Service - Superna™ Eyeglass Cluster Install and Config Service Description (Ransomware Defender, Easy Auditor, Search & Recover, Golden Copy, Performance Auditor)

Eyeglass Service Description

Part number: SEL-Eyeglass Cluster Addon Install Service - eyeglass-P016

Revision 2 Feb 6, 2020


    Overview


    This service is designed for customers who are deploying Superna Eyeglass Ransomware Defender and/or Easy Auditor and need installation and configuration assistance.

    • NOTE: This part number is used for Ransomware Defender OR Easy Auditor products.  Quantity 2 of this service is required if both products have been ordered.   

      • Scope: Covers a single clustered Eyeglass agent installation and configuration, with up to 2 co-located, same-site clusters.

    • Service Delivery: Remote WebEx

    • Operating Hours: Monday to Friday 8:30 to 5:30 EDT

    • Terms and Conditions: tasks are covered by the product maintenance agreement (Support Services Agreement)

    • Mandatory: The Eyeglass Installation Questionnaire Form (located here) must be completed with all questions answered.  The service will not be scheduled until it is completed in full.

    • Exclusions:

      • NOTE: Only product documentation will be followed.  This is not a consulting service.

      • Installation Technicians are not authorized to provide design recommendations for DR features.

      • Hands-on changes to external IT components, for example DNS, Isilon, Active Directory or other non-Superna supplied products.

      • Service delivery requires the customer to have hands-on knowledge of all external IT components.

      • NOTE: This service is not a security audit.  Consulting services should be purchased.  Installation technician is not authorized to provide security advice.

    Prerequisites

    Customers must complete these steps prior to scheduled installation and configuration

    • Confirm that Eyeglass DR Edition is installed

    • The Ransomware Defender, Easy Auditor and/or Search & Recover Installation Checklist Form has been submitted

      • HDFS license key is installed; contact the Dell EMC account team to request the license key.

        • Confirm that the license key is installed before the scheduled installation date by emailing sales@superna.net

      • Access Zone has been configured for the Easy Auditor database. Consult Dell documentation to complete these steps.

        • Access Zone name eyeglass with path /ifs/data/igls/analyticsdb

        • An IP pool created with 3 node members and the pool assigned to the Access zone eyeglass created in the previous step

        • 3 IP addresses allocated

        • SmartConnect name configured and DNS delegation correctly resolves with round robin IP addresses

        • NOTE: Installation cannot be scheduled until these steps are confirmed to sales@superna.net

      • On the day of installation, confirm availability of the DNS administrator to make changes if the above steps require debugging or were misconfigured.

      • List of applications that write data to Isilon or service accounts for applications

      • Firewall ports opened as per documentation for Eyeglass: Eyeglass Ports Requirements and Scalability Limits

      • Firewall ports opened as per documentation for ECA clusters: ECA Cluster application port requirements.

    ECA Cluster Install & Config Service:

    Initial Setup:

    The following are initial setup steps whether installing Ransomware Defender, Easy Auditor, or Search & Recover:

    1. Eyeglass Ransomware Defender/Easy Auditor Install Phase  - Remote Install with customer via Webex meeting to accomplish the following:

      1. Prerequisite - Gather site installation requirements from submitted Installation Checklist Form for review

      2. Prerequisite - Identify VM deployment option:

        1. VM count depends on products purchased

        2. 1 physical ESX host and 3-6 VMs (lowest HA option)

        3. 3 physical hosts and 1 VM per host (highest HA option)

      3. Prerequisite - Deploy OVA (vCenter administrator required)

        1. Require 3-6 VM IP addresses

        2. Require Eyeglass IP address

        3. Require open ports between Agent and Eyeglass, and between Agent and cluster, as per installation guide

        4. Require Access Zone (HDFS enabled) to be created for Agent database

        5. Create IP pool with at least 3 nodes in the IP pool and 3 IP addresses

      4. Install OVA with above prerequisites

      5. Test IP and port connectivity between components (Eyeglass, Agent and cluster)

      6. Installation Completed

    2. Configuration Phase - Webex

      1. Apply License to Eyeglass

        1. Verify license

      2. Edit configuration file on agent startup (API token created in Eyeglass)

      3. Startup clustered agent code

        1. Validate correct startup

        2. Validate DB creation on HDFS Access Zone

        3. Validate Service heartbeat in Eyeglass with Service Manager Icon

        4. Validate successful shutdown and restart of cluster

      4. Configure Isilon to audit files in an Access Zone for testing phase

        1. Configure Turboaudit with NFS mounts on audit directory on all ECA nodes

        2. Enable auditing on one or more access zones

      5. Verify audit messages are being processed

      6. Completed



    Go to the Ransomware Defender Section if the product was purchased

    Go to the Easy Auditor Section if the product was purchased

    Go to the Search & Recover Section if the product was purchased

    Go to the Golden Copy Section if the product was purchased

      Ransomware Defender Section:

      This only applies if the service was purchased with Ransomware Defender.

