Hello, and welcome to our cybersecurity dojo for part one of our four-part series, intended to guide you in the mastery of security kung fu. My name is Josh Berman. I'm the Product Marketing Manager for SolarWinds Security and Tools Products, and I'll be emceeing today's session. As we embarked on creating this series, we always knew that in the back of everyone's minds there were a couple of curious thoughts. Why kung fu? And what does martial arts have to do with how I protect my network? Well, kung fu is a Chinese term referring to any study, learning, or practice that requires patience, energy, hard work, discipline, and time to complete. So really, it's not just martial arts. Perhaps, by this definition, you're starting to see the parallels that we know exist with IT security and the vital part many of you play with your respective organizations. For today's lesson, we'll be discussing the role security information and event management, or SIEM, solutions play in improving your business security posture, and helping you meet and maintain regulatory compliance. Before I introduce our security kung fu masters, who will be guiding today's lesson, I would like to address a few items pertaining to the format of today's event. We'd like to keep this webinar session to as close to 50 minutes as possible. Although we've planned for a Q and A session at the end of the presentation, I encourage you to submit your questions via the Q and A box. We will do our best to address them throughout the presentation, that is assuming the team on Q and A standby doesn't beat us to the punch. Noted earlier, this event marks the first of a four-part series. For details regarding our next session, Security Kung Fu - Playing with Firewall Logs, which will take place on March 1st, or any of our other subsequent events, visit go.solarwinds.com/kungfuwebcastseries. There you'll be provided with access to register for our future events when they become available.
Now, before we dig too far into things, I want to remind you about our awesome giveaway. You see it presented here on the slide. So for a lucky 25 individuals out there, we'll be awarding you with your very own Security Kung Fu t-shirt. In order to qualify, you must be in attendance for the entirety of today's event, so stay tuned and enjoy the session. Okay, on to the good stuff. So after I introduce our security kung fu Masters, we'll discuss a bit about the cybersecurity battleground and the threat businesses are facing today. We'll highlight several IT security stances business employ to improve their security posture, emphasizing the need for a layered security approach. And then, we'll discuss the role SIEM solutions play in contributing to this cause providing a live demo of SolarWinds Security Event Manager to illustrate a few key points. From there, we'll open the floor to Q and A session, which will qualify our t-shirt giveaway contestants, and then we'll conclude the session. So on to our Security Kung Fu Masters. I'd first like to introduce Curtis Ingram. As a Sales Engineer for SolarWinds Security Event Manager, Curtis possesses a breadth of knowledge regarding IT security and compliance subject matter, and the role SIEM solutions play in meeting these important business objectives. So Curtis, thanks for joining us today. Also, we have with him Ian Trump. Ian is a thought leader in IT security. His 2016 in-depth analysis of cybercrime and threats of the future were featured in industry publications such as SC Magazine, InfoSecurity, IDG Connect, CBR, and then the list goes on. You see them listed here. I encourage you guys to connect with Ian on Twitter as well. I think we're going to be sending out his Twitter handle there in a second, which we already did. All right. So we're good. So guys, thanks for joining us. 
So with a 24-hour news cycle, we're constantly bombarded with headlines of the latest data breach, malware infection, email phishing scam, or high-profile compliance violation. You'll see some of the headlines listed there. Although the sources of these incidents often varies, the consequences for businesses of all sizes remains relatively the same-- hefty fines, criminal penalties, lawsuits, brand damage, loss of customer loyalty, and you know, it can go on for days and days. It's no wonder nowadays we no longer consider IT security a nice to have, but a matter of your company's own survival. It's why I believe that the mastery of the art of Security Kung Fu may be your only hope. So some points I want to illustrate here, and I'll get to this figure presented on the slide in a second. But the cybersecurity market was reported to reach 75 billion dollars in 2015, and what's even kind of more interesting about it, is that's going to over double by 2020. It'd be 170 billion dollars. That's reported by Forbes. The most interesting note, and the reason why I flashed this statistic on here is that cybercrime, not just the cybersecurity market, the businesses out there helping other businesses protect their network, is that cybercrime costs are projected to reach 2 trillion dollars by 2019, another statistic by Forbes. And I think this is just absolutely telling of the situation that we are all in and the climate that we're facing. Now, I'm going to have Ian get to some more of this very shortly, once I pass over presenter rights to him. But before I do that, we've posted a polling question or two here on the session, and I encourage you guys to reach out and give us some feedback real quick. Much appreciated.
