Tom here from Lawrence Systems, and welcome to a special sponsored technical demo brought to you by Blumira. They produce a SIEM tool plus XDR, a platform combining the essential tools of logging, automated 24/7 threat management, monitoring, detection and response. This is also a tool we're currently using for our clients. Sponsors are chosen for my channel based on what I feel is in alignment with you, the audience, and Blumira is designed to be used by internal IT teams or companies in the managed service provider space who have to manage multiple clients. So yes, they fully support multi-tenancy. You will find links in the description down below to their site: either choose lawrence.video/blumira, or lawrence.video/blumira-msp if you're in the managed service provider space. Also put in the comments down below if you think it should be pronounced "seem" or "sim". I've seen some debate on this, but for the rest of this video we're just going to pronounce it Blumira.

All right, I want to start here at a high level to talk about where Blumira fits within your security tool stack. Blumira has not only an agent, but also sensors and a cloud connector. You can think of it as the system that can glue together all these different systems, so you have a single place to do your security investigations that has all the data. That data can include firewall data, data from the actual endpoint agents such as a Windows agent, the Blumira sensors that are pulling in syslog data, and also Blumira cloud connectors for things like integrations with Office 365, Duo, Cisco Umbrella, Google Workspace, SentinelOne. So this is not a replacement for your endpoint security tool.
This is a way to have that data also included in your security investigation, because endpoint tools such as SentinelOne are going to give you what's going on with the endpoint, but then you're feeding that data to Blumira, and Blumira has other data that it can cross-reference in there, such as your firewall logs, your Microsoft Office 365 logs, and even your cloud security service logs. Once you start putting all of this together, now you have one place where you can say the endpoint triggered this, then from the endpoint it did that. And this allows you to investigate everything very well by having all your data pulled into one monitoring service. It's really slick how this works.

And I really like their firewall integration as well, because this not only ties together the other information, such as the endpoint security vendors and the cloud vendors, but then what about the firewall? Well, that is going to be something I want to talk about right here at the top. Yes, they have pfSense support. I bugged them about this for a little while, that I would love all my pfSense firewalls to do this. We've been using Blumira for a while, and so we worked with them to build the updated parsers for it. But if you're not a pfSense user, don't worry. They've got Check Point, Cisco ASA, Cisco Meraki, Citrix Application Delivery Controller, F5 BIG-IP, Fortinet, Palo Alto, SonicWall, Sophos, WatchGuard. If you don't see something on the list here while I'm doing this video, go ahead and check their page or reach out to their salespeople. There may be more in the pipeline that are supported by the time you're watching this video. They iterate relatively fast.

On a side note, for things like Windows deployments, the agent deployment is actually really easy. Before you go, "but I have like 7,000 agents I have to monitor, how hard is that to deploy?": they do support automation for the deployment.
For example, we're using this in our RMM tool, which allows us to massively deploy this out to any of our customers that are on the Blumira plan. It's just easy to use, easy to integrate, and get the logs going and shipping. Now, the nice thing with the Windows agent is that if that user happens to be someone who's not always in the office, it does not have to send the logs to a local collector at that office. The Windows agents can ship the logs right to Blumira. So if this person is not in the office and they are mobile with a laptop and traveling, that information can flow right through to Blumira.

All right. Now let's talk a little bit more about the reporting. I'm going to be talking about the Blumira Executive Summary Report. I will show some of the stuff that we have at Lawrence Systems and CNWR that we have integrated, but I will be flipping back and forth between a demo that doesn't have any personal information from the companies in there versus mine. So this one right here is ours; that's why it says CNWR at the top. And you can see how much data Blumira has analyzed and retained to date: 630 gigs. A few things got changed after the merger; I think they actually have more data than that, so we've been using them for a while. But this is really nice, because they can show the Meraki IP Flows, Meraki URLs, pfSense Traffic and other Meraki Flows. And yes, we are using Meraki at one of our locations and we have pfSense at the other location. This is actually a really cool thing with Blumira: if you're in an environment, and this happens quite a bit, where you have a mix of different locations with different firewalls set up, you can flow all that data together and then have an executive summary for that particular client, and in this case that client is us. And then that data goes right in here. I can get a consolidated summary view of that data and risks across both organizations.
Now, most of the triggering that happened in here was us testing things, because this is loaded on the tool, some of the systems we have here and demos we have at CNWR and Lawrence Systems. And you can see, like, Microsoft Consent Application Granted. So when you have someone authing against Office 365 to add applications, if those applications are not normal, you may get some that are not tuned to be on your list of "hey, go ahead and approve this." It may have a prompt that comes in here. There's actually a ton of fine tuning you can do. I'm not gonna spend a lot of time on it, but it's a feature you can have. So if you have things that are regular on your network, you go, yes, go ahead and grant those. That way you can focus on only the anomalies, like when someone suddenly wants to grant an application that's not normally used in your organization.

ScreenConnect is a tool we use, and playing with PowerShell execution, remote command execution over ScreenConnect definitely triggers it, but as it should. That way you know, even if someone were to compromise one of your remote access tools, you have a way to follow up with what happened. And actually that's one of the demos I'm gonna show, is how that looks. We did have a Splashtop one, just one incident there.

Suspicious inbox rule creation. This one's huge for stopping business email compromise: being notified that suddenly someone, or many someones, are changing all their inbox rules. That is a reason to investigate, 'cause it's not something people do every day. This is what happens in business email compromises: if they steal a session token or get on an endpoint, they'll go in and use that auth session token to update rules to start forwarding emails out, often creating a forward rule. So the suspicious rule creation in this case was creating some forward rules in there, and it triggered on that and notified us. Impossible travel active logon.
So if someone logs in, and let's say Tom was playing with a VPN and popped up in a different country and then tried to log in again, you've now done an impossible travel within a few minutes. You've suddenly popped up at two very different locations. So you can have that monitored, and it may be completely not a problem, or it may be a real problem. But this is the tool that lets you investigate what that is. And this is the summary report for what was done. This is also used to show to your clients, so you can show them what you did over a certain time period, because the real time action is what we're going to talk about next.

Now we're at the dashboard, and I'll be switching back and forth, so I don't have to redact information on our account, to a demo account provided to me by Blumira to do this video. So this is the FurnerTech one, and then the other one we're going to be going to is my CNWR one. I want to show the MSP portal real quick. So if you're in the managed service provider space, they do have a complete portal. I can't show you this because all of our clients are in there, and well, I don't want to dump that information online. You can click Add Account for each individual one of your clients that you manage and choose which version of the system you want. This is kind of cool, because you can have different tiers maybe that you're selling, and then each client can have a different tier set up. So you can have them on the Pro endpoint visibility or XDR edition, or the free edition to do some basic monitoring. And if you're someone who goes, "well, I have a hundred plus clients, how do I get them all in here? I don't want to fill this out a hundred times": yes, they have a template. You can just download this template, put all your clients in there and upload it, and they will take care of aligning all of that for you.
So this is a cool feature if you want to onboard, or you're moving from another system and you want to get all of your clients set up so you don't have to manually type them all in. Now, this doesn't matter if you're a single IT organization using this; you don't really have to worry about the MSP portal, but you can have multiple locations. So we're actually going down here to Settings, and we have our locations, one of which is our Toledo office and our Southgate office. Then when you look at the cloud connectors and sensors, if we look at this, here's all the different cloud connections, which is for all of the organization, and then the sensors once again have location tags on them. So from the single organization, as I showed you in the summary report, this is how we pull information from one organization but multiple sensors at multiple locations. So this is something for internal IT teams, or even a single client that has multiple locations, that you can do. This allows you to understand where the data comes from. You can do drill-downs on these, but it does have the location option to individually track all of this data.

Now, I set up this particular demo with this Tom VirtualBox Studio LAN. We're going to click on this and go to device details. Don't worry, I can show you the IP address information in here, and I have triggered some unresolved findings, so we'll walk through what that looks like really quick. So, platform Windows. I can go to view the device logs, view unresolved findings. It gives me the internal IP, the external IP (you can look it up; that's actually behind a PIA VPN), whether or not this host is isolated, where I can isolate it here or exclude it from host isolation. This is a way you can build rules and say, if an event happens, automatically isolate this host. Now the log data still gets shipped to Blumira, so you'll still have access to any of the logs it sent, but once you've host isolated it, you've stopped anyone else from accessing it, including other tools.
This is a really handy way to stop threat actors who are not necessarily physically at the computer but are remotely accessing it via command and control servers. So host isolation allows you to say, stop, this computer can no longer talk to the internet until we can figure out why it's doing what it's doing. But you may want to exclude it if you have automatic host isolation. This is one of those things where, if there's a false positive, you don't wanna stop a database server, for example, so you can decide those parameters. It does have fine-grained controls over it.

But let's go ahead and look at the logs and the device to give you an idea of how you pull logs together. So here are the device logs. It kind of just gives you a dump, but let's go ahead and show advanced and add suggested fields to narrow it down. All right, we have a little bit more information here, but maybe more than we want, and this is a way you can start parsing things. So we can start adding filters to this, ID equals or command equals, for example. And actually, what I triggered, I think I did a whoami, so let's go ahead and equals this, submit, and there we go. Here's me running whoami, and I'm able to say, all right, this is narrowed down to the single command I was looking for. You can also take these logs, if you don't wanna use their tool here, and export them to JSON or export to CSV. The system, as far as the web interface, is only gonna show you so many logs at a time, so it's not scrolling your screen, but when you do the exports you can dump out all of these logs to really get a good grip on everything that it has in there. On the screen you're gonna have some limitations, but it's gonna be dumped on the screen. It's not the most useful until you start filtering for what you're actually looking for.

Now, because I pivoted from a single instance, a Windows machine, into the report builder, it started showing me all the logs for that particular device. But if you want to just go to the report builder, we can choose things like previous one hour all the way up to 30 days, and then start choosing your data sources, like Azure sign-ins or whatever you've integrated into your system. These are showing you what logs are available. We even have honeypot logs if you'd like to look at those, Juno system, Microsoft Windows logs. I don't know what all is in this demo account. I switched back over to this one because that way I can actually show you what some of the data dumps look like, and it's gonna show some general Windows logs here. So these are some of the tests that they have, and you can turn this on or off for add suggested fields, or apply distinct counts to the report, so you can start narrowing things down and of course filtering down to exactly the thing you're looking for. Generally you're not looking through the logs; the logs are gonna be pulled together through the findings.

So let's jump over to the findings that I have. We're gonna start this investigation from the dashboard. I have two unresolved findings; they're both for the same system. Blumira groups things together, because there's actually more commands that I ran, but I ran them in two different ways. The first one was the remote access tool ScreenConnect. So you can pretend someone has a reverse shell or took over a ScreenConnect session, a remote access tool frequently used by a lot of enterprise IT, and from there they wanna know what level of access they have. If they have shell access, they're gonna ask this question, maybe something like whoami. Obviously if you're ScreenConnecting, you're familiar with it; you know it has full access. So we also first ran whoami, which is under here, because we wanna know what level of access, and then we said, hey, let's run like net use, because I wanted to know what shares might be connected to the system. So there's the command that was run, and it groups them together instead of creating multiple findings. So all of the things that happened with a shell connection, and how it was logged, is all in this finding here, so you can start the process.

Now Blumira walks you through the process. First we gotta assign who's the responder to this, so we're gonna assign that to me. Was this executed by an approved administrator as part of normal business operations? No, it was not, and we can start walking through: proceed to next question. This allows you to, without having a whole manual, follow your procedure as much as possible. They have their own procedures here that walk you through a security investigation, so you don't need to have someone who's extremely skilled at doing this day in, day out. Someone can go, oh, I can walk through these questions. Files were created by the user, sensitive data was accessed, some combination of activity was observed, this is ongoing security testing. That seems like a good answer, for "internal security testing, red team, penetration testing, internal." I was the one doing it, and now we can mark this as resolved. Now this is also where rules get tuned. So if a rule is triggered, that's your opportunity to actually update the detection filter, to decide whether or not this is a regular occurrence, and start building rules upon it from there. They've got good documentation that shows you how to do that, but they have where these rule builders are. Also there are attachments and notes, resolution notes and details. So once these are done you can close it all, but then have this as an archive when you have to look it up later, or if it is an actual real incident, these are gonna be very important to whoever's doing your incident response, or your insurance providers.

Let's go back over to findings and talk about why this one was different, and that's really simple. On this one we'll go to view finding details, and the same questions are in there. Was this performed as a security test? Yeah, we're gonna go with yes, it was in our security test, but we can't choose that until we've assigned myself to it, so save this, and we'll say yes for security test. Now, the reason this finding didn't get grouped in, the clearing of event logs, is because I didn't do this one through the shell. So let's say someone got on the system and said, hey, let's go ahead and just use ScreenConnect to interact, and we just ran Clear-EventLog in PowerShell, which of course immediately is something a user shouldn't be running. So once again, we have a trigger that would create this finding and then start your investigative process on it, and that's why this is a different type of finding than a back-end shell one, because I did this interactively over the screen by opening up PowerShell. And we'll just scroll back up here to the top and we'll just close the finding as valid.

Now switch back over to the demo account, because I wanna show you a non-Windows event. And let's go here and view the finding details of this unauthorized attempted access: a public IP is attempting to connect via SSH to the network. So what is this approved network activity? Well, what if it was? Well, that means we're gonna go here to the detection filter, and we don't want this alert to keep popping up every time that Bob logs in, because this is Bob's remote IP. He's allowed to SSH in, and for some reason we didn't create a firewall rule to filter only for Bob's IP, so it hits the system publicly, and we just don't want it to keep triggering in Blumira. Maybe not the best example, but I wanna just give people the idea that we could say source IP equals, we put Bob's IP in here, and maybe we build out more rules. When a rule is triggered, it is your opportunity, if it's a false positive, to not have it happen again by tuning the rule and adjusting it. So this means when you first onboard Blumira, you're gonna get some noise in there for things. Now their rule sets are good; you can disable and enable rules as a baseline, and work with your sales engineer to get it all set up, but in the end there's always gonna be some false positive, or hopefully not, but if there is, you have the opportunity on that trigger to stop that trigger from happening again, either by making an adjustment to the detection filter or looking externally and going, maybe we shouldn't have SSH open. Either way it gets you to a better security posture, because less noise and focusing the alerts down to only the alerts that are necessary makes your job easier in the big picture.

Now, speaking of making your job easier, right here are the detection rules, where you can select the presets of enabled or disabled. And this is important, because this is where you're going to say I do or do not want these rules for this particular customer's environment. Maybe this one makes sense to you, where I wanna look at a windowed amount of time, that one gig plus of outbound connection via generic network services going out. This may look like data exfiltration, but for example, me being someone who uploads a lot of videos to YouTube, this would go off all the time. You'd have to do some tuning, so you can actually turn these on or off depending on the use case. So you can at least pre-set up the system for the most part. You can enable, or just say I want these rules turned off because I know I'm going to have a problem with this all the time; it's gonna trigger too much. So there is some level of tuning you can do, but they try to find a good balance when they're setting this up for which rules are enabled and disabled. Once again, talk to your sales rep about your environment; they can help you with that.

Now, one last thing I wanna cover is gonna be the devices and the installation of those devices. Really easy: you build an installation key, select that key, select the OS, and then deploy. As I said, this can be built into scripting and automation so you can deploy at scale, or you can do it on a one-off individual basis. Now, going further back down the settings again, the cloud connectors. This is where the cloud connectors are really easy to set up. You just punch in the add cloud connector, choose AWS for example, put in the name, access key, secret ID, AWS region. Really simple; they've automated a lot of this. You can see with Blumira the last status update was on November 3rd, today. For each of these we know when they were created, when the last update was, and the total logs that have been ingested from each one of these. So our cloud has 717,000 logs that we can parse inside of there.

Now the sensors are a little different, because when we wanna add a new sensor we go here, give it a name, give it a description, and we'll just say email the sensor, and you tag what location, because we have two locations. We'll say, all right, we're gonna put one more sensor in Toledo. Now you really only usually need one sensor per location, but you could do more if that's what you needed, if there was some use case you had. And it's gonna email you the instructions. This just sets up in Docker; it's really straightforward. And here it is running in our XCP-ng system. This is our Southgate sensor. It's just ingesting syslog. This is how devices that are on-prem send syslog data to this, and then from that it parses it out and sends it over to Blumira. That way I don't have to try to figure out if devices may or may not support encrypted syslog, 'cause you don't want it going unencrypted across the open internet. You can ship all the logs to here, and then it will form the secure connection to Blumira and kinda act as a concentrator. So if you have a lot of little devices that maybe certain log information needs to flow into this, this is where you would send it from a syslog standpoint on your server-side network, and then it will concentrate that data over to Blumira and send those logs. It doesn't usually take too much to run this. We've only got a couple cores, well, eight assigned to it, which is more than needed. If you look at the stats on this, we're only using about 1.53 gigs of memory. I did reboot it just to see if it would go down, and it comes right back up to the same amount. It doesn't take too much to run this; there's a series of small Docker containers.

All of this gave you a better understanding of Blumira, and thank you Blumira for sponsoring this video. If you're interested in learning more about it, do check their documentation. It's ever evolving, and of course as the future rolls forward so do new features, and those will be listed in their documentation as well. I didn't even cover 100%, because the video would have been too long, so read through there; maybe you'll find other things that you're interested in that it also does. Or use my offer codes: just go ahead and try it for yourself and sign up with those two links I have down below, lawrence.video/blumira or lawrence.video/blumira-msp if you're a managed service provider, so you can find the version that's right for you. As I said, they service both sides of the industry. They have a free sign up, so go ahead, check it out and test it for yourself. That's really what I encourage. Love to hear from all of you; leave your thoughts and comments down below. Hoping to hear which one's the winner, whether it's "seem" or "sim", so curious about that. And connect with me in my forums or anywhere you can find me on the socials at LawrenceSystems.com. All right, and thanks.
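The two mechanics the demo walks through, several shell commands from one remote access session collapsing into a single finding, and a detection filter that suppresses a known-good source IP without disabling the rule, as an added Python example that is not Blumira's code; the events, field names, process names, rule names and IPs are constructed for illustration.

```python
"""Toy model of the finding workflow shown in the demo: rules match raw events,
hits that share a grouping key collapse into one finding, and a detection
filter suppresses a known-good source so it stops re-triggering.
Constructed example; not Blumira's rule engine, schema or rule names."""
import re
from collections import OrderedDict

# Constructed sample events. Field names, process names and IPs are made up;
# the IPs come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"host": "tom-vbox", "parent": "ScreenConnect.ClientService.exe", "session": "sc-1",
     "cmd": "whoami", "src_ip": ""},
    {"host": "tom-vbox", "parent": "ScreenConnect.ClientService.exe", "session": "sc-1",
     "cmd": "net use", "src_ip": ""},
    {"host": "tom-vbox", "parent": "powershell.exe", "session": "ps-7",
     "cmd": "Clear-EventLog -LogName Security", "src_ip": ""},
    {"host": "edge-fw", "parent": "sshd", "session": "ssh", "cmd": "ssh-login",
     "src_ip": "203.0.113.10"},  # "Bob": the one IP that is allowed to SSH in
    {"host": "edge-fw", "parent": "sshd", "session": "ssh", "cmd": "ssh-login",
     "src_ip": "198.51.100.7"},  # an IP nobody has vouched for
]

# Commands someone with a fresh shell typically runs first to learn their access level.
RECON_CMDS = re.compile(r"^(whoami|net use|net user|systeminfo)\b", re.I)
REMOTE_TOOLS = {"ScreenConnect.ClientService.exe"}  # assumed parent process of a ScreenConnect shell

# Each rule: (name, predicate over one event, grouping key). Events that hit the
# same rule with the same key become ONE finding, like whoami + net use in the video.
RULES = [
    ("Remote access tool command execution",
     lambda e: e["parent"] in REMOTE_TOOLS and bool(RECON_CMDS.match(e["cmd"])),
     lambda e: (e["host"], e["session"])),
    ("Event log cleared via PowerShell",
     lambda e: e["parent"].lower() == "powershell.exe" and "clear-eventlog" in e["cmd"].lower(),
     lambda e: (e["host"], e["session"])),
    ("Public IP attempting SSH to network",
     lambda e: e["parent"] == "sshd" and e["cmd"] == "ssh-login",
     lambda e: (e["host"], e["src_ip"])),
]

# Detection filters: per-rule exclusions added while resolving a false positive.
# This is the "source IP equals Bob's IP" tuning from the SSH finding; the rule
# itself stays enabled, so any other public IP still raises a finding.
DETECTION_FILTERS = {
    "Public IP attempting SSH to network": [{"src_ip": "203.0.113.10"}],
}


def excluded(rule_name, event):
    """True when every field of some filter for this rule matches the event."""
    return any(all(event.get(k) == v for k, v in flt.items())
               for flt in DETECTION_FILTERS.get(rule_name, []))


def build_findings(events, rules=RULES):
    """Return an ordered dict {(rule name, group key): [matching events]}."""
    findings = OrderedDict()
    for event in events:
        for name, hit, key in rules:
            if hit(event) and not excluded(name, event):
                findings.setdefault((name, key(event)), []).append(event)
    return findings


if __name__ == "__main__":
    for (name, key), hits in build_findings(SAMPLE_EVENTS).items():
        print(f"{name} on {key[0]} ({key[1]}): {len(hits)} event(s)")
        for h in hits:
            print(f"    {h['parent']} -> {h['cmd']} {h['src_ip']}".rstrip())
```

Running it yields three findings from five events: the two ScreenConnect commands share one finding, the interactive Clear-EventLog gets its own, and only the unvouched SSH source survives the filter.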