EventTracker: Removable Media Device Monitoring Version 7.x
EventTracker
8815 Centre Park Drive
Columbia MD 21045
www.eventtracker.com

Publication Date: Dec 21, 2011

Abstract

With the introduction of newer portable devices, the security requirements for protecting the integrity and confidentiality of data have changed. The growing need for portable access to data has also increased the risk of exposing sensitive or confidential data. Keeping a record of removable media device activity has therefore become one of the most important compliance factors for the enterprise. EventTracker’s advanced removable media monitoring capability monitors systems and protects them from illegal access or data theft. EventTracker helps users block unauthorized access to the machine while allowing trusted devices to connect.

Purpose

This document helps you enable removable device monitoring and explains the procedure to find the Device ID and USB serial number. It also covers monitoring of insertion/removal and of files written to and read from removable media such as CD/DVD and USB.

Intended Audience

Administrators who are assigned the task of monitoring and managing events using EventTracker.

Scope

The configurations detailed in this guide are consistent with EventTracker Enterprise version 7.x. The instructions can be used while working with later releases of EventTracker Enterprise.

The information contained in this document represents the current view of Prism Microsystems Inc. on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, and Prism Microsystems cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Prism Microsystems MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided.

Prism Microsystems may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2013 Prism Microsystems Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

Overview
EventTracker Monitoring Features
Implement Monitoring Removable Media Feature in EventTracker v7.1
Monitor CDW/DVD Burning Activities
Monitor CD-ROM Activities
Configure EventTracker Agent to Monitor Removable Media
Disable USB Drives
Exempt Authorized USB Drives
Configure Device Monitoring Alerts
Import and Configure CD-DVD Monitoring Alert
Configure USB Device Monitor Alerts
EventTracker Device Monitoring Categories
EventTracker Device Monitoring Reports
Category Reports
Custom Reports
EventTracker Generated Events
Media Type: CD/DVD Recorder
Media Type: CD-ROM
Media Type: Removable (USB)
Limitations
EventTracker Configurations for removable device monitoring in v7.2
EventTracker settings options for USB and other device changes
Define USB exception list
To find USB volume serial number
To find USB Device ID
To convert USB Serial number format
Possible Substring match for Device ID

Overview

USB and other removable media are a vital part of any enterprise when it comes to data transfer. They come in many forms, such as flash memory drives, cell phones, cameras, and PDAs, all of which can serve as storage devices. These portable devices are convenient for transferring and storing large amounts of data in a short time, with or without network access. Along with these advantages, however, come security vulnerabilities. In the modern enterprise, USB data transfer is the simplest way of data theft. The chances of data leakage, creation of duplicate documents, illegal data transfer and the like have also increased.

As a SIEM solution, EventTracker can not only monitor USB and removable media device communications but also identify trusted USB and other devices. You can define the unique identifier number of a USB device so that the device is not disabled upon insertion and can access information from the system.
EventTracker Monitoring Features

Reports insertion / removal of the removable device

EventTracker logs every activity of a USB or other removable media device, such as plug-in, plug-out, or data transfer. A complete audit trail consisting of the user, device type, serial number, time and all file activities is captured and sent as an event to the EventTracker Console for processing.

Prevents unauthorized access and reports the intrusion in real time

Every time a USB device is inserted, the EventTracker agent checks the USB exception list. If there is no violation of policy, it permits access to the device and logs the insert activity. If a violation of policy is detected, access is prevented and the violation is immediately sent to the EventTracker Console. If access is permitted, EventTracker also begins to monitor all activities on the device, and every file that is written to or deleted from the device is recorded.

Restricts Access

EventTracker can restrict access to all USB devices on a particular system, and can also exempt from monitoring the specified USB devices that are added to the USB Exception list.

Protects the system from malware

EventTracker can disable a USB or other removable media device upon insertion, and thus safeguards the network from viruses and Trojans.

Logging USB device communication

For security and compliance purposes, EventTracker logs USB communication in detail as incidents.

Figure 1: Event Properties

Get Alert notification

In EventTracker, users can configure alerts to receive notification of removable media activities.

Example: EventTracker: USB device disabled, Media Insert