2. Agenda
» Workstations – Vulnerable Endpoints on your Network
» Why Are Workstation Logs Important?
» Workstation Log Management Made Simple – How?
» Use Active Responses to Combat Workstation Security Threats
SOLARWINDS LOG & EVENT MANAGER
3. Workstations – Vulnerable Endpoints on your Network
» Monitoring server logs is no longer enough.
» Workstations process content from the Internet and email, come into contact with infected files and external mass storage devices, and connect to insecure networks over Wi-Fi.
» Workstations are arguably among the most vulnerable entities on your network.
4. Why Are Workstation Logs Important?
» Several security events can be understood only with the help of workstation log data.
» Workstation logs can be used to monitor end-user activity on enterprise workstations, and they provide a rich array of security event information.
» Workstation log information helps you:
• Build enterprise audit trails
• Perform forensics and root cause analysis
• Detect threats
5. Reason 1 – System User Logoffs
» This information is stored only by the workstation.
» User logons can be studied from the domain controller (DC) that processes the initial authentication.
» DCs have no visibility into what the user does after that authentication, or into when the session ends.
» The workstation is the only component that logs the user logoff (on Windows, event ID 4634 "An account was logged off" and 4647 "User initiated logoff"); pairing the logoff with its logon is what gives you session duration.
6. Reason 2 – Local Account Logon/Logoff
» Again, domain controllers don't capture these crucial events.
» Local accounts on a workstation can be prime targets for attackers.
» Authentication of local accounts is handled locally by the workstation.
» The events are therefore logged locally. Example: Windows® records the credential validation under event ID 4776, and the resulting logon under 4624 with the workstation's own name in the domain field.
7. Reason 3 – USB Connection to Workstations
» Windows does not audit device connections and disconnections by default. The Windows XP, Vista and 7 workstations this deck addresses have no native USB audit event; Windows 10 and later can log event ID 6416 when "Audit PnP Activity" is enabled.
» Only logs collected at the workstation provide information on when a USB or mass storage device was connected, by whom, whether the connection was authorized, etc.
» You can use a security information and event management (SIEM) system to respond to an unauthorized USB connection by detaching the device, disabling the port, or shutting down the system.
8. Reason 4 – End-user Desktop Programs
» The programs users run on the workstation are crucial to monitor.
» When a user runs a malicious executable on the workstation, it can become the foothold for an advanced persistent threat (APT).
» The domain controller doesn't log the programs running on end-user systems.
» Workstation logs alone provide visibility into what programs a user ran and for how long (on Windows, process creation and termination are events 4688 and 4689, available once the "Audit Process Creation" and "Audit Process Termination" subcategories are enabled).
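The four reasons above each correspond to a Windows Security event class that only the workstation holds. The following PowerShell is an added example, not SolarWinds or LEM code: it reconstructs sessions from logon/logoff pairs, flags local-account logons, lists USB storage arrivals and reports processes launched from outside approved directories. The event records are constructed inline to carry the same EventData field names as the real events; the workstation name WS-FIN-017, the user names and the device IDs are invented for the example.

```powershell
# Added example (not SolarWinds or LEM code): triage of a workstation's Security log
# for the event classes slides 5-8 describe. The records below are CONSTRUCTED to
# carry the same EventData fields as the real Windows events; in production build
# the same objects from Get-WinEvent, e.g.
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4634,4647,4688,4776,6416 }
# and read the fields from each event's ToXml() EventData. Requires PowerShell 3+.
$ComputerName = 'WS-FIN-017'   # hypothetical workstation name

$Events = @(
    # domain user logs on interactively (4624) and later chooses to log off (4647)
    [pscustomobject]@{ Id=4624; TimeCreated=[datetime]'2016-09-12T08:01:12'; TargetUserName='jdoe';     TargetDomainName='CORP';        TargetLogonId='0x3e7f1'; LogonType=2 }
    # a local account is validated by the workstation itself (4776), then logged on (4624)
    [pscustomobject]@{ Id=4776; TimeCreated=[datetime]'2016-09-12T08:40:03'; TargetUserName='helpdesk'; Workstation=$ComputerName; Status='0x0' }
    [pscustomobject]@{ Id=4624; TimeCreated=[datetime]'2016-09-12T08:40:04'; TargetUserName='helpdesk'; TargetDomainName=$ComputerName; TargetLogonId='0x4a210'; LogonType=2 }
    # a removable disk is recognised (6416; Windows 10+ with "Audit PnP Activity" enabled)
    [pscustomobject]@{ Id=6416; TimeCreated=[datetime]'2016-09-12T08:43:10'; SubjectUserName='helpdesk'; ClassName='DiskDrive'; DeviceDescription='SanDisk Cruzer USB Device'; DeviceId='USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer\4C530001' }
    # processes started in the local session (4688); one of them from a temp directory
    [pscustomobject]@{ Id=4688; TimeCreated=[datetime]'2016-09-12T08:45:30'; SubjectUserName='helpdesk'; SubjectLogonId='0x4a210'; NewProcessName='C:\Users\helpdesk\AppData\Local\Temp\update.exe'; NewProcessId='0x1a4c' }
    [pscustomobject]@{ Id=4688; TimeCreated=[datetime]'2016-09-12T08:46:02'; SubjectUserName='helpdesk'; SubjectLogonId='0x4a210'; NewProcessName='C:\Windows\System32\notepad.exe';                  NewProcessId='0x1b00' }
    # sessions end: 4634 for the local account, 4647 for the domain user
    [pscustomobject]@{ Id=4634; TimeCreated=[datetime]'2016-09-12T09:10:00'; TargetUserName='helpdesk'; TargetDomainName=$ComputerName; TargetLogonId='0x4a210'; LogonType=2 }
    [pscustomobject]@{ Id=4647; TimeCreated=[datetime]'2016-09-12T17:32:45'; TargetUserName='jdoe';     TargetDomainName='CORP';        TargetLogonId='0x3e7f1' }
)

# Reason 1: only the workstation records the logoff, so session duration can only be
# reconstructed here. Logon and logoff are joined on the logon ID rather than the user
# name, because one user can hold several concurrent sessions.
function Get-WorkstationSessions {
    param([object[]]$Events)
    $ends = @{}
    foreach ($e in ($Events | Where-Object { $_.Id -in 4634, 4647 })) { $ends[$e.TargetLogonId] = $e.TimeCreated }
    foreach ($logon in ($Events | Where-Object { $_.Id -eq 4624 })) {
        $end = $ends[$logon.TargetLogonId]
        $duration = if ($end) { $end - $logon.TimeCreated } else { $null }   # $null = still logged on
        [pscustomobject]@{
            User      = "$($logon.TargetDomainName)\$($logon.TargetUserName)"
            LogonType = $logon.LogonType
            Start     = $logon.TimeCreated
            End       = $end
            Duration  = $duration
        }
    }
}

# Reason 2: a local account is authenticated by the workstation, never by the DC.
# 4776 is the credential-validation record; a 4624 whose domain field is the
# computer's own name is the resulting logon. Either one alone is evidence.
function Get-LocalAccountLogons {
    param([object[]]$Events, [string]$ComputerName)
    $Events | Where-Object {
        ($_.Id -eq 4776 -and $_.Workstation -eq $ComputerName) -or
        ($_.Id -eq 4624 -and $_.TargetDomainName -eq $ComputerName)
    } | Select-Object Id, TimeCreated, TargetUserName
}

# Reason 3: newer Windows can record device arrival itself (6416); on older workstations
# an agent has to supply the equivalent. A USBSTOR device ID marks USB mass storage.
function Get-UsbStorageConnections {
    param([object[]]$Events)
    $Events | Where-Object { $_.Id -eq 6416 -and $_.DeviceId -like 'USBSTOR\*' } |
        Select-Object TimeCreated, SubjectUserName, DeviceDescription, DeviceId
}

# Reason 4: process creation auditing (4688) is the workstation's own record of what
# ran. Anything launched from outside the allowed directories is returned for review.
function Get-UnapprovedProcesses {
    param(
        [object[]]$Events,
        [string[]]$AllowedRoots = @('C:\Windows\', 'C:\Program Files\', 'C:\Program Files (x86)\')
    )
    foreach ($p in ($Events | Where-Object { $_.Id -eq 4688 })) {
        $approved = $false
        foreach ($root in $AllowedRoots) {
            if ($p.NewProcessName.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $approved = $true }
        }
        if (-not $approved) {
            # NewProcessId is logged as a hex string; [int] understands the 0x prefix
            [pscustomobject]@{ TimeCreated=$p.TimeCreated; User=$p.SubjectUserName; Image=$p.NewProcessName; ProcessId=[int]$p.NewProcessId }
        }
    }
}

Get-WorkstationSessions   $Events               | Format-Table -AutoSize
Get-LocalAccountLogons    $Events $ComputerName | Format-Table -AutoSize
Get-UsbStorageConnections $Events               | Format-Table -AutoSize
Get-UnapprovedProcesses   $Events               | Format-Table -AutoSize
```

On the sample data the session report shows two sessions with their durations (the domain user's 9.5-hour day and the local account's half hour), the local-account query returns the 4776 and 4624 records for helpdesk, the USB query returns the SanDisk device, and the process query returns only update.exe from the Temp directory. None of these results can be produced from domain controller logs alone, which is the point of the four slides.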
9. Workstation Log Management Made Simple
» SolarWinds Log & Event Manager (LEM) is a full-function SIEM solution that extends comprehensive log collection, correlation, analysis, and incident response to both servers and workstations.
10. Active Responses to Combat Workstation Security Threats
» Active Responses are automated actions, programmed to react in real time to anomalies, threats and policy violations without requiring human intervention to confirm or activate them.
» Let's discuss some useful Active Responses that LEM offers out of the box for workstation security and management.
11. Active Response 1 – Kill Suspicious and Unapproved Processes
» LEM alerts you in real time when suspicious or unauthorized processes are running on the endpoints.
» LEM Active Response: The Kill Process Active Response lets LEM automatically kill a suspicious or unapproved process by name or ID. LEM reads the ProcessID field of the corresponding alert and kills the process:
• By ID when the ProcessID value is a number
• By name when the ProcessID value is a name
12. Active Response 2 – Disable Networking on Infected Workstation
» An infected workstation can spread the infection to other systems on the network.
» A wise security action is to isolate the infected workstation by disabling its network adapter.
» LEM Active Response: Use the Disable Networking Active Response to disable networking on a workstation at the Windows® Device Manager level.
» This action is useful for isolating network infections and attacks, and can be automated in a LEM rule or executed manually from the Respond menu in the LEM Console. Note that disabling the adapter also cuts the LEM Agent's own channel back to the manager, so re-enabling networking is a local or out-of-band step.
13. Active Response 3 – Remove Unapproved Users from Administrative Group
» Depending on where the unapproved user is identified, at the domain level or at the local level, you should be able to remove the user from the administrative group automatically.
» LEM Active Response: LEM uses a Windows Active Response tool matching the level you want to remove the user(s) from, domain or local.
» This tool configures an actor that enables Windows Active Response capabilities on LEM Agents deployed on Windows operating systems.
14. Active Response 4 – Detach Unauthorized USB Devices
» Some common cases of dangerous USB activity on the network:
• A computer endpoint gains unauthorized USB access
• An authorized USB port logs suspicious user activity
• Unwarranted data transfer takes place between an enterprise computer and a USB drive
• USB access on a port becomes non-compliant with organizational policies
• A USB endpoint is affected and needs to be quarantined
» LEM Active Response: The Detach USB Device Active Response allows you to automatically detach a USB or mass storage device from a workstation. This action is useful for allowing only specific devices to be attached to your Windows computers, or for detaching any device exhibiting suspicious behavior.
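To make concrete what the four Active Responses on slides 11 through 14 actually do on the endpoint, here is an added PowerShell example of their native Windows equivalents. It is not SolarWinds or LEM code and does not reproduce LEM's alert format: the alert hashtable and its field names (Action, User, Drive, Adapter) are hypothetical, and only the ProcessID rule (numeric means PID, otherwise a name) is taken from the slides. Run it in an elevated PowerShell on the workstation itself.

```powershell
# Added example (not SolarWinds or LEM code): native Windows equivalents of the four
# Active Responses on slides 11-14. Run in an elevated PowerShell on the workstation.
# The $Alert hashtable is a HYPOTHETICAL alert shape; apart from ProcessID its field
# names are not LEM's.

# Response 1: kill by PID when ProcessID is numeric, otherwise by image name,
# mirroring the rule the slide describes for LEM's ProcessID field.
function Stop-SuspiciousProcess {
    param([Parameter(Mandatory)][string]$ProcessID)
    if ($ProcessID -match '^\d+$') {
        Stop-Process -Id ([int]$ProcessID) -Force -ErrorAction Stop
    } else {
        # Stop-Process -Name takes the image name without its .exe extension
        Stop-Process -Name ($ProcessID -replace '\.exe$', '') -Force -ErrorAction Stop
    }
}

# Response 2: isolate the host by disabling its adapter. Disable-NetAdapter needs
# Windows 8 / PowerShell 3+; netsh covers XP through 7. Either way this also severs the
# management agent's own channel, so plan the re-enable as a local or out-of-band step.
function Disable-WorkstationNetworking {
    param([string]$AdapterName)
    if (-not $AdapterName) { $AdapterName = 'Local Area Connection' }   # default name on Windows 7
    if (Get-Command Disable-NetAdapter -ErrorAction SilentlyContinue) {
        Disable-NetAdapter -Name $AdapterName -Confirm:$false
    } else {
        netsh interface set interface $AdapterName admin=DISABLED
        if ($LASTEXITCODE -ne 0) { throw "netsh exited with $LASTEXITCODE" }
    }
}

# Response 3: remove the account from the administrative group at the level where it
# was found. net.exe works on every Windows version the deck covers; on Windows 10+
# Remove-LocalGroupMember is the cmdlet alternative for the local case.
function Remove-UnapprovedAdmin {
    param([Parameter(Mandatory)][string]$User, [switch]$Domain, [string]$DomainGroup = 'Domain Admins')
    if ($Domain) { net group $DomainGroup $User /delete /domain }
    else         { net localgroup Administrators $User /delete }
    if ($LASTEXITCODE -ne 0) { throw "net.exe exited with $LASTEXITCODE" }
}

# Response 4: eject a removable volume by drive letter through the shell's Eject verb
# (namespace 17 is "My Computer"); it needs no extra module and works back to XP.
function Dismount-UsbVolume {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'E:'
    $shell = New-Object -ComObject Shell.Application
    $item  = $shell.NameSpace(17).ParseName($DriveLetter)
    if (-not $item) { throw "Drive $DriveLetter not found" }
    $item.InvokeVerb('Eject')
}

# Dispatcher: one entry point a rule engine or scheduled task can call with an alert.
function Invoke-WorkstationResponse {
    param([Parameter(Mandatory)][hashtable]$Alert)
    switch ($Alert.Action) {
        'KillProcess'       { Stop-SuspiciousProcess -ProcessID $Alert.ProcessID }
        'DisableNetworking' { Disable-WorkstationNetworking -AdapterName $Alert.Adapter }
        'RemoveAdmin'       { Remove-UnapprovedAdmin -User $Alert.User -Domain:([bool]$Alert.Domain) }
        'DetachUsb'         { Dismount-UsbVolume -DriveLetter $Alert.Drive }
        default             { throw "Unknown action '$($Alert.Action)'" }
    }
}

# Constructed alerts exercising each path except DisableNetworking, which would cut
# off the session you are running this from. Failures (e.g. no such process) are
# reported rather than aborting the remaining responses.
foreach ($alert in @(
    @{ Action='KillProcess'; ProcessID='update.exe' },
    @{ Action='KillProcess'; ProcessID='6732' },
    @{ Action='RemoveAdmin'; User='helpdesk' },
    @{ Action='DetachUsb';   Drive='E:' }
)) {
    try   { Invoke-WorkstationResponse $alert; "OK: $($alert.Action)" }
    catch { "FAILED: $($alert.Action) - $($_.Exception.Message)" }
}
```

Two design points carry over to any SIEM-driven response. First, every action raises an error the caller can see (PowerShell errors or a non-zero native exit code), so a rule engine can record whether the response actually took effect instead of assuming it did. Second, the isolation response is deliberately kept out of the automatic run: once the adapter is down the agent cannot report back, so that response needs a pre-agreed way to restore connectivity.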
15. SolarWinds Log & Event Manager
» How can SolarWinds Log and Event Manager help?
• Log Collection, Analysis, and Real-Time Correlation: collects log & event data from tens of thousands of devices & performs true real-time correlation
• Powerful Active Response technology enables you to quickly & automatically take action against threats
• Advanced IT Search employs highly effective data visualization tools – word clouds, tree maps, & more
• Quickly generates compliance reports for PCI DSS, GLBA, SOX, NERC CIP, HIPAA, & more
• Out-of-the-box correlation rules, reports, & responses enable speedy deployment in an hour or less
16. The All New LEM Workstation Edition
» SolarWinds Log & Event Manager (LEM) now offers comprehensive log management capabilities for all your workstations at a much more affordable price point.
» LEM Workstation Edition is a new pricing model that offers all the SIEM functionality of LEM and allows you to collect and manage logs from more workstation nodes than ever.
» LEM Workstation Edition applies to all your workstations running the Windows XP, Vista and 7 operating systems.