Security Beyond the Windows Event Log
Monitoring Ten Critical Conditions

White Paper
Author: Jagat Shah, CTO, Prism Microsystems, Inc.

Prism Microsystems, Inc.
8815 Centre Park Drive, Columbia, MD 21045
877.333.1433
Abstract

Monitoring the Windows Event Log is critical because the Operating System continuously monitors and logs critical security, system and application events in the Log. Monitoring the Windows Event Log alone, however, is simply not enough, because many important conditions in Windows are not stored in the Event Log. The following are the ten most critical security conditions that are not monitored by the Windows Operating System or logged in the Event Log. These conditions are critical for any enterprise, large or small. This technical white paper describes the conditions, gives expert recommendations and details how EventTracker can help.

The following ten conditions are described:
1. Tracking Operating System, File and Registry Changes
2. Tracking and Monitoring USB Device Activity
3. Consolidation and Tracking of Application Specific Log Files
4. Tracking Enterprise Wide Disk Space Usage and Trending
5. Network Connection Monitoring
6. Hot-fix Install Monitoring
7. Application Usage Tracking
8. Monitoring and Tracking of Software Installs/Uninstalls
9. Monitoring and Tracking of Critical Services
10. Runaway CPU and Memory Processes

By following the recommendations in this White Paper your organization will be more secure, and will suffer less operational impact due to unplanned outages.

The information contained in this document represents the current view of Prism Microsystems Inc. (Prism) on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism. Prism cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. Prism MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided. Prism may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2009 Prism Microsystems Inc. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
1. Tracking Operating System, File and Registry Changes

On an enterprise's critical production servers nothing should be changed without review and approval other than data files, log files and error files. Anything else is an unauthorized or unwanted change. It is also important to protect your system configuration. In most cases, Windows auditing is not a suitable answer because turning on auditing for the whole system will substantially impact server performance. Any Windows desktop or server can contain hundreds of thousands of files and half a million registry values.

Monitoring changes on the file system and the system registry is invaluable as a method to substantially improve corporate security. An unauthorized software install, or the introduction of a virus or worm, all change the file or registry structure. This change, especially in the case of a virus or worm, is often the only clue you have as an administrator that something has happened on the system.

EventTracker's Change Management module takes a periodic snapshot of all changes made to the Operating System, files and registry. These "snapshots" are kept in a browsable view and any two can be compared to quickly get a list of everything that is new, deleted or just changed. In addition, alerts can be configured that will proactively alert personnel when critical files have been changed. EventTracker allows you to monitor and manage changes to all Windows systems from a central console. It enables you to quickly define policies that make sense for your organization so that it monitors and alerts on unauthorized or suspicious changes in your critical applications, services, registry entries or files.

Recommendations
1. Minimize security risks caused by authorized and unauthorized changes by monitoring for any changes in critical files like EXEs, DLLs, drivers and INI files.
2. Generate a daily report of files added/removed/deleted from the system, especially from standard operating system directories like C:\windows or C:\program files.
3. Generate an alert when anything changes in the Windows startup sequence. This is critical, as many serious viruses change the startup sequence under the registry so that when the system is booted a new unknown EXE is launched, or a program carrying a virus is renamed as a valid program. Microsoft uses the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and starts the programs listed under it when you reboot the system. It is critical to monitor all changes under this registry key.
4. Monitor share drive changes. Unplanned or unauthorized additions/deletions/modifications in shared drive settings can open up a security hole.
5. Generate an alert condition if an environment variable changed in your Windows settings.
6. Generate an alert condition for any hardware changes on any system.
Event Details

Event id   Source        Description
3233       WhatChanged   File Added: C:\windows\Acrobet.dll
                         Curr Snapshot Time: Wed Aug 06 14:00:08 2008
                         Curr Size: 0 (Bytes)
                         Curr Creation Time: 7/31/2008 (15:36:14)
                         Curr Version: - 3.7.1.8
                         Prev Snapshot Time: Tue Aug 05 17:35:03 2008
3234       WhatChanged   File Modified: E:\SVNWorkingDir\WORK\WCW\Source\remins\Release\remins.dll
                         Curr Snapshot Time: Wed Aug 06 14:00:08 2008
                         Curr Size: 102400 (Bytes)
                         Curr Creation Time: 8/5/2008 (13:18:43)
                         Curr Last Write Time: 8/5/2008 (21:9:26)
                         Curr Version: 4.2.5.0
                         Prev Snapshot Time: Tue Aug 05 17:35:03 2008
                         Prev Size: 102400 (Bytes)
                         Prev Creation Time: 8/5/2008 (13:18:43)
                         Prev Last Write Time: 8/5/2008 (13:18:43)
                         Prev Version: 4.2.5.0
3235       WhatChanged   File Deleted: E:\0a0191419d9ec494c027c4\WapRes.3082.dll
                         Curr Snapshot Time: Wed Aug 06 14:00:08 2008
                         Prev Snapshot Time: Tue Aug 05 17:35:03 2008
                         Prev Size: 102400 (Bytes)
                         Prev Creation Time: 10/30/2006 (3:18:4)
                         Prev Version:
3236       WhatChanged   Total file changes between snapshots taken on Tue Aug 05 17:35:03 2008 and Wed Aug 06 14:00:08 2008: 193
                         Files Added: 96
                         Files Modified: 6
                         Files Deleted: 91
3237       WhatChanged   Registry Key Added: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP100
                         Curr Snapshot Time: Wed Aug 06 14:00:08 2008
                         Prev Snapshot Time: Tue Aug 05 17:35:03 2008
3238       WhatChanged   Registry Key Modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
                         Value Name: UnableToDetectTime
                         Curr Snapshot Time: Wed Aug 06 14:00:08 2008
                         Curr Data: 2008-08-06 07:15:08
                         Prev Snapshot Time: Tue Aug 05 17:35:03 2008
                         Prev Data: 2008-08-04 07:15:07
3239       WhatChanged   Registry Key Deleted: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{550EEDDD-AE7A-49BC-9A38-C7168DC2456D}
                         Value Name: (Default)
                         Curr Snapshot Time: Wed Aug 06 14:00:08 2008
                         Curr Data: -Not Present-
                         Prev Snapshot Time: Tue Aug 05 17:35:03 2008
                         Prev Data: SDISERVR50.SDIEVENT
3240       WhatChanged   Total registry changes between snapshots taken on Tue Aug 05 17:35:03 2008 and Wed Aug 06 14:00:08 2008: 111
                         Keys Added: 37
                         Keys Modified: 45
                         Keys Deleted: 29
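The snapshot-and-compare idea behind the WhatChanged events above is simple enough to show in code. The following is an added example, not EventTracker's code: two snapshots are constructed inline as dictionaries (the product takes them from the live file system and registry), every path present in only one snapshot or with differing attributes is classified as added, deleted or modified, and the subset that touches the Run key or an EXE/DLL/driver/INI file is singled out for an alert, as recommendations 1 and 3 ask. All paths, sizes, times and versions are made up except C:\windows\Acrobet.dll, which is the file from event 3233.

```python
"""Snapshot comparison for file and registry change detection.

Added example, not EventTracker code: the product takes snapshots from the
live file system and registry; here two snapshots are constructed inline as
dicts mapping a path to the attributes that are compared.
"""
from dataclasses import dataclass, field

# Startup location whose changes the paper's recommendation 3 treats as critical:
# programs listed under the Run key are launched when the system boots.
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
STARTUP_KEYS = (RUN,)
# File types singled out in recommendation 1 (drivers are .sys files).
CRITICAL_EXTENSIONS = (".exe", ".dll", ".sys", ".ini")


@dataclass
class Diff:
    added: list = field(default_factory=list)
    modified: list = field(default_factory=list)
    deleted: list = field(default_factory=list)
    critical: list = field(default_factory=list)  # subset of the above that should alert


def is_critical(path):
    """True for startup registry entries and for executable/driver/INI files."""
    lowered = path.lower()
    if any(lowered.startswith(key.lower() + "\\") for key in STARTUP_KEYS):
        return True
    return lowered.endswith(CRITICAL_EXTENSIONS)


def compare_snapshots(prev, curr):
    """List everything new, changed or gone between two snapshots.

    prev and curr map a file path or registry value path to the attributes
    being tracked (size, last write time, version for files; the stored data
    for registry values). Any attribute difference counts as a change.
    """
    diff = Diff()
    for path in sorted(set(prev) | set(curr)):
        if path not in prev:
            diff.added.append(path)
        elif path not in curr:
            diff.deleted.append(path)
        elif prev[path] != curr[path]:
            diff.modified.append(path)
        else:
            continue  # unchanged
        if is_critical(path):
            diff.critical.append(path)
    return diff


def summary(diff):
    """Totals in the shape of the page's event 3236 / 3240 summary lines."""
    return {
        "total": len(diff.added) + len(diff.modified) + len(diff.deleted),
        "added": len(diff.added),
        "modified": len(diff.modified),
        "deleted": len(diff.deleted),
    }


# Constructed snapshots (only C:\windows\Acrobet.dll comes from the page's event 3233).
PREV_SNAPSHOT = {
    r"C:\windows\system32\kernel32.dll": (989696, "2008-04-14 00:12", "5.1.2600.5512"),
    r"C:\program files\App\app.ini": (1201, "2008-08-01 09:00", None),
    r"C:\temp\build.log": (4000, "2008-08-05 17:00", None),
    RUN + r"\Updater": r"C:\program files\App\updater.exe",
}
CURR_SNAPSHOT = {
    r"C:\windows\system32\kernel32.dll": (989696, "2008-04-14 00:12", "5.1.2600.5512"),
    r"C:\program files\App\app.ini": (1250, "2008-08-06 10:30", None),  # modified, critical
    r"C:\temp\build.log": (8000, "2008-08-06 11:00", None),             # modified, routine
    r"C:\windows\Acrobet.dll": (0, "2008-07-31 15:36", "3.7.1.8"),      # added, critical
    RUN + r"\Updater": r"C:\program files\App\updater.exe",
    RUN + r"\Helper": r"C:\windows\temp\helper.exe",                     # new startup entry, critical
}

if __name__ == "__main__":
    d = compare_snapshots(PREV_SNAPSHOT, CURR_SNAPSHOT)
    print(summary(d))
    for path in d.critical:
        print("ALERT critical change:", path)
```

The routine log file change is reported but not alerted on, while the new Run entry and the new DLL under C:\windows are; that split between "report daily" and "alert immediately" is the point of recommendations 2 and 3.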
2. Tracking and Monitoring USB Storage Device Activities

USB storage devices like flash drives are enormous productivity enhancers. The challenges of USBs, however, are also readily apparent. Number one is that sensitive data can easily go outside the green zone. This can be through an inadvertent act, such as an employee copying a file onto a USB device legitimately but then forgetting to delete it and subsequently losing the device, or an overt action where an employee intentionally copies sensitive materials and carries them off premises. The result of both actions, however, is the same: you have sensitive data in the wild. There is a huge potential for damage from both the "whoops" case and the outright malice case of a disgruntled employee or cyber-criminal.

With USB devices being so widespread, it also becomes very difficult to exercise granular control. How do you prevent USB devices that are no larger than car keys from entering the premises? And with cell phones and iPods all having storage capability, what do you do, forbid those onsite as well? Doing so results in a lot of very unhappy employees that either ignore the policy or are less productive.

EventTracker tracks the insertion and removal of any USB device and also records the user and all files copied to the USB device. Optionally, EventTracker can maintain an approved list of USB devices and their serial numbers and block USB devices that don't match the approved device list. Every time a USB device is inserted, the EventTracker agent looks at its permission list and, if there is no violation of policy, permits the device access while logging the insert activity. If a violation of policy is detected, access is prevented and the violation is immediately sent to the EventTracker Console. If access is permitted, EventTracker also begins to actively monitor all activity on the device, and every file that is written to or deleted from the device is recorded. A complete audit trail that consists of the user, device type, serial number, time and all the file activity is captured and sent as an event to the EventTracker Console for processing and storage.

Recommendations
1. To protect your organization from outside viruses and prevent non-required files from being copied into your environment, if possible allow only approved and registered USB drives, and insert the serial numbers of these devices into the EventTracker agent permission list. Block the USB device if it doesn't match a permitted serial number.
2. Generate an alert condition if a USB device is blocked by EventTracker.
3. Send a memo to all users that USB activities are being monitored for protection.
4. Schedule a report to review when and by whom USB drives were mounted.
Event Details

Event id   Source         Description
3228       EventTracker   Detected new drive <G:>
                          Volume Label: Dane
                          Volume Serial No: 761664230
                          Volume ID: \\?\Volume{6b480935-5be8-11dd-93bb-00188bba1d15}\
                          Type: Removable-USB
                          File System: FAT
                          Network Volume: No
                          Description: Change affects physical device or drive
3239       EventTracker   USB Monitoring started for G:\
                          Volume Label: Dane
                          Volume Serial No: 761664230
                          Volume ID: \\?\Volume{6b480935-5be8-11dd-93bb-00188bba1d15}\
                          Type: Removable
                          File System: FAT
                          Console User: LEMONYELLOW\jagat
                          Active Users: PRISMUSA\Jagat
3240       EventTracker   USB Monitoring stopped for G:\
                          Volume Label: Dane
                          Volume Serial No: 761664230
                          Volume ID: \\?\Volume{6b480935-5be8-11dd-93bb-00188bba1d15}\
                          Type: Removable
                          File System: FAT
                          Console User: LEMONYELLOW\jagat
                          Active Users: PRISMUSA\Jagat
                          Added ETshows.xls 08/25/2008 12:52:42 PM (Active Users: PRISMUSA\Jagat)
                          Added requirement.xlsx 08/25/2008 12:52:42 PM (Active Users: PRISMUSA\Jagat)
                          Added scalability.doc 08/25/2008 12:52:42 PM (Active Users: PRISMUSA\Jagat)
3242       EventTracker   Media drive <H:> is disabled by EventTracker. Please contact your system administrator.
                          Volume Label: PNPL1
                          Volume Serial No: 1918040687
                          Volume ID: \\?\Volume{bf4b109d-44f2-11dd-b2fb-00148549755f}\
                          Type: Removable
                          File System: FAT32
                          Network Volume: No
                          Description: Change affects physical device or drive.
3229       EventTracker   Drive <G:> removed.
                          Type: N/A
                          Network Volume: No
                          Description: Change affects physical device or drive.
Sample Reports

Sample Report #1: USB Activity Report by Machine (figure not reproduced)
Sample Report #2: Summary Report (figure not reproduced)
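The agent's decision on insertion (check the serial number against the permission list, allow or block, then record every file written) can be shown end to end. This is an added example, not EventTracker's code: the two drive-detected events are the page's 3228 event and a constructed insert event for the H: device built from the fields of event 3242, laid out one field per line as the agent would emit them; the allow-list, the user name and the session helper are constructed.

```python
"""USB device allow-list check and per-session audit trail.

Added example, not EventTracker code. Event text is the page's own 3228 /
3242 fields; the allow-list and session bookkeeping are constructed.
"""
import re

# Constructed allow-list: volume serial number -> who the device was issued to.
APPROVED_SERIALS = {
    "761664230": "Dane (issued to jagat)",
}


def parse_fields(description):
    """Turn 'Key: Value' lines into a dict; the free-text first line is skipped."""
    fields = {}
    for line in description.splitlines():
        parts = line.split(": ", 1)
        if len(parts) == 2:
            fields[parts[0].strip()] = parts[1].strip()
    return fields


def evaluate_insert(description, approved=APPROVED_SERIALS):
    """Decide allow / block / ignore for a 'Detected new drive' event."""
    f = parse_fields(description)
    m = re.search(r"<([A-Za-z]):>", description)
    drive = (m.group(1).upper() + ":") if m else "?"
    serial = f.get("Volume Serial No", "")
    if not f.get("Type", "").startswith("Removable"):
        action = "ignore"  # fixed disks are outside the USB policy
    elif serial in approved:
        action = "allow"
    else:
        action = "block"   # unknown device: deny access and raise an alert
    return {"drive": drive, "serial": serial, "label": f.get("Volume Label", ""),
            "filesystem": f.get("File System", ""), "action": action,
            "alert": action == "block"}


class UsbSession:
    """Audit trail for one allowed device: who mounted it and which files changed."""

    def __init__(self, decision, user):
        self.drive, self.serial, self.user = decision["drive"], decision["serial"], user
        self.files = []  # (operation, file name, timestamp, user)

    def file_written(self, name, when):
        self.files.append(("Added", name, when, self.user))

    def file_deleted(self, name, when):
        self.files.append(("Deleted", name, when, self.user))

    def summary(self):
        return {"drive": self.drive, "serial": self.serial, "user": self.user,
                "added": sum(1 for op, *_ in self.files if op == "Added"),
                "deleted": sum(1 for op, *_ in self.files if op == "Deleted")}


EVENT_3228 = r"""Detected new drive <G:>
Volume Label: Dane
Volume Serial No: 761664230
Volume ID: \\?\Volume{6b480935-5be8-11dd-93bb-00188bba1d15}\
Type: Removable-USB
File System: FAT
Network Volume: No
Description: Change affects physical device or drive"""

# Constructed insert event for the H: device, using the fields of event 3242.
EVENT_H_INSERT = r"""Detected new drive <H:>
Volume Label: PNPL1
Volume Serial No: 1918040687
Volume ID: \\?\Volume{bf4b109d-44f2-11dd-b2fb-00148549755f}\
Type: Removable
File System: FAT32
Network Volume: No
Description: Change affects physical device or drive."""


def demo_session():
    """Allow the G: device and record the three files from event 3240."""
    decision = evaluate_insert(EVENT_3228)
    session = UsbSession(decision, r"PRISMUSA\Jagat")
    for name in ("ETshows.xls", "requirement.xlsx", "scalability.doc"):
        session.file_written(name, "08/25/2008 12:52:42 PM")
    return session.summary()


if __name__ == "__main__":
    print(evaluate_insert(EVENT_3228))
    print(evaluate_insert(EVENT_H_INSERT))
    print(demo_session())
```

Keying the list on the volume serial number rather than the volume label is deliberate: the label is user-editable, the serial is assigned when the volume is formatted and is what the page's events carry.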
3. Consolidation and Tracking of Application Specific Log Files

There are thousands of third-party applications, custom applications and scripts which are mission critical for businesses but do not write into the Windows Event Log and instead keep application-specific logs. These include some Microsoft applications as well. Monitoring these log files is a best practice in order to detect critical conditions that may impact your operations and compromise your security.

EventTracker can be configured to monitor any type of log file you may want to monitor and consolidate. You can either monitor and aggregate all these log files automatically into the EventTracker archive, or monitor for selected entries in a log file, in real time, which match user-defined criteria. If certain error or failure entries are detected, you can be immediately alerted.

Event Details

Event id   Source         Description
3230       EventTracker   Descr : FILE: <File Name> \r\n TYPE: <File Type> \r\n FIELD: <Search String> \r\n ENTRY: <Record Found> \r\n
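Real-time matching against an application log comes down to re-reading the file from where the last pass stopped and testing each complete new line against the user-defined criteria. The following is an added example, not EventTracker's code: the watcher keeps the byte offset it last processed, so each poll examines only lines appended since the previous poll, and each match becomes an event with the FILE / TYPE / FIELD / ENTRY fields of event 3230. The log lines, the search patterns and the temporary file are constructed; a partial line without a trailing newline is left for the next poll rather than reported half-written.

```python
"""Real-time matching of entries in an application-specific log file.

Added example, not EventTracker code. Log lines, patterns and the file are
constructed; the event fields follow the page's event 3230 template.
"""
import os
import re
import tempfile


class LogWatcher:
    def __init__(self, path, patterns, file_type="Text"):
        self.path = path
        self.file_type = file_type
        # patterns: list of (field name, regex); the name labels the match.
        self.patterns = [(name, re.compile(rx)) for name, rx in patterns]
        self.offset = 0  # byte offset of the first unprocessed line

    def poll(self):
        """Read new complete lines; return an event for each one matching a pattern."""
        events = []
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            for raw in f:
                if not raw.endswith(b"\n"):
                    break  # partial line still being written; retry next poll
                self.offset += len(raw)
                line = raw.decode("utf-8", errors="replace").rstrip("\r\n")
                for name, rx in self.patterns:
                    if rx.search(line):
                        events.append({"FILE": self.path, "TYPE": self.file_type,
                                       "FIELD": name, "ENTRY": line})
                        break  # one event per line; first matching criterion wins
        return events


# Constructed user-defined criteria.
PATTERNS = [
    ("error", r"\bERROR\b"),
    ("login failure", r"login failed"),
]

# Constructed application log content.
INITIAL_LINES = (
    "2008-08-06 14:00:01 INFO service started\n"
    "2008-08-06 14:00:05 ERROR database connection refused\n"
    "2008-08-06 14:00:09 WARN login failed for user alice\n"
)
APPENDED_LINES = (
    "2008-08-06 14:01:00 ERROR disk quota exceeded\n"
    "2008-08-06 14:01:02 INFO partial"  # no newline yet: must not be reported
)


def demo():
    """Write the sample log, poll, append more, poll again; return both event lists."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        with open(path, "w") as f:
            f.write(INITIAL_LINES)
        watcher = LogWatcher(path, PATTERNS, file_type="Application log")
        first = watcher.poll()
        with open(path, "a") as f:
            f.write(APPENDED_LINES)
        second = watcher.poll()
        return first, second
    finally:
        os.remove(path)


if __name__ == "__main__":
    for ev in sum(demo(), []):
        print(ev)
```

Tracking a byte offset rather than a line count is what makes the approach cheap on a large, fast-growing log: each poll costs only the bytes added since the last one. Log rotation (the file shrinking or being replaced) would need the offset reset, which a production agent has to handle and this example leaves out.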
4. Tracking Enterprise Wide Disk Space Usage and Trending

Monitoring and managing disk space usage is a challenge for many organizations, and System Administrators end up spending significant time on this mundane but important task. Daily or weekly availability and trending reports are critical to Operations as well as to Security. It is important to monitor the amount of available storage space not only to efficiently manage disk resources, but also because programs might fail due to an inability to allocate space. In addition, low disk space might make it impossible for a system's paging file to grow to support virtual memory.

EventTracker continuously monitors disk thresholds for systems and can generate, for example, a real-time alert if disk space of a critical server falls below 40% availability. Each system also generates an event notifying daily disk usage and trends, and EventTracker provides a number of preconfigured reports for enterprise-wide disk usage.

Recommendations
1. Generate an alert condition when your critical disk has crossed the 90% threshold.
2. Generate an alert condition when the variation of disk usage compared to the previous day is high.
3. Generate daily/weekly reports to analyze disk space availability, usage and trends.

Event Details

Event id   Source         Description
3232       EventTracker   System - SQLA Disk space availability
                          Drive C:, Disk Size: 20000 MB, Free: 10980 MB, Free(in percent): 54
                          Drive D:, Disk Size: 76316 MB, Free: 58921 MB, Free(in percent): 77
                          Drive E:, Disk Size: 18161 MB, Free: 5109 MB, Free(in percent): 28
                          Drive G:, Disk Size: 38475 MB, Free: 3482 MB, Free(in percent): 9
                          Drive H:, Disk Size: 199996 MB, Free: 7782 MB, Free(in percent): 3
3201       EventTracker   System Webserver51 Detected free space in drive C: is less than 20 percent.
                          Drive: C:
                          Disk Size: 14999 MB
                          Free: 358 MB
                          Free(in percent): 2 percent
Sample Reports

Sample Report #1 (figure not reproduced)
Sample Report #2 (figure not reproduced)
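Recommendations 1 and 2 are a threshold check and a day-over-day comparison over exactly the per-drive lines that event 3232 carries. The following is an added example, not EventTracker's code: it parses the drive lines of the page's 3232 event, recomputes the free percentage from the MB figures as a cross-check on the reported value, flags drives under a free-space floor, and flags drives whose free space dropped sharply since the previous day. The previous-day figures are constructed.

```python
"""Disk space threshold and day-over-day variation checks.

Added example, not EventTracker code. The event text is the page's 3232
event; yesterday's percentages are constructed.
"""
import re

DRIVE_LINE = re.compile(
    r"Drive (?P<drive>[A-Z]:), Disk Size: (?P<size>\d+) MB, "
    r"Free: (?P<free>\d+) MB, Free\(in percent\): (?P<pct>\d+)"
)

EVENT_3232 = """System - SQLA Disk space availability
Drive C:, Disk Size: 20000 MB, Free: 10980 MB, Free(in percent): 54
Drive D:, Disk Size: 76316 MB, Free: 58921 MB, Free(in percent): 77
Drive E:, Disk Size: 18161 MB, Free: 5109 MB, Free(in percent): 28
Drive G:, Disk Size: 38475 MB, Free: 3482 MB, Free(in percent): 9
Drive H:, Disk Size: 199996 MB, Free: 7782 MB, Free(in percent): 3"""


def parse_disk_event(text):
    """One dict per drive; the percentage is recomputed from the MB figures."""
    drives = []
    for m in DRIVE_LINE.finditer(text):
        size, free = int(m["size"]), int(m["free"])
        drives.append({
            "drive": m["drive"],
            "size_mb": size,
            "free_mb": free,
            "free_pct": free * 100 // size if size else 0,
            "reported_pct": int(m["pct"]),
        })
    return drives


def low_space(drives, min_free_pct=20):
    """Recommendation 1: drives below the free-space floor (90% used = 10% free)."""
    return [d for d in drives if d["free_pct"] < min_free_pct]


def daily_variation(prev_free_pct, drives, max_drop_pct=10):
    """Recommendation 2: drives whose free space fell sharply since yesterday.

    prev_free_pct maps a drive letter to yesterday's free percentage.
    Returns (drive, drop in percentage points) for each drive over the limit.
    """
    flagged = []
    for d in drives:
        yesterday = prev_free_pct.get(d["drive"])
        if yesterday is None:
            continue  # new drive, nothing to compare against
        drop = yesterday - d["free_pct"]
        if drop > max_drop_pct:
            flagged.append((d["drive"], drop))
    return flagged


# Constructed: yesterday's free percentages for the same server.
YESTERDAY = {"C:": 55, "D:": 77, "E:": 30, "G:": 31, "H:": 5}

if __name__ == "__main__":
    drives = parse_disk_event(EVENT_3232)
    for d in low_space(drives):
        print(f"ALERT {d['drive']} free space {d['free_pct']}% is below 20%")
    for drive, drop in daily_variation(YESTERDAY, drives):
        print(f"ALERT {drive} free space fell {drop} points since yesterday")
```

Run against the page's data, G: and H: trip the 20% floor of event 3201, and only G: trips the variation rule: H: has been nearly full for days, which is a capacity problem, whereas a sudden 22-point drop on G: is the kind of change that deserves a look the same day.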
5. Network Connection Monitoring

Monitoring network connections is an easy method to improve performance, understand system usage and address security threats. In many cases it is unknown network users and applications that impact the performance of critical servers, and when a machine is compromised it generally begins to communicate information to the outside world. By monitoring ports, applications and processes within a server for patterns of access, by both remote connections and users communicating to the outside world, new or unusual activity can be detected as an early warning sign that something is not right.

EventTracker continuously monitors and tracks all inbound as well as outbound TCP/UDP connections. The EventTracker Agent generates an event whenever a new connection is created or deleted. EventTracker also maintains a list of suspicious network activities, such as activity on a nontypical port number, and a blacklist and/or whitelist of unacceptable or acceptable connections. EventTracker can also provide automatic remedial action to terminate the connection if your rule set indicates that the connection source is not in your whitelist or is part of your blacklist.

Recommendations
1. Generate a daily report on all incoming connections to all ports sorted by incoming IP address. An optional prevention approach is to immediately terminate a process or generate an alert condition if the IP address is not in your trusted list.
2. Generate a profile of users accessing certain ports or applications. For instance, what is the average connection time?
3. Generate a daily report of the 50 top web sites visited by your company.
4. Generate a top ten of the applications a user is connecting to.
Event Details

Event id   Source         Description
3223       EventTracker   Socket CREATED:
                          Type: TCP
                          Status: New
                          Local Address: ISA.Isatest.local
                          Local Port: 21953
                          Remote Address: KAH
                          Remote Port: 1558
                          Connection State: TIME_WAIT
                          Process ID: 0
                          Process Name: [System Process]
                          Image File Name: C:\Program Files\Microsoft ISA Server\wspsrv.exe
3224       EventTracker   Socket MODIFIED:
                          Type: TCP
                          Status: Changed
                          Local Address: ISA.Isatest.local
                          Local Port: 60940
                          Remote Address: RR.PMTPA.WIKIMEDIA.ORG
                          Remote Port: 80 (http)
                          New Connection States: CLOSE_WAIT
3225       EventTracker   Socket DELETED:
                          Type: TCP
                          Status: Deleted
                          Local Address: MICKEY.Toons.local
                          Local Port: 4187
                          Remote Address: WEBDOC1.TOONS.LOCAL
                          Remote Port: 445 (microsoft-ds)
                          Connection active time: 438 secs
                          Last known Connection State: ESTAB
                          Process ID: 4
                          Process Name: System
                          Image File Name: C:\WINDOWS\system32\lsass.exe
3226       EventTracker   Socket CREATED:
                          Type: UDP
                          Status: New
                          Local Address: MICKEY
                          Local Port: 4500 (ipsec-msft)
                          Process ID: 436
                          Process Name: lsass.exe
                          Image File Name: C:\WINDOWS\system32\lsass.exe
3227       EventTracker   Socket DELETED:
                          Type: UDP
                          Status: Deleted
                          Local Address: MICKEY
                          Local Port: 4416
                          Connection active time: 216 secs
                          Process ID: 3396
                          Process Name: UserActivity.exe
                          Image File Name: D:\WORK\products\etmgr-win-v6-x\bin\UserActivity.exe
Sample Reports

Sample Report #1 (figure not reproduced)
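The rule set the section describes (whitelist, blacklist, nontypical port) can be applied directly to socket events of the shape shown above. The following is an added example, not EventTracker's code: it parses the page's events 3223, 3224, 3225 and 3226 laid out one field per line, classifies each as allow, suspicious, terminate or local (no peer), and counts new connections per remote address and port for the daily report of recommendation 1. The typical-port baseline and the trusted and blocked host lists are constructed and would be tuned per site.

```python
"""Classifying socket events against a whitelist, blacklist and typical-port baseline.

Added example, not EventTracker code. Event text is the page's own 3223-3226
events; the port baseline and host lists are constructed.
"""
import re
from collections import Counter

TYPICAL_PORTS = {25, 53, 80, 88, 135, 139, 389, 443, 445, 3389}    # constructed per-site baseline
TRUSTED_REMOTE = {"WEBDOC1.TOONS.LOCAL", "RR.PMTPA.WIKIMEDIA.ORG"}  # whitelist (constructed)
BLOCKED_REMOTE = {"BAD-HOST.EXAMPLE"}                               # blacklist (constructed)


def field(text, name):
    """Value of a 'Name: value' line, or '' when the event has no such line."""
    m = re.search(r"^" + re.escape(name) + r": (.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else ""


def leading_int(s):
    m = re.match(r"\d+", s)
    return int(m.group()) if m else 0  # '80 (http)' -> 80


def parse_socket_event(text):
    return {
        "status": field(text, "Status"),
        "proto": field(text, "Type"),
        "local": field(text, "Local Address"),
        "local_port": leading_int(field(text, "Local Port")),
        "remote": field(text, "Remote Address").upper(),
        "remote_port": leading_int(field(text, "Remote Port")),
        "process": field(text, "Process Name"),
        "image": field(text, "Image File Name"),
    }


def classify(ev, trusted=TRUSTED_REMOTE, blocked=BLOCKED_REMOTE, typical=TYPICAL_PORTS):
    """allow / suspicious / terminate; 'local' for a socket with no peer."""
    if not ev["remote"]:
        return "local"        # e.g. a UDP listener (events 3226/3227)
    if ev["remote"] in blocked:
        return "terminate"    # remedial action per the rule set
    if ev["remote"] in trusted:
        return "allow"
    if ev["remote_port"] in typical:
        return "allow"
    return "suspicious"       # unknown peer on a nontypical port


def connections_by_remote(events):
    """Recommendation 1: count new connections per remote address and port."""
    return Counter((ev["remote"], ev["remote_port"])
                   for ev in events if ev["status"] == "New" and ev["remote"])


EV_3223 = r"""Socket CREATED:
Type: TCP
Status: New
Local Address: ISA.Isatest.local
Local Port: 21953
Remote Address: KAH
Remote Port: 1558
Connection State: TIME_WAIT
Process ID: 0
Process Name: [System Process]
Image File Name: C:\Program Files\Microsoft ISA Server\wspsrv.exe"""
EV_3224 = r"""Socket MODIFIED:
Type: TCP
Status: Changed
Local Address: ISA.Isatest.local
Local Port: 60940
Remote Address: RR.PMTPA.WIKIMEDIA.ORG
Remote Port: 80 (http)
New Connection States: CLOSE_WAIT"""
EV_3225 = r"""Socket DELETED:
Type: TCP
Status: Deleted
Local Address: MICKEY.Toons.local
Local Port: 4187
Remote Address: WEBDOC1.TOONS.LOCAL
Remote Port: 445 (microsoft-ds)
Connection active time: 438 secs
Last known Connection State: ESTAB
Process ID: 4
Process Name: System
Image File Name: C:\WINDOWS\system32\lsass.exe"""
EV_3226 = r"""Socket CREATED:
Type: UDP
Status: New
Local Address: MICKEY
Local Port: 4500 (ipsec-msft)
Process ID: 436
Process Name: lsass.exe
Image File Name: C:\WINDOWS\system32\lsass.exe"""

if __name__ == "__main__":
    for text in (EV_3223, EV_3224, EV_3225, EV_3226):
        ev = parse_socket_event(text)
        print(classify(ev), ev["proto"], ev["local"], ev["local_port"],
              "->", ev["remote"] or "-", ev["remote_port"])
```

Event 3223 is the interesting one: a server-side process talking to an unknown host on port 1558 matches neither list nor the port baseline, so it lands in "suspicious" and would be the line an analyst reads first in the daily report.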
6. Hot-fix Install Monitoring

Many corporate desktops and servers are compromised for a simple, preventable reason: they have not been updated to the latest version of the Operating System, anti-virus and applications like Office that provide the execution environment for malware. Being able to easily identify and report hot-fix levels on all the resources in the enterprise is a simple yet powerful method to help avoid costly downtime or loss of critical corporate data.

EventTracker Agents report on all current anti-virus, Operating System and Office hot-fix levels. Reports can be run on single machines as well as groups of machines, and provide a way for operations and security staff to quickly ascertain which machines are at risk of compromise.

Recommendations
1. Generate a weekly report on all machines to confirm hot-fix installations.
2. If a critical hot-fix is released, use EventTracker to generate an on-demand report to verify all machines have been updated.
Sample Reports

Sample Report #1 (figure not reproduced)
7. Application Usage Tracking

Even a mid-size organization potentially has thousands of users and workstations in its enterprise. It is critical that an organization know what applications are run by users. This enables security and operations personnel to identify and track users as they download and run random or unlicensed applications on computers and expose the company to both security and legal risks.

EventTracker monitors the start and stop of every program on each system. It facilitates easier license tracking, capacity planning, software usage matrix generation, and security monitoring.

Event Details

Event id   Source         Description
3221       EventTracker   App Open:
                          Exe: EXCEL.EXE
                          Name: Microsoft Office 2000
                          Description: EXCEL.EXE
                          Version: 9.0.2719
                          Vendor: Microsoft Corporation
                          PID: 7840
3222       EventTracker   App Close:
                          Exe: MSDEV.EXE
                          Name: Microsoft (R) Visual Studio
                          PID: 3800
Sample Reports

Sample Report #1: Daily Application Usage by each computer (figure not reproduced)
Sample Report #2: Application usage summary by each user (figure not reproduced)
8. Monitoring and Tracking of Software Installs/Uninstalls

If software is installed and uninstalled on a production server without a formal review process, it represents not only a service availability risk but also a potentially serious security threat for your organization. In addition, unapproved and unlicensed software can be a legal and security nightmare on both workstations and servers. In spite of best practices and intentions, most organizations cannot track software installs and uninstalls reliably on either critical servers or workstations over time.

EventTracker actively monitors all software installs/uninstalls for both real-time alerting and reporting and analysis. EventTracker also helps in documenting what hot-fixes and patches are added to or removed from your environment.

Recommendations
1. Generate an alert condition to notify whenever new software is installed or uninstalled on a server. If you get an alert from a mission critical server, generate a report on what files have been added, deleted and modified as a result of these installs or uninstalls.
2. Schedule a weekly report of all software installs and uninstalls on all servers and workstations. Review them for out-of-the-ordinary installations or license violations.

Event Details

Event id   Source         Description
3208       EventTracker   Detected software <Microsoft Visual Studio 6.0 Enterprise Edition> has been installed on this system.
                          Name: Microsoft Visual Studio 6.0 Enterprise Edition
3209       EventTracker   Detected software <EventTracker> has been uninstalled from this system.
                          Name: EventTracker
Sample Reports

Sample Report #1 (figure not reproduced)
9. Monitoring and Tracking of Critical Services

Services are a key foundation for running applications within the Windows architecture, and some critical applications appear to the user as nothing but a Windows Service. These Windows Services must be running for the application to be available. If a key Service dies, your application becomes unavailable. If an anti-virus service dies, for example, it opens a hole in your security.

EventTracker continuously monitors all services. If a service starts up or goes down, an event is generated in real time and you can be notified, and if a critical service terminates it can be restarted automatically by EventTracker. EventTracker provides a real-time dashboard to review the status of all critical services and for Service Level Agreement (SLA) monitoring. A number of preconfigured reports are included with EventTracker to review the overall availability of critical services.

Recommendations
1. Generate an alert condition if a critical service dies. If the service is mission critical, configure EventTracker to restart the service automatically.
2. Generate an alert condition if a new service starts on your critical systems.
3. Generate a daily report of service down-time and share it with the IT department for management of service level agreements (SLA).

Event Details

Event id   Source         Description
3202       EventTracker   Detected Service <VNC Server> is not running.
                          Name: VNC Server
                          Type: Service
3203       EventTracker   Detected %s <%s> was restarted successfully. \r\n\tname: %s \r\n\ttype: %s
3204       EventTracker   Detected Service <WcwService> could not be restarted.
                          Name: WcwService
                          Type: Service
Sample Reports

Sample Report #1: Service down-time report sorted by computer (figure not reproduced)
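The down-time report of recommendation 3 is derived by pairing the three events above into outages. The following is an added example, not EventTracker's code: it walks a constructed event stream using the page's event ids 3202 (service not running), 3203 (restarted successfully) and 3204 (restart failed), opens an outage on the first detection for a computer/service pair, closes it on the restart, charges outages still open up to the report time, and lists those separately so the operator sees what is still down. The computers, timestamps and the FILESRV/Spooler entry are made up.

```python
"""Service down-time accounting from service monitoring events.

Added example, not EventTracker code. Event ids are the page's 3202/3203/3204;
the event stream itself is constructed.
"""
from collections import defaultdict
from datetime import datetime

SERVICE_DOWN, SERVICE_RESTARTED, RESTART_FAILED = 3202, 3203, 3204

# Constructed events: (computer, timestamp, event id, service name).
EVENTS = [
    ("SQLA", "2008-08-06 02:00:00", SERVICE_DOWN, "VNC Server"),
    ("SQLA", "2008-08-06 02:00:30", SERVICE_RESTARTED, "VNC Server"),
    ("WEBSERVER51", "2008-08-06 03:15:00", SERVICE_DOWN, "WcwService"),
    ("WEBSERVER51", "2008-08-06 03:15:20", RESTART_FAILED, "WcwService"),
    ("WEBSERVER51", "2008-08-06 03:16:00", SERVICE_DOWN, "WcwService"),  # re-detected, same outage
    ("WEBSERVER51", "2008-08-06 04:00:00", SERVICE_RESTARTED, "WcwService"),
    ("FILESRV", "2008-08-06 05:00:00", SERVICE_DOWN, "Spooler"),          # still down at report time
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def downtime_report(events, report_time):
    """Per-computer outage counts and down-time in seconds, plus unresolved outages.

    An outage opens on the first SERVICE_DOWN for a (computer, service) pair
    and closes on SERVICE_RESTARTED; repeated detections of the same outage
    are not counted twice. Outages still open are charged up to report_time.
    """
    open_outages = {}  # (computer, service) -> time first seen down
    report = defaultdict(lambda: {"outages": 0, "down_seconds": 0, "failed_restarts": 0})
    for computer, ts, event_id, service in sorted(events, key=lambda e: e[1]):
        key, t, row = (computer, service), parse_ts(ts), report[computer]
        if event_id == SERVICE_DOWN:
            if key not in open_outages:
                open_outages[key] = t
                row["outages"] += 1
        elif event_id == RESTART_FAILED:
            row["failed_restarts"] += 1
        elif event_id == SERVICE_RESTARTED and key in open_outages:
            row["down_seconds"] += int((t - open_outages.pop(key)).total_seconds())
    unresolved = []
    for (computer, service), since in open_outages.items():
        report[computer]["down_seconds"] += int((parse_ts(report_time) - since).total_seconds())
        unresolved.append((computer, service))
    return dict(report), unresolved


if __name__ == "__main__":
    rows, still_down = downtime_report(EVENTS, "2008-08-06 06:00:00")
    for computer, row in sorted(rows.items()):
        print(computer, row)
    print("unresolved:", still_down)
```

The same pairing works for the App Open / App Close events of section 7 keyed on PID instead of service name, which is how a per-user application usage duration would be computed.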
10. Runaway CPU and Memory Processes

Runaway processes are programs, services or user scripts which go haywire, generally due to a software design problem, and start consuming excessive amounts of CPU or memory. A user is typically unaware when this happens until performance of the entire machine becomes highly degraded, and often the end result is a hung system and a necessary system reboot. Quick identification of these runaway processes is vital for the performance and availability of Windows servers and workstations.

EventTracker enables the definition of acceptable CPU and memory thresholds for any Windows process. The EventTracker Agent then continuously monitors all running processes in the system. If it detects a process that exceeds its defined thresholds, it generates an event in real time and notifies you. Generally a runaway process needs to be terminated to free up critical resources. If configured, EventTracker can also take automatic remedial actions such as terminating and restarting a runaway process to immediately free up critical resources.

Recommendations
Set up the following critical alert conditions that notify system administrators in real time when:
1. CPU utilization of a system consistently remains higher than 85%.
2. Memory utilization of a system consistently remains higher than 90%.
3. Any process consumes more than 80% of CPU for a long time. Consider launching a remedial action to terminate the process automatically if this occurs frequently.
4. Any process consumes more than 250 MB of memory. For repeat offenders, launch an automatic remedial action to terminate the process.
Event Details

Event id   Source         Description
3206       EventTracker   Detected High Memory Usage. More than 50 percent in use for last 180 seconds.
                          Peak Memory: 52 percent
                          Total Physical: 1015 MB
                          Total Paging: 2446 MB
                          Avail Physical: 486 MB
                          Avail Paging: 1985 MB
3207       EventTracker   Detected High CPU Usage. More than 80 percent in use for last 180 seconds.
                          System CPU Usage: 98 %
                          Process Name: ntiis.exe
                          Process CPU Usage: 60 %.
3215       EventTracker   Detected Memory usage is back to below configured threshold limit.
                          Peak Memory: 44 percent
                          Total Physical: 1015 MB
                          Total Paging: 0 MB
                          Avail Physical: 2446 MB
                          Avail Paging: 0 MB
3216       EventTracker   Detected CPU usage is back to below configured threshold limit. \r\n\tcpu Usage: %d percent.
3217       EventTracker   Process <devenv.exe> has crossed the memory usage limit.
                          Process: devenv.exe
                          Limit: 150 MB
                          Actual: 222 MB
                          PID: 333
3218       EventTracker   Process <IDriver.exe> has crossed the CPU usage limit.
                          Process: IDriver.exe
                          Limit: 60 %
                          Actual: 94 %
                          Total CPU Usage: 143 Seconds.
                          PID: 333
3219       EventTracker   Memory usage of process <googleearth.exe> is now normal and below the usage limit.
                          Process: googleearth.exe
                          Limit: 60 MB
                          Actual: 35 MB
3220       EventTracker   CPU Usage of process <%s> is now normal and below the usage limit. \r\n\tprocess: %s \r\n\tlimit: %d %% \r\n\tactual: %d %%
Sample Reports

Sample Report #1: System CPU problem incidents (figure not reproduced)
Sample Report #2: Processes with excessive memory consumption (figure not reproduced)
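The word "consistently" in the recommendations, and the "for last 180 seconds" in events 3206 and 3207, mean the check is not a simple comparison: a breach has to persist for a hold period before it is worth an alert, and a matching back-to-normal event (3215, 3216, 3219, 3220) should follow when usage drops again. The following is an added example, not EventTracker's code, of that sustained-threshold logic with alert and clear transitions. The limits, hold times and the 30-second samples for system CPU and for devenv.exe memory are constructed.

```python
"""Sustained-threshold detection for runaway CPU and memory usage.

Added example, not EventTracker code. Limits, hold periods and samples are
constructed; the message shapes follow the page's events 3206/3207 and 3215/3216.
"""


class SustainedThreshold:
    """Returns 'alert' once a value has stayed above limit for hold_seconds,
    'clear' when it drops back to or below the limit, and None otherwise."""

    def __init__(self, name, limit, hold_seconds, unit):
        self.name, self.limit, self.hold, self.unit = name, limit, hold_seconds, unit
        self.breach_since = None  # time of the first consecutive sample over the limit
        self.alerting = False
        self.peak = 0

    def update(self, t, value):
        if value > self.limit:
            self.peak = max(self.peak, value)
            if self.breach_since is None:
                self.breach_since = t
            elif not self.alerting and t - self.breach_since >= self.hold:
                self.alerting = True
                return "alert"
            return None
        self.breach_since = None  # a single normal sample resets the hold period
        if self.alerting:
            self.alerting = False
            self.peak = 0
            return "clear"
        return None

    def message(self, state, value):
        if state == "alert":
            return (f"{self.name}: more than {self.limit}{self.unit} in use for last "
                    f"{self.hold} seconds. Peak: {self.peak}{self.unit}")
        return f"{self.name}: usage is back to below configured threshold limit. Actual: {value}{self.unit}"


def run(detector, samples):
    """Feed (time, value) samples; return only the (time, state) transitions."""
    out = []
    for t, value in samples:
        state = detector.update(t, value)
        if state:
            out.append((t, state))
    return out


# Constructed 30-second samples: system CPU pinned at 98% for three minutes, then idle.
CPU_SAMPLES = [(0, 98), (30, 98), (60, 98), (90, 98), (120, 98), (150, 98), (180, 98), (210, 20), (240, 15)]
# Constructed per-process memory samples in MB for devenv.exe, limit 150 MB held for 60 s.
DEVENV_MEMORY = [(0, 120), (30, 222), (60, 230), (90, 240), (120, 100)]

if __name__ == "__main__":
    cpu = SustainedThreshold("System CPU", limit=80, hold_seconds=180, unit="%")
    for t, state in run(cpu, CPU_SAMPLES):
        print(t, cpu.message(state, dict(CPU_SAMPLES)[t]))
    mem = SustainedThreshold("Process devenv.exe memory", limit=150, hold_seconds=60, unit=" MB")
    for t, state in run(mem, DEVENV_MEMORY):
        print(t, mem.message(state, dict(DEVENV_MEMORY)[t]))
```

A short spike that falls back before the hold period elapses produces no event at all, which is what keeps a rule like "more than 80% CPU" from paging someone every time a build or a backup starts; the hold period is the knob that trades detection delay for noise.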
The EventTracker Solution

The EventTracker solution is a scalable, enterprise-class Security Information and Event Management (SIEM) solution for Windows systems, Syslog/Syslog-NG (UNIX and many networking devices), SNMP v1/v2, legacy systems, applications and databases. EventTracker enables defense in depth, where log data is automatically collected, correlated and analyzed from the perimeter security devices down to the applications and databases.

To prevent security breaches, Event Log data becomes most useful when interpreted in near real time and in context. Context is vitally important because often the critical indications of impending problems and security violations can only be learned by watching patterns of events across multiple systems. Complex rules can be run on the event stream to detect signs of such a breach. EventTracker also provides real-time alerting capability in the form of an email, page or SNMP message to proactively alert security personnel to an impending security breach. The original Event Log data is also securely stored in a highly compressed event repository for compliance purposes and later forensic analysis.

For compliance, EventTracker provides a powerful reporting interface, scheduled or on-demand report generation, automated compliance workflows that prove to auditors that reports are being reviewed, and many other features. With pre-built auditor-grade reports included for most of the compliance standards (FISMA, HIPAA, SOX, GLBA and NISPOM), EventTracker represents a compliance solution that is second to none. EventTracker also provides advanced forensic capability where all the stored logs can be quickly searched through a powerful Google-like search interface to perform quick problem determination.

EventTracker lets users completely meet the logging requirements specified in NIST SP 800-92, Guide to Computer Security Log Management, and additionally provides host-based intrusion detection, change monitoring and USB activity tracking on Windows systems, all in an off-the-shelf, affordable software solution.

EventTracker provides the following benefits:
- A highly scalable, component-based architecture that consolidates all Windows, SNMP v1/v2, legacy platforms, and Syslog received from routers, switches, firewalls, critical UNIX servers (Red Hat Linux, Solaris, AIX etc.), Solaris BSM, workstations and various other Syslog-generating devices.
- An automated archival mechanism that stores activities over an extended period to meet auditing requirements. The complete log is stored in a highly compressed (>90%), secured archive that is limited only by the amount of disk storage.
- Real-time monitoring and parsing of all logs to analyze user activities such as logon failures and failed attempts to access restricted information.
- An alerting interface that generates custom alert actions via email, pager, beep, console message, etc.
- Event correlation modules to constantly monitor for malicious hacking activity. In conjunction with alerts, this is used to inform network security officers and security administrators in real time. This helps minimize the impact of breaches.
- Various types of network activity reports, which can be scheduled or generated as required for any investigation or for meeting audit compliance.
- Host-based Intrusion Detection (HIDS).
- A role-based, secure event and reporting console for data analysis.
- Change monitoring on Windows machines.
- USB tracking, including restricted use, insert/removal recording, and a complete audit trail of all files copied to the removable device.
- Built-in compliance workflows to allow inspection and annotation of the generated reports.
About Prism Microsystems

Prism Microsystems, Inc. delivers business-critical solutions to consolidate, correlate and detect changes that could impact the performance, availability and security of your IT infrastructure. With a proven history of innovation and leadership, Prism provides easy-to-deploy products and solutions for integrated Security Management, Change Management and Intrusion Detection. EventTracker, Prism's market-leading enterprise log management solution, enables commercial enterprises, educational institutions and government organizations to increase the security of their environments and reduce risk to their enterprise. Customers span multiple sectors including financial, communications, scientific, healthcare, banking and consulting.

Prism Microsystems was formed in 1999 and is a privately held corporation with corporate headquarters in the Baltimore-Washington high tech corridor. Research and development facilities are located in both Maryland and India. These facilities have been independently appraised in accordance with the Software Engineering Institute's Appraisal Framework, and were deemed to meet the goals of SEI Level 3 for CMM.

For additional information, please visit http://www.prismmicrosys.com/.