Hello, everyone! Welcome to our cybersecurity dojo for part three of our action-packed four-part series intended to guide you in the mastery of Security Kung Fu. My name is Josh Berman, Product Marketing Manager for SolarWinds Security and Tools Products. And I'll be emceeing today's session.
I have to start off by saying thank you to all of you who have joined us for today's session. And a special thanks to those of you who have made it to not just one, but all of our previous Security Kung Fu events. I want to remind everyone that if by chance you missed out on one or more of our previous sessions, you're in luck. We'll post a link on chat here in a second. We'll provide you with direct access to our Security Kung Fu webinar series page, where you can watch each session on-demand and gain access to a handful of products from SolarWinds' core IT security portfolio, which are available all for free trial. Check it out, and see what you missed. And also, don't forget to use the social buttons on the page to share it on Twitter, and Facebook, and other sites.
For today's session, we'll be discussing how Active Directory changes and events, such as adding users to privileged groups, escalating privileges, and changing user accounts may not only be indicators of malicious activity on the network, but the very actions themselves can create security holes, which may lead to compromises in the future. It's no wonder that many of the top compliance frameworks— like DATA, SOX, HIPAA, PCI DSS, the list goes on— include, in some way, provisions which cite the need for monitoring for such changes in order to maintain a strong security posture and provide for the confidentiality, the integrity, and the availability of data of all kinds.
Before I introduce our Security Kung Fu Masters who'll be guiding today's lesson, I'd like to address a few items pertaining to the format of today's events. We'd like to keep this webinar session to as close to 50 minutes as possible. Although we've planned for a Q&A session at the end of the presentation, I encourage you to submit your questions via the Q&A box, and we'll do our best to address them throughout the presentation. So fire them out there and we'll see what we can do.
Now, before we dig too far into things, I want to remind you all that there is a very awesome giveaway happening today. For 25 lucky individuals out there, we'll be awarding you with your very own Security Kung Fu t-shirt. There's no better way to demonstrate your mastery of the art of security kung fu than wearing one of these bad boys around the office. Of course, aside from generally being awesome at your job, but you know what I mean here. Go ahead and hang tight today, and at the end of the session, we'll be able to send out a notice to all of our winners. Oh, and as a reminder: in order to qualify, you must be in attendance for the entirety of today's event, so I encourage you to stay tuned.
What are we covering today? Well, in our previous sessions, we've spent a lot of time focusing on how new threats emerge, somewhat taking an outside-in approach to our view of the network and how hackers think. After we introduce our Security Kung Fu Masters, we'll talk a bit about the threats coming from within. A hacker silently waiting to elevate permissions moves laterally through the networks, and those that are coming from within our own ranks, whether malicious in nature or not. We'll highlight the need for monitoring Active Directory changes to at least identify these actions and how this can contribute to both security and compliance. From there, we'll cover the role SIEM solutions play in the process, which will culminate in a live demo of SolarWinds Log & Event Manager, a log management and SIEM solution capable of aiding your business in this very important task.
To follow, though, is a bit of wrapping up and of course our Q&A session, where we'll get to some of your questions if we don't answer them on chat. As noted earlier, this event marks the third installment of our four-part series. For details regarding the next session, titled Security Kung Fu: Security vs. Compliance, which will take place on May 4th, be sure to visit our webinar series page, which is pictured there on the slide, and RSVP today.
I'm really looking forward to this session and I hope you are too. So, I would like to introduce you to a few folks. As Product Manager for SolarWinds Security and Portfolio, Jamie Hynds draws on years of experience, serving in a variety of roles such as the sales engineer for SolarWinds core IT products and IT auditor and security consultant for Deloitte, among others. In each capacity, he has assisted businesses in the adoption of technologies that enhance security, meet regulatory IT compliance, and pass audits for a broad array of compliance frameworks. Thanks, Jamie, for joining us.
Thanks Josh. Happy to be here.
Along with Jamie, I have Ian Trump. Ian is a thought leader in IT security. His 2016 in-depth analysis of cybercrime and threats of the future was featured in industry publications such as SC Magazine, Infosecurity, the Times, USA Today, and many, many more tier-one publications. Ian understands the mentality and approach of hackers and often shares such insights on Twitter. I encourage you to follow him there. Gentlemen, thank you both for joining us. Ian, thank you for joining us, I'm going to pass things over to you here shortly. One second.
