New and Updated Features for BeyondInsight
BeyondInsight version 6.0 adds several new features that give organizations greater risk visibility, by sharing privilege and vulnerability intelligence with leading SIEM solutions, and that make it easier to manage Windows least privilege within their environments.
Certified Security Information & Event Management (SIEM) Connectors
Having certified integrations for forwarding critical events to third-party security solutions marks a critical step in escalating user and asset security, in much the same way that network management and automated help desk solutions perform these functions in a traditional IT infrastructure.
Adding real-time user, asset and vulnerability intelligence to SIEM solutions such as FireEye TAP, HP ArcSight, IBM QRadar, LogRhythm, McAfee ESM and Splunk gives organizations better targeted-attack and breach detection, as well as broader compliance visibility. BeyondInsight 6.0 includes the following new certified connectors for sharing privilege and vulnerability data with leading SIEM solutions:
- FireEye connector forwards event data to a FireEye TAP server using an on-premises COM Broker
- HP ArcSight connector forwards event data to HP ArcSight in Common Event Format (CEF)
- IBM QRadar connector forwards event data to IBM QRadar in Log Event Extended Format (LEEF)
- LogRhythm connector forwards event data to LogRhythm in Log Event Extended Format (LEEF)
- McAfee ESM connector forwards all data types to McAfee ESM (Nitro) via syslog
- Splunk connector forwards event data via a Splunk HTTP Event Collector
- Universal Event Forwarding connector forwards event data to configured listeners in a variety of customizable formats
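Before trusting a new connector in production, a SOC engineer usually wants to confirm that the SIEM parses the forwarded records exactly as intended, particularly when values contain pipes, backslashes or equals signs. The following is an added example, not code from BeyondInsight or from any of the connectors above: it formats a constructed event as a CEF line (the ArcSight format) and a LEEF 2.0 line (the QRadar/LogRhythm format), applies the escaping each format defines, and parses the CEF line back so the round trip can be checked. The event ID, user name and file path are constructed sample values, and the `Event` class is an assumption of this example, not a product API.

```python
"""Format a constructed event as CEF and LEEF, and parse CEF back (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# CEF header fields escape backslash and pipe; extension values escape
# backslash, equals and line breaks. Backslash is first so later replacements
# are not doubled.
CEF_HEADER_ESCAPES = {"\\": "\\\\", "|": "\\|"}
CEF_EXT_ESCAPES = {"\\": "\\\\", "=": "\\=", "\r": "\\r", "\n": "\\n"}


def _escape(value: str, table: dict[str, str]) -> str:
    out = value
    for raw, esc in table.items():
        out = out.replace(raw, esc)
    return out


def _unescape(value: str) -> str:
    """Reverse CEF escaping one character at a time (handles \\|, \\=, \\\\, \\n, \\r)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


@dataclass
class Event:
    vendor: str
    product: str
    version: str
    event_id: str
    name: str
    severity: int                      # CEF severity, 0 (low) to 10 (very high)
    extension: dict[str, str] = field(default_factory=dict)


def to_cef(ev: Event) -> str:
    """CEF:0|Vendor|Product|Version|EventID|Name|Severity|key=value ..."""
    header = "|".join(
        _escape(f, CEF_HEADER_ESCAPES)
        for f in (ev.vendor, ev.product, ev.version, ev.event_id, ev.name, str(ev.severity))
    )
    ext = " ".join(f"{k}={_escape(v, CEF_EXT_ESCAPES)}" for k, v in ev.extension.items())
    return f"CEF:0|{header}|{ext}"


def to_leef(ev: Event, delim: str = "\t") -> str:
    """LEEF:2.0|Vendor|Product|Version|EventID|xHH|key=value<delim>key=value"""
    head = (ev.vendor, ev.product, ev.version, ev.event_id)
    if any("|" in f for f in head):
        raise ValueError("LEEF header fields must not contain '|'")
    attrs = delim.join(f"{k}={v}" for k, v in ev.extension.items())
    # LEEF 2.0 declares the attribute delimiter in the header as a hex code point
    return f"LEEF:2.0|{'|'.join(head)}|x{ord(delim):02X}|{attrs}"


# A key is a run of word characters at the start or after a space, followed by
# an unescaped '='; a value may therefore contain spaces.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def parse_cef(line: str) -> Event:
    if not line.startswith("CEF:0|"):
        raise ValueError("not a CEF:0 record")
    fields, buf, i = [], [], len("CEF:0|")
    # Split on unescaped '|' until the six remaining header fields are consumed;
    # whatever follows the sixth pipe is the extension.
    while i < len(line) and len(fields) < 6:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    if len(fields) < 6:
        raise ValueError("truncated CEF header")
    ext_str, ext = line[i:], {}
    keys = list(_KEY_RE.finditer(ext_str))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext_str)
        ext[m.group(1)] = _unescape(ext_str[m.end():end])
    return Event(fields[0], fields[1], fields[2], fields[3], fields[4], int(fields[5]), ext)


# Constructed sample event; the event ID is a placeholder, not a product identifier.
SAMPLE = Event(
    vendor="BeyondTrust", product="BeyondInsight", version="6.0",
    event_id="PBW-ELEVATION-REQUEST", name="Application Requested Elevation", severity=5,
    extension={
        "suser": "CORP\\jdoe",
        "fname": r"C:\Program Files (x86)\Vendor\tool.exe",
        "msg": "rule=none|pipe in value",
    },
)

if __name__ == "__main__":
    print(to_cef(SAMPLE))
    print(to_leef(SAMPLE))
    print(parse_cef(to_cef(SAMPLE)) == SAMPLE)
```

Note that CEF escapes `|` only in the header and `=` only in the extension, so a pipe inside an extension value is legal and must survive the round trip; a parser that splits the whole line on `|` will break on such records.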
BeyondInsight Enhancements for PowerBroker for Windows
BeyondInsight version 6.0 includes the following enhancements for PowerBroker for Windows least privilege management:
Enhancements to event reporting and presentation
Organizations with large amounts of event data may experience time-outs when retrieving queries. By default, the grid does not populate automatically when viewing PowerBroker for Windows events; the query runs only after the user clicks the Run Filter button and selects the associated criteria (above the column header). A new option in BeyondInsight reporting changes this default behavior. This enhancement speeds up the retrieval and review of events.
Support for “Custom Rule Applied” Events
Applications for which a rule has already been applied can now have additional actions taken on them. Previously, when a UAC rule matched an application, the event recording the match did not allow automated creation of policy for future executions of that application, which could lengthen the rollout of PowerBroker for Windows. This enhancement gives PowerBroker for Windows administrators a much more streamlined process for data collection and subsequent rule creation.
Earlier versions of BeyondInsight assumed that, because an elevation rule had been applied, an administrator would not want to do anything more with the application, and therefore one-to-one rules were disallowed. However, applying a UAC rule on the Program Files and Program Files (x86) directories when setting up PowerBroker for Windows is an excellent way of essentially saying, "if it worked yesterday, it should work today."
Reduce the Noise
The PowerBroker for Windows event grid now automatically suppresses events showing an application requesting elevation where a PBW rule has already been created for it. This greatly reduces redundant data and lets PBW administrators quickly see which applications still need to be reviewed and/or have policy created for them.
Where customers use the "Application Requested Elevation" event, these events became very redundant once a rule was created for the application the event was seen on: an administrator would then see both an Application Requested event and a Custom Rule Applied event for the same process. This is confusing and frustrating for a PBW administrator, and more so when more than one person is creating rules. For example, AdminA creates rules based on the Application Requested events. AdminB then filters the data to show only the Application Requested events (in other words, without the corresponding Custom Rule Applied events), assumes the rules are still needed, does the research to confirm the applications are approved, and duplicates work that was already done.
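The suppression described above is essentially a join between the two event types on the executable identity. The following is an added example, not BeyondInsight's own logic: it takes a constructed list of PowerBroker for Windows events, hides every "Application Requested Elevation" event whose executable already has a "Custom Rule Applied" event, and reports the executables that still need review. The page does not say which attribute the grid matches on; this example assumes the full executable path, normalized with `ntpath` because Windows paths are case-insensitive, so a rule recorded as `tool.exe` still covers a request logged as `TOOL.EXE`.

```python
"""Suppress elevation requests already covered by a PBW rule (added example)."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Iterable

# Event type names as shown in the BeyondInsight grid.
APP_REQUESTED = "Application Requested Elevation"
RULE_APPLIED = "Custom Rule Applied"


@dataclass(frozen=True)
class PbwEvent:
    event_type: str
    host: str
    user: str
    path: str  # full path of the executable as logged by the agent


def app_key(path: str) -> str:
    """Normalize a Windows path so case and separator differences do not split one app in two."""
    return ntpath.normcase(ntpath.normpath(path))


def suppress_covered(events: Iterable[PbwEvent]) -> tuple[list[PbwEvent], list[PbwEvent]]:
    """Return (kept, suppressed): requests for apps that already have a rule are suppressed."""
    events = list(events)
    covered = {app_key(e.path) for e in events if e.event_type == RULE_APPLIED}
    kept, suppressed = [], []
    for e in events:
        if e.event_type == APP_REQUESTED and app_key(e.path) in covered:
            suppressed.append(e)
        else:
            kept.append(e)
    return kept, suppressed


def needs_review(events: Iterable[PbwEvent]) -> list[str]:
    """Distinct executables that requested elevation and still have no rule."""
    kept, _ = suppress_covered(events)
    return sorted({app_key(e.path) for e in kept if e.event_type == APP_REQUESTED})


# Constructed sample events (hosts, users and paths are made up for this example).
SAMPLE_EVENTS = [
    PbwEvent(APP_REQUESTED, "WS-0101", "CORP\\jdoe", r"C:\Program Files (x86)\Vendor\tool.exe"),
    PbwEvent(RULE_APPLIED, "WS-0101", "CORP\\jdoe", r"c:\program files (x86)\vendor\TOOL.EXE"),
    PbwEvent(APP_REQUESTED, "WS-0102", "CORP\\asmith", r"C:\Users\asmith\Downloads\installer.exe"),
    PbwEvent(APP_REQUESTED, "WS-0103", "CORP\\bjones", r"C:\Program Files (x86)\Vendor\tool.exe"),
    PbwEvent(RULE_APPLIED, "WS-0102", "CORP\\asmith", r"C:\Tools\approved.exe"),
]

if __name__ == "__main__":
    kept, suppressed = suppress_covered(SAMPLE_EVENTS)
    print(f"kept {len(kept)}, suppressed {len(suppressed)}")
    for path in needs_review(SAMPLE_EVENTS):
        print("still needs a rule:", path)
```

Keying on the path alone means a renamed or relocated copy of the same binary shows up as a new request, which is the safer failure mode for a least-privilege review: it surfaces for a decision rather than being silently covered by an existing rule.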
Asset Authentication Option Available in Run-As Access
When using PowerBroker for Windows secure Run-As, with credentials managed in PowerBroker Password Safe, to run an application as a different user, an asset authentication option is now available. It authenticates the asset the application is launched from, rather than authenticating the user again against Active Directory. This enhancement speeds up the processing and launching of the targeted application.