
Confidential

Security Best Practices for Enterprise & Service Providers

Friday, October 20, 2017

Christopher Souser, CISSP, MSPA, ITIL

[email protected]

90 Minutes

Welcome!

• Please check in on the mobile app: see your class record, remember what tests to take, and help us improve.

Logistics

• WiFi SSID: IRsummit
• WiFi PW: Prognosis
• Download the slides from https://Online.Prognosis.com
– If you haven't registered for it, register now and let us know to get you approved.

Introduction

• About Me
– Payments and Infrastructure Consultant @ IR.
– IR Payments and Infrastructure Consultant for 2.5 years.
– ISC2 CISSP for 9.5+ years.
– IR Prognosis customer for years before working for IR.
– Responsible for running PCI, TR39, SSAE-II, PCI PIN, and internal Information Security Audits for 10+ years at a customer before joining IR.
– Several InfoSec / IT training courses including the VISA PCI QSA, ISC2 CSSLP, ITIL, HP NonStop, & HP Atalla training.
– Authored much of the Prognosis Security & PCI Guides.
– Check me out on LinkedIn: https://www.linkedin.com/in/ChristopherRSouser/

Security Can be Complicated

• I will try to touch on key security concepts within Prognosis that are consistent in all product lines.
• Further detail is available in our documentation or by asking questions at the end.

Please hold questions to the end.

• Lots of content to cover in little time.
• This is a summary, but happy to talk in more detail later.
• Slide deck available for download next week.

Security Deployment Guide

• 11.3+'s Security Deployment Guide is redone and consolidates a lot of information I am going to cover.
• Security configuration content going forward.
• Future: will contain product-specific guides.

Before we begin, think about:

• What are you audited to?
– Internal Policy
– PCI DSS
– EU General Data Protection
• What are the most common questions in audits / reviews when it comes to Prognosis?
– Logging
– Data Protection
– Secure Communication
– Access Controls
– PCI Applicability

Learning Objectives

• After completing this course you should be able to:
– Understand how Prognosis secures information
– Understand the middleware Prognosis uses
– Understand the Prognosis lifecycle
– Understand the different areas of Prognosis security
– Understand key logs & usage analytics
– Understand how to secure the data / user
– Understand additional steps you can take to secure Prognosis

A quick word about Security Audit Certifications..

FIPS 140-2

• 11.0+ contains a FIPS 140-2 mode as well as many general improvements required to meet the FIPS 140-2 compliance needs of our customers.
• FIPS 140-2 COMPLIANT; not certified.
– No plans to actually certify.
– Costly, time consuming, and version specific (refer to the release cycle later).
– Read more at http://csrc.nist.gov/groups/STM/cmvp/standards.html

PCI

• IR is considered an Application Vendor and Prognosis an Application under the Payment Application Data Security Standard (PA-DSS) and Payment Card Industry Data Security Standard (PCI-DSS).
• This definition comes from the Payment Card Industry Security Council (PCI SSC), and as defined under version 3.1 & 3.2, Prognosis is not classified as a 'Payment Application' nor is IR a 'Service Provider'.

PCI

• Section 4.1b of the PA-DSS Program Guide 3.1 specifically states: PA-DSS does not apply to 'Non-Payment Applications that are part of a Payment Application suite, for example, a fraud-monitoring, scoring, or detection application included in a suite' and 'These applications should not be assessed separately from other applications they rely upon since all PA-DSS Requirements are not met within a single application'.

Deployment Architecture

Note: The content of this section is subject to change and is based on rule-of-thumb observations, since for some of this information there is no 'official' document.

Quick Review of Architecture

• Prognosis collects from many data sources for each product line.
• Collectors are on-demand and by default are not persistent.
• Each product line's collectors work in different ways.

Prognosis Architecture

[Diagram: data sources collected via SDN, API, SQL, WMI, AD, AXL, HTTP, SNMP, SOAP, MQ, MTS, B24, Postilion, FTM, SAT, CDR, RTCP, logs and more, feeding aggregation, real-time troubleshooting, automation & prescription, root-cause analysis, displays and alerts.]

High Level Request/Presenter

[Diagram: Prognosis WebUI display (simplified), in phases: Data Source (e.g. payments systems) → Data is Collected (Prognosis Collector) → Data Storage (database collection, summary records) → Distribution (NETRTR, PQLSRV) → Presentation (dashboards, Web UI & Live Canvas).]

Core Communications

• There are:
– Managing Node(s)
– Monitoring Node(s)
• On ports:
– 1960 (Net Router)
– 6767 (PQL)
– 443 (Web)

Monitoring Nodes Ports / Services

• Product lines have additional ports / services specific to them.
• 3rd party tools utilized by some gatherers also have their own ports.

Segmented Architecture

Monitored Node

• Explicitly says some things can only be done locally and states only the intermediate managing node can connect to it.

Intermediate Managing Node

• Locks down things
• Network Configuration contains Route-To statements to the Primary Managing node.

Primary Managing Node

• Can be more open

Primary Security Components

Security Components

• Security Subsys

• Network Subsys

• Role Based / PQL Security (IRRBS)

• WebUI Navigation

• IRGUI

• Optional License Restrictions

Ways to Change Configuration

• WebUI & IRGUI: Web Prognosis Subsys Configurations
– Some have wizards which perform syntax checking.
– Almost all are editable in plain text.
• WebUI Security Wizard for IRRBS & Navigation Views
• IRCNFUTL: Prognosis Subsys
• IRPQLCLI
– Subsys Configurations
– Thresholds
– IRRBS

Note: Prognosis Subsys's are all output in an IRFAX; IRRBS & Navigation are not.

SUBSYS SECURITY

• Controls:

– Most Granular Access Controls to components.

• User level; cannot use AD/LDAP Groups

– Generally Stop / Start / Read / Write Access

– Node to Node Access Controls

• Configured Where:

– Prognosis Configuration in IRGUI & WebUI.

SUBSYS NETWORK

• Controls

– Managing / Monitoring Relationship

– Node-to-Node Encryption Levels (pre-11.0)

– Can control which Prognosis systems are allowed

to connect to it.

• Configured Where:

– Prognosis Configuration in IRGUI & WebUI.

WebUI Navigation

• Controls
– Associates to Security Profiles in IRRBS
– Default Screens Access
– Navigation Tree
– Can be utilized to create custom navigation trees for users.
• Configured
– WebUI Administration or directly in XML.

Role Based / PQL Security (IRRBS)

• Controls
– Controls data access, including customer filtering.
– Can utilize user or AD/LDAP groups.
– Controls component access in WebUI.
• Configured:
– WebUI Administration / IRPQLCLI

IRGUI / Desktop Client Security

• Controls
– Controls IRGUI functions
– Limited one-password override.
– Can deploy different versions to different users.
• Configured:
– Desktop UI

License

• Some functions are controlled in the license, which enables / disables some Prognosis functions and options.
• Generally non-chargeable license codes that can be added.
• In particular:
– AUT = Automation: enables the Node.js Automation Framework in WebUI and other areas.
• Though this doesn't prevent Node from being called by commands or analysts.
– PCI = Introduced in 11.4 and initially only for Postilion, but will likely be expanded with additional functions over time.

User Management Options

• WebUI vs. IRGUI / Windows / Thick Client

• Role Matrix

• Locking Down WebUI

– Navigation Views

– Customer Meta Field

– Custom Screens

– Timeouts

• Citrix / Terminal Service Deployments

How Users Connect

• Users should connect to the Managing Node and generally not directly to a monitoring node under normal operating circumstances.
• Doing so can create extra load on the system and unexpected change.

A managing node is technically optional for some deployments; IR's recommended deployment always uses one.

Web UI Users

• WebUI
– For General Operational Users
– Supports Customer Data Separation via IRRBS.
– Windows can be configured to be persistent.
– Screen Mashups Available
– No ability to create new screens as of 11.3
– No Command Execution (unless via Consulting)
– Currently limited configuration ability, but a growing number of configuration wizards.

Windows Thick Client / IRGUI

• IRGUI

– Administrative & Power Users

– Can do most things in Prognosis

– Define new database / thresholds / displays /etc.

– Easier Database Replays

– On-The-Fly Data & Direct Screen Access

– Troubleshoot Prognosis

– Some unique configuration wizards.

Role Matrix

• Role matrixes can be utilized to decide both the definition of roles as well as which client, or even whether RDP access, is required for a user.

Optional Security Components

Optional Security Components

• LDAP for IRGUI & WebUI (10.4+)
• SSO for the WebUI via an IDP (11.0+)
• SIEM Integration (11.0+)
• FIPS-140 Mode (11.0+)
• KMS / KMIP for Node-to-Node Communications (11.2+)

LDAP

• LDAP for IRGUI & WebUI in 10.4+
• Support for LDAP or LDAPS
• Works for IRGUI & WebUI
• Specifically assigning (pinning) the server certificate is not currently supported; as of 11.3 it will accept any certificate presented.

Single Sign On (SSO)

• SSO for the WebUI via an Identity Proxy (IDP) in 11.0+
• SAML 2.0 compatible IDPs
– Microsoft ADFS
– OpenAM
• Only for the WebUI
• No mixed mode SSO/non-SSO. All authentications are done through the IDP once enabled.
• Well documented; most setup work is in the IDP, followed by a few configurations within Prognosis.

Single Sign On (SSO)

• What experience should they expect?
• Like logging into Office365.
• Users will still have to login again after logging into their machine.
• As long as the browser instance is open they shouldn't have to login again.
• This enables the customer to implement Multi-Factor Authentication.
• Session management within Prognosis 11 has not changed.
– Such as no change to inactivity timers or cookies utilized; though there are some actions that can be taken on this via web.config.

KMS / KMIP Integration

• KMS / KMIP for Node-to-Node Communications (11.2+)
• Only allows nodes with the current key from the KMS to communicate with other nodes.
• Mixed mode not supported

SIEM Integration – Audit.log

• Configure audit log roll-over even without a SIEM.
• Output directly to a SIEM.
• Configured within the Prognosis SUBSYS configuration; can be plain-text syslog format over TCP/UDP, or TLS 1.2 encrypted when pointed to a certificate.
• The audit log logs privileged events but does not log before and after configuration states.
• Note: If this feature is enabled, logs will not be available locally on the server. May require external involvement to troubleshoot.

SIEM Integration – WVLOG.txt

• Audit log logged, and several examples are in Prognosis Help.
• WVLOG also goes to the Windows Application log, and if they are sending the Audit.log to the SIEM they are also probably pulling the Windows Application log.
– Definitions of WVLOG events in multiple languages can be found here:
• Prognosis event configuration is defined in the DEFSERR configuration file.
• User interface errors and their language localization are contained in DEFSUER.
– Common ones are also in the Prognosis PCI Guide.
• It is not recommended you delete the WVLOG.txt after pulling it into the SIEM.

Web.Config & IIS Parameters

• Prognosis utilizes IIS, and the settings within IIS and the Web.Config can be leveraged to manipulate sessions, from the certificate to session timeframes.
• For example:
– Does not have an inactivity timeout due to the way the web displays work, but you can manipulate the maximum session timeframes.
– Certificate configuration
– Change ports
– Manipulate / filter content

Maximum Session Time

• The Prognosis WebUI will leave a user logged in up to a specific time.
• To adjust this, open the Web.Config and modify or add the highlighted sections. Note this is NOT a user inactivity timeout, but a maximum session length timeout.

    <httpRuntime requestValidationMode="4.0" maxRequestLength="52428800" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <sessionState cookieName="Prognosis" mode="InProc" timeout="120"/>
    <customErrors mode="On" defaultRedirect="~/error" />
    <globalization culture="auto" uiCulture="auto" />

Note: The timeout parameters are in minutes.

• Prognosis does not at this time provide true inactivity timeout periods; a workaround for the lack of user inactivity timers is reducing the user session timeout and / or using Microsoft IIS Application Pool Recycling.
– There is also a parameter to allow maximum time to complete the login form, which is in seconds.
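As an added check (not from the slides or from IR), the following Python script parses a web.config and reports on the session settings the slide discusses: whether the session cookie is HttpOnly and HTTPS-only, whether the maximum session length exceeds a policy limit, and whether custom errors are turned off. Both embedded configs are constructed samples: a weakened one, and one carrying the slide's own values.

```python
"""Audit ASP.NET web.config session settings (added example; not IR's code)."""
import xml.etree.ElementTree as ET

# Constructed sample: a weakened configuration so the audit has findings to report.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="4.0" maxRequestLength="52428800" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
    <sessionState cookieName="Prognosis" mode="InProc" timeout="480"/>
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

# Constructed sample carrying the values shown on the slide.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="4.0" maxRequestLength="52428800" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <sessionState cookieName="Prognosis" mode="InProc" timeout="120"/>
    <customErrors mode="On" defaultRedirect="~/error" />
    <globalization culture="auto" uiCulture="auto" />
  </system.web>
</configuration>
"""


def _flag_is_true(element, attribute):
    """ASP.NET treats a missing httpCookies flag as false, so absence is a finding."""
    if element is None:
        return False
    return (element.get(attribute) or "").strip().lower() == "true"


def audit_session_settings(config_xml, max_session_minutes=120):
    """Return a list of (setting, problem) tuples; an empty list means no findings."""
    root = ET.fromstring(config_xml)
    # Look the element up by exact tag so the dot in "system.web" is not parsed as a path.
    web = next(iter(root.iter("system.web")), None)
    if web is None:
        return [("system.web", "section missing; nothing to audit")]
    findings = []

    cookies = web.find("httpCookies")
    if not _flag_is_true(cookies, "httpOnlyCookies"):
        findings.append(("httpCookies/httpOnlyCookies",
                         "not true: the session cookie is readable by page script"))
    if not _flag_is_true(cookies, "requireSSL"):
        findings.append(("httpCookies/requireSSL",
                         "not true: the session cookie may be sent over plain HTTP"))

    # The slide's maximum session length lives in sessionState/@timeout (minutes).
    state = web.find("sessionState")
    if state is None:
        findings.append(("sessionState", "element missing; ASP.NET default of 20 minutes applies"))
    else:
        raw = state.get("timeout", "20")
        if not raw.isdigit():
            findings.append(("sessionState/timeout", f"not an integer: {raw!r}"))
        elif int(raw) > max_session_minutes:
            findings.append(("sessionState/timeout",
                             f"{raw} minutes exceeds the policy maximum of {max_session_minutes}"))

    errors = web.find("customErrors")
    if errors is not None and (errors.get("mode") or "").lower() == "off":
        findings.append(("customErrors/mode", "Off: detailed error pages are shown to remote users"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_session_settings(cfg) or "no findings")
```

Point the script at the real web.config contents and lower max_session_minutes to whatever your policy allows; the weak sample reports all four findings while the slide's values report none.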

FIPS 140-2 Mode

• Currently (as of 11.3) only available for Windows OS.
– Linux / Unix (future, no specific ETA)
– HP NonStop (no specific plans)
• FIPS compliance setting in the NETWORK configuration; once changed, requires a restart.
– If you attempt to use a non-compliant function it will crash Prognosis. It is basically a compliance check.
– By default turned off.

Securing the Files & Data

Securing the OS

• Application Whitelisting

• File Integrity Monitoring (FIM)

• Disabling Unnecessary Services

• Critical Logs

• Critical Backups

Application Whitelisting

• Almost all Prognosis executables run out of the Server and Server\x64 folders under the Prognosis root folder.
• Almost all executables run by Prognosis follow the naming convention ir<name>.exe.
• These executables read and write to files in the sub-directory tree of Server\Configuration under the Prognosis root folder.
• Most Prognosis executables are deployed in production builds with their accompanying debug files (.PDB) to assist in troubleshooting.
• PDBs should not be deleted and have not been identified to date as a security risk.

Programs to Secure

• Some executables pose higher risks than others and should be restricted to:
– The service account Prognosis runs under.
– Administrators
– Users Prognosis runs commands as with stored credentials.
• ircmdgwy.exe
• irtrace.exe
• ircnfutl.exe
• irpqlcli.exe
• irperl.exe
• irclean.exe
• irtea*.exe
• node.exe

File Integrity Monitoring

• File Integrity Monitoring can be performed on key sets of files but not on the entire directory, as several files change constantly.
• All *.ini files
• The Prognosis security guide contains a good list as well as some exclusions.

Anti-Virus/Malware & Endpoint

• Anti-virus/malware and end-point protection can be utilized on Prognosis but need to include the exclusions listed under FIM, as well as ensure they do not place locks on any files at any time.
• Some specific tool versions have at times caused a system outage on customer systems when these exclusions have not been applied!
– Not in the FIM list but very important is an exclusion on "irfilmon.sys".

Disabling Unnecessary Services

• CRITICAL: DO NOT GET DELETE HAPPY!
– Prognosis installs all of our products with each installation, depending on whether you chose "Monitoring" or "Managing Node"; they are simply enabled via license and configuration.
– Just because it's a different product line doesn't mean you can delete it.
– If you delete files or content it WILL break upgrades and patches.

Disabling Unnecessary Services

• Cleanups that make the most difference:
– Minimize navigation views available to a profile in the WebUI.
• Do not delete them, just disable them.
– Disable unnecessary extractors that may be running.
• Such as Web Search Analysts
– Modify Prognosis SUBSYS components to only run necessary services and adjust memory appropriately.
– If system resources are limited, you can also modify .ini files to limit Prognosis data collection.

Key Log Locations

• C:\Prognosis\WebUI\IIS\Logs
• C:\Prognosis\User Interface\Log
• C:\Prognosis\Server\Log
• C:\Prognosis\Server\Configuration\Automation\Logs
• C:\Prognosis\Server\Configuration\audit
– The Prognosis SIEM configuration sends only Auditlog.txt content.
• C:\Prognosis\Server\Configuration\wvlog.txt
– Much of Wvlog.txt still goes to the Windows Application Event Log.
– If a SIEM is configured for Prognosis, the Windows event log will also likely go to a SIEM, but WVLog.txt will still be present.

Logging Records

• CMD*: Command executions issued by Prognosis and partial output.
• PROB*: Primarily for analysts and tracing, but you will see activities done by the analysts and thresholds occurring within them.
• Automated*: Background summary activities.
• Automation*: Node.js activity log.
• PrognosisErrorLog: The Prognosis WVLOG.txt, with all but the last column brought into a Prognosis record.

Backups: Run an IRFAX Regularly!

• It backs up:
– Configuration
– Encrypted Passwords
– Error Logs
– .INI Files
– Running Thresholds and Analysts
• It does not back up:
– Displays
– Databases
– Customizations
– WebUI Content / Customizations
– IRRBS

To ensure integrity and reduce MTTR for Prognosis, run an IRFAX no less than monthly and keep at least 3 previous copies on file.

Backups: Key Files

• Configuration (including subsys security & password)
– ..\Prognosis\Server\Configuration\F0*
– ..\Prognosis\WebUi\IIS\Administration\*.* (including all sub-directories)
– ..\Prognosis\WebUI\IIS\Dashboards\decorator.xml
– PLUS product specific .ini files!
• Security
– ..\Prognosis\Server\Configuration\irrbs
– ..\Prognosis\Server\Configuration\irgui.scb
– ..\Prognosis\Server\Configuration\PRGNINI.ini
– ..\Prognosis\Server\Configuration\PrivacySettings.ini
– ..\Prognosis\WebUI\IIS\*.config

Note: All but the F0* files should have FIM enabled on them to detect change; some file names also differ slightly on non-Windows platforms.
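The File Integrity Monitoring slide and the key-file list above describe what to watch and what to leave out (the constantly changing F0* files). The following Python script, an added example that is not IR's tooling, baselines SHA-256 hashes for exactly those patterns relative to the Prognosis root, applies the F0* exclusion, and diffs two baselines; the demo builds a constructed directory tree with sample file contents, not real Prognosis configuration.

```python
"""File-integrity baseline for the key files listed on the slide (added example, not IR's tooling)."""
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Key-file patterns taken from the slides, relative to the Prognosis root.
KEY_FILE_PATTERNS = [
    "Server/Configuration/irrbs",
    "Server/Configuration/irgui.scb",
    "Server/Configuration/PRGNINI.ini",
    "Server/Configuration/PrivacySettings.ini",
    "WebUI/IIS/*.config",
    "**/*.ini",            # the FIM slide: all *.ini files
]
# Per the slide's note, the F0* configuration files are backed up but not FIM'd.
EXCLUDE_PATTERNS = ["Server/Configuration/F0*"]


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, patterns=KEY_FILE_PATTERNS, excludes=EXCLUDE_PATTERNS):
    """Map each monitored file (path relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for pattern in patterns:
        for path in root.glob(pattern):
            if not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()
            if any(fnmatch.fnmatch(rel, ex) for ex in excludes):
                continue
            baseline[rel] = _sha256(path)   # a file matched by two patterns is hashed once
    return baseline


def diff_baseline(old, new):
    """Report files that appeared, disappeared, or whose hash changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Build a constructed Prognosis-like tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample_files = {                       # constructed contents, not real config
            "Server/Configuration/irrbs": b"sample role data\n",
            "Server/Configuration/PRGNINI.ini": b"; sample ini\n",
            "Server/Configuration/PrivacySettings.ini": b"; sample masking ini\n",
            "Server/Configuration/F001": b"changes every run\n",
            "WebUI/IIS/web.config": b"<configuration/>\n",
        }
        for rel, data in sample_files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        before = build_baseline(root)

        # Simulate a config edit, a routine F0* change (excluded), and a new security file.
        (root / "Server/Configuration/PRGNINI.ini").write_bytes(b"; tampered\n")
        (root / "Server/Configuration/F001").write_bytes(b"routine change\n")
        (root / "Server/Configuration/irgui.scb").write_bytes(b"new file\n")
        after = build_baseline(root)
        return before, diff_baseline(before, after)


if __name__ == "__main__":
    baseline, report = demo()
    print(f"{len(baseline)} files in baseline")
    for kind, paths in report.items():
        print(kind, paths)
```

In production, store the baseline JSON off-box and run build_baseline on a schedule; the AV slide's irfilmon.sys exclusion is a scanner setting and is not something this script touches.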

Backup Locations

• Displays
– ..\Prognosis\User Interface\My Displays & Customizations\
• Thresholds and Analysts
– Running ones are captured as part of an IRFAX
• Databases
– Wherever you store them; best practice is to NOT store them under the ..\Prognosis\ directory, but the default is ..\Prognosis\Server\Configuration\<database name>.
– Ideally they should be stopped when backing up the directory; this is not always required, but they do require a full backup each time, not just a differential.

Backup Locations

• Customizations
– Typically stored in a customizations directory
• WebUI Content
– Dashboards need to be republished from a Display regardless in most cases, but backing up the following is important for all users.
• WebUI\IIS\Dashboards\user\*.owl & *.xml

Middleware & Encryption

Middleware and 3rd Party Tools

• You should be aware of which middleware and 3rd party tools are in Prognosis.
– Generally you can 'patch at will' if these 3rd party tools show up in security scans.
– Prognosis bundles its own versions of some of the tools, which should not be patched. They are denoted with IR<app> or Prognosis <app>.
– IR generally updates middleware component versions and patches in point releases vs. patches.

Open Source Tools

• Prognosis uses the following tools:
– Microsoft .NET (all)
– Perl (all) (irperl)
– Node.JS (10.3+)
• Patch the base and modules but do not upgrade the core version (i.e. 6.x to 8.x)
– MongoDB (11.0+), UC S4B only
– RabbitMQ (11.2) (Prognosis RabbitMQ)
– Postgres (11.3+)

Encryption

• OpenSSL Libraries
– Used for Passwords & Node-to-Node Encryption
• Variants: Pre-10.3, 10.3-10.5, 11.0+
• Some cross-version compatibility.
– TLS
• TLS 1.2 Only (11.0+)
• TLS 1.0 & 1.1 (Up to 10.5)

Encryption

[Diagram: the WebUI uses .NET encryption. Prognosis components (NetRouter, Pconnect, PQL, Passwords, Pace, XML) use OpenSSL on Linux/Unix/NSK and the OpenSSL FIPS crypto library on Windows, with AES256-CFB-SHA256 / AES256-CFB-HMAC, Base64 encoding and PRNG key generation.]

Prognosis is now using a single standard cryptography library for all platforms.

FIPS is only supported on the Windows platform in P11.

Protecting the Data

Multi-tenancy

• Prognosis meta data ".CustomerName" provides row-level data segmentation for SOME records.
• Generally set in the code or, in some cases, the configuration of a collector.

Multi-tenancy

• Can be set on a monitoring node for all collectors in PRGNINI.ini
• Otherwise accomplished by hard-coding values and cryptic prompt values in the presentation layer.

Data Masking

• PrivacySettings.ini offers pattern data masking.
• By default collectors mask bank card information by record in the collector.
• Other data can be masked using configuration, and this will be system wide.

Data Storage

Important: Prognosis databases can be opened by anyone with a compatible Prognosis version to read the database.

• Utilize Prognosis Subsys Security to lock this down, AND
• Create directory(s) outside of the Prognosis directory structure, store all databases there, and secure them appropriately to the local Prognosis service account.
– This is needed because by default Prognosis stores databases in the root of the Configuration directory, as it is there in all installations (except NonStop).
– Bonus: This will also speed up upgrades a lot.

Release Cycle

Approximate Release Cycle

• Prognosis Versions

– 11.3.0

– 11.1.0p01

– 10.5.1p09

– 9.1.0sp4

• Versioning

– 11.#.# Major

– ##.1.# Minor / Point

– ##.#.1 Sub-Release

– ##.#.#p01 Patch

– ##.#.#sp1p# Service Pack

– Hotfixes – Not versioned

Approximate Release Cycle

• Major
– As required
– Usually several years apart
– Examples: 11.0, 10.0, 9.x, etc.
• Minor / Point
– 2-4 times per year
– Examples: 11.0.0, 11.1.0, 11.2.0
• Sub-Release
– Rapid release version
– Limited distribution
– As required
– Examples: 11.0.1, 11.1.1
• Hotfix
– Only as required
– Very limited distribution

Version Releases

• Patches are:
– Roll-ups of previous patches
– New patches
– New functionality

Important: Patches are specific to the minor/point and sub-release version. So though there may be an overlap in patch numbers, a patch for 10.5.1 should not be applied to 10.5.0, for example, and vice-versa, unless explicitly instructed to do so.

• Version Releases
– Minimally twice a year.
– Expect a release in June and December.
• Hotfixes are:
– A hotfix is an out-of-band / unofficial patch.
– They are not cumulative and address specific issues.
– They are not guaranteed to be redistributed in an official patch for that particular release of the product.
– May need to be reapplied after patching or upgrading.
– May be customer specific.
– Are usually built for a specific version and patch level.

Patch Releases

• Patches:
– Require a restart of Prognosis to apply but not a restart of the system.
• See online help for additional information on applying patches.
– Generally do not contain 'new' functionality.
– Minor / Point Version Specific:
• 'z1110' specifies Prognosis version 11.1.0
• 'p05' specifies patch number 5.
• Important: Patches are specific to the point release, so though there is overlap, patches for 10.5.1 should not be applied to 10.5.0, for example.

Patch Releases

– Released for all platforms at the same time.
• Even if there are no changes for that platform.
– Prognosis patches are cumulative.
• Unless specifically noted, the latest can just be applied.
• Patch Release
– Current minor version
• Approximately monthly
– Previous minor version
• As required
– Other supported versions
• Critical only

Patch Naming Conventions

• Patches are:
• Platform specific
• Released for all platforms at the same time, even if there are no changes for that platform.
• All Prognosis patches are cumulative.
• Require a restart of Prognosis to apply but not a restart of the system.
• Generally do not contain new functionality.
• A patch file is only valid for a specific version of Prognosis.
• All patches have a patch number. This may not be the same number in a different version.
• A patch file is only for a specific target Operating System platform.

Client Considerations

• Desktop Clients
– Users utilizing the Desktop client need to be on the same minor version or greater than the servers to which they connect.
– It is generally best practice to keep their patch level similar to the newest level.
– There is no way to install multiple versions of the client on the same workstation without use of a Virtual Machine.
• Servers
– Managing Node servers can manage monitoring nodes of a lesser version.*
– In tiered Managing Node deployments intermediate nodes should be on a similar version.

* = If compatible
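The patch rules on the preceding slides (patches are tied to an exact point release, are cumulative, and are named with a 'z1110' version marker and a 'pNN' patch number) and the client/server minor-version rule above are encoded in the following Python snippet, an added example rather than IR's tooling. The version strings are taken from the slides' own examples; the assumption that the major version is always two digits in a patch file name is mine.

```python
"""Version and patch compatibility rules from the slides (added example, not IR's tooling)."""
import re
from dataclasses import dataclass

# Version strings as the slides write them: 11.3.0, 11.1.0p01, 10.5.1p09, 9.1.0sp4
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:sp(\d+))?(?:p(\d+))?$", re.IGNORECASE)
# Patch file naming from the slide: 'z1110' = Prognosis 11.1.0, 'p05' = patch 5.
# Assumption (mine, not stated on the slides): the major version is two digits in the name.
PATCH_FILE_RE = re.compile(r"z(\d{2})(\d)(\d)p(\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class Version:
    major: int
    minor: int
    sub: int
    service_pack: int = 0
    patch: int = 0

    @property
    def point(self):
        """The major.minor.sub triple a patch is tied to."""
        return (self.major, self.minor, self.sub)


def parse_version(text):
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Prognosis version: {text!r}")
    major, minor, sub, sp, patch = match.groups()
    return Version(int(major), int(minor), int(sub), int(sp or 0), int(patch or 0))


def parse_patch_filename(name):
    """Return (target Version, patch number) encoded in a name such as 'z1110p05'."""
    match = PATCH_FILE_RE.search(name)
    if not match:
        raise ValueError(f"no zNNNNpNN marker in {name!r}")
    major, minor, sub, number = (int(g) for g in match.groups())
    return Version(major, minor, sub), number


def patch_applies(installed, patch_file):
    """Patches are valid only for their exact point release and are cumulative,
    so anything at or below the installed patch level adds nothing."""
    target, number = parse_patch_filename(patch_file)
    if target.point != installed.point:
        return False, f"built for {target.point}, installed is {installed.point}"
    if number <= installed.patch:
        return False, f"p{number:02d} is already covered by installed p{installed.patch:02d}"
    return True, f"apply p{number:02d} on top of p{installed.patch:02d}"


def client_can_connect(client, server):
    """Desktop clients must be on the same minor version as the server, or greater."""
    return (client.major, client.minor) >= (server.major, server.minor)


if __name__ == "__main__":
    # Constructed inputs built from the slides' naming examples.
    print(patch_applies(parse_version("11.1.0p01"), "z1110p05"))
    print(patch_applies(parse_version("10.5.0p09"), "z1051p10"))
    print(client_can_connect(parse_version("11.0.0"), parse_version("11.1.0")))
```

Run it against your inventory before a patch window: a False from patch_applies with a "built for" message is exactly the 10.5.1-on-10.5.0 mistake the slide warns about.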

Supported Versions

11.1: With the release of P11.1, the supported versions are:

Full Support | Essential Support | Sustaining Support | End of Life (EoL)
11.1 | 10.4+ | 10.2, 10.3 | 10.0, 10.1
 | | 9.1 SP4 (NSK) | All other 9.x, 8.x

Release and patch status: 11.1 (Nov 23, 2016), current: Patch 1, Jan 15, 2017; 11.0 (June 28, 2016), last patch: Patch 5, Nov 30, 2016; 10.5 (Dec 16, 2015), last patch: Patch 6, June 27, 2016; 10.4 (Jun 30, 2015), last patch: Patch 7, April 14, 2016.

11.2: On the release of P11.2, the support matrix will likely be as follows:

Full Support | Essential Support | Sustaining Support | End of Life (EoL)
11.x | 10.4+ | 10.2, 10.3 | 10.0, 10.1, 9.x

Supported Platforms: As of February 03, 2017 this information is being provided for example purposes. For detailed platform support information, please refer to the release notes of the latest version. Definitions of the support levels are also defined in support documentation. As well, be sure to refer to the supported platform and component guides on https://online.prognosis.com.

Best practice is to try to upgrade Prognosis at least every 12-24 months or within a couple of point releases.

Note: Prognosis 10.0.0 was GA in November 2013

Support Levels Defined

Full Support

Full Support includes all support services. This includes, but is not limited to:
• Assistance using the product
• Providing workarounds and/or existing fixes/patches
• Creation of new fixes/patches at IR's discretion

Essential Support

Under Essential Support, we will:
• Provide assistance using the product, though priority will be given to customers running the current release
• Make all existing fixes/patches available
• Provide workarounds where possible
• ONLY create new fixes/patches for Priority 1 and 2 issues where no workaround can be made available. No fixes for Priority 3 and 4 will be created

Sustaining Support

Under Sustaining Support conditions, we will:
• Provide assistance in using the product, though priority will be given to customers running the current release
• Make all existing fixes/patches available
• Provide workarounds where possible
• May direct customers to upgrade to the current release

End of Life (EOL)

End of life, product is obsolete

Upgrade to 11.0 Considerations

• Consult IR for full details, but at a high level:
– Node-to-Node and password encryption change, and so there are identified incompatibilities for certain functions or in general.
– Once converted to the new formats they cannot be converted back to pre-11.0 formats.

Patch / Upgrade Summary

• Customers should plan to upgrade Prognosis by at least a point release at least every 12-18 months.
• Customers should check for patches quarterly.
• Security fixes are usually contained in patches and upgrades, though sometimes a hotfix is available.

Usage Analytics: what do we collect and why it is important to enable it.

25-May-2017 C.R.Souser – IR Confidential

Applicability of Usage Analytics

Versions

▪ 11.1
▪ Page view in the WebUI (client side)
▪ 11.2
▪ Page view in the WebUI (client side)
▪ Quantity of alerts generated & UC endpoints monitored (quantity & type/subtype) (server side)
▪ Allows you to enable or disable usage analytics via WebUI Admin Global Configuration
▪ 11.3 IRGUI Windows Desktop Client
▪ Page view (client side)
▪ Alert modification / stop / start frequency.
▪ Future:
▪ Expanding to use of active components utilized within a license beyond screens (i.e. Thresholds/Analysts/Dispman/etc.)
▪ Security configuration statistics on # of roles and users assigned to each role.
▪ Database size and records involved.

Applicability of Usage Analytics

Viewing Analytics

▪ Analytics are not locally cached or collected locally; they are generated 'client side', not server-side information.
▪ Thus, they are not visible locally to the customer, though 11.2 does add Prognosis databases used to capture and generate the statistics.
▪ As of 01-Oct-2017 there are no plans for IR to make this information available to the customer.
▪ Visible only to IR staff with appropriate access in Customer Profiles.

Usage Analytics

▪ Usage analytics provides anonymous page hit information by users within Prognosis. While it may not be useful in all cases, it may help IR to understand how the users are using Prognosis and improve the product.
▪ Page usage
▪ If the screen is a customized version of the screen
▪ If users are tending to navigate to the wrong screens to find information.
▪ What is sent to IR if Usage Analytics is enabled:
▪ Client side: Customer license unique name only
▪ Client side: External public IP address of the end user (no internal IP addresses)
▪ Client side: Page visited with date and time in View Systems & Admin pages.
▪ Client side: Non-user-reversible unique user identifier that is used purely to quantify the number of users.
▪ Server side: In 11.2 forward, the quantity of alerts generated and, in UC, also the number of endpoints monitored.

Important: Client side usage analytics are generated from the end users' workstation.

No personally identifiable information (PII), usernames, server names, screen data, or other server side information about your environment is passed in the information to IR.

Ensure Usage Analytics is enabled in Prognosis 11.1 forward.

Summary

*Masked Information is from custom dashboard name that contains customer name.

Recent Activity

*Masked Information is from License Key that contains customer name.

▪ We can see License Key Name and the Page Visited.

▪ Pages utilized in a session; a usage event is generated on a “user action” like clicking on a link or switching pages.

An individual user's activity

*Masked Information is from License Key that contains customer name.

▪ We can see License Key Name

▪ Pages utilized by the unique user as identified by the web browser; different browsers on the same machine may identify the user/machine as different.

Machine Level Detail

*Masked Information is from License Key that contains customer name.

▪ We can see License Key Name, Products, Current Patch version, and Expiration

▪ Pages utilized by the unique user as identified by the web browser; different browsers on the same machine may identify the user/machine as different.

Additional Information

• Learn more in:
– Prognosis Security Guide
– Prognosis Online Community Forums
– Questions:
• Christopher R. Souser: [email protected]
– LinkedIn: https://www.linkedin.com/in/christopherrsouser

Next Steps

• Please rate the class
• Take the Knowledge Reinforcement Test
• Log on to Online.Prognosis.com to download slides & ask questions
• Every class rating gets you a chance to win prizes!

Test Your Knowledge in the App

• How do you obtain the Prognosis Security Guide?
• How often should you be updating a point release of Prognosis?
• Does Prognosis UA communicate any confidential data to IR?
• Is SSO supported in the IRGUI?

Questions?