SNARE Enterprise Agents Features

InterSect Alliance, A Prophecy International Company

Agents

Centralized log management and analysis is essential to assuring the integrity of critical logs and achieving compliance with a growing list of regulations. However, the requisite process of transmitting log data across public or even private networks can simultaneously work against these important objectives. The SNARE Agents provide users with the tools necessary to address this challenge.

The SNARE Agent is the industry standard for logging security events and is used with most SIEM servers, services and MSSPs. The agents are easy to install, configure and manage, and they greatly enhance the three pillars of information security: Confidentiality, Integrity and Availability.

The SNARE Agents are issued as a supported Enterprise Agent and as an unsupported, limited Open Source download. When deciding which release of the Agent your organization should use, consider the following questions:

1. Support - If you need a supported security platform, then you need to use the Enterprise Agent. The Open Source Agent is provided to the open source community, free of charge and as issued. The Enterprise Agents include maintenance, upgrades, bug fixes and support of the product and for you as a customer.

2. Complete and Factual - If your organization needs to know that every log will be captured and forwarded with integrity, then you need to use the Enterprise Agents. The Open Source Agent does not support TCP, caching, custom event logs, UTC or registry audits.

3. Sensitivity and Confidentiality - If your organization works with sensitive data, then you need to use the SNARE Enterprise Agents, which include best practices and encryption protocols.

The SNARE Agent features are summarized in the following table, which compares the Enterprise and Open Source agents feature by feature.

Agent Features (Enterprise / Open Source)

1. Maintenance, Upgrades and Customer Support
2. Windows 2012 / Windows 8 Platforms
3. Custom Windows Event Logs
4. Event Log Caching
5. Confirmed Log Message Delivery
6. Encryption
7. Monitor Registry Events
8. Dynamic DNS Support
9. External Device Monitoring, e.g. USB Devices
10. UTC for Time Zone Normalization
11. Agent Heartbeat
12. Multiple Destinations
13. Single MSI
14. Snare Agent Management Console
15. Monitor Policy Status
16. Service Tracking
17. Group Policy Support
18. Monitor Agent Configuration Changes
19. Event Throttling
20. Light on Resources
21. Regulation Compliance
22. Real Time Event Filtering
23. Easy to use Installer
24. UDP Option
25. Locale Date Information
26. Stability
27. Latency and Real Time
28. Multiple Syslog Header Options
29. Remote Control Interface
30. Native OS Audit Control
31. Upgrading

Following is a more detailed description of the SNARE Agent features:

1. Vendor Support

The SNARE Enterprise Agents give you access to customer, product and technical support to ensure compliance.

2. Windows 2012 / Windows 8

SNARE Enterprise Agents are supported on all Windows platforms, including Windows Server 2012 and Windows 8.

3. Custom Windows Event Logs

The SNARE Enterprise Agents extend the reach of the open source SNARE Agents beyond the core Windows Event Logs. They enable the collection, filtering and transmission of non-standard and third-party Windows Event Logs as well.

4. Event Log Caching

Intermittent network outages pose a significant challenge to the integrity of centralized log management. One of the most feared IT auditor questions has long been: what happens to the log events if there is a network disruption? This is particularly true of systems leveraging syslog for log aggregation. Event Log Caching significantly enhances the integrity of the overall log management system by storing undelivered messages in memory on the originating host in the event of a transmission failure. Common sources of transmission failures include: network stack malfunction on the host machine, network device failure or misconfiguration (e.g. a router), the destination server being offline, or network outages. Once the SNARE Enterprise Agent is notified of a problem delivering messages to the destination server (which requires TCP mode, since UDP gives the sender no such notification), the event log cache preserves subsequent messages for as long as the destination server is unavailable. Once a new connection can be established with the server, the cached events are forwarded to their destination. This ensures that events are not lost. Because the cache is held in memory, it is bounded by the memory available to the agent and does not survive an agent restart or host reboot; an outage that outlasts the cache is the case to plan for, for example by simulcasting to a second destination (feature 12) and watching the agent heartbeat (feature 11).

5. Guaranteed Log Message Delivery

System administrators and security professionals alike are under ever-increasing pressure to ensure the completeness and integrity of logs. This is particularly challenging during the process of transmitting log messages from the originating host via syslog to a centralized log repository. Leveraging the features of Smart TCP, SNARE Enterprise Agents are notified of any problems encountered during transmission and take appropriate action to preserve event log continuity and completeness, ensuring that events make it to the target destination and that there are no lost or missing logs.

6. Encryption

One of the goals of IT security is to ensure secure and protected transport between the agent and the collector, preventing the compromise of your security information in transit. This entails the ability to encrypt messages between the originating host and the server, be it SNARE or another. The SNARE Enterprise Agent supports both TLS and SSL* encryption, allowing the agent to securely and confidentially send event logs to any TLS- or SSL*-capable collection device. The agent negotiates the best encryption available. Once the messages have been accepted by the server, they are decrypted and processed as normal messages. By utilizing the Centralized Configuration Management option, agent message encryption can be quickly rolled out across the network, enhancing log integrity and confidentiality throughout the organization. Note that SSL 3.0 has since been deprecated (RFC 7568); where the collector allows it, restrict both ends to TLS so that negotiation cannot fall back to SSL.

7. Monitor Registry Events

The SNARE Enterprise Agents include the ability to apply auditing to sections of the registry and report changes, thus ensuring that the auditing system is not compromised to provide a false sense of security.

8. Dynamic DNS Support

If DNS names are used in the configuration of either the Advanced Remote Control or Log Message Simulcast features, generally the host name is resolved only once, as the agent starts up. With dynamic DNS support, the agent can be scheduled to automatically refresh the associated IP address. This setting is crucial for installing new SNARE Servers or dynamically changing the destination server in the event of a network or site failure (i.e. disaster recovery) without having to reconfigure or restart a single agent. This feature provides uninterrupted real-time 24x7 operation.

9. External Device Monitoring, e.g. USB Devices

Tracking USB device connection and disconnection is difficult using only the Windows event log. Depending on the device in question, the events generated when it is active vary widely in number and amount of detail. A mechanism registers the agent directly with the operating system so that it is notified of the arrival and detach events for all USB devices. USB auditing is supported on Windows XP, 2003, 2008 and 2012.

10. UTC for Time Zone Normalization

In organizations that span multiple time zones, the SNARE Enterprise Agent can use UTC time zone normalization to ensure the correct sequencing of events, by standardizing timestamps across geographies and time zones.

11. Agent Heartbeat

The SNARE Enterprise Agent can send out regular heartbeats, letting the collecting device know that the agent is operational at all times without having to make contact, and therefore enabling a quick response if a system is down or being compromised.

12. Multiple Destinations

Log message simulcasting allows distribution of events to multiple destinations. Each Enterprise Agent is able to simultaneously direct event logs to multiple destination servers for redundancy, disaster recovery, correlation and transitioning purposes. Deployed along with a hot-standby SNARE Server, perhaps at an off-site disaster recovery site, SNARE Enterprise Agents provide an extremely cost-effective, high-availability log management system. When deployed along with a third-party correlation engine or SIEM tool, Log Message Simulcasting also facilitates a best-of-breed approach to both Log and Security Event Management. The best redundancy measure in a logging architecture is to duplicate the events at the point of generation. This function is built into the SNARE Enterprise Agents, and therefore allows for full redundancy in those situations where continuous logging operation is required.

13. Single MSI

The SNARE Enterprise Agent is distributed as a single smart MSI for all Windows platforms and releases, thus ensuring simplified and error-free distribution.

14. Snare Agent Management Console

The SNARE Enterprise Agents can be managed, monitored and configured by the SNARE Agent Management Console. This Console is able to query all deployed SNARE Enterprise Agents for their current configuration settings. It can then automatically compare deployed agents with the master template and remotely apply and activate an updated configuration if necessary.

15. Monitor Policy Status

The SNARE Enterprise Agent sends an audit event any time it attempts to make a change to the local security policy.
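The caching, confirmed delivery and simulcast features (4, 5 and 12 above) together describe a store-and-forward design: the agent learns from the TCP transport that a send failed, holds the event in a bounded in-memory cache, replays the backlog in order when the link returns, and duplicates every event to each destination at the point of generation. The following Python is an added example written for this page to show that design in working code; it is not SNARE agent code, and the transport interface, the per-destination bounded cache, the oldest-first drop policy and the sample events are assumptions made for the illustration.

```python
"""Store-and-forward log shipping with a bounded in-memory cache, replayed
in order when the link returns, and simulcast to several collectors.
Added illustration written for this page, not SNARE agent code.

Assumptions (hypothetical, not taken from the SNARE documentation):
- a transport is any object with send(line) that raises OSError on
  failure, standing in for a TCP syslog connection;
- the cache is per destination, FIFO and bounded: when it overflows the
  oldest event is discarded and counted in `dropped`.
"""
from collections import deque


class Destination:
    """One collector with its own undelivered-event cache."""

    def __init__(self, name, transport, cache_size=1000):
        self.name = name
        self.transport = transport      # has .send(line); raises OSError
        self.cache = deque()            # undelivered events, oldest first
        self.cache_size = cache_size
        self.dropped = 0                # events lost to cache overflow
        self.online = True

    def _store(self, line):
        if len(self.cache) >= self.cache_size:
            self.cache.popleft()        # oldest event is sacrificed
            self.dropped += 1
        self.cache.append(line)

    def flush(self):
        """Replay cached events in order; stop at the first failure so
        nothing is sent out of sequence."""
        while self.cache:
            try:
                self.transport.send(self.cache[0])
            except OSError:
                self.online = False
                return
            self.cache.popleft()
        self.online = True

    def deliver(self, line):
        """Send `line`, or cache it if the collector is unreachable.
        Any backlog is drained first so ordering is preserved."""
        if self.cache:
            self._store(line)
            self.flush()
            return
        try:
            self.transport.send(line)
            self.online = True
        except OSError:
            self.online = False
            self._store(line)


class Simulcaster:
    """Duplicate every event to all destinations at the point of generation."""

    def __init__(self, destinations):
        self.destinations = list(destinations)

    def emit(self, line):
        for d in self.destinations:
            d.deliver(line)

    def retry(self):
        for d in self.destinations:
            d.flush()


class FlakyTransport:
    """Constructed test double: every send fails while `down` is True."""

    def __init__(self):
        self.down = False
        self.received = []

    def send(self, line):
        if self.down:
            raise OSError("connection refused")
        self.received.append(line)


def demo():
    """Primary collector goes down mid-stream while the standby keeps
    receiving; returns what each collector got and what was cached."""
    primary_tx, standby_tx = FlakyTransport(), FlakyTransport()
    primary = Destination("primary", primary_tx, cache_size=100)
    standby = Destination("standby", standby_tx, cache_size=100)
    agent = Simulcaster([primary, standby])

    # Constructed events; a real agent would forward formatted log records.
    events = [f"EventID=4624\tuser=alice\tseq={i}" for i in range(6)]
    for e in events[:2]:
        agent.emit(e)
    primary_tx.down = True              # outage begins
    for e in events[2:5]:
        agent.emit(e)
    cached_during_outage = list(primary.cache)
    primary_tx.down = False             # link restored
    agent.emit(events[5])               # drains the backlog, then sends seq=5
    return {
        "primary": primary_tx.received,
        "standby": standby_tx.received,
        "cached": cached_during_outage,
        "dropped": primary.dropped,
    }
```

Draining the backlog before sending the newest event is what keeps the collector's view in sequence; the standby collector never notices the primary's outage because duplication happens before transmission, not after. The bounded cache makes the memory caveat of feature 4 explicit: once it overflows, events are gone, so the drop counter should at least be reported, for example in a service tracking event (feature 16).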

16. Service Tracking

The SNARE Enterprise Agent sends audit events on service operations such as starting, stopping, memory usage, configuration fingerprints and any errors or warnings triggered during operation.

17. Group Policy Support

The SNARE Enterprise Agent checks the Microsoft Policy registry location as the primary source for configuration settings. This means that Group Policy Objects (e.g. ADM files) can be used to configure the agent in an easy and widely supported way, without the need to set "Preferences" (registry values that persist after the policy is removed, also known as tattooing).

18. Monitor Agent Configuration Changes

The SNARE Enterprise Agent monitors activity in the operating system, but who is watching the watcher? This feature adds another layer of security to the SNARE Enterprise Agents by allowing administrators to remotely monitor changes to the Agent's configuration.

19. Event Throttling

The SNARE Enterprise Agents include an event throughput (EPS) control for environments with limited, restricted or low bandwidth. The EPS Rate Limit is a hard limit on the number of events sent by the agent per second to any destination server. This limit applies only to sending events, not to capturing them. The EPS rate limit settings help to reduce the load on slow network links or to reduce the impact on the destination servers during unexpected high event rates. Events captured faster than the send limit are held in the agent until they can be sent, so the limit trades delivery latency during a burst for a predictable network and collector load.

20. Light on Resources

Small deployment footprint (< 5 MB), minimal host CPU requirements (e.g. < 5% of CPU) and minimal host memory requirements (e.g. less than 20 MB).

21. Regulation Compliance

The SNARE Agents provide the ability to gather the information needed to comply with NISPOM, PCI, SOX or other regulatory requirements.

22. Real Time Event Filtering

Most operating system logging subsystems can generate a flood of events. It is therefore important that the agents are able to filter for those events which contribute to the organization's security requirements, or to trap only those that are required while ignoring others, greatly reducing network traffic as well as back-end server and analysis resources (measured in EPS). Tailoring the required events, whilst filtering or discarding the unwanted ones, can be undertaken by the SNARE Agents. The SNARE Agents include the ability to filter events by inclusion or exclusion, using standard or complex expressions to filter on content, event type, user, and/or the success or failure of the event record. Multiple filtering objectives may exist at any one time. The SNARE Agents find, filter and forward events in real time as they are generated, and automatically send them to the SIEM server. SNARE also provides the ability to bypass agent filtering in situations where all events are required, and/or where filtering is to be performed on the server.

23. Installer

The SNARE Agents include an easy-to-use installer which also provides a silent install option.

24. UDP Option

SNARE Agents can use the UDP protocol for fire-and-forget message delivery. UDP delivery is never acknowledged, so events dropped in the network or at a busy collector are lost without notice; where completeness matters, use TCP with caching (features 4 and 5) and reserve UDP for links where some loss is acceptable.

25. Locale Date Information

In locations where the language is not English, the SNARE Agent uses a fixed date and time locale of US English, so that the date and time fields of the log record parse consistently regardless of the host's locale.

26. Stability

Event collection minimizes any interference with the host's operating system and applications, so that the service is stable and independent.

27. Latency and Real Time

The SNARE Agents operate in real-time mode. This means that as events are generated, they are automatically sent to the SIEM server without delay. This provides alerting that is as close to real time as possible, and also makes it increasingly difficult to compromise a system without leaving a trace: deleting the local log files will not remove the events which have already been sent to the remote SIEM Server.

28. Multiple Syslog Header Options

The SNARE Agents allow for a tailorable event log format, with native SNARE or multiple syslog header options. Most event logs are simply 'flat' text files, in which a system or application appends event records. In this case, the only discriminators required to read any type of event log are the location of the log file and the record structure. These parameters can be made tailorable by the user, and hence adapted to a wide range of event logs.

29. Remote Control Interface

When the audit/event logging configuration of the target system needs to be dynamically changed, SNARE provides the ability to remotely control the SNARE Agents. The remote control functionality includes the ability to manage the filtering objectives of the remote agents, along with the ability for the remote agent to reset the host's event logging system. The remote control functionality is able to control almost all facets of the agent's operation, with minimal if any impact on the host. If required, the SNARE Agents are also able to change the operating system's native audit settings to match the audit collection requirements. The Advanced Remote Control feature allows each agent to be remotely configured from a set of administrator IP addresses or the IP address associated with the backup SNARE Server. A source-IP allow-list narrows who can reach the interface but does not by itself authenticate the administrator, so it should complement, not replace, authentication on the interface.

30. Native OS Audit Control

The event generation subsystem on most modern operating systems includes the ability to control how the event logs are generated, configured and produced. On some systems this can be quite complicated and confusing. The SNARE Agents are able to configure the native event subsystem and, if so desired, allow only those specific events to be generated which are required or defined by the security policy. Alternatively, the SNARE Agent can be configured so that it does not, in any way, reconfigure the underlying operating system.

31. Upgrading

The SNARE Agents provide an upgrade option that preserves existing configuration settings.

* This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
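Taken together, the filtering objectives (feature 22), UTC time zone normalization (feature 10), the syslog header options (feature 28) and the EPS send limit (feature 19) describe an agent-side event pipeline: decide which captured events to keep, stamp them with a UTC time, wrap them in a syslog header, and meter the send rate without slowing capture. The following Python is an added example written for this page that runs such a pipeline over a few constructed Windows-style events; it is not SNARE agent code, and the objective syntax, the field names, the `MSWinEventLog` tag, the tab-delimited record body and the sample events are all assumptions made for the illustration.

```python
"""Agent-side event pipeline: include/exclude filter objectives, UTC
timestamp normalisation, an RFC 5424 syslog header, and an EPS send limit.
Added illustration for this page; the objective format, field names,
'MSWinEventLog' tag and record body are assumptions, not SNARE's own."""
import re
from datetime import datetime, timezone, timedelta

# Constructed sample events, roughly as a Windows agent might capture them.
# 'time' is local wall-clock time; 'offset' is the host's UTC offset in hours.
SAMPLE_EVENTS = [
    {"time": "2018-01-02 09:15:01", "offset": 10, "log": "Security", "event_id": 4624,
     "user": "alice", "outcome": "Success", "message": "An account was successfully logged on"},
    {"time": "2018-01-02 09:15:03", "offset": 10, "log": "Security", "event_id": 4625,
     "user": "svc_backup", "outcome": "Failure", "message": "An account failed to log on"},
    {"time": "2018-01-02 09:15:04", "offset": 10, "log": "Security", "event_id": 4672,
     "user": "SYSTEM", "outcome": "Success", "message": "Special privileges assigned"},
    {"time": "2018-01-02 09:15:05", "offset": 10, "log": "Application", "event_id": 1000,
     "user": "bob", "outcome": "Success", "message": "Application hang"},
]

# Filter objectives (action, {field: regex}), evaluated in order; the first
# objective whose criteria all match decides. Events matching none are dropped.
OBJECTIVES = [
    ("exclude", {"user": r"^SYSTEM$"}),                          # noise from the OS itself
    ("include", {"log": r"^Security$", "outcome": r"^Failure$"}),  # any failed security event
    ("include", {"log": r"^Security$", "event_id": r"^(4624|4634)$"}),  # logon / logoff
]


def matches(event, criteria):
    return all(re.search(rx, str(event.get(field, ""))) for field, rx in criteria.items())


def select(event, objectives=OBJECTIVES):
    """Return True if the event should be forwarded."""
    for action, criteria in objectives:
        if matches(event, criteria):
            return action == "include"
    return False


def to_utc(local_str, offset_hours):
    """Normalise a local timestamp to UTC so events from hosts in different
    time zones sequence correctly at the collector."""
    tz = timezone(timedelta(hours=offset_hours))
    local = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def format_syslog(event, hostname="WS01", facility=13, severity=6):
    """RFC 5424 header (PRI, version, UTC timestamp, host, app-name, '-' for
    procid/msgid/structured-data) followed by a tab-delimited record body."""
    pri = facility * 8 + severity
    ts = to_utc(event["time"], event["offset"]).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = "\t".join(str(event[k]) for k in ("log", "event_id", "user", "outcome", "message"))
    return f"<{pri}>1 {ts} {hostname} MSWinEventLog - - - {body}"


class EpsLimiter:
    """Token bucket allowing at most `eps` sends per second (bursts up to
    `eps`). Capture is never limited; only the send decision is."""

    def __init__(self, eps, now):
        self.rate = float(eps)
        self.tokens = float(eps)
        self.last = now

    def allow(self, now):
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run_pipeline(events=SAMPLE_EVENTS, eps=1, clock_times=None):
    """Filter, format and rate-limit. Returns (sent_lines, deferred_lines);
    deferred lines are the ones a real agent would hold for a later send."""
    clock_times = clock_times or [0.0] * len(events)   # default: all in one second
    limiter = EpsLimiter(eps, clock_times[0])
    sent, deferred = [], []
    for ev, t in zip(events, clock_times):
        if not select(ev):
            continue                                   # filtered at the source
        line = format_syslog(ev)
        (sent if limiter.allow(t) else deferred).append(line)
    return sent, deferred
```

With the default settings, the SYSTEM event is excluded before either include rule is consulted, the Application event matches nothing and is dropped, and of the two Security events that survive, only one fits inside a one-event-per-second limit when both arrive in the same second; spacing the events a second apart lets both through. Ordering the exclusion first is deliberate: an include rule evaluated earlier would have forwarded the SYSTEM noise.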

Summary

Are the Confidentiality, Integrity and Availability of distributed system logs critical to you? Do you currently manage a large deployment of Open Source SNARE Agents? Are you looking for a cost-effective, end-to-end log analysis and management system? If the answer to any of these questions is yes, then SNARE Enterprise Agents offer high-value capabilities that simply cannot be found in any other solution available today. Many thousands of organizations, including Fortune 500 companies, government agencies, multinational businesses and highly sensitive sites around the world rely on SNARE every second of every day as the platform of choice for audit, collection, analysis, reporting, management and archival of event information: the Trusted, Low Risk, High Value Choice.

For more information visit us at www.intersectalliance.com or contact us as follows:

The Americas: 1 (800) 834 1060 Toll Free or +1 (303) 488 3451 (Denver)
Asia Pacific: +61 8 8213 1200 (Adelaide, Australia)
Europe and the UK: +44 (797) 090 5011
or email us at intersect@intersectalliance.com

Intersect Alliance International Pty Ltd shall not be liable for errors contained herein or for direct or indirect damages in connection with the use of this material. No part of this work may be reproduced or transmitted in any form or by any means except as expressly permitted by Intersect Alliance International Pty Ltd. The Intersect Alliance logo and Snare logo are registered trademarks of Intersect Alliance International Pty Ltd. Other trademarks and trade names are marks and names of their owners as may or may not be indicated. All trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice.