Keeping track of user and privileged account activity is at the heart of keeping your environment secure and complying with various IT regulations. This is a very difficult task because of the vast amounts of data scattered across numerous systems. Collecting, storing, and analyzing this data is not a trivial task and generally requires large amounts of storage, time-consuming collection of event data, and in-house expertise about the event data being collected. Native tools are just not robust enough to handle the needs of the enterprise.
InTrust and Quest software is the only event log management solution in the market that addresses all of these concerns in heterogeneous environments composed of Windows, Unix and Linux servers, databases, business applications and network devices. InTrust also provides tamper-proof logs on each remote server where logs can be duplicated is they're created preventing a rogue user or administrator from tampering with the audit log evidence.
Using InTrust Deployment Manager, you can start collecting critical data in minutes. We start by creating a new collection which could either be Syslog events or Windows events. In this scenario, we will create a Windows event collection.
First we give the collection a name. Next we select the devices to collect from. You can select an entire domain, DCs, or individual servers. In this example, we will select all domain controllers in our domain.
We can then select the type of log we want to collect data from. In this case, we will add in the Windows system log in addition to the DNS server log. We then select or create our file-based repository. This repository can be indexed to allow for full text search of the consolidated event log data for compliance and security auditing. This repository saves your company money on storage costs by utilizing the highly compressed repository, 20 to 1 with indexing, 40 to 1 without.
If your project requires that data is made available to a SIEM solution, interest can be configured to forward events to a variety of SIEM solution providers. Events can also be filtered before being sent to a SIEM provider. This can save companies substantial amounts of money for solutions that charge by storage or the number of events.
To search for and view events collected by InTrust, we use the InTrust repository viewer. For example, we'll dive in here to auditing domain controllers. I can take a look at logons. And we can take a look at all failed logins. These are pre-built reports that we can run.
And as you can see, we have a few accounts here that have tried to log in unsuccessfully. Bill S, for example, has tried to log into the Cloud Lab DC. And we can see that he failed to authenticate because there was an unknown user name or bad password. And at one point, the account became disabled. If needed, this report can be saved.
In addition, the report can also be scheduled. So if you have a desire to have a certain type of report delivered to you on a regular basis, we can do that. So for this particular report, I want to look at the last seven days of events. We will create an Excel file. We will also save this to a fileshare. And we can also send an email to the recipient with a link to the report.
Perhaps we want to look for applications being run on workstations that might be malicious. We can open up our audit workstations. We can take a look at process tracking. And notice here we have programs executed. And we have quite a few events-- too many to go through, so I think what I'll do here is we'll filter these events.
I'm interested in investigating Bill S, so I can sort by a particular user. I also want to sort by a particular application. I can either select them from a list here. I will click on Custom and search for any condition where the user ran PowerShell. So I will say contains PowerShell. We'll click OK. And as you can see, I have a few items where Bill S ran PowerShell.
If we take a look at this event a little deeper, you will see that the creator process name was PowerShell.exe. Earlier I created a WMI event subscriber. So every time PowerShell is launched, it would also launch a particular payload. In this case, it's launching calculator.exe. But of course, this could be any batch file VBScript for the type of file.
InTrust also has the capability of sending real time alerts. In this example, I have set up some real time alerts so I know if a computer is rebooted multiple times. I can also take a look at failed logins involving administrative accounts. I can also take a look at things like multiple failed logins. So if I have a certain number of failed logins within a certain amount of time, we can be alerted to that. And we can then start our investigation.
Another quick way to get information out of InTrust is using our IT Security Search portal. From our previous example, we were investigating Bill S. We saw that he ran PowerShell. And it ran another application in response to PowerShell being launched.
Through the web interface, I can very quickly type in a few key words. And I can see when the events took place, what the event was. I can dive into the event details to get more information about exactly what occurred.
So using InTrust, you'll be able to reduce the complexity of searching, analyzing, and maintaining critical IT data scattered across information silos. You'll be able to adhere to compliance regulations with event log retention, such as GDRP, HIPPA, SOX, PCI, and FISMA. And you'll be able to quickly troubleshoot widespread issues should an incident occur.
For more information, go to Quest.com/InTrust and download a trial.