Security Information and Event Management (SIEM, typically pronounced seam) software provides real-time analysis of server applications and generates statistics and alerts. Most SIEM solutions, especially those collecting data in real time, rely upon agents to tap into server security and event information and transfer the data to a central monitoring server for reporting.
I reviewed NETIKUS EventSentry v3.3 here at 4sysops in February 2017; read the article if you need a general overview of how the product works.
Today I'd like to review what's new and what's changed in EventSentry v3.4, released on November 6.
MBR/boot sector monitoring
Although EventSentry is not technically antimalware, the new MBR/boot sector monitoring feature can alert you when suspicious activity occurs on your network. As you know, some malicious software writes code to an infected system's boot sector to hijack the system startup process.
The EventSentry v3.4 agent can now recognize startup disk MBR/boot sectors, detect modifications, alert your security staff, and enable them to restore the MBR/boot sector from EventSentry’s known-good backup. That's powerful!
Related is the new file entropy feature. Ransomware has been in the news a lot this year. EventSentry can now calculate the entropy of any file, which can trigger an alert when ransomware attempts to encrypt a large number of files (encrypted and compressed files have a higher entropy than "regular" files).
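To make the entropy idea concrete, here is an added example (my own illustration, not EventSentry's code) that computes Shannon entropy per file and flags a burst of high-entropy files; the threshold and minimum hit count are assumptions, and the sample "files" are constructed in memory.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

# Assumed threshold: encrypted and compressed data sits close to 8.0 bits/byte,
# while text, documents and most executables are well below this.
HIGH_ENTROPY = 7.2

def classify(data: bytes, threshold: float = HIGH_ENTROPY) -> str:
    """Label a single file's content by its entropy."""
    return "high-entropy" if shannon_entropy(data) >= threshold else "normal"

def scan_for_burst(files: dict, threshold: float = HIGH_ENTROPY, min_hits: int = 3):
    """Return (flagged, names) where flagged is True when at least `min_hits`
    files cross the threshold, i.e. a pattern consistent with mass encryption."""
    hits = sorted(name for name, blob in files.items()
                  if shannon_entropy(blob) >= threshold)
    return len(hits) >= min_hits, hits

# Constructed samples: ordinary text, and a uniform byte stream standing in for
# ciphertext (every byte value equally frequent, so entropy is exactly 8.0).
TEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 40
CIPHERTEXT_LIKE = bytes(range(256)) * 16

SAMPLE_FILES = {
    "notes.txt": TEXT_SAMPLE,
    "report.txt": TEXT_SAMPLE[::-1],
    "notes.txt.locked": CIPHERTEXT_LIKE,
    "report.txt.locked": CIPHERTEXT_LIKE[::-1],
    "budget.xlsx.locked": CIPHERTEXT_LIKE[128:] + CIPHERTEXT_LIKE[:128],
}

if __name__ == "__main__":
    for name, blob in SAMPLE_FILES.items():
        print(f"{name:20s} {shannon_entropy(blob):.2f} bits/byte  {classify(blob)}")
    flagged, hits = scan_for_burst(SAMPLE_FILES)
    print("burst detected:", flagged, hits)
```

A real scanner would compare each file's entropy against its own earlier value, since some legitimate files (archives, images, signed installers) are high-entropy by nature.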
The new collector threshold feature monitors lateral movement across the network—specifically, the same alert threshold being crossed repeatedly across multiple monitored machines. This component can detect sophisticated attacks, APTs, and malware, or simply policy abuses such as an employee sharing their username and password with coworkers.
EventSentry v3.4 can now generate NIST 800-171 compliance reports as well.
Software version checking
Many configuration management solutions automate software distribution, but keeping that software up to date often requires another product. EventSentry v3.4 includes a large software version database that can detect and alert you to out-of-date software on your monitored hosts. You can then schedule reports for selected (or all) systems so you can immediately identify outdated and potentially insecure software (think Flash). I show you the interface in the next screenshot.
NETIKUS even invites their customers to submit a list of their own standard software for inclusion in their software version checker database.
UPS and laptop battery monitoring
EventSentry v3.4 can now monitor and alert on uninterruptible power supplies (UPSs) attached to your servers as well as the batteries in your laptops. In addition to alerting you when a monitored host is running on battery instead of mains power, EventSentry can also perform a graceful shutdown after an administrator-configurable time period has elapsed.
User activity auditing
Businesses use EventSentry for a variety of reasons:
- Complying with internal security policies
- Complying with industry and/or governmental regulations
- Maintaining service-level agreements (SLAs)
- Integrating with IT service-management (ITSM) frameworks
Previous EventSentry versions tracked a variety of user-specific events, including but not limited to:
- Processes started
- Files accessed
- Modifications to applications and services
EventSentry v3.4 now consolidates all of these user-specific auditing streams into a single, easy-to-understand dashboard view. I show you the interface in the next screenshot.
Speaking of data roll-up, EventSentry v3.4 now also consolidates the current audit policy status of every monitored host into a single dashboard view. Previously, it wasn't possible to see the actual status of all audit policies through the proverbial "single pane of glass."
Better integration with third-party log management software
Depending on the size and distribution of your organization, not every group may use EventSentry. Starting with v3.4, EventSentry expands the syslog formats it supports; the new format line-up is as follows:
- Common Event Format (CEF, Arcsight)
- Graylog Extended Log Format (GELF)
- Nagios Log Server
- RFC 3164
- RFC 5424
You can still use the HTTP and process actions to integrate EventSentry data with other reporting tools.
Detailed disk space alerting
Historically, EventSentry has always been able to monitor disk space usage. However, v3.4 now reports on the 15 largest files and folders per volume, as shown in the following screenshot.
I especially like this feature because it's useful for me to understand exactly which file system objects consume the most space, not simply what percentage of free space I have available per volume. No more SpaceMonger for me!
NetFlow bandwidth reports
NetFlow is a popular Cisco network protocol that makes it easier to collect and interpret IP traffic flowing through devices that support it. EventSentry v3.4 expands the NetFlow component (introduced in v3.3) to measure bandwidth using NetFlow instead of (or in addition to) SNMP.
Specifically, this means that EventSentry can now provide more detailed bandwidth reports, including network metrics such as:
- Bytes per packet
- Bytes sent/received
- Packets sent/received
- Utilization percent
You may be aware that NETIKUS offers three different license types for monitored hosts:
- Full (Windows Server or Client)
- Network Device (Linux, macOS, VMware hosts, switches, or firewalls)
NETIKUS recommends that existing customers contact them for upgrade information. In summary, it's clear to me that NETIKUS put a lot of effort into EventSentry v3.4. They listen closely to their customers and actually integrate their feedback into the product.
I will leave you with some links for further learning.