
SEM Features to Use When Remote Working Increases

The increase in remote workers due to the Coronavirus is creating some additional challenges for IT, especially in security. I wanted to make sure you were aware of some SolarWinds® Security Event Manager (SEM) features that might help.

  • VPN Availability: With more remote workers, you’ll see more users accessing your systems through VPNs. SEM can provide real-time visibility into your firewall logs to monitor for any issues with a potential impact on your users’ ability to connect to your corporate VPN. With the sheer volume of logs VPN connections can generate, separating the signal from the noise can be a challenge. However, using the SEM live filtering and correlation rule capabilities, you can easily view and alert on important events affecting your VPN. It’s worth checking the number of concurrent VPN sessions your firewalls are currently configured to handle. You don’t want to see a message like %ASA-3-316001: Denied new tunnel to IP_address. VPN peer limit exceeded. This means your firewall has reached the maximum number of VPN connections and new users will be unable to connect.
  • Authentication: As the number of remote workers rises, it may be difficult to monitor who is authenticating or attempting to authenticate to your network. Brute force attacks to gain access to a corporate network are a common approach for attackers, so keeping a close eye on failed VPN logon attempts is vital. The SEM dashboard can be used to identify anomalies and trends based on these authentication logs. Having a range of near real-time widgets can go a long way in identifying a spike in failed authentication attempts for a particular user.
  • Threat Intelligence: Malicious outsiders may try to slip into your systems amid the increased access requests. SEM downloads a list of known bad actors from the internet daily. These known bad actors are generally associated with malicious activity including ransomware, malware, and phishing attacks. Correlation rules are provided out of the box to monitor for any connections to or from these known bad actors. If a user falls victim to a phishing email or malware is executed on their machine while working remotely, the SEM cyberthreat intelligence tool will aim to provide some indicators of compromise.
  • Workstation Monitoring: Just because users aren’t in the office doesn’t mean you should lose visibility into their workstation activity. Deploying the SEM agent to users’ workstations will provide insight into what they’re up to on their machines while working from home. Monitoring USB device usage, file activity, configuration changes, and software installations can help identify unauthorized activity.

Are there other ways you’ve been using SolarWinds SEM to track your infrastructure security as more of your workforce is remote? Post them below.
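As an added illustration of the VPN availability and authentication points above (example code written for this post, not part of SEM or the original post), here is a small log check that flags the %ASA-3-316001 peer-limit message and counts rejected VPN logons per user so a spike stands out. The sample syslog lines are constructed, and the rejected-authentication message format is an assumption modeled on Cisco ASA AAA messages; only the 316001 text comes from the post.

```python
import re
from collections import Counter

# Constructed sample firewall syslog lines (not real captures).
# The 113015 "AAA user authentication Rejected" format is assumed here.
SAMPLE_LOGS = "\n".join(
    [f"Mar 10 09:00:0{i} fw1 %ASA-6-113015: AAA user authentication Rejected : "
     f"reason = Invalid password : server = 10.0.0.5 : user = alice" for i in range(1, 6)]
    + ["Mar 10 09:00:07 fw1 %ASA-6-113015: AAA user authentication Rejected : "
       "reason = Invalid password : server = 10.0.0.5 : user = bob",
       "Mar 10 09:01:00 fw1 %ASA-3-316001: Denied new tunnel to 203.0.113.7. "
       "VPN peer limit exceeded"]
)

# Message from the post: the firewall hit its configured VPN peer limit.
PEER_LIMIT_RE = re.compile(
    r"%ASA-3-316001: Denied new tunnel to ([\d.]+)\. VPN peer limit exceeded")
# Assumed format of a rejected VPN/AAA logon; captures the user name.
AUTH_REJECT_RE = re.compile(r"%ASA-6-113015: .*?user = (\S+)")


def analyze(log_text, fail_threshold=5):
    """Return peer-limit denials and per-user failed logon counts.

    Users whose failures reach fail_threshold are listed as suspects,
    mirroring what a SEM correlation rule would alert on.
    """
    failures = Counter()
    peer_limit_hits = []
    for line in log_text.splitlines():
        m = PEER_LIMIT_RE.search(line)
        if m:
            peer_limit_hits.append(m.group(1))  # peer IP that was turned away
            continue
        m = AUTH_REJECT_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    suspects = sorted(u for u, n in failures.items() if n >= fail_threshold)
    return {
        "peer_limit_hits": peer_limit_hits,
        "failed_by_user": dict(failures),
        "brute_force_suspects": suspects,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

In SEM the same logic is expressed as a live filter on the 316001 event and a correlation rule with a per-user threshold on failed logons; the threshold here is a starting point to tune against your own baseline.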

  • I would also like to mention that waiting for the person to connect to VPN for an agent to upload logs might not be as useful. I recommend using a reverse proxy and forwarding a public port into SEM to access logs from a computer not connected to the VPN. This will give a more semi-real-time approach to tracking issues. If the computer has an internet connection you will have insight into the safety of the computer. Also, a great troubleshooting tool if a person is unable to connect to VPN.

  • Both excellent recommendations. If you can safely place your SEM (or a collector) in a DMZ or utilize a reverse proxy (as you indicated), this is a way to get better details on remote workers.