Security Monitoring for VMware Environments

The LogRhythm NextGen SIEM Platform Provides Full Virtual Environment Monitoring Capabilities

Virtualizing an environment provides many advantages in the form of decreased operational costs, increased workforce efficiency, and an easier disaster recovery process. Unfortunately, a virtualized environment also significantly increases your risk and the possibility that intruders might compromise your network. Holistic monitoring of your organization’s virtual environment is critical to protecting admin privileges, machine backups, and critical infrastructure.

To solve this problem, you can extend LogRhythm’s SIEM functionality to virtual environment monitoring. LogRhythm’s Machine Data Intelligence (MDI) Fabric includes VMware Vcenter as a prebuilt supported log source through which you can monitor a number of activities.

Below are three use cases to help guide your team to better monitor systems across physical and virtual workloads. These instances of LogRhythm’s MDI Fabric­ and AI Engine solutions are tailored to VMware, but they can also apply to any virtual environment for both data center workloads or virtual desktop infrastructure (VDI).

Use Case 1: Monitoring VMware Admins

The Problem

It is unfortunately all too easy to steal data from VM clones and snapshots. There are many high-level admin functions that a perpetrator can exploit to gain vCenter administrative access, including:

  • User log in/out

  • Virtual machine creation, modification, and deletion

  • Startup/shutdown of virtual machines

  • Managing CPU, disk, and memory utilization and allocation within the virtual environment

  • Cloning copies of the virtual machine

The Solution

Using MDI Fabric, LogRhythm can monitor all of the above activities by creating alerts, dashboards, and reports for each of the admin-related activities. By creating a privileged user monitoring scenario specifically for VMware admins, alerts for high risk events (such as instances of virtual machine cloning) can be applied to help administrators avoid misuse or data exfiltration. Here are sample dashboards highlighting this visibility.


Figure 1: VMware Dashboard App


Figure 2: Comprehensive Snapshot and VM View

Use Case 2: Monitoring Virtual Machine Backups

The Problem

Virtual machines are backed up by using the VMware’s native snapshot feature. From a security point of view, you need to know how many snapshots are created in an organization during or after the backup window to determine if there’s suspicious activity.

During normal operations, the number of VMs that are backed up remains almost the same. Snapshots are typically taken for backup of virtual machines after office hours. Any snapshot taken during office hours would be worth investigating.

The Solution

With LogRhythm’s AI Engine, you can monitor for activities of snapshots created and deleted, using the dashboard to understand daily operations and detect anomalies.

You can set up a use case rule for:

Snapshot Created Events + Non-Observed Snapshot Deleted Events

This will help in deducing if a backup has been successful or whether the snapshot has been deleted after the backup activity is over. Because snapshots take up disk space, this use case will help you investigate and free up space by deleting snapshots manually. An iteration to this rule can also be made by correlating with events from the backup application:


Figure 3: Correlate Events Rule 1

An alarm can be triggered to alert of incomplete backup operations:


Figure 4: Incomplete Backup Risk Rule 1


Figure 5: Incomplete Backup Alarm 1

You can establish another rule for when:

Snapshot Created and Deleted but Backup Failed

– OR –

Backup Succeeded + Non-Observed Snapshot Deleted

The Snapshot Created and Deleted but Backup Failed rule will help you to monitor the number of snapshots that are created and deleted for backup operations on a daily basis. You can generate an alert for when the number of snapshot creation/deletion activities has gone above or below a certain threshold.

For snapshots created during office hours, you’re able to observe and alert all instances where snapshots are created during office hours but the user is not the backup admin.


Figure 6: Correlate Events Rule 2

A high-priority alarm can then be generated based on the snapshot activity during office hours. The alarm can be drilled down to check logs or card properties, revealing details of which user created a given snapshot.


Figure 7: Incomplete Backup Risk Rule 2


Figure 8: Incomplete Backup Alarm Rule 2

Use Case 3: Monitoring Virtual Desktop Infrastructures (VDIs) During Outage

The Problem

Banking and public-sector organizations use VDIs extensively to help reduce overhead for desktop management—especially in a geographically distributed environment. Virtual desktops are created and deleted on demand as users constantly log in to the environment remotely as part of their daily jobs. Thus, VDIs pose serious challenges when it comes to monitoring the activities that happen within these environments.

The Solution

Use cases can be built using LogRhythm’s MDI Fabric to monitor the VDI environment as a whole. As a prebuilt log source tool, LogRhythm provides log processing policies for VMware View for monitoring VDI environments. Through seamless integration with Vshield, you can look at all network traffic-related events within the organization.

Use cases can be created for:

  • Mapping user activity to virtual desktops by creating a behavior profile of which users have logged in to what VD

  • Abnormal provisioning of virtual desktops within the environment as a misconfiguration (you can monitor for a threshold of virtual desktops being created within the organization)

  • Vshield integration monitoring of all internal traffic, including excessive packet drops, suspicious traffic behavior, etc.

VMware Security Monitoring

Employing effective monitoring techniques to virtual environments helps your organization focus on the convenience and productivity enabled by such technology while mitigating the platform’s inherent risks.

To monitor virtual environments, there can be many more instances of applying LogRhythm’s MDI Fabric and AI Engine aside from the three use cases we’ve explored here. As a prebuilt feature of LogRhythm MDI Fabric, VMware Vcenter serves as a dynamic log source support platform through which you can comprehensively monitor virtual environment events and activities.