eTrust Audit Functionality
eTrust Security and Systems Audit Information
Today’s eBusiness environments are increasingly complex,
with security activity information spread across numerous heterogeneous
systems and applications. It is an ongoing challenge to monitor the security
of the entire environment. Hackers scan networks looking for vulnerabilities
that will allow them to gain system access. A failed logon attempt on one host
may not be suspicious. Multiple servers experiencing failed logons within a
short period could indicate that someone is trying to gain unauthorized
access. The ability to correlate suspicious events across multiple
heterogeneous systems enables the security team to quickly respond to a
potential intrusion.
In the event of an intrusion, all of the information
related to the attack needs to be securely captured and stored. Audit logs
that are protected against tampering, and can be shown to be intact, may be
admissible as evidence in a legal proceeding. Most importantly, audit logs are
the most critical, if not the only, way to assess the extent of a security
incident: which resources were compromised and what information was
disclosed.
While many systems and applications generate audit
information, they do not address the need for reliable collection and archival
of audit data. Organizations need an audit collection solution that clearly
communicates relevant data to security and systems managers, enabling rapid
assessment and response.
Native Auditing Shortfalls
A fundamental requirement for system
security is the ability to detect and monitor any activity on the system.
While many systems and applications generate audit information, they do not
offer reliable information collection and archival. They also fall short of
providing flexible and consolidated viewing, reporting and analysis of the
audit—often lacking intuitive interfaces, offering limited functionality and
presenting cryptic or even unusable event messages. These insufficiencies
drive many organizations to turn auditing off, thus creating major security
risks.
Native event logs are written locally by
most operating systems, RDBMS and commercial or homegrown applications. They
record each transaction immediately after it completes. An unusual sequence of
events can alert a security administrator to a possible intrusion. However,
identifying and correlating suspicious events is often very difficult. For
example, when intruders attempt a password attack against Windows NT, they may
soon reach the Bad Password limit for the account and be locked out, unless
they are attacking the built-in Administrator account, which Windows NT does
not lock out. If a lockout event is recorded, it appears only in the event log
of the workstation where the bad passwords were entered, and only if that
workstation has auditing enabled for failed logon and logoff events. No event
is logged at the domain controller. An auditor who suspects improper use of an
account must search the event logs of every client station to find the
lockout.
In the case of an intrusion, it is critical
to have an immediate alert that warns if someone is wandering the network,
launching attacks or stealing or tampering with critical data. Native auditing
is oftentimes used ineffectively since:
- Logs grow large and are overwritten.
- Data is written locally and discarded.
- Tools for sorting and analysis are insufficient.
- There is no central policy control, so events occurring on different hosts cannot be correlated.
- Cross-platform analysis is impossible.
eTrust Audit Delivers
With eTrust Audit, security administrators
can collect enterprise-wide security events and system audit data, filter the
collected information for consolidated viewing and reporting, and
automatically trigger appropriate actions when unusual or malicious activity
is detected. eTrust Audit can collect event information from a wide spectrum
of sources, including UNIX and Windows NT servers, web servers, eTrust
products, mainframe security products and other application services. The
information is stored in a central database for easy retrieval and reporting,
without the performance degradation caused by other auditing products.
Security administrators can receive real-time alerts, or view logs and audit
systems across platforms to determine the security status of the entire
enterprise. eTrust Audit is designed to scale to large eBusiness environments.

How eTrust Audit Works
eTrust Audit installs a Recording and Routing Agent on
each targeted system or application host as well as a Server Collector at the
point where consolidation is desired. These components work in concert to
redirect and collect all audited events throughout the environment. These
components can reside on the same system. All collected data are translated
into an easy-to-understand format for viewing and reporting.
eTrust Audit matches events against patterns so that actions
can be triggered automatically when an event matches. This gives
administrators a first line of defense for host-based intrusion detection and
a way to limit the damage done by unauthorized access. eTrust Audit also ships
with predefined rules so that patterns can be deployed quickly and customized
easily.
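The cross-host correlation described in the opening section (one failed logon on one host is noise; the same account failing on several servers within a short window is not) and the pattern-to-action rules described in the paragraph above can be illustrated with a small event normalizer and a sliding-window rule. This is an added example written for this page, not eTrust Audit's own code or its rule syntax. The two raw log line formats, the host names and the sample events are constructed for the example; NT event ID 529 is the real NT 4.0 "logon failure: unknown user name or bad password" event, but the line layout around it is invented, and the product's SNMP/SAPI submission path is not modelled.

```python
"""Constructed example: normalize failed-logon events from two kinds of hosts
and raise an alert when one account fails on several hosts in a short window.
Illustrative code for this page, not eTrust Audit's implementation."""
from collections import defaultdict, deque
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Event:
    ts: int      # seconds since epoch (the constructed sample uses small numbers)
    host: str
    user: str
    kind: str    # normalized type: "logon_failure" or "other"


# Two simplified source formats, both invented for this example:
#   NT style:    "<ts> <host> EventID=529 User=<user>"
#   Unix style:  "<ts> <host> sshd[<pid>]: Failed password for <user> from <ip>"
NT_RE = re.compile(r"^(\d+) (\S+) EventID=(\d+) User=(\S+)$")
UNIX_RE = re.compile(
    r"^(\d+) (\S+) \S+\[\d+\]: Failed password for (?:invalid user )?(\S+) from \S+$")


def normalize(line):
    """Translate one raw line from either source into a common Event, or None if unrecognised."""
    m = NT_RE.match(line)
    if m:
        ts, host, event_id, user = m.groups()
        # 529 is the NT 4.0 'Logon Failure: unknown user name or bad password' event.
        kind = "logon_failure" if event_id == "529" else "other"
        return Event(int(ts), host, user, kind)
    m = UNIX_RE.match(line)
    if m:
        ts, host, user = m.groups()
        return Event(int(ts), host, user, "logon_failure")
    return None


class SprayRule:
    """Alert when one account fails to log on at >= min_hosts distinct hosts within
    `window` seconds. A single failure on one host is ignored; the same account
    failing across several machines in a short period is the suspicious pattern."""

    def __init__(self, min_hosts=3, window=300, action=None):
        self.min_hosts = min_hosts
        self.window = window
        self.action = action                 # callable invoked with each alert dict
        self._recent = defaultdict(deque)    # user -> deque of (ts, host), oldest first
        self.alerts = []

    def feed(self, event):
        if event is None or event.kind != "logon_failure":
            return None
        q = self._recent[event.user]
        q.append((event.ts, event.host))
        # Drop entries that have fallen out of the sliding window.
        while q and event.ts - q[0][0] > self.window:
            q.popleft()
        hosts = sorted({h for _, h in q})
        if len(hosts) < self.min_hosts:
            return None
        alert = {"user": event.user, "hosts": hosts,
                 "first_ts": q[0][0], "last_ts": event.ts}
        self.alerts.append(alert)
        if self.action:
            self.action(alert)
        q.clear()    # one alert per burst, not one per additional host
        return alert


def correlate(lines, min_hosts=3, window=300, action=None):
    """Run every raw line through normalization and the rule; return the alerts raised."""
    rule = SprayRule(min_hosts, window, action)
    for line in lines:
        rule.feed(normalize(line))
    return rule.alerts


# Constructed sample: Administrator is tried on three hosts within 50 seconds,
# alice fails once, and bob fails on two hosts 700 seconds apart (outside the window).
SAMPLE_LINES = [
    "1000 nt-fs01 EventID=529 User=Administrator",
    "1005 nt-ws07 EventID=528 User=alice",   # 528 = successful logon, not a failure
    "1020 ux-web1 sshd[2231]: Failed password for Administrator from 10.0.0.5",
    "1030 nt-ws07 EventID=529 User=alice",
    "1050 ux-db2 sshd[912]: Failed password for invalid user Administrator from 10.0.0.5",
    "2000 ux-web1 sshd[2300]: Failed password for bob from 10.0.0.9",
    "2700 ux-db2 sshd[950]: Failed password for bob from 10.0.0.9",
    "garbage line that matches neither source",
]

if __name__ == "__main__":
    correlate(SAMPLE_LINES, action=lambda a: print("ALERT:", a))
```

The `action` callback is where a real collector would page an operator, disable the account or forward an SNMP trap; clearing the per-user queue after an alert keeps one spray from producing one alert per extra host.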
To support rapidly evolving technology, eTrust
Audit has an open design that accepts event data submitted by applications it
does not natively support. Applications can send standard SNMP traps to the
eTrust Audit Router for filtering and handling. A more powerful option is the
Submit API (SAPI), whose function calls transmit more detailed and customized
information from the application to eTrust Audit. This lets eTrust Audit adapt
to an organization's needs for event management and alert handling.
Distinctive Functionalities
- Wide Support of Servers and Applications. eTrust Audit collects
security-related events across multiple machines and domains from many types
of servers and applications, including UNIX and Windows NT/2000, the eTrust
product suite, Web servers, Unicenter TNG, mainframe security products,
database services, and other applications. Its policy-based approach to
security and audit management and its rich set of out-of-the-box policies
allow a simple initial deployment of host-based intrusion detection, together
with long-term audit collection, storage, analysis and reporting. The
collected information is placed into a centralized database, making it
available for analysis, reporting, and correlation, and helping your
organization form a complete picture of system activities.
- Central Audit Log Data Repository. Potentially valuable log data are
generated in many places throughout the enterprise, but such data are of
limited use until they are centralized and searchable. eTrust Audit meets this
requirement by collecting audit log data from a variety of sources into a
central repository built around a relational database.
- Flexible Filtering, Actions, and Alerts. All log events can be filtered at
almost any level, including the end-user (client) level, and selected events
can trigger a number of actions and alerts, individually or simultaneously.
Administrators can specify filter criteria so that only relevant information
is presented, and can automate the actions taken for detected events. This
flexibility lets you build and manage the enterprise security audit
environment to meet your security requirements.
- Centralized Policy Management. eTrust Audit provides strong centralized
security policy management. The ability to define your organization's security
policy and distribute host-based intrusion detection rules to clients from one
central host is one of the top needs of security managers and administrators
today. eTrust Audit's policy-based approach to security and audit management,
together with its out-of-the-box policies, gives security administrators a
simple initial implementation of host-based intrusion detection in the
enterprise.
- Real-time Monitoring. Critical events can be filtered, logged, and sent to
Security Monitors, so that systems, network, and security personnel are
notified of critical events in near real time. During an attack, the ability
to react immediately is crucial; eTrust Audit is designed to cope with attacks
and support immediate damage and attack control.
- Bundled Report Creation and Web-Based Reporting. eTrust Audit comes with
numerous reporting and graphing functions. Additional reports can be added
using SQL, Crystal Reports, or any other SQL-based reporting or development
tool. eTrust Audit can also generate reports in HTML, so that any Web browser
can view the report data without extra software.
- Cross-Platform and Cross-Application Event Management. eTrust Audit collects
audit log data from various sources, which allows central security and event
monitoring in mixed enterprise environments. The ability to correlate events
among different systems makes eTrust Audit a critical management tool for
today's eBusiness world, and its ability to identify activity patterns across
systems and applications gives administrators the upper hand when dealing with
unauthorized access or malicious attacks.
- GUI Tools for Collection and Viewing. eTrust Audit's Viewer is an
easy-to-use graphical tool that lets you view and filter audit data in a
consistent, searchable format, with powerful filters and reporting
capabilities. This greatly simplifies the collection and use of audit data.