A Security Analyst’s Guide to Monitoring Remote VPN Activity in the LogRhythm SIEM

Monitoring Remote Worker on VPN

Remote work is no longer a trend, and is becoming the norm for many companies. Whether your organization has been practicing remote work for a while, or it is just beginning to adopt work-from-home policies, VPN monitoring the ability to track and monitor activity over a virtual private network (VPN) is critical. VPNs are a popular and common way for employees to connect into corporate networks and access resources and data to do their jobs.

In many cases, companies have had to quickly scale their remote working support in response to recent events. This blog post will explore how to use LogRhythm NextGen SIEM dashboards to effectively monitor employees using VPNs while working from home. Are you monitoring the VPN activity of your remote workforce? LogRhythm has a new promotion to help you improve visibility. Learn more here.

What is VPN Monitoring?

As mentioned above, VPN monitoring is the ability to track and monitor private network activity. There are a variety of configurations for implementing VPNs. One configuration is called “split tunneling” where only business data that is required to go over the VPN will, and all other traffic goes directly over the public internet. This configuration eases the network bandwidth load on VPN concentrators, but historically, many companies would not allow split tunneling due to the risk of data loss it presents. While that risk still exists for many teams, companies that have migrated data stores to the cloud, avoid the shortcomings of split tunneling.

If your organization still has a lot of data inside the corporate walls, you need to focus on VPN traffic monitoring to detect suspicious activity and known threats. While IT operations should also focus heavily on remote employees’ VPN usage, their focus should be ensuring there’s enough availability over VPN for employees to access. Insights and visibility are the key starting points for monitoring an organization’s VPN. A security information and event management (SIEM) solution provides alerts is ultimately what both IT operations and the SOC need.

Visualize VPN Traffic Using the LogRhythm NextGen SIEM Platform

VPN monitoring tools, like Juniper’s SSL-VPN solution, is like many VPN solutions when it comes to IT operations and SOC use cases. It can help your team identify what’s normal and spotting what’s abnormal or suspicious and act accordingly.

The LogRhythm NextGen SIEM offers two WebUI dashboards to help IT ops and your team to visualize the log data. The first dashboard is a layout for the events that shows employees accessing the VPN, how often they’re accessing it, and the location of where they are accessing the VPN. When performing a search on events or logs, the results will display in the analyst dashboard that helps show VPN data in a meaningful way. Using the dashboard, you can quickly identify who is utilizing the VPN connection, where the connection is originating, and shows the VPN traffic over time.

LogRhythm NextGen SIEM WebUI of Juniper SSLVPN Analyze Dashboard
Figure 1. WebUI of Juniper SSLVPN Analyze Dashboard

The dashboards enable you to identify key pieces of data to validate and separate legitimate activity from potentially illegitimate activity or other potential anomalies to investigate. Some of the use cases are:

  • Unusual Region (Origin): Either an unusual location that stands out, or possibly an abnormally high activity count that could indicate a large concentration of employees authenticating, or possibly a large set of failed activity like a brute force attack coming from a particular region. Either way, a bottom “X” or a top “X” will reveal activity that you should investigate.
  • Unusual Top User (Origin): Most users will generate few counts here. You should investigate users that generate a large count for possible issues with the client, or configuration settings. You may also spot a rare username that designates it’s a service account, or privileged user account that typically does not log in via VPN. Using the counts, and sorting by top “X” or by bottom “X” will likely reveal users that need investigating.
  • Unusual Activity Found on the Threat Activity Map: Quickly identifying where in the world connections are actually occurring (or being attempted) will help identify locations that should be investigated for unknown legitimate use. For example, where a sales team is traveling to a part of the world that has not normally been observed. Some companies have policies on traveling abroad such as requiring that users contact security before traveling for security briefings, use temporary traveling equipment that is authorized for overseas travel, etc. Identifying legitimate VPN use may reveal other policy violations. Identifying high counts of activity from particular areas of the world might identify a brute force attempt. You will need to spend a little time here to identify what should be investigated, and eventually get a feel for what is abnormal to further investigate.

Investigating, performing pivots, and gathering data will reveal additional use cases that are unique to your business. An additional use case might be that users should always disconnect a VPN session and not let the session timeout. “Max Session Timeout Reached” logs identified in LogRhythm’s “Top MPE Rule Name” widget should be investigated and could possibly result in additional security training to the employee around corporate policy in VPN use.

How to Use the Event or Analyze Dashboards to Find Unusual Logs

LogRhythm’s Event Dashboard and Analyze Dashboard layouts both leverage the same building blocks (widgets) to deliver use cases that help analysts identify and investigate activity. This section of the blog post highlights the similarities of these dashboards and demonstrates how you can use the data presented in the widgets when monitoring VPN traffic activity.

