TekStream Partners with Hyland to Provide Content Services

TekStream now offering Hyland implementation and support services

ATLANTA, GA, February 28, 2019 — TekStream, an Atlanta-based technology company, and Hyland, a leading provider of information management solutions, are partnering to help organizations achieve their digital transformation goals by enabling seamless, end-to-end content management for their entire ECM process.

TekStream leverages a combination of business-consulting, implementation, managed services and recruiting expertise to help organizations manage the massive volumes of applications, content, Internet-based services, and machine data that have been created over the past decade as well as take advantage of next generation cloud-based solutions. Our implementation services for Hyland OnBase, an enterprise information platform, are designed to help our clients make the most out of their Hyland OnBase solutions while providing strategic vision and “Best Practices” to ensure their success.

“As a Hyland Partner, TekStream is committed to working hand-in-hand with our clients to create an approach and architecture that best fits both immediate needs and future growth,” said Troy Allen, Vice President of TekStream. “TekStream is able to leverage business consulting and technical implementation expertise along with Hyland OnBase product expertise to help organizations efficiently implement information management solutions from a department level to full-scale enterprise solutions. More importantly, we help customers find new ways to leverage those assets to fuel innovation, improve new customer relationships, improve business processes, and reduce costs as they look towards the next 5-10 years of growth.”

Our core offerings with Hyland include:
• Business Strategy and Design Services
• Enterprise Content Management Solutions
• Contract Management Solutions
• Case Management Solutions
• Accounts Payable Solutions
• Enterprise Portal Solutions
• Managed Services and Support
• Business and Technical Training

About TekStream
TekStream is an Atlanta-based technology solutions company that offers business and digital transformation, managed services, and recruiting expertise to help companies manage their applications, business processes, content, human capital, and machine data as well as take advantage of next-generation cloud-based solutions. TekStream’s IT consulting solutions combined with its specialized IT recruiting expertise help businesses increase efficiencies, streamline costs, and remain competitive in an extremely fast-changing market. For more information about TekStream Solutions, visit www.tekstream.com or email Shichen Zhang at shichen.zhang@tekstream.com.

About Hyland 
Hyland is a leader in providing software solutions for managing content, processes, and cases for organizations across the globe. For over 25 years, Hyland has enabled more than 19,000 organizations to digitalize their workplaces and fundamentally transform their operations. Named one of Fortune’s Best Companies to Work For® since 2014, Hyland is widely known as both a great company to work for and a great company to do business with. For more information, please visit Hyland.com.

# # #

Using Splunk to Monitor USB Removable Storage Devices

Windows Event Log Monitoring

Abstract

Information security is only as effective as the physical security policies behind it. Splunk continues to be a valuable tool in providing insight into risk and threat detection. As more security operations centers (SOCs) look to limit the exposure of sensitive data, USB removable storage devices (thumb drives, external hard drives, cell phones with high-capacity storage, and SD cards) introduce risk. These devices are helpful in providing a backup location for important documents and files, and they make it easy to move data from one system to another. They can also be used to steal data or move it to an unsecured location. Using Splunk, a security team can monitor when these devices are plugged into systems.

Using Windows

Windows information on USB devices can be found here:

Logging of USB device information in Windows must be enabled before moving forward. The current default in administrative policy is to have this feature disabled, and enabling it requires administrative access to Windows.

Test Procedures

Devices
By default, the Windows operational logging option for these devices is disabled, so there is no historical data to draw upon. Once operational logging is enabled, it is important to generate data by plugging in different devices. Record the time each device was plugged in, when the device was stopped via software, and when the device was physically removed.

Insert Time   Stop Time   Remove Time   Device
10:20am       10:23am     10:24am       Generic USB Drive
10:29am       10:30am     10:31am       Kingston Micro SD Card
10:33am       10:36am     10:37am       Seagate USB External Drive
10:45am       10:52am     10:53am       Western Digital External Hard Drive (Micro USB)

Different devices should produce different results, especially when the vendor ID and device ID are recorded. A list of USB IDs can be found here:
http://www.linux-usb.org/usb.ids

Adding Data to Splunk

Perform a series of tests (inserting and removing USB devices) to generate a log full of events to be exported. While it is possible to ingest the data through the Splunk Add-On for Windows, doing so without the add-on requires exporting the log as a text file with the fields separated by tabs.
In Splunk, add the data using the UI: select Add Data, and then Upload.

Based on how the data was exported from Windows, select the following sourcetype:

Structure >> TSV (Tab-Separated Value)

Create a new index, such as “wineventlog”, to group the events and make searching easier.

Event ID

Identifying Microsoft’s Event IDs is one of the requirements for determining when a USB device has been inserted. This helps refine a search for qualifying events and eliminates non-useful events from the group. A search was used in Splunk to count the number of each event ID seen in the logs.

The event IDs observed, with their category and message text, are:

1000 Startup of the driver manager service. The Driver Manager service started successfully
1003 Creation of a new driver host process. The Driver Manager service is starting a host process for device (Device){GUID}.
1004 Creation of a new driver host process. The host process ({GUID}) started successfully.
1006 Shutdown of a driver host process. The host process ({GUID}) is being asked to shutdown.
1008 Shutdown of a driver host process. The host process ({GUID}) has been shutdown.
2000 Startup of a new driver host process. The UMDF Host Process ({GUID}) is starting up.
2001 Startup of a new driver host process. The UMDF Host Process ({GUID}) started successfully.
2003 Loading drivers to control a newly discovered device. The UMDF Host Process ({GUID}) has been asked to load drivers for device (Device).
2004 Loading drivers to control a newly discovered device. The UMDF Host is loading driver WUDFUsbccidDriver at level 0 for device (Device).
2005 Loading drivers to control a newly discovered device. The UMDF Host Process ({GUID}) has loaded module C:\windows\System32\USER32.dll while loading drivers for device (Device).
2006 Loading drivers to control a newly discovered device. The UMDF Host successfully loaded the driver at level 0.
2010 Loading drivers to control a newly discovered device. The UMDF Host Process ({GUID}) has successfully loaded drivers for device (Device).
2100 Pnp or Power Management operation to a particular device. Received a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device).
2101 Pnp or Power Management operation to a particular device. Completed a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device) with status 0x0.
2102 Pnp or Power Management operation to a particular device. Forwarded a finished Pnp or Power operation (RequestMajorCode, RequestMinorCode) to the lower driver for device (Device) with status 0x0.
2105 Pnp or Power Management operation to a particular device. Forwarded a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device) to the lower driver with status 0xC00000BB
2106 Pnp or Power Management operation to a particular device. Received a Pnp or Power operation (RequestMajorCode, RequestMinorCode) for device (Device) which was completed by the lower drivers with status 0x0
2900 Shutdown of a driver host process. The UMDF Host ({GUID}) has been asked to shutdown.
2901 Shutdown of a driver host process. The UMDF Host ({GUID}) has shutdown.

*Value labels such as (Device), ({GUID}) and (RequestMajorCode, RequestMinorCode) are placeholders; actual events carry specific values in their place.

In reviewing the events, we concluded Event IDs 1003, 2003, and 2102 provided the best group of events to identify when a device is inserted and removed, without being overly verbose. If Event Filtering is available prior to being ingested into Splunk, these events would be the most valuable. From what we have seen, 1003 seems to capture USB Removable Drives, but will not capture mobile devices. In addition, 2003 seems to capture MTP devices.

Splunk

The Search
Ultimately, the data with the corresponding Event IDs was used to formulate a search that returns relevant information about when a USB device was inserted or removed.

Line Notes

The Results

Future Consideration

The search extracts important fields that are not heavily used in the search itself. GUID, Vendor ID, Product ID, and device names can all be used to further elaborate on device specifics and to correlate these events with other actions. The process GUID may be linked to a different process, potentially one which reveals actions taken from or to the removable USB device. It is worth exploring further and getting a more detailed analysis of USB Mass Storage Devices.
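As an added example (not part of the original post and not TekStream's own search), here is a Python prototype of the same logic run over the tab-separated export: it keeps only the event IDs chosen above, treats 1003 and 2003 as insertions, reads the finished Pnp operation codes carried by 2102 to spot removals, and pulls out the host GUID and the vendor/product identifiers mentioned under Future Consideration. The TSV rows are constructed, the column layout of the Event Viewer export is assumed, and the decimal Pnp codes (27 for IRP_MJ_PNP, 2 and 23 for remove and surprise removal) are standard WDK values assumed to appear in the message text.

```python
import re
# Event IDs the post settles on: 1003 (removable drives) and 2003 (MTP devices) mark an
# arriving device; 2102 carries the finished Pnp request whose codes reveal a removal.
ARRIVAL_IDS, PNP_DONE_ID = {1003, 2003}, 2102
# (RequestMajorCode, RequestMinorCode): IRP_MJ_PNP=27 with IRP_MN_REMOVE_DEVICE=2 or
# IRP_MN_SURPRISE_REMOVAL=23 (standard WDK values; assumed to be logged in decimal).
REMOVAL_CODES = {(27, 2), (27, 23)}
CODES_RE = re.compile(r"operation \((\d+), (\d+)\)")
HOST_RE = re.compile(r"Host(?: Process)? \(\{([0-9a-f-]{36})\}\)", re.I)
VIDPID_RE = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)
VENPROD_RE = re.compile(r"VEN_([^&#\\]+)&PROD_([^&#\\]+)", re.I)

# Constructed rows shaped like an Event Viewer tab-delimited export (not real logs).
DISK = r"SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07#0123&0#"
PHONE = r"USB\VID_1234&PID_5678\SERIAL01"
HOST = "{1b2c3d4e-0000-4000-8000-000000000001}"
ROWS = [
    ("2/28/2019 10:20:01 AM", "1003", "The Driver Manager service is starting a host process for device %s." % DISK),
    ("2/28/2019 10:23:50 AM", "2102", "Forwarded a finished Pnp or Power operation (27, 1) to the lower driver for device %s with status 0x0." % DISK),
    ("2/28/2019 10:24:02 AM", "2102", "Forwarded a finished Pnp or Power operation (27, 2) to the lower driver for device %s with status 0x0." % DISK),
    ("2/28/2019 10:40:10 AM", "2003", "The UMDF Host Process (%s) has been asked to load drivers for device %s." % (HOST, PHONE)),
]
SAMPLE_TSV = "Level\tDate and Time\tSource\tEvent ID\tTask Category\tDescription\n" + "\n".join(
    "\t".join(("Information", t, "DriverFrameworks-UserMode", eid, "Operational", msg)) for t, eid, msg in ROWS)

def parse_tsv(text):
    """Return one dict per data row, keyed by the header names of the export."""
    lines = [ln.split("\t") for ln in text.splitlines() if ln.strip()]
    return [dict(zip(lines[0], row)) for row in lines[1:]]

def device_identity(desc):
    """Vendor/product from a USB VID_&PID_ path or a USBSTOR VEN_&PROD_ path."""
    m = VIDPID_RE.search(desc)
    if m:
        return {"vid": m.group(1).upper(), "pid": m.group(2).upper()}
    m = VENPROD_RE.search(desc)
    return {"vendor": m.group(1), "product": m.group(2)} if m else {}

def usb_timeline(text):
    """List of (time, action, host_guid, identity) for inserts and removals only."""
    out = []
    for rec in parse_tsv(text):
        eid, desc = int(rec["Event ID"]), rec["Description"]
        host = HOST_RE.search(desc)  # only 2xxx events name the UMDF host process GUID
        codes = CODES_RE.search(desc)
        if eid in ARRIVAL_IDS:
            out.append((rec["Date and Time"], "insert", host and host.group(1), device_identity(desc)))
        elif eid == PNP_DONE_ID and codes and tuple(map(int, codes.groups())) in REMOVAL_CODES:
            out.append((rec["Date and Time"], "remove", host and host.group(1), device_identity(desc)))
    return out
```

The (27, 1) row is deliberately kept out of the timeline: a query-remove that never completes should not be reported as a removal.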

Want to learn more about using Splunk to monitor USB removable storage devices? Contact us today!
