Network security

SolarWinds LEM

August 17, 2018, by Pedro Tavares

SolarWinds Log & Event Manager (LEM) is a security information and event management (SIEM) system. SolarWinds LEM is an end-to-end SIEM that collects, correlates and normalizes event data and logs in a centralized repository that an IT team can easily manage. With LEM, the IT team can quickly scan or search historical event data and compile it into a report for further analysis and forensics.

LEM virtual appliances can be deployed in a VMware ESX or Microsoft Hyper-V virtual environment, providing insights into security events and helping with performance monitoring and compliance management.


Figure 1 below illustrates the typical log sources and the LEM software components. It also shows the direction in which each communication is initiated and the network protocols used.

Figure 1: LEM architecture – typical data sources, LEM software components, protocols and communication direction

Key Features

This system has the capacity to respond to a great variety of events. Some noteworthy aspects of the tool:

  • Real-time event correlation
  • Active response through agents installed on remote devices
  • Advanced search and forensic analysis for IT teams
  • USB device monitoring
  • IT compliance reporting

Notice that LEM agents are the primary means of collecting data from remote devices, such as servers, applications and workstations. These agents gather log data of any type, but they are also responsible for responding promptly to an incident when one occurs. SolarWinds calls this Active Response technology.

SolarWinds LEM — Technology Overview

Ops Center Dashboard

This screen provides a fully customizable dashboard that makes it easy to identify trends, node health and alerts in a single place. Clicking on any item opens more detailed information about it.

Figure 2: Ops Center Dashboard

Real-Time Event Correlation

LEM is designed to receive and process thousands of event log messages generated by network devices. Potential threats or other security issues are identified by applying sophisticated matching engines to correlate events in real-time.

The dashboard presented in Figure 3 displays alerts as they arrive. An alert is generated when incoming events match rules previously defined in LEM, so notifications can be configured for the alert types that need the security team's immediate attention.

Figure 3: Real-time event correlation (monitor dashboard)

The correlation rules are flexible and straightforward to build. Rules can correlate events based on time, on the transactions that occur, or on groups of events.

Figure 4: Left side: Rules listing dashboard; Right side: Rule creation dashboard

Active Response

LEM allows the configuration of several automated responses performed by agents when an alert is detected. SolarWinds calls this "Active Response," and LEM includes a large library of possible responses to common situations. These include:

  • Quarantine infected machines, or force shutdowns and restarts
  • Block IP addresses
  • Disable user accounts
  • Kill processes
  • Restart or stop services
  • Force user log-off
  • Reset passwords

IT teams can still choose to respond manually to particular alerts with a few clicks on the dashboard: they select an event in the monitoring window and click the "Respond" button to force a specific action immediately.
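As an added illustration of the time-based correlation rules and the Active Response behaviour described above (example code written for this article, not SolarWinds' code and not how LEM is implemented internally): a minimal correlator that fires a rule when a threshold of matching events falls within a time window, grouped by a chosen field, and then dispatches a simulated response. The event and rule shapes, rule names, addresses and the `dispatch` function are constructed assumptions, and events are assumed to arrive in timestamp order.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: float      # seconds since epoch
    kind: str      # e.g. "auth_failure", "usb_insert"
    host: str
    user: str
    src_ip: str

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str       # event kind the rule matches
    group_by: str   # Event field to correlate on: "src_ip", "user" or "host"
    threshold: int  # fire when this many matching events ...
    window: float   # ... fall within this many seconds
    response: str   # Active Response action to dispatch when the rule fires

# Hypothetical dispatcher: a real agent would block the address, disable the
# account or eject the device; here each action is only recorded, so the run is inert.
def dispatch(action, ev, log):
    target = {"block_ip": ev.src_ip, "disable_account": ev.user, "eject_usb": ev.host}[action]
    log.append((action, target))

class Correlator:
    def __init__(self, rules):
        self.rules, self.alerts, self.actions = rules, [], []
        self._win = defaultdict(deque)  # (rule name, key) -> timestamps inside the window

    def ingest(self, ev):
        for rule in self.rules:
            if ev.kind != rule.kind: continue
            key = getattr(ev, rule.group_by)
            q = self._win[(rule.name, key)]
            q.append(ev.ts)
            while ev.ts - q[0] > rule.window: q.popleft()  # evict events older than the window
            if len(q) >= rule.threshold:
                self.alerts.append((rule.name, key, len(q)))
                dispatch(rule.response, ev, self.actions)
                q.clear()  # one alert per burst, not one per additional event
        return self.alerts

RULES = [Rule("brute_force", "auth_failure", "src_ip", 5, 60.0, "block_ip"),
         Rule("usb_policy", "usb_insert", "host", 1, 1.0, "eject_usb")]

def run_sample():
    # Constructed feed: five failures from one address within a minute, one failure
    # from another address, then a USB insertion on a workstation.
    c = Correlator(RULES)
    for i in range(5):
        c.ingest(Event(1000 + 10 * i, "auth_failure", "srv1", "alice", "203.0.113.5"))
    c.ingest(Event(1050, "auth_failure", "srv1", "bob", "198.51.100.7"))
    c.ingest(Event(1060, "usb_insert", "ws7", "carol", "10.0.0.9"))
    return c
```

Running `run_sample()` raises one brute-force alert for 203.0.113.5 (with a recorded block action) and one USB policy alert for ws7, while the single failure from 198.51.100.7 stays below the threshold.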


Figure 5: Automatic response configuration in LEM

USB devices remain a major problem for many organizations. A great amount of sensitive data can be stolen through them, as many users aren't aware of the dangers associated with these devices. LEM can identify unauthorized access to and copying of sensitive files and trigger actions such as automatically ejecting the USB device or quarantining the workstation it is plugged into.

Figure 6: LEM can display a message when a USB device is detected (and potentially blocked)

Advanced Search Features

nDepth is a powerful search engine built into the LEM console that lets users search all of the alert data or the original log messages that pass through a particular agent. Available under the "Explore" option in LEM, nDepth runs custom searches, allows users to investigate the results with graphical tools and lets them take action on their findings.

The search interface uses drag-and-drop building blocks such as filters and rules, which makes constructing a search query more intuitive.

Figure 7: Advanced search console in LEM

This dashboard presents some visual analytics tools such as:

  • Word Clouds: Keyword phrases that appear in the alert data.

Figure 8: Word Clouds

  • Tree map: Shows the items that frequently appear in the data as a series of categorized boxes.

Figure 9: Tree map.

Other visual widgets are also available, such as bar, line, pie and bubble charts. It's also possible to configure a histogram that summarizes alert activity within a particular period.

Reporting

SolarWinds has included a powerful reporting engine in Log and Event Manager. It ships with over 300 built-in reports covering a wide range of output, from graphical summaries of activity to detailed threat and compliance reporting.

Compliance reports are specifically designed to show an organization's compliance with standards and legislation such as PCI DSS, Sarbanes-Oxley and HIPAA. Reports can also be fully customized to meet the organization's needs.


Figure 10: SolarWinds LEM reports

Conclusion

SolarWinds LEM is a powerful security and compliance operations and reporting system. It provides log management with security incident response options in a well-priced, versatile and easy-to-use product. Features like Active Response and the search center are excellent tools for administrators, as they make managing threats straightforward.


Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and Security Evangelist. He is also Editor-in-Chief of the computer security blog seguranca-informatica.pt.

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.