A Robust Solution to Meet Your Every Need
The flagship product of the EventTracker family, EventTracker Enterprise is capabilities-rich, with key features that expand its competences beyond SIEM and log management. These include File Integrity Monitoring, Change Audit, Config Assessment, Cloud Integration, Event Correlation, and writeable media monitoring.
EventTracker Enterprise Features
The EventTracker family offers automatic remediation capabilities that users can configure using scripting, powershell, Visual Basic, and others. Based on correlated events that meet serious or critical thresholds, or that occur after hours, EventTracker Enterprise can be set to take immediate, predefined action. Dozens of predefined remedial actions include:
- Disabling non-white listed USB devices
- Terminating unrecognized executables
- Shutdown and restart services
- Shutdown systems
- Failover cluster
- Shutdown/restart databases
- Terminate runaway process
- After hours policy enforcement (to enforce policy even when you aren’t there)
Available as an option with EventTracker Enterprise, Behavior Analysis enables you to quickly detect and address changes in system and user behaviors. Automatic baseline learning or flexible rules definitions determine your thresholds for alerting on anomalies in your infrastructure. Real-time processing and correlation give you the complete picture of what’s new and different. Track behavior anomalies out-of-the-box for twelve data points including users, admins, systems, processes and more. Behavior Analysis processes, analyzes and correlates inbound audit logs at speeds up to 100,000 per second. It detects log volume deviations based on what’s expected or what you define which enables you to have the most complete understanding of threats and unauthorized use.
The file system and registry of every Windows system is ever-changing. This change may be voluntary or involuntary and happens quickly and often without the user’s knowledge. Under the current Windows OS architecture there is no easy way for the user to understand change, identify change and recover from change.
Change management is a concept by which all system changes are intelligently tracked and reported on demand for the user to analyze, understand, and if needed, recover from change. EventTracker Enterprise alerts you to the critical changes you need to know.
Change detection is also an invaluable tool to help in identifying zero-day attacks because reactive anti-virus and rule-based firewall systems are not a complete defense:
- Malware signatures are changing constantly
- Often the same malware can come back in a slight variation that is enough to elude antivirus systems
- A Zero-Day attack is new and consequently the signature is not available in the antivirus software
Regular security audits on system configuration settings greatly improve the overall security posture of organizations, but without automation this valuable discipline is almost impossible to feasibly perform. EventTracker Enterprise includes an integrated configuration assessment module that enables users to monitor security policies such as FDCC, defined using the eXtensible Configuration Checklist Description Format (XCCDF). These checklists can originate from the National Checklist Program (NCP), NIST, DISA STIGS or from checklists defined internally by the end-user. EventTracker Enterprise comes pre-packaged with over 30 checklists from various sources.
EventTracker Enterprise validates and stores the contents of each checklist in the EventTracker Enterprise Configuration Database and enables these checklists to be run against target systems to test compliance of the configuration. Assessments can be ad-hoc or scheduled to execute daily, enabling compliance to be managed on a continuous basis. The results from each assessment are automatically collected and combined with the information in the appropriate XCCDF profile to produce compliance reports. Reports can be output in html, excel or in OVAL/XCCDF for submission to compliance organizations.
EventTracker Enterprise Configuration Assessment is fully SCAP certified as a FDCC Scanner, Authenticated Configuration Scanner and an Authenticated Vulnerability and Patch Scanner.
EventTracker Enterprise provides enhanced end-point monitoring and security, generating an event when USB/DVD/CD removable media is inserted including the username and device serial number; all file transfers to USB/DVD/CD devices are recorded including the time/date stamp; USB devices can be automatically disabled based on serial number.
File Integrity Monitoring
Monitoring change on the file system and in the system registry of a Windows system substantially improves corporate security and availability.
- Most IT security and operations problems are related to, or result in, an unauthorized or unplanned change on the file system or in the Windows registry.
- A minor change to an executable or library file is often the only clue IT personnel have that something potentially dangerous has happened on the system.
- Compliance regulations such as PCI-DSS require file integrity monitoring change on critical devices
Yet within the Windows architecture it is, for all practical purposes, impossible to detect what was changed, much less who changed it and when.
EventTracker Enterprise’s file integrity monitoring software automatically monitors and detects system change over time and compares these changes with a previously recorded known or trusted state.
The changes are then easily categorized:
- Authorized vs. un-authorized changes vs. harmless system changes
- Business knowledge vs. configuration changes
- Undesired configurations or
- Known vulnerabilities
File Integrity Monitoring for Windows is an effective way to help prevent costly damage from these new attack types.
- Most infections (Sasser, myDoom, Blaster) hide on your system by adding or modifying an exe or dll.
- To become infected, something on the system has to change, and EventTracker Enterprise detects these hidden changes and alerts you.
- EventTracker Enterprise enables you to quickly cut through the sheer number of executables and dll’s with misleading, innocuous names to zero in on the ones that have been added, deleted or modified.