Okay. Well, Josh thanks for warming things up for me. You know, I'm really excited to be here because I came with the dowry when LogicNow was acquired by SolarWinds, so this is sort of my first SolarWinds corporate podcast, so thank you so much for everyone that's joining us today. I just want to go back and talk a little bit about the numbers that Josh dropped right now, and you know when we see by 2020 that the security industry that's, you know, your A/V people, your SIEM people, all the different components that make up the cybersecurity industry, that's going to be worth 170 billion dollars, okay? Now when we think about this, we put it into context and we see two trillion dollars in cybercrime, you have to put another number into that context, and that is what the value chain of the entire Internet, the type of value that it brings together. And that's only going to be about 5.3 trillion dollars. So here's the problem. We have a 170 billion dollar industry trying to take on two trillion in cybercrime and the two trillion in cybercrime accounts for almost half of the entire Internet value chain in 2020 based on predictions. So this is a major problem that we have to pay attention to because that money is going to come out of the pockets of people that don't take this security stuff seriously. So this is what the podcast is about today. It's really about understanding what, in the future, is going to happen. Now, one of the major components, one of the reasons why cybercrime is projected to go in the direction that it is, is that we're entering the realm now of the Crime-as-a-Service model. So in Europol's latest release, they talk about what are the threats. You know, there's drugs and prostitution and illegal arms sales and, you know, migrant smuggling and a whole bunch of different threats. 
But bubbling up to the surface is a more robust cybercrime ecosystem, and by ecosystem, I mean pieces of being a cybercriminal are all now brokered out in underground forums. And the reality is you can have somebody that has minimal capability but they have access to funds, they can now conduct themselves like an advanced persistent actor. You can purchase Dridex malware. You can purchase a denial of service attack on the underground forums, so what essentially has happened is the cybercrime industry has professionalized it. You used to be big into, you know, phishing attack and those pharmacy things, drugs. Now it has become a complete industry offering every possible cybercrime service available. And even though we see this kind of, I'm going to say it, migration, what we need to do is not lose perspective and understand that the ransomware and banking Trojans do remain the top malware driven threats. There's other threats, of course, like fraud and, you know, the old I'm going to give you a check and see if your bank works and you're going to give me a portion of that check money back. And, you know, the check bounce. So there's a huge cybercrime industry built around there. So one of the examples that I really wanted to stress today, and this is because, you know, we're going to be talking about SEM shortly, and the security layer that SEM occupies. But these particular three Chinese hackers hacked law firms to get insider information about mergers and acquisitions. So they broke in to these law firms, and we'll talk about the methodology of what they used. But essentially, they were looking for information that they could leverage into going long or going short on stocks. Basically, looking for insider information to trade on the stock exchange. Now, of course, law firms absolutely a huge target. I mean, we've seen all sorts of breakdowns in legal firms' security. 
