Security, et al

Randy's Blog on Infosec and Other Stuff

LOGbinder SQL Released!

Tue, 01 May 2012 15:37:35 GMT

I am excited to announce the release of our latest audit logging agent over at LOGbinder.com...

Introducing LOGbinder SQL

Our LOGbinder SQL agent enriches SQL Server’s cryptic and generic audