Shadow Tap sensors are devices you place on your network to detect malicious behaviour or corporate policy violations. Shadow Tap sensors report all alerts to your Shadow Tap account and, if configured, by email and text message.
Ideally you will want one sensor per subnet of your network. For networks that only have one subnet, only a single sensor is needed. Shadow Tap is not your typical IDS and does not need port mirroring to be configured in order to do its job!
Shadow Tap sits on the network like any other device, such as a desktop or server. When malicious users or malware compromise a network, they scan its subnet to identify further machines to compromise and infect. Once these malicious actors scan the Shadow Tap sensor, it immediately sends alerts to the dashboard, and by email and SMS if configured. Malware and hackers won't know that Shadow Tap is deployed until it's too late, giving you early detection of threats that might otherwise go unnoticed for months. With over 65,000 signatures of known attack vectors built in and updated nightly, Shadow Tap provides enterprise-level protection at minimal cost.
The alerts and device information you provide on the website are stored on Shadow Tap's secure servers, so you don't need to set up devices or datastores on your network. However, Shadow Tap is aware that customers may want to house the data internally and not have it sent outside the organization's datacentre. For this reason Shadow Tap offers a fully in-house solution that is set up by our team and ensures all your data remains in-house. Contact email@example.com to get a quote on in-house installations.
Shadow Tap sensors can be added by simply clicking the "ADD SENSOR" button in the dashboard. There is currently no maximum on the number of sensors you can deploy on a network.
Shadow Tap's main benefit is its ease of deployment. Simply plug in or power on a sensor and follow the onscreen instructions to register it. Once a device is registered, you control all its functionality through the dashboard. Hardware sensors can be set up in under a couple of minutes, while virtual sensors can be deployed in under 30 seconds from power-on. Shadow Tap sensors are configured by default to watch the network for over 12,000 signatures of actionable events, created and vetted by the global information security community. You can further configure each individual sensor, or all sensors at once, to enable up to 65,000 different rules covering everything from the latest threats, as identified by the security community on a nightly basis, to corporate policy violations such as Dropbox or Skype. Most importantly, Shadow Tap is fairly priced and much cheaper than any comparable solution.
1. SSH into the box using root as the user name and "st-19999" as the password if the device has not been registered (reset state).
2. Type "nano /etc/dhcpcd.conf" (without the quotes) into the command line once logged in.
3. Add the following lines, with the proper IP (ip_address), gateway (routers) and DNS (domain_name_servers), to the end of this file:
    interface eth0
    static ip_address=192.168.0.10/24
    static routers=192.168.0.1
    static domain_name_servers=192.168.0.1
4. Press CTRL+X then press "Y" to save your changes.
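A mistyped gateway or a missing /24 suffix in this file leaves the sensor unable to reach the dashboard, so it is worth checking the stanza before rebooting. The script below is an added example, not Shadow Tap's own tooling; the function names are hypothetical and the sample file is constructed from the values in step 3.

```shell
#!/bin/sh
# Added example (not vendor code); function names are hypothetical, sample is constructed.

# Dotted-quad IPv4 -> integer on stdout; non-zero status if malformed.
ip_to_int() (
  case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
  IFS=.; set -- $1   # split on dots; the ( ) body keeps IFS local
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|0?*|????*) return 1 ;; esac   # empty, leading zero, too long
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Print each problem in IFACE's static settings in FILE; status 0 only if clean.
check_static_stanza() (
  file=$1 iface=$2 in_block=0 addr= router= dns= rc=0
  while read -r key val _ || [ -n "$key" ]; do
    case $key in
      interface) [ "$val" = "$iface" ] && in_block=1 || in_block=0 ;;
      static)
        [ "$in_block" -eq 1 ] || continue
        case $val in
          ip_address=*) addr=${val#*=} ;;
          routers=*) router=${val#*=} ;;
          domain_name_servers=*) dns=${val#*=} ;;
        esac ;;
    esac
  done <"$file"
  ip=${addr%/*} prefix=${addr#*/}
  case $addr in */*) ;; *) echo "ip_address missing or lacks /prefix: '$addr'"; return 1 ;; esac
  case $prefix in ''|*[!0-9]*|0?*|???*) echo "bad prefix: $prefix"; return 1 ;; esac
  [ "$prefix" -le 32 ] || { echo "bad prefix: $prefix"; return 1; }
  ip_n=$(ip_to_int "$ip") || { echo "bad ip_address: $ip"; return 1; }
  gw_n=$(ip_to_int "$router") || { echo "bad or missing routers: '$router'"; return 1; }
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  [ $(( ip_n & mask )) -eq $(( gw_n & mask )) ] || { echo "gateway $router outside $addr"; rc=1; }
  [ "$ip_n" -ne "$gw_n" ] || { echo "sensor and gateway are both $ip"; rc=1; }
  ip_to_int "$dns" >/dev/null || { echo "bad or missing domain_name_servers: '$dns'"; rc=1; }
  return $rc
)

# Constructed sample: the stanza from step 3, written to a temp file and checked.
sample=$(mktemp)
printf '%s\n' 'interface eth0' 'static ip_address=192.168.0.10/24' \
  'static routers=192.168.0.1' 'static domain_name_servers=192.168.0.1' >"$sample"
check_static_stanza "$sample" eth0 && echo "eth0 stanza OK"
rm -f "$sample"
```

On the sensor, call `check_static_stanza /etc/dhcpcd.conf eth0` after saving the file; only the first DNS server listed is validated.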
When the device is loaded, select option "3" to set up a static IP address. Set the gateway, netmask, broadcast and DNS servers, secondary DNS (optional) and the IP address to assign. Once the changes are made, select "Y" to save your changes. Please wait for the system state to finish saving before proceeding to obtain a device ID. This can take up to a couple of minutes.
Shadow Tap sensors are set to alert as soon as they see malicious traffic. Even if your network was compromised before installing Shadow Tap, as soon as malware or malicious users scan for vulnerable hosts, the sensors will alert you to this activity, allowing you to act.
Shadow Tap does not view or care about encrypted traffic. Shadow Tap is simply looking for exploit attempts or network scans by malicious users or malware on your network which have a known signature. Shadow Tap sensors' rulesets are updated nightly, providing you with the most up-to-date protection fast!
Shadow Tap offers a hardware and a software version of its sensors. Hardware sensors are plug and play, while software sensors require virtualization software such as VMware ESX or Oracle VirtualBox to deploy.
Shadow Tap utilizes the Snort ruleset and Emerging Threats rules, which currently sit at over 65,000 known attack vectors and behaviour traits. By default, with no configuration, Shadow Tap sensors are set to detect security-related exploit attempts (#3 below). There are three options to choose from without adding additional rules, as described below:
1. Connectivity - You run a lot of real-time applications (VoIP, financial transactions, etc.), and don't want to run any rules that could affect the current performance of your sensor. This category focuses on high-profile vulnerabilities, the type most likely to affect the largest number of people.
2. Balanced - You are normal, you run normal stuff and you want normal security protections. This is the best policy to start from if you are new, old, or just plain average. If you don't have any special requirements for super high speeds or super secure networks start here.
3. Security - You don't care about dropping your boss's email, everything in your environment is tightly regulated and you don't tolerate people stepping outside of your security policy. This policy hates on IM, P2P, vulnerabilities, malware, web apps that cause productivity loss, remote access, and just about anything not related to getting work done. If you run your network with an iron fist, start here.
There are currently two versions of Shadow Tap sensors. The hardware version is a modified Raspberry Pi which just needs a network connection and power provided by a USB cable. The virtual appliance (OVA) requires a minimum of 1 core, 4GB of RAM and 1GB of disk space. The use of a virtual appliance allows users to have multiple network segments all monitored by one sensor, or to easily deploy sensors to multiple segments without the need for a hardware device.
Ensure that your sensor has connectivity to the internet and that "LOGGING" is "ACTIVE" in the dashboard under "My Sensors." You must allow the device access to port 443 on www.shadowtap.com and port 3306 to events.shadowtap.com in order for the device to be able to register and log alerts. If these are confirmed, try to reset the box and reregister it with www.shadowtap.com once a device ID has been generated on it. Remember, Shadow Tap sensors by default are set to only look for known malicious traffic, so no alerts is a good thing!
To factory reset a hardware sensor, you will need to SSH into it using the user name "st_main" with the password "st-19999" if the device has not been registered. If the device has been registered, the password for "st_main" will be the device ID as shown at the top of the screen, including dashes and all uppercase characters.
Please send an email to firstname.lastname@example.org for any assistance setting up your Shadow Tap sensor.
Please complete this form to request a free one-month trial. If you don't love it, send it back at no charge!