All right, Josh. All right. Well, thank you so much, Josh, for your kind introductions. This is really exciting for me because I am live right now from the Chicago Annual Members Meeting for CompTIA. And shortly after this, I get to go on stage and talk about the thing that I love the most, which is IT security. And how important this stuff is that we're going to talk about today.
One of the most, I think, pertinent pieces of information is to look at how hackers are getting into systems. And we're talking about the penetration of perimeter defenses, which seem to be increasingly easier to do. I mean we just saw, with Vault 7 and the disclosures from the CIA data dump, that there is an exploitable vulnerability on 300 models of Cisco routers, firewalls, and switching. When you look at this particular situation, you're sort of one vulnerability disclosure away from having a bad actor in your system. And that bad actor can do a lot of damage.
When you look at the Verizon data breach report, they go in-depth, and in a lot of cases, we're talking 93% of cases, it took attackers minutes or less to compromise systems. The reality that we live in today is we are one click away from getting our systems hacked. In a lot of cases, that's a ransomware attack.
In other cases, especially in regulated industries, financial verticals, pharmaceutical industries, really, what we're talking about is intellectual property theft. We're talking about the compromise of systems that can be easily monetized. So, that's either with the information, the personally identifiable information of people that can be then sold on the criminal underground. But essentially, if you can't detect somebody in your network, you are going to be in very, very difficult straits when it comes to being publicly acknowledged as having had a bad actor in your system.
One of the reports that I frequently cite is the Mandiant report that talks on average, approximately 200 days is the time that the bad guys have been in a system gathering the information that they need in order to monetize that illicit access. Again, that could be databases of credit cards, it could be installation of malware that is grabbing information, or simply just looking through the organization to find data that is unprotected or that is important to the organization. We've seen in the past, many law firms that have been infiltrated and important information pulled from that law firm and then used in everything from stock manipulation to extortion and bribery attempts.
Now, Active Directory is really, I'm going to say, a hive of activity inside the network perimeter. In fact, Active Directory, properly implemented and monitored, will give you visibility on any sort of threat. And that can be malicious activity, negligent employee behavior, a simple situation where, even though there might be policies and procedures in place, a backup copy of an SQL dump, for instance, ends up on an unprotected endpoint that isn't encrypted. That contains PII information. There are all sorts of different scenarios that can lead to a data breach, either by a malicious actor or accidentally. The idea behind the combination of LEM, the SIEM solution from SolarWinds, and a robust, healthy Active Directory gives you visibility on those issues.
The other piece of the pie that I think is really important is to understand that Active Directory breaks. We may have encountered situations where our time synchronization has gone sideways on one domain controller, a condition known as journal wrap, where a domain controller goes into a read-only mode. All kinds of craziness, like being able to log in at one workstation but not log into another. We've seen things like the PDC battling for who is going to be the master browser of the network. There are a number of different scenarios inside Active Directory that it is absolutely critical that you are aware of, that these particular problems are taking place.
Even though the focus of today's webinar is really on the security side of Active Directory, I think it's important to understand that security in this context can be availability--can be the ability to allow your users access to the data that they need. So, when you look at the broader picture of security, which is that confidentiality, integrity, and availability triangle, the role of Active Directory becomes absolutely central to managing that security, ensuring that integrity, and making sure that systems are available for folks to log in to.
Now, one of the most exciting revelations of hacking came to us recently in an indictment of two Russians, I believe, and one Canadian, and this indictment was handed down from the U.S. Justice Department about the hacking of Yahoo. Now, just to bring you up to speed, this whole case really has been, I'm going to say, important to the security community for a number of different reasons.
First of all, no big surprise that the original attack vector in this attack was a phishing email. But this phishing email installed a remote backdoor in the system, that then allowed the hackers to ravage through Yahoo's infrastructure and do a number of different things: look at and monitor, illegally, user accounts, create users in the actual system, attempt to steal various pieces of intellectual property that Yahoo had— specifically, getting away with the sign-in keys. So, one of the tragedies of the Yahoo data breach was they did not protect the most important intellectual property they had, which were the sign-in keys, which are used to make session cookies. As a result of that disclosure, what happened is, the evil hackers were able to duplicate those session keys and hijack, at will, any session on Yahoo's server.
Now, the ramifications of the Yahoo data breach, as you know, have done a number of things. One, it cost them huge amounts of money because of the disclosure of these hacks. I would say brand and user-trust reputation also suffered significantly. Marissa Mayer, who was heading up Yahoo, was forced to resign and also didn't collect her 25 million or so bonus as a result of the shoddy security at Yahoo. There was other activity taking place within Yahoo as well; it's all wound up in the indictment. I highly recommend it as an excellent case study on why you need internal monitoring of systems. And in the small-medium business world, that internal monitoring of systems is really all about monitoring that Active Directory environment. And so the parallels between what happened in Yahoo and the huge ramifications that it had, for all the professionals that are working there, for all the shareholders that were counting on a big payday and had to accept a much smaller payday as a result of the security. This case study has profound ramifications in cybersecurity.
Let's talk a little bit about why the actual need for monitoring Active Directory. Well, as I pointed out, Active Directory is the— I'm going to say, the hive, the lifeblood of your network. And what we're seeing, especially when it comes to regulated industries, financial industries, law firms, and things like that, is these are not simple ransomware attacks anymore. These are attacks where the bad guys get in and they take their time looking for things of interest.
One of the stats that we pulled out here, again coming from Mandiant, on the 2017 data breach, over 500 days from the time of compromise to detection in the EMEA region, okay? That's Europe, Middle East, and Africa. 146 days is the global average. I need to point this out, that this is going to be a very important number moving forward, because of legislation such as GDPR, and state legislation that requires the disclosure of a data breach or regulatory action could follow. So, what Active Directory monitoring does give you is the ability to detect breach and detect the bad actors in your network in a far shorter period of time than these global averages that we're seeing. And this really becomes important for your business, for your brand, for your reputation, for the protection of your customers, but also the protection of your employees.
We're seeing the fact that employee accounts, especially employees with privileged access to particular systems, are being targeted. And being able to detect when something has gone off the rails with those privileged accounts becomes really important. Conversely, access to privileged data, especially using the Windows Active Directory audit functions, now becomes a situation where you have a canary that will start barking alerts at you if it starts to see a whole bunch of information that should be very protected in your organization starting to be accessed in a sequential way. Activity in Active Directory can equal compromise and I think that's the most important takeaway today.
The other issue is that we've put a lot of faith and trust in that perimeter defense, in things like our antivirus and other security tools that we've deployed throughout our network. The problem with a penetration of your Active Directory and an actor who manages to elevate privileges, like Josh showed us, becomes an issue because they now have the ability to globally turn off those defenses. And that should send absolute chills up your spine. Because at that particular point, it is simple to send out a group policy object that is malicious that either changes permissions, degrades the security, such as turning the Windows firewall off, and possibly even stopping your protection software. So, whatever you have on your endpoint, a GPO can be pushed out to say "kill that service" and all of a sudden now, all of your endpoints have become vulnerable because Active Directory has been compromised.
What are the most important areas to look at? Well, certainly my partner in crime is going to go through a lot of these in his demo. But more importantly is to get an idea of where to start. Because there is a tremendous amount of information available in the Active Directory logs and all of the activities that are going on. Part of this webinar today is really going to be about what to look out for.
Now, new user creation is probably the number one smoking gun if you weren't the one, as the network admin, creating that user. [Laughs] So certainly, in small/medium business, alarm bells would go up if a new user has been created on the system that the IT folks don't know anything about. Certainly, absolute smoking gun that something has gone tragically wrong. User lockout events, user-enabled events— these, again, should be under the purview of the help desk or under the purview of the IT.
Lockout events can indicate a number of bizarre circumstances. One, internally, you can have a situation where a user has been locked out of an account because of account expiry and if that account happens to be a dedicated user—a lot of folks make a backup account, forget that it will expire and then, all of a sudden, their backups are not working any more. So, being on the lookout for these kinds of lockout events is very helpful.
In our world of apps, where you have your email tied to your user ID on your phone and your email and your user ID is a password in Active Directory, it's all integrated. One of the problems I've seen, and I actually suffered from this a week ago, was my phone had a different password than my domain account. What happened was, because the phone kept trying that wrong password, guess what? It locked me out of my account and I had to call the help desk and they had to remove the lockout. So again, was it malicious? No, but it was one of those things that strikes the availability. I couldn't get at my email for 10 minutes. I started breaking out in a sweat and it was awful. Again, things like deleting users are our concern, especially if you don't have a process in place in order to facilitate the sudden deletion of users, can indicate some very scary things going on.
