EventSentry v4.2: Identifying insecure configurations with a hybrid SIEM

Netikus.net EventSentry v4.2 was recently released and contains improved security capabilities for environments to monitor changes, provide alerts and proactively discover security vulnerabilities. In this review of new features, we will take a look at the new capabilities provided with EventSentry v4.2 and see how they improve EventSentry’s offering.

About the EventSentry Hybrid SIEM ^

Before we take a look at the new features with this latest release of EventSentry, let's conduct a brief overview of EventSentry. Compared to many of the popular names in the SIEM space, EventSentry is an economical SIEM solution that touts the following:

  • Unlimited data—Unlike other SIEM solutions, EventSentry allows you to collect and archive an unlimited amount of data, for a single price.
  • Economical offering—To go along with the unlimited data retention, it offers one full year of email and phone support.
  • No sensor limits—EventSentry is licensed per host, so you can monitor as many metrics per host as you want.

EventSentry provides a holistic solution for monitoring and discovering security issues in a Windows environment. It offers features above and beyond a simple Syslog collector. It allows monitoring many relevant aspects of Windows systems, including health metrics, performance, inventory, and other details, to go along with the normal events and log files that are collected.

Events are collected and alerted on in real time, and data transmitted to the collector is encrypted and compressed with collected metrics cached during network outages. EventSentry does a really good job of providing descriptive and contextual information in email alerts. Terms are explained, IP addresses are resolved into DNS names and geolocation data is added as well.

EventSentry allows you to correlate security event data to help put together the "entire picture" of security events. When trying to gather information for forensic data it enables answering pertinent questions such as who ran the application, when did the user log on and which files were changed and from which workstation.

The web-based reporting also provides an API interface that third-party solutions and applications can make use of to tie into the EventSentry SIEM solution.

New features in EventSentry v4.2 ^

EventSentry v4.2 provides a list of new features to take note of, including:

  • Validation scripts
  • Browser extension inventory
  • New "EventSentray" utility
  • Filter compliance reports to administrator activity
  • Other improvements

Let's look at each of these in more detail.

Validation scripts

One of the major new features in EventSentry v4.2 is the inclusion of validation scripts. With most SIEM products, the main core functionality centers on identifying potentially malicious behavior in the environment. However, EventSentry v4.2 takes this a step further in the v4.2 release with the validation scripts.

Malicious behavior can often be the result of misconfigured or insecure configurations across the landscape of your servers and workstations. What if you could identify these insecure configurations or vulnerabilities before they were exploited? With validation scripts, EventSentry v4.2 allows you to do that. This helps to bolster the overall benefit of the solution, raising it from simply being a reactive tool that can identify malicious behavior to one that helps to identify weaknesses before they are exploited.

With EventSentry v4.2 validation scripts, you can scan endpoints to determine various weaknesses and insecure configurations across the landscape of your Windows Server environment as well as Windows client workstations. As you can see below, there are currently 60 checks that are carried out on the Windows Server side for security purposes. One to note is the Windows Build Version Check (OS Updated), which helps to quickly see whether the box is up-to-date with patches. Unapplied patches are a huge vulnerability in most environments.

Viewing the failed validation script report for a Windows Serve

Viewing the failed validation script report for a Windows Serve

Browser extension inventory

Browser extensions are generally a blind spot in many environments, as users often install browser extensions if they have the system rights to do so. Browser extensions can potentially enable malicious activity and data compromise in your environment. Having the ability to inventory which extensions are installed across the environment is a great way to have visibility into this threat vector.

You can set up:

  • Alerts—Notifications when extensions are installed, updated, or uninstalled
  • Searchable inventory

With this information, initial discovery can be performed, a baseline set, and reporting and alerting configured to notify on a regular basis to show new browser extensions that have been installed.

New "EventSentray" utility

Once you have onboarded an endpoint and installed the agent with EventSentry v4.2, you will notice a new systray app that Netikus calls the EventSentray utility. This is a handy little app that allows easily seeing system resources for systems that admins remote into for troubleshooting. It aggregates useful information that sysadmins generally have to look for in multiple utilities, including the following:

  • CPU, memory, disk utilization, and storage use
  • Top three apps consuming CPU and memory
  • IP address, host name, and connection speed
  • Currently logged on users
  • Quickly viewing whether the host has a pending reboot

Another really great feature with the system tray utility for EventSentry is that end users can submit support tickets by means of a customizable link. Support tickets that are created will also grab the real-time information from the system (screenshot as well if desired) and append this to the support ticket.

Viewing the EventSentry utility

Viewing the EventSentray utility

Filter compliance reports to administrator activity

EventSentry v4.2 has improvements in the realm of compliance reports with this release. Many compliance regulations require reporting administrator activities. With EventSentry v4.2, you can now filter the built-in compliance reports to detail activity for administrator activity with a simple checkbox. This makes it easy to provide the documentation needed for compliance reviews or official audits.

Filtering based on administrator activity with EventSentry compliance reports

Filtering based on administrator activity with EventSentry compliance reports

Other improvements

There are a couple of other improvements with the EventSentry v4.2 release, including dashboard import and export as well as webcam and image dashboard tiles that organizations will find useful, in terms of both management and information display.

The import and export functionality will no doubt be useful when moving dashboards between EventSentry environments. Also, the web cam and image functionality will help to round out the information display for organizations that need to display these information types in a dashboard tile.

Import and export dashboards in EventSentry v4.2 image courtesy of Netikus

Import and export dashboards in EventSentry v4.2 image courtesy of Netikus

An example of the web cam and image dashboard.

New image and web cam dashboard tiles image courtesy of Netikus

New image and web cam dashboard tiles image courtesy of Netikus

Wrapping up and impressions ^

I really like the new features and capabilities in this latest release of EventSentry v4.2. The standout with this release is the validation scripts feature. I think many organizations can easily benefit from the quick security information and visibility that can be gained by way of the validation script scans across the Windows environment. It is a great way to quickly see low-hanging security fruit from a remediation standpoint and perhaps discover vulnerabilities or misconfiguration that wouldn't be seen otherwise. The other features, such as the browser plugin inventory, admin reports, and new system tray utility, will certainly add value to the offering.

0

Poll: Does your organization plan to introduce Artifical Intelligence?

Read 4sysops without ads and for free by becoming a member!

0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account