Kemp Technologies LoadMaster and Azure Sentinel

Kemp LoadMaster is a critical addition to any application delivery or general network infrastructure. In addition to features like application delivery, load balancing, SSL/TLS offloading, LoadMaster protects against common web security threats and provides Single Sign-On (SSO) and authentication. When combining Kemp Web Application Firewall (WAF) and Kemp Edge Security Pack (ESP), LoadMaster becomes an integral part of a Security Information and Event Management (SIEM) system that helps protect networks.

SIEM

SIEM technology has been in existence for more than a decade, initially evolving from the log management discipline. It combines security event management (SEM) – which analyses log and event data in real time to provide threat monitoring, event correlation and incident response – with security information management (SIM), which collects, analyses and reports on log data.

SIEM software works by collecting log and event data that is generated by host systems, security devices and applications throughout an organization’s infrastructure and collating it on a centralized platform.

Gartner indicates that SIEM technology is typically deployed to support three primary use cases:

  • Advanced threat detection – Reporting on trends and behaviors regarding user and entity activity, data access and application activity. Threat detection includes incorporation of threat intelligence and business context, in combination with ad-hoc query capabilities
  • Basic security monitoring – Log management, compliance reporting and basic real-time monitoring of selected security controls
  • Investigation and incident response – Dashboards and visualization capabilities, workflow and documentation support to enable effective incident identification, investigation and response

Azure Sentinel is a cloud-native SIEM from Microsoft that allows you to collect data at cloud scale, detect threats and minimize false positives using analytics, investigate threats with Artificial Intelligence (AI) and respond to incidents rapidly with built-in orchestration and automation of common tasks. The Kemp Technologies LoadMaster integration with Azure Sentinel is simple and easy to achieve.

The Kemp WAF provides logs in JSON format and the Edge Security Pack provides Common Event Format (CEF) logs; both are easily consumed and parsed by Azure Sentinel, giving visibility into who is connecting to your application via the LoadMaster and what they are trying to do.

Deploying LoadMaster with the Kemp Edge Security Pack (ESP) enabled simplifies the secure publishing of applications with pre-authentication of clients and Single Sign-On (SSO) to improve the user experience. ESP can be fully integrated into your current authentication and authorization directories, including Microsoft Active Directory.

Kemp WAF

Deploying LoadMaster with the Kemp Web Application Firewall (WAF) enabled as part of your network infrastructure helps deliver defense in depth for your web servers and applications.

Kemp’s Web Application Firewall (WAF) helps to protect your custom or off-the-shelf applications from common vulnerabilities, such as SQL injection and cross-site scripting (XSS). It lets you create per-application security profiles to enforce source location-level filtering, pre-integrated rulesets for common attack vectors and custom rules support. With these pre-defined rules and the ability to create your own custom rules, you can protect all your applications from within the LoadMaster against known attacks and prevent specific traffic patterns from reaching your applications and APIs – all without changing your application or infrastructure. It can also help meet organizational PCI-DSS and data loss prevention (DLP) compliance requirements. Visibility is provided with granular per-application event logging, in-UI statistic visualization and false positive analysis, with rich telemetry to third-party SIEMs.

The Kemp Web Application Firewall (WAF), enabled as part of your network infrastructure, helps deliver defence in depth for your web servers and applications against an ever-changing threat landscape. Our cost-effective solutions allow you to start with the protection you need today, and then scale and grow as the number of users of your applications grows.

Please see video here demonstrating Kemp ESP CEF logs integration with Azure Sentinel.

Please see video here demonstrating Kemp WAF JSON logs integration with Azure Sentinel.

Based on my personal experience, the integration between LoadMaster and Azure Sentinel was easy to achieve. You need to ensure that you install the Azure Sentinel Linux scripts as ‘sudo’ and have some patience for the first syslog messages to appear in Azure Sentinel; this can take a coffee or two, so don’t worry! After that, it is close to real-time, depending on your network connectivity. It is worth investing some time in learning the basics of the Azure Sentinel Kusto language to parse the received information.
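As an added example (not code from this post or from Kemp), here is a small Python parser for the CEF records that ESP forwards over syslog, the kind of record Azure Sentinel ingests and you would otherwise parse in Kusto. The sample line, vendor, product and extension field names are constructed and assumed, not real LoadMaster output; the parser follows the general CEF layout (seven pipe-delimited header fields, then key=value extensions, with backslash escaping).

```python
import re

# Constructed sample: a syslog-prefixed record in the general CEF layout; vendor,
# product and field names are assumed, not taken from real Kemp ESP output.
SAMPLE_CEF = (
    "<134>Jan 10 12:00:00 lb1 CEF:0|ExampleVendor|ExampleESP|1.0|AUTH_FAIL|"
    "Authentication failed|5|src=203.0.113.10 suser=jdoe "
    "request=https://app.example.test/login?next\\=home msg=Bad password\\\\ attempt"
)
HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]
_FIELD_RE = re.compile(r"((?:\\.|[^|\\])*)\|")      # header field up to an unescaped pipe
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # start of an extension key=value pair

def _unescape(s):
    """CEF escapes '|', '=' and '\\' with a backslash; drop the escaping backslash."""
    return re.sub(r"\\(.)", r"\1", s)

def _split_header(body):
    """Consume the seven pipe-delimited header fields; return (fields, extension_text)."""
    fields, pos = [], 0
    for _ in HEADER_FIELDS:
        m = _FIELD_RE.match(body, pos)
        if m is None:
            break
        fields.append(_unescape(m.group(1)))
        pos = m.end()
    return fields, body[pos:]

def _split_extension(ext):
    """Split 'key=value key2=value with spaces' pairs; values may contain \\= and \\\\."""
    out, keys = {}, list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out

def parse_cef(line):
    """Parse one (optionally syslog-prefixed) CEF line into a dict; raise ValueError if malformed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    fields, ext = _split_header(line[start + len("CEF:"):])
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("expected %d header fields, got %d" % (len(HEADER_FIELDS), len(fields)))
    rec = dict(zip(HEADER_FIELDS, fields))
    rec["severity"] = int(rec["severity"])  # CEF severity is an integer 0-10
    rec["extension"] = _split_extension(ext)
    return rec
```

Running `parse_cef(SAMPLE_CEF)` yields the header as named fields plus an `extension` dict, which is the shape you would then filter on (for example by `severity` or `src`) before building a Sentinel analytics rule.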

Contact us today to discuss all your application delivery and security needs.  

References

  1. https://azure.microsoft.com/en-in/services/azure-sentinel/#product-overview
  2. https://docs.microsoft.com/en-us/azure/sentinel/overview
  3. https://www.csoonline.com/article/2124604/what-is-siem-software-how-it-works-and-how-to-choose-the-right-tool.html
  4. https://searchsecurity.techtarget.com/definition/security-information-and-event-management-SIEM
  5. https://www.forcepoint.com/cyber-edu/siem
  6. Magic Quadrant for Security Information and Event Management, Published 3rd December 2018, ID G00348811

David O'Connor

David O’Connor is a Product Manager in Kemp working in Limerick, Ireland. He holds a bachelor’s degree in Computer Engineering from University of Limerick. David has a telecoms background with previous roles in development, customer support and presales with a focus on product-market fit and creating tech products that customers love.