1) The document discusses IT assets including hardware, software, processes, services, users and groups.
2) IT assets that can be monitored include NetBIOS/FQDN, IP/MAC addresses, processes and their hashes, Windows services, installed software and patches.
3) A SIEM can provide real-time information about changes to assets by monitoring event logs, network traffic, and through active checks and integrations to identify risks, vulnerabilities, and policy violations.
2. What is an IT asset?
• Hardware
• Operating system
• Software
• Patches
• Processes
• Services
• Users and groups
• etc.
3. IT Assets
• NetBIOS/FQDN
• IP/MAC
• Processes (auditd for *nix/BSD, RuSIEM Hasher for Windows: name, path, child/parent processes, MD5/SHA-1 hash)
• Windows services (name, path, state)
• Software (name, vendor, version, install path, install date)
• Hotfixes (Microsoft KB)
• Extensible schema for assets
4. Why assets are important
• Inventory
• Identify risks
• Identify vulnerabilities
• Detection of unauthorized access and attacks
• Audit Standard/Policy violations
5. Populating assets from the SIEM
The SIEM can receive in real time:
• Through event logs:
  • Software installation
  • Portable software
  • Hotfix installation
  • Processes and services
  • Open ports
  • OS version and service pack
• Through traffic:
  • Applications in use (for example, by HTTP User-Agent or L7 inspection)
  • Protocols and ports
  • User names, encryption parameters, software versions, etc.
• Through active checks and integrations:
  • Open ports
  • ARP table
  • Vulnerabilities (audit/pentest scans)
  • Detailed information about users, processes, services, OS, applications, OS startup parameters, installed software and service packs
6. Static snapshot vs. real-time
• During a scheduled full audit scan, ports may be closed, or closed only to the scanner's IP (by firewall, ARP, routing, etc.)
• The host may be offline
• A user can install vulnerable software at any time and remove it again before the next scan; the snapshot never records it
• A process or application can be started from a removable drive
• Malware can install a service, run a process, inject a DLL or replace a system executable
7. Approach
• The SIEM periodically receives a static snapshot of assets (authoritative and complete) from scanners, active checks and inventory
• The SIEM receives real-time data about changes in assets from events and traffic
The result is up-to-date information about the asset, at any time, in real time.
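The following script is an added example (not RuSIEM code and not from the original slides) of the approach in slides 5 to 7: a scheduled scan provides the authoritative baseline, normalised Windows events update it as they arrive, and the snapshot diff is compared with the event history to show the blind spot from slide 6 (software installed and removed between two scans). The host name, event text, paths and hash are constructed for the example; the event IDs (MsiInstaller 11707/11724, WindowsUpdateClient 19, Security 4697, Sysmon 1) are the standard Windows ones, and the "image outside the system drive" flag is a simple heuristic assumed here for the removable-drive case.

```python
"""Asset inventory from a periodic static snapshot plus real-time event changes.

Added example, not RuSIEM code. Host, messages, paths and hash are constructed.
"""
import re
from dataclasses import dataclass, field

# --- constructed sample data ------------------------------------------------
# Two scheduled inventory scans of the same host, at 09:00 and 12:00.
SNAPSHOT_0900 = {
    "host": "ws01",
    "software": {"7-Zip": "22.01"},
    "hotfixes": {"KB5001001"},
    "services": {"Spooler": r"C:\Windows\System32\spoolsv.exe"},
}
# The 12:00 scan sees the persistent changes (hotfix, new service) but the
# software that was installed and removed in between is already gone.
SNAPSHOT_1200 = {
    "host": "ws01",
    "software": {"7-Zip": "22.01"},
    "hotfixes": {"KB5001001", "KB5002002"},
    "services": {"Spooler": r"C:\Windows\System32\spoolsv.exe",
                 "EvilSvc": r"E:\tools\evil.exe"},
}
# Event lines as a SIEM might normalise them: "<time> <host> <source> <id> <message>".
EVENTS = [
    "2024-03-01T10:02:11 ws01 MsiInstaller 11707 Product: PuTTY release 0.70 -- Installation completed successfully.",
    "2024-03-01T10:40:02 ws01 MsiInstaller 11724 Product: PuTTY release 0.70 -- Removal completed successfully.",
    "2024-03-01T11:05:44 ws01 WindowsUpdateClient 19 Installation Successful: Windows successfully installed the following update: Security Update (KB5002002)",
    "2024-03-01T11:30:00 ws01 Security 4697 A service was installed in the system. Service Name: EvilSvc Service File Name: E:\\tools\\evil.exe",
    "2024-03-01T11:31:00 ws01 Sysmon 1 Image: E:\\tools\\evil.exe ParentImage: C:\\Windows\\System32\\services.exe Hashes: SHA1=0123456789abcdef0123456789abcdef01234567",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) (?P<eid>\d+) (?P<msg>.*)$")
MSI_RE = re.compile(r"Product: (?P<product>.+?) -- (?P<action>Installation|Removal) completed successfully")
KB_RE = re.compile(r"\((?P<kb>KB\d+)\)")
SVC_RE = re.compile(r"Service Name: (?P<name>\S+) Service File Name: (?P<path>\S+)")
PROC_RE = re.compile(r"Image: (?P<image>\S+) ParentImage: (?P<parent>\S+) Hashes: SHA1=(?P<sha1>[0-9A-Fa-f]{40})")
SYSTEM_DRIVE = "C:"  # heuristic: images elsewhere may come from removable media


@dataclass
class Asset:
    host: str
    software: dict = field(default_factory=dict)   # product -> version (None if unknown)
    hotfixes: set = field(default_factory=set)
    services: dict = field(default_factory=dict)   # service name -> image path
    processes: list = field(default_factory=list)  # (image, parent image, sha1)
    history: list = field(default_factory=list)    # (timestamp, change) in arrival order
    alerts: list = field(default_factory=list)     # (timestamp, reason, path)


def from_snapshot(snap):
    """Authoritative baseline from a scheduled scan (the static snapshot)."""
    return Asset(host=snap["host"], software=dict(snap["software"]),
                 hotfixes=set(snap["hotfixes"]), services=dict(snap["services"]))


def diff_snapshots(old, new):
    """What two consecutive scans can show: only changes that persisted until the scan."""
    return {
        "software_added": sorted(set(new["software"]) - set(old["software"])),
        "software_removed": sorted(set(old["software"]) - set(new["software"])),
        "hotfixes_added": sorted(set(new["hotfixes"]) - set(old["hotfixes"])),
        "services_added": sorted(set(new["services"]) - set(old["services"])),
    }


def apply_event(asset, line):
    """Update the asset from one normalised event line; return the recorded change or None."""
    m = LINE_RE.match(line)
    if not m or m["host"] != asset.host:
        return None
    ts, src, eid, msg = m["ts"], m["src"], m["eid"], m["msg"]
    change = None
    if src == "MsiInstaller" and eid in ("11707", "11724"):
        p = MSI_RE.search(msg)
        if p and p["action"] == "Installation":
            asset.software[p["product"]] = None
            change = ("software_installed", p["product"])
        elif p:
            asset.software.pop(p["product"], None)
            change = ("software_removed", p["product"])
    elif src == "WindowsUpdateClient" and eid == "19":
        k = KB_RE.search(msg)
        if k:
            asset.hotfixes.add(k["kb"])
            change = ("hotfix_installed", k["kb"])
    elif src == "Security" and eid == "4697":
        s = SVC_RE.search(msg)
        if s:
            asset.services[s["name"]] = s["path"]
            change = ("service_installed", s["name"])
            if not s["path"].upper().startswith(SYSTEM_DRIVE):
                asset.alerts.append((ts, "service image outside system drive", s["path"]))
    elif src == "Sysmon" and eid == "1":
        p = PROC_RE.search(msg)
        if p:
            asset.processes.append((p["image"], p["parent"], p["sha1"].lower()))
            change = ("process_started", p["image"])
            if not p["image"].upper().startswith(SYSTEM_DRIVE):
                asset.alerts.append((ts, "process image outside system drive", p["image"]))
    if change:
        asset.history.append((ts, change))
    return change


def build_inventory(snapshot, events):
    """Baseline from the scan, then every change in arrival order."""
    asset = from_snapshot(snapshot)
    for line in events:
        apply_event(asset, line)
    return asset


if __name__ == "__main__":
    print("scan diff:", diff_snapshots(SNAPSHOT_0900, SNAPSHOT_1200))
    inv = build_inventory(SNAPSHOT_0900, EVENTS)
    for ts, change in inv.history:
        print(ts, *change)
    for alert in inv.alerts:
        print("ALERT", *alert)
```

Running it shows the diff of the two scans reporting only the hotfix and the new service, while the event history also records the PuTTY install and removal at 10:02 and 10:40 and the process started from E: with its hash, each with its timestamp. Real deployments would map the same event IDs from the Windows event log or Sysmon rather than from pre-normalised strings, and the "outside the system drive" heuristic would be replaced by the organisation's own list of approved install locations.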
8. With RuSIEM/RvSIEM
• We have released the RuSIEM agent module with active WMI checks that obtain the list of installed software and installed operating system patches
• The module is already available in the commercial version of RuSIEM and will soon be available in the free RvSIEM
• Asset building is available only in the commercial version, with the RuSIEM Analytics module
• Without the Analytics module, RuSIEM/RvSIEM still provide:
  • Correlation rules for auditing installed and removed software and patches
  • Reports on installed and removed software and patches
  • Event search for analysing software and patches