Intrusion Detection

Intrusion Detection Systems for Any Environment

Zartek Global USM™ delivers intrusion detection for your network that enables you to inspect traffic between devices, not just at the edge. You can also correlate events from your existing IDS/IPS into a single console for complete network visibility while preserving your investments.

Network Intrusion Detection System (NIDS)

Catch threats targeting your vulnerable systems with signature-based detection, anomaly detection and protocol analysis. Identify the latest attacks, malware infections, system compromise techniques, policy violations, and other exposures.

Host-based Intrusion Detection System (HIDS) and File Integrity Monitoring (FIM)

Analyze system behavior and configuration status to track user access and activity. Detect potential security exposures such as system compromise, modification of critical configuration files (e.g. registry settings, /etc/passwd), common rootkits, and rogue processes.

Deploys in Less Than One Hour

Sign up and deploy Zartek Global USM quickly. Start seeing actionable alarms in less than one hour.

Integrated SIEM Correlation

More than 2,000 correlation directives (and growing) to alert you to the most important threats.

Always Vigilant

Automatically receive new IDS signatures and updated correlation directives for the latest threats.

Works with Other IDS

Forward IDS and IPS event logs from your existing devices to the USM Sensor for event correlation.

Quickly View Threats in the Dashboard

We utilize the Kill Chain Taxonomy to highlight the most important threats facing your network and the anomalies you should investigate. You can easily see the types of threats directed against your network and when known bad actors have triggered an alarm.

Attack Intent & Strategy

The Kill Chain Taxonomy breaks out threats into five categories, allowing you to understand the intent of the attacks and how they’re interacting with your network and assets:

  • System Compromise – Behavior indicating a compromised system.
  • Exploitation & Installation – Behavior indicating a successful exploit of a vulnerability or backdoor/RAT being installed on a system.
  • Delivery & Attack – Behavior indicating an attempted delivery of an exploit.
  • Reconnaissance & Probing – Behavior indicating an actor attempting to discover information about your network.
  • Environmental Awareness – Behavior indicating policy violations, vulnerable software, or suspicious communications.


External Known Bad Actors

Indicated by the OTX ‘Atomic’ logo, alarms and events associated with known Indicators of Compromise (IoCs) are highlighted throughout USM. This allows you to prioritize security events that contain data linked to malicious activity.

Reduced Noise

Correlating IDS/IPS data with multiple security tools reduces false positives and increases accuracy of alarms.

Automatic Notifications

Set up email notifications, or use a phone messaging service such as SMS.

Complete Threat Evidence

See attack type, number of events, duration, source and destination IP addresses, and more.

Workflow Management

Create tickets from any alarm, delegate to users, or integrate with an external ticketing system.

Analyze Consolidated Threat Details Faster

Accelerate your response work by analyzing related threat details in one place.

Event Details

See the directive event, the individual event(s) that triggered the directive event, and the correlation level of the directive rule.

You can click on any event to examine details such as:

  • Normalized event
  • SIEM information
  • Reputation of source and destination IP addresses
  • Knowledge base about the event
  • Payload of the packet triggering the event


Powerful Analytics Uncover Threat and Vulnerability Details – All in One Console

Get to the bottom of who and what’s targeting your assets and what systems are vulnerable.

Search SIEM Events

You have the flexibility to conduct your own analysis. For example, you may want to search the SIEM database for events that came from the same host as the offending traffic triggering an alarm.

  • Displays events stored in the database
  • Filters help you find more granular data
  • Sort by event name, IP address, and more


Check Assets and Vulnerabilities

Search the built-in asset inventory for assets involved with an alarm. Integrated vulnerability assessment scans indicate whether an attack is relevant by identifying vulnerable operating systems, applications and services and more – all consolidated into a single view.

  • See all reported alarms and events by asset
  • Modify your mitigation / remediation strategy based on presence of threats targeting vulnerable systems
  • Correlate reported vulnerabilities with malicious traffic
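
How a correlation directive walks a source/destination pair through the five Kill Chain Taxonomy stages listed earlier, reports the correlation level and the individual events behind the directive event, and then scores the alarm with the asset's vulnerability data and an OTX-style known-bad-actor list, shown as an added Python example. This is not the product's correlation engine or rule format: the directive steps, time windows, alarm threshold, scoring, sample events, reputation list and asset vulnerability set are all constructed for the illustration, and the addresses come from the documentation ranges.

```python
"""Toy SIEM correlation directive over IDS events (added example, not product code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The five Kill Chain Taxonomy categories from the page, least to most severe.
KILL_CHAIN = {
    "Environmental Awareness": 1,
    "Reconnaissance & Probing": 2,
    "Delivery & Attack": 3,
    "Exploitation & Installation": 4,
    "System Compromise": 5,
}

# One directive: each step names the category the next event must carry, which
# addresses it must involve, and how long after the previous step it may arrive.
# The windows and the threshold are assumed values chosen for the example.
DIRECTIVE = [
    ("Reconnaissance & Probing",    "attacker->victim",     0),
    ("Delivery & Attack",           "attacker->victim",  3600),
    ("Exploitation & Installation", "attacker->victim",  3600),
    ("System Compromise",           "from_victim",      86400),  # victim calls out
]
ALARM_THRESHOLD = 5   # chains scoring below this stay events, not alarms


@dataclass
class Event:
    ts: int                       # epoch seconds
    src: str
    dst: str
    signature: str
    category: str                 # a KILL_CHAIN key
    target: Optional[str] = None  # software the signature targets, if known


@dataclass
class Alarm:
    attacker: str
    victim: str
    level: int            # correlation level: directive steps matched so far
    category: str         # most severe category reached
    signatures: List[str]  # the individual events behind the directive event
    priority: int         # 1..10


def score(chain: dict, attacker: str, victim: str, bad_actors, asset_vulns) -> int:
    """Base score from stage reached plus level; boosts for context (assumed scale)."""
    total = KILL_CHAIN[chain["events"][-1].category] + chain["level"]   # 2..9
    if attacker in bad_actors:                        # known bad actor (OTX-style)
        total += 1
    targets = {e.target for e in chain["events"] if e.target}
    if targets & asset_vulns.get(victim, set()):      # exploit matches a real weakness
        total += 1
    return min(total, 10)


def correlate(events, bad_actors=frozenset(), asset_vulns=None) -> List[Alarm]:
    asset_vulns = asset_vulns or {}
    chains: Dict[Tuple[str, str], dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.category == DIRECTIVE[0][0]:
            # A reconnaissance event opens a chain for this pair at level 1.
            chains.setdefault((ev.src, ev.dst), {"level": 1, "last_ts": ev.ts, "events": [ev]})
            continue
        for (attacker, victim), chain in chains.items():
            if chain["level"] >= len(DIRECTIVE):
                continue
            want, role, window = DIRECTIVE[chain["level"]]
            if ev.category != want or ev.ts - chain["last_ts"] > window:
                continue
            if role == "attacker->victim" and (ev.src, ev.dst) != (attacker, victim):
                continue
            if role == "from_victim" and ev.src != victim:
                continue
            chain["level"] += 1           # directive advances one correlation level
            chain["last_ts"] = ev.ts
            chain["events"].append(ev)
    alarms = []
    for (attacker, victim), chain in chains.items():
        alarm = Alarm(attacker, victim, chain["level"], chain["events"][-1].category,
                      [e.signature for e in chain["events"]],
                      score(chain, attacker, victim, bad_actors, asset_vulns))
        if alarm.priority >= ALARM_THRESHOLD:
            alarms.append(alarm)
    return alarms


# Constructed sample events; not real traffic.
SAMPLE_EVENTS = [
    Event(0,   "203.0.113.9",  "10.0.0.5", "SYN port scan", "Reconnaissance & Probing"),
    Event(600, "203.0.113.9",  "10.0.0.5", "web-cms upload exploit attempt", "Delivery & Attack", "web-cms"),
    Event(700, "203.0.113.9",  "10.0.0.5", "web-cms webshell installed", "Exploitation & Installation", "web-cms"),
    Event(900, "10.0.0.5", "198.51.100.77", "Outbound beacon to C2", "System Compromise"),
    Event(950, "203.0.113.20", "10.0.0.8", "Port sweep", "Reconnaissance & Probing"),
]
BAD_ACTORS = {"203.0.113.9"}              # assumed reputation list
ASSET_VULNS = {"10.0.0.5": {"web-cms"}}   # assumed vulnerability scan result

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, BAD_ACTORS, ASSET_VULNS):
        print(a)
```

The lone port sweep from 203.0.113.20 never passes the threshold, which is the noise reduction the page describes: a single low-stage event against a host with no matching weakness is recorded but not alarmed, while the full chain against the vulnerable host from a known bad actor reaches level 4 and maximum priority.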


Inspect Packet Captures

Use integrated packet capture functionality to capture interesting traffic for offline analysis. Packets can be viewed in the integrated Tshark tool, or you can download the capture as a PCAP file.

  • Set capture timeout
  • Select number of packets to capture
  • Choose source and destination IP addresses to capture


Examine Raw Logs

Search for any raw logs that are related to activity reported by an alarm. For example, look for logs that are related to the source IP address that was reported in the alarm.

  • Raw logs are digitally signed for evidentiary purposes
  • Filter by time range and search pattern
  • Export raw logs as a text file
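
What "digitally signed for evidentiary purposes" has to deliver in practice, shown as an added Python example rather than the product's own log format: every raw line is hash-chained to the one before it and the chain digest is signed, so a later verification shows whether any record was altered, removed or inserted, and the export can still be filtered by time range and search pattern. The HMAC key, the record layout and the sample syslog lines are constructed for the illustration.

```python
"""Tamper-evident raw log store (added example; format and key are assumptions)."""
import hashlib
import hmac
import json
import re
from typing import List, Optional

GENESIS = "0" * 64   # chain anchor for the first record


def _digest(prev: str, ts: int, line: str) -> str:
    """Chain digest: binds this record to its predecessor, timestamp and text."""
    return hashlib.sha256(f"{prev}\n{ts}\n{line}".encode()).hexdigest()


class SignedLogStore:
    def __init__(self, key: bytes):
        self._key = key            # in production: held off-host or in an HSM
        self.records: List[dict] = []

    def append(self, line: str, ts: int) -> dict:
        prev = self.records[-1]["digest"] if self.records else GENESIS
        digest = _digest(prev, ts, line)
        sig = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        rec = {"seq": len(self.records), "ts": ts, "line": line,
               "prev": prev, "digest": digest, "sig": sig}
        self.records.append(rec)
        return rec

    def export(self) -> str:
        """Text export, one JSON record per line."""
        return "\n".join(json.dumps(r) for r in self.records)


def verify(export_text: str, key: bytes) -> Optional[int]:
    """None if every record is intact and in sequence; otherwise the index of the
    first record that fails (sequence gap, broken chain, or bad signature)."""
    prev = GENESIS
    for i, raw in enumerate(export_text.splitlines()):
        rec = json.loads(raw)
        if rec["seq"] != i or rec["prev"] != prev:
            return i                                   # deleted or reordered record
        if _digest(prev, rec["ts"], rec["line"]) != rec["digest"]:
            return i                                   # text or timestamp edited
        expect = hmac.new(key, rec["digest"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, rec["sig"]):
            return i                                   # signature forged or wrong key
        prev = rec["digest"]
    return None


def search(export_text: str, pattern: str, start: int, end: int) -> List[str]:
    """Raw lines within [start, end] whose text matches the regex pattern."""
    rx = re.compile(pattern)
    return [r["line"] for r in (json.loads(x) for x in export_text.splitlines())
            if start <= r["ts"] <= end and rx.search(r["line"])]


# Constructed sample syslog lines; not from a real host.
LINES = [
    (1700000000, "<34>Nov 14 22:13:20 web01 sshd[4122]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2"),
    (1700000005, "<34>Nov 14 22:13:25 web01 sshd[4122]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2"),
    (1700000060, "<86>Nov 14 22:14:20 web01 sshd[4130]: Accepted publickey for deploy from 10.0.0.21 port 40110 ssh2"),
]

if __name__ == "__main__":
    store = SignedLogStore(b"assumed-demo-key")
    for ts, line in LINES:
        store.append(line, ts)
    text = store.export()
    print("intact:", verify(text, b"assumed-demo-key") is None)
    print(search(text, r"203\.0\.113\.9", 1700000000, 1700000010))
```

A symmetric HMAC only proves integrity to whoever holds the key, so if the key lives on the collector the collector's operator can still rewrite history; for evidence you would want the key off-host (or an asymmetric signature with the private key in an HSM) and periodic anchoring of the latest digest somewhere the collector cannot change.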

Simplify Host IDS Deployment and Accelerate Threat Detection

For detailed visibility into what is happening on your critical systems, nothing beats a host intrusion detection system (HIDS).

With Zartek Global USM™, the host IDS picks up where the network IDS leaves off, monitoring individual hosts and analyzing data such as operating system log files, changes to system files and software, and network connections made by the host.

Day One Results

Deploy Zartek Global USM and see actionable threat insights on day one.

With host intrusion detection, you gain granular visibility into the systems and services you’re running so you can easily detect:

  • System compromises
  • Privilege escalations
  • Unwanted applications
  • Modification of critical configuration files (e.g. registry settings, /etc/passwd)
  • Malware
  • Rootkits
  • Rogue processes
  • Critical services that have been stopped
  • User access to systems and applications


How It Works

The HIDS agent in Zartek Global USM looks for suspicious or malicious activity on individual hosts. It analyzes operating system log files, monitors changes to system files and software, and records the network connections made by the host.

The host intrusion detection system (HIDS) component in Zartek Global USM is simple to set up:

  • Add an agent in the Zartek Global USM interface.
  • Deploy the HIDS agent to the target system, either automatically from Zartek Global USM, or by manually downloading and installing it.
  • Change the configuration file on the agent to specify the files, folders, and registry keys that you would like monitored.
  • Verify HIDS operations by looking at the HIDS events.


Compatibility

Zartek Global HIDS runs on most major operating systems, allowing you to deploy one tool across your heterogeneous environment. HIDS Agent Supported OS Options:

  • GNU/Linux (all distributions, including RHEL, Ubuntu, Slackware, Debian, etc)
  • Windows 7, 2003, Vista, 2008, 2012
  • VMware ESX 3.0, 3.5 (including CIS checks)
  • FreeBSD (all current versions)
  • OpenBSD (all current versions)
  • NetBSD (all current versions)
  • Solaris 2.7, 2.8, 2.9 and 10
  • AIX 5.2 and 5.3
  • Mac OS X 10.x
  • HP-UX 11


Zartek Global Unified Security Management

HIDS Plus Other Essential Security Tools for Rapid Threat Detection and Response

With USM, the host intrusion detection system comes integrated out-of-the box with a host of additional security tools. Zartek Global USM delivers a complete view into the security of your environment by combining SIEM with automated asset discovery, vulnerability data, visibility to netflow data, network IDS, host IDS and visibility to known malicious hosts.

Detect File Changes

When an attacker or malware changes the contents or attributes of a file, as in a CryptoLocker-style ransomware attack, the HIDS agent within Zartek Global can quickly detect the change and alert you. With Zartek Global’s built-in threat signatures and correlation directives, you can then respond to the attack quickly and with the right context.

Client/Server-Based Architecture for Added Security and Stability

USM’s host intrusion detection technology protects the data collected by the HIDS agents by using a client/server architecture. Because an attack that compromises the OS can compromise the HIDS agent on the same host, it is essential to store the forensic and security data centrally, away from the host. Events already forwarded to the server cannot be altered or deleted from the compromised host, which is what keeps them usable as evidence; note that an attacker with root can still stop the agent from reporting further events, so a host that suddenly goes silent deserves the same attention as one that raises alarms.

Tuned Event Correlation

With the core data sources already built-in, our 2,900+ event correlation rules are already “fine tuned” and optimized, right out of the box.

Close the Compliance Gap

If you’re still trying to meet PCI DSS requirements for log inspection and monitoring (Requirement 10) or file integrity monitoring (Requirements 10 and 11), Zartek Global HIDS is for you. You can deploy lightweight HIDS agents on your critical systems, and the USM server will correlate suspicious and malicious activity and combine that analysis with data from the other built-in security controls.

Full Threat Context

All you need to know about an incident is captured in each alarm, including asset information (such as OS, software, and identity), vulnerability data, visibility to netflow data, raw log data, and more.

Packet Capture

Any packet that triggers an IDS signature is automatically captured and displayed with the IDS event. Session monitoring and packet capture can then be invoked for more extensive forensic investigation.

Detect the Latest Threats with Weekly Threat Intelligence Updates

Researching threats and maintaining your SIEM software, IDS, and vulnerability assessment tools for the latest threat detection isn’t trivial. Let us do the heavy lifting for you.

Zartek Global Labs threat research team fuels your USM platform with the latest threat intelligence, so you can focus on detecting and responding to the most critical issues in your network.

Zartek Global Labs threat research team spends countless hours mapping out the different types of attacks, the latest threats, suspicious behavior, vulnerabilities, and exploits they uncover across the entire threat landscape. They leverage the power of Zartek Global Open Threat Exchange™ (OTX), the world’s largest crowd-sourced repository of threat data to provide global insight into attack trends and bad actors.

Zartek Global Labs delivers eight coordinated rulesets:

  • Network IDS signatures
  • Host-based IDS signatures
  • Asset discovery signatures
  • Vulnerability assessment signatures
  • Correlation rules
  • Reporting modules
  • Dynamic incident response templates
  • Newly supported data source plug-ins

In general, change can be good. But not for the security professional.

Changes on critical servers often signal a breach. That’s why it’s essential to use File Integrity Monitoring (FIM) for your critical servers so you’re alerted as soon as changes happen. In fact, if those servers are in-scope, PCI DSS requirements 10.5.5 and 11.5 state you must install file integrity monitoring software in order to pass your audit.

FIM records what changed on in-scope systems: which files were created, modified or deleted, and how (contents, permissions, ownership). Combined with the host’s own audit logs, which record who accessed the file and when, this provides the audit trail you need to validate that the changes were authorized, expected, and did not jeopardize the integrity and security of the data.


Where to Implement FIM

Typically, you’ll want to be selective about where you install the FIM software, since many system and application files will change often in a dynamic network environment. You’ll want to focus on monitoring the integrity of critical files on in-scope assets to detect unauthorized modification of critical system files, configuration files, or content files, all of which could indicate compromised devices or applications. In other words, install file integrity monitoring software wherever you need to monitor WHO has done WHAT to in-scope servers WHEN.

The PCI DSS standard is explicit on this. If you need to demonstrate PCI DSS compliance, then you must install FIM software to track changes to:

  • Critical system files
    • System executables
    • Application executables
  • Configuration files / content files (including cardholder data)
  • Centrally stored, historical or archived, log and audit files


How FIM Works

Generally, FIM relies on an agent installed on the host or server where sensitive files are stored. In Zartek Global USM™, we rely on lightweight agents that are provisioned, managed, and monitored centrally via our web-based console. As soon as there is a change to a monitored file, the USM platform triggers an alarm. Not every change requires a response, but monitoring every one lets you first establish a baseline of expected change (patching, deployments, log rotation) and then flag deviations from it, such as policy violations or a potential system compromise.
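
The mechanics behind the HIDS set-up steps above (choose the files and folders to watch, then verify the events) and behind "How FIM Works", shown as an added Python example that is not the product's agent or configuration format: take a fingerprint (content hash, size, mode, owner, group, mtime) of every regular file under the monitored paths, take another later, and diff the two to report additions, removals and which attribute of a file changed. Registry keys are outside what this example covers. The directory layout, file contents and the attacker actions in the demo are constructed in a temporary directory; the ignore list shows how to keep a churning spool directory out of the baseline.

```python
"""Minimal file integrity monitor: snapshot and diff (added example, not the product's agent)."""
import hashlib
import os
import shutil
import stat
import tempfile
from typing import Dict, Iterable, List, Tuple

Snapshot = Dict[str, dict]


def _fingerprint(path: str) -> dict:
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "mtime": int(st.st_mtime)}


def _regular_files(root: str) -> Iterable[str]:
    """Yield regular files (no symlinks) under a monitored file or directory."""
    if os.path.isfile(root) and not os.path.islink(root):
        yield root
        return
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                yield p


def snapshot(monitored: List[str], ignore: Tuple[str, ...] = ()) -> Snapshot:
    """Fingerprint everything under the monitored paths, skipping ignore prefixes."""
    snap: Snapshot = {}
    for root in monitored:
        for p in _regular_files(root):
            if ignore and p.startswith(ignore):
                continue
            snap[p] = _fingerprint(p)
    return snap


def diff(old: Snapshot, new: Snapshot) -> List[dict]:
    """Report added/removed files and, for modified ones, which fields changed."""
    changes = []
    for p in sorted(set(old) | set(new)):
        if p not in old:
            changes.append({"path": p, "change": "added"})
        elif p not in new:
            changes.append({"path": p, "change": "removed"})
        else:
            fields = [k for k in old[p] if old[p][k] != new[p][k]]
            if fields:
                changes.append({"path": p, "change": "modified", "fields": fields})
    return changes


def _write(path: str, text: str, mode: int = 0o644) -> None:
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)            # explicit mode so the demo ignores umask


def run_demo() -> List[dict]:
    """Constructed scenario: baseline a fake /etc and /bin, then simulate an intruder."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        etc, bin_ = os.path.join(root, "etc"), os.path.join(root, "bin")
        cache = os.path.join(etc, "cache")           # expected churn, to be ignored
        for d in (etc, bin_, cache):
            os.makedirs(d, exist_ok=True)
        passwd, sshd = os.path.join(etc, "passwd"), os.path.join(etc, "sshd_config")
        tool, spool = os.path.join(bin_, "backup.sh"), os.path.join(cache, "session.tmp")
        _write(passwd, "root:x:0:0:root:/root:/bin/bash\n")
        _write(sshd, "PermitRootLogin no\n")
        _write(tool, "#!/bin/sh\ntar czf /srv/backup.tgz /srv\n", 0o755)
        _write(spool, "expected churn\n")
        before = snapshot([etc, bin_], ignore=(cache,))

        # Simulated attacker activity after the baseline was taken:
        with open(passwd, "a") as f:
            f.write("eve:x:0:0::/root:/bin/bash\n")     # second UID-0 account
        os.chmod(sshd, 0o666)                            # attribute-only change
        _write(os.path.join(bin_, "cleanup"), "#!/bin/sh\nrm -f /var/log/auth.log\n", 0o755)
        os.remove(tool)                                   # legitimate tool removed
        _write(spool, "more expected churn\n")            # ignored, so not reported

        after = snapshot([etc, bin_], ignore=(cache,))
        return diff(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for change in run_demo():
        print(change)
```

Note what the diff can and cannot tell you: the appended UID-0 account in passwd shows up as a content change, the loosened permissions on sshd_config show up as a mode change with an unchanged hash, but nothing here says which account made either change; that attribution comes from the host's audit logs, which is why the page pairs FIM with host IDS rather than shipping it alone.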


Implement File Integrity Monitoring with Integrated Host-based IDS (HIDS)

Simplify the implementation of file integrity monitoring by using a single, multi-functional agent, rather than installing multiple single-purpose agents. With Zartek Global USM, you can deploy a single agent to perform file integrity monitoring as well as host-based intrusion detection.


Monitor Privileged User Activity

Monitoring privileged user activity on your critical systems and files is an essential security best practice. In fact, many regulatory standards, including PCI DSS, explicitly require it. Zartek Global’s implementation of host-based IDS and file integrity monitoring enables you to monitor all user activity on your critical systems. These events are forensically captured, processed, and correlated with other data to provide the necessary context you need for effective incident response.


Evaluate Threat Trends on Critical Systems

In addition to monitoring individual events on your critical systems, you’ll also want to evaluate performance and threat trends over time. Zartek Global USM provides graphical trending reports and dashboards so you can easily spot anomalies and issues that might require additional investigation. You’ll be able to quickly identify deviations from operational baselines, which often signal a potential system compromise.

The earlier you can detect and respond to a breach, the faster you can lower the risk and potential damage. However, many breaches are going undetected for weeks or months because IT teams lack the tools and the expertise to collect and analyze the security data they need for better visibility.

Too often organizations will deploy point products to respond to each new threat, which is an expensive and cumbersome way to try to solve the problem of lack of total security visibility. Deploying several single-purpose security products gives you only some of the capabilities you need, which leaves gaps in your ability to detect and respond to malicious activity on your network.


A Better Approach: UTM and USM

Instead of having to evaluate, purchase, deploy, configure, and maintain these point products separately, you can have best-in-class threat management by combining threat protection from Fortinet FortiGate Unified Threat Management (UTM) devices with Zartek Global Unified Security Management™ (USM) threat detection and response.

Deploying Fortinet FortiGate UTM and Next Generation Firewall (NGFW) devices at your network edge and Zartek Global USM™ in your network is an effective, affordable way to significantly reduce the cost and complexity of complete threat management.

  • FortiGate UTM and NGFW devices offer high-performance threat prevention at the edge of your network that block unwanted applications and malware, prevent intrusions, and block other malicious activity.
  • Zartek Global USM platform provides essential security capabilities for within the network and remote locations, centralized management, and constant updates to the Zartek Global Labs Threat Intelligence.
  • When leveraged together, you get complete security visibility and threat detection, with a consolidated, correlated view of critical security events across the entire network.


Complete Security Visibility with USM

Zartek Global’s proven USM platform enables you to integrate and correlate alerts from any FortiGate device to accelerate and simplify threat detection, response, and regulatory compliance across your entire network. By combining Zartek Global USM with the FortiGate UTM and NGFW products, you can achieve best-in-class threat intelligence, detection, and remediation guidance:

  • USM’s centrally managed, built-in security controls complement and supplement FortiGate capabilities
  • Over 2,000 pre-configured correlation rules accelerate threat detection
  • Simplified, built-in security information and event management (SIEM) and reporting of all events in a single console
  • Continuously updated threat intelligence from Zartek Global Labs Threat Research Team accelerates and simplifies threat detection and remediation, making existing teams and tools more effective
  • Fast deployment: go from download to detection in an hour and begin seeing essential alerts
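
What forwarding FortiGate IPS and antivirus events into a SIEM involves at the parsing step, shown as an added Python example rather than the product's data source plug-in: FortiGate emits syslog as space-separated key=value pairs with double-quoted values, so the normalizer below parses those pairs, keeps only UTM records, and maps them into the common shape (source, destination, signature, severity, whether the firewall already blocked it) that correlation runs on. The sample lines are constructed in FortiGate's key=value style with documentation-range addresses, the severity scale and the normalized field names are assumptions, and the signature names are placeholders rather than real FortiGuard entries.

```python
"""Normalize FortiGate-style key=value syslog into SIEM events (added example, not the product's plug-in)."""
import re
from typing import Dict, List, Optional

# key=value pairs; a value is either double-quoted (may contain spaces and
# backslash-escaped quotes) or a run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SEVERITY = {"info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}   # assumed scale
BLOCKING_ACTIONS = {"dropped", "reset", "blocked"}


def parse_kv(line: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for key, val in _KV.findall(line):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        out[key] = val
    return out


def normalize(line: str) -> Optional[dict]:
    """Normalized event for IPS/AV records; None for traffic and other log types."""
    kv = parse_kv(line)
    if kv.get("type") != "utm" or kv.get("subtype") not in ("ips", "virus"):
        return None
    return {
        "device": kv.get("devname"),
        "ts": f'{kv.get("date")} {kv.get("time")}',
        "subtype": kv["subtype"],
        "src_ip": kv.get("srcip"), "src_port": int(kv.get("srcport", 0)),
        "dst_ip": kv.get("dstip"), "dst_port": int(kv.get("dstport", 0)),
        "signature": kv.get("attack") or kv.get("virus"),
        "severity": SEVERITY.get(kv.get("severity", "info"), 1),
        "blocked": kv.get("action") in BLOCKING_ACTIONS,
        "message": kv.get("msg", ""),
    }


def ingest(lines: List[str]) -> List[dict]:
    return [ev for ev in map(normalize, lines) if ev is not None]


def needs_attention(ev: dict) -> bool:
    """Noise filter: high or critical severity that the firewall did not already block."""
    return ev["severity"] >= SEVERITY["high"] and not ev["blocked"]


# Constructed sample lines in FortiGate's key=value style; not real logs.
SAMPLE_LINES = [
    'date=2024-03-01 time=10:15:02 devname="fw-edge-1" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" severity="critical" srcip=203.0.113.9 '
    'srcport=51022 dstip=10.0.0.5 dstport=443 proto=6 service="HTTPS" '
    'action="detected" attack="Web.Server.Path.Traversal" '
    'msg="web_server: Web.Server.Path.Traversal, request for ../../etc/passwd"',
    'date=2024-03-01 time=10:15:09 devname="fw-edge-1" type="utm" subtype="ips" '
    'eventtype="signature" level="warning" severity="medium" srcip=203.0.113.9 '
    'srcport=51030 dstip=10.0.0.5 dstport=443 proto=6 service="HTTPS" '
    'action="dropped" attack="Web.Server.Command.Injection" msg="web_server: blocked"',
    'date=2024-03-01 time=10:15:11 devname="fw-edge-1" type="traffic" subtype="forward" '
    'srcip=10.0.0.21 srcport=40110 dstip=10.0.0.5 dstport=22 proto=6 action="accept"',
    'date=2024-03-01 time=10:16:40 devname="fw-edge-1" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" severity="high" srcip=198.51.100.77 srcport=80 '
    'dstip=10.0.0.31 dstport=51998 proto=6 service="HTTP" action="blocked" '
    'virus="EICAR_TEST_FILE" msg="File is infected."',
]

if __name__ == "__main__":
    for ev in ingest(SAMPLE_LINES):
        print("ALERT " if needs_attention(ev) else "event ", ev["src_ip"], "->",
              ev["dst_ip"], ev["signature"], "blocked" if ev["blocked"] else "detected")
```

Keeping the blocked flag on the normalized event is what lets the SIEM side reduce noise: a signature the edge device already dropped is evidence of intent and worth correlating, but an unblocked critical-severity hit on an internal host is the one that should reach an analyst first.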


Why Threat Intelligence from Zartek Global?

The Zartek Global Labs Threat Research team maximizes the efficiency of any security-monitoring program by creating and delivering integrated threat intelligence: a coordinated set of advanced correlation rules and product updates that accelerates and simplifies threat detection and remediation, making existing teams and tools more effective. USM’s integrated threat intelligence from Zartek Global Labs eliminates the need for IT teams to spend precious time researching emerging threats themselves, or researching each alarm their security tools raise.

The Zartek Global Labs team regularly delivers threat intelligence as a coordinated set of updates to the USM platform, which accelerates and simplifies threat detection and remediation. These updates include correlation directives, IDS signatures, vulnerability audits, asset discovery signatures, IP reputation data, data source plugins, remediation guidance, and report templates. No other vendor has the ability to provide the level of integration, correlation and insight that the Zartek Global USM platform delivers.

Deploying USM and UTM together will provide the level of integration, correlation, and insight you need to detect and respond to threats.


Zartek Global USM Adds Value to Any FortiGate Deployment

Already have FortiGate deployed? By adding Zartek Global USM to your existing FortiGate UTM or NGFW deployment, you will have the ability to correlate, analyze, and report on events from multiple FortiGate devices, as well as the other security and network devices in your network, quickly and effectively. Zartek Global USM provides you with a complete, simple and affordable all-in-one security management platform, as well as the advanced security intelligence you need to effectively defend yourself against today’s advanced threats.

Once you install the 30-day evaluation software, you’ll see for yourself the Zartek Global difference:

  • Timely, Accurate Threat Intelligence: Constantly updated Threat Intelligence from Zartek Global Labs ensures the security controls included in the USM platform are up to date, accelerating threat detection, remediation, and regulatory compliance
  • Global Threat Data: Zartek Global Labs threat research team leverages the power of OTX, the world’s largest crowd-sourced repository of threat data, to give you global insight into attack trends and bad actors
  • Reduced Complexity: Zartek Global USM is purpose-built to deliver comprehensive threat detection, remediation, and compliance management, all managed by one console
  • Accelerated Deployment: You can install Zartek Global USM quickly and begin delivering valuable insight in less than a day, significantly reducing the time between installation and insight
  • Lower Cost: Zartek Global delivers Unified Security Management at a fraction of the cost of traditional SIEM
  • Improved Implementation and Tuning: Zartek Global is engineered to be managed by IT teams with limited resources, minimizing the amount of tuning required to begin receiving actionable security intelligence


About Zartek Global

Zartek Global is the champion of mid-size organizations that lack sufficient staff, security expertise, technology, or budget to defend against modern threats. Our Unified Security Management (USM) platform provides all of the essential security controls required for complete security visibility, and is designed to enable any IT or security practitioner to benefit from results on day one. Powered by the latest Zartek Global Labs Threat Intelligence and the Open Threat Exchange—the world’s largest crowd-sourced threat intelligence exchange—Zartek Global USM delivers a unified, simple and affordable solution for threat detection and compliance management.

Zartek Global is a privately held company headquartered in Silicon Valley and backed by Trident Capital, Kleiner Perkins Caufield & Byers, GGV Capital, Intel Capital, Sigma West, Adara Venture Partners, Top Tier Capital and Correlation Ventures.