This goes all the way back to Mossack Fonseca, where they were attacked and a whole bunch of information was disclosed. In this particular attack though, the methodology was something that did leave a smoking gun. Essentially, they pounded on the outer ports of the law firms. In some cases, brute forcing their way in. This is a very overt attack, which I'm just going to kind of set up Curtis to talk about this in a moment, when he gets to the demo. But the idea here is that this was not a stealthy attack by any means. But because these law firms, and these were big law firms by the way, didn't have any solution that would tell them about failed login attempts en masse, well guess what? The bad guys broke in. Now, one of the reasons why they were taken down was that once the law enforcement folks got involved, they were able to get the necessary information to figure out the IP addresses that these guys were coming from. Now, interestingly enough, they didn't even disguise their intent. They did not obscure their IP addresses. So from an operational, security perspective, essentially, you know, there was none. And they got caught. From a practitioner-user though, it would be very useful for your business to be able to detect that sort of attack and mitigate that by taking either a necessary step at the firewall to block the attempts, or looking at an alternative solution, such as protecting that Outlook web access with VPN access, for instance. So this brings us to the story of our kung fu, or our security 'fu' stances where we talk about proactive security, detective security, and reactive-recovery. What we're trying to put out there for everyone is that having simply one posture, if you will, doesn't allow you the flexibility that you need to meet that modern crime-as-a-service threat. So pro-activity is something that we've been talking about in the security industry really for ages. You know, you put antivirus onto your machines. You patch and update machines.
You know, you put in things like web protection. This is all a stance, if you will, built around the idea of preventing the bad guys from getting into the network, right? Now unfortunately, because of the sophistication of the actor, and the ability of the actor to find out what those defenses are, and in some cases bypass them, or because of poor security or, you know, one hole in your infrastructure-- the bad guys get in. We need to talk about detective capability. We need to be able to establish what normal activity is, from a security perspective, and what abnormal activity is. And so this is where you get into the detective products. Really, you're beginning to see the value of having that SIEM product, being able to help you understand what's different and what has triggered an alert because, quite frankly, in the network, there will be a whole bunch of different events. Curtis will talk to you about how many events that are processed and things like that. But the reality is what you're looking for is that smoking gun, that indicator that says there is something abnormal going on in the network. Now, it could be a variety of different things, but it's certainly nice to be able to have something that is looking at all of those events and making sure that things are working properly. Because not everything is technically a security event, but certainly, when you talk about confidential information and trying to protect it, if you see something like a brute-force login attempt, well, obviously, that's something that has gone wrong. Now, the other component to security is really about the breakdown of the first two. So security, when you define it into confidentiality, integrity, and availability, one of the key components that you have to deliver is an availability solution. That takes the form of a backup service offering, for instance.
And because we're all familiar with the ransomware threat, one of the major ways of combating the ransomware threat is being able to quickly and efficiently restore those files. So even though you have your proactive and your detective layers in place, sometimes because technology and human beings are not perfect, you will have a situation where you will have to go to that reactive-recovery capability. So when we talk about the proactive stance, we're really talking about trying to keep the bad guys out. Perimeter security--measures like firewalls with various firewall rules. Really, what I see a lot in small/medium businesses is a lack of egress firewall rules. A lack of rules that say, for instance, IRC is a protocol that's used sometimes by bad guys, but certainly by hackers. If you write a single firewall rule that says, 'Ban IRC protocol from going outside the network,' well, if it hits that firewall and you have that rule in place, and it's a firewall-rule violation, that will get picked up by your log management console. So there's an awful lot to do between the SEM solution and the firewall and writing those egress rules. So that when your network starts to try and misbehave-- it can be identified at the firewall. If you're letting all your traffic out, there's a good chance the bad guys can get a piece of malware onto those endpoints, and exfiltrate all your data, or land a ransomware payload without you even understanding where it came from. So part of that process that we look at for the proactive stance is really about keeping your antivirus up to date-- anti-malware, web protection, and patch management. Those are sort of the three standard, technological packages that you see in every basic security offering. What we would suggest more is that to make all of this stuff more efficient, to make the technological stack work better, is to really talk about hardening those end points, making sure that those end points are secure.