And then of course, authentication events: user logons and failed logons, the big one being failed logon attempts. A lot of older systems, especially Windows 2003, the administrator account did not have a provision to be locked out after failed logins. What this meant is, if you exposed either web access or remote desktop in Windows 2003 on the internet, a protagonist could brute force those accounts all day long and there would be no lockout.
In hosted systems where you may have a VPN portal that is a standalone, in the demilitarized zone of your network, VPN attacks where they are continuing to brute force a VPN password, sometimes don't even show up in your login event monitoring. So, it's really important to look at both what's going on, at say the firewall, or any services here in DMZ, and correlate that to Active Directory events so that you have visibility on that full spectrum.
Again, though, sort of Active Directory being the keys to the castle. When we talk about things like group changes and stuff like that, we see where the hackers may take an existing compromised account and try to do something called privilege escalation or move it into a new group, or disable security, changes in group policy, changes in audit policy, things like that in order to protect their tracks. Interestingly enough, one of the other important things to monitor for is the clearing of logs. Because once the bad guys have gotten in and done a whole bunch of stuff, what they may want to do is try and clear the logs to cover their tracks, to erase the fact that they got into the system and did a whole bunch of stuff. This is where the SIEM technology really helps because it is doing it in real time. It's collecting that information in real time. So suddenly, if there's no more information to collect, that is certainly an indication of a problem. And, finally, the password reset process.
Again, you have to make sure that you are verifying that these are legit requests. I mean, I had to sort of authenticate and give them my particulars when I contacted the help desk. Who is your boss? Do you mind if we check with him? What is your telephone number? Do you mind if we call you back? Just to make sure that I was who I said I was.
The other issue that comes into play is compliance. And Jamie is going to take you through a number of different compliance reports that we have in the SIEM LEM product. But I really want to push this because not only is a LEM SIEM solution going to help you deal with that threat, deal with a hacker that gets inside your systems or a user that's making a mistake or even a malicious user— you have a responsibility to maintain your compliance, as well. The only way to do this is to log certain events in your system, so that you can demonstrate that you're doing the necessary due diligence. We go through a lot of them: PCI DSS, HIPAA, SOX, et cetera. Jamie will go into a little bit more depth on the reporting capability that we have and the best practices when it comes to our monitoring.
And with that, I am going to pass the baton over to— I think, over to Jamie, and we'll take it from there. So, thank you very much for part one and now we have the fantastic demo from Jamie.
Hey Ian, this is actually Josh. I'm going to hop on real quick. I think we're going to fire off a quick poll to get some information from the crowd here while we get things set up on our end. Everyone, if you could please participate, we'd be interested to find out your feedback. Actually, what we plan to do is, based on the aggregate of responses that we've received from this event and our past two webinar sessions; we'll kind of use that to guide the conversation for the fourth and final installment of our Security Kung Fu webinars series, which is going to be focused on security and compliance.
I see some results coming in but I encourage everybody who's out there and listening to please participate in the poll. Shortly after that, I think we're going to launch one other poll question before we get started with Jamie's part of the presentation.
Hey guys. Thanks for a fantastic presentation. First of all, my name is Jamie Hynds. I'm the Product Manager for the SolarWinds Security Portfolio. Today, we're going to touch on monitoring Active Directory changes in Log & Event Manager, which is our SIEM solution.
So AD is probably the front line for a lot of organizations when it comes to trickery, and it's going to be vital to monitor changes, and track changes in that. Ian mentioned that activity in Active Directory can also be a sign of compromise. So, having a tool in place to actually monitor that in real time and send you notifications, and even automate actions on that, is important, because it's quite difficult to do in terms of monitoring event logs manually, et cetera.
So, what Log & Event Manager does is, it collects event logs from your Active Directory controllers, as well as lots of other Windows servers, Linux machines, Syslog devices, et cetera, but for the purpose of today's webinar, we're going to put prime focus on Active Directory. The way it works is you install an agent on your Active Directory server and from there, then, we can get the logs in real time from memory sent to the Log & Event Manager appliance. With that then, you can view the logs in real time, you can look at historical logs, and you can also analyze logs in real time, as well, to monitor for any malicious activity.
