- Azure Sentinel—A real-world example - Tue, Oct 12 2021
- Deploying Windows Hello for Business - Wed, Aug 4 2021
- Azure Purview: Data governance for on-premises, multicloud, and SaaS data - Wed, Feb 17 2021
NETIKUS.NET released version 3.5 recently, and in this article, we're going to look at what's new and improved and where EventSentry might fit into your IT infrastructure.
A SIEM to go ^
NETIKUS EventSentry monitors your Windows servers and clients, along with network devices and Linux systems for security information. It gathers the data in one place for you to see the state of your infrastructure, known as a security information and event management (SIEM).
In case you've been living under a rock, the world has woken up to the fact that much of our society (at least in the developed world, and increasingly in the developing world as well) is now totally reliant on IT, and much of it has terrible security. The need for businesses of all sizes to take security seriously has never been greater, and a great first step is increasing visibility by gathering telemetry from your environment so you know what's going on.
"There are two types of companies: those that have been hacked, and those who don't know they have been hacked." –John Chambers (former CEO of Cisco)
A SIEM will help ensure your company is the first type, not the second.
Installation and configuration ^
Whenever I review a networking monitoring or SIEM tool, a few criteria are high on the list. It should be easy to do several things: installing the tool, adding servers and devices, and finally, tweaking alerts and customizing dashboards.
I'm happy to report the installation of the trial software on my test server was smooth, followed by a notification that there was a new build available, which it promptly downloaded and installed. I then tested both the Active Directory (AD) scanning feature to add servers and the network scan. In this screenshot, you can see it found a lot of servers (time to clean out old computer accounts in my AD domain). Finally, it was easy to set up reports and configure alerts.
New Features in 3.5 ^
Understanding which processes on your servers accept incoming network traffic or send outgoing traffic is a great way to spot malicious traffic. This new feature in 3.5 integrates with Sysmon, a free Sysinternals tool. It shows you active processes and their information, along with network activity initiated by a process and processes listening for incoming connections. If you have the optional NetFlow component for EventSentry, you also get correlation between the data that Sysmon sees and what NetFlow reports from switches and routers. Even if you don't have Sysmon, EventSentry shows you open TCP ports on a monitored machine. Note that previous versions had process tracking—3.5 adds the link between the network traffic and the process.
Another new feature is registry tracking. Normalizing all registry audit events on a monitored PC makes it easier to report on changes and activity in the registry across your infrastructure.
Earlier versions had the ability to group machines together to help organize the view of your entire network in a flat group structure, but the new tagging feature is more flexible. You can add tags (dev, test, staging, or prod, for instance) and then use the tags when creating web reports and when targeting packages to machines.
Monitoring changes to important files is part of earlier versions and is called file integrity monitoring (FIM). New additions to this feature include the option to suppress warnings for digitally signed files (think Microsoft updates), which should lower the number of nuisance alerts. Another very interesting addition is the ability for FIM to calculate the entropy of files and alert you when this changes, giving you a heads up for ransomware. Only encrypted (and compressed) files have a significant increase in randomness or entropy.
Another feature that should reduce unnecessary alerts is dynamic disk space alerts. Windows doesn't do this, and it's a pet peeve of mine. As soon as space goes below 10%, even on a 4 TB drive, the icon goes red. It's OK though—I still have 370 GB free! EventSentry adapts to larger volumes and only alerts you when disk space is really running low.
EventSentry has replaced the SHA‑256 algorithm for calculating checksums with a more efficient version, lowering CPU usage. They're also transitioning from 32-bit processes to 64-bit ones with the Heartbeat Agent getting an upgrade in 3.5. If you're sending event logs to a remote Syslog receiver, you can now use TLS to protect the traffic.
A good SIEM ^
My main concern is that for larger environments, SIEMs should move beyond the "find problem, alert human" stage, because this approach doesn't scale. To improve this situation, SIEMs can assist humans by using machine learning and artificial intelligence (AI) to filter alerts and build timelines so analysts have fewer alerts to deal with.
However, SIEMs with AI features are considerably more expensive and often require extensive tweaking, increasing cost further. On the other hand, EventSentry can integrate with such SIEMs, marrying the best of both world: real-time monitoring with easy deployment, coupled with a system that can use machine learning to detect anomalies.