Let’s be honest, a network attack of any scale is inevitable in today’s IT world. Do you have the ability to quickly identify the details of the attack?
If your network goes down, your network monitoring tool can tell you what happened, but knowing details about who was vulnerable or why the attack happened is even more valuable.
An often overlooked feature of log management software is the ability to conduct forensic analysis of events. Instead of searching for a needle in a haystack, forensic analysis tools can make drilling down to identify details a quick and easy task.
SolarWinds Log & Event Manager has cutting-edge IT search for fast and easy forensic analysis. Here are six ways that the forensic analysis feature of Log & Event Manager can help you piece together what really happened.
1) Incident response
Say goodbye to complex queries. Conducting forensic analysis, in general, is a quicker and simpler way to do incident response.
The faster you get the data, the better. Where Log & Event Manager helps is by removing the need to build complex queries to get the data.
More often than not, you’re responding so fast that you don’t have time to build a complex search to find a needle in a haystack. A better way is to identify the information you have (this IP, this warning, this exception, etc.) and plug that into a search and see what you can find from the log data.
Log & Event Manager surfaces information to make it easy to quickly scan and find what is out of the ordinary so you can start drilling down from there.
2) Troubleshooting system outages
Your monitoring technology will let you know there is an outage before Log & Event Manager would. The monitoring technology will indicate what system had an outage, and possibly provide some additional data. But the logs are going to contain more details.
From a forensic analysis approach, you’re going to use the logs as evidence of foul play, or to identify root cause (for example, you’ll be able to see that a piece of software was installed 30 seconds before an outage occurred). Exceptions, warnings, file changes, etc. are all recorded so you can use those as evidence for the cause of the outage.
3) Monitor authorization and access attempts
All authentication and access logs are collected in Log & Event Manager. With forensic analysis, you can quickly see if someone has gained unauthorized access, if there were repeated attempts by a single account, or if the attempting IP address looks suspicious.
You can also filter by an account that’s not part of an authorized account list or not in AD. One of the simplest ways to identify unusual access activity is to look for IP addresses that don’t belong. If you start seeing external or different types of IP addresses, then you know it’s something to investigate.
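The three checks described above (repeated attempts by one account, accounts that are not in the authorized list, and source IPs that don’t belong), run over a handful of constructed authentication events. This is an added example, not code from the page or from Log & Event Manager; the log format, the account list and the internal address range are assumptions standing in for an AD export and your own network inventory.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample authentication events in a generic syslog-like format.
# These are not LEM's normalized fields; the layout is an assumption.
AUTH_LOGS = """\
2024-03-01T09:00:01 auth FAILED user=jsmith src=10.0.1.25
2024-03-01T09:00:03 auth FAILED user=jsmith src=10.0.1.25
2024-03-01T09:00:05 auth FAILED user=jsmith src=10.0.1.25
2024-03-01T09:00:07 auth SUCCESS user=jsmith src=10.0.1.25
2024-03-01T09:01:10 auth SUCCESS user=backup_svc src=10.0.2.8
2024-03-01T09:02:44 auth FAILED user=administrator src=198.51.100.77
2024-03-01T09:02:46 auth FAILED user=administrator src=198.51.100.77
2024-03-01T09:02:48 auth FAILED user=administrator src=198.51.100.77
2024-03-01T09:03:15 auth SUCCESS user=tmp_adm src=10.0.1.40
"""

# Assumed inventory of accounts known to the directory (stands in for an AD export).
AUTHORIZED_ACCOUNTS = {"jsmith", "backup_svc", "administrator"}
# Assumed internal address space; a source outside it "doesn't belong".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FAILED_THRESHOLD = 3  # repeated failures by one account before it is flagged

LINE_RE = re.compile(r"^(\S+) auth (FAILED|SUCCESS) user=(\S+) src=(\S+)$")

def analyze_auth_logs(text, authorized=AUTHORIZED_ACCOUNTS,
                      internal=INTERNAL_NETS, threshold=FAILED_THRESHOLD):
    """Return accounts with repeated failures, unknown accounts and external source IPs."""
    failures = Counter()
    unknown_accounts = set()
    external_ips = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected layout
        _, result, user, src = m.groups()
        if result == "FAILED":
            failures[user] += 1
        if user not in authorized:
            unknown_accounts.add(user)
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in internal):
            external_ips.add(src)
    repeated = {u: n for u, n in failures.items() if n >= threshold}
    return {"repeated_failures": repeated,
            "unknown_accounts": unknown_accounts,
            "external_ips": external_ips}
```

Each finding is a starting point for drilling down, not a verdict: jsmith’s three failures followed by a success may be a forgotten password, while the external source against the administrator account deserves a closer look.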
4) Identify user activity
You can map user activity using historical data to link together event logs. You can see the activity of one user, a group of accounts, or a specific type of account.
Using Log & Event Manager to collect logs from hundreds of devices makes it easy to summarize the log data to surface events, privilege changes, etc. The forensic analysis feature allows you to quickly identify anything that looks unusual in the accounts you are investigating.
5) Monitor network traffic logs
Monitoring traffic logs is as simple as asking why you are seeing an excessive amount of outbound traffic from one IP address.
If you have detailed information about the IP address, you can quickly recognize that the increased traffic is suspicious unless you know that the IP is allowed to communicate outbound.
Traffic logs hold source, destination, port, and protocol details. You can use this information to determine if the abnormality is something you can ignore or if it’s worth investigating.
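The outbound-traffic question above, worked over constructed firewall-style records: total the bytes each internal source sends to external destinations, ignore sources known to be allowed to communicate outbound, and report the destination and port details for anything over a volume threshold. This is an added example, not code from the page or from Log & Event Manager; the record layout, the internal range, the allow list and the threshold are assumptions.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed traffic records (assumed layout, not LEM's normalized fields).
TRAFFIC_LOGS = """\
2024-03-01T10:00:00 src=10.0.1.25 dst=93.184.216.34 dport=443 proto=tcp bytes=52000
2024-03-01T10:00:05 src=10.0.1.25 dst=93.184.216.34 dport=443 proto=tcp bytes=48000
2024-03-01T10:00:09 src=10.0.2.8 dst=203.0.113.10 dport=22 proto=tcp bytes=800000000
2024-03-01T10:01:00 src=10.0.1.40 dst=203.0.113.55 dport=8443 proto=tcp bytes=350000000
2024-03-01T10:01:30 src=10.0.1.40 dst=203.0.113.55 dport=8443 proto=tcp bytes=420000000
2024-03-01T10:02:00 src=10.0.1.40 dst=10.0.5.5 dport=445 proto=tcp bytes=9000000
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
ALLOWED_OUTBOUND = {"10.0.2.8"}                     # assumed: offsite backup host
BYTE_THRESHOLD = 100_000_000                        # assumed: 100 MB per source

REC_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+) bytes=(\d+)$")

def find_suspicious_outbound(text, internal=INTERNAL_NET,
                             allowed=ALLOWED_OUTBOUND, threshold=BYTE_THRESHOLD):
    """Map each flagged source IP to its outbound byte total, destinations and ports."""
    totals = defaultdict(lambda: {"bytes": 0, "destinations": set(), "ports": set(), "protocols": set()})
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        _, src, dst, dport, proto, nbytes = m.groups()
        if ipaddress.ip_address(dst) in internal:
            continue  # internal-to-internal traffic is not outbound
        entry = totals[src]
        entry["bytes"] += int(nbytes)
        entry["destinations"].add(dst)
        entry["ports"].add(int(dport))
        entry["protocols"].add(proto)
    # Keep only sources over the threshold that are not known to be allowed outbound.
    return {src: e for src, e in totals.items()
            if e["bytes"] > threshold and src not in allowed}
```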
6) Identify file changes
When collecting logs, you’re going to see millions of file changes. How do you know which ones to isolate? It’s best to isolate file changes against critical files (protected docs, financial information, personal documents, HR records, etc.). Look at file changes from a forensic approach to determine if suspicious activity has occurred.
Oftentimes, a virus will make file attribute changes, such as permission changes. This could allow the retrieval of information like a password, resulting in unauthorized file or network access.
Forensic analysis can help you identify if files have been changed, when they were changed, and who made the changes.
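Isolating changes against critical files, as the section above recommends, over a few constructed file-audit events: keep only events under critical paths, then report who changed what and when, flagging permission changes and actors that are not expected to touch those files. This is an added example, not code from the page or from Log & Event Manager; the event fields, the critical paths and the expected-editor lists are assumptions.

```python
# Constructed file-audit events (assumed fields, not LEM's normalized schema).
FILE_EVENTS = [
    {"time": "2024-03-01T11:00:00", "user": "jsmith", "path": "/home/jsmith/notes.txt",
     "action": "modify"},
    {"time": "2024-03-01T11:05:12", "user": "tmp_adm", "path": "/srv/finance/q1_payroll.xlsx",
     "action": "permission_change", "detail": "mode 0640 -> 0666"},
    {"time": "2024-03-01T11:05:40", "user": "tmp_adm", "path": "/srv/finance/q1_payroll.xlsx",
     "action": "read"},
    {"time": "2024-03-01T11:20:00", "user": "hr_app", "path": "/srv/hr/records.db",
     "action": "modify"},
    {"time": "2024-03-01T11:21:00", "user": "svc_build", "path": "/srv/build/out.log",
     "action": "modify"},
]

# Assumed: directories holding critical files and the accounts expected to touch them.
CRITICAL_PREFIXES = ("/srv/finance/", "/srv/hr/")
EXPECTED_EDITORS = {"/srv/finance/": {"finance_app", "cfo"}, "/srv/hr/": {"hr_app"}}
ATTRIBUTE_ACTIONS = {"permission_change", "owner_change"}

def triage_file_changes(events, critical=CRITICAL_PREFIXES, expected=EXPECTED_EDITORS):
    """Return findings (who, what, when, why) for events on critical files."""
    findings = []
    for ev in events:
        prefix = next((p for p in critical if ev["path"].startswith(p)), None)
        if prefix is None:
            continue  # not a critical file; millions of these are noise
        reasons = []
        if ev["action"] in ATTRIBUTE_ACTIONS:
            reasons.append("attribute change")
        if ev["user"] not in expected.get(prefix, set()):
            reasons.append("unexpected actor")
        if reasons:
            findings.append({"time": ev["time"], "user": ev["user"], "path": ev["path"],
                             "action": ev["action"], "reasons": reasons,
                             "detail": ev.get("detail", "")})
    return findings
```

Sorting the findings by time shows the sequence the text cares about: the permission change on the payroll file comes first, and the read by the same account follows it.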
Additional features of Log & Event Manager:
- Out of the box rules and reports make it easy to meet industry compliance requirements
- Normalize log data to quickly spot security incidents and make troubleshooting easy
- USB Defender – Detach unauthorized USB devices and monitor file activity for potential data theft
- Build complex searches fast with a simple drag-and-drop interface, as well as save and reuse custom searches
- File integrity monitoring – monitor and alert on registry, file, and folder activity to detect suspicious and malicious behavior
SolarWinds® Log & Event Manager (LEM) gives you advanced IT search functionality without all the costs. View your log data in a way that makes sense for fast and effective event forensics, troubleshooting, root cause analysis, and overall log management. Do more, spend less, save time.