Monitoring Windows Workstations: Seven Important Events
White Paper
Publication Date: October 1, 2009

8815 Centre Park Drive
Columbia MD 21045
877.333.1433
ABSTRACT

Monitoring event logs from workstations provides two important benefits. Firstly, it saves money by adopting a proactive approach to supporting end users: problems that would otherwise end up as calls to the help desk can often be avoided or fixed more quickly, which enhances the productivity of end users and reduces the cost of IT operations. Secondly, monitoring workstation logs enhances the overall security of your organization. The problem lies in the sheer volume of data that must be analyzed, which renders manual monitoring completely impractical. On the other hand, if you don't monitor workstations at all, you are exposed to security risks, higher cost of administration, lost productivity and user frustration. Rather than adopt an all-or-nothing position, this document suggests a middle ground, with automation to help justify the cost.

The information contained in this document represents the current view of Prism Microsystems, Inc. on the issues discussed as of the date of publication. Because Prism Microsystems, Inc. must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, Inc., and Prism Microsystems, Inc. cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Prism Microsystems, Inc. MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this Guide may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided.

Prism Microsystems, Inc. may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, Inc., the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

2009 Prism Microsystems, Inc. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Prism Microsystems, Inc. 2
Why Monitor Workstation Event Logs?

Monitoring event logs from Windows workstations provides two important benefits:

- Save money by adopting a proactive approach to supporting end users (increased productivity of IT personnel and end users).
- Enhanced overall security of your organization.

The number of workstations and the sheer volume of data that must be analyzed, however, generally renders manual monitoring completely impractical. A log management solution such as EventTracker provides the automation framework to collect all the logs, but organizations often still hesitate for the following reasons:

- Too much work and administrative effort to monitor hundreds of workstations.
- Cost/benefit (ROI) is not justified.

EventTracker addresses both of these challenges by providing a single central console for provisioning, installing and maintaining agents on all of the workstations, and through cost-effective device pricing for workstations.

Once the ROI question is overcome, the next question lies in what should be monitored from each workstation. Many workstation events are simply not important enough to collect and store. A practical and acceptable middle ground is recommended in this White Paper: monitor a small subset of critical events from workstations such that cost and benefits are justified. This approach yields three main benefits:

1. Annual cost of managing and supporting users can be reduced by up to 10%.
2. Improves internal IT control.
3. Overall security improvements.

EventTracker, although able to collect any and all workstation event logs, provides a preconfigured rule set for workstations to enable concentration on the most important events. These include: user logon/logoff; logon failures; disk space utilization; USB drive inserts/removal, with an audit of files copied to the device; service start and stop; runaway process monitoring; and software install/uninstall monitoring.
Seven Critical Events

The table below lists, for each event, its purpose, what to monitor, and the recommended operational task.

1. User logon/logoff
   Purpose: Monitoring user logon/logoff increases IT control and can detect an insider threat.
   What to monitor: Windows event IDs 528, 538.
   Operation: Weekly automated task:
   - Generate and review a report of logons/logoffs by user and by group of computers.
   - Generate a graph to monitor off-hours logon activity.

2. Logon failures
   Purpose: Intrusion detection, security enhancement, help desk support.
   What to monitor: Windows event IDs 529, 530, 531, 532.
   Operation: Daily task: Review the automated logon failure report by user and by computer to ensure security.

3. Monitor disk space
   Purpose: Operations, help desk.
   What to monitor: The EventTracker agent generates events against the threshold defined for each disk.
   Operation: Daily task: Review all the disks in your workstation farm which are above 80% full.

4. Monitor USB device inserts, record files copied to the device
   Purpose: Security. Monitor users who mount USB drives or DVD/CD drives and copy files. USB devices on workstations represent a major security hole for data leakage.
   What to monitor: EventTracker agents monitor USB drive inserts and device changes, and produce an audit trail of the time, user and list of files copied each time the device is used.
   Operation: Daily task: Review the report of USB drive activity.

5. Monitor service start and stop
   Purpose: Operations, help desk, security. Your workstation security and operation are compromised if critical services (e.g. virus checking) are not started.
   What to monitor: The EventTracker agent monitors all services.
   Operation: Daily task: Review all stopped services on all workstations. Weekly task: Review the total downtime generated by the services.

6. Monitor runaway processes
   Purpose: Operations, help desk. Trap and identify all processes and services which start consuming over 50% CPU and over 100MB of RAM.
   What to monitor: EventTracker monitors runaway processes.
   Operation: Real-time alert: Notify the system administrator right away of a runaway process; the system administrator should identify and stop it. Weekly task: Review all the runaway processes so that you can remove the task or get a fix from the application vendor.

7. Monitor software install/uninstall
   Purpose: IT controls, patch management, operations.
   What to monitor: EventTracker agents monitor software install/uninstall.
   Operation: Daily task: Review all the software installed on workstations and identify unwanted installed software which violates company policy and licenses. Weekly task: Generate a patch management report to make sure that your workstations are up to date.
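As an added illustration of events 1 and 2 above (not code from the paper or from EventTracker), the script below runs the weekly logon/logoff report with off-hours detection and the daily logon-failure report over a handful of constructed Windows Security records using the event IDs the paper lists. The record layout, the 07:00-18:59 weekday working window and the failure-count threshold are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (timestamp, workstation, event ID, user); not real logs.
# Pre-Vista Security log IDs as listed in the paper: 528 = successful logon,
# 538 = logoff, 529-532 = logon failures (bad password, time restriction,
# disabled account, expired account).
SAMPLE_EVENTS = [
    ("2009-09-28 08:55:10", "WS01", 528, "alice"),
    ("2009-09-28 17:32:41", "WS01", 538, "alice"),
    ("2009-09-28 23:14:02", "WS07", 528, "bob"),    # off-hours logon
    ("2009-09-29 02:10:55", "WS07", 538, "bob"),
    ("2009-09-29 09:01:33", "WS03", 529, "carol"),
    ("2009-09-29 09:01:51", "WS03", 529, "carol"),
    ("2009-09-29 09:02:07", "WS03", 529, "carol"),
    ("2009-09-29 09:10:00", "WS03", 531, "dave"),   # disabled account
]

LOGON, LOGOFF = 528, 538
FAILURE_IDS = {529, 530, 531, 532}
BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 on weekdays is "in hours"

def logon_logoff_report(events):
    """Weekly report: logon/logoff counts per user plus every off-hours logon."""
    counts = defaultdict(lambda: {"logon": 0, "logoff": 0})
    off_hours = []
    for ts, host, event_id, user in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == LOGON:
            counts[user]["logon"] += 1
            if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
                off_hours.append((user, host, ts))
        elif event_id == LOGOFF:
            counts[user]["logoff"] += 1
    return dict(counts), off_hours

def logon_failure_report(events, threshold=3):
    """Daily report: failures per (user, workstation); flag pairs at/above threshold."""
    failures = Counter((user, host) for _, host, eid, user in events if eid in FAILURE_IDS)
    flagged = [key for key, n in failures.items() if n >= threshold]
    return failures, flagged

if __name__ == "__main__":
    counts, off_hours = logon_logoff_report(SAMPLE_EVENTS)
    print("logon/logoff by user:", counts)
    print("off-hours logons:", off_hours)
    failures, flagged = logon_failure_report(SAMPLE_EVENTS)
    print("failures by user/host:", dict(failures), "-> review:", flagged)
```

In practice the event records would come from the collected agent logs rather than the embedded sample, and the flagged pairs feed the daily review task the paper describes.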
Summary

Consolidating and mining system and application event logs represents a powerful tool to detect the subtle signs around the corporate network that indicate either an increased security risk or an actual security breach in progress. Event Log Management is recognized as a critical requirement to meet corporate compliance objectives, but the investment made for compliance can also be leveraged to substantially increase the overall security of the network, decrease expensive system downtime by preventing security breaches, and increase the overall operational efficiency of the IT department.
The EventTracker Solution

The EventTracker solution is a scalable, enterprise-class Security Information and Event Management (SIEM) solution for Windows systems, Syslog/Syslog NG (UNIX and many networking devices), SNMP V1/2, legacy systems, applications and databases. EventTracker enables defense in depth, where log data is automatically collected, correlated and analyzed from the perimeter security devices down to the applications and databases.

To prevent security breaches, event log data becomes most useful when interpreted in near real time and in context. Context is vitally important because often the critical indications of impending problems and security violations are only detected by watching patterns of events across multiple systems. EventTracker enables complex rules to be run on the event stream to detect signs of such a breach. EventTracker also provides real-time alerting capability in the form of an email, page or SNMP message to proactively alert security personnel to an impending security breach. The original event log data is also securely stored in a highly compressed event repository for compliance purposes and later forensic analysis.

For compliance, EventTracker provides a powerful reporting interface, scheduled or on-demand report generation, automated compliance workflows that prove to auditors that reports are being reviewed, and many other features. With pre-built, auditor-grade reports included for most of the compliance standards (FISMA, HIPAA, PCI-DSS, SOX, GLBA, and others), EventTracker represents a compliance solution that is second to none. EventTracker also provides advanced forensic capability where all the stored logs can be quickly searched through a powerful Google-like search interface to perform quick problem determination.
EventTracker lets users completely meet the logging requirements specified in the National Institute for Standards and Technology (NIST) Special Publication 800-92, Guide to Computer Security Log Management, which has emerged as a well-recognized guide for Log Management. EventTracker also includes network connection monitoring, change auditing and USB activity tracking on Windows systems, all in a turnkey, off-the-shelf, affordable software solution.

EventTracker provides the following benefits:

- A highly scalable, component-based architecture that consolidates all Windows, SNMP V1/V2, legacy platforms, Syslog received from routers, switches, firewalls, critical UNIX servers (Red Hat Linux, Solaris, AIX etc), Solaris BSM, workstations and various other SYSLOG-generating devices.
- Automated archival mechanism that stores activities over an extended period to meet auditing requirements. The complete log is stored in a highly compressed (>90%), secured archive that is limited only by the amount of disk storage.
- Real-time monitoring and parsing of all logs to analyze user activities such as logon failures and failed attempts to access restricted information.
- Full support for monitoring of virtualized enterprises.
- Alerting interface that generates custom alert actions via email, pager, beep, console message, etc.
- Event correlation to constantly monitor for malicious hacking activity. In conjunction with alerts, this is used to inform network security officers and security administrators in real time. This helps minimize the impact of breaches.
- Various types of network activity reports, which can be scheduled or generated as required for any investigation or for meeting audit compliance.
- Host-based Intrusion Detection (HIDS).
- Role-based, secure event and reporting console for data analysis.
- Change Monitoring on Windows machines.
- USB Tracking, including restricted use, insert/removal recording, and a complete audit trail of all files copied to the removable device.
- Built-in compliance workflows to allow inspection and annotation of the generated reports.

EventTracker is delivered as a software-only solution running on industry-standard Microsoft operating systems. It is virtualization ready and can be deployed on a single or multiple dedicated or virtual servers. Easy to use, highly scalable and affordable, it represents a solid choice for any organization attempting to meet compliance or simply attempting to improve their overall IT responsiveness and security.
About Prism Microsystems

Prism Microsystems, Inc. delivers business-critical solutions to consolidate, correlate and detect changes that could impact the performance, availability and security of your IT infrastructure. With a proven history of innovation and leadership, Prism provides easy-to-deploy products and solutions for integrated Security Management, Change Management and Intrusion Detection. EventTracker, Prism's market-leading enterprise log management solution, enables commercial enterprises, educational institutions and government organizations to increase the security of their environments and reduce risk to their enterprise. Customers span multiple sectors including financial, communications, scientific, healthcare, banking and consulting.

Prism Microsystems was formed in 1999 and is a privately held corporation with corporate headquarters in the Baltimore-Washington high tech corridor. Research and development facilities are located in both Maryland and India. These facilities have been independently appraised in accordance with the Software Engineering Institute's Appraisal Framework, and were deemed to meet the goals of SEI Level 3 for CMM.

For additional information, please visit http://www.prismmicrosys.com/.