SolarWinds Lab Episode 79: Enterprise Security With Threat Monitoring

In this episode, Security Content Architect Destiny Bertucci and Head Geek™ Thomas LaRock share their knowledge of SolarWinds® Security Event Manager (formerly Log & Event Manager), as well as Threat Monitor. They outline the architecture design for both tools, walk through demos of each, and discuss how to determine which tool is best for your security needs.


Episode Transcript

Don’t panic! This really is SolarWinds Lab, but you’ll notice things are a little bit different right now. And you might notice that neither of us is wearing a lab coat. Now, there are two reasons why. The first reason is because we’re going to use the light board today. For the first time ever on SolarWinds Lab, we’re going to use a light board. But there’s a different reason why Destiny doesn’t have a lab coat. That’s because she’s been promoted to security architect here.

That is correct! So my team is going to help you guys have the content you need that’s going to be structured around the security for the security portfolio.

And that’s why we have the light board. Because being the architect, that means we’re going to get boxes and lines. So we’re going to start today jumping right into a demo. You’re going to outline the architecture for two products, Threat Monitor and Security Event Manager.

Yeah, we want to kind of like, show the difference between the two, because a lot of people are still a little confused on what these two SIEM tools can do.

All right, let’s get into it.

All right, let’s go. [marker squeaking]

Boom! And look at that. We have it all up. We kind of filled it in a little early, but that’s all right. We’re going to draw some more, but as you can see, it’s kind of busy here for two people. The light board is a wonderful thing, but I think it’s going to work best maybe if you just take it from here and talk to it, and keep drawing what you need to draw. I’ll just step out of the shot, but I’ll keep my microphone on.

That sounds great!

So we can keep having a conversation.

Yeah in case I miss something you can be like, “Hey!”

I’ll just step over here.

All right. All right guys, so on the Threat Monitor itself I wanted to kind of show you the design. So, really getting back to the infrastructure of it, you’ll notice that we have a cloud in here already. And what that is, is because you’re actually going to have a lot of things that are in the cloud and then you’re going to have things that are on-prem, and a lot of times it’s like which is what. So, let’s go through here. You’re going to have your agent, which this says on-prem, but let’s just make this actually, think of it as the customer. So that’s going to be, this is where you’re going to have the stuff, and we’re going to have collectors. And I say collectors plural because it’s depending upon which things that you’re actually monitoring on the edge which you’re wanting to gather. Now why this is important is because this is gathering your network traffic, usually from your firewalls, that’s coming across there. It’s showing your intrusion detection, it’s going to do your hosting and everything that’s coming there. Now, this connection that’s going to the cloud, don’t worry, we’re not just opening up everything, but we are going to do a little bit of something called OpenVPN right here. Now what that’s going to do is allow you to have an encrypted connection that’s going to go back and forth. As you can see, we just have the agents and the collectors that you have to have the resources for. Right, so that’s very small and minimal. We’re going to have the laptop that’s going to connect into the cloud too. Now, what’s going to be here is your server archives. You’re going to have your VPN gateway that’s being managed here. You’re going to have your portal. And the portal is what you’re actually connecting to with your laptop. And then we’re also going to have your search cluster.

Right, so the laptop connects to the portal, your OpenVPN is obviously the VPN gateway, and then there’s two additional things over there.

Definitely. And now, the reason why I have this as a solid line around these is because between these is an actual OpenVPN connection that’s going to be happening here as well. Now, why this is important is you’re going to go to your laptop, instead of it having to open up ports, or to allow a website to come outside of your actual environment, what we do is you go into the cloud, gather your data that’s already been collected out here. Now, when you want to monitor things that are in the cloud, like your applications such as Office 365, or you have your Google Suite, things of that nature, you’re going to have those in the cloud. There is no point in bringing your information from the cloud back into your environment just to put it back out for storage. So, instead of having a lot of that cross traffic that’s going out there that can actually take up a lot of bandwidth, we have Threat Monitor that will be in the cloud. It’s gathering from the cloud into here, you can put your agents, you can put your collectors for your Office 365 in the cloud and keep the traffic here. So then that helps you so that you’re not on-prem trying to do all this searching and function and the resources, the CPU loads, the memory, everything that’s coming across there. That’s what we’re doing on this side. So, when we look at this side, you’re going to have your server archives, so you’re going to have your 10 to 30 days of information which you’re going to be collecting in there. You have your VPN, everything that’s going to be managed between the agent and collectors and everything that’s coming across. Your portal access is managed by the cloud as well, it’s going to come in there. And you’re also going to have your searching functions in the cloud. And that’s significant because we don’t want to waste the resources that you have on-prem, we want it where the data is. So that’s why we have the data that’s going to be out there.
And that’s kind of really where the big difference is with Threat Monitor because a lot of people are like “Well, why do I keep everything in the cloud?” This is why.

