Service - Superna ™ Eyeglass Ransomware Defender or Easy Auditor Installation Service Description

Eyeglass Service Description

Part number "SEL-EyeGlass RNSW & Auditor Basic Install - eyeglass-P016"


Revision 1 Dec 28, 2017

Superna ™ Eyeglass Ransomware Defender or Easy Auditor Installation

Overview:

This service is designed for customers who are deploying Superna Eyeglass Ransomware Defender and/or Easy Auditor and need installation and configuration assistance.

  • NOTE: This part number is used for Ransomware Defender OR Easy Auditor products. Quantity 2 of this service is required if both products have been ordered.

  • Scope: Covers a single clustered Eyeglass agent installation and configuration, with up to 2 co-located same-site clusters.

  • Service Delivery: Remote WebEx

  • Operating Hours: Monday to Friday 8:30 to 5:30 EDT

  • Terms and Conditions: The task is covered in the product maintenance agreement, Exhibit A, section 4.0.

  • Mandatory: The Eyeglass Installation Questionnaire Form, located here, must be completed with all questions answered. The service will not be scheduled until it is completed in full.

  • Exclusions:

    • NOTE: Only product documentation will be followed. This is not a consulting service.

    • Installation technicians are not authorized to provide design recommendations for DR features.

    • Hands-on changes to external IT components (for example DNS, Isilon, Active Directory) or other non-Superna-supplied products.

    • Service delivery requires the customer to have hands-on knowledge of all external IT components.

    • NOTE: This service is not a security audit; consulting services should be purchased for that. The installation technician is not authorized to provide security advice.

Prerequisites:

Eyeglass Ransomware Defender or Easy Auditor Installation and Config Service:

Initial Setup:


The following are initial setup steps whether installing Ransomware Defender, Easy Auditor or both:



  1. Eyeglass Ransomware Defender/Easy Auditor Install Phase - Remote install with customer via WebEx meeting to accomplish the following:

    1. Prerequisite - Gather site installation requirements from submitted Installation Checklist Form for review

    2. Prerequisite - Identify VM deployment option:

      1. 1 physical ESX host and 3 VMs (lowest HA option)

      2. 3 physical hosts and 1 VM per host (highest HA option)

    3. Prerequisite - Deploy OVA (vCenter administrator required)

      1. Require 3 VM IP addresses

      2. Require Eyeglass IP address

      3. Require open ports between Agent and Eyeglass, and Agent and cluster, as per the installation guide

      4. Require Access Zone (HDFS enabled) to be created for Agent database

      5. Create IP pool with at least 3 nodes in the IP pool and 3 IP addresses

    4. Install OVA with above prerequisites

    5. Test connectivity (IP and ports) between components (Eyeglass, Agent and cluster)

    6. Installation Completed

  2. Configuration Phase - WebEx

    1. Apply license to Eyeglass

      1. Verify license

    2. Edit configuration file on agent startup (API token created in Eyeglass)

    3. Start up clustered agent code

      1. Validate correct startup

      2. Validate DB creation on HDFS Access Zone

      3. Validate service heartbeat in Eyeglass with the Service Manager icon

      4. Validate that shutdown and restart of the cluster succeed

    4. Configure CEE on Isilon to audit files in the HDFS Access Zone for the testing phase

      1. Enter 3 x CEE end points on Isilon

        1. OR configure Turboaudit with NFS

      2. Enable auditing on one or more access zones

NOTE: If not all access zones are enabled, record the enabled audited access zones in the installation document. Full auditing of all data requires all access zones to be entered into the Isilon CEE configuration.

      3. Verify audit messages are being processed

      4. Completed

  3. Go to the Ransomware Defender Section if the product was purchased

  4. Go to the Easy Auditor Section if the product was purchased

Ransomware Defender Section:

This only applies if the service was purchased with Ransomware Defender.

  1. Test and Configuration Phase - Ransomware

    1. Configure Security Guard feature

      1. Validate successful execution

      2. Configure schedule

      3. Knowledge transfer on log file validation for Security guard

    2. Enable monitor mode to baseline user behavior

    3. Review Security assessment on enforcement section in the admin guide

      1. Customer to decide on Low, Medium or High risk profile. Review the decision criteria in the admin guide: http://documentation.superna.net/eyeglass-isilon-edition/product-addon-documentation/ransomware-defender-admin-guide#TOC-How-to-determine-threat-response-settings-to-meet-your-Company-s-Risk-Profile

      2. Update the checklist in the installation document to record that this section was reviewed

      3. Configure settings as per customer risk profile decision.

    4. Over 2-3 weeks, schedule validation sessions on the installation

      1. Collect support logs

      2. Explain whitelist settings to the customer, and that future behaviours that trigger lockout may require ongoing whitelist updates.

      3. Make whitelist changes based on analysis of the statistics and user behaviours detected, and apply them to the installation. Repeat the process until detections are set correctly for the customer environment.

  2. Knowledge Transfer Phase - Ransomware

    1. How to enable production mode

    2. Operational cluster management section

      1. Start, stop, upgrade

    3. How to process the security incident workflow from the admin guide: http://documentation.superna.net/eyeglass-isilon-edition/product-addon-documentation/ransomware-defender-admin-guide#TOC-How-to-respond-to-Security-Events-for-Warning-Major-or-Critical-Events

    4. How and when to make whitelist changes when introducing new server applications that write data to Isilon.

      1. Enable monitor mode

      2. Monitor application and events

      3. Exit monitor mode when application workflow does not generate security incidents

    5. How to use the ECACTL CLI and key commands for troubleshooting

      1. Start cluster: ecactl cluster start

      2. Stop cluster: ecactl cluster down

      3. Check for running containers: ecactl containers ps

      4. Get stats on running containers: ecactl stats

    6. UI walkthrough - Ransomware

      1. Active Events

      2. Event History

      3. Settings

      4. Statistics

        1. Licensing

      5. Managed Services Icon

      6. Security Guard

  3. Service complete

Easy Auditor Section:

This only applies if the service was purchased with Easy Auditor.

  1. Test and Configuration Phase - Easy Auditor

    1. Verify audit data is being stored in the analytics database with query interface

    2. Run test user query report

    3. Run test path based report

    4. Run one built-in report as an example

    5. Test the "Where did my folder go?" feature

      1. Rename a directory or drag and drop a directory

      2. Run a search in "Where did my folder go?"

    6. Review and test wiretap functionality on a path, with a test user mounting and accessing files

      1. Verify user activity is visible in the UI

      2. Review decode of open files and actions

    7. Review DLP feature

      1. Set a policy of 5% on a path with a 5 minute time period

      2. Create test share on the path above

      3. Copy test data (for example 10G) to the share

      4. From a client PC, mount the share and read all the data (copy to a local drive).

      5. Verify that the Auditor active audit events list shows the user that performed the DLP event, together with the AD account, file list and source IP address of the audit event

      6. Complete
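The DLP test above exercises a mass-read threshold: a policy of 5% of a path within a 5 minute period, after which the active events list should show the user, AD account, file list and source IP. The following is an added example, not Superna code and not the Easy Auditor implementation, of that detection logic run over constructed audit events. It assumes (the page does not define this) that "5% of a path" means 5% of the files under the watched path read by one user from one source IP inside a sliding 5 minute window; the path, account names, IPs and file counts are constructed sample values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy values, mirroring the test on the page: 5% of a path in 5 minutes.
WATCHED_PATH = "/ifs/data/finance"   # assumed path for the test share
THRESHOLD_FRACTION = 0.05
WINDOW = timedelta(minutes=5)


@dataclass
class AuditEvent:
    ts: datetime
    user: str        # AD account, e.g. CORP\alice
    source_ip: str
    action: str      # "read", "write", ...
    path: str


@dataclass
class DlpAlert:
    user: str
    source_ip: str
    first_seen: datetime
    last_seen: datetime
    files: list      # distinct files read inside the window when the threshold was crossed


class DlpDetector:
    """Flags a (user, source IP) pair that reads at least THRESHOLD_FRACTION of the
    files under the watched path inside a sliding WINDOW. total_files is the file
    count of the path; a real deployment would take it from the file system, here
    it is supplied by the caller (assumption)."""

    def __init__(self, watched_path, total_files, fraction=THRESHOLD_FRACTION, window=WINDOW):
        self.watched_path = watched_path.rstrip("/") + "/"
        self.total_files = total_files
        self.fraction = fraction
        self.window = window
        self.reads = defaultdict(deque)   # (user, ip) -> deque of (ts, path) inside the window
        self.alerted = set()              # keys already reported, to avoid duplicate alerts

    def feed(self, event):
        """Process one event in time order; return a DlpAlert when the threshold is crossed."""
        if event.action != "read" or not event.path.startswith(self.watched_path):
            return None
        key = (event.user, event.source_ip)
        q = self.reads[key]
        q.append((event.ts, event.path))
        # Drop reads that fell out of the sliding window.
        while q and event.ts - q[0][0] > self.window:
            q.popleft()
        distinct = {p for _, p in q}
        if key not in self.alerted and len(distinct) / self.total_files >= self.fraction:
            self.alerted.add(key)
            return DlpAlert(event.user, event.source_ip, q[0][0], event.ts, sorted(distinct))
        return None


def run_detector(events, total_files, watched_path=WATCHED_PATH):
    """Replay events through the detector and return the alerts raised."""
    det = DlpDetector(watched_path, total_files)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = det.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


def sample_events():
    """Constructed audit events: one normal user, one bulk copy, one slow reader."""
    base = datetime(2017, 12, 28, 9, 0, 0)
    events = [AuditEvent(base, "CORP\\bob", "10.0.0.20", "read", WATCHED_PATH + "/q4/budget.xlsx")]
    # CORP\alice copies the share to a local drive: 60 files in about 3 minutes.
    for i in range(60):
        events.append(AuditEvent(base + timedelta(seconds=3 * i), "CORP\\alice", "10.0.0.55",
                                 "read", f"{WATCHED_PATH}/reports/file{i:03}.pdf"))
    # CORP\carol also reads 60 files, but one every 2 minutes: never 50 in any 5 minute window.
    for i in range(60):
        events.append(AuditEvent(base + timedelta(minutes=2 * i), "CORP\\carol", "10.0.0.77",
                                 "read", f"{WATCHED_PATH}/archive/file{i:03}.pdf"))
    return events


if __name__ == "__main__":
    # With 1000 files under the path, 5% means 50 distinct files inside the window.
    for a in run_detector(sample_events(), total_files=1000):
        print(f"DLP event: {a.user} from {a.source_ip}, {len(a.files)} files "
              f"between {a.first_seen:%H:%M:%S} and {a.last_seen:%H:%M:%S}")
        print("  first files:", a.files[:3])
```

Only the bulk copy is reported: the slow reader touches the same number of files but never holds 50 of them inside one 5 minute window, which is what the time period in the policy is for. The alert carries the account, source IP and file list that step 5 of the test checks for in the active events list.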

  2. Knowledge Transfer Phase - Easy Auditor

    1. How to build a query and filter on user, path, file extension, file action

    2. How to run query reports

      1. How to save queries

      2. How to load queries and edit them

      3. Review how to filter the CSV export in Excel, as described in the admin guide, for detailed filtering

    3. How to run built-in reports

      1. Describe the purpose of each built-in report available

    4. Cluster Operations

      1. How to use the ECACTL CLI and key commands for troubleshooting ECA cluster issues

      2. Start cluster: ecactl cluster start

      3. Stop cluster: ecactl cluster down

      4. Check for running containers: ecactl containers ps

      5. Get stats on running containers: ecactl stats

  3. Service complete