Some of the event logs that Ian mentioned in particular there, are around for things like account changes, group changes, authentication events, et cetera. So, with the Log & Event Manager, you get lots and lots of out-of-the-box features in terms of looking at filters here, for example. So, you're not just getting event logs and starting out with a blank canvas as such. We actually have lots of pre-built reports, rules, filters already built, et cetera, to help you get started.
So here you can see, very easily on the left-hand side here, we have some authentication filters out of the box. For example, I can look here and I can see some remote user logons and this is coming from DC01, from my domain controller in this case. I can see myself actually, Jamie Hynds, logged in, at this date and time, to this machine. Interestingly enough, it will also capture the event ID. So, I know in the previous guide there, we include lots of event IDs. So, if you're not sure of particular key words or event names, et cetera, you can monitor in LEM using event IDs as well.
So, in this case, like a remote logon particular to event ID 4624, you can very easily create your filters based on that as well. And I can see here, in this case, we'll also include the logon type. So you can see remote logon corresponds with my remote user logons here. So, the great thing about having a tool such as Log & Event Manager is that all the event logs will be normalized. So rather than trawling through your event viewer windows and trying to make sense of what's happening, as you can see with Log & Event Manager, we actually split these out in different fields. You can see very easily the user logons, here some event info, here's the machine name, the time, source account, et cetera, is all split out into different fields. So, it makes it a lot easier to read, and it's a lot more human-readable, rather than looking at event logs, in their native format.
So equally, down here under the Change Management section, we also have lots of useful filters, which capture lockout events, which Ian spoke about there a few moments ago. So, for example, in a group changes scenario, I can see here, since I've logged into the console here, here's all the various different group changes that have occurred. The ones that might be of particular interest are maybe users that have been added to the domain admins. That's going to be a cause of concern. I can see here, this user here was added to this group, administrative group. What's very important to monitor is source accounts. So, as Ian mentioned, if it's maybe a user that isn't an administrator. Why is this particular user adding this user to the admins group? So you could actually monitor for anything, for a source account, that is not equal to administrator. So, you can monitor for that kind of activity as well.
Equally, maybe, you want to see people that were added to a group and then removed from the group a few minutes later. So maybe someone was giving an inappropriate access for a few minutes; maybe just did something malicious and then were moved back into their original group again. That could be suspicious. There's lots of use cases there, in terms of monitoring these logs.
We can also look at user account changes. So, if I want to see things like password changes, or account re-enabled, et cetera, these are all monitored in here as well. Just to give you an idea of how quick this happens, so we're not waiting for days to index, and we're not polling data every 10 minutes, or anything like that, it's all in real time. So as soon as an event happens via the domain controller it's going to hit the Log & Event Manager.
As an example, if I was to take this user here, I can then maybe, say my filter here, my user-deleted filter, if I come in here and just delete this user. [Whispering to self] So, I can then see immediately, I can see that user was deleted and I can see all the various information. As you can see within literally milliseconds, you're getting that data into the Log & Event Manager appliance. We're not doing polling every few minutes or waiting for data to be written into a database. It's all in real time.
Down here then, I have some filters. You know, if you're looking at password resets, you want to ensure that users are resetting their passwords. You want to look at account lockouts and here I can see all my account lockouts, et cetera. Makes it very easy to see what's happening in real time. We can also display this information on the dashboard as well. So, if you wanted to see something like change event management by type, I can see here, here's all the various different events that have occurred related to Active Directory change monitoring. And I can see there's some new group members. I can see there's some user enables, so I want to see what users were enabled. Click in here and I can see straightaway, here are the users that were enabled. This could be a concern if maybe someone has left your company and they're disabled and then for some reason or another, someone has come in and re-enabled that account, and has used it maliciously.
So with my experience in my job, and I know one thing we always looked at was joiners, movers, and leavers. You want to ensure that someone joins the company, they have the correct access. If they leave the company, that accounts are disabled in time, et cetera. So as you see here, if someone has left the company but yet they've been re-enabled, that's going to raise a red flag from both the security and compliance point of view immediately. So that's kind of how we look at the recent events log, in terms of visualizing those and looking at your events as they come in.