      1. Test and Configuration Phase - Ransomware

        1. Configure Security Guard feature

          1. Validate successful execution

          2. Configure schedule

          3. Knowledge transfer on log file validation for Security guard

        2. Enable monitor mode to baseline user behavior

        3. Review Security assessment on enforcement section in the admin guide

          1. Customer to decide on Low, Medium or High risk profile.  Review decision criteria in the admin guide: "How to determine threat response settings to meet your Company’s Risk Profile"

          2. Update the checklist in the installation document to record that this section was reviewed

          3. Configure settings as per customer risk profile decision.

        4. Over 2-3 weeks schedule validation sessions on the installation

          1. Collect support logs

          2. Explain whitelist settings to the customer, and how future behaviours that trigger lockout may require ongoing whitelist updates.

          3. Make whitelist changes based on analysis of the statistics and user behaviors detected, and apply them to the installation.  Repeat the process until detections are set correctly for the customer environment

      2. Knowledge Transfer Phase - Ransomware

        1. How to enable production mode

        2. Operational cluster management section

          1. Start, stop, upgrade

        3. How to process the security incident workflow from the admin guide: "How to respond to Security Events for Warning, Major or Critical Events"

        4. How and when to make whitelist changes when introducing new server applications that write data to Isilon.

          1. Enable monitor mode

          2. Monitor application and events

          3. Exit monitor mode when application workflow does not generate security incidents

        5. How to use ECACTL CLI and key commands for troubleshooting

          1. Start cluster: ecactl cluster up

          2. Stop cluster: ecactl cluster down

          3. Check for running containers: ecactl containers ps

          4. Get stats on running containers: ecactl stats

        6. UI walkthrough - Ransomware Defender

          1. Active Events

          2. Event History

          3. Settings

          4. Statistics

            1. Licensing

          5. Managed Services Icon

          6. Security Guard

      3. Service complete



      Easy Auditor Section:

      This only applies if the service was purchased with Easy Auditor.

      1. Test and Configuration Phase - Easy Auditor

        1. Verify audit data is being stored in the analytics database with query interface

        2. Run test user query report

        3. Run test path based report

        4. Run one builtin report as example

        5. Test Where did my folder go?

          1. Rename a directory or drag and drop a directory

          2. Run search in Where did my folder go?

        6. Review test wiretap functionality on a path with a test user mounting and accessing files

          1. Verify user activity is visible in the UI

          2. Review decode of open files and actions

      2. Knowledge Transfer Phase - Easy Auditor

        1. How to build a query and filter on user, path, file extension, file action

        2. How to run query reports

          1. How to save queries

          2. How to load queries and edit them

          3. Review how to filter with Excel CSV from admin guide for detailed filtering

        3. How to run builtin reports

          1. Describe purpose of each builtin report available

        4. Cluster Operations

          1. How to use ECACTL CLI and key commands for troubleshooting ECA cluster issues

          2. Start cluster: ecactl cluster up

          3. Stop cluster: ecactl cluster down

          4. Check for running containers: ecactl containers ps

          5. Get stats on running containers: ecactl stats

      3. Service complete


      Search & Recover Section:

      This only applies if the service was purchased with Search & Recover.

