Manager MMC right into Orion, so you can get a lovely snapshot, dashboard of your patching summary in Orion.
Which is great, especially for that single pane of glass. Right? We want to be able to showcase where we're at, and a lot of people stay in the Orion dashboards and stay actually with the SolarWinds product on their website.
Yeah. So, at a quick glance here, you can see immediately the top ten missing patches, so I can see this version of Google Chrome here is missing on four nodes and I can then see the four nodes that they're missing on from there.
Which is great too because then we can actually click into those nodes, take us to our node details, and see if maybe it was down and wasn't able to be patched at that time and things of that nature that goes across there that we're monitoring with an MPN and others.
Yeah. So Dez, as you can see, you have your Server Health Node Overview and you have your Desktop Node Health Overview, so I can easily see from here any machines with update errors, any machines needing updates, and unknown status, etc., so at a really quick glance you can see immediately what your patching summary is in your environment.
This sounds great!
You can also see your vulnerable machines. When I say vulnerable, I don't mean we actually run a vulnerability scan. It's more looking for a high number of missing updates, so hence they're vulnerable. So in this case, I can see this particular server here is missing 61 updates, and I can then drill down from there and I can then see all the updates missing on these machines. If I want to go a step further, I can actually see these critical updates. I can click on the update and actually view more information on that one update. So, I can see the category of the update, a description on the update, what machines it's missing on, etc. All that kind of information.
So that kind of brings us to the end of our Patch demo. I hope it makes it clear in terms of inventory of machines--
Removal of software, third-party updates, and also your Orion dashboard.
I enjoyed it.
So Dez, to follow on from the Patch Summary view, I think it's really valuable to have that kind of visualization of your log data. So, in Patch, we went through the summary in terms of missing updates, vulnerable machines, node health overview, etc. In LEM, I think it's really valuable to actual have a dashboard of your visual log data. So as you can see on this screen here, you have all your various different event logs coming in. It can be a bit tricky in terms of keeping up with those event logs and drilling into individual event logs. So for that, we have the Ops Center view in LEM. And this allows you to create a dashboard of what's happening in your environment in terms of your log data, and we include lots of widgets out of the box as well as the ability to create your own. So, in terms of creating these, the dashboard is actually created based on these filters, as you can see on the left-hand side. So, in LEM I have my "All Events," which is literally all my events from all my various different nodes I'm monitoring in LEM. But I can then filter that data very easily. So if I wanted to look at, we'll say, virus attacks, I'm collecting logs from an anti-virus system. I can then see I'm getting some events there to let me know there's some viruses detected on my nodes. So, as we're talking about compliance a bit today, I wanted to talk about the two out-of-the-box compliance filters in LEM, namely the PCI events and the HIPAA events. So what's really useful here is, the PCI events filter will actually filter through all your events as they come in and flag any events relevant to PCI. So as I can see here, such as user lockouts is relevant, any virus attacks, changing of domain members, and other various different logs as they appear in here.
And something that's good to know about this is that this is out of the box that's going to get you there, so it's kind of like that dipping-your-toes-in-the-water thing that we're trying to get you guys to introduce in with the security postures. As you can turn these on and start monitoring and start, kind of, what's the biggest bang for my buck to make myself secure? If you're noticing that there's events that are coming up that maybe you need to address, AD issues, account accesses, and things of that nature, go there! You know that these are events. We're showing you that these are the events that are coming up there, and then you take away that layer. Right? And so then you're starting to have that baseline of, okay, look. Now if there's the events are coming out, there's something out of compliance, we need to look at it. And this is a great way to learn and showcase from what other people have set up, like the PCI and the HIPAA, so that you can base your company off of. Not saying that you are even medical or credit card vendors, but it's something to think of, especially with GDPR that's coming out. I mean, there's things that we're going to be compliant for and responsible in 2018 that we have to jump on board for.
Yeah, and even though it says PCI events, as you'll see, a lot of these are broader security-related logs that are going to be of interest to you even if you are out of scope for PCI compliance. So, you know, the approach I personally take, in terms of log data, is rather than looking at all these individual logs, I think it's really useful to come into the Ops Center view and actually see that data in a chart or a graph or a table and drilling down from there. So as you can see here, we have some various different resources out of the box, and as it happens, we actually have a PCI one. I click PCI events and I can then drag that to my dashboard here. So now, rather than looking at the raw event log data, I can see here, very easily, I can see there's some account lockouts, there's some file audit failures, there's some user modify attributes, and I can then drill into those logs from there. If I prefer to have, let's say, a pie chart or want to look back, maybe, over the last, say, ten minutes versus five minutes, you click and change that to seconds, hours, or days. And I can then see from here a chart to show me all my PCI relevant information.
