Secure Vantage Update: New MOM 2005 Security Solutions Available
Volume 1, Issue 2, October 5th 2006
In this Issue
New MOM 2005 Security Solutions
Last month we released four new management packs, one of which we are pleased to offer as a free download. The new Directory Services MP, available at no charge, introduces detailed collection and alerting features to track OU changes in Active Directory. Try it and see. If you like the kind of information it provides, we hope you will also try some of our other new management packs.
The three other new management packs are the Policy Controls MP, the Heterogeneous Reporting MP and the Reporting Subscription Auditor. The Policy Controls Management Pack (PCMP) provides detailed Group Policy attribute discovery, base-lining, compliance assessment, impact analysis and historical tracking of all GPO changes. To complement this, Heterogeneous Reporting enables customers to integrate any event stream in MOM (e.g. Oracle logs, AS400, Unix, etc.) with our security reporting architecture for Account Management and Logon Activity. Finally, the new Report Subscription Auditor provides visibility into SQL Reporting Services subscriptions and audits the distribution of security reports. These combined solutions will add significant value to your infrastructure and enable you to further extend your investment in MOM 2005 and System Center. Check out these great new solutions today!
- Audit who's been changing Group Policy with our Policy Controls MP
- Extend your visibility into OU changes with the Directory Services MP
- See who's subscribed to security reports using the Report Subscription Auditor
- Security reporting for non-Windows events via Heterogeneous Reporting Services
Special Offer: We'll include a full 1 year software maintenance subscription on all Policy Controls MP orders received before October 31st 2006.
What's New in SCMP v2.0!
A Management Pack incremental update will be made available later this month to all our existing customers. If you are already a Secure Vantage customer, we highly recommend that you implement this update: it will allow you to take advantage of the powerful new reporting for advanced forensic analysis, and to discover how the improved KB can assist with your optimization and support efforts. The update improves our Control Rules to address more auditing scenarios and adds a great deal of new KB content with more external links. In addition, SCMP v2.0 includes our new Reporting Event eXtension (REX), which enhances forensic analysis capabilities and enriches the overall reporting experience. Through close collaboration with many of our clients, we have also improved existing reports and alerts, reducing the potential for false-positive alerts and correcting a number of errors customers noted in SCMP v1.0 reports.
Please Note: SCMP v2.0 and REX are only available to SCMP customers. The trial version of SCMP will continue to offer only a subset of the rich functionality SCMP offers. Please send an email to scmp@securevantage.com to request your SCMP update.
Microsoft Audit Collection Service (ACS) in the forefront: Learn why ACS is Critical to Compliance
Have you ever wondered about the integrity of the information collected in a security audit when all of your currently available security monitoring solutions read from the local Windows Security Event Log? Do you get concerned when you think about an administrator clearing data to hide activity? Well, worry no more. Microsoft's new Audit Collection Service not only addresses this issue, it also institutes true segregation as well as non-invasive and tamper-resistant collection. At Secure Vantage we are very excited by what Microsoft has created, and are working hard to provide complementary reporting and operations solutions to help show off the potential for customers needing tight control over IT security. Trial versions of our new ACS Management Pack will be available in time for ITForum 2006 in November.
With the exception of ACS, all currently available security log auditing solutions carry a potential risk: the integrity of the information cannot be ensured. Not only does ACS address some of the fundamental problems with Windows Security event auditing, the solution also provides an optimized architecture for storing the large amounts of data associated with security. If you're not already evaluating ACS or looking to implement it, you could be at risk. Obviously you will want to compare ACS with other solutions. As you do, ask these two simple questions.
1. Can you rely on the information, or could someone with local administrative privilege have tampered with it before you collected it?
2. Can you collect the data from a separate AD forest to enforce segregation of duties?
If the answer to each question is not a categorical Yes!, beware of falling for sophisticated features or attractive packaging. The fact is, the data you are working with cannot be relied on. It only takes one rogue operator and you may never figure out what they did! Make sure you are investing in the right base technology. Check out the Audit Collection Service, now available in System Center Operations Manager 2007, at http://www.microsoft.com/mom/default.mspx. Then check out our ACS Reporting solutions and join our adoption program today: http://www.securevantage.com/ProductsACS.html
Partner News: MOM BootCamp introduces more Secure Vantage Solutions
The MOM BootCamp provided by Microsoft MVPs Rory McCaw and Gordon McKenna is being extended to include training for the Policy Controls MP from Secure Vantage. Our Policy Controls MP provides GPO auditing, base-lining, impact analysis and compliance assessment. This addition to the MOM BootCamp complements the existing coverage of the System Controls MP for Windows security event auditing, and gives customers experience with two value-adding security solutions for MOM 2005. Sign up today and get the training you've been looking for from real experts with real experience: http://www.infrontconsulting.com/events.htm
Jay's Joint, Tips and Tricks
- Event GUID Conversion Clarification: Last year I started what I thought would be a quick conversation with a MOM MVP. I would never have guessed it then, but this dialogue turned into a really interesting and ongoing discussion about using MOM to audit security events.
You see, when auditing security events with MOM 2005, event GUIDs are not always translated into friendly text. A registry fix was available that enforced the translation, but it made event parameter filtering and alert processing sporadically unreliable. So what should customers facing this scenario do? Here, in a nutshell, is the answer:
- Description Filters: Filtering on the event description avoids the parameter filtering problems altogether; match on both the friendly text and the SID/GUID form, so the rule fires whether or not the translation happened.
- Event Filter Ordering: When the GUID conversion registry fix is enabled and you are filtering on event parameters, add a MESSAGE DLL TYPE attribute set to match a wildcard and place it in the topmost position. You'll notice it moves to the 2nd spot after saving, but this will ensure proper processing of the event parameters in your rules.
- Test your Rules: Simulate the scenario and verify that your filter criteria work as desired.
The following are some more links to an MS KB article, two MOM blogs and a script to automate the change:
MS TechNet: Resolve GUID Fix, http://support.microsoft.com/kb/904740/en-us
Rory McCaw Blog: http://rorymccaw.spaces.live.com/
- Filtering Noise: Not sure if you really need to collect an event? Looking to understand what's safe to filter? Want to improve the quality of information in your security reports? Then it's time to start filtering the noise.
The System Controls MP provides basic security event filtering to start you down this path, with rule samples for set conditions that help you fine-tune your collection stream. In addition, we are working with our partners to deliver filtering standards and packaged sets of filter scenarios. Looking ahead to the Audit Collection Service (ACS), we will be introducing correlated noise filtering, in which we take one event, enrich it with data from another, and suppress the duplicate or noise event. By enriching the existing data and removing noise, we reduce overall storage requirements and increase the value of existing reporting data.
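The correlated noise filtering described above, as an added illustration written for this edit (it is not Secure Vantage's ACS Management Pack code). The event IDs 101 and 102, the logon ID field and the client address field are constructed: 101 stands for the event that says who logged on, 102 for a companion event with the same logon ID that only adds the client address. The primary is enriched with that address and the companion is suppressed; a companion that arrives before its primary is buffered, and one that never finds a primary is kept rather than silently dropped.

```python
from dataclasses import dataclass


@dataclass
class LogEvent:
    event_id: int   # constructed IDs (101 primary, 102 companion), not Windows event IDs
    logon_id: str   # correlation key shared by the two events of one logon
    fields: dict    # parsed description parameters


# Constructed sample stream. Note that logon 0x3e7d4 has its companion first,
# and logon 0x3e7c0 has a companion with no primary at all.
SAMPLE = [
    LogEvent(101, "0x3e7a1", {"user": "CORP\\jdoe", "logon_type": "3"}),
    LogEvent(102, "0x3e7a1", {"client_address": "10.0.0.25"}),
    LogEvent(101, "0x3e7b9", {"user": "CORP\\svc-backup", "logon_type": "3"}),
    LogEvent(102, "0x3e7b9", {"client_address": "10.0.0.40"}),
    LogEvent(102, "0x3e7d4", {"client_address": "10.0.0.61"}),
    LogEvent(101, "0x3e7d4", {"user": "CORP\\amartin", "logon_type": "3"}),
    LogEvent(102, "0x3e7c0", {"client_address": "10.0.0.99"}),
]


def correlate(events, primary_id=101, secondary_id=102, key="client_address"):
    """Join each companion event onto the primary with the same logon ID,
    copy the enrichment field across, and suppress the companion.

    Returns {"kept": [...], "suppressed": n}. Companions without a primary
    are appended to the kept list so that no evidence is lost."""
    primaries = {}   # logon_id -> primary already seen
    pending = {}     # logon_id -> companion seen before its primary
    kept, suppressed = [], 0
    for e in events:
        if e.event_id == primary_id:
            primaries[e.logon_id] = e
            early = pending.pop(e.logon_id, None)
            if early is not None:          # companion arrived first: enrich now
                e.fields[key] = early.fields[key]
                suppressed += 1
            kept.append(e)
        elif e.event_id == secondary_id:
            p = primaries.get(e.logon_id)
            if p is None:                  # primary not seen yet: hold the companion
                pending[e.logon_id] = e
            else:                          # enrich the primary, drop the duplicate
                p.fields[key] = e.fields[key]
                suppressed += 1
        else:
            kept.append(e)                 # unrelated events pass through untouched
    kept.extend(pending.values())          # orphans are kept, not discarded
    return {"kept": kept, "suppressed": suppressed}


if __name__ == "__main__":
    result = correlate(SAMPLE)
    print(f"kept {len(result['kept'])} events, suppressed {result['suppressed']}")
    for e in result["kept"]:
        print(e.event_id, e.logon_id, e.fields)
```

Of the seven sample events, three companions are folded into their primaries and the one orphan survives, so four events reach storage and each stored logon now carries both the user and the client address.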
- Collection vs. Control: We have received a lot of questions in the past as to why you would collect an event with one rule and alert on it with another. The simple answer is flexibility: it supports multiple alerting scenarios without affecting the collection of the information. By separating collection and alerting rules, our MPs provide an easy model for managing the inbound information and for processing that data afterwards.
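An added example written for this edit (not Secure Vantage's management pack code) that ties together two of the tips above: the Event GUID Conversion advice to build description filters that match both the friendly text and the raw SID/GUID, and the Collection vs. Control model where one rule set decides what is stored and a separate rule set decides what is alerted on. The event IDs (4, 5, 7), account names, SID, GUID and the noise policy are all constructed for the sample; the filters are plain Python predicates standing in for MOM rule criteria.

```python
import re
from dataclasses import dataclass

# Shapes of an untranslated domain SID and of a GUID as they appear in an
# event description when MOM has not converted them to friendly text.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Event:
    event_id: int      # constructed IDs (4, 5, 7), not Windows event IDs
    source: str
    description: str


# Constructed sample stream: each security change appears twice, once with the
# principal rendered as friendly text and once with the raw SID/GUID left in,
# plus two network logons of which one is noise we do not want to store.
SAMPLE_EVENTS = [
    Event(4, "Security", "Member added to global group: Domain Admins Member: CORP\\jdoe"),
    Event(4, "Security", "Member added to global group: Domain Admins Member: S-1-5-21-1001-2002-3003-1107"),
    Event(5, "Security", "Object deleted: OU=Sales,DC=corp,DC=example"),
    Event(5, "Security", "Object deleted: {2d6f8a2c-1b3e-4f4c-9a0e-5a7c1d2e3f40}"),
    Event(7, "Security", "Successful Network Logon: ANONYMOUS LOGON"),
    Event(7, "Security", "Successful Network Logon: CORP\\svc-backup"),
]


def principal_filter(friendly: str, raw: str):
    """Description filter that matches the friendly text OR the raw SID/GUID,
    so the rule fires whether or not GUID conversion happened for the event."""
    friendly_l, raw_l = friendly.lower(), raw.lower()

    def match(event: Event) -> bool:
        desc = event.description.lower()
        return friendly_l in desc or raw_l in desc

    return match


def has_untranslated_identifier(event: Event) -> bool:
    """True when the description still carries a raw SID or GUID, i.e. the
    conversion did not happen and a text-only filter would have missed it."""
    d = event.description
    return bool(SID_RE.search(d) or GUID_RE.search(d))


def collect(events, noise_filters):
    """Collection stage: store every event unless a noise filter claims it.
    Alert rules play no part here, so tuning alerts never changes what is kept."""
    return [e for e in events if not any(f(e) for f in noise_filters)]


def evaluate_alerts(collected, alert_rules):
    """Control stage: alert rules run over the already-collected stream.
    Returns (rule name, description) pairs for every match."""
    return [(name, e.description)
            for e in collected
            for name, rule in alert_rules.items()
            if rule(e)]


def run_pipeline(events=SAMPLE_EVENTS, alert_rules=None):
    """Run collection and control as two independent rule sets over the stream."""
    noise_filters = [
        # Constructed noise policy for the sample: drop anonymous network logons.
        lambda e: e.event_id == 7 and "ANONYMOUS LOGON" in e.description,
    ]
    if alert_rules is None:
        alert_rules = {
            "jdoe-added-to-group": lambda e: e.event_id == 4 and principal_filter(
                "CORP\\jdoe", "S-1-5-21-1001-2002-3003-1107")(e),
            "sales-ou-deleted": lambda e: e.event_id == 5 and principal_filter(
                "OU=Sales", "{2d6f8a2c-1b3e-4f4c-9a0e-5a7c1d2e3f40}")(e),
        }
    collected = collect(events, noise_filters)
    return {
        "collected": collected,
        "untranslated": sum(has_untranslated_identifier(e) for e in collected),
        "alerts": evaluate_alerts(collected, alert_rules),
    }


if __name__ == "__main__":
    result = run_pipeline()
    print(f"collected {len(result['collected'])} of {len(SAMPLE_EVENTS)} events, "
          f"{result['untranslated']} still carry a raw SID/GUID")
    for name, desc in result["alerts"]:
        print(f"ALERT {name}: {desc}")
```

Two things to notice when running it: both copies of each change raise the alert even though two of them were never translated, and passing an empty alert rule set leaves the collected stream exactly the same, which is the point of keeping collection and control in separate rules.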
· November 5th, ACS Base Reporting RC1 available
· November 7th and 8th, Denmark, DS484 & ISO 17799 Compliance with MOM 2005
· November 10th, Reston VA, Mobile Hands-On Lab for MOM 2005, System Controls MP Lab featured
· November 14th through 17th, ITForum 2006 in Barcelona, Event Sponsor and Exhibitor
· December 7th, Pittsburgh PA, Mobile Hands-On Lab for MOM 2005, System Controls MP Lab featured
http://www.securevantage.com/News/Events.aspx
Website Enhancements
The www.SecureVantage.com website has gone through a transformation and is now much more user friendly and easier to navigate. We are adding lots of new content and are planning to release a secure collaboration portal for customers and partners this fall. We hope you enjoy the site improvements and always welcome your feedback.
Looking Forward
If you are interested in knowing about all the solutions we're building for 2007, please mark your calendars and come to IT Forum in Barcelona, November 13th through 17th, and visit us in the Expo Pavilion. At the IT Forum we will be sharing our entire 2007 roadmap and releasing a number of beta versions for next year's solutions. And for those who cannot make it: stay tuned. We will provide more details on our website later this fall.