Interview with Andre Muscat of GFI
I had the opportunity recently to have a quick interview with Andre Muscat who is a product manager for GFI Software.
Hello Andre, can you tell us a bit more about yourself, your position at GFI and GFI itself?
Yes sure, my name is Andre' Muscat - Product Manager for the Network Security products division at GFI Software (www.gfi.com). I am responsible for leading the design and overall customer experience of the network security products which include GFI EventsManager,GFI EndPointSecurity and GFI LANguard products. During my 9 year carrier with GFI, I have worked closely with fellow security and development professionals which led to the authoring and release of various GFI security solutions, concept prototypes, reporting technology, training material, whitepapers and article contributions on network security and risk assessment topics.
Founded in 1992, GFI Software Ltd has always had a vision; Delivering state-of-the art solutions that meet and exceed the network security requirements of corporations. Driven by our hunger to fulfill this vision, GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs.
GFI continuously conducts extensive in-house security research via our security professionals who research new areas of danger for computer networks. Through our ability to innovate and adopt key technologies early on, GFI is able to provide award-winning technology coupled with an aggressive pricing strategy strongly focused on modern businesses needs. Through this approach GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale.
Of concern to most system administrators and security analysts is the ability to mine and make sense out of all the data collected by an appliance, or program. How does Events Manager 7 go about doing this?
Absolutely spot on. The primary objective of every network administrator is to keep the IT infrastructure up and running; And this can only be achieved by knowing what is really happening on the corporate network (i.e. Who is accessing what, etc....). Most administrators are aware that this information is already available and accessible through the event logs and operational data generated by their IT Infrastructure. The biggest challenge lies in managing the overwhelming deluge of events; Unfortunately this often leads systems administrators to give up on events management. The sheer volume of events generated is disheartening and systems administrators are often at a loss on how to analyze and mine through this vast amount of information in a timely fashion.
GFI EventsManager is the all-in-one solution which enables the administrator to automatically collect, centralize, analyze and effectively report on the events generated by corporate hardware and software systems - straight out of the box!
A key focus of the product is placed on the ability to generate advanced informative unique reports on the information collected - at the click of a button. Should the administrator need to investigate on particular incidents in depth GFI EventsManager ships with advanced Event Browsing tools which enable him to analyze the events that took place at a particular time on an event by event basis.
It is a known fact that 70% of the total events generated on the
Windows based corporate network is actually "noise". This is the technical term used to refer to trivial events generated by the IT infrastructure. Noise often causes systems administrators to react late to immediate threats, since critical events are hidden within the volume of trivial events generated by the system. While this is already fantastic enough to talk about on its own merits, GFI EventsManager ships in such a way that out of the box it enables the administrator to automatically filter out noise/trivial events data. GFI EventsManager is the solution which separates the noise from the useful data, translates the information in a way which administrators and executives can easily understand as well as automatically alerts you on important events; Hence keeping the administrator updated in real-time on what is really happening on their networks.
GFI EventsManager is the state of the art solution for
- Distributed Event Management for Windows Event Logs, W3C logs and Syslogs.
- Noise reduction in events collected / received.
- Important event alerting & remediation
- Event Centralization
- Event Classification into critical/high/medium/low levels.
- Event Filtering & Querying
- On demand/scheduled Reporting
GFI released a detailed document which allows administrators to identify how to deploy and scale GFI EventsManager to their network irrespective of the size & distribution (LAN/WAN). This document is available for download from http://www.gfi.com/whitepapers/deploying-gfi-event...er.pdf
Does Events Manager 7 only work with an SQL server backend?
GFI EventsManager 7 is designed to work with vast amounts of data collected from different sources and requires a responsive scalable database backend to be efficient in the handling of this data.
GFI EventsManager supports the following databases:
- Microsoft MSDE (FREE)
- Microsoft SQL Server2000
- Microsoft SQL Server 2005 Express Edition (FREE)
- Microsoft SQL Server 2005 Workgroup Edition
- Microsoft SQL Server 2005 Standard Edition
- Microsoft SQL Server 2005 Enterprise Edition
More information on supported databases and details to ensure database backend business continuity, manageability and scalability area available from the deployment options paper available for download from document is available for download from http://www.gfi.com/whitepapers/deploying-gfi-eventsmanager.pdf
What kinds of reports can one generate via the Report Pack that ships with Events Manager 7?
The GFI EventsManager ReportPack is a separately downloadable and installable add-on to the product. The GFI EventsManager ReportPack can be used to generate reports which indicate what is really going on the network to both administrators and executives:
- In various formats including graphical, statistical and tabular formats
- Using the actual events data collected by GFI EventsManager.
The reports which ship in the GFI EventsManager ReportPack help administrators and management teams assess legal compliance, network wide system health and security policy enforcement. Further to this, these reports are also an important tool supporting forensic investigations. This puts the administration teams in a position to make more informed decisions and allows them to proactively control hardware and software usage within the corporation network.
From trend reports for management (ROI) to daily drill-down reports for technical staff, the GFI EventsManager ReportPack provides administrators with the easy-to-view information required, to fully understand the events activity on the corporate network.
Sample Password changes report
Sample Trend report
Out of the box, the GFI EventsManager ReportPack allows for the creation of reports in the following categories:
- Account Usage reports
Reports in this category provide detailed lists of events related to user logon, such as successful and failed logons, logoff and account lockout events.