And if possible removing things like Java or Silverlight or Adobe Flash from the standard day-to-day computers, or any computers that require an elevated security risk. For instance, if you have one computer in your organization that the point-of-sale terminal is hooked to, that's the kind of thing that you certainly might want to log every single event that's going on on that machine. But in addition, you may want to remove Adobe Flash or Java or Oracle or Silverlight from that end point to make it more difficult for the bad guys to infect that end point with malware. And a big component of that proactive stance is having user-awareness training and policies and procedures for your users and management so that everyone understands-- What are we trying to protect? What are our defenses? And what the heck do I do if I think something is going on that's strange? That's a really important component left out at a lot of user-awareness training programs that I'm familiar with, which go in to the extraordinary technical detail about what a phishing attack is, but at the end of the day, the poor user, if they think something like that has happened, needs somewhere to go. So when we talk about the detective stance, we're now really acting in more of a risk management layer. What we're trying to do here is make sure that the important data that we have is kept confidential. And what we don't want is that exfiltration to take place of that important data. So this is where the cybercriminals are not so much interested in landing ransomware, but more of that espionage attack, or that, 'I want to do a follow-on attack where I harvest credentials.' 'I want to explore a share on a drive called, research and development.' 'I want to go after the donor list .xls file.' If you're a non-profit, that's one of the most important files you probably have. 
So this is where you're now setting up the cyber-mouse trap, if you will, in order to detect that the bad guys have gotten into the system and are looking at things that they shouldn't. This has a lot of interesting processing behind the scenes. You're going to look at heuristics. You're going to look at behavior-based things. You're going to try to baseline activity against what normal looks like. And that gives you the type of capability like host intrusion and network intrusion. So host, where you believe an end point might be compromised and that's now starting to do something not normal. Or network, where a whole new machine or I'm going to say something else, could be Raspberry Pi, has been infiltrated into the network, and maybe in what's called promiscuous mode, sucking up a whole bunch of data that is moving around the network. Hopefully, looking for those unprotected password hashes, or hashes that are easily breakable once they can be recorded. You also find that the network intrusion needs to be extended to the wireless infrastructure. Hackers certainly can sit outside a business, slowly smash away at the wireless access password and attempt to infiltrate that way as well. So when we talk about the recovery stack here, what we're really trying to do here is we're trying to establish that we need to restore business services if we have a compromise. One of the important things is determining what that compromise has been and what actually needs to be restored. Do you need to go into a recovery mode? Do you need to declare a major cyber-incident in your organization? In which case, you'll need some criteria about what it is that's been taken or what the attempt looked like. You have an obligation to report these kind of things. And certainly, you need to involve PR and Legal.
And really, one of the most amazing things about the SIEM product is your ability to go back in time-- your ability to look at something that happened several days ago--because a lot of these detections might take place several weeks after the initial successful hack. So it's really important that you be able to go back in time and see-- were these guys after something specific, or was it a generic data theft? So another example that we're going to talk about, and Chris is going to discuss, is the Australian Red Cross Blood Services hack. So Troy Hunt had an amazing blog on his site. He's also the guy that runs the Have I Been Pwned website, which is a huge resource to check user IDs to see if they've shown up in a data breach. So anyways, he chronicled the Australian Red Cross Blood Services hack, and what was determined is that the folks were coming in, hitting the web server, and attempting to find files by throwing in commands to that web server to move into directories that shouldn't normally be available if the web server's properly configured. So again, if you're logging and monitoring the Apache logs or the load balancer that's in front of the server, this may give you a good indication that somebody is looking for something they shouldn't have access to. And in this particular case, because the backups of the web server database were stored locally on the machine, the hackers were able to grab hold of that database, and exfiltrate about 1.65 gigabytes from that server-- which unfortunately contained the unencrypted complete copy of the latest database. Now why, in this particular case, did I pick this example? That's a very good question. I picked this because the data that was inside that database went far beyond the names, dates of birth, telephone numbers. It gave things like sexual preferences, blood type, relationship information, all of those kinds of very important data that is deeply personal and deeply private.