      1. Configuration Phase - Search & Recover
        1. Download: The OVA can be downloaded by following the normal download instructions here.
          1. The menu item to select is VMware OVF installers; then select the Eyeglass Search & Recover download
        2. Deploy to vCenter: During deployment to VMware, enter the IP address information for each node. Enter the cluster name in all lowercase with no special characters.
        3. Add License keys:
          1. Download keys using supplied token in process here.
          2. Copy the license zip file to node 1 with SCP or the WinSCP utility (both copy over the Secure Shell protocol); log in with ecaadmin and password above
        4. Apply License keys:
          1. Follow add license keys CLI instructions section "Licensing CLI Commands" in the Admin Guide.
        5. Add cluster:
          1. Follow add cluster CLI instructions section "Adding, Viewing Clusters" in the Admin Guide.
        6. Add Path to be indexed:
          1. Follow the instructions to add a folder for indexing in the section "How to add a folder path to be Indexed" in the Admin Guide.
        7. Start Indexing Jobs:
          1. Follow the instructions to start an indexing job in the section "How to start a full index job on a path" in the Admin Guide.
        8. Monitor Indexing Statistics:
          1. Follow the instructions to monitor indexing progress of the folder path added above in the section "How to Monitor Index Jobs" in the Admin Guide.
      2. Test Phase - Search & Recover
        1. Login and try some searches:
          1. Open a browser to https://x.x.x.x (IP is node 1 of the cluster)
          2. Enter an AD user login using DOMAIN\user or user@example.com (note: domain name must be uppercase) and then the password.
          3. Try a search for data in the path you indexed.
          4. NOTE: The user you log in as must have Share permissions to the path that was added to be indexed
        2. Advanced Feature Walkthrough
          1. Try a file size range search
          2. Download the results to CSV
          3. Download a script with example ISI command isi get -D and output to a results file (>> results.txt)
      3. Knowledge Transfer Phase - Search & Recover
        1. Explain Solutions available with the product. Guide here.
        2. Explain how to use the diagnostic tools and how to access them. Guide here.
        3. Explain index process for full versus incremental and lag to detect changed files.
        4. Demonstrate how to generate a support backup and how to download it from the admin download page. Guide here.
        5. Explain how to download CSV and large scripts from the admin download page. Guide here.
        6. Explain how to set the results location FQDN for SmartConnect and how SMB share names are inserted dynamically. Guide here.
        7. Explain where to find advanced field search syntax examples and search rules with wildcards. Guide here.
        8. Explain the security modes on indexed folders. Guide here.

      Golden Copy Section

      This only applies if the service was purchased with Golden Copy.

      1. Configuration Phase - Golden Copy
        1. Download: The OVA can be downloaded by following the normal download instructions here.
          1. The menu item to select is VMware OVF installers; then select the Eyeglass Golden Copy download
        2. Deploy to vCenter: During deployment to VMware, enter the IP address information for each node. Enter the cluster name in all lowercase with no special characters.
        3. Add License keys:
          1. Download keys using supplied token in process here.
          2. Copy the license zip file to node 1 with SCP or the WinSCP utility (both copy over the Secure Shell protocol); log in with ecaadmin and password above
        4. Apply License keys:
          1. Follow add license keys CLI instructions section "Licensing CLI Commands" in the Admin Guide.
        5. Add cluster:
          1. Follow add cluster CLI instructions section "Adding, Viewing Clusters" in the Admin Guide.
        6. Add Path to be copied:
          1. Follow the instructions to add a folder for archiving in the section "How to manage folders to be copied or synced" in the Admin Guide.
        7. Start Archiving Jobs:
          1. Follow the instructions to start an archiving job in the section "archive (start a copy job)" in the Admin Guide.
        8. Monitor Archive jobs:
          1. Follow the instructions to monitor copy progress of the folder path added above in the section "How to monitor copy job performance and job log" in the Admin Guide.
        9. Verify Copy Jobs and How to Review reports:
          1. Review summary copy reports
          2. Review detailed copy reports
      2. Test Phase - Golden Copy
        1. Login and try monitor copy reports:
          1. Open a browser to https://x.x.x.x (IP is node 1 of the cluster)
          2. Log in with ecaadmin and password
          3. Start a file copy, monitor the copy, review copy logs
        2. Advanced Feature Walkthrough
          1. How to configure folders for S3 storage types (add, modify, delete)
          2. Walk through folder flags, their meaning, and how to configure features
      3. Knowledge Transfer Phase - Golden Copy
        1. Explain best practices and when to use copy vs. sync mode
        2. Explain use cases for deferred delete, Airgap
        3. Explain single file restore
        4. Explain bulk restore and commands
        5. Explain rate limiting options for bandwidth
        6. Explain concurrent file copy settings and the impact of increasing them
        7. Explain Isilon node use case
        8. Explain load balancing copies to target storage


      Copyright Superna LLC