Ultimate Windows Security for ArcSight. YOUR COMPLETE ARCSIGHT SOLUTION FOR MICROSOFT WINDOWS Product Overview - October 2012

Transcription

1 Ultimate Windows Security for ArcSight YOUR COMPLETE ARCSIGHT SOLUTION FOR MICROSOFT WINDOWS Product Overview - October 2012

2 Ultimate Windows Security for ArcSight As ArcSight customers expand their security focus from perimeter defense to insider threats and compliance, the first data source they typically look at is Microsoft Windows. Microsoft Windows Servers provide a critical capability in most environments by managing their users, files, and systems. However, if you spend any time with the Windows Security Log you know that it s an undocumented mess full of inconsistencies, noise, false positives and cryptic codes. This makes implementing content difficult and problematic unless an organization maintains a staff with exceptional Windows and ArcSight expertise. Ultimate Windows Security and ThetaPoint have joined forces to solve this problem. The joint effort brings years of Windows and ArcSight experience together to offer a comprehensive solution that provides organizations with the resources necessary to build a proactive monitoring and compliance program for their Microsoft environment. IMAGE PLACEHOLDER Randy Franklin Smith is a highly trusted subject matter expert on the Windows security log and publishes UltimateWindowsSecurity.com (UWS). UWS spent years reverse engineering the events in the security log and isolating the arcane patterns that help you filter out the noise and mine the real gold that the Windows security log has to offer. UWS codified this knowledge into the Security Log Resource and Rosetta Audit Logging Kits for Windows and Active Directory. The kits are a collection of training modules, reference materials, design specifications, and expert guidance designed for end users to implement within their SIEM. The team at ThetaPoint has taken these resources and incorporated the knowledge, best practices, and recommendations into a turnkey solution for the ArcSight platform. UWS for ArcSight instantly gives ArcSight users all the power and knowledge of Windows Security Log and Rosetta Auditing Kits in a simple to use solution. The Ultimate Windows Security for ArcSight Solution Package includes an ArcSight content pack, Security Log Resource Kit, Rosetta Audit Logging Kit, and access to Randy Franklin Smith and ThetaPoint Consultants. UWS for ArcSight will jumpstart your ability to understand, monitor, alert, and conduct incident response leveraging ArcSight ESM for your Microsoft Server and Active Directory environment. Seamless Integration into ArcSight TM ESM Ultimate Windows Security for ArcSight implements many of the best practices and recommendations as documented in the Security Log Resource and Rosetta Audit Logging Kits. It was built using all your favorite ArcSight ESM features and seamlessly integrates into any environment where you are using the ArcSight Windows Unified SmartConnector and ArcSight ESM or Express. The installation and configuration time is typically less than 10 minutes. The content pack leverages ArcSight Resource Bundles (ARB). The content package includes a full solutions and installation guide along with 600+ ESM resources including Rules, Reports, Trends, Dashboards, Active Channels, and others.

3 ArcSight Content Pack The team at ThetaPoint built the content with one goal in mind: Answer the question that hundreds of clients have asked over the years when it comes to Windows security logs. What should I be looking for in my Windows Security Logs? The result is a comprehensive content pack that answers that question. Built on the guidance and best practices of Randy Franklin Smith and Ultimate Windows Security Team, the content pack dives into everything from User Authentication and User Session Tracking to Policy and Configuration Changes to Authorized Services Running on Servers. The content pack contains rules, reports, dashboards, integration commands, and more to support the following use cases surrounding both Active Directory and Member Servers for Windows Server 2003 and 2008: Users: Authentication, Failed Logons, Lockouts, Account Changes, Session Tracking, Elevated User Privileges, Administrator Monitoring, Permission Changes, Disabled Enabled Accounts, Password Resets, New Users Created, and more. Groups: Group Changes, Group Member Additions Deletions, and more. Policy: Audit Policy Changes, Domain Security Policy Changes, and more. System: Authorized vs Unauthorized Processes, System Time Changes, Event Log Cleared, Restore Mode, Unable to Log Events, System Shutdown, Local User Monitoring, and more.

4 Security Log Resource Kit The Security Log Resource Kit is the foundation for understanding the complexities within the Windows security log. The Security Log Resource Kit includes virtual training, mini-seminars, digital books and handouts so that organizations can use to become experts in dealing with the Windows security log. Once an organization has mastered these skills, only then are they in a position to secure their Microsoft Server environment. Security Log Secrets Interactive Edition Security Log Secrets illuminates the cryptic Windows security log and gives you the knowledge to effectively monitor, report and investigate activity throughout your Windows and Active Directory environment. Security log expert Randy Franklin Smith, uses innovative techniques to teach you monitoring, reporting and analyzing the Windows security logs in your network. You ll master how to leverage the security log to facilitate a better security posture and handle compliance issues. You will learn how to monitor end-users as well as administrators and how to detect intrusions and system changes. More than a long, passive DVD viewing experience, SLS-Interactive is an interactive Flash Video based training course designed to closely duplicate the live, instructor-led learning experience.the learning objectives and benefits from SLS-Interactive are: Understand the differences between Windows Server 2000, 2003, and 2008 (coming soon) log events Understand the audit changes in access control to privileged financial, customer and patient data Understand how to detect and report changes in administrator authority Understand how to centrally monitor logons Understand how to track changes in system policy including group policy objects and organizational units Security Log Mini-Seminars The Security Log Mini-Seminars are a collection of focused learning courses on key areas of the Windows security log. The courses are delivered as WMV and MP4 with PDF slide handouts on the following topics. Each course ranges from 15 to 45 minutes in duration. Understanding Authentication and Logon Monitoring Kerberos Authentication Catching Policy and Configuration Changes Monitoring User Accounts Tracking File Access Leveraging the Windows Security Log for Compliance Understanding Logon and Logoff Events Top 12 Suspicious Intrusion Indicators Tracking Access Control Changes Unraveling the All New Windows Server 2008 Security Log and Audit Policy Understanding Authentication Events Auditing File Access: The Good, Bad and Ugly Auditing User Accounts in Active Directory and Windows Servers Detecting Suspicious Logon Attempts

