RuSIEM IT assets
IT assets in RuSIEM/RvSIEM.

Published in: Software

  1. Software, Hotfixes, Services, Processes, Assets (RuSIEM/RvSIEM free)
     Olesya Shelestova, Co-Founder, CEO. 2017
  2. What is an IT asset?
     • Hardware
     • Operating system
     • Software
     • Patches
     • Processes
     • Services
     • Users and groups
     • etc.
  3. IT assets
     • NetBIOS name / FQDN
     • IP / MAC address
     • Processes: name, path, parent/child processes, MD5/SHA1 hash (collected by auditd on *nix/BSD, by RuSIEM Hasher on Windows)
     • Windows services: name, path, state
     • Software: name, vendor, version, install path, install date
     • Hotfixes (Microsoft KB numbers)
     • Extensible schema for assets
  4. Why assets are important
     • Inventory
     • Identifying risks
     • Identifying vulnerabilities
     • Detecting unauthorized access and attacks
     • Auditing standard/policy violations
  5. Filling assets with the SIEM
     The SIEM can receive asset data in real time:
     • Through event logs:
       • Software installation
       • Portable software
       • Hotfix installation
       • Processes and services
       • Open ports
       • OS version and service pack
     • Through traffic:
       • Applications in use (for example, from http.user.agent or L7 inspection)
       • Protocols and ports
       • User names, encryption, software versions, etc.
     • Through active checks and integrations:
       • Open ports
       • ARP table
       • Vulnerabilities (audit/pentest scans)
       • Detailed information about users, processes, services, the OS, applications, OS startup parameters, installed software and service packs
  6. Static slice vs. real time
     • During a full scheduled audit scan, ports can be closed, or closed only for the scanner's IP (by firewall, ARP, routing, etc.)
     • The host may be offline
     • A user can install vulnerable software at any time and delete it again before the next scan; a snapshot alone never shows this
     • A process or application can be started from a removable drive
     • Malware can install a service, run a process, inject a DLL, or modify a system executable
  7. Ideology
     • The SIEM periodically receives a static slice of assets (authoritative and complete) from scanners, active checks and inventory
     • The SIEM receives real-time data about changes to assets from events and traffic
     Together these give up-to-date information about the asset, at any time, in real time.
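The merge of a periodic static slice with real-time, event-driven changes that slides 5 to 7 describe, as an added example in Python; this is not RuSIEM/RvSIEM code. It assumes the SIEM has already normalized Windows events into dicts with the fields time, event_id, product, version, service and image_path (the field names are assumptions; the event IDs 11707, 11724, 4697 and 4688 are the real Windows ones). The host name, timeline, KB number, trusted path prefixes and fixed-drive list are constructed for the demo. The point to watch is the product installed and removed between two clean scans: the evening snapshot shows nothing, but the event-driven history keeps it, which is what slide 6 warns about.

```python
"""Merge a periodic static asset slice with real-time event-driven changes.
Added example, not RuSIEM/RvSIEM code.  The SIEM is assumed to have normalized
Windows events into dicts with the fields used below (assumed field names)."""
from dataclasses import dataclass, field
from datetime import datetime

# Real Windows event IDs; the normalized field names they map to are assumed.
MSI_INSTALLED = 11707      # MsiInstaller: product installed successfully
MSI_REMOVED = 11724        # MsiInstaller: product removed successfully
SERVICE_INSTALLED = 4697   # Security log: a service was installed in the system
PROCESS_CREATED = 4688     # Security log: a new process has been created

# Assumed for the demo: image paths a service is normally installed from.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


@dataclass
class Asset:
    host: str
    software: dict = field(default_factory=dict)    # product name -> version
    hotfixes: set = field(default_factory=set)      # KB identifiers
    services: dict = field(default_factory=dict)    # service name -> image path
    fixed_drives: set = field(default_factory=set)  # drive letters of fixed disks
    history: list = field(default_factory=list)     # every change, from either feed
    alerts: list = field(default_factory=list)


def _record(asset, ts, source, change, name):
    asset.history.append({"time": ts, "source": source, "change": change, "name": name})


def apply_snapshot(asset, ts, software, hotfixes, services, fixed_drives):
    """Static slice from scanner/WMI inventory: authoritative and complete, so it
    replaces the current sets, but differences from the SIEM's belief are recorded."""
    for name, ver in software.items():
        if asset.software.get(name) != ver:
            _record(asset, ts, "snapshot", "software present", name)
    for name in set(asset.software) - set(software):
        _record(asset, ts, "snapshot", "software gone", name)
    asset.software = dict(software)
    asset.hotfixes = set(hotfixes)
    asset.services = dict(services)
    asset.fixed_drives = set(fixed_drives)


def apply_event(asset, ev):
    """Real-time delta from the event log, applied between two snapshots."""
    ts, eid = ev["time"], ev["event_id"]
    if eid == MSI_INSTALLED:
        asset.software[ev["product"]] = ev["version"]
        _record(asset, ts, "event", "software installed", ev["product"])
    elif eid == MSI_REMOVED:
        asset.software.pop(ev["product"], None)
        _record(asset, ts, "event", "software removed", ev["product"])
    elif eid == SERVICE_INSTALLED:
        path = ev["image_path"]
        asset.services[ev["service"]] = path
        _record(asset, ts, "event", "service installed", ev["service"])
        if not path.lower().startswith(TRUSTED_PREFIXES):
            asset.alerts.append((ts, f"service {ev['service']} installed from untrusted path {path}"))
    elif eid == PROCESS_CREATED:
        path = ev["image_path"]
        _record(asset, ts, "event", "process created", path)
        if path[:1].upper() not in asset.fixed_drives:
            asset.alerts.append((ts, f"process {path} started from a non-fixed drive"))


def software_ever_seen(asset):
    """Products present at any point, including one installed and removed between
    two scans, which a snapshot-only inventory never shows."""
    return {h["name"] for h in asset.history
            if h["change"] in ("software present", "software installed")}


def run_demo():
    """Constructed timeline for one host: two clean scheduled scans bracketing an
    install-and-remove of an old product, an odd service and a binary run from USB."""
    def t(hhmm):
        return datetime.fromisoformat(f"2017-05-10T{hhmm}:00")
    spooler = {"Spooler": "C:\\Windows\\System32\\spoolsv.exe"}
    asset = Asset("WS-042")
    apply_snapshot(asset, t("08:00"), {"7-Zip": "16.04"}, {"KB4012212"}, spooler, {"C"})
    events = [
        {"time": t("09:15"), "event_id": MSI_INSTALLED, "product": "OldPDFViewer", "version": "2.0"},
        {"time": t("09:20"), "event_id": SERVICE_INSTALLED, "service": "updsvc",
         "image_path": "C:\\Users\\Public\\upd.exe"},
        {"time": t("09:30"), "event_id": PROCESS_CREATED, "image_path": "E:\\tools\\portable.exe"},
        {"time": t("09:40"), "event_id": MSI_REMOVED, "product": "OldPDFViewer"},
    ]
    for ev in events:
        apply_event(asset, ev)
    # Evening scan: the product is already gone again, so the scan alone shows nothing.
    apply_snapshot(asset, t("20:00"), {"7-Zip": "16.04"}, {"KB4012212"},
                   {**spooler, "updsvc": "C:\\Users\\Public\\upd.exe"}, {"C"})
    return asset


if __name__ == "__main__":
    a = run_demo()
    print("current software:", a.software)
    print("ever seen:", software_ever_seen(a))
    for ts, msg in a.alerts:
        print(ts.time(), msg)
```

Design note: the snapshot is treated as authoritative and overwrites the current sets, but it never overwrites the history, so a correlation rule or report can ask "was product X ever installed on this host" rather than only "is it installed now". The two alerts (a service installed from a user-writable path, a process started from a drive the inventory does not list as fixed) are the kind of event-only detections a scheduled scan cannot produce.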
  8. With RuSIEM/RvSIEM
     • We have released the RuSIEM agent module with active WMI checks that obtain the list of installed software and installed operating system patches
     • The module is already available in the commercial version of RuSIEM and will soon be available in RvSIEM free
     • Asset building is available only in the commercial version, with the RuSIEM Analytics module
     • Without the Analytics module, RuSIEM/RvSIEM still provides:
       • Correlation rules for auditing installed and removed software and patches
       • Reports on installed and removed software and patches
       • Event search for analyzing software and patches
  9. Our site:
     Facebook:
     Telegram:
     Mail:
     Olesya Shelestova, CEO
     Thank you