Security, et al

Randy's Blog on Infosec and Other Stuff

«  Crazy Ideas for Combattin... | UltimateWindowsSecurity.c... »

SolarWinds Log & Event Manager Includes My Favorite Feature in a SIEM…

Fri, 29 Jun 2012 14:40:22 GMT

In conjunction with integrating SolarWinds Log and Event Manager (LEM) with my LOGbinder software I had an opportunity to get to know LEM and I thought I’d share some of the highlights of what I discovered.  Click here to download LEM now!

For me, the most important thing about a log management / SIEM tool is its analysis functionality.  How much built-in intelligence does it have about common event logs and how powerful are its capabilities for alerting you to important activity, reporting for compliance and adhoc research?  LEM employs my favorite SIEM feature for increasing maximizing analytical power – normalization. 

Architected for Normalization

With normalization, your SIEM vendor compiles schema of log source agnostic event types that are common to nearly any technology.  These event types include things like:

-          File operations

-          User account maintenance

-          Group membership changes

-          Configuration changes

-          Network traffic events

SolarWinds provides connectors for common log sources that understand how to translate raw events from a specific log source into their equivalent normalized event type.  For instance the screen print below shows a search based on Alert Type New Group Member (in LEM, alerts are any events of interest – that is not discarded). 

When you query for this Alert Type you will get any group membership additions from all monitored log sources.  In the example above you see a member added to a Windows local group as well as a new member added to a group in SharePoint.  That screen print really illustrates the power of normalization.  You no longer need to be an expert in every arcane log format produced within your organization.  (It’s hard enough to learn the Windows event log – much less all the other security logs found on a typical network.)

As raw events come into LEM, the appropriate connector compares the event to its alert criteria and discards unmatched events.  The remaining events are normalized into alerts.  This processing takes place in the local agent which increases efficiency since unimportant events are discarded at their source.  The normalized alerts are then fed to the central LEM manager over an encrypted connection which ensures security and audit integrity.

At the manager, alerts are processed according to the alert distribution policy.  Each alert may be dispatched to one or more of the following:

1.       Alert Correlation Engine

2.       Console for display in dashboard Widgets or in filter views

3.       Storage for future reports and analysis

Automated Response through Rules

The Event Correlation Engine is where Rules are processed.  Rules define automated responses to correlated alerts.  LEM makes it easy to define rules.  You essentially build a graphical flow chart of the rule by dragging and dropping conditions, actions and Boolean logic operators on to the rule canvas; no cryptic data entry here!

The automated responses you can select range from sending emails to your security analyst, to killing offending processes, updating a user defined list or creating an incident.  The latter 2 are particularly interesting. 

Incidents are a special kind of what I would call meta-alert in LEM.  You can define rules to trigger Incidents from any alert that should be followed up on and for which you need to document such follow up.  While LEM documentation suggests printing out a daily incident report and noting your follow up and signoff on the hardcopy, I think it would be more efficient to have the report emailed to a SharePoint document library.  In the document library you could add additional columns or workflows for documenting follow up and signoff.

User defined lists (called custom groups in LEM) allow you to compare alerts against any list of items you define.  For instance, you could create a list of privileged users and then define multiple rules that use that same list to identify activity where the actor or target is a privileged account.  Of course the disadvantage of such lists would be the burden of keeping them up to date.  That’s where the user defined list actions come in so handy.  You can automate the maintenance of user defined lists! 

For instance you could create a rule for new group member alerts where the group is Administrators, Domain Admins or Enterprise Admins.  Then set a response action that adds the new member’s name to a Privileged Accounts list and a rule to handle the opposite case where a user is removed.  Of course to handle nested groups you’d need to handle some additional logic but a couple additional rules for maintaining an Admin-Equivalent Groups list would do the job.

Interactive Analysis

The LEM console provides three levels of interactive analysis.  Starting on the Ops Center tab (see below) you have a pane of customizable dashboards called widgets. 

A Widget is a visualization (e.g. simple table or a pie/bar/line chart) combined with a filter that controls which alerts are represented in the Widget.  This makes it easy to define key security indicators and keep an at-a-glance eye on them.  You can drill down into a Widget which takes you to the next level of analysis – the Monitor tab (see below). 

The monitor tab allows you to select a filter which displays on the right, the alerts matching that filter.  Then when you select an alert, its details are displayed on the bottom pane.  When you enter the Monitor tab via a Widget drilldown back on the Ops Center tab, LEM automatically selects the same filter as the Widget you just came from making it easy to see the activity behind the Widget.

You can select any data value in the Alert’s details and select Explore which takes you to the 3rd level of analysis – the nDepth display on the Explore tab (see very first screen print).

nDepth is a really cool way to do adhoc analysis of security log activity.  At its root, nDepth is a search application that allows you to enter search terms in a single, Google-like search field.  And then of course the matching alerts are displayed in a list underneath.  However the capabilities go far beyond that simple description.

In addition to displaying matching events as a simple list, you can choose to visualize the data in a variety of chart formats, word clouds, tree maps and more.  Whenever you change your search criteria, LEM adds your old criteria to the History list.  Whenever you build a search you like and want to re-use you can save the search and it appears in the Saved Searches list.  This makes it easy and superfast to go back to recent searches or searches you knew you’d want to use again. 

nDepth provides a number of ways to make it easier to refine your search.  In the Refine Fields pane you see a list of all the field names found in the current result set.  Under each field name you find a list of all the values occurring for that field along with their count.  You can drag any of these field names or values to the search terms field and nDepth will automatically add a Boolean expression that further filters the results.

You can highlight DNS names and IP addresses and run lookups like Whois, traceroute, NSlookup.  Or you can on demand have any of the actions available to Rules described above to be executed on the manager or agent system. 

Wrapping Up

Beyond these three highly interactive and progressively deeper analysis tools, you can also schedule reports to be automatically produced and delivered via email.  LEM runs as a physical or virtual Linux appliance, the latter being easy to download and quickly set up to run in your hypervisor.  Being a Linux appliance makes it easy to setup the appliance as a separate isolated log management with access controls to prevent tampering by admins of the systems you are monitoring which is an important architectural consideration if you are depending on your SIEM to provide accountability over admins.  And though it’s a Linux system, you don’t really need to be a Linux guru because the appliance can be almost completely managed via the desktop console which runs on your workstation.

SolarWinds hosts an active user community called Thwack where you can exchange filter, report and rule content, request new features, keep up with new developments and get help from SolarWinds and community members.

SolarWinds Log and Event Manager is a capable SIEM software solution that incorporates my favorite SIEM feature – normalization.  The interface is highly visual with very few instances where you must enter cryptic text and codes.

You can download a trial of LEM from

email this digg reddit dzone
comments (0)references (0)

Auditing Privileged Operations and Mailbox Access in Office 365 Exchange Online
5 Indicators of Endpoint Evil
Severing the Horizontal Kill Chain: The Role of Micro-Segmentation in Your Virtualization Infrastructure
Anatomy of a Hack Disrupted: How one of SIEM’s out-of-the-box rules caught an intrusion and beyond

Comments disabled

powered by Bloget™


Recent Blogs


Additional Resources