Kemp LoadMaster is a critical addition to any application delivery or general network infrastructure. In addition to application delivery, load balancing and SSL/TLS offloading, LoadMaster protects against common web security threats and provides Single Sign-On (SSO) and authentication. With the Kemp Web Application Firewall (WAF) and Kemp Edge Security Pack (ESP) enabled, LoadMaster becomes a valuable log source for a Security Information and Event Management (SIEM) system, giving it visibility into the authentication and web-application traffic that passes through the load balancer.
SIEM technology has existed for more than a decade, initially evolving from the log management discipline. It combines security event management (SEM), which analyses log and event data in real time to provide threat monitoring, event correlation and incident response, with security information management (SIM), which collects, analyses and reports on log data.
SIEM software works by collecting log and event data that is generated by host systems, security devices and applications throughout an organization’s infrastructure and collating it on a centralized platform.
Gartner indicates that SIEM technology is typically deployed to support three primary use cases:
- Advanced threat detection – Reporting on trends and behaviors regarding user and entity activity, data access and application activity. Threat detection includes incorporation of threat intelligence and business context, in combination with ad-hoc query capabilities
- Basic security monitoring – Log management, compliance reporting and basic real-time monitoring of selected security controls
- Investigation and incident response – Dashboards and visualization capabilities, workflow and documentation support to enable effective incident identification, investigation and response
Azure Sentinel is Microsoft's cloud-native SIEM. It collects data at cloud scale, uses analytics to detect threats and reduce false positives, investigates threats with Artificial Intelligence (AI) and responds to incidents rapidly with built-in orchestration and automation of common tasks. Integrating Kemp Technologies LoadMaster with Azure Sentinel is straightforward.
The Kemp WAF emits JSON-format logs and the Edge Security Pack emits Common Event Format (CEF) logs. Both are easily consumed and parsed by Azure Sentinel, giving visibility into who is connecting to your application through the LoadMaster and what they are attempting.
Deploying LoadMaster with the Kemp Edge Security Pack (ESP) enabled simplifies the secure publishing of applications: clients are pre-authenticated at the LoadMaster before a request reaches the application, and Single Sign-On (SSO) improves the user experience. ESP integrates with your existing authentication and authorization directories, including Microsoft Active Directory.
Deploying LoadMaster with the Kemp Web Application Firewall (WAF) enabled adds a layer of defense in depth in front of your web servers and applications. The Kemp WAF provides continuous protection against vulnerabilities with daily rule updates based on threat intelligence and research from Trustwave, and a Trustwave application rule pack built on their guidelines is also provided. You can adjust these templates as required and create your own rulesets to meet your organization's precise needs.
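As an added example (not code from the original page, nor Kemp's or Microsoft's own code), the script below shows what a SIEM has to do with the two log formats described above: parse CEF records, including the `\|`, `\\` and `\=` escapes that break naive split-on-pipe parsers, load the JSON events, map both onto one schema, and correlate them so that a source address is flagged after repeated ESP pre-authentication failures or when the same address also triggered a WAF block. The syslog prefix, the signature IDs (`ESP-AUTH-FAIL`, `ESP-AUTH-OK`), the JSON keys and every sample line are constructed assumptions for illustration, not LoadMaster's documented output.

```python
"""Parse CEF (ESP-style) and JSON (WAF-style) events delivered over syslog
into one schema and correlate them. Added example for this page; it is not
Kemp's or Microsoft's code, and every field name and sample line below is
constructed for illustration rather than copied from real LoadMaster output."""
import json
import re
from collections import Counter
from typing import Dict, List

# RFC 3164-style syslog prefix ("<PRI>Mon DD hh:mm:ss host ") ahead of the payload.
_SYSLOG_PREFIX = re.compile(r"^<\d+>\S+\s+\d+\s+\S+\s+\S+\s+")
# A CEF extension key is an alphanumeric token at the start or after whitespace,
# directly followed by "=". An escaped "\=" inside a value never matches here.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_HEADER_NAMES = ["cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity"]


def parse_cef(line: str) -> Dict[str, str]:
    r"""Parse one CEF record. The seven header fields are pipe-delimited with
    "\|" and "\\" escapes; the extension is key=value pairs with "\=" and "\\"."""
    payload = _SYSLOG_PREFIX.sub("", line, count=1)
    if not payload.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields: List[str] = []
    cur: List[str] = []
    i = 4  # skip the "CEF:" marker
    while i < len(payload) and len(fields) < 7:
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):  # escaped "|" or "\" in a header field
            cur.append(payload[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    event = dict(zip(_HEADER_NAMES, fields))
    ext = payload[i:]  # everything after the seventh pipe is the extension
    keys = list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        event[m.group(1)] = re.sub(r"\\([\\=|])", r"\1", raw)  # drop CEF escapes
    return event


def normalise(raw: Dict[str, str]) -> Dict[str, object]:
    """Map either raw record onto one schema. The signature IDs and JSON keys
    are assumptions for this example, not documented LoadMaster field names."""
    if "cef_version" in raw:  # ESP-style CEF record
        return {"source": "esp", "src_ip": raw.get("src", ""),
                "user": raw.get("suser", ""),
                "failed_auth": raw.get("signature_id") == "ESP-AUTH-FAIL",
                "detail": raw.get("msg", "")}
    return {"source": "waf", "src_ip": raw.get("src_ip", ""),  # WAF-style JSON
            "user": "", "failed_auth": False,
            "detail": f"rule {raw.get('rule_id', '?')} on {raw.get('uri', '')}"}


def load_events(lines: List[str]) -> List[Dict[str, object]]:
    """Strip the syslog prefix and dispatch each line on its payload format."""
    events = []
    for line in lines:
        payload = _SYSLOG_PREFIX.sub("", line, count=1)
        if payload.startswith("CEF:"):
            events.append(normalise(parse_cef(payload)))
        elif payload.startswith("{"):
            events.append(normalise(json.loads(payload)))
        # any other payload is neither format we expect and is skipped
    return events


def suspicious_sources(events: List[Dict[str, object]],
                       threshold: int = 3) -> Dict[str, List[str]]:
    """Flag a source after `threshold` ESP auth failures, or when the same
    address has both a WAF block and at least one ESP auth failure."""
    fails = Counter(e["src_ip"] for e in events
                    if e["source"] == "esp" and e["failed_auth"])
    blocked = {e["src_ip"] for e in events if e["source"] == "waf"}
    flagged: Dict[str, List[str]] = {}
    for ip in set(fails) | blocked:
        reasons = []
        if fails[ip] >= threshold:
            reasons.append(f"{fails[ip]} failed pre-auth attempts")
        if ip in blocked and fails[ip]:
            reasons.append("WAF block and ESP auth failure from same source")
        if reasons:
            flagged[ip] = reasons
    return flagged


# Constructed sample lines (not real LoadMaster output). Note the escaped pipe in
# the CEF name field and the escaped backslash in the DOMAIN\user message.
SAMPLE_LINES = [
    r"<134>Mar 10 12:00:01 lm-esp CEF:0|ExampleVendor|ExampleESP|7.2|ESP-AUTH-FAIL|Authentication failed \| ESP|5|src=203.0.113.7 suser=jdoe dhost=mail.example.com msg=Bad password for CORP\\jdoe",
    r"<134>Mar 10 12:00:02 lm-esp CEF:0|ExampleVendor|ExampleESP|7.2|ESP-AUTH-FAIL|Authentication failed \| ESP|5|src=203.0.113.7 suser=asmith dhost=mail.example.com msg=Bad password",
    r'<134>Mar 10 12:00:03 lm-waf {"ts": "2019-03-10T12:00:03Z", "event": "waf_block", "src_ip": "203.0.113.7", "vs": "www.example.com", "rule_id": "942100", "uri": "/login?id=1%27%20OR%201%3D1"}',
    r"<134>Mar 10 12:00:04 lm-esp CEF:0|ExampleVendor|ExampleESP|7.2|ESP-AUTH-FAIL|Authentication failed \| ESP|5|src=203.0.113.7 suser=admin dhost=mail.example.com msg=Unknown user",
    r"<134>Mar 10 12:00:05 lm-esp CEF:0|ExampleVendor|ExampleESP|7.2|ESP-AUTH-OK|Authentication succeeded|1|src=198.51.100.5 suser=bwayne dhost=mail.example.com",
    r'<134>Mar 10 12:00:06 lm-waf {"ts": "2019-03-10T12:00:06Z", "event": "waf_block", "src_ip": "192.0.2.9", "vs": "www.example.com", "rule_id": "941100", "uri": "/search?q=%3Cscript%3E"}',
]

if __name__ == "__main__":
    for ip, why in suspicious_sources(load_events(SAMPLE_LINES)).items():
        print(ip, "->", "; ".join(why))
```

Running the file flags only 203.0.113.7: three pre-authentication failures plus a WAF block from the same address, while 192.0.2.9 with a lone WAF block is not flagged on its own. In Sentinel the CEF half of this is a query over the CommonSecurityLog table, which already splits the header and extension fields into columns, so the parsing above is what the connector does for you; the correlation is the part you still write.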
Please see the video here demonstrating Kemp ESP CEF log integration with Azure Sentinel.
Please see the video here demonstrating Kemp WAF JSON log integration with Azure Sentinel.
Based on my personal experience, the integration between LoadMaster and Azure Sentinel was easy to achieve. Make sure you run the Azure Sentinel Linux installation scripts with sudo, and have some patience waiting for the first syslog messages to appear in Azure Sentinel: this can take a coffee or two, so don't worry. After that, delivery is close to real time, depending on your network connectivity. It is worth investing some time in learning the basics of Kusto Query Language (KQL) to parse and query the received data; CEF events ingested through the Sentinel CEF connector land in the CommonSecurityLog table.
Contact us today to discuss all your application delivery and security needs.
- Gartner, Magic Quadrant for Security Information and Event Management, published 3 December 2018, ID G00348811