CyberSafe Log Analyst (CLA) analyzes the Windows 2000 event log files against activity signatures. Activity signatures are events, or a sequence of events, that can indicate computer misuse. CLA uses a set of predefined activity signatures that have been defined by CyberSafe's security experts.
To use CyberSafe Log Analyst effectively, you should also apply an effective audit policy. Applying an effective audit policy reduces the number of events stored in the Windows 2000 event log file, and therefore reduces the number of insignificant activities that will be reported. Although you can specify the activity signatures in which you are interested when you generate a report, you should also apply modifiers to your audit policies. For example, the General Object Browsing activity signature detects the reading or attempted reading of any audited object on the system. If you audit Read access to files, a large number of events could be generated, because all files are opened with Read access as a minimum. We recommend that you use the Success or Failure options as modifiers to reduce the number of events generated. The General Virus and Trojan Horse activity signature detects the modification or attempted modification (Write) of any audited executable (files that end with *.exe, *.bat, and *.com). Again, using the Success or Failure options as modifiers on Write access can reduce the number of events generated.
Audit policies are created so that you can monitor various system and user activities. They define which user and system activities are stored in the Windows 2000 security event log. The security event log, in turn, is used to detect intrusions and misuse of your computer systems. Audit policies consist of system, file/directory, and registry key audit parameters.
You track selected user activities and behavior by auditing security events and storing the data in the security event log. Your audit policy specifies the types of security events to be logged. The types of security events you include in an audit policy can range from system-wide events (such as a user logging on) to specific events (such as a user attempting to read a particular file). For each event, you can choose to include successful events, unsuccessful events, or both.
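The two ideas above, activity signatures matched against audited events and Success/Failure modifiers that cut the event volume before matching, are illustrated below in an added Python example. It is not CLA's code and does not read real event log exports: the event records are constructed inline and only loosely modelled on Windows 2000 "Object Open" (ID 560) audit events, and the two signature predicates are simplified stand-ins for the General Object Browsing and General Virus and Trojan Horse signatures described on this page.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    """Minimal model of a security-log record (constructed, not a real export)."""
    event_id: int
    outcome: str          # "Success" or "Failure"
    user: str
    object_name: str
    accesses: frozenset   # access rights requested, e.g. {"ReadData", "WriteData"}


# Constructed sample events. ID 560 is the Windows 2000 "Object Open" event;
# 528 is a logon event and is included to show that non-object events are ignored.
SAMPLE_EVENTS = [
    AuditEvent(560, "Success", "alice", r"C:\Reports\q1.doc", frozenset({"ReadData"})),
    AuditEvent(560, "Success", "alice", r"C:\Windows\notepad.exe", frozenset({"ReadData", "Execute"})),
    AuditEvent(560, "Failure", "bob", r"C:\Windows\System32\cmd.exe", frozenset({"WriteData"})),
    AuditEvent(560, "Success", "svc_backup", r"C:\Scripts\nightly.bat", frozenset({"WriteData"})),
    AuditEvent(560, "Failure", "bob", r"C:\Finance\payroll.xls", frozenset({"ReadData"})),
    AuditEvent(528, "Success", "alice", "", frozenset()),
]

# Executable name patterns named on the page for the Trojan Horse signature.
EXECUTABLE_PATTERNS = ("*.exe", "*.bat", "*.com")


def is_executable(path):
    """True when the object name matches one of the audited executable patterns."""
    return any(fnmatch.fnmatch(path.lower(), pat) for pat in EXECUTABLE_PATTERNS)


# Simplified signature predicates (hypothetical stand-ins for CLA's real ones).
SIGNATURES = {
    # Any read or attempted read of an audited object.
    "General Object Browsing":
        lambda e: e.event_id == 560 and "ReadData" in e.accesses,
    # Any write or attempted write to an audited executable.
    "General Virus and Trojan Horse":
        lambda e: e.event_id == 560 and "WriteData" in e.accesses and is_executable(e.object_name),
}


def apply_audit_policy(events, outcomes):
    """Keep only events whose outcome is enabled by the policy's Success/Failure modifiers."""
    return [e for e in events if e.outcome in outcomes]


def match_signatures(events, signatures=SIGNATURES):
    """Return (signature, user, object, outcome) tuples for every event that matches a signature."""
    hits = []
    for e in events:
        for name, predicate in signatures.items():
            if predicate(e):
                hits.append((name, e.user, e.object_name, e.outcome))
    return hits


def report(events, outcomes=("Success", "Failure"), signatures=SIGNATURES):
    """Apply the audit-policy modifiers first, then run the signatures over what remains."""
    return match_signatures(apply_audit_policy(events, outcomes), signatures)


def summarize(hits):
    """Count matches per signature name."""
    counts = {}
    for name, *_ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    print("Both Success and Failure audited:", summarize(report(SAMPLE_EVENTS)))
    print("Failure only:", summarize(report(SAMPLE_EVENTS, outcomes=("Failure",))))
```

Running the script with both modifiers enabled reports five matches, three of them routine successful reads; restricting the policy to Failure only leaves the two attempted accesses that were denied, which is the volume reduction the page recommends.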
Intrusion detection is the process of reviewing activity records and indicators to identify misuse of your corporate network. The NT Security Log is a collection of security-related activity records that may be used to detect intrusion into and misuse of NT systems. When auditing is turned on, NT automatically collects relevant security events. Knowing what to set in a policy, and exporting that policy to all necessary computers, can be a tricky and time-consuming process. A properly defined policy can help you detect intrusions and unauthorized user access to network files and resources.
Windows 2000 includes tools to help you configure auditing. File (NTFS) auditing is set from the Security tab on the Properties window of any file or directory (available by right-clicking the file or directory in Windows Explorer). You can also use third-party tools, such as the Centrax Audit Strategy Tools® (CAST®), which can automate the creation and deployment of audit policies across your entire enterprise. For more information about CAST, visit the CyberSafe Web site at www.cybersafe.com.