1
Why Workstation Log Management is Crucial for Network Security?
© 2013, SolarWinds Worldwide, LLC. All rights reserved.
2
Agenda
» Workstations – Vulnerable Endpoints on your Network
» Why Workstation Logs are Important?
» Workstation Log Management Made Simple – How?
» Use Active Responses to Combat Workstation Security Threats
SOLARWINDS LOG & EVENT MANAGER
3
Workstations – Vulnerable Endpoints on your Network
» Monitoring server logs is no longer enough
» Workstations process content from the Internet and email; they come into contact with infected files and external mass storage devices, and can connect to insecure networks over Wi-Fi.
» Workstations are arguably one of the most vulnerable entities on your network.
4
Why Workstation Logs are Important?
» Several security events can be understood only with the help of workstation log data.
» They can be used to monitor end-user activity on enterprise workstations, and provide a rich array of security event information.
» Workstation log information helps you:
• Create enterprise audit trails
• Perform forensics and root cause analysis
• Detect threats
5
Reason 1 – System User Logoffs
» This information is stored only by the workstation
» User logons can be studied from the domain controller (DC) that processes the initial authentication
» DCs don't have visibility over user activity
» The workstation is the only component that logs user logoff data.
6
Reason 2 – Local Account Logon/Logoff
» Again, domain controllers don't capture these crucial events
» Local accounts on a workstation can be prime targets for hackers
» Authentication of these local accounts is handled locally by the workstation
» The events are logged locally. Example: Windows® systems record this under event ID 4776
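An added example (not part of the SolarWinds deck, and not LEM's own logic) of what a defender can do with the event ID 4776 records the slide mentions: a small Python detector that reads workstation credential-validation events from a constructed key=value export format (assumed here; it is not the format of LEM or any real agent), keeps only the 4776 records, groups them by workstation and account, and flags a burst of failed validations against a local account as well as a success that follows such a burst. The error-code mapping uses the NTSTATUS values Windows reports in the 4776 Error Code field; the sample records, host names, account names and the analyze/parse_line functions are constructed for this example.

```python
"""Detect suspicious local-account authentication from workstation logs.

Assumed input: one event per line in a constructed key=value export format.
Only Event ID 4776 (credential validation) records are used; the workstation
itself writes these for its local accounts, which a domain controller never sees.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from two workstations. The 4624 line shows that
# unrelated events in the same export are simply ignored.
SAMPLE_LOG = """\
2013-10-02T09:14:05Z Computer=WS-FIN-07 EventID=4776 Package=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 LogonAccount=alice SourceWorkstation=WS-FIN-07 ErrorCode=0x0
2013-10-02T09:15:11Z Computer=WS-FIN-07 EventID=4624 LogonType=2 TargetUserName=alice
2013-10-02T12:40:01Z Computer=WS-FIN-07 EventID=4776 Package=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 LogonAccount=Administrator SourceWorkstation=WS-FIN-07 ErrorCode=0xC000006A
2013-10-02T12:40:03Z Computer=WS-FIN-07 EventID=4776 Package=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 LogonAccount=Administrator SourceWorkstation=WS-FIN-07 ErrorCode=0xC000006A
2013-10-02T12:40:06Z Computer=WS-FIN-07 EventID=4776 Package=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 LogonAccount=Administrator SourceWorkstation=WS-FIN-07 ErrorCode=0xC000006A
2013-10-02T12:40:09Z Computer=WS-FIN-07 EventID=4776 Package=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 LogonAccount=Administrator SourceWorkstation=WS-FIN-07 ErrorCode=0x0
2013-10-02T15:02:44Z Computer=WS-HR-02 EventID=4776 Package=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 LogonAccount=svc_backup SourceWorkstation=WS-HR-02 ErrorCode=0xC0000064
"""

# NTSTATUS values Windows places in the 4776 Error Code field.
ERROR_CODES = {
    "0x0": "success",
    "0xC000006A": "bad password",
    "0xC0000064": "no such user",
    "0xC0000234": "account locked out",
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict with a 'time' key plus the key=value fields, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    ts, _, rest = line.partition(" ")
    rec = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    rec.update(FIELD_RE.findall(rest))
    return rec


def credential_validations(lines):
    """Yield only the 4776 records: the locally validated logons."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("EventID") == "4776":
            yield rec


def analyze(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag an account once `threshold` failures land inside `window`, and again
    if a successful validation follows that burst (a likely guessed password)."""
    failures = defaultdict(list)  # (computer, account) -> failure timestamps
    findings = []
    for rec in credential_validations(lines):
        key = (rec["Computer"], rec["LogonAccount"])
        outcome = ERROR_CODES.get(rec["ErrorCode"], rec["ErrorCode"])
        if outcome == "success":
            recent = [t for t in failures[key] if rec["time"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"computer": key[0], "account": key[1],
                                 "failures": len(recent), "then_success": True})
            failures[key].clear()
            continue
        failures[key].append(rec["time"])
        recent = [t for t in failures[key] if rec["time"] - t <= window]
        if len(recent) == threshold:  # fire once, when the threshold is crossed
            findings.append({"computer": key[0], "account": key[1],
                             "failures": len(recent), "then_success": False})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f)
```

The second finding is the one worth paging someone for: three bad passwords for the workstation's local Administrator followed by a success, none of which a domain controller would have logged.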
7
Reason 3 – USB Connection to Workstations
» Windows doesn't audit when devices are connected or disconnected
» Only the workstation logs provide information on when a USB or mass storage device was connected, by whom, whether the connection was authorized, etc.
» You can use a security information and event management (SIEM) system to respond to an unauthorized USB connection and shut down the device, disable the port, or shut down the system.
8
Reason 4 – End-user Desktop Programs
» The programs running on your workstations are crucial to monitor
» When a user runs a malicious executable on the workstation, it can lead to an advanced persistent threat (APT)
» The domain controller doesn't log the programs running on end-user systems.
» Workstation logs alone provide visibility into which programs a user ran and for how long
9
Workstation Log Management Made Simple
» SolarWinds Log & Event Manager (LEM) is a full-function SIEM solution that extends comprehensive log collection, correlation, analysis, and incident response to both servers and workstations.
10
Active Responses to Combat Workstation Security Threats
» Active Responses are automated and programmed to react in real time and counter anomalies, threats, and policy violations without requiring human intervention to confirm or activate any action.
» Let's discuss some useful Active Responses that LEM offers out of the box for workstation security and management.
11
Active Response 1 – Kill Suspicious and Unapproved Processes
» LEM alerts you in real time when suspicious or unauthorized processes are running on the endpoints
» LEM Active Response: The Kill Process Active Response enables LEM to automatically kill a suspicious or unapproved process by name or ID. Depending on the value in the ProcessID field of the corresponding LEM alert, LEM kills the process:
• By ID when the ProcessID value is a number
• By name when the ProcessID value is a name
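As an added example, not LEM's own implementation, of how a responder can apply the dispatch rule above safely: the ProcessID field is matched by ID when it is numeric and by name otherwise, as the slide describes, but before anything is killed the responder checks the match against a protected-process list and guards against PID reuse (by the time an automated response runs, the PID named in an alert may already belong to a different program). The process-table snapshot, the protected list, the optional ProcessName and AlertTime alert fields, and the resolve_targets/plan_kill/run_scenarios functions are all assumptions of this example; it plans the action on a constructed snapshot and never touches a live process.

```python
"""Plan a Kill Process response from an alert's ProcessID field.

Added example, not LEM code. The dispatch rule (numeric value = by ID,
otherwise by name) follows the slide; the protected-process list and the
PID-reuse checks are assumptions of this example. It works on a constructed
snapshot of a workstation's process table rather than the live OS.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    started: datetime
    user: str


# Constructed snapshot of the process table at the moment the response runs.
SNAPSHOT = [
    Proc(4, "System", datetime(2013, 10, 2, 8, 0, 0), "SYSTEM"),
    Proc(612, "lsass.exe", datetime(2013, 10, 2, 8, 0, 3), "SYSTEM"),
    # PID 3380 was freed and handed to notepad after the alert fired.
    Proc(3380, "notepad.exe", datetime(2013, 10, 2, 9, 45, 0), "alice"),
    Proc(4121, "updater_x.exe", datetime(2013, 10, 2, 9, 20, 0), "alice"),
    Proc(4130, "updater_x.exe", datetime(2013, 10, 2, 9, 21, 0), "alice"),
]

# Assumed deny-list: processes a responder must never terminate automatically.
PROTECTED = {"system", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

# Time the (constructed) alert was raised; used for the PID-reuse check.
ALERT_TIME = datetime(2013, 10, 2, 9, 30, 0)


def resolve_targets(process_id_field, snapshot):
    """Slide rule: a numeric ProcessID means kill by ID, anything else by name."""
    value = process_id_field.strip()
    if value.isdigit():
        pid = int(value)
        return [p for p in snapshot if p.pid == pid]
    return [p for p in snapshot if p.name.lower() == value.lower()]


def plan_kill(alert, snapshot):
    """Return (action, reason, pids) without touching any process.

    alert carries 'ProcessID' and, optionally, 'ProcessName' and 'AlertTime';
    the optional fields let the responder confirm the PID still belongs to the
    program the alert was about.
    """
    targets = resolve_targets(alert["ProcessID"], snapshot)
    if not targets:
        return ("skip", "no matching process; it may already have exited", [])
    expected = alert.get("ProcessName")
    alert_time = alert.get("AlertTime")
    approved = []
    for p in targets:
        if p.name.lower() in PROTECTED:
            return ("skip", f"{p.name} (pid {p.pid}) is protected", [])
        if expected and p.name.lower() != expected.lower():
            return ("skip", f"pid {p.pid} is now {p.name}, not {expected}: PID reuse", [])
        if alert_time and p.started > alert_time:
            return ("skip", f"pid {p.pid} started after the alert: PID reuse", [])
        approved.append(p.pid)
    return ("kill", f"{len(approved)} process(es) matched", approved)


def run_scenarios(snapshot=SNAPSHOT):
    """Constructed alerts covering the by-ID, by-name, reuse, protected and gone cases."""
    alerts = {
        "by_id": {"ProcessID": "4121", "ProcessName": "updater_x.exe", "AlertTime": ALERT_TIME},
        "by_name": {"ProcessID": "updater_x.exe"},
        "reused_pid": {"ProcessID": "3380", "ProcessName": "updater_x.exe", "AlertTime": ALERT_TIME},
        "protected": {"ProcessID": "612"},
        "gone": {"ProcessID": "9999"},
    }
    return {label: plan_kill(alert, snapshot) for label, alert in alerts.items()}


if __name__ == "__main__":
    for label, (action, reason, pids) in run_scenarios().items():
        print(f"{label:11} -> {action:4} {pids} ({reason})")
```

Killing by name is the broader net (every instance of updater_x.exe is selected), so it is the mode that most needs the protected list; killing by ID is precise but is the mode exposed to PID reuse, which is why the alert's own process name and timestamp are carried along and re-checked.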
12
Active Response 2 – Disable Networking on Infected Workstation
» An infected workstation can spread the infection to other systems on the network.
» A wise security action is to cut the infected workstation off from the network by disabling networking at the NIC level.
» LEM Active Response: Use the Disable Networking Active Response to disable networking on a workstation at the Windows® Device Manager level.
» This action is useful for isolating network infections and attacks, and can be automated in a LEM rule or executed manually from the Respond menu in the LEM Console.
13
Active Response 3 – Remove Unapproved Users from Administrative Group
» Based on where the unapproved user is identified, whether at the domain level or at the local level, you should be able to remove the user automatically.
» LEM Active Response: LEM uses a Windows Active Response tool chosen according to where you want to remove the user(s) from: the domain level or the local level.
» This tool configures an actor that enables Windows Active Response capabilities on LEM Agents deployed on Windows operating systems.
14
Active Response 4 – Detach Unauthorized USB Devices
» Some common use cases of dangerous USB activity on the network:
• When a computer endpoint gains unauthorized USB access
• When an authorized USB port logs suspicious user activity
• When unwarranted data transfer happens between an enterprise computer and a USB drive
• When USB access on a USB port becomes non-compliant with organizational policies
• When a USB endpoint is affected and needs to be quarantined
» LEM Active Response: The Detach USB Device Active Response allows you to automatically detach a USB or mass storage device from a workstation. This action is useful for allowing only specific devices to be attached to your Windows computers, or for detaching any device exhibiting suspicious behavior.
15
SolarWinds Log & Event Manager
» How can SolarWinds Log and Event Manager help?
• Log Collection, Analysis, and Real-Time Correlation
• Collects log & event data from tens of thousands of devices & performs true real-time correlation
• Powerful Active Response technology enables you to quickly & automatically take action against threats
• Advanced IT Search employs highly effective data visualization tools – word clouds, tree maps, & more
• Quickly generates compliance reports for PCI DSS, GLBA, SOX, NERC CIP, HIPAA, & more
• Out-of-the-box correlation rules, reports, & responses enable speedy deployment in an hour or less
16
The All New LEM Workstation Edition
» SolarWinds Log & Event Manager (LEM) now offers comprehensive log management capabilities for all your workstations at a much more affordable price point.
» LEM Workstation Edition is a new pricing model that offers all the SIEM functionality of LEM and allows you to collect and manage logs from more workstation nodes than ever.
» LEM Workstation Edition is applicable to all your workstations running the Windows XP, Vista, and 7 operating systems.
17
Thank You!