So, this is a great overview for Threat Monitor, now maybe show us the difference of how Security Event Manager looks.

That sounds great. [marker squeaking]

OK. So, you got it all drawn out. Especially with a little magic of editing but yeah, you got to see it all happen. Again, kind of a busy screen although I kind of fit there this time. I’m going to step off to the side again. I’m just going to let you carry it from here and I’ll keep my mic hot.

Sounds like fun. All right, so this is your SEM manager which you guys know, previously known as LEM, right? So, this is your Security Event Manager. What this is going to do, is this is the basic setup. Now obviously there’s going to be more complex setups that are out there, but I wanted to show you what a basic one looks like, so we can compare it to the Threat Monitor that we just did. So as you see, you’re going to have your database and your actual server for your SEM manager. And that’s kind of your brain, right? So that’s going to be there. You can integrate this with your VMAN and your Orion, and that’s going to be through an SNMP connection that’s going to come across there. Your network devices, like your switches, your firewalls, things of that nature, routers, those are going to be sending information that’s coming across. So that’s going to be like syslog, traffic flow, traffic things of that nature that’s coming across there. You’re going to have your servers and your SEM agents that are over here. So these are your agents that are going to be on the servers. Because we were talking about that before, like you know, do you have to have these on each one within your environment, and that is correct. You also have a report server. Now, you can put that on any Windows server, so you could technically put it on your manager if you wanted to have it there. I like to keep them separated for now, so I would just suggest we do that. And you’re going to have a two-way communication that’s going to come across there. Now, the great thing about this, is that this is kind of your “in the trenches” type of a monitor which you’re going to use. So this is a SIEM tool that’s going to be gathering all those Windows events, everything that’s going across with your applications, it’s going to be grabbing all the network devices as well outside of your firewalls that’s happening. It’s more ingrained, and it’s more within your actual environment itself.
So by these servers, it’s sending all this information. You have real-time knowledge. So say you have something like ransomware or something like that that’s coming across there, that’s going across, and it’s starting to infiltrate within your servers you’re going to see an influx, right? Like, you’re going to see an influx of an event, you’re going to see an influx of things that are happening on those servers themselves. And so that’s some things that you’re able to drill into and actually showcase like what’s going on. It’s going to interact with your Orion, so that we can feed it the information we can do some alerting and things that are coming across there. Your manager, which we will show you a little bit later, is going to be able to show you real time all these events and filter them in. So you can search it by like the names that come across there a workstation, an area, a group, things of that nature. Like it’s a way to really get in there and get more involved, actually with your environment. Instead of just having security be passive, you can actually do things with your security. Now, a lot of people wonder about agents, and what I always like to tell everybody is that your agents, we know for your security tool itself, you are the admin of that. You should have the security access that’s allowed. With SEM you’re able to actually punch back, right? Like you can react to things that are happening. So say you have a USB that’s on there, you have a standard alert that’s going to say “Hey, they’re putting a USB on our mainframe” or on our actual database servers and we can automatically kick it out, turn off the network, we can send an alert, we can put a pop-up up there. It’s going to be able to interact with that server itself, as well as letting us know what’s happening.

This is all fabulous. So I’ll just come back in. Hi! It’s just like, where do you stand? I’m glad that we did the light board, and I think we’re going to use it on future Labs, no question, but for now, you’ve given us this brilliant overview of Threat Monitor and the new Security Event Manager. Why don’t we get back behind the desk, and why don’t we show the products?

I would love to.

I’ll put on my lab coat.

I won’t, but I’ll design stuff.

All right! [electronic whirring] There, that feels a little bit better.

I bet.

So, you gave us a nice overview on the light board there of Threat Monitor and SEM. So, maybe we could just take everybody through each of those products. Let’s start with Threat Monitor.

OK, perfect.

What does it look like?

