TRANSCRIPT
Confidential
Security Best Practices For Enterprise & Service Providers
Friday, October 20, 2017
Christopher Souser , CISSP, MSPA, ITIL
90 Minutes
Welcome!
Please check in on the mobile app to see your class record, remember which tests to take, and help us improve.
Logistics
• WiFi SSID: IRsummit
• WiFi PW: Prognosis
• Download the slides from https://Online.Prognosis.com
– If you haven’t registered for it, register now and let us know so we can get you approved.
Introduction
• About Me
– Payments and Infrastructure Consultant @ IR.
– IR Payments and Infrastructure Consultant for 2.5 years.
– ISC2 CISSP for 9.5+ years.
– IR Prognosis customer for years before working for IR.
– Responsible for running PCI, TR39, SSAE-II, PCI PIN, and internal Information Security Audits for 10+ years at a customer before joining IR.
– Several InfoSec / IT training courses including the VISA PCI QSA, ISC2 CSSLP, ITIL, HP NonStop, & HP Atalla training.
– Authored much of the Prognosis Security & PCI Guides.
– Check me out on LinkedIn: https://www.linkedin.com/in/ChristopherRSouser/
Security Can be Complicated
• I will try to touch on key security concepts within Prognosis that are consistent in all product lines.
• Further detail is available in our documentation or by asking questions at the end.
Please hold questions to the end..
• Lots of content to cover in little time.
• This is a summary but happy to talk in more detail later.
• Slide deck available for download next week.
Security Deployment Guide
• 11.3+’s Security Deployment Guide is redone and consolidates a lot of information I am going to cover.
• Security configuration content going forward.
• Future: will contain product-specific guides.
Before we begin.. think about..
• What are you audited to?
– Internal policy
– PCI DSS
– EU General Data Protection Regulation (GDPR)
• What are the most common questions in audits / reviews when it comes to Prognosis?
– Logging
– Data protection
– Secure communication
– Access controls
– PCI applicability
Learning Objectives
• After completing this course you should be able to:
– Understand how Prognosis secures information
– Understand the middleware Prognosis uses
– Understand the Prognosis lifecycle
– Understand the different areas of Prognosis security
– Understand key logs & usage analytics
– Understand how to secure the data / user
– Understand additional steps you can take to secure Prognosis
FIPS 140-2
• 11.0+ contains a FIPS 140-2 Mode as well as many general improvements required to meet our customers' FIPS 140-2 compliance needs.
• FIPS 140-2 COMPLIANT; not certified. Prognosis uses the OpenSSL FIPS crypto library on Windows (see the Encryption section later), but the product itself has not been through CMVP validation.
– No plans to actually certify.
– Costly, time consuming, and version specific (refer to the release cycle later).
– Read more at http://csrc.nist.gov/groups/STM/cmvp/standards.html
PCI
• IR is considered an Application Vendor and Prognosis an Application under the Payment Application Data Security Standard (PA-DSS) and Payment Card Industry Data Security Standard (PCI DSS).
• This definition comes from the Payment Card Industry Security Standards Council (PCI SSC): as defined under versions 3.1 & 3.2, Prognosis is not classified as a 'Payment Application', nor is IR a 'Service Provider'.
PCI
• Section 4.1b of the PA-DSS Program Guide 3.1 specifically states that PA-DSS does not apply to 'Non-Payment Applications that are part of a Payment Application suite, for example, a fraud-monitoring, scoring, or detection application included in a suite' and that 'These applications should not be assessed separately from other applications they rely upon since all PA-DSS Requirements are not met within a single application'.
Deployment Architecture
Note: The content of this section is subject to change and is based on rule-of-thumb observations since for some of this information there is no ‘official’ document with this information.
Quick Review of Architecture
• Prognosis collects from many data sources for each product line.
• Collectors are on-demand and by default are not persistent.
• Each product line's collectors work in different ways.
Prognosis Architecture
[Architecture diagram. Data sources feeding Prognosis: SDN, API, SQL, WMI, AD, AXL, HTTP, SNMP, SOAP, MQ, MTS, B24, Postilion, FTM and more, plus SNMP, logs, SAT, CDR and RTCP. Capabilities shown: aggregation, real-time troubleshooting, automation & prescription, root-cause analysis, displays and alerts.]
High Level Request/Presenter
[Diagram: Prognosis WebUI display (simplified). Phases: Data Source → Data is Collected (Prognosis Collector, e.g. Payments Systems) → Data Storage (Database Collection, Summary Records) → Distribution (NETRTR, PQLSRV) → Presentation (Dashboards, Web UI & Live Canvas).]
Core Communications
• There are:
– Managing Node(s)
– Monitoring Node(s)
• On ports:
– 1960 (Net Router)
– 6767 (PQL)
– 443 (Web)
Monitoring Nodes Ports / Services
• Product lines have additional ports / services specific to them.
• 3rd-party tools utilized by some gatherers also have their own ports.
Monitored Node
• Its network configuration explicitly says some things can only be done locally and states that only the intermediate managing node can connect to it.
Intermediate Managing Node
• Locks down things.
• Network configuration contains Route-To statements to the primary managing node.
Security Components
• Security Subsys
• Network Subsys
• Role Based / PQL Security (IRRBS)
• WebUI Navigation
• IRGUI
• Optional License Restrictions
Ways to Change Configuration
• WebUI & IRGUI Prognosis Subsys configurations
– Some have wizards which perform syntax checking.
– Almost all are editable in plain text.
• WebUI Security Wizard for IRRBS & Navigation Views
• IRCNFUTL Prognosis Subsys
• IRPQLCLI
– Subsys configurations
– Thresholds
– IRRBS
Note: Prognosis Subsys configurations are all output in an IRFAX; IRRBS & Navigation are not.
SUBSYS SECURITY
• Controls:
– Most granular access controls to components.
• User level; cannot use AD/LDAP groups.
– Generally Stop / Start / Read / Write access.
– Node-to-node access controls.
• Configured where:
– Prognosis Configuration in IRGUI & WebUI.
SUBSYS NETWORK
• Controls:
– Managing / Monitoring relationship.
– Node-to-node encryption levels (pre-11.0).
– Which Prognosis systems are allowed to connect to it.
• Configured where:
– Prognosis Configuration in IRGUI & WebUI.
WebUI Navigation
• Controls:
– Associates to security profiles in IRRBS.
– Default screens access.
– Navigation tree.
– Can be utilized to create custom navigation trees for users.
• Configured:
– WebUI Administration or directly in XML.
Role Based / PQL Security (IRRBS)
• Controls:
– Data access, including customer filtering.
– Can utilize users or AD/LDAP groups.
– Component access in the WebUI.
• Configured:
– WebUI Administration / IRPQLCLI
IRGUI / Desktop Client Security
• Controls:
– IRGUI functions.
– Limited one-password override.
– Can deploy different versions to different users.
• Configured:
– Desktop UI
License
• Some functions are controlled in the license, which enables or disables some Prognosis functions and options.
• Generally non-chargeable license codes that can be added.
• In particular:
– AUT = Automation. Enables the Node.js Automation Framework in the WebUI and other areas.
• Though this doesn’t prevent Node from being called by commands or analysts.
– PCI = Introduced in 11.4 and initially only for Postilion, but will likely be expanded with additional functions over time.
User Management Options
• WebUI vs. IRGUI / Windows / Thick Client
• Role Matrix
• Locking Down WebUI
– Navigation Views
– Customer Meta Field
– Custom Screens
– Timeouts
• Citrix / Terminal Service Deployments
How Users Connect
• Users should connect to the managing node and generally not directly to a monitoring node under normal operating circumstances.
• Doing so can create extra load on the system and unexpected change.
A managing node is technically optional for some deployments; IR’s recommended deployment always uses one.
Web UI Users
• WebUI
– For general operational users.
– Supports customer data separation via IRRBS.
– Windows can be configured to be persistent.
– Screen mashups available.
– No ability to create new screens as of 11.3.
– No command execution (unless via Consulting).
– Currently limited configuration ability, but a growing number of configuration wizards.
Windows Thick Client / IRGUI
• IRGUI
– Administrative & power users.
– Can do most things in Prognosis.
– Define new databases / thresholds / displays / etc.
– Easier database replays.
– On-the-fly data & direct screen access.
– Troubleshoot Prognosis.
– Some unique configuration wizards.
Role Matrix
• Role matrices can be utilized to decide both the definition of roles and which client, or even whether RDP access, is required for a user.
Optional Security Components
• LDAP for IRGUI & WebUI (10.4+)
• SSO for the WebUI via an IDP (11.0+)
• SIEM Integration (11.0+)
• FIPS-140 Mode (11.0+)
• KMS / KMIP for Node-to-Node Communications
(11.2+)
LDAP
• LDAP for IRGUI & WebUI in 10.4+.
• Supports LDAP or LDAPS.
• Works for IRGUI & WebUI.
• Assigning (pinning) a specific server certificate is not currently supported; as of 11.3 the LDAPS connection accepts any certificate the server presents. LDAPS therefore protects against passive eavesdropping but not against a host impersonating the directory, so restrict the network path between Prognosis and the directory accordingly.
Single Sign On (SSO)
• SSO for the WebUI via an Identity Provider (IdP) in 11.0+.
• SAML 2.0 compatible IdPs:
– Microsoft ADFS
– OpenAM
• Only for the WebUI.
• No mixed mode SSO/non-SSO: once enabled, all authentication is done through the IdP.
• Well documented; most of the setup work is in the IdP, followed by a few configurations within Prognosis.
Single Sign On (SSO)
• What experience should users expect?
• Like logging into Office365.
• Users will still have to log in again after logging into their machine.
• As long as the browser instance is open, they shouldn’t have to log in again.
• This enables the customer to implement Multi-Factor Authentication at the IdP.
• Session management within Prognosis 11 has not changed.
– No change to inactivity timers or cookies utilized, though some actions can be taken on this via web.config.
KMS / KMIP Integration
• KMS / KMIP for node-to-node communications (11.2+).
• Only allows nodes with the current key from the KMS to communicate with other nodes.
• Mixed mode not supported.
SIEM Integration – Audit.log
• Configure audit log rollover even without a SIEM.
• Output directly to a SIEM.
• Configured within the Prognosis SUBSYS configuration; output can be plain-text syslog format over TCP/UDP, or TLS 1.2 encrypted when pointed at a certificate.
• The audit log logs privileged events but does not log before and after configuration states.
• Note: if this feature is enabled, logs will not be available locally on the server. Troubleshooting may require external (SIEM team) involvement.
SIEM Integration – WVLOG.txt
• The audit log is logged and several examples are in Prognosis Help.
• WVLOG also goes to the Windows Application log, and if you are sending the Audit.log to the SIEM you are probably also pulling the Windows Application log.
– Definitions of WVLOG events in multiple languages can be found here:
• Prognosis event configuration is defined in the DEFSERR configuration file.
• User interface errors and their language localization are contained in DEFSUER.
– Common ones are also in the Prognosis PCI Guide.
• It is not recommended that you delete WVLOG.txt after pulling it into the SIEM.
Web.Config & IIS Parameters
• Prognosis utilizes IIS, and the settings within IIS and the Web.Config can be leveraged to manipulate sessions, from the certificate to session timeframes.
• For example:
– There is no inactivity timeout, due to the way the web displays work, but you can manipulate the maximum session timeframes.
– Certificate configuration
– Change ports
– Manipulate / filter content
Maximum Session Time
• The Prognosis WebUI will leave a user logged in up to a specific time.
• To adjust this, open the Web.Config and modify or add the highlighted sections. Note this is NOT a user inactivity timeout but a maximum session length timeout.
<httpRuntime requestValidationMode="4.0" maxRequestLength="52428800" />
<httpCookies httpOnlyCookies="true" requireSSL="true" />
<sessionState cookieName="Prognosis" mode="InProc" timeout="120"/>
<customErrors mode="On" defaultRedirect="~/error" />
<globalization culture="auto" uiCulture="auto" />
Note: The timeout parameters are in minutes.
• Prognosis does not at this time provide a true inactivity timeout; the workaround for the lack of user inactivity timers is reducing the user session timeout and/or using Microsoft IIS Application Pool Recycling.
– There is also a parameter for the maximum time allowed to complete the login form, which is in seconds.
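The cookie and session settings above are exactly the ones an auditor asks about, so it is worth checking them mechanically after every change or upgrade. The following Python script is an added example (not IR's code) that parses a Web.Config, confirms the session cookie is HttpOnly and Secure, warns if customErrors is Off, and flags a sessionState timeout above a policy ceiling. The 60-minute ceiling and the sample Web.Config embedded in it are constructed for the example; point it at your own file and policy.

```python
"""Audit the session-related settings in a Prognosis WebUI Web.Config.

Added example, not IR's code. Parses the <system.web> settings shown on
the slide and reports the ones an auditor asks about. The sample
Web.Config below and the 60-minute ceiling are constructed for the
example.
"""
import xml.etree.ElementTree as ET

# Constructed Web.Config fragment using the elements shown on the slide.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="4.0" maxRequestLength="52428800" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <sessionState cookieName="Prognosis" mode="InProc" timeout="120"/>
    <customErrors mode="On" defaultRedirect="~/error" />
    <globalization culture="auto" uiCulture="auto" />
  </system.web>
</configuration>
"""


def _is_true(value):
    return (value or "").strip().lower() == "true"


def audit_web_config(xml_text, max_session_minutes=60):
    """Return a list of findings; an empty list means the settings pass."""
    root = ET.fromstring(xml_text)
    # The section tag contains a dot, so match it by name rather than by path.
    system_web = next((child for child in root if child.tag == "system.web"), None)
    if system_web is None:
        return ["no <system.web> section found"]

    findings = []

    cookies = system_web.find("httpCookies")
    if cookies is None:
        findings.append("httpCookies element missing: add httpOnlyCookies and requireSSL")
    else:
        if not _is_true(cookies.get("httpOnlyCookies")):
            findings.append("httpCookies httpOnlyCookies is not true: session cookie readable by script")
        if not _is_true(cookies.get("requireSSL")):
            findings.append("httpCookies requireSSL is not true: cookie may be sent over plain HTTP")

    session = system_web.find("sessionState")
    if session is None:
        # ASP.NET applies a 20 minute default when sessionState is absent.
        findings.append("sessionState element missing: ASP.NET default timeout (20 min) applies")
    else:
        timeout = int(session.get("timeout", "20"))   # value is in minutes
        if timeout > max_session_minutes:
            findings.append(
                f"sessionState timeout={timeout} minutes exceeds policy of {max_session_minutes}"
            )

    errors = system_web.find("customErrors")
    if errors is not None and errors.get("mode", "").strip().lower() == "off":
        findings.append("customErrors mode is Off: detailed errors are shown to remote users")

    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the slide's own fragment with the default 60-minute ceiling, the only finding is the 120-minute maximum session length; flip `requireSSL` to `false` and the script also reports the cookie that could leak over plain HTTP.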
FIPS 140-2 Mode
• Currently (as of 11.3) only available for Windows OS.
– Linux / Unix: future, no specific ETA.
– HP NonStop: no specific plans.
• The FIPS compliance setting is in the NETWORK configuration; once changed it requires a restart.
– If you attempt to use a non-compliant function it will crash Prognosis. It is basically a compliance check.
– Off by default.
Securing the OS
• Application Whitelisting
• File Integrity Monitoring (FIM)
• Disabling Unnecessary Services
• Critical Logs
• Critical Backups
Application Whitelisting
• Almost all Prognosis executables run out of the Server and Server\x64 folders under the Prognosis root folder.
• Almost all executables run by Prognosis follow the naming convention ir<name>.exe.
• These executables read and write to files in the sub-directory tree of Server\Configuration under the Prognosis root folder.
• Most Prognosis executables are deployed in production builds with their accompanying debug files (.PDB) to assist in troubleshooting.
• PDBs should not be deleted and have not been identified to date as a security risk.
Programs to Secure
• Some executables pose higher risks than others and should be restricted to:
– The service account Prognosis runs under.
– Administrators.
– Users Prognosis runs commands as with stored credentials.
• ircmdgwy.exe
• irtrace.exe
• ircnfutl.exe
• irpqlcli.exe
• irperl.exe
• irclean.exe
• irtea*.exe
• node.exe
File Integrity Monitoring
• File Integrity Monitoring can be performed on key sets of files but not on the entire directory, as several files change constantly.
• All *.ini files.
• The Prognosis security guide contains a good list as well as some exclusions.
Anti-Virus/Malware & Endpoint
• Anti-virus/malware and endpoint protection can be utilized on Prognosis but need to include the exclusions listed under FIM, as well as ensure they do not place locks on any files at any time.
• Some specific tool versions have at times caused a system outage on customer systems when these exclusions have not been applied!
– Not in the FIM list but very important is an exclusion on “irfilmon.sys”.
Disabling Unnecessary Services
• CRITICAL: DO NOT GET DELETE HAPPY!
– Prognosis installs all of our products with each installation, depending on whether you chose “Monitoring” or “Managing Node”; they are simply enabled via license and configuration.
– Just because it’s a different product line doesn’t mean you can delete it.
– If you delete files or content it WILL break upgrades and patches.
Disabling Unnecessary Services
• Cleanups that make the most difference:
– Minimize navigation views available to a profile in the WebUI.
• Do not delete them, just disable them.
– Disable unnecessary extractors that may be running.
• Such as Web Search analysts.
– Modify Prognosis SUBSYS components to only run necessary services and adjust memory appropriately.
– If system resources are limited, you can also modify .ini files to limit Prognosis data collection.
Key Log Locations
• C:\Prognosis\WebUI\IIS\Logs
• C:\Prognosis\User Interface\Log
• C:\Prognosis\Server\Log
• C:\Prognosis\Server\Configuration\Automation\Logs
• C:\Prognosis\Server\Configuration\audit
– The Prognosis SIEM configuration sends only Auditlog.txt content.
• C:\Prognosis\Server\Configuration\wvlog.txt
– Much of Wvlog.txt still goes to the Windows Application Event Log.
– If a SIEM is configured for Prognosis, the Windows event log will also likely go to the SIEM, but WVLog.txt will still be present.
Logging Records
• CMD*: command executions issued by Prognosis and partial output.
• PROB*: primarily for analysts and tracing, but you will see activities done by the analysts and thresholds occurring within them.
• Automated*: background summary activities.
• Automation*: Node.js activity log.
• PrognosisErrorLog: the Prognosis WVLOG.txt, with all but the last column brought into a Prognosis record.
Backups: Run an IRFAX Regularly!
• It backs up:
– Configuration
– Encrypted passwords
– Error logs
– .INI files
– Running thresholds and analysts
• It does not back up:
– Displays
– Databases
– Customizations
– WebUI content / customizations
– IRRBS
To ensure integrity and reduce MTTR for Prognosis, run an IRFAX no less than monthly and keep at least 3 previous copies on file.
Backups: Key Files
• Configuration (including subsys security & passwords)
– ..\Prognosis\Server\Configuration\F0*
– ..\Prognosis\WebUi\IIS\Administration\*.* (including all sub-directories)
– ..\Prognosis\WebUI\IIS\Dashboards\decorator.xml
– PLUS product-specific .ini files!
• Security
– ..\Prognosis\Server\Configuration\irrbs
– ..\Prognosis\Server\Configuration\irgui.scb
– ..\Prognosis\Server\Configuration\PRGNINI.ini
– ..\Prognosis\Server\Configuration\PrivacySettings.ini
– ..\Prognosis\WebUI\IIS\*.config
Note: All but the F0* files should have FIM enabled on them to detect change; some file names also differ slightly on non-Windows platforms.
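The File Integrity Monitoring slide earlier said to watch key files rather than the whole tree, and the note above names which ones. The following Python script is an added example (not IR's code or its FIM tooling) that turns those two slides into a working baseline check: it hashes the "Security" files plus all *.ini files under Server\Configuration with SHA-256, leaves the constantly changing F0* files out of the watch list, and reports what changed, appeared or vanished since the baseline. The directory tree, file contents and the simulated tampering are constructed so that it runs stand-alone; in production, point it at the real Prognosis root and keep the baseline somewhere the Prognosis service account cannot write.

```python
"""File-integrity baseline for the Prognosis security files listed above.

Added example, not IR's code. The watch list is taken from the slides;
the sample installation tree built by make_sample_install() is a
constructed stand-in for a real Prognosis root.
"""
import fnmatch
import hashlib
import os
import tempfile

# Files to watch, relative to the Prognosis root: the slide's "Security"
# list plus "all *.ini files" from the FIM slide. The F0* configuration
# files are deliberately absent because they change constantly.
WATCHED_FILES = [
    os.path.join("Server", "Configuration", "irrbs"),
    os.path.join("Server", "Configuration", "irgui.scb"),
    os.path.join("Server", "Configuration", "PRGNINI.ini"),
    os.path.join("Server", "Configuration", "PrivacySettings.ini"),
]
WATCHED_GLOBS = [
    os.path.join("Server", "Configuration", "*.ini"),
    os.path.join("WebUI", "IIS", "*.config"),
]


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def watched_files(root):
    """Sorted relative paths of every watched file present under root."""
    found = {rel for rel in WATCHED_FILES if os.path.isfile(os.path.join(root, rel))}
    for pattern in WATCHED_GLOBS:
        subdir = os.path.dirname(pattern)
        full_dir = os.path.join(root, subdir)
        if os.path.isdir(full_dir):
            for name in os.listdir(full_dir):
                rel = os.path.join(subdir, name)
                if fnmatch.fnmatch(rel, pattern) and os.path.isfile(os.path.join(root, rel)):
                    found.add(rel)
    return sorted(found)


def build_baseline(root):
    """Map each watched file to its SHA-256 (store the result read-only)."""
    return {rel: sha256_of(os.path.join(root, rel)) for rel in watched_files(root)}


def compare_baseline(baseline, current):
    """Report files changed, added or removed relative to the baseline."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def make_sample_install():
    """Constructed Prognosis-like tree in a temp dir; contents are dummies."""
    root = tempfile.mkdtemp(prefix="prognosis-fim-")
    files = {
        os.path.join("Server", "Configuration", "irrbs"): b"role definitions\n",
        os.path.join("Server", "Configuration", "irgui.scb"): b"gui security\n",
        os.path.join("Server", "Configuration", "PRGNINI.ini"): b"[main]\n",
        os.path.join("Server", "Configuration", "PrivacySettings.ini"): b"[masks]\n",
        os.path.join("Server", "Configuration", "F0001"): b"changes constantly\n",
        os.path.join("WebUI", "IIS", "Web.config"): b"<configuration/>\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


def demo():
    """Baseline the sample tree, tamper with two files, return the diff."""
    root = make_sample_install()
    baseline = build_baseline(root)
    with open(os.path.join(root, "Server", "Configuration", "irrbs"), "ab") as f:
        f.write(b"extra role\n")         # simulated unauthorised change: must be reported
    with open(os.path.join(root, "Server", "Configuration", "F0001"), "ab") as f:
        f.write(b"routine churn\n")      # outside the watch list: must not be reported
    return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The demo reports only the edited irrbs file; the F0001 change is ignored, which is the behaviour the note above asks for. Schedule `build_baseline` after every sanctioned change (patch, IRFAX restore, security wizard run) and `compare_baseline` on a timer, and send a non-empty result to the same SIEM that receives Audit.log.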
Backup Locations
• Displays
– ..\Prognosis\User Interface\My Displays & Customizations\
• Thresholds and Analysts
– Running ones are captured as part of an IRFAX.
• Databases
– Wherever you store them. Best practice is NOT to store them under the ..\Prognosis\ directory, but the default is ..\Prognosis\Server\Configuration\<database name>.
– Ideally they should be stopped when backing up the directory. This is not always required, but databases do require a full backup each time, not just a differential.
Backup Locations
• Customizations
– Typically stored in a customizations directory.
• WebUI Content
– Dashboards need to be republished from a display regardless in most cases, but backing up the following is important for all users:
• WebUI\IIS\Dashboards\user\*.owl & *.xml
Middleware and 3rd Party Tools
• You should be aware of which middleware and 3rd-party tools are in Prognosis.
– Generally you can ‘patch at will’ if these 3rd-party tools show up in security scans.
– Prognosis bundles its own versions of some of the tools, which should not be patched. They are denoted with IR<app> or Prognosis <app>.
– IR generally updates middleware component versions and patches in point releases rather than patches.
Open Source Tools
• Prognosis uses the following tools:
– Microsoft .NET (all)
– Perl (all) (irperl)
– Node.JS (10.3+)
• Patch base and modules but do not upgrade the core version (e.g. 6.x to 8.x).
– MongoDB (11.0+) – UC S4B only
– RabbitMQ (11.2) (Prognosis RabbitMQ)
– Postgres (11.3+)
Encryption
• OpenSSL Libraries
– Used for Passwords & Node-to-Node
Encryption
• Variants: Pre-10.3, 10.3-10.5, 11.0+
• Some cross-version compatibility.
– TLS
• TLS 1.2 Only (11.0+)
• TLS 1.0 & 1.1 (Up to 10.5)
Encryption
[Diagram: cryptography libraries by platform and the components that use them.]
• WebUI: .NET encryption.
• Prognosis crypto (Linux/Unix/NSK): OpenSSL. Algorithms listed: AES256-CFB-SHA256, AES256-CFB-HMAC, Base64, PRNG key generation.
• Prognosis crypto (Windows): OpenSSL FIPS Crypto Library. Algorithms listed: AES256-CFB-HMAC, Base64, PRNG key generation.
• Consumers: NetRouter, Pconnect, PQL, Passwords, Pace XML.
Prognosis is now using a single standard cryptography library for all platforms.
FIPS is only supported on the Windows platform in P11.
Multi-tenancy
• Prognosis metadata “.CustomerName” provides row-level data segmentation for SOME records.
• Generally set in the code or, in some cases, the configuration of a collector.
Multi-tenancy
• Can be set on a monitoring node for all collectors in PRGNINI.ini.
• Otherwise accomplished by hard-coding values and cryptic prompt values in the presentation layer.
Data Masking
• PrivacySettings.ini offers pattern-based data masking.
• By default collectors mask bank card information record by record in the collector.
• Other data can be masked using configuration, and this will be system-wide.
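Pattern masking of card numbers has a well-known failure mode: a 16-digit transaction ID or timestamp matches the same pattern as a PAN, and a naive rule either masks it too or, if narrowed, misses real PANs with spaces in them. The following Python script is an added example (not IR's PrivacySettings.ini implementation, whose rule syntax is not shown on the slide) of the technique the slide describes: find 13 to 19 digit candidates allowing single spaces or dashes, confirm them with the Luhn check, and keep only the last four digits. The record lines are constructed and the card numbers are the standard test numbers, not real cards.

```python
"""Pattern-based masking of bank card numbers in collected records.

Added example, not IR's code. Demonstrates the masking technique the
slide describes, with a Luhn check so that similar-length IDs are left
alone. Sample lines are constructed; the PANs are public test numbers.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits):
    """Luhn checksum, which every issued card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text, keep_last=4, mask_char="*"):
    """Replace each Luhn-valid candidate with mask characters plus the last digits."""
    def _mask(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw           # looks like a PAN but is not one: leave it
        return mask_char * (len(digits) - keep_last) + digits[-keep_last:]
    return _CANDIDATE.sub(_mask, text)


def mask_records(lines):
    """Mask a batch of records, as a collector would do record by record."""
    return [mask_pans(line) for line in lines]


# Constructed records: two real-looking PANs (public test numbers) and one
# 16-digit transaction ID that must survive masking.
SAMPLE_LINES = [
    "2017-10-20 10:15:01 AUTH pan=4111111111111111 amt=12.50 rc=00",
    "2017-10-20 10:15:02 AUTH pan=5555 5555 5555 4444 amt=80.00 rc=05",
    "2017-10-20 10:15:03 TRACE txn=1234567890123456 stan=000123",
]


if __name__ == "__main__":
    for line in mask_records(SAMPLE_LINES):
        print(line)
```

The first two records come out as `pan=************1111` and `pan=************4444`; the third is unchanged because 1234567890123456 fails the Luhn check. The Luhn filter trades a small chance of missing a malformed PAN for not corrupting identifiers you need for troubleshooting; if your policy prefers to over-mask, drop the `luhn_ok` test.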
Data Storage
Important: Prognosis databases can be opened by anyone with a compatible Prognosis version to read the database.
• Utilize Prognosis Subsys Security to lock this down AND
• Create directory(s) outside of the Prognosis directory structure, store all databases there, and secure them appropriately to the local Prognosis service account.
– This is needed because by default Prognosis stores databases in the root of the Configuration directory, as it is there in all installations (except NonStop).
– Bonus: this will also speed up upgrades a lot.
Approximate Release Cycle
• Prognosis versions
– 11.3.0
– 11.1.0p01
– 10.5.1p09
– 9.1.0sp4
• Versioning
– 11.#.# Major
– ##.1.# Minor / Point
– ##.#.1 Sub-Release
– ##.#.#p01 Patch
– ##.#.#sp1p# Service Pack
– Hotfixes: not versioned
Approximate Release Cycle
• Major
– As required
– Usually several years apart
– Examples: 11.0, 10.0, 9.x, etc.
• Minor / Point
– 2-4 times per year
– Examples: 11.0.0, 11.1.0, 11.2.0
• Sub-Release
– Rapid release version
– Limited distribution
– As required
– Examples: 11.0.1, 11.1.1
• Hotfix
– Only as required
– Very limited distribution
Version Releases
• Patches are:
– Roll-ups of previous patches
– New patches
– New functionality
Important: Patches are specific to the minor/point and sub-release version. So although patch numbers may overlap, a patch for 10.5.1 should not be applied to 10.5.0 (or vice versa) unless explicitly instructed to do so.
• Version releases:
– Minimally twice a year.
– Expect a release in June and December.
• Hotfixes are:
– Out-of-band / unofficial patches.
– Not cumulative; they address specific issues.
– Not guaranteed to be redistributed in an official patch for that particular release of the product.
– May need to be reapplied after patching or upgrading.
– May be customer specific.
– Usually built for a specific version and patch level.
Patch Releases
• Patches:
– Require a restart of Prognosis to apply but not a restart of the system.
• See online help for additional information on applying patches.
– Generally do not contain ‘new’ functionality.
– Minor / point version specific:
• 'z1110' specifies Prognosis version 11.1.0
• 'p05' specifies patch number 5.
• Important: Patches are specific to the point release, so although patch numbers overlap, patches for 10.5.1 should not be applied to 10.5.0, for example.
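The version scheme from the Approximate Release Cycle slide and the 'z1110' / 'p05' patch tokens above are easy to get wrong by hand, and the consequence (a 10.5.1 patch landing on 10.5.0) is exactly what the warning is about. The following Python script is an added example (not IR's tooling) that parses the version strings shown on the slides (11.3.0, 11.1.0p01, 10.5.1p09, 9.1.0sp4), parses the two patch tokens, and decides whether a patch belongs on an installed version at all and whether it is newer than the patch level already applied, since patches are cumulative. How the two tokens are combined into a real patch file name is not shown on the slides, so the example takes them as separate arguments.

```python
"""Parse Prognosis version strings and patch tokens, and decide whether a
patch may be applied to an installed version.

Added example, not IR's code. Formats are those shown on the slides; the
joint patch file name format is not shown, so tokens are passed separately.
"""
import re

# 11.3.0 / 11.1.0p01 / 10.5.1p09 / 9.1.0sp4 / 9.1.0sp4p02
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:sp(\d+))?(?:p(\d+))?$")
# z1110 -> 11.1.0: the last two digits are minor and sub-release, the rest is major
_VERSION_TOKEN = re.compile(r"^z(\d+?)(\d)(\d)$")
_PATCH_TOKEN = re.compile(r"^p(\d+)$")


def parse_version(text):
    """Split a Prognosis version string into its numbered parts."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Prognosis version: {text!r}")
    major, minor, sub, sp, patch = m.groups()
    return {
        "major": int(major),
        "minor": int(minor),
        "sub": int(sub),
        "sp": int(sp) if sp else None,
        "patch": int(patch) if patch else 0,   # no pNN suffix means base release
    }


def parse_patch_tokens(version_token, patch_token):
    """Return ((major, minor, sub), patch_number) from e.g. 'z1110' and 'p05'."""
    vm = _VERSION_TOKEN.match(version_token.strip())
    pm = _PATCH_TOKEN.match(patch_token.strip())
    if not vm or not pm:
        raise ValueError(f"unrecognised patch tokens: {version_token!r} {patch_token!r}")
    return (int(vm.group(1)), int(vm.group(2)), int(vm.group(3))), int(pm.group(1))


def patch_check(installed, version_token, patch_token):
    """Decide whether the patch applies to the installed version and say why."""
    inst = parse_version(installed)
    target, number = parse_patch_tokens(version_token, patch_token)
    installed_point = (inst["major"], inst["minor"], inst["sub"])
    if installed_point != target:
        return {
            "applies": False,
            "reason": "patch is for %d.%d.%d but installed version is %d.%d.%d"
            % (target + installed_point),
        }
    if number <= inst["patch"]:
        return {
            "applies": False,
            "reason": f"patch {number} is already applied or superseded (installed is p{inst['patch']:02d})",
        }
    return {
        "applies": True,
        "reason": f"cumulative patch {number} supersedes p{inst['patch']:02d}",
    }


if __name__ == "__main__":
    for installed in ("11.1.0", "11.1.0p01", "11.1.0p05", "10.5.0p03"):
        print(installed, patch_check(installed, "z1110", "p05"))
```

For 11.1.0 and 11.1.0p01 the check passes; for 11.1.0p05 it reports the patch is already applied; for 10.5.0p03 it refuses because the point release differs, which is the case the slide warns about. Wire the same check into whatever deploys patches so the refusal is automatic rather than a reading exercise on the file name.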
Patch Releases
• Patches:
– Released for all platforms at the same time.
• Even if there are no changes for that platform.
– Prognosis patches are cumulative.
• Unless specifically noted, the latest can just be applied.
• Patch release cadence:
– Current minor version: approximately monthly.
– Previous minor version: as required.
– Other supported versions: critical only.
Patch Naming Conventions
• Patches are:
• Platform specific.
• Released for all platforms at the same time, even if there are no changes for that platform.
• All Prognosis patches are cumulative.
• Require a restart of Prognosis to apply but not a restart of the system.
• Generally do not contain new functionality.
• A patch file is only valid for a specific version of Prognosis.
• All patches have a patch number. This may not be the same number in a different version.
• A patch file is only for a specific target operating system platform.
Client Considerations
• Desktop Clients
– Users utilizing the desktop client need to be on the same minor version or greater than the servers to which they connect.
– It is generally best practice to keep their patch level similar to the newest level.
– There is no way to install multiple versions of the client on the same workstation without use of a virtual machine.
• Servers
– Managing node servers can manage monitoring nodes of a lesser version.*
– In tiered managing node deployments, intermediate nodes should be on a similar version.
* = If compatible
Supported Versions
(As of February 03, 2017; this information is provided for example purposes.)
11.1: With the release of P11.1, the supported versions are:
• Full Support: 11.1
• Essential Support: 10.4+
• Sustaining Support: 10.2, 10.3, 9.1 SP4 (NSK)
• End of Life (EoL): 10.0, 10.1, all other 9.x, 8.x
11.2: On the release of P11.2, the support matrix will likely be as follows:
• Full Support: 11.x
• Essential Support: 10.4+
• Sustaining Support: 10.2, 10.3
• End of Life (EoL): 10.0, 10.1, 9.x
Release and patch dates:
• 11.1 (Nov 23, 2016): current Patch 1, Jan 15, 2017
• 11.0 (June 28, 2016): last Patch 5, Nov 30, 2016
• 10.5 (Dec 16, 2015): last Patch 6, June 27, 2016
• 10.4 (Jun 30, 2015): last Patch 7, April 14, 2016
Supported Platforms: for detailed platform support information, refer to the release notes of the latest version. Definitions of the support levels are in the support documentation; also refer to the supported platform and component guides on https://online.prognosis.com.
Best practice is to upgrade Prognosis at least every 12-24 months or within a couple of point releases.
Note: Prognosis 10.0.0 was GA in November 2013.
Support Levels Defined
Full Support
Full Support includes all support services. This includes, but is not limited to:
• Assistance using the product
• Providing workarounds and/or existing fixes/patches
• Creation of new fixes/patches at IR's discretion
Essential Support
Under Essential Support, we will:
• Provide assistance using the product, though priority will be given to customers running the current release
• Make all existing fixes/patches available
• Provide workarounds where possible
• ONLY create new fixes/patches for Priority 1 and 2 issues where no workaround can be made available. No fixes for Priority 3 and 4 will be created.
Sustaining Support
Under Sustaining Support conditions, we will:
• Provide assistance in using the product, though priority will be given to customers running the current release
• Make all existing fixes/patches available
• Provide workarounds where possible
• May direct customers to upgrade to the current release
End of Life (EOL)
End of life: the product is obsolete.
Upgrade to 11.0 Considerations
• Consult IR for full details, but at a high level:
– Node-to-node and password encryption change, so there are identified incompatibilities for certain functions or in general.
– Once converted to the new formats, they cannot be converted back to pre-11.0 formats.
Patch / Upgrade Summary
• Customers should plan to upgrade Prognosis by at least a point release every 12-18 months.
• Customers should check for patches quarterly.
• Security fixes are usually contained in patches and upgrades, though sometimes a hotfix is available.
Usage Analytics
What do we collect and why it is important to enable it.
25-May-2017 C.R.Souser – IR Confidential
Applicability of Usage Analytics
Versions
▪ 11.1
▪ Page views in the WebUI (client side)
▪ 11.2
▪ Page views in the WebUI (client side)
▪ Quantity of alerts generated & UC endpoints monitored (quantity & type/subtype) (server side)
▪ Allows you to enable or disable usage analytics via WebUI Admin Global Configuration
▪ 11.3 IRGUI Windows Desktop Client
▪ Page views (client side)
▪ Alert modification / stop / start frequency
▪ Future:
▪ Expanding to use of active components utilized within a license beyond screens (i.e. Thresholds/Analysts/Dispman/etc.)
▪ Security configuration statistics on the number of roles and users assigned to each role
▪ Database size and records involved
Applicability of Usage Analytics
Viewing Analytics
▪ Analytics are not cached or collected locally; they are generated ‘client side’ and are not server-side information.
▪ Thus they are not visible locally to the customer, though 11.2 does add Prognosis databases used to capture and generate the statistics.
▪ As of 01-Oct-2017 there are no plans for IR to make this information available to the customer.
▪ Visible only to IR staff with appropriate access in Customer Profiles.
Usage Analytics
▪ Usage analytics provides anonymous page-hit information by users within Prognosis. While it may not be useful in all cases, it may help IR to understand how users are using Prognosis and improve the product.
▪ Page usage
▪ If the screen is a customized version of the screen
▪ If users tend to navigate to the wrong screens to find information
▪ What is sent to IR if Usage Analytics is enabled:
▪ Client side: customer license unique name only
▪ Client side: external public IP address of the end user (no internal IP addresses)
▪ Client side: page visited with date and time in View Systems & Admin pages
▪ Client side: non-user-reversible unique user identifier that is used purely to quantify the number of users
▪ Server side: in 11.2 forward, the quantity of alerts generated and, in UC, also the number of endpoints monitored
Important: Client-side usage analytics are generated from the end users’ workstation.
No personally identifiable information (PII), usernames, server names, screen data, or other server-side information about your environment is passed in the information to IR.
Ensure Usage Analytics is enabled in Prognosis 11.1 forward.
Recent Activity
[Screenshot; masked information is from the license key that contains the customer name.]
▪ We can see the license key name and the page visited.
▪ Pages utilized in a session; a usage event is generated on a “user action” like clicking on a link or switching pages.
An Individual User's Activity
[Screenshot; masked information is from the license key that contains the customer name.]
▪ We can see the license key name.
▪ Pages utilized by the unique user as identified by the web browser; different browsers on the same machine may identify the user/machine as different.
Machine Level Detail
[Screenshot; masked information is from the license key that contains the customer name.]
▪ We can see the license key name, products, current patch version, and expiration.
▪ Pages utilized by the unique user as identified by the web browser; different browsers on the same machine may identify the user/machine as different.
Additional Information
• Learn More in:
– Prognosis Security Guide
– Prognosis Online Community Forums
– Questions:
• Christopher R. Souser– [email protected]
– LinkedIn: https://www.linkedin.com/in/christopherrsouser
Next Steps
• Please rate the class.
• Take the Knowledge Reinforcement Test.
• Log on to Online.Prognosis.com to download slides & ask questions.
• Every class rating gets you a chance to win prizes!
Test Your Knowledge in the App
• How do you obtain the Prognosis Security Guide?
• How often should you be updating to a new point release of Prognosis?
• Does Prognosis UA communicate any confidential data to IR?
• Is SSO supported in the IRGUI?