NetVision

NetVision Company Blog

A Discussion on Effective Audit of User Access

Actionable Intelligence


In my other blog, I recently discussed how Actionable Intelligence seems to be the Achilles heel of SIEM solutions.  I promised to continue that discussion with a few words about NetVision’s approach to the problem.  And it’s quite simple actually.

The SIEMs and enterprise log management vendors seemed to have started from a different viewpoint.  They began by thinking about the dozens (or hundreds) of systems and applications that generate logs.  They thought about how to best collect logs from heterogeneous sources and then attempted to correlate information across different types of data.  For some organizations, these solutions must seem heaven-sent.  How else would you deal with all that log information?  How else would you collect, capture, and store those logs in case you need to look through them in the future?

Where they seem to fall short, though, is in providing actionable intelligence about what’s happening in the environment.  How could they?  They collect logs from hundreds of systems at once.  Even if it’s possible to set up alerts or actions based on some activity, someone would need to figure out how to interpret the logs, understand what possible values would be in the logs, configure the appropriate response to each event type in each system, and constantly monitor and keep them all up to date.  Doesn’t sound fun.  Certainly not simple.

Our angle of sight is different.  We see the core network directory (Microsoft Active Directory or Novell eDirectory) as the heart of the network.  It grants network access (sometimes local access to the workstation) and is often used to authenticate requests from VPNs, portals, and other systems.  A new account in the directory means a new identity to keep track of and a new potential threat on the network.  So that’s where we’ve focused since 1995.

We are buried deep within the core network directory and related file systems.  We don’t scrape logs and we’re not worried about what logs are being generated by some router or web server out in the network. Because of that focus, we have been able to build extensive tools that make it easy to filter on the types of events and information that are important to you.  And we’ve taken it a step further.

With our SIMON managed service, you don’t have to know anything about creating policies or configuring filters.  We do it all for you based on best-practices, years of experience, and your own personal needs.

The end result?  Actionable Intelligence.

You get emails when you want them that tell you who made a change, what change they made, and the before and after values.  Some events just write to the database, others kick out files, others generate alerts.  Some decisions are based on the resource (e.g. the Domain Admins group).  Other decisions are based on the actor (e.g. employees scheduled to exit the company), the attribute changed, or even the time of day.  Data is transformed immediately into information and then analyzed and re-routed as appropriate.

This isn’t some future reality either.  We’ve been doing this a long time.  And we keep getting better.  I can’t wait to tell you what’s next for us.

Last Logon - Attribute Confusion


NetVision customers often ask for help reporting on the last time a particular user logged onto the network.  Here’s what you need to know about finding the right attributes.

Active Directory
When querying for last logon, a very common mistake is to look at the LastLogonTimeStamp attribute.  If this attribute is selected, no data will be returned.  It’s a calculated attribute that doesn’t hold information.  The correct attribute to query is LastLogon.  This attribute contains the last time the user logged into AD.

NOTE: If you’re filtering in real-time for specific users, be careful.  The person logging in will NOT show as the UserID; it will show as the system process used to authenticate the user.  To correctly monitor specific accounts, NetVision customers can set their filter to include the list of accounts they are interested in monitoring.  When the LastLogon attribute is written to AD, the object (or DN) that receives the attribute change is what NetVision records.  If the policy is set correctly, you will see the change to the LastLogon time and you will be able to see the system process that authenticated the user or object.

eDirectory
When querying for last logon in eDirectory, a common mistake is to select the lastLoginTime attribute.  If this attribute is selected, the date and time that will be returned is not the true last time the user logged in, but the time before that.  For example, if I logged in on 1/5/09 at 8am, and then logged in again on 2/8/09 at 9am, the lastLoginTime attribute will have the value of 1/5/09 8am (a full month off).  The correct attribute to query is loginTime.  This entry contains the true last time the user logged into eDirectory.
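As an added example that is not part of the original post, here is how a last-logon report can consume the two correct attributes named above: AD's LastLogon is a Windows FILETIME (100-nanosecond ticks since 1601) and is kept separately on each domain controller, so the newest value across the DCs queried is the true last logon; eDirectory's loginTime is an LDAP Generalized Time string. The domain controller names and the sample attribute values are constructed for the example, with timestamps matching the 1/5/09 and 2/8/09 logons described above.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: LastLogon counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(value):
    """Convert an AD LastLogon value (FILETIME as int or decimal string) to a UTC datetime.
    A value of 0 means this DC has never recorded a logon for the account."""
    ticks = int(value)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def ad_last_logon(per_dc_results):
    """LastLogon is not replicated between domain controllers, so the true last
    logon is the newest value found across every DC queried.
    per_dc_results maps a DC name to that DC's attributes for one user."""
    times = []
    for attrs in per_dc_results.values():
        for raw in attrs.get("lastLogon", []):
            t = filetime_to_datetime(raw)
            if t is not None:
                times.append(t)
    return max(times) if times else None

def edir_login_time(attrs):
    """eDirectory loginTime is an LDAP Generalized Time string such as 20090208090000Z."""
    raw = attrs.get("loginTime", [])
    if not raw:
        return None
    return datetime.strptime(raw[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def is_dormant(last_logon, as_of, max_idle_days=90):
    """Audit check: an account with no logon at all, or none within
    max_idle_days of the reference date, is flagged as dormant."""
    return last_logon is None or (as_of - last_logon) > timedelta(days=max_idle_days)

# Constructed sample data (DC names are placeholders): the user logged in on
# 1/5/09 8am and again on 2/8/09 9am (treated as UTC). Only dc2 authenticated
# the second logon, so only dc2's copy of LastLogon holds it.
SAMPLE_AD = {
    "dc1.example.test": {"lastLogon": ["128756160000000000"]},  # 2009-01-05 08:00 UTC
    "dc2.example.test": {"lastLogon": ["128785572000000000"]},  # 2009-02-08 09:00 UTC
}
# eDirectory: lastLoginTime still shows the previous logon; loginTime shows the real one.
SAMPLE_EDIR = {"lastLoginTime": ["20090105080000Z"], "loginTime": ["20090208090000Z"]}
```

Querying only one DC for LastLogon (as with dc1 above) would under-report the user's activity by a month, which is the AD analogue of the eDirectory lastLoginTime mistake.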

Got Other Challenges Like This?
The roles and usage of the dozens of relevant objects and attributes - and how to correctly configure policies - can be a lot to understand and remember over time.  As requirements change, you want to make sure the right information is being captured and analyzed.  NetVision’s SIMON managed service makes it all simple.  You don’t have to remember a thing.  Just tell us what’s important to you and we put our expertise to work to do the job quickly and efficiently.

Audit Monthly


Audit Monthly is NetVision’s monthly newsletter featuring tips and information on effective security audit.  In addition to the main content area, monthly recurring side-bar sections include:

  • Auditor Tips - features tips and insight from security audit industry veterans.
  • Product Corner - includes highlights and updates from NetVision’s product management group.
  • From the Field - provides real-world stories from NetVision’s field sales and service teams.

Subscribe to Audit Monthly.

Deloitte’s Global Security Survey


Here is the link to Deloitte’s 6th Annual Global Security Survey.  There’s some very interesting information in the survey:

  • The number one problem found by information security auditors: excessive access rights
  • The number one cause of failed security projects: lack of resources
  • The number one root cause of Information Systems failures: human error

The survey also discusses the changing role of the CISO.  Go take a look!

Security in a Recession


There’s an interesting article over at CSO titled 5 Tips for Managing Security in a Recession.  It has some good advice for people trying to maintain security and auditability on a restricted budget.

The final paragraph talks about the value of outsourcing being cost-cutting but warns of the security risk.  We thought about that a lot last year during our planning meetings for SIMON.  Ultimately, we concluded that we could put out a solution that recovers budget without introducing security risk by implementing an appliance-based approach on-site that is managed by experts.  You outsource the pain, but not the data.  The data stays safe at home.

The Cost of Compliance


Everybody is talking about the cost of non-compliance. But what about the enormous cost of achieving compliance? For many, that cost seems to make the assurance of being compliant hardly worthwhile (think insurance). You wouldn’t pay $20,000/yr. for homeowners insurance that covers up to $100k/yr., especially when the threat of catastrophe seems unlikely.

The bottom line: there are better ways to approach the problem. If you’re laying out every regulation and trying to map some control in your environment to each of the requirements, you’re probably paying way too much in both cost and effort. Simplify by taking a multi-regulatory approach. And (of course) leverage pragmatic solutions that cut costs to achieve the same goal. Spending what amounts to some large percentage of the potential threat cost is not your only option! That’s the idea behind SIMON.

About NetVision


Founded in 1995, NetVision is a pioneer in Identity & Access monitoring and reporting. NetVision provides periodic assessment and real-time monitoring capabilities with superior event filtering and from-the-source data collection. NetVision is focused on providing relevant answers to critical identity & access questions across platforms on core network directories and file systems.

New Blog


Welcome to NetVision’s new corporate blog. We look forward to many interesting conversations!

© 2009 NetVision Company Blog. All Rights Reserved.
