When Do I Need SECagent?

The short answer is that the SECagent is not required unless the system or device you need to monitor is unable to send events using one of the numerous protocols typically used by network management platforms.  Most network and security devices as well as Linux/Unix systems are typically able to send events; however, most other environments are not.  If one of these protocols is available to send events, then SECcollector is able to receive these real-time events directly. Otherwise, SECagent is needed.

Actively Retrieve Events

SECagent actively captures event data from systems that cannot send it, which ensures that real-time analysis is complete and comprehensive.  This is an important issue for most organizations because not all systems and devices on the network are able to send their event data to either a central or a distributed repository on their own.  While some systems and devices can send events to a predetermined location on the network, there are many which cannot fulfill this requirement. This can create an important hole in a comprehensive network infrastructure and security management system.  To assess fully the state of the network for the systems and devices deployed, all event data must be available and fully analyzed.

SECagent fills this gap and is able to get event data from sources that are unable to send it. It will fetch, watch, pull, and send this data to SECcollect on the fly.  SECagent is able to watch file systems, Windows events, data files, folders, registry keys and Active Directory events.

This product ensures that all events, whatever the platform, are available for a comprehensive network infrastructure and security management real-time analysis as well as for retrospective analysis.

SECagent can

Manage and control file and folder integrity

Manage user rights and access privileges on files and folders

Audit in real-time user activity on targeted files and folders

Audit in real-time access and changes to Active Directory

With SECagent Find

All the systems to which a specific user is connected

The users who connected to a specific system in a certain time frame

All the changes that occurred to group members in Active Directory

The changes in users accounts

All read access to a file or group of files on a critical server

Ensure Data Availability

As SECagent retrieves event data, it can also send the same event to several IP addresses simultaneously to prevent any data loss and to guarantee the data’s availability. Communications between SECcollect and SECagent are encrypted and SSL encapsulated.

Real-Time Monitoring of Event Logs and Registry Keys

A standard feature in SECagent, the Event Viewer transmits all events to SECcollect in Real-Time. This also happens when the value of a Registry Key is changed.

Advanced Features

Users Rights and Privilege Management for Files and Folders

Respecting Data Governance requires that IT and Security Managers know what rights and privileges users or groups of users are assigned to files and folders on their critical servers.  This allows them to correct configuration mistakes or to forbid unauthorized updates, whether the changes are accidental or fraudulent, and to apply the correct changes and actions immediately.  SECagent allows the audit of all targeted servers and enables the monitoring of user rights and privileges.

A map of these rights can be generated automatically, on a schedule or on a rights-change event.  In parallel, an alert can be sent to Administrators and Managers with the details.

Real-Time Monitoring of Users Activity on Files and Folders

IT and Security Managers are interested in knowing which users accessed, read, modified or deleted a specific file or group of files or a folder and when.  To answer all these questions, SECNOLOGY developed a low-level driver to intercept all types of accesses and actions on system resources.  With this driver SECagent scans and audits in real-time all user activity on the targeted servers and/or workstations.  All events are forwarded in real-time to SECcollect and duly recorded.

File Integrity Management

Any event related to adding, changing or deleting a file, a group of files, a folder, a group of folders or even a security or network device configuration is immediately captured by SECagent and forwarded in real-time to SECcollect.  SECmanage also provides file integrity management independently.

The combination of both SECagent and SECmanage guarantees the integrity of a remote target by detecting any change on that target and triggering automatic recovery of that target. Whatever the change, the reference image is enforced in production.

LDAP and AD Audit and Real-Time Monitoring

Use SECagent’s advanced features to monitor all operations affecting Active Directory or LDAP.

SECagent performs real-time monitoring in many situations, tracking:

All the systems to which a user connects
The users who connect to a specific system
The changes applied to a group in Active Directory
All the changes applied to Active Directory objects
All the changes applied to Active Directory services
The changes applied to user accounts in Active Directory

A good example is a Web site. Should you decide to protect your Web site by keeping an image of the site as a reference somewhere on the network, then, in case of any change to the Web site, SECNOLOGY will automatically detect the change and restore the site using the reference.  This will not protect your Web site from attack, but it will definitely prevent the Web site from being corrupted!
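The reference-image approach described under File Integrity Management and in the Web site example above, as an added illustration that is not SECNOLOGY's code: a baseline manifest of SHA-256 digests is built from the reference tree, the production tree is compared against it to produce added/modified/deleted events, and the reference is then enforced back onto production. The directory names and sample files are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def build_manifest(root):
    # relative POSIX path -> SHA-256 of content, for every file under root
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def detect_changes(reference, target):  # one (kind, relpath) event per difference
    ref, tgt = build_manifest(reference), build_manifest(target)
    events = []
    for rel in sorted(set(ref) | set(tgt)):
        if rel not in tgt:
            events.append(("deleted", rel))
        elif rel not in ref:
            events.append(("added", rel))
        elif ref[rel] != tgt[rel]:
            events.append(("modified", rel))
    return events

def restore(reference, target, events):
    # enforce the reference image: re-copy modified/deleted files, remove added ones
    for kind, rel in events:
        src, dst = Path(reference) / rel, Path(target) / rel
        if kind == "added":
            dst.unlink()          # file is not part of the reference image
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)    # put the reference copy back in production
    return detect_changes(reference, target)  # [] once the target matches again

def demo():
    # constructed sample: a reference site, a drifted production copy, then recovery
    work = Path(tempfile.mkdtemp())
    ref, prod = work / "reference", work / "production"
    (ref / "css").mkdir(parents=True)
    (ref / "index.html").write_text("<h1>Welcome</h1>")
    (ref / "css" / "site.css").write_text("body { color: black; }")
    shutil.copytree(ref, prod)
    (prod / "index.html").write_text("<h1>Defaced</h1>")   # unauthorized modification
    (prod / "css" / "site.css").unlink()                      # unauthorized deletion
    (prod / "upload.txt").write_text("unexpected file")        # unauthorized addition
    before = detect_changes(ref, prod)
    after = restore(ref, prod, before)
    shutil.rmtree(work)
    return before, after
```

In a deployment the `before` list is what would be forwarded as events to the collector, and `restore` is the automatic-recovery step; a real agent would run the comparison on a schedule or on a file-system change notification rather than once.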

How to Ensure All Events?

SECagent ensures that all events, whatever the platform, are available for a comprehensive network infrastructure and security management real-time analysis as well as for retrospective analysis.