SolarWinds Partner Training Security Event Manager


Participant's Guide

2019 SolarWinds Worldwide, LLC. All rights reserved.

Table of Contents

Architecture and Configuration
Managing Nodes and Connectors
Using Events Search, nDepth, and the Reports Application
Deploying Agents, File Integrity Monitoring, and USB Defender
Building Rules and Using Automated Actions
Managing Groups
SEM System Requirements
SEM Deployments
SEM Installation Guide
SolarWinds SEM Port and Firewall Requirements
Allocate CPU and Memory Resources to the SEM
Audit Policies and Best Practices for SEM

Architecture and Configuration

SolarWinds Security Event Manager (formerly Log & Event Manager) is a security information and event management (SIEM) virtual appliance designed to add value to existing security products and to increase efficiency in administering, managing, and monitoring security policies and safeguards on your network.

To learn more, please visit these links:
o https://documentation.solarwinds.com/en/success center/SEM/Content/Install Guide/installprep/how-SEM-works.htm
o https://documentation.solarwinds.com/en/success center/LEM/Content/Admin Guide/1.0understanding sem/SEM-Component-Overview.htm

Managing Nodes and Connectors

Adding nodes and creating the appropriate connectors are required steps before your SEM can receive data and perform any of its other functions. Nodes and connectors are managed under the Nodes tab of the web console.

To learn more about this, please visit these links:
o ccess Center/SEM/Content/Admin Guide/New In6
o arwinds.com/en/Success Center/SEM/Content/Admin Guide/5add syslog and agent nodes/sem-managing-connectors.htm

Using Events Search, nDepth, and the Reports Application

There are multiple ways to search the database and retrieve the events stored within it: the Events search for basic keyword queries, nDepth for more complicated queries that may include groups or multiple conditions, and the Reports application to generate predefined reports for compliance and auditing purposes.

To learn more, please visit these links:
o https://documentation.solarwinds.com/en/Success Center/SEM/Content/Admin Guide/New In6 4/SEM-Search-Filter-Historical-Records.htm
o https://documentation.solarwinds.com/en/Success Center/SEM/Content/Admin Guide/11sem ndepth/chapter-head-explore-ndepth.htm
o https://documentation.solarwinds.com/en/Success Center/SEM/Content/Admin Guide/12sem reports/reports.htm

Deploying Agents, File Integrity Monitoring, and USB Defender

Deploying Agents

Agents can be downloaded directly from the web console or from the SEM download section of the Customer Portal. You then have multiple options for deploying the agents in your environment.

To learn more, please visit this link:
o ess Center/SEM/Content/Admin Guide/4deploy sem agents/sem-agent-install-overview.htm

Windows File Integrity Monitoring

Windows File Integrity Monitoring increases SIEM intelligence with policy-based auditing of file and registry activity, including "reads," "writes," and "deletes." FIM can help you demonstrate compliance with regulations including PCI DSS, HIPAA, and Sarbanes-Oxley, and it increases security intelligence to detect insider abuse, zero-day malware, and advanced persistent threats.

To learn more, please visit this link:
o https://documentation.solarwinds.com/en/Success Center/LEM/Content/Admin ty-monitoring-connectors.htm

USB Defender

USB Defender writes events to the Windows Application Log for parsing by the Windows Application connector and for use with the USB Defender Local Policy (UDLP) connector. The Application Log event carries additional detail that is not normalized and sent to SEM, but that can be used with the UDLP whitelist file to build more complex comparisons and a more restrictive policy.
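As an added example (not SolarWinds code, and not the real UDLP whitelist file format, which this guide does not show), the following Python models the local policy check described here: the fields of each USB device-attached event are compared against a locally stored whitelist of permitted users or devices, and the device is detached unless at least one field matches. The field names, the "field=value" line syntax, and the sample whitelist and events are assumptions constructed for this illustration.

```python
"""UDLP-style local USB whitelist check (added illustration, not SolarWinds code).
Field names, whitelist syntax and event layout are assumptions for this example."""

# Event fields compared against the whitelist (assumed names).
MATCH_FIELDS = ("user", "serial", "device")

# Constructed sample whitelist: one "<field>=<value>" per line, "#" comments.
SAMPLE_WHITELIST = """\
# permitted user, then permitted devices by serial or vendor/product id
user=CORP\\backup-operator
serial=4C530001230419120545
device=VID_0951&PID_1666
"""


def parse_whitelist(text: str) -> dict[str, set[str]]:
    """Parse whitelist text into {field: {values}}; matching is case-insensitive."""
    allowed: dict[str, set[str]] = {name: set() for name in MATCH_FIELDS}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or key not in allowed or not value:
            # Refuse a malformed list instead of silently widening the policy.
            raise ValueError(f"whitelist line {lineno}: malformed entry {raw!r}")
        allowed[key].add(value.lower())
    return allowed

def evaluate_event(event: dict[str, str], allowed: dict[str, set[str]]) -> str:
    """Return "allow" if any compared field is whitelisted, otherwise "detach"."""
    for name in MATCH_FIELDS:
        value = event.get(name, "")
        if value and value.lower() in allowed[name]:
            return "allow"
    return "detach"

def evaluate_events(events: list[dict[str, str]], whitelist_text: str) -> list[str]:
    """Re-parse the whitelist (as the Agent does after an update) and decide each event."""
    allowed = parse_whitelist(whitelist_text)
    return [evaluate_event(event, allowed) for event in events]


# Constructed sample events: permitted user, permitted device under another user, unknown both.
SAMPLE_EVENTS = [
    {"user": "corp\\Backup-Operator", "serial": "ABC1", "device": "VID_FFFF&PID_0001"},
    {"user": "CORP\\jdoe", "serial": "4c530001230419120545", "device": "VID_0951&PID_1666"},
    {"user": "CORP\\jdoe", "serial": "ZZZ9", "device": "VID_1234&PID_5678"},
]
```

Calling evaluate_events(SAMPLE_EVENTS, SAMPLE_WHITELIST) yields allow, allow, detach for the three sample events.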

The USB Defender Local Policy (UDLP) connector enables a SEM Agent to enforce restrictions on USB devices even when the Agent is not connected to the SEM Manager. Instead of using rules while disconnected, the connector uses a list of permitted users or devices: the Agent compares the fields of every USB device-attached event to a locally stored whitelist of users or devices, and if none of the fields match an entry on the list, the Agent detaches the device.

USB Defender automatically detects changes to the whitelist file and reloads it when the Manager distributes updated data to the Agent; the USB Defender service does not need to restart.

To learn more, please visit these links:
o https://documentation.solarwinds.com/en/Success Center/SEM/Content/Admin Guide/9sem response actions/sem-detach-usb-active-response.htm
o https://documentation.solarwinds.com/en/Success Center/SEM/Content/Admin Guide/New in6 r.htm

Building Rules and Using Automated Actions

SEM rules let you receive immediate notification, or immediately execute automated actions, on the event criteria you specify. Some actions can send commands back to your Windows machines or network devices through Active Response connectors.

To learn more, please visit these links:
o https://documentation.solarwinds.com/en/Success Center/LEM/Content/Admin Guide/10lem rules/lem-rules.htm
o https://documentation.solarwinds.com/en/Success Center/SEM/Content/Admin Guide/New in6

Managing Groups

SEM contains multiple types of groups that can be used in your nDepth searches or rules for more advanced, or more easily managed, queries.

To learn more, please visit these links:

o cess Center/SEM/Content/Admin Guide/6.5sem
o tation.solarwinds.com/en/Success Center/SEM/Content/Admin Guide/6.5sem groups/sem-configuring-user-defined-groups.htm

SEM System Requirements

Use the following tables to plan your Security Event Manager deployment to suit your network environment. Server sizing is affected by:

- The number of nodes and the amount of network traffic. Consider event throughput and performance degradation when planning the size of your deployment. As the number of nodes and the network traffic increase, the size of your deployment will need to grow with them. For example, if you are running a small deployment and notice performance degradation at 300 nodes, move to a medium implementation.
- Whether you are storing original (raw) log messages in addition to normalized log messages. If you will be saving unique log messages, increase the CPU and memory resource requirements by 50%. See your hypervisor documentation for more information.

SEM Deployments

                                    Small Deployment                  Medium Deployment                     Large Deployment
Per Day
  Received Events                   Up to 35 Million                  30 to 50 Million                      200 to 400 Million
  Triggered Rules                   Up to 500                         Up to 1,000                           Up to 5,000
Maximum Nodes                       Up to 500                         300 up to 2,000                       More than 1,000
Set Up Combinations (Devices)
  Security                          5 to 10                           10 to 25                              10 to 25
  Network (w/ or w/o workstations)  10 to 250                         10 to 250                             250 to 1,000
  Servers                           30 to 150                         30 to 150                             500 to 1,000
Minimum HW Requirements
  Processor                         2 – 4 cores, 2.0 GHz or faster    6 – 10 cores, 2.0 GHz or faster       10 – 16 core processors at 2.0 GHz
  Memory                            8 GB                              16 to 48 GB RAM                       48 GB RAM or more
  HD Space                          250 GB with 40 – 200 IOPS         1 TB hard drive with 200 – 400 IOPS   2 TB hard drive with 400 or more IOPS
  Network                           1 GBE NIC                         1 GBE NIC                             1 GBE NIC

For more information about sizing criteria, VM hardware requirements, SEM software requirements, SEM Agent hardware and software requirements, and SEM Reports application hardware and software requirements, visit:
o https://documentation.solarwinds.com/en/success center/SEM/content/System Requirements/SEM 6-6 system requirements.htm
o https://documentation.solarwinds.com/en/Success Center/LEM/Content/Admin Guide/2lem set-up config th-search.htm

SEM Installation Guide

For complete information on how to install SEM, please visit:
o https://documentation.solarwinds.com/en/Success Center/SEM/Content/SEM Installation Guide.htm

SolarWinds SEM Port and Firewall Requirements

Any firewall standing between two points of communication must allow inbound or outbound traffic on the specified ports for SEM to work properly. In the port table, "inbound" assumes the SEM VM is behind the firewall and that firewall rules allow network traffic through the firewall to the SEM VM.

To learn more, please visit this link:

Allocate CPU and Memory Resources to the SEM

By default, SEM deploys with 8 GB of RAM and 2 CPUs on the VMware ESX(i) and Microsoft Hyper-V platforms. For SEM to work properly, you must allocate enough CPU and memory resources to the SEM VM.

To learn more, please visit this link:
o https://documentation.solarwinds.com/en/success center/SEM/content/Admin Guide/2SEM set-up config maintenance/allocate-cpu-and-memory.htm

Audit Policies and Best Practices for SEM

Windows Audit Policy determines the verbosity of the Windows Security Log on domain controllers and other computers in the domain. The recommendations in this document have been found to be the most effective from both a best-practice and a compliance standpoint, and they are based on customer experience and recommendations from Microsoft.

To learn more, please visit this link:
o icle/Audit-Policies-and-Best-Practicesfor-SEM
