Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Feature Request - New spin on NPM - Security

I am busy working on a view for my security folks. It dawned on me that with NPM and modules like NTA you can get a 10,000 foot view of your network easily and when something looks odd you can zero in on it and pull the details.

With the bevy of information that Orion can give you after watching the right resources for a few days you can easily baseline "normal" operational parameters and know when something out of the ordinary happens.

This might sound trivial but I think with the current capabilities this is one of the most useful ways to use the product.

So ultimately I think if modules were built or features were added with some security thought processes in mind the product could go a long way to helping that end of the spectrum.

Furthermore something I have asked for in the past I think would help here big time. Which would be the ability to click on a node and get everything that belongs to that node like netflows and alerts, syslog, traps etc you could look at a node and get a great look at whats going on in a single glance.

Find more posts tagged with

Accepted answers

All comments

MarieB

Hi Donald--

Both this request and the one for DB monitoring have been marked for the PM to review.

Thx for the feedback.

bshopp

Can you elaborate on other security stuff you would like to see?

Donald_Francis

To be honest at this point I do not expect a security module. I do not mean that at all, just more thought for security going into the modules there are given the breadth of info SolarWinds captures.

So in reality maybe just more detail and specificity will allow it to be used for a security tool. So things like NTA alerts, single node view where you can see everything about a node in one place, more detail in NTA.

I would guess ultimately it could all be developed further to the point where there were security profiles that could be alerted on or maybe a traffic report on things out of the ordinary and maybe one day possibly a security module.

byrona

I think I understand what Donald is talking about here and it's difficult to describe in specifics... and Donald, please correct me if I am not understanding correctly...

Basically the Security Profiles that he refers to is the ability to have different sets of events that when correlated together would represent a potential security alert. To accomplish this very good correlation capabilities would be needed and all of Orion's different alerting engines (Advanced Alerts, Syslog, Traps, Netflow, etc) would need to be aware of each other via a correlation engine of some form.

I think this is the type of thing that Donald is talking about.

My thoughts...

When I think of security possibilities for SolarWinds to offer I see two different buckets; one is the tool that scans your systems for potential security vulnerabilities and the second is a tool that is more like the one described above that looks for different sets of events that could represent a security breach (or attempted breach) in progress.

I would love to see either or both of these things eventually make it into the SolarWinds line of offerings, combining the two sets of capabilities would make a very strong security product.

To get a good idea of tools that do some of the things mentioned above check out the following products...

Security Scanner

Security Correlation Engine

jswan

Vulnerability assessment and log correlation are both completely new markets that Solarwinds would be trying to break into. Tough job, and very expensive in terms of upfront investment.

The biggest things I think SW could do with existing products to improve security monitoring are:

1) Vastly improved NetFlow search and drilldown capability. I have already been told by at least one Solarwinds PM that they are not at all interested in the security angle of NetFlow analysis, so I've been looking at other products. If SW is considering changing their collective minds on this, I'm all ears.

2) Improved search & policy features in NCM. I know that a lot of this stuff is slated for near-future releases, and I'm really looking forward to them.

3) Better integration of syslog from node details pages. This was mentioned above. Specifically I'd like to see a web interface to syslog that allows things like last N messages, top/bottom N messages by frequency and time window, top/bottom N messages by type, etc. It's important to have the bottom frequency as well as top frequency for security... see the Splunk "rare" command for an example.

4) Integration of command execution from node details page. Instead of just having a SSH button, a window to enter a command would be great (Cisco's ASDM has this function).

byrona

Vulnerability assessment and log correlation are both completely new markets that Solarwinds would be trying to break into. Tough job, and very expensive in terms of upfront investment.

I realize that this would be a new market for them; however, they are already very established in the System Monitoring market and there is some overlap between the two. I have no expectations that they will move in this direction but I would be very interested if they did.

1) Vastly improved NetFlow search and drilldown capability. I have already been told by at least one Solarwinds PM that they are not at all interested in the security angle of NetFlow analysis, so I've been looking at other products. If SW is considering changing their collective minds on this, I'm all ears.
2) Improved search & policy features in NCM. I know that a lot of this stuff is slated for near-future releases, and I'm really looking forward to them.
3) Better integration of syslog from node details pages. This was mentioned above. Specifically I'd like to see a web interface to syslog that allows things like last N messages, top/bottom N messages by frequency and time window, top/bottom N messages by type, etc. It's important to have the bottom frequency as well as top frequency for security... see the Splunk "rare" command for an example.
4) Integration of command execution from node details page. Instead of just having a SSH button, a window to enter a command would be great (Cisco's ASDM has this function).

I would love to see all of these, and specifically #4. Having the more interactive functionality in the product would be wonderful.