5 Security Logs Revealed Digital Book The Security Logs Revealed Books include many of the same materials delivered in the Security Log Secrets Training and Mini-Seminars. The Books can be used as standalone reference materials or as a self-paced teaching tool. Each book includes 100+ pages of security log knowledge for Windows Server 2003 and 2008 from security log expert, Randy Franklin Smith.The books cover the following topics in detail: Audit Policies and Event Viewer Understanding Authentication and Logon Account Logon Events Logon/Logoff Events Detailed Tracking Object Access Events Account Management Directory Service Access Events Privilege Use Events Policy Change Events System Events Getting the Most From the Security Log Security Log Encyclopedia Digital Book The Security Log Encyclopedia Book is a complete guide for both the Windows 2003 and 2008 security logs. It documents all 495 events in the Windows security logs and provides detailed explanation of each by Randy Franklin Smith. Rosetta Audit Logging Kit The Windows Security Log is a morass of cryptic security events - some noise, some highly valuable indicators of security activity. The same goes for other audit logs such as for SQL Server and SharePoint. Your auditors demand that you not only review these logs on a daily basis but monitor for suspicious events and respond in real time. So you purchase and implement a log management solution. Now you can collect security logs, securely archive them, produce daily reports and configure real time alerts. But... Which events do you report on? Which do you alert on? What is the significance of these events and how do you respond to them? How do you demonstrate compliance with specific requirements of PCI, SOX, HIPAA, GLBA, FISMA and other regulatory requirements? Log Management and SIEM vendors are very good at developing security and log management software but most will admit they are not subject matter experts in compliance, intrusion detection, and forensic information security. Rosetta Audit Logging Kit provides what we refer to as deep mapping in which for each report and alert we identify the specific controls which that report or alert facilitates and a detailed rationale for the mapping. With the Rosetta Audit Logging Kit you get: Best practice guidance on which events to alert and report on Report designs you can implement in your existing log management solution Alert specifications that include event criteria, alert text and suggested recipients Deep mappings to specific compliance requirements Recommended courses of action to each alert and report Filter specifications so you can get rid of the noise Personalized help from Randy Franklin Smith

6 Company Overview ThetaPoint, Inc. ThetaPoint is a group of elite security consultants who have combined their real world experience to establish a premier IT security consulting firm. ThetaPoint s primary mission is to enable organizations by providing industry leading services and solutions around ArcSight Products, SIEM, Log Management, Incident Response, and general IT security concerns. ThetaPoint consultants have a proven track record of success with Fortune 500 companies and government agencies in all industry verticals. Monterey Technology Group, Inc. Formed in 1997 by CEO Randy Franklin Smith, Monterey Technology Group, Inc. serves the InfoSec, IT Audit and Software Development communities with specialized services and solutions relating to Microsoft product security. Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory security who specializes in Windows and Active Directory security. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies, national, and international organizations. Randy has written over 300 articles on Windows security issues, which appear in publications like Information Security Magazine and Windows IT Pro where he is a contributing editor and author of the popular Windows security log series. In 2003 Randy received the Apex Award of Excellence in the category of How-to Writing for his security feature 8 Tips for Avoiding the Next Big Worm. UltimateWindowsSecurity.com Web property of Monterey Technology Group, Inc. devoted to spreading knowledge and understanding of Windows Security, IT Audit and Compliance with exclusive content from Randy Franklin Smith. ThetaPoint Inc. Telephone:+1 (888) FAX:+1 (888) info@theta-point.com Website: For more information on this or other ThetaPoint Offerings, please contact us or visit our website ThetaPoint, Inc. ALL RIGHTS RESERVED 2012 Monterey Technology Group, Inc. ALL RIGHTS RESERVED. UltimateWindowsSecurity.com is a division of Monterey Technology Group, Inc. Other product and company names may be trademarks or registered trademarks of their respective owners. While every effort has been made to ensure the accuracy of the information presented in this publication, ThetaPoint and Monterey Technology Group does not warrant or assume any liability or responsibility for the accuracy, completeness, or usefulness of the information or processes disclosed in its publications or those of its partners. All information subject to change without notice.