For Immediate Release

Prism Microsystems Unveils EventTracker DriveShield for Preventing “WikiLeaks” and Enhancing Monitoring of USB and Writable Media

EventTracker DriveShield monitors USB, CD/DVD-W

Columbia, MD, August 30, 2011 — Prism Microsystems, a leading provider of comprehensive security and compliance software for the US Department of Defense (DoD) and US Federal Government agencies, today announced the release of EventTracker DriveShield, an easy-to-deploy solution designed to provide visibility to files copied to USB devices or burned to CD/DVD-W drives.

Designed in response to “WikiLeaks” and similar data breach incidents and the processes that were implemented afterwards, EventTracker DriveShield protects important information by monitoring users with access to sensitive data — while alerting preventing and reporting, improper transfers to writable media.

EventTracker DriveShield monitors USB devices and writable media that are inserted or removed, as well as change activities for these devices, including any file adds, modifications, deletions, or copies that are made, recording the time and date, location, and the user name.   This information is then available in real time alerts, and in dashboards and summary or detailed reporting from the console.   EventTracker DriveShield can also disable USB devices based on white listing the serial numbers.

This solution enables the DoD and Federal civilian agencies to utilize the convenience, portability and storage capacity of removable media, while complying with reporting, security and compliance requirements.

“What good is technology if you can’t use it safely and efficiently?   Many government organizations have banned the use of these types of portable storage technologies and are going back to paper to print and distribute manuals and training materials. This is unfortunate, costly and inefficient. EventTracker DriveShield allows the safe use of writable media USB and CD/DVD and while actually improving security,” said Prism Microsystems CEO A.N. Ananth.

EventTracker DriveShield available through GSA resellers holds the following certifications:

Common Criteria EAL-2

US Army Certificate of Networthiness


FIPS 140-2

About Prism Microsystems

Prism Microsystems delivers business critical solutions that transform high-volume cryptic log data into actionable, prioritized intelligence that will fundamentally change your perception of the utility, value and organizational potential inherent in log files. Prism’s leading solutions offer Security Information and Event Management (SIEM), real-time Log Management, and powerful Change and Configuration Management to optimize IT operations, detect and deter costly security breaches, and comply with multiple regulatory mandates. Visit for more information.

Press Inquiries:
Joanne Hogue
(410) 658-8246

Why are Workstation Security Logs so Important?

No one needs to be convinced that monitoring Domain Controller security logs is important; member servers are equally as important: most people understand that member servers are where “our data” is located. But I often face an uphill battle helping people understand why workstation security logs are so critical.

Frequently I hear IT administrators tell me they have policies that forbid the of storing confidential information locally. But the truth is, workstations and laptops always have sensitive information on them – there’s no way to prevent it. Besides applications like Outlook, Offline Files and SharePoint workspace that cache server information locally, there’s also the page file, which can contain content from any document or other information at any time.

But even if there were no confidential information on workstations, their security logs are still very important to an enterprise audit trail, forensics and for detecting advanced persistent threats. There’s a wealth of audit trail information logged by workstations that can’t be found anywhere else and consequently a host of questions that can only be answered by workstation logs.

First of all, if you care about when a user logged off, this information can only be found in the workstation’s security log. Domain controllers audit the initial authentication during logon to a workstation but essentially forget about the user thereafter. Logoff times cannot be determined based on shared folder connections because Windows does not keep network logons open to file servers between file accesses. So, during logout from Windows, the only computer on the network that logs this is the workstation.

And what about logon failures? Yes, domain controllers do log authentication failures but the events logged are tied to Kerberos and the error codes are based on RFC 1510’s failure codes. Kerberos failure codes are not as granular and do not map directly to all the reasons a logon can fail in Windows. Therefore some authentication failure codes provided in event IDs 4768 and 4771 can mean any one of several possible reasons. For instance, failure code 0×12 which Kerberos defines as “Clients credentials have been revoked” can mean that the logon failed due to the account being disabled, locked out or outside of authorized logon hours.

With today’s focus by bad guys on the endpoint it’s also important to know if someone is trying to break into a workstation. If the attacker is breaking into the workstation with a domain account, the evidence of this can be found in the domain controller security logs by looking for the same to events mentioned above. However workstations also have local accounts and these are big targets for attackers since local accounts are often poorly secured and tend to fly under the radar in terms of security monitoring. When you attempt to logon to a workstation with a local account, this activity is not logged on the domain controller. Since the authentication is being handled locally the event is also logged locally in the form of event ID 4776. The event description can be confusing; it reads: “The domain controller failed to validate the credentials for an account.” What it should actually say is “the system” instead of “domain controller” because this event is logged on all types of computers.

Files that a user accesses on file servers with file system auditing on those servers can be tracked, but an audit trail of what programs were being executed by the user is logged on workstation security logs. During forensic investigations I’ve found that knowing what programs a user ran and for how long can be crucial to documenting what actually occurred. Furthermore, many of the advanced persistent threat (APT) attacks being waged depend on malicious executables run on end user workstations. You can’t afford not to have a record of what’s running on your endpoints. Unfortunately, the Process Tracking (aka Detailed Tracking) category only logs programs run on the local computer therefore no information about end user desktop program usage is available in domain controller or member server security logs. The only process events logged on servers are the actual server programs that execute there.

There’s a lot of critical audit trail information only available if auditing is enabled on the workstations. Of course enabling auditing on workstations is one thing while collecting logs from thousands of additional computers is another. There are some very important workstation security events which Windows auditing does not record. For instance, Windows does not audit when devices or removable storage like flash drives are connected or disconnected, and it does not record what files are transferred to or from the removable storage, nor does Windows audit the installation of software.

Workstations are really just as important as any other component of a secure network. If an attacker can compromise the workstation of a user with access to critical information the attacker can impersonate that user and access any information or applications that user has access to on the network. Even workstations of users without access to sensitive resources are important because attackers, especially in APT, scenarios are happy to start with any endpoint as beach head and attack other systems from there. Moreover workstations are arguably the most vulnerable components of your network since they process so much content from the Internet connected with web browsing and email, because they come into contact with potentially infected files on removable storage and because they connect to other insecure networks like Wi-Fi hotspots.

In a webinar I will present later this year in cooperation with Prism Microsystems I’ll delve more deeply into these issues and how to address them. It’s important that we educate decision makers about why endpoint security and audit logs from endpoints are so important. We have to get beyond the mainframe inspired mindset that security only matters on the centralized systems where critical data resides. Be sure to register for this event and invite your manager.

How do retailers follow PCI DSS Compliance?

Security and Compliance At Talbot’s

Talbots is a leading multi-channel retailer and direct marketer of women’s apparel, shoes and accessories, based in Tampa, Florida. Talbots is well known for it’s stellar reputation in classic fashion. Everyone knows to look to Talbots when it is time to buy the perfect jacket or a timeless skirt.

Talbots customers are women in the 35+ population that shop at their 568 stores in 47 states, catalogs and online at Approximate sales for Talbots in 2010 were $991 million.

With its multi-pronged approach to reaching its customers, Talbots must be constantly vigilant in maintaining its records, having access to reports at any time and making sure it is up-to-date with its Payment Card Industry Data Security Standard (PCI DSS compliance). PCI DSS is a set of requirements designed to ensure that companies that process, store or transmit credit card information maintain a secure environment for the information throughout the transaction process. It was the pursuit of the highest-level of PCI DSS compliance that brought EventTracker to Talbots’ attention.

For the full Talbot’s case study click here.