Search This Blog

Monday, October 29, 2007

EventTracker's custom reporting rocks; Have you considered "Whitelisting

As you know I follow the log management software and service market closely and let you know when I come across something notable.  To that end check out what I found interesting about the latest version of EventTracker below.

 

Also, I’m very stoked about a new approach to stopping malware that eliminates the signature update treadmill.  It’s called whitelisting…

 

EventTracker

 

EventTracker is one of the log management solutions that I follow closely.  I recently got a demo from A. N. Ananth at Prism Microsystem of EventTracker 6.0 and was quite impressed by 2 major new enhancements.

1.        EventTracker now has one of the very best custom reporting facilities I’ve seen on the market.  With this new feature I can finally build the kinds of reports I’ve already designed for the Windows Security Log as part of my “Rosetta” project.  A common complaint I’ve had about canned and custom reports in most log management solutions is the program throws the whole, ugly event at you instead of just the elements that are important.  For instance, let’s say you want a report of all new user accounts created in AD (event ID 624 from your domain controllers).  I don’t want a report that looks like this:

00-00-2007 14:32am   Event ID: 624        Computer: DC1

User Account Created:

New Account Name:harold

New Domain:ELM

New Account ID:ELM\harold

Caller User Name:administrator

Caller Domain:ELM

Caller Logon ID:(0x0,0x158EB7)

Privileges-

 

Windows Server 2003 adds these fields

 

Attributes:

Sam Account Name:harold

Display Name:harold

User Principal Name:harold@elm.local

Home Directory:-

Home Drive:-

Script Path:-

Profile Path:-

User Workstations:-

Password Last Set:

Account Expires:

Primary Group ID:513

AllowedToDelegateTo:-

Old UAC Value:0x0

New UAC Value:0x15

User Account Control:

Account Disabled

'Password Not Required' - Enabled

'Normal Account' - Enabled

User Parameters:-

Sid History:-

Logon Hours:

 

                Repeated over and over again for every occurrence of event ID 624.  I want something like this:

 

                New User Accounts Report

 

     Date       Time      New Account     Created by:          Computer:

08-10-2007 14:32pm   mtg\jsmith      mtg\bob_admin        DC1

08-10-2007 14:44pm   mtg\wjones      mtg\bob_admin        DC1

08-12-2007 08:20am   mtg\jgleason    mtg\administrator    DC1

 

                See the difference?  EventTracker makes it really easy to build reports like this. 

 

2.        The other major improvement in EventTracker is to scalability.  EventTracker now allows you to scale up to tens thousands of systems using optional Collection Points.  A Collection Point is simply an EventTracker Console and provides full functionality with real-time alerting and correlation. Events are collected and can be optionally stored for local reporting purposes. In addition, the events are periodically transmitted in encrypted form to the Collection Master that receives event archives from all the local Collection Points. The Collection Master contains log data from across the enterprise and supports enterprise wide reporting, monitoring and long term log archival as well as auditor requests. 

 

These 2 enhancements should keep EventTracker on your shortlist of log management solutions.

 

Check out EventTracker and download a demo at  PrismMicrosys.com
 
 

Whitelisting

 

As you are all too well aware we are all caught in a never ending cycle of anti-malware signature updates and software patches to Windows and applications.  Wouldn’t it be great if you could switch from the reactive mode of updates to a proactive mode of – don’t run anything I don’t trust?  It sounds good at first blush but Microsoft’s attempt to exploit this idea – Software Restrictions – just doesn’t work in the real world.

 

1.                    How do you determine which programs, scripts, java applets and Office macros to trust?  How do you keep it updated?

2.                    How do you deal with all the exceptions.  Things like Executive Bob or Salesrep Sally who need and/or demand the ability to install and run certain software that isn’t on your official blessed list.  You can get around these exceptions.

3.                    How do you keep things flexible and practical?

4.                    How do you track what’s being allowed to run, what’s being blocked, when and how often?

 

The Software Restrictions part of Windows’ Group Policy doesn’t help you with any of this and I don’t know any company out there that’s done a comprehensive implementation of Software Restrictions that blocks everything but that which is specifically allowed.

 

That’s why I was fairly blown away with Bit9’s Parity product which addresses all the issues I bring up.  Bit9 Parity is cool because it provides a regularly updated library of common software used and trusted by most companies today.  For the majority of your trusted software you don’t need to compute the EXE hashes and set up the policies.  You just pick and choose what you want from Bit9’s canned list.  For the remaining one off programs you set up allow policies.  At this point 95% of your users will probably be able to do their normal work without any interruption. 

 

Next you determine what Parity should do if when someone tries to run some type of software that is not recognized and approved.  You can configure Parity, based on criteria about the software, to completely block execution or allow execution but alert you.  Of course you can tweak these policies based on type of user, Organizational Unit in AD and other factors such as – is the user currently connected to the network or are they away on a business trip with their laptop. 

 

It has an emergency mode where with a single click you can temporarily block all new installations of unknown software even by normally privileged users.  This is great if you know a new worm or virus is heading your way but your AV provider says they won’t have a patch for 8 hours or more.

 

The point I’m trying to make is that Bit9’s implementation of whitelisting is effective, realistic , practical and easy to manage.  It’s built for the real world in that it blocks unwanted, untrusted software without preventing stopping certain users who do need to experiment and install software.  For such users you still get a report and if you find something inappropriate or unwanted you can disabled it after the fact preventing future execution or spread of the program.

 

Here’s Bit9’s website if you want more information about Parity. 
Bit9.com
Let me know what you think about whitelisting and products you like.

 

Regards,

Randy Franklin Smith

 

No comments: