
Monitoring User Activity and File Access


Page 1: Monitoring User Activity and File Access

1

User Activity & File Access Monitoring

© 2013, SolarWinds Worldwide, LLC. All rights reserved.

SolarWinds Log & Event Manager

Page 2: Monitoring User Activity and File Access

2

Monitoring User Activity & File Access

» With real-time log analysis, SolarWinds Log & Event Manager (LEM) provides crucial visibility into a user's behavior on the network, including web usage, application usage, file access and more.

» LEM enables admins to easily identify anomalous patterns, unauthorized access, and malicious activity.

» Additionally, LEM provides automated responses to instantly remediate a security threat or network problem.

SOLARWINDS LOG & EVENT MANAGER

Page 3: Monitoring User Activity and File Access

3

Example Scenario 1: User Logon Attempts

While it may not seem intuitive to monitor successful logon attempts, you may want to keep an eye out for a successful logon after multiple failed attempts or logons occurring after hours, both of which could signal a breach.

EXAMPLE: If there are 50 failed attempts on a server or router followed by a successful logon, does it imply that the user simply remembered their credentials? Or does it mean that a hacker finally broke in and now has access?

LEM can monitor user logons and provide the necessary correlation to identify a threat vs. normal, everyday user activity. Very importantly, it does so in real-time. If a threat is detected, LEM can then instantly and automatically log the user off.


Example Scenario 2: Privileged User Access

Elevated privileges are required by some users to do their job (e.g. network admins, helpdesk support, HR, and Accounting, to name a few), but such privileged access can lead to security threats.

EXAMPLE: A database administrator in charge of maintaining the company’s CRM database starts accessing the HR database containing employees’ confidential data. Is this authorized? Malicious? Regardless, it’s out of the ordinary for this user’s role and typical file access.

LEM can monitor file access and then correlate the event data to determine if this is anomalous behavior. So, even though the database administrator has access, it goes against this user’s typical pattern of only accessing the CRM database. LEM can then automatically disable the account or remove the user from a trusted group.
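The two scenarios above describe correlation rules: a successful logon preceded by a burst of failures (or occurring after hours), and file access by a privileged user outside that user's normal pattern. The following is an added example, not SolarWinds LEM code, showing how such rules can be expressed over a stream of events. The event lines are constructed; they loosely follow Windows Security log fields (4625 failed logon, 4624 successful logon, 4663 object access). The failure window, business hours, and the per-user access baseline are assumptions chosen for the example (the 50-failure threshold is the deck's own figure).

```python
"""Correlation rules of the kind the two scenarios describe, as an added
example (not SolarWinds LEM code). Input is a constructed list of events
modelled loosely on Windows Security log fields: 4625 = failed logon,
4624 = successful logon, 4663 = object (file) access. The window,
business hours and the per-user access baseline are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON, FILE_ACCESS = 4625, 4624, 4663

# Assumed policy values (50 failures is the deck's example; the window
# and business hours are our own assumptions for this example).
FAILURE_THRESHOLD = 50
FAILURE_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (8, 18)  # 08:00 inclusive to 18:00 exclusive, local time

# Assumed per-user baseline: resources each privileged user normally touches.
BASELINE = {"dba_crm": {r"\\fs01\db\crm"}}


def parse_event(line):
    """Parse one constructed 'ts|event_id|user|src|object' line into a dict."""
    ts, event_id, user, src, obj = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "user": user, "src": src, "object": obj}


def correlate_logons(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Scenario 1: a success preceded by >= threshold failures for the same
    user within `window`, plus any successful logon outside business hours."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] == FAILED_LOGON:
            recent_failures[ev["user"]].append(ev["ts"])
        elif ev["event_id"] == SUCCESS_LOGON:
            q = recent_failures[ev["user"]]
            while q and ev["ts"] - q[0] > window:  # expire failures outside window
                q.popleft()
            if len(q) >= threshold:
                alerts.append(("success_after_failures", ev["user"], len(q)))
            q.clear()  # a success resets the burst for this user
            if not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
                alerts.append(("after_hours_logon", ev["user"], ev["ts"].isoformat()))
    return alerts


def correlate_file_access(events, baseline=BASELINE):
    """Scenario 2: file access by a user with a known baseline that falls
    outside that baseline (users without a baseline are not evaluated)."""
    alerts = []
    for ev in events:
        if ev["event_id"] != FILE_ACCESS:
            continue
        allowed = baseline.get(ev["user"])
        if allowed is not None and not any(
                ev["object"].lower().startswith(p.lower()) for p in allowed):
            alerts.append(("off_baseline_access", ev["user"], ev["object"]))
    return alerts


def build_sample_events():
    """Constructed sample: 50 failures then a success for 'jdoe' at 02:13,
    a normal daytime logon for 'asmith', and the CRM DBA touching the HR share."""
    lines = []
    base = datetime(2013, 6, 3, 2, 5)
    for i in range(50):
        lines.append(f"{(base + timedelta(seconds=8 * i)).isoformat()}|4625|jdoe|10.0.0.7|-")
    lines.append("2013-06-03T02:13:00|4624|jdoe|10.0.0.7|-")
    lines.append("2013-06-03T09:30:00|4624|asmith|10.0.0.21|-")
    lines.append(r"2013-06-03T10:02:00|4663|dba_crm|10.0.0.30|\\fs01\db\crm\customers.mdf")
    lines.append(r"2013-06-03T10:41:00|4663|dba_crm|10.0.0.30|\\fs01\db\hr\payroll.mdf")
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    evs = build_sample_events()
    for alert in correlate_logons(evs) + correlate_file_access(evs):
        print(alert)
```

On the constructed sample this yields two logon alerts for `jdoe` (50 failures followed by a success, and a logon at 02:13) and one off-baseline access alert for `dba_crm` on the HR share; `asmith` produces nothing. In a real deployment the baseline would be learned from history rather than hard-coded, and the response (log off, disable, remove from group) would be a separate action keyed off these alerts.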


Default User Activity Rules

LEM delivers out-of-the-box activity rules for monitoring key user actions that could pose a risk to the network.


Default File Auditing Reports

LEM provides real-time and historical visibility into file activity. Whether it’s notification of inappropriate file access or searching for the person who deleted an important document, LEM provides quick and easy access to the event data that reflects file behavior and is essential for protecting sensitive information.


Monitoring & Managing USB Device Access

» SolarWinds LEM includes built-in USB Defender technology that provides real-time notification when USB drives are detected. This notification can be further correlated with network logs to identify potential malicious attacks coming from USB drives.

» With LEM’s USB Defender technology, you can take automated actions such as disabling user accounts, quarantining workstations, and automatically or manually ejecting USB devices.

» Additionally, LEM provides built-in reporting to audit USB usage over time.


Adding Authorized USB Devices

» SolarWinds LEM addresses the complexity of providing USB access to select USB devices with a few simple steps.

• Build a Group of “Authorized” USB Devices

• Identify “Authorized” Devices

• Add “Authorized” USB Devices to a User Defined Group


Adding Authorized USB Devices cont.

» Add the group of “Authorized” devices to SolarWinds LEM rules using the simple drag-and-drop rule builder interface.


Automatically Detaching USB Devices

» With LEM’s Active Responses, you can automatically detach a USB or mass storage device from a workstation. This action is useful for allowing only specific devices to be attached to your Windows computers or detaching any device exhibiting suspicious behavior, such as:

• When a computer endpoint gains unauthorized USB access

• When an authorized USB port logs suspicious user activity

• When unwarranted data transfer happens between an enterprise computer and USB drive

• When USB access on a USB port becomes non-compliant with organizational policies

• When a USB endpoint is infected and needs to be quarantined


SolarWinds Log & Event Manager

How can SolarWinds Log and Event Manager help?

Log Collection, Analysis, and Real-Time Correlation

» Collects log & event data from tens of thousands of devices & performs true real-time, in-memory correlation

» Powerful Active Response technology enables you to quickly & automatically take action against threats

» Advanced IT Search employs highly effective data visualization tools – word clouds, tree maps, & more

» Quickly generates compliance reports for PCI DSS, GLBA, SOX, NERC CIP, HIPAA, & more

» Built-in correlation rules, reports, & responses for out-of-the-box visibility and proactive threat protection


Thank You!