Yeah, ’cause we’ve already seen kind of the architecture that’s on the backside of it. So, this is where you’re going to be logging in, that portal and everything that we were talking about. So, when you come into it you’re going to be seeing your dashboard, you’re going to be able to focus in and be able to say “OK, this is what my current environment is looking like,” right? So, because like, a lot of the times, people want to focus like SEM, like we were talking about earlier, on the environment itself, and this is more like edge and on the cloud and things that are coming across there. So, when we come into here you’re able to see the events by the locations which you have displayed. Kind of your basic dashboard that’s going to come across there. Now, what gets you into more of a kind of a drill-down factor is that you’re able to create your own dashboards, and we push out dashboards as well to you as we update them and come across. It’s actually what my team does. So, when we come in here and we can see user login activity, we’re able to actually hone in onto that and filter it. So that’s what we’re doing. We’re creating filters out of the box that are pertinent to the information that you need for your security reference, so whether that be compliance reports, maybe it’s your audit reports, things of that nature. As security context, that’s what we’re really wanting to focus in on, and kind of highlight that. That’s mainly what we’re trying to do, is just highlight it so you’re not missing those. So from here you’re able to see your special events, your privileges, which is good, right? Because we want to know like, hey, how many privileged accounts do we really have out there? And why do we have all these out here? So you’re able to log in to those and get into there.
We can check out your Windows activity, we can go through your alarm activity, your networks, your AV activity, a lot of people like the reputation that we come across here because we check it against the databases that are known and not known.

What does reputation mean?

So that’s like, the ones that are going to be whitelisted, blacklisted, that’s going to actually tell you like, hey these are known bad areas and sites that you’re accessing or trying to access you, and so that we actually bring those forward to you. It’s kind of like a little layer of security on top of it. We can do intrusion detection that we do. We also do host detection, so that comes across there. So we kind of let you know like, hey like maybe there’s something that’s going on here, like, maybe there’s an election or something that’s happening and we’re like, hey, all of a sudden there’s a little bit more activity that’s popping up over here.
So, that’s the basics of the dashboards that come across here fully customizable, you’re able to change these and do. We can go to the event logs themselves and now, this is where we can actually analyze the results and normalize things quickly. So we can go into the Analyze Results, it’s going to say, hey this is the information. Now, like me and you are playing around with this earlier, this is where you’re doing your filtering. So I can drill into these, and if a lot of people have asked, “Hey, I want to be able to see these in kind of a more pie chart donut chart type of a thing.”

Everybody loves a donut, right?

Right? I love donuts. We come across here and we can look at them, so that we can actually drill in and see what’s going on. We can add these filters that you see here, we can click on that, and it’ll change the whole page of the summarization to that, as you see in the top left-hand side here. So when we go through here, it’s just another way to filter in, so if you’re doing like root cause analysis or you’re trying to get ahead of something that you think is coming out there, that’s where you’re able to do that. And so then we have that set up, default is everything, then we have it kind of subcategorized, right, so things that we think are pertinent to you. So that’s your firewalls, like your top fives, so you know like your FortiGates, things of that nature that’s coming across. We have the Windows event logs as well, and same thing, you can analyze these on each one of these. We’re just already a layer into it in filtering out the information so that you can be pertinent into what you need to do. And we have the Office 365, we have the file monitoring as well. And then on your alarms, you can categorize these up. So we have like Cisco ASA alerts, we have some of your reputation alarms. They’re very easy to edit, you just edit them and then, since it’s multi-tenancy, so a lot of people use these with different departments within their organization, or if they’re an MSP or an MSSP, then you have different companies that you’re using. So we can say, “Hey, I want to make this. I’m going to make it global,” which means it’s going to go to everybody, or I can uncheck that and be like, “No, I just need it for this company.” And you’re able to actually pick those companies that come across there.

Oh, great.

