GFI EventsManager vs Netikus.net EventSentry
GFI Software, www.gfi.com

Feature comparison

Criteria compared for GFI EventsManager and EventSentry:
- Support for MS SQL Server
- Support for MSDE / MS SQL Express
- Support for MySQL database
- Scans and processes Windows Event Logs (.evt)
- Built in Syslog server
- Built in SNMP trap server
- Scans and processes W3C logs
- MS SQL Server audit - C2 style
- Processing performance (events/second): up to 6000 for GFI EventsManager, around 1000 for EventSentry
- Requires an agent on each machine: no for GFI EventsManager, yes for EventSentry
- Real time monitoring of events
- Machine health monitoring
- Noise reduction technology
- Out of the box event classification and interpretation for Windows and Active Directory events
- Out of the box event classification and interpretation for Linux machines
- Out of the box event classification and interpretation for Cisco, Juniper and Allied Telesis network devices
- Out of the box event classification and interpretation for Microsoft Exchange Server
- Out of the box event classification and interpretation for Microsoft ISA Server
- Out of the box event classification and interpretation for Microsoft IIS
- Out of the box event classification and interpretation for Microsoft SQL Server
- Out of the box event classification and interpretation for PCI DSS compliance
- Scan remote sites over WAN links
- Role based user authentication in the console
- Scans Windows Vista and Windows 2008 Server specific events
- Status monitoring available
- Notifications via email
- Notifications via SMS
- Notifications via pager
- Specific PCI DSS compliance reports
- Account usage reports (ex. failed logons, account lockouts etc.)
- Account management reports (ex. add/delete/modify users and groups etc.)
- Specific reports on changes in domain/local policies/user rights assignment, etc.
- Specific reports on changes in object access (ex. files, registry etc.)
- Scheduled reporting
- Translates cryptic events in reports (such as logon types, privilege codes, access codes, SIDs etc.)
- Supports exporting reports to pdf, docx, xls and rtf
- More information section added to the description in each event and direct link to website for more info on events

Who we are

GFI is a market leader in security software, offering high performance solutions at unbeatable prices to small and medium sized businesses. Products like GFI MailEssentials, the leading spam filter product on the market, have over 80,000 customers; GFI MailSecurity was the first to apply multiple anti-virus engines to combat viruses; while GFI WebMonitor is the no. 1 web filter for Microsoft ISA Server. GFI FAXmaker remains the best fax server solution around.

GFI leads the way in the SMB sphere, combining price, quality and innovative technology in all products.

The GFI difference
- More than 30 awards
- Out of the box support for Cisco, Juniper Networks, Allied Telesis network devices
- Smart interpretation and classification of events
- Noise reduction
- Server-based install, no client software required
- Certified for Windows Server 2008

All rights reserved. GFI Software Ltd.

Processing the information from the extended fields of the Windows events

It is not sufficient to process only the general fields of the log messages and archive the extended fields of the event/description in a single field. The information available at the general tags level (like user, computer, date/time, and event id) is not enough to be able to provide a good granularity when deciding what to do with the message. There are many situations in which the same event, with certain information on an extended field, like object name for object access events, is FAR more important than the same event, with the same general fields, but with different information on the extended field mentioned above. Also, in most of the cases, the extended fields hold the critical information, like the accesses used, logon type, client machine and so on.

At the same time, eliminating noise is a very important aspect of security monitoring. The noise represents on average close to 50% of the data logged, and in some cases even 80%. A good noise reduction system will save you lots of time and resources. Achieving such a good noise reduction system is impossible without the granularity given by the extended fields processing.

Search capabilities on the extended fields are not enough; you also need to match the searched value to a certain extended field. So finding user X in the description of the event does not mean that user X generated the event. There are events with more than two distinct user names in the description, so it is important to be able to see on which extended field you could find the value User X.
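As an added illustration of the field-aware matching described above (this is not GFI's code; the event descriptions are constructed to mimic the "Section / Field: Value" layout of Windows Security log messages, and the temp-path noise rule is an assumed example), the following keys each value by section and field, so that "user X appears in the description" and "user X generated the event" can be told apart:

```python
# Constructed sample events (not from the page); the descriptions mimic the
# "Section:\n\tField:\tValue" layout of Windows Security log messages.
EVENTS = [
    {"id": 4720, "description": "A user account was created.\n\nSubject:\n"
     "\tAccount Name:\tjsmith\n\nNew Account:\n\tAccount Name:\tsvc_backup\n"},
    {"id": 4720, "description": "A user account was created.\n\nSubject:\n"
     "\tAccount Name:\tadmin\n\nNew Account:\n\tAccount Name:\tjsmith\n"},
    {"id": 4663, "description": "An attempt was made to access an object.\n\n"
     "Subject:\n\tAccount Name:\tjsmith\n\nObject:\n\tObject Name:\t"
     "C:\\Finance\\payroll.xlsx\n\nAccess Request Information:\n"
     "\tAccesses:\tWriteData\n"},
    {"id": 4663, "description": "An attempt was made to access an object.\n\n"
     "Subject:\n\tAccount Name:\tjsmith\n\nObject:\n\tObject Name:\t"
     "C:\\Windows\\Temp\\tmp1.dat\n\nAccess Request Information:\n"
     "\tAccesses:\tReadData\n"},
]

def parse_extended_fields(description):
    """Split a description into {"Section.Field": value}; title and blank
    lines are skipped, a line with a name but no value opens a section."""
    fields, section = {}, ""
    for raw in description.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        name, _, value = line.partition(":")   # split at the first colon only,
        name, value = name.strip(), value.strip()  # so C:\paths survive intact
        if value:
            fields[f"{section}.{name}" if section else name] = value
        else:
            section = name
    return fields

def naive_matches(events, user):
    """Substring search over the whole description: matches every event that
    merely mentions the user, including ones where the user was the target."""
    return [i for i, e in enumerate(events) if user in e["description"]]

def actor_matches(events, user):
    """Field-aware: only events whose Subject account (the actor) is the user."""
    return [i for i, e in enumerate(events)
            if parse_extended_fields(e["description"]).get("Subject.Account Name") == user]

NOISE_PREFIXES = ("C:\\Windows\\Temp\\",)  # assumed noise rule keyed on Object Name

def is_noise(event):
    """Object-access events under a scratch path carry no security value here."""
    obj = parse_extended_fields(event["description"]).get("Object.Object Name", "")
    return event["id"] == 4663 and obj.startswith(NOISE_PREFIXES)

def triage(events, user):
    """Events the user actually generated, with the noise rule applied."""
    return [i for i in actor_matches(events, user) if not is_noise(events[i])]
```

On the constructed sample, the substring search attributes all four events to jsmith, while field-aware matching drops the event in which jsmith is only the newly created account, and the noise rule then drops the temp-file read.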
GFI EventsManager achieves the following by using this advanced processing technique:
- higher granularity in interpreting and classifying the events
- faster and easier access to extended event information
- very good noise reduction filters
- accountability for the actions which led to the logging of the events, by identifying the user who generated them

Scanning performance

Having a good scanning performance is the key in ensuring a reliable security monitoring and legal compliancy system, especially in medium to large organizations. At the same time, in order to achieve real time monitoring, you need a high performance scanning engine. Facts reveal that on average, a domain controller sustaining a domain with a small to medium number of active users and machines generates around 5000 security audits per hour. Domain controllers sustaining large domains, with 3000+ active users, can generate around 130 000 security audits per hour. Add to these numbers the events in the other logs and you will arrive at quite large quantities per domain controller per hour. Multiply the result by the number of Domain Controllers you need to monitor, do the same math for the servers, workstations, applications and devices you need to monitor, and the final result can be between several hundred thousand and several million events.

GFI EventsManager offers unequaled scanning and processing performance. Multithreaded scanning, coupled with a medium powered server (dual Xeon at 3.0 GHz and 4 GB of RAM memory), can scan over 6 million events PER HOUR from multiple log types on multiple machines. This performance should cover most of the performance needs in the SBS market.

Event interpretation

Best default settings, out of the box functionality

The log messages are very cryptic and little documentation is provided about their meanings. Even less information is provided about all the situations in which the events or sequences of events get generated. Usually people know little both about what they need and about how to interpret the log messages, and the effort to better understand those takes a lot of time which is usually not available. Just presenting the messages as they are is not a solution for most of the potential users of a security monitoring and legal compliancy solution.

What usually happens with regular log management solutions is the following: the software is installed and starts providing a myriad of events which are in the end just numbers. What you need to do is carry out research in order to understand what the various numbers mean, in order to be able to distinguish the important information out of the large quantity of spam. This research may not yield any results in a decent timeframe, costing the customer time and leaving him with no solution.

GFI EventsManager offers the best default event processing rules, with intuitive names to serve as translations for the cryptic messages; default computer groups, fully preconfigured in terms of processing rules, actions which apply and scanning intervals, all tailored to computer roles. Moreover, each security event contains a link to a website where the user can find not only more information on it, but also feedback from a community of users and links to other related information. The event processing rules system is very flexible and expandable, also allowing fast and easy customization.

The importance of having such event processing rules is critical, as they represent both the means and the knowledge required to successfully perform security monitoring.

Powerful SQL Audit combined with log management

SQL Audit became a very popular feature among the products which handle log management. There are mainly two ways of auditing the SQL Server: on one hand, auditing based on what Microsoft SQL Server logs into the .evt Windows event log, plus configuration changes which are determined based on the changes in the system databases; on the other hand, full C2-style auditing, which along with the above also provides information on the activity on the user databases. GFI EventsManager takes the C2-style approach and delivers a full view on what happens on your SQL Server. That means that apart from auditing server/database changes, logons etc., you can also audit activity and know exactly what data was viewed/changed/added, by whom, from what application and from which machine.
Event processing rules

Why are event processing rules important? How were they created?

Event processing rules have the following roles: evaluate, interpret, classify, and translate events. Security related event processing rules and noise reduction rules are created based on the Microsoft Security and Attack Detection Planning Guide, PCI Compliance requirements and Best Practices documentation. The event processing rules for system health, security applications and various computer roles are created based on Microsoft documentation and our vast experience in event log monitoring. The event processing rules for the Syslog messages received from Cisco devices are created based on extensive research on the documentation provided by Cisco. The same applies to messages sent by Juniper Networks and Allied Telesis. The SNMP support includes MIBs for most of the important device manufacturers, making it even easier for customers to configure and use the product.

Database audit

Why is database audit important for compliance?

Most of the legal compliancy acts ask for the ability to provide accountability for the actions taken when working with sensitive information (cardholder information in the case of PCI DSS, financial information in the case of SOX, etc.). If the sensitive information resides in a database, you will need to audit the activity on that database. The main problem is that, for example, Microsoft SQL Server logs events to .evt format only up to the point where the user logs on to the SQL Server. It does not log any information about the actions which the user performed on user databases. Hence you will need a solution which is able to get this information too. GFI EventsManager is able to get that information for you. The competition will only be able to collect configuration changes and management information, without any user activity on the user databases.

Ease of use

How often should I monitor my infrastructure servers? What messages should I look for in order to detect a possible attack? What system event sources do I need to monitor in order to be alerted on disk failures? What about TCP/IP failures?

GFI EventsManager answers all those questions for you via its event log management and processing engine. There are preconfigured computer groups and processing rules for those groups, so all you need to do is add your computers or devices to the corresponding computer group in GFI EventsManager.

Noise reduction and compliance

How much noise is there in the logs?

It is difficult to estimate exactly how much noise the logging systems we support create. For Windows, our research laboratories have conducted tests in order to answer this question. Depending on the audit settings, a computer can generate around 70% noise information as a result of: normal system activity/typical behavior, defective logging/bugs and over-logging/redundancy. For example, instead of getting one event when a user account is created, you get sixteen. With the retention policies of three months of live data for logs, enforced by the legal compliancy acts, 70% noise is a lot to cater for, and it leads to significantly higher costs to review, store, filter and process noisy events.

Disclaimer

The data contained in this document is based on research carried out by GFI. The pricing data for the competitors' products has been compiled from various sources and therefore is correct to the best of our knowledge. GFI does not represent or warrant the accuracy or reliability of this information, and will not be liable if individuals/companies use or misuse this information. Readers should contact directly the companies mentioned in this document to obtain the latest pricing details.