
Monitoring User Activity and File Access


With real-time log analysis, SolarWinds Log & Event Manager (LEM) provides crucial visibility into a user's behavior on the network, including web usage, application usage, file access and more. Learn how.



  1. User Activity & File Access Monitoring. SolarWinds Log & Event Manager. © 2013, SolarWinds Worldwide, LLC. All rights reserved.
  2. Monitoring User Activity & File Access
     » With real-time log analysis, SolarWinds Log & Event Manager (LEM) provides crucial visibility into a user's behavior on the network, including web usage, application usage, file access and more.
     » LEM enables admins to easily identify anomalous patterns, unauthorized access, and malicious activity.
     » Additionally, LEM provides automated responses to instantly remediate a security threat or network problem.
  3. Example Scenario 1: User Logon Attempts. While it may not seem intuitive to monitor successful logon attempts, you may want to keep an eye out for a successful logon after multiple failed attempts, or for logons occurring after hours; both could signal a breach.
     EXAMPLE: If there are 50 failed attempts on a server or router followed by a successful logon, does it imply that the user simply remembered their credentials? Or does it mean that a hacker finally broke in and now has access? LEM can monitor user logons and provide the necessary correlation to distinguish a threat from normal, everyday user activity. Very importantly, it does so in real time. If a threat is detected, LEM can then instantly and automatically log the user off.
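The two logon patterns in Scenario 1 (a success preceded by a burst of failures, and a success outside business hours) as an added example of the correlation logic; this is not SolarWinds code or LEM's rule format, and the log line format, hosts and user names are constructed for the example.

```python
# Added example (not SolarWinds code): a minimal version of the correlation the
# scenario describes, run over constructed log lines in a constructed format:
# "<ISO timestamp> <user> <source_ip> <FAILED|SUCCESS>".
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: 5 failures then a success for "svc-backup" from one
# host, and a clean daytime logon plus a 02:10 logon for "alice".
SAMPLE_LOG = """\
2013-05-06T09:00:05 alice 10.0.0.7 SUCCESS
2013-05-06T22:14:01 svc-backup 10.0.0.40 FAILED
2013-05-06T22:14:03 svc-backup 10.0.0.40 FAILED
2013-05-06T22:14:05 svc-backup 10.0.0.40 FAILED
2013-05-06T22:14:07 svc-backup 10.0.0.40 FAILED
2013-05-06T22:14:09 svc-backup 10.0.0.40 FAILED
2013-05-06T22:14:30 svc-backup 10.0.0.40 SUCCESS
2013-05-07T02:10:44 alice 10.0.0.7 SUCCESS
"""

def parse(line):
    ts, user, src, outcome = line.split()
    return datetime.fromisoformat(ts), user, src, outcome

def correlate_logons(log_text, fail_threshold=5, window=timedelta(minutes=10),
                     business_hours=(8, 18)):
    """Return (rule_name, user, source) alerts for the two slide patterns:
    a success preceded by >= fail_threshold failures inside `window`, and any
    success outside business_hours (start inclusive, end exclusive)."""
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps
    alerts = []
    for line in log_text.splitlines():
        ts, user, src, outcome = parse(line)
        key = (user, src)
        if outcome == "FAILED":
            recent_failures[key].append(ts)
            continue
        # Only failures still inside the correlation window count.
        window_fails = [t for t in recent_failures[key] if ts - t <= window]
        if len(window_fails) >= fail_threshold:
            alerts.append(("success_after_failures", user, src))
        recent_failures[key].clear()  # a success resets the counter
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            alerts.append(("after_hours_logon", user, src))
    return alerts
```

Raising `fail_threshold` to the slide's 50 or widening `window` tunes how noisy the first rule is; the after-hours rule is independent of the failure count.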
  4. Example Scenario 2: Privileged User Access. Elevated privileges are required by some users to do their job (e.g. network admins, helpdesk support, HR, and Accounting, to name a few), but such privileged access can lead to security threats.
     EXAMPLE: A database administrator in charge of maintaining the company’s CRM database starts accessing the HR database containing employees’ confidential data. Is this authorized? Malicious? Regardless, it’s out of the ordinary for this user’s role and typical file access. LEM can monitor file access and then correlate the event data to determine whether this is anomalous behavior. So, even though the database administrator has access, it goes against this user’s typical pattern of only accessing the CRM database. LEM can then automatically disable the account or remove the user from a trusted group.
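The baseline check behind Scenario 2, as an added example that is not SolarWinds code: each access is compared with the resources the user has historically touched, so the DBA's first read of the HR database is flagged even though the account is permitted to read it. The event format, user names and database names are constructed.

```python
# Added example (not SolarWinds code): the "deviation from this user's usual
# pattern" check from the scenario. Event format is constructed:
# "<ISO timestamp> <user> <resource> <action>".
from collections import defaultdict
from datetime import datetime

# Constructed history: the DBA "dba1" has only ever worked in the CRM database;
# "hr1" works in the HR database.
HISTORY = """\
2013-04-01T10:02:00 dba1 crm_db READ
2013-04-02T11:15:00 dba1 crm_db WRITE
2013-04-03T09:40:00 dba1 crm_db READ
2013-04-01T14:00:00 hr1 hr_db READ
2013-04-02T15:30:00 hr1 hr_db WRITE
"""
# Constructed new events; the second line is the scenario's anomalous access.
NEW_EVENTS = """\
2013-05-06T10:05:00 dba1 crm_db READ
2013-05-06T10:20:00 dba1 hr_db READ
2013-05-06T10:25:00 hr1 hr_db READ
"""

def parse(line):
    ts, user, resource, action = line.split()
    return datetime.fromisoformat(ts), user, resource, action

def build_baseline(history_text):
    """Map each user to the set of resources seen during the training period."""
    baseline = defaultdict(set)
    for line in history_text.splitlines():
        _, user, resource, _ = parse(line)
        baseline[user].add(resource)
    return baseline

def find_anomalous_access(events_text, baseline):
    """Return (user, resource, action) for accesses outside the user's baseline.
    Permission is deliberately not consulted: the scenario flags deviation from
    the user's pattern even when the account is authorized."""
    anomalies = []
    for line in events_text.splitlines():
        _, user, resource, action = parse(line)
        if resource not in baseline.get(user, set()):
            anomalies.append((user, resource, action))
    return anomalies
```

A user with no history at all has an empty baseline, so every access by such an account is reported; in practice that is where a review step or a minimum training period belongs.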
  5. Default User Activity Rules. LEM delivers out-of-the-box activity rules for monitoring key user actions that could pose a risk to the network.
  6. Default File Auditing Reports. LEM provides real-time and historical visibility into file activity. Whether it’s notification of inappropriate file access or searching for the person who deleted an important document, LEM provides quick and easy access to the event data that reflects file behavior and is essential for protecting sensitive information.
  7. Available User-Based Active Responses. SolarWinds LEM then goes a step further by providing built-in Active Responses to automatically respond to a threat, such as logging off a suspicious user or removing a user from a particular group.
  8. Monitoring & Managing USB Device Access
     » SolarWinds LEM includes built-in USB Defender technology that provides real-time notification when USB drives are detected. This notification can be further correlated with network logs to identify potential malicious attacks coming from USB drives.
     » With LEM’s USB Defender technology, you can take automated actions such as disabling user accounts, quarantining workstations, and automatically or manually ejecting USB devices.
     » Additionally, LEM provides built-in reporting to audit USB usage over time.
  9. Adding Authorized USB Devices
     » SolarWinds LEM addresses the complexity of granting USB access only to select USB devices with a few simple steps:
       • Build a group of “Authorized” USB devices
       • Identify “Authorized” devices
       • Add “Authorized” USB devices to a user-defined group
  10. Adding Authorized USB Devices (cont.)
     » Add the group of “Authorized” devices to SolarWinds LEM rules using the simple drag-and-drop rule builder interface.
  11. Automatically Detaching USB Devices
     » With LEM’s Active Responses, you can automatically detach a USB or mass storage device from a workstation. This action is useful for allowing only specific devices to be attached to your Windows computers, or for detaching any device exhibiting suspicious behavior, such as:
       • When a computer endpoint gains unauthorized USB access
       • When an authorized USB port logs suspicious user activity
       • When unwarranted data transfer happens between an enterprise computer and a USB drive
       • When USB access on a USB port becomes non-compliant with organizational policies
       • When a USB endpoint is infected and needs to be quarantined
  12. How can SolarWinds Log and Event Manager help?
     » Log collection, analysis, and real-time correlation
     » Collects log & event data from tens of thousands of devices & performs true real-time, in-memory correlation
     » Powerful Active Response technology enables you to quickly & automatically take action against threats
     » Advanced IT Search employs highly effective data visualization tools: word clouds, tree maps, & more
     » Quickly generates compliance reports for PCI DSS, GLBA, SOX, NERC CIP, HIPAA, & more
     » Built-in correlation rules, reports, & responses for out-of-the-box visibility and proactive threat protection
  13. Thank You!