EventTracker Enterprise change audit is fully integrated into the EventTracker Enterprise architecture. EventTracker Enterprise stores all the change audit data as both system snapshots for later comparisons and as events in EventVault. Change events can have rules written against them to trigger alerts or any other action available in EventTracker Enterprise.
Log Collection, Log Monitoring, Log Management & Secure Archiving
EventTracker Enterprise enables automatic, unattended consolidation of millions of events in a secure environment. Incrementally scalable to meet the needs of any size organization, EventTracker Enterprise supports an infinite number of collection points, with each collection point able to process over 100,000 events per second. All this data is identified by the product-based Knowledge Base, which contains detailed information on over 20,000 types of events, and automatically determines which logs are alerts, which are incidents, and which can be ignored.
EventTracker Enterprise Monitors:
- CPU/Disk/Memory Threshold
- Custom applications
- File/folder access
- Mobile devices
- Network devices
- Pre-defined policy templates
- USB and CD/DVD
- Virtual infrastructure
Log Collection includes a flexible, agent-optional architecture providing managed real-time and batch aggregation of all system, event and audit logs. EventTracker Enterprise supports UDP and TCP (guaranteed delivery) log transport and is FIPS 140-2 compliant for transmission of events from agent/collection point to console. Supported log file formats:
- Windows EVT/EVTX
- SYSLOG NG
- SNMP V1/V2
- IIS/IIS W3C/IIS MSID
- FLAT FILE
- W3C LOG
EventTracker Enterprise also has an optimized, high performance event warehouse that is designed for efficient storage and retrieval of event logs. It reliably and efficiently archives event logs from across the enterprise without the need for any DBMS licenses or other overhead costs. And these logs are compressed (over 90% compression ratio) and sealed with a SHA-1 signature to prevent potential tampering.
- Log collection with guaranteed delivery
- Secure transmission for Windows log collection
- Infrastructure log management
- Virtual collection points
- Secure storage in EventVault
EventTracker Enterprise NetFlow Analyzer is a NetFlow collector, analyzer and reporting engine integrated together. EventTracker Enterprise NetFlow Analyzer helps you gain in-depth visibility into you network traffic and its patterns, thus empowering you to investigate, troubleshoot, and quickly remediate network slowdowns.
- Monitor network traffic per interface
- Configure NetFlow Collector with minimal effort Visualize near real-time network traffic
- Break-up summary with visual charts to quickly and easily identify top talkers, applications, and protocols hogging network bandwidth
- Network traffic reports with just a few clicks
- Long-term retention of NetFlow data for trending and capacity planning
- Cost effective
Real Time Alerting
EventTracker Enterprise’s alerting capability enables the user to generate alerts when critical events occur such as security breaches or performance problems. Unlike other alerting solutions EventTracker Enterprise Pulse runs rules against the incoming data stream in real-time enabling timely alert triggering and notification as opposed to running periodic scheduled searches against the event store.
The EventTracker Enterprise Alert Console provides a web-based centralized user interface to define and view all alerts. Alerts can be prioritized and ordered via a user-configurable weighting algorithm so important alerts are always given the attention they require. EventTracker Enterprise provides support for:
- An unlimited number of rule-based alerts
- Configurable graphical views of alert groups (systems, types, importance, etc)
- Customizable event criteria including event-fired automatic actions for any defined event
- Out of the box alerts for the most common predefined alert conditions
- Ability to minimize false positives
- Ability to suppress duplicate notifications
Alert actions include:
- Risk-based incident prioritization
- Incidents dashboard
- Forward to Alert Console
- Email/pager notification
- Execute automated remedial actions (custom scripts)
- RSS Feed
- Forward either SNMP or Syslog message to NOC software like HP/Openview, Tivoli, etc.
EventTracker Enterprise provides powerful and comprehensive analytics and reporting engines to allow users to easily and quickly search, analyze and report on all event data either in real-time, for compliance purposes or as part of a post-incident forensics process. EventTracker Enterprise stores events in their original state and the complete contents are accessible to the user.
The EventTracker Enterprise Analytics engine enables logs to be sliced and diced in real-time or as part of a forensic examination. You have the ability to search complete event descriptions with either Boolean or full PCRE (Perl Compatible Regular Expressions) syntax, quickly drill down to get specific information, define fine-grain custom output formats and export the results of an analysis to excel for further processing.
EventTracker Enterprise reporting allows users to easily report on all event data on either a scheduled or ad-hoc basis. All report templates are included as part of the base product. This includes a powerful report wizard to help you easily create, schedule and generate reports as well as several thousand summary and detail report templates for security, compliance and operations.
- Over 2,000 summary and detail templates for security, compliance and operations
- Compliance Report Packs: SOX 404, GLBA, PCI-DSS, HIPAA, FISMA, NISPOM, NERC, FERC, NCUA, FFIEC, ISO27001, Etc.
