NetIQ Security Manager is a security solution for managing events and
security information. It can reduce the time your network is exposed to attacks
by detecting them in real time and issuing immediate notifications, and it can
respond to attacks by stopping suspicious services and processes. It is
agent-based software; agents can be deployed manually or with the agent manager
that is present in Security Manager's console. It has three main modules: an
Event Manager, an Intrusion Manager and a Log Manager. The Event Manager module
fetches information from Windows event logs and from logs created by
applications or other products, stores it in its SQL database and presents it in
an easy-to-read form in its main console. It uses correlation rules and the
software's built-in security knowledge to show the behavior and performance of
the applications and products you choose to monitor. A correlation rule is a set
of conditions configured in the software to detect a pattern in real-time
events. The Correlation Server that ships with Security Manager collects events
from the agents, applies the correlation rules to them and provides real-time
analysis. The Intrusion Manager module can detect internal and external
malicious attacks as well as policy violations such as logon failures. It can
respond to intrusive activity by running a batch file or script, or by stopping
a service, and it can raise alerts via pager, email and the alert view in
Security Manager's Control Center.
Its third module, the Log Manager, captures event information from the Event
Manager and the Intrusion Manager and provides analysis and reports on all the
event data. Log Manager produces the Log Summary, Forensic Analysis and Trend
Analysis reports. It also keeps an archive of logs for future use, which is
useful for verifying events at audit time or for spotting trends in events
across an enterprise.
Trend analysis requires a component called Trend Analysis server which
acquires data from log databases and constructs a cube for trend analysis. A
cube is a multidimensional database of interconnected and summarized data.
How to use?
To install Security Manager you need Windows 2003 Server or Windows 2000 Server
with Microsoft SQL Server 2000 SP3 or later and SQL Server 2000 Analysis
Services SP3 or later. Some of the reporting features also require the MS Office
XP Web Components.
Once the software is installed, open Security Manager's Control Center from
the program menu. From here you can monitor events, resolve alerts, create and
view trends, do forensic analysis, create reports and so on. The Control Center
can monitor and report on any connected configuration group. A configuration
group has one database server storing information for a group of monitored
computers or devices. The Control Center displays alerts and events from all
connected configuration groups in default views or in customized views
configured in the Monitor Console. It supports two types of agents: managed and
unmanaged. The only difference is that managed agents can be upgraded by the
central server, while unmanaged ones must be updated manually. Unmanaged agents
are handy when the machine is behind a firewall or across a WAN, where Security
Manager cannot deploy managed agents. To deploy managed agents on the machines
you want to monitor, go to Configuration Groups in the Control Center console.
Select the configuration group you want the computer to belong to and, on the
Tasks menu, click Launch Agent Administrator. In the new window, click the
Managed Agents tab. From the right panel, click Deploy Agents, select Add,
browse for the computers you want to monitor one by one and click Finish. In the
Action column, select 'Deploy managed agent immediately' and then 'Deploy now'.
This starts deploying managed agents to the machines you selected.
NetIQ's Control Center: View alerts issued by servers and also details of the events from its security knowledge base
In the Control Center's main window you can view alerts issued by all the
computers you are monitoring. To assign an alert to an administrator, right
click the alert and click the Update Alert option. In the window that pops up,
click Browse and choose the administrator to whom you want to assign the alert.
To correlate alerts, click the Correlate option on the Alert Tasks tab of the
Tasks menu bar. A wizard will pop up. Click Next; the Events tab shows the event
you want to correlate. Click that event and, on the menu that appears, click Add
Event. This loads all events present in the database into a new window. Select
the events you want to correlate with your current event. You can also create a
new manual event by clicking the Add New tab. Click OK to return to the wizard.
The wizard will then ask you to define the time limit within which the events
must occur and the response, i.e. what alert to issue when the pattern is
detected. Once the wizard has finished, it takes about 10 minutes before
Security Manager starts correlating the events.
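The correlation rule described above (a set of events that must occur within a time limit, with a response to issue when they do) can be illustrated with a small sliding-window correlator. This is an added example, not NetIQ's code; the event records and field names are constructed, and the rule thresholds are assumptions. It also shows a severity and time-range filter of the kind the Forensic Analysis wizard applies.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events as Event Manager would collect them from Windows
# event logs (hypothetical field names, not NetIQ's schema). Event ID 529 is
# the Windows 2000/2003 "logon failure" event; 528 is a successful logon.
EVENTS = [
    {"time": "2004-03-01 09:00:05", "host": "srv1", "id": 529, "user": "bob"},
    {"time": "2004-03-01 09:00:40", "host": "srv1", "id": 529, "user": "bob"},
    {"time": "2004-03-01 09:01:10", "host": "srv1", "id": 529, "user": "bob"},
    {"time": "2004-03-01 09:15:00", "host": "srv2", "id": 529, "user": "eve"},
    {"time": "2004-03-01 09:30:00", "host": "srv2", "id": 529, "user": "eve"},
    {"time": "2004-03-01 09:31:00", "host": "srv2", "id": 528, "user": "eve"},
]

# One correlation rule (assumed thresholds): `count` events with this ID from
# the same host inside `window` raise an alert with a severity and a response.
LOGON_FAILURE_RULE = {
    "event_id": 529,
    "count": 3,
    "window": timedelta(minutes=2),
    "severity": "high",
    "response": "page the on-call administrator",
}

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(events, rule):
    """Apply one rule over events in time order; return the alerts raised."""
    recent = defaultdict(deque)  # host -> timestamps of matching events
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["id"] != rule["event_id"]:
            continue
        t = parse_time(ev["time"])
        q = recent[ev["host"]]
        q.append(t)
        while q and t - q[0] > rule["window"]:  # slide the window forward
            q.popleft()
        if len(q) >= rule["count"]:
            alerts.append({"time": ev["time"], "host": ev["host"], "hits": len(q),
                           "severity": rule["severity"], "response": rule["response"]})
            q.clear()  # one alert per burst, not one per extra failure
    return alerts

def filter_alerts(alerts, severities, start, end):
    """Forensic-style filter: alerts of chosen severities within a time range."""
    return [a for a in alerts if a["severity"] in severities
            and start <= parse_time(a["time"]) <= end]
```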
In the Control Center you can view real time details of alerts based on their severity levels
To do a forensic analysis, click the Forensic Analysis tab and choose the
Forensic Analysis wizard. The second step of the wizard asks you to choose the
Columns and Report Types; simply check the fields you require for forensics.
Next, it asks you to choose the time range for the analysis. Further on, the
wizard asks which columns to use for filtering. When you check a column you
also need to define the filtering criteria for it; for example, if you filter
by severity level you must choose high, medium or low. After the wizard has
finished, go to the Completed Reports option, select the report you have just
created and click Show Report. You can create summary and trend analysis
reports in the same way, using their respective wizards.
Forensic Analysis reports provide a consolidated view of raw logs present in security manager and can be handy when researching on an issue