
Why Workstation Log Management is Crucial for Network Security?


Published in: Technology

  1. Why Workstation Log Management is Crucial for Network Security?
     © 2013, SolarWinds Worldwide, LLC. All rights reserved.
  2. Agenda
     » Workstations - Vulnerable Endpoints on your Network
     » Why Workstation Logs are Important?
     » Workstation Log Management Made Simple – How?
     » Use Active Responses to Combat Workstation Security Threats
     SOLARWINDS LOG & EVENT MANAGER
  3. Workstations – Vulnerable Endpoints on your Network
     » Monitoring server logs is no longer enough.
     » Workstations process content from the Internet and email; they come in contact with infected files and external mass storage devices, and they can connect to insecure networks over Wi-Fi.
     » Workstations are arguably one of the most vulnerable entities on your network.
  4. Why Workstation Logs are Important?
     » Several security events can be understood only with the help of workstation log data.
     » They can be used to monitor end-user activity on enterprise workstations, and they provide a rich array of security event information.
     » Workstation log information helps you:
       • Create enterprise audit trails
       • Perform forensics and root cause analysis
       • Detect threats
  5. Reason 1 – System User Logoffs
     » This information is stored only by the workstation.
     » User logons can be studied from the domain controller (DC) that processes the initial authentication.
     » DCs don't have visibility over user activity after that point.
     » The workstation is the only component that logs user logoff data.
  6. Reason 2 – Local Account Logon/Logoff
     » Again, domain controllers don't capture these crucial events.
     » Local accounts within a workstation can be prime targets for attackers.
     » Authentication of these local accounts is handled locally by the workstation.
     » The events are logged locally. Example: Windows® systems store this under event ID 4776.
  7. Reason 3 – USB Connection to Workstations
     » Windows doesn't audit when devices are connected or disconnected.
     » Only the workstation logs provide information on when a USB or mass storage device was connected, by whom, whether the connection was authorized, etc.
     » You can use a security information and event management (SIEM) system to respond to an illegal USB connection and shut down the device, disable the port, or shut down the system.
  8. Reason 4 – End-user Desktop Programs
     » Crucial programs on your workstations need to be monitored.
     » When a malicious executable is run by the user on the workstation, it can lead to an advanced persistent threat (APT).
     » The domain controller doesn't log the programs running on end-user systems.
     » Workstation logs alone provide visibility into what programs a user ran and for how long.
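Reasons 1 and 2 above make two claims a detection engineer can act on: local-account credential checks (event ID 4776) are logged only on the workstation, and only the workstation records logoffs. The following Python is an added illustration, not SolarWinds LEM code and not from the slides. The records are constructed sample data shaped like Windows Security log events; 4776 is the ID named on the slides, while 4624 (logon) and 4634 (logoff) are standard Windows Security event IDs assumed here so that sessions can be paired by Logon ID.

```python
"""Detection logic over constructed workstation log records.

Added illustration (not SolarWinds code). EVENTS is constructed sample data
shaped like Windows Security log events. Event ID 4776 (credential
validation) is named on the slides; 4624 (logon) and 4634 (logoff) are
standard Windows Security event IDs assumed here for session pairing.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (ISO 8601 timestamps). Status 0x0 means the
# credential check succeeded; 0xC000006A is a bad password.
EVENTS = [
    {"time": "2013-06-03T08:59:40", "id": 4776, "host": "WS-017", "user": "localadmin", "status": "0xC000006A"},
    {"time": "2013-06-03T08:59:42", "id": 4776, "host": "WS-017", "user": "localadmin", "status": "0xC000006A"},
    {"time": "2013-06-03T08:59:44", "id": 4776, "host": "WS-017", "user": "localadmin", "status": "0xC000006A"},
    {"time": "2013-06-03T08:59:46", "id": 4776, "host": "WS-017", "user": "localadmin", "status": "0xC000006A"},
    {"time": "2013-06-03T08:59:48", "id": 4776, "host": "WS-017", "user": "localadmin", "status": "0xC000006A"},
    {"time": "2013-06-03T08:59:50", "id": 4776, "host": "WS-017", "user": "localadmin", "status": "0x0"},
    {"time": "2013-06-03T09:00:01", "id": 4624, "host": "WS-017", "user": "localadmin", "logon_id": "0x3e7a1"},
    {"time": "2013-06-03T09:10:00", "id": 4624, "host": "WS-022", "user": "jdoe", "logon_id": "0x5b2c0"},
    {"time": "2013-06-03T09:30:00", "id": 4776, "host": "WS-022", "user": "jdoe", "status": "0x0"},
    {"time": "2013-06-03T09:45:30", "id": 4634, "host": "WS-017", "user": "localadmin", "logon_id": "0x3e7a1"},
]


def _t(record):
    """Parse a record's timestamp."""
    return datetime.fromisoformat(record["time"])


def failed_auth_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (host, user) pairs with >= threshold failed 4776 validations inside
    a sliding window, and note whether a successful validation for the same
    pair follows within the window (the trace a guessed password leaves).
    Returns one dict per flagged host/user."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4776:
            by_key[(e["host"], e["user"])].append((_t(e), e["status"] == "0x0"))
    alerts = []
    for (host, user), items in by_key.items():
        items.sort()
        failures = [t for t, ok in items if not ok]
        start = 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = failures[end]
                success_after = any(ok and last_fail < t <= last_fail + window
                                    for t, ok in items)
                alerts.append({"host": host, "user": user,
                               "failures": end - start + 1,
                               "success_after": success_after})
                break  # one alert per host/user is enough for triage
    return alerts


def sessions(events):
    """Pair a 4624 logon with its 4634 logoff by (host, Logon ID). A session
    with no logoff record is still open (or its logoff was never collected);
    this is the information a domain controller cannot supply."""
    out = {}
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["host"], e.get("logon_id"))
        if e["id"] == 4624:
            out[key] = {"user": e["user"], "logon": _t(e), "logoff": None, "duration": None}
        elif e["id"] == 4634 and key in out:
            out[key]["logoff"] = _t(e)
            out[key]["duration"] = out[key]["logoff"] - out[key]["logon"]
    return out


if __name__ == "__main__":
    for a in failed_auth_bursts(EVENTS):
        print("burst:", a)
    for (host, logon_id), s in sessions(EVENTS).items():
        print("session:", host, logon_id, s["user"], s["duration"] or "still open")
```

On the sample data the burst detector flags localadmin on WS-017 (five failures in eight seconds, followed by a success), and the session pairing shows a 45-minute localadmin session on WS-017 while jdoe's session on WS-022 has no logoff yet. Both results depend entirely on records that exist only in the workstation's own log.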
  9. Workstation Log Management Made Simple
     » SolarWinds Log & Event Manager (LEM) is a full-function SIEM solution that extends comprehensive log collection, correlation, analysis, and incident response to both servers and workstations.
  10. Active Responses to Combat Workstation Security Threats
      » Active Responses are automated and programmed to react in real time and counter anomalies, threats, and policy violations without requiring human intervention to confirm or activate any action.
      » Let's discuss some useful Active Responses that LEM offers out of the box for workstation security and management.
  11. Active Response 1 – Kill Suspicious and Unapproved Processes
      » Alerts you in real time when such suspicious and unauthorized processes are running on the endpoints.
      » LEM Active Response: The Kill Process Active Response enables LEM to automatically kill a suspicious or unapproved process by name or ID. According to the value in the ProcessID field of the corresponding LEM alert, LEM kills the process
        • By ID when the ProcessID value is a number
        • By Name when the ProcessID value is a name
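The slide's dispatch rule (a single ProcessID field read as a PID when numeric and as an image name otherwise) is small, but the by-name branch has a consequence worth seeing before it is automated. The Python below is an added illustration, not SolarWinds code: the process table is constructed sample data, and resolve_kill_targets() is a dry run that only reports which PIDs the rule would act on.

```python
"""Dry-run model of a kill-by-ID-or-name response rule.

Added illustration (not SolarWinds LEM code). PROCESS_TABLE is constructed
sample data; nothing here terminates a process, it only resolves what a rule
keyed on a ProcessID field would select.
"""

# Constructed process table: (pid, image name, account that started it)
PROCESS_TABLE = [
    (412, "svchost.exe", "SYSTEM"),
    (1180, "explorer.exe", "WS-017\\jdoe"),
    (2044, "updater.exe", "WS-017\\jdoe"),
    (2051, "updater.exe", "WS-017\\localadmin"),  # same image name, second instance
    (3300, "notepad.exe", "WS-017\\jdoe"),
]


def kill_mode(process_id_field):
    """The slide's rule: a numeric ProcessID value means kill by ID,
    any other value means kill by name."""
    value = str(process_id_field).strip()
    return "id" if value.isdigit() else "name"


def resolve_kill_targets(process_id_field, table=PROCESS_TABLE):
    """Return the PIDs the rule would act on, without killing anything.

    By ID there is at most one match (or none, if the PID is already gone).
    By name every process whose image name matches is selected, case-
    insensitively and with '.exe' optional, so several processes may be hit,
    including instances started by a different account."""
    value = str(process_id_field).strip()
    if kill_mode(value) == "id":
        pid = int(value)
        return [p for p, _, _ in table if p == pid]
    wanted = value.lower()
    if not wanted.endswith(".exe"):
        wanted += ".exe"
    return [p for p, name, _ in table if name.lower() == wanted]


if __name__ == "__main__":
    for field in ("2044", "updater", "Notepad.exe", "9999"):
        print(field, "->", kill_mode(field), resolve_kill_targets(field))
```

With the sample table, "2044" selects exactly one process, "9999" selects nothing, and "updater" selects both updater.exe instances, one of them running under a different account than the one in the alert. A rule that kills by name therefore needs to be scoped to the host and user named in the alert before it runs unattended.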
  12. Active Response 2 – Disable Networking on Infected Workstation
      » An infected workstation can spread and affect the other systems on the network.
      » A wise security action would be to isolate the infected workstation by disabling networking at the NIC level.
      » LEM Active Response: Use the Disable Networking Active Response to disable networking on a workstation at the Windows® Device Manager level.
      » This action is useful for isolating network infections and attacks, and can be automated in a LEM rule or executed manually from the Respond menu in the LEM Console.
  13. Active Response 3 – Remove Unapproved Users from Administrative Group
      » Based on where the unapproved user is identified, whether at the domain level or at the local level, you should be able to remove the user automatically.
      » LEM Active Response: LEM uses a Windows Active Response tool based on where you want to remove the user(s) from – the domain level or the local level.
      » This tool configures an actor that enables Windows Active Response capabilities on LEM Agents deployed on Windows operating systems.
  14. Active Response 4 – Detach Unauthorized USB Devices
      » Some common use cases of dangerous USB activity on the network:
        • When a computer endpoint gains unauthorized USB access
        • When an authorized USB port logs suspicious user activity
        • When unwarranted data transfer happens between an enterprise computer and a USB drive
        • When USB access on a USB port becomes non-compliant with organizational policies
        • When a USB endpoint is affected and needs to be quarantined
      » LEM Active Response: The Detach USB Device Active Response allows you to automatically detach a USB or mass storage device from a workstation. This action is useful for allowing only specific devices to be attached to your Windows computers, or for detaching any device exhibiting suspicious behavior.
  15. SolarWinds Log & Event Manager
      » How can SolarWinds Log and Event Manager help?
        • Log Collection, Analysis, and Real-Time Correlation: collects log & event data from tens of thousands of devices & performs true real-time correlation
        • Powerful Active Response technology enables you to quickly & automatically take action against threats
        • Advanced IT Search employs highly effective data visualization tools – word clouds, tree maps, & more
        • Quickly generates compliance reports for PCI DSS, GLBA, SOX, NERC CIP, HIPAA, & more
        • Out-of-the-box correlation rules, reports, & responses enable speedy deployment in an hour or less
  16. The All New LEM Workstation Edition
      » SolarWinds Log & Event Manager (LEM) now offers comprehensive log management capabilities for all your workstations at a much more affordable price point.
      » LEM Workstation Edition is a new pricing model that offers all the SIEM functionality of LEM and allows you to collect and manage logs from more workstation nodes than ever.
      » LEM Workstation Edition is applicable to all your workstations running Windows XP, Vista and 7 operating systems.