Security Beyond the Windows Event Log: Monitoring Ten Critical Conditions
White Paper
Abstract
Monitoring the Windows Event Log is critical because the operating system continuously records critical security, system and application events in that log. Monitoring the Windows Event Log alone, however, is not enough, because many important conditions in Windows are never written to the Event Log. The following are the ten most critical security conditions that are neither monitored by the Windows operating system nor logged in the Event Log. These conditions matter for any enterprise, large or small. This technical white paper describes the conditions, gives expert recommendations and details how EventTracker can help. The following ten conditions are described:
1. Tracking Operating System, File and Registry Changes
2. Tracking and Monitoring USB Device Activity
3. Consolidation and Tracking of Application Specific Log Files
4. Tracking Enterprise Wide Disk Space Usage and Trending
5. Network Connection Monitoring
6. Hot-fix Install Monitoring
7. Application Usage Tracking
8. Monitoring and Tracking of Software Installs/Uninstalls
9. Monitoring and Tracking of Critical Services
10. Runaway CPU and Memory Processes
By following the recommendations in this white paper, your organization will be more secure and will suffer less operational impact from unplanned outages.
The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted as a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights
under copyright, this paper may be freely distributed without permission from EventTracker, if its content is
unaltered, nothing is added to the content and credit to EventTracker is provided.
EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from EventTracker, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The example companies, organizations, products, people and events depicted herein are fictitious. No
association with any real company, organization, product, person or event is intended or should be inferred.
© 2017 EventTracker Security LLC. All rights reserved. The names of actual companies and
products mentioned herein may be the trademarks of their respective owners.
1. Tracking Operating System, File and Registry Changes
On an enterprise’s critical production servers, nothing should be changed without review and approval other than data files, log files and error files. Anything else is an unauthorized or unwanted change. It is also important to protect your system configuration. In most cases, Windows auditing is not a suitable answer, because turning on auditing for the whole system will substantially impact server performance.
Any Windows desktop or server can contain hundreds of thousands of files and half a million registry values. Monitoring changes to the file system and the system registry is an invaluable method of substantially improving corporate security. Unauthorized software installs, or the introduction of a virus or worm, all change the file or registry structure. This change, especially in the case of a virus or worm, is often the only clue you have as an administrator that something has happened on the system.
EventTracker’s Change Management module takes periodic snapshots of the Operating System, files and registry, capturing all changes made to them. These "snapshots" are kept in a browsable view, and any two can be compared to quickly get a list of everything that is new, deleted or simply changed. In addition, alerts can be configured to proactively notify personnel when critical files have been changed.
EventTracker allows you to monitor and manage changes to all Windows systems from a central console.
It enables you to quickly define policies that make sense for your organization so that it monitors and
alerts on unauthorized or suspicious changes in your critical applications, services, registry entries or files.
Recommendations
1. Minimize security risks caused by authorized and unauthorized changes by monitoring for any changes in critical files such as EXEs, DLLs, drivers and INI files.
2. Generate a daily report of files added to or deleted from the system, especially from standard operating system directories such as C:\windows or C:\program files.
3. Generate an alert when anything changes in the Windows startup sequence. This is critical, as many serious viruses change the startup sequence in the registry so that when the system is booted a new, unknown EXE is launched, or a program carrying a virus is renamed to look like a valid program. Microsoft uses the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and starts the programs listed under it when you reboot the system. It is critical to monitor all changes under this registry key.
4. Monitor share drive changes: unplanned or unauthorized additions, deletions or modifications in shared drive settings can open up a security hole.
5. Generate an alert condition if an environment variable changes in your Windows settings.
6. Generate an alert condition for any hardware change on any system.
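The snapshot-and-compare approach described above, as an added example that is not EventTracker's own code: two constructed snapshots (file fingerprints plus values under the Run key) are diffed, counted the way the "Total file changes" event counts them, and only changes matching recommendations 1 to 3 (EXE/DLL/driver/INI files, the standard OS directories, the Run key) are turned into alert lines. The snapshot contents, the critical-extension set and the alert wording are assumptions.

```python
from dataclasses import dataclass

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CRITICAL_EXTENSIONS = {".exe", ".dll", ".sys", ".ini"}   # EXEs, DLLs, drivers, INI files
CRITICAL_DIRS = (r"c:\windows", r"c:\program files")      # standard OS directories

# Constructed snapshots. Keys are file paths or "registry key\value name"; values are
# the fingerprint compared between snapshots: for files (size, last write time,
# file version), for registry values (data,).
SNAPSHOT_PREV = {
    r"C:\windows\system32\kernel32.dll": ("1230000", "2008-07-31 15:36", "5.1.2600.0"),
    r"C:\windows\system32\oldtool.dll": ("4096", "2006-10-30 03:18", ""),
    r"E:\SVNWorkingDir\WORK\WCW\Source\remins\Release\remins.dll": ("102400", "2008-08-05 13:18", "4.2.5.0"),
    r"D:\logs\app.log": ("500", "2008-08-05 17:00", ""),
    RUN_KEY + r"\SynTPEnh": (r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",),
}
SNAPSHOT_CURR = {
    r"C:\windows\system32\kernel32.dll": ("1230000", "2008-07-31 15:36", "5.1.2600.0"),
    r"C:\windows\Acrobet.dll": ("0", "2008-07-31 15:36", "3.7.1.8"),           # new DLL in C:\windows
    r"E:\SVNWorkingDir\WORK\WCW\Source\remins\Release\remins.dll": ("102400", "2008-08-05 21:09", "4.2.5.0"),  # rebuilt
    r"D:\logs\app.log": ("900", "2008-08-06 13:00", ""),                        # growing data file: expected
    RUN_KEY + r"\SynTPEnh": (r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",),
    RUN_KEY + r"\Updater": (r"C:\Users\Public\updater.exe",),                  # new autostart entry
}


@dataclass(frozen=True)
class Change:
    kind: str        # "Added", "Modified" or "Deleted"
    path: str
    registry: bool   # True for a registry value, False for a file
    critical: bool   # True when the change should raise an alert


def is_critical(path: str) -> bool:
    """Recommendations 1 and 3: critical file types, standard OS directories, Run key."""
    low = path.lower()
    if low.startswith(RUN_KEY.lower()):
        return True
    name = low.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    return ext in CRITICAL_EXTENSIONS or low.startswith(CRITICAL_DIRS)


def compare_snapshots(prev: dict, curr: dict) -> list:
    """Diff two snapshots: everything new, deleted, or with a changed fingerprint."""
    changes = []
    for path in sorted(set(prev) | set(curr)):
        if path not in prev:
            kind = "Added"
        elif path not in curr:
            kind = "Deleted"
        elif prev[path] != curr[path]:
            kind = "Modified"
        else:
            continue
        changes.append(Change(kind, path, path.startswith("HKEY_"), is_critical(path)))
    return changes


def summarize(changes: list) -> dict:
    """Counts in the shape of the paper's 'Total file changes' event."""
    counts = {"Added": 0, "Modified": 0, "Deleted": 0}
    for c in changes:
        counts[c.kind] += 1
    return counts


def alert_lines(changes: list) -> list:
    """Alert text for critical changes only; routine data-file churn is left out."""
    return [f"{'Registry Value' if c.registry else 'File'} {c.kind}: {c.path}"
            for c in changes if c.critical]


if __name__ == "__main__":
    found = compare_snapshots(SNAPSHOT_PREV, SNAPSHOT_CURR)
    print(summarize(found))
    for line in alert_lines(found):
        print(line)
```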
Event Details
Event ID | Source | Description
3233 | WhatChanged | File Added: C:\windows\Acrobet.dll Curr Snapshot Time: Wed Aug 06 14:00:08 2008 Curr Size: 0 (Bytes) Curr Creation Time: 7/31/2008 (15:36:14) Curr Version: - 3.7.1.8 Prev Snapshot Time: Tue Aug 05 17:35:03 2008
3234 | WhatChanged | File Modified: E:\SVNWorkingDir\WORK\WCW\Source\remins\Release\remins.dll Curr Snapshot Time: Wed Aug 06 14:00:08 2008 Curr Size: 102400 (Bytes) Curr Creation Time: 8/5/2008 (13:18:43) Curr Last Write Time: 8/5/2008 (21:9:26) Curr Version: 4.2.5.0 Prev Snapshot Time: Tue Aug 05 17:35:03 2008 Prev Size: 102400 (Bytes) Prev Creation Time: 8/5/2008 (13:18:43) Prev Last Write Time: 8/5/2008 (13:18:43) Prev Version: 4.2.5.0
3235 | WhatChanged | File Deleted: E:\0a0191419d9ec494c027c4\WapRes.3082.dll Curr Snapshot Time: Wed Aug 06 14:00:08 2008 Prev Snapshot Time: Tue Aug 05 17:35:03 2008 Prev Size: 102400 (Bytes) Prev Creation Time: 10/30/2006 (3:18:4) Prev Version:
3236 | WhatChanged | Total file changes between snapshots taken on Tue Aug 05 17:35:03 2008 and Wed Aug 06 14:00:08 2008: 193 Files Added: 96 Files Modified: 6 Files Deleted: 91
Event ID | Source | Description
3237 | WhatChanged | Registry Key Added: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP100 Curr Snapshot Time: Wed Aug 06 14:00:08 2008 Prev Snapshot Time: Tue Aug 05 17:35:03 2008
3238 | WhatChanged | Registry Key Modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update Value Name: UnableToDetectTime Curr Snapshot Time: Wed Aug 06 14:00:08 2008 Curr Data: 2008-08-06 07:15:08 Prev Snapshot Time: Tue Aug 05 17:35:03 2008 Prev Data: 2008-08-04 07:15:07
3239 | WhatChanged | Registry Key Deleted: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{550EEDDD-AE7A-49BC-9A38-C7168DC2456D} Value Name: (Default) Curr Snapshot Time: Wed Aug 06 14:00:08 2008 Curr Data: -Not Present- Prev Snapshot Time: Tue Aug 05 17:35:03 2008 Prev Data: SDISERVR50.SDIEVENT
3240 | WhatChanged | Total file changes between snapshots taken on Tue Aug 05 17:35:03 2008 and Wed Aug 06 14:00:08 2008: 193 Files Added: 96 Files Modified: 6 Files Deleted: 91
2. Tracking and Monitoring USB Storage Device Activities
USB storage devices like flash drives are enormous productivity enhancers. The challenges of USB devices, however, are also readily apparent. Number one is that sensitive data can easily leave the “green zone”. This can happen through an inadvertent act, such as an employee legitimately copying a file onto a USB device, then forgetting to delete it and subsequently losing the device, or through an overt act in which an employee intentionally copies sensitive material and carries it off premises. The result of both actions, however, is the same: you have sensitive data “in the wild”. There is huge potential for damage from both the “whoops” case and the outright malice of a disgruntled employee or cyber-criminal.
With USB devices being so widespread, it also becomes very difficult to exercise granular control. How do you prevent USB devices no larger than car keys from entering the premises? And with cell phones and iPods all having storage capability, what do you do: forbid those onsite as well? Doing so results in a lot of very unhappy employees who either ignore the policy or are less productive.
EventTracker tracks the insertion and removal of any USB device and also records the user and all files copied to the device. Optionally, EventTracker can maintain an approved list of USB devices and their serial numbers and block USB devices that don’t match the approved list.
Every time a USB device is inserted, the EventTracker agent checks its permission list and, if there is no violation of policy, permits access to the device while logging the insert activity. If a violation of policy is detected, access is prevented and the violation is immediately sent to the EventTracker Console. If access is permitted, EventTracker also begins to actively monitor all activity on the device, and every file that is written to or deleted from the device is recorded. A complete audit trail consisting of the user, device type, serial number, time and all file activity is captured and sent as an event to the EventTracker Console for processing and storage.
Recommendations
1. To protect your organization from outside viruses and to prevent unwanted files from being copied into your environment, allow only approved and registered USB drives where possible, and enter the serial numbers of these devices into the EventTracker agent permission list. Block any USB device whose serial number is not on the permitted list.
2. Generate an alert condition if a USB device is blocked by EventTracker.
3. Send a memo to all users stating that USB activities are being monitored for protection.
4. Schedule a report to review when, and by whom, USB drives were mounted.
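The permission-list check and audit trail described above, as an added example that is not EventTracker's own code: it parses the text of the 3238 (new drive) and 3240 (monitoring stopped, with file activity) events shown in this paper, decides permit or block against a constructed allow list of volume serial numbers (recommendation 1), and builds the who-mounted-what report of recommendation 4. The allow list and the second, unapproved insert event are constructed.

```python
import re

# Constructed allow list of approved volume serial numbers (recommendation 1).
APPROVED_SERIALS = {"761664230"}

# Constructed from the EventTracker events 3238 and 3240 shown in this paper.
EVENT_3238 = (r"Detected new drive <G:> Volume Label: Dane Volume Serial No: 761664230 "
              r"Volume ID: \\?\Volume{6b480935-5be8-11dd-93bb-00188bba1d15}\ Type: Removable-USB "
              r"File System: FAT Network Volume: No Description: Change affects physical device or drive")
EVENT_3240 = (r"USB Monitoring stopped for G:\ Volume Label: Dane Volume Serial No: 761664230 "
              r"Volume ID: \\?\Volume{6b480935-5be8-11dd-93bb-00188bba1d15}\ Type: Removable "
              r"File System: FAT Console User: LEMONYELLOW\jagat Active Users: PRISMUSA\Jagat "
              r"Added ETshows.xls 08/25/2008 12:52:42 PM (Active Users: PRISMUSA\Jagat) "
              r"Added requirement.xlsx 08/25/2008 12:52:42 PM (Active Users: PRISMUSA\Jagat) "
              r"Added scalability.doc 08/25/2008 12:52:42 PM (Active Users: PRISMUSA\Jagat)")
# Constructed second insert using the serial number of the drive shown blocked in event 3242.
EVENT_UNAPPROVED = EVENT_3238.replace("<G:>", "<H:>").replace("761664230", "1918040687")

NEW_DRIVE_RE = re.compile(
    r"Detected new drive <(?P<drive>[A-Z]:)>.*?Volume Serial No: (?P<serial>\d+).*?Type: (?P<type>\S+)")
FILE_RE = re.compile(
    r"(?P<action>Added|Deleted) (?P<name>\S+) "
    r"(?P<when>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \(Active Users: (?P<user>[^)]+)\)")


def evaluate_insert(description, approved=APPROVED_SERIALS):
    """Permit only approved serial numbers; returns the decision the agent would
    log, or None when the text is not a new-drive event."""
    m = NEW_DRIVE_RE.search(description)
    if not m:
        return None
    serial = m.group("serial")
    return {"drive": m.group("drive"), "serial": serial, "type": m.group("type"),
            "action": "permit" if serial in approved else "block"}


def file_activity(description):
    """Audit trail from a monitoring-stopped event: action, file, time and user."""
    return [m.groupdict() for m in FILE_RE.finditer(description)]


def audit_report(descriptions):
    """Recommendation 4: which devices were mounted or blocked, and which files went onto them."""
    report = {"mounted": [], "blocked": [], "files": []}
    for text in descriptions:
        decision = evaluate_insert(text)
        if decision:
            report["mounted" if decision["action"] == "permit" else "blocked"].append(decision["serial"])
        report["files"].extend(file_activity(text))
    return report


if __name__ == "__main__":
    print(audit_report([EVENT_3238, EVENT_3240, EVENT_UNAPPROVED]))
```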
Event ID | Source | Description
3238 | EventTracker | Detected new drive <G:> Volume Label: Dane Volume Serial No: 761664230 Volume ID: \\?\Volume{6b480935-5be8-11dd-93bb-00188bba1d15}\ Type: Removable-USB File System: FAT Network Volume: No Description: Change affects physical device or drive
3239 | EventTracker | USB Monitoring started for G:\ Volume Label: Dane Volume Serial No: 761664230 Volume ID: \\?\Volume{6b480935-5be8-11dd-93bb-00188bba1d15}\ Type: Removable File System: FAT Console User: LEMONYELLOW\jagat Active Users: PRISMUSA\Jagat
3240 | EventTracker | USB Monitoring stopped for G:\ Volume Label: Dane Volume Serial No: 761664230 Volume ID: \\?\Volume{6b480935-5be8-11dd-93bb-00188bba1d15}\ Type: Removable File System: FAT Console User: LEMONYELLOW\jagat Active Users: PRISMUSA\Jagat Added ETshows.xls 08/25/2008 12:52:42 PM (Active Users: PRISMUSA\Jagat) Added requirement.xlsx 08/25/2008 12:52:42 PM (Active Users: PRISMUSA\Jagat) Added scalability.doc 08/25/2008 12:52:42 PM (Active Users: PRISMUSA\Jagat)
Event ID | Source | Description
3242 | EventTracker | Media drive <H:> is disabled by EventTracker. Please contact your system administrator. Volume Label: PNPL1 Volume Serial No: 1918040687 Volume ID: \\?\Volume{bf4b109d-44f2-11dd-b2fb-00148549755f}\ Type: Removable File System: FAT32 Network Volume: No Description: Change affects physical device or drive.
3229 | EventTracker | Drive <G:> removed. Type: N/A Network Volume: No Description: Change affects physical device or drive.
Sample Reports #1: USB Activity Report by Machine
Sample Reports # 2: Summary Report
3. Consolidation and Tracking of Application Specific Log Files
There are thousands of third-party applications, custom applications and scripts that are mission critical for businesses but do not write to the Windows Event Log and instead keep application-specific logs. These include some Microsoft applications as well. Monitoring these log files is a best practice in order to detect critical conditions that may impact your operations and compromise your security.
EventTracker can be configured to monitor any type of log file you may want to monitor and consolidate.
You can either monitor and aggregate all these log files automatically into the EventTracker archive or
monitor for selective entries in a log file, in real time, which match user defined criteria. If certain error or
failure entries are detected, you can be immediately alerted.
Event Details
Event ID | Source | Description
3230 | EventTracker | Desc: FILE: <File Name> \r\n TYPE: <File Type> \r\n FIELD: <Search String> \r\n ENTRY: <Record Found> \r\n
4. Tracking Enterprise Wide Disk Space Usage and Trending
Monitoring and managing disk space usage is a challenge for many organizations, and system administrators end up spending significant time on this mundane but important task. Daily or weekly availability and trending reports are critical to Operations as well as to Security. It is important to monitor the amount of available storage space not only to manage disk resources efficiently, but also because programs might fail due to an inability to allocate space. In addition, low disk space might make it impossible for a system’s paging file to grow to support virtual memory.
EventTracker continuously monitors disk thresholds for systems and can generate, for example, a real-
time alert if disk space of a critical server falls below 40% availability. Each system also generates an event
notifying daily disk usage and trends and EventTracker provides a number of preconfigured reports for
enterprise-wide disk usage.
Recommendations
1. Generate an alert condition when your critical disk has crossed the 90% threshold.
2. Generate an alert condition when the variation of disk usage compared to the previous day is high.
3. Generate daily/weekly reports to analyze disk space availability, usage and trends.
Event ID | Source | Description
3232 | EventTracker | System - SQLA Disk space availability Drive C:, Disk Size: 20000 MB, Free: 10980 MB, Free(in percent): 54 Drive D:, Disk Size: 76316 MB, Free: 58921 MB, Free(in percent): 77 Drive E:, Disk Size: 18161 MB, Free: 5109 MB, Free(in percent): 28 Drive G:, Disk Size: 38475 MB, Free: 3482 MB, Free(in percent): 9 Drive H:, Disk Size: 199996 MB, Free: 7782 MB, Free(in percent): 3
3201 | EventTracker | System –Webserver51 Detected free space in drive C: is less than 20 percent. Drive: C: Disk Size: 14999 MB Free: 358 MB Free(in percent): 2 percent
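Recommendations 1 and 2 applied to the daily 3232 event above, as an added example that is not EventTracker's own code: the per-drive fields are parsed out of the event description, drives at or above 90% used are flagged, and a constructed previous-day event (identical except that G: still had 9000 MB free) is compared with today's to catch a large day-over-day swing. The 5-point variation limit and the previous-day figures are assumptions.

```python
import re

DRIVE_RE = re.compile(
    r"Drive (?P<drive>[A-Z]:), Disk Size: (?P<size>\d+) MB, Free: (?P<free>\d+) MB, "
    r"Free\(in percent\): (?P<pct>\d+)")

# Constructed from the event 3232 description shown in this paper (system SQLA).
EVENT_3232_TODAY = (
    "System - SQLA Disk space availability "
    "Drive C:, Disk Size: 20000 MB, Free: 10980 MB, Free(in percent): 54 "
    "Drive D:, Disk Size: 76316 MB, Free: 58921 MB, Free(in percent): 77 "
    "Drive E:, Disk Size: 18161 MB, Free: 5109 MB, Free(in percent): 28 "
    "Drive G:, Disk Size: 38475 MB, Free: 3482 MB, Free(in percent): 9 "
    "Drive H:, Disk Size: 199996 MB, Free: 7782 MB, Free(in percent): 3")
# Constructed previous-day event: identical except that G: still had 9000 MB free.
EVENT_3232_YESTERDAY = EVENT_3232_TODAY.replace(
    "Free: 3482 MB, Free(in percent): 9", "Free: 9000 MB, Free(in percent): 23")


def parse_disk_event(description):
    """Return {drive: (size_mb, free_mb)} from a 3232 description."""
    return {m.group("drive"): (int(m.group("size")), int(m.group("free")))
            for m in DRIVE_RE.finditer(description)}


def used_percent(size_mb, free_mb):
    """Used share computed from the MB figures rather than the rounded percent field."""
    return 100.0 * (size_mb - free_mb) / size_mb


def over_threshold(drives, used_limit=90.0):
    """Recommendation 1: drives at or above the 90% used threshold."""
    return sorted(d for d, (size, free) in drives.items()
                  if used_percent(size, free) >= used_limit)


def high_variation(prev, curr, max_delta_points=5.0):
    """Recommendation 2: drives whose used share moved more than max_delta_points
    since the previous day's event, in either direction."""
    flagged = []
    for drive, (size, free) in curr.items():
        if drive in prev:
            psize, pfree = prev[drive]
            if abs(used_percent(size, free) - used_percent(psize, pfree)) > max_delta_points:
                flagged.append(drive)
    return sorted(flagged)


if __name__ == "__main__":
    today = parse_disk_event(EVENT_3232_TODAY)
    yesterday = parse_disk_event(EVENT_3232_YESTERDAY)
    print("over 90% used:", over_threshold(today))
    print("large day-over-day change:", high_variation(yesterday, today))
```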
Sample Reports # 1
Sample Reports # 2
5. Network Connection Monitoring
Monitoring network connections is an easy method to improve performance, understand system usage
and to address security threats. In many cases it is unknown network users and applications that impact
performance of critical servers, and when a machine is compromised it generally begins to communicate
information to the outside world. By monitoring ports, applications and processes within a server for
patterns of access by both remote connections and users communicating to the outside world, new or
unusual activity can be detected for an early warning sign that something is not right.
EventTracker continuously monitors and tracks all inbound as well as outbound TCP/UDP connections. The EventTracker Agent generates an event whenever a new connection is created or an existing one is deleted. EventTracker also maintains a list of suspicious network activities, such as activity on a non-typical port number, and a blacklist and/or whitelist of unacceptable or acceptable connections. EventTracker can also take automatic remedial action to terminate the connection if your rule set indicates that the connection source is not in your whitelist or is part of your blacklist.
Recommendations
1. Generate a daily report on all incoming connections to all ports, sorted by incoming IP address. An optional prevention approach is to immediately terminate the process or generate an alert condition if the IP address is not in your trusted list.
2. Generate a profile of users accessing certain ports or applications; for instance, what is the average connection time?
3. Generate a daily report of the 50 top web sites visited by your company.
4. Generate a top-ten list of the applications a user is connecting to.
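The trusted-list and non-typical-port checks from the paragraph and recommendation 1 above, as an added example that is not EventTracker's own code: it parses the socket CREATED/MODIFIED/DELETED event descriptions shown in this paper into fields, classifies each TCP peer against a constructed trusted list and a constructed set of expected ports, and rolls the results into the per-peer daily summary. The trusted hosts, the port set and the verdict names are assumptions.

```python
import re

KEYS = ["Type", "Status", "Local Address", "Local Port", "Remote Address", "Remote Port",
        "Connection State", "New Connection States", "Connection active time",
        "Last known Connection State", "Process ID", "Process Name", "Image File Name"]
_KEY_ALT = "|".join(re.escape(k) for k in KEYS)
# A value runs until the next known key or the end of the description.
FIELD_RE = re.compile(rf"(?P<key>{_KEY_ALT}): (?P<value>.*?)(?= (?:{_KEY_ALT}): |$)")

# Constructed from the socket events shown in this paper.
EVENT_3223 = (r"Socket CREATED: Type: TCP Status: New Local Address: ISA.Isatest.local Local Port: 21953 "
              r"Remote Address: KAH Remote Port: 1558 Connection State: TIME_WAIT Process ID: 0 "
              r"Process Name: [System Process] Image File Name: C:\Program Files\Microsoft ISA Server\wspsrv.exe")
EVENT_3224 = ("Socket MODIFIED: Type: TCP Status: Changed Local Address: ISA.Isatest.local Local Port: 60940 "
              "Remote Address: RR.PMTPA.WIKIMEDIA.ORG Remote Port: 80 (http) New Connection States: CLOSE_WAIT")
EVENT_3225 = (r"Socket DELETED: Type: TCP Status: Deleted Local Address: MICKEY.Toons.local Local Port: 4187 "
              r"Remote Address: WEBDOC1.TOONS.LOCAL Remote Port: 445 (microsoft-ds) Connection active time: 438 secs "
              r"Last known Connection State: ESTAB Process ID: 4 Process Name: System "
              r"Image File Name: C:\WINDOWS\system32\lsass.exe")
EVENT_3226 = (r"Socket CREATED: Type: UDP Status: New Local Address: MICKEY Local Port: 4500 (ipsec-msft) "
              r"Process ID: 436 Process Name: lsass.exe Image File Name: C:\WINDOWS\system32\lsass.exe")

TRUSTED_REMOTES = {"WEBDOC1.TOONS.LOCAL"}            # constructed trusted list (recommendation 1)
TYPICAL_PORTS = {25, 53, 80, 389, 443, 445, 636}     # constructed set of ports expected from this host


def parse_socket_event(description):
    """Turn a Socket CREATED/MODIFIED/DELETED description into a dict of its fields."""
    rec = {"event": description.split(":", 1)[0].replace("Socket ", "")}
    for m in FIELD_RE.finditer(description):
        rec[m.group("key")] = m.group("value")
    for port in ("Local Port", "Remote Port"):
        if port in rec:
            rec[port] = int(rec[port].split()[0])      # "80 (http)" -> 80
    return rec


def classify(rec):
    """Trusted peers pass; untrusted peers on a non-typical port are suspicious.
    UDP events in this paper carry no remote peer and are reported as local."""
    if rec.get("Type") != "TCP" or "Remote Address" not in rec:
        return "local"
    if rec["Remote Address"].upper() in TRUSTED_REMOTES:
        return "trusted"
    if rec["Remote Port"] in TYPICAL_PORTS:
        return "typical"
    return "suspicious"


def daily_summary(descriptions):
    """Per-peer connection counts, ports and verdict: the shape of the daily report."""
    summary = {}
    for text in descriptions:
        rec = parse_socket_event(text)
        if "Remote Address" in rec:
            entry = summary.setdefault(rec["Remote Address"],
                                       {"connections": 0, "ports": set(), "verdict": classify(rec)})
            entry["connections"] += 1
            entry["ports"].add(rec["Remote Port"])
    return summary


if __name__ == "__main__":
    for peer, info in daily_summary([EVENT_3223, EVENT_3224, EVENT_3225, EVENT_3226]).items():
        print(peer, info)
```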
Event Details
Event ID | Source | Description
3223 | EventTracker | Socket CREATED: Type: TCP Status: New Local Address: ISA.Isatest.local Local Port: 21953 Remote Address: KAH Remote Port: 1558 Connection State: TIME_WAIT Process ID: 0 Process Name: [System Process] Image File Name: C:\Program Files\Microsoft ISA Server\wspsrv.exe
3224 | EventTracker | Socket MODIFIED: Type: TCP Status: Changed Local Address: ISA.Isatest.local Local Port: 60940 Remote Address: RR.PMTPA.WIKIMEDIA.ORG Remote Port: 80 (http) New Connection States: CLOSE_WAIT
3225 | EventTracker | Socket DELETED: Type: TCP Status: Deleted Local Address: MICKEY.Toons.local Local Port: 4187 Remote Address: WEBDOC1.TOONS.LOCAL Remote Port: 445 (microsoft-ds) Connection active time: 438 secs Last known Connection State: ESTAB Process ID: 4 Process Name: System Image File Name: C:\WINDOWS\system32\lsass.exe
Event ID | Source | Description
3226 | EventTracker | Socket CREATED: Type: UDP Status: New Local Address: MICKEY Local Port: 4500 (ipsec-msft) Process ID: 436 Process Name: lsass.exe Image File Name: C:\WINDOWS\system32\lsass.exe
3227 | EventTracker | Socket DELETED: Type: UDP Status: Deleted Local Address: MICKEY Local Port: 4416 Connection active time: 216 secs Process ID: 3396 Process Name: UserActivity.exe Image File Name: D:\WORK\products\etmgr-win-v6-x\bin\UserActivity.exe
Sample Reports # 1
6. Hot-fix Install Monitoring
Many corporate desktops and servers are compromised for a simple preventable reason – they have not
been updated to the latest version of Operating System, Anti-virus and applications like Office that provide
the execution environment for malware. Being able to easily identify and report hot-fix levels on all the
resources in the enterprise is a simple yet powerful method to help avoid costly downtime or loss of critical
corporate data.
EventTracker Agents report on all current Anti-virus, Operating System and Office hot-fix levels. Reports can be run on single machines as well as groups of machines, and provide a way for operations and security staff to quickly ascertain which machines are at risk of compromise.
Recommendations
1. Generate a weekly report on all machines to confirm hot-fix installations.
2. If a critical hot-fix is released, use EventTracker to generate an on-demand report to verify all machines have been updated.
Sample Reports #1
7. Application Usage Tracking
Even a mid-size organization potentially has thousands of users and workstations in its enterprise. It is critical that an organization knows what applications are run by its users. This enables security and operations personnel to identify and track users as they download and run random or unlicensed applications on computers and expose the company to both security and legal risks.
EventTracker monitors the start and stop of every program on each system. It facilitates easier license
tracking, capacity planning, software usage matrix generation, and security monitoring.
Event Details
Event ID | Source | Description
3221 | EventTracker | App Open: Exe: EXCEL.EXE Name: Microsoft Office 2000 Description: EXCEL.EXE Version: 9.0.2719 Vendor: Microsoft Corporation PID: 7840
3222 | EventTracker | App Close: Exe: MSDEV.EXE Name: Microsoft (R) Visual Studio PID: 3800
Sample Report #1 – Daily application usage by each computer
Sample Report #2 – Application usage summary by each user
8. Monitoring and Tracking of Software Installs/Uninstalls
If software is installed or uninstalled on a production server without a formal review process, it represents not only a service availability risk but also a potentially serious security threat for your organization. In addition, unapproved and unlicensed software can be a legal and security nightmare on both workstations and servers. In spite of best practices and intentions, most organizations cannot reliably track software installs and uninstalls on either critical servers or workstations over time.
EventTracker actively monitors all software installs and uninstalls for real-time alerting as well as reporting and analysis. EventTracker also helps in documenting what hot-fixes and patches are added to or removed from your environment.
Recommendations
1. Generate an alert condition to notify whenever new software is installed or uninstalled on a server. If you get an alert from a mission critical server, generate a report on what files have been added or deleted as a result of these installs or uninstalls.
2. Schedule a weekly report of all software installs and uninstalls on all servers and workstations, and review them for out-of-the-ordinary installations or license violations.
Event Details
Event ID | Source | Description
3208 | EventTracker | Detected software <Microsoft Visual Studio 6.0 Enterprise Edition> has been installed on this system. Name: Microsoft Visual Studio 6.0 Enterprise Edition
3209 | EventTracker | Detected software <EventTracker> has been uninstalled from this system. Name: EventTracker
Sample Report #1
9. Monitoring and Tracking of Critical Services
Services are a key foundation for running applications within the Windows architecture, and some critical applications appear to the user as nothing but a Windows Service. These Windows Services must be running for the application to be available. If a key service dies, your application becomes unavailable. If an antivirus service dies, for example, it opens a hole in your security.
EventTracker continuously monitors all services. If a service starts up or goes down, an event is generated
in real-time and you can be notified, and if a critical service terminates it can be restarted automatically
by EventTracker. EventTracker provides a real-time dashboard to review the status of all critical services
and for Service Level Agreement (SLA) monitoring. A number of preconfigured reports are included with
EventTracker to review overall availability of critical services.
Recommendations
1. Generate an alert condition if a critical service dies. If the service is mission critical, configure EventTracker to restart the service automatically.
2. Generate an alert condition if a new service starts on your critical systems.
3. Generate a daily report of service down-time and share it with the IT department for management of service level agreements (SLA).
Event Details
Event ID | Source | Description
3202 | EventTracker | Detected Service <VNC Server> is not running. Name: VNC Server Type: Service
3203 | EventTracker | Detected %s <%s> was restarted successfully. \r\n\tName: %s \r\n\tType: %s
3204 | EventTracker | Detected Service <WcwService> could not be restarted. Name: WcwService Type: Service
Sample Report #1 - Service down time report sorted by computer
10. Runaway CPU and Memory Processes
Runaway processes are programs, services or user scripts which go haywire, generally due to a software design problem, and start consuming excessive amounts of CPU or memory. A user is typically unaware when this happens until performance of the entire machine becomes highly degraded, and often the end result is a hung system and a necessary reboot. Quick identification of these runaway processes is vital for the performance and availability of Windows servers and workstations.
EventTracker enables the definition of acceptable CPU and memory thresholds for any Windows process.
The EventTracker Agent then continuously monitors all running processes in the system. If it detects a
process that exceeds its defined thresholds it generates an event in real-time and notifies you. Generally,
a runaway process needs to be terminated to free up critical resources. If configured, EventTracker can
also take automatic remedial actions such as terminating and restarting a runaway process to immediately
free up critical resources.
Recommendations
Set up the following critical alert conditions that notify system administrators in real-time when:
1. CPU utilization of a system consistently remains higher than 85%.
2. Memory utilization of a system consistently remains higher than 90%.
3. Any process consumes more than 80% of CPU for an extended period. Consider launching a remedial action to terminate the process automatically if this occurs frequently.
4. Any process consumes more than 250MB of memory. For repeat offenders, launch automatic remedial action to terminate the process.
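The "consistently" and "for an extended period" conditions above, as an added example that is not EventTracker's own code: a detector that alerts only when every sample in a window (180 seconds at a constructed 30-second sampling interval, matching the "for last 180 seconds" wording of events 3206 and 3207) is above the limit, reports back-to-normal when the metric first drops (events 3215 to 3220), and counts repeat offenders for the escalation in recommendations 3 and 4. The sample series, the sampling interval and the repeat-offender count are assumptions.

```python
class SustainedThreshold:
    """Alerts once a metric stays above `limit` for `window_secs` (every sample in the
    window above the limit); reports back-to-normal when it first drops below."""

    def __init__(self, limit, window_secs, interval_secs):
        self.limit = limit
        self.needed = max(1, window_secs // interval_secs)   # consecutive samples required
        self.streak = 0
        self.tripped = False

    def feed(self, value):
        """Return "alert", "normal" or None for one sample."""
        if value > self.limit:
            self.streak += 1
            if not self.tripped and self.streak >= self.needed:
                self.tripped = True
                return "alert"
            return None
        self.streak = 0            # a single normal sample breaks the run
        if self.tripped:
            self.tripped = False
            return "normal"
        return None


def evaluate_series(samples, limit, window_secs=180, interval_secs=30):
    """Run the detector over evenly spaced samples; returns (seconds, state, value)."""
    detector = SustainedThreshold(limit, window_secs, interval_secs)
    events = []
    for i, value in enumerate(samples):
        state = detector.feed(value)
        if state:
            events.append((i * interval_secs, state, value))
    return events


def escalate(history, process, max_alerts=2):
    """Recommendations 3 and 4: count alerts per process; True once the process is a
    repeat offender and automatic termination should be considered."""
    history[process] = history.get(process, 0) + 1
    return history[process] >= max_alerts


# Constructed per-process CPU samples (%) at 30-second intervals: a short spike that
# must not alert, then a sustained run above the 80% limit that must.
CPU_SAMPLES = [95, 10, 10, 85, 90, 90, 90, 90, 90, 90, 95, 20, 20]
# Constructed per-process working-set samples (MB) against the 250 MB limit.
MEM_SAMPLES = [120, 260, 270, 280, 300, 300, 310, 320, 330, 240]


if __name__ == "__main__":
    print("cpu:", evaluate_series(CPU_SAMPLES, limit=80))
    print("mem:", evaluate_series(MEM_SAMPLES, limit=250))
```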
Event ID | Source | Description
3206 | EventTracker | Detected High Memory Usage. More than 50 percent in use for last 180 seconds. Peak Memory: 52 percent Total Physical: 1015 MB Total Paging: 2446 MB Avail Physical: 486 MB Avail Paging: 1985 MB
3207 | EventTracker | Detected High CPU Usage. More than 80 percent in use for last 180 seconds. System CPU Usage: 98 % Process Name: ntiis.exe Process CPU Usage: 60 %.
Event ID | Source | Description
3215 | EventTracker | Detected Memory usage is back to below configured threshold limit. Peak Memory: 44 percent Total Physical: 1015 MB Total Paging: 0 MB Avail Physical: 2446 MB Avail Paging: 0 MB
3216 | EventTracker | Detected CPU usage is back to below configured threshold limit. \r\n\tCPU Usage: %d percent.
3217 | EventTracker | Process <devenv.exe> has crossed the memory usage limit. Process: devenv.exe Limit: 150 MB Actual: 222 MB PID: 333
3218 | EventTracker | Process <IDriver.exe> has crossed the CPU usage limit. Process: IDriver.exe Limit: 60 % Actual: 94 % Total CPU Usage: 143 Seconds. PID: 333
3219 | EventTracker | Memory usage of process <googleearth.exe> is now normal and below the usage limit. Process: googleearth.exe Limit: 60 MB Actual: 35 MB
3220 | EventTracker | CPU Usage of process <%s> is now normal and below the usage limit. \r\n\tProcess: %s \r\n\tLimit: %d %% \r\n\tActual: %d %%
Sample Report #1 – Show the system CPU problem incidents
Sample Report #2 – This report indicates the processes with excessive memory consumption
The EventTracker Solution
The EventTracker solution is a scalable, enterprise-class Security Information and Event Management (SIEM) solution for Windows systems, Syslog/Syslog-NG (UNIX and many networking devices), SNMP V1/2, legacy systems, applications and databases. EventTracker enables “defense in depth”, where log data is automatically collected, correlated and analyzed from the perimeter security devices down to the applications and databases. To prevent security breaches, Event Log data becomes most useful when interpreted in near real time and in context. Context is vitally important because often the critical indications of impending problems and security violations can only be learned by watching patterns of events across multiple systems. Complex rules can be run on the event stream to detect signs of such a breach. EventTracker also provides real-time alerting in the form of an email, page or SNMP message to proactively alert security personnel to an impending security breach.
The original Event Log data is also securely stored in a highly compressed event repository for compliance purposes and later forensic analysis. For compliance, EventTracker provides a powerful reporting interface, scheduled or on-demand report generation, automated compliance workflows that prove to auditors that reports are being reviewed, and many other features. With pre-built auditor-grade reports included for most of the compliance standards (FISMA, HIPAA, SOX, GLBA and NISPOM), EventTracker represents a compliance solution that is second to none. EventTracker also provides advanced forensic capability: all the stored logs can be quickly searched through a powerful Google-like search interface to perform quick problem determination.
EventTracker lets users completely meet the logging requirements specified in NIST SP 800-92 Guide To
Computer Security Log Management, and additionally provides Host Based Intrusion Detection, Change
monitoring and USB activity tracking on Windows systems, all in an off the shelf, affordable, software
solution.
EventTracker provides the following benefits:
- A highly scalable, component-based architecture that consolidates all Windows, SNMP V1/V2, legacy platforms, Syslog received from routers, switches, firewalls, critical UNIX servers (RedHat Linux, Solaris, AIX etc.), Solaris BSM, workstations and various other SYSLOG generating devices.
- Automated archival mechanism that stores activities over an extended period to meet auditing requirements. The complete log is stored in a highly compressed (>90%), secured archive that is limited only by the amount of disk storage.
- Real-time monitoring and parsing of all logs to analyze user activities such as logon failures and failed attempts to access restricted information.
- Alerting interface that generates custom alert actions via email, pager, beep, console message, etc.
- Event correlation modules to constantly monitor for malicious hacking activity. In conjunction with alerts, this is used to inform network security officers and security administrators in real time. This helps minimize the impact of breaches.
- Various types of network activity reports, which can be scheduled or generated as required for any investigation or for meeting audit compliance.
- Host-based Intrusion Detection (HIDS).
- Role-based, secure event and reporting console for data analysis.
- Change Monitoring on Windows machines.
- USB Tracking, including restricted use, insert/removal recording, and a complete audit trail of all files copied to the removable device.
- Built-in compliance workflows to allow inspection and annotation of the generated reports.
About EventTracker
EventTracker’s advanced security solutions protect enterprises and small businesses from data breaches
and insider fraud, and streamline regulatory compliance. The company’s EventTracker platform comprises
SIEM, vulnerability scanning, intrusion detection, behavior analytics, a honeynet deception network and
other defense in-depth capabilities within a single management platform. The company complements its
state-of-the-art technology with 24/7 managed services from its global security operations center (SOC)
to ensure its customers achieve desired outcomes—safer networks, better endpoint security, earlier
detection of intrusion, and relevant and specific threat intelligence. The company serves the retail,
hospitality, healthcare, legal, banking and financial services, utilities and government sectors.
EventTracker is a division of Netsurion, a leader in remotely-managed IT security services that protect
multi-location businesses’ information, payment systems and on-premise public and private Wi-Fi
networks. www.eventtracker.com.