User Activity & File Access Monitoring
© 2013, SolarWinds Worldwide, LLC. All rights reserved.
SolarWinds Log & Event Manager
Monitoring User Activity & File Access
» With real-time log analysis, SolarWinds Log & Event Manager (LEM) provides crucial visibility into a user's behavior on the network, including web usage, application usage, file access and more.
» LEM enables admins to easily identify anomalous patterns, unauthorized access, and malicious activity.
» Additionally, LEM provides automated responses to instantly remediate a security threat or network problem.
SOLARWINDS LOG & EVENT MANAGER
Example Scenario 1: User Logon Attempts
While it may not seem intuitive to monitor successful logon attempts, you may want to keep an eye out for a successful logon after multiple failed attempts or logons occurring after hours, both of which could signal a breach.
EXAMPLE: If there are 50 failed attempts on a server or router followed by a successful logon, does it imply that the user simply remembered their credentials? Or does it mean that a hacker finally broke in and now has access?
LEM can monitor user logons and provide the necessary correlation to identify a threat vs. normal, everyday user activity. Very importantly, it does so in real-time. If a threat is detected, LEM can then instantly and automatically log the user off.
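The correlation this scenario describes (a burst of failed logons for one account followed by a success, plus any success outside business hours) is easy to express as a small stateful rule. The code below is an added example, not SolarWinds code and not LEM's rule format; the log line layout, the field names, the five-failure threshold, the ten-minute window and the 08:00-18:00 business hours are all assumptions, and the log lines are constructed.

```python
"""Correlate logon events: flag a success that follows a burst of failures,
and any success outside business hours. Added example, not SolarWinds code.
The line format and every threshold below are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <host> <FAIL|SUCCESS> user=<name> src=<ip>"
SAMPLE_LOG = """\
2013-05-06T09:00:01 srv01 FAIL user=alice src=10.1.1.5
2013-05-06T09:00:02 srv01 FAIL user=alice src=10.1.1.5
2013-05-06T09:00:03 srv01 FAIL user=alice src=10.1.1.5
2013-05-06T09:00:04 srv01 FAIL user=alice src=10.1.1.5
2013-05-06T09:00:05 srv01 FAIL user=alice src=10.1.1.5
2013-05-06T09:00:06 srv01 SUCCESS user=alice src=10.1.1.5
2013-05-06T10:15:00 srv01 FAIL user=bob src=10.1.1.9
2013-05-06T10:15:30 srv01 SUCCESS user=bob src=10.1.1.9
2013-05-06T23:40:00 srv02 SUCCESS user=carol src=10.1.1.7
"""


def parse_event(line):
    """Parse one constructed log line into a dict. Real agents emit richer
    fields (event ID, logon type); this minimal shape is an assumption."""
    ts, host, outcome, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "outcome": outcome, "user": fields["user"], "src": fields["src"]}


def detect_suspicious_logons(lines, fail_threshold=5,
                             window=timedelta(minutes=10),
                             business_hours=(8, 18)):
    """Return alerts in event order.

    Rule 1: a SUCCESS for (host, user) preceded by >= fail_threshold FAILs
            within `window` -> "failed_burst_then_success", action "logoff".
    Rule 2: a SUCCESS outside business_hours -> "after_hours_logon".
    """
    recent_failures = defaultdict(deque)   # (host, user) -> FAIL timestamps
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        q = recent_failures[(ev["host"], ev["user"])]
        # Drop failures that fell out of the correlation window.
        while q and q[0] < ev["ts"] - window:
            q.popleft()
        if ev["outcome"] == "FAIL":
            q.append(ev["ts"])
            continue
        # outcome == SUCCESS: evaluate both rules against the failure streak.
        if len(q) >= fail_threshold:
            alerts.append({"rule": "failed_burst_then_success",
                           "host": ev["host"], "user": ev["user"],
                           "src": ev["src"], "failures": len(q),
                           "action": "logoff"})
        start, end = business_hours
        if not start <= ev["ts"].hour < end:
            alerts.append({"rule": "after_hours_logon",
                           "host": ev["host"], "user": ev["user"],
                           "src": ev["src"], "failures": len(q),
                           "action": "notify"})
        q.clear()   # a success resets the failure streak for this account
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logons(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying the failure streak on (host, user) rather than on user alone keeps one noisy account on one server from masking activity elsewhere; in practice you would also key on source address, and raise the threshold well above five for accounts that legitimately mistype passwords.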
Example Scenario 2: Privileged User Access
Elevated privileges are required by some users to do their job (e.g. network admins, helpdesk support, HR, and Accounting to name a few), but such privileged access can lead to security threats.
EXAMPLE: A database administrator in charge of maintaining the company’s CRM database starts accessing the HR database containing employees’ confidential data. Is this authorized? Malicious? Regardless, it’s out of the ordinary for this user’s role and typical file access.
LEM can monitor file access and then correlate the event data to determine if this is anomalous behavior. So, even though the database administrator has access, it goes against this user’s typical pattern of only accessing the CRM database. LEM can then automatically disable the account or remove the user from a trusted group.
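The detection in this scenario is a baseline comparison: learn which resources each user normally touches, then flag access to anything outside that set, with a stronger response when the resource is sensitive. The code below is an added example, not SolarWinds code and not how LEM stores its rules; the event tuples, the resource names, the learning-period cutoff and the set of sensitive resources are constructed assumptions. It also handles the case the scenario does not mention, a user with no baseline yet, which should not be treated as an anomaly.

```python
"""Baseline-deviation detection for file/database access. Added example,
not SolarWinds code; all events and resource names are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed history: (timestamp, user, action, resource). The early days
# form the learning period; NEW_EVENTS holds the accesses under evaluation.
HISTORY = [
    ("2013-05-01T09:12:00", "dba1", "read",  "db://crm/customers"),
    ("2013-05-01T11:40:00", "dba1", "write", "db://crm/orders"),
    ("2013-05-02T08:55:00", "dba1", "read",  "db://crm/customers"),
    ("2013-05-03T14:02:00", "dba1", "read",  "db://crm/orders"),
    ("2013-05-02T10:00:00", "hr1",  "read",  "db://hr/employees"),
    ("2013-05-03T10:05:00", "hr1",  "write", "db://hr/employees"),
]
NEW_EVENTS = [
    ("2013-05-06T09:01:00", "dba1", "read", "db://crm/customers"),  # normal
    ("2013-05-06T09:30:00", "dba1", "read", "db://hr/employees"),   # the slide's scenario
    ("2013-05-06T09:45:00", "hr1",  "read", "db://hr/employees"),   # normal
    ("2013-05-06T16:10:00", "hr1",  "read", "db://crm/orders"),     # out of pattern, not sensitive
]
# Resources whose out-of-pattern access warrants an account-level response (assumption).
SENSITIVE = {"db://hr/employees"}


def build_baseline(history, learn_until):
    """Map each user to the set of resources they touched before learn_until."""
    cutoff = datetime.fromisoformat(learn_until)
    baseline = defaultdict(set)
    for ts, user, _action, resource in history:
        if datetime.fromisoformat(ts) < cutoff:
            baseline[user].add(resource)
    return baseline


def evaluate(events, baseline, sensitive=SENSITIVE):
    """Return one finding per access that falls outside the user's baseline.

    response: "disable_account" for a sensitive resource, "notify" otherwise,
    and "no_baseline" when the user has no learned history at all (a new
    account should be learned, not punished).
    """
    findings = []
    for ts, user, action, resource in events:
        known = baseline.get(user, set())
        if resource in known:
            continue
        if not known:
            response = "no_baseline"
        elif resource in sensitive:
            response = "disable_account"
        else:
            response = "notify"
        findings.append({"ts": ts, "user": user, "action": action,
                         "resource": resource, "baseline": sorted(known),
                         "response": response})
    return findings


if __name__ == "__main__":
    baseline = build_baseline(HISTORY, "2013-05-06T00:00:00")
    for finding in evaluate(NEW_EVENTS, baseline):
        print(finding)
```

A per-user set of resources is the simplest baseline; a production version would age entries out, learn per role as well as per user, and require a minimum number of observations before an account leaves the "no_baseline" state.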
Default User Activity Rules
LEM delivers out-of-the-box activity rules for monitoring key User actions that could pose a risk to the network.
Default File Auditing Reports
LEM provides real-time and historical visibility into file activity. Whether it’s notification of inappropriate file access or searching for the person who deleted an important document, LEM provides quick and easy access to the event data that reflects file behavior and is essential for protecting sensitive information.
Available User-Based Active Responses
SolarWinds LEM then goes a step further by providing built-in Active Responses to automatically respond to a threat, such as logging off a suspicious user or removing a user from a particular group.
Monitoring & Managing USB Device Access
» SolarWinds LEM includes built-in USB Defender technology that provides real-time notification when USB drives are detected. This notification can be further correlated with network logs to identify potential malicious attacks coming from USB drives.
» With LEM’s USB Defender technology, you can take automated actions such as disabling user accounts, quarantining workstations, and automatically or manually ejecting USB devices.
» Additionally, LEM provides built-in reporting to audit USB usage over time.
Adding Authorized USB Devices
» SolarWinds LEM addresses the complexity of providing USB access to select USB devices with a few simple steps.
• Build a Group of “Authorized” USB Devices
• Identify “Authorized” Devices
• Add “Authorized” USB Devices to a User Defined Group
Adding Authorized USB Devices cont.
» Add the group of “Authorized” devices to SolarWinds LEM rules using the simple drag-and-drop rule builder interface.
Automatically Detaching USB Devices
» With LEM’s Active Responses, you can automatically detach a USB or mass storage device from a workstation. This action is useful for allowing only specific devices to be attached to your Windows computers or detaching any device exhibiting suspicious behavior, such as:
• When a computer endpoint gains unauthorized USB access
• When an authorized USB port logs suspicious user activity
• When unwarranted data transfer happens between an enterprise computer and USB drive
• When USB access on a USB port becomes non-compliant with organizational policies
• When a USB endpoint is infected and needs to be quarantined
SolarWinds Log & Event Manager
Log Collection, Analysis, and Real-Time Correlation
» Collects log & event data from tens of thousands of devices & performs true real-time, in-memory correlation
» Powerful Active Response technology enables you to quickly & automatically take action against threats
» Advanced IT Search employs highly effective data visualization tools – word clouds, tree maps, & more
» Quickly generates compliance reports for PCI DSS, GLBA, SOX, NERC CIP, HIPAA, & more
» Built-in correlation rules, reports, & responses for out-of-the-box visibility and proactive threat protection
How can SolarWinds Log and Event Manager help?
Thank You!