
Manage your Security Solutions Well!

PCQ Bureau

NetIQ Security Manager is a security solution for managing events and security information. It can reduce the time your network is exposed to attacks by detecting them in real time and issuing immediate notifications, and it can respond to attacks by stopping suspicious services and processes. It is agent-based software: agents can be deployed manually or through the agent manager in Security Manager's console. It has three main modules: an Event Manager, an Intrusion Manager and a Log Manager. The Event Manager fetches information from Windows event logs and from logs created by applications or other products, stores it in its SQL database and presents it in an easy-to-read form in the main console. It uses correlation rules and the software's built-in security knowledge to show the behavior and performance of the applications and products you choose to monitor. A correlation rule is a set of conditions configured in the software to detect a pattern across real-time events. The Correlation server that ships with Security Manager collects events from the agents, applies the correlation rules to them and provides a real-time analysis. The Intrusion Manager module can detect internal and external malicious attacks as well as policy violations such as logon failures. It can respond to intrusive activity by running a batch file or script or by stopping a service, and it can issue alerts through pagers, e-mail and Security Manager's Control Center.

Direct Hit!
Applies To: IT Manager, Security Manager
Price: $2500 per console, $1000 per server
USP: Manage your security information and events effectively
Primary Link: http://www.netiq.com/products/sm/
Google Keywords: Event managing security solution

Its third module, the Log Manager, captures event information from the Event and Intrusion Managers and provides analysis and reports of all the event data. The Log Manager produces Log Summary, Forensic Analysis and Trend Analysis reports. It also archives logs for future use, which helps in verifying events at audit time or in spotting trends in events across an enterprise.

Trend analysis requires a component called the Trend Analysis server, which acquires data from the log databases and constructs a cube for trend analysis. A cube is a multidimensional database of interconnected and summarized data.


How to use?

To install Security Manager you need Windows 2003 Server or Windows 2000 Server, with Microsoft SQL Server 2000 SP3 or later and SQL Server 2000 Analysis Services SP3 running. Some of the reporting features also require the MS Office XP Web Components.

Once the software is installed, open Security Manager's Control Center from the Programs menu. From here you can monitor events, resolve alerts, create and view trends, do forensic analysis, create reports and so on. The Control Center can monitor and report on any connected configuration group. A configuration group has one database server that stores information for a group of monitored computers or devices. The Control Center displays alerts and events from all connected configuration groups in default views or in customized views configured in the Monitor Console. It supports two types of agents, managed and unmanaged. The only difference is that managed agents can be upgraded by the central server, while unmanaged ones must be updated manually. Unmanaged agents are handy when the machine is behind a firewall or across a WAN, where Security Manager cannot deploy managed agents.

To deploy managed agents on the machines you want to monitor, go to Configuration Groups in the Control Center console. Select the configuration group you want the computer to be in, and on the Tasks menu click Launch Agent Administrator. In the new window, click the Managed Agents tab. From the right panel, click Deploy Agents, select Add, browse for the computers you want to monitor one by one, and click Finish. In the Action column, select 'Deploy managed agent immediately' and then 'Deploy now'. This starts deploying managed agents to the machines you selected.

NetIQ's Control Center: view alerts issued by servers and details of the events from its security knowledge base

In the Control Center's main window you can view alerts issued by all the computers you are monitoring. To assign an alert to an administrator, right-click the alert and click Update Alert. In the window that pops up, click Browse and choose the administrator to whom you want to assign the alert. To correlate alerts, click Correlate on the Alert Tasks tab of the Tasks menu bar; a wizard pops up. Click Next to reach the Events tab, which shows the event you want to correlate. Click that event and, on the menu that pops up, click Add Event. This loads all events present in the database in a new window; select the events with which you want to correlate your current event. You can also create a new manual event by clicking the Add New tab. Click OK to return to the wizard, which then asks you to define the time limit for event occurrence and the response, i.e. what alert to issue when the pattern is detected. Once the wizard has finished, it takes about 10 minutes before Security Manager starts correlating the events.
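The correlation rule the article describes (a pattern of events, a time limit on their occurrence, and a response when the pattern is seen) is the same idea that the Intrusion Manager applies to logon failures earlier in the review. The following is an added example written for this article, not NetIQ's code or any part of Security Manager: the log line format, the rule definition, the sample events and the "e-mail security-admins" response are all constructed here to show, in plain Python, what such a rule does with a stream of events.

```python
"""Correlation rule over a stream of logon events.

Added illustration written for this article, not NetIQ's code: the event
format, the rule definition and the sample log lines are all constructed
here to show what a correlation rule with a time limit and a response
looks like when applied to events as they arrive.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "timestamp|computer|event_id|user|source".
# Event IDs follow the Windows 2000/2003 security log: 529 = logon failure
# (unknown user name or bad password), 528 = successful logon.
SAMPLE_LOG = """\
2005-03-01 09:00:01|FILESRV01|529|jdoe|10.0.0.23
2005-03-01 09:00:05|FILESRV01|529|jdoe|10.0.0.23
2005-03-01 09:00:09|FILESRV01|529|jdoe|10.0.0.23
2005-03-01 09:00:12|FILESRV01|529|jdoe|10.0.0.23
2005-03-01 09:00:15|FILESRV01|529|jdoe|10.0.0.23
2005-03-01 09:00:40|FILESRV01|528|jdoe|10.0.0.23
2005-03-01 09:30:00|MAILSRV01|529|asmith|10.0.0.77
2005-03-01 09:45:00|MAILSRV01|529|asmith|10.0.0.77
"""


def parse_event(line):
    """Split one constructed log line into a dict with a real datetime."""
    ts, computer, event_id, user, source = line.split("|")
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "computer": computer, "event_id": int(event_id),
            "user": user, "source": source}


class CorrelationRule:
    """A pattern: `threshold` events with `event_id` that share the `key`
    fields inside a sliding `window`; firing yields `severity` and `response`."""

    def __init__(self, name, event_id, threshold, window, key, severity, response):
        self.name, self.event_id, self.threshold = name, event_id, threshold
        self.window, self.key = window, key
        self.severity, self.response = severity, response

    def key_for(self, event):
        return tuple(event[field] for field in self.key)


class CorrelationEngine:
    """Keeps one sliding window of timestamps per (rule, key) and raises an
    alert when a window fills up to the rule's threshold."""

    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(deque)
        self.alerts = []

    def process(self, event):
        for rule in self.rules:
            if event["event_id"] != rule.event_id:
                continue
            key = (rule.name, rule.key_for(event))
            window = self.windows[key]
            window.append(event["time"])
            # Drop timestamps that fell outside the rule's time limit.
            while window and event["time"] - window[0] > rule.window:
                window.popleft()
            if len(window) >= rule.threshold:
                self.alerts.append({
                    "rule": rule.name, "severity": rule.severity,
                    "response": rule.response, "computer": event["computer"],
                    "key": dict(zip(rule.key, rule.key_for(event))),
                    "count": len(window), "first": window[0], "last": window[-1],
                })
                window.clear()  # one alert per burst, not one per extra event
        return self.alerts


# Constructed rule: five failed logons for the same user from the same
# source within 60 seconds, answered with an e-mail alert (hypothetical response label).
BRUTE_FORCE_RULE = CorrelationRule(
    name="repeated logon failures", event_id=529, threshold=5,
    window=timedelta(seconds=60), key=("user", "source"),
    severity="high", response="email security-admins")


def correlate(log_text, rules=(BRUTE_FORCE_RULE,)):
    """Run every non-empty line of `log_text` through the engine, in order."""
    engine = CorrelationEngine(list(rules))
    for line in log_text.splitlines():
        if line.strip():
            engine.process(parse_event(line))
    return engine.alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['rule']} on {alert['computer']}: "
              f"{alert['count']} events {alert['first']:%H:%M:%S}-{alert['last']:%H:%M:%S}, "
              f"key={alert['key']}, response={alert['response']}")
```

Run as-is, the sample produces a single high-severity alert for jdoe on FILESRV01: five failures in 14 seconds fill the window, while asmith's two failures 15 minutes apart never do. The window is cleared when an alert fires so that one burst produces one notification rather than one per additional event, which is the behaviour an administrator wants when an alert has to be assigned and resolved by hand.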

In the Control Center you can view real-time details of alerts based on their severity levels

To do a forensic analysis, click the Forensic Analysis tab and choose the Forensic Analysis wizard. The second step of the wizard asks you to choose Columns and Report Types; simply check the fields you need for the analysis. Next it asks you to choose the time range for the forensic analysis. Further on, the wizard asks which columns to use for filtering; when you check a column you also need to define the filtering criteria for it. For example, if you choose to filter by severity level, you will have to choose high, medium or low. After the wizard has finished, go to Completed Reports, select the report you have just created and click Show Report. Similarly, you can create summary and trend analysis reports using their respective wizards.
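The forensic wizard above filters archived events by a time range and by column criteria such as severity, and the trend reports described earlier are served from a cube of summarized data. The following is an added example written for this article, not NetIQ's code: the alert records, the three cube dimensions and the query functions are constructed here to show what those two operations amount to over an archive of alerts.

```python
"""Forensic filtering and a trend cube over archived alerts.

Added illustration written for this article, not NetIQ's code: the alert
records and the cube dimensions are constructed here to show filtering by
time range and column criteria, and summarising into a multidimensional
cube that trend reports are drawn from.
"""
from collections import Counter
from datetime import datetime

# Constructed archived alerts: (time, computer, severity, description).
SAMPLE_ALERTS = [
    ("2005-03-01 09:00", "FILESRV01", "high",   "logon failure burst"),
    ("2005-03-01 11:20", "FILESRV01", "medium", "service stopped"),
    ("2005-03-01 14:05", "MAILSRV01", "low",    "logon failure"),
    ("2005-03-02 08:30", "MAILSRV01", "high",   "policy violation"),
    ("2005-03-02 09:10", "FILESRV01", "high",   "logon failure burst"),
    ("2005-03-02 16:45", "MAILSRV01", "low",    "logon failure"),
    ("2005-03-03 07:55", "FILESRV01", "medium", "service stopped"),
    ("2005-03-03 10:00", "MAILSRV01", "high",   "logon failure burst"),
]

# Dimensions of the cube, in the order cube cells are keyed (hypothetical choice).
DIMENSIONS = ("day", "computer", "severity")
TIME_FORMAT = "%Y-%m-%d %H:%M"


def load_alerts(rows):
    """Turn the constructed tuples into dicts with a real datetime."""
    return [{"time": datetime.strptime(t, TIME_FORMAT), "computer": c,
             "severity": s, "description": d} for t, c, s, d in rows]


def forensic_filter(alerts, start, end, **criteria):
    """Keep alerts inside [start, end] whose columns match `criteria`.
    Each criterion names a column and the set of accepted values,
    e.g. severity={"high", "medium"}."""
    start, end = (datetime.strptime(x, TIME_FORMAT) for x in (start, end))
    return [a for a in alerts
            if start <= a["time"] <= end
            and all(a[col] in accepted for col, accepted in criteria.items())]


def build_cube(alerts):
    """Summarise alerts into a cube: one count per (day, computer, severity) cell."""
    cube = Counter()
    for a in alerts:
        cube[(a["time"].strftime("%Y-%m-%d"), a["computer"], a["severity"])] += 1
    return cube


def roll_up(cube, keep, where=None):
    """Slice the cube on `where` (dimension -> required value) and total the
    matching cells over the dimensions listed in `keep`. A trend report is
    roll_up(cube, ("day",), {...}); a summary per host is roll_up(cube, ("computer",))."""
    where = where or {}
    totals = Counter()
    for cell, count in cube.items():
        point = dict(zip(DIMENSIONS, cell))
        if any(point[dim] != value for dim, value in where.items()):
            continue
        totals[tuple(point[dim] for dim in keep)] += count
    return dict(totals)


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    print("forensic: high/medium alerts between 1 and 2 March")
    for a in forensic_filter(alerts, "2005-03-01 00:00", "2005-03-02 23:59",
                             severity={"high", "medium"}):
        print(f"  {a['time']:%Y-%m-%d %H:%M} {a['computer']:<10} "
              f"{a['severity']:<6} {a['description']}")
    cube = build_cube(alerts)
    print("trend: high-severity alerts per day")
    for (day,), n in sorted(roll_up(cube, ("day",), {"severity": "high"}).items()):
        print(f"  {day}: {n}")
```

The cube is built once from the archive and then answers any combination of summary and trend questions by slicing and totalling, which is why a separate Trend Analysis server that pre-computes it pays off on a large log database: the raw rows are read once, and each report is a pass over the far smaller set of cells.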

Forensic Analysis reports provide a consolidated view of the raw logs present in Security Manager and can be handy when researching an issue