Monitoring Windows Workstations Seven Important Events

Transcription

1 Monitoring Windows Workstations Seven Important Events White Paper 8815 Centre Park Drive Publication Date: October 1, 2009 Columbia MD

2 ABSTRACT Monitoring event logs from workstations provides two important benefits. Firstly, it saves money by adopting a proactive approach to supporting end users. Problems that can end up in calls to the help desk can often be avoided or fixed more quickly. This enhances the productivity of end users and reduces the cost of IT operations. Secondly monitoring workstation logs enhances the overall security of your organization. The problem lies in the sheer volume of data that must be analyzed which renders manual monitoring completely impractical. On the other hand, if you don t monitor workstations at all, you are exposed to security risks, higher cost of administration, lost productivity and user frustration. Rather than adopt an all or nothing position, these documents suggest a middle ground with automation to help justify the cost. The information contained in this document represents the current view of Prism Microsystems, Inc. on the issues discussed as of the date of publication. Because Prism Microsystems, Inc. must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, Inc. and Prism Microsystems, Inc. cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. Prism Microsystems, Inc. MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this Guide may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided. Prism Microsystems, Inc. may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, Inc. the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred Prism Microsystems, Inc. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Prism Microsystems, Inc. 2

3 Why Monitor Workstation Event Logs? Monitoring event logs from Windows workstations provides two important benefits: Save money by adopting a proactive approach to supporting end users (increased productivity of IT personnel and end users) Enhanced overall security of your organization. The numbers of workstations and sheer volume of data that must be analyzed, however, generally renders manual monitoring completely impractical. A log management solution such as EventTracker provides the automation framework to collect all the logs but organizations often still hesitate for the following reasons: Too much work and administrative effort to monitor hundreds of workstations. Cost/benefit (ROI) is not justified EventTracker addresses both of these challenges by providing a single central console for provisioning, installing and maintaining agents on all of workstations, and through cost effective device pricing for workstations. Once the ROI question is overcome the next question lies in what should be monitored from each workstation. Many workstation events are simply not important enough to collect and store. A practical and acceptable medium ground is recommended in this White Paper - monitor a small subset of critical events from workstations such that cost and benefits are justified. This approach yields three main benefits: 1 Annual cost of managing and supporting user can be reduced up to 10% 2 Improves internal IT control 3 Overall security improvements EventTracker, although able to collect any and all workstation event logs, provides a preconfigured rule set for workstations to enable concentration on the most important events. These include: User logon/logoff; Logon failures; Disk space utilization; USB drive inserts/removal, Audit of files copied to device; Service/ start and stop; Runaway process monitoring and Software install/uninstall monitoring Prism Microsystems, Inc. 3

4 Seven Critical Events Event Purpose What to monitor Operation 1. User logon/logoff Monitoring user logon/logoff increases IT control. Can detect an insider threat. Windows event id 528, 538 Weekly automated task: - Generate and review report of logon-logoffs by users and by group of computers - Generate graph to monitor off hours log on activities 2. Logon failures Intrusion detection, security enhancement, help desk support Windows event id 529, 530, 531, 532 Daily task: Review the automated logon failure report by user and by computer to ensure security. 3. Monitor disk space Operations, help desk EventTracker agent generates threshold defined for disks Daily task: Review all the disks in your workstation farm which are above 80% full. 4. Monitor USB Device inserts, record files copied to the device Security Monitor users who mount USB drive or DVD/CD drives and copy files. USB devices on workstations represent a major security hole for data leakage EventTracker agents monitor USB drive inserts and device changes. Produces an audit trail of the time, user and list of files copied each time the device is used. Daily task: Review report for USB drive activities 5. Monitor Service Start and Stop Operations, help desk, security Your workstation security and operation is compromised because your critical services are not started (e.g. Virus checking) EventTracker agent monitors all services Daily task: Review all stopped services on all workstations Weekly task: Review total downtime generated by the services Prism Microsystems, Inc. 4

5 6. Monitoring runaway process - Operations, help desk - Trap and identify all the process and services which start consuming over 50% CPU and over 100MB of RAM EventTracker monitors runaway process Real-time alert: Notify system administrator right away for runaway process. System administrator should identify and stop runaway process. Weekly task: Review all the runaway processes such that you can remove the task or get the fix from the application vendor 7. Monitor Software install/uninstall IT controls, Patch management, operations EventTracker agents monitors software install/uninstall Daily Task: Review all the software installed on workstations and identify unwanted installed software which violates company policy and licenses Weekly task: Generate patch management report to make sure that your workstations are up to date Prism Microsystems, Inc. 5

