I'm trying to understand whether we should connect our remote access VPN clients to our SIEM for monitoring purposes. Specifically, does this help in checking for any suspicious login attempts and ensuring proper security logging?
5 Answers
Ideally, everything should connect to your SIEM for comprehensive monitoring. Proper integration means you can catch suspicious activities effectively, including bad auth attempts. Without it, you might miss something important.
We actually ditched the VPN entirely and switched to Netskope SASE. I feel like VPNs are just another risk unless you use IPSec throughout your network.
Nah, we've actually disconnected our VPN from the SIEM because it was just flooding us with alerts. Our dashboard now looks great - all green! Sometimes it's better to simplify things and avoid alert fatigue.
This is the way!
It's really about making sure all VPN activity is logged centrally in your SIEM. This way, it can alert you on anomalies. Also, having MFA and PKI can help prevent those bad login attempts before they become a problem. If users don't have a managed key setup, they won't even get to the authentication stage!
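As an added illustration of the centralized-logging-plus-alerting idea in this answer (example code, not from the answer's author or any vendor product), here is a small detector that parses constructed VPN authentication log lines and raises alerts for a burst of failed logins from one user/source pair and for a success that follows such a burst. The log format, hostname, users, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic syslog-like format (assumed, not from any real VPN gateway).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z vpn-gw auth user=alice src=203.0.113.10 result=FAILURE reason=bad_password
2024-05-01T08:00:05Z vpn-gw auth user=alice src=203.0.113.10 result=FAILURE reason=bad_password
2024-05-01T08:00:09Z vpn-gw auth user=alice src=203.0.113.10 result=FAILURE reason=bad_password
2024-05-01T08:00:12Z vpn-gw auth user=alice src=203.0.113.10 result=FAILURE reason=bad_password
2024-05-01T08:00:15Z vpn-gw auth user=alice src=203.0.113.10 result=FAILURE reason=bad_password
2024-05-01T08:00:20Z vpn-gw auth user=alice src=203.0.113.10 result=SUCCESS
2024-05-01T09:15:00Z vpn-gw auth user=bob src=198.51.100.7 result=SUCCESS
2024-05-01T09:30:00Z vpn-gw auth user=bob src=192.0.2.44 result=FAILURE reason=no_cert
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)"
)

def parse(log):
    """Turn raw log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "user": m["user"], "src": m["src"], "result": m["result"]})
    return events

def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on >= threshold failures per (user, src) inside a sliding window,
    and on a success from that pair while the failure burst is still in the window."""
    alerts = []
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps within window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "FAILURE":
            fails = recent_failures[key] + [e["ts"]]
            recent_failures[key] = [t for t in fails if e["ts"] - t <= window]
            if len(recent_failures[key]) == threshold:  # fire once when the threshold is reached
                alerts.append(("brute_force", e["user"], e["src"]))
        elif e["result"] == "SUCCESS" and len(recent_failures[key]) >= threshold:
            alerts.append(("success_after_failures", e["user"], e["src"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

In a real SIEM this logic would be a correlation rule over the normalized auth events rather than a script, but the two conditions are the same ones you would want it to encode.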
So, you're saying Google Cloud KMS is the direction you're going?
From a network perspective, those logs should definitely be prioritized as part of your overall security perimeter.
Gotta keep the KPIs looking good, right?