Monitoring for unwanted activity

Your network needs protection from unwanted activity. Obviously, having a Windows NT event log tool tailored for security analysis would lead to greater productivity, not to mention peace of mind. Intrusion Detection has such a tool: Kane Security Monitor (KSM) 3.03. KSM sits quietly on your network, pointing out suspicious network traffic and system-related events and notifying the appropriate personnel when it suspects a break-in.

KSM, a proactive event log analyzer, can detect and respond to potential security problems in realtime, barring any system and network lag time. KSM consists of three parts: an auditor service, an agent service, and a management console. A network administrator installs KSM's agent and auditor services on NT systems that require monitoring. The agents collect data on each computer from event log entries. KSM forwards entries matching security patterns to the auditor service, the central repository for all information that the agents collect. The auditor service then reports potential security problems to an administrative staff member. The management console provides the GUI to administer the product, review the alert logs, and generate reports.

KSM has numerous core features. For example, its pattern recognition system automatically searches event logs for possible abuses (e.g., too many failed logon attempts or excessive privilege granting, both of which might be evidence of an attempted break-in). The system can recognize patterns such as failed file access, browsing and curious users, denial of service, masquerading users, password cracking attempts, and administrative ID abuse. You can also program KSM to look for additional patterns (e.g., when someone accesses your desktop or copies sensitive files).

KSM can generate standard text reports and graphical charts and combine data from all installed agents into one report for easy review. Screens 1 and 2 show examples of how KSM reports failed logon attempts. KSM operates in near realtime: it actively monitors event logs at a defined interval, so you learn about potential problems within moments of their occurrence.

KSM's many features help provide effortless security monitoring. KSM watches user network usage habits and points out instances that seem out of character. For example, if I haven't used FTP for several months and then use it to download a file, KSM notifies the systems administrator immediately.

KSM has several shortcomings. Because KSM doesn't operate at the packet level, it can't stop attacks in progress or block a host that might be launching an attack. Also, KSM can't recognize network-based attacks that aren't in the event logs. So if you're relying solely on this tool, various NT services and applications could come under attack without your knowledge.

Installation and Use
When I installed KSM on a Digital PC 5510 300MHz system with 32MB of RAM, a wizard appeared and guided me through the process. After I chose an installation directory, I selected a system to run the KSM auditor service under and a path to store collected data. Next, I selected and defined several properties for those systems on which I wanted to install the KSM agent.

The installation wizard guides you through establishing extensive audit policies when you install the KSM agent on a given machine. Because KSM relies on NT event logs for security-related information, those logs must be actively collecting information. Therefore, you must turn on Auditing in User Manager and select the events to record. You must also define the email addresses that KSM will deliver security alerts to. You need to install Microsoft's Messaging API (MAPI) for KSM to send email alerts, or errors will occur.

I installed KSM agents on two NT servers. I also installed an agent and an auditor on one NT workstation. I let the software run for 3 days to collect information. Then I ran reports on logon failures, hack attempts, and the 10 most-wanted users. The 10 most-wanted users report lists the 10 users who generate the most security-related events.

Because my shop consists of a small LAN, several trusted users, and myself, I didn't expect to uncover any serious security incidents. However, KSM tracked and presented several potential problems, including numerous bad logon attempts taking place after business hours.
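The failed-logon pattern, the after-hours findings, and the 10 most-wanted users report described above can be sketched as detection logic over event log records merged from several agents. This is an added example, not KSM's code or rule set: the sample records, host and user names, the five-minute window, the threshold of three, and the business hours are all assumptions. Event IDs 529 (logon failure) and 608 (user right assigned) are NT Security log IDs.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, as agents might forward them to a central auditor:
# (timestamp, host, NT Security event ID, user). 529 = logon failure
# (unknown user name or bad password), 608 = user right assigned.
EVENTS = [
    ("1998-03-02 09:14:05", "SRV1", 529, "jsmith"),
    ("1998-03-02 22:41:10", "SRV2", 529, "administrator"),
    ("1998-03-02 22:41:25", "SRV2", 529, "administrator"),
    ("1998-03-02 22:41:40", "SRV1", 529, "administrator"),
    ("1998-03-02 22:42:02", "SRV2", 529, "administrator"),
    ("1998-03-03 10:30:00", "WKS1", 608, "jsmith"),
    ("1998-03-03 10:31:00", "WKS1", 608, "jsmith"),
]

WINDOW = timedelta(minutes=5)    # assumed burst window
MAX_FAILURES = 3                 # assumed threshold within WINDOW
BUSINESS_HOURS = range(8, 18)    # assumed 08:00-17:59 working day

def analyze(events):
    """Return (alerts, most_wanted) for records merged from all agents."""
    alerts, per_user = [], Counter()
    recent = defaultdict(deque)          # user -> recent failure timestamps
    for stamp, host, event_id, user in sorted(events):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        per_user[user] += 1              # every record counts toward the ranking
        if event_id != 529:
            continue
        if when.hour not in BUSINESS_HOURS:
            alerts.append(("after-hours-failure", user, host, stamp))
        window = recent[user]
        window.append(when)
        while when - window[0] > WINDOW:   # drop failures older than WINDOW
            window.popleft()
        if len(window) == MAX_FAILURES:    # alert when the count reaches the threshold
            alerts.append(("failed-logon-burst", user, host, stamp))
    return alerts, per_user.most_common(10)

if __name__ == "__main__":
    alerts, most_wanted = analyze(EVENTS)
    for alert in alerts:
        print(alert)
    print("most wanted:", most_wanted)
```

Failures are keyed by user rather than by host, so a burst spread across SRV1 and SRV2 is still caught once the records are combined centrally.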

Successful Monitoring
KSM is easy to install, configure, and use, and it won't tax your system. However, KSM doesn't function at the packet level or receive information about attacks that aren't recorded in the event logs, so you won't want to use it as your only means of monitoring network security. Your best bet is to use KSM in conjunction with a product that monitors at the packet level. Overall, KSM is a cost-effective way to enhance your network security.

Kane Security Monitor 3.03
Contact: Intrusion Detection * 212-348-8900 or 800-408-6104, Web:
Price: Starts at $1495 per server
System Requirements: 486 processor or better, Windows NT 3.51 with SP5 or later; Console component: 25MB of hard disk space, 16MB of RAM; Auditor service: 20MB of hard disk space, 32MB of RAM