Now, on the reports themselves, we’re able to go in and see like, the Windows login summaries for failed attempts. We can see these and run these, you can copy the report, you can edit it, because we’re always trying to use these, and see what’s happening across there, but that doesn’t necessarily mean that it’s the same information that you need. And then we can open these reports up, and then you’re able to see and then categorize what’s happening and ship these off if you’re wanting to send them off to a manager, or be able to like say, “Hey, we implemented a new compliance and so now all of a sudden these are lessened or these are more, this is some of the things that are coming across there.” So that’s how we’re able to see it. You’re able to see the reason for it, and able to see how many of the counts are for there. So you can categorize them, obviously. Now when we’re looking at the assets we’re able to see like your network, your assets, your aliases, things of that nature. So this is just mainly saying this is everything which we’re monitoring on the outskirts. This is what we have, this is what we’re looking at, this is what we have for there. And we can edit those if we need to and say, “Hey, this is the MAC address,” or “We need to add a description,” we can do things across there very easily. We can do policies, which you can actually test out, and edit them as well, as you can see. We can put the queue types, we can change the source, the destination, the SID filters, that’s what a lot of people do a little bit of regex on, so that you can actually change some of the plugin information. And when I say change the plugin information, it’s because a lot of the times, when we’re looking at plugins and collectors, people want the ones that they have here. So, we have like the WHS sensor, well there may be a different one that you’re wanting, like a different health sensor or something else that’s out there.
Cool, add it in here. All it takes is a little bit of regex, you can add it in here, check it, now you don’t have those failed events.

Just a little bit of regex.

Well, and that’s the thing. So, a lot of times people are like, “Ah, this event’s not fitting into a filter.” Use your plugin. So, you can change your plugin and actually manipulate it, and now you’re catching the event in the desired location and the ability which you want to do. So, for the greater scheme of things about Threat Monitor, when you’re monitoring things like Office 365 or you’re doing the cloud, like we said earlier, the main focus point is to keep your logs in the cloud, quit shipping them on-prem and then back out to something if you’ll add a cloud source out there. So, keep it all in the cloud, connect to it, be able to monitor it from there, and then you’re having less surface area for someone to attack or gather those events and use them against you.

This looks amazing because it’s really kind of the first time I’ve been seeing it, and everything that Dez walked me through earlier, before we got on camera, I’m fascinated by it all. And I always liked the idea of, oh, how could I apply it to things like, I don’t know, SQL Server, and, well, the idea that I can look at the log activity, anything that writes to the Windows event log anywhere, whether it’s Earth or cloud, and I can be picking that up. So, there’s lots of goodness inside of this tool that I’m really excited to use for myself, and to see our customers use.

Definitely, and we are constantly working on the security portfolio itself, so I’m pretty sure you’re going to be seeing a lot more things to come.

All right, so now we’re going to take a quick look at SEM.

Yes! I want to show you the difference because now we’ve talked about the cloud, and now I want to kind of drill into it, and show you why the on-prem is a really great solution too.

Cool. [electronic whirring]

So, when we were talking about the cloud solution, so, like I said, we’re not shipping the logs actually back and forth, so on-prem, we kind of want to know everything that’s going on in the environment, right? So, when we showed it earlier in the architecture, that’s where the agents come into play, and that’s how we’re able to gather the information. So, now we’re into the portal, the manager portion of it. So, this is where we’re actually at the realm. So, when we’re going into here, you’re seeing all the local events that are coming through in real time that’s coming across there. Now, what I like about this is you can take it in and out of live mode up here in the top right-hand corner. I can also turn over here, and when we click on the events, it’ll show us everything that’s coming across. So, when we see this information, we can then drill into it and be like, “Hey, this is actually from TriGeo, this is the Destination Machine, this is the TCP ports, this is the severity,” this is everything that’s coming across there. It automatically stops you out of live mode. So, I wanted to mention that because some people are like, “Ah, I was messing around with some of the alerts, and then it didn’t come back in there,” you know, when they’re looking at some of the events. And I’m like, “Well, did you flip it back over to live mode?” So just little things that can catch you. So we can go back into live mode, we can move this over, and we can see everything that’s coming across. On the left-hand side, you see the normalization of all of the events that’s coming across, it’s going to subcategorize these into security and IT operations, and then on top of that, tell you the hit counts, like how many times these things are happening, which is all great. But what I like is I can actually drill into that, and switch my screen over, still in live mode. So, I keep mentioning the live mode because it’s so important.
It’s awesome to be able to have it there, but if you’re really intensely trying to get into things, you want it to kind of slow down and be able to see. But when you’re honing into a filter, it’s still in live mode, that’s how you’ve just seen one come through, but now I’m able to drill in, and kind of do a live filter search in here. So, say if I’m wanting to look at like Billy Bob that’s coming across here. I can actually put in Billy, and it’ll refine the search down so that I can see it the way that it’s supposed to be, right? We want searching that works. That’s kind of the real time, when you’re doing root cause analysis or when you’re doing things of that nature, you want to be able to drill in where it’s pertinent and where you need to be at. And now, when we’re looking at the nodes that we come across here, what’s cool is that we can see the agent, the agent types. You can see the statuses that are coming across there. Now, here’s a little bit of a difference. I can go into the agents, I can see these here, and now I can say manage my node connectors. By doing that, that’s when I can actually see the available connectors that I can apply to that agent. So, a lot of the times when we deploy the agents, maybe you don’t need everything that’s on there for resources, things of that nature, but if there’s pertinent information, that’s where I can go in. There are 831 actually, 84 pages of different collecting types which we can have. So, you can strategically hone in on exactly what you want the information to come in there that’s going to help you security-wise too, for ports and things like that to be open. So, a lot of times when the security people are like, “Hey, I don’t want to open up all these ports, what do you need?” Well you can say, “OK, cool, I’m just going to use this. I just need this SSL connection,” or “I just need this port open. That’s it and we’re done.” You’re able to do that, so you can manipulate it.
So, I wanted to make sure everybody knew where that was at. Now on the Rules, these are where you can actually hone in and search. So say if I’m looking for a change temp or anything that’s coming across there, I can put through here a change.

