With real-time log analysis, SolarWinds Log & Event Manager (LEM) provides crucial visibility into a user's behavior on the network, including web usage, application usage, file access and more. Learn how.

1. 1
User Activity & File Access Monitoring
© 2013, SolarWinds Worldwide, LLC. All rights reserved.
SolarWinds Log & Event Manager

2. 2
Monitoring User Activity & File Access
» With real-time log analysis, SolarWinds Log & Event Manager (LEM)
provides crucial visibility into a user's behavior on the network,
including web usage, application usage, file access and more.
» LEM enables admins to easily identify anomalous patterns,
unauthorized access, and malicious activity.
» Additionally, LEM provides automated responses to instantly
remediate a security threat or network problem.
SOLARWINDS LOG & EVENT MANAGER

3. 3
Example Scenario 1: User Logon Attempts
While it may not seem intuitive to monitor successful logon
attempts, you may want to keep an eye out for a successful logon
after multiple failed attempts or logons occurring after hours, both of
which could signal a breach.
SOLARWINDS LOG & EVENT MANAGER
EXAMPLE:
If there are 50 failed attempts on a server or router followed by a
successful logon, does it imply that the user simply remembered
their credentials? Or does it mean that a hacker finally broke in and
now has access?
LEM can monitor user logons and provide the necessary correlation
to identify a threat vs. normal, everyday user activity. Very
importantly, it does so in real-time. If a threat is detected, LEM can
then instantly and automatically log the user off.

4. 4
Example Scenario 2: Privileged User Access
Elevated privileges are required by some users to do their job (i.e.
network admins, helpdesk support, HR, and Accounting to name a few),
but such privileged access can lead to security threats.
SOLARWINDS LOG & EVENT MANAGER
EXAMPLE:
A database administrator in charge of maintaining the company’s CRM
database starts accessing the HR database containing employees’
confidential data. Is this authorized? Malicious? Regardless, it’s out of
the ordinary for this user’s role and typical file access.
LEM can monitor file access and then correlate the event data to
determine if this is anomalous behavior. So, even though the database
administrator has access, it goes against this user’s typical pattern of
only accessing the CRM database. LEM can then automatically disable
the account or remove the user from a trusted group.

5. 5
Default User Activity Rules
SOLARWINDS LOG & EVENT MANAGER
LEM delivers out-of-the-box activity rules for monitoring key User
actions that could pose a risk to the network.

6. 6
Default File Auditing Reports
SOLARWINDS LOG & EVENT MANAGER
LEM provides real-time and historical visibility into file activity.
Whether it’s notification of inappropriate file access or searching for
the person who deleted an important document, LEM provides quick
and easy access to the event data that reflects file behavior and is
essential for protecting sensitive information.

7. 7
Available User-Based Active Responses
SOLARWINDS LOG & EVENT MANAGER
SolarWinds LEM then goes a step further by providing built-in Active
Responses to automatically respond to a threat, such as logging off a
suspicious user or removing a user from a particular group.

8. 8
Monitoring & Managing USB Device Access
» SolarWinds LEM includes built-in USB Defender technology that
provides real-time notification when USB drives are detected. This
notification can be further correlated with network logs to identify
potential malicious attacks coming from USB drives.
» With LEM’s USB Defender technology, you can take automated
actions such as disabling user accounts, quarantining workstations,
and automatically or manually ejecting USB devices.
» Additionally, LEM provides built-in reporting to audit USB usage
over time.
SOLARWINDS LOG & EVENT MANAGER

9. 9
Adding Authorized USB Devices
» SolarWinds LEM addresses the complexity of providing USB access
to select USB devices with a few simple steps.
• Build a Group of “Authorized” USB Devices
• Identify “Authorized” Devices
• Add “Authorized” USB Devices to a User Defined Group
SOLARWINDS LOG & EVENT MANAGER

10. 10
Adding Authorized USB Devices cont.
» Add the group of “Authorized” devices to SolarWinds LEM
rules using the simple drag-and-drop rule builder interface.
SOLARWINDS LOG & EVENT MANAGER

11. 11
Automatically Detaching USB Devices
» With LEM’s Active Responses, you can automatically detach a USB
or mass storage device from a workstation. This action is useful for
allowing only specific devices to be attached to your Windows
computers or detaching any device exhibiting suspicious behavior,
such as:
• When a computer endpoint gains unauthorized USB access
• When an authorized USB port logs suspicious user activity
• When unwarranted data transfer happens between an
enterprise computer and USB drive
• When USB access on a USB port becomes non-compliant with
organizational policies
• When a USB endpoint is infected and needs to be quarantined
SOLARWINDS LOG & EVENT MANAGER

12. 12
SolarWinds Log & Event Manager
 Log Collection, Analysis, and Real-Time
Correlation
 Collects log & event data from tens of
thousands of devices & performs true
real-time, in-memory correlation
 Powerful Active Response technology
enables you to quickly & automatically
take action against threats
 Advanced IT Search employs highly
effective data visualization tools –
word clouds, tree maps, & more
 Quickly generates compliance reports
for PCI DSS, GLBA, SOX, NERC CIP,
HIPAA, & more
 Built-in correlation rules, reports, &
responses for out-of-the-box visibility
and proactive threat protection
SOLARWINDS LOG & EVENT MANAGER
How can SolarWinds Log and Event Manager help?

13. 13
Thank You!
SOLARWINDS LOG & EVENT MANAGER