So there's an example of a not-for-profit organization that contained extremely sensitive data that, unfortunately, ended up in the hands of nefarious folks. So as we move on here, because I don't want to take up all the time talking about you, I want to introduce you to the Lockheed-Martin Cyber Kill Chain. And what we use this for is really a teaching aid. What we talk about is the various stages of going from exploit of an end point, delivering that piece of software to the actual actions that take place on the end point. So what you can see is the delivery is really a WAN to LAN. Something is coming into your environment. It hits the end point. Something happens on the end point. Usually an exploit, or, if it's a user, they just happen to open the attachment on the email. Then finally, some sort of software is installed, either in memory or as a file, downloaded file. Finally, there's a communication that comes out of that process that starts running on the machine, and that's called your command and control where it dials back to where the bad guys are hosting their command and control server. And then finally, there could be a decision to drop a ransomware payload on that end point, and start encrypting all the things. This is really a teaching aid. And as you can see across the top, what we've put down is the mitigative technologies. I'd say if you get nothing out of this webinar, other than Curtis's amazing demo that'll be coming up shortly, you really want to pay attention to this slide because this will help you understand what security technologies work and where they work in that infection end point. So finally, we need to talk about what SIEM does for you. Why are we saying it's such an important layer? Well, we believe that it gives you visibility in the area that's critical to your business, and that is "Threat Hunting." Ransomware is relatively easy to recover if you've got a good backup or a cloud-based backup.
Relatively easy to restore the files that got encrypted and remove the piece of malware from the end point. What we're talking about here is more of the protection of intellectual property, protection of PCI data, protection of healthcare data, and pretty much protection of everything that a law firm would actually have on their files. The feature about SIEM that I love the most is really about the ability to go back in time. The ability to see how the bad guys got in, what their activities were and really timeline out the attack, and learn from it. Understand what the initial attack vector was and then what the guys did. Obviously, the SIEM is now required for many compliances, to provide evidence, as well as to have that security documentation because, should you ever fall afoul of a regulator, one of the things they will ask is for the documentation of your security policies, as well as what security technology you have and what you're auditing. One of the brilliant things about SIEM solutions is they do uncover unauthorized changes in the environment. That you can see network connections to known hostile IP addresses-- a great indication of compromise in the system. And also, properly configured, you can see data exfiltration files that shouldn't be accessed by anything other than the system or an administrator; attempts to access those files by other folks. So when you look at what a SIEM can do for you, you really talk about looking and combining at the network layer activity and correlating that with machine data and, ultimately, user behavior. So it goes really from the user click to what the machine does, to what the network does. And a SIEM solution can bring that all together. So I'm going to pass the presentation over to Chris Ingram, and he's going to be able to walk through a little bit more detailed information on the SolarWinds Security Event Manager, our SIEM solution. Over to you, Curtis.
In one sec. This is Josh. I just want to interject real quickly. Guys, I wanted to let you know that we have another poll that we placed out for you guys. We'll leave it open for a little bit longer period of time this go around, because we had some folks that wanted to participate that couldn't chime in. So please do submit your responses to the poll question and Ian thanks so much so far. Sounding great, and Curtis, we'll pass it over to you.
So as you deploy a SIEM solution into your environment, I think one of the key things to be aware of is the number of systems that generate logs, and where you can pull all that data into a single pane of glass, so that you can watch that. With Security Event Manager, part of our goal with this product is to make integration with all the other things that are already in your network easier. So collecting data from your servers and your workstations, collecting data from IDS and IPS devices, collecting data from your firewalls, your routers, your file servers, your domain controllers, and any other critical application that may be out there, so that all those logs can be brought to a central place, and then we have the ability to correlate those logs and respond to them as well as search and help you with, as Ian said, the timeline of events when you're trying to troubleshoot what's been going on. With LEM, one of the first things it does is show information in real time, which looks really cool, but as a mere mortal, sometimes it is hard to keep up with the amount of information a large environment generates. Because of that, we include a lot of filters out-of-the-box to help drill down into what's going on. So in the case of the bad web requests, in the case of the blood bank, you may be looking at traffic that's getting denied by your ACLs. You might be looking at traffic that's going around your web proxies. You may just be looking at web traffic in general. But the idea is that information is being broken out from the greater data stream with the information that is coming on. The idea, too, is that we want to be able to break down other critical changes. If someone has already penetrated your network, perhaps you'd be concerned about group changes. Someone being added to your domain admins would be suspicious unless you know that there's a work order or a new admin being hired that might actually need those permissions. 
