Sentry II - Evaluating Automated Security Tools
Protecting information technology from attack today requires automated security tools that:
Below is an overview of the features you should expect from automated security tools. You can use these guidelines to compare the functionality of Engagent Sentry II to other automated security tools and to decide for yourself which is the most effective automated security tool available.
The most important system information on a Windows system is in the Event Logs. Event Logs fill up quickly, and at many sites valuable (and irreplaceable) Event Log information is casually overwritten. Avoiding that loss has previously meant a very time-intensive process of managing event logs individually: determining thresholds for the actual file size of the logs and dealing with them when they reach that size. Sentry II writes Event Logs into a database. This best practice ensures that even if a malicious user intentionally tries to eliminate evidence by clearing event logs, the information will be preserved. Having events in the database greatly facilitates analysis, allowing you to perform more powerful queries on them, analyze trends, spot anomalies, and create triggers on specific events.
It is not enough to preserve Event Logs for forensics experts to pore through after a security event has occurred. You need an automated process monitoring the Event Logs in real time to watch for the first indications of trouble. Every responsible IT administrator needs to install an automated process to monitor event logs.
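As an added example (not Engagent's code, and not how Sentry II itself works), the following PowerShell script copies new Security-log events into an archive outside the log on each run, so that clearing the log does not erase the record. The archive and state-file paths are assumed placeholders, and a CSV file stands in for the database.

```powershell
# Added example (not Engagent's code): archive new Security-log events outside the log so that
# clearing the log does not destroy the record. Paths are assumed; a CSV stands in for the database.
$LogName   = 'Security'
$Archive   = 'C:\EventArchive\Security.csv'
$StateFile = 'C:\EventArchive\Security.lastid'

function Get-LastArchivedRecordId {
    if (Test-Path -LiteralPath $StateFile) { return [int64]((Get-Content -LiteralPath $StateFile -Raw).Trim()) }
    return [int64]0
}

function Export-NewEvents {
    $lastId = Get-LastArchivedRecordId
    # Get-WinEvent yields newest events first, so stop as soon as an already-archived RecordId appears.
    $new = foreach ($e in (Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue)) {
        if ($e.RecordId -le $lastId) { break }
        [pscustomobject]@{
            RecordId    = $e.RecordId
            TimeCreated = $e.TimeCreated.ToString('o')
            Id          = $e.Id
            Provider    = $e.ProviderName
            Computer    = $e.MachineName
            Message     = $e.Message
        }
    }
    if (-not $new) { return 0 }
    $new = @($new | Sort-Object RecordId)
    $new | Export-Csv -LiteralPath $Archive -NoTypeInformation -Append -Encoding UTF8
    Set-Content -LiteralPath $StateFile -Value $new[-1].RecordId
    # Security event ID 1102 records that the audit log was cleared; the archive keeps what preceded it.
    $cleared = @($new | Where-Object { $_.Id -eq 1102 })
    if ($cleared.Count -gt 0) { Write-Warning "Security log was cleared (event 1102 seen); archived copy retained" }
    return $new.Count
}

New-Item -ItemType Directory -Path (Split-Path -Parent $Archive) -Force | Out-Null
Export-NewEvents
```

Run it from an elevated scheduled task every few minutes; anything written to the log between the last run and a clearing is still lost, which is why the interval should be short.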
Your automated tools should allow you to receive alerts based on any process or processes you select. These alerts should include:
· Alert if specified processes are not running.
This allows you to know there is a problem on the server or workstation. The health of a common system process can serve as a "heartbeat monitor," to let you know all is well with the system. Certainly if an anti-virus or security process you depend on to always run stops running, you want an instant alert. Your tools should also have the built-in option of automatically restarting processes if they are not running.
· Alert if specified processes are running.
Every administrator knows some processes that should never be run in their domain. Whether the process is a famous password cracking utility, the latest worm, or just a popular peer-to-peer file sharing bandwidth hog, your automated tools should let you know if it ever shows its ugly head on your network. Your tools should also have the built-in option of automatically terminating the process the moment it appears.
In addition to whether a process has run at all, setting thresholds on system counters allows you to receive an alert if a process suddenly starts using more system resources than usual. For example, some administrators set watches on the CPU usage of processes such as the following:
Of course, most anomalous behaviors will turn out to have benign explanations, but security-conscious administrators prefer to receive an alert and investigate for themselves.
In addition to process counters, many administrators will want an alert if thresholds are exceeded by other counters such as
· Bytes transmitted on RAS ports
Particularly for servers, the most important indicator of system health is that the services you care most about continue to run. If, for example, your SQL Server, your Exchange Server, or your web server stops running, you would surely want your automated tools to notify you instantly. But it is also possible to use common system services to monitor the health of desktop systems as well. And most administrators will want to ensure that specific unwanted services never run. As with Processes (above), your automated security tools should not only allow you to specify alerts for services, but also automatically restart important services that have stopped, and terminate noxious services the instant they start.
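The process, counter and service alerts described above, as one added PowerShell example (not Engagent's code). The required and forbidden process names, the service names and the CPU threshold are assumed placeholder policy; Send-Alert stands in for whatever delivery channel you use.

```powershell
# Added example (not Engagent's code): one pass of the process and service checks described above.
# The policy lists are assumed placeholders; replace them with the names that matter on your hosts.
$RequiredProcesses   = @('MsMpEng')            # e.g. an anti-virus engine that must always run
$ForbiddenProcesses  = @('unwanted-p2p-app')   # constructed placeholder for a process that must never run
$RequiredServices    = @('MSSQLSERVER', 'W3SVC')
$CpuThresholdPercent = 80                      # '% Processor Time' can exceed 100 on multi-core hosts
function Send-Alert([string]$Message) {
    Write-Warning $Message   # stand-in for your real delivery channel (e-mail, pager, console)
}

function Test-ProcessPolicy {
    foreach ($name in $RequiredProcesses) {
        if (-not (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
            Send-Alert "Required process '$name' is not running"
        }
    }
    foreach ($name in $ForbiddenProcesses) {
        $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        if ($procs.Count -gt 0) {
            Send-Alert "Forbidden process '$name' is running (PID $($procs.Id -join ', ')); terminating"
            $procs | Stop-Process -Force
        }
    }
}

function Test-CpuThreshold {
    # Two samples are needed: the first '% Processor Time' reading has no interval to measure against.
    foreach ($name in $RequiredProcesses) {
        $sets = Get-Counter -Counter "\Process($name)\% Processor Time" -SampleInterval 1 -MaxSamples 2 -ErrorAction SilentlyContinue
        if ($sets) {
            $cpu = [math]::Round($sets[-1].CounterSamples[0].CookedValue, 1)
            if ($cpu -gt $CpuThresholdPercent) {
                Send-Alert "Process '$name' is using $cpu% CPU, above the $CpuThresholdPercent% threshold"
            }
        }
    }
}

function Test-ServicePolicy {
    foreach ($name in $RequiredServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Send-Alert "Required service '$name' is not installed"; continue }
        if ($svc.Status -ne 'Running') {
            Send-Alert "Required service '$name' is $($svc.Status); attempting to start it"
            Start-Service -Name $name -ErrorAction Continue
        }
    }
}
Test-ProcessPolicy; Test-CpuThreshold; Test-ServicePolicy
```

Schedule the script at a short interval; a resident tool such as the one the page describes would do the same checks continuously rather than once per run.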
Some files are sufficiently important that you would like a report whenever they are altered. A good automated security tool will allow you to get notice when specified files:
The alerts specified above will go a long way toward protecting the health of the Windows systems for which you are responsible. You can make those systems more secure, however, by monitoring the health of other systems that surround your Windows systems: routers, hubs, Unix systems, Linux systems, and any other device that may form a periphery.
The standard interface to such devices is the Syslog file. The automated security tool you select should definitely allow you to monitor the syslogs of neighboring systems with the same precision – and the same ease – as you monitor your servers and desktops.
In addition to syslogs, many network devices support Simple Network Management Protocol (SNMP). An effective automated security tool will allow alerts from real-time monitoring of select SNMP Trap messages from your network devices (which may indicate suspicious, unauthorized, or performance-related activities). In addition, the best automated security tools will allow proactive SNMP Query monitoring of select SNMP Counter variables from your network devices.
© 2002-2005 Engagent