Insider-Focused Investigation Made Easier
A SANS Product Review
Written by Dave Shackleford
August 2015
Sponsored by Raytheon Websense
2015 SANS Institute

Introduction

For years, organizations have struggled with insider threats. Insider threats are those that arise from employees, contractors, partners and even customers that have already been granted some degree of access to internal computing assets and resources. According to the 2015 Verizon Data Breach Investigations Report (DBIR), insider abuse is higher than ever in breach and fraud cases. The Verizon team saw that 38 percent of insider abuse cases came from internal end users (knocking cashiers out of first place for the first time since 2011), and most of these insider abuse cases included after-the-fact investigations and forensics.[1] In other words, most organizations don't catch insider abuse before or even during the crimes.

For most insider abuse cases, the key to detection relies on monitoring behaviors and patterns of activity rather than detecting a single signature-based event. Many organizations have traditionally had difficulty developing behavior-centric monitoring programs and tools that adequately detect insider threats and malicious activity coming from trusted users and systems.

SANS recently reviewed Raytheon Websense's SureView Insider Threat 6.9 monitoring and audit management platform, which focuses on user behaviors such as policy violations, malicious activities on endpoint systems and other, more complex warning signs that may indicate insider threat activity. SureView Insider Threat can augment traditional data loss prevention (DLP) tools by observing user interaction, both within and external to a network, fingerprinting files and data types, and detecting malware and suspicious indicators at the host and network levels.

[1] Verizon 2015 Data Breach Investigations Report (DBIR), p. 46, Figure 38.
Interface and Ease of Use

Our review first focused on the user interface and usability of SureView Insider Threat. Raytheon Websense provided a prebuilt SureView Insider Threat virtual appliance and back-end database that we found simple to connect and configure; the configuration included a number of prebuilt policies. We began by examining the configuration for the appliance and the options we would normally use as part of provisioning it for investigation teams. Our examination focused primarily on users, connectivity options and (where applicable) authentication and integration with internal systems.

After a SureView Insider Threat appliance is up and running, admins can adjust its configuration through the browser-based management interface, which is simple to navigate and use. First, the Operators section allows admins to create new user accounts for operating the SureView Insider Threat investigation platform. Role-based access is easy to configure, with specific groups for various types of data access, as well as access to and control of particular functions and features in the product itself, as shown in Figure 1.

Figure 1. Configuring a New Operator

The Nodes section allows you to configure individual SureView Insider Threat nodes, as well as cluster node options for high availability in larger deployments. The majority of system configuration settings are in the Control Panel section. Here, you can manage passwords, RADIUS authentication and authorization options, certificate and public key infrastructure (PKI) settings, agent deployment variables and other system settings. Perhaps most important, the Control Panel section is where you configure SureView Insider Threat to automatically send events to a security information and event management (SIEM) system.

From here on, we connected to the appliance with the Enterprise Application Suite, a Windows client available from the Tools section of the system console. The interface has three workbench tabs: Administration, Investigation and Policy.

First, we explored the Policy Workbench. The SureView Insider Threat system has a number of default policies available for monitoring Windows, Linux and Android platforms. Some policies focus on one type of event or action, while others are combination policies that monitor all activity. A number of policies concentrate on compliance requirements or access to certain data types, which the analyst can define. We reviewed the existing policies and created several test policies to determine how easy the process was. The Policy Workbench, shown in Figure 2, includes a new policy called "SANS Test Policy"; this policy includes several simple rules looking for the keyword "SANS" in event logs and files on Windows platforms.

Figure 2. SureView Insider Threat Policy Workbench and Test Policy

Navigating the Policy Workbench was simple and straightforward.

The Administration Workbench allows you to monitor and control any agents installed on systems within the environment. The workbench pane is simple to understand, with six tabs across the bottom that allow users to manage the SureView Insider Threat deployments:

- Makes agent groups easy to define and edit. This tab also displays the number of agents, users and policies assigned to a group.
- Issues commands to agents and agent groups. You can send ad hoc commands, or define and store commands for consistent application.
- Saves preconfigured installer applications for simple deployment.
- Assembles bundles of installer applications, application adapters and collection tools, for later deployment.
- Configures application adapters and collection tools that integrate with endpoint operating systems and applications for gathering data and events.
- Defines specific aggregations of agents and users that are part of specific groups, matching specific patterns, for easy searching.

An example of a command issued to one agent that gathers any error files appears in Figure 3.

Figure 3. Administration Workbench Commands

The ability to monitor and manage agents in the main console pane is straightforward. All major functions for deploying and controlling agents are intuitive and easy to access.

The final tab, the Investigation Workbench, allows security teams to create specific cases for investigating user and system behavior, looking for insider threats in the environment. Creating cases was simple, but there are many advanced query and search features to explore and numerous ways to use the data reported from deployed agents. Creating specific investigation cases is covered in more detail later in the paper (under "Insider Threats and the Investigation Workbench"), but the interface is intuitive and we quickly made ourselves comfortable.

Audit Trail Monitoring

The SureView Insider Threat management interface's Audit section includes a detailed list of all activities performed on the SureView Insider Threat platform, ranging from operational tasks to authentication, as well as configuration changes and system status messages. This audit trail is simple to access and query, and should be useful in proving to auditors or investigators that operators performed certain actions. A snapshot of the audit log appears in Figure 4.

Figure 4. SureView Insider Threat Audit Trail

Logs and events can be viewed in more detail, as shown in Figure 5.

Figure 5. Log and Event Detail View
Policy Creation and Management

With SureView Insider Threat, new policies are simple to create, even when you are working from scratch. Existing policies can serve as templates: right-clicking the existing policy and selecting Copy enables you to clone a policy and adapt the clone for Windows, Linux or Android systems. You can also add policies directly to Investigation Workbench queries from the context (right-click) menu or export them for future editing. The context (right-click) menu for policy editing and actions appears in Figure 6.

Figure 6. Policy Editing and Actions Menu

SureView Insider Threat's configuration options fall into these categories:

Rules are the heart of policy templates and can make use of document fingerprints (which can also include e-mails, web content, printed documents, application content and clipboard data), regular expressions, file types observed, filters on document attributes, file hashes and other attributes. Each rule has editable links in the syntax view; you can modify the syntax with a click, changing menu options or typing text strings to create pattern matches.

Actions occur after an event triggers a rule or set of rules. The most basic actions are logging and reporting events within the SureView Insider Threat system or collecting data from the system in question. Data collection is incredibly flexible, with options to collect data from file content or actions taken, instant messaging apps, e-mail, web content, network activity, the Windows registry and other sources. Much like the rules formatting, actions are composed of statements with clickable links you can modify via inline menus. Other available actions include sending e-mails or events to a SIEM platform, adding the system reporting the event to a particular group (for example, a watchlist to monitor for suspicious behavior), prompting users, stopping processes or preventing storage devices from being mounted.

Pre-filtering can reduce false alarms by performing certain checks before triggering rules, potentially excluding events related to specific processes, files, network events or Windows registry entries.

Categories can help organize policies, which is useful when a large number of different policies are in place within an organization. These categories are also used when assigning policies to a specific group of agents and users.

Figure 7 shows an example of a simple policy we used in our testing.

Figure 7. Test Policy in Policy Workbench

All policies can have a priority assigned to them, as well as a definition of scope where they apply across deployed agents.
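To make the rule / action / pre-filter / category / priority structure described above concrete, here is an added, self-contained Python example of a minimal policy evaluator. It is not SureView Insider Threat's engine or any code from the review; the event records, the fingerprint value, the policy names and the three action sinks ("log", "siem", "watchlist:<group>") are all constructed for the example. It shows a fingerprint rule combined with a file-type filter, a keyword rule mirroring the review's SANS test policy, a regular-expression rule, a process pre-filter that suppresses a backup job before any rule is evaluated, platform scoping and priority ordering.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample endpoint events; the hash stands in for a document
# fingerprint of a known-sensitive spreadsheet. None of this is review data.
BUDGET_FINGERPRINT = hashlib.sha256(b"constructed budget spreadsheet bytes").hexdigest()

EVENTS = [
    {"id": 1, "platform": "windows", "user": "REALWORLD2008/CFOSTER", "process": "excel.exe",
     "path": r"C:\Users\cfoster\Budget.xlsx", "text": "", "content_hash": BUDGET_FINGERPRINT},
    {"id": 2, "platform": "windows", "user": "REALWORLD2008/CFOSTER", "process": "firefox.exe",
     "path": "", "text": "SANS review clipboard text", "content_hash": ""},
    {"id": 3, "platform": "windows", "user": "REALWORLD2008/SVC-BACKUP", "process": "backup.exe",
     "path": r"D:\backup\Budget.xlsx", "text": "", "content_hash": BUDGET_FINGERPRINT},
    {"id": 4, "platform": "linux", "user": "jsmith", "process": "vim",
     "path": "/home/jsmith/notes.txt", "text": "card 4111 1111 1111 1111", "content_hash": ""},
]


@dataclass
class Rule:
    """One rule; every set field must match (AND), unset fields are ignored."""
    name: str
    keyword: str = ""        # case-insensitive substring of text or path
    regex: str = ""          # pattern over text or path
    file_ext: str = ""       # observed file type, by extension
    fingerprint: str = ""    # document fingerprint (content hash)

    def matches(self, ev):
        haystack = f'{ev["text"]} {ev["path"]}'
        if self.keyword and self.keyword.lower() not in haystack.lower():
            return False
        if self.regex and not re.search(self.regex, haystack):
            return False
        if self.file_ext and not ev["path"].lower().endswith(self.file_ext):
            return False
        if self.fingerprint and ev["content_hash"] != self.fingerprint:
            return False
        return True


@dataclass
class Policy:
    name: str
    category: str
    priority: int                       # lower number is evaluated first
    platforms: set
    rules: list
    actions: list                       # "log", "siem", "watchlist:<group>"
    exclude_processes: set = field(default_factory=set)  # pre-filter


POLICIES = [
    Policy("Sensitive budget handling", "data-protection", 1, {"windows"},
           [Rule("budget fingerprint", fingerprint=BUDGET_FINGERPRINT, file_ext=".xlsx")],
           ["log", "siem", "watchlist:suspicious-users"],
           exclude_processes={"backup.exe"}),
    Policy("SANS test policy", "testing", 5, {"windows"},
           [Rule("keyword SANS", keyword="SANS")], ["log"]),
    Policy("PCI card numbers", "compliance", 2, {"windows", "linux"},
           [Rule("PAN pattern", regex=r"\b(?:\d[ -]?){13,16}\b")], ["log", "siem"]),
]


def evaluate(policies, events):
    """Return one hit per (event, policy) whose rules fire after pre-filtering."""
    hits = []
    for ev in events:
        for pol in sorted(policies, key=lambda p: p.priority):
            if ev["platform"] not in pol.platforms:
                continue
            if ev["process"] in pol.exclude_processes:   # pre-filter: skip before rules run
                continue
            fired = [r.name for r in pol.rules if r.matches(ev)]
            if fired:
                hits.append({"event": ev["id"], "policy": pol.name, "rules": fired,
                             "actions": pol.actions})
    return hits


def apply_actions(hits, events):
    """Dispatch each hit's actions into three constructed sinks."""
    by_id = {ev["id"]: ev for ev in events}
    sinks = {"log": [], "siem": [], "watchlist": {}}
    for hit in hits:
        for action in hit["actions"]:
            if action == "log":
                sinks["log"].append(f'{hit["policy"]} on event {hit["event"]}')
            elif action == "siem":
                sinks["siem"].append({"policy": hit["policy"], "event": hit["event"]})
            elif action.startswith("watchlist:"):
                group = action.split(":", 1)[1]
                sinks["watchlist"].setdefault(group, set()).add(by_id[hit["event"]]["user"])
    return sinks


if __name__ == "__main__":
    found = evaluate(POLICIES, EVENTS)
    for h in found:
        print(h)
    print(apply_actions(found, EVENTS))
```

Event 3 carries the sensitive fingerprint but never reaches the rules because the pre-filter excludes the backup process, which is exactly the false-alarm reduction the section describes; the watchlist action then records only the user who actually handled the file interactively.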
Insider Threats and the Investigation Workbench

The real power of SureView Insider Threat comes from the Investigation Workbench, where analysts will likely spend the majority of their time once policies are created and deployed, building cases that chronicle searches and analysis of system- and user-driven events.

During this review, we ran several mock investigations using the sample data in the testbed. In the first investigation, we investigated a user (Christopher Foster) to follow up on unusual activity recorded by a SureView Insider Threat agent deployed on his system. Our first step was to start a new investigation in the Investigation Workbench, either by clicking the "Create a new case" button in the workbench's Cases pane, or by selecting the Cases menu item and choosing Create. We then provided a case name and designated the case's security level (who can see it and access it).

Once our case was created, we ran our first query against the SureView Insider Threat database using the query engine at the top of the window. Our first order of business was limiting the events to only those seen on 01/27/2015, as shown in Figure 8.

Figure 8. Limiting Events to a Date/Time Range

The event highlighted in Figure 8 also corresponds to the subject of our investigation (CFOSTER in the REALWORLD2008 domain). Right-clicking the event record let us add this user to the query, thus limiting the data to only those events on 01/27/2015 recorded for user REALWORLD2008/CFOSTER. The output of this new result appears in Figure 9.

Figure 9. Limiting Events to a Specific User and Agent

Having limited the view to one user on a specific day, we could evaluate the specific events listed. Selecting an event caused a side pane to open with minute details about the event. First, we looked at the Webmail with Attachment event, which the keyword mail.google.com triggered. Figure 10 shows this event.

Figure 10. Webmail with Attachment Event

In this detailed view, we could see the time of the event, which application was in use (Mozilla Firefox, in a Private Browsing window), and where the user was going (Gmail). This agent captured the event as a video, with replay capabilities that enabled us to watch exactly what the subject was doing. The email he sent appears in Figure 11; note the attachment named FamilyReunionInfo.doc.gpg.

Figure 11. Video Replay of User Actions

Going back to the event detail, we found the attached file referenced in the Gmail upload event. We then dug further, looking for all applications in use, this filename, and any related actions from collections and events. By performing a more thorough query for all activity related to our subject, we found File Renamed activities that eventually led us to the true nature of the incident: CFOSTER renamed FJEA Business Expense Budget.xlsx to the seemingly innocuous .gpg file we saw in the email, as shown in Figure 12.

Figure 12. File Renamed Activity by the Insider Suspect

Digging even further, we discovered that the subject had renamed a sensitive file, encrypted it (using kleopatra.exe, a GPG component) and then emailed it to an accomplice outside the organization. We found the process of starting an investigation, creating queries and reviewing evidence results with SureView Insider Threat to be simple and straightforward, especially when compared to similar endpoint security and forensics tools.
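The query narrowing and the rename-chain pivot that the first investigation walks through can be expressed as a small piece of analysis logic. The Python below is an added example written for this page, not the product's query engine and not the review's testbed data: the event records (timestamps, users, the agent name CFOSTER_laptop, the rename sequence and the process starts) are constructed, and the intermediate name FamilyReunionInfo.doc is an assumption about how the .xlsx became the .gpg attachment. It narrows events to one day and one user, then walks File Renamed events backwards from the webmail attachment to the original filename and lists which processes ran before the upload.

```python
# Constructed event records, modelled on the fields the review describes
# (timestamp, user, agent, event type); none of this is the review's data.
EVENTS = [
    {"ts": "2015-01-26 17:02:11", "user": "REALWORLD2008/JSMITH", "agent": "WS-07",
     "type": "file_renamed", "old": "draft.txt", "new": "final.txt"},
    {"ts": "2015-01-27 09:14:02", "user": "REALWORLD2008/CFOSTER", "agent": "CFOSTER_laptop",
     "type": "process_start", "process": "excel.exe"},
    {"ts": "2015-01-27 09:31:40", "user": "REALWORLD2008/CFOSTER", "agent": "CFOSTER_laptop",
     "type": "file_renamed", "old": "FJEA Business Expense Budget.xlsx", "new": "FamilyReunionInfo.doc"},
    {"ts": "2015-01-27 09:33:05", "user": "REALWORLD2008/CFOSTER", "agent": "CFOSTER_laptop",
     "type": "process_start", "process": "kleopatra.exe"},
    {"ts": "2015-01-27 09:34:10", "user": "REALWORLD2008/CFOSTER", "agent": "CFOSTER_laptop",
     "type": "file_renamed", "old": "FamilyReunionInfo.doc", "new": "FamilyReunionInfo.doc.gpg"},
    {"ts": "2015-01-27 09:40:55", "user": "REALWORLD2008/CFOSTER", "agent": "CFOSTER_laptop",
     "type": "webmail_attachment", "process": "firefox.exe", "url": "mail.google.com",
     "attachment": "FamilyReunionInfo.doc.gpg"},
    {"ts": "2015-01-27 11:05:00", "user": "REALWORLD2008/JSMITH", "agent": "WS-07",
     "type": "webmail_attachment", "process": "chrome.exe", "url": "mail.google.com",
     "attachment": "photo.jpg"},
    {"ts": "2015-01-28 08:00:00", "user": "REALWORLD2008/CFOSTER", "agent": "CFOSTER_laptop",
     "type": "process_start", "process": "outlook.exe"},
]


def query(events, day=None, user=None, agent=None, etype=None):
    """Narrow the event set the way the workbench query bar does: each given
    filter is ANDed; results come back in time order."""
    out = []
    for ev in events:
        if day and not ev["ts"].startswith(day):
            continue
        if user and ev["user"] != user:
            continue
        if agent and ev["agent"] != agent:
            continue
        if etype and ev["type"] != etype:
            continue
        out.append(ev)
    return sorted(out, key=lambda e: e["ts"])


def trace_origin(events, filename, day=None, user=None):
    """Walk File Renamed events backwards from `filename` to the name it
    started with. Returns the chain oldest-first; a name with no rename
    history comes back as a one-element chain."""
    chain = [filename]
    renames = query(events, day, user, etype="file_renamed")
    while True:
        prior = [r for r in renames if r["new"] == chain[-1] and r["old"] not in chain]
        if not prior:
            break
        chain.append(prior[-1]["old"])    # most recent rename that produced this name
    return list(reversed(chain))


def investigate(events, day, user):
    """For each webmail upload by `user` on `day`, resolve the attachment back
    to its original filename and note which processes ran before the upload."""
    findings = []
    for wm in query(events, day, user, etype="webmail_attachment"):
        chain = trace_origin(events, wm["attachment"], day, user)
        procs = [p["process"] for p in query(events, day, user, etype="process_start")
                 if p["ts"] < wm["ts"]]
        findings.append({"sent_at": wm["ts"], "attachment": wm["attachment"],
                         "origin": chain[0], "chain": chain, "processes_before": procs})
    return findings


if __name__ == "__main__":
    for finding in investigate(EVENTS, "2015-01-27", "REALWORLD2008/CFOSTER"):
        print(finding)
```

The `r["old"] not in chain` guard stops the walk if a file is renamed back to an earlier name, so a rename loop cannot hang the analysis; the process list is what lets an analyst notice that an encryption tool ran between the rename and the upload.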
In our second investigation, we investigated Greg Alexander after the SureView Insider Threat agent recorded some unusual activity on his system. As in the first investigation, we searched for all events and collections from the date of the activity but added the agent name JEAGALEXANDER_laptop so the query would pull results for that machine only. Looking at the list of applications the user ran on that day led us to an unauthorized application: the Tor browser, used for anonymized browsing, as shown in Figure 13.

Figure 13. Tor Browser Launched by Suspected Hostile Insider

In looking at specific times when our subject started the Tor browser, we found he initiated a remote desktop connection into another server approximately five minutes before opening the browser. Fortunately, we could easily query for the startup of the remote desktop application (mstsc.exe) and look for all collected evidence, as shown in Figure 14.

Figure 14. Events and Collection from a Remote Desktop Connection

Selecting the item "Keys Typed" enabled us to see the keystrokes the subject made while logging in to the server, as shown in Figure 15.

Figure 15. Keystroke Recording of Remote Desktop Password

Having learned that the subject was logging in to servers and systems within our environment, we wanted to discover any user accounts associated with his name, no matter their location. SureView Insider Threat enabled us to query or browse based on entities as well as events or collection data. In this case, we looked through entities such as LDAP records and other information for the subject's full name (Gregory P Alexander). We discovered the subject had two accounts: REALWORLD2008/GALEXANDER and TRAINING1407/ADMIN1407, as shown in Figure 16.

Figure 16. Finding the Subject's User Accounts

In this case, the second account (TRAINING1407/ADMIN1407) was unauthorized, and we wanted to know more about any associated devices or device activity recorded for that account. The SureView Insider Threat entity browser came to our rescue again; performing a query for that entity was easy. The results showed three removable devices associated with the TRAINING1407/ADMIN1407 account, as shown in Figure 17.

Figure 17. Removable Drives Associated with Illicit Account

At this point in our investigation, we could drill into the drives themselves as entities. In particular, the SanDisk Cruzer device looked interesting, so we searched for related items by right-clicking the entity in the console and looking for related items. This search returned numerous Drive Mounted events for our investigation's timeframe, as shown in Figure 18.

Figure 18. Drive Mounted Events

Finally, by looking at more detail for some of these events, we could see the files associated with the drive. These results indicated the device held a bootable Linux installation, as shown in Figure 19. This information may indicate that the subject was booting a system (or systems) into Linux to compromise credentials or other information by accessing data from a different OS and thus avoiding the permissions of the normal OS.

Figure 19. File List for Bootable USB

As in the first example, the process of starting an investigation with SureView Insider Threat, discovering what the subject was doing and creating queries that accurately gathered evidence of malicious activity was straightforward and painless. In addition to these two complete cases, we explored many more example cases of detecting illicit web browsing and access to systems and network data. Throughout, we found the investigation features of SureView Insider Threat easy to use; they enabled us to quickly find data and events related to both users and computers within the test environment. Although there seemed to be an almost infinite number of search and discovery options, any of which we could use to build new queries and aggregate data into cases, the user interface greatly simplified the assessment of the data. The depth and completeness of the data SureView Insider Threat gathers from system agents impressed us as well. Security analysts can easily replay content and activity, or examine files and applications used within specific timeframes, to gain a better understanding of the events they investigate.
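The second investigation combines two analysis patterns that are worth seeing in code: a time-window correlation (a remote desktop launch shortly before the Tor browser start) and an entity pivot from a person's full name to accounts, from an unauthorized account to removable devices, and from a device to the hosts that mounted it. The Python below is an added example written for this page; it is not the product's entity browser or query engine, and the entity records, device serials, host names, timestamps and file lists are all constructed (the captured keystroke content is deliberately not reproduced). The boot-media heuristic (`BOOT_MARKERS`) is an assumption about what "bootable Linux installation" looked like in the review's file list.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed entity records (people, accounts, removable devices) and agent
# events; the names echo the review's walkthrough but the data is invented here.
ENTITIES = {
    "people": [{"full_name": "Gregory P Alexander",
                "accounts": ["REALWORLD2008/GALEXANDER", "TRAINING1407/ADMIN1407"]}],
    "authorized_accounts": {"REALWORLD2008/GALEXANDER"},
    "devices": [
        {"serial": "SNDK-CRUZER-0001", "model": "SanDisk Cruzer", "account": "TRAINING1407/ADMIN1407"},
        {"serial": "KNGST-DT-0002", "model": "Kingston DataTraveler", "account": "TRAINING1407/ADMIN1407"},
        {"serial": "LEX-JD-0003", "model": "Lexar JumpDrive", "account": "TRAINING1407/ADMIN1407"},
        {"serial": "SNDK-ULTRA-0009", "model": "SanDisk Ultra", "account": "REALWORLD2008/JSMITH"},
    ],
}

EVENTS = [
    {"ts": "2015-02-03 10:02:00", "agent": "JEAGALEXANDER_laptop", "type": "process_start", "process": "mstsc.exe"},
    {"ts": "2015-02-03 10:03:12", "agent": "JEAGALEXANDER_laptop", "type": "keys_typed", "process": "mstsc.exe",
     "text": "[captured by agent, not reproduced]"},
    {"ts": "2015-02-03 10:06:30", "agent": "JEAGALEXANDER_laptop", "type": "process_start", "process": "tor.exe"},
    {"ts": "2015-02-03 13:20:00", "agent": "JEAGALEXANDER_laptop", "type": "process_start", "process": "mstsc.exe"},
    {"ts": "2015-02-03 14:00:00", "agent": "JEAGALEXANDER_laptop", "type": "process_start", "process": "tor.exe"},
    {"ts": "2015-02-03 10:30:00", "agent": "SRV-FILE01", "type": "drive_mounted", "device_serial": "SNDK-CRUZER-0001",
     "files": ["isolinux/isolinux.cfg", "casper/vmlinuz", "casper/initrd.lz"]},
    {"ts": "2015-02-04 08:00:00", "agent": "SRV-DB02", "type": "drive_mounted", "device_serial": "SNDK-CRUZER-0001",
     "files": ["boot/grub/grub.cfg", "live/vmlinuz"]},
    {"ts": "2015-02-04 09:00:00", "agent": "WS-07", "type": "drive_mounted", "device_serial": "SNDK-ULTRA-0009",
     "files": ["holiday.jpg", "notes.txt"]},
]


def correlate_precursor(events, agent, target, precursor, window=timedelta(minutes=5)):
    """For every `target` process start on `agent`, list `precursor` starts that
    happened within `window` before it. An empty list means no precursor."""
    starts = sorted((e for e in events if e["agent"] == agent and e["type"] == "process_start"),
                    key=lambda e: e["ts"])
    hits = []
    for t in (s for s in starts if s["process"] == target):
        t_time = datetime.strptime(t["ts"], FMT)
        before = [p["ts"] for p in starts if p["process"] == precursor
                  and timedelta(0) <= t_time - datetime.strptime(p["ts"], FMT) <= window]
        hits.append({"target_ts": t["ts"], "precursor_ts": before})
    return hits


def accounts_for(entities, full_name):
    """Entity pivot: every account tied to a person's directory record."""
    return [a for p in entities["people"] if p["full_name"] == full_name for a in p["accounts"]]


def unauthorized_accounts(entities, full_name):
    return [a for a in accounts_for(entities, full_name) if a not in entities["authorized_accounts"]]


def devices_for(entities, account):
    return [d for d in entities["devices"] if d["account"] == account]


def mount_events(events, serial):
    return sorted((e for e in events if e["type"] == "drive_mounted" and e["device_serial"] == serial),
                  key=lambda e: e["ts"])


BOOT_MARKERS = ("vmlinuz", "initrd", "isolinux", "grub.cfg")   # assumed markers of boot media


def looks_bootable(files):
    """Heuristic: a kernel or boot loader file present on removable media."""
    return any(m in f.lower() for f in files for m in BOOT_MARKERS)


def investigate(entities, events, full_name, agent):
    """Assemble the second investigation: RDP-before-Tor correlation, the
    person's unauthorized accounts, and where their devices were mounted."""
    report = {"rdp_before_tor": correlate_precursor(events, agent, "tor.exe", "mstsc.exe"),
              "unauthorized": unauthorized_accounts(entities, full_name), "devices": {}}
    for acct in report["unauthorized"]:
        for dev in devices_for(entities, acct):
            mounts = mount_events(events, dev["serial"])
            report["devices"][dev["serial"]] = {
                "model": dev["model"], "mounted_on": [m["agent"] for m in mounts],
                "bootable": any(looks_bootable(m["files"]) for m in mounts)}
    return report


if __name__ == "__main__":
    print(investigate(ENTITIES, EVENTS, "Gregory P Alexander", "JEAGALEXANDER_laptop"))
```

The second Tor launch in the constructed data has a remote desktop start 40 minutes earlier, outside the five-minute window, so it is reported with an empty precursor list; that distinction is what turns a raw application inventory into the time-ordered story the review's analysts reconstructed.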
Conclusion

After spending time with SureView Insider Threat, we concluded it is a powerful tool that can collect just about any type of system data imaginable, enabling investigators to build cases by highlighting points of evidence including:

Although Raytheon Websense configured the system we tested, we found accessing and configuring the platform's configuration options to be simple and straightforward. The interfaces for the SureView Insider Threat workbenches were also easy to use and intuitive. In particular, the policy creation and management engine allowed us to create flexible and robust policies for Windows, Linux and Android systems quickly and then apply them to groups and categories of known users and deployed agent systems. The Administration Workbench provides a simple and flexible tool to manage all aspects of the deployment and monitoring processes for agents, and the capability to issue one-time or scheduled commands to agent systems is useful for both operations and security teams. However, the most impressive part of SureView Insider Threat is its Investigation Workbench. By creating cases and adding evidence items based on queries across numerous systems and date ranges, security teams can rapidly analyze insider threat scenarios within their environments.

About the Author

Dave Shackleford, a SANS analyst, instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, is the founder and principal consultant with Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance.

Sponsor

SANS would like to thank its sponsor: Raytheon Websense
More informationHIPAA Regulatory Compliance
Secure Access Solutions & HIPAA Regulatory Compliance Privacy in the Healthcare Industry Privacy has always been a high priority in the health profession. However, since the implementation of the Health
More informationPetroleum Refiner Overhauls Security Infrastructure
Petroleum Refiner Overhauls Security Infrastructure Small team strengthens security posture and responds faster to threats HollyFrontier Customer Profile Fortune 500 independent petroleum refiner and distributor
More informationForeScout Extended Module for IBM BigFix
Version 1.1 Table of Contents About BigFix Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 About Support for Dual Stack Environments... 5 Concepts, Components,
More informationDisk Encryption Buyers Guide
Briefing Paper Disk Encryption Buyers Guide Why not all solutions are the same and how to choose the one that s right for you.com CommercialSector Introduction We have written this guide to help you understand
More informationGuide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1
Guide to Deploying VMware Workspace ONE DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
More informationAutomating the Top 20 CIS Critical Security Controls
20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises
More informationSMARTCRYPT CONTENTS POLICY MANAGEMENT DISCOVERY CLASSIFICATION DATA PROTECTION REPORTING COMPANIES USE SMARTCRYPT TO. Where does Smartcrypt Work?
SMARTCRYPT PKWARE s Smartcrypt is a data-centric audit and protection platform that automates data discovery, classification, and protection in a single workflow, managed from a single dashboard. With
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.
More informationWorkspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810
Workspace ONE UEM Integration with RSA PKI VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments
More informationTHE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM
THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM Modern threats demand analytics-driven security and continuous monitoring Legacy SIEMs are Stuck in the Past Finding a mechanism to collect, store
More informationNetwrix Auditor. Event Log Export Add-on Quick-Start Guide. Version: 8.0 6/3/2016
Netwrix Auditor Event Log Export Add-on Quick-Start Guide Version: 8.0 6/3/2016 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment
More informationAutomated Deployment Services
Building Out the Enterprise Using Automated Deployment Services Automated Deployment Services (ADS), a component of the Microsoft Windows Server 2003 operating system, includes a new set of imaging tools
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationObserveIT 7.1 Release Notes
ObserveIT 7.1 Release Notes In This Document About This Release... 2 New Features and Enhancements... 2 Backward Compatibility... 3 New Supported Platforms... 3 Resolved Issues... 4 Known Issues... 4 Limitations...
More informationYubico with Centrify for Mac - Deployment Guide
CENTRIFY DEPLOYMENT GUIDE Yubico with Centrify for Mac - Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component
More informationFast Incident Investigation and Response with CylanceOPTICS
Fast Incident Investigation and Response with CylanceOPTICS Feature Focus Incident Investigation and Response Identifying a potential security issue in any environment is important, however, to protect
More informationAbout This Document 3. Overview 3. System Requirements 3. Installation & Setup 4
About This Document 3 Overview 3 System Requirements 3 Installation & Setup 4 Step By Step Instructions 5 1. Login to Admin Console 6 2. Show Node Structure 7 3. Create SSO Node 8 4. Create SAML IdP 10
More informationSeqrite Endpoint Security
Enterprise Security Solutions by Quick Heal Integrated enterprise security and unified endpoint management console Enterprise Suite Edition Product Highlights Innovative endpoint security that prevents
More informationSYMANTEC DATA CENTER SECURITY
SYMANTEC DATA CENTER SECURITY SYMANTEC UNIFIED SECURITY STRATEGY Users Cyber Security Services Monitoring, Incident Response, Simulation, Adversary Threat Intelligence Data Threat Protection Information
More informationIntegrating AirWatch and VMware Identity Manager
Integrating AirWatch and VMware Identity Manager VMware AirWatch 9.1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a
More informationPCI DSS Compliance. White Paper Parallels Remote Application Server
PCI DSS Compliance White Paper Parallels Remote Application Server Table of Contents Introduction... 3 What Is PCI DSS?... 3 Why Businesses Need to Be PCI DSS Compliant... 3 What Is Parallels RAS?... 3
More informationMcAfee MVISION Cloud. Data Security for the Cloud Era
McAfee MVISION Cloud Data Security for the Cloud Era McAfee MVISION Cloud protects data where it lives today, with a solution that was built natively in the cloud, for the cloud. It s cloud-native data
More informationVMware AirWatch Integration with RSA PKI Guide
VMware AirWatch Integration with RSA PKI Guide For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product
More informationSQL Server Solutions GETTING STARTED WITH. SQL Secure
SQL Server Solutions GETTING STARTED WITH SQL Secure Purpose of this document This document is intended to be a helpful guide to installing, using, and getting the most value from the Idera SQL Secure
More information1.0. Quest Enterprise Reporter Discovery Manager USER GUIDE
1.0 Quest Enterprise Reporter Discovery Manager USER GUIDE 2012 Quest Software. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide
More informationNot your Father s SIEM
Not your Father s SIEM Getting Better Insights & Results Bill Thorn Director, Security Operations Apollo Education Group Agenda Why use a SIEM? What is a SIEM? Benefits of Using a SIEM Considerations Before
More informationSecuring Office 365 with SecureCloud
Securing Office 365 with SecureCloud 1 Introduction Microsoft Office 365 has become incredibly popular because of the mobility and collaboration it enables. With Office 365, companies always have the latest
More informationSecurity+ SY0-501 Study Guide Table of Contents
Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators
More informationSetting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8
Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.8 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments
More informationSecurity. Risk Management. Compliance.
Richard Nichols Netwitness Operations Director, RSA Security. Risk Management. Compliance. 1 Old World: Static Security Static Attacks Generic, Code-Based Static Infrastructure Physical, IT Controlled
More informationVSP16. Venafi Security Professional 16 Course 04 April 2016
VSP16 Venafi Security Professional 16 Course 04 April 2016 VSP16 Prerequisites Course intended for: IT Professionals who interact with Digital Certificates Also appropriate for: Enterprise Security Officers
More informationCentrify for Dropbox Deployment Guide
CENTRIFY DEPLOYMENT GUIDE Centrify for Dropbox Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component of
More informationForeScout Extended Module for Tenable Vulnerability Management
ForeScout Extended Module for Tenable Vulnerability Management Version 2.7.1 Table of Contents About Tenable Vulnerability Management Module... 4 Compatible Tenable Vulnerability Products... 4 About Support
More informationhow dtex fights insider threats
how dtex fights insider threats Over the past several years, organizations have begun putting more and more focus on the end user. But security teams are quickly realizing that tools like traditional UBA
More informationthe SWIFT Customer Security
TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This
More informationAdvanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection
Advanced Threat Defense Certification Testing Report Symantec Advanced Threat Protection ICSA Labs Advanced Threat Defense December 8, 2015 Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg,
More informationCarbon Black PCI Compliance Mapping Checklist
Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and
More informationDigital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS
Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS Digital Forensics Readiness: PREPARE BEFORE AN INCIDENT HAPPENS 2 Digital Forensics Readiness The idea that all networks can be compromised
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationForeScout Extended Module for VMware AirWatch MDM
ForeScout Extended Module for VMware AirWatch MDM Version 1.7.2 Table of Contents About the AirWatch MDM Integration... 4 Additional AirWatch Documentation... 4 About this Module... 4 How it Works... 5
More informationNetwrix Auditor. Administration Guide. Version: /31/2017
Netwrix Auditor Administration Guide Version: 9.5 10/31/2017 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment from Netwrix Corporation
More informationDynamic Datacenter Security Solidex, November 2009
Dynamic Datacenter Security Solidex, November 2009 Deep Security: Securing the New Server Cloud Virtualized Physical Servers in the open Servers virtual and in motion Servers under attack 2 11/9/09 2 Dynamic
More informationEvaluating Encryption Products
Evaluating Email Encryption Products A Comparison of Virtru and Zix Importance of Email Encryption Most modern email providers, such as Google and Microsoft, offer excellent default security options, but
More information74% 2014 SIEM Efficiency Report. Hunting out IT changes with SIEM
2014 SIEM Efficiency Report Hunting out IT changes with SIEM 74% OF USERS ADMITTED THAT DEPLOYING A SIEM SOLUTION DIDN T PREVENT SECURITY BREACHES FROM HAPPENING Contents Introduction 4 Survey Highlights
More informationDefendpoint for Mac 4.2 Getting Started Guide. Defendpoint for Mac. Getting Started Guide version 4.2
Defendpoint for Mac 4.2 Getting Started Guide Defendpoint for Mac Getting Started Guide version 4.2 August 2016 Defendpoint for Mac 4.2 Getting Started Guide Copyright Notice The information contained
More informationThe Convergence of Security and Compliance. How Next Generation Endpoint Security Manages 5 Core Compliance Controls
The Convergence of Security and Compliance How Next Generation Endpoint Security Manages 5 Core Compliance Controls Table of Contents Introduction.... 3 Positive versus Negative Application Security....
More informationSecurity Challenges: Integrating Apple Computers into Windows Environments
Integrating Apple Computers into Windows Environments White Paper Parallels Mac Management for Microsoft SCCM 2018 Presented By: Table of Contents Environments... 3 Requirements for Managing Mac Natively
More informationSnort: The World s Most Widely Deployed IPS Technology
Technology Brief Snort: The World s Most Widely Deployed IPS Technology Overview Martin Roesch, the founder of Sourcefire and chief security architect at Cisco, created Snort in 1998. Snort is an open-source,
More informationCommunity Edition Getting Started Guide. July 25, 2018
Community Edition Getting Started Guide July 25, 2018 Copyright 2018 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks are the
More informationMCAFEE INTEGRATED THREAT DEFENSE SOLUTION
IDC Lab Validation Report, Executive Summary MCAFEE INTEGRATED THREAT DEFENSE SOLUTION Essential Capabilities for Analyzing and Protecting Against Advanced Threats By Rob Ayoub, CISSP, IDC Security Products
More informationForescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2
Forescout Version 2.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191
More information