- Compliance Reports Review Tracking
- Report templates include Active Directory, security related events, login-logoff events, application related events, domain admin activity, password reset, account lock out, security profile changes, logon failures, system performance, software maintenance activities, trend analysis and more
- Custom Reporting And Analysis
- Pre-Defined Reports
- Report Distribution Via E-Mail
EventTracker Enterprise provides customizable, role-based dashboards that allow organizations to control the information visible to a user based on their role in the organization. It also allows users to remove the information they do not want to see, and rearrange the location of the information on the dashboard. For example, a system administrator may only have access to the information on the ten servers they are responsible for maintaining, while the director of security will see the relevant information concerning the entire infrastructure. It is from this interface that all searches are performed, and detailed information on an event can be accessed. EventTracker Enterprise is designed to make the user experience as easy and efficient as possible.
Search and Forensics Analysis
EventTracker Enterprise offers the most comprehensive and flexible search options in the SIEM/Log Management industry. Period! We have spent 10 years working with hundreds of security and sys admin users to address numerous log search scenarios and use cases. Whether you are responding in real-time to a threat or system issue or looking back in time to piece together a user’s activity spanning months, EventTracker Enterprise Search gets you what you need quickly in a useable format.
- Web-based “Google-like” keyword searching when you are searching for logs recently generated by a user, a system, a specific IP address or a specific event ID. EventTracker Enterprise keyword search immediately returns well formatted columnar log data with the most recent events first. Searchers can instantly drill-in or out, click-to-source through hyperlinks, refine through field-level filtering, time-slice and export results to a spreadsheet.
- EventTracker Enterprise also provides “Google-like Advanced Searching” for phrases, date/time ranges, include/exclude specific keywords, pre-defined categories, operators and wildcard characters or any combination for complex queries of gigabytes of log data.
- EventTracker Enterprise edition also provisions “Trending Today”, a dynamic search taxonomy re-generated daily on all events indexed since midnight. It shows top log sources using a directory tree interface and Cloud Tagging to help you visually spot the active systems, users and events. The same filtering, drill down and exporting abilities for your results sets are here too.
- “EventVault Explorer” also available only with EventTracker Enterprise edition, takes the above and adds fuzzy logic, stemming or SQL searching of subsets of log data for power analysis of off line data cubes. Use popular BI, OLAP and other report writers to search, analyze and represent your target log data the way you need it. This is the ultimate in speed, flexibility and visualization when it comes to log data.
- EventVault Explorer
- Export Search Results
- Indexed Search
- Standard Log Search
Supported Log Sources
With over 10 years of development, EventTracker boasts the largest collection of Knowledge Packs in the industry supporting upwards of 2,000 log sources. Popular platforms include: Windows, UNIX/Linux, z/OS, Solaris BSM, any Syslog (TCP or UDP), SNMP v1/v2, Checkpoint OPSEC LEA, VMware. EventTracker also processes flat files in text, XML, CSV, log4j, W3C, httperr and other formats. Files can be transferred by ftp, sftp, rcp, http or other methods.
Logs from users and admins, applications and databases, USB and writeable media, routers and switches, IDS/IPS, antivirus, mobile devices – even physical security systems and biometric systems are commonly fed to EventTracker. The simplicity of the integration capabilities of EventTracker Enterprise enable the rapid development of Knowledge Packs for new log sources.
For a complete list of currently supported devices click here.
Unified SOC View
MSSPs operating a Security Operations Center SOC) can get a single pane of glass showing risk-prioritized incidents from multiple sites. The intelligence embedded in EventTracker coupled with this feature allows efficient monitoring of threats by junior resources who escalate incidents as needed.This is an invaluable feature for MSSPs who provide service to multiple customers.
Smart Tokens for smart searching
Take advantage of a decade long investment in log knowledge by applying smart tokens to log search results. Extract archive data from compressed storage, smart tokens allow you to immediately see interesting fields and patterns in the results. Our dedicated knowledge team is constantly adding log information from popular products to the token library and so can users. Smart tokens free users from having to frame precise queries, which is something advanced users can do. Empower business users and junior staff to extract meaningful data from data sets. The true challenge of big data is to quickly extract meaningful information – smart tokens are an exciting innovation to satisfy this need.
Threat Intelligence Feeds
Take advantage of integrated list management features to manage internal and external feeds of threat intelligence. Lists, once created, can be updated automatically. Lists can be used to search through log data, thereby clearly seeing if global trends are impacting your network. Open Source feeds such as those provided by the Internet Storm Center Dshield block list, Team Cymru etc can be integrated. List look-up APIs are available for use in remedial actions. This allows efficient creation and use of both black and white lists for processes, IP addresses, services and port numbers. Easily meet NERC requirements to allow only white listed services and ports on critical equipment.
Secure SNMP V3 Support
EventTracker can receive traps and informs in any of v1, v2c or v3. Department of Defense sites or other high security networks mandated to use SNMP v3 can take advantage of this feature. Network equipment that supports this standard such as high end models from Cisco and Juniper are supported. EventTracker can issue notifications of alerts and incidents in various way including as an SNMP v3 INFORM, snmp v1/v2c traps, syslog, e-mail, SMS.