Overview - Vericept

Vericept Solution Survey
Quantify Your Exposure Profile
Businesses of all types and sizes are confronting the complex challenge of managing enterprise risk related to the insider. This includes:

• Protecting intellectual property
• Safeguarding customer privacy
• Complying with regulations such as SOX and HIPAA
• Preventing legal liability

To manage risk you must first understand where you are vulnerable, and you must measure your possible exposure. This is where Vericept can help.

The Exposure Assessment provides an in-depth snapshot of the risk occurring on your network including compliance violations, intellectual property theft,
acceptable use violations, internal hacker research, holes in other security products, and other areas of concern.

The Vericept Intelligent Protection Platform gives you never-before-seen visibility into the various risk points and exposure stemming from inadvertent
and/or intentional electronic communications and Internet usage. The Platform measures and quantifies your organization's risk by accurately identifying and
capturing both the content in question and the user responsible.


Vericept has developed a patent-pending software platform that:
• Monitors all forms of inbound and outbound Internet traffic including:
    → Email
    → Webmail
    → Instant Messaging
    → Chat Sessions
    → FTP
    → Peer-to-Peer
    → Public Internet Forums
    → Telnet
    → Attachments
    → Web
• Intelligently analyzes the content using Contextual and Linguistics Analysis
• Captures and stores policy violations and suspicious activity
• Alerts you in real-time to specific threats as defined by you
• Generates robust, on-the-fly reports that measure your risk

Today, over 750 customers rely on our solution to identify and manage risk. The Vericept Solution enables steady-state monitoring of internal controls,
corporate governance concerns, possible compliance violations and inappropriate activity.

The Vericept Exposure Assessment Methodology
Vericept's Exposure Assessment is non-intrusive and extremely quick. Once the assessment is complete, you will have the hard facts in hand and extensive
visibility into your network. The objectives of the Exposure Assessment are to monitor, identify and highlight risk points, measure and quantify the exposure,
and to offer specific recommendations to help mitigate corporate exposure, regulation compliance concerns and legal liability.


Vericept Corporation Confidential                                                  8/4/2011                                File: c8cbb83d-c56a-4199-a11b-91b1b7570d20.xls
Vericept's proven Exposure Assessment Methodology used during the assessment includes the
following phases:
1 Complete the Exposure Assessment Checklist
The Exposure Assessment Checklist provides a list of necessary items to complete before the Exposure Assessment begins. The Vericept Regional Sales
Manager will work through this list with you.

2 Exposure Assessment Kick-Off

Vericept meets with you to discuss areas of potential information and compliance risk. This meeting identifies any specific concerns, hot topics or internal
policies that are of most concern. Here you will determine which of the over 60 pre-defined categories you will be utilizing. This is the project kick-off.

3 Solution Placement and Configuration
Vericept will work with your designated IT resource(s) to determine the optimal solution placement. At this point, the Vericept solution is configured to your
environment. This ensures that you are getting visibility into the risk most important to your organization. Vericept Labs also develops a few Custom Search
Parameters to identify content or communication unique to your organization.

4 Vericept Solution Installation

Vericept installs the solution on your network. The solution is designed to work immediately out of the box. This step is very quick, typically lasting a few hours.

5 Content and Compliance Monitoring
Once installed, the Vericept solution begins to monitor and analyze all inbound and outbound Internet traffic for areas of risk and possible internal policy and
compliance violations.

6 Vericept Analysis and Uninstall
Once the monitoring is complete, Vericept analyzes the events and information captured during the assessment period. Vericept reviews the findings and
builds a detailed report summarizing your exposure and insider risk. The report highlights the areas of concern and contains recommendations for managing
the risk points found. Vericept also uninstalls the Vericept solution.

7 Exposure Assessment Report Delivery
Vericept delivers the findings of the Exposure Assessment during an executive presentation.
Upon completion, you will understand exactly what types of unauthorized activities exist, what sensitive information and documents are leaving your network
and what types of internal hacking activity are taking place. Recommended attendees include members of the executive team from Human Resources, IT,
Compliance, Finance, Legal, Corporate Governance, Internal Audit and Security.




                 Content, Control Discovery 360 EA / Evaluation Installation Planning
Content 360 General Network                                      Egress Point 1      Egress Point 2   Egress Point 3   Egress Point 4     …
Bandwidth of connection point(s) (T1, T3, etc)?
Average sustained bandwidth of connection point(s) (in
Mbps and/or % utilization)?
What type of traffic will be monitored at this access point?
(SMTP, Web Traffic, IM).

Approx. number of users monitored at connection point?
Does the monitored traffic contain VLAN encapsulated
traffic? If yes, will there be a need to monitor more than
one VLAN? Can the switch de-encapsulate the VLAN
traffic?
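The VLAN question above matters because a monitor fed from a mirror port or tap receives whatever 802.1Q (or 802.1ad double) tags the switch did not strip, and has to step past them before it can reach the IP header. The following is an added example, not Vericept's code and not part of the questionnaire: a small Python parser that peels every tag off an Ethernet frame, reports the VLAN IDs it saw (which answers whether more than one VLAN needs to be monitored), and treats a truncated capture as an error instead of guessing. MAC addresses, VLAN IDs and the IPv4 payload are constructed for the example; the EtherType values are the standard IEEE ones.

```python
# Added example (not Vericept's code, not from the questionnaire): a minimal
# IEEE 802.1Q / 802.1ad tag parser of the kind a passive monitor fed from a
# SPAN/RSPAN port or tap needs before it can reach the IP header. The sample
# frames at the bottom are constructed for this example.
import struct
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q customer tag (C-TAG)
ETHERTYPE_QINQ = 0x88A8   # 802.1ad service tag (S-TAG), used for double tagging
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
# 0x9100 is a pre-standard QinQ TPID still emitted by some older switches.
TAG_ETHERTYPES = {ETHERTYPE_VLAN, ETHERTYPE_QINQ, 0x9100}


@dataclass
class ParsedFrame:
    dst_mac: str
    src_mac: str
    vlan_ids: List[int] = field(default_factory=list)  # outermost tag first
    ethertype: int = 0                                  # innermost (payload) EtherType
    payload: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Peel every VLAN tag off an Ethernet II frame and return the inner payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    offset = 12
    vlan_ids: List[int] = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType field")
        (etype,) = struct.unpack("!H", frame[offset:offset + 2])
        if etype not in TAG_ETHERTYPES:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlan_ids.append(tci & 0x0FFF)   # low 12 bits are the VID; PCP/DEI sit above
        offset += 4                     # skip TPID + TCI, then look at the next EtherType
    return ParsedFrame(dst, src, vlan_ids, etype, frame[offset + 2:])


def safe_parse(frame: bytes) -> Optional[ParsedFrame]:
    """Return None instead of raising on a truncated capture."""
    try:
        return parse_frame(frame)
    except ValueError:
        return None


def distinct_vlans(frames: Iterable[bytes]) -> set:
    """Every VID seen on the mirror port. More than one means the monitor must
    be configured for several VLANs, or the switch must strip the tags."""
    vids = set()
    for f in frames:
        parsed = safe_parse(f)
        if parsed is not None:
            vids.update(parsed.vlan_ids)
    return vids


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_ids: Iterable[int] = ()) -> bytes:
    """Construct a test frame; outermost VID first. A double-tagged frame gets an
    802.1ad S-TAG outside and an 802.1Q C-TAG inside, as a provider bridge would."""
    vids = list(vlan_ids)
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tags = b""
    for i, vid in enumerate(vids):
        tpid = ETHERTYPE_QINQ if (i == 0 and len(vids) > 1) else ETHERTYPE_VLAN
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + tags + struct.pack("!H", ethertype) + payload


# Constructed sample payload: a minimal 20-byte IPv4 header, 10.0.0.1 -> 192.168.0.1
IPV4_HEADER = bytes.fromhex("4500001400010000400600000a000001c0a80001")
DST, SRC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
SAMPLE_FRAMES = {
    "untagged": build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_HEADER),
    "single":   build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_HEADER, [100]),
    "double":   build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_HEADER, [1000, 200]),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        p = parse_frame(frame)
        print(f"{name:9s} vlans={p.vlan_ids} ethertype=0x{p.ethertype:04x} "
              f"payload_len={len(p.payload)}")
    print("VLANs present on this mirror port:", sorted(distinct_vlans(SAMPLE_FRAMES.values())))
```

A parser that assumed untagged frames would read the 0x8100 TPID as the EtherType and the tag's TCI as the first two bytes of the IP header, so every tagged frame would be silently misattributed or dropped; that is the gap the questionnaire's "can the switch de-encapsulate" question is probing.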
Traffic Routing
Is this point of monitoring going to be made via a switch
connection or in-line tap?
All traffic on one line, or split Tx and Rx?
   If split, can an aggregator be used?
Does the network failover from location to location?
       If so, should we account for failover in sizing?
What devices are between the monitoring point and
Egress?
If via Switch:
Is the switch a "managed" switch (i.e., can it be accessed
and configured)?
Does the switch at the point of monitoring have port
mirroring/spanning capabilities?
Will multiple switches be monitored via RSPAN
configuration?

Does the insertion point use a fiber or copper interface?
  - If fiber, what connector type is used (SC or ST)?

  - If fiber or copper, is the connection full or half duplex,
and is there a specific speed the NIC should be set to?
  - If fiber, will the prospect or Vericept provide the fiber
NIC card?


   - If fiber, the prospect is required to provide fiber
network cables using the appropriate connectors
(Vericept provided fiber NICs utilize SC connectors). Are
the appropriate network cables/connectors available?
If via In-Line TAP:
Does the tap-supplied traffic need to be aggregated for
full monitoring capability (Vericept utilizes a single
network port for monitoring)?
If aggregation is required, is a hub or other aggregating
device available?

Does the insertion point use a fiber or copper interface?
  - If fiber, what connector type is used (SC or ST)?

   - If fiber or copper, is the connection full or half duplex,
and is there a specific speed the NIC should be set to?
   - If fiber, will the prospect or Vericept provide the fiber
NIC card?

   - If fiber, the prospect is required to provide fiber
network cables using the appropriate connectors
(Vericept provided fiber NICs utilize SC connectors). Are
the appropriate network cables/connectors available?
Additional Information
Can you put the Vericept device(s) names in your DNS
Table?

Vericept would appreciate the required network configuration
being completed before the date of install. In the event of
network configuration issues, will a network
engineer/analyst be available during the EA installation to
assist with any additional configuration changes?

NOTE: The Vericept device is typically placed in a secure
data center. The physical installation and configuration of
the Vericept device takes approximately 45 to 90 minutes.
Will the necessary facility access and any required
personnel escort be available?
Firewalls



Are there any firewalls performing Network Address
Translation before the monitoring port and Internet
Access point? For example, will the Vericept device be
between your firewall and ISP, or will the Vericept device
sit between your Core switch router and the firewall that is
performing NAT?
Proxy/Cache Servers
Are there any Proxy/Cache servers between the
monitoring port and the IAP? Note: If the monitoring port
is between the Proxy/Cache Server and the IAP, the
Vericept device may be unable to determine source
and/or destination IP addresses.
SMTP

Is SMTP formatted e-mail available at the insertion point?
Please provide the IP address of the e-mail server, and/or
the address of proxy/filtering devices providing e-mail.
Note: client-to-client/client-to-email-server traffic may be
unavailable for monitoring as it is typically encrypted.

Are there any spam filters in place between the monitor
port and the IAP? For example: (looking in the direction from
demarc to Core/Switch Router) will the Vericept device
sit after your spam and anti-virus device, closest to the end
user, or (looking in the direction from Core/Switch Router
to demarc) will the Vericept device sit after the Spam
filter but before the Internet Access point?
Do you wish to exclude incoming e-mails? Note: Filtering
incoming e-mails will help to eliminate events in the
Vericept environment due to spam.
Monitoring Parameters
Is there any specific network traffic that you want/don’t
want to monitor? Please specify servers, IP addresses,
ports, protocols.




In order to monitor event collection rates and the general
health of the Vericept device, can remote access to the
Vericept System be made available during the EA period? Is
there any specific client-side software required for access
(e.g., specific VPN clients)? Will the firewall policy allow:
Port 443 (HTTPS) for adjusting and configuring the
Vericept application, and Port 22 (Secure Shell) for monitoring
and managing the Vericept hardware/OS?
Server Network Installation Specs                             Console                        Collector 1   Collector 2   Collector 3
IP Address
Fully Qualified Domain Name (No special Chars)
Subnet Mask
Gateway IP Address
Domain Name Server IP Address

Control 360
Number of Email Gateways or Bridgeheads:
Describe any other mail-server devices, relays, etc.
If more than one, is aggregation possible?
Average and peak number of outbound emails per hour:
Average and largest outbound email size:
% requiring self remediation (Assume 10%):
% requiring encryption (Assume 10%):
% requiring quarantine (Assume 5%):
Entrust, Voltage, BlueCoat or Other Integration:
When % self remediation and encryption aren’t available, assume 10% for each and 5% for quarantine


Discovery 360
Number of file-shares / systems to be scanned:
Volume of data on those file-shares:
Periodicity of scanning:
Available bandwidth between file-share and Discovery:




Other Installation Considerations




The Vericept EA systems are either 1U or 4U devices.
Given the short-term nature of the EA assessment, rails are
typically not installed – the device is often placed atop
other systems within a rack environment, or placed in
some other appropriate location within a non-office
environment. The 1U devices use a single power
connection; a standard three-prong, 110V outlet is
required. The 4U devices use dual power connections. If
being deployed in a managed data center, what requests /
procedures need to be performed to ensure sufficient
resources are available before the EA starts?

Internet access is required to review events. If your
organization has secured http proxies, we will require a
minimum of three accounts for access to the Internet.
What process is needed to secure them by the time the
EA starts?


Access to a keyboard, monitor, and mouse will be
required for final configuration of the device. Once
completed and the system is operational, these devices
will no longer be required. These services can be
provided via a KVM switch, however certain switches
have caused issues in the past (such as corrupted video
display) such that distinct devices were required.


For copper environments, two RJ-45, straight-through
cables are required to connect the device to the network.
In fiber environments, one RJ-45 and one fiber cable
would be required. Vericept normally ships one cable with
the system, but additional cables should be available in
the event the Vericept cable is of insufficient length.

Information Source
Complete by Date
EA Install Date
Exposure Assessment or Software Pilot
Vericept SC
Customer Contact
Desktop 360° Evaluation Questionnaire
Version 1, Jan’07

General Evaluation (EVAL) Description and Requirements

Thank you for participating in a Vericept Desktop 360° Evaluation. We appreciate your confidence in our
solution and look forward to working with you. The purpose of this document is to provide you with
information about our EVAL processes and to gather technical requirements needed for a successful
assessment.

The Vericept Solution provides a means for intelligently monitoring and controlling data-at-rest and data-in-use
on desktops and laptops. The Vericept Desktop solution is deployed as an agent on endpoints that are
managed from a central server. The Vericept endpoint agent operates in stealth mode, hidden from users,
and monitors and controls content based on group policies managed from a management center. Vericept
will monitor for sensitive files on the initial and incremental scans, control removable media and drives
(USBs), and monitor users. The same Vericept Information Privacy and Compliance policies used for the
network and email control products are also used for the desktop solution.



Desktop Questionnaire Overview

The answers provided on this Questionnaire help to ensure the Vericept device is deployed properly within
your desktop environment. We would also like to have the information on file should your organization opt
to purchase the Vericept Solution – this will assist our installation teams in the preparation for the install of
the production environment.


Once Vericept receives this document, it will be reviewed by our Solution Consultant for completeness. The
Solution Consultant may contact you, or someone in your organization for further clarification or additional
information. We would appreciate your help in ensuring that the appropriate network resources have been
configured and are available at the time of the Assessment installation. This will allow us to complete the
installation in a timely fashion and prevent extended interruption of your or your staff's time.



Please feel free to contact your Solutions Consultant or Account Manager should you have any questions
about the completion of this form.




EVAL System Installation Parameters
General Desktop Infrastructure
Operating System(s) used on your desktops and
laptops?
(Include version and service pack level)
How many systems/users will be monitored in
production?
How many systems/users will be monitored in the
Exposure Assessment?
Are there systems with multiple users logged in
simultaneously? If so, what is the maximum
number of users logged into the same system?

Desktop System Specifications
What are the minimum system specifications
       Processor (type, speed, #)
       System memory (MB)
       Disk space (MB)
What are the typical system specifications
       Processor (type, speed, #)
       System memory (MB)
       Disk space (MB)



Desktop Management
What tools do you use to distribute agents to
desktops?
(e.g., Microsoft SMS, Altiris)
Do you use .msi or .exe files to distribute agents to
desktops?
What is your policy for the reboot of desktops after
a push installation?

Desktop Applications
Since the desktop agent needs to operate alongside
other applications in the desktop driver chain, it is
beneficial to get a list of applications used in your
standard desktop load.

  Vericept can perform a basic interoperability test
  prior to the Exposure Assessment. If you wish to
  take advantage of this, please consult the
  Solutions Consultant to plan the logistics.

Provide a list of applications (including product
name and version) installed on your desktops:

        Antivirus:
        Anti-Spyware:
        Disk encryption:



         Configuration maintenance tools:
         Local backup applications
         Remote backup applications
         CD mastering applications
         Compression applications
         Encryption applications
         Desktop firewalls
         Sharepoint or other collaborative applications
         …

User applications
       Microsoft Office?
       Internet Browsers
       …
Do you use virtualization software on user
desktops?
(e.g., VMware)
Do you use Active Directory for group policy
management?

Content Information
What are the typical quantities of content on your
desktops:
     Folders
     Files
     Overall disk usage

What is the typical and maximum directory depth
on user desktops?

Additional Information
Are systems deployed across multiple time zones?

What is the user profile for users logging into their
desktops/laptops?
Is there a corporate policy advising users to logoff,
lock screen, or power down at the end of the day?



Server Deployment
If the EVAL will be for < 50 systems, the server can
be loaded on a user system running the following:

• Microsoft Windows Server 2003-R2
• Server with 2 gigahertz (GHz) or higher processor clock speed recommended; Intel XEON/Pentium/Celeron family,
  AMD K6/Athlon/Duron family, or compatible processor recommended.
• Microsoft Windows 2003 Release 2 or 2000 Server SP4 Operating System installed and configured.
• 1 gigabyte (GB) of RAM or higher recommended.




• 100 megabytes (MB) of available hard disk space (application).
• 500+ megabytes (MB) of available hard disk space (data).
• 100 Mbit network interface (1 Gbit preferred).
• Direct HTTP access (via the network adapter) from the Client to the Server must be supported
  (use of most firewalls is supported, use of proxy servers is unsupported).


Note:
To facilitate the EVAL installation, we recommend
running the Desktop Server software on a pre-installed
desktop server running VMware. See details below.

Client Deployment
The Desktop Client software should be loaded on
desktops or laptops meeting the following
requirements:
• 200 MHz or higher Intel Pentium/Celeron family or AMD K6/Athlon/Duron family processor
• Microsoft Windows XP SP2 or Windows 2000 SP4 operating system installed and configured
• 256 MB of RAM or higher
• 100 MB of available hard disk space
• Network adapter appropriate for the type of local-area, wide-area, or home network you want to
  connect to, and access to the appropriate network infrastructure
• Direct HTTP access (via the network adapter) from the Client to the Server must be supported
  (use of most firewalls is supported, use of proxy servers is unsupported)


Currently Installed Devices (please specify make, model, version, etc.)
Firewalls
Are there any firewalls in use between the clients
and the Desktop server?
Proxy/Cache Servers
Is there a proxy server installed between the clients
and the Desktop server?


Information Source
Completed by: <Customer Name>
Date: <Date>



Other EVAL Information and Requirements

The standard Vericept EVAL system requires a Desktop Server and multiple Desktop Clients.




Desktop Server:

We recommend using a pre-installed desktop server running VMware. This allows you to run the Desktop
server on a wide range of existing hardware you likely already have available.


Specifically you will need to provide:
• VMware Workstation version 5.5 (http://www.vmware.com/products/ws/). A 30-day trial version can be
  downloaded for free, or you can purchase a seat license for less than $200.
• A suitable host server or desktop for running VMware. Example host operating systems supported by
  VMware are: SUSE Linux, Red Hat Linux, Windows Server 2003, and many others. See the VMware web site
  (http://www.vmware.com/pdf/ws55_manual.pdf) for a complete list.
• Access to the host server or desktop for VMware and Desktop Server software installation.


Configuration of the network on the Desktop Server will require:
• Connectivity to the corporate network to which the desktops/laptops are connected
• Either a static or DHCP IP address
• Direct HTTP access (via the network adapter) from the client to the server. Use of firewalls is supported;
  use of proxy servers is unsupported.

Vericept will provide:
• Windows Server 2003-R2 license for the EVAL period
• Desktop Server software packaged for VMware
• EVAL installation support and training


Desktop Clients:

We recommend running the Desktop Clients on Desktops or Laptops meeting the requirements listed in the
Client Deployment section above. Once the Desktop Server software has been loaded, the clients can be
loaded using either push or pull methods.

Specifically you will need to provide:
• Desktop and laptop hardware meeting the requirements listed in the Client Deployment section above.

Vericept will provide:
• EVAL installation support and training




Network Configuration – Vericept Monitoring Point

Please provide a simplified network diagram showing devices listed below.
If available, please include illustrations of how the devices are physically installed.
A Microsoft Visio drawing, or other electronic illustration, will help to properly establish the point of installation.
Below is a simplified diagram showing a monitoring point for a Vericept device and its relation to e-mail servers, proxies
and NAT devices.




paste additional diagrams below:




                                          Customer Pre-EA Checklist

            Checklist for Prospect
  Number    Item                                                              Date   Response   Comment
    1       NetQ-EA worksheet completed?
    2       Net Diagrams worksheet completed?
    3       Space and power obtained for all Vericept devices?
    4       Monitor/keyboard available for Vericept devices?
    5       Data Center access obtained for Vericept personnel?
    6       Network addresses secured for all Vericept devices?
    7       Switch mirror port(s) reconfigured for Vericept device(s)?
    8       Is Internet access, Proxy account secured for reviewers?
    9       Confirm receipt of Vericept device(s).
    10      Unpack and physically install Vericept device(s). Save shipping
            containers for return.




                   Content & Control 360 Proposal / Deployment Installation Planning
General Network                                                   Egress Point 1        Egress Point 2       Egress Point 3       Egress Point 4       …
Bandwidth of Connection Point(s) (T1, T3, etc)?                                    0                     0                    0                    0
95%-of-time sustained bandwidth (in Mbps and/or %                                  0                     0                    0                    0
utilization of the line)
What type of traffic will be monitored at this access point?                       0                     0                    0                    0
(SMTP, Web Traffic, IM).
Approx. number of users monitored?                                                 0                     0                    0                    0
Does the monitored traffic contain VLAN encapsulated                               0                     0                    0                    0
traffic? If yes, will there be a need to monitor more than
one VLAN? Can the switch de-encapsulate the VLAN
traffic?
Traffic Routing
Is this point of monitoring going to be made via a switch                          0                     0                    0                    0
connection or in-line tap?
All traffic on one line, or split Tx and Rx?                                       0                     0                    0                    0
   If split, can an aggregator be used?                                            0                     0                    0                    0
Does the network failover from location to location?                               0                     0                    0                    0
       If so, should we account for failover in sizing?                            0                     0                    0                    0
What devices are between the monitoring point and                                  0                     0                    0                    0
Egress?
If via Switch:
Is the switch a "managed" switch (i.e., can it be accessed                         0                     0                    0                    0
and configured)?
Do the switches at the point of monitoring have port                               0                     0                    0                    0
mirroring/spanning capabilities?
Will multiple switches be monitored via RSPAN                                      0                     0                    0                    0
configuration?
Does the insertion point use a fiber or copper interface?                          0                     0                    0                    0

  - If fiber, what connector type is used (SC or ST)?                              0                     0                    0                    0
  - If fiber or copper, is the connection full or half duplex,                     0                     0                    0                    0
and is there a specific speed the NIC should be set to?

  - If fiber, will the client or Vericept provide the fiber NIC                    0                     0                    0                    0
card?




  - If fiber, the client is required to provide fiber network          0      0   0   0
cables using the appropriate connectors (Vericept
provided fiber NICs utilize SC connectors). Are the
appropriate network cables/connectors available?

If via In-Line TAP:
Does the tap-supplied traffic need to be aggregated for full           0      0   0   0
monitoring capability (Vericept utilizes a single network
port for monitoring)?
If aggregation is required, is a hub or other aggregating              0      0   0   0
device available?
Does the insertion point use a fiber or copper interface?              0      0   0   0

   - If fiber, what connector type is used (SC or ST)?                 0      0   0   0
   - If fiber or copper, is the connection full or half duplex,        0      0   0   0
and is there a specific speed the NIC should be set to?

   - If fiber, will the client or Vericept provide the Fiber NIC       0      0   0   0
card?
   - If fiber, the client is required to provide fiber network         0      0   0   0
cables using the appropriate connectors (Vericept
provided fiber NICs utilize SC connectors). Are the
appropriate network cables/connectors available?

Additional Information
Can you put the Vericept device(s) names in your DNS                   0      0   0   0
Table?
Vericept would appreciate the required network configuration           0      0   0   0
being completed before the date of install. In the event of
network configuration issues, will a network
engineer/analyst be available during the EA installation to
assist with any additional configuration changes?

NOTE: The Vericept device is typically placed in a secure              0      0   0   0
data center. The physical installation and configuration of
the Vericept device takes approximately 45 to 90 minutes.
Will the necessary facility access and any required
personnel escort be available?

Firewalls




Are there any firewalls performing Network Address                  0      0   0   0
Translation before the monitoring port and Internet Access
point? For example, will the Vericept device be between
your firewall and ISP, or will the Vericept device sit
between your Core switch router and the firewall that is
performing NAT?
Proxy/Cache Servers
Are there any Proxy/Cache servers between the                       0      0   0   0
monitoring port and the IAP? Note: If the monitoring port
is between the Proxy/Cache Server and the IAP, the
Vericept device may be unable to determine source and/or
destination IP addresses.
SMTP
Is SMTP formatted e-mail available at the insertion point?          0      0   0   0
Please provide the IP address of the e-mail server, and/or
the address of proxy/filtering devices providing e-mail.
Note: client-to-client/client-to-email-server traffic may be
unavailable for monitoring as it is typically encrypted.

Are there any spam filters in place between the monitor             0      0   0   0
port and the IAP? For example: (looking in the direction from
demarc to Core/Switch Router) will the Vericept device
sit after your spam and anti-virus device, closest to the end
user, or (looking in the direction from Core/Switch Router
to demarc) will the Vericept device sit after the Spam
filter but before the Internet Access point?

Do you wish to exclude incoming e-mails? Note: Filtering            0      0   0   0
incoming e-mails will help to eliminate events in the
Vericept environment due to spam.
Monitoring Parameters
Is there any specific network traffic that you want/don't
want to monitor? Please specify servers, IP addresses,
ports, protocols.
In order to monitor event collection rates and the general
health of the Vericept device, can remote access to the
Vericept system be made available during the EA period? Is
any specific client-side software required for access
(e.g., a particular VPN client)? Will the firewall policy allow
port 443 (HTTPS) for adjusting and configuring the
Vericept application, and port 22 (Secure Shell) for monitoring
and managing the Vericept hardware/OS? Both rules should be
restricted to the source addresses Vericept will connect from.


Server Network Installation Specs                 Console      Collector 1      Collector 2      Collector 3
IP Address
Fully Qualified Domain Name (no special characters)
Subnet Mask
Gateway IP Address
Domain Name Server IP Address
Installation Considerations
The Vericept EA systems are either 1U or 4U devices.
Given the short-term nature of the EA assessment, rails are
typically not installed; the device is often placed atop
other systems within a rack environment, or in some other
appropriate location within a non-office environment. The
1U devices use a single power connection; a standard
three-prong, 110V outlet is required. The 4U devices use
dual power connections, so plan for two outlets. If the
device is being deployed in a managed data center, what
requests/procedures need to be performed to ensure
sufficient resources are available before the EA starts?

Internet access is required to review events. If your
organization uses authenticating HTTP proxies, we will require
a minimum of three accounts for access to the Internet.
What process is needed to obtain them by the time the
EA starts?

Access to a keyboard, monitor, and mouse will be required
for final configuration of the device. Once configuration is
complete and the system is operational, these devices are
no longer required. They can be provided via a KVM
switch; however, certain switches have caused issues in
the past (such as a corrupted video display), such that
dedicated devices were required.


For copper environments, two RJ-45, straight-through
cables are required to connect the device to the network.
In fiber environments, one RJ-45 and one fiber cable
would be required. Vericept normally ships one cable with
the system, but additional cables should be available in
the event the Vericept cable is of insufficient length.


Information Source

Complete by Date
EA Install Date
Exposure Assessment or Software Pilot
Vericept SC
Customer Contact

Identity Match
How many domains? How many Domain Controllers?
What vendor?
How many DHCP servers and what vendor?
How are DCs and DHCP servers geographically
distributed?
Are there any proxies, cache engines or other NAT
devices between users and the attach point?
Is Citrix in use within the organization?
If so, is egress possible (hosted IE or Outlook)?


Control 360
Number of Email Gateways or Bridgeheads:
Describe any other mail-server devices, relays, etc.
If more than one, is aggregation possible?
Average and peak number of outbound emails per hour:
Average and largest outbound email size:
% requiring self remediation (assume 10%):
% requiring encryption (assume 10%):
% requiring quarantine (assume 5%):
Entrust, Voltage, BlueCoat or other integration:
When the self-remediation and encryption percentages are not available, assume 10% for each and 5% for quarantine.


Discovery 360
Number of file-shares / systems to be scanned:
Volume of data on those file-shares:
Periodicity of scanning:
Available bandwidth between file-share and Discovery:




            Checklist for SCs Before, During, and After
            Installation
            Prior to Installation
  Number    Item                                                           Date   Response   Comment
     1      Prospect completed the NetQ-EA worksheet?
     2      Prospect completed the Net Diagrams worksheet?
     3      Prospect completed Checklist-Prospect worksheet?
     4      If either (1), (2), or (3) have not been completed, SC to
            conduct phone call(s) to gather required information.

     5      Verify that the prospect's expectations have been set
            appropriately. If the installation is an EA (versus a Pilot)
            this needs to be communicated up front.
     6      Validate the configuration of the prospect's network and
            the placement of the Vericept device(s). This validation
            should include a diagram (theirs with our device
            placement, or one created from the contents of the NetQ-
            EA) that clearly shows where our device(s) will be
            relative to other devices on their network.

     7      Request appropriate EA hardware through Alison
            Lueker.
     8      Provide Alison the appropriate shipping address(es).
     9      Verify hardware has been shipped and obtain tracking
            information.
    10      Request and download Vericept license file for prospect.

    11      Final pre-call - Call the prospect and confirm all items on the
            Prospect checklist. Address any open items. Consider
            delaying the EA if resource issues cannot be resolved; do
            not proceed while items critical to success remain open.

            During Installation
  Number    Item                                                           Date   Response   Comment
     1      If switch mirror port(s) have not been configured, obtain
            appropriate access to configure the switch.
     2      Gather the appropriate IP, gateway, and DNS
            information.
     3      Power on and configure Vericept collector device(s).
            Connect the management cable to eth0 and the mirror
            port cable to eth1. Verify that:
               You can ping the gateway and DNS server(s).
               tcpdump -i eth1 produces acceptable traffic.
               tcpdump -i eth1 port 25 sees email traffic.
               tcpdump -i eth1 port 80 sees http traffic.
     4      Power on and configure the Vericept console device.
            Connect the management cable to eth0. Verify that:
               You can ping the gateway, DNS server(s), and
               collector (s).
     5      Install Vericept license file on Vericept device(s).
     6      From console, run both status and traffic tools. Confirm
            the following:
               All appropriate Vericept processes (web server,
               database, SNMP, raw data collection, data analysis)
               are running (ANR might be disabled and is ok.)
               TCP/IP traffic is being captured in both directions
              Confirm capture of multiple IP addresses; confirm with
              prospect network admin that they are internal user
              workstations, not servers. Run traffic with a filter on an
              internal subnet if needed.
              Confirm capture of multiple protocols like HTTP (port
              80, 8080) and SMTP (port 25).
              With prospect network admin, look for IP addresses of
              server traffic that Vericept device(s) should ignore.

     7      Confirm logs being created, to/from multiple internal IP
            addresses, to/from multiple email accounts
     8      Perform Category tuning if required.
     9      Add Custom Categories and/or SC Toolbox CANDL
            rulesets.
    10      Set up additional filters to exclude or include specific
            network traffic. MUST HAVE A FILTER TO NOT MONITOR
            INCOMING EMAIL. Note that in tcpdump/BPF filter syntax
            "not" binds tighter than "and", so the parentheses are
            required. Example syntax: not (dst host <IP of mail server>
            and dst port 25), or for a whole subnet: not (dst net
            10.0.0.0/8 and dst port 25). Always confirm step 4.

    11      From UI, periodically check Traffic Volume to make sure
            device is keeping up with the traffic. This can also be
            done through the console with df command and others.
            If traffic is too much, a decision has to be made to either
            leave device monitoring ever
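The verification in steps 3, 6 and 7 above (traffic in both directions, multiple internal workstation IPs, SMTP and HTTP present, server IPs the device should ignore) can be scripted against the output of tcpdump -nn -i eth1. The following is an added example, not Vericept tooling: it parses tcpdump's default line format, counts packets in each direction relative to an assumed RFC 1918 internal range, lists the internal hosts acting as clients on service ports, and flags internal hosts that several distinct peers connect to on a service port as server candidates for a filter. The capture lines, the internal ranges and the function names (parse_lines, summarize) are constructed for illustration.

```python
"""Sanity-check a mirror-port capture against the installation checklist:
both directions seen, several internal workstation IPs, SMTP and HTTP
present, and internal hosts behaving as servers (candidates to filter).

Added example, not Vericept tooling. Parses the default "tcpdump -nn" line
format; the capture lines and internal ranges below are constructed.
"""
import ipaddress
import re
import sys
from collections import defaultdict

# "tcpdump -nn" prints "IP <src>.<sport> > <dst>.<dport>:" for IPv4 TCP/UDP.
LINE_RE = re.compile(
    r"IP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):")

SMTP_PORTS = {25}
HTTP_PORTS = {80, 8080}
SERVICE_PORTS = SMTP_PORTS | HTTP_PORTS | {110, 143, 443}

# Assumption: user workstations live in RFC 1918 space; adjust per prospect.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_lines(lines):
    """Yield (src, sport, dst, dport) for each line tcpdump -nn printed."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def summarize(lines, min_peers=2):
    """Apply the step 3/6/7 criteria to a capture and return the findings."""
    outbound = inbound = 0              # internal->external / external->internal
    clients = set()                     # internal IPs initiating to service ports
    ports_seen = set()
    peers = defaultdict(set)            # (internal host, port) -> distinct sources
    for src, _sport, dst, dport in parse_lines(lines):
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and not dst_in:
            outbound += 1
        elif dst_in and not src_in:
            inbound += 1
        if dport in SERVICE_PORTS:
            ports_seen.add(dport)
            if src_in:
                clients.add(src)
            if dst_in:
                peers[(dst, dport)].add(src)
    # An internal host that several distinct peers connect to on a service
    # port is a server, not a user workstation: candidate for a filter.
    servers = sorted({host for (host, _), srcs in peers.items()
                      if len(srcs) >= min_peers})
    workstations = sorted(clients - set(servers))
    return {
        "outbound": outbound,
        "inbound": inbound,
        "internal_workstations": workstations,
        "ports": sorted(ports_seen),
        "server_candidates": servers,
        "checks": {
            "both_directions": outbound > 0 and inbound > 0,
            "multiple_workstations": len(workstations) >= 2,
            "smtp_seen": bool(ports_seen & SMTP_PORTS),
            "http_seen": bool(ports_seen & HTTP_PORTS),
        },
    }


# Constructed sample of "tcpdump -nn -i eth1" output (documentation addresses).
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 10.1.2.3.50000 > 198.51.100.80.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000200 IP 198.51.100.80.80 > 10.1.2.3.50000: Flags [S.], seq 2, ack 2, win 65535, length 0
10:00:02.000001 IP 10.1.2.4.50010 > 198.51.100.81.8080: Flags [P.], seq 1:200, ack 1, win 512, length 199
10:00:03.000001 IP 10.1.2.5.50020 > 192.168.1.1.25: Flags [P.], seq 1:600, ack 1, win 512, length 599
10:00:03.000100 IP 10.1.2.6.50021 > 192.168.1.1.25: Flags [S], seq 1, win 64240, length 0
10:00:04.000001 IP 203.0.113.10.43210 > 192.168.1.1.25: Flags [S], seq 1, win 64240, length 0
10:00:05.000001 IP 192.168.1.1.51000 > 198.51.100.25.25: Flags [S], seq 1, win 64240, length 0
10:00:06.000001 IP 10.1.2.3.50001 > 10.5.5.5.443: Flags [S], seq 1, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    # Usage: tcpdump -nn -i eth1 -c 5000 | python3 capture_check.py
    source = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin
    for key, value in summarize(source).items():
        print("%-22s %s" % (key, value))
```

Run on the sample, the mail server 192.168.1.1 shows up as a server candidate because four distinct sources hit it on port 25, while 10.5.5.5 does not (a single client). Confirm any candidate with the prospect's network admin before adding it to a filter, exactly as step 6 asks; a single busy workstation can look like a server in a short capture.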

            After Installation
  Number    Item                                                           Date   Response   Comment
     1      1-2 days after installation, confirm steps 4 and 5 from
            above.
Actual Category Settings

Categories                     Standalone   Collector 1   Collector 2   Collector 3
Adult                          high         high          high          high
Backdoors                      on           on            on            on
Confidential                   off          off           off           off
Conflict                       medium       medium        medium        medium
Credit Card Number             on           on            on            on
Disgruntled                    medium       medium        medium        medium
Driver's License - AR          on           on            on            on
Driver's License - CA          on           on            on            on
Driver's License - IL          on           on            on            on
Encrypted - IM                 on           on            on            on
Encrypted - Other              on           on            on            on
Encrypted - PGP                on           on            on            on
Encrypted - S/MIME             on           on            on            on
Encrypted - SSH                on           on            on            on
Encrypted - SSL                on           on            on            on
Full File Match                off          off           off           off
Gambling                       medium       medium        medium        medium
Games                          medium       medium        medium        medium
Gangs                          medium       medium        medium        medium
GoToMyPc Client                on           on            on            on
GoToMyPc Server                on           on            on            on
HL7                            on           on            on            on
Hacker Research                on           on            on            on
IM & Chat                      on           on            on            on
Info Hiding Research           on           on            on            on
Keylogger                      on           on            on            on
Log Wiping Code                on           on            on            on
Mailing Lists                  on           on            on            on
Mergers & Acquisition          off          off           off           off
NMAP                           on           on            on            on
P2P File Share                 on           on            on            on
P2P Research                   on           on            on            on
PHI                            on           on            on            on
Partial File Match             off          off           off           off
Personal Information           on           on            on            on
Plagiarism                     medium       medium        medium        medium
Racism                         medium       medium        medium        medium
Resignation                    low          low           low           low
Root Activity                  on           on            on            on
SAM Cracking                   on           on            on            on
Shopping                       low          low           low           low
Sniffer Code                   on           on            on            on
Social Security Number         on           on            on            on
Source Code - C/C++/Java       on           on            on            on
Source Code - COBOL            on           on            on            on
Source Code - Perl             on           on            on            on
Source Code - Visual Basic     on           on            on            on
Sports                         low          low           low           low
Stack Smashing Code            on           on            on            on
Streaming Media                on       on        on       on
Substance Abuse                high     high      high     high
Suspicious FTP                 on       on        on       on
Suspicious HTTP Response       on       on        on       on
Suspicious IMAP                on       on        on       on
Suspicious POP                 on       on        on       on
Suspicious SUID Root           on       on        on       on
Suspicious Shell               on       on        on       on
Suspicious VNC                 on       on        on       on
Trading                        low      low       low      low
Unauthorized FTP               on       on        on       on
Unauthorized General           on       on        on       on
Unauthorized IMAP              on       on        on       on
Unauthorized POP               on       on        on       on
Unauthorized Web               on       on        on       on
Violent Acts                   medium   medium    medium   medium
Weapons                        medium   medium    medium   medium
Web & Blog Postings            on       on        on       on
Web-mail - Receive             on       on        on       on
Web-mail - Send                on       on        on       on
Windows Enumeration SMB        on       on        on       on
Windows Enumeration Textual    on           on            on            on

Setting values: On/Off categories take off or on; sensitivity categories take off, low, medium or high.
           Default Network Category Settings


  1       All categories in the AUM product with a sensitivity setting of Low/Medium/High should be
          set to Low, with the exception of those categories where the client has expressed little/no
          interest in capturing events. For these categories, set the sensitivity to Off (e.g. if
          monitoring of SHOPPING is not of interest to the prospect, set the sensitivity to Off).

  2       All categories in the IPCM product with a sensitivity setting of Low/Medium/High should be
          set to Medium. Any category in this product with an On/Off setting should be set to On.

  3       All categories in the PSM product should be set to On.

  4       Any categories that may not be meaningful to the prospect should be set to Off (e.g. in a
          business account it makes little/no sense to turn on PLAGIARISM). This will help to
          improve throughput of the device and be one less category that appears during the EA
          Report presentation.

  5       Make every effort to determine where in the data stream the Vericept device(s) are located
          and filter out incoming emails, as they can account for a significant number of events that
          have little to do with the actual issues at the prospect. If positioned after a SPAM filter,
          consider NOT filtering. Otherwise, include the following line in the Data Controls>Filters
          section:

          not (dst host <mail-server-IP> and dst port 25)

          where mail-server-IP is the IP address of the email server. The parentheses matter:
          without them "not" applies to "dst host" alone and the filter no longer means what
          is intended.
          Example:      not (dst host 192.168.1.1 and dst port 25)

          Note that you may need multiple lines such as the above if the enterprise has multiple
          email servers deployed. Also note that this implies that we are positioned between the IAP
          and the email server. You may need to adjust other filter parameters if we are located
          elsewhere in the network.

  6       As with all sales engagements, you may need to deviate from this policy as the
          requirements of the prospect change. Be prepared to make adjustments to the category
          settings based on the specific "pain points" of the prospect or as the situation requires.
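Item 5 above and checklist step 10 ("During Installation") both depend on getting tcpdump/BPF precedence right: "not" binds tighter than "and", which binds tighter than "or", so "not port 25 and dst host X" is read as "(not port 25) and (dst host X)" and keeps only non-SMTP traffic to the mail server, dropping everything else. The following added example (not Vericept's code) implements just the filter subset this document uses, with tcpdump's precedence, and evaluates the parenthesized and unparenthesized forms against constructed flows; it also builds the per-mail-server clauses for the multiple-server case. The Flow type, the captured() and exclude_inbound_smtp() names and the addresses are mine; the function that joins clauses assumes the Filters section ANDs its lines, which the page does not state.

```python
"""Evaluate a Data Controls > Filters expression against sample flows.

Added example, not Vericept's code. Supports the tcpdump/BPF subset used in
this document: not / and / or, parentheses, "port N", "[src|dst] port N",
"[src|dst] host A.B.C.D", "[src|dst] net A.B.C.D/M", with tcpdump's
precedence. Flows and addresses below are constructed.
"""
import ipaddress
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport")
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


class FilterParser:
    """Recursive descent: or < and < not < primary, as in tcpdump."""

    def __init__(self, expr):
        self.toks = TOKEN_RE.findall(expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        if self.pos >= len(self.toks):
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return self.toks[self.pos - 1]

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("trailing tokens: %r" % self.toks[self.pos:])
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())   # "not" applies to ONE primary
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing )")
            return node
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok not in ("host", "port", "net"):
            raise ValueError("unsupported primitive: %r" % tok)
        return ("prim", direction, tok, self.take())


def _match_side(prim, value, addr, port):
    if prim == "port":
        return port == int(value)
    ip = ipaddress.ip_address(addr)
    if prim == "host":
        return ip == ipaddress.ip_address(value)
    return ip in ipaddress.ip_network(value, strict=False)


def evaluate(node, flow):
    kind = node[0]
    if kind == "not":
        return not evaluate(node[1], flow)
    if kind == "and":
        return evaluate(node[1], flow) and evaluate(node[2], flow)
    if kind == "or":
        return evaluate(node[1], flow) or evaluate(node[2], flow)
    _, direction, prim, value = node
    sides = {"src": [(flow.src, flow.sport)], "dst": [(flow.dst, flow.dport)]}
    chosen = sides[direction] if direction else sides["src"] + sides["dst"]
    return any(_match_side(prim, value, a, p) for a, p in chosen)


def captured(filter_expr, flow):
    """True if the packet passes the filter, i.e. the device would keep it."""
    return evaluate(FilterParser(filter_expr).parse(), flow)


def exclude_inbound_smtp(mail_servers):
    """One clause per mail server, joined with 'and' (assumption: the Filters
    section ANDs its lines; otherwise enter each clause on its own line)."""
    return " and ".join("not (dst host %s and dst port 25)" % ip for ip in mail_servers)


# Constructed sample flows (documentation and RFC 1918 addresses).
INBOUND_MAIL = Flow("203.0.113.10", 43210, "192.168.1.1", 25)   # Internet -> mail server
OUTBOUND_MAIL = Flow("192.168.1.1", 51000, "198.51.100.25", 25)  # mail server -> Internet
WEB = Flow("10.1.2.3", 50000, "198.51.100.80", 80)               # user -> web site
INTERNAL_SMTP = Flow("10.1.2.5", 50020, "10.20.30.40", 25)       # user -> internal relay

CORRECT = "not (dst host 192.168.1.1 and dst port 25)"
BROKEN = "not port 25 and dst host 192.168.1.1"   # == (not port 25) and (dst host ...)

if __name__ == "__main__":
    for name, expr in (("CORRECT", CORRECT), ("BROKEN", BROKEN)):
        print(name, expr)
        for flow in (INBOUND_MAIL, OUTBOUND_MAIL, WEB, INTERNAL_SMTP):
            state = "kept" if captured(expr, flow) else "dropped"
            print("  %-20s -> %s" % ("%s:%d" % (flow.dst, flow.dport), state))
    print(exclude_inbound_smtp(["192.168.1.1", "192.168.1.2"]))
```

With CORRECT only the inbound SMTP flow is dropped; with BROKEN every sample flow is dropped, including outbound mail and web traffic, which is exactly the "device sees nothing" symptom that a missing pair of parentheses produces. Note also that a dst-only clause leaves the mail server's reply half of an inbound session in the capture; that is acceptable here because message content travels in the client-to-server direction that the clause removes.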



