EventTracker Enterprise v7.3
Strengths: This product is a well-designed enterprise-class tool
Weaknesses: Hard to find a substantial weakness
Verdict: Version 7.3 of EventTracker Enterprise is a big leap forward in SIEM technology. Recommended
EventTracker Enterprise is comprehensive and designed to be scalable to address multiple locations, business units and domains using the EventTracker standalone, collection point and collection master architecture.
The latest version (7.3) expands and improves the offering in the areas of file integrity monitoring, change audit, configuration assessment, cloud integration, event correlation, and writable media monitoring and management. Other new features include: a built-in ticketing system (with acknowledgement, search, notes and email); support for log4j and related logging frameworks, such as log4cxx, log4net and log4php; scheduled discovery of applications and systems; configurable behaviour rules that detect new and out-of-the-ordinary behaviour using user-specified thresholds, frequency thresholds or learned-behaviour thresholds; and risk-based prioritisation for incident identification, with automatic or manual remediation options.
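To make the behaviour-rule idea concrete, the following is an added illustration (not EventTracker's rule engine, whose internals the review does not describe) of the two rule styles the review names: a user-specified static threshold and a learned-behaviour threshold derived from a user's own history, with users that have no history reported as "new behaviour". The baseline and current counts, the event type and the field layout are constructed assumptions for the example.

```python
"""Static-threshold and learned-baseline behaviour rules over constructed counts.

Added example, not EventTracker's own code. The data shape (per-user counts of
one event type per hourly bucket) and all numbers are assumptions.
"""
from statistics import mean, pstdev

# Constructed baseline: per-user 'logon_failure' counts for the seven previous
# hourly buckets at this time of day (assumed shape, not product data).
BASELINE = {
    "alice": [1, 0, 2, 1, 1, 0, 2],
    "bob":   [0, 0, 0, 1, 0, 0, 0],
}

# Constructed counts for the current bucket; 'carol' has no history at all.
CURRENT = {"alice": 3, "bob": 9, "carol": 2}


def static_threshold_rule(current, threshold):
    """User-specified threshold: report every user whose count exceeds it."""
    return sorted(user for user, n in current.items() if n > threshold)


def learned_threshold_rule(current, baseline, k=3.0, min_sigma=1.0):
    """Learned-behaviour threshold: report users whose current count exceeds
    mean + k * stdev of their own history.

    Returns (anomalous, new_users). 'anomalous' holds (user, count, limit)
    tuples; 'new_users' lists users with no baseline, which is itself
    'new behaviour' worth surfacing. min_sigma floors the deviation so a
    perfectly flat history does not fire on a change of a single event.
    """
    anomalous, new_users = [], []
    for user, n in sorted(current.items()):
        history = baseline.get(user)
        if not history:
            new_users.append(user)
            continue
        limit = mean(history) + k * max(pstdev(history), min_sigma)
        if n > limit:
            anomalous.append((user, n, round(limit, 2)))
    return anomalous, new_users


def evaluate_rules(current=CURRENT, baseline=BASELINE, threshold=5):
    """Run both rule types and return their findings in one dict."""
    anomalous, new_users = learned_threshold_rule(current, baseline)
    return {
        "static": static_threshold_rule(current, threshold),
        "learned": anomalous,
        "new_users": new_users,
    }


if __name__ == "__main__":
    for rule, hits in evaluate_rules().items():
        print(f"{rule}: {hits}")
```

With the constructed data, the static rule (threshold 5) flags only bob; the learned rule also flags bob (9 failures against a limit of about 3.14) while leaving alice alone (3 against a limit of 4.0), and carol is surfaced as a user with no baseline.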
The product ships as software or as a virtual or hardware appliance. It uses a flat-file database that is fully indexed for performance, and a proprietary compression function that shrinks the data by 90 per cent or more for excellent storage management. The event data is encrypted and hashed to ensure the integrity of the information, and the anonymisation feature issues an alert if tampering is attempted. Another strong feature is the integration of Microsoft's Specialized Security - Limited Functionality (SSLF) hardening option into the EventTracker system. SSLF was designed to help protect information in hostile environments and is required on certain government systems.
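The review says event data is hashed so that tampering can be detected. The following added example (not EventTracker's implementation, whose storage format is proprietary and not described here) shows one standard way to get that property: each stored record carries a keyed hash (HMAC-SHA256) over the previous record's tag and its own content, so editing, inserting or deleting any record breaks the chain from that point on. The key, the event records and the field names are constructed for the example.

```python
"""Tamper-evident event store using an HMAC hash chain.

Added example, not EventTracker's own code. DEMO_KEY and SAMPLE_EVENTS are
constructed; a real deployment would keep the key in a protected store and
anchor the latest tag somewhere the log writer cannot modify.
"""
import copy
import hashlib
import hmac
import json

DEMO_KEY = b"example-key-not-for-production"  # constructed demo key
GENESIS = b"\x00" * 32                        # tag 'before' the first record

# Constructed sample events (not product output).
SAMPLE_EVENTS = [
    {"ts": "2012-03-01T10:00:00Z", "host": "srv1", "user": "alice", "msg": "logon ok"},
    {"ts": "2012-03-01T10:00:05Z", "host": "srv1", "user": "bob", "msg": "logon failed"},
    {"ts": "2012-03-01T10:00:09Z", "host": "srv2", "user": "bob", "msg": "logon failed"},
    {"ts": "2012-03-01T10:01:00Z", "host": "srv2", "user": "bob", "msg": "account locked"},
]


def _canonical(event):
    """Serialise an event deterministically so the same event always hashes alike."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def chain_events(events, key=DEMO_KEY):
    """Return records of {'event', 'tag'} where tag = HMAC(key, prev_tag || event)."""
    records, prev = [], GENESIS
    for ev in events:
        tag = hmac.new(key, prev + _canonical(ev), hashlib.sha256).hexdigest()
        records.append({"event": ev, "tag": tag})
        prev = bytes.fromhex(tag)
    return records


def verify_chain(records, key=DEMO_KEY):
    """Return the index of the first record that fails verification, or -1.

    A modified, inserted or removed record breaks the link at its position;
    every later record is then also unverifiable against the original chain.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = hmac.new(key, prev + _canonical(rec["event"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return i
        prev = bytes.fromhex(rec["tag"])
    return -1


def truncated(records, last_known_tag):
    """Tail deletion leaves a valid but shorter chain; detect it by comparing the
    final tag with one anchored externally when the log was last checkpointed."""
    final = records[-1]["tag"] if records else GENESIS.hex()
    return not hmac.compare_digest(final, last_known_tag)


def demo_modification():
    """Edit one field of record 1 and report where verification fails (1)."""
    tampered = copy.deepcopy(chain_events(SAMPLE_EVENTS))
    tampered[1]["event"]["user"] = "mallory"
    return verify_chain(tampered)


def demo_deletion():
    """Drop record 1; the old record 2 now sits at index 1 with the wrong prev tag."""
    tampered = copy.deepcopy(chain_events(SAMPLE_EVENTS))
    del tampered[1]
    return verify_chain(tampered)


if __name__ == "__main__":
    records = chain_events(SAMPLE_EVENTS)
    print("intact chain verifies:", verify_chain(records) == -1)
    print("modification detected at record", demo_modification())
    print("deletion detected at record", demo_deletion())
    print("tail truncation detected:", truncated(records[:-1], records[-1]["tag"]))
```

The chain catches in-place edits and removals on its own, but silently dropping the newest records still yields a valid chain; that is why the last tag should be checkpointed outside the writer's reach, which is what `truncated()` checks against.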
EventTracker provided a number of excellent documents to aid in its installation, configuration and use. Most useful were the install guide, hardening guide for EventTracker Server and the user manual.
Installation was quick and easy. The MSI application automatically set up the major prerequisites, including the database, web services and the Microsoft .Net Framework. Once the security group was created, it was populated with users (administrative and standard) and alerts and reports were generated and system attacks launched.
EventTracker Enterprise performed very well. Various dashboard views were populated based on the class of the event. There were a large number of pre-packaged reports, categories and alerts - making it easy to identify real incidents versus normal logging noise.
The product provided features to filter unwanted activity. Following a brief agent enrolment process a number of features were available for viewing and processing: email alerting; remediation; behaviour analysis; forensic search; change activity reporting; and compliance reports. The system provides a risk-based prioritisation facility for assets that we liked.
One of the most powerful sets of features was found under the 'reports' tab by selecting 'compliance'. Equally rich functionality was found under the 'config assessment' tab by selecting 'report' and then 'benchmark'. There were a large number of report options; the benchmarks were categorised by publisher and system platform, and once systems were tagged, an assessment was launched. When it completed, the system reported the configuration assessment results.
The Open Vulnerability and Assessment Language (OVAL) results provided excellent references. Options are available for justifying deviations, but there are too many to address in this evaluation. Suffice it to say that this product is rich in high-value, high-quality functions that will help meet most of the known compliance requirements.
Support is a 24/7 fee-based service, which includes phone and email assistance, a portal via the website, a knowledgebase and FAQs. EventTracker also offers product support, design, planning, implementation services and training.
This tool hits all of the benchmarks for a top-tier SIEM and is money well spent.