Network Detective Detector User Guide

Network Detective
Detector
User Guide
© 2016 RapidFire Tools, Inc. All rights reserved
20160524 – Ver 4B
Contents
Overview
    Components of the Detector
        Detector
        Diagnostic Tool
        Network Detective Application
    Detector Features
        Level 1 (Daily) Network Scan
        Level 2 (Weekly) Security Scan
        Daily Alerts
        Weekly Notices
        Automated Assessment Reporting
    Remote Updating of the Detector
Automated Scanning and Scheduling Best Practices
Getting Started
    Detector Deployment Options
    Installing the Detector on Hyper-V
    Starting the Detector on Hyper-V
    Connecting the Optional Small Form Factor Server Computer
    Creating a Site and Associating the Detector to the Site
        Step 1 - Creating a New Site
        Step 2 - Adding a Detector to a Site
        Warning Concerning the Removal of a Detector Appliance from a Site
        Backing Up Smart Tags for Reuse
    Defining the Detector Settings
        Configuring Daily and Weekly Data Collection Scans and Schedules
        Configuring the Detector Scan Settings
    Setting Daily Alert and Weekly Notice Schedule
    Setting Up Daily Alerts and Weekly Notices
        Setting-up Daily Alerts
        Example of a Daily Alert
        Setting Up Weekly Notices
        Example of a Weekly Notice
    Assigning Smart Tags to Change Events that Refine Alerts and Notices
        Examples of Smart Tag Use
        Warning Concerning the Removal of a Detector Appliance from a Site
        Backing Up Smart Tags for Reuse
        Adding and Configuring Smart Tags
        Deleting Smart Tags
Viewing the Notifications History and Past Alert Details
Preferences Menu Options
    Setting the Master Report Default Preferences
Using the Manage Detector Appliance Feature to Configure Automatic Report Generation
    Setting Up Automatic Reports for Network Assessments
    Setting Up Automatic Reports for Security Assessments
Updating a Software Appliance
Appendices
    Appendix I – Software Appliance Diagnostic Tool
        Purpose of the Diagnostic Tool
    Appendix II – Saving and Reusing Smart Tags through Export and Import
        Steps to Export and Save Smart Tags for Later Use
        Steps to Import Smart Tags into your Site for Use with Detector
Overview
Detector is an appliance-based system used for performing scheduled IT assessment scans and then
issuing network change related Daily Alerts and Weekly Notices after Anomalies, Changes, or Threats
(ACT) have been identified on the network.
This guide is designed to provide an overview and specific steps required to install and configure the
Detector appliance and schedule the collection of data remotely, schedule automated assessment scans,
and issue network change related Daily Alerts and Weekly Notices.
Components of the Detector
Detector
This is the Detector software application that operates on either a user-supplied Microsoft Hyper-V
based system or the Small Form Factor Server computer available from RapidFire Tools.
Optional Small Form Factor Server Computer
This is an optional hardware component that can be purchased from RapidFire Tools to host and
operate the Detector. It is a small, portable appliance which plugs into the target network through an
Ethernet connection.
Diagnostic Tool
This tool is used for configuring and troubleshooting the Detector. The Diagnostic Tool should be run on
the same network as the Detector to perform diagnostic checks, such as checks for Detector connectivity
or for available updates.
Network Detective Application
This is the same Network Detective desktop application and report generator that is used with any other
Network Detective modules. This application contains additional features to manage the Detector
remotely.
Detector Features
The one key purpose of the Detector is to perform scans from the point-of-view of the client’s internal
network and issue Daily Alerts and Weekly Notices.
Below is an overview of the scans that can be performed by the Detector.
Level 1 (Daily) Network Scan
The “Level 1” Network and Security Assessment Scan is a Daily Scan performed from the point-of-view
of the Detector. The resulting scan can be used to issue Daily Alerts, Weekly Notices, and generate
reports from the Network Assessment and Security Assessment modules.
Level 2 (Weekly) Security Scan
The “Level 2” Network and Security Assessment Scan is a Weekly Scan performed from the point-of-view
of the Detector. The resulting scan can be used to issue Weekly Notices and generate reports from
the Network Assessment and Security Assessment modules.
Daily Alerts
Detector Daily Alerts is a Detector feature whereby you and other designated recipients within your
company can be sent “Alerts” via email based on automated Detector scans being performed on a daily
basis. These Alerts serve the purpose of notifying you of changes identified within your customer’s IT
infrastructure after pre-scheduled scans/assessments have been performed.
Daily Alerts are sent as emails in both Expanded and Compact detail formats.
Weekly Notices
Detector Weekly Notices is a Detector feature whereby you and other designated recipients within your
company can be sent “Notices” via email based on automated Detector scans being performed on a
weekly basis. These Notices serve the purpose of notifying you of changes identified within your
customer’s IT infrastructure after pre-scheduled scans/assessments have been performed.
Automated Assessment Reporting
Automatic Report Generation enables you to use the Detector to schedule and generate a number of
assessment reports associated with the following:
• Network Assessments
• Security Assessments
Note that the:
A) Network Assessment Reports are only available to Network Assessment module subscribers.
B) Security Assessment Reports are only available to Security Assessment module subscribers.
Remote Updating of the Detector
The Detector is easy to update remotely. Updates include bug fixes, new features, and additional scan
types.
Automated Scanning and Scheduling Best Practices
It is recommended that Detector scans are scheduled to be performed on a daily and weekly basis using
the Level 1 (Daily) Scan and Level 2 (Weekly) Scan respectively.
Getting Started
Detector Deployment Options
There are two Detector deployment options available to users:
• Detector deployment on a user owned and operated Hyper-V based system
• Detector deployment on the Small Form Factor Computer Server available from RapidFire Tools
Installing the Detector on Hyper-V
Please refer to the Virtual Appliance Installation Guide.
During the installation process, please take note of the Detector Appliance ID presented to you during
the Virtual Appliance installation process.
The Detector Appliance ID will be required when you Associate the Detector with the Network
Detective application “Site” that you will set-up for your client’s network as detailed in the instructions
provided below.
Starting the Detector on Hyper-V
Upon the installation of the Virtual Appliance software, Detector will be available for use based on your
purchase of the Detector as referenced within your Network Detective account subscription.
Connecting the Optional Small Form Factor Server Computer
To set up the Small Form Factor Server Computer used to operate the Detector, first go to the physical
location of the target network. After finding a secure location for the device, connecting it to the
network can be accomplished in two easy steps:
Note: When users have purchased a Small Form Factor Server Computer, the Appliance ID can be found
on a printed label on the Small Form Factor Server Computer itself.
Creating a Site and Associating the Detector to the Site
In order to set up the use of Detector to identify security issues and issue alerts, a Site must be created
within the Network Detective application and the Detector that is connected to your client’s network
must be “Associated” with the created Site.
Before using the Detector, the Detector must be associated with a Site in the Network Detective
application. Perform the following steps to use Network Detective to create a Site and Associate a
Detector with the site:
Step 1 - Creating a New Site
If you have not yet added any Sites, open the Network Detective application and navigate to New Site
from the Home screen.
Define a name for the Site. This should be unique and easily identifiable, such as the customer name or
physical location.
Step 2 - Adding a Detector to a Site
After starting a new assessment, or within an existing assessment, in order to “Associate” a Detector
with the Site, you must first select the selector symbol to expand the Site’s preferences view.
This action will expand the Site’s preferences window for you to view and to add an Appliance to the
Site.
To add an Appliance to a Site, from the Site Preferences Window select the Appliances Add button as
noted above.
Select the Appliance ID of the Appliance from the drop down menu. Note: When users have purchased
a Small Form Factor Server Computer, the Appliance ID can be found on a printed label on the Small
Form Factor Server Computer itself.
After successfully adding a Detector to the Site, it will appear under the Appliance bar in the Site
Preferences Window. The status of the Appliance will be indicated as Active.
To view a list of all Appliances and their associated Sites, navigate to the Appliance tab from the top bar
of the Network Detective Home screen. This will show a summary of all Appliances, their activity status,
and other useful information.
To return to the Site that you are using to perform your Detector based assessments, click on the Home
icon above, and select the Site that you are using with the Detector.
Warning Concerning the Removal of a Detector Appliance from a Site
When a Detector has been Associated with a Site and the Scan Schedule, Alert Schedule, Alert
Recipients, and Smart Tags settings have been defined, if the Detector is ever Associated with a
different Site, the original Site’s Detector settings will be automatically deleted.
Backing Up Smart Tags for Reuse
You have the ability to Export the Smart Tags associated with a Network Detective Site file that is
Associated with Detector. If you wish to save the assigned Smart Tags contained within the existing Site
that is Associated with Detector for later use with a new Site, then use the Smart Tags Export and
Import options described in Appendix II – Saving and Reusing Smart Tags through Export and Import
found on page 73.
Defining the Detector Settings
The setup process of the Detector consists of setting up the following options:
• Level 1 (Daily) Scan
• Level 2 (Weekly) Scan
• Daily Alerts Recipient Assignment, Event Selection, and Scheduling
• Weekly Notices Recipient Assignment, Event Selection, and Scheduling
• Automatic Report Generation
• Smart Tags
Configuring Daily and Weekly Data Collection Scans and Schedules
Detector based scans can be set up to run on a daily and weekly basis.
Below is an overview of the scans that can be set up and performed using the Detector.
Level 1 (Daily) Scan – The resulting daily scan can be used to issue Daily Alerts, Weekly Notices,
and generate reports from the Network Assessment and Security Assessment modules.
Level 2 (Weekly) Scan – The resulting weekly scan can be used to issue Daily Alerts, Weekly
Notices, and generate reports from the Network Assessment and Security Assessment modules.
The next section outlines the steps to set-up the scans to be performed using Detector.
Configuring the Detector Scan Settings
To set up the scans to be performed by Detector, follow the steps below.
Step 1 – Select the Site
Double-click the Site for which you are configuring automated scans, alerts, and reports in order to
view and access the Site.
Step 2 – Select Manage Detector Appliance and Access the Detector Settings
After the Site has been opened, select the Detector icon located within the Site bar.
The Detector Settings window will be displayed.
Next select the Settings Preferences option by selecting the selector.
The Settings window will be presented.
Step 3: Define the Scan Settings
To set the Scan Configuration, select the Modify option.
The Scan Configuration Wizard window will be displayed.
Choose Merge Option from the wizard and click the Next button.
Step 4: Input Credentials
Input administrative credentials to access the Domain Controller or indicate that the target network
does not contain a Domain Controller. Then select the Next button.
Step 5: Select Local Domains
Choose either to scan all Domains detected on the target network or to restrict the Scan to selected
Organizational Units (OUs) and Domains. Then select the Next button.
Step 6: Specify IP Ranges
The IP ranges from the target network will be auto-detected and included in the scan. To include
additional subnets input them here. Then select the Next button.
Step 7: Add SNMP Information
By default, the Detector will retrieve data from devices with the community string “public.” If desired,
define an additional “read” community string (such as “private”) and enter it here. Then select the Next
button.
Step 8: Confirm and Finish Scan Settings
Click on the Finish button to complete the configuration of the Detector Scan Configuration settings.
The result of the setting of the Detector Scan Configuration will be updated to the Detector Settings
window with the following information:
Step 9: Setting Daily and Weekly Scan Schedules
Set the Daily and Weekly Scan schedule by setting the Level 1 (Daily) Scan and Level 2 (Weekly) Scan
schedule times and days.
To schedule the scans, select the Modify button in the Schedules section of the Settings window.
The Schedule window will be displayed.
Set the Time Zone, the Level 1 Scan (Daily) scan time, and the Level 2 Scan (Weekly) scan time and day.
After these scan Schedule Settings have been defined, select the Save button to save the settings.
Setting Daily Alert and Weekly Notice Schedule
Daily Alerts and Weekly Notice bulletins can be scheduled to be issued on a daily or weekly basis
respectively.
The Daily Alerts and Weekly Notice schedule can be defined using the Site’s Settings Preferences
option. To set up the Daily Alerts and Weekly Notices schedule, follow the steps below.
Step 1 – Select the Site
Double-click the Site for which you are configuring automated scans, alerts, and reports in order to
view and access the Site.
Step 2 – Select Manage Detector Appliance and Access the Detector Settings
After the Site has been opened, select the Detector icon located within the Site bar.
The Manage Detector Settings window will be displayed.
Next select the Settings Preferences option by selecting the selector.
The Settings window will be presented.
Step 3: Define the Alerts and Notice Schedule Settings
Select the Modify button in the Schedules section of the Settings window.
The Schedule window will be displayed.
Within the Schedule Window set the Time and Days when Daily Alert and Weekly Notice bulletins
should be issued.
After the Alerts and Notice schedule has been set, select the Save button to save these settings.
Setting Up Daily Alerts and Weekly Notices
Setting-up Daily Alerts
The use of the Daily Alerts feature presumes that the Level 1 (Daily) Scan and/or Level 2 (Weekly) Scan
types available on the Detector Appliance have been configured.
Daily Alerts will be sent to designated email recipients when a number of changes to your client’s
network and IT infrastructure have been identified as a result of automated scans being performed by
Detector.
The changes detected and reported upon include: changes to network users, computers, and the
network itself.
To send Daily Alerts containing important information to contacts within your company, set up Detector
Daily Alerts to be sent to designated recipients by performing the following steps.
Step 1 – Select the Site
Double-click the Site for which you are configuring automated scans, alerts, and reports in order to
view and access the Site.
Step 2 – Select Manage Detector Appliance and Access the Detector Settings
After the Site has been opened, select the Detector icon located within the Site bar.
The Detector Settings window will be displayed.
Step 3 – Add Daily Alerts Recipients and Assign Daily Alert Email Notification “Subject” Text
1. To add a Daily Alerts Recipient, select the Daily Alerts Preferences option by selecting the
selector on the Daily Alerts bar.
The Daily Alerts Preferences will be displayed to enable access to the Daily Alerts settings.
The Daily Alerts settings enable the selection of the Daily Alert recipients, setting the “Subject”
text for the alert, the assignment of the types of changes to the network that issue alerts, and to
enable the suppression of “No Issue” Alerts notifications.
2. Add one or more alert Recipients by selecting the Add Recipient button available in the Daily
Alerts Preferences window as displayed below.
The Daily Alert Configuration window will be displayed.
3. Select the To button in order to display the list of Network Detective User email addresses that
can be designated as Daily Alert Recipients:
The Select Users Form will be displayed.
Select the email address for the person that you want to receive Daily Alert notifications.
After selecting a Recipient’s email address from the list of email addresses in the Select Users
Form, or typing in a Recipient’s email address manually, click on the OK button.
Repeat this process for each recipient that you want to add to the “To” list present in the Daily
Alert Configuration window.
Using Email Addresses That Are Not Available in Network Detective
If you do not see an email address for an individual in your company that you want to be
assigned as a Daily Alert Recipient, then add the desired individual as a user of the Network
Detective using the Network Detective Manage Users option.
Alternatively, if an individual that you would like to receive an alert is not listed in the Select
Users Form, you can select the Email field to the right of the To button in the Daily Alert
Configuration window and type in the email address of the intended recipient of the alert email
as presented below.
4. Once each Daily Alert email recipient’s address has been selected and assigned, the Daily Alert
Configuration window will be updated with the list of recipient email addresses.
5. Type in text for the Subject line to be contained within the Daily Alert email as illustrated below.
Note About Subject Text: It may be helpful to use a subject text format that references your
client’s company name, the name of the Network Detective Site you used, and the term Daily
Alert. For example:
Client Company Name – Site Name Daily Alert
After the completion of Step 5 above, the Subject text to be present within each Daily Alert
message along with the email recipients that will receive Daily Alerts will have been defined.
6. Next, set the Email Format for the Daily Alert. The Email Format options are Expanded and
Compact.
• Expanded Email Format – selecting this option will augment Daily Alerts with detailed
information about the Anomalies, Changes, and Threats (ACT) detected. Using this option,
Daily Alerts will be sent via an HTML formatted email in a friendly, readable format that
includes recommendations and formatting. The Expanded format is ideal for users using
email readers on PC or tablet devices.
• Compact Email Format – selecting this option will present the identified Anomalies,
Changes, and Threats detected in a summarized form. Using this option, Daily Alerts will be
sent in a Plain Text email format. Daily Alerts in Compact form work well with mobile device
email readers and email integration to PSAs.
7. Next, set the Alert Sort option to control how Anomalies, Changes, and Threats (ACT) notices
are to be sorted within the Daily Alerts emails sent to Recipients.
The Alert Sort options are ACT then Severity, which sorts issues by Anomaly, Change and Threat
(ACT) types and Severity. The other Alert Sort option is by Severity only.
Select the Alert Sort method of choice.
8. Set the Suppress No Issue Alerts option if you wish to suppress Daily Alerts that contain no
issues from being sent when no ACT issues have been identified.
Next, either select the Save & Close button to save the Daily Alert Configuration, or select the
Selected Alerts tab to set the Change events that trigger a Daily Alert.
Note, if the Suppress No Issue Alerts is not selected, the Daily Alerts will be sent with a No Issue
Alerts status as presented in the example below.
Step 4 – Use the Selected Alerts Feature to Set Network and Use Change Events that Trigger Daily
Alerts
There are four primary settings options that can be configured to set-up and trigger Daily Alerts. These
options are:
• Access Control – Access Control Bulletins are issued for changes in the following:
o Administrative rights
o New device on restricted networks
o New profiles and users
o Suspicious user logins
o Unauthorized access to endpoints on the accounting, Cardholder Data Environment
(CDE), EPHI, and restricted IT computers, and unauthorized printers
o Addition of unauthorized printers on the network
o Unusual logon times and unusual logons to computers by users
• Computers – Alerts are issued for changes in the following:
o Applications installed on locked down systems
o Critical patches missing
o Internet restrictions not enforced
o Removable drives added to one or more locked down systems
• Network Security – High and medium internal network vulnerabilities trigger Alerts
• Wireless – Alerts are issued when connections to Unauthorized Wireless Networks take place.
To specify which network and security change events should trigger Daily Alerts to be sent to one or
more alert recipients, the Daily Alerts Selected Alerts settings must be defined.
Select the Selected Alerts tab in the Daily Alert Configuration window to access and select the Daily
Alert change events that, when detected, trigger a Daily Alert notice being sent reporting a change
event.
The Anomalies, Changes, and Threat (ACT) alert events options are available for selection within the
Daily Alerts settings window as presented below.
Select the Daily Alerts options of your choice, then, select the Save & Close button to save the Daily
Alert Configuration settings.
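The Selected Alerts, Alert Sort, and Suppress No Issue Alerts settings described in Steps 3 and 4 can be pictured as a filter applied to the differences between two scans. The Python below is an added illustration and is not RapidFire Tools code; the snapshot fields, event names, ACT classification of each event, and numeric severities are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample snapshots. The field names are hypothetical and are not
# the Detector's own data format.
PREVIOUS_SCAN = {
    "admins": {"alice"},
    "restricted_devices": {"10.0.5.10", "10.0.5.11"},
    "printers": {"HP-Front-Desk"},
    "missing_critical_patches": {"WS-01": 0, "WS-02": 0},
}
CURRENT_SCAN = {
    "admins": {"alice", "tempuser"},
    "restricted_devices": {"10.0.5.10", "10.0.5.11", "10.0.5.77"},
    "printers": {"HP-Front-Desk", "Unknown-Inkjet"},
    "missing_critical_patches": {"WS-01": 0, "WS-02": 3},
}

# Assumed mapping of change event -> (ACT type, severity 1..3). The guide names
# the event categories but not their ACT type or severity, so these are invented.
EVENT_RULES = {
    "admin_rights_added": ("Change", 3),
    "new_device_restricted_net": ("Anomaly", 2),
    "unauthorized_printer": ("Anomaly", 1),
    "critical_patches_missing": ("Threat", 3),
}
ACT_ORDER = {"Anomaly": 0, "Change": 1, "Threat": 2}


@dataclass(frozen=True)
class Alert:
    event: str
    act: str
    severity: int
    detail: str


def diff_scans(previous, current, authorized_printers=frozenset()):
    """Compare two scan snapshots and return one Alert per detected change."""
    alerts = []

    def emit(event, detail):
        act, severity = EVENT_RULES[event]
        alerts.append(Alert(event, act, severity, detail))

    for user in sorted(current["admins"] - previous["admins"]):
        emit("admin_rights_added", user)
    for ip in sorted(current["restricted_devices"] - previous["restricted_devices"]):
        emit("new_device_restricted_net", ip)
    new_printers = current["printers"] - previous["printers"] - set(authorized_printers)
    for printer in sorted(new_printers):
        emit("unauthorized_printer", printer)
    for host, count in sorted(current["missing_critical_patches"].items()):
        if count > previous["missing_critical_patches"].get(host, 0):
            emit("critical_patches_missing", f"{host}: {count} missing")
    return alerts


def build_daily_alert(alerts, selected_events,
                      sort_mode="act_then_severity", suppress_no_issue=True):
    """Apply the Selected Alerts, Alert Sort and Suppress No Issue settings.

    Returns None when nothing is sent, otherwise a dict with a status line
    and the sorted alerts.
    """
    chosen = [a for a in alerts if a.event in selected_events]
    if not chosen:
        if suppress_no_issue:
            return None  # no email is sent at all
        return {"status": "No Issue Alerts", "alerts": []}

    if sort_mode == "act_then_severity":
        def key(a):
            return (ACT_ORDER[a.act], -a.severity, a.detail)
    elif sort_mode == "severity":
        def key(a):
            return (-a.severity, a.detail)
    else:
        raise ValueError(f"unknown sort mode: {sort_mode}")
    return {"status": "Issues Detected", "alerts": sorted(chosen, key=key)}


if __name__ == "__main__":
    found = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for mode in ("act_then_severity", "severity"):
        result = build_daily_alert(found, set(EVENT_RULES), sort_mode=mode)
        print(mode)
        for a in result["alerts"]:
            print(f"  [{a.act}/{a.severity}] {a.event}: {a.detail}")
```
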
Step 5 – Configure the Daily Alerts Delivery Schedule
To schedule the Daily Alerts notifications, select the Modify button in the Schedule section of the
Settings Preferences window in order to set the Daily Alerts notification schedule.
Please note that the default setting for alert distribution frequency of Daily Alerts is for alert emails to
be sent per the Notifications Time and Schedule specified within the Schedule Settings Preferences as
presented below.
Daily Alerts will be sent to alert recipients at the scheduled time and frequency to notify alert recipients
of network and/or security issues related to internal vulnerabilities that are detected as changes to the
network or its security status.
After setting the Daily Alert time and frequency (days selected), select the Save button to save these
settings.
Example of a Daily Alert
Below is an example of a Daily Alert message sent by Detector.
Setting Up Weekly Notices
The use of the Detector Weekly Notices feature presumes that you have set up one (1) or more
automated scans for one (1) or more of the Assessments types available on the Detector Appliance.
Weekly Notices is a Detector feature whereby you and other designated recipients within your company
can be sent “Notices” via email. These Weekly Notices serve the purpose of notifying recipients by email
of changes identified within your customer’s IT infrastructure after pre-scheduled scans/assessments
have been performed.
The changes contained within a Weekly Notice email will be a result of a comparison of the most
current and previous scans being performed by Detector.
To set up Detector Weekly Notices, perform the following steps.
Step 1 – Select the Site
Double-click the Site for which you are configuring automated scans, alerts, and reports in order to
view and access the Site.
Step 2 – Select Manage Detector Appliance and Access the Detector Settings
After the Site has been opened, select the Detector icon located within the Site bar.
The Detector Settings window will be displayed.
Step 3 – Add Weekly Notice Recipients and Assign Weekly Notice Notification “Subject” Text
1. To add a Weekly Notice Recipient, select the Weekly Notice Preferences option by selecting the
selector on the Weekly Notice bar.
The Weekly Notice Preferences will be displayed to enable access to the Weekly Notice
settings.
The Weekly Notice settings enable the selection of the Weekly Notice recipients, setting the
“Subject” text for the alert, the assignment of the types of changes to the network that issue
alerts, and to enable the suppression of “No Issue” Alerts notifications.
2. Add one or more alert Recipients by selecting the Add Recipient button available in the Weekly
Notice Preferences window as displayed below.
The Weekly Notice Alerts configuration window will be displayed.
3. Select the To button in order to display the list of Network Detective User email addresses that
can be designated as Weekly Notice Recipients:
The Select Users Form will be displayed.
Select the email address for the person that you want to receive Weekly Notice notifications.
After selecting a Recipient’s email address from the list of email addresses in the Select Users
Form, or typing in a Recipient’s email address manually, click on the OK button.
Repeat this process for each recipient that you want to add to the “To” list present in the
Weekly Notice alerts configuration window.
Using Email Addresses That Are Not Available in Network Detective
If you do not see an email address for an individual in your company that you want to be
assigned as a Weekly Notice Recipient, then add the desired individual as a user of the Network
Detective using the Network Detective Manage Users option.
Alternatively, if an individual that you would like to receive an alert is not listed in the Select
Users Form, you can select the Email field to the right of the To button in the Weekly Notice
configuration window and type in the email address of the intended recipient of the alert email
as presented below.
4. Once each Weekly Notice email recipient’s address has been selected and assigned, the Weekly
Notice Alerts configuration window will be updated with the list of recipient email addresses.
5. Type in text for the Subject line to be contained within the Weekly Notice email as illustrated
below.
Note About Subject Text: It may be helpful to use a subject text format that references your
client’s company name, the name of the Network Detective Site you used, and the term Weekly
Notice. For example:
Client Company Name – Site Name Weekly Notice
After the completion of Step 5 above, the Subject text to be present within each Weekly Notice
message along with the email recipients that will receive Weekly Notice will have been defined.
6. Set the Suppress No Issue Alerts option if you wish to prevent Weekly Notices from being
sent when no Anomalies, Changes, and Threats (ACT) issues have been identified.
Next, either select the Save & Close button to save the Weekly Notice Alerts configuration, or select
the Selected Notices to set the Change events that trigger a Weekly Notice.
Note, if the Suppress No Issue Alerts is not selected, the Weekly Notice will be sent with a No Issue
Alerts status as presented in the example below.
Step 4 – Use the Selected Notices Feature to Set Network and Use Change Events that Trigger Weekly
Notices
There are two primary settings options that can be configured to set-up and trigger Weekly Notice.
These options are:
• Network, Endpoint, and Security Related Change Events
  o Computers
  o DNS
  o Domain and local users
  o Network devices and printers
  o Switch port connects
  o Wireless network
• Network Security – this option sends notices when new vulnerabilities associated with Internal
  Network Security are identified
To specify which network and security change events should trigger Weekly Notice to be sent to one or
more alert recipients, the Weekly Notice Selected Notices settings must be defined.
Select the Selected Alerts tab in the Weekly Notice Alerts configuration window to access and select
the Weekly Notice change events that, when detected, trigger a Weekly Notice being sent reporting a
change event.
The Weekly Notice alert events options are available for selection within the Weekly Notice settings
window as presented below.
Select the Weekly Notice alert options of your choice, then, select the Save & Close button to save the
Weekly Notice configuration settings.
Step 5 – Configure the Weekly Notice Delivery Schedule
To schedule the Weekly Notice alerts, select the Modify button in the Schedule section of the Settings
Preferences window in order to set the Weekly Notice notification schedule.
Please note that the default setting for scheduled delivery of the Weekly Notice is for the Notice to be
sent per the Notifications Time and Schedule specified within the Schedule Settings Preferences as
presented below.
Weekly Notices will be sent to alert recipients at the scheduled time and day to notify alert recipients of
network and/or security issues related to internal vulnerabilities that are detected as changes to the
network or its security status.
After setting the Weekly Notice time and day, select the Save button to save these settings.
Example of a Weekly Notice
Below is an example of a Weekly Notice message sent by Detector.
Assigning Smart Tags to Change Events that Refine Alerts and Notices
Detector incorporates a proprietary feature named “Smart Tags”. The Smart Tags feature allows you to
fine-tune the Detector to adapt to each client’s unique IT environment to detect network Anomalies,
Changes, and Threats (ACT).
Smart Tags allow you to enrich the detection system by adding information about specific users, assets,
and settings that helps Detector get “smarter” about what it is finding. That means more potential
threats identified with fewer “false positives.”
Here is an example of some of the Smart Tags available for use:
Tag                         Applied To
AUTHORIZED SSID             SSID
BUSINESS OWNER              User
BUSINESS OWNER PC           Computer
GUEST NETWORK               IP Range
GUEST WIRELESS NETWORK      IP Range
IT ADMIN                    User
LOCKED DOWN                 Computer
RESTRICTED IT ADMIN ONLY    Computer
RESTRICTED NETWORK          IP Range
SINGLE DESKTOP USER         User
VIRTUAL MACHINE             Computer
AUTHORIZED PRINTER          Printer
TRANSIENT PRINTER           Printer
Examples of Smart Tag Use
Here are some examples of how you might use the Smart Tags to fine-tune Detector’s alerts for a
particular client:
Restricted Computer Access Detection
Within Detector, you can tag a particular computer as being “RESTRICTED IT ADMIN ONLY”. Then,
when any user logs into the network that has not been tagged “IT ADMIN”, Detector will send an alert.
Changes to Locked Down Computer Detection
Within Detector, you can tag a particular computer as “Locked Down” (meaning, do not allow changes
to this computer). If someone manages to install an application on this machine, then Detector will
detect that the application was installed and send an Alert. In this way, tagging can remove false
positives and increase the relevance of alerts.
Wireless Network Availability Detection
Within Detector, you can tag a specific wireless network as a “GUEST WIRELESS NETWORK” telling
Detector it does not need to worry about new devices appearing on it. But if a new device shows up on
any non-guest network, then the appearance is significant and Detector will send you an alert so you can
determine if it is worth looking into.
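The three tag rules above, modelled in Python as an added example; this is not Detector's own implementation. The event format, the user and computer names, the IP ranges, and the `evaluate` and `triage` functions are assumptions made for illustration, as is treating installs on untagged computers as routine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed tag assignments for a hypothetical site. Tag names come from the
# table in this guide; the users, computers and ranges are invented.
USER_TAGS = {"alice": {"IT ADMIN"}, "bob": set()}
COMPUTER_TAGS = {
    "DC01": {"RESTRICTED IT ADMIN ONLY"},
    "KIOSK1": {"LOCKED DOWN"},
}
RANGE_TAGS = {"10.0.50.0/24": {"GUEST WIRELESS NETWORK"}}


@dataclass(frozen=True)
class Event:
    kind: str            # "login", "app_install" or "new_device"
    computer: str = ""
    user: str = ""
    ip: str = ""
    detail: str = ""


def tags_for_ip(ip):
    """Union of the tags on every tagged range that contains this address."""
    addr = ip_address(ip)
    found = set()
    for cidr, tags in RANGE_TAGS.items():
        if addr in ip_network(cidr):
            found |= tags
    return found


def evaluate(event):
    """Return an alert string, or None when the tags make the event routine."""
    computer_tags = COMPUTER_TAGS.get(event.computer, set())
    if event.kind == "login":
        # Paired tags: a restricted computer plus the set of IT ADMIN users.
        restricted = "RESTRICTED IT ADMIN ONLY" in computer_tags
        is_admin = "IT ADMIN" in USER_TAGS.get(event.user, set())
        if restricted and not is_admin:
            return f"non-IT-admin {event.user} logged in to restricted {event.computer}"
    elif event.kind == "app_install":
        # Assumption of this model: only LOCKED DOWN computers alert on installs.
        if "LOCKED DOWN" in computer_tags:
            return f"{event.detail} installed on locked-down {event.computer}"
    elif event.kind == "new_device":
        # Assumption: GUEST NETWORK suppresses the same way the guide describes
        # for GUEST WIRELESS NETWORK.
        guest = {"GUEST NETWORK", "GUEST WIRELESS NETWORK"} & tags_for_ip(event.ip)
        if not guest:
            return f"new device {event.ip} on a non-guest network"
    return None


def triage(events):
    """Evaluate every event and keep only those that produce an alert."""
    return [alert for alert in map(evaluate, events) if alert is not None]


# Constructed sample events, not real scan output.
SAMPLE_EVENTS = [
    Event("login", computer="DC01", user="alice"),
    Event("login", computer="DC01", user="bob"),
    Event("login", computer="WS07", user="bob"),
    Event("app_install", computer="KIOSK1", detail="RemoteTool 1.0"),
    Event("app_install", computer="WS07", detail="RemoteTool 1.0"),
    Event("new_device", ip="10.0.50.23"),
    Event("new_device", ip="10.0.10.44"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Of the seven sample events, three produce alerts; the other four are suppressed by the tag context.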
Using Smart Tags
You can select, configure, or modify, your Smart Tags at any time. That allows you to see what kind of
alerts Detector is sending you and create the tags you want to use to “tweak” the Detector system.
The use of Smart Tags improves the detection of Anomalies, Changes, and Threats (ACT) by providing
additional “knowledge” of the network environment to the Detector. Once the Detector has scanned
your network for the first time, you can explore the data and assign Smart Tags to entries like
computers and users.
The use of the Smart Tags feature presumes that the Level 1 (Daily) Scan and/or Level 2 (Weekly) Scan
types available on the Detector Appliance have been configured and performed.
Warning Concerning the Removal of a Detector Appliance from a Site
When a Detector has been Associated with a Site and the Scan Schedule, Alert Schedule, Alert
Recipients, and Smart Tags settings have been defined, if the Detector is ever Associated with a
different Site, the original Site’s Detector settings will be automatically deleted.
Backing Up Smart Tags for Reuse
You have the ability to Export the Smart Tags associated with a Network Detective Site file that is
Associated with Detector. If you wish to save the assigned Smart Tags contained within the existing Site
that is Associated with Detector for later use with a new Site, then use the Smart Tags Export and
Import options described in Appendix II – Saving and Reusing Smart Tags through Export and Import
found on page 73.
Adding and Configuring Smart Tags
To assign and configure Smart Tags to enable Detector to recognize any Anomalies, Changes and
Threats (ACT) that trigger Daily Alerts or Weekly Notice alerts, perform the following steps.
Step 1 – Select the Site
Double-click the Site for which you are configuring automated scans, alerts, and
reports in order to view and access the Site.
Step 2 – Select Manage Detector Appliance and Access the Detector Settings
After the Site has been opened, select the Detector icon located within the Site bar.
The Detector Settings window will be displayed.
Step 3 – Access Smart Tags and Verify that Scan Data has been Downloaded
Select the Smart Tags link within the Detector’s Settings window.
If no scans have been performed by the Detector, the following message will be presented by Network
Detective.
After scans have been performed, select the Smart Tags link and download the scan as instructed.
Once the scans have been downloaded, the completion of the process will be confirmed by the
presentation of the Smart Tags options consisting of Applied Tags, Recommended Tags, and Available
Tags as presented below.
Once the Smart Tags are “Up to Date”, you can access, view, and use the settings for Applied Tags,
Recommended Tags, and Available Tags.
Also note: When starting a Site using the Detector, then attempting to view or update the Smart Tags
configuration, you may be prompted to update the scan data with the latest scan per a notice as
displayed below.
Depending on the number of changes in Users and Computers on your client’s network, you may wish
to download the updated scan to ensure the latest User identity and Computer information is available for
use when setting Smart Tag configurations.
Step 4 – Select and Apply Recommended Tags
1. To add a Smart Tag from the Recommended Tags list, select the Recommended Tags option by
selecting the selector on the Recommended Tags bar.
The Recommended Tags window will be displayed.
2. Next, select the Smart Tag that you would like to configure and apply.
For example, select the IT Admin tag by double-clicking on the IT Admin User Smart Tag Icon.
This action will display the Tag Explorer window for this Smart Tag.
Within the Tag Explorer window, instructions are presented that detail:
• what the Tag is to be “Applied To” (i.e. users or computers)
• the “For What” purpose the Tag can be used
• the “Why” reason to use the Tag
Note: There are a number of Smart Tags that should be used as logical “pairs”. For example, the
IT Admin User tag should be used with the Restricted IT Admin Computer Only tag. Using this
pair of Smart Tags will enable you to define all of the IT Admin users, and the computer
endpoints that are to be only accessible by IT Admin users. Alerts will be generated when non-IT
Admin users access the computers designated as Restricted IT Admin Computers Only.
3. Next, define which network Users are IT Admin Users by selecting the Users that should be
designated as IT Administrators in the Tag Explorer window presented for the IT Admin Users
tag.
To specify the IT Admin Users, select the Check Box next to Users that should be designated as
IT Admin Users from the list presented in the Tag Explorer window as displayed below.
4. Next, select the Save & Close button to save the Smart Tag settings for the IT Admin User Smart
Tag.
When the IT Admin Tag is configured and Applied, the IT Admin Tag will be available for
updating in the Applied Tags section of the Smart Tags options window.
Step 5 – View Applied Tags
To view the Smart Tags that have been Applied from the Applied Tags list, select the Applied
Tags option by selecting the selector on the Applied Tags bar.
The Smart Tags that have been applied to the Detector configuration for the Site will be listed in
the Applied Tags window as seen below.
You can double click on the Smart Tag to view the tag’s settings.
Step 6 – Select and Apply Additional Smart Tags from the Available Tags Window
1. To add a Smart Tag from the Available Tags list, select the Available Tags option by selecting
the selector on the Available Tags bar.
The Smart Tags available for use will be displayed.
2. Double click on the Smart Tag that you want to use and the Tag Explorer window for the
selected tag will open. Configure the Tag by selecting the Users or Computers listed in the Tag
Explorer window that you want to designate as being “Tagged” within the Tag as displayed
below.
3. Next, select the Save & Close button to save the Smart Tag settings for the selected Smart Tag.
When the Tag you selected is configured and Applied, the Tag will be available for updating in
the Applied Tags section of the Smart Tags options window.
4. Verify that the Tag you configured and Applied is in the Applied Tags window.
To view the Smart Tags that have been Applied from the Applied Tags list, select the Applied
Tags option by selecting the selector on the Applied Tags bar.
The Applied Tags will be displayed to enable you to confirm that the Smart Tag you selected and
configured has been Applied.
Deleting Smart Tags
Use the following steps to delete a Smart Tag.
Step 1 – Open the Applied Tags Window and Select the Tag for Deletion
To access the Smart Tags that have been Applied from the Applied Tags list, select the Applied Tags
option by selecting the selector on the Applied Tags bar.
The Applied Tags window will be displayed.
Step 2 – Select the Tag and Delete
Right click the mouse pointer on the tag to be deleted. A Remove Tag menu option will be presented.
Select the Remove Tag menu option and the tag will be deleted and removed from the Applied Tags
window.
Viewing the Notifications History and Past Alert Details
When using the Network Detective with a Detector, there is an ability to access the history associated
with all Daily Alerts and Weekly Notices for review purposes.
To access the Notifications History, select the Notifications link available within the Detector Settings
window.
The Notification History window will be displayed.
The Notifications History Time Frame view of the alert history can be set to 7, 14, and as long as 30
days.
To view an individual Daily Alert or Weekly Notice, select the row containing the record of the Alert or
Notice you want to view and double click the row to see the Alert or Notice details.
Preferences Menu Options
The Network Detective Preferences menu presents one set of options that can be configured as defaults
for Detector’s branding of the reports generated by the Appliance.
Setting the Master Report Default Preferences
For instructions on how to set the Report Default preferences, please refer to the Setting the Report
Branding and Customization Preferences instructions contained within the Network Detective User
Guide.
Using the Manage Detector Appliance Feature to Configure Automatic
Report Generation
Below is an overview of the steps required to setup Automatic Report Generation for the following
Assessment Report types:
• Network Assessments
• Security Assessments
Note: Automated reports for the Network and Security Modules can be scheduled for delivery from the
Detector Appliance. Reports below 5 MB in size will be attached to the Reports Available notification email
sent to Recipients. Reports over 5 MB in size will be available for download in the Downloaded Reports
section.
Setting Up Automatic Reports for Network Assessments
Automatic report generation for the Network Assessment Module requires that the scans be run on a
Detector before a report can be generated.
Following are the steps necessary to set up automatically generated reports for the Network
Assessment Module being used with Detector:
1. Create a new Site that is to be used with Detector to perform and collect network
scan information.
2. Associate your Detector with the Site that is to be used for a particular network that has
Detector installed.
3. Manage the Detector and create a new Scan Task that collects the necessary Network
Assessment data.
4. Schedule the Daily Scan and Weekly Scan Task for the times that are appropriate for this
Assessment.
5. Next, define the Branding for the reports to use your company’s brand for all of the reports
generated by selecting the Branding button.
Assign the Report Prepared For information, Report Prepared By information, your
company Logo, the Theme, and Cover Images for your reports.
Select the Ok button to save your Branding settings.
6. Using the access Detector Settings feature and the Reports Settings Window, select the
Schedule Report button to create a Report Delivery Task that specifies desired reports from
the Network Assessment Module.
Select the Network Assessment reports that should be generated.
Keep in mind that reports for specific Assessment types can only be produced after the
Scans required for a specific Assessment type have been performed. Click the Next button to
proceed to the next step.
7. Schedule the created Report Generation and Delivery Task for a time which is certain to be
after the scan is complete. Reports will use whatever data is on the Detector based on the
most recent scan that has been completed, so if the scan is not complete then the reports
will not have the most recent scan’s data either.
8. If the user has specified that reports be delivered by email, the specified email should
receive an email with a .zip file of the reports attached as long as the zip file is less than 5
MB in size.
To enable Detector to send reports or report availability notifications by email, set the
Subject and type in the recipient’s Email address in the Email field or select the Email
address of the recipient from a list of available Network Detective users.
If the generated Report’s file in .ZIP format should be protected by a password, then select
the Password Protect ZIP File option and assign a password to be used for the file’s access
protection.
9. Report generation can take several minutes. After sufficient time has passed after the
report generation task schedule time, view the generated reports by navigating to the
Download Reports item on the left hand side of the Network Detective application.
The Download Detector Reports option will appear at the top of the Network Detective
window.
Then press the Download Reports button at the top. A dialog will appear with reports
generated by the Detector.
10. Select and right click on a report to download the report.
Setting Up Automatic Reports for Security Assessments
Automatic report generation for the Security Assessment Module requires that the scans be run on a
Detector before a report can be generated.
Following are the steps necessary to set up automatically generated reports for the Security Assessment
Module being used with Detector:
1. Create a new Site that is to be used with Detector to perform and collect network
scan information.
2. Associate your Detector with the Site that is to be used for a particular network that has
Detector installed.
3. Manage the Detector and create a new Scan Task that collects the necessary Security
Assessment data.
4. Schedule the Daily and Weekly Scan Task for the times that are appropriate for this
Assessment.
5. Next, define the Branding for the reports to use your company’s brand for all of the reports
generated by selecting the Branding button.
Assign the Report Prepared For information, Report Prepared By information, your
company Logo, the Theme, and Cover Images for your reports.
Select the Ok button to save your Branding settings.
6. Using the access Detector Settings feature and the Reports Settings Window, select the
Schedule Report button to create a Report Delivery Task that specifies desired reports from
the Security Assessment Module.
Select the Security Assessment reports that should be generated.
Keep in mind that reports for specific Assessment types can only be produced after the
Scans required for a specific Assessment type have been performed. Click the Next button to
proceed to the next step.
7. Schedule the created Report Generation and Delivery Task for a time which is certain to be
after the scan is complete. Reports will use whatever data is on the Detector based on the
most recent scan that has been completed, so if the scan is not complete then the reports
will not have the most recent scan’s data either.
8. If the user has specified that reports be delivered by email, the specified email should
receive an email with a .zip file of the reports attached as long as the zip file is less than 5
MB in size.
To enable Detector to send reports or report availability notifications by email, set the
Subject and type in the recipient’s Email address in the Email field or select the Email
address of the recipient from a list of available Network Detective users.
If the generated Report’s file in .ZIP format should be protected by a password, then select
the Password Protect ZIP File option and assign a password to be used for the file’s access
protection.
9. Report generation can take several minutes. After sufficient time has passed after the
report generation task schedule time, view the generated reports by navigating to the
Downloaded Reports icon on the left hand side of the Network Detective application as seen
below.
The Download Detector Reports option will appear at the top of the Network Detective
window.
Then press the Download Reports button at the top. A dialog will appear with reports
generated by the Detector.
10. Select and right click on a report to download the report.
Updating a Software Appliance
After installing a Software Appliance at the Site’s physical location and associating the Software
Appliance with a Site in the Network Detective Application, it’s important to regularly update the
Appliance to get the most out of the features available on the Software Appliance you are using, which
may include one or more of the following: Data Collections, Automated Reports, Tech-Alerts, and Weekly
Notices.
In the Network Detective Application, navigate to Network Detective ribbon bar and select the
Appliances icon.
This action will display the Software Appliances window that lists all of the Appliances that are available
for use within Network Detective.
To update the selected Software Appliance, right click on the Appliance’s name, and select the Update
menu option presented as displayed below.
Note that the Update menu will only be visible if software updates are available.
IMPORTANT: The Appliance Update Now feature, when activated to update the Software Appliance,
will shut down any tasks that are currently running on the Software Appliance. Before updating the
Software Appliance, either stop a currently running task listed in the Task Library window Queued
Tasks list, or perform the update after running tasks are completed.
A dialog will appear confirming the request for a software update.
Appendices
Appendix I – Software Appliance Diagnostic Tool
Purpose of the Diagnostic Tool
The Diagnostic Tool is used to gather relevant diagnostic information, test connectivity, manage
updates, and allow remote support to the Appliance.
Available Commands
There are a number of commands available within the Appliance Manager.
Location and Information
Locate Network Detective Appliance
Re-initializes the Appliance discovery process and attempts to retrieve the Device ID number and other
diagnostic information.
Get Appliance Device ID
Displays the Software Appliance’s Device ID, used when associating the Software Appliance with a Site in
the Network Detective Application.
Diagnostics and Troubleshooting
Appliance Diagnostics
Queries the Software Appliance for diagnostic information used to verify running status, software,
connectivity, and NIC Information.
Ping Test from Appliance
Performs a ping test directed at a specified host or IP address from the point of view of the Software
Appliance itself.
Note: network connectivity is required for the Appliance to operate properly.
Get Log Files
Retrieves diagnostics logs from the Appliance. Returns a link to download a .zip file containing run log
information which may be used for further troubleshooting.
Service Control
Appliance Service Status
Queries the Software Appliance to return its current status. The possible statuses are as follows:
• Idle: The Software Appliance is online, but performing no action.
• Queued: The Software Appliance is online and performing no action. A schedule is active and
  queued to run.
• Running: The Software Appliance is online and currently running a schedule.
Appliance Service Restart
Requests a Service Restart from the Software Appliance. Exercise caution when using this command
because it may interrupt any running Scan.
Updating via USB
Update Appliance via USB
Requests the Software Appliance to update via USB. Attempts to detect a USB device. If a USB device
containing the necessary files is found to be connected to the Software Appliance, an update
will be performed.
Please ensure that a USB stick containing the update is plugged into the USB port of the system hosting
the Software Appliance.
Check USB Update Status
Returns the current status of a running update. Also attempts to detect any USB device with available
updates.
Remote Assistance
Toggle Remote Assistance Status
Instructs the Software Appliance to make itself available for Remote Assistance and to allow a technician
to access the device for support.
Check Remote Assistance Status
Returns the current status of Remote Assistance.
Shutdown and Restart
Restarts the Software Appliance.
Shutdown Appliance
Shuts down the Software Appliance.
Appendix II – Saving and Reusing Smart Tags through Export and Import
Before associating a new Network Detective Site file to a Detector that has already been configured for
use with another Site to detect Anomalies, Changes, and Threats (ACT) on a network, you may want to
Export and reuse the original site’s Smart Tag settings before associating a new Site with your Detector
if the Detector is to be used to detect ACT events on the same network.
Once a Detector and its associated Site have been configured to operate with a given network, switching
the Site file to be used with your Detector will trigger a deletion of the Smart Tag settings associated
with the original Site used to configure and apply the Smart Tag settings to your Detector.
If there is a requirement to save the Smart Tags from the current Site’s Detector configuration for reuse
in a different Site associated with your Detector that is to be connected to the same network as the
original Site was monitoring, you must use the Smart Tags Export and Import options to save and reuse
the tags for later use in your new Site file used to configure the Detector’s configuration.
Steps to Export and Save Smart Tags for Later Use
Step 1 – Select the Site
Double-click the Site for which you are configuring automated scans, alerts, and
reports in order to view and access the Site.
Step 2 – Select Manage Detector Appliance and Access the Detector Settings
After the Site has been opened, select the Detector icon located within the Site bar.
The Detector Settings window will be displayed.
Step 3 – Access Smart Tags and Verify that Scan Data has been Downloaded
Select the Smart Tags link within the Detector’s Settings window.
Step 4 – Export Smart Tags
Select the Export option to export the Smart Tags configuration.
You will be prompted to save the Smart Tags export file in a location of your choice.
Select the folder you want to save the Smart Tags Configuration file in, name the file, and
select the Save button to export the file.
Steps to Import Smart Tags into your Site for Use with Detector
Step 1 – Select the Site
Double-click the Site for which you are configuring automated scans, alerts, and
reports in order to view and access the Site.
Step 2 – Select Manage Detector Appliance and Access the Detector Settings
After the Site has been opened, select the Detector icon located within the Site bar.
The Detector Settings window will be displayed.
Step 3 – Access Smart Tags and Verify that Scan Data has been Downloaded
Select the Smart Tags link within the Detector’s Settings window.
Step 4 – Import a Smart Tags Configuration File
Select the Import option to import a Smart Tags configuration file.
A prompt will be presented requesting verification from you in order to continue the Import of the
Smart Tags Configuration File.
Select the Yes button to continue.
The Import Detector Smart Tag Configuration window will be displayed.
Select the Smart Tag Configuration File name and select the Open button to perform the Smart Tag
Import process.