As the name implies, the Event Dashboard only displays event data (logs of high security interest). If you aren’t seeing the data you expect to see here, you may need to set a Global Log Processing Rule (GLPR) to pull events on data they would like to see in this dashboard.

The Analyze Dashboard can display the search results of Events or Logs that span a long period of time. When performing a search, and analyst will need to select the VPN Log Source Type, in this case “Syslog – Juniper SSL VPN.”

LogRhythm NextGen SIEM Analyze Dashboard
Figure 2. Analyze Dashboard: Juniper SSLVPN: MPE Rule Name “Host Policy Check Passed”

Quickly Spot Changes in the Origins of VPN Connections

In the image below, both dashboards have “Top Region (Origin)” widget to quickly see a change in those regions where VPN activity is originating. Investigating a region of interest will show if connections are suspicious over time.

LogRhythm NextGen SIEM Top Region (Origin) Widget
Figure 3. Top Region (Origin) Widget

This screen shot is from the Event Dashboard. Note: In this case, only seven hours of data is shown, which isn’t enough time to determine if the top region being displayed is suspicious. Typically, looking back two weeks will provide relevant insights, so add in 336 hours back to the search criteria before clicking on “Add to Search.”

When viewing the search results in the Analyze dashboard, you can see some patterns, especially in the “Top MPE Rule Name” widget. Although this widget appears in both the Event and Analyze Dashboards, it’s displayed as a trend in the Analyze Dashboard making it easier to see activity of interest over time.

Top MPE Rule Name LogRhythm Dashboard
Figure 4. Top MPE Rule Name Last 14 Days Based on Search Criteria

When mousing over “Session Started,” you see that this volume of activity is normal. There aren’t any obvious spikes that could be suspicious when comparing to the other activities. This Region (Origin) is expected.

Monitor Unusual VPN Activity

Top User (Origin) is another widget that appears across both dashboards. Much like “Top Region (Origin)” widget, the “Top User (Origin)” widget is useful in quickly identifying anomalous user activity.

LogRhythm NextGen SIEM Top User (Origin) Widget
Figure 5. Top User (Origin) Widget

The above dashboard shows that most of the activity has a count of “1.” The anomalous user activity clearly stands out at the top. The analyst would then move to filter the user on the Event Dashboard and open up the search results in the Analyzer Dashboard.

LogRhythm WebUI Analyze Dashboard: Juniper SSLVPN
Figure 6. WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Filtering on Top User from Event Dashboard

The above screenshot shows something apart from the “Host Checker Policy Check Failed” logs. These results are absent of other identified activity like authentication. The primary difference in using this widget is that the focus is immediately on a user of interest. Using the same steps as before, pivot from the most recent log message and go back in time 14 days (336 hours).

Search Criteria from the LogRhythm Analyze Grid
Figure 7. Search Criteria from the Analyze Grid and Timeframe of Last 14 Days

Sometimes, especially when first starting out in discovering your environment, a scenario where in the last 14 days of activity, the same two activities identified are identified, and still no authentication logs will occur.

LogRhythm WebUI Analyze Dashboard: Juniper SSLVPN Analyze
Figure 8. WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Search Results for Last 14 Days Reveals the Same Two Activities Previously Observed

At this point, investigate back further in time. The quickest way to do this is to reuse the previous search and expand the time back. To reuse the search, click on “Search” and then click the pen icon next to the first “Recent searches,” which should display the previous searches.

LogRhythm NextGen SIEM WebUI Analyze Dashboard: Juniper SSLVPN Analyze
Figure 9. WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Last Three Months Search

Now, focus on the Common Event “User Logon” to determine the last time the user actually logged on through the VPN. Filtering on “User Logon” will change the dashboard to display only those relevant logs, making it easier to visualize.

LogRhythm NextGen SIEM WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Filtered on Common Event: User Logon
Figure 10. WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Filtered on Common Event: User Logon

The above screenshot shows that the last time the user actually logged on was approximately February 23. However, the previous screenshot shows a lot of activity associated with the user past this date. You should focus on the logs around the time of the last user login. From the “MPE Rule Name” trend chart, you can select the time around the area of interest to focus in on logs around that time.

WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Focusing on Time of Interest
Figure 11. WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Focusing on Time of Interest by Clicking and Moving Right with the Mouse Across the Timeline

This will create a new time-based filter. Next, remove the other filter of “User Logon” to see the other logs around this time. The below screenshot shows a set of activity that paints a picture of normal activity, including a “Session Started” and “Host Checker Policy Check Passed.” When the connection is open too long, you’ll see a “Maximum Session Timeout Reached” message.

WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Focused on Logs Around Last "User Logon" Common Event
Figure 12. WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Focused on Logs Around Last “User Logon” Common Event

At this point, engage with your ITOps team to collaborate on the investigation. By understanding the last user logon timeframe, ITOps should be able to determine what changes were made, and if those changes were part of change control. Determining if the change was part of a change control process will likely be the determining factor in declaring this investigation an incident or not.

Monitor Spikes in Failed VPN Activity

Top Common Event is another widget that appears across both the Event Dashboard and Analyze Dashboard. The Analyze Dashboard also contains a filtered widget to highlight “Failed” Common Events. Failed activity, in general, is likely something to investigate further to determine if the failure is due to a security issue.

The Common Event view in the Event Dashboard is in a trend view. It shows trends of interest that would require further investigation. Focus in on a failed Common Event first and visualizing the trend chart. Investigate the spikes of failed activity first.

WebUI Dashboard: Event Dashboard: "Host Checker Policy Check Failed"
Figure 13. WebUI Dashboard: Event Dashboard: “Host Checker Policy Check Failed”

Filter on “Host Checker Policy Check Failed” to investigate further on the Analyze Dashboard. From here, perform additional pivots like earlier to determine if this activity is suspicious in nature.

WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Filtered on "Host Checker Policy Check Failed" Common Event
Figure 14. WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Filtered on “Host Checker Policy Check Failed” Common Event

In the Analyze Dashboard, you can quickly spot that there are three users failing with a variance in log counts.

WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Filter out Top Region (Origin) California
Figure 15. WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Filter out Top Region (Origin) California

The above dashboard shows that there is one specific user in Colorado failing. Investigate if the user was successful after failing.

Figure 16. Searching Based on Inspector “Add to Search” Criteria, +/- 1 Hour

Then open the search results in the Analyze Dashboard to view all the logs involved with the user’s VPN activity including the “Host Checker Policy Check Failed” Common Event, as well as “User Logon” Common Event.

LogRhythm WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Highlight Host Checker Policy Check Passed on MPE Rule Name Widget
Figure 17. WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Highlight Host Checker Policy Check Passed on MPE Rule Name Widget

The three MPE rule names above show that, although the user had trouble authenticating at first, the user was able to authenticate successfully. The system passed the policy checks, determining it was authorized to access the VPN network. Therefore, no security incident occurred, and no follow-up with IT operations is needed.

Uncover Why VPN Connections are Failing

Both the Event Dashboard and Analyze Dashboard have a “Top MPE Rule Name” widget, which provides a detailed description of what each log actually represents. On the Event Dashboard, it is being displayed as a top count while on the Analyze Dashboard, it is being displayed as a trend chart. Much like the “Top Classification” widget, this widget provides a granular view of the events or logs observed. It provides insights into reasons why VPN connections are failing, such as a non-trusted device or an attacker-controlled device trying to access the VPN. This widget also gives ITOps insight into why connections are failing operationally (availability and usability).

LogRhythm WebUI Event Dashboard: Top MPE Rule Name Displayed in a Bar Chart Count
Figure 18. WebUI Event Dashboard: Top MPE Rule Name Displayed in a Bar Chart Count

Review the trend chart of “Top MPE Rule Name” for any suspicious activity that stands out. The trend chart is set to display the data in a logarithmic view. The logarithmic view is good to quickly see activity with low counts compared to activity with high counts.

Figure 19. WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Top MPE Rule Trend Last Three Months

Hovering over the top activity name in the list displays the most common activity. The interesting data point is where the count seems to unexpectedly go to zero.

Figure 20. WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Authentication Key Exchange Highlighted

Zooming in on that timeframe will provide a closer look. Select the time of interest in the trend chart will create a time-based filter. Then highlight the activity as before to see the pattern compared to the other rules.

Figure 21. WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Time Filtered: Authentication Key Exchange Highlighted

In reviewing the logs, switch to the “Log Message” view under “Details & Actions” to see the actual count in the log message. In this case, it’s “Number of NCP connections: 0.” The lack of activity is indicative that no users are logged on at the moment. But something else during that timeframe stands out when you highlight the rule name “SSL Negotiation Failed.” The activity is occurring between the gap when no users are logged on.

Figure 22. WebUI Analyze Dashboard: Juniper SSLVPN Analyze: Highlighting “SSL Negotiation Failed” Activity

Filter on this rule to display it in the Analyzer Grid. This action shows two logs, both with the same “Host (Origin)” IP address.

