Welcome to Log Talk

Welcome to Log Talk, the Prism Microsystems blog that provides active commentary and insight on all things related to Log Management and Analysis. Postings on this blog are intended to provide a mix of actionable tips and knowledge to help you leverage your log data as well as provide advice on compliance and security implementations. Whether you’re a customer or not, we are interested in hearing your opinions and experiences as well. Do you do Log Management? If not, why? If yes, what is your primary purpose for doing so – Compliance, security, systems management? We hope to uncover all this and more and hopefully facilitate some interactive discussion. Please note however that we do reserve the right to remove offensive and/or irrelevant comments.

On an aside, check out this article by Ananth on ‘rightsizing your compliance data gathering’ for some great advice to keep in mind when implementing a compliance strategy.

More posts coming soon!

– Harmala

Compliance audit got you nervous? It doesn’t have to be that way

Log Management and Compliance 

In past articles, I’ve covered how log management helps with operations and incident response, all in a distinctly “Pragmatic” way. This month we are going to address what I consider to be the 3rd leg of the stool – compliance.

Security professionals have a love/hate relationship with compliance. They love the fact that compliance is a board level issue and it has visibility within all parts of the organization. It has dramatically increased the perception of the value that security provides and has made getting funding for large-scale security projects much easier.

But then there is the audit. That one word – A-U-D-I-T, can strike fear into the heart of the oldest and most battle-weary security pro. They think to the classic torture scene in Marathon Man, where the bad guys use a dental drill. And it usually goes on for 3 days or more. Most security folks go into an audit in full battle regalia, spewing acrimony and expecting misery. I’m here to tell you that it doesn’t have to be that way.

The first thing you need to understand is that the auditor is after the same thing that you are, which is to protect the assets of the organization. I know it’s hard to believe, but they have your company’s best interests in mind when they put you through the wringer. They are responsible, so if a major issue happens and the auditors have missed it – THEY ARE LIABLE TOO. So don’t take it personally, they are trying to cover their hind sections like everyone else.

So what is the absolute best way to help the auditors feel good that your company’s stuff is protected? You need to give the auditor the feeling that you are in control. If you aren’t, then you better give the perception that you are. In most cases, especially with a subjective assessment, perception is reality.

In my book, The Pragmatic CSO, I go through how your audit should work. I’ll summarize that quickly. Since we are trying to set the perception that we are in control, we need to treat the auditor as a peer. You need to talk to them in business language. Show them how your security program works and what controls you have implemented. If you treat the auditor as the enemy or as a technical wonk, they’ll return the favor – and that’s not a good thing.

Be candid about any incidents you’ve had and what you did to both isolate the root cause of the attack, as well as make sure it doesn’t happen again. Also be sure to go over the changes you’ve made to your environment based on the findings of the last audit. You don’t want to forget to show the auditor that you actually listened the last time they spoke.

Notice I haven’t said the term log management yet. The real hope is that you don’t need to go into granular levels of details about firewall configs and the like. By seeing your security program, checking out your security architecture, and going through an incident post-mortem the auditors get that perception that you are in control. They may look at your other stuff, but at that point it’s the rubber stamp committee. They know you can do the job, so they are just verifying so they can fill out their checklist.

That’s the optimal case, and it does happen, but not every time. Sometimes the auditor will be “difficult.” They’ll want to see lots of data. They’ll want to see things for themselves. They don’t believe you. Don’t take this personally; the reality is some auditors are just like that. So you’ll want to be able to substantiate what you are doing and one of the best ways to do that is to pull data out of your log management platform.

Using data you are already gathering for operational and incident response, you can show what happened and what didn’t happen. Your log data can provide lots of detail about specific devices, databases and/or applications. You can also pull regulatory-specific reports showing who accessed what.

Since PCI is the most specific of the general security-oriented regulations, let’s see how log data you are collecting can meet a bunch of the PCI requirements.

  • Requirement 1 – Firewall: Your firewall logs can confirm configuration, as well as what activity has happened on the device.
  • Requirement 3 – Protect stored cardholder data: You can pull logs from applications and show that only authorized parties accessed the database with private information.
  • Requirement 5 – Use and update anti-virus: You can show, via logs, that AV is installed and updated on every device on the network.
  • Requirement 7 – Restrict access to cardholder data: Log data can show which requested sessions were NOT authorized, thus proving that you restrict access to the cardholder data.
  • Requirement 9 – Restrict physical access to data: Amazingly enough, you can also pull logs from your physical security system, which shows who entered the restricted facilities and when.
  • Requirement 10 – Track and monitor all access (this is the big one): This one requirement specifically calls for log management. As if you needed another reason to seriously consider more effectively managing your logs.

I’m sure in some way, shape or form the other requirements can also be substantiated with log data as well. But the point is, you can gather all this data, correlate it, reduce it and present it manually. That sounds like a lot of fun. Or you can put in place a log management platform to do a lot of this work, in a scalable, leveraged, and automated fashion. The choice is yours.

To be clear, acing an audit is about more than just gathering log data and being able to present it effectively. But in those instances where the auditor wants lots of data and excruciating detail, you’ll be glad you’ve been keeping those logs and now can actually use them.

4 Steps to Compliance

Keep these steps in mind while putting together a compliance strategy.

Industry News

Removable Devices: The menace within

Handheld USB devices have been a godsend to anyone who wants to take information from one PC to another, but their ease of use also has created a new type of security headache for companies.  

Featured Success Story

EventTracker at San Bernardino County Superior Court

Cool Tools

Prism Microsystems and the EventTracker Support Team announce a new Webinar series to help you get the most out of your EventTracker investment. Each Tuesday, beginning November 6, the EventTracker Support Team will present a brief 20-30 minute “how-to” focused on a specific function of EventTracker.

How to Disagree with Auditors; New EventTracker 6.0 and more

Log Management and Incident Response

I’m going to let you in on a little secret. It’s a tough message to get, but part of being Pragmatic is not deluding yourself about what you can and can’t do. The cold harsh reality of today’s information security environment is that you will be compromised. I don’t know whether it will be tomorrow, next Tuesday, or some other time in the future, but it will happen. There are just too many legitimate attack vectors, too many restrictions on what we can and can’t do, and too many limitations on budget and resources to ever be “truly secure.”

The good news is that all is not lost. What we do as information security professionals still matters, even though at some point you’ll have an incident. Here’s another secret for you: The way you deal with the inevitable incident will make the difference between being a hero and a goat. Heroes figure out how to contain the damage and make the incident into a learning experience for the organization.

Goats dust off their resume and hope they can get another gig.

One of the first things I counsel my user clients on is to develop a structured, documented and heavily practiced incident response plan. Most security professionals feel they are too busy to actually write stuff down, but there are a lot of reasons formality is a must when dealing with incident response. For a very detailed description of the Pragmatic incident response process, check out my book – The Pragmatic CSO at www.pragmaticcso.com.

In a nutshell, I advise you to build an “Incident Playbook” that details exactly what is going to happen if/when you are compromised. Here is a very high level structure to the plan.

  • Section 1: Containment – This section specifies what happens in the event of an issue. Do you disconnect the specific device or the entire network? Do you patch all devices immediately, add a new IPS rule, turn off exposed applications or take some other remediation actions? The point is you have a problem, and you don’t want your team (or yourself) to freeze when you need to be taking action. So script out the first few “plays” in your playbook and make sure you can execute on these during trying times.
  • Section 2: Notification – Depending on the nature of the incident, you may need both an internal and external component to the notification plan. First, nail down the internal stuff. When do you go to the CIO? When do you consult the general counsel? What about the CEO and entire senior team? Then deal with the external notification process. How and when do you tell customers about a potential privacy breach? These questions must all be answered BEFORE you have an issue.
  • Section 3: Law Enforcement – You also want to have defined (and agreed upon) times when law enforcement will be brought into the situation. If you detect a criminal activity, obviously you want the cops (or special agents) involved sooner rather than later. But you want to make sure you aren’t just subjectively deciding when to notify the authorities.

I’ll also remind you that practice makes perfect. Seriously, we’re not just talking about Little League here. The Incident Playbook won’t be worth the paper it’s written on if you or your team bungles the response when you are playing for keeps. So practice, practice and then practice some more.

Since this column is about log management and incident response, let me talk a bit about the documentation required to handle incidents effectively. Basically there are two aspects where log management will prove an invaluable tool in your IR arsenal. The first is operational. Once you identify that you have a problem, you can use your log information to quickly pinpoint the problem, contain the damage, and ultimately remediate the issue. I discussed the Pragmatic operational security techniques that leverage log management last month.

Secondly, log information will prove invaluable as you (or a forensic specialist and/or law enforcement) investigate the compromise and try to figure out what happened and build a case against the perpetrators. Actually, in some cases your internal HR and legal team may suggest you just monitor the situation in order to gather even more evidence that could be used. In either case, the log files indicating what the perpetrators did and when will be critical to building up the evidence you need.

So what? You are already gathering log files, so what’s the big deal? Why do you need a purpose-built log management platform? Basically, your evidence needs to stand up in court. So you can’t risk having any of your logs roll over, because then you’d lose the data. Or even worse, having the logs tampered with to hide any tracks the attackers may leave, so that even though you have the data, it doesn’t stand up in court.

This last point is one of the most important drivers for a separate log management infrastructure. A commonly used technique by the hackers is to cover their tracks by going into the logs of a compromised machine or application and altering the log files to remove any evidence they were there. If you are sending the log records in real time to a separate environment, there is no chance for tampering and inconsistencies will be identified very quickly.

Moreover, the log management infrastructure should be sequencing and hashing the log records to cryptographically prove that the logs have not been tampered with. This again is critical should your case ever be told in front of a jury. Secure logs provide much of the evidence needed to bring perpetrators to justice and make sure the charges stick.

The sad truth is that by the time most organizations realize they have an issue and that they need to be gathering log data in a secure fashion, it’s too late. Once the log files roll, the data is gone. Once the attackers have altered the logs, you can’t figure out what happened. It’s never too early to start gathering data that will be useful when your number comes up and you get compromised.

It will happen. At some point your luck will run out and wouldn’t you rather be the hero, who contains the damage and provides the data to facilitate a comprehensive investigation? I know I would.

Industry News

EventTracker 6.0 launches; offers unprecedented scalability and flexibility to geographically-dispersed enterprises

The new release delivers major architectural and performance enhancements, more powerful analysis features, and a redesigned reports console that provides audit-friendly workflows for a pain-free compliance audit.

The case for automated Log Management in meeting HIPAA compliance

The right log management solution, used in conjunction with internal procedures and policies, provides Covered Entities with the capability to have a strong, yet cost effective compliance strategy in place, and to easily demonstrate adherence to external auditors.

Hot Topics

Dissecting Compliance Workflow Processes

Building and maintaining a compliance workflow process sounds daunting, but it’s not all that different from other enterprise business processes.

Featured Success Story

Arch Insurance demonstrates Sarbanes-Oxley compliance to external auditors and improves security posture with real-time monitoring of critical systems and user-activity tracking.

Optimize IT operations, pinpoint vulnerabilities

Log Management and Pragmatic Operations

Last month, I introduced the concept of the Pragmatic CSO methodology, a 12-step program to help security professionals overcome their addiction to throwing new products at every new attack vector and security problem. Additionally, the process helps security professionals build a value proposition, interface with senior management more effectively, and run their security operation as a business. As a high level construct, the 12 steps are helpful, but ultimately security professionals need to do something, and that’s what we are going to discuss this month.

The next step in the journey is to understand how Pragmatic CSOs operate their businesses and stay on top of what is a seemingly infinite attack surface, with new innovative threats appearing pretty much every day. We’ll wrap that around to how leveraging log management helps you keep your environment secure.

The operational disciplines of running your security business are discussed in Step 7: Operations and Monitoring of the Pragmatic CSO. The approach is largely predicated on understanding what is happening on your network. Many organizations have no idea what is going on with their networks. Seriously. So they have no way to know that they’ve been compromised. That is until it becomes painfully obvious, and that is way too late.

I don’t know a lot, but I can tell you if you don’t have a very clear idea about what is “normal” on your network, you will have a hard time figuring out when something is NOT normal. Determining these anomalies is the first step in figuring out if you have a problem in your environment. That is the first clue to the fact that you’ve been had.

Nowadays, the attack surface is pretty much infinite, so the idea of protecting every flank is neither practical nor achievable. Thus, the idea of “getting ahead of the threat” is bunk. The best we can hope for is to REACT FASTER when we identify an issue. I’ve alluded to how you react faster above, but let me be more specific. We’ve got to baseline the environment, make sure the baseline is clean (so we aren’t normalizing on a compromised environment), and then monitor to detect when something is not “normal.”
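As an added example (my own illustration, not EventTracker code) of the baseline-then-monitor idea above, including the point about making sure the baseline is clean: the hourly counts are constructed, and a robust median/MAD baseline is compared with a plain mean/standard-deviation one, so that a burst already present in the baseline window is surfaced instead of being normalised as “usual.”

```python
"""Baseline-then-monitor on one host's failed-logon count per hour.

Added example, not EventTracker code. The counts are constructed. A robust
baseline (median and median absolute deviation, MAD) is used so that a burst
that was already under way when the baseline was taken is surfaced as "not
normal" instead of being folded into the definition of normal."""
from statistics import mean, median, stdev

# Constructed baseline window: failed logons per hour over 24 hours for one
# server. Hour 14 holds a burst that was already happening during baselining.
BASELINE_COUNTS = [2, 1, 0, 0, 1, 3, 5, 8, 6, 7, 5, 6,
                   4, 5, 140, 6, 5, 4, 3, 2, 2, 1, 1, 0]


def robust_baseline(counts):
    """Median and MAD of the baseline; a few poisoned samples barely move them."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med, mad


def robust_threshold(counts, k=4.0, floor=3.0):
    """Counts above this are 'not normal'. The floor stops a very quiet host
    (MAD of 0) from alerting on a single extra failure."""
    med, mad = robust_baseline(counts)
    return med + max(k * mad, floor)


def naive_threshold(counts, z=2.0):
    """Mean plus z standard deviations, for comparison: one burst in the
    baseline inflates the standard deviation and hides later bursts."""
    return mean(counts) + z * stdev(counts)


def unclean_baseline_hours(counts, k=4.0, floor=3.0):
    """Hours in the baseline window that are themselves anomalous; a non-empty
    result means the baseline should be investigated and re-taken."""
    limit = robust_threshold(counts, k, floor)
    return [hour for hour, c in enumerate(counts) if c > limit]


def is_anomalous(count, counts, k=4.0, floor=3.0):
    """Monitoring step: compare a new hour's count with the robust threshold."""
    return count > robust_threshold(counts, k, floor)


def rebaseline(counts, k=4.0, floor=3.0):
    """Drop the unclean hours and return the cleaned baseline window."""
    bad = set(unclean_baseline_hours(counts, k, floor))
    return [c for hour, c in enumerate(counts) if hour not in bad]


if __name__ == "__main__":
    print("unclean baseline hours:", unclean_baseline_hours(BASELINE_COUNTS))
    print("robust threshold:", robust_threshold(BASELINE_COUNTS))
    print("naive threshold:", round(naive_threshold(BASELINE_COUNTS), 1))
    new_hour = 40  # constructed: a new burst, smaller than the poisoned hour
    print("robust flags 40:", is_anomalous(new_hour, BASELINE_COUNTS))
    print("naive flags 40:", new_hour > naive_threshold(BASELINE_COUNTS))
    print("after rebaseline, unclean hours:",
          unclean_baseline_hours(rebaseline(BASELINE_COUNTS)))
```

With the poisoned hour in the window, the mean/stdev threshold sits above 60 failed logons and lets a 40-per-hour burst through, while the median/MAD threshold flags both the burst and the poisoned baseline hour itself.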

This idea of “looking forward” has proven to be very effective in combating both known attacks, as well as those new, innovative attacks that make practitioners crazy. But once you determine something bears more investigation, what then? It’s critical to complement the ability to look forward with a capability of “looking back” to investigate an issue, identify the root cause and remediate the problem.

Since we are trying to react faster, the sooner we can investigate the issue, the better it will be for our ability to contain potential damage. The good news is that a lot of the information we need to investigate these issues exists. Amazing, eh? You’ve got pretty much everything you need to get to the bottom of the issue in your logs.

Yes, your logs. Pretty much every device, server, application and database generates logs. This log data can provide the basis to analyze what happened, when and by whom. When you are trying to isolate bad behavior, this information is invaluable. It’s a good idea to gather as much data as you can from as many sources as you can. You have to balance how much data is too much, but I’d rather opt on the side of gathering more, rather than less data.

So if you are going to gather all this log data, what is important to think about? First you need to make sure the data is protected. The first thing a bad actor does is to go back and erase their tracks by messing with the logs. Why leave evidence when the objective is to remain undetected? So the log files must be moved off the main system, so the bad folks can’t get to them. Other layers of security can include locking down the data store, and hashing and sequencing the log records to further prevent tampering.
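The “hashing and sequencing” of log records mentioned here and in the incident response column above, as an added Python example (my own illustration, not EventTracker’s record format): each record carries a sequence number and the previous record’s hash, and the chain head is assumed to be kept on the separate log management system, so a modified record, a deleted record, and a truncated local copy can each be told apart.

```python
"""Sequenced, hash-chained log records.

Added example, not EventTracker's format. Each record binds its sequence
number, the previous record's hash and its message into one SHA-256 hash.
A verifier holding only the chain head (assumed to be stored on the separate
log server) can then detect edited records, deleted records (sequence gaps)
and records chopped off the tail."""
import copy
import hashlib

GENESIS = "0" * 64  # previous-hash value for the first record (constructed convention)

# Constructed sample lines, not real log data.
SAMPLE_LINES = [
    "2007-11-06T09:00:01 sshd[412]: Accepted password for alice from 10.0.0.5",
    "2007-11-06T09:00:07 sshd[415]: Failed password for root from 10.0.0.9",
    "2007-11-06T09:00:08 sshd[415]: Failed password for root from 10.0.0.9",
    "2007-11-06T09:01:15 sudo: alice : COMMAND=/bin/cat /etc/shadow",
]


def record_hash(seq, prev_hash, message):
    """Hash over sequence number, previous hash and message, in that order."""
    data = f"{seq}|{prev_hash}|{message}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def build_chain(messages):
    """Turn raw log lines into chained records; returns (records, head_hash)."""
    records = []
    prev = GENESIS
    for seq, msg in enumerate(messages, start=1):
        h = record_hash(seq, prev, msg)
        records.append({"seq": seq, "prev": prev, "msg": msg, "hash": h})
        prev = h
    return records, prev


def verify_chain(records, expected_head=None):
    """Walk the chain; return a list of problems (empty means intact)."""
    problems = []
    prev = GENESIS
    expected_seq = 1
    for r in records:
        if r["seq"] != expected_seq:
            problems.append(f"sequence gap: expected {expected_seq}, got {r['seq']}")
            expected_seq = r["seq"]  # resynchronise so later records are still checked
        if r["prev"] != prev:
            problems.append(f"seq {r['seq']}: previous-hash link broken")
        if record_hash(r["seq"], r["prev"], r["msg"]) != r["hash"]:
            problems.append(f"seq {r['seq']}: record content modified")
        prev = r["hash"]
        expected_seq += 1
    if expected_head is not None and prev != expected_head:
        problems.append("head hash mismatch: records removed from the tail or chain rewritten")
    return problems


def demo_tampering():
    """The three things an attacker editing a local log copy would produce."""
    records, head = build_chain(SAMPLE_LINES)
    intact = verify_chain(records, head)

    edited = copy.deepcopy(records)  # rewrite a failed logon as a success
    edited[1]["msg"] = edited[1]["msg"].replace("Failed", "Accepted")
    modified = verify_chain(edited, head)

    deleted = [r for r in records if r["seq"] != 3]  # remove one record outright
    gap = verify_chain(deleted, head)

    truncated = records[:-1]  # chop the last record; only the stored head reveals it
    trunc = verify_chain(truncated, head)
    return intact, modified, gap, trunc


if __name__ == "__main__":
    for label, result in zip(("intact", "modified", "deleted", "truncated"), demo_tampering()):
        print(f"{label:10s} -> {result or 'chain verified'}")
```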

Scalability is also a pretty important aspect of your log management platform. Most log data gets tossed in the virtual circular bin because of the sheer volume of information. We are talking about a LOT of data. A typical large enterprise can (and does) generate billions of log messages a day. Yes, that’s billions with a B. Clearly this is nothing that a human can do him/herself. You need help and that’s where a log management platform comes into play.

What else do you need to worry about? Given that we are trying to react faster, the ability to analyze and drill down into specific log sources quickly and effectively is also pretty important. I didn’t say in real time because that’s not going to happen. First the log files need to be sent to the platform and analyzed, which takes a bit of time. In reality, it’s more like “pseudo real-time.” Odds are by the time you figure out you need to investigate, you’ll have the data at your disposal.

Next month we are going to dig deep into using the log management platform within the context of incident response, so I’ll table the rest of that discussion until then.

So what else do we need to use this log data for? Lastly, log data can be a very important decision support tool. Aside from helping to investigate incidents, the idea of using that log data to do trend analysis and pinpoint scalability issues, new attack vectors, potentially troubling internal activity and the like can all be unlocked via log data.

This trending analysis is also a critical tool in your ongoing efforts to substantiate your value to senior management, as Pragmatic CSOs must do, and prove compliance to auditors. Remember, senior management likes reports that show what you do and why. Trend analysis and good colorful reports add a measure of credibility, so that is an added benefit to centralizing logs.

Until next month, be Pragmatic.

Industry News

Survey: Security policies neglect off-network devices 
A majority of companies put confidential data at risk every day when equipment such as servers, desktops, laptops and portable storage devices leave the confines of their network, according to a recent survey of 735 IT security practitioners.

Related content – protect the server where data resides and not just the perimeter, to minimize theft of confidential/sensitive data.

Leveraging Log Data for Better Security

Looking at Log Management Pragmatically

As the first article in a 6-part series on the specifics of log management, I want to introduce the concept of the Pragmatic CSO methodology and go into how/why the idea of log management is important to achieving the goals of the Chief Security Officer. This piece will lay the foundation for the journey we will take together over the next 6 months.

First and foremost, security professionals are under siege from all sides. Their bosses don’t understand what they do and why it costs so much money. It’s pretty unlikely that auditors would consider the CSO a friend either, given the traditionally acrimonious relationship between the security and audit teams. We shouldn’t forget the bad guys, who keep using new and innovative attacks to compromise personal information and steal critical intellectual property.

The typical security professional I work with has trouble getting funding for key projects, justifying his/her existence within the organization, and ultimately being perceived as relevant to the operations of the business. All of this impacts their ability to be successful in protecting the information assets of the organization. Yes, it’s a pretty big problem.

In over 15 years working in the security space and looking at the problem from all sides, I’ve pinpointed a rather conceptually simple reason for this issue. In a nutshell, security people talk technology and their customers talk the language of business. This disconnect has become a chasm and really impacted the ability of security professionals to be successful. So in order to be relevant moving forward:

“Security professionals must learn to talk the language of business.”

This is what being a Pragmatic CSO is all about. I have built a 12-step program (yes, very similar to those other 12-step programs) to help security professionals overcome their addictions to throwing new products at every new attack vector, to help these folks build a value proposition and run their security operation as a business, and basically to learn how to be comfortable in the executive suite, since that’s where we belong.

But before we get into those nuances, let’s level set a bit and talk about the five reasons that we do security in the first place. Here goes:

  1. Maintain business system availability
  2. Protect intellectual property
  3. Limit corporate liability
  4. Safeguard the corporate brand
  5. Ensure compliance

That’s it. I’ve asked hundreds of people for other reasons why we would do security and everything comes back to one of these core needs. That was liberating, eh? Now we know why we are doing this. Next, let’s discuss the Pragmatic CSO process a bit.

In a short piece, I can’t really get into a lot of detail about how the process works, but let me outline it based on the sections.

  • Section 1: Plan to be Pragmatic – This first section is focused on figuring out what is important, taking a baseline of your environment and then managing the expectations of the senior team – so they know what you are up to and why.
  • Section 2: Build a Pragmatic Security Environment – Next up we build a business plan to guide the operation of the security environment, secure funding for the critical projects and actually go out and buy some stuff.
  • Section 3: Run your Security Organization Pragmatically – Then we spend time keeping things running, taking an aggressive monitoring approach to figuring out when you have a problem, building a containment strategy, training your users and testing your defenses.
  • Section 4: Communicate Your Value – Finally you need to toot your own horn a bit and build a reporting, communications and compliance capability to substantiate what you do on a daily basis.

Each of these sections is meant to help you get deeper and deeper into the business operations of your organization and spend your time protecting the “right” stuff, as opposed to all the stuff. You can get more detail on the Pragmatic CSO process at http://www.pragmaticcso.com/poster.html.

I know what you are thinking. What does any of this have to do with log management? It turns out to be a lot. The key requirement of Step 1 – Assess the Value of Your Business Systems is to understand what is really important to your business. Since no one (that I know anyway) has a money tree in the back of their office, you need to make hard decisions about what to do and how to prioritize your activities. How do you do that without knowing what business systems would crater your organization if they went down or were compromised?

Right, you can’t. So once you understand what is important, you need to be able to track the progress on how those resources are protected. You certainly could do a lot of praying and maybe that would ensure the critical business systems are protected. But in my experience, this leap of faith is one that senior executives don’t “get.” So we need some hard numbers or at least an idea that the trend is moving in the right direction.

The log management function, which gathers activity information about the devices (networks, servers, applications, etc.) that run these business systems in a forensically sound and very scalable way, provides that kind of information. You can see what’s working and what isn’t. You can set thresholds to help you understand what is going on in your environment, and be able to fine tune your defenses to ensure the right systems are protected at the right times. Step 7 of the Pragmatic CSO process is called “Operate/Monitor Your Environment” and log management is a key aspect of being able to do that.

Next month I’ll delve more deeply into this topic, providing detail on how to leverage log management in your operational processes and keep the trains running on time.

Until then, Be Pragmatic.

Industry News

8 Sure-fire ways to beat a security audit

You might have your access control process fixed, but you probably haven’t adequately trained your administrators on how to manage it. You might have your configuration and change control systems in place, but you probably haven’t sufficiently documented the process for using them. If you’ve adopted strict security policies, your users likely have found a way of avoiding or bypassing them altogether.

Make no mistake — auditors will find fault with your systems, your processes, and the people who operate them. They’re auditors. It’s their job.

Regulatory Compliance:  Stay ahead to keep on top of issues

The key to regulatory compliance is the ability to enforce and monitor security policies and processes at any given time, all of the time. And an SMB must plan and maintain an effective security strategy for its business infrastructure from the onset to serve as a solid foundation for regulatory compliance.

Prism Microsystems and Type80 extend the power of Log management to the Mainframe Environment

Partnership provides large companies with unparalleled security and operational visibility that extends from the mainframe to the application level

Top Security Issues Facing the Enterprise

Collect Vista Events

Microsoft has made some considerable changes to event management in Windows Vista. One major change is the way you can now centrally collect events from a variety of systems. This article is the fifth in a series that demystifies the Vista Event Log.  

Windows Vista includes an updated implementation of Microsoft’s remote management infrastructure: Windows Remote Management (WinRM). The Vista Event Log uses WinRM along with the Windows Event Collector service as the engines for collecting events from remote machines and sending them to a central event collector system. This makes it very easy to troubleshoot problems or otherwise be aware of the type of events that occur on multiple systems because you only need to look at the collector system to review all events.

WinRM relies on WS-Management or Web Services Management which is a special protocol that integrates a series of operations within a Web services architecture. This is an industry standard that allows organizations to perform management operations over commonly-used TCP/IP protocols such as the HyperText Transfer Protocol (HTTP) or secure HTTP (HTTPS). The advantage of WS-Management is that the common protocols on which it relies are often open in firewalls for other purposes. This means that you can manage remote systems without turning your firewall into Swiss cheese. This is a very valuable Vista feature.

Several steps are required to prepare systems for event collection:

  • Each system that will forward events must be running one service: WinRM.
  • Each system that will receive events must be running two services: WinRM and the Windows Event Collector. These services are set to manual by default.
  • WinRM must be configured on both the forwarding computers and the collector computer.
  • The Windows Event Collector service must be configured on the collector system.
  • Access rights must be granted to the collector system on each of the forwarding computers.
  • Then, once each of the above steps is performed, you can move to the creation of an event subscription.

Of course, elevated rights are required to perform the operation. Remember that because of User Account Control (UAC), all users, even administrative users, run with a standard user token. This means that you must make sure you use elevated rights when running these commands.

If you are working with machines that are part of an Active Directory (AD), then use the following procedure:

  • Log on to the source computer or the computer that will forward events.
  • Right-click on the Command Prompt and select Run as Administrator. Provide appropriate credentials, usually domain credentials that have local administrative privileges.
  • Using the newly elevated command prompt, type the following command:winrm quickconfigThen, type y followed with Enter to make the changes. This command sets up the source system to accept WS-Management requests from other computers. In actual fact, this will set the WinRM service to delayed autostart, start the service, create a WinRM listener on HTTP and enable WinRM exceptions in the Windows Firewall (see Figure 1).

WinRM
Figure 1. Running the WinRM Quick Configuration Command

  • Next, you need to add the collector computer’s account to the local Administrators group. There are two ways to do this. Either add the collector computer account by itself to the Administrators group or create a new group in AD, add the computer account to this group and then add this group to the local Administrators group. The second method is the preferred method since it will allow you to add more collector systems in the long run simply by adding them to the group in AD.
    • Open AD Users & Computers with a Run as Administrator command and apply the appropriate credentials for administrative rights in AD.
    • Locate the appropriate organizational unit (OU) and if one is not available, create one. This OU should be designed to contain computer groups.
    • Create a new security group. Call it Event Collection Systems.
    • Add the computer account of the collection system to this group.
    • Then, use Computer Management, under Local Users & Groups, to add the Event Collection Systems group to the local Administrators group. Repeat steps 1 to 4 on each source system.
  • Now, move to the collection system. Repeat the WinRM command used in step 3. This will allow you to control bandwidth usage or latency of the event forwarding process.
  • Next, using the same elevated command prompt, type wecutil qc, then type y followed by Enter to make the changes. This will configure the Windows Event Collector service to delayed autostart and start the service.
  • Now you’re ready to prepare your first subscription.
    • Open the Event Viewer using Run as Administrator and provide the proper credentials.
    • Go to the Subscriptions item in the tree pane.
    • Right-click on the Subscriptions item to choose Create Subscription (see Figure 2). You can also use the command in the action pane.
    • Name your collection and provide a description.
    • Identify the destination log. By default, all collected events go to the ForwardedEvents log.
    • Click the Add button to select computers from AD. Add all the computers you want to collect events from. You can also use the Test button to verify that communication works between the forwarders and the collector.
    • Next, click on Select Events to identify which events to collect. This launches the Query Filter dialog box. Set the options to collect the events you need or use an existing filter.
    • Finally, click on the Advanced button. This opens the Advanced Subscriptions Settings dialog box (see Figure 3). This dialog box allows you to control three settings.
      • The account used for collection. Leave this as is since the machine account is often best to use.
      • Event Delivery Optimization which lets you either control bandwidth used or increase the bandwidth used to ensure prompt delivery of the events. The Normal mode is a pull mode—the collector pulls events from forwarders. The other two modes are push modes—the events are pushed from the forwarders or source systems to the collector. If latency is not an issue, then select Minimize Bandwidth.
      • The protocol to use—HTTP or HTTPS. If events are forwarded in your network, then HTTP is probably fine, but if events have to go over open connections or if they contain sensitive data, then use HTTPS. This will encrypt all data between forwarders and collectors, but additional configuration will be required.

Click OK when done to finish the preparation of the collection. If they exist on the source computers, selected events will begin accumulating almost immediately.

Figure 2. Creating a Subscription

Figure 3. Setting Advanced Options

If you choose to configure HTTPS as the transport protocol, you will need to enable port 443 in the Windows Firewall. Pull or Normal subscriptions only need this setting on the source computers. Push subscriptions need this port enabled on both forwarders and collectors.
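The three choices in the Advanced Subscription Settings dialog (account, delivery optimization, protocol) also exist as plain XML, which is what the command-line collector (wecutil cs) consumes, and which is the form you would keep under version control or review before rolling a subscription out. The following is an added example, not code from the article, from Microsoft or from Prism: it builds that XML from the same three settings plus the query and the source computers, and then reviews the result for the weak choices discussed above (HTTP transport, explicit credentials, a Normal-mode subscription that is not pull, no sources). The element layout is the collector-initiated subscription format as the writer of this example understands it, so treat it as an assumption to check against your own wecutil output; the subscription name, host names and event query are constructed sample values.

```python
"""Build and review a collector-initiated event subscription.

Added example (not code from the article, Microsoft or Prism): it turns the
three Advanced Subscription Settings choices (account, delivery optimization,
protocol) into the subscription XML that `wecutil cs <file>` consumes and
then reviews that XML for weak settings. The element layout is the
collector-initiated subscription format as the writer of this example
understands it (an assumption); names, hosts and the query are constructed.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "http://schemas.microsoft.com/2006/03/windows/events/subscription"

# Delivery optimization -> (ConfigurationMode, Delivery Mode).
# Normal is the pull mode; the two "minimize" settings are push modes.
DELIVERY = {
    "Normal": ("Normal", "Pull"),
    "MinLatency": ("MinLatency", "Push"),
    "MinBandwidth": ("MinBandwidth", "Push"),
}


def build_subscription(name, sources, xpath, source_log="Security",
                       destination_log="ForwardedEvents", delivery="Normal",
                       transport="HTTP", description=""):
    """Return subscription XML for the given Advanced Subscription Settings."""
    if delivery not in DELIVERY:
        raise ValueError(f"unknown delivery optimization: {delivery}")
    if transport not in ("HTTP", "HTTPS"):
        raise ValueError(f"unknown transport: {transport}")
    mode, push_or_pull = DELIVERY[delivery]
    # Same QueryList document the Event Viewer's Query Filter dialog produces;
    # it is nested as text, so XPath operators such as < must be escaped.
    query = (f'<QueryList><Query Id="0" Path="{escape(source_log)}">'
             f'<Select Path="{escape(source_log)}">{escape(xpath)}</Select>'
             "</Query></QueryList>")
    source_xml = "".join(
        f'<EventSource Enabled="true"><Address>{escape(s)}</Address></EventSource>'
        for s in sources)
    return f"""<Subscription xmlns="{NS}">
  <SubscriptionId>{escape(name)}</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>{escape(description)}</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>{mode}</ConfigurationMode>
  <Delivery Mode="{push_or_pull}"/>
  <Query><![CDATA[{query}]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>{transport}</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>{escape(destination_log)}</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>{source_xml}</EventSources>
</Subscription>
"""


def review_subscription(xml_text):
    """Return the findings a defender would want before running wecutil cs."""
    root = ET.fromstring(xml_text)

    def text(tag):
        return root.findtext(f"{{{NS}}}{tag}")

    findings = []
    if text("TransportName") != "HTTPS":
        findings.append("HTTP transport: events cross the network in clear text; "
                        "use HTTPS when sources are not on a trusted segment")
    if text("CredentialsType") != "Default":
        findings.append("explicit credentials: the collector's machine account "
                        "is usually the better choice")
    delivery = root.find(f"{{{NS}}}Delivery")
    if text("ConfigurationMode") == "Normal" and (
            delivery is None or delivery.get("Mode") != "Pull"):
        findings.append("Normal mode is a pull mode: Delivery Mode should be Pull")
    if not root.findall(f".//{{{NS}}}Address"):
        findings.append("no event sources listed: the subscription collects nothing")
    if text("ReadExistingEvents") == "true":
        findings.append("ReadExistingEvents=true replays each source's whole log "
                        "on first contact")
    return findings


if __name__ == "__main__":
    sub = build_subscription("Failed logons", ["pc1.example.local"],
                             "*[System[EventID=4625]]",
                             delivery="MinBandwidth", transport="HTTPS")
    print(sub)
    print(review_subscription(sub) or "no findings")
```

Run it once with the defaults (HTTP, Normal) and once with HTTPS plus Minimize Bandwidth to see how the review output changes; the XML it prints is what you would save to a file and hand to wecutil cs on the collector.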

If you do not have an Active Directory and are working in a workgroup, you need to be aware of some limitations and special configuration requirements.

  • Workgroup subscriptions only work in pull or normal mode.
  • Windows Firewall exceptions for Remote Event Log Management must be enabled on each system.
  • Since computer accounts do not trust each other in workgroups, you must create a special account on each system. Use the same account name and password on each system.
  • You must also tell the collector system to trust each source computer. Once again, this is done through the WinRM command.

As you can see, it is easier and simpler to configure subscriptions in an Active Directory environment. But, in either case, collecting events from remote systems is something that administrators of Windows systems have wanted to do for many years. Vista finally makes it possible. This was long overdue. But, the Vista event management and collection system is still in its infancy. In our next article we will compare Vista event management with commercial event collection systems and identify situations where each fits within your system management strategy.

About the Authors

Danielle Ruest and Nelson Ruest, MCSE+Security, MCT, Microsoft MVP, are IT professionals specializing in systems administration, migration planning, software management and architecture design. They are authors of multiple books, and are currently working on the Definitive Guide to Vista Migration for Realtime Publishers as well as the Complete Reference to Windows Server 2008 for McGraw-Hill Osborne. They have extensive experience in systems management and operating system migration projects.

Resnet

Hot Topics

Computer Economics Study: Insiders top IT pros’ worries

Insider misuse and unauthorized access to information by insiders are the No. 1 and No. 2 security threats worrying IT security professionals, according to Computer Economics’ “Trends in IT Security Threats: 2007” report.

Are security pros worrying about the right stuff?

Worrying almost seems to define the job of the CSO and CISO. The security chief is the corporate standard bearer for risk management in a world fraught with technical and human error, with hackers potentially lurking within and without. But are security pros worrying about the right things?

Cool Tools and Tips

Action Plan: Don’t be a victim company

6-step Action plan for companies seeking to avoid becoming the next victim of a cyber attack.

Managing the Payment Card Industry Data Security Standard

PCI DSS requirements cover network security, data protection, vulnerability management, access control, monitoring and testing, and information security. Identify the specific requirements affecting network administrators and learn about the EventTracker solution for addressing these requirements.

Industry News

Survey: Vista adoption driven by OS security improvements

Network administrators have turned to the Windows Vista operating system because of its enhanced security features, according to a just released study.

Retail security efforts crippled by inconsistencies

Efforts to enforce the PCI Data Security Standard are frustrating would-be compliant retailers with contradictory interpretations and conflicts of interest.

Growing enterprise demand for Log Management spurs record growth for Prism Microsystems

Increasing adoption of log management solutions resulted in 100% year on year quarterly revenue growth for Prism Microsystems and the addition of 60 new customers in the 1st quarter taking the customer base to over 600 companies across multiple sectors.

The New Face of Security Attacks: The Danger Within

Automate Vista Events

Microsoft has made some considerable changes to event management in Windows Vista. One major change is the way you can link events to automated tasks. This article is the fourth in a series that demystifies the Vista Event Log.  

When you manage events, you often wish you could generate automatic actions when specific events occur. For example, it would be nice if you could automatically delete temporary files and send a notification to desktop technicians when PC disk drives get too full. In another scenario, it would be nice if you could receive automatic notification when unauthorized users try to log on to workstations that contain access to highly sensitive or confidential information. Or even better, display a message telling users they are trying to access unauthorized systems and then, send an email to appropriate authorities.

All of these things are now possible in Windows Vista. This is because Microsoft has revamped both the Event Log and the Task Scheduler and linked both together. Vista’s Task Scheduler is a much more powerful engine for task management and automation. And, when it is linked to the Event Log, the Task Scheduler becomes a strong engine for proactive systems management.
Linking events to automated tasks is a very straightforward process. It can be done in one of three ways:

  • Through the Task Scheduler
  • Through the Event Viewer
  • Through the command line

When creating either a basic or an advanced task in the Task Scheduler, you can select an event as the trigger for the task. Use the following procedure:

  • Create a new task (either basic or advanced).
  • Name the task and assign its credentials.
  • Select On an event as the task trigger.
  • Choose either Basic or Custom as the event setting.
    • Basic settings let you select which event log will be the source of the event, then which event source and finally, which event ID to look for (see Figure 1).
    • Custom settings let you create an Event Filter, letting you determine exactly how the task should be launched based on a series of filtered conditions.
  • Then continue adding the task properties such as conditions, actions and settings.

That’s it, simple isn’t it? It gets even better when you generate the task from the Event Viewer. Here you repeat much the same process, except that the task is generated from the event itself instead of the other way around.

Figure 1. Using the Basic Setting to Attach a Task to an Event

When you create an automated task from the Event Viewer, use the following procedure:

  1. First locate the event you want to attach the task to. You can either drill down to the event or create a filter to locate the event.
  2. Next, either right-click on the event to select Attach Task To This Event or use the action pane to click on the same command.
  3. This automatically launches the Basic Task wizard.
  4. Run through the wizard’s panes to generate the task.

The advantage of using this method to create the task is that it automatically fills in all of the information required to generate the trigger from the event. The disadvantage is that you can only create a basic task using this method. Of course, once the task is created, you can go to the Task Scheduler to add features and properties to the task, but this requires more steps to do so.

Figure 2. Generate a Task from an Event

The last method is to use the command line to link a task to an event. To do so, you will need several values:

  • The Event Log from which the event is generated
  • The source of the event
  • The event ID

These values can be obtained either through the Event Viewer or through the wevtutil.exe command using the proper switches. For example, you might use:

wevtutil qe Security /c:n /rd:true /f:text

which would query the Security Event Log to obtain the latest events by reversing the list of events (/rd:true) and displaying them in text format (/f:text) as opposed to the default XML format. In this command line, the value for n should be a number indicating how many events you want returned by the command.

Then, once you have the values you need, you can use the Task Scheduler command to generate the task. For example, you might use:

schtasks /create /TN taskname /TR action /SC ONEVENT /EC System /MO *[System/EventID=IDnumber]

where taskname is the name you want to assign to the task, action is the action to perform, and IDnumber is the ID number of the event which will act as a trigger for the task. In this example, the source Event Log is the System log. The task schedule is based on the occurrence of the event and is modified to identify the event ID.
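The three values the command line needs (log, source, event ID) are all in the XML that wevtutil prints with /f:xml, so the lookup and the schtasks command can be chained without retyping anything. The following is an added example, not code from the article, from Microsoft or from Prism: it reads one event in wevtutil's XML form, extracts those three values, and assembles the schtasks /create argument list. It also goes one step past the article's *[System/EventID=IDnumber] modifier by adding the Provider (event source) to the /MO query, since unrelated providers reuse the same ID numbers and a trigger keyed on the ID alone can fire on the wrong event. The sample event, task name and action path are constructed; the namespace is the one Windows uses for event XML.

```python
"""Derive an event-triggered schtasks command from a wevtutil event.

Added example, not code from the article: it reads one event as
`wevtutil qe <log> /f:xml` prints it, extracts the three values the article
lists for a command-line trigger (log, source, event ID) and assembles the
`schtasks /create ... /SC ONEVENT` argument list. The sample event is
constructed; the namespace is the one Windows uses for event XML.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample of one event as wevtutil qe System /c:1 /rd:true /f:xml
# would print it (a service terminated unexpectedly, reported by the SCM).
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Service Control Manager' EventSourceName='Service Control Manager'/>
    <EventID Qualifiers='49152'>7034</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime='2007-04-02T08:15:30.000000000Z'/>
    <EventRecordID>4711</EventRecordID>
    <Channel>System</Channel>
    <Computer>vista-pc.example.local</Computer>
  </System>
  <EventData>
    <Data Name='param1'>Print Spooler</Data>
    <Data Name='param2'>1</Data>
  </EventData>
</Event>"""


def trigger_values(event_xml):
    """Return (log, source, event_id) for one event in wevtutil's XML form."""
    system = ET.fromstring(event_xml).find(NS + "System")
    if system is None:
        raise ValueError("not an Event XML document")
    log = system.findtext(NS + "Channel")
    source = system.find(NS + "Provider").get("Name")
    event_id = int(system.findtext(NS + "EventID"))
    return log, source, event_id


def event_xpath(event_id, source=None, max_level=None):
    """Build the /MO query. The article's bare form is *[System/EventID=N];
    adding the Provider predicate matters because unrelated providers reuse
    the same ID numbers, and a Level predicate narrows it further."""
    terms = []
    if source:
        if "'" in source:
            raise ValueError("provider names containing a quote need another literal form")
        terms.append(f"Provider[@Name='{source}']")
    terms.append(f"EventID={int(event_id)}")
    if max_level is not None:
        levels = " or ".join(f"Level={n}" for n in range(1, int(max_level) + 1))
        terms.append(f"({levels})")
    return "*[System[" + " and ".join(terms) + "]]"


def schtasks_command(task_name, action, log, xpath):
    """Argument list for schtasks; hand it to subprocess.run as a list so the
    brackets and quotes in the XPath reach the tool without shell mangling."""
    return ["schtasks", "/create", "/TN", task_name, "/TR", action,
            "/SC", "ONEVENT", "/EC", log, "/MO", xpath]


def command_from_event(event_xml, task_name, action):
    """Glue: one event in, one schtasks command line out."""
    log, source, event_id = trigger_values(event_xml)
    return schtasks_command(task_name, action, log, event_xpath(event_id, source))


if __name__ == "__main__":
    # On Windows, subprocess.run(command_from_event(...)) would create the task.
    print(" ".join(command_from_event(SAMPLE_EVENT, "SpoolerCrashNotify",
                                      r"C:\Tools\notify.cmd")))
```

Passing the argument list to subprocess rather than a joined string is deliberate: the XPath contains brackets, an equals sign and quotes, and letting the shell re-interpret those is a common reason an ONEVENT task silently never fires.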

As you can see, the combination of the Event Log with the Task Scheduler opens the door for several system management activities. And, since Vista offers a much more detailed and rich event management structure, the possibilities are endless. Tasks can be generated on one machine and exported in XML format to be imported to any other system.

In addition, tasks can run either locally or remotely. This is because Vista includes an updated implementation of Microsoft’s remote management infrastructure: Windows Remote Management (WinRM). In the next article, we will examine the remoting capabilities of the Vista Event Log as we take an in-depth look at WinRM and its use as the engine for collecting events from remote machines and sending them to a central event collector system.

About the Authors

Danielle Ruest and Nelson Ruest, MCSE+Security, MCT, Microsoft MVP, are IT professionals specializing in systems administration, migration planning, software management and architecture design. They are authors of multiple books, and are currently working on the Definitive Guide to Vista Migration for Realtime Publishers as well as the Complete Reference to Windows Server Codenamed “Longhorn” for McGraw-Hill Osborne. They have extensive experience in systems management and operating system migration projects.

Resnet

Hot Topics

The Top 5 Internal Security Threats

For years, the specter of viruses, trojans and worms caused many a chief security officer to lose sleep. But it’s the enemy within that is now prompting IT staffers to ramp up security efforts. According to Forrester Research, the majority of security breaches involve internal employees, with some estimates as high as 85 percent.

Cool Tools and Tips

How to Audit Server Room Security

The server room is a service provider. Anything that disrupts — or has the potential to disrupt — the services fulfilled by the server room is a vulnerability that must be addressed promptly. It is critical to periodically conduct an audit to identify risks that affect the physical security, practices and continuity of the server room.

Fifty Critical Alerts for Windows Servers

Identify the most important events generated by your windows servers for quick and efficient resolution. The strategic benefit of monitoring these critical events combined with a robust resolution strategy is significant for the reduction of IT costs while ensuring increased service availability and enhanced security for your enterprise.

Industry News

USDA Admits to Massive Data Breach

USDA officials said the agency became aware of the potential exposure of Social Security numbers on April 13, when a funding recipient notified the agency that she was able to ascertain identifying information on the government web site.

Lawmakers Decry Continued Vulnerability of Federal Computers

Recent hacks into government networks that maintain sensitive information have generated a growing recognition that current federal mandates are inadequate to prompt improved security.

Data Security and Compliance Regulations

Explore the Vista Task Scheduler

Microsoft has made some considerable changes to event management in Windows Vista. One related change is the way the Vista Task Scheduler has been enhanced. These enhancements allow you to link events to automated tasks. This article is the third in a series that demystifies the Vista Event Log.  

Event management includes close ties to system automation because you often need to generate automatic actions when specific events occur. For example, one of the most common tasks that is related to events is the automatic deletion of temporary files when disk drives get too full. Or in another scenario, you may require an automatic notification when unauthorized users try to log on to workstations that contain access to highly sensitive or confidential information.

In order to automate either notifications or tasks, you need to rely on the Task Scheduler. In Vista, the Task Scheduler has become much more of a real job scheduler. Like the Event Viewer and the Event Log system, the Task Scheduler has been completely rewritten and now offers several enhancements over the Task Scheduler found in previous versions of Windows. For one thing, the Task Scheduler now maintains a complete library of all scheduled tasks, all categorized according to source. In addition, like the Event Viewer, the Task Scheduler profits from a new interface based on the Microsoft Management Console (MMC) version 3.0 (see Figure 1).

Figure 1. The New Task Scheduler Interface

As with all MMC version 3 interfaces, this one sports three panes—moving from left to right, the first is the tree pane, the second is the details pane and the third is the action pane. And as you can see, the main Task Scheduler details pane displays task summaries and active tasks, giving you ready access to any task information.

Tasks in Vista are based on two main components:

  • Launch conditions which can include up to three components:
    • Triggers which are the elements which actually start a task
    • Conditions which outline when and how the task can run
    • Settings which outline the options for a task
  • Actions which tell a task what to do

So far, this isn’t very different from previous task automation features found in other versions of Windows, but Vista’s Task Scheduler is a far cry from the Windows NT AT command. Previous versions of Windows had serious drawbacks when it came to system automation. Credentials for a task were stored with the task, so any credential changes had to be updated in the task’s properties. In addition, only one single action could be performed per task, limiting the usefulness of the Scheduler. And, in some cases, the Task Scheduler was restricted to administrators only, once again reducing the usefulness of this tool.

In Vista, all of these situations have been corrected. Vista now includes a whole series of new triggers—events; machine status such as idle, startup, logon and so on; session state changes such as opening or closing of Terminal Services sessions, or lock or unlocking of sessions; or even the more conventional time-based task startups. Tasks can even use other tasks as triggers, letting you create new, conditional or chained tasks and then, once the task has been initiated, have it repeat regularly or in other situations, add delays or other limits to a task (see Figure 2). In addition, tasks can run on universal time so that global organizations can create tasks in one time zone and ensure they run properly in any time zone.

Figure 2. Task Triggers

Each task can include more than one trigger ensuring the task will run if any of the launch elements occurs. Along with triggers, tasks will include conditions (see Figure 3) which determine how the task will behave. Conditions control if the task should run while the system is idle, if the task should run while the system is on battery power, if the system should be booted up to run the task should it be turned off, or even if the system should be linked to a network for the task to run.

Figure 3. Task Conditions

Settings control whether the task can be run manually, what should happen if the system was turned off when the task start time occurred, what to do if the task does not complete or fails or even runs too long. Settings can also apply rules to a task. These rules can include what to do if the start time occurs and an instance of the task is already running, or even delete the task once it has run (see Figure 4).

Figure 4. Task Settings

Actions can be any number of items including running a program, sending an email or simply displaying a message. This makes the Task Scheduler very powerful indeed since you could automatically display a warning message to users whenever they try to access protected areas of their system. This makes a strong case for running locked down systems and the Task Scheduler gives you the tools you need to make sure the systems stay locked down and users curb their habits.

Of course, actions can also be more traditional and actually run programs. This is after all, what the Task Scheduler was originally designed to do. And sending messages is also quite useful since administrators can receive notifications when tasks occur. For example, if you want to make sure that a critical task was performed on a system, then create a conditional task that sends an email once the other task completes. This saves you from having to verify task logs after the task was scheduled to run.

Vista will even hide tasks and otherwise control which credentials should be used when a task is run. In most cases, credentials are not stored in the task so you can change account passwords centrally without having to worry about all tasks failing. In some scenarios, though, credentials are stored in the secure Credential Manager store. In these cases, you still need to modify passwords locally but not in the task.

You can also use the Task Scheduler to create tasks for either Vista systems or for down-level versions of Windows. Tasks can be exported in XML format and re-imported to any other system. This makes it very easy to generate tasks on one system and ensure they run on all the systems in organizations of all sizes.

Finally, each task includes a history of operation, listing all of the events which indicate when the task was run and for how long. This makes it very easy to monitor tasks and make sure they run when expected.

Tasks can be created in one of three ways. The first lets you create a basic task and runs you through a wizard that takes you through each step required to build the task. Advanced tasks are created using the Create Task command which can be found either in the context menu or in the action pane. Create Task opens the Task dialog box and gives you access to each of the elements that make up a task. Finally, you can create and manage tasks through the command line through an updated schtasks.exe command (see Figure 5). This command lets you script operations such as importing tasks on different systems.

Figure 5. The schtasks.exe Command

Overall, the Task Scheduler is a much more powerful engine for task management and automation on Vista and, when it is linked to the Event Log, Task Scheduler becomes a very strong engine for proactive systems management. In our next article, we’ll examine just how Vista’s new Task Scheduler can be linked to the Event Viewer to automate tasks based on events and create a powerful system management platform with Vista’s own feature set.

About the Authors

Danielle Ruest and Nelson Ruest, MCSE+Security, MCT, Microsoft MVP, are IT professionals specializing in systems administration, migration planning, software management and architecture design. They are authors of multiple books, and are currently working on the Definitive Guide to Vista Migration for Realtime Publishers as well as the Complete Reference to Windows Server Codenamed “Longhorn” for McGraw-Hill Osborne. They have extensive experience in systems management and operating system migration projects.

Resnet

Industry News

Whether SOX, HIPAA, GLBA or NISPOM, effective log management is key for meeting compliance requirements.

Network downtime from security attacks proves costly

Network downtime resulting from security attacks is costing companies a bundle, but steps can be taken to prevent the added expense.

Enhance the security of your critical systems with comprehensive security management including host-based intrusion detection, external attack detection, fast incidence response and forensic analysis.

By addressing data privacy, companies avoid public scrutiny 

Whether your company is public or private, large or small, today’s information privacy regulations may affect you and your organization on many different levels, not just financially and legally.

Explore Vista Event Log; Top Tips on Compliance, Security and Data Privacy

March EventSource Newsletter
By Danielle Ruest and Nelson Ruest

Explore the Vista Event Log

Microsoft has made some considerable changes in the Windows Vista Event Log. It sports a new interface and a significant number of new event categories, making it much more useful than ever before. This article is the second in a series that demystifies the Vista Event Log.

For Windows Vista, Microsoft scrapped all of its previous Windows code and started from scratch to rewrite the whole thing. Good idea? No doubt. With all the security issues Windows has been facing in the past few years, rewriting the code with security in mind was a must. But it also provides added benefits. For example, when Microsoft programmers were working on the Vista Event Log, not only did they rewrite the code, but they also took advantage of the opportunity to give it a complete overhaul. Who benefits? We do, as users or rather administrators of Vista PCs.

The new Vista Event Log includes several features:

  • New Event Viewer Interface
  • New Event Categories
  • New Event Filters
  • New Event Language: XML
  • New Event command-line tool

Each of these makes it much easier to manage events in Windows Vista.

The Event Viewer Interface

The first thing you’ll notice when you launch the Event Viewer in Windows Vista is the new look and feel. When you first open it, the Event Viewer presents its summary view. Based on the Microsoft Management Console 3.0, the new Event Viewer lays out its contents into three panes (see Figure 1). The left pane is still the tree view which will be familiar to most Windows technicians. It includes several nodes: Custom Views, Windows Logs, Applications and Services Logs and Subscriptions. The center pane is, as before, the details pane. When the focus is on the Event Viewer node, you see the summary view which lists all events according to importance as well as audited events. Finally, the right pane lists actions you can perform. Like context menus, the contents of this action pane will change with the views you select.

When you change views, for example, if you focus on a specific log and view the events it contains, the details pane becomes your event viewer, showing the actual contents of events without having to open each event and having to juggle windows to try to see event listings at the same time as you see event details (see Figure 2). This makes it much easier to work with events.

Figure 1. The Summary View of the Event Log

Figure 2. Viewing the details of an event

New Event Categories

Another major improvement of the Event Log is that it is now designed to collect every single event on the system. While previous versions of Windows stored event information in different locations—databases, flat files, event log—Vista now stores all events in the Event Log. This means that it now includes a whole series of new event categories. These are located under the Applications and Services Logs node in the tree pane (see Figure 1). Perhaps the most important change is in the Microsoft sub-node. This sub-node now includes 53 different categories under the Windows sub-node. Each category is focused on a specific service within Windows—BitLocker, Event Collector, Group Policy, User Account Control, and much more. Subcategories are listed for each—administrative, operational, analytic and so on—making it very easy to drill down deep into any issue.

In addition, each application that is Vista-ready will store its events inside this event category. Windows includes its own—Distributed File System (DFS) Replication, Hardware Events, Internet Explorer, Key Management Service, and Media Center. Third party applications also store their events here. This proves that the Event Log is now the one and only store for events in Vista.

New Event Filters

In addition, in the Custom Views node under the tree pane, you’ll see that Vista already includes a custom view: the Administrative Events view. This view is based on a filter and is used to automatically collect events that are of interest to system administrators, saving them from having to generate their own filters (see Figure 3). Because this is a default view, this filter is read-only, but you have full flexibility to create your own filters based on any event attribute.

Figure 3. The Details of the Administrative Events Filter

That’s right; filters can be based on a whole series of attributes (see Figure 4). Logged time is one of the first attributes you can focus on, with six predefined time periods and the ability to create your own custom time period. Event level is next, letting you select critical, error, warning, verbose or information events. Then, you can filter either by log or by source. By log gives you a tree pane that lets you check the logs you need. Source lets you select any potential event source. Finally, you can filter by event ID, tasks that may be associated with the event, keywords contained inside the event, and the user and computer generating the event. Quite a powerful set of filters.

Figure 4. Creating a Custom Events Filter

New Event Language: XML

Filtering is now so powerful because Vista events are now completely structured, using an Extensible Markup Language (XML) structure. Previous versions of Windows provided some structure for event reporting, but it was mostly only evident to programmers using the Win32 application programming interface. With Vista, this changes because events rely on XML with a published schema. Each event now includes an XML description (see Figure 5). This makes it much easier to filter out events that might be considered ‘garbage’ and lets you focus on the events that are of interest to you. This will go a long way towards making it easier to audit change and manage systems running Windows Vista.
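Because every event is XML with a fixed System block, the filter choices described above (level, source, event ID, logged time) are nothing more than an XPath expression over that block, and the same expression can be evaluated outside the Event Viewer, for instance over events exported with wevtutil or forwarded to a collector. The following is an added example, not code from the article, from Microsoft or from Prism: it turns a set of filter choices into the XPath a custom view stores and evaluates the identical predicate in Python over a handful of constructed events, so you can check offline which records a filter would keep before saving it. The XPath layout is assumed from how Event Viewer builds its filters, timediff() is a Windows event-XPath extension, and the sample events, providers and timestamps are all constructed.

```python
"""Express an Event Viewer filter as XPath and evaluate it locally.

Added example, not code from the article: the choices the Filter dialog
offers (level, source, event ID, logged time) become the XPath a custom view
stores, and the same predicate is evaluated in Python over constructed
sample events so the two can be compared offline. timediff() is a Windows
event-XPath extension; the XPath layout is assumed from how Event Viewer
builds its filters, and every event and timestamp below is constructed.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
LEVELS = {"critical": 1, "error": 2, "warning": 3, "information": 4, "verbose": 5}


def filter_xpath(levels=(), sources=(), event_ids=(), last_hours=None):
    """XPath for the filter; unset criteria are simply left out."""
    terms = []
    if sources:
        terms.append("Provider[" + " or ".join(f"@Name='{s}'" for s in sources) + "]")
    if levels:
        terms.append("(" + " or ".join(f"Level={LEVELS[l]}" for l in levels) + ")")
    if event_ids:
        terms.append("(" + " or ".join(f"EventID={int(i)}" for i in event_ids) + ")")
    if last_hours is not None:
        terms.append(f"TimeCreated[timediff(@SystemTime) <= {int(last_hours * 3600000)}]")
    return "*[System[" + " and ".join(terms) + "]]" if terms else "*"


def system_fields(event_xml):
    """Pull the filterable fields out of an event's <System> block."""
    s = ET.fromstring(event_xml).find(NS + "System")
    stamp = s.find(NS + "TimeCreated").get("SystemTime")
    # Windows prints up to seven fractional digits; keep the whole seconds.
    created = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "record": int(s.findtext(NS + "EventRecordID")),
        "provider": s.find(NS + "Provider").get("Name"),
        "event_id": int(s.findtext(NS + "EventID")),
        "level": int(s.findtext(NS + "Level")),
        "created": created,
    }


def matches(fields, now, levels=(), sources=(), event_ids=(), last_hours=None):
    """The same predicate as filter_xpath(), evaluated in Python."""
    if levels and fields["level"] not in {LEVELS[l] for l in levels}:
        return False
    if sources and fields["provider"] not in sources:
        return False
    if event_ids and fields["event_id"] not in set(event_ids):
        return False
    if last_hours is not None and now - fields["created"] > timedelta(hours=last_hours):
        return False
    return True


def apply_filter(events, now, **criteria):
    """Record IDs of the events the filter keeps, in log order."""
    return [f["record"] for f in map(system_fields, events) if matches(f, now, **criteria)]


def sample_event(record, provider, event_id, level, system_time):
    """Constructed minimal event in the layout the Event Viewer's XML tab shows."""
    return (f"<Event xmlns='{NS[1:-1]}'><System><Provider Name='{provider}'/>"
            f"<EventID>{event_id}</EventID><Level>{level}</Level>"
            f"<TimeCreated SystemTime='{system_time}'/>"
            f"<EventRecordID>{record}</EventRecordID><Channel>System</Channel>"
            "</System></Event>")


SAMPLE_EVENTS = [
    sample_event(1, "Service Control Manager", 7034, 2, "2007-04-02T08:15:30.1234567Z"),
    sample_event(2, "Microsoft-Windows-Kernel-General", 1, 4, "2007-04-02T09:00:00.0000000Z"),
    sample_event(3, "Service Control Manager", 7036, 4, "2007-04-01T07:00:00.0000000Z"),
]
NOW = datetime(2007, 4, 2, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    crit = dict(levels=("critical", "error"), sources=("Service Control Manager",), last_hours=24)
    print(filter_xpath(**crit))
    print(apply_filter(SAMPLE_EVENTS, NOW, **crit))
```

The time window is the criterion worth testing this way: the Event Viewer evaluates it relative to the moment the view is opened, whereas a filter applied to an exported log must be given an explicit reference time, which is why apply_filter() takes now as a parameter instead of reading the clock.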

Figure 5. The XML Details of an Event

New Event command-line

For those who love the command line, you won’t be disappointed with the new Event Log. Vista includes a new command: wevtutil.exe which is designed to let you manage and administer events in character mode. Wevtutil, for Windows Event Utility, includes a whole series of functions and switches, all aimed at event management (see Figure 6).

For example, you can find out all of the publishers registered on a system. That’s because with the new Event Log, publishers must register themselves on the system. Wevtutil will list not only publishers but also their configuration on the system and all of the events they might log on a system. Nobody can hide from administrators anymore!

Wevtutil will also let you install or uninstall event manifests, run queries against events, export and archive logs as well as clear them, all from the command line. If you’re into the command line, then take the time to explore this powerful new tool.

Figure 6. The new wevtutil command

As you can see, the Event Viewer is considerably different from previous versions of Windows, even at just the interface level. But that’s not all. With Vista, you can integrate events with tasks, you can automate tasks based on events and you can forward key events to central locations.

In our next article, we’ll examine how Vista’s new Task Scheduler has also been upgraded in preparation for event automation. Windows Vista is here to stay and it’s easy to see why with powerful new tools such as the Event Viewer.

About the Authors

Danielle Ruest and Nelson Ruest, MCSE+Security, MCT, Microsoft MVP, are IT professionals specializing in systems administration, migration planning, software management and architecture design. They are authors of multiple books, and are currently working on the Definitive Guide to Vista Migration for Realtime Publishers as well as the Complete Reference to Windows Server 2008 for McGraw-Hill Osborne. They have extensive experience in systems management and operating system migration projects.

Resnet

Industry News

Time Change a ‘Mini-Y2K’ in Tech Terms

With daylight saving time taking effect from March 11, 2007, any device that has an internal clock looms as a potential problem and must be tweaked for the time change, usually with a software patch. Most internal clocks in computing devices are programmed for the old daylight-time calendar, which Congress set in 1986.
Read full article

Click here for information on impact on Microsoft Products

Best of Breed vs. Big Security: What’s Best for SMBs?

Historically, security has been a best-of-breed market. Customers would buy the leading product in each category and integrate the products into a cohesive whole. But now, is best of breed still the right approach? Even for small and medium-sized businesses (SMBs), which by definition are time-, resource- and money-constrained? Read full article

EventTracker delivers high-value integrated solutions to SMBs, providing a broad range of capabilities including advanced security, continuous compliance and IT optimization at significantly lower costs than traditional solutions.

Lessons from the DuPont Breach: Five Ways to Stop Data Leaks

In the five months Gary Min was stealing $400 million worth of proprietary information from a DuPont database, he downloaded and accessed more than 15 times as many documents as the next-highest user of the system. But he wasn’t caught until after he left the company for a rival firm. Min pleaded guilty last November to misappropriating DuPont data and is scheduled to be sentenced on March 29. His case is only the latest to highlight a lack of internal controls for dealing with insider threats at many companies. Read full article

EventTracker monitors your mission-critical servers and workstations for risks posed by data theft, hackers and host-based intrusions.

Privacy, Compliance and Security for SMBs

Here is a troubling statistic from the Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization: Since February 2005, the data records of more than 93 million U.S. residents have been exposed due to security breaches. While many of these breaches occurred at financial institutions and universities and were the result of hacking, many were also due to stolen computers and occurred at smaller businesses and organizations.

Companies of all sizes need to take precautions to keep customer data safe and secure, but how much security is enough? Does the size of your business matter, and what are an organization’s responsibilities regarding its customers’ privacy? Read full article

EventTracker delivers continuous compliance and advanced security management with modest resource requirements and low acquisition costs, offering solid value to SMBs. 

Cool Tools and Tips

Compliance School: SOX, Security Standards and Building a Compliance Framework

One of the most important elements of SOX compliance is providing evidence that the financial applications and supporting systems and services are adequately secured to ensure that financial reports can be trusted. This places a special burden on IT security departments. They need to understand which systems, services and processes need to be controlled, which aspects of security are most critical to compliance and what it takes to demonstrate that their company is in compliance.

Read tips on how to deal with compliance challenges facing IT security

Learn how EventTracker helps you automate and simplify complex compliance processes

OMB Security Mandate and Network Security Best Practices

Industry News

Logging data extracts puts some agencies in a bind

SPECIAL REPORT: Case study no. 3 – Mandate forces changes in who accesses information

OMB gives agencies 45 days to begin logging all computer-readable data extracts, and after 90 days, verify if the data has been erased or still is needed. Very few agencies—if any—have met this most challenging mandate of the four, industry and federal experts said.

A third requirement in the Office of Management and Budget’s June 23 data security memo can fundamentally change an agency’s approach to collecting, disseminating and securing data—which is perhaps why agencies have had so much trouble with it.

Logging isn’t that difficult, experts said, because every device creates a log. But the question is how to analyze the thousands of daily logs from a security perspective, said Carlos Blazquez, a senior information assurance analyst with SRA International Inc. of Fairfax, Va.

Read the full article

Learn how EventTracker analyzes millions of logs every day

TJX data breach raises questions 

TJX Companies—the $16 billion global retail chain that owns T.J. Maxx and Marshalls, among many other brands—disclosed on Jan. 17 that it had “suffered an unauthorized intrusion” into its computer systems in December.

The statement said the company had retained the services of General Dynamics and IBM both to help investigate and to upgrade security systems to ostensibly prevent another, similar intrusion.
But a closer reading of the statement raises quite a few questions, none of which the company has tried to answer.

Read the full article

Learn how EventTracker improves security and overall business operations with real-time event monitoring, host-based intrusion detection, incident response and forensic analysis

Hot Topics

Network Security  

The 7 best practices for network security in 2007

We all face it – the daily barrage of spam, now infested with zero-day malware attacks, not to mention the risks of malicious insiders, infected laptops coming and going behind our deep packet-inspecting firewalls and intrusion-prevention systems. Some even have to worry about how to prove steps of due care and due diligence towards a growing roster of regulatory compliance pressures.
What can you do under so much extreme pressure to make 2007 a better year, not a year loaded with downtime, system cleanup and compliance headaches?

Read the full article

Learn how EventTracker protects mission critical servers and workstations

Security, disaster recovery: Top SMB predictions for 2007

During the last few disaster-prone years, small and medium-sized businesses (SMBs) learned the hard way that they are as vulnerable as large enterprises to hackers, hurricanes and the penalties of not complying with federal regulations.

It’s no surprise, then, that the Yankee Group’s 2006 U.S. Small & Medium Business IT Infrastructure Survey (Oct. 2006) found that SMBs’ top concern for 2007 is security, closely followed by backup and restore, and application and data availability.

“Optimization of technical assets” was another top priority, according to the survey.

Read the full article

Learn how EventTracker provides a broad range of capabilities with modest resource requirements and a high ROI

Cool Tools and Tips

Log Management 101

Guide to Computer Security Log Management (Recommendations of the National Institute of Standards and Technology) 

A fundamental problem with log management that occurs in many organizations is effectively balancing a limited quantity of log management resources with a continuous supply of log data. Log generation and storage can be complicated by several factors, including a high number of log sources; inconsistent log content, formats, and timestamps among sources; and increasingly large volumes of log data. Log management also involves protecting the confidentiality, integrity, and availability of logs. Another problem with log management is ensuring that security, system, and network administrators regularly perform effective analysis of log data.

Read the full document 

Using Security Event Logs for troubleshooting and incident response

If you walked into a room and things seemed odd or out of place, wouldn’t it be nice if there was an entry log at the door that you could check to verify who had been in the room or when? If your keys were missing, wouldn’t it be helpful if you had a log that listed out who had touched them last so you could track them down? When a security incident occurs on your computer, such as some sort of malware or system compromise, the security event logs can be very helpful in determining what happened to your computer and when. It might help you track down the individual responsible, or at least it may help you understand what happened so you can fix or undo it. That only works though if the security logging is enabled to begin with.

To learn more about using security event logs for your troubleshooting and incident response, see Why Should I Use Security Event Logs?

Learn how EventTracker manages logs comprehensively for effective security log management, compliance satisfaction and cost reduction.

Featured Article

EventTracker announces 2 new monthly Webinar series for 2007

Event Log Management How-To Series

These monthly webinars are designed to explore ways to use EventTracker to its greatest potential for effective and efficient event log management. They are free to anyone with a PrismPass.

Log Management Industry News and Trends Series

These free webinars are designed to bring you the latest industry news and trends affecting log management. Industry experts will discuss what’s on the horizon in security management, compliance regulations, IT operations and how they affect log management.

The next Log Management Industry News and Trends webinar in March features Nelson Ruest as he explores Vista event logs including the changes in the Event Log structure, Vista Task Scheduler, automating Vista Events, and collecting Vista Events.

Nelson Ruest, MCSE+Security, MCT, Microsoft MVP, is an IT professional specializing in systems administration, migration planning, software management and architecture design. Nelson has worked with many companies as well as written books, articles and training sessions to help organizations with complex IT projects and deployment strategies. His articles have appeared in Windows Server System Magazine, Network World, MCP Magazine and Redmond Magazine.

New EventTracker 5.6 and Managing Change in Vista

Manage Change in Windows Vista

Microsoft has made some considerable changes in the Windows Vista Event Log. How do those changes affect system auditing and how will they change the way you monitor systems? This article is the first in a series that demystifies the Vista Event Log.

Managing change in any network is a daunting task. You have to really know what is happening to be able to understand how your network evolves with use. In Windows, the best way to find out what is going on is to audit all system and user activity. As you probably know, the only way to do this is to use a two-part approach. First, you must create an audit policy. Second, you have to indicate which objects and which users you want to audit.

Turning on the audit policy is done through either the Local Security Policy (LSP) or through Group Policy. You use the Local Security Policy if you want to audit a single computer or if it is part of a workgroup. In previous editions of Windows, you had to put every policy element into a single LSP, but Windows Vista now supports multiple local policies, which means that you can create different policies for different users.

The real power of policy though lies with Group Policy. That’s because it provides centralized policy deployment to multiple systems—create the policy once and deploy it to any number of systems. Of course, to use Group Policy, you must have an Active Directory and all of the systems you want to control must be members of that domain. This is true for all current versions of Windows, including Windows Vista. With Vista, Group Policy will now contain over 2,450 settings that can be centrally controlled.

Despite the fact that Vista now brings 800 new settings to Group Policy management, it has not changed in terms of Audit Policies. It still allows you to audit nine different types of events just as you could in Windows XP and Windows Server 2003 (see Figure 1). Whether you use Group Policy or the LSP, you will need to turn on each of the events you want to monitor. This is only the first part of the auditing process.

Figure 1. The Vista LSP and Audit Policy

The second step is to change the security descriptor of the items you want to audit. For example, if you want to audit file access on a given shared folder, you’ll need to view its Properties, then its Security settings and finally its Advanced Security settings, move to the Audit tab and then select who you want to audit. Fortunately, you can use groups to monitor the activities of all the users in your organization, which makes the assignment simpler. You’ll have to repeat this activity on each server or workstation you want to monitor and for each object you need to watch.
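The two-step procedure just described, scripted for one folder. This is an added example, not the authors' own code: step 1 uses auditpol.exe (included with Vista) in place of the LSP window, step 2 writes the same SACL entry the Audit tab creates, and the folder path and group name are assumptions made here.

```powershell
# Added example, not from the original article: the two-step audit setup in
# PowerShell. Step 1 uses auditpol.exe (shipped with Vista) instead of the
# LSP window; step 2 writes the same SACL entry the Audit tab creates. The
# folder path and group name are this example's assumptions.

$Folder = 'D:\Shares\Finance'        # assumed shared folder to watch
$Group  = 'CONTOSO\Finance Users'    # assumed group whose access is audited

# Step 1: enable the "Audit object access" category (one of the nine in
# Figure 1) for both successful and failed attempts.
function Enable-ObjectAccessAuditing {
    auditpol /set /category:"Object Access" /success:enable /failure:enable
}

# Step 2: add an audit entry to the object's security descriptor. Until this
# SACL exists, the policy from step 1 produces no file-access events.
# Repeat per server/workstation and per object, as the article notes.
function Add-FolderAuditRule([string]$Path, [string]$Identity) {
    $rights    = [System.Security.AccessControl.FileSystemRights] 'ReadData, WriteData, Delete, ChangePermissions'
    $inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $flags     = [System.Security.AccessControl.AuditFlags] 'Success, Failure'

    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                       -ArgumentList $Identity, $rights, $inherit, $propagate, $flags

    # -Audit is required to read and write the SACL (needs SeSecurityPrivilege)
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Verification: both halves must be in place before file-access events
# start appearing in the Security log shown by Event Viewer.
function Show-AuditConfiguration([string]$Path) {
    auditpol /get /category:"Object Access"
    (Get-Acl -Path $Path -Audit).Audit |
        Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
}

# Run from an elevated prompt on the machine that hosts the share.
Enable-ObjectAccessAuditing
Add-FolderAuditRule -Path $Folder -Identity $Group
Show-AuditConfiguration -Path $Folder
```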

Audited events are recorded in the Security Event Log and can be seen through the Event Viewer. Since events are recorded locally on each system that is affected, you need to visit each and every system to obtain a global picture of events on your network. This is a bit tedious if you don’t have an event collection mechanism—or a system that automatically collects key events and forwards them to a central location.

If you’re using Vista, then you can actually get Vista itself to forward the events. That’s right; Vista’s Event Log can now automatically act on events and send them to a central location, which until the release of Windows Server Codenamed “Longhorn” sometime next year, will have to be another Vista system. In addition, if you’re using Vista, you’ll soon discover that it records a host of events that were unheard of in previous versions of Windows.

In these previous versions, Microsoft used a number of different mechanisms to record events. Many products and sub-features of Windows recorded information in their own logs as if they didn’t even know the Event Log existed. It’s no wonder that most administrators didn’t even bother to verify any logs unless an untoward event occurred and they were spurred on by others: security officers for example. It was just too much work. With Vista, most of these tools now record events properly and store them into the Event Log. This is bound to make your life easier, but of course, only when all your systems have been upgraded to Vista. Isn’t that always the case? You have to perform more work to reduce the amount of work you have to do.

In our next article, we’ll examine how Vista’s Event Viewer now categorizes events to make it easier to understand what changes have been performed on the system. We’ll also look at how Vista provides detailed information on events, demystifying those arcane numbers and messages you could never understand. Perhaps then, you’ll think it is reason enough to move forward with your migration.

About the Authors

Danielle Ruest and Nelson Ruest, MCSE+Security, MCT, Microsoft MVP, are IT professionals specializing in systems administration, migration planning, software management and architecture design. They are authors of multiple books, and are currently working on the Definitive Guide to Vista Migration for Realtime Publishers as well as the Complete Reference to Windows Server Codenamed “Longhorn” for McGraw-Hill Osborne. They have extensive experience in systems management and operating system migration projects.

Resnet

Industry News

Security Flaws Haunt PDF, OpenOffice Users

Serious security vulnerabilities in two desktop applications could allow malicious hackers to plant malicious code on millions of computers. The more serious of the two is a cross-site scripting bug in Adobe’s ever-present Acrobat Plug-In, which fails to properly validate user-supplied data.

EventTracker Update

EventTracker 5.6 is now available

EventTracker 5.6 includes two major feature enhancements: Collection Point architectural enhancement and suspicious network activity monitoring.

The Collection Point feature is designed to enable multiple deployments of EventTracker to forward their respective log data to a central location from where reports can be generated.

The Suspicious Network Connection Monitoring feature has been added to the EventTracker Agent. The EventTracker Agent will now monitor all connections on the specific systems and map them to known threats.

The Suspicious Traffic Analysis option in the EventTracker Console is a report that gives detailed information on the various suspicious connections in the enterprise.

Event Wiz

Event: Id 1018

Source: MSExchangeDSAccess

Description: “Database is damaged” error message. This means that online backup cannot complete because the database is damaged.

Resolutions include: Usability Improvements – PATROL for Exchange Servers contains several usability improvements.

License Management – OneKey license management software controls BMC Software product licenses, thereby reducing the time and attention that you must devote to license and password administration.

Complete resolution information from EventTracker KB