Security Beyond the Windows Event Log
Monitoring Ten Critical Conditions

White Paper

Abstract

Monitoring the Windows Event Log is critical because the operating system continuously records security, system and application events there. Monitoring the Event Log alone, however, is not enough, because many important conditions in Windows are never written to it. The following are the ten most critical security conditions that the Windows operating system neither monitors nor logs in the Event Log. These conditions matter for any enterprise, large or small.

This technical white paper describes each condition, gives recommendations and details how EventTracker can help. The ten conditions are:

1. Tracking Operating System, File and Registry Changes
2. Tracking and Monitoring USB Device Activity
3. Consolidation and Tracking of Application-Specific Log Files
4. Tracking Enterprise-Wide Disk Space Usage and Trending
5. Network Connection Monitoring
6. Hot-fix Install Monitoring
7. Application Usage Tracking
8. Monitoring and Tracking of Software Installs/Uninstalls
9. Monitoring and Tracking of Critical Services
10. Runaway CPU and Memory Processes

Following the recommendations in this white paper will make your organization more secure and reduce the operational impact of unplanned outages.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2017 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

1. Tracking Operating System, File and Registry Changes

On an enterprise's critical production servers nothing should change without review and approval other than data files, log files and error files. Anything else is an unauthorized or unwanted change, and the system configuration itself must also be protected. In most cases native Windows object-access auditing is not a suitable answer, because turning on auditing for the whole file system and registry generates a very large event volume and substantially impacts server performance. Any Windows desktop or server can contain hundreds of thousands of files and half a million registry values.

Monitoring changes to the file system and the registry is an invaluable way to improve corporate security. An unauthorized software install, or the introduction of a virus or worm, changes the file or registry structure, and this change, especially in the case of a virus or worm, is often the only clue an administrator has that something has happened on the system.

EventTracker's Change Management module takes a periodic snapshot of the operating system, files and registry. These snapshots are kept in a browsable view, and any two can be compared to quickly list everything that is new, deleted or changed. In addition, alerts can be configured to proactively notify personnel when critical files change.

EventTracker lets you monitor and manage changes to all Windows systems from a central console. It enables you to quickly define policies that make sense for your organization, so that it monitors and alerts on unauthorized or suspicious changes to your critical applications, services, registry entries or files.

Recommendations

1. Minimize the security risk from both authorized and unauthorized changes by monitoring for any change to critical files such as EXEs, DLLs, drivers and INI files.

2. Generate a daily report of files added, modified or deleted on the system, especially under standard operating system directories such as C:\Windows and C:\Program Files.

3. Generate an alert when anything changes in the Windows startup sequence. This is critical because many serious viruses alter the startup entries in the registry so that a new, unknown EXE is launched at boot, or a program carrying a virus is renamed to look like a valid program. Windows starts every program listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run when the system boots. It is critical to monitor all changes to this key, and to its per-user counterpart under HKEY_CURRENT_USER and the RunOnce variants, which serve the same purpose.

4. Monitor share changes. Unplanned or unauthorized additions, deletions or modifications to shared folder settings can open a security hole.

5. Generate an alert if an environment variable changes in your Windows settings.

6. Generate an alert for any hardware change on any system.

Event Details

Event ID  Source       Description

3233      WhatChanged  File Added: C:\windows\Acrobet.dll
                       Curr Snapshot Time: Wed Aug 06 14:00:08 2008  Curr Size: 0 (Bytes)  Curr Creation Time: 7/31/2008 (15:36:14)  Curr Version: - 3.7.1.8
                       Prev Snapshot Time: Tue Aug 05 17:35:03 2008

3234      WhatChanged  File Modified: E:\SVNWorkingDir\WORK\WCW\Source\remins\Release\remins.dll
                       Curr Snapshot Time: Wed Aug 06 14:00:08 2008  Curr Size: 102400 (Bytes)  Curr Creation Time: 8/5/2008 (13:18:43)  Curr Last Write Time: 8/5/2008 (21:9:26)  Curr Version: 4.2.5.0
                       Prev Snapshot Time: Tue Aug 05 17:35:03 2008  Prev Size: 102400 (Bytes)  Prev Creation Time: 8/5/2008 (13:18:43)  Prev Last Write Time: 8/5/2008 (13:18:43)  Prev Version: 4.2.5.0

3235      WhatChanged  File Deleted: E:\0a0191419d9ec494c027c4\WapRes.3082.dll
                       Curr Snapshot Time: Wed Aug 06 14:00:08 2008
                       Prev Snapshot Time: Tue Aug 05 17:35:03 2008  Prev Size: 102400 (Bytes)  Prev Creation Time: 10/30/2006 (3:18:4)  Prev Version:

3236      WhatChanged  Total file changes between snapshots taken on Tue Aug 05 17:35:03 2008 and Wed Aug 06 14:00:08 2008: 193
                       Files Added: 96  Files Modified: 6  Files Deleted: 91

3237      WhatChanged  Registry Key Added: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP100
                       Curr Snapshot Time: Wed Aug 06 14:00:08 2008
                       Prev Snapshot Time: Tue Aug 05 17:35:03 2008

3238      WhatChanged  Registry Key Modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
                       Value Name: UnableToDetectTime
                       Curr Snapshot Time: Wed Aug 06 14:00:08 2008  Curr Data: 2008-08-06 07:15:08
                       Prev Snapshot Time: Tue Aug 05 17:35:03 2008  Prev Data: 2008-08-04 07:15:07

3239      WhatChanged  Registry Key Deleted: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{550EEDDD-AE7A-49BC-9A38-C7168DC2456D}
                       Value Name: (Default)
                       Curr Snapshot Time: Wed Aug 06 14:00:08 2008  Curr Data: -Not Present-
                       Prev Snapshot Time: Tue Aug 05 17:35:03 2008  Prev Data: SDISERVR50.SDIEVENT

3240      WhatChanged  Total file changes between snapshots taken on Tue Aug 05 17:35:03 2008 and Wed Aug 06 14:00:08 2008: 193
                       Files Added: 96  Files Modified: 6  Files Deleted: 91
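The snapshot-and-compare approach described above, written out as an added example (this is illustrative code, not EventTracker's Change Management module). A snapshot is a plain mapping of path to attributes, so the same compare() serves a file tree, a registry export and, for condition 8 below, an installed-software inventory. The two snapshots, the hash placeholders and the critical-path rules are constructed for the example; the rules follow recommendations 1 to 3 (executables and drivers, the Windows and Program Files trees, and the Run key).

```python
"""Snapshot-and-compare change detection (condition 1).  Added example,
not EventTracker code.  Snapshots below are constructed; "sha256" values
are abbreviated placeholders, not real digests."""
from dataclasses import dataclass, field
from typing import List, Mapping, Tuple

Snapshot = Mapping[str, Mapping[str, object]]


@dataclass
class Change:
    kind: str            # "added" | "modified" | "deleted"
    path: str
    before: Mapping[str, object] = field(default_factory=dict)
    after: Mapping[str, object] = field(default_factory=dict)


def compare(prev: Snapshot, curr: Snapshot) -> List[Change]:
    """Everything new, deleted or changed between two snapshots.
    Any attribute difference counts, so a DLL swapped for one of the same
    size and version still shows up because its hash differs."""
    changes: List[Change] = []
    for path in sorted(set(prev) | set(curr), key=str.lower):
        if path not in prev:
            changes.append(Change("added", path, after=curr[path]))
        elif path not in curr:
            changes.append(Change("deleted", path, before=prev[path]))
        elif prev[path] != curr[path]:
            changes.append(Change("modified", path, prev[path], curr[path]))
    return changes


# Paths and extensions whose every change should alert (recommendations 1-3).
# Matching is case-insensitive, as NTFS and the registry are.
CRITICAL_PREFIXES = (
    "hklm\\software\\microsoft\\windows\\currentversion\\run",  # also covers RunOnce
    "c:\\windows\\",
    "c:\\program files\\",
)
CRITICAL_EXTENSIONS = (".exe", ".dll", ".sys", ".ini")


def is_critical(path: str) -> bool:
    p = path.lower()
    return p.startswith(CRITICAL_PREFIXES) or p.endswith(CRITICAL_EXTENSIONS)


def triage(changes: List[Change]) -> Tuple[List[Change], List[Change]]:
    """Split into (alert immediately, hold for the daily report)."""
    alerts = [c for c in changes if is_critical(c.path)]
    report = [c for c in changes if not is_critical(c.path)]
    return alerts, report


# Constructed snapshots.  Registry values live under a pseudo-path so one
# snapshot covers files and registry together.
RUN_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
PREV: Snapshot = {
    "C:\\Windows\\System32\\drivers\\etc\\hosts": {"size": 824, "sha256": "aa..01"},
    "E:\\SVNWorkingDir\\remins.dll": {"size": 102400, "version": "4.2.5.0", "sha256": "bb..02"},
    RUN_KEY + "SecurityHealth": {"data": "%windir%\\system32\\SecurityHealthSystray.exe"},
    "D:\\data\\export-0805.csv": {"size": 5120, "sha256": "cc..03"},
}
CURR: Snapshot = {
    "C:\\Windows\\System32\\drivers\\etc\\hosts": {"size": 824, "sha256": "aa..01"},
    "E:\\SVNWorkingDir\\remins.dll": {"size": 102400, "version": "4.2.5.0", "sha256": "bb..99"},
    RUN_KEY + "SecurityHealth": {"data": "%windir%\\system32\\SecurityHealthSystray.exe"},
    RUN_KEY + "Updater": {"data": "C:\\Users\\Public\\svchost.exe"},   # new autostart entry
    "C:\\Windows\\Acrobet.dll": {"size": 0, "version": "3.7.1.8", "sha256": "e3b0..55"},
    "D:\\data\\export-0806.csv": {"size": 6000, "sha256": "dd..04"},
}


def run_example() -> dict:
    alerts, report = triage(compare(PREV, CURR))
    return {"alerts": [(c.kind, c.path) for c in alerts],
            "report": [(c.kind, c.path) for c in report]}


if __name__ == "__main__":
    for kind, path in run_example()["alerts"]:
        print("ALERT", kind, path)
```

Two points worth noticing: the modified remins.dll keeps its size and version, so a comparison that looked only at the attributes the 3234 event shows would miss it, which is why the snapshot should carry a content hash; and the new Run entry pointing at a copy of svchost.exe outside System32 is exactly the startup-sequence change recommendation 3 describes.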

2. Tracking and Monitoring USB Storage Device Activity

USB storage devices such as flash drives are enormous productivity enhancers. Their challenges, however, are just as apparent. The first is that sensitive data can easily leave the "green zone". This can happen through an inadvertent act, for example an employee legitimately copies a file to a USB drive, forgets to delete it and later loses the device, or through an overt act, where an employee intentionally copies sensitive material and carries it off premises. The result is the same: sensitive data "in the wild". Both the "whoops" case and the outright malice of a disgruntled employee or cyber-criminal carry a huge potential for damage.

With USB devices so widespread it is also very difficult to exercise granular control. How do you keep devices no larger than car keys from entering the premises? And with cell phones and iPods all having storage capability, do you forbid those on site as well? Doing so results in a lot of very unhappy employees who either ignore the policy or become less productive.

EventTracker tracks the insertion and removal of any USB storage device and records the user and every file copied to the device. Optionally, EventTracker can maintain an approved list of USB devices and their serial numbers and block devices that are not on the list.

Every time a USB device is inserted, the EventTracker agent consults its permission list. If there is no policy violation, it permits access to the device and logs the insertion. If a violation is detected, access is prevented and the violation is immediately sent to the EventTracker Console. When access is permitted, EventTracker also begins to actively monitor activity on the device, and every file written to or deleted from it is recorded. A complete audit trail consisting of the user, device type, serial number, time and all file activity is captured and sent as an event to the EventTracker Console for processing and storage.

Recommendations

1. To protect your organization from outside viruses and keep unwanted files from being copied into your environment, allow only approved, registered USB drives where possible: enter the serial numbers of these devices into the EventTracker agent permission list and block any device whose serial number is not on it. Note that the volume serial number shown in the events below is a file-system attribute that a user can change by reformatting the drive, so treat the approved list as a policy control, not as strong proof of device identity.

2. Generate an alert whenever a USB device is blocked by EventTracker.

3. Send a memo to all users that USB activity is monitored.

4. Schedule a report to review when, and by whom, USB drives were mounted.

Event Details

Event ID  Source        Description

3238      EventTracker  Detected new drive <G:>
                        Volume Label: Dane  Volume Serial No: 761664230  Volume ID: \\?\Volume{6b480935-5be8-11dd-93bb-00188bba1d15}\
                        Type: Removable-USB  File System: FAT  Network Volume: No
                        Description: Change affects physical device or drive

3239      EventTracker  USB Monitoring started for G:\
                        Volume Label: Dane  Volume Serial No: 761664230  Volume ID: \\?\Volume{6b480935-5be8-11dd-93bb-00188bba1d15}\
                        Type: Removable  File System: FAT
                        Console User: LEMONYELLOW\jagat  Active Users: PRISMUSA\Jagat

3240      EventTracker  USB Monitoring stopped for G:\
                        Volume Label: Dane  Volume Serial No: 761664230  Volume ID: \\?\Volume{6b480935-5be8-11dd-93bb-00188bba1d15}\
                        Type: Removable  File System: FAT
                        Console User: LEMONYELLOW\jagat  Active Users: PRISMUSA\Jagat
                        Added ETshows.xls 08/25/2008 12:52:42 PM (Active Users: PRISMUSA\Jagat)
                        Added requirement.xlsx 08/25/2008 12:52:42 PM (Active Users: PRISMUSA\Jagat)
                        Added scalability.doc 08/25/2008 12:52:42 PM (Active Users: PRISMUSA\Jagat)

3242      EventTracker  Media drive <H:> is disabled by EventTracker. Please contact your system administrator.
                        Volume Label: PNPL1  Volume Serial No: 1918040687  Volume ID: \\?\Volume{bf4b109d-44f2-11dd-b2fb-00148549755f}\
                        Type: Removable  File System: FAT32  Network Volume: No
                        Description: Change affects physical device or drive

3229      EventTracker  Drive <G:> removed.
                        Type: N/A  Network Volume: No
                        Description: Change affects physical device or drive

Sample Report #1: USB Activity Report by Machine

Sample Report #2: Summary Report
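The permission-list decision and the audit-trail extraction described in this condition, as an added example rather than EventTracker's agent code. The first function applies an approved-serial list to a "Detected new drive" event and returns a permit/block decision with its reason; the second pulls the per-file activity out of a "USB Monitoring stopped" event so it can be reported per user. The event texts are constructed in the shape of events 3238 to 3242, the approved serial list is an assumption, and the Deleted entry is added to show that removals are captured too.

```python
"""USB policy check and audit-trail parsing (condition 2).  Added example,
not EventTracker code.  Event texts and the approved list are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Decision:
    drive: str
    serial: str
    allowed: bool
    reason: str


# Approved volume serial numbers (recommendation 1).  The volume serial is a
# file-system attribute that reformatting changes, so this is a policy
# control rather than a strong device identity.
APPROVED_SERIALS: Set[str] = {"761664230"}

_DRIVE_RE = re.compile(
    r"Detected new drive <(?P<drive>[A-Z]:)>.*?Volume Serial No: (?P<serial>\d+).*?Type: (?P<type>[\w-]+)")


def evaluate_insert(event_text: str, approved: Set[str] = APPROVED_SERIALS) -> Optional[Decision]:
    """Apply the allow list to a 'Detected new drive' event; None if the text is not one."""
    m = _DRIVE_RE.search(event_text)
    if not m:
        return None
    drive, serial, dtype = m["drive"], m["serial"], m["type"]
    if not dtype.startswith("Removable"):
        return Decision(drive, serial, True, "fixed or network volume; USB policy not applied")
    if serial in approved:
        return Decision(drive, serial, True, "serial on approved list")
    return Decision(drive, serial, False, "serial not on approved list; blocked")


# One entry per file operation inside a 'USB Monitoring stopped' event.
# File names without spaces are assumed, as in the sample events.
_FILE_RE = re.compile(
    r"(?P<op>Added|Deleted) (?P<name>\S+) (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) "
    r"\(Active Users: (?P<user>[^)]+)\)")


def files_from_stop_event(event_text: str) -> List[dict]:
    """Per-file audit records (op, name, ts, user) from a monitoring-stopped event."""
    return [m.groupdict() for m in _FILE_RE.finditer(event_text)]


# Constructed events
INSERT_OK = ("Detected new drive <G:> Volume Label: Dane Volume Serial No: 761664230 "
             "Volume ID: \\\\?\\Volume{6b480935-5be8-11dd-93bb-00188bba1d15}\\ Type: Removable-USB File System: FAT")
INSERT_BLOCKED = ("Detected new drive <H:> Volume Label: PNPL1 Volume Serial No: 1918040687 "
                  "Volume ID: \\\\?\\Volume{bf4b109d-44f2-11dd-b2fb-00148549755f}\\ Type: Removable File System: FAT32")
STOP = ("USB Monitoring stopped for G:\\ Volume Label: Dane Volume Serial No: 761664230 Type: Removable "
        "Console User: LEMONYELLOW\\jagat Active Users: PRISMUSA\\Jagat "
        "Added ETshows.xls 08/25/2008 12:52:42 PM (Active Users: PRISMUSA\\Jagat) "
        "Added requirement.xlsx 08/25/2008 12:52:42 PM (Active Users: PRISMUSA\\Jagat) "
        "Deleted scalability.doc 08/25/2008 12:53:10 PM (Active Users: PRISMUSA\\Jagat)")

if __name__ == "__main__":
    for text in (INSERT_OK, INSERT_BLOCKED):
        d = evaluate_insert(text)
        print(d.drive, "ALLOW" if d.allowed else "BLOCK", d.reason)
    for f in files_from_stop_event(STOP):
        print(f["user"], f["op"], f["name"], f["ts"])
```

The block decision is made before any file activity is possible, which matches the agent flow described above; the file list is only available on the stop event, so a report of what left on the device is necessarily after the fact.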

3. Consolidation and Tracking of Application-Specific Log Files

There are thousands of third-party applications, custom applications and scripts that are mission critical for businesses but do not write to the Windows Event Log and instead keep their own log files. These include some Microsoft applications as well. Monitoring these log files is a best practice for detecting critical conditions that may impact your operations or compromise your security.

EventTracker can be configured to monitor and consolidate any type of log file. You can either aggregate all such log files automatically into the EventTracker archive, or monitor a log file in real time for selected entries that match user-defined criteria. If certain error or failure entries are detected, you can be alerted immediately.

Event Details

Event ID  Source        Description

3230      EventTracker  Desc: FILE: <File Name>
                        TYPE: <File Type>
                        FIELD: <Search String>
                        ENTRY: <Record Found>
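The real-time "match selected entries" mode, as an added example (illustrative code, not EventTracker's file monitor). It reads only the bytes appended since the previous pass, carries an incomplete last line over to the next pass, restarts from the beginning if the file was truncated or rotated, and emits one record per match shaped like the 3230 event (FILE, TYPE, FIELD, ENTRY). The log content, the file type label and the two search criteria are constructed; the file is written to a temporary directory so the example runs anywhere.

```python
"""Incremental log-file monitor (condition 3).  Added example, not
EventTracker code.  The log lines below are constructed."""
import os
import re
import tempfile
from typing import Dict, List


class LogWatcher:
    def __init__(self, path: str, file_type: str, criteria: Dict[str, "re.Pattern[str]"]):
        self.path, self.file_type, self.criteria = path, file_type, criteria
        self.offset = 0            # bytes already processed
        self.partial = b""         # tail of a line that had no newline yet

    def poll(self) -> List[dict]:
        """Process lines appended since the last poll; returns 3230-style records."""
        size = os.path.getsize(self.path)
        if size < self.offset:                     # truncated or rotated: start over
            self.offset, self.partial = 0, b""
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = self.partial + fh.read()
            self.offset = fh.tell()
        lines = data.split(b"\n")
        self.partial = lines.pop()                 # b"" when data ended with a newline
        hits: List[dict] = []
        for raw in lines:
            line = raw.decode("utf-8", "replace").rstrip("\r")
            for field, pattern in self.criteria.items():
                if pattern.search(line):
                    hits.append({"FILE": self.path, "TYPE": self.file_type,
                                 "FIELD": field, "ENTRY": line})
        return hits


def demo() -> List[List[str]]:
    """Two polls over a growing constructed log; returns the matched FIELD names per poll."""
    criteria = {"auth-failure": re.compile(r"login failed", re.I),
                "fatal": re.compile(r"\bFATAL\b")}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")
        with open(path, "w") as fh:                # constructed application log
            fh.write("2008-08-06 14:00:01 INFO  service started\n"
                     "2008-08-06 14:00:07 WARN  Login failed for user svc_backup\n"
                     "2008-08-06 14:00:09 INFO  partial li")       # writer not finished yet
        watcher = LogWatcher(path, "custom-app", criteria)
        first = [h["FIELD"] for h in watcher.poll()]
        with open(path, "a") as fh:
            fh.write("ne completed\n"
                     "2008-08-06 14:00:12 FATAL database connection lost\n")
        second = [h["FIELD"] for h in watcher.poll()]
        return [first, second]


if __name__ == "__main__":
    print(demo())
```

Carrying the partial line over matters in practice: a pattern such as "login failed" split across two reads would otherwise never match, and an agent that re-reads from offset zero on every pass would re-alert on every old entry.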

4. Tracking Enterprise-Wide Disk Space Usage and Trending

Monitoring and managing disk space usage is a challenge for many organizations, and system administrators end up spending significant time on this mundane but important task. Daily or weekly availability and trending reports are critical to operations as well as to security. It is important to monitor the amount of available storage not only to manage disk resources efficiently, but also because programs fail when they cannot allocate space, and a full disk stops audit and application logging, which is exactly the blind spot an attacker wants. In addition, low disk space can prevent a system's paging file from growing to support virtual memory.

EventTracker continuously monitors disk thresholds and can generate, for example, a real-time alert if free space on a critical server falls below 40%. Each system also generates a daily event reporting disk usage and trend, and EventTracker provides a number of preconfigured reports for enterprise-wide disk usage.

Recommendations

1. Generate an alert when usage of a critical disk has crossed the 90% threshold.

2. Generate an alert when the change in disk usage compared to the previous day is large; a sudden jump is as often staged data or a log flood as it is normal growth.

3. Generate daily/weekly reports to analyze disk space availability, usage and trends.

Event Details

Event ID  Source        Description

3232      EventTracker  System - SQLA  Disk space availability
                        Drive C:, Disk Size: 20000 MB, Free: 10980 MB, Free(in percent): 54
                        Drive D:, Disk Size: 76316 MB, Free: 58921 MB, Free(in percent): 77
                        Drive E:, Disk Size: 18161 MB, Free: 5109 MB, Free(in percent): 28
                        Drive G:, Disk Size: 38475 MB, Free: 3482 MB, Free(in percent): 9
                        Drive H:, Disk Size: 199996 MB, Free: 7782 MB, Free(in percent): 3

3201      EventTracker  System - Webserver51  Detected free space in drive C: is less than 20 percent.
                        Drive: C:  Disk Size: 14999 MB  Free: 358 MB  Free(in percent): 2 percent

Sample Report #1

Sample Report #2
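Recommendations 1 and 2 applied to the daily disk event, as an added example (not EventTracker's rule engine). It parses the per-drive text of a 3232-style event, recomputes the used percentage from size and free space rather than trusting the rounded figure in the text, raises the 90% threshold alert, and compares each drive against the previous day's event for a large jump. Today's text is the SQLA event shown above; yesterday's is constructed so that drive E: shows a jump, and the thresholds are the ones the recommendations give.

```python
"""Disk-space threshold and day-over-day rules (condition 4).  Added
example, not EventTracker code.  YESTERDAY is constructed."""
import re
from typing import Dict, List

_DRIVE = re.compile(r"Drive (?P<drive>[A-Z]:), Disk Size: (?P<size>\d+) MB, Free: (?P<free>\d+) MB")


def parse_disk_event(text: str) -> Dict[str, Dict[str, int]]:
    """drive -> {size, free, used_pct}; used_pct is recomputed from the MB figures."""
    out: Dict[str, Dict[str, int]] = {}
    for m in _DRIVE.finditer(text):
        size, free = int(m["size"]), int(m["free"])
        used_pct = round(100 * (size - free) / size) if size else 100
        out[m["drive"]] = {"size": size, "free": free, "used_pct": used_pct}
    return out


def disk_alerts(today: str, yesterday: str, threshold_pct: int = 90, jump_pct: int = 10) -> List[str]:
    """Threshold alerts (recommendation 1) plus day-over-day jump alerts (recommendation 2)."""
    now, prev = parse_disk_event(today), parse_disk_event(yesterday)
    alerts: List[str] = []
    for drive, cur in sorted(now.items()):
        if cur["used_pct"] >= threshold_pct:
            alerts.append(f"{drive} used {cur['used_pct']}% >= {threshold_pct}% threshold")
        if drive in prev:
            delta = cur["used_pct"] - prev[drive]["used_pct"]
            if delta >= jump_pct:
                alerts.append(f"{drive} usage rose {delta} points since previous day")
        else:
            alerts.append(f"{drive} is new since previous day")
    for drive in sorted(set(prev) - set(now)):     # a volume that vanished is worth a look too
        alerts.append(f"{drive} no longer reported")
    return alerts


TODAY = ("System - SQLA Disk space availability "
         "Drive C:, Disk Size: 20000 MB, Free: 10980 MB, Free(in percent): 54 "
         "Drive D:, Disk Size: 76316 MB, Free: 58921 MB, Free(in percent): 77 "
         "Drive E:, Disk Size: 18161 MB, Free: 5109 MB, Free(in percent): 28 "
         "Drive G:, Disk Size: 38475 MB, Free: 3482 MB, Free(in percent): 9 "
         "Drive H:, Disk Size: 199996 MB, Free: 7782 MB, Free(in percent): 3")
YESTERDAY = ("System - SQLA Disk space availability "          # constructed previous-day event
             "Drive C:, Disk Size: 20000 MB, Free: 11200 MB, Free(in percent): 56 "
             "Drive D:, Disk Size: 76316 MB, Free: 58921 MB, Free(in percent): 77 "
             "Drive E:, Disk Size: 18161 MB, Free: 9100 MB, Free(in percent): 50 "
             "Drive G:, Disk Size: 38475 MB, Free: 3600 MB, Free(in percent): 9 "
             "Drive H:, Disk Size: 199996 MB, Free: 7782 MB, Free(in percent): 3")

if __name__ == "__main__":
    for a in disk_alerts(TODAY, YESTERDAY):
        print("ALERT", a)
```

Drives G: and H: trip the 90% rule; E: is only 72% used but has lost 22 points of free space in a day, which is the case the threshold rule alone never catches.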

5. Network Connection Monitoring

Monitoring network connections is an easy way to improve performance, understand system usage and address security threats. In many cases it is unknown network users and applications that degrade the performance of critical servers, and when a machine is compromised it generally begins to send information to the outside world. By monitoring ports, applications and processes on a server for patterns of access, both by remote connections and by users communicating outward, new or unusual activity can be detected as an early warning that something is wrong.

EventTracker continuously monitors and tracks all inbound and outbound TCP/UDP connections. The EventTracker agent generates an event whenever a connection is created or deleted. EventTracker also maintains a list of suspicious network activities, such as activity on a nontypical port, and a blacklist and/or whitelist of unacceptable or acceptable connections. EventTracker can also take automatic remedial action to terminate a connection if your rule set indicates that the connection source is not on your whitelist or is on your blacklist.

Recommendations

1. Generate a daily report of all incoming connections to all ports, sorted by source IP address. An optional preventive approach is to terminate the process immediately or generate an alert if the IP address is not on your trusted list.

2. Profile the users accessing particular ports or applications, for instance the average connection time.

3. Generate a daily report of the top 50 web sites visited by your company.

4. Generate a top-ten list of the applications a user connects to.

Event Details

Event ID  Source        Description

3223      EventTracker  Socket CREATED: Type: TCP  Status: New
                        Local Address: ISA.Isatest.local  Local Port: 21953  Remote Address: KAH  Remote Port: 1558  Connection State: TIME_WAIT
                        Process ID: 0  Process Name: [System Process]  Image File Name: C:\Program Files\Microsoft ISA Server\wspsrv.exe

3224      EventTracker  Socket MODIFIED: Type: TCP  Status: Changed
                        Local Address: ISA.Isatest.local  Local Port: 60940  Remote Address: RR.PMTPA.WIKIMEDIA.ORG  Remote Port: 80 (http)
                        New Connection State: CLOSE_WAIT

3225      EventTracker  Socket DELETED: Type: TCP  Status: Deleted
                        Local Address: MICKEY.Toons.local  Local Port: 4187  Remote Address: WEBDOC1.TOONS.LOCAL  Remote Port: 445 (microsoft-ds)
                        Connection active time: 438 secs  Last known Connection State: ESTAB
                        Process ID: 4  Process Name: System  Image File Name: C:\WINDOWS\system32\lsass.exe

3226      EventTracker  Socket CREATED: Type: UDP  Status: New
                        Local Address: MICKEY  Local Port: 4500 (ipsec-msft)
                        Process ID: 436  Process Name: lsass.exe  Image File Name: C:\WINDOWS\system32\lsass.exe

3227      EventTracker  Socket DELETED: Type: UDP  Status: Deleted
                        Local Address: MICKEY  Local Port: 4416  Connection active time: 216 secs
                        Process ID: 3396  Process Name: UserActivity.exe  Image File Name: D:\WORK\products\etmgr-win-v6-x\bin\UserActivity.exe

Sample Report #1
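The whitelist, blacklist and nontypical-port rules described above, applied to connection events as an added example (not EventTracker's rule set). It parses "Socket CREATED" text into a record, then checks three things: an inbound connection to a served port must come from a trusted source network (recommendation 1), an outbound connection must be on an allow list of remote endpoint and port, and a socket with no remote endpoint (a new listener) must be on a port the host is expected to serve. The event texts are constructed in the shape of events 3223 to 3227; the trust lists, the served-port set and the "local port is a served port means inbound" heuristic are assumptions for a file/web server.

```python
"""Connection-event rules (condition 5).  Added example, not EventTracker
code.  Events and policy lists below are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Socket:
    proto: str
    local_port: int
    remote_addr: Optional[str]
    remote_port: Optional[int]
    process: str
    image: str


def parse_socket_event(text: str) -> Socket:
    def grab(pat, cast=str, default=None):
        m = re.search(pat, text)
        return cast(m.group(1)) if m else default
    # Process Name may contain spaces ("[System Process]"), so anchor on the field that follows it.
    proc = re.search(r"Process Name: (.*?) Image File Name: (.*)$", text)
    return Socket(
        proto=grab(r"Type: (TCP|UDP)", default="?"),
        local_port=grab(r"Local Port: (\d+)", int, 0),
        remote_addr=grab(r"Remote Address: (\S+)"),
        remote_port=grab(r"Remote Port: (\d+)", int),
        process=proc.group(1) if proc else "?",
        image=proc.group(2) if proc else "?",
    )


# Assumed policy for one server.
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
SERVED_PORTS = {80, 443, 445, 3389, 4500}                      # ports this host is meant to listen on
ALLOWED_OUTBOUND = {("10.0.0.25", 445), ("10.0.0.10", 1433)}   # (remote address, remote port)


def _ip(s: str):
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None           # a hostname; cannot be matched against a network list


def classify(sock: Socket) -> List[str]:
    findings: List[str] = []
    if sock.remote_addr is None:                             # new listener / bound UDP socket
        if sock.local_port not in SERVED_PORTS:
            findings.append(f"nontypical {sock.proto} listener on port {sock.local_port} "
                            f"({sock.process}: {sock.image})")
        return findings
    if sock.local_port in SERVED_PORTS:                      # inbound: our side is a served port
        rip = _ip(sock.remote_addr)
        if rip is None or not any(rip in net for net in TRUSTED_SOURCES):
            findings.append(f"inbound to port {sock.local_port} from untrusted {sock.remote_addr}")
    elif (sock.remote_addr, sock.remote_port) not in ALLOWED_OUTBOUND:
        findings.append(f"outbound {sock.process} -> {sock.remote_addr}:{sock.remote_port} not on allow list")
    return findings


def audit(events: List[str]) -> List[str]:
    return [f for e in events for f in classify(parse_socket_event(e))]


EVENTS = [   # constructed
    ("Socket CREATED: Type: TCP Status: New Local Address: WEBDOC1 Local Port: 445 Remote Address: 10.0.0.7 "
     "Remote Port: 4187 Connection State: ESTAB Process ID: 4 Process Name: System Image File Name: C:\\WINDOWS\\system32\\ntoskrnl.exe"),
    ("Socket CREATED: Type: TCP Status: New Local Address: WEBDOC1 Local Port: 445 Remote Address: 203.0.113.9 "
     "Remote Port: 51000 Connection State: ESTAB Process ID: 4 Process Name: System Image File Name: C:\\WINDOWS\\system32\\ntoskrnl.exe"),
    ("Socket CREATED: Type: TCP Status: New Local Address: WEBDOC1 Local Port: 60940 Remote Address: 198.51.100.20 "
     "Remote Port: 6667 Connection State: ESTAB Process ID: 2212 Process Name: svchost.exe Image File Name: C:\\Users\\Public\\svchost.exe"),
    ("Socket CREATED: Type: UDP Status: New Local Address: WEBDOC1 Local Port: 4500 (ipsec-msft) "
     "Process ID: 436 Process Name: lsass.exe Image File Name: C:\\WINDOWS\\system32\\lsass.exe"),
    ("Socket CREATED: Type: TCP Status: New Local Address: WEBDOC1 Local Port: 31337 "
     "Process ID: 9001 Process Name: nc.exe Image File Name: C:\\Temp\\nc.exe"),
]

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print("ALERT", finding)
```

The image path is carried into the finding deliberately: a process named svchost.exe running from C:\Users\Public is a different thing from the one in System32, and the connection event is often the first place that shows up.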

6. Hot-fix Install Monitoring

Many corporate desktops and servers are compromised for a simple, preventable reason: they have not been updated to the latest version of the operating system, anti-virus software and applications such as Office that provide the execution environment for malware. Being able to easily identify and report hot-fix levels on all resources in the enterprise is a simple yet powerful way to avoid costly downtime and loss of critical corporate data.

EventTracker agents report the current anti-virus, operating system and Office hot-fix levels. Reports can be run on single machines as well as groups of machines, giving operations and security staff a quick way to see which machines are at risk of compromise.

Recommendations

1. Generate a weekly report on all machines to confirm hot-fix installations.

2. When a critical hot-fix is released, use EventTracker to generate an on-demand report verifying that all machines have been updated. Treat a machine that has not reported at all as unpatched, not as compliant.

Sample Report #1

7. Application Usage Tracking

Even a mid-size organization potentially has thousands of users and workstations. It is critical that an organization know what applications its users run. This enables security and operations personnel to identify and track users who download and run random or unlicensed applications on company computers and expose the company to both security and legal risk.

EventTracker monitors the start and stop of every program on each system. This facilitates license tracking, capacity planning, software usage matrix generation and security monitoring.

Event Details

Event ID  Source        Description

3221      EventTracker  App Open: Exe: EXCEL.EXE  Name: Microsoft Office 2000  Description: EXCEL.EXE  Version: 9.0.2719  Vendor: Microsoft Corporation  PID: 7840

3222      EventTracker  App Close: Exe: MSDEV.EXE  Name: Microsoft (R) Visual Studio  PID: 3800

Sample Report #1: Daily application usage by computer

Sample Report #2: Application usage summary by user
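Turning start/stop events into the usage figures the two sample reports need, as an added example (not EventTracker's report code). App Open and App Close events are paired by executable and PID to give a session length per user; an Open that never closes is reported as still running, and a Close with no matching Open (agent restarted, or the PID was reused) is dropped rather than guessed at. The events are constructed in the shape of 3221/3222 with an assumed timestamp and user prefix, since the agent normally supplies those as separate event fields.

```python
"""Application usage sessions from open/close events (condition 7).  Added
example, not EventTracker code.  Events are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed layout: "<date> <time> <user> App Open|Close: Exe: <exe> ... PID: <n>"
_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<user>\S+) App (?P<kind>Open|Close): Exe: (?P<exe>\S+).*?PID: (?P<pid>\d+)")


def sessions(lines: List[str], now: datetime) -> Tuple[List[dict], List[dict]]:
    """Return (completed sessions, sessions still open at `now`)."""
    open_by_key: Dict[Tuple[str, int], dict] = {}
    done: List[dict] = []
    for line in lines:
        m = _RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["exe"].upper(), int(m["pid"]))          # exe + PID identifies one run
        if m["kind"] == "Open":
            open_by_key[key] = {"user": m["user"], "exe": key[0], "pid": key[1], "start": ts}
        elif key in open_by_key:                           # unmatched Close is ignored, not guessed
            s = open_by_key.pop(key)
            s["seconds"] = int((ts - s["start"]).total_seconds())
            done.append(s)
    still = [dict(s, seconds=int((now - s["start"]).total_seconds()), open=True)
             for s in open_by_key.values()]
    return done, still


def usage_by_user(done: List[dict]) -> Dict[str, Dict[str, int]]:
    """user -> exe -> total seconds, the shape of sample report #2."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for s in done:
        totals[s["user"]][s["exe"]] += s["seconds"]
    return {u: dict(v) for u, v in totals.items()}


EVENTS = [   # constructed
    "2008-08-06 09:00:00 TOONS\\alice App Open: Exe: EXCEL.EXE Name: Microsoft Office 2000 Version: 9.0.2719 Vendor: Microsoft Corporation PID: 7840",
    "2008-08-06 09:05:00 TOONS\\bob App Open: Exe: MSDEV.EXE Name: Microsoft (R) Visual Studio PID: 3800",
    "2008-08-06 09:30:00 TOONS\\alice App Close: Exe: EXCEL.EXE Name: Microsoft Office 2000 PID: 7840",
    "2008-08-06 09:31:00 TOONS\\alice App Open: Exe: EXCEL.EXE Name: Microsoft Office 2000 Version: 9.0.2719 Vendor: Microsoft Corporation PID: 7900",
    "2008-08-06 09:40:00 TOONS\\bob App Close: Exe: WINWORD.EXE Name: Microsoft Word PID: 4100",   # no Open seen for this PID
    "2008-08-06 10:00:00 TOONS\\alice App Close: Exe: EXCEL.EXE Name: Microsoft Office 2000 PID: 7900",
]


def demo() -> dict:
    done, still = sessions(EVENTS, datetime(2008, 8, 6, 10, 5, 0))
    return {"completed": [(s["user"], s["exe"], s["pid"], s["seconds"]) for s in done],
            "open": [(s["user"], s["exe"], s["pid"], s["seconds"]) for s in still],
            "by_user": usage_by_user(done)}


if __name__ == "__main__":
    print(demo())
```

For license reporting the "still open" list is as important as the completed one: a long-running instance with no Close is a seat in use, and a session that spans the report boundary should be counted in both days.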

8. Monitoring and Tracking of Software Installs/Uninstalls

If software is installed or uninstalled on a production server without a formal review process, it represents not only a service availability risk but also a potentially serious security threat to your organization. In addition, unapproved and unlicensed software can be a legal and security nightmare on both workstations and servers. In spite of best practices and intentions, most organizations cannot reliably track software installs and uninstalls on either critical servers or workstations over time.

EventTracker actively monitors all software installs and uninstalls for real-time alerting as well as reporting and analysis. EventTracker also helps document which hot-fixes and patches are added to or removed from your environment.

Recommendations

1. Generate an alert whenever new software is installed or uninstalled on a server. If you get an alert from a mission-critical server, generate a report of what files were added, modified or deleted as a result of the install or uninstall.

2. Schedule a weekly report of all software installs and uninstalls on all servers and workstations, and review it for out-of-the-ordinary installations or license violations.

Event Details

Event ID  Source        Description

3208      EventTracker  Detected software <Microsoft Visual Studio 6.0 Enterprise Edition> has been installed on this system.
                        Name: Microsoft Visual Studio 6.0 Enterprise Edition

3209      EventTracker  Detected software <EventTracker> has been uninstalled from this system.
                        Name: EventTracker

Sample Report #1

9. Monitoring and Tracking of Critical Services

Services are a key foundation for running applications within the Windows architecture, and some critical applications appear to the user as nothing but a Windows service. These services must be running for the application to be available: if a key service dies, the application becomes unavailable, and if an anti-virus service dies it opens a hole in your security.

EventTracker continuously monitors all services. If a service starts up or goes down, an event is generated in real time and you can be notified, and if a critical service terminates it can be restarted automatically by EventTracker. EventTracker provides a real-time dashboard to review the status of all critical services and for Service Level Agreement (SLA) monitoring. A number of preconfigured reports are included with EventTracker to review the overall availability of critical services.

Recommendations

1. Generate an alert if a critical service dies. If the service is mission critical, configure EventTracker to restart it automatically. Cap the number of automatic restarts and escalate beyond it: a service that keeps dying is a fault or an intrusion to investigate, not something to restart indefinitely. A stopped anti-virus or logging service is also a classic attacker move, so treat those stops as security events, not only availability events.

2. Generate an alert if a new service starts on your critical systems. Service installation is a common persistence mechanism, so review the new service's binary path and the account it runs under.

3. Generate a daily report of service downtime and share it with the IT department for service level agreement (SLA) management.

Event Details

Event ID  Source        Description

3202      EventTracker  Detected Service <VNC Server> is not running.
                        Name: VNC Server  Type: Service

3203      EventTracker  Detected %s <%s> was restarted successfully.  (message template; fields are filled in at run time)
                        Name: %s  Type: %s

3204      EventTracker  Detected Service <WcwService> could not be restarted.
                        Name: WcwService  Type: Service

Sample Report #1: Service downtime report sorted by computer
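The monitor-and-restart loop from this condition, as an added example (not EventTracker's agent). Successive polls of the service table are compared to detect services that are new or gone (recommendation 2), each critical service that is not running is restarted through a hook, and events in the shape of 3202 to 3204 are emitted. The restart count is capped so a service that keeps dying is escalated instead of being restarted forever, the caveat given in recommendation 1. The service table polls and the restart hook are constructed; in the constructed hook the anti-virus service comes back and WcwService never does.

```python
"""Critical-service supervision with capped restarts (condition 9).  Added
example, not EventTracker code.  Polls and the restart hook are constructed."""
from typing import Callable, Dict, List, Optional, Set


class ServiceWatcher:
    def __init__(self, critical: Set[str], restart: Callable[[str], bool], max_restarts: int = 3):
        self.critical = critical
        self.restart = restart               # tries to start a service; True on success
        self.max_restarts = max_restarts
        self.known: Optional[Dict[str, str]] = None   # name -> state at the previous poll
        self.restarts: Dict[str, int] = {}            # automatic restarts attempted per service

    def poll(self, services: Dict[str, str]) -> List[str]:
        """services: name -> 'Running' | 'Stopped'.  Returns the event texts for this poll."""
        events: List[str] = []
        if self.known is not None:                     # inventory diff against the last poll
            for name in sorted(set(services) - set(self.known)):
                events.append(f"New service <{name}> appeared ({services[name]})")
            for name in sorted(set(self.known) - set(services)):
                events.append(f"Service <{name}> was removed")
        for name in sorted(self.critical):
            if services.get(name) == "Running":
                continue
            events.append(f"Detected Service <{name}> is not running.")
            if self.restarts.get(name, 0) >= self.max_restarts:
                events.append(f"Service <{name}> exceeded {self.max_restarts} automatic restarts; escalating")
                continue
            self.restarts[name] = self.restarts.get(name, 0) + 1
            if self.restart(name):
                services = dict(services, **{name: "Running"})
                events.append(f"Detected Service <{name}> was restarted successfully.")
            else:
                events.append(f"Detected Service <{name}> could not be restarted.")
        self.known = dict(services)
        return events


def demo() -> List[List[str]]:
    def try_start(name: str) -> bool:        # constructed hook: WcwService never comes back
        return name != "WcwService"

    watcher = ServiceWatcher({"AVService", "WcwService"}, try_start, max_restarts=2)
    polls = [   # constructed service tables, one per poll
        {"AVService": "Running", "WcwService": "Running", "Spooler": "Running"},
        {"AVService": "Stopped", "WcwService": "Stopped", "Spooler": "Running", "VNC Server": "Running"},
        {"AVService": "Running", "WcwService": "Stopped", "Spooler": "Running", "VNC Server": "Running"},
        {"AVService": "Running", "WcwService": "Stopped", "Spooler": "Running", "VNC Server": "Running"},
    ]
    return [watcher.poll(p) for p in polls]


if __name__ == "__main__":
    for i, events in enumerate(demo()):
        for e in events:
            print(f"poll {i}: {e}")
```

Note that the restart counter is never reset here; a production version would reset it after the service has stayed up for a configurable period, so a one-off crash last month does not count against today's.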

Page 23: Monitoring Ten Critical Conditions - EventTracker · Monitoring the Windows Event Log is critical because the Operating System continuously monitors and logs critical security, system

White Paper

Security Beyond the Windows Event Log

10. Run away CPU and Memory Processes Runaway processes are programs, services or user scripts which go haywire generally due to a software

design problem and start consuming excessive amounts of CPU or memory. A user is typically unaware

when this happens until performance of the entire machine becomes highly degraded and often the end

result is a hung system and a necessary system reboot. Quick identification of these run away processes

is vital for the performance and availability of windows servers and workstations.

EventTracker enables the definition of acceptable CPU and memory thresholds for any Windows process.

The EventTracker Agent then continuously monitors all running processes in the system. If it detects a

process that exceeds its defined thresholds it generates an event in real-time and notifies you. Generally,

a runaway process needs to be terminated to free up critical resources. If configured, EventTracker can

also take automatic remedial actions such as terminating and restarting a runaway process to immediately

free up critical resources.

Recommendations Set up the following critical alert conditions that notify system administrators in real-time when:

1. CPU utilization of a system consistently remains higher than 85%

2. Memory utilization of a system consistently remains higher than 90%

3. Any process consumes more than 80% of CPU for a long time. Consider launching a remedial action

to terminate the process automatically if this occurs frequently.

4. Any process that consumes more than 250MB of memory. For repeat offenders, launch automatic

remedial action to terminate the process

Event ID Source Description

3206 EventTracker Detected High Memory Usage. More than 50 percent in use for last 180 seconds. Peak Memory: 52 percent Total Physical: 1015 MB Total Paging: 2446 MB Avail Physical: 486 MB Avail Paging: 1985 MB

3207 EventTracker Detected High CPU Usage. More than 80 percent in use for last 180 seconds. System CPU Usage: 98 % Process Name: ntiis.exe Process CPU Usage: 60 %.

Page 24: Monitoring Ten Critical Conditions - EventTracker · Monitoring the Windows Event Log is critical because the Operating System continuously monitors and logs critical security, system

White Paper

Security Beyond the Windows Event Log

Event ID Source Description

3215      EventTracker  Detected Memory usage is back to below configured threshold limit. Peak Memory: 44 percent Total Physical: 1015 MB Total Paging: 0 MB Avail Physical: 2446 MB Avail Paging: 0 MB
3216      EventTracker  Detected CPU usage is back to below configured threshold limit. \r\n\tCPU Usage: %d percent.
3217      EventTracker  Process <devenv.exe> has crossed the memory usage limit. Process: devenv.exe Limit: 150 MB Actual: 222 MB PID: 333
3218      EventTracker  Process <IDriver.exe> has crossed the CPU usage limit. Process: IDriver.exe Limit: 60 % Actual: 94 % Total CPU Usage: 143 Seconds. PID: 333
3219      EventTracker  Memory usage of process <googleearth.exe> is now normal and below the usage limit. Process: googleearth.exe Limit: 60 MB Actual: 35 MB
3220      EventTracker  CPU Usage of process <%s> is now normal and below the usage limit. \r\n\tProcess: %s \r\n\tLimit: %d %% \r\n\tActual: %d %%
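The recommendations above and the paired events in the table (3217/3219 for memory, 3218/3220 for CPU) describe a sustained-threshold rule: alert only after a process stays over its limit for a whole observation window, then emit a matching "back to normal" event once it drops below. The following is an added illustration of that rule, not EventTracker's own code; the thresholds, the 180-second window and the per-process samples are constructed to match the paper's numbers.

```python
from dataclasses import dataclass

# Constructed limits taken from the paper's recommendations (not product defaults).
CPU_LIMIT_PCT = 80        # a process above this much CPU is a candidate runaway
MEM_LIMIT_MB = 250        # a process above this much memory is a candidate runaway
SUSTAIN_SECONDS = 180     # the breach must persist this long before alerting
SAMPLE_INTERVAL = 30      # seconds between constructed samples


@dataclass
class ProcessState:
    breach_seconds: int = 0   # how long the current breach has lasted
    alerted: bool = False     # whether a "high usage" event was already raised


def evaluate(samples, limit, sustain=SUSTAIN_SECONDS, interval=SAMPLE_INTERVAL):
    """Apply the sustained-threshold rule to (process_name, value) samples
    taken every `interval` seconds.  Returns the events that would be raised:
    ("HIGH", name, value) once the breach has lasted `sustain` seconds, and
    ("NORMAL", name, value) when an alerted process drops back under the limit.
    A short spike that ends before the window fills raises nothing, and a
    process already alerted is not re-alerted on every sample (hysteresis)."""
    states = {}
    events = []
    for name, value in samples:
        st = states.setdefault(name, ProcessState())
        if value > limit:
            st.breach_seconds += interval
            if st.breach_seconds >= sustain and not st.alerted:
                st.alerted = True
                events.append(("HIGH", name, value))
        else:
            if st.alerted:
                events.append(("NORMAL", name, value))
            st.breach_seconds = 0
            st.alerted = False
    return events


def demo():
    """Constructed 30-second samples, not real telemetry.  devenv.exe stays
    over 250 MB for six samples (180 s) and then recovers; IDriver.exe spikes
    above 80% CPU but never for a full window, so it must not alert."""
    mem_samples = [("devenv.exe", mb) for mb in (120, 260, 270, 280, 290, 300, 310, 200)]
    cpu_samples = [("IDriver.exe", pct) for pct in (95, 97, 40, 96, 96, 50)]
    return evaluate(mem_samples, MEM_LIMIT_MB), evaluate(cpu_samples, CPU_LIMIT_PCT)
```

The same function serves both metrics because only the limit differs; a real agent would feed it live per-process counters and map the HIGH/NORMAL pairs onto the 3217/3219 and 3218/3220 events.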


Sample Report #1: System CPU problem incidents

Sample Report #2: Processes with excessive memory consumption


The EventTracker Solution

The EventTracker solution is a scalable, enterprise-class Security Information and Event Management (SIEM) solution for Windows systems, Syslog/Syslog NG (UNIX and many networking devices), SNMP V1/2, legacy systems, applications and databases. EventTracker enables "defense in depth", where log data is automatically collected, correlated and analyzed from the perimeter security devices down to the applications and databases. To prevent security breaches, Event Log data becomes most useful when interpreted in near real time and in context. Context is vitally important because often the critical indications of impending problems and security violations can only be learned by watching patterns of events across multiple systems. Complex rules can be run on the event stream to detect signs of such a breach. EventTracker also provides real-time alerting capability in the form of an email, page or SNMP message to proactively alert security personnel to an impending security breach.

The original Event Log data is also securely stored in a highly compressed event repository for compliance purposes and later forensic analysis. For compliance, EventTracker provides a powerful reporting interface, scheduled or on-demand report generation, automated compliance workflows that prove to auditors that reports are being reviewed, and many other features. With pre-built auditor-grade reports included for most of the compliance standards (FISMA, HIPAA, SOX, GLBA and NISPOM), EventTracker represents a compliance solution that is second to none. EventTracker also provides advanced forensic capability where all the stored logs can be quickly searched through a powerful Google-like search interface to perform quick problem determination.

EventTracker lets users completely meet the logging requirements specified in NIST SP 800-92, Guide to Computer Security Log Management, and additionally provides Host Based Intrusion Detection, Change Monitoring and USB activity tracking on Windows systems, all in an off-the-shelf, affordable software solution.

EventTracker provides the following benefits:

- A highly scalable, component-based architecture that consolidates all Windows, SNMP V1/V2, legacy platforms, Syslog received from routers, switches, firewalls, critical UNIX servers (RedHat Linux, Solaris, AIX etc.), Solaris BSM, workstations and various other SYSLOG generating devices.
- Automated archival mechanism that stores activities over an extended period to meet auditing requirements. The complete log is stored in a highly compressed (>90%), secured archive that is limited only by the amount of disk storage.
- Real-time monitoring and parsing of all logs to analyze user activities such as logon failures and failed attempts to access restricted information.
- Alerting interface that generates custom alert actions via email, pager, beep, console message, etc.


- Event correlation modules to constantly monitor for malicious hacking activity. In conjunction with alerts, this is used to inform network security officers and security administrators in real time. This helps minimize the impact of breaches.
- Various types of network activity reports, which can be scheduled or generated as required for any investigation or for meeting audit compliance.
- Host-based Intrusion Detection (HIDS).
- Role-based, secure event and reporting console for data analysis.
- Change Monitoring on Windows machines.
- USB Tracking, including restricted use, insert/removal recording, and a complete audit trail of all files copied to the removable device.
- Built-in compliance workflows to allow inspection and annotation of the generated reports.

About EventTracker

EventTracker's advanced security solutions protect enterprises and small businesses from data breaches and insider fraud, and streamline regulatory compliance. The company's EventTracker platform comprises SIEM, vulnerability scanning, intrusion detection, behavior analytics, a honeynet deception network and other defense-in-depth capabilities within a single management platform. The company complements its state-of-the-art technology with 24/7 managed services from its global security operations center (SOC) to ensure its customers achieve desired outcomes—safer networks, better endpoint security, earlier detection of intrusion, and relevant and specific threat intelligence. The company serves the retail, hospitality, healthcare, legal, banking and financial services, utilities and government sectors.

EventTracker is a division of Netsurion, a leader in remotely managed IT security services that protect multi-location businesses' information, payment systems and on-premise public and private Wi-Fi networks. www.eventtracker.com