LogRhythm WebUI Details & Actions Display of the "SSL Negotiation Failed" Log
Figure 23. WebUI Details & Actions Display of the “SSL Negotiation Failed” Log

Pivot off of the “IP Address (Origin)” by clicking the gear icon next to the IP address in the Analyzer Grid to add it to the Inspector in order to see what other activity has occurred recently. By looking +/- 48 hours on the IP address being in the Origin or Impacted fields.

Figure 24. WebUI Inspector Populated with IP Address, Changed to Search in Origin or Impacted, and +/- 48 Hours

From here, click on “Search Now.” The results appear to be suspicious in nature when viewed on an Analyzer Dashboard that shows Common Event, Host (Origin), Host (Impacted), and TCP/UDP Port Impacted. Based on Common Events observed — such as “Traffic Allowed by Network Firewall,” followed by “Inbound Time Wait Established,” and then “Inbound Time Wait Closed” — in such a short repetitive order combined with the TCP/UDP Ports of 443 and 80, this would appear to be scanning activity.

Figure 25. WebUI Analyze Dashboard: Customization to Show Common Event, Host (Origin), Host (Impacted), TCP/UDP Port (Impacted) and Zone (Origin)

This is likely an incident and reconnaissance activity. Engage your ITOps team to block the origin IP address.

WebUI Event Dashboard: Threat Activity Map

The most noticeable difference between the Event Dashboard and the Analyze Dashboard is that the Event Dashboard contains a Threat Activity Map. This map is not available in the Analyzer Dashboard. The Threat Activity Map allows you to not only focus on areas around the world quickly, but also gives you the ability to zoom in on a particular area on the map. This helps you to further identify suspicious activity quickly when comparing locations in the “Top Region (Origin)” widget.

Figure 26. WebUI Event Dashboard: Juniper SSLVPN: Threat Activity Map

In the above Threat Activity Map, most connections are occurring in the western United States. This is to be expected in our example. To see a more detailed view of origin locations in the United States, zoom in on the map. Instead of just showing the majority of connections are coming from the Western United States — Washington, California, Iowa, Kentucky, Texas, and Colorado — LogRhythm’s headquarters — are showing.

Figure 27. WebUI Event Dashboard: Juniper SSLVPN: Zoomed on United States: Threat Activity Map

Zoom in further to see other dots on the map indicating connections from those areas like Utah and Nebraska to name a couple that were grouped together in the previous screenshot.

Figure 28. WebUI Event Dashboard: Threat Activity Map: Activity Near San Jose

The Analyzer Dashboard can also show the RBP value under the “Priority” widget and a Common Event trend widget to view the results. Filtering on the high RBP value quickly uncovers the highest risk that needs to be investigated further.

Figure 29. WebUI Custom Analyze Dashboard Displaying The “Top Priority” And The Common Event Trend Widgets

In this case, the user was not listed in the Juniper SSLVPN Events Dashboard. The activity should still be investigated, but not at this time, because it is not related to the VPN activity you are currently investigating. Performing comparisons like this will help answer questions quickly that should influence decisions. For example, if the user was found on the VPN Event Dashboard at the high end of the risk scale, there could be a corporate breach. Knowing that incident level is unlikely helps inform what should occur next, including performing an investigation more around the endpoint, and possibly cloud-based activities like Office 365.

WebUI Dashboards

Up to this point, the WebUI Event and Analyze Dashboards have been shown in segments. This is what the dashboards look like in their entirety. The dashboards are designed to flow information from a high level like “Region (Origin)” to a very granular level right like “MPE Rule Name” (specific activity descriptions). Color indicates areas that require attention, like failed Common Events in the Analyze Dashboard.

Figure 30. WebUI Dashboard: Juniper SSLVPN ‘Events’ Top Section
Figure 31. WebUI Dashboard: Juniper SSLVPN ‘Events’ Bottom Section
Figure 32. Juniper SSLVPN: Analyze Dashboard

Concluding the VPN Monitoring Guide

Using dashboards is an effective way of visualizing what is normal. It’s also a great way to visualize suspicious activity that may require an investigation to determine if there was a policy violation or possible intrusion. With the increase in users working from home, or otherwise working remotely, attempting to identify the new normal is challenging. Dashboarding is an effective way of quickly ascertaining the new normal.

To help ease some of the challenges of monitoring a remote workforce, LogRhythm is offering a promotion for remote workforce visibility using LogRhythm Cloud via a monthly subscription for a limited time. Learn more here.

Are you a LogRhythm customer? Access the full guide to VPN monitoring with LogRhythm dashboards on Community.