Now, obviously, you can't have somebody sit here and watch this console all the time, and that's where we would start tying into our LEM's rules engines. In the rules engine, we have the ability to define criteria and have SEM look at patterns of events-- kind of that behavior analysis that Ian mentioned. And we include a lot of templates out-of-the-box to try and make this easier. But we also have these categorized and broken down by different kinds of devices, different kinds of compliance standards, different kinds of behavior in your network to help you identify what's going on. So whether you come in here and you're, let's say, a bank or something, and you decide to look at a requirement, you're going to get notifications-- alerts about, like, critical user events, or unauthorized USB devices. But that will also be covered in some cases under like user changes-- will also lead you to critical user accounts or critical group events. You can define and customize what SEM considers critical to fit your environment, and then have those alerts being sent out to you in real time, which helps with you being aware of what's happening in your environment in a hurry. Some of the templates that we include that might have helped with the examples that Ian provided. For example, we can create rules that have thresholds and look for excessive log on failures. So if someone is failing to log in a whole lot of times, I can set different thresholds and have the SEM take some sort of action. Maybe it's blocking the source IP. Maybe it's disabling the user account they're trying to use. Maybe it's just alerting an administrator that there's something going on. But I had the ability to customize how this template is going to behave. 
In the case of something like the blood bank, where people were making web requests or URL requests for peculiar things, we might have used something like our SQL injection or XSS, cross-site scripting injection vectors, where we can be looking at web traffic, perhaps gathering logs from something like a proxy, a web filter, your websense device, for example, and looking at the kinds of text that's appearing in those queries. We have a pre-built list of things that are suspicious, like in the case of the cross-site scripting. So if we were to see any of those things in your links that might suggest that someone is fabricating bogus URLs, in the attempt to trick your web server into doing something that maybe you don't want it to be doing. A big piece of Security Event Manager is that we want to provide things out-of-the-box because we realize that more and more companies are required to meet compliance and industry standards and don't have dedicated InfoSec staff. Maybe there just aren't enough people or enough dollars to make that happen for every business. So we want to provide templates and things that can make this product useful to any size business very quickly, and start getting meaningful alerts. We also know that a lot of times, you don't have time to learn a query language or something complicated to ask the system what's been going on in your environment, and so we provide our nDepth tool here under 'Explore.' With nDepth, SEM will automatically pull back data for any time range I choose, including custom ranges. And I can interact with any charts and graphs or my list of what's been going on-- my summary review over here on the left-- to find out more information. So if I'm curious about a particular event, or something coming from a particular device or system-- If I'm curious about a particular kind of user, you know, source machine, user name, or some sort of traffic-- I can drill down into my timeline. Perhaps this was an unusual spike. 
I double click on that. It's going to drill down into that very quickly. Maybe that's a lot of web traffic, and I'm curious what's been going on there. So let's filter down to just web events. Maybe I see a URL access that's unusual, so I'll go ahead and click on that and add that to my filter. And very quickly, I've gone from tens of thousands of events to what I want to see. And that allows me to then create reports and views. I can export my data. Take this to whomever needs to see it and provide that documentation to my auditors. SEM also includes a thick client reporting console that includes a lot of compliance and industry standard reports that can help you satisfy your auditor's requirements for documentation as well. But in these ways, we can be gathering the data so that you can do your forensics, do the reaction to a potential breach. We can also be alerting you in real time. As another example of the way SEM might assist with something like the Chinese break-in at the law firms, we also have SEM integrated with Threat Intelligence now. So we are working with a partner company to synchronize a list of known bad actors every 24 hours. And when that data is, you know-- if we see any of those malicious IPs, like maybe somewhere suspicious in China or Russia, we have pre-built filters that are going to be able to come into this, and I can see like all of my threat events, all the places where that IP matched my threatening list of IPs. So we can bring that into SEM and then you can create your own alerts or rules off of that. Or again, we provide templates for a lot of these things as well. So if you've got a server reaching out to a known malicious IP or a bad actor, that could suggest a malware infection. Maybe someone has finally opened the bad attachment. Or if I see authentication coming from known bad IPs, that could be a notification that someone's trying to break in as well. So Josh and Ian, is that... 