Chagne. That’s French.

It is. And then it’ll show me all the changes that are related.

Oh, look at this, and there’s one for SQL Server Database changes.

I’m so glad you brought that up because there’s one that I really wanted to show you.

Oh, is there? OK!

There is.

Injection? What?

I figured this would make you happy.
Cause you were talking about earlier, “Oh, I wish I could turn back time on that one.”

Uh huh.

So, I’m going to look at this alert, and I’m going to set this up. It’s a rule, so that we can filter out this. So, we can see that the rules are here, how they’re defined, we can see the events that are coming across there access, and we can literally just sit here and drag and drop if we wanted to add more of these that come across here. So say if wanted to do asset, I can add an asset into this rule, and then it allows me to filter in so that you don’t mess things up. Does that make sense?

It does.

A lot of the times in some of the reporting that we’ve done in the past, especially with regex, things like that, it gets pretty convoluted, right? Like it’s like, “Ah, I hope I didn’t put this asterisk in the wrong spot” or “I didn’t end this here.” This is going to be a drop-down-worthy filtering system that’s all new on this. I hope you guys have noticed that. As soon as I hit Assets, it’s going to say exactly what you can do with that. So I can grab, say, the event info, and then it’s going to say these are the only operators that you have, and it’s literally String that’s allowed, and you can just put like REAL or whatever you’re wanting to do, and save that, and it’s going to automatically do everything in the background for you. So, a lot of the times when it was formerly known as LEM, people were like, “Ah, I just can’t get these rules things set up. There’s just so many constraints or not enough constraints, and I’m kind of getting in a mess here.” Well now, you’re no longer like drinking from the fire hose. It’s like step-by-step exactly what you’re wanting to do and how you’re wanting to do it. Now I think there was something that you were wanting to talk about that you’d heard from Cisco Live! about the people that were asking questions about SEM.

Well, that had to do with the new functionality because this is a new console all written in HTML5, bringing us away from Flash. Yay. But the problem was not all the functionality comes across. I think there’s just a couple of things that are missing.

Yeah, we have just a couple things left that’s over into Flash, like the word cloud that I’ve heard a lot people talk about.

I love the word cloud. I do.

Right? And so all you have to do is go up here to the SEM Console in the top right-hand side, because some of you didn’t know where that was, and you click on that, and it’ll take you directly to the console, the one which we remember from Flash, so that’s going away, but in case you still have some lingering things that you want to check, that’s an easy way to do it. And I’m glad you brought that up.

Yeah, it was great for me to be at Cisco Live! in order to even talk to people about the tool, and I wasn’t even aware of the button until one of the customers came up and said, “Not all the functionality is there, and here’s the button,” and I said, “Oh, look at that.” [Destiny laughing] So, the functionality still is there. That’s where you would find it, but everything else that is inside of SEM right now is just fabulous. Of course, the SQL Server stuff is just hitting home for me.

It’s got to make you happy.

It makes me very happy. Anything else?

No, I think that’s it. So, I mean, mainly just know that we are constantly working on the security portfolio right now, and that is our major driver point. Security is huge right now, and we’re wanting to make sure we’re hitting those pain points, and we’re providing a solution, as you can obviously see here.

That’s wonderful. So, I want to thank you for joining me.

No problem.

And thank you as well, and we’ll see you on the next SolarWinds Lab. [upbeat electronic music]