- Azure Purview: Data governance for on-premises, multicloud, and SaaS data - Wed, Feb 17 2021
- The risk of fake OAuth apps in Microsoft 365 and Azure - Fri, Nov 27 2020
- Azure Sentinel: Microsoft's SIEM for the cloud and on-premises - Fri, Oct 30 2020
Managing security in your network has never been harder, with more sophisticated threat actors using a variety of different attacks across different vectors and with different aims. Just leaving it to the security team doesn't really cut it anymore and given the frequency with which businesses keep getting owned, all of us involved in IT (developers, operations, and especially management) need to step up our game.
For the purpose of this review, I installed a free 30-day trial of SEM. SEM comes as a virtual appliance (approximately 1.7 GB in size), either as a Hyper-V virtual machine (VM), a VMware VM, or an Azure VM. You can also run SEM on Amazon Web Services (AWS), but there's currently no download available, and you should contact sales for access. You'll need 250 GB free disk space, 8 GB of memory, and two virtual cores for the VM. It's built on Debian version 9.5, which, apart from being more secure, also removes a 2 TB disk limit, especially important for a SIEM expected to store vast amounts of log data.
After I downloaded the Hyper-V VM and ran the .exe, it unpacked itself to a folder I specified, and an installation guide appeared. I imported the VM, started it, and connected to it so I could see the IP address it had acquired from DHCP. If you want to assign a static address to the appliance instead, it's easy.
Once it's up and running, simply connect to the IP address of the appliance (shown in the VM console) with a browser. There's also a reporting component (built on Crystal Reports) to install on a workstation or host.
For it to be useful, you'll need to set up agents on all systems you want to monitor. You can either do this with a local installation where you'd have to remote to each system, or if they're Windows systems, you can use the remote installer that lets you do mass installation across groups of systems. In a highly segmented network, the option to find available hosts automatically through NetBIOS may not work, and instead you can supply a file with host names.
For Windows, you need to have local administrative privileges, and for Linux you need root access. For VMs, you should not use the USB-Defender option during installation, whereas on physical systems it's a great way to track USB activity. By default, you get security event logs from Windows nodes, but you can gather additional logs easily.
In addition to servers and workstations, you should connect network devices, and SEM supports over 800 different types. If you have a device you need to connect that isn't supported, SolarWinds will help you create a custom connector as part of your support contract. You can see the full list of connectors here.
Using SEM ^
The biggest challenge in any SIEM is finding the signal in the noise, which generally equates to learning a search interface of some kind. SEM uses its own interface called nDepth, which has both a text-based interface and graphical option. You can pick different types of visuals to show your results and use the graphical search builder with either a Boolean AND or OR logic to narrow down your results. As you're building a graphical search, the text-based search matches your operations, teaching you about SEM's search language. You can export search results as a CSV file or as a PDF report with graphics, and you can save searches and (apart from running these when you need them) schedule them to run on a regular basis and email you the results as a CSV attachment.
Speaking of reports, you can access the report library, which includes a lot of reports and industry specific compliance reports (PCI, HIPAA, SOX, NCUA, NERC-CIP, DISA-STIG, and others). It also lets you create custom reports built on your own queries. There are different report types, such as "Top User Log On Failures," master reports, and detailed reports.
Rules are a powerful way to manage alerts and correlation, with many ready-made ones you can customize to your environment. An example is building a rule for contractors only allowed to access certain systems. If they access other systems not on the list, it raises an alert and disables their accounts. A test mode for rules lets you make sure they work as intended before you enforce them.
SEM uses a very efficient compression algorithm, achieving somewhere between 40:1 and 60:1 compression for log data, saving on storage costs. The other big advantage of SEM is the real-time correlation engine. The biggest challenge for security analysts today isn't visibility (provided you have a good SIEM like SEM in place), it's filtering the amount of alerts and figuring out what's important, what's not, and which alert relates to an ongoing issue.
Earlier versions of SEM (called LEM—Log Event Manager) relied heavily on Flash (through Adobe AIR) for the console. This version moves several areas of functionality to HTML 5, such as File Integrity Monitoring (FIM), custom rule creation, filtering and exporting search results to CSV files, and managing licenses. There are several other enhancements in the 6.7.1 version, such as the ability to create custom rules graphically, adding and removing agents from connector profiles (a way to group agents that use the same configuration), filtering and exporting search results to a CSV file, and a handy setup wizard.
Subscribe to 4sysops newsletter!
I found SEM's graphical approach to building rules and searching with nDepth particularly easy to get going with, but there's a lot of power underneath the simplicity. The challenge with any SIEM is that it takes time to customize it to your environment, and it takes expertise to tune it just right. Once that's done, however, a good SIEM is a must-have for any business, and you should definitely consider SolarWinds Security Event Manager because it's cost effective, easy to use, and powerful. SolarWinds offers a 30 day trial for download.