I'm going to stop you there for a second.
On SWUG, we were just having this conversation with some of the users out there, and they were curious about the different pie charts or bar charts or however that, LEM, that you want to use your data. And they were like, well, I just don't understand why there's so many of them. We were starting to have the conversation. I was like, to me, if I see a pie chart, it may make sense to me to look at something to see that something that's there. A bar graph may be the way that you represent data and actually see things that come out there. The point is that when we're doing this and we're trying to get you in with your data. Right? We need you to be able to understand the data or it's irrelevant what that chart is. And sometimes visually we respect and respond to different ways that we look at data and it makes more sense. We want to let you have the ability to actually be able to do this, and so once we started explaining that, a lot of people in the audience were like, I use bar. And they're like, ooh, I use pie chart. And it made sense, right? So, play with it, because you may not understand it or see something pinpointed, but when you move the graphs around, it makes a difference. It's that finding the needle in the haystack, and sometimes your haystack may be a pie, and sometimes it may be a bar or a line. It's your choice.
It's totally personal preference. As you can see here, there's a number of options here. Even if you want a table, if you prefer that table view, very easy to change. You can also show via count, or maybe instead of going by event name, you want to see it by user name or you want to see it by time, etc. You can chop and change all these charts and options here. So once you have your chart built, as I said, there's a lot out of the box. You can also create your own custom charts as well based on custom filters, so it's totally customizable. Let's say if I drill into this chart here, I can then see it has now filtered the top PCI event filter based on those events. So I can now go from my high level view into my event logs and I can see all my account lockouts from here. If I wanted to, I can actually then look back historically as well. So I could say, send this information to InDepth, and that will then show me all my PCI relevant information over the last ten minutes, the last hour, 30 minutes, whatever the case may be. So now from a compliance perspective, if I want to see all my relevant logs for the last hour, I can see all the event names here on the left hand side and I can then drill in further from there. So let's say I want to see just virus attacks. I can click in here and have LEM just show me virus attacks over the last hour.
So it's that being able to event correlate and segment these out, and when we were talking about the scorecards, once again, log management, it's vital to be able to do the historical and so you actually have the historical information to go back on, because sometimes when we actually get events or attacks that happen to us--
It's a little bit later than when we know they happened. Right? And so we need to be able to go back, manipulate the data that best allows you to find out the cause, so then we can proactively prevent this in the future. So, the historical realm of being able to pull these events and segment them out as well as draw them out so that you can have a prevention detection, like an alert and things like that that we can go to, is very valid, especially when we're knowing how to use the events in our, you want to use a use case. I'll put it that way.
If you are a use case, it's okay. We can stop it as long as we know what to do. The portion that becomes like, don't let it happen to me again, is now that you can go back and see how that event happened, you need to prevent it so that it doesn't spread and you're aware of it from the get-go instead of later.
Yeah. Right to customers as well in terms of the LEM UI. I always think starting from the left to the right kind of tells a story.
So, the Ops Center view is that high level view of your log data in visual form. You then go to the Monitor section and you can then see, drill down into your event logs as they happen or the last few minutes, and then if you want to come into InDepth and see those over a longer timeframe interact more and have your auto-visualizations here included with the InDepth feature. As you can see, lots of visualizations here too. So, kind of starting high level and drilling down.
Definitely! And go back to where the words were on there. Right here. So, the word cloud itself, when I first seen this, I know I talked about this yesterday too, I was like, who is going to use this? Well guess what, guys? If you have trillions, and you can, trillions of events and things that are going to be within there, and there's a new virus or there's a new file or there's a new event, whichever that's coming out, that right there is the view that I look at, because when it starts to come in and intensifies and that word is getting bigger and there's things that are getting hit, that's that manipulation of data that helps you out. And to me, this right here is a place that I look at for new attacks. Right? New things that are happening on the environment. Because I start to see the actual files, the event, the type, that's coming across there, and me, that's vital when I'm trying to figure out what is going on and how is this coming into play.
