Let’s be honest, a network attack of any scale is inevitable in today’s IT world. Do you have the ability to quickly identify the details of the attack?

If your network goes down, your network monitoring tool can tell you what happened, but knowing details about who was vulnerable or why the attack happened is even more valuable.

An often overlooked feature of log management software is the ability to conduct forensic analysis of events. Instead of searching for a needle in a haystack, forensic analysis tools can make drilling down to identify details a quick and easy task.

SolarWinds Log & Event Manager has cutting-edge IT search for fast and easy forensic analysis. Here are six ways that the forensic analysis feature of Log & Event Manager can help you piece together what really happened.
1) Incident response

Say goodbye to complex queries. Conducting forensic analysis, in general, is a quicker and simpler way to do incident response.

The faster you get the data, the better. Where Log & Event Manager helps is by removing the need to build complex queries to get the data.

More often than not, you’re responding so fast that you don’t have time to build a complex search to find a needle in a haystack. A better way is to identify the information you have (this IP, this warning, this exception, etc.) and plug that into a search and see what you can find from the log data.

Log & Event Manager surfaces information to make it easy to quickly scan and find what is out of the ordinary so you can start drilling down from there.
2) Troubleshooting system outages

Your monitoring technology will let you know there is an outage before Log & Event Manager would. The monitoring technology will indicate what system had an outage, and possibly provide some additional data. But the logs are going to contain more details.

From a forensic analysis approach, you’re going to use the logs as evidence of foul play, or to identify root cause (i.e. you’ll be able to see that a piece of software was installed 30 seconds before an outage occurred). Exceptions, warnings, file changes, etc. are all recorded, so you can use those as evidence for the cause of the outage.
3) Monitor authorization and access attempts

All authentication and access logs are collected in Log & Event Manager. With forensic analysis, you can quickly see if someone has gained unauthorized access, if there were repeated attempts by a single account, or if the attempting IP address looks suspicious.

You can also filter by an account that’s not part of an authorized account list or not in AD. One of the simplest ways to identify unusual access activity is to look for IP addresses that don’t belong. If you start seeing external or different types of IP addresses, then you know it’s something to investigate.
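The three checks just described (repeated attempts by one account, successful logins by accounts outside an authorized list, and source addresses that do not belong to your networks) can be run over raw authentication lines without a product search. The following script is an added example and is not code from the blog post or from Log & Event Manager; the sshd-style log lines, the authorized account list and the internal network range are all constructed for the illustration.

```python
"""Triage of authentication log lines: repeated failures by one account,
successful logins by accounts not on the authorized list, and source
addresses outside the internal networks. Sample data is constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample in an sshd-style syslog format (not real log data).
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:02 web01 sshd[2001]: Failed password for jsmith from 10.0.0.15 port 51022 ssh2
Mar 10 08:01:05 web01 sshd[2001]: Failed password for jsmith from 10.0.0.15 port 51023 ssh2
Mar 10 08:01:09 web01 sshd[2001]: Failed password for jsmith from 10.0.0.15 port 51024 ssh2
Mar 10 08:01:14 web01 sshd[2001]: Accepted password for jsmith from 10.0.0.15 port 51025 ssh2
Mar 10 08:02:30 web01 sshd[2002]: Accepted publickey for backup from 10.0.0.40 port 40100 ssh2
Mar 10 08:03:11 web01 sshd[2003]: Failed password for invalid user admin from 203.0.113.77 port 33010 ssh2
Mar 10 08:03:12 web01 sshd[2003]: Failed password for invalid user admin from 203.0.113.77 port 33011 ssh2
Mar 10 08:05:00 web01 sshd[2004]: Accepted password for svc_tmp from 203.0.113.77 port 33050 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_auth_log(text):
    """Return one dict per recognised line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "invalid_user": m["invalid"] is not None,  # account does not exist on the host
            "ip": m["ip"],
            "port": int(m["port"]),
        })
    return events


def repeated_failures(events, threshold=3):
    """Accounts with at least `threshold` failed attempts, with their counts."""
    counts = Counter(e["user"] for e in events if e["result"] == "Failed")
    return {user: n for user, n in counts.items() if n >= threshold}


def unauthorized_logins(events, authorized):
    """Accounts that logged in successfully but are not on the authorized list."""
    return sorted({e["user"] for e in events
                   if e["result"] == "Accepted" and e["user"] not in authorized})


def external_sources(events, internal_networks):
    """Source IPs of any attempt that fall outside the given internal networks."""
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    outside = set()
    for e in events:
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in nets):
            outside.add(e["ip"])
    return sorted(outside)


def triage(text, authorized, internal_networks, threshold=3):
    """Run all three checks over raw log text and return the findings together."""
    events = parse_auth_log(text)
    return {
        "repeated_failures": repeated_failures(events, threshold),
        "unauthorized_logins": unauthorized_logins(events, authorized),
        "external_sources": external_sources(events, internal_networks),
    }


if __name__ == "__main__":
    # Authorized list and internal range are assumptions for the sample.
    print(triage(SAMPLE_AUTH_LOG, {"jsmith", "backup"}, ["10.0.0.0/8"]))
```

On the sample, the script reports jsmith for three consecutive failures, svc_tmp as a successful login by an account that is not on the authorized list, and 203.0.113.77 as the only source outside 10.0.0.0/8; the fact that the same outside address first failed against a non-existent account and then succeeded as svc_tmp is exactly the kind of pattern worth drilling into.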
4) Identify user activity

You can map user activity using historical data to link together event logs. You can see the activity of one user, a group of accounts, or a specific type of account.

Using Log & Event Manager to collect logs from hundreds of devices makes it easy to summarize the log data to surface events, privilege changes, etc. The forensic analysis feature allows you to quickly identify anything that looks unusual in the accounts you are investigating.
5) Monitor network traffic logs

Monitoring traffic logs is as simple as asking why you are seeing an excessive amount of outbound traffic from one IP address.

If you have detailed information about the IP address, you can quickly recognize that the increased traffic is suspicious unless you know that the IP is allowed to communicate outbound.

Traffic logs hold source, destination, port, and protocol details. You can use this information to determine if the abnormality is something you can ignore or if it’s worth investigating.
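The question posed above, "why is one IP sending so much outbound traffic, and is it allowed to?", reduces to summing bytes per internal source toward external destinations, exempting hosts known to be permitted outbound, and then pulling the source, destination, port and protocol detail for whatever remains. The script below is an added example written for this post, not code from the post or the product; the flow records, the 1 MB threshold and the allowed-source list are constructed.

```python
"""Outbound-traffic triage over flow records: total bytes per internal source
to external destinations, flag sources over a threshold that are not known to
be allowed outbound, and list the dst/port/proto detail for a flagged source.
The flow records below are constructed sample data."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow log in CSV form (not real traffic data).
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,bytes
2024-03-10T08:00:00,10.0.0.15,203.0.113.9,443,tcp,52000
2024-03-10T08:00:05,10.0.0.22,198.51.100.4,443,tcp,48000
2024-03-10T08:00:09,10.0.0.40,198.51.100.20,443,tcp,3100000
2024-03-10T08:00:12,10.0.0.22,198.51.100.4,53,udp,400
2024-03-10T08:00:15,10.0.0.40,198.51.100.20,443,tcp,2900000
2024-03-10T08:00:20,10.0.0.15,10.0.0.5,445,tcp,900000
2024-03-10T08:00:25,10.0.0.31,192.0.2.200,8443,tcp,7500000
"""


def parse_flows(text):
    """Parse CSV flow records, converting the numeric columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def _is_internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def outbound_bytes_by_source(flows, internal_networks):
    """Bytes sent by each internal source to destinations outside the internal networks.
    Internal-to-internal flows (e.g. file-share traffic) are deliberately excluded."""
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    totals = defaultdict(int)
    for f in flows:
        if _is_internal(f["src"], nets) and not _is_internal(f["dst"], nets):
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def flag_excessive_outbound(totals, threshold_bytes, allowed_sources=()):
    """Sources above the threshold that are not on the allowed-outbound list,
    largest first."""
    return sorted(
        ((src, total) for src, total in totals.items()
         if total > threshold_bytes and src not in allowed_sources),
        key=lambda item: item[1], reverse=True,
    )


def describe_source(flows, src):
    """Distinct (destination, port, protocol) tuples seen from one source."""
    return sorted({(f["dst"], f["dport"], f["proto"]) for f in flows if f["src"] == src})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    totals = outbound_bytes_by_source(flows, ["10.0.0.0/8"])
    # Assumption for the sample: 10.0.0.40 is a backup host allowed to upload offsite.
    for src, total in flag_excessive_outbound(totals, 1_000_000, {"10.0.0.40"}):
        print(src, total, describe_source(flows, src))
```

Without the allowed list both 10.0.0.40 and 10.0.0.31 exceed the threshold; once the backup host is exempted, only 10.0.0.31 remains, and its detail (a single external destination on 8443/tcp) is what the analyst takes into the investigation.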
6) Identify file changes

When collecting logs, you’re going to see millions of file changes. How do you know which ones to isolate? It’s best to isolate file changes against critical files (protected docs, financial information, personal documents, HR records, etc.). Look at file changes from a forensic approach to determine if suspicious activity has occurred.

Oftentimes, a virus will make file attribute changes such as permission changes. This could allow the retrieval of information like a password, resulting in unauthorized file or network access.

Forensic analysis can help you identify if files have been changed, when they were changed, and who made the changes.
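To narrow millions of file-change records to the ones worth isolating, filter by the critical paths first, then single out attribute changes that widen permissions, and finally lay out the who/when timeline for a file of interest. This is an added example, not code from the post or from Log & Event Manager; the pipe-delimited event format, the file paths and the list of critical locations are all constructed for the illustration.

```python
"""File-change triage: keep only changes under critical paths, flag permission
changes that widen access, and build a who/when timeline for one file.
Events are constructed sample data in a simple pipe-delimited form:
timestamp|user|path|change|detail (detail holds old->new mode for attrib)."""

# Constructed sample events (not real audit data).
SAMPLE_FILE_EVENTS = """\
2024-03-10T09:12:01|alice|/srv/finance/q1_report.xlsx|modify|
2024-03-10T09:15:40|svc_backup|/srv/backup/daily.tar|create|
2024-03-10T09:20:03|bob|/srv/hr/records.db|attrib|0640->0666
2024-03-10T09:21:10|bob|/srv/hr/records.db|modify|
2024-03-10T09:30:00|alice|/home/alice/notes.txt|modify|
2024-03-10T09:45:12|root|/etc/shadow|attrib|0640->0644
"""


def parse_file_events(text):
    """Parse the pipe-delimited lines into dicts; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, path, change, detail = line.split("|", 4)
        events.append({"ts": ts, "user": user, "path": path,
                       "change": change, "detail": detail})
    return events


def _under(path, prefix):
    """True if path is the prefix itself or lies inside that directory.
    Checks the directory boundary so /srv/hr does not match /srv/hr_archive."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def critical_changes(events, critical_paths):
    """Only the events touching files under the critical locations."""
    return [e for e in events if any(_under(e["path"], p) for p in critical_paths)]


def widened_permissions(events):
    """Attribute changes whose new mode grants bits the old mode did not."""
    out = []
    for e in events:
        if e["change"] != "attrib" or "->" not in e["detail"]:
            continue
        old, new = (int(mode, 8) for mode in e["detail"].split("->"))
        if new & ~old:  # any newly granted permission bit
            out.append(e)
    return out


def change_timeline(events, path):
    """Chronological (timestamp, user, change) tuples for one file."""
    return sorted((e["ts"], e["user"], e["change"]) for e in events if e["path"] == path)


if __name__ == "__main__":
    events = parse_file_events(SAMPLE_FILE_EVENTS)
    # Critical locations are assumptions for the sample.
    critical = critical_changes(events, ["/srv/finance", "/srv/hr", "/etc/shadow"])
    for e in widened_permissions(critical):
        print("permissions widened:", e["path"], e["detail"], "by", e["user"])
    print(change_timeline(critical, "/srv/hr/records.db"))
```

On the sample, the backup archive and the user's own notes drop out at the critical-path filter, two attribute changes widen access (the HR database made world-writable, and the shadow file made world-readable), and the timeline for the HR database shows the same account widening permissions and then modifying the file a minute later.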
Additional features of Log & Event Manager:

- Out-of-the-box rules and reports make it easy to meet industry compliance requirements
- Normalize log data to quickly spot security incidents and make troubleshooting easy
- USB Defender – Detach unauthorized USB devices and monitor file activity for potential data theft
- Build complex searches fast with a simple drag-and-drop interface, as well as save and reuse custom searches