LogicMonitor Security Best Practices
At LogicMonitor we take the protection of customer data and cybersecurity very seriously. Security is a team effort and partnership between LogicMonitor and our valued customers. Below we have provided our recommended guidance on security best practices, and how to keep your LogicMonitor portals secure, including the 2FA authentication enablement. General Security LogicMonitor Security Corporate site: LogicMonitor’s Security corporate site provides resources for our customers who are interested in reviewing our security white papers or accessing SOC2 Type 2 and SOC3 reports. Security Best Practices: This comprehensive document offers invaluable security guidance and best practices which LogicMonitor strongly recommends be diligently followed. It also provides critical insights into how LogicMonitorsecures customer accounts, such as regular updates to strong, unique passwords and not sharingaccount information. Configuring Multi & Single Sign On Single Sign-On Integration Setup Guide: Single Sign-On (SSO) is a powerful mechanism for enforcing robust authentication measures, including 2FA, while simultaneously mitigating the risk of password-related issues. This guide outlines the prerequisites and initial setup steps for SSO, including how to restrict account access to SSO user accounts. Multi Sign-On Integration Setup Guide: Multi-sign on augments security by requiring multiple authentication factors. This document empowers administrators to add multiple tenants (Identity Providers), and manage users directly from their Identity Provider (IdP). Microsoft Azure Active Directory (AD) IdP for Single Sign-On (SSO) Setup Guide: Customers interested in utilizing Microsoft Azure Active Directory (AD) IdP for SSO will find this guide invaluable. It provides step-by-step instructions for integrating Azure with LogicMonitor. Additional Tools to Increase Security Account IP Whitelisting: Customers looking to restrict access to their accounts, based on specific IP addresses or subnets, can refer to point five (5) in the "Configuring the Portal Settings" section document for detailed guidance. Role Based Access Control settings: Role-Based Access Controls offer a powerful means of restricting access to security features or entire product sections for specific user groups. This document explains the numerous configurations available at the role level, ensuring that your security posture aligns seamlessly with your business requirements. Preparing for two-factor authentication (2FA) Remote Session Access Control: In preparation of implementing 2FA, this document comprehensively explains the Access Controls available for the Remote Session feature, allowing for enhanced security through customizable access restrictions or feature disabling. 2FA Setup Guide: This guide provides step-by-step instructions on configuring 2FA at various levels. LogicMonitor strongly recommends customers who are not currently using 2FA or employing Single Sign-On (SSO), without enabling the "Restrict to SSO" option, proactively enable 2FA for their non-SSO user accounts. User Reporting for 2FA: The User Report serves as a vital tool in securing your account with 2FA. It facilitates the identification of user accounts that do not currently utilize 2FA or lack associated phone numbers, which could potentially disrupt user access, if not addressed before 2FA is activated. See also 2FA FAQ’s&User Reports.445Views31likes0CommentsFinding Cisco IOS XE CVE-2023-20198 With ConfigSources
On October 16, 2023, Cisco published a vulnerability that affects IOS XE machines running the built-in web server:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z This is tracked ashttps://nvd.nist.gov/vuln/detail/CVE-2023-20198 By adding a simple Config Check to an existing Cisco IOS ConfigSource, LogicMonitor can help people quickly identify which resources have the web server enabled. Here is an example: Name: Cisco-CSCwh87343-Check Check type: "Use Groovy Script" Groovy script: /* The built-in string variable 'config' contains the entire contents of the configuration file. The following example will trigger an alert when the configuration file contains the string "blue". if (config.contains("blue")) { return 1; } else { return 0; } */ if (config.contains("ip http")) { return 1; } else { return 0; } Then trigger this type of alert: Warning Description: "Search for presence of Cisco CSCwh87343 vulnerability" Caveats: -This will apply to all devices where the ConfigSource is used, even though all devices may not be affected by the vulnerability -This assumes usage of ConfigSources and specifically the Cisco_iOS ConfigSource Thanks to Todd Ritter for finding this CVE and Creating the ConfigSource189Views16likes1CommentLogicMonitor Portal Security
These articles: https://techcrunch.com/2023/08/31/logicmonitor-customers-hit-by-hackers-because-of-default-passwords/?guccounter=1 https://www.bleepingcomputer.com/news/security/logicmonitor-customers-hacked-in-reported-ransomware-attacks/ ...indicate that some LogicMonitor accounts may have had weak default passwords applied and become compromised. Until we have an official word from LogicMonitor, may I suggest that all LogicMonitor administrators: Delete or suspend any users that should not be in your system Ensurethat no “out of the box” accounts are Active (including the lmsupport account) You should set this account to “Suspended” until we have word that this account is not affected Note that unless this account is Active, LogicMonitor Support cannot access your portal Enable2FA for ALL users I mean,you did that already, right? RIGHT? IMPORTANT: You need to do this for administrator users,even ifyou have SSO Ensure that any user that has not logged in recently (say for 60 days) is either deleted or set to Suspended IMPORTANT:Revoke administrator/manager rights from anyone that does not absolutely need them The recommendation is 2 users per LogicMonitor portal If you don’t recognise a user, seriously consider setting it to Suspended Be cautious of System Integration accounts - you may disrupt these if you are not careful If a system has access, ensure that this via an API user, not an Access Token on a named person. I will update this post with other suggestions as they are made.Solved1.2KViews19likes8CommentsWinRM Collector and Non-admin scripts beta
