To protect companies and customers from data loss or theft, many industries and government organizations are subject to regulatory compliance requirements. The 2013 Gartner CEO Survey ranked regulatory change as the second-highest overall business risk.
A common theme across compliance standards is auditing user activity, particularly access to confidential customer data. This can be a time-consuming and laborious process, but non-compliance can mean heavy penalties and fines, in addition to loss of reputation and customer goodwill.
EventTracker's solutions help to automate the steps each standard requires to achieve compliance and to maintain it going forward. With EventTracker, organizations can secure the environment, establish a baseline, track user activity, alert on potential violations, and generate audit-ready reports.
CISOs and CIOs are charged with improving the state of information security across the federal government and commercial organizations, and they are spending increasing amounts of money to secure their systems. Securing those systems is enormously complex, however, so attention and resources need to be focused on the most critical risk (and therefore highest-payoff) areas.
The Consensus Audit Guidelines are a first step toward giving technical system administration and information security personnel specific guidance to ensure that their systems have the most critical baseline security controls in place. The controls draw on the knowledge gained from analyzing the myriad attacks being successfully launched against federal systems, industrial-base systems, and commercial networks.
See a complete Mapping of EventTracker Reports and Alerts to SANS Consensus Audit Guidelines
Control 1: Inventory of Authorized and Unauthorized Devices
StatusTracker auto-discovers network assets, including well-known applications. Discovery can be run on demand or automatically on a schedule. Once an asset is discovered, its up/down status is checked periodically, and changes in status are reported and generate alerts.
The USB/CD/DVD monitoring capability of the EventTracker Agent for Microsoft Windows is an essential control. Any USB device that includes mass storage is reported as inserted or removed, any data copied to it can be recorded, and individual devices can be blocked based on their serial number.
Control 2: Inventory of Authorized and Unauthorized Software
The EventTracker Agent for Microsoft Windows monitors and reports the installation or removal of any software. The Change Audit feature detects changes to monitored files and folders and is often critical in detecting new software that is dropped onto the system without going through an installer. The same feature also detects changes to any registry entry.
Control 3: Secure Configurations
EventTracker is a NIST-certified SCAP scanner. Assessment baselines available include those from NIST, DISA, Microsoft, CIS, and USGCB.
An editor is available whereby standard baseline configurations can be tweaked as needed.
Control 5: Malware Defenses
EventTracker monitors the status of anti-virus applications, including their logs and service status, and restarts their services as needed. All software installation and removal is detected. Insertion of USB devices and related activities are tracked. Integration is available with HBSS, McAfee ePolicy Orchestrator, Snort, and Imperva DAM.
Control 6: Application Software Security
Application software security is supported by receiving and processing application log files in a variety of formats, including log4j, text, CSV, XML, evt/evtx, and W3C. Changes to application .exe or .dll files or to registry entries are detected by the Change Audit feature. A policy editor is available to define golden baselines and report deviations from them.
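The change-detection idea behind Controls 2 and 6 (a golden baseline of monitored binaries, with additions, modifications and removals reported) can be illustrated with a small file-integrity check. This is an added example and not EventTracker's Change Audit implementation; the monitored extensions, the sample directory tree and the "trojaned" edits are all constructed here for illustration.

```python
"""File-integrity baseline and deviation report (added example, not EventTracker code).

Hashes a directory tree into a golden baseline, then reports files that were
added, modified or removed since. A binary dropped onto the host without an
installer shows up as "added"; a patched DLL shows up as "modified".
"""
import hashlib
import os
import tempfile

# Assumption: only executable content is monitored; text files are ignored.
MONITORED_EXTENSIONS = (".exe", ".dll")


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, extensions=MONITORED_EXTENSIONS):
    """Map relative path -> (sha256, size) for monitored files under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if extensions and not name.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (hash_file(full), os.path.getsize(full))
    return snap


def diff(baseline, current):
    """Compare a golden baseline with a fresh snapshot and classify deviations."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline.keys() & current.keys() if baseline[p][0] != current[p][0]
    )
    return {"added": added, "removed": removed, "modified": modified}


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed app folder, baseline it, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        os.makedirs(app)
        _write(os.path.join(app, "app.exe"), b"MZ original")
        _write(os.path.join(app, "helper.dll"), b"MZ helper")
        _write(os.path.join(app, "readme.txt"), b"not monitored")
        golden = snapshot(root)

        # Constructed tampering: dropped binary, patched DLL, deleted EXE,
        # and an edited text file that the monitor is configured to ignore.
        _write(os.path.join(app, "dropper.exe"), b"MZ dropped")
        _write(os.path.join(app, "helper.dll"), b"MZ helper trojaned")
        os.remove(os.path.join(app, "app.exe"))
        _write(os.path.join(app, "readme.txt"), b"changed")

        return diff(golden, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline itself must be stored where the monitored host cannot rewrite it (the agent forwarding hashes to the collector, as the page describes, is one way to achieve that); a baseline kept on the same disk can simply be regenerated by whoever dropped the binary.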
Control 7: Wireless Device Control
EventTracker monitors a variety of wireless devices, including routers, access points, wireless intrusion detection systems, network access control solutions, and Microsoft Exchange ActiveSync. As smartphones and tablets proliferate in the enterprise, Exchange and SharePoint are often the critical access point. EventTracker can detect the application of policy to such devices and their remote wipe via Exchange 2007/2010.
Control 11: Limitation and Control of Network Ports, Protocols, and Services
StatusTracker auto-discovers network assets, on demand or on a schedule, including port scanning to determine the associated applications. Changes are reported and can generate alerts. The EventTracker Windows Agent monitors services and can be configured to alert when ports or services that are not on a whitelist are started. This feature has been used extensively by energy utilities that are subject to NERC requirements.
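The whitelist check described for Control 11, as an added example that is not EventTracker's own code: it parses constructed Windows System log records in the shape of Event ID 7045 ("A service was installed in the system") and constructed `netstat -ano` output, then flags any service or listening port not on a site-approved list. The whitelists, the sample records and the "standard install path" heuristic are assumptions for illustration.

```python
"""Whitelist check for newly installed services and listening TCP ports.

Added example, not EventTracker code. Sample log records and netstat output
are constructed; the whitelists are assumptions for this host.
"""
import re

# Assumed site whitelist: service names an administrator has approved.
ALLOWED_SERVICES = {"Spooler", "W32Time", "EventTrackerAgent"}
# Assumed site whitelist: TCP ports this host may listen on.
ALLOWED_PORTS = {135, 445, 3389}

# Constructed sample: flattened Service Control Manager Event ID 7045 messages.
SAMPLE_7045 = [
    "EventID=7045 Service Name: Spooler Service File Name: C:\\Windows\\System32\\spoolsv.exe "
    "Service Type: user mode service Service Start Type: auto start",
    "EventID=7045 Service Name: UpdaterSvc Service File Name: C:\\Users\\Public\\upd.exe "
    "Service Type: user mode service Service Start Type: auto start",
]

# Constructed sample: lines in the shape of `netstat -ano` output.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.5:49812         10.0.0.9:445           ESTABLISHED     4
"""

SERVICE_RE = re.compile(
    r"Service Name:\s*(?P<name>.+?)\s+Service File Name:\s*(?P<path>.+?)\s+Service Type:"
)
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)"
)

# Assumed heuristic: service binaries normally live under these prefixes.
STANDARD_PREFIXES = ("c:\\windows\\", "c:\\program files")


def parse_7045(line):
    """Extract service name and binary path from a 7045 record, or None."""
    m = SERVICE_RE.search(line)
    if not m:
        return None
    return {"name": m.group("name").strip(), "path": m.group("path").strip()}


def unapproved_services(lines, allowed=ALLOWED_SERVICES):
    """Return (name, path, reasons) for every newly installed service that fails policy."""
    alerts = []
    for line in lines:
        rec = parse_7045(line)
        if rec is None:
            continue
        reasons = []
        if rec["name"] not in allowed:
            reasons.append("service not on whitelist")
        if not rec["path"].lower().startswith(STANDARD_PREFIXES):
            reasons.append("binary outside standard install path")
        if reasons:
            alerts.append((rec["name"], rec["path"], reasons))
    return alerts


def unapproved_listeners(netstat_text, allowed=ALLOWED_PORTS):
    """Return (port, pid) for every LISTENING TCP socket not on the port whitelist."""
    alerts = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        port = int(m.group("port"))
        if port not in allowed:
            alerts.append((port, int(m.group("pid"))))
    return alerts


if __name__ == "__main__":
    for name, path, reasons in unapproved_services(SAMPLE_7045):
        print(f"ALERT service {name} ({path}): {', '.join(reasons)}")
    for port, pid in unapproved_listeners(SAMPLE_NETSTAT):
        print(f"ALERT unapproved listener tcp/{port} pid {pid}")
```

Checking the binary path as well as the service name matters because an attacker can register a service under an approved-looking name; the name whitelist alone would pass it, the path check would not.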
Control 12: Controlled Use of Administrative Privileges
EventTracker profiles the behavior of users with administrative privileges across many environments, including Windows, Unix, VMware, and firewalls from Cisco, Fortinet, Check Point, and Juniper. New users and out-of-the-ordinary behavior are detected and reported. A large number of reports are available, which can be run on a schedule or generated on demand.
Control 13: Boundary Defense
EventTracker receives and processes log data from all popular firewalls, including Cisco, Check Point, Fortinet, ZyWALL, Juniper, and NetScreen. Built-in knowledge packs are used to process the logs and generate alerts. Support is also available for many IDS/IPS systems including Snort, remote access solutions including Cisco and Juniper VPNs, and proxy devices such as Blue Coat.
The EventTracker Windows Agent monitors all TCP connections to and from the host and can alert on suspicious traffic.
Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs
This is a primary function of EventTracker and comprehensive features are available for receiving, processing, archiving and alerting/correlation of log data from a very wide variety of log sources.
Control 15: Controlled Access Based on the Need to Know
EventTracker can monitor critical file and folder access and alert both when access is denied and when access is unexpected. It also monitors all successful and failed logon attempts to every server, whether local or remote. All administrator and user activity can be monitored.
Control 16: Account Monitoring and Control
EventTracker monitors both user and administrator account activity. It can learn normal behavior over a defined training period and then report or alert on first-time-seen or out-of-the-ordinary conditions. Detailed reports on user activity are available, covering login, file/folder access, printing, USB activity, and more.
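The training-period approach described for Controls 12 and 16 (learn what is normal, then alert on the first-time-seen) is illustrated below. This is an added example and not EventTracker's behavior-learning code; the event records are constructed to mimic the fields of Windows Security Event ID 4624 (successful logon) and 4672 (special privileges assigned to a new logon), and the training cutoff is an assumption.

```python
"""First-time-seen account activity after a training period (added example, not EventTracker code).

Learns, per account, which (workstation, logon type) pairs and which privilege
assignments were seen during training, then flags anything new afterwards.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, event_id, account, workstation, logon_type).
# 4624 = successful logon, 4672 = special privileges assigned (administrative logon).
EVENTS = [
    ("2013-06-03T08:01:00", 4624, "alice", "WS-ALICE", 2),
    ("2013-06-03T08:05:00", 4624, "bob", "WS-BOB", 2),
    ("2013-06-04T08:02:00", 4624, "alice", "WS-ALICE", 2),
    ("2013-06-04T09:10:00", 4624, "alice", "FILESRV01", 3),
    ("2013-06-05T08:00:00", 4624, "bob", "WS-BOB", 2),
    ("2013-06-05T18:30:00", 4672, "svc_backup", "BACKUP01", 5),
    # training ends 2013-06-07 (assumed cutoff)
    ("2013-06-10T08:03:00", 4624, "alice", "WS-ALICE", 2),   # seen in training: quiet
    ("2013-06-10T02:14:00", 4624, "alice", "DC01", 10),      # new host and RDP logon type
    ("2013-06-10T02:15:00", 4672, "alice", "DC01", 10),      # alice never held admin rights before
    ("2013-06-11T08:00:00", 4624, "mallory", "WS-BOB", 2),   # account never seen at all
]

TRAINING_END = datetime.fromisoformat("2013-06-07T00:00:00")  # assumption


class Baseline:
    def __init__(self):
        self.accounts = set()                # every account seen in training
        self.pairs = defaultdict(set)        # account -> {(workstation, logon_type)}
        self.privileged = set()              # accounts that received 4672 in training

    def learn(self, events, training_end=TRAINING_END):
        """Populate the baseline from events before the training cutoff."""
        for ts, eid, acct, ws, ltype in events:
            if datetime.fromisoformat(ts) >= training_end:
                continue
            self.accounts.add(acct)
            if eid == 4624:
                self.pairs[acct].add((ws, ltype))
            elif eid == 4672:
                self.privileged.add(acct)
        return self

    def evaluate(self, events, training_end=TRAINING_END):
        """Return (timestamp, account, reason) for post-training events not in the baseline."""
        alerts = []
        for ts, eid, acct, ws, ltype in events:
            if datetime.fromisoformat(ts) < training_end:
                continue
            if acct not in self.accounts:
                alerts.append((ts, acct, "first-time-seen account"))
                continue
            if eid == 4624 and (ws, ltype) not in self.pairs[acct]:
                alerts.append((ts, acct, f"first logon from {ws} with type {ltype}"))
            if eid == 4672 and acct not in self.privileged:
                alerts.append((ts, acct, "first-time-seen administrative privilege use"))
        return alerts


def run(events=EVENTS):
    """Train on the early records, then evaluate the later ones."""
    return Baseline().learn(events).evaluate(events)


if __name__ == "__main__":
    for ts, acct, reason in run():
        print(f"{ts} {acct}: {reason}")
```

The caveat a practitioner should keep in mind: anything that happens during the training window becomes "normal". If an attacker already has a foothold when training starts, their logons are learned as baseline, so the learned profile should be reviewed against the known account inventory before alerting is switched on.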
Control 17: Data Loss Prevention
EventTracker monitors all network and object access, and all logs that describe this access are securely stored. The EventTracker Windows Agent detects the insertion or removal of any USB device with mass storage, including USB sticks, smartphones, tablets, and portable hard disks, and all activity on such devices can be monitored. Unauthorized devices can be blocked by serial number. Insertion and removal of CDs/DVDs is also detected, and a list of all files copied to such media is recorded. The launch of popular CD-burning packages such as Nero or Roxio can be detected and reported in real time.