6 Best Windows Server Monitoring Tools

If you administer a number of Windows servers, you know how ensuring that they are all running smoothly and operating at the best of their capacity can be time-consuming. This is where Windows server monitoring tools can come in handy. Today, we’re going to have an in-depth look at a few of the best of these tools.

We’ll begin by exploring Windows server monitoring, what it is and the various types of monitoring and monitoring tools that are available. As you will soon find out, Windows server monitoring is not one thing but rather an array of technologies that combine to offer a complete monitoring solution. We’ll also discuss integrated monitoring tools. These are tools that combine various types of monitoring into one package. We’ll see how this can be a big advantage but also that it can come with some limitations. And finally, we’ll review some of the very best Windows server monitoring tools we could find.

About Windows Server Monitoring

Monitoring Windows servers is not fundamentally different from monitoring any other type of device, and the main reason anyone needs it is simple: there is too much to monitor by hand. Given the complexity of a modern Windows server, with potentially dozens of critical services running on multiple processing cores, manually checking everything to ensure that all is running smoothly would quickly overwhelm any administrator. When I first started as a network administrator, the company where I worked had about half a dozen servers and they were all located right next to me, in the same room where my desk was. It was easy for me and my two colleagues to constantly keep a watchful eye on everything. We just had to turn around to see the servers’ consoles. Whenever something went wrong, it wasn’t long before one of us noticed it.

Fast forward some twenty-something years and things are very different. Many organizations have dozens if not hundreds of servers. And today’s environment is not only made of servers anymore. Between networking equipment, security appliances, and every conceivable type of network-attached devices, modern administrators tend to have their hands full. This is where monitoring tools can come in handy. They sit in the background and become your eyes on every Windows server on your network. Whenever something goes wrong or is out of its normal range of operation, alerting kicks in and sends some type of notification. This allows administrators to concentrate on more useful tasks while ensuring that they’ll be able to quickly react in case of trouble.


Various Tools For Different Monitoring

There are two main things most Windows administrators need to monitor. First, they need to verify that all of the Windows servers they are responsible for are up and running, and also that they are performing within their normal acceptable range. This can mean many things in terms of monitoring. At its most basic level, a Windows server monitoring tool will check that a server responds on the network and that the TCP ports which are supposed to be open actually are. For instance, a web server should be answering requests on port 80 and, for HTTPS, on port 443. In addition to checking open ports, Windows server monitoring tools use the Simple Network Management Protocol (SNMP), or on Windows hosts Windows Management Instrumentation (WMI), to read operational parameters from devices. The CPU load for each core or the percentage of available memory can be monitored, as can CPU core temperature where the hardware exposes it. Different devices expose different operational parameters via SNMP. The best tools let administrators pick which parameter of each Windows server to monitor.

The second important type of monitoring for Windows servers is application monitoring. This one can take many forms, and it seems like every developer of application monitoring tools has their own idea of how it should be done. Suffice it to say that the basic idea is to ensure that the applications running on the servers are available to end-users when they need them and that they are behaving normally. For example, a tool could be monitoring the Exchange server or the SQL Server instance running on a Windows server. This type of monitoring is most often accomplished through local monitoring agents installed on the application servers.


About Integrated Tools

In order to make Windows server administrators’ lives easier, a few vendors offer integrated monitoring tools. These are tools that combine two or more different types of monitoring tools. For instance, it is not rare to see tools that can monitor Windows servers and the applications running on them. Some even include network bandwidth utilization functionalities.

There are several advantages to these integrated tools, the main one being having all your monitoring data at the same place. Other advantages include an easier installation and not having to learn to install, configure, and use multiple tools. There’s also a definite cost advantage as integrated tools are often less expensive than purchasing individual tools.

But as nice as integrated tools can be, they do have a few drawbacks too. Generally speaking, integrated tools tend to be poorer in terms of available features. They can often do everything OK but not necessarily amazingly. They typically don’t go as deep in their monitoring features. They can also be somewhat cumbersome in large organizations where different teams manage different types of equipment and each team would benefit from having its own dashboard.

The Best Windows Server Monitoring Tools

Let’s have a look at some of the best Windows server monitoring tools. We’ve tried our best to include various types of tools. Our primary goal was to demonstrate the great variety of options available. Some of the tools reviewed below are integrated tools while others are specific server monitoring tools. Others are network monitoring tools with server monitoring features. Picking the best Windows server monitoring tool for your needs can be intimidating. Have a look at the reviews below to find which tool best matches your specific needs and give it a try.

1. SolarWinds ipMonitor (FREE TRIAL)

Who doesn’t know SolarWinds, a publisher of some of the very best network and system administration tools? The twenty-year-old company enjoys a solid reputation and its flagship product, the Network Performance Monitor, consistently scores among the top SNMP monitoring tools. And as if that wasn’t enough, SolarWinds also makes a handful of free tools, each addressing a specific need of network administrator. The Advanced Subnet Calculator and the Kiwi Syslog Server are two examples of those free tools.

With a rather large product portfolio, it’s no surprise that SolarWinds does offer an integrated monitoring solution that goes by the name of ipMonitor. It is a relatively simple integrated tool that offers essential up/down and performance monitoring for servers, applications, and networks.

SolarWinds ipMonitor - Dashboard

This tool will quickly discover infrastructure and will recommend SmartMonitor settings which are designed to make setup simpler and faster. It also provides an easy-to-use web interface and network maps for clear, at-a-glance views of your environment. The tool can send customizable alerts and reports to help ensure you are the first to know about issues or application failures. In addition to alerts, it also has automated remediation capabilities to minimize downtime.

On the application monitoring front, the system can simulate the end-user experience for web and other applications, and it uses standard protocols such as SNMP and WMI for agentless monitoring of applications and systems. The system includes its own embedded web server and database and is designed for a simple, integrated installation without the need to install separate components.

The ipMonitor web-based interface offers centralized and customizable summary views. It helps provide visibility into the health of your IT infrastructure. The tool supports drag and drop, and is designed to make it easy to add and remove elements from the view and help ensure you have the reports, statistics, and gauges you need—right at your fingertips. ipMonitor’s dashboards make it easy to identify problem areas at a glance, letting you resolve issues quickly.

Prices for ipMonitor start at $1 495 for up to 500 monitors. This one-time cost includes the first year of maintenance. For those who’d prefer to try the tool before purchasing it, a free 14-day trial is available.

2. SolarWinds Server And Application Monitor (FREE TRIAL)

Not as integrated as ipMonitor, the SolarWinds Server and Application Monitor is a good example of a smaller integrated tool. But since it shares the same Orion platform as the Network Performance Monitor, together they form a truly integrated tool with many more features than can be found in ipMonitor.

This tool was designed to help administrators monitor servers, their operational parameters, their processes, and the applications which are running on them. It can easily scale from very small networks to large ones with hundreds of servers—both physical and virtual—spread over multiple sites. The tool can also monitor cloud-hosted services like those from Amazon Web Services and Microsoft Azure.

SolarWinds Server and Application Monitor Dashboard

The SolarWinds Server and Application Monitor is very easy to set up and its initial configuration is just as easily done with the help of its auto-discovery process. It is a two-pass process. The first pass will discover servers, and the second one will find applications. This can take time but can be sped up by supplying the tool with a list of specific applications to look for. Once the tool is up and running, the user-friendly GUI makes using it a breeze. You can choose to display information in either a table or a graphic format.

Prices for the SolarWinds Server and Application Monitor start at $2 995 and vary based on the number of components, nodes, and volumes monitored. A free 30-day trial version is available for download, should you want to try the product before purchasing it.

3. SolarWinds Server Configuration Monitor (FREE TRIAL)

Next on our list is yet another tool from SolarWinds. This one is very specific in what it monitors, though. Its primary purpose is monitoring and auditing server configurations, and it is called the SolarWinds Server Configuration Monitor, or SCM. But despite its rather descriptive name, there’s more to this tool. It is a powerful and easy-to-use product designed to track server and application changes in your network. As a troubleshooting tool, it can correlate configuration changes with performance slowdowns, which helps you find the root cause of performance problems caused by a change.

SolarWinds Server Configuration Monitor Screenshot

The SolarWinds Server Configuration Monitor is an agent-based tool, with the agent deployed on each Windows server being monitored. The advantage of this architecture is that the agent can keep gathering data even when the server is disconnected from the network. The data is then sent to the tool as soon as the server is back online.

Feature-wise, this product leaves little to be desired. In addition to what’s already been mentioned, this tool will automatically detect servers that are eligible for monitoring. It comes with out-of-the-box configuration profiles for the most common servers. The tool will also let you view and report on hardware and software inventories. It can be used to monitor your on-premises physical and virtual servers as well as your cloud-based environment.

Prices for the SolarWinds Server Configuration Monitor are not readily available. You’ll need to request a formal quote from SolarWinds. However, a 30-day evaluation version is available for download.

4. ManageEngine OpManager

The ManageEngine OpManager is another all-in-one package that will monitor your servers’ (physical and virtual) vital signs as well as those of your networking equipment and alert you as soon as something is out of its normal operating range. The tool benefits from an intuitive user interface that will let you easily find the information you need. There is also an excellent reporting engine that comes loaded with pre-built reports while still supporting custom ones. The product’s alerting features are also very complete.

ManageEngine OpManager Dashboard

The tool runs on either Windows or Linux and is loaded with great features. One worth mentioning is its auto-discovery feature that can map your network, giving you a uniquely customized dashboard. The ManageEngine OpManager dashboard is super easy to use and navigate, thanks to its drill-down functionality. For those of you who are into mobile apps, client apps for tablets and smartphones are available, allowing you to access the tool from anywhere.

The ManageEngine OpManager is available in two versions. The Essential edition is intended for small and medium organizations with up to a thousand devices with prices starting at around $700 for 25 devices. For larger organizations, the Enterprise edition can scale up to ten thousand devices. Its price starts at under $20 000 for 500 devices. If you are interested in giving the tool a try, a free 30-day trial is also available.

5. PRTG Network Monitor

The PRTG Network Monitor or, more simply, just PRTG from Paessler AG, is another excellent integrated monitoring system. The enterprise-grade product claims to be the fastest to set up. According to Paessler, the tool can be set up in a couple of minutes. While our experience shows that it can take a bit more than that, it’s still pretty easy and quick to set up. Its auto-discovery process is one of the main reasons for the speed of installation.

PRTG Dashboard - Datacenter Monitoring

The PRTG Network Monitor is a feature-rich product. It comes with a choice of user interfaces. There’s a Windows enterprise console, an Ajax-based web interface, and mobile apps for Android and iOS. In the background, this tool mainly uses SNMP to poll devices and display interface utilization on chronological graphs. But it doesn’t stop there. Through the use of additional sensors, PRTG can monitor servers and applications. In fact, there aren’t many monitoring tasks that it won’t handle.

The PRTG Network Monitor is available in two versions. There’s a free version that is full-featured but will limit your monitoring ability to 100 sensors. When using SNMP, each monitored parameter counts as one sensor. For example, if you monitor two interfaces on a router, it will count as two sensors. Each instance of a specific monitoring sensor also counts as one. If you need more than 100 sensors, you need to purchase a license that starts at $1 600 for 500 sensors. A free, sensor-unlimited and full-featured 30-day trial version is available.

6. Zabbix

Zabbix is known as one of the best free and open-source system monitoring platforms. This enterprise-grade system can scale from small to very big networks. This tool can monitor networks, both local and cloud-based servers, and the services running on them, making it a true integrated monitoring platform. Don’t let the fact that it’s free and open-source put you off, though. It would be a mistake as this tool has a lot to offer.

Zabbix Dashboard

Zabbix uses SNMP as well as the Intelligent Platform Management Interface (IPMI) for monitoring devices, and an agent for deeper host monitoring. You can use the software to monitor bandwidth, device CPU and memory utilization, general device health as well as configuration changes. The product also features an impressive and completely customizable alerting system. It will not only send email or SMS alerts but can also run local scripts, which could be used to fix some issues automatically.

Although Zabbix is free, ancillary services can be purchased. For instance, you can purchase support services. Five levels of technical support are available. There is also a complete certification training program that can be purchased. This is totally optional, though, as community support is available for free and it is very good. Finally, this product’s alerting features are up to par with other products on our list and so is its reporting engine.

Zabbix has all you can expect in an enterprise-grade integrated monitoring tool except the high price tag. And the only thing you’ll need to spend to put it through a test run is your time.

Read 6 Best Windows Server Monitoring Tools by Renaud Larue-Langlois on AddictiveTips – Tech tips to make you smarter

6 Best Linux Network Monitoring Tools

Knowing what is happening on the network they manage is essential to most network administrators. This is why network monitoring tools were created. They let managers keep a watchful eye on the network while also providing much-needed assistance when troubleshooting issues. And with the ever-growing popularity of Linux in the data center, we thought we’d have a look at some of the very best Linux network monitoring tools.

As we often do, we’ll begin by defining network monitoring. We’ll explain what it is and what benefits it can bring. We’ll follow up by introducing the Simple Network Management Protocol. After all, it is the underlying technology used by most network monitoring tools. We’ll also explain in some detail how SNMP is used to calculate network bandwidth usage while keeping our explanation as non-technical as possible. Next, we’ll briefly talk about Linux and the advantages of using it as a network monitoring platform. This will bring us to the core of our discussion: the actual Linux network monitoring tools. We’ll review a handful of the best tools we could find that run on Linux.

About Network Monitoring

Network monitoring or, as it is often called, bandwidth monitoring measures the amount of traffic passing a given point on a network. The measuring point is often a router or switch interface, but it’s not uncommon to monitor the bandwidth utilization of a server’s LAN interface. The important thing here is to realize that all we’re measuring is the amount of traffic. Standard, basic network monitoring won’t give you any information about what that traffic is, only how much of it there is.

There are several reasons for wanting to monitor network bandwidth utilization. First and foremost, it can help you pinpoint any area of contention. As a network circuit’s utilization grows, its performance starts degrading. And the more you approach the network’s maximum capacity, the more impact there is on performance. By letting you keep an eye on network utilization, monitoring tools give you a chance to detect high utilization—and address it—before it becomes noticeable by users.

Capacity planning is another major benefit of network monitoring tools. Network circuits—especially long-distance WAN connections—are expensive and will often have only the bandwidth that was required when they were initially installed. While that amount of bandwidth might have been OK back then, it will eventually need to be increased. By monitoring the evolution of your network circuits’ bandwidth utilization, you’ll be able to see which ones need to be upgraded and when.

Network monitoring tools can also be useful for troubleshooting poor application performance. When a user complains that some remote application has slowed down, looking at the network’s bandwidth utilization can quickly help you determine whether or not the problem is caused by network congestion. If you see low network utilization, you can safely concentrate your troubleshooting efforts elsewhere.


SNMP In A Nutshell

Most network monitoring tools rely on the Simple Network Management Protocol (SNMP) to do their magic. But despite a rather misleading name, SNMP is actually somewhat complex. However, you don’t have to be an expert and know all about it to use it. It’s just like you don’t have to be an auto mechanic to drive a car. It is, however, preferable to have at least some idea of how it works so let’s have a look at it.

At its base, SNMP is a communication protocol that specifies how an SNMP management system can read and write operational parameters in remote devices. Each parameter is a managed object addressed by an Object Identifier, or OID, a dotted sequence of integers defined in a Management Information Base (MIB). Some interesting OIDs, from a network monitoring standpoint, are those that correspond to important device metrics such as CPU and memory load or disk usage, for example.

When monitoring network bandwidth utilization, two OIDs are of particular interest. They are the bytes-in and bytes-out counters associated with each interface: ifInOctets and ifOutOctets in the standard IF-MIB (1.3.6.1.2.1.2.2.1.10 and 1.3.6.1.2.1.2.2.1.16), with 64-bit equivalents ifHCInOctets and ifHCOutOctets for faster links. They are automatically incremented by the network device as data is sent or received. More about those in a moment.

Dating back to a time when IT security was not much of an issue, SNMP versions 1 and 2c, which are still the most widely deployed, offer only minimal security. An SNMP manager connecting to an SNMP-enabled device transmits a “community string” with its request, over UDP port 161. If the string matches the one configured in the equipment, the request is carried out. Devices typically have two community strings configured, one granting read-only access and one granting read-write access. The communication is not encrypted or authenticated, so anyone intercepting it sees the community strings in clear text and could replay or forge requests. This is why SNMPv1 and v2c should only be used on private, segregated management networks, with the default strings (“public” and “private”) changed, with access restricted to the monitoring host’s address, and with the read-write string disabled unless it is actually needed. SNMPv3 adds per-user authentication and encryption (the authPriv security level) and should be preferred wherever the devices support it.

How SNMP Is Used To Monitor Networks

To monitor bandwidth utilization, SNMP-based tools periodically read the bytes-in and bytes-out counters of a networking device’s interfaces at known intervals. Five minutes is a typical interval, but shorter times can be used for finer resolution. They then store the polled values in some sort of database or file.

The rest of the process is simple arithmetic. The monitoring system subtracts the previous counter value from the current one to get the number of bytes transmitted or received during the polling interval. It then multiplies that number by eight to get bits and divides by the number of seconds in the polling interval to get bits per second. One caveat: the classic ifInOctets and ifOutOctets counters are 32 bits wide and roll over to zero at 2^32 bytes, which a saturated 1 Gbps link does in about 34 seconds. A tool must treat a current value lower than the previous one as a wrap, and on fast links it should poll the 64-bit ifHCInOctets and ifHCOutOctets counters instead, because two wraps inside one polling interval cannot be detected at all. The resulting rate is typically plotted on a graph showing its evolution over time and/or stored in a database.

It is important to note that what you get is an average utilization over the polling interval, not the instantaneous bandwidth utilization. For instance, if a circuit runs at maximum capacity during half of the polling interval and carries no traffic during the other half, it will show up as being used at 50% of its capacity despite having been maxed out for an extended period. Shorter polling intervals reduce this distortion, but keep in mind that these systems only give you average values.
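The counter arithmetic described in the last three paragraphs, worked through in code. This is an added example, not code from the original article or from any monitoring product; the counter samples are constructed rather than polled, and it handles the two failure modes the text warns about: a 32-bit counter wrapping between polls, and the averaging that hides a burst.

```python
"""Turn two SNMP octet-counter samples into an average bits-per-second figure.

Added example, not part of the original article. Samples are constructed, not
read from a device. Handles single-wrap correction for 32-bit ifInOctets /
ifOutOctets and accepts 64-bit ifHCInOctets / ifHCOutOctets values as well.
"""
from dataclasses import dataclass

COUNTER32_MODULUS = 2 ** 32
COUNTER64_MODULUS = 2 ** 64


@dataclass(frozen=True)
class Sample:
    timestamp: float   # seconds; any monotonic clock will do
    octets: int        # raw counter value returned by the SNMP GET


def counter_delta(prev: int, curr: int, width: int = 32) -> int:
    """Octets transferred between two reads, correcting for one wrap.

    SNMP counters only increase, so curr < prev means the counter rolled
    over. Two or more wraps inside one interval are undetectable and make
    the result too low, which is why fast links need the 64-bit counters.
    """
    modulus = COUNTER32_MODULUS if width == 32 else COUNTER64_MODULUS
    if curr >= prev:
        return curr - prev
    return (modulus - prev) + curr


def average_bps(prev: Sample, curr: Sample, width: int = 32) -> float:
    """Average bit rate over the polling interval, exactly as the text describes."""
    interval = curr.timestamp - prev.timestamp
    if interval <= 0:
        raise ValueError("samples must be in chronological order")
    return counter_delta(prev.octets, curr.octets, width) * 8 / interval


def utilization_pct(bps: float, link_bps: int) -> float:
    """Average utilization as a percentage of the circuit's capacity."""
    return 100.0 * bps / link_bps


def seconds_to_wrap(link_bps: int, width: int = 32) -> float:
    """How long a saturated link needs to wrap its counter: an upper bound
    on the safe polling interval for that counter width."""
    modulus = COUNTER32_MODULUS if width == 32 else COUNTER64_MODULUS
    return modulus * 8 / link_bps


if __name__ == "__main__":
    # Constructed samples: 375 MB in a 300 s interval -> 10 Mbit/s.
    a, b = Sample(0, 1_000_000), Sample(300, 1_000_000 + 375_000_000)
    print(average_bps(a, b))
    # Constructed wrap: counter went from just below 2^32 to 9000.
    print(counter_delta(COUNTER32_MODULUS - 1000, 9000))
    # The burst the text describes: 1 Gbit/s for 150 s, idle for 150 s,
    # read from a 64-bit counter, reports as 50 % utilization.
    burst = average_bps(Sample(0, 0), Sample(300, 18_750_000_000), width=64)
    print(utilization_pct(burst, 1_000_000_000))
    print(seconds_to_wrap(1_000_000_000))
```

Note that the burst case moves 18.75 GB in one 300-second interval, more than four times the range of a 32-bit counter, so with the classic counters and a five-minute poll the wrap correction would silently return a wrong, much smaller value; the 64-bit counters are not optional at that speed.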


A Word About Linux

As an operating system, Linux is not, functionally speaking, very different from others such as Windows or OS X. The main difference between Linux and other popular operating systems is that Linux is a free and open-source product and most distributions are available free of charge. It is important here to distinguish free in “free and open-source” from free in “free of charge”. The first one refers to freedom rather than price.

Over the years, Linux, which was once a marginal operating system installed by nerds and computer science students—I recall spending weeks downloading SLS Linux one diskette image at a time over a 1200 baud connection; I guess I was one of those nerds—has grown to be a popular option as a server operating system. Some recent distributions are also making much progress as a viable alternative to Windows as a personal computer operating system.

Linux As A Network Monitoring Platform

While Linux is a popular operating system for servers of all kinds, it is even more so when it comes to running specific tools. There are several free and open-source network monitoring tools that will only run on Linux. And if your tool of choice can run on either Windows or Linux, it often makes more economic sense to run it on a free OS than to spend money on a Windows license for a dedicated monitoring box.

While some people still don’t trust free and open-source operating systems and software for mission-critical applications and wouldn’t, for instance, put their precious corporate data on a MySQL server running on Linux, many of them don’t usually have as many objections to using the platform for running network administration tools.


The Best Linux Network Monitoring Tools

1. ManageEngine OpManager

The ManageEngine OpManager is a powerful all-in-one network monitoring tool that offers comprehensive network monitoring capabilities. It can help you keep an eye on network bandwidth utilization, detect network faults in real-time, troubleshoot errors, and prevent downtime. The tool supports various environments from multiple vendors and can scale to fit your network, regardless of its size. It can run on either Linux or Windows and will let you monitor your devices and network and give you visibility over your entire network infrastructure. Installation and setup of this product are both quick and easy. You can get it running in under two minutes. It requires no complex installation procedures and comes bundled with built-in databases and web servers.

ManageEngine OpManager Dashboard

The ManageEngine OpManager constantly monitors network devices’ performance in real-time and displays it on its live dashboards and graphs. In addition to bandwidth, it examines several critical operational metrics such as packet loss, errors and discards, etc.

The tool can help you detect, identify, and troubleshoot network issues with its threshold-based alerts. You can easily set multiple thresholds for every performance metric and get notifications when they are exceeded. Reporting is another area where this tool shines. Intelligent reports will let you get detailed insights on network performance. There are more than 100 built-in reports and you can customize, schedule and export these out-of-the-box reports as needed.

2. Zabbix

Zabbix is a free and open-source product that can be used to monitor almost anything. The tool runs on a handful of Linux distributions, including Raspbian, the Raspberry Pi distribution of Linux, and it will monitor network bandwidth, servers, applications and services, as well as cloud-based environments. It features a highly professional look and feel. This product also boasts a broad feature set, high scalability, distributed monitoring, strong security, and high availability. Despite being free, this is a true enterprise-grade product.

Zabbix Dashboard

Zabbix uses a combination of monitoring technologies. It supports SNMP monitoring as well as the Intelligent Platform Management Interface (IPMI). It can also do agent-based monitoring, with agents available for most platforms. For easy setup, there’s auto-discovery as well as out-of-the-box templates for many devices. The tool’s web-based user interface has several advanced features such as widget-based dashboards, graphs, network maps, slideshows, and drill-down reports.

Zabbix also features a highly customizable alerting system that will not only send out detailed notification messages but that can also be customized based on the recipient’s role. It can also escalate problems according to flexible user-defined service levels.

3. Zenoss Core

Zenoss Core may not be as popular as some of the other monitoring tools on this list but it truly deserves its spot because of its feature set and professional look and feel. The tool can monitor many things such as bandwidth utilization, traffic flows, or services like HTTP and FTP. It has a clean and simple user interface and its alerting system is excellent. One thing worth mentioning is its rather unique multiple alerting system. It allows a second person to be alerted if the first one does not respond within a predefined delay.

Zenoss Core Dashboard

On the downside, Zenoss Core is one of the more complicated monitoring systems to install and set up. Installation is an entirely command-line driven process. Today’s network administrators are used to GUI installers, configuration wizards and auto-discovery engines, which could make the product’s installation seem a bit archaic. Then again, this is in line with the Linux world. There is ample installation and configuration documentation available, and the end result makes it worth the effort.

4. Nagios

There are two versions of Nagios available. There’s the free and open-source Nagios Core and there’s the paid Nagios XI. Both share the same underlying engine but the similarity stops there. Nagios Core is an open-source monitoring system that runs on Linux. The system is completely modular with the actual monitoring engine at its core. The engine is complemented by dozens of available plugins that can be downloaded to add functionality to the system. Each plugin adds some features to the core.

Nagios XI Dashboard

Preserving the modular approach, the tool’s front end is also modular and several different community-developed options are available for download. The Nagios core, the plugins and the front end combine to make a rather complete monitoring system. There is a drawback to this modularity, though. Setting up Nagios Core can turn out to be a challenging task.

As for Nagios XI, it is a commercial product based on the Nagios Core engine but it is a complete self-contained monitoring solution. The product targets a wide audience from small businesses to large corporations. It is much easier to install and configure than Nagios Core, thanks to its configuration wizard and auto-discovery engine. Of course, this ease of setup and configuration comes at a price. You can expect to pay around $2 000 for a 100-node license and about ten times as much for an unlimited one.

5. Cacti

We had to include Cacti on this list. After all, at 17 years of age, it is one of the oldest free and open-source monitoring platforms, it is still quite popular to this day, and it is still actively developed; the latest version was released recently. While Cacti might not be as feature-rich as some other products, it is still an excellent tool. Its web-based user interface has somewhat of a vintage feel but it is well laid out and easy to understand and use. The tool’s primary components are a fast poller, advanced graphing templates, and multiple acquisition methods. While the tool primarily relies on SNMP polling, custom scripts can be devised to get data from virtually any source.

Cacti Screenshot

This tool’s main strength is in polling devices to fetch their metrics—such as bandwidth utilization—and graphing the collected data on web pages. It does an excellent job of that but that’s all it will do. If you don’t need alerting, fancy reports or other extras, the product’s simplicity might be just what you need. And if you need more functionality, Cacti is open-source and entirely written in PHP, making it highly customizable and you can add any missing features you need.

Cacti makes extensive use of templates which account for an easier configuration. There are device templates for many common types of devices as well as graph templates. There’s also a huge online community of users who write custom templates of all kinds and make them available to the community and many equipment manufacturers also offer downloadable Cacti templates.

6. MRTG

The Multi Router Traffic Grapher, or MRTG, is the granddaddy of all network bandwidth monitoring systems. While the open-source project has been around since 1995, it is still in widespread usage, despite the fact that the latest version is already a few years old. It is available for Linux and Windows. Initial setup and configuration are somewhat more complicated than what you’d experience with other monitoring systems but excellent documentation is readily available.

MRTG Screenshot

Installing MRTG is a multi-step process and you need to carefully follow the setup instructions. Once installed, you configure the software by editing its configuration file. What MRTG lacks in user-friendliness, it gains in flexibility. Mostly written in Perl, it can easily be modified and adapted to one’s exact needs. And the fact that it’s the first monitoring system and that it is still around is a testament to its value.

Read 6 Best Linux Network Monitoring Tools by Renaud Larue-Langlois on AddictiveTips – Tech tips to make you smarter

What are DDoS Attacks and How to Guard Against Them

Distributed Denial of Service (DDoS) attacks are unfortunately more common than we’d like. This is why organizations need to actively protect against them and other threats as well. And while these types of attacks can be nasty and have a major impact on your systems, they are also relatively easy to detect.

How to prevent a DDoS attack

In this post, we’ll have a look at ways you can protect your assets against DDoS attacks and review some products that can help you with that.

We’ll begin by describing what DDoS attacks are. As you’re about to discover, their principle of operation is as simple as their potential impact is high. We’ll also explore how these attacks are often categorized and how various types of attacks actually differ. Next, we’ll discuss how to protect against DDoS attacks. We’ll see how content delivery networks can keep attackers away from your servers and how load balancers can detect an attack and steer attackers away. But for those rare attacks that manage to actually reach your servers, you need some local protection. This is where security information and event management (SIEM) systems can help so our next order of business will be to review some of the very best SIEM systems we could find.

About DDoS

A Denial of Service (DoS) attack is a malicious attempt to affect the availability of a targeted system, such as a website or application, to its legitimate end-users. Typically, attackers generate large volumes of packets or requests, ultimately overwhelming the target system. A Distributed Denial of Service (DDoS) attack is a specific type of DoS attack in which the attacker uses multiple compromised or controlled sources to generate the attack. DDoS attacks are often classified according to which layer of the OSI model they attack, with most attacks happening at the network layer (layer 3), the transport layer (layer 4), the presentation layer (layer 6), and the application layer (layer 7).

Attacks at the lower layers (such as 3 and 4) are typically categorized as Infrastructure layer attacks. They are by far the most common type of DDoS attack and they include vectors such as SYN floods and other reflection attacks like UDP floods. These attacks are usually large in volume and aim to overload the capacity of the network or the application servers. The good thing (for as much as there’s anything good about being under attack) is that they are a type of attack that has clear signatures and they are easier to detect.

As for attacks at layers 6 and 7, they are often categorized as Application layer attacks. Although these attacks are less frequent, they also tend to be more sophisticated. These attacks are typically small in volume compared to the Infrastructure layer attacks, but they tend to focus on particular expensive parts of the application. Examples of these types of attacks include a flood of HTTP requests to a login page or an expensive search API, or even WordPress XML-RPC floods, which are also known as WordPress pingback attacks.


Protecting Against DDoS Attacks

To effectively protect against a DDoS attack, time is of the essence. This is a real-time type of attack so it requires a real-time response. Or does it? In fact, one way to protect against DDoS attacks is to send attackers somewhere else than your servers.

One way this can be accomplished is by distributing your website through some type of content distribution network (CDN). Using a CDN, users of your website (both legitimate ones and potential attackers) never hit your web servers but those of the CDN, thereby protecting your servers and ensuring that any DDoS attack will only impact a relatively small subset of your clients.

Another way of preventing DDoS attacks from reaching your servers is through the use of load balancers. Load balancers are appliances that are typically used to steer incoming server connections to multiple servers. The main reason why they are used is to provide extra capacity. Let’s suppose that a single server can handle up to 500 connections per minute but your business has grown and you now have 700 connections per minute. You can add a second server with a load balancer and incoming connections will be automatically balanced between the two servers. But the more advanced load balancers also have security features that can, for instance, recognize the symptoms of a DDoS attack and send the request to a dummy server instead of potentially overloading your servers. While the efficiency of such technologies varies, they constitute a good first line of defense.

Security Information And Event Management To The Rescue

Security Information and Event Management (SIEM) systems are one of the best ways of protecting against DDoS attacks. The way they operate allows them to detect almost any kind of suspicious activity, and their typical remediation processes can help stop attacks dead in their tracks. SIEM is often the last line of defense against DDoS attacks. It will trap any attack that actually makes it to your systems, those that have managed to bypass other means of protection.

The Main Elements Of SIEM

We’re about to explore in deeper detail each major component of a SIEM system. Not all SIEM systems include all these components and, even when they do, they could have different functionalities. However, they are the most basic components that one would typically find, in one form or another, in any SIEM system.

Log Collection And Management

Log collection and management is the main component of all SIEM systems. Without it, there is no SIEM. The SIEM system has to acquire log data from a variety of different sources. It can either pull it or different detection and protection systems can push it to the SIEM. Since each system has its own way of categorizing and recording data, it is up to the SIEM to normalize data and make it uniform, no matter what its source is.

After normalization, logged data will often be compared against known attack patterns in an attempt to recognize malicious behaviour as early as possible. Data will also often be compared to previously collected data to help build a baseline that will further enhance abnormal activity detection.


Event Response

Once an event is detected, something must be done about it. This is what the event response module of the SIEM system is all about. The event response can take different forms. In its most basic implementation, an alert message will be generated on the system’s console. Often email or SMS alerts can also be generated.

But the best SIEM systems go a step further and will often initiate some remedial process. Again, this is something that can take many forms. The best systems have a complete incident response workflow system that can be customized to provide exactly the response you want. And as one would expect, incident response does not have to be uniform and different events can trigger different processes. The best systems will give you complete control over the incident response workflow. Keep in mind that when seeking protection against real-time events such as DDoS attacks, event response is probably the most important feature.
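The normalization and baseline comparison described under Log Collection And Management, together with the alert-then-remediate flow described here, as an added example that is not code from any product on this page. It assumes two constructed log formats (a web server access log and a firewall syslog line), a one-minute window, and documentation-range addresses; every sample line is constructed.

```python
"""Toy SIEM pipeline (added illustration, not any vendor's code): normalize two
constructed log formats into one schema, learn a baseline, flag deviations, respond."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# --- 1. Log collection: two sources, two formats (both constructed) -----------
WEB_TS = "%d/%b/%Y:%H:%M:%S %z"
WEB_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3})')
FW_RE = re.compile(r'^(?P<ts>\S+) fw1 kernel: (?P<action>[A-Z]+) proto=(?P<proto>\w+) '
                   r'src=(?P<ip>\S+) dst=\S+ dpt=(?P<dport>\d+) flags=(?P<flags>\S+)$')

def normalize(line: str):
    """Map a raw line from either source onto one common event schema."""
    m = WEB_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], WEB_TS), "source": "web",
                "src_ip": m["ip"], "kind": "http_request", "target": m["path"]}
    m = FW_RE.match(line)
    if m:
        if m["flags"] != "SYN":          # only new connection attempts matter here
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall",
                "src_ip": m["ip"], "kind": "syn", "target": f"tcp/{m['dport']}"}
    return None                          # unknown format; a real SIEM counts these

def parse_all(lines):
    return [e for e in map(normalize, lines) if e is not None]

# --- 2. Baseline from previously collected data --------------------------------
def build_baseline(events, window: timedelta):
    """Average events per window for each (kind, target) seen while learning."""
    if not events:
        return {}
    span = max(e["ts"] for e in events) - min(e["ts"] for e in events)
    windows = max(span / window, 1.0)    # timedelta / timedelta -> float
    counts = Counter((e["kind"], e["target"]) for e in events)
    return {key: n / windows for key, n in counts.items()}

# --- 3. Detection: compare live windows against the baseline -------------------
def detect_floods(events, baseline, window: timedelta, factor=10.0, floor=20):
    """Flag a (kind, target) whose count in a tumbling window exceeds `factor`
    times its baseline; `floor` keeps near-zero baselines from alerting on noise."""
    if not events:
        return []
    t0 = min(e["ts"] for e in events)
    buckets = defaultdict(list)
    for e in events:
        buckets[(int((e["ts"] - t0) / window), e["kind"], e["target"])].append(e)
    alerts = []
    for (idx, kind, target), evs in sorted(buckets.items()):
        expected = baseline.get((kind, target), 0.0)
        if len(evs) >= floor and len(evs) > factor * expected:
            alerts.append({"window": idx, "kind": kind, "target": target,
                           "count": len(evs), "expected": expected,
                           "top_sources": Counter(e["src_ip"] for e in evs).most_common(3)})
    return alerts

# --- 4. Event response -----------------------------------------------------------
def respond(alert, share=0.5):
    """Always raise a console alert; block only a source that alone produced more
    than `share` of the flood. A flood spread thinly over many sources (the
    'distributed' case) gets the alert but no automatic block."""
    actions = [("alert", f"{alert['kind']} flood on {alert['target']}: "
                         f"{alert['count']} events, baseline {alert['expected']:.1f}/window")]
    for ip, n in alert["top_sources"]:
        if n / alert["count"] > share:
            actions.append(("block_ip", ip))
    return actions

def run_pipeline(learning_lines, live_lines, window=timedelta(minutes=1)):
    baseline = build_baseline(parse_all(learning_lines), window)
    alerts = detect_floods(parse_all(live_lines), baseline, window)
    return alerts, [respond(a) for a in alerts]

# --- Constructed sample data (documentation-range addresses, not real hosts) ---
T0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
def web_line(ip, ts, path):
    return f'{ip} - - [{ts.strftime(WEB_TS)}] "POST {path} HTTP/1.1" 200 512'
def fw_line(ip, ts, dport, flags="SYN"):
    return (f"{ts.isoformat()} fw1 kernel: ACCEPT proto=TCP src={ip} "
            f"dst=203.0.113.10 dpt={dport} flags={flags}")

# Ten quiet minutes: one login per minute, one new connection every 30 s,
# plus a non-SYN line and an unparseable line that normalization must drop.
LEARNING_LINES = (
    [web_line(f"198.51.100.{i + 1}", T0 + timedelta(minutes=i), "/login") for i in range(10)]
    + [fw_line(f"192.0.2.{i + 1}", T0 + timedelta(seconds=30 * i), 443) for i in range(20)]
    + [fw_line("192.0.2.1", T0, 443, flags="ACK"), "Mar  1 10:00:00 fw1 unparsed noise"])
# Later, one minute of trouble: 40 login POSTs from two hosts (one dominant) and
# 200 SYNs to port 443 spread evenly over 50 sources.
ATTACK_T = T0 + timedelta(minutes=20)
LIVE_LINES = (
    [web_line("198.51.100.50" if i < 30 else "198.51.100.51",
              ATTACK_T + timedelta(seconds=i), "/login") for i in range(40)]
    + [fw_line(f"192.0.2.{i % 50 + 1}", ATTACK_T + timedelta(milliseconds=200 * i), 443)
       for i in range(200)])

if __name__ == "__main__":
    for alert, actions in zip(*run_pipeline(LEARNING_LINES, LIVE_LINES)):
        print(alert["kind"], alert["target"], alert["count"], actions)
```

The login flood comes mostly from one host, so it gets an alert plus a block; the SYN flood is spread across fifty sources and gets an alert only, which is exactly the case where a single-IP block would not help.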

Dashboard

Once you have the log collection and management system and the response systems in place, the next important module is the dashboard. After all, it will be your window into the status of your SIEM system and, by extension, the status of your network’s security. Dashboards are such an important component that many tools offer multiple dashboards. Because different people have different priorities and interests, the perfect dashboard for a network administrator will be different from that of a security administrator, and an executive will need a completely different one as well.

While we can’t evaluate a SIEM system by the number of dashboards it has, you need to pick one that has the dashboard(s) you need. This is definitely something you’ll want to keep in mind as you evaluate vendors. Many of the best systems will let you adapt built-in dashboards or build customized dashboards to your liking.

Reporting

The next important element of a SIEM system is reporting. You might not know it just yet—and they won’t help you prevent or stop DDoS attacks—but you will eventually need reports. The upper management will need them to see for themselves that their investment in a SIEM system is paying off. You might also need reports for conformity purposes. Complying with standards such as PCI DSS, HIPAA, or SOX can be eased when your SIEM system can generate conformity reports.

While reports may not be at the core of a SIEM system, they are still essential components. And often, reporting will be a major differentiating factor between competing systems. Reports are like candies, you can never have too many. And of course, the best systems will let you adapt existing reports or create custom ones.

The Top Tools For Protecting Against DDoS Attacks

Although there are various types of tools that can help protect against DDoS attacks, none provide the same level of direct protection as security information and event management tools. This is why all the tools on our list are actually SIEM tools. Any of the tools on our list will provide some degree of protection against many different types of threats, including DDoS. We’re listing the tools in order of our personal preference but, despite their order, all six are excellent systems and we can only recommend that you try them for yourself and see how they fit your environment.

1. SolarWinds Security Event Manager (FREE TRIAL)

You may have heard of SolarWinds before. The name is known by most network administrators and with reason. The company’s flagship product, the Network Performance Monitor is one of the best network bandwidth monitoring tools available. But that’s not all, the company is also famous for its numerous free tools such as its Advanced Subnet Calculator or its SFTP server.

SolarWinds has tools for pretty much every network management task and that includes SIEM. Although the SolarWinds Security Event Manager (also called SEM) is best described as an entry-level SIEM system, it is likely one of the most competitive entry-level SIEM systems on the market. The SolarWinds SEM has everything you’ve come to expect from a SIEM system. It has excellent log management and correlation features, a great dashboard and an impressive reporting engine.

SolarWinds Security Event Manager Screenshot

The SolarWinds Security Event Manager will alert you to the most suspicious behaviours, allowing you to focus more of your time and resources on other critical projects. The tool has hundreds of built-in correlation rules to watch your network and piece together data from the various log sources to identify potential threats in real-time. And you don’t only get out-of-the-box correlation rules to help get you started, the normalization of log data allows for an endless combination of rules to be created. Furthermore, the platform has a built-in threat intelligence feed that works to identify behaviours originating from known bad actors.

The potential damage caused by a DDoS attack is often determined by how quickly you identify the threat and start addressing it. The SolarWinds Security Event Manager can hasten your response by automating responses whenever certain correlation rules are triggered. Responses can include blocking IP addresses, changing privileges, disabling accounts, blocking USB devices, killing applications, and more. The tool’s advanced, real-time response system will actively react to every threat. And since it’s based on behaviour rather than signatures, you’re protected against unknown or future threats. This feature alone makes it a great tool for DDoS protection.

The SolarWinds Security Event Manager is licensed by the number of nodes sending log and event information. In that context, a node is any device (server, network device, desktop, laptop, etc.) from which log and/or event data is collected. Pricing starts at $4 665 for 30 devices, including the first year of maintenance. Other licensing tiers are available for up to 2 500 devices. If you want to try the product before purchasing it, a free fully functional 30-day trial version is available for download.

2. RSA NetWitness

Since 2016, NetWitness has focused on products supporting “deep, real-time network situational awareness and agile network response”. The company’s history is a bit complex: After being acquired by EMC which then merged with Dell, the NetWitness business is now part of the RSA branch of Dell, which is great news as RSA enjoys a solid reputation in IT security.

RSA NetWitness is a great product for organizations seeking a complete network analytics solution. The tool incorporates information about your business which helps prioritize alerts. According to RSA, the system “collects data across more capture points, computing platforms, and threat intelligence sources than other SIEM solutions”. There’s also advanced threat detection which combines behavioural analysis, data science techniques, and threat intelligence. And finally, the advanced response system boasts orchestration and automation capabilities to help get rid of threats before they impact your business.

RSA NetWitness Screenshot

One of the main drawbacks of RSA NetWitness is that it’s not the easiest product to use and configure. There is, however, lots of comprehensive documentation available which can help you with setting up and using the product. This is another enterprise-grade product and you’ll need to contact RSA sales to get detailed pricing information.

3. ArcSight Enterprise Security Manager

ArcSight Enterprise Security Manager helps identify and prioritize security threats, organize and track incident response activities, and simplify audit and compliance activities. This is another product with a somewhat convoluted history. Formerly sold under the HP brand, it has now merged with Micro Focus, another HP subsidiary.

The ArcSight Enterprise Security Manager is another immensely popular SIEM tool that’s been around for more than fifteen years. The tool compiles log data from various sources and performs extensive data analysis, looking for signs of malicious activity. And to make it easy to identify threats quickly, the tool lets you view the analysis results in real-time.

ArcSight Command Center

Feature-wise, this product doesn’t leave much to be desired. It has powerful distributed real-time data correlation, workflow automation, security orchestration, and community-driven security content. The ArcSight Enterprise Security Manager also integrates with other ArcSight products such as the ArcSight Data Platform and Event Broker or ArcSight Investigate. This is yet another enterprise-grade product that, like pretty much all quality SIEM tools, will require that you contact the sales team to get detailed pricing information.

4. Splunk Enterprise Security

Splunk Enterprise Security—or Splunk ES, as it is often called—is possibly one of the most popular SIEM systems and it is particularly famous for its analytics capabilities. The tool monitors your system’s data in real-time, looking for vulnerabilities and signs of abnormal activity.

Security response is another of Splunk ES’ strong suits and that is important when dealing with DDoS attacks. The system uses what Splunk calls the Adaptive Response Framework (ARF) which integrates with equipment from more than 55 security vendors. The ARF performs automated response, speeding up manual tasks. This will let you quickly gain the upper hand. Add to that a simple and uncluttered user interface and you have a winning solution. Other interesting features include the Notables function which shows user-customizable alerts and the Asset Investigator for flagging malicious activities and preventing further problems.

Splunk ES Risk Analysis

Splunk ES is an enterprise-grade product and, as such, it comes with an enterprise-sized price tag. As it is often the case with enterprise-grade systems, you can’t get pricing information from Splunk’s web site. You’ll need to contact the sales department to get a quote. But in spite of its price, this is a great product and you might want to contact Splunk and take advantage of an available free trial.

5. McAfee Enterprise Security Manager

McAfee is another household name in the IT security field and it probably requires no introduction. It is, however, better known for its virus protection products. The McAfee Enterprise Security Manager is not just software. It is actually an appliance that you can get in either virtual or physical form.

In terms of its analytics capabilities, many consider the McAfee Enterprise Security Manager to be one of the best SIEM tools. The system collects logs across a wide range of devices. As for its normalization capabilities, it is also top-notch. The correlation engine easily compiles disparate data sources, making it easier to detect security events as they happen, an important feature when trying to protect against real-time events such as DDoS attacks.

McAfee Enterprise Security Manager

There is, however, more to the McAfee solution than just its Enterprise Security Manager. To get a truly complete SIEM solution you also need the Enterprise Log Manager and Event Receiver. The good news is that all three products can be packaged in a single appliance, making the acquisition and setup processes somewhat easier. For those of you who may want to try the product before you buy it, a free trial is available.

Read What are DDoS Attacks and How to Guard Against Them by Renaud Larue-Langlois on AddictiveTips – Tech tips to make you smarter


Splunk ES Risk Analysis

Splunk ES is an enterprise-grade product and, as such, it comes with an enterprise-sized price tag. As it is often the case with enterprise-grade systems, you can’t get pricing information from Splunk’s web site. You’ll need to contact the sales department to get a quote. But in spite of its price, this is a great product and you might want to contact Splunk and take advantage of an available free trial.

5. McAfee Enterprise Security Manager

McAfee is another household name in the IT security field and it probably requires no introduction. It is, however, better known for its virus protection products. The McAfee Enterprise Security Manager is not just software. It is actually an appliance that you can get in either virtual or physical form.

In terms of its analytics capabilities, many consider the McAfee Enterprise Security Manager to be one of the best SIEM tools. The system collects logs across a wide range of devices. As for its normalization capabilities, it is also top-notch. The correlation engine easily compiles disparate data sources, making it easier to detect security events as they happen, an important feature when trying to protect against real-time events such as DDoS attacks.

McAfee Enterprise Security Manager

There is, however, more to the McAfee solution than just its Enterprise Security Manager. To get a truly complete SIEM solution you also need the Enterprise Log Manager and Event Receiver. The good news is that all three products can be packaged in a single appliance, making the acquisition and setup processes somewhat easier. For those of you who may want to try the product before you buy it, a free trial is available.

Read What are DDoS Attacks and How to Guard Against Them by Renaud Larue-Langlois on AddictiveTips – Tech tips to make you smarter

The Best Software Update Tools for 2019

Keeping software up to date might not be an administrator’s top priority but it remains an important task that should definitely not be overlooked. It is also a tedious and time-consuming task and we’re all convinced that we have better things to do. Regardless of whether this is true or not, that can leave many of us searching for ways to automate the process.

Best 5 Software Update Tools

This is precisely what this post will be about as we explore the ins and outs of updating software but, more importantly, review some of the best tools you can use to assist with this important but too often neglected task.

As we often do, we’ll start off with some general considerations and discuss the necessity of updating software, exploring why it is more important than you might think. We’ll then pause briefly as we discuss the differences—if any—between patching and updating software. Next, we’ll cover the benefits of using software update tools before we have a look at the main features commonly found in them. That will lead us to the core of the matter: our reviews of five of the best tools that you can use to keep software up to date.

The Necessity Of Updating Software

There are several reasons one would want to update software. Some will argue that having all the latest features of the software you use is the most important reason. But while taking advantage of the latest and greatest features may look tempting, there is also a degree of risk associated with it. What if the update breaks something that used to work? Or what if the new version drops a feature that you need? What if the software is so different that users need to be re-trained?

The other major reason for updating software is security-related. Ill-intentioned individuals and groups are constantly looking for vulnerabilities in software that they can use to gain access to your systems and data. Software updates and patches typically address and correct those vulnerabilities, thereby making your environment more secure and reducing the risk of attacks.


Updating and Patching – Any Difference?

It seems like software updating and software patching are two terms that are often confused and used interchangeably. There are, however, a few differences between updating and patching software, at least from our point of view. Updating software typically refers to adding new features or new functionality to software. An update will typically increment the version number of the software. For instance, you’ll go from version 6.1.5 to version 6.7.1.

As for patching software, this is a process that often happens between updates and its primary purpose is fixing bugs or correcting some discovered security vulnerability. As a general rule, patched software keeps the same version number although this is not necessarily the case.

From a software update tool’s perspective, the two terms can be used interchangeably as most tools can be used to handle either updating or patching software. Some of the tools we’re about to review are advertised as patch management tools while others call themselves deployment or update tools.

The Benefits Of Using Software Update Tools

Updating software is a tedious task. In fact, it’s not the actual update process which poses a problem but rather the whole update management process. You need to research what updates and patches are available, evaluate whether you need them, plan their deployment, etc. It can quickly become a daunting endeavour, even more so when you have a number of computers to update.

Gone are the days when updates and patches were scarce. Back then, you could easily omit software updates and wait for the next major version. But with the modern threat scene, this is no longer the case and there are compelling reasons to install each and every update and patch that’s available.

Patch management or software deployment tools can help with keeping all your software up to date. These tools automate multiple tasks within the patch management cycle, making the whole process a much simpler deal. The best ones will even check the web for updates and schedule their deployment with little or no intervention on your part.


Main Components Of Software Update Tools

Software update tools vary greatly in their feature sets. They all share some common functionality and the same general goal: helping you keep your software up to date. But some are fully automated and will handle every aspect of software updates and patch management, while others are merely deployment tools, leaving you with the task of locating, downloading and testing updates and patches before deploying them. Some of the most common features of software update tools include the following.

Software Inventory

A detailed inventory of all installed software and their current updates and patches is performed automatically on all computers. This can help ensure that all software is kept up to date and with all the required patches.

Checking For Available Updates

Software update tools will scan each publisher’s website for available updated versions and patches of all your installed software. This operation is typically based on the results of the software inventory process so that only updates and patches for existing software are considered.

Download Updates And Patches

Once the available updates and patches are identified—either automatically or through a manual process—they can be automatically downloaded from each publisher’s website. This ensures that Internet usage is kept minimal and that files are only downloaded once, even when dealing with hundreds or thousands of computers.

Scheduling Deployment

Whether updates and patches were acquired manually or automatically, this process will schedule their deployment according to the organization’s policies. For instance, end-user machines are likely best updated when they are not in use, especially if the update requires a reboot. And on large networks with hundreds—if not thousands—of machines, it might be advisable to deploy updates and patches in smaller batches. The scheduling options of software update tools are usually quite flexible.

Deployment Staging

Updating software poses a certain risk. This is particularly true with critical software such as operating systems or other major services like email or databases. Applying updates or patches is always accompanied by a risk that something that used to work will stop working. For that reason, it is often advisable to go through a staging phase before any large-scale deployment. A group of carefully selected machines can be updated and then thoroughly tested before the general deployment is scheduled.

Rollback

But despite all the testing and all the staging that is put in place, there will be situations when you might have no choice but to roll back installed updates or patches. The best tools, of course, will have that functionality built right into them.
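The components above form one cycle: inventory what is installed, work out what is missing, update a pilot group, check it, then roll out in batches and roll back anything that breaks. The following added example (not code from any of the tools reviewed here) models that cycle over a constructed inventory. Host names, patch identifiers, the batch size and the health check are all assumptions; a real tool would replace the `install` and `rollback` helpers with calls into WSUS, a package installer or an agent.

```python
"""Staged patch rollout: inventory, missing-patch check, pilot, batches, rollback.

Added example, not any reviewed product's code. Hosts, patch IDs and the
health check are constructed for illustration.
"""
import copy
from dataclasses import dataclass, field

# Constructed inventory: host -> patches already installed (not real KB numbers).
INVENTORY = {
    "web01": {"PATCH-001", "PATCH-002"},
    "web02": {"PATCH-001"},
    "db01": {"PATCH-001", "PATCH-002", "PATCH-003"},
    "app01": set(),
    "app02": {"PATCH-002"},
}
REQUIRED = ["PATCH-001", "PATCH-002", "PATCH-003"]  # assumed baseline


def missing_patches(inventory, required):
    """Inventory step: list the required patches each host still lacks."""
    return {host: [p for p in required if p not in installed]
            for host, installed in inventory.items()}


@dataclass
class RolloutReport:
    applied: dict = field(default_factory=dict)   # host -> patches installed this run
    rolled_back: list = field(default_factory=list)
    status: str = "pending"                        # rolled_back | halted | complete


def staged_rollout(inventory, required, pilot, health_check, batch_size=2):
    """Update the pilot group first; a pilot failure rolls it back and stops.

    Otherwise the remaining hosts that need patches are updated in batches,
    and a failing host in a batch is rolled back and the rollout halted so
    the problem can be examined before more machines are touched.
    """
    report = RolloutReport()
    todo = missing_patches(inventory, required)

    def install(host):
        # Simulated install: mark the missing patches as present.
        patches = todo[host]
        inventory[host].update(patches)
        report.applied[host] = patches

    def rollback(host):
        # Undo only what this run installed, never pre-existing patches.
        inventory[host].difference_update(report.applied.pop(host, []))
        report.rolled_back.append(host)

    # Staging phase: carefully selected machines, fully checked before anything else.
    for host in pilot:
        install(host)
    failed = [h for h in pilot if not health_check(h)]
    if failed:
        for host in pilot:
            rollback(host)
        report.status = "rolled_back"
        return report

    # General deployment in smaller batches; skip hosts that need nothing.
    rest = [h for h in inventory if h not in pilot and todo[h]]
    for start in range(0, len(rest), batch_size):
        batch = rest[start:start + batch_size]
        for host in batch:
            install(host)
        failed = [h for h in batch if not health_check(h)]
        if failed:
            for host in failed:
                rollback(host)
            report.status = "halted"
            return report
    report.status = "complete"
    return report


if __name__ == "__main__":
    inv = copy.deepcopy(INVENTORY)
    # Constructed health check: assume the service on app01 breaks after patching.
    report = staged_rollout(inv, REQUIRED, pilot=["web01"], health_check=lambda h: h != "app01")
    print(report.status, report.applied, report.rolled_back)
```

Two design points worth noting: rollback only removes what the current run installed, so a host that already had a patch before the run keeps it, and a failure anywhere stops the rollout rather than skipping the bad host, because a patch that breaks one machine is a signal about the patch, not just about that machine.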


Using Software Publishers’ Built-in Tools

Some of the larger software publishers—one can think of companies such as Microsoft or Adobe, for instance—do include some form of patch management or self-updating feature built right into their software or they offer a proprietary patch management tool. While using them could be tempting, it is far from perfect. For starters, if you manage software from multiple vendors, you could end up having to deal with several patch management systems, each with its learning curve.

The Best Software Update Tools

We’ve searched the market for the best software update tools we could find and we’re glad to introduce our findings. Some of these tools will integrate with tools from the big software publishers such as WSUS and SCCM from Microsoft. Others, on the other hand, are totally stand-alone. Some tools are better suited for smaller environments and some will scale up to installations of almost any size. Let’s have a look at the best features of each tool.

1. SolarWinds Patch Manager (FREE TRIAL)

Most network administrators are familiar with SolarWinds and its many excellent products. After all, the company has been making some of the best network and system management tools for about 20 years. Its flagship product, the SolarWinds Network Performance Monitor is recognized as one of the best SNMP network monitoring tools. And the company is also famous for its free tools, each addressing a specific need of network administrators. Some of these tools include a free TFTP server or a free subnet calculator.

But when it comes to patch management, the SolarWinds Patch Manager is what you need. This is another excellent product with an impressive feature list. Featuring an intuitive web interface, the tool will let you view the latest available patches, the top 10 missing patches in your environment, and the general health overview of your environment based on which required patches have been deployed.

The SolarWinds Patch Manager’s reporting engine is another strength of the product. It offers easy-to-use and powerful reporting which can provide information on the status of patches. Reports can also be used to demonstrate to auditors that systems are patched and compliant and help find those that are not.

SolarWinds Patch Manager Dashboard

The SolarWinds Patch Manager features centralized patching of Microsoft servers and third-party applications. As such, you can use it to deploy and manage both 3rd-party applications and Microsoft patches. This tool can simplify your patch management process. It will handle patch research, scheduling, deployment, and reporting. Using it can save you a lot of time. In fact, the more servers and computers you have, the more time you’ll save. All that while assured that all needed patches are applied. Who could ask for more?

And it gets even better. The SolarWinds Patch Manager works with your Microsoft SCCM and WSUS installations, adding to the functionality of these tools. Furthermore, its Custom Package Wizard will let you easily build custom packages for any application. All that without having to resort to the use of SCUP or any complicated scripting. These custom packages can be used to deploy any MSI, MSP or EXE via Microsoft WSUS or SCCM. And these are only some of the tool’s best features. It has much more to offer.

Prices for the SolarWinds Patch Manager start at $3 690 and vary according to the number of nodes you need to manage, from 250 to 60 000. If you prefer to try the tool before committing to its purchase, a free 30-day fully-functional evaluation version is available for download.

For more info, read our full review on the Patch Manager from SolarWinds.

2. PDQ Deploy

Next on our list is a systems management solution for the Small and Medium Business (SMB) market called PDQ Deploy. As you might have guessed from its name, this is a software deployment system, not just an updating or patching tool. Of course, you can use it to manage and deploy updates and patches but it will do much more. With this tool, system administrators can silently install almost any application, update or patch to multiple Windows computers simultaneously.

PDQ Deploy Screenshot

PDQ Deploy comes with over 200 ready-to-deploy, pre-built packages for some of the most common applications. You can also create custom, multi-step deployments that can include running local commands or scripts using PowerShell, VB or batch language. The tool can also interact with Active Directory, Spiceworks, and PDQ Inventory, the publisher’s own hardware and software inventory solution. As for update and patch management, the system will automatically download, schedule, and deploy updates and patches.

PDQ Deploy is available in two versions: a Free version and an Enterprise version. The two products mostly differ in their respective feature sets with many of the more advanced features only available with the Enterprise version. Patch and update management is one of those advanced features that require the Enterprise version. This software differs from its competitors in that it’s not priced based on the number of managed nodes but instead on the number of administrators using it. And at $500 per admin, it is more than reasonably priced. And like its competitors, a free trial version is available if you want to give the product a try.

3. ManageEngine Patch Manager Plus

ManageEngine is another familiar name in the field of network management. The company’s software update tool is simply called the ManageEngine Patch Manager Plus. Why Plus? Simply because the tool offers more than just patch management. The tool is simple to set up and use, and it will keep Linux, Mac, and Windows systems updated. Furthermore, this tool can handle updates and patches for over 250 third-party applications, including most of the popular ones.

ManageEngine Patch Manager Plus Screenshot

The ManageEngine Patch Manager Plus can help you ensure patch compliance, thereby helping you with regulatory issues. Real-time audits and reports are also available. Testing is one of the product’s strong suits and updates and patches can be tested and approved—or declined—depending on severity and priority. Test groups of computers can easily be set up, letting administrators measure the impacts of any patch before its wide-scale deployment.

The ManageEngine Patch Manager Plus is available in several editions. There’s the Free Edition which is limited to 25 devices. Next, you have the Professional Edition starting at $245 and the Enterprise Edition starting at $345. Compared to the Enterprise Edition, the Professional Edition lacks a few features such as the ability to update virus definitions on target machines, the automated testing and approval of patches, and the possibility to use distribution servers.

4. GFI Languard

It’s no accident that GFI Languard’s name doesn’t seem to reveal that this is a software update tool; it’s not. GFI Software, the tool’s publisher, claims that it is “The ultimate IT security solution for business”. This tool is clearly way more than just a software update tool. It will scan networks for vulnerabilities, automate patching, and help achieve compliance. You can think of it as a cross between software updates, patch management, and vulnerability scanning.

GFI Languard Screenshot

One thing that sets this software apart from the others is that it doesn’t only support desktop and server operating systems. It works just as well with Android or iOS. GFI Languard routinely performs some sixty thousand vulnerability tests and ensures your devices are all kept up-to-date with the latest patches and updates.

The intuitive reporting dashboard of GFI Languard is definitely worth mentioning. And so is its virus definition update management which works with all major antivirus vendors. As for the tool’s patch management abilities, it will not only patch operating systems but also web browsers and many third-party applications.

As for the vulnerability assessment features of GFI Languard, these too go well beyond the desktops and servers. They’re available for a wide range of networked devices such as switches, routers, access points, and printers. This tool will also let you view some security issues within your networks such as rogue USB Drives, phones, and tablets.

GFI Languard has a rather complex pricing structure. It is a subscription-based service and its subscription must be renewed annually. Prices are calculated per node and the cost per node lowers as one adds more nodes. To make things even more complex, you have one price for the original subscription, one for each node that you add during the subscription term, one for the subscription renewal and one for upgrades. For users who prefer to try tools before buying them, a free trial version is available.

5. Kaseya VSA

Although our last entry is not a software update tool per se, we felt it deserved a spot on this list. At its core, Kaseya VSA is a remote support platform but it excels at automating various tasks, such as updating software. The tool features a remote control module that allows you to implement bulk updates as well as to remotely connect to and administer any end device. The tool also provides automated network monitoring with built-in alerts, patch management, and service auditing, making it a very complete remote monitoring and management solution.

Kaseya VSA - Live Connect Screenshot

Feature-wise, Kaseya VSA has everything you’d expect. It has remote control, patch and vulnerability monitoring, audit and inventory, network monitoring, virus protection, unified backups and compliance management. The tool also features AssetIQ, a contextual documentation management system made to ease the task of managed service providers. It can, for example, be structured as a script for Help Desk agents to work through an incident and eventually direct problems to back-office staff.

And when it comes to updating software, the tool will let you set up policies to automate your patching processes. These can include software deployment, patch management, and issue troubleshooting. Kaseya VSA also includes real-time visibility that shows you the patch status of all the software you’re monitoring and lets you keep an eye on which network devices are on or off. This product can be rather useful should you choose to manage patches as part of a larger remote monitoring effort and ensure that all your network devices are performing correctly, that they are being used appropriately, and that their software is kept up-to-date.

Pricing for the product is not readily available but it can be easily obtained by contacting Kaseya. Furthermore, both a demo and a 14-day free trial version are available so you can see for yourself how the product fits your specific needs.

Read The Best Software Update Tools for 2019 by Renaud Larue-Langlois on AddictiveTips – Tech tips to make you smarter