Monitoring Central Blogs

The SCAR (See – Change – Audit – Request) framework is designed to help you gain control over user permissions across your IT infrastructure. The framework consists of four steps to enhance your overall security posture and audit permissions to your data and resources at any time—while making access rights management more sustainable, efficient, and transparent.

See Your Permissions Infrastructure

Do you know who has access to your most valuable data? A fully transparent access rights structure is crucial for meeting various compliance regulations and audit requirements. To help mitigate threats and reach compliance goals, you need to SEE who has access to specific elements within your systems, data, and files.

Typically, within minutes, SolarWinds® Access Rights Manager (ARM) allows you to generate a report on exactly who has access to what.

Permissions can often prove complex: Admins leave; new admins rework old structures; employees join, move within the company, and leave. This can get overwhelming quickly, and with companies growing organically, access rights to certain resources, folders, and data are not always as transparent as they need to be.
With ARM, you can analyze your permissions structure based on a single user or resource. Typically, within minutes, you can gain a transparent overview of:

  • Nested group structures
  • Overprivileged users
  • Globally accessible directories
  • Members of different groups
  • Empty or recursive groups
  • Inactive accounts

Easily Change Permissions with ARM

ARM is designed to set new standards in the field of changing user permissions, also known as user provisioning. Not only does ARM allow you to change user permissions, group memberships, and other Active Directory parameters, it simplifies the process by enabling help desk and data owners to do so as well. ARM lets you set permission templates by department, helping increase consistency across the organization and streamlining the entire Joiner-Mover-Leaver process.

To learn more about how ARM can help you change your user permissions to demonstrate compliance and gain efficiency, please read our whitepaper, Joiner, Mover, Leaver: User Provisioning with SolarWinds Access Rights Manager.

ARM can help you increase efficiency and demonstrate compliance via access rights delegation to data owners and help desk departments.

Audit Permissions Without the Hassle

We’ve already discussed how ARM allows you to fully SEE your permissions structure and CHANGE access rights within the SolarWinds SCAR framework (See – Change – Audit – Request).

When it comes to auditing permissions and user access rights, on-board tools and scripts often reach their limits. ARM is designed to help you AUDIT your permissions infrastructure anytime and with minimal effort. Whether your audit process is driven by internal requirements or by mandates like GDPR, PCI DSS, HIPAA, or SOX (or all four), detailed reporting is critical to demonstrate compliance.

Read our Top 7 Audit Prep Reports whitepaper to discover what each of the seven reports provides, and how ARM can help you overcome common challenges in the audit process.

These seven reports allow you to audit:

  • User and group access
  • Overprivileged accounts
  • Risky group configurations (empty or recursive groups)
  • Inactive and temporary accounts
  • Insecure account configurations
  • Permissions differences monitoring
  • Historical AD structure

Analyzing Active Directory permissions can quickly become overwhelming. ARM helps IT teams quickly analyze authorizations and access permissions, helping reduce the risk of failed audits and stolen data.

Access Requests Made Simple

We’ve covered how the SolarWinds SCAR framework (See – Change – Audit – Request) and ARM allow you to SEE your permission structure, efficiently CHANGE access rights, and easily AUDIT user access rights.

With SolarWinds Access Rights Manager (ARM), employees can also REQUEST access rights directly from the data owner. Data owners, most often team leads or department heads, know best who should have access to what—and why. With ARM, you can have data owners directly handle access requests from employees with a web-based, self-service permissions portal.

If you already benefit from Microsoft enhanced management and remote controls, ARM can add monitoring, auditing, provisioning, and process optimization.

Want to learn more about ARM? Download a free trial here.

Over the last decade, cybercriminals have gained the necessary resources to make it easier and more lucrative for them to attack small-to-medium-sized businesses. The 2019 Cost of a Data Breach Report not only shows the odds of experiencing a data breach have gone up by a third in less than a decade, but the cost of these data breaches is also on the rise. Additionally, small businesses face disproportionately larger costs than their enterprise counterparts when an attack is successful. This report highlights the importance of SMBs being prepared, now more than ever, to quickly identify and respond to potential cyberattacks.

One common way businesses increase their security posture is by implementing, and actually using, a Security Information and Event Management tool—SIEM for short. A SIEM solution, at its core, aggregates and normalizes log and event data from across an entire network, making it easier to identify and respond to attacks, compromised data, and security threats.

However, many SMBs feel a SIEM solution is out of reach for their organizations for three main reasons:

  1. Complexity
    The complexity starts right away with most traditional SIEM vendors. Connecting different log sources often requires building parsers or writing (and possibly first learning) RegEx to ingest and normalize log data. Once the data has been consolidated, recalling it adds another layer of complexity. For example, wanting to see logins from a particular user can require writing a query in a language created specifically for that SIEM. Additionally, feature bloat often makes it difficult to know how to find answers to simple questions.

  2. Expertise Requirements
    A SIEM is only as effective as the rules put in place to identify, alert on, and respond to potential threats. Without a deep understanding of the types of activities captured by logs, and of the behaviors that indicate malicious or risky activity, setting up the rules can be daunting, especially if the SIEM doesn’t come with any pre-built rules. With limited time, and a scarcity of available security professionals, setting up a SIEM can seem like too big of a project to take on.

  3. Expense
    Aggregating all log and event data in one place is ideal. However, the licensing models of many SIEM solutions can quickly price out SMBs. Many of the most common SIEM solutions on the market are SaaS products whose price changes based on the log volume being sent to the product. This leads to two main problems: pricing is unpredictable, and/or IT pros need to cherry-pick which logs they will collect and store, and hope they picked the right ones.
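As an added example, not code from the original post or from SolarWinds, here is what the two hard parts described above, normalization and rule writing, look like when done by hand. It ingests constructed sample lines in two formats (a Windows Security event flattened to key=value pairs, where EventID 4625 is a failed logon and 4624 a successful one, and OpenSSH syslog lines), maps them onto one schema, answers the "logins for this user" question, and runs a correlation rule that flags five or more failed logons from one source address within five minutes regardless of which host or log source recorded them. The sample lines, regular expressions, field names and threshold are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines, not exported from any real system. Two formats a SIEM
# would have to normalize: a Windows Security event flattened to key=value pairs
# (EventID 4625 = failed logon, 4624 = successful logon) and OpenSSH syslog lines.
RAW_LOGS = [
    "2019-09-03T10:00:01Z dc01 EventID=4625 TargetUserName=alice IpAddress=203.0.113.9",
    "Sep  3 10:00:05 web01 sshd[4711]: Failed password for alice from 203.0.113.9 port 51022 ssh2",
    "2019-09-03T10:00:09Z dc01 EventID=4625 TargetUserName=alice IpAddress=203.0.113.9",
    "Sep  3 10:00:14 web01 sshd[4711]: Failed password for alice from 203.0.113.9 port 51023 ssh2",
    "2019-09-03T10:00:20Z dc01 EventID=4625 TargetUserName=alice IpAddress=203.0.113.9",
    "Sep  3 10:00:31 web01 sshd[4712]: Accepted password for alice from 203.0.113.9 port 51024 ssh2",
    "Sep  3 10:02:00 web01 sshd[4713]: Failed password for bob from 198.51.100.7 port 40000 ssh2",
    "Sep  3 10:02:30 web01 CRON[4714]: pam_unix(cron:session): session opened for user root",
]

# Hand-written parsers: this is the "build a parser or learn RegEx" step.
WIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"
)
SSH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)
WIN_OUTCOME = {"4624": "success", "4625": "failure"}


def normalize(line, syslog_year=2019):
    """Map one raw line onto a common schema; return None if nothing matches."""
    m = WIN_RE.match(line)
    if m and m["eid"] in WIN_OUTCOME:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
                "action": "logon", "outcome": WIN_OUTCOME[m["eid"]], "source": "windows"}
    m = SSH_RE.match(line)
    if m:
        # Classic syslog timestamps carry no year, so the collector has to supply one
        # (an assumption here; a real pipeline would take it from the collector clock).
        ts = datetime.strptime(f"{syslog_year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        outcome = "success" if m["outcome"] == "Accepted" else "failure"
        return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
                "action": "logon", "outcome": outcome, "source": "sshd"}
    return None


def normalize_all(lines):
    """Normalize and time-order everything that parsed; unmatched lines are dropped."""
    events = [e for e in (normalize(l) for l in lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def logons_for(events, user):
    """The 'show me logins for this user' question, answered without a query language."""
    return [e for e in events if e["action"] == "logon" and e["user"] == user]


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: at least `threshold` failed logons from one source address
    inside `window`, counted across hosts and log sources. Each alert also records
    whether the same address later logged on successfully, the case to chase first."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "logon":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                success_after = any(e["outcome"] == "success" and e["ts"] >= first["ts"]
                                    for e in evs)
                alerts.append({"src": src, "failures": len(burst),
                               "users": sorted({e["user"] for e in burst}),
                               "hosts": sorted({e["host"] for e in burst}),
                               "followed_by_success": success_after})
                break  # one alert per source; don't re-fire for every sub-window
    return alerts


if __name__ == "__main__":
    evs = normalize_all(RAW_LOGS)
    print(f"{len(evs)} events normalized; alice logons: {len(logons_for(evs, 'alice'))}")
    for a in brute_force_alerts(evs):
        print(a)
```

Run it directly to print the alert. The two regexes are the part the post warns about: every new log format needs another one, and a field that moves or a timestamp without a year breaks the rule silently, which is the practical argument for pre-built connectors.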

At SolarWinds we understand how important it is for IT pros at SMBs to gain valuable time back and automate as much as possible—including threat detection and response. That’s why we built Security Event Manager (SEM). It’s a SIEM solution built for resource-constrained IT pros needing to advance their organization’s security beyond patching, backups, and firewall configurations. SEM is designed to provide the most essential functions of a SIEM to help improve security posture, more easily meet compliance requirements, and reduce the time and complexity of an audit.

How Does SolarWinds Security Event Manager Differ From Other SIEM Products?

  1. Easy to Deploy and Use
    Deployment is flexible via virtual appliance potentially located on-premises or in the public cloud (such as Azure or AWS). Many users report SEM is up and running within fifteen minutes, no professional services required. Log collection and normalization is done by either enabling one or more of the hundreds of pre-built connectors and sending logs to SEM or by deploying the SEM agent.

    It has a simple and clean UI focused on the features SMBs find most important, such as a dashboard that helps visualize trends and patterns in log and event data, and a quick keyword search that provides faster log recall without the need to learn a specialized query language.

  2. Provides Expertise and Value Out of the Box
    Finding value with the tool will not be an issue. An integrated threat intelligence feed and hundreds of pre-defined filters, rules, and responses not only make it faster and easier for users to identify threats, but also automate notifications or corrective actions.
    Beyond identifying and responding to threats, the pre-built reports make demonstrating compliance a breeze.
    The best part is users aren’t confined to out-of-the-box content. As their organization’s needs change and grow, or as they become better acquainted with the tool, the pre-defined content, visualizations, and reports can be adapted.

  3. Priced With SMBs in Mind
    SolarWinds® Security Event Manager has a simple licensing model. SEM is licensed by the number of log-emitting sources sent to the tool. No need to pick and choose which logs to send, and no need to worry about a large influx of logs breaking your budget. Users get all the features of SEM and industry leading support for a single price. The pricing model is built to scale with the user’s environment, the price per node dropping at higher tiers. For those looking to monitor workstations, infrastructure, and applications, special discounted pricing is available. Same deal, one price for all features, for each workstation.

If you’re an IT pro at an SMB looking to get a better handle on cyber security or compliance reporting, give SEM a shot. You can download a free, 30-day trial here.

Change control. In theory it works. However, there’s always one person who thinks the process doesn’t apply to them. Their justification for going rogue may sound something like, “There’s no time to wait, this has to be done now,” and, “This is a small change, it won’t impact anything else,” or maybe, “This change will make things better.”

But at the end of the day, those changes inevitably end up crashing a service, slowing application performance, or even worse, opening new vulnerabilities. The call will come in, something’s broken and magically no one will know why on earth it’s happening and, they certainly won’t be able to remember if any changes occurred…or who made a change. There goes the rest of your day, looking for the root cause of an issue created by one of your own coworkers.

Recently, Head Geeks Thomas LaRock (sqlrockstar) and Leon Adato (adatole) hosted a THWACKcamp session on this exact topic. In their scenario the culprit was “Brad the DBA.” At SolarWinds, we understand this all-too-common scenario and have a tool designed to help.

SolarWinds® Server Configuration Monitor (SCM) provides an easy-to-use and affordable way to track when server or application configuration changes are made, who made them, and what the differences are between the old configuration and the new one. It detects, tracks, and alerts on changes to hardware, software, operating systems, text and binary files, the Windows Registry, and script outputs on Windows® and Linux® servers.
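To make concrete what such change tracking does under the hood, here is an added example in Python (not SCM’s code and not from the original post). It compares a baseline snapshot of monitored files with the current one using content hashes, produces a unified diff for each changed file, and scans the added lines for settings that weaken the host, so an alert can say what changed rather than only that something did. The file contents, paths and risky-setting patterns are constructed; attributing a change to a user needs OS audit data (for example auditd or Windows file-system auditing), which this offline example does not include.

```python
import difflib
import hashlib
import re

# Constructed snapshots of monitored files on one server, taken at two points in
# time. A real agent would read the files from disk (and record who changed them
# from OS audit data); here the contents are embedded so the example runs offline.
BASELINE = {
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/app/app.conf": "workers=4\ndebug=false\n",
    "/etc/app/old.conf": "legacy=true\n",
}
CURRENT = {
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/app/app.conf": "workers=4\ndebug=false\n",
    "/etc/app/extra.conf": "feature_x=on\n",
}

# Added lines that weaken a security setting; constructed patterns for the demo.
RISKY_ADDITIONS = [
    (r"^PermitRootLogin\s+yes\b", "root SSH login enabled"),
    (r"^PasswordAuthentication\s+yes\b", "SSH password authentication enabled"),
    (r"^debug\s*=\s*true\b", "debug mode enabled"),
]


def fingerprint(snapshot):
    """Content hash per path; comparing hashes is how a monitor notices a change
    cheaply before spending effort on a line-level diff."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in snapshot.items()}


def unified_diff(path, before, after):
    """Line-level diff in the familiar unified format, labelled by snapshot."""
    return "".join(difflib.unified_diff(
        before.splitlines(keepends=True), after.splitlines(keepends=True),
        fromfile=f"{path} (baseline)", tofile=f"{path} (current)"))


def risky_lines(diff_text):
    """Scan only the '+' lines of a diff for settings that weaken the host."""
    findings = []
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue
        added = line[1:]
        for pattern, why in RISKY_ADDITIONS:
            if re.search(pattern, added):
                findings.append((added, why))
    return findings


def detect_changes(baseline, current):
    """One record per added, removed or modified path, carrying the diff and any
    risky additions, so an alert can say what changed and not just that it did."""
    before, after = fingerprint(baseline), fingerprint(current)
    changes = []
    for path in sorted(set(before) | set(after)):
        if path not in after:
            changes.append({"path": path, "kind": "removed", "diff": "", "risky": []})
        elif path not in before:
            diff = unified_diff(path, "", current[path])
            changes.append({"path": path, "kind": "added", "diff": diff,
                            "risky": risky_lines(diff)})
        elif before[path] != after[path]:
            diff = unified_diff(path, baseline[path], current[path])
            changes.append({"path": path, "kind": "modified", "diff": diff,
                            "risky": risky_lines(diff)})
    return changes


if __name__ == "__main__":
    for c in detect_changes(BASELINE, CURRENT):
        print(f"{c['kind']:8} {c['path']}")
        print(c["diff"], end="")
        for line, why in c["risky"]:
            print(f"  !! {why}: {line}")
```

Run as a script it prints three changes; the sshd_config one carries the flagged `PermitRootLogin yes` line. Scheduling this against a stored baseline is the whole trick: the hash comparison is cheap enough to run often, and the diff is only computed for files whose hash moved.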

Additionally, SCM is an Orion Platform-based module, meaning you can quickly correlate configuration changes with infrastructure and application performance metrics in a single view, which helps confirm or rule out a configuration change as the culprit.

These capabilities help provide the visibility needed not only to remediate issues faster, but also to hold non-process-abiding team members accountable for their actions. If you’re tired of the shenanigans created by your colleagues not following the change control process for your servers and applications, check out a free, 30-day trial of Server Configuration Monitor. And just for fun, if you have a good story of how “Brad” broke your day, feel free to share below!

After all the education, all the measures, there are two almost inevitable truths in IT security: Some users will reuse their passwords and data breaches will happen—leading to exposed and misused credentials.

These two facts combined spell trouble. Account takeover kind of trouble.

Your own password strategy is likely solid. You use strong, unique passwords and enable multi-factor authentication wherever you can—modern-day table stakes, right?

Do you think everyone in your organization is as careful? You never know whether their Outlook or Salesforce password is the same one they used to sign up for a Smash Mouth fan forum running on vBulletin, last updated in 2011.

We’re not even talking about your organization when it comes to data breaches—the IT pros do their best to ensure breaches won’t happen. But that vBulletin forum is easy pickings. Once breached, the hacker has half of what they need—the password. Even serious services and organizations are regularly breached and pilfered.

Mix these two together, add some credential stuffing tools, and you have an account takeover—using legitimate, but stolen, credentials to access your systems and data.

What to do about it? Other than to think “We’re not an interesting-enough target” (false) or it’s not something to worry about (false).

We’re excited to have a new tool to help you get some power back to your hands: SolarWinds® Identity Monitor. We’ve partnered up with security experts at SpyCloud to give you a chance to act before the bad actors do.

In true SolarWinds fashion, Identity Monitor is an easy-to-use product:

You sign up with your business email address, add any other company email domains to a watchlist, and then get notified whenever any emails and credentials belonging to your organization appear in a data breach. You also have access to the extensive past breach history for your monitored domains.

With an early notification, you can act and protect your accounts from account takeover attempts, for example forcing a password reset.

Ready to see where you stand? Start with a free check of your email breach exposure and see the stats of how many personal records in your domain were exposed and when. Fingers crossed!

In the past, the importance of access rights management had to wait in line behind trending topics like hybrid infrastructures, digitalization, cloud, and the latest new tools the C-level wants to have and implement. As a result, access rights management in companies often lacks transparency, is organically grown, and doesn’t follow best practices like the principle of least privilege.

Even though managing user access rights is an essential part of every administrator’s work, there are different ways of doing it. However, looking at all the systems, tools, and scripts out there, most admins share the same big pain points.

Earlier this year, we asked our THWACK® community about their biggest pain points when it comes to access rights management and auditing. Turns out the biggest factors are:

  1. Moving, adding, or changing permissions
  2. Running an audit/proving compliance
  3. Understanding recursive group memberships

1. Moving, Adding, or Changing Permissions

The flexibility of today’s working world requires a well thought-out user provisioning process. Whether for a new user, a short-term assignment, department changes, or temporary projects, the expectations of an IT group are to accurately and quickly provision users while helping to maintain data security.

IT departments are typically responsible for securing a network, managing access to resources, and keeping an overview of permissions and access rights policies. Therefore, they should use a provisioning framework. SolarWinds® Access Rights Manager (ARM) is designed to help address the user provisioning process across three phases—joiners, movers, and leavers.

SolarWinds Access Rights Manager not only helps automate the joiner or initial provisioning phase, it also allows admins to quickly perform changes and remediate access rights while enabling data owners.

Creating and Moving User Access Permissions

With ARM, you can control the creation of new user accounts, rights management, and account details editing.

Its user provisioning tool allows you to set up new users typically within seconds. Users are generated in a standardized manner and in conformity with the roles in your company. The access rights to file servers, SharePoint sites, and Exchange as defined in the AD groups are issued at the same time. ARM generates a suitable email account so the new colleague can start work immediately. You can schedule the activation to prepare for the event in the future or to limit the access period for project work. Whether help desk or data owner, participants work with a reduced, simple interface in both cases.

All access rights are set up in a few steps.

On the start screen under “User Provisioning,” you can choose from the most important quick links for:

  • Creating a user or a group
  • Editing group memberships
  • Editing access rights for resources

By choosing “Create new user or group,” ARM allows you to create a user or group based on preset templates. These user and group templates have to be created individually one time after installing ARM.

For further information please download our whitepaper: Joiner, Mover, Leaver: User Provisioning With SolarWinds Access Rights Manager

2. Running an Audit/Proving Compliance

With ARM, you can either create reports on users/groups or resources along with further filters.

Just looking at reports for Active Directory, you could create views for:

  • Where users and groups have access
  • Employees of manager
  • Display user account details
  • Find inactive accounts
  • OU members and group memberships
  • User and group report
  • Identify local accounts
  • And many more

While creating a report, you can set different selections such as the users or groups you’d like to report on and the resources you would like details about.

Additionally, you can set up scheduled reports, which you can send directly by email to yourself, your auditor, or your direct line manager if needed.

To gain more insight on the reporting capabilities of ARM, please see our whitepaper: Top 7 Audit-Prep Reports

3. Understanding Recursive Group Memberships

Groups can be members of other groups. Active Directory allows "children" to become "parents" within their own family tree. If the nested group structure loops in a circular way, group membership assignments become ineffective and nonsensical. Through these recursions or circular nested groups, every user who is a member of any of the recursive groups is granted all the access rights of all the groups. The consequence is a confusing mess of excessive access rights.

ARM automatically identifies all recursions in your system. We highly recommend removing the recursion by breaking the chain of circular group memberships.

ARM not only allows you to see circular or recursive groups, but directly correct group memberships and dissolve recursions.
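An added example (not ARM’s code and not from the original post) of how the recursive-group analysis above, and the nested-group and empty-group items listed in the SCAR post earlier on this page, can be computed from directory data. It runs a depth-first search over a constructed nesting graph to find loops and the back edge that closes each one, resolves effective membership without looping forever, and shows that every user on the cycle reaches every share granted to any group on it. Group names, user names and share paths are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed directory data, not exported from any real Active Directory. Each
# group maps to its direct members; a member that is itself a key is a nested
# group, anything else is a user account.
MEMBERS = {
    "Finance": ["Finance-Reports", "alice"],
    "Finance-Reports": ["Finance-Admins", "bob"],
    "Finance-Admins": ["Finance", "carol"],   # this edge closes the loop
    "HR": ["HR-Staff"],
    "HR-Staff": ["dave"],
    "Legacy-Project": [],
}

# Which groups are granted access to which shares (constructed).
ACLS = {
    r"\\fs01\finance": ["Finance"],
    r"\\fs01\finance-reports": ["Finance-Reports"],
    r"\\fs01\admin-tools": ["Finance-Admins"],
    r"\\fs01\hr": ["HR"],
}


def find_cycles(members):
    """Depth-first search over the nesting graph. Returns one entry per cycle:
    the groups on the loop and the back edge whose removal breaks it."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)
    path, cycles = [], []

    def visit(group):
        colour[group] = GREY
        path.append(group)
        for member in members.get(group, []):
            if member not in members:        # a user, not a nested group
                continue
            if colour[member] == GREY:       # already on the current path: a loop
                cycles.append({"groups": path[path.index(member):],
                               "back_edge": (group, member)})
            elif colour[member] == WHITE:
                visit(member)
        path.pop()
        colour[group] = BLACK

    for g in members:
        if colour[g] == WHITE:
            visit(g)
    return cycles


def effective_users(members, group, _seen=None):
    """Transitive membership. The `_seen` set is what stops a recursive group from
    sending this into an infinite loop, the failure mode ad-hoc scripts usually hit."""
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in members.get(group, []):
        if member in members:
            users |= effective_users(members, member, seen)
        else:
            users.add(member)
    return users


def resources_for_user(members, acls, user):
    """Everything the user can reach once nesting is resolved."""
    return sorted(share for share, groups in acls.items()
                  if any(user in effective_users(members, g) for g in groups))


def empty_groups(members):
    return sorted(g for g, m in members.items() if not m)


if __name__ == "__main__":
    for c in find_cycles(MEMBERS):
        print("cycle:", " -> ".join(c["groups"]), "| break by removing", c["back_edge"])
    for g in ("Finance", "Finance-Reports", "Finance-Admins"):
        print(g, "effectively contains", sorted(effective_users(MEMBERS, g)))
    print("carol can reach", resources_for_user(MEMBERS, ACLS, "carol"))
    print("empty groups:", empty_groups(MEMBERS))
```

Running it shows the point made above: carol was only ever put in Finance-Admins, yet she reaches all three finance shares, and so do alice and bob. Removing the reported back edge (Finance-Admins no longer containing Finance) is the minimal change that dissolves the recursion; re-run the cycle finder afterwards, because a directory with one loop often has several.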

To keep an eye on the most common access-based risk levels, ARM provides a risk assessment dashboard with the eight biggest risk factors and lets you correct your individual risk levels right away.

Get your free ARM trial and do your risk assessment here.

Hello fellow data geeks! My name is Joshua Biggley and I am an Enterprise Monitoring Engineer for a Fortune 15 company. I’m also fortunate enough to be a remote worker and part of an amazing team. One of my favourite career achievements was to be named Canada’s only SolarWinds THWACK Community MVP in 2014.

I joined the THWACK Community in 2008, shortly after moving to beautiful Prince Edward Island on the East Coast of Canada. I’ve attended THWACKcamp for at least one session since its inception 7 years ago, but have been a regular attendee for the past 4 years. Humble brag moment -- I had the opportunity to join Leon Adato (@adatole) and Kate Asaff (@kasaff) for THWACKcamp 2016 in presenting the session Troubleshooting with SolarWinds - The Case of the Elusive Root Cause. Leon has been a friend and (short-lived) colleague since 2014 and Kate has quite literally saved my bacon in one of my biggest challenges as a Monitoring Engineer. Sharing the THWACKcamp stage with these two superheroes was beyond awesome! Last year, I was humbled to have my team and me win the Carmen Sandiego Award at THWACKcamp 2017. Our team is entirely remote engineers and having our work recognized for both the high-performance technical and inter-team collaboration we embrace was a highlight of my year. Will 2018 be able to top it?

I think these two sessions will give 2017 a run for its money, even if I don’t win another THWACK award!

Day 2

Oct 18 @ 10AM CT

What Does It Take to Become a Practice Leader?

Too many organizations view monitoring, alerting, and event management as a necessary evil. It is often relegated to the “All other duties as assigned by your supervisor” category. As organizations mature, finding monitoring engineers becomes a challenge. It’s not just about someone who knows how to use the SolarWinds products you own (you are using SolarWinds products, aren’t you?) but finding someone who can explain why monitoring, alerting, and event management are so important. They need to explain to their peers, their management, and the business why monitoring needs to be a practice not an afterthought. They need to be a data geek. They need to be a storyteller.

Patrick Hubbard, Phoummala Schmitt, and Theresa Miller bring decades of experience and, more important, are recognized leaders in the industry. Discovering how they went from junior analyst to practice leaders will help me understand and explain to others how to make that journey. As a practice leader in my full-time job as well as freelance work, being able to help others understand that they can be leaders is crucial to the health of monitoring as a practice. My colleagues and I have worked very hard to elevate monitoring to the respect it deserves. In 2019, we will be starting an internal Community of Excellence that focuses on monitoring, alerting, and event management plus my very favourite new focus -- observability!

Day 1

Oct 17 @ 12PM CT

Observability: Just A Fancy Word for Monitoring? A Journey From What to Why

Observability and high-cardinality data are sultry words to any data geek. Observability was introduced in the 1960s as part of a paper written by Rudolf E. Kálmán entitled “On the General Theory of Control Systems”. If the status of a system can be known simply by examining the outputs of that system, the system is considered observable. In recent years, the idea of observability has been embraced by systems engineers as applications have moved from bare-metal to virtualized to containerized to serverless. Instead of monitoring the things that allow your system to do what it does, we’re now measuring how the system does what it does without much concern for why.

Of all of the sessions at THWACKcamp 2018, this is the one I would want every engineer, every application developer, every CTO --- OK, pretty much everyone who is involved in building, supporting, and managing any critical application anywhere -- to watch. Application Performance Management is coming to every organization. If you deliver any services through an application, APM provides the insight and observability is the methodology for measuring those insights.

Do I sound a little passionate about observability?  What?!? Only a little?!? Observability is my new passion. I recently wrote a white paper that defined an APM strategy and the foundation was observability. This idea of observability is probably the most important shift in our industry in 20 years. Unnecessary hyperbole? Maybe, but I think there are seminal moments in every industry and this focus on observability is going to be one of them. I’m Canadian, would I steer you wrong?

Keeping a network up and running is a full-time job, sometimes a full-time job for several team members! But it doesn’t have to feel like a fire drill every day. Managing a network shouldn’t be entirely reactive. There are steps you can take and processes you can put in place to help reduce some of the top causes of network outages and minimize any downtime.

1. The Problem: Human Element

The dreaded “fat finger.” You’ve heard the stories. You may have done it yourself, or been the one working frantically late into the night or over a weekend to try to recover from someone else’s mistake. If you’re really unlucky (like some poor employee at Amazon® last spring), the repercussions can be massive. No one needs that kind of stress.

The Protection:

First, make sure only the appropriate people have access to make changes. Have an approval system built in. And, since even the best of us can make mistakes, ensure you have a system that allows you to roll back changes just in case.

2. The Problem: Security Breaches

Network security is becoming more critical every day. People trying to break into systems get better, and users’ privacy needs get higher. There are many critical elements to keeping your network secure, and it’s important not to miss any. It doesn’t do any good to deadbolt your door when your window is wide open.

The Protection:

Protect your devices from unauthorized changes. Monitor configurations so you can be alerted to any changes, see exactly what was changed, and know what login ID was used to make the change. Also, you should be regularly auditing your device configurations for vulnerabilities. Whether you have custom policies defined for your organization or need to comply with HIPAA, DISA STIG, SOX, or other industry standards, continuously monitoring your devices to help ensure your network stays compliant is one way to help.
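As an added example (not NCM’s code and not from the original post), here is the shape of a configuration audit: a handful of policy rules, each either requiring a line or forbidding one, some scoped to a stanza such as the vty lines, evaluated against a constructed Cisco IOS-style running config and against the same config after remediation. The configs, rule identifiers and patterns are assumptions written for this example, not an excerpt from DISA STIG or any other published standard.

```python
import re

# Constructed running-config excerpts in Cisco IOS style, not from a real device.
# The first is the "before" with several weak settings; the second is the same
# device after remediation.
WEAK_CONFIG = """\
hostname edge-rtr-01
service password-encryption
ip http server
banner motd ^C Authorized access only ^C
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
line con 0
 exec-timeout 10 0
"""

HARDENED_CONFIG = """\
hostname edge-rtr-01
service password-encryption
no ip http server
ip http secure-server
banner motd ^C Authorized access only ^C
snmp-server community Zq8-example-r0 RO
line vty 0 4
 transport input ssh
 exec-timeout 10 0
line con 0
 exec-timeout 10 0
"""

# A small policy in the spirit of vendor hardening guides; the rule ids and
# wording are constructed. `required` True means the pattern must be present,
# False means it must be absent. `section` scopes a rule to the child lines of
# matching stanzas (for example only the vty lines, not the console).
POLICY = [
    {"id": "SVC-01", "desc": "password encryption enabled",
     "pattern": r"^service password-encryption$", "required": True},
    {"id": "MGMT-01", "desc": "plaintext HTTP server disabled",
     "pattern": r"^no ip http server$", "required": True},
    {"id": "MGMT-02", "desc": "telnet not accepted on vty lines",
     "section": r"^line vty", "pattern": r"^transport input .*\btelnet\b", "required": False},
    {"id": "MGMT-03", "desc": "vty idle timeout not disabled",
     "section": r"^line vty", "pattern": r"^exec-timeout 0 0$", "required": False},
    {"id": "SNMP-01", "desc": "no default SNMP community strings",
     "pattern": r"^snmp-server community (public|private)\b", "required": False},
    {"id": "BANR-01", "desc": "login banner configured",
     "pattern": r"^banner (motd|login)\b", "required": True},
]


def sections(config):
    """Split an IOS-style config into {stanza header: [indented child lines]}.
    Top-level commands become headers with no children."""
    out, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            out[current].append(line.strip())
        elif line.strip():
            current = line
            out.setdefault(current, [])
    return out


def audit(config, policy):
    """Evaluate every rule; each result carries the matching lines as evidence."""
    stanzas = sections(config)
    results = []
    for rule in policy:
        rx = re.compile(rule["pattern"])
        if "section" in rule:
            srx = re.compile(rule["section"])
            hits = [f"{hdr}: {child}" for hdr, children in stanzas.items()
                    if srx.search(hdr) for child in children if rx.search(child)]
        else:
            hits = [hdr for hdr in stanzas if rx.search(hdr)]
        compliant = bool(hits) if rule["required"] else not hits
        results.append({"id": rule["id"], "desc": rule["desc"],
                        "compliant": compliant, "evidence": hits})
    return results


def violations(results):
    return [r["id"] for r in results if not r["compliant"]]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        res = audit(cfg, POLICY)
        print(f"{name}: violations {violations(res)}")
        for r in res:
            if not r["compliant"]:
                print(f"  {r['id']} {r['desc']}: {r['evidence'] or 'required line missing'}")
```

Each result keeps the matching lines as evidence, which is what an auditor asks for next. Scoping the vty rules to their stanza is what stops a sane console timeout from masking a disabled one on the remote lines; the same mechanism is how a policy distinguishes an interface-level setting from a global one.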

3. The Problem: Lack of Routine Maintenance

Over time, networks can become messy and disorganized if there aren’t standards in place, increasing both the risk of errors and the time needed to resolve them.

The Protection:

Network standardization simplifies and focuses your infrastructure, allowing you to become more disciplined with routines and expectations. Naming conventions, standard MOTD banners, and interface names are just a few things you can do to help troubleshoot and keep a balance within your team and devices, allowing for better management and less human error.

4. The Problem: Hardware Failures

It’s not if hardware will fail, but when. Are you ready to make a speedy recovery? When a device unexpectedly goes down, it can have a big impact, depending on which device it is and what redundancies you have in place.

The Protection:

Ensure you can quickly recover a device or bring a replacement online by having device configurations backed up automatically, so a new device can be restored from the last known-good configuration.

5. The Problem: Firmware Issues / Faults in the Devices

When you support hundreds of devices, required firmware updates can be tedious, and executing commands over and over increases the risk of error.

The Protection:

With network automation, you can easily manage rapid change across complex networks. Bulk deploy configurations to ensure accuracy and speed up deployment times.

Increase your uptime and reduce the challenges of keeping your network running smoothly so you can focus on other projects. With SolarWinds® Network Configuration Manager, you can bulk deploy configuration changes or firmware updates, manage approvals, revert to previous configurations, audit for compliance, and run remediation scripts. Take action today to reduce these five causes of network outages.

We just can't have anything nice, now can we?  Oh, well. We knew there would be new vulnerabilities and ransomware attacks in 2018. However, this time hardware is the culprit, and patching is not going to be a cure-all for the situation. Consider yourself warned: expect more slowdowns in 2018.

Stop and think about this for a second: as the days progress, we are literally learning how much this new vulnerability impacts us. Anyone who says they have the full solution is not being honest with you or themselves. What I would like to do is help you to see how you can use the tools you likely already have to make you more aware of past, present, and future vulnerabilities and threats. That said, let's move on to the importance of using SolarWinds tools to do just that.

SolarWinds® Patch Manager will allow you to update your Windows® machines to their Microsoft® patches. If you are currently using this product, you should already be scheduling and looking for these. I discovered that there can be some issues with third-party Windows antivirus or you might get the BSOD. Read more here, because the awesome chart helps clarify these issues and how to prevent them from happening to you.

Further, Patch Manager will allow you to schedule and report on your Windows devices regarding updates. The reporting is key to showcase your compliance and, in this case, start your baseline. Plus, just because you update your devices does not mean you are 100% in the clear. Updating your third-party packages is an added bonus with Patch Manager, a fact that is often overlooked though desperately needed.     

SolarWinds® Server & Application Monitoring (SAM) will help you validate your business, yourself, and your vendor support for any degradation that patching may have on your applications. This is something you will want to have in place as soon as possible. It allows you to see any anomalies that may present themselves to your applications after the patching is applied. And because SAM is multi-vendor, you’ll be able to address even broad-scale hardware issues. The avid SAM users among you will likely know even more tricks for using the software, and I encourage you to share your knowledge in the comments to help us all be more aware in terms of application-centric monitoring.

SolarWinds® Network Configuration Manager (NCM) helps when there are firmware upgrades/updates that need to be applied to impacted network devices. It also helps you to roll these out. There is a compliance reporting function built into NCM that will assist with audits automatically. Remember, this incident is ongoing, which makes NCM’s ability to import very helpful. In fact, you can plug into firmware vulnerability warnings provided by the National Institute of Standards and Technology (NIST). This puts you even further ahead of future vulnerabilities.

SolarWinds® Network Performance Monitor (NPM) is all about the baseline. If you have ever been to one of our SWUGs, you have heard me preach endlessly about baselines and their extreme importance. However, I understand that sometimes you need black and white in front of you to truly understand this. The mindset I’m currently following regarding this vulnerability looks something like this:

  1. Patched and we have our checkbox
  2. Monitoring our application performances
  3. Ready for updates to needed network devices
  4. Monitoring the common vulnerabilities database
  5. Waiting for any anomaly that may present its ugly face (my favorite)

We can now show that we have implemented the patching to put a Band Aid® on the issues that could present themselves. However, as I’ve already mentioned, this is not a full fix. A hardware option would be the best solution, but is obviously not available to billions of devices at this time. YOU ARE THE FIRST RESPONDER!

Using NPM in combination with the other tools that I have outlined allows you to verify the patching and the results. Also, if there are ticks or drops or spikes that do NOT match your current baseline, you can share that solid reporting and documentation with your vendor to work out the possible issue, which makes you part of the solution. Is there anything better than working at the edge of technological advancements to create countermeasures to vulnerabilities? NO. The answer is a solid NO.

If you don’t already have it in place, set up threshold alerting and monitoring on critical devices that are housing your applications. That helps ensure that you are alerted to anything out of the ordinary, allowing you to get things back on track. It also shows your team and other departments that you are fully invested in the integrity of application uptime and performance. Also, if you have DevOps, you really need the documentation and baselines to prove that perhaps the performance issue is not the in-house application, but an actual patching issue. That, right there, can save a lot of unneeded cycles through rabbit holes.
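The baseline-and-threshold idea above, as an added illustration (this is not SolarWinds NPM or SAM code): a baseline is summarized from pre-patch readings of one metric, and post-patch readings that fall outside the band are flagged so they can be documented and shared with the vendor. The response-time samples are constructed, and the three-standard-deviation band and the 20-sample minimum are assumptions chosen for the example.

```python
"""Baseline-deviation alerting for an application metric.

Added illustration, not SolarWinds NPM/SAM code: it shows the idea the post
describes (record a baseline, then flag post-patch readings that fall outside
it) on constructed response-time samples in milliseconds.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float
    k: float = 3.0  # tolerance band in standard deviations (assumed value)

    @property
    def upper(self) -> float:
        return self.mean + self.k * self.stdev

    @property
    def lower(self) -> float:
        # response times cannot be negative; clamp the band at zero
        return max(0.0, self.mean - self.k * self.stdev)


def build_baseline(samples, k=3.0, min_samples=20) -> Baseline:
    """Summarize pre-change samples; refuse to baseline on too few points."""
    if len(samples) < min_samples:
        raise ValueError(f"need at least {min_samples} samples, got {len(samples)}")
    return Baseline(mean(samples), pstdev(samples), k)


def find_anomalies(baseline: Baseline, observations):
    """Return (index, value, 'high'|'low') for observations outside the band."""
    out = []
    for i, v in enumerate(observations):
        if v > baseline.upper:
            out.append((i, v, "high"))
        elif v < baseline.lower:
            out.append((i, v, "low"))
    return out


# Constructed data: 30 pre-patch readings, then 8 readings after patching.
PRE_PATCH_MS = [118, 122, 121, 119, 125, 117, 120, 123, 121, 118,
                124, 119, 122, 120, 121, 117, 123, 119, 120, 122,
                118, 121, 124, 120, 119, 122, 121, 118, 120, 123]
POST_PATCH_MS = [121, 119, 135, 122, 140, 120, 118, 121]


def report(pre=PRE_PATCH_MS, post=POST_PATCH_MS, k=3.0):
    """Build the baseline from `pre` and return the anomalies found in `post`."""
    return find_anomalies(build_baseline(pre, k=k), post)


if __name__ == "__main__":
    b = build_baseline(PRE_PATCH_MS)
    print(f"baseline {b.mean:.1f} ms, band {b.lower:.1f}-{b.upper:.1f} ms")
    for idx, val, direction in report():
        print(f"post-patch sample {idx}: {val} ms is {direction} vs baseline")
```

The point of the minimum-sample guard is that a baseline taken from a handful of readings is noise, not a baseline; the same logic applies whether the metric is response time, CPU load, or interface errors.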

Please let me know if you have additional ways to protect and help through these beginning stages of 2018 vulnerabilities. The ideas we share could literally help the many of you who act as a one-person army fighting your way to the top!

Thank you all for your eyes,

~Dez~

In case you’d like more information on any of the products mentioned above, check these out:

SolarWinds® Patch Manager

SolarWinds® Server & Application Monitor

SolarWinds® Network Performance Monitor

SolarWinds® Network Configuration Manager

Other resources:

https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac....

https://www.nytimes.com/2018/01/03/business/computer-flaws.html

Check out our Security and Compliance LinkedIn® Showcase Page for ideas on how to socialize this content: https://www.linkedin.com/showcase/solarwinds-security-and-compliance/

Follow our Federal LinkedIn page to stay current on federal events and announcements: https://www.linkedin.com/showcase/4799311/


Do you know how to protect your organization's sensitive data from today’s cyberthreats? One way is to arm the enterprise with a security information and event management (SIEM) tool. SIEM solutions provide a meaningful contribution to defense-in-depth strategies with their ability to detect, defend against, and conduct post-mortem analysis on cyberattacks and general IT security anomalies. Over the years, they have become a contributing force in meeting, maintaining, and proving a business’ alignment with regulatory compliance frameworks such as HIPAA, PCI DSS, SOX, and more. Let's take a look at how SIEM software works and why it's a must have for your business.

What is SIEM?

The predecessors of SIEM solutions, security information management (SIM) and security event management (SEM), began merging into one security system over a decade ago. When you run a SIEM tool, all your relevant security data can come from multiple locations, but you can look at all that data from one dashboard. Being able to access data across numerous locations and evaluate it in one location makes it easier to spot unusual patterns and trends, and react and respond quickly to any possible threats.

The SIEM software collects information from event logs spanning all your devices, including anti-virus, spam filters, servers, firewalls, and more. It then uses key attributes (IPs, users, event types, memory, processes, ports) that can indicate security incidents or issues to alert and respond quickly—and in many cases, automatically.
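A miniature version of that collect-normalize-correlate flow, as an added example (not SolarWinds LEM code): lines from three different sources are parsed into one common schema keyed on the attributes named above (user, source IP, event type), and a correlation rule then fires when a successful logon follows several failures from the same source IP, regardless of which device reported them. The three log formats, the host names and the IP addresses are constructed for the illustration; the Windows event IDs 4624 and 4625 are the real logon success and failure IDs.

```python
"""Toy SIEM pipeline: normalize events from several log sources, then correlate.

Added example, not SolarWinds LEM code. The three line formats are constructed
for this illustration (real devices differ, which is why a SIEM carries one
parser per source that maps into a common schema). Windows event IDs 4624/4625
are the real logon success/failure IDs.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str          # which device or log produced the record
    etype: str           # normalized event type
    user: Optional[str]
    src_ip: Optional[str]


# One parser per (constructed) source format.
FW_RE = re.compile(r"^(?P<ts>\S+) fw01 (?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=\S+ dport=\d+$")
WIN_RE = re.compile(r"^(?P<ts>\S+) dc01 EventID=(?P<id>\d+) TargetUser=(?P<user>\S+) IpAddress=(?P<src>\S+)$")
SSH_RE = re.compile(r"^(?P<ts>\S+) app01 sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")
WIN_TYPES = {"4624": "logon_success", "4625": "logon_failure"}


def parse_line(line: str) -> Optional[Event]:
    """Map a raw line onto the common schema; return None for unknown formats."""
    if m := FW_RE.match(line):
        return Event(datetime.fromisoformat(m["ts"]), "firewall", "fw_" + m["action"].lower(), None, m["src"])
    if m := WIN_RE.match(line):
        etype = WIN_TYPES.get(m["id"], "win_" + m["id"])
        return Event(datetime.fromisoformat(m["ts"]), "windows", etype, m["user"], m["src"])
    if m := SSH_RE.match(line):
        etype = "logon_success" if m["result"] == "Accepted" else "logon_failure"
        return Event(datetime.fromisoformat(m["ts"]), "linux_ssh", etype, m["user"], m["src"])
    return None


def correlate_bruteforce(events, min_failures=3, window=timedelta(minutes=5)):
    """Alert when a logon success is preceded by >= min_failures failures from
    the same source IP inside `window`, whichever device reported them."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for ev in events:
        if ev.etype != "logon_success" or ev.src_ip is None:
            continue
        failures = [f for f in events
                    if f.etype == "logon_failure" and f.src_ip == ev.src_ip
                    and ev.ts - window <= f.ts < ev.ts]
        if len(failures) >= min_failures:
            alerts.append({"src_ip": ev.src_ip, "user": ev.user, "source": ev.source,
                           "failures": len(failures), "at": ev.ts})
    return alerts


# Constructed sample lines (documentation IP ranges, made-up host names).
SAMPLE_LINES = [
    "2018-01-10T09:00:01 fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2018-01-10T09:00:05 app01 sshd: Failed password for admin from 203.0.113.7",
    "2018-01-10T09:00:09 app01 sshd: Failed password for admin from 203.0.113.7",
    "2018-01-10T09:00:14 app01 sshd: Failed password for admin from 203.0.113.7",
    "2018-01-10T09:00:20 app01 sshd: Accepted password for admin from 203.0.113.7",
    "2018-01-10T09:01:00 dc01 EventID=4625 TargetUser=jdoe IpAddress=10.0.0.44",
    "2018-01-10T09:02:00 dc01 EventID=4624 TargetUser=jdoe IpAddress=10.0.0.44",
    "2018-01-10T09:03:00 fw01 DENY src=198.51.100.9 dst=10.0.0.5 dport=3389",
]


def run(lines=SAMPLE_LINES):
    """Parse every line, drop unparseable ones, and return (events, alerts)."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return events, correlate_bruteforce(events)


if __name__ == "__main__":
    events, alerts = run()
    print(f"{len(events)} events normalized")
    for a in alerts:
        print(f"ALERT {a['at']} {a['src_ip']} -> {a['user']} via {a['source']} after {a['failures']} failures")
```

The single failed logon for `jdoe` does not trip the rule, which is the kind of threshold a real deployment tunes per source; the value of the common schema is that the firewall ALLOW, the sshd failures and a Windows 4625 all become comparable records.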

How Does SIEM Help With Security?

The event management portion of a SIEM solution stores and interprets logs in a central location and allows analysis in near real-time, which means IT security personnel can take defensive actions much more rapidly. The information management component provides trend analysis, as well as automated and centralized reporting for compliance by collecting data into a central repository. As a whole, a SIEM tool provides quicker identification and better analysis and recovery of security events by combining these two functions. Another advantage is that compliance managers can confirm they are fulfilling their enterprise's legal compliance requirements with a SIEM tool.

Advantages of a SIEM Tool

There are many advantages to using a SIEM tool, other than only needing one tool to monitor cybersecurity. SIEM systems can be used for different purposes, so the benefits will vary from one organization to another, but every organization that uses a SIEM tool will experience these main benefits:

  1. Streamlined compliance reporting. SIEM solutions leverage the log data from various devices across an organization or enterprise.

  2. Better detection of incidents that otherwise might be missed. SIEM products enable centralized analysis and reporting for an organization's security events. The IT security analysis may detect attacks that were not found through other means, and some SIEM products have the capabilities to attempt to stop attacks they detect—assuming they are still in progress.

  3. Improved efficiency in incident handling. You can save time and resources with a SIEM tool because you can respond to security incidents more quickly and efficiently. IT professionals can quickly identify an attacker’s route, learn who has been affected, and implement automated mechanisms to stop the attack in its tracks.

What to Look for in a SIEM Tool

What features should you be looking for when shopping for a SIEM tool? Here are just a few of the important questions to consider when evaluating SIEM solutions:

  1. Does the SIEM provide enough native support for all relevant log sources?

  2. How well can the SIEM tool enhance current logging abilities?

  3. Can the SIEM software effectively use threat intelligence to your advantage?

  4. What features does the SIEM product offer to help carry out data analysis?

  5. Are the SIEM's automated response capabilities timely, secure, and effective?

Stay Protected with SolarWinds Log & Event Manager

There are numerous SIEM tools to choose from, but SolarWinds® Log & Event Manager (LEM) offers valuable features that can help you improve both your security and compliance, with relative ease and with limited impact on IT budgets.

These are just a few of the features LEM provides:

  1. Detect suspicious activity. Eliminate threats faster by instantaneously detecting suspicious activity and sending automated responses.

  2. Mitigate security threats. Conduct investigations of any security events and apply forensics for mitigation and compliance.

  3. Achieve auditable compliance. Demonstrate compliance with audit-proven reporting for HIPAA, PCI DSS, SOX, and more.

  4. Maintain continuous security. Your efforts to protect your business against cyberthreats should extend to the choices of software you employ to do so. LEM is deployed as a hardened virtual appliance with data encryption in transit and at rest, SSO/smart card integration, and more.

Purchase SolarWinds Log & Event Manager Software

Visit us online today to learn more about Log & Event Manager and get a free 30-day trial of the software. Learn more about the key features we offer in LEM, and watch our informative video explaining how it works. Get answers to frequently asked questions and hear from some of our very satisfied customers. This SIEM tool is clearly an industry favorite. Click here to see how it can help your enterprise or organization stay safe and secure from cyberthreats with the SolarWinds Log & Event Manager software.


In today's landscape of security breaches and cyberattacks, it seems like no company or network is completely immune to cybercrime. In fact, you don’t have to search very hard in the news to read about another cyberattack that has happened to a big corporation. Thankfully, developers are constantly looking out for these threats and building important security patches and updates to protect the data. Let's look at some of the major vulnerabilities and attacks that have happened in 2017.

Microsoft Security Bulletin MS17-010 (March 14, 2017)

Although this wasn't exactly a hack, it serves as a great reminder of how scary security vulnerabilities in Microsoft® Windows® software can be. The bulletin detailed several cyber security threats, but the most severe vulnerability was the potential for an attacker to execute code on the target server. This vulnerability was so huge that Microsoft called the security patches “critical for all supported releases of Microsoft Windows.”

Imagine the impact this could have had if the cyber threat was not discovered and a security patch was not created.

The biggest impact of this bulletin was that it showed how many zero-day level flaws were present in Microsoft products that made users vulnerable to cyberattacks. Essentially, the combination of the delayed rollout of crucial security patches and enterprises’ often slow adoption of patches made all Microsoft users vulnerable to the WannaCry and NotPetya ransomware attacks.

WannaCry Ransomware Attack (May 12, 2017)

The WannaCry Ransomware attack was one of the most significant cyberattacks in 2017. Seventy-five thousand organizations from 99 countries reported being attacked. How did it happen?

A vulnerability called EternalBlue was responsible for spreading the WannaCry attack. This vulnerability was actually addressed in Microsoft’s security patches released in March. Unfortunately, many users had not yet installed these critical patches.

Impact of WannaCry

As the name implies, many Microsoft users probably did want to cry after being hit by this cyberattack. It created a moment where global internet security reached a state of emergency. WannaCry affected the U.K., Spain, Russia, Ukraine, Taiwan, and even some Chinese and U.S. entities. In many cases, companies were forced to pay $300+ to regain access to their files/system. However, there was another even more severe impact, as sixteen National Health Service organizations were locked out of their systems. Many doctors were unable to pull up patient files and emergency rooms were forced to divert people seeking urgent care.

Petrwrap/Petwrap/NotPetya Ransomware Attack (June 27, 2017)

This attack was even worse than the WannaCry attack. NotPetya did not act like other ransomware malware. Instead, it rebooted victims’ computers and encrypted their hard drive’s master file table, which rendered the master boot record inoperable. Those who were infected lost full access to their system. Additionally, the cyberattack seized information about the file names, size, and location on the physical disk. NotPetya spread because it used the EternalBlue vulnerability, just like WannaCry.

Impact of NotPetya

NotPetya reportedly infected 300,000 systems and servers throughout the world, including some in Russia, Denmark, France, the U.K., the U.S., and Ukraine. Ukraine was hit the hardest. Within just a few hours of the infection starting, the country’s government, top energy companies, private and state banks, the main airport, and metro system all reported hits on their systems.

How to Protect Your Business From Cyberattacks

The evidence is clear. Hackers are always on the prowl and cyberattacks will happen. The key is to be ready for them so you can prevent an attack from being successful. You must take every step possible to protect your company and your private information. There are several important things you can do, including making sure you always install security patches and updates. For example, if infected organizations had installed the update patches in March, they would have been protected from the WannaCry attack. Therefore, this simple step could be the difference in whether or not a cybercriminal is able to successfully hack into your data.

Think Prevention, Not Cure

While installing every patch developers make might seem like a hassle, the fact is these patches play a significant role in your cybersecurity efforts. There is great wisdom in the saying of “an ounce of prevention is worth a pound of cure” when you’re dealing with cybersecurity. It’s so much easier to take the necessary steps to prevent a cyberhack than it is to overcome all the problems after a breach occurs. Regularly installing security patches is a must, especially since you might not be aware of the possible threats that could be coming.

Let SolarWinds Patch Manager Do the Work for You

Although constantly installing these updates and patches can be a pain, and it can feel like you get a new patch almost every other day, patches are a necessary evil. Thanks to the SolarWinds® Patch Manager software, you can now leave this tedious chore to someone else. This intuitive patch management software allows you to quickly address software vulnerabilities in your system. SolarWinds Patch Manager offers several key features, including:

  1. Simplified patch management. Automate the patching and reporting process and save time by simplifying patch management on servers and workstations.
  2. Extend the capabilities of WSUS patch management. Decrease service interruptions and lower your security risks by helping ensure patches are applied and controlling what gets patched and when.
  3. Extend the use of Microsoft System Center Configuration Manager. Protect your servers, desktops, laptops, and Virtual Machines (VMs) with the most current patches for third-party apps.
  4. Demonstrate Patch Compliance. Stay up to date on all vulnerabilities and create summary reports to show patching status.

Additionally, SolarWinds Patch Manager offers a Patch Status Dashboard. The dashboard tracks who got patched and what still needs to be patched. You will be able to see the most recent available patches, the top patches you are still missing, and the overall general health of your cyber environment. Patch Manager also allows you to build your own packages for many other types of files, including .EXE, .MSI, or .MSL.

Download SolarWinds Patch Manager now to identify the vulnerabilities in your system and help protect your business.


Security breaches have become a consistent threat, so it is critical to remain aware of the many tools, resources, and protocols available to keep you safe online. To honor and celebrate National Cyber Security Awareness Month (NCSAM), we are offering several opportunities for you to get involved and learn something new.

Think you know your cybercrime history?

We have put together a timeline of some of the most notable cybersecurity breaches throughout history. To complement the timeline, we’ve compiled a cybersecurity history quiz to test your knowledge as you travel through the decades. Take the quiz for a chance to win awesome prizes!

We need your help!

If you review the Timeline of Cybercrime, you’ll see that it is far from a comprehensive list of all cybersecurity attacks over time. Submit your suggestion of a cyberattack to add to the timeline in the comments below and receive 250 THWACK® points for all valid suggestions!

To receive your 250 THWACK points, your submission should include:

  1. The name of a noteworthy breach, vulnerability, or security attack of your choosing (must not already be featured on the timeline of cybercrime)
  2. A sentence or two about the cyberattack of your choosing
  3. A source for your research

Submit your suggestion in the comments section below. Limit one entry per THWACKster.

THWACKcamp | October 18-19

THWACKcamp is right around the corner! I encourage you to check out one session in particular that’s sure to keep the conversation about cybersecurity top of mind: “Protecting the Business: Creating a Security Maturity Model with SIEM”

RSVP today!

Live webcast – Cybercrime: Defending Against the Next Attack | November 2

Following THWACKcamp and to conclude NCSAM, join @dez and @jhynds for a live webcast where they’ll discuss some of the highlights from the Timeline of Cybercrime, as well as tips and tricks to help businesses combat today’s most common cybersecurity threats.

Register now!

Enjoy, and stay safe out there!


Like traditional kung fu, in Security Kung Fu, there are two schools of thought. On one side, there are those guided by the industry’s best practices for IT security. On the other side, there are those who use regulatory frameworks like PCI DSS, HIPAA, SOX, and more as the guiding principles for their IT security strategy.

In the fourth and final chapter of the Security Kung Fu Series, we discussed these opposing strategies and provided insight into why our Security Kung Fu Masters view them as complementary, but not commensurate with one another.

If this subject is of interest, I strongly suggest you watch the on-demand recording of this session for a much deeper dive. Continue onward for a brief recap along with some highlights from the discussion.

Watch the On-Demand Recording | Check out the SlideShare®

Meet Your Security Kung Fu Masters

For the fourth and final chapter of the Security Kung Fu series, we decided to mix things up a bit. In addition to welcoming Jamie Hynds, Senior Product Manager for SolarWinds Security Portfolio—a featured speaker in some of our previous sessions—we were joined by Destiny Bertucci, Head Geek at SolarWinds.

With over 15 years of network management experience spanning healthcare and application engineering (nine of which she served as SolarWinds Senior Application Engineer), @Dez boasts an ever-growing ensemble of degrees and certifications with a slant towards IT security. If it’s not apparent now, you’ll see from this session that she really knows her stuff.

Beyond this, Destiny is a frequent presence on THWACK®, most recently launching a blog/social commentary series on Geek Speak titled “Shields Down.” I strongly encourage you to follow along in her series and get involved in the discussion. Whether you’re an experienced IT security professional or on the lighter side of these skillsets, there is something for everyone. But don’t sit on the sidelines—share your stories and insights for the collective good of us all.

Regulatory Compliance

Compliance, as it relates to IT, involves adhering to rules and regulations that are meant to protect various types of sensitive data. It can govern everything from IT decision-making and purchasing, to configurations, and the policies and procedures a company must create and enforce to uphold this important task.

Rightfully so, many businesses are taking the obligation of compliance very seriously. After all, there is a lot at stake when fines and penalties can be levied against you (among other legal repercussions) for noncompliance.

Security vs. Compliance

Though, yes, compliance for many businesses is absolutely critical, it is not the end-all, be-all. We contended throughout this session that taking a compliance-dominated approach to the way you secure your IT operations is not the way to go. In fact, as many of the examples we provided in this session showed, it can sometimes be a detriment to IT security.

On that note, we provided three really solid points to shape your mindset.

Compliance is more than a checkbox. Many view compliance as a “must have” to avoid the wrath of auditors. But, like I mentioned before, they let it dominate their IT strategy. Our tip is to not lose sight of the bigger picture. IT compliance should be seen as an opportunity to ensure the right controls are in place to actually keep your network and sensitive data secure.

As an example: apply encryption to data in transit because it is an IT best practice, rather than opting out because the regulations your business faces do not mandate it. If the end game is to ensure the confidentiality, integrity, and availability of sensitive data, you are doing yourself and your business a disservice and leaving yourself susceptible to attack without it.

“Compliant” does NOT equate to “secure.” Meeting regulatory compliance alone does not guarantee IT security. In some cases, it can lead you away from this objective. There are countless real-world examples of this, but it should be well-understood that in several cases, following compliance schemes strictly “by the book” can undercut your security responsibility. Why not go beyond what they dictate? For this, think of my earlier example involving encryption.

No one solution can make you compliant. The same too can be said for security in general, but simply applying one or more security solutions to your IT arsenal will not inherently make you compliant with any framework. Compliance involves many aspects outside of your software-purchasing decisions down to the very core of how your business operates.

In this session, we urged that, for the sake of both these objectives, Defense in Depth strategies be applied. If you haven’t caught on yet, this was continually preached throughout the Security Kung Fu webinar series.

According to the SANS Institute, Defense in Depth is “the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.”

This approach has for a long time been a mainstay in the security realm, but it too should play into your approach to compliance.

Five Tips for Continuous Compliance (and Security)

As we called an end to the Security Kung Fu series, we left our viewers with some concluding thoughts on this subject. In no way does this cover all your needs, but they are all worth considering.

  1. Define policies and establish your network security baseline.
  2. Collect, correlate, and securely store all relevant and required log data.
  3. Actively monitor and analyze what’s going on within the IT infrastructure at all times.
  4. Run regularly scheduled compliance reports.
  5. Leverage regulatory requirements and audits as an opportunity to truly assess network risks and help ensure the security of your entire IT infrastructure—from perimeter to endpoint!

A final takeaway, however: no matter your objectives, there are a multitude of software offerings from SolarWinds that can assist your business and support an in-depth defense strategy. Visit the IT Security Software page to learn more.

Well, I hope you enjoyed not only the webinars that made up this series, but each recap I’ve provided as well. As always, I welcome your feedback or thoughts on any of this subject matter.


While countless companies rely on Active Directory® (AD) to ensure only the right individuals have the right access, hackers still can penetrate, lie in wait, and jump at the next opportunity to elevate their permissions. Each move is calculated, and if undetected, earns them greater and greater access to data and systems to begin the slow siphoning of intelligence or suddenly launch IT security attacks.

How the bad guys get in can vary, but the who in this equation matters just as much. Not only do external parties pose a threat, there are also those coming from within your own ranks who can be just as dangerous, whether intentionally or not.

It can also be said that AD changes and events, such as unauthorized account provisioning, escalation of privileges, and changes to user accounts, may not only be indicators of malicious activity on the network; the very acts themselves can create security holes that may lead to compromises in the future.

When threats can manifest from both outside and inside the four walls of your businesses, any practitioner of IT security would agree that sometimes the best offense is a strong defense. In Part Three of the Security Kung Fu Webinar Series, we discuss how monitoring for Active Directory changes using security information and event management solutions (or SIEM) can help you do just that, all while helping you meet certain regulatory compliance requirements in the process.

Building on each of the subjects covered in our previous two Security Kung Fu events, we turned our focus inward to cover the IT security threats coming from within. Dive right into this subject using the resources below, or read along for a quick recap of this session to further whet your appetite for some security goodness.

Watch the On-Demand Recording | Check out the SlideShare®

Meet Your Security Kung Fu Masters

Returning for this session are both Jamie Hynds and Ian Trump, featured speakers from Security Kung Fu: Playing with Fire(wall) Logs. If you missed the recap on this or any of the previous Security Kung Fu webinar sessions, be sure to check them out! And if you want to get deep in the weeds on certain IT security or compliance topics, I strongly encourage you to follow Jamie (@jhynds) on THWACK®. He’s published quite a few articles that are worth a read.

The Threats From Within

Though the lion’s share of media attention is placed on external hackers finding an “in,” numerous roads lead to IT security compromise. Insiders remain a very real and substantial threat. Whether by purposefully acting out of malice or enabling external threats through their own negligent actions (or simple inaction), there’s much to consider when turning your IT security focus inward. Here are some examples we highlighted as part of this session that you should definitely consider:

  • Malicious intent – Though touched on above, this speaks to the purposeful action on the part of trusted insiders to act in opposition to the interests of an organization. Common IT threats include fraud, sabotage, and theft or loss of confidential information.
  • Not following policies or procedures – Sometimes purposeful, sometimes not, this IT security threat involves acting out of accordance with internal guidelines regarding the use of technology or the handling, disposing, and disclosing of sensitive information to unauthorized parties.
  • Negligent behavior – Whether these actions violate clearly written and enforced policies or procedures, or plainly defy basic logic, this involves your own employees or individuals from the businesses you represent unknowingly putting your IT operations in harm’s way. As simple as falling prey to phishing attacks or some other mode of social engineering, their actions may not have been explicitly forbidden, but they still result in compromise.
  • Integrity of the AD Domain – Though Active Directory is in place to ensure many of the above forms of threats do not either take a foothold or spread, simple actions on the AD Domain can give rise to security issues as well. Despite being a fundamental practice for an IT organization, potential Active Directory security vulnerabilities can be cause for concern when hackers are looking for the keys to the kingdom. If you give them an inch, they’ll take a mile.

I should temper this in saying that in no way is this any exhaustive list. In fact, we go into greater detail about other possible internally-caused IT security issues on the webinar itself. The point here is that there are numerous ways a trusted insider can become your weakest link or gravest threat.

The Necessity of Monitoring Active Directory

We cover each of these modes of insider threats and signs of abuse with purpose. It highlights the very important need for monitoring and auditing Active Directory changes to at least identify the signs that something has gone awry.

A SIEM tool is perfect for that. Not only can you use one to keep close watch of things, but it can also issue alerts when an anomaly is spotted. Further, this software can help enable real-time active responses, such as logging off users, blocking IP addresses, killing processes, and adjusting Active Directory settings at the first sign of threat. SIEM solutions can not only contribute to improving IT security, but also compliance.

So, what are among the most pertinent items to look out for when monitoring Active Directory changes? Here are some of the standouts:

  • User events
  • Authentication events
  • Group changes
  • Policy changes
  • Password resets

Though seemingly harmless, these actions should be reviewed for authenticity. There’s simply too much at stake.
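One way to turn that watch list into a review queue, as an added example (not SolarWinds LEM code): each Windows Security event is mapped to one of the five categories above, and a couple of simple heuristics mark the records a reviewer should check for authenticity first. The event-ID-to-category map uses real Windows Security event IDs; the event records, the field names, and the two review heuristics (membership changes to built-in privileged groups, and password resets performed on someone else's account) are constructed for the illustration.

```python
"""Classify Active Directory security events into watch categories and mark
the ones a reviewer should look at first.

Added example, not SolarWinds LEM code. The ID-to-category map uses real
Windows Security event IDs; the sample records, field names and the review
heuristics are constructed for this illustration.
"""
from collections import Counter

CATEGORY_BY_ID = {
    # User events: account created / enabled / disabled / deleted / changed
    4720: "user", 4722: "user", 4725: "user", 4726: "user", 4738: "user",
    # Authentication events: logon success/failure, Kerberos TGT, Kerberos
    # pre-auth failure, NTLM credential validation
    4624: "authentication", 4625: "authentication", 4768: "authentication",
    4771: "authentication", 4776: "authentication",
    # Group changes: member added/removed to security-enabled
    # global / local / universal groups
    4728: "group", 4729: "group", 4732: "group", 4733: "group",
    4756: "group", 4757: "group",
    # Policy changes: audit policy, domain policy, directory object modified
    4719: "policy", 4739: "policy", 5136: "policy",
    # Password resets: change attempt (by the owner) and reset attempt (by another)
    4723: "password", 4724: "password",
}

# Built-in AD groups whose membership changes always warrant a second look.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def classify(event):
    """Return the watch category for an event record, or 'other'."""
    return CATEGORY_BY_ID.get(event["event_id"], "other")


def review_reasons(event):
    """Constructed heuristics: list why this record deserves manual review."""
    reasons = []
    if classify(event) == "group" and event.get("group") in PRIVILEGED_GROUPS:
        reasons.append("privileged group membership change")
        if event.get("subject") == event.get("target"):
            reasons.append("subject modified their own membership")
    if event["event_id"] == 4724 and event.get("subject") != event.get("target"):
        reasons.append("password reset on another account")
    return reasons


def summarize(events):
    """Return (per-category counts, flagged records with their reasons)."""
    counts = Counter(classify(e) for e in events)
    flagged = [{"event_id": e["event_id"], "target": e.get("target"), "reasons": r}
               for e in events if (r := review_reasons(e))]
    return dict(counts), flagged


# Constructed records: subject = who performed the action, target = the
# account or object acted on, group = group name for membership events.
SAMPLE_EVENTS = [
    {"event_id": 4720, "subject": "svc-provision", "target": "newhire01"},
    {"event_id": 4624, "subject": "jdoe", "target": "jdoe"},
    {"event_id": 4625, "subject": "-", "target": "jdoe"},
    {"event_id": 4728, "subject": "jdoe", "target": "jdoe", "group": "Domain Admins"},
    {"event_id": 4728, "subject": "helpdesk01", "target": "newhire01", "group": "Sales"},
    {"event_id": 4719, "subject": "SYSTEM", "target": "audit policy"},
    {"event_id": 4724, "subject": "helpdesk01", "target": "cfo"},
    {"event_id": 4723, "subject": "jdoe", "target": "jdoe"},
]


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_EVENTS)
    print("events per category:", counts)
    for f in flagged:
        print(f"REVIEW event {f['event_id']} on {f['target']}: {', '.join(f['reasons'])}")
```

A help-desk password reset is usually legitimate, which is why the heuristic only queues it for review rather than alerting; a self-performed addition to Domain Admins, on the other hand, is exactly the privilege change the post says to watch for.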

Pro Tip: Users of Log & Event Manager (LEM), SolarWinds’ own SIEM solution, should check out this video in the SolarWinds Success Center for guidance on how to leverage LEM to detect privilege changes in Active Directory.

A Nod to Compliance

The ability to monitor and respond to threats is so critical to a business’ IT security, and to the ultimate goal of maintaining the confidentiality, integrity, and availability of sensitive data, that it’s no wonder many of the top compliance frameworks include provisions that cite the need for monitoring such Active Directory changes. We spoke about this in depth during an Ultimate Windows Security event we participated in, titled “Monitoring Active Directory Changes for Compliance: Top 32 Security Events IDs to Watch and What The....” SOX, HIPAA, PCI DSS, FISMA, NIST, GLBA—you name any compliance law or standard—all cover, in some way, the need for tracking such actions. There are even certain AD events that can be mapped directly to these frameworks to assist in meeting certain objectives and demonstrate potential IT security vulnerabilities to auditors.

Though we only touched on the subject briefly as part of this and our other Security Kung Fu webinars, the fourth and final event in the series covers the topic of compliance in-depth. There, we discussed the two prevailing “schools of thought,” or drivers of IT decision-making and practice: security vs. compliance.

I hope you’re finding these session recaps helpful. Stay tuned for my recap of the final session from the Security Kung Fu series.


Firewalls are an important first line of defense against a range of security threats. But outside of brute force hacks, many a firewall has fallen to more sophisticated modes of attack, if not been circumvented altogether. The consequence is that hackers gain access to the network and trouble ensues.

Part Two of the Security Kung Fu Webinar Series built upon our previous discussions (check out the Security Kung Fu: SIEM Solutions blog for a recap) to highlight the important role firewalls play in network security and how log messages generated from these devices can provide meaningful insights to either thwart a security incident altogether, or assist in stopping one in its tracks. That is, assuming you’re armed with the right tools.

As important as it is to collect logs from these (and other) network devices, just as important is what you do with the data you collect. That’s where SIEM solutions come in. Beyond this, we discussed how NCCM solutions contribute to deeper security and what for many companies is an end-all, be-all: helping them handle a variety of regulatory compliance objectives.

If this piques your interest, I encourage you to dive into the resources below or read along to find out all this event had to offer!

Watch the On-Demand Recording | Check out the SlideShare®

Meet the Security Kung Fu Masters

In addition to Ian Trump, a featured speaker in the first installment of the Security Kung Fu series, we welcomed Jamie Hynds, Senior Product Manager for SolarWinds® Security Portfolio. Jamie has years of experience in a variety of roles such as Sales Engineer for SolarWinds, IT Auditor and Security Consultant for Deloitte®, among others. In each capacity, he has assisted businesses in adopting technologies to enhance security, meet regulatory IT compliance, and pass audits for a broad array of compliance frameworks.

Be sure to check out Jamie’s often security-centric posts on THWACK® as well. He posts under the handle @jhynds.

Anatomy of an Attack

Once again referencing the Lockheed Martin Cyber Kill Chain®, we reviewed how firewalls protect against outside threats at the “Delivery” stage of this model by enabling defensive controls at that stage. But despite the presence of physical/virtual barriers to a network, perimeter defenses are not enough. They can, however, further aid in the detection of threats. As we say in the series, “the devil is in the details”… details found in your log data.

The Detection Deficit

Avid readers of security reports, like myself, may have grown fond of the Verizon® Data Breach Investigations Report (DBIR). Each year, analysts from Verizon publish the results of the mountains of anonymized data they gather on actual security incidents (and breaches) from the prior year.

What was once a mainstay of this report tracked an important statistic dubbed the “detection deficit.” The detection deficit refers to the gap between an attacker’s “time to compromise” and the defender’s “time to discover.” Pretty important stuff, huh? Well, in an unfortunate turn of events, this measure was dropped from the 2017 Verizon DBIR that published shortly after the Security Kung Fu: Playing with Fire(wall) Logs webcast took place. Given that all the data collected for the DBIR is based on breaches that actually occurred, there wasn’t a logical need to track this measure moving forward, as it was “unlikely to ever show any improvement.”

Still, it’s an important subject. The more time it takes to discover threats on your network, the more damage can be done. Lowering your “mean time to detection” for security incidents is absolutely critical. As we contended in this session, with help from SIEM and NCCM solutions, your firewalls can play a big part in doing so.

The Role of SIEM and NCCM Solutions

A lot can be said about SIEM and NCCM solutions outright, but working in tandem with your firewalls, they have the potential for some really neat use cases. @Dez sums it up nicely in this post, which served as a reflection of this Security Kung Fu event. On one hand, a SIEM can help you spot malicious behavior on a firewall, including: malformed packets, unusual traffic patterns, unauthorized access, and unauthorized changes. On the back half (so to speak), using an NCCM solution, you can recover even if unauthorized changes disrupt operations or have some sort of greater impact. (Ringing any bells from Part One of the Security Kung Fu Series?)
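The kind of firewall-log correlation described above, as an added example that is not part of the original post or any SolarWinds product: it parses constructed iptables-style syslog lines (made up for the demo, not a real capture), flags a single source that is denied on many distinct ports within a short window (a scan, i.e. an unusual traffic pattern), and flags an internal host that is repeatedly denied outbound (a possible exfiltration or command-and-control attempt). The 10.0.0.0/8 "internal" definition and the thresholds are assumptions to tune for your network.

```python
"""Detection logic over constructed iptables-style firewall syslog lines.
Added example; the lines below are made up for the demo, not a real capture."""
import re
from collections import defaultdict
from datetime import datetime

# Matches lines such as:
#   Jun 01 10:00:01 fw1 kernel: DENY IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=22
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<action>ACCEPT|DENY) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse(line, year=2017):
    """Turn one syslog line into a dict, or None if it is not a firewall record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["ts"] = datetime.strptime(f"{year} {r['ts']}", "%Y %b %d %H:%M:%S")
    r["dpt"] = int(r["dpt"]) if r["dpt"] else None
    return r

def is_internal(ip):
    # Assumption for the demo: the internal network is 10.0.0.0/8.
    return ip.startswith("10.")

def detect(lines, scan_ports=10, window_s=60, egress_denies=3):
    """Return (kind, source, detail) findings:
    - "scan":   one source denied on >= scan_ports distinct ports within window_s
    - "egress": an internal host denied outbound >= egress_denies times"""
    denied = defaultdict(list)
    for r in filter(None, map(parse, lines)):
        if r["action"] == "DENY":
            denied[r["src"]].append(r)
    findings = []
    for src, rs in denied.items():
        rs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(rs)):
            # sliding window over this source's denies
            while (rs[end]["ts"] - rs[start]["ts"]).total_seconds() > window_s:
                start += 1
            ports = {r["dpt"] for r in rs[start:end + 1] if r["dpt"] is not None}
            if len(ports) >= scan_ports:
                findings.append(("scan", src, f"{len(ports)} distinct ports denied within {window_s}s"))
                break
        outbound = [r for r in rs if is_internal(src) and not is_internal(r["dst"])]
        if len(outbound) >= egress_denies:
            dsts = sorted({f"{r['dst']}:{r['dpt']}" for r in outbound})
            findings.append(("egress", src, f"{len(outbound)} outbound denies to {', '.join(dsts)}"))
    return findings

# Constructed sample: a 12-port sweep from one external host, three blocked
# outbound connections from an internal workstation, and one normal ACCEPT.
SAMPLE_LINES = [
    f"Jun 01 10:00:{2 * i:02d} fw1 kernel: DENY IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT={51000 + i} DPT={21 + i}"
    for i in range(12)
] + [
    f"Jun 01 11:30:{10 * i:02d} fw1 kernel: DENY IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=198.51.100.7 LEN=60 PROTO=TCP SPT={40000 + i} DPT=4444"
    for i in range(3)
] + [
    "Jun 01 11:31:00 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40100 DPT=443",
]

if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LINES):
        print(f"{kind:7} {src:15} {detail}")
```

The point of the sliding window is that a slow scan spread over hours looks like noise if you only count per minute, so the window and the port threshold are the two knobs worth revisiting once you see real traffic.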

When it’s all said and done, our Security Kung Fu Masters advised that when it comes to firewalls, you must be able to:

  • Monitor for abnormal activity, unexpected access attempts, and potential threats
  • Eliminate downtime due to misconfigurations—know what changed and when, and have the ability to back up to last known good configuration
  • Automate security audits and reports to not only verify security, but also compliance
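The "know what changed and when" and "back up to last known good configuration" points above, as an added example that is not part of the original post or any SolarWinds product: a config-drift check that diffs a firewall's running configuration against the stored last-known-good copy and pulls out the differences a reviewer should look at first. The configs are constructed, vendor-neutral text, not taken from a real device, and the "risky" heuristics (new permit-any-any rules, deleted deny rules, deleted logging destinations) are assumptions to extend for your platform.

```python
"""Config-drift check: diff a firewall's running config against the last known
good copy and flag risky differences. Added example; the configs are constructed,
vendor-neutral text, not from any real device."""
import difflib
import re

LAST_KNOWN_GOOD = """\
hostname fw1
access-list OUTSIDE_IN deny ip any 10.0.0.0 255.0.0.0
access-list OUTSIDE_IN permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN deny ip any any log
logging host 10.0.0.50
"""

RUNNING = """\
hostname fw1
access-list OUTSIDE_IN permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN permit ip any any
access-list OUTSIDE_IN deny ip any any log
"""

PERMIT_ANY_ANY = re.compile(r"^access-list \S+ permit \S+ any any(\s|$)")

def drift(baseline, running):
    """Return (added, removed, risky).

    added/removed are the raw changed lines; risky is the subset a reviewer
    should look at before anything else: new permit-any-any rules, deleted
    deny rules, and deleted logging destinations."""
    diff = difflib.unified_diff(
        baseline.splitlines(), running.splitlines(),
        fromfile="last-known-good", tofile="running", lineterm="", n=0,
    )
    added, removed = [], []
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue  # skip file headers and hunk markers
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    risky = [f"added: {l}" for l in added if PERMIT_ANY_ANY.match(l)]
    risky += [f"removed: {l}" for l in removed if " deny " in l or l.startswith("logging ")]
    return added, removed, risky

if __name__ == "__main__":
    added, removed, risky = drift(LAST_KNOWN_GOOD, RUNNING)
    print("added:  ", added)
    print("removed:", removed)
    print("review first:")
    for r in risky:
        print("  ", r)
```

Restoring the last-known-good copy is the recovery step; the diff is what tells you whether that restore is warranted and, when paired with the timestamp of the backup, when the change happened.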

Just a reminder: in no way is this an exhaustive list. Luckily for you, with a couple of products added to your arsenal, you can cover the bulk of these needs.

For more tips on how to improve your IT security posture, check out the entire Security Kung Fu webinar series, now available on-demand.


With a 24-hour news cycle, we are constantly bombarded with headlines detailing the latest data breach, malware infection, email phishing scam, or high-profile compliance violation. Although the source of these incidents often varies, the consequences for businesses of all sizes remain relatively the same: hefty fines, brand damage, loss of customer loyalty, and in more severe cases, criminal penalties and lawsuits.

It’s no wonder nowadays we no longer consider IT security a “nice-to-have,” but a matter of your company’s survival.

In each of the Security Kung Fu webcasts, we dedicate at least a portion of the session to discussing the “cyber threatscape” and its impact on business. In many cases, this can be profound, especially if breaches of sensitive information are involved. Be sure to check out the  Security Kung Fu: The Saga Begins blog, where I summarized the perspectives of my colleagues on this very subject. But, enough with the doom and gloom. I’m sure with all this in mind, it begs the question, “What are businesses doing to protect themselves?” For starters, as we learned in Part One of the Security Kung Fu Webinar Series, they’re applying several “security stances” (as we’ve dubbed them) to help the situation.

As part of this session, we discussed these security stances in-full and take a deeper look at the role of Security Information and Event Management (SIEM) solutions in assisting with this approach. I encourage you to dive into the resources below to learn more or read along to find out what all this event had to offer!

Watch the On-Demand Recording | Check out the SlideShare

Meet the Security Kung Fu Masters

For this inaugural session of the Security Kung Fu Series, I welcomed SolarWinds Sales Engineer, Curtis Ingram. You may recognize him under his THWACK® handle (@curtisi), but in case you don’t, Curtis possesses a deep knowledge of IT security, compliance, and the role of SIEM solutions in meeting these important business objectives, which he often shares on THWACK.

Along with Curtis, we were joined by Ian Trump, a cybersecurity strategist with over 20 years of experience that all began with a stint in the Canadian Forces, Military Intelligence Branch. Ian’s 2016 in-depth analysis of cybercrime and threats of the future was featured in industry publications, such as SC Magazine®, Infosecurity®, IDG Connect®, CBR, The Times, USA Today®, and The Sunday Herald. He continues to be a well sought-after resource on the topic of cybersecurity, as a thought leader on the subject.

Three Security Stances

As noted above, our Security Kung Fu Masters set out to describe the various ways businesses are arming themselves to combat cybersecurity threats. These security strategies classified into three distinct groupings: proactive, detective, and reactive-recovery. Here’s a taste of what we learned.

Proactive Security

Proactive security is generally preventative. It involves hardening endpoints, applying things like antivirus software or patch management software, and conducting user awareness training. These are all methods of preventing bad guys from getting on the network.

The subject of taking preventative measures has been around in the security industry for ages, and a strong majority of solutions in the security space align with this stance. However, we contend that taking this approach alone is simply not enough. Furthermore, these proactive measures can sometimes give you a sense of over-confidence, which in many cases, is downright dangerous.

Detective Security

Due to the growing sophistication of hackers and their ability to identify and bypass common means of defense, detective security is becoming increasingly important. Detective security applies the use of SIEM solutions to help you establish what is “normal” activity and distinguish it from the abnormal. Not all anomalies on the network correspond to security incidents, but having a means of determining the difference is critical. More on the SIEM solutions piece in a bit.
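The "establish what is normal and distinguish it from the abnormal" idea above, as an added example that is not part of the original post or any SolarWinds product: it learns a per-user baseline (hosts logged on from, hours of the day) from a training window of constructed logon records, then reports live logons that deviate from it. An unknown user is reported rather than silently trusted. The record layout and the one-hour slack are assumptions.

```python
"""Learn per-user "normal" from a training window, then flag deviations.
Added example over constructed logon records (not a real SIEM export)."""
from collections import defaultdict
from datetime import datetime

def build_baseline(events):
    """Per user: the hosts they have logged on from and the hours they did so."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for e in events:
        hosts[e["user"]].add(e["host"])
        hours[e["user"]].add(datetime.fromisoformat(e["time"]).hour)
    return {u: {"hosts": hosts[u], "hours": hours[u]} for u in hosts}

def deviations(baseline, event, slack_hours=1):
    """Reasons this logon is abnormal for its user; empty list means normal.
    An unknown user is reported, not silently trusted."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if event["host"] not in b["hosts"]:
        reasons.append(f"never seen on host {event['host']}")
    hour = datetime.fromisoformat(event["time"]).hour
    lo, hi = min(b["hours"]) - slack_hours, max(b["hours"]) + slack_hours
    if not lo <= hour <= hi:
        reasons.append(f"hour {hour:02d} outside usual {lo:02d}-{hi:02d}")
    return reasons

def detect(training, live):
    baseline = build_baseline(training)
    flagged = []
    for e in live:
        why = deviations(baseline, e)
        if why:
            flagged.append((e, why))
    return flagged

# Constructed sample: a two-week training window for two users, then one
# day of live events.
TRAINING = (
    [{"time": f"2017-06-{d:02d}T{h:02d}:05:00", "user": "alice", "host": "WS-ALICE"}
     for d in range(1, 15) for h in (8, 12, 17)]
    + [{"time": f"2017-06-{d:02d}T{h:02d}:30:00", "user": "bob", "host": host}
       for d in range(1, 15) for h, host in ((9, "WS-BOB"), (18, "LAPTOP-BOB"))]
)
LIVE = [
    {"time": "2017-06-15T09:00:00", "user": "alice", "host": "WS-ALICE"},    # normal
    {"time": "2017-06-15T03:15:00", "user": "alice", "host": "SRV-FILE01"},  # new host, 03:15
    {"time": "2017-06-15T18:45:00", "user": "bob",   "host": "LAPTOP-BOB"},  # normal
    {"time": "2017-06-15T10:00:00", "user": "carol", "host": "WS-CAROL"},    # no baseline
]

if __name__ == "__main__":
    for e, why in detect(TRAINING, LIVE):
        print(e["user"], e["time"], e["host"], "->", "; ".join(why))
```

The caveat the post itself raises applies: not every deviation is an incident (the file-server logon at 03:15 could be a planned migration), so the output is a triage queue, not a verdict.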

Reactive-Recovery Security

The reactive-recovery stance fills an important gap not fully addressed by the previous stances. It involves responding to and recovering from compromise. This often takes the form of a backup service, which provides the ability to restore business operations to normal and maintain the availability of data. The most widely understood example involves the threat of ransomware. Rather than paying for the decryption key to unlock their data, businesses simply restore from backup to minimize the impact and keep IT operations up and running.

The Role of SIEM Solutions

As you might have gathered, businesses must do a lot to fully prepare for and guard against the multitude of threats they face. Given the time available, we homed in on one solution that contributes to this goal and is the sole supporter of the detective stance as we described it: SIEM solutions. Here is what we’ve picked up:

SIEM solutions have evolved to play a much more critical part in improving a business’ IT security posture and helping to usher in a state of compliance. Looking to the Lockheed Martin Cyber Kill Chain® as a teaching aid, we understand the anatomy of a cyberattack and its various stages. From this, a SIEM solution’s contributions become clear.

  • Gives you visibility for threat hunting, an area that is critical to your business
  • Provides a forensic capability to go back in time and review past incidents
  • Assists with compliance and providing evidence for IT security audits
  • Uncovers unauthorized changes in the environment
  • Detects insider threats such as data ex-filtration
  • Provides a record of network layer activity, correlated with machine data and ultimately user behavior

Which Security Stance is Best?

Though much can be said for taking a proactive stance, this alone does not give you the flexibility you need to meet modern IT security threats. If not backed by the detective stance in particular, you’re in for a hard ride. But the fact of the matter is that you really need all three to complete a well-rounded approach. This means a variety of security solutions, the training of your employees, and much more all need to be present in your security strategy, or you risk security holes that can lead to compromise.

Like what you’re reading so far? Be sure to check out the entire Security Kung Fu webinar series on-demand and stay tuned for my next blog recapping Part Two of this series.


I know what you’re thinking… why “kung fu?” and “What does martial arts have to do with IT security and how I protect my network?” Well, kung fu is a Chinese term referring to any study, learning, or practice that requires patience, energy, hard work, discipline, and time to complete. So, really, it’s not just martial arts. Perhaps, by this definition, you’re starting to see the parallels we’ve identified with IT security.

Today’s Cybersecurity Climate

According to Forbes®, the cybersecurity marketplace is predicted to be worth $170 billion by 2020—that’s over double its reported size in 2015. But, perhaps most telling of the threats business truly face is the fact that the costs associated with cybercrime are projected to exceed $2 trillion by 2019.

What’s fueling this growth? Well, there are certainly a number of factors, but what’s clear is that hacker motives have strongly shifted towards “financial gains,” at least according to SolarWinds Head Geek, Destiny Bertucci. While shock-value/notoriety/entertainment supported hacking in its early rise, money has been a major influence in its more recent uptick. Hackers have a lot to gain, and we all have a lot to lose.

Another issue at the root of this rise in cybercrime costs (and the cybersecurity market’s corresponding growth) is the pervasiveness of these crimes. Gone are the days where these modes of attack were reserved for top-notch, tech savvy, and highly motivated individuals. Today, Crime-as-a-Service underpins cybercrime and the technical layman is now being armed with the ability to launch an attack.

Whether or not you’re explicitly tasked with upholding IT security for your business, given the current outlook, it is now everyone’s responsibility. It is no longer a matter of if you’ll get hacked, but when. IT security solutions today are about limiting the attack surface, applying defense in-depth strategies, and leveraging a multitude of tools (not just one or a few) to do so.

We recently opened our cyber-dojo to allow our very own Security Kung Fu Masters to bestow their wisdom and teachings unto the larger IT community. Black belts in white hat hacking, industry mavens, scholars of security, and even former compliance auditors joined ranks to discuss these very subjects in a four-part webinar series aptly named “Security Kung Fu.” If you missed the live versions of these sessions, no need to worry—we have made them all available on-demand for your viewing pleasure. Read along to see what each stage in this journey had to offer.

Watch the Security Kung Fu Series On-Demand

SIEM Solutions

In Part 1, we took an in-depth look at the cybersecurity climate businesses are currently facing and educated ourselves on the cybercrime industry as a whole. Using the Lockheed Martin Cyber Kill Chain® as an example, we discussed the role SIEM solutions play in identifying security threats and discussed the unique capabilities of such solutions to allow users to go back in time to conduct forensic analysis of security incidents and verified threats.

Playing With Fire(wall) Logs

Part 2 of the series turned our attention to the periphery of a network to focus on how firewalls serve as a first line of defense against security threats. In addition to discussing the patterns of attack that have been demonstrated countless times by hackers, we showed how firewall log data can give notice of network infiltration attempts, data exfiltration, and more. Beyond that, we discussed how Network Configuration and Change Management (NCCM) solutions can contribute to a deeper IT security solution by helping to alert you to config changes on firewalls (and other network devices), in addition to a host of other capabilities.

The Security Threats From Within

In Part 3, we took an introspective look to discuss the threats coming from within, or at least identified from within a business' own network. We looked at how Active Directory® changes such as adding users to privileged groups, escalating privileges, and changing user accounts may not only be indicators of malicious activity on the network, but the very acts themselves can create security holes that may lead to future compromises. We discussed the need to track these changes appropriately in order to give critical insight into anomalous activity and promote the long-term security health of an IT operation.
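The Active Directory changes this Part 3 summary describes (adding users to privileged groups, escalating privileges, changing accounts), and the compliance-driven event monitoring the Part 3 recap earlier on this page discusses, as one added example that is not part of the original posts or any SolarWinds product: it runs over constructed Windows Security event records and flags membership changes to privileged groups, audit-log clearing and audit-policy changes, and escalates when the same actor created an account and then elevated it within a short window. The event IDs are the documented Windows Security log values (4720 account created, 4728/4732/4756 member added to a security-enabled global/local/universal group, 4719 audit policy changed, 1102 audit log cleared); the simplified field names, the privileged-group list, and the 30-minute window are assumptions.

```python
"""Flag Active Directory changes that warrant review, run over constructed
Windows Security event records (not real log data). Added example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log event IDs (Microsoft-documented values).
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
ACCOUNT_CREATED = 4720
AUDIT_POLICY_CHANGED = 4719
AUDIT_LOG_CLEARED = 1102

# Groups whose membership changes should always be reviewed
# (assumption: extend with your own tier-0 groups).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

def analyze(events, window=timedelta(minutes=30)):
    """Return a list of (severity, message) findings.

    Each event is a dict with keys time (ISO 8601), id (int), subject (the
    actor) and, depending on the event, target (account) or group/member.
    These simplified names stand in for SubjectUserName/TargetUserName/
    MemberName in the real event XML (assumption)."""
    findings = []
    created_by = defaultdict(list)  # actor -> [(time, account created)]
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        eid = ev["id"]
        if eid == AUDIT_LOG_CLEARED:
            findings.append(("critical", f"{ev['subject']} cleared the Security log at {ev['time']}"))
        elif eid == AUDIT_POLICY_CHANGED:
            findings.append(("high", f"{ev['subject']} changed the audit policy at {ev['time']}"))
        elif eid == ACCOUNT_CREATED:
            created_by[ev["subject"]].append((t, ev["target"]))
        elif eid in MEMBER_ADDED and ev["group"] in PRIVILEGED_GROUPS:
            msg = (f"{ev['subject']} added {ev['member']} to {ev['group']} "
                   f"({MEMBER_ADDED[eid]} group) at {ev['time']}")
            # Create-then-elevate by the same actor is the classic backdoor-admin
            # pattern, so escalate when the account is fresh.
            fresh = [acct for (ct, acct) in created_by[ev["subject"]]
                     if acct == ev["member"] and t - ct <= window]
            if fresh:
                findings.append(("critical", msg + " (account created by same actor within the window)"))
            else:
                findings.append(("high", msg))
    return findings

SAMPLE_EVENTS = [  # constructed sample records
    {"time": "2017-06-01T02:10:00", "id": 4720, "subject": "svc_backup", "target": "jdoe2"},
    {"time": "2017-06-01T02:12:00", "id": 4722, "subject": "svc_backup", "target": "jdoe2"},
    {"time": "2017-06-01T02:14:00", "id": 4728, "subject": "svc_backup", "member": "jdoe2", "group": "Domain Admins"},
    {"time": "2017-06-01T09:00:00", "id": 4728, "subject": "helpdesk1", "member": "asmith", "group": "Sales"},
    {"time": "2017-06-01T09:30:00", "id": 4732, "subject": "admin7", "member": "asmith", "group": "Administrators"},
    {"time": "2017-06-01T23:59:00", "id": 1102, "subject": "svc_backup"},
]

if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The 1102 finding is the one to treat as an incident on its own: clearing the log is rarely legitimate and is exactly the kind of event auditors expect you to be able to produce.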

Two Schools of Thought: Security vs. Compliance

In Part 4, the final chapter of the Security Kung Fu Series, we covered a subject that had only served as an undertone in our previous sessions: compliance. We discussed why letting compliance rule the security strategy for a business can ultimately lead to pitfalls that compromise both objectives.


It seems DevOps is the new cool thing in IT. Sometimes it feels like DevOps is an amorphous thing that only cloud people can play with. For many of us who come from the client-server era, it can be intimidating.

We know DevOps can be defined in many ways. It can be thought of as a mindset, a methodology, or a set of tools. In this post, I offer a definition of DevOps by breaking the concept down into seven fundamental principles.

Implementing DevOps in full is complex: it requires new tools, new skills, and new processes, and is often only possible for development and operations teams working together on cloud-architected software. I am excited about these seven principles because they can be applied in any IT organization.

Embracing these seven principles might enable your team to grow more agile, more responsive to business needs, and better able to meet expectations. The combination of these principles represents the mindset that companies are trying to hire for, and the mindset that is required to make the best use of cloud technologies, too.

These are the seven principles that define DevOps that you can integrate into your IT operations team:

  1. Application and End-user Focus – Everyone on the team is focused on how their end-users and applications are impacted. The infrastructure is only there to make the application work.
  2. Collaboration – Because the focus is on the end-user, silos do not work. If the app is down, everyone has failed. There are no virtualization problems or isolated storage issues. There is only one team: the one responsible for making the app work. This requires transparency, visibility, a consistent set of tools, and teamwork that supports applications across the entire technology stack.
  3. Performance Orientation – Performance is a requirement and a core skill across the team. Performance is measured, all the time, everywhere. Bottlenecks and contentions are well understood. Performance is an SLA. It’s critical to the end-user experience. Everyone understands the direct relationship between performance, resource utilization, and cost.
  4. Speed – Taking agile one step further, shorter, iterative processes allow teams to move faster, innovate, and serve the business more effectively.
  5. Service Orientation – No monolithic apps. Everything is a service, from application components to infrastructure. Everything is flexible and ready to scale or change.
  6. Automation – To move faster, code, deployments, tests, monitoring, alerts; everything is automated. That includes IT services. Embrace self-service for your users and focus on what matters.
  7. Monitor Everything – Visibility is critical for speed and collaboration. Monitoring is a requirement and a discipline. Everything is tested, and the impact of every change is known.

For more details, I invite you to read the full presentation:

The 7 Principles of DevOps and Cloud Applications



The term “cloud” has stopped being useful as a description of a specific technology and business model. Everything, it seems, has some element of cloudiness. The definition of cloud versus on-premises has blurred.

It’s only been eight years since Gartner® defined the five attributes of cloud computing: scalable and elastic, service-based, shared, metered by use, uses internet technologies. Shortly after that, Forrester® defined the cloud as standard IT delivered via internet technologies on a pay per use, self-service model.

What we call on-premises is most often virtualized, dynamically provisioned infrastructure on a co-location hosting facility, programmable by software. Clouds now offer long-term, bare-metal, prepaid-for-the-year infrastructure, and private/dedicated infrastructure.

Organizations have learned that there is a place for cloud-hosted resources and a place for on-premises resources. The best analogy I have is this: there is a time when you want to buy a car and there is a time when you want to rent a car (or get a taxi). As Lew Moorman, president of Rackspace® told me many years ago, “the cloud is for everyone, but not for everything.”

It’s undeniable that every IT department is adopting the cloud, but it is also becoming increasingly clear that on-premises IT is not going away. Most companies will end up with a combination of the two. But how?

For the near future, there are mainly three broad ways to consume cloud by IT departments:

  • SaaS – From SalesForce® to Netsuite® and Office 365®
  • “Lift and Shift” – Where the architecture stays the same, and you only migrate the workloads to be hosted on a cloud
  • “Cloud first,” which takes full advantage of cloud architecture and services. This model is only viable for net new projects and for those where it makes sense to invest in writing or re-writing apps from the ground up.

The reason I bring this up is because when it comes to monitoring, application architecture is more important than where things are hosted.

A standard three-tier architecture application like SharePoint® on AWS® needs to be monitored essentially the same way it is monitored on-premises, or in a co-location environment. Conversely, a cloud-architected application (service-oriented, dynamically provisioned, horizontally scaled, etc.) will require a different monitoring approach, whether it is hosted on a public or a private cloud.

The key point is that cloud is quickly becoming irrelevant as a term. No one says they have an electronic calculator or a digital computer anymore.

We need to start using more specific terms that are more meaningful and useful, such as cloud services, cloud architecture, or cloud hosting – not just cloud.


If your organization is based in the EU, or provides goods or services to the EU, you’ve probably heard a lot about General Data Protection Regulation (GDPR) compliance lately. In this post, I’d like to educate the THWACK® community on some of the GDPR requirements and how SolarWinds products such as Log & Event Manager (LEM) can assist with GDPR compliance.

Why the need for GDPR?

In December 2015, the EU reached agreement on the GDPR, which replaces the Data Protection Directive (DPD), the current EU data protection law. The DPD was first established over 20 years ago, but it has not kept up with the seismic changes in information technology and is no longer sufficient for today’s technologies and threats. The shortcomings of the DPD have become apparent and the EU saw the need to replace it.

The shift from directive to regulation

A defining change which comes with the launch of GDPR is a shift from a directive to a regulation. The DPD was a directive, meaning a set of rules issued to member states, which each country could interpret and implement differently. GDPR is a regulation, which applies directly in every member state without national transposition and leaves far less room for varying interpretations. It removes much of the ambiguity about organizations’ data protection responsibilities. GDPR paves the way for data privacy as a fundamental right for EU citizens. The implementation deadline for the regulation is May 25, 2018, so organizations are certainly against the clock to implement the necessary policies, procedures, and systems to ensure they are compliant.

What exactly is personal data?

GDPR defines a very broad spectrum of personal data. Personal data is no longer limited to information such as name, email, address, phone number, etc. GDPR also classifies online identifiers such as IP addresses, web cookies, and unique device identifiers as personal data. Even pseudonymous data is included. This is personal data which has been technically modified in some way, such as hashed or encrypted, so that it can no longer be attributed to a specific person without additional information (the key or mapping) that is kept separately (Article 4(5)). It is worth noting that the rules are slightly relaxed for data that is pseudonymized, which provides an incentive for organizations to encrypt or hash their data; the relaxation depends on that additional information actually being held apart from the data set. GDPR additionally singles out special categories of personal data, namely “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation,” for which processing is prohibited by default. (GDPR Article 9, page 124)
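The hashing point above deserves a check, because a bare hash of an email address is not effective pseudonymization: the input space is guessable, so the mapping can be rebuilt by anyone. The following added example (not part of the original post or any SolarWinds product, with constructed email addresses) shows a dictionary attack recovering every identity from unkeyed SHA-256 pseudonyms, failing against HMAC-SHA256 pseudonyms when the key is not available, and succeeding again when the controller, who holds the key separately, re-identifies its own records.

```python
"""Why a bare hash is weak pseudonymisation. Added example with constructed
data; not part of the original post or any SolarWinds product."""
import hashlib
import hmac
import secrets

def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the identifier: deterministic and public, so anyone
    who can guess the inputs can rebuild the mapping."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a key held separately from the data set; without the
    key the pseudonym cannot be recomputed from a guess."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()

def reidentify(pseudonyms, candidates, fn):
    """Dictionary attack: apply fn to every guessable identifier and match."""
    table = {fn(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}

CUSTOMERS = ["alice@example.com", "bob@example.org"]        # constructed data set
GUESSES = [f"{n}@{d}" for n in ("alice", "bob", "carol")    # what an attacker might try
           for d in ("example.com", "example.org")]

def demo(key=None):
    """Return (recovered from plain hash,
               recovered from keyed pseudonym without the key,
               recovered from keyed pseudonym with the key)."""
    key = key or secrets.token_bytes(32)  # 256-bit random key, held apart from the data
    naive = [naive_pseudonym(e) for e in CUSTOMERS]
    keyed = [keyed_pseudonym(e, key) for e in CUSTOMERS]
    return (
        len(reidentify(naive, GUESSES, naive_pseudonym)),
        len(reidentify(keyed, GUESSES, naive_pseudonym)),                   # attacker: no key
        len(reidentify(keyed, GUESSES, lambda e: keyed_pseudonym(e, key))),  # controller: has key
    )

if __name__ == "__main__":
    print(demo())  # expect (2, 0, 2)
```

Either way the records remain personal data under GDPR; the keyed form simply makes the "additional information kept separately" condition real, and losing the key alongside the data set collapses the protection.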

My organization is not based in the EU—why should I care about GDPR?

Although it is an EU regulation, it is not limited to the EU. GDPR will affect organizations on a global scale. The regulation will apply to any organization that offers goods or services to EU citizens. If a company based outside the EU is storing, managing, or processing personal data belonging to EU citizens, it will need to ensure GDPR compliance (GDPR Article 3, page 110). According to a recent PwC study, a staggering 92% of US multinational companies have listed GDPR compliance as a data-privacy priority. A significant percentage of those organizations plan to spend $1 million or more on GDPR.

Data controllers vs. data processors

Controller – “The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

Processor – “A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.”  (Article 4, GDPR page 112)

Under the DPD, data processors had few direct obligations of their own, whereas GDPR places joint responsibility on both data controllers and data processors to comply with the regulation. As an example, if an organization (controller) outsources its payroll to an external payroll company (processor), even though the payroll company is managing and storing data on behalf of the controller, it is now required to comply with GDPR. This will impact controllers and processors alike. Controllers will have to conduct reviews to ensure their processors have a framework in place to comply with GDPR. Processors will have to ensure they are compliant.

Data breach notification – GDPR Article 33 (page 53)

The Data Protection Directive didn’t require organizations to notify authorities of data breaches. GDPR defines a personal data breach as the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.” It’s worth remembering that personal data now includes IP addresses, web cookies, unique device identifiers, and more. GDPR also requires organizations (or controllers, as they are known in GDPR) to report data breaches within 72 hours of becoming aware of them. If this deadline is not met, you will have to explain the reasons for the delay. If you are a data processor, you must report the breach to the controller without undue delay. The controller then notifies the “supervisory authority.” Data subjects must also be informed when a breach poses a high risk to their rights and freedoms. However, if the controller had implemented protection measures such as encryption that render the data unintelligible to anyone not authorized to access it, the data subjects’ rights and freedoms are unlikely to be at risk and that notification is not required.

Individual rights

GDPR provides EU citizens with increased personal data rights. Just some of these individual rights include Consent (Article 7), Right to Erasure (Article 17), and Data Portability (Article 20).

Organizations will require consent when collecting personal data of EU citizens. The type of data and retention period will need to be stated in plain language that citizens can clearly understand. Data controllers will be required to prove that consent has been provided by the subject.

Individuals also have the right to erasure, meaning subjects can request that controllers delete all information about them, provided the controller has no reason to further process the data. There are exceptions if the data is used for legal obligations—for example, financial institutions are legally obliged to retain data for a certain period of time. If a data controller has shared personal data with third parties, the onus is on the controller to inform those third parties of the data subject’s request to erase the data.

Data Portability allows data subjects to receive the personal data they provided to a data controller in a structured, “machine-readable” format. This portability facilitates data subjects’ ability to move, copy, or transmit data easily from one service provider to another.

What happens if we don’t comply?

If your organization is not compliant with GDPR, it can receive fines of up to €20 million or 4% of global annual turnover for the preceding financial year (whichever is greater). These penalties apply to both data controllers and processors. (Article 83, section 5)

How can SolarWinds help?

GDPR will likely require organizations to implement new policies, procedures, controls, and technologies—it may even require you to hire a Data Protection Officer, in certain cases. While no single technology can meet all the requirements of GDPR, SolarWinds can certainly assist with some of the requirements.

Article 32: Security of processing

This section of GDPR requires organizations to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” SolarWinds® Patch Manager can be used to identify and update missing patches and outdated third-party software on your Windows® servers and workstations. Patch Manager also enables you to inventory your Windows® machines and report on unauthorized software installations on your network.

Article 32 also requires “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” SolarWinds LEM can be used to validate the controls you have put in place.

Please see here for more information: Article 32

Article 33 and 34: Notification of a personal data breach to the supervisory authority and communication of a personal data breach to the data subject

SolarWinds Risk Intelligence (RI) is a product that performs a scan to discover personally identifiable information across your systems and points out potential vulnerabilities that could lead to a data breach. RI can audit PII data to help ensure it is being stored in accordance with the requirements of GDPR. The reports from RI can be helpful in providing evidence of due diligence when it comes to the storage and security of PII data.

As mentioned previously, if a personal data breach occurs, the controller must notify the supervisory authority within 72 hours. It is vital that breaches and threats are identified as quickly as possible.

LEM can assist with the detection of potential breaches thanks to features such as correlation rules and Threat Feed Intelligence. LEM’s File Integrity Monitoring and USB Defender® can monitor for suspicious file activity and also detect the use of unauthorized USB removable media. If an incident occurs, LEM’s nDepth feature can be leveraged to perform historical analysis. LEM also includes best-practice reporting templates to assist with compliance reporting.

Please see here for more information: Article 33 and Article 34


The GDPR deadline is fast approaching. GDPR compliance will require significant effort from both data controllers and processors. There are several steps required to get started with GDPR, which include (but are not limited to) performing an analysis of what personal data your organization stores and where it’s stored, reviewing existing IT security policies and procedures, and ensuring you have the necessary technological and organizational procedures in place to detect, report, and investigate personal data breaches.

I am very interested in hearing opinions and how members of the THWACK community are preparing for GDPR. Please feel free to provide comments below.

To learn about SolarWinds portfolio of IT security software, please see here.


The SolarWinds THWACK® community has grown to become one of the largest and most active communities for IT professionals, expecting about two million unique visitors this year alone.

We see it as a great opportunity to have a conversation and to connect.

IT is changing all the time. That’s what makes it such an interesting industry. SolarWinds® solutions have been changing, too. In addition to our traditional product line, powered by the Orion® Platform, SolarWinds now offers a remote monitoring product line for MSPs, and a portfolio of cloud monitoring products for DevOps teams building cloud-first applications.

This makes it more important than ever that we have a space to connect with customers and with the IT industry. This is that space.

Monitoring Central complements our two other blog communities on THWACK: Geek Speak, where you can read opinions from industry thought leaders, and the Product Blog, where you find out about product updates and new releases.

Monitoring Central is a new space to talk about all things monitoring.

We invite you to participate, ask questions, voice your opinions, and actively participate in this blog. For example, write a comment below suggesting any topics you would like to hear about.

We look forward to the conversation.