Hello, and welcome to LogicMonitor’s Beta for WinRM non-admin automation! At Logicmonitor we are constantly pushing the envelope on security. In our endeavor to further reduce the attack surface of our customers we are proud to bring to you the beta program for monitoring windows devices using least privilege. This beta would also allow you to try out our WinRM based collector. Goal for the beta Validate and test windows monitoring with WinRM based collectors running with least privilege in your environment. We suggest the following operations to test out the non-admin automation 1. Set up a normal WMI based windows collector to monitor your windows devices. 2. Set up at least 10 the WinRM based beta collector by following the instructions in the support page. Ensure that the collectors are not running under admin privilege after completing the setup. 3. Move your devices from the WMI based collector to the beta collector to confirm that the WinRM beta collector fulfills your windows monitoring needs. 4. Test out WMI, Powershell and perfmon datasources Timeline The beta has started and will run Through Sept 30, 2023. Documentation Since the process to install a WinRM collector is slightly more tedious than a normal LM collector, we advise you to go through the documentation before setting it up. Documentation for the beta is available at https://www.logicmonitor.com/support/configuring-winrm-for-windows-collector and updated as questions come in, or as things are added/fixed. Note: The beta is available in EA collector 34.100 and later. All you have to do is follow the steps in the support documentation above to install the WinRM collector. Feedback You can submit your feedback via this linkor post a comment here to chat directly with the product manager. You can also contact Logicmonitor support or you Customer Success Manager for further assistance.413Views13likes0Commentsmodernize WebSSH client
One of our customers could not connect via the WebSSH client to a newly setup switch using modern SSH algorithms. I personally only rarely use that feature, but I tested it and traced the issue to: %SSH-3-NO_MATCH: No matching kex algorithm found: client diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 server ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256 I added diffie-hellman-group14-sha1 to the switch KEX list, but would prefer to keep only modern algorithms active. Any chance we can get that client updated to negotiate newer algorithms? Security teams are more and more tight on what is allowed to operate within enterprise networks (for good reason). Thanks, Mark42Views4likes0CommentsPassword exposed by error message
@Sarah Terry Please address urgently. These new verbose error dialogs expose the WMI password. Ideally I'd like a Settings options to disable such verbose error messages, or restrict them byrole. (Also can these dialogs be more responsive, no a 1920x1080 screen these appear as narrow panels in the middle.)10Views1like8CommentsRansomware Monitoring
Curious if anyone is leveraging LM for first line Ransomware detection. Reading indicators typically include a high number of file name changes on the server/PC. Seems like that would be something that LM could help us identify early on and alert out to take action before additional servers are compromised. Looks like a working number is about 4 renames a second for the threshold. Thanks, Mitch9Views1like1CommentRead only agent / collector
I know I've brought this up before, but I'd like to bring it up again. LM's requirement that collectors run as local admins (or system) is a GAPING security hole in your product. No amount of certificate signing, or other like security measures are a replacement for running a collector or an agent as a read only account. The fact is, with every security measure you take, if the collector is running as an admin account or a system account, its going to be exploitable in one way or another. Having the signed scripts and what not, would be great, but really it shouldn't be the primary focus IMO. Security is much better when its locked down by default and opened up as needed, compared to what you guys are doing, which is a completely open system, that you're trying to add security enhancements on top of. It's almost akin to you guys having no firewall,and then adding a few rules here an there to block certain types of traffic, while the rest of the network is completely exposed. A more prefered architecture (security wise) would be an agent / collector that can run as a read only account and be supported. WMI, perfmon, and many other functions all work fine with a regular user, when it's executed locally. That is why an agent or a special collector is needed. Most ideal communication path would be an "agent" talks to a "collector" which then talks to the portal. This would also allow us to keep our internet locked down. I suspect this would also have the other advantage of taking a lot of load off the collectors and really putting most of the work on the agent, which is ultimately better given that the workload would be distributed. For now though, even having a "supported" configuration for a collector not running as a local admin / system would be a great step in the right direction. The reason this is less of a concern for solution like Solarwinds and SCOM is they're on premises based solutions, meaning there is much lower external risk factor. You guys are cloud, and there for need to design the solution from an untrusted point of view.30Views1like11CommentsCreate role for API only user
Problem I havea datasource that collects information from the LogicMonitor API. In order for this to work correctly I need a valid user on the LM platform with a valid API token. I can see two potential paths forward. Case 1 - Use my existing account as the datasource author with my API token. This has a big downside that if I have to leave the company for any number of reasons and my account gets disabled this datasource will stop working and is customer facing. This is probably not so good. Case 2 - Create a 'service account' inside LogicMonitor that can have its' own API token and if any one human needs to leave the company there really is not a big problem. The issue with this is that this user has a username and a password that can grant it access to the UI under all the permissions granted by the role but this account should/will never be used within the UI. This also generates a potential securityproblem because the password will most likely never be rotated because as long as the API user and token work this is simply going to sit there. Request Be able to create a new user type of 'API only' which will never have access to the UI and therefore you should not have to set any of the UI specific information for the account. This would remove the need for any of this information under that account: First/Last name/Email/Password/Force password change/2-factor/Phone/SMS/SMS Email format23Views1like3CommentsSecure syslog forwarding to LogicMonitor via TLS
Our team has verified that secure syslog forwarding (via TLS) is not supported currently and would like to submit a feature request to LogicMonitor DEV team to asseswhether securesyslogforwarding can be implemented. An example will be syslog-ng forwarding secure (i.e. encrypted) syslog messages to LogicMonitor collector. https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/concepts-tls.html This will enable centralized logging server to forward secure syslog messages to LogicMonitor collector then. Thanks & Best Regards, Horace31Views3likes0Comments