Evaluating Automated Security Tools

Protecting information technology from attack today requires automated security tools that:
    ·  archive system data
    ·  monitor system indicators for abnormal events; and 
    ·  alert you when anything untoward occurs.

Below is an overview of the features you should expect from automated security tools.  You can use these guidelines to compare the functionality of Engagent Sentry II to other automated security tools and to decide for yourself which is the most effective automated security tool available.  

Event Logs

The most important system information on Windows system is in the Event Logs:  Event Logs fill up quickly, and at many sites valuable (and irreplaceable) Event Log information is casually overwritten.  Attempting not to lose events in Event Logs has previously meant a very time-intensive process of managing event logs individually:  determining thresholds for actual file size of the logs and dealing with them when they reach that size.  Sentry II writes Event Logs into a database.  This best practice ensures that even if a malicious user intentionally tries to eliminate evidence by clearing event logs, the information will be preserved.  Having events in the database greatly facilitates analysis, allowing you to perform more powerful queries on them, analyze trends, spot anomalies, and create triggers on specific events.   

It is not enough to preserve Event Logs for forensics experts to pore through after a security event has occurred.  You need an automated process monitoring the Event Logs in real time to watch for the first indications of trouble.  For an outline of the vital reasons why every responsible IT administrator needs to install an automated process to monitor event logs, click here.

Click here to see a detailed list of specific Windows events your automated process should monitor.

Processes

Your automated tools should allow you to receive alerts based on any process or processes you select.  These alerts should include:

    ·  Alert if specified processes are not running.

This allows you to know there is a problem on the server or workstation.  The health of a common system process can serve as a "heartbeat monitor," to let you know all is well with the system.  Certainly if an anti-virus or security process you depend on to always run stops running, you want an instant alert.  Your tools should also have the built-in option of automatically restarting processes if they are not running.

    ·  Alert if specified processes are running.

Every administrator knows some processes that should never be run in their domain.  Whether the process is a a famous password cracking utility, the latest worm, or just a popular peer-to-peer file sharing bandwidth hog, your automated tools should let you if it ever shows its ugly head on your network.  Your tools should also have the built-in option of automatically terminating the process the moment it appears.  

System Counters

In addition to whether a process has run at all, setting thresholds on system counters allows you to receive an alert if a process suddenly starts using more system resources than usual.  For example, some administrators set watches on the CPU usage of processes such as the following:

WinLogon Process
    Bursts of activity by the WinLogon process – especially during idle periods – may show intrusion attempts.

NetDDE
    Most workstations show a baseline NetDDE usage of 0; unexpected activity by NetDDE may be the sign of an attack. 

Scheduler
    Activity of the Windows Scheduler on a desktop where it has not previously been observed may be suspicious.

Of course, most anomalous behaviors will turn out to have benign explanations, but security-conscious administrators prefer to receive an alerts and investigate for themselves.

In addition to process counters, many administrators will want an alert if thresholds are exceeded by  other counters such as

    ·  Bytes transmitted on RAS ports
    ·  UDP datagrams sent
    ·  Available system memory
    ·  Peak usage of paging file
    ·  Percentage of registry quota in use
  
A good security tool makes it easy to set up a variety of methods to sample the health of your network, to change them over time, and to quickly add ad-hoc watches for specific threats.

Services

Particularly for servers, the most important indicator of system health is that the services you care most about continue to run.  If, for example, your SQL Server, your Exchange Server, or your web server stops running, you would surely want your automated tools to notify you instantly.   But it is also possible to use common system services to monitor the health of desktop system as well.  And most administrators will want to insure that specific unwanted services never run.  As with Processes (above), you automated security tools should not only allow you to specify alerts for services, but also to automatically restart important services that have stopped, and to terminate noxious services the instant they start.

Files

Some files are sufficiently important that you would like a report whenever they are altered.  A good automated security tool will allow you to get notice when specified files:

    ·  Are created.
    ·  Are deleted
    ·  Change size
    ·  Are altered in any way

Your automated tools should allow you to set alerts on any sets of files or any directory.  Many administrators, for example, want notification on any change to the Windows System directory, because such changes are often the first sign of the appearance of novel "malware" on a system.

Syslogs

The alerts specified above will go a long way toward protecting the health of the Windows systems for which you are responsible.  You can make those systems more secure, however, by monitoring the health of other systems that surround your Windows systems:  routers, hubs, Unix systems, Linux systems, and any other device that may form a periphery.

The standard interface to such devices is the Syslog file.  The automated security tool you select should definitely allow you to monitor the syslogs of neighboring systems with the same precision – and the same ease – as you monitor your servers and desktops. 

SNMP

In addition to syslogs, many network devices support Simple Network Management Protocol (SNMP).  An effective automated security tool will allow alerts form real-time monitoring of select SNMP Trap messages from your network devices (which may indicate suspicious, unauthorized, or performance related activities).  In addition, the best automated security tools will allow proactive SNMP Query monitoring of select SNMP Counter variables from your network devices.