I think, at this point, just make sure we've covered all the things that make sense in the SEM interface.
That's really cool.
Yeah, I think this was great, Curtis. I really appreciate you showing us the bit about what SEM can do. You know, if it's all right with you, what would be best is if you passed the presenter rights back over to me, and we can start our Q and A session.
Yeah, let me get in one second there to throw that over.
So just before we start, you know, that is one of the areas where I think that failed authentication is one of the biggest smoking guns. And certainly, you want to protect not only your servers and your database servers and things like that, but your infrastructure too. The last thing you want is unauthorized logins to your routing, firewall, switch, and wireless access points. So the SEM product can really bring all of that information together. And you know, if you're able to filter by IP addresses, you've got a real leg up on detecting crazy stuff that might be going on.
Awesome. So real quick guys, we're going to offer up another polling question here as we transition to our Q and A session. So take a moment there, and provide your feedback. You guys, we've gotten a lot of really great questions, and I know we've been able to answer some of them really quickly over chat. We actually have some limitations on characters that we can supply, so I think what I'd rather do is just go ahead and list off some of these questions for everybody to hear. And maybe Curtis and Ian, you can help me respond to them. Let's see... So... First off, we had a question about pricing and licensing. Curtis, this often comes up in conversations that we have on our webcast. So do you mind giving us a quick overview on how SEM is priced?
Sure. So Security Event Manager is priced by the number of nodes that you want to collect data from. The volume of traffic that they send, the number of messages, the number of megabytes or gigabytes is no matter to your license. With the appropriate resources, memory, CPU, and disk space, Security Event Manager is capable of handling 300-350 million events a day-- that's about 4000 events a second-- as no big issue. So we can bring that much traffic into Security Event Manager. You can collect as many logs as you like from any given device, and use that in your correlations, and getting that insight into your environment and in your alerting. SEM does have special licensing for workstations. Workstations being your Windows XP, 7, Vista, 8, and 10 platforms-- especially for customers where you may be interested in monitoring your point-of-sale systems that typically run on those workstation platforms. This can make using SEM a lot more cost effective. Otherwise, everything else is considered a universal node license and the smallest bundle of those from SolarWinds is 30.
Well, thanks for responding to that question. We did receive... We're ticking these off one at a time. We just got a general question: Is this product MSP friendly? Or for multi-tenant use? Can you comment on that, Curtis?
Certainly, with Security Event Manager, we've had MSPs deploy the product. For multi-tenant, LEM's database is part of its virtual appliance, and all the data kind of goes into the same database. So depending on what your tenants' or what your customers' requirements are, it may be best to look at multiple SEM installations. It kind of is handled case-by-case and we have had a number of successful MSP deployments for Security Event Manager.
