Information Security Magazine


Auditing/Compliance
Issue: Nov 2006



InSight Suite v7
REVIEWED BY BRENT HUSTON

Consul Risk Management

Price: Starts at $40,000

"We have met the enemy, and he is us." The old Pogo comic strip character could well have been talking about the activities of privileged users, as companies, driven by auditing and compliance requirements, increasingly turn their security efforts inward.

In large organizations, monitoring user activity is a truly formidable task. Consul Risk Management's InSight Suite cuts the job down to size, employing SIM-like technology to produce actionable and auditable data.

Configuration/Support A
With the help of InSight's wizards, we had our test system up and collecting log information within a day; in a complex environment, setting up all of the data sources will take some time, depending on your organization's change policies.

InSight relies primarily on host agents to gather log information, but also supports syslog to include important systems, such as firewalls, that can't run agents. Agents can be installed remotely on Windows systems, as well as *nix systems running SSH. Consul will create custom feeds for unsupported log formats.

The company's support team responded quickly to questions we had regarding the system.

Effectiveness A
InSight's user-centric system stores log files in native format, but maps the data to its Oracle reporting engine. Its user-centric W7 model parses information into when, what, where, who, from-where (source), on-what and where-to categories—a simple but effective scheme for analyzing and reporting significant activity.

InSight can issue alerts based on exceptions to user-defined policy, such as a DBA making unauthorized changes to a customer information table, or a sales manager accessing HR files.

Policy creation is straightforward after a short learning curve; managers can specify who can do what, on what and when they can do it. Of course, this requires some tuning over time as you adjust the settings to accurately reflect security policy.

A full log manager is also included, complete with search engine capabilities.

InSight had no problem collecting and storing large amounts of log data—we accumulated about five million lines in our lab with no sign of strain on the system.

The log manager search mechanism is easy; if you want to see all of the entries of users logging into your domain controller, you simply select it from the menu list and type the user ID in the search field. Because InSight stores all logs in their original format, they can be retained for archive requirements or downloaded for audit and forensics.

External ticketing systems are supported to create a complete workflow.

Reporting B
InSight's iView reporting system's main page provides a good at-a-glance sense of your security posture, offering a trend chart of policy exceptions, as well as a W7-based grid showing the exceptions within each category. The grid is populated with different colored and sized dots to indicate frequency of policy exceptions and events. You can drill down to get detailed information on the exceptions.

InSight provides a wide variety of templates, such as those for generating detailed custom and trend reports, including system restarts, failed transactions and help desk actions.

Any iView page can be printed directly, or exported in .pdf, .html, .csv and Excel formats.

Verdict
Consul's InSight Suite v7 is a powerful tool with well-defined policies for large organizations; it automates the daunting task of monitoring privileged user activity to meet security and compliance requirements.


Testing methodology: Our lab included a variety of Windows, Linux and Solaris systems using both agent collection and syslog. We used hardware provided by Consul, which recommends a Windows 2000 Server or 2003 Server system with a 3 GHz Xeon processor as well as a minimum of 6 GB of RAM.




