Thursday, June 29

Netconnect 2006

I attended the 6th annual NetIQ Global Users conference in May, held in Orlando, FL. It was a wonderful chance to meet a lot of the people that I have worked with over the past 6 years as a NetIQ employee in the Technical Support and the Professional Services departments. I was also flattered by the fact that several customers remembered me from my days in Technical Support. Staying on after the conclusion of the conference, I attended two days of training on NetIQ's Security Manager product.

Netconnect 2006 was organized into five product demonstration and education tracks, including:

IT Automation
This track covered customizing, automating and tuning the AppManager (AM) Suite, including threshold automation and workload management with AppManager Performance Profiler (AMPP).

IT Service Management
This track focused on the convergence of security management with service level management, and how to transition your IT services from event management to service management. Products covered within this track included AM, VigilEnt Policy Center (VPC) and Analysis Center (AC).

Compliance and Risk Management
This track reviewed the impact of governmental regulations on IT from many perspectives, including preparing for audits, rules of evidence, organizational policy management, etc. Products examined were the Security Compliance Suite and the Risk and Compliance Center.

Security Management
This track presented NetIQ's broad coverage of security monitoring, automated response and reporting. Products presented were Security Manager (SM) and the Security Compliance Suite.

Change Control and Windows Administration
This track reviewed issues of managing operational changes and enforcing IT policies for Windows systems in a cost-effective manner. NetIQ's product lineup in this area recently expanded with the introduction of Change Administrator for Windows. Additional products covered included NetIQ Change Guardian for Active Directory (CGAD), Directory & Resource Administrator (DRA) and Group Policy Guardian (GPG).

As my personal goal in attending NetConnect was to broaden my awareness of NetIQ’s security and policy compliance solutions, I focused on the Security Management track, specifically SM. Workshops I attended included an overview of new features in SM 5.5; using the Security Compliance Suite to ensure compliance; integrating SM with AM, and the SM Essentials class. Here are some quick highlights.

SM is made up of three major components – Event Manager, Intrusion Manager and Log Manager.

-- Event Manager monitors the Windows event logs for security related incidents and executes responses and notifications based on best-practices rules. All incidents and responses are collected into a backend SQL database. This is the first phase of the complete event management life-cycle.

-- Intrusion Manager builds on Event Manager to help secure systems from internal/external, malicious/benign, or accidental/policy-based violations. For example, Intrusion Manager lets you monitor root and administrator logon failures, security configuration changes, or possible buffer overflow attacks. The monitoring rules are based on security industry best practices, and can be extended to custom configurations.

-- Log Manager copies all the information collected by Event Manager and Intrusion Manager to a separate SQL Server database designed for the analysis and reporting of security status across the enterprise. Log manager exposes knowledge articles on the analyzed events to supplement the administrator's understanding of each security scenario.

A core feature of SM is its ability to monitor with "event correlation", in which rules are configured to cover sequences of events filtered for various attributes such as criticality, time and number of occurrences.

Some of the new features in SM version 5.5 include:

AutoSync Technology
NetIQ provides new modules and module updates based on requested features or newly discovered security vulnerabilities. These updates are posted to the AutoSync Server. In the SM administrator console, these updates can be obtained by running the Module Installer. The Module Installer queries the AutoSync Server and distributes any updates available to the deployed agents as required.

Agentless Monitored Computer
The newest version of SM now supports agentless monitoring. An agentless computer is monitored by a proxy agent on another computer.

Protection for Oracle Database Servers
Security Manager now offers monitoring for Oracle database servers. Changes to security roles and user accounts can be monitored, along with the status of the audit subsystem.

The value of NetConnect was certainly worth the time and money to attend. I plan to release more detailed reports on the Security Compliance Suite in the months ahead.