Account Management reports
Reports in this category display a graphical overview and provide details on important information related to user and computer account changes and security group modifications.
Policy Changes reports
Reports in this category list details on policy changes affected on the network.
Object Access reports
Reports in this category display successful and failed object accesses, such as list and read, and objects which have been deleted.
Application Management reports
Reports in this category display information on issues related to application install and uninstall events, as well as events generated on applications crashing and hanging.
Print Server reports
Reports in this category list details on documents printed, the users printing documents file details of the printed documents and the date and time whenprint operations took place.
Windows Event Log system reports
Reports in this category list details on important Windows Event log issues such as Event Log service start/stop, log clearing and service errors
Events Trend reports
Reports in this category enumerate the 10 computers and users with the most events for a specified unit period of time.
Critical Messages reports
Reports in this category list the most important events requiring immediate attention, together with the top 10 rules being triggered by these events.
Important ReportPack features:
- Common reporting framework for all GFI products including GFI EventsManager, GFI EndPointSecurity and GFI LANguard Network Security Scanner.
- Report Customizations
- Report generation in real-time or on a schedule
- Automated report distribution via email.
- Export reports to various file formats including PDF, DOC and HTML.
- Ships with a pre-configured set of printer friendly reports
Is Events Manger 7 meant to work solely in a Microsoft Windows network, or will it also work with Linux and UNIX seen as many networks today are homogenous?
GFI EventsManager Event Sources
Indeed GFI identifies the reality of homogenous environments as well as the need to be able to cater for the information and data produced by the key devices, appliances and applications which are running in this environment. That is why while GFI EventsManager is designed to be installed on a Windows operating system, the technology is implemented in such a way that it can accept and received data to process from different environments including Linux OS and non-Windows based hardware appliances such as firewalls and routers.
Any computer, device or application which generates events in any of the supported log types (EVT, W3C or Syslog) can be monitored by GFI EventsManager. This includes, but is not limited to firewall appliances, network routers, PABXs, Access control systems as well as web servers
More information on supported data sources and deployment scenarios is available from the deployment options paper available for download from http://www.gfi.com/whitepapers/deploying-gfi-event...er.pdf
Microsoft Windows event logs can often be rather confusing. Does Events Manger 7 offer any sort of "human translation" for these logs?
Being a company that invests in our own security and analysis, we quickly came to realize the difficulties and challenges which administrators face when they come to analyze the logs which are contained within Windows Events (as well as other sources of logs) as these are most often written by developers in "developer jargon". Administrators need a way to translate what is being said without the complexity of understanding programming codes and all of the technical stuff that makes part of the software developer world.
GFI EventsManager 7 overcomes this issue by presenting important events in a way that is more user friendly and understandable. Not only does GFI EventsManager classify and highlight important events into four main categories (Critical/high/medium/low importance) but also provides additional explanations (where applicable) that translate events data into a more user-understandable/friendly message.
GFI EventsManager takes this to the next level by also including links to a specialized website (www.eventid.net) from where administrators can get and personally contribute more information on particular Windows events; This effectively allows them to learn more on how to handle particular events.
Event understandability is important both for forensic and reporting needs; Thus event explanation/translation is also reflected within both the GFI EventsManager Event Browser and GFI EventsManager ReportPack.
Will Events Manager 7 help system administrators identify normal events or traffic in an effort to properly baseline their networks?
Through the research made by the GFI SecurityLabs and partners we found a high percentage of events generated within networks can normally be classified as noise; trivial, unwanted or repetitive event data which provide little value to the user. In fact only 30 % of the total number of events generate by a typical IT infrastructure is relevant to the network administrator.
An important feature of GFI EventsManager 7 is that out of the box it ships with an advanced set of event processing rules which identify and remove a huge chunk of this unwanted event data allowing the administrator to concentrate on the events which matter and should be taken care of with priority.
An important part of the GFI EventsManager event processing rules is that these rules can be customized and tailored to suite the various network requirements. In addition new event processing rules can be created and assigned on a policy basis.
Events management is already a very labor intensive and complex field on its own; Imagine deploying a complex solution to manage computer events on homogenous IT infrastructures!
A unified standardized system which is flexible and customizable to modern networks is required for the everyday needs of administrators. Through this standardization, advanced monitoring gauges and trending reports that can be generated through the GFI EventsManager ReportPack, administrators are not only able to identify the baseline operations of their network but can also effectively detect and immediately react to illicit activity that might have happened on their network and which requires further investigation.
GFI EventsManager General Status View
GFI EventsManager Statistics View
Does GFI plan to continue evolving their default rule set to take future changes into consideration?
Absolutely, at GFI we see GFI EventsManager 7 as the foundation for even further advanced rule set development. Our first challenge was to upgrade and provide technology which can scale and deliver results out of the box to administrators with event management solution needs.
Support for more log types (EVT/W3C and Syslog) was the first step. Providing a homogenous configuration environment where processing rules are created and processed in the same logic flow for all log types was the second. The third and next step is to further enhance our event processing rules - adding support for more applications, appliances, and solutions.
For this we are already working with partners and technology enthusiasts who need such solutions for their networks. There are practically an infinite number of applications which need to be monitored. All input and help which we may receive to improve this product is always welcome. Feature requests for this type of product is second place compared to the event processing needs which administrators require for the monitoring of their day to day applications.
Anybody who would like to propose or work further with us to develop even further specialized event processing rules can contact us on [email protected]. We welcome all feedback and look forward to receiving more from your readers