Yeah, I think there is a caveat to that question too, interest in whether pricing is similar as MSP. I think the response to that is 'no.' I mean, SEM is offered as a perpetual license, meaning there aren't any monthly fees. Once you buy it, you own the product in perpetuity. I can't recall whether we mentioned, but with your first purchase of LEM, you get one-year free maintenance, meaning 24/7 support is available by phone or email. Access to our Success Center, of course, which is an added bonus, where you can find videos and other content to help you get started using the product, and also boosting your understanding of the creative ways that you can apply the use of this tool. In addition to that 24/7 support that comes with the one-year free maintenance, is the ability to upgrade the product with each new release. So you know, those are some of the important points I want to make that I think will help answer one of the questions that we received there, and help us distinguish SEM from other products available to MSPs. Someone asked about the demo URL available for click through. So I just want to clarify. So SEM actually has a demo site that you can just test out the product; do some cool stuff online without kind of any commitment. And then also, we have supplied links to a free 30-day full access trial of LEM, if anyone's interested in just giving it a whirl. It's a great way to get started using the product, and getting things set up. And if you do happen to engage in a conversation with our sales team and move forward with purchasing the product, you'll actually be able to carry over much of your work into your live instance, which is an added feature. Let's see. I see that some of the answers are being handled stealthily by Curtis on chat. I appreciate you doing that. You know, there's a few others... So what are the first devices that should be configured to feed logs to LEM? I think that's a great question for anyone getting started using the product. 
Curtis, do you have any input on that?
Yeah. The real answer there is 'the important ones.' And that's going to change based on your business, your network, your devices. But I think where you usually start is you're looking at things like your domain controllers, any critical application servers-- where does sensitive or important information live-- things like your core routers and firewalls-- and where people are going to interact and touch your network. So the part of deploying a SIEM, regardless of where it comes from, or whose you use, is identifying in your own network what the most critical pieces are. So I mean, depending on, like I said, your industry. If you're PCI, that may be different than if you're dealing with HIPAA or health care-- that may be different than Sarbanes-Oxley. But there are certain things that are common, I think, across multiple customers, and I've listed some of them in the Q and A.
Yeah. You know, I'm kind of bouncing all over the place. We're being just hit with so many questions, and I apologize to the folks that are asking some that aren't quite being answered. And actually, I think we might be running short on time, so I just want to clarify a few other points. But, you know, Curtis, I think this hearkens back to the question about the difference between SEM and its ability to help MSPs. How is SEM deployed? I don't know if we covered that quite yet.
LEM is a virtual appliance. So from SolarWinds, what you would get is the OVA or VHD and deploy that into your VMware or Hyper-V environment. And then, you know, that includes our software, the database, and the operating system for Security Event Manager. It makes setting up the appliance fairly simple. You import it, power it on, give it an IP and the time zone, and basically, you're ready to go.
Awesome. Yeah, thanks for clearing that up for us. I think at this point, what I'll do is hang out on chat for a little while, and help answer any questions. So don't feel like you're getting left out. Keep sending them in and we'll try to get to them at the end of the session today. But thanks so much for all the participation from everyone. So I think I'd like to go ahead and wrap things up. You know, if you're interested in learning more about LEM, visit solarwinds.com/LEM. It's that simple. There you can download a free 30-day trial. Like I mentioned before, it's fully functional. So I encourage you to do that. And also, keep an eye out for our next session, which is on March 1st for another series, another part of our four-part series on Security Kung Fu. The one will be about 'Playing with Firewall Logs.' So there's a lot to read into that. I know we got some questions about what we do with firewalls, so I hope to answer those soon. But this could be a great avenue for you to explore some of that. I don't think that registration is open quite yet for that, but just save that link there, and you'll be able to access it in the future. And we'll also send out an email to you and let you know when it's live, and you're ready to RSVP. And I think that's just about it. So again, I want to thank Curtis and Ian for your time today, and helping me kind of convey the importance of Security Kung Fu. I hope that it spreads out to everyone. One last note for anyone curious about the prizes that we're giving away. There's the awesome t-shirts. We will be contacting our 25 lucky winners via email. So stay tuned, watch your inbox and hopefully, you'll get selected. But always know, if you attend one of our future sessions, you'll have just another attempt at getting one of those sweet t-shirts. So thank you so much again to everybody for joining us. We'll hang out on chat a little while longer and I hope you all have a nice day.