But equally, from an opposing point of view, you're going to want to see what happened, when, where, and who did it. For that, we have this section here, called the nDepth section, and that allows us to very easily search through events historically, based on custom queries you can create here using this drag-and-drop interface. Or also, you can just type in keywords. We'll also have lots of saved searches here and you can create your own custom searches. So I can see I have a search here for change management events for the last week. I can come in here and see all my various, different event names.
So, if I wanted to see, for example, there have been some new domain members. So, there'd be a certain number of users created. So, you want to run this report, maybe once a week, and you want to see which accounts were created, who were they created by, and was it appropriate that they were created, which groups they are part of, et cetera. All this kind of analysis can be done here within the nDepth section. So I can look for new domain members, and then, once the search is complete, it will then show me here's my new domain members. So, this case, I can see three domain members, and I can then, using the time up here, I'll be able to see what day they were created, what time they were created.
So, it's often very useful in terms of monitoring for any out-of-hours activity. You can actually set your time frames up here and say, you only want to see event logs that were created in Active Directory between the hours of 9:00 p.m. and 9:00 a.m. So it could be someone trying to perform malicious activity out of hours, thinking it could go unnoticed. From here, I can see for the last week, new domain members. I can see immediately of what the account names were, where they're created from, what time, and the source account ID that actually created the account. In this case, it's the administrator. You can very easily, with one or two clicks, get the information you're looking for from a historical point of view.
You can also schedule this to run. So, I could say I want to schedule this report to run once a week, every Friday afternoon. When it comes to audit time, you have all these reports saved to make it very easy if an auditor wants to see. "Show me all new accounts created on this particular week." You can very easily go to your directory, pull up the report for that week, and you can then see, here's the accounts that were created, here's the accounts that were disabled, here's any group changes, and then justify why they were appropriate changes.
You can also leverage the, in-built correlation rules, which is where Log & Event Manager really comes into its own in terms of monitoring for activity and also, actually creating active responses around that. Again, much like the filters, we have lots and lots of out-of-the-box builds for that. As an example, you can see user account changes and I have a rule here, out of the box, to look for user added to group. So, if an administrator, I want to get an alert immediately to show me that a particular user has been added to a group, I can then get that alert within a few seconds of the event happening. In this case, the correlation is going to be: new group member, member added to group. If that happens once in 30 seconds, I want to send an email to whichever user you want or group of users. Equally, you could adjust your correlation time and say I only want to see if there's increased activity such as three users being added to the same group in 30 seconds. That could be cause for a concern.
Equally, it's very, very easy to customize the filters. So if you wanted to, let's say, add a condition to this filter to say if there's a new group member, but I only want to monitor one particular group. So, you don't want to be bombarded with alerts that say that users are added to lots and lots of different groups. I could say I only want to focus in on any group that contains the word 'admin.' Be that the main administrators, the admin group, administrators group, et cetera; this is what it currently captures. I can then see I'll now get an alert every time someone's added to the admin group, which is going to be quite important to monitor.
Equally, if I come back to Group Changes, again, you can see it says new group created, and down here on the bottom, we have all the various different templates that are included with the product. So, if there's users added to group, removed from groups, machines changed. We also have Policy Changes, which is quite important. So, if there's any group policy modifications, or equally, if someone adjusts an audit policy. So someone might think they're very clever by ensuring that Active Directory changes aren't actually monitored. They'll adjust the audit policy first. If that's the case, you can then have an alert say this particular user changed the audit policy, which might indicate they're trying to hide something they're doing.
Equally, on that point actually, if someone cleared an event log, so someone goes into your domain controller and tries to remove an audit log, so they can clear it, you can actually catch that in LEM also. So, it'll be an object release, maybe the system log, or the security log was cleared, was done by me, at this date and time, et cetera. Not only can you get an email alert, we can actually also make changes within Active Directory as well, which can be very, very powerful. In this case, my action— and there you can see rules I've shown you thus far—is going to be an email alert.
But as you can see in the bottom left here, we also have actions. So we have lots of different rules or, in fact, actions that we can take based on an event happening. In here, you can see there's lots of Active Directory-centric actions we can take, such as you want to maybe add a user to a group. So something happens, you want to escalate their privileges temporarily, maybe, and add them to a group. Or equally, on the flip side, you can remove them from a group. If the user does something malicious, I can come in here and say, because they've done this, I want to flag them for removal and then, tied to the agent on the domain controller, we can then remove that user from the group.