Yeah, and you can then interact with that word cloud too. So, if I wanted to say, show me all logs that contain the word domain admins, come in here and it'll then show me the domain admins and again, all the event logs related to that, both visually and the actually the event log itself. So, that's kind of the high level view from your visualization, through your event log, through your historical search. Obviously, when it comes to compliance, to be able to report is quite important. So, Destiny, I'd like to talk about LEM reports.
So when it comes to compliance, we have lots of different reports out of the box. So as you can see here on the left hand side, I have just some of the compliance standards which we have templates for with LEM reports. So, I have PCI, SOX, COBIT, I think NCM, and we already talked about CISP.
GPG, HIPAA, many more. So, when I select one of those templates, I can then see all the relevant reports relating to that compliance standard. So, when audit season comes around and your auditor is asking for, show me your failed authentication on a particular day and, what did you do to remediate that? Or maybe, show me all newly created accounts between two dates. You can come into LEM reports and pull that data.
Because it's all about that audit trail.
Absolutely. [Destiny laughs] So, we'll say, for example, if I wanted, we'll say a top user log-on failure by user. Even from a non-compliance perspective, if you just wanted to identify any accounts that have a high number of logon failures, be it a service account or maybe a more critical admin account that for some reason has a high number of logon failures, scrolling through your raw data, it's going to be very hard to spot a trend there in terms of what machines are involved, reason for failure, date, time, etc. So with LEM reports, we can run this report here, and we can then see immediately these number of service accounts here have an incredibly high number of logon failures over the last two days. I might want to then drill into those accounts and potentially see why they're logging on incorrectly. You could have some admin failures here that could be worth investigating too. So I can see the usernames on the left hand side here, drill into my username, and I can then see the event logs that's driving that visualization there.
Which, it comes down to, I just need to be able to figure out what's going on, and being able to run a report back on the historical data, especially if you start pinpointing in what the actual cause was, right? Then you can go back and see, when did it actually take place? Because I can search back in these and then event correlate. What was the repercussions of this? And coming out, and then show everything.
Yeah. And then with these reports here I can see, what I think is quite important is the failure reasons. You could see, is it a bad username or password? Maybe the username doesn't exist. Maybe the account is already disabled. So, you can easily filter this data to look for particular fields, event IDs, usernames, servers, etc. It's a huge amount of customization you can do with these reports in terms of the filtering. You can also schedule these reports, so, on a weekly base or daily basis, you want to have these reports stored in a PDF, ready to bring up at a moment's notice when your auditor comes along. So, very easy to schedule these reports as well. So, I can select which reports I would like to schedule. Here you can select authentication reports, change management reports, there's network events. As you can see, there's a huge range of reports out of the box.
And if you're familiar with NCM, the change management is huge. And so, to have it server-side also as well as on the network side, I mean, it's kind of like we are the dream team, again! [Both laugh]
So in the schedule option here, you can see all the various different options for scheduling the reports. You can add a schedule here. You can, say I want to run it once a week, once a day. What format to export it in. Check Orion reports. There is a ton of customization you can do here in terms of exports, scheduling, etc. So Dez, I hope that kind of gives you an overview of LEM, what we can do with visualization and drilling down into the event logs, and also running the compliance reports.
Wow, this just makes me think that I can check everything I can now! Like, seriously!
Stop laughing, Dez! Security is a serious business. It's definitely easier to use these tools to help you be more compliant and security ready.
And security can be frustrating, and can also be overlooked until it's too late. And I truly hope that after today, you can and will use one or more of these great tools to help you adjust, adhere to, or even just start a security posture within your own IT organization. Okay, I would like to thank Jamie for joining me today. It's always a pleasure to brainstorm with you so that we can impact all of our security greatness. Right? It's always a pleasure!
Any time, Dez. Delighted to be here. I'm always looking for ways we can be more proactive in stopping security threats, especially with SolarWinds tools.
And I hope you have enjoyed this session and you will begin using your security policies with your tools that you currently have. And there's one more thing that I'd like to add.
What's that, Dez?
User training. I cannot express enough the need to talk with your users and help them understand their role in security within your company. We need to be more proactive in helping others to not be the weakest link in our security chains. And conversations need to be taking place at work, as well as, help them have tips for when they're at home. Okay! I'm going to get off of my high horse and thank you all for joining us and let us know if you have any future ideas for episodes. I'm Destiny Bertucci.
And I'm Jamie Hynds, and thanks for watching SolarWinds Lab.