6 Summary Consolidating and mining system and application event logs represents a powerful tool to detect the subtle signs around the corporate network that indicate either there is an increased security risk or an actual security breach in progress. Event Log Management is recognized as a critical requirement to meet corporate compliance objectives, but the investment made for compliance can also be leveraged to substantially increase the overall security of the network, decrease expensive system downtime by preventing security breaches, and increase overall operational efficiency of the IT department. Prism Microsystems, Inc. 6

7 The EventTracker Solution The EventTracker solution is a scalable, enterprise-class Security Information and Event Management (SIEM) solution for Windows systems, Syslog/Syslog NG (UNIX and many networking devices), SNMP V1/2, legacy systems, applications and databases. EventTracker enables defense in depth, where log data is automatically collected, correlated and analyzed from the perimeter security devices down to the applications and databases. To prevent security breaches, event log data becomes most useful when interpreted in near real time and in context. Context is vitally important because often the critical indications of impending problems and security violations are only detected by watching patterns of events across multiple systems. EventTracker enables complex rules to be run on the event stream to detect signs of such a breach. EventTracker also provides real-time alerting capability in the form of an , page or SNMP message to proactively alert security personnel to an impending security breach. The original event log data is also securely stored in a highly compressed event repository for compliance purposes and later, forensic analysis. For compliance, EventTracker provides a powerful reporting interface, scheduled or on-demand report generation, automated compliance workflows that prove to auditors that reports are being reviewed and many other features. With pre-built, auditor grade reports included for most of the compliance standards (FISMA, HIPAA, PCI-DSS, SOX, GLBA, and others); EventTracker represents a compliance solution that is second to none. EventTracker also provides advanced forensic capability where all the stored logs can be quickly searched through a powerful Googlelike search interface to perform quick problem determination. EventTracker lets users completely meet the logging requirements specified in the National Institute for Standards and Technology (NIST) Special Publication Guide To Computer Security Log Management, which has emerged as a well-recognized guide for Log Management. EventTracker also includes network connection monitoring, change auditing and USB activity tracking on Windows systems, all in a turnkey, off the shelf, affordable, software solution. EventTracker provides the following benefits A highly scalable, component-based architecture that consolidates all Windows, SNMP V1/V2, legacy platforms, Syslog received from routers, switches, firewalls, critical UNIX servers (Red Hat Linux, Solaris, AIX etc), Solaris BSM, workstations and various other SYSLOG generating devices. Automated archival mechanism that stores activities over an extended period to meet auditing requirements. The complete log is stored in a highly compressed (>90%), secured archive that is limited only by the amount of disk storage. Real-time monitoring and parsing of all logs to analyze user activities such as logon failures and failed attempts to access restricted information. Full support for monitoring of virtualized enterprises. Alerting interface that generates custom alert actions via , pager, beep, console message, etc. Event correlation to constantly monitor for malicious hacking activity. In conjunction with alerts, this is used to inform network security officers and security administrators in real time. This helps minimize the impact of breaches. Various types of network activity reports, which can be scheduled or generated as required for any investigation or meeting audit compliances. Host-based Intrusion Detection (HIDS). Role-based, secure event and reporting console for data analysis. Prism Microsystems, Inc. 7

8 Change Monitoring on Windows machines USB Tracking, including restricted use, insert/removal recording, and a complete audit trail of all files copied to the removable device. Built-in compliance workflows to allow inspection and annotation of the generated reports. EventTracker is delivered as a software only solution running on industry standard Microsoft operating systems. It is virtualization ready and can be deployed on a single or multiple dedicated or virtual servers. Easy to use, highly scalable and affordable it represents a solid choice for any organization attempting to meet compliance or simply attempting to improve their overall IT responsiveness and security. Prism Microsystems, Inc. 8

9 About Prism Microsystems Prism Microsystems, Inc. delivers business-critical solutions to consolidate, correlate and detect changes that could impact the performance, availability and security of your IT infrastructure. With a proven history of innovation and leadership, Prism provides easy-to-deploy products and solutions for integrated Security Management, Change Management and Intrusion Detection. EventTracker, Prism s market leading enterprise log management solution, enables commercial enterprises, educational institutions and government organizations to increase the security of their environments and reduce risk to their enterprise. Customers span multiple sectors including financial, communications, scientific, healthcare, banking and consulting. Prism Microsystems was formed in 1999 and is a privately held corporation with corporate headquarters in the Baltimore-Washington high tech corridor. Research and development facilities are located in both Maryland and India. These facilities have been independently appraised in accordance with the Software Engineering Institute s Appraisal Framework, and were deemed to meet the goals of SEI Level 3 for CMM. For additional information, please visit Prism Microsystems, Inc. 9