We can also disable accounts. If you want to disable an account or you want to maybe delete a user group et cetera, or delete a user account, there are lots and lots of actions we can take directly from LEM in Active Directory. In Active Directory, you can also stop services, you can shut down machines, you can kill processes. Maybe you don't want users or administrators running certain processes or certain services, on your Active Directory domain controller, so you can then come in here and actually say, any time an admin or anyone tries to start a particular process on my domain controller, I can then kill that process automatically. So, it's very, very powerful in terms of mitigating against any malicious activity. As soon as that happens, we can not only notify, but also respond, using any of these various different actions. So we also have lots of reports out of the box as well, so I just come in here to the reporting tool. The reporting tool is a Windows application, so it's a bit separate from your LEM console, but you can install it on any Windows server, workstation, et cetera, and then create the connection into the Log & Event Manager appliance and from then, we have a list of pre-defined reports, which you can run against your LEM manager. On the compliance piece that Ian spoke about, we have lots and lots of reports for various different compliance standards. As you can see here, we have reports for PCI, SOX, COBIT, and HIPAA, GPG13 in the UK, ISO, et cetera, so there's lots and lots of templates out of the box. So say, if I'm looking at just HIPAA as an example, I can then see, here's all the various different reports that come with the product that are going to relate to HIPAA.
So in this case, I can see some authentication reports, change management reports, et cetera. Let's put that in a better view here. You can see on the left-hand side here, here's the reports we have. If you want to look at, maybe, authentication reports from Active Directory, we have lots of reports maybe just showing all user logons, just showing logon failures, such as a key indicator there.
So I can see in the report I've run earlier, I can see here that my top logon users by—sorry, top logon failures by users. So I can see all these various different users and how many failures they have. Straightaway I can see there's quite a number of failures from the guest user. Probably someone tried to guess a password on the guest account, could be concerning. I can then come in here and I can see all the dates and times the event occurred. I can see source machines, event info. Quite important, I can actually see as well the failure reason. I can see, is it because an account is currently disabled? Is it because the user name doesn't exist? Is it because of the wrong password? Et cetera. So we can actually filter based on this. You can filter just based on accounts that are currently disabled, et cetera.
You can also then export those to a number of different formats. So you can see it supports PDFs, HTML, Excel, text files, et cetera. All the common formats are all supported. In terms of a change management point of view in Active Directory, we also have, as you can see here, lots of change management reports also. You can see here, we have change management events for things like user lockouts, user re-enabled, and any group activity, maybe groups that have been created or deleted, and we have one there for new users being created, account lockouts, user added to groups, et cetera.
So again, from a compliance point of view and an auditing point of view, very easy to schedule these reports. If you want the report to show me all events that show user added to group, I then want to schedule that report maybe to run every week and outfit your timeframe and then you can have a great archive of all your various different reports. And you can very easily reference those at times of audits; put the piece of the puzzle back together for a particular time frame. You can reference these reports; they're going to have all your various different event logs.
So, I hope that gives you a good idea of what our Log & Event Manager tool is capable of when it comes to Active Directory monitoring. There is a huge amount of use cases, not just for Active Directory, but monitoring Windows servers, Linux servers, network devices, like firewalls, routers, et cetera, so LEM isn't just tied to Active Directory, but it's certainly a big area which we can help with.
In terms of licensing, it's worth mentioning it's done on a per-node basis. If you have, we'll say, a LEM50 license, that's going to allow you to collect event logs from up to 50 different devices. So it's not licensed based on a log volume. It's done based on per node, which is—it makes it very easy, I guess, in terms of working out how many nodes you have. That's your license requirements; you don't have to be concerned with the data volume we're sending every day or anything like that, because that's the license model there, also.
So I'm sure we have a few questions to give to Josh, do we?
Yeah, let me— let's switch over to the slide deck. And actually folks, we have a poll going on right now, that I'd love for you to help participate in, as we kind of work things over real quick. We got a lot of questions on chat today. I actually managed to handle a bunch of them coming from anyone from customers to individuals that are interested in exploring Log & Event Manager in depth. Also, some very security-focused questions, which I actually have Ian looking into at the moment. He's kind of our go-to on those matters.
How about I ask Jamie a couple of questions here, right off the bat? It kind of came up in chat, but what other SolarWinds products can assist with monitoring or managing Active Directory in some way?
I know we touched on it in a lot of different ways. So, we have a few products, and guides that can assist with different use cases, I guess. So actually, LEM is going to be focusing on your event logs, and change management, et cetera, whereas the Server & Application Monitor is going to actually monitor the performance of Active Directory. The Server & Application Monitor, or SAM for short, allows you to monitor things like process counters and services. You can run scripts, et cetera, to pull back values. That's more concerned with the performance of Active Directory, not just looking at event logs, like Log & Event Manager.
Cool. Well, I've got another question that I thought it might be good to help clarify, but is LEM available as a cloud service or does it need to be installed on-premises?
LEM is installed on-prem, yep. It's a virtual appliance. That makes the deployment super easy. It's just a matter of deploying that virtual template we give you. It supports both VMware and Hyper-V. And then from there, you just create your— assign your agents on your machines to send those to LEM. It's not available as a cloud service, and it's typically installed on-prem.
Okay. I know that Jamie answered a couple of questions while he was talking a moment ago about the pricing structure, or the licensing structure for the product, but if you do have any questions about that, please reach out. Also, I think we'll be firing off another poll question here in a second. I'll keep answering some questions. I hope you hang on the line. I know we're coming up on the full 50 minutes that I promised you, but I think with all these questions, we've got some really good information here still yet to share.
A question came up about LEM in general, whether it was just intended for log collection or aggregation, and the normalization, which is the key feature, of course, of the product. But one of the questions is: What features does LEM include for automatic reporting and alerting on certain events that take place? You kind of showed us some, but I think it's helpful to reiterate.
Yeah sure, so as I said, you're not going to be starting off with a blank canvas in Log & Event Manager. There is a huge amount of pre-defined filters, correlation rules, alerts, reports, et cetera, and LEM has been assisting customers with compliance, audits, and security for a long time. So, it's built up over years of experience in terms of those reports, rules, and et cetera. It's certainly not a blank canvas. There's lots and lots of great content with the product that helps you get started as quickly as possible.
Okay. I don't know if there's anything else that you wanted to touch on at this point. I think, for anybody out there that's been firing off questions the last minute or so, while I've been talking with Jamie, I'll stick around on the line and I'll be able to respond to your questions, if you just keep your chat window open or your Q&A box open, I'll continue to respond to your questions. Keep firing them at us and we'll get to them shortly.
There's one question there, Josh, about file integrity monitoring. If users log onto different machines, can we track what they're doing with files?
Yeah, so Log & Event Manager can perform file integrity monitoring, especially for Windows boxes. What we can do is, you can configure file integrity monitoring directly from the LEM web console. From there, you can decide if there's any particular files or directory or even registry keys you want to monitor. Say there were some folders on your network that have tech-essential information. You can then have LEM monitor those. From there then, you can see if you have deleted files, if they're written, or read files that changed permissions, et cetera. And again, we've got lots of rules, filters, reports, et cetera, based on that file activity. If someone does manage to maybe create and use an Active Directory and log onto a machine, and wanted to read files or make changes, LEM makes it very easy to actually perform that file integrity monitoring on your Windows boxes as well.
Great. Any other last-minute items or anything?
The last question, I think we have that guy there.
Okay, perfect. We'll just move on here with a couple of last-minute notices for everybody. I want to reiterate the fact that LEM and our other products are available on solarwinds.com. We have a patch manager, listed there on the screen, which often contributes to the goal of compliance and security. So, I thought you might want to check that out there. I encourage you to go to solarwinds.com/lem as well, L-E-M. You can download a free 30-day trial of that product as well, the one that we've been highlighting on today's event.
There's also a host of other products that Jamie had mentioned before, which kind of contribute to the goal of monitoring and managing Active Directory, as well as contributing to securing compliance, which will be a topic of our next session, coming up on May 4th. If you're at all interested in that, which you've probably indicated on some of our poll questions, go ahead and go to go.solarwinds.com/kungfu-webcast-series and that's where you can find our webcast series page, and find out more information about our events and also watch our on-demand sessions.
I think that pretty much well wraps things up. If you're still out there and want to ask some questions, please do funnel them through to us. And we'll be sure to get them all answered here while we hang on the line. I want to thank everybody for joining us and I look forward to seeing you at our next session, the fourth and final edition of this Security Kung Fu series.
Special thanks to Jamie and to Ian for joining me today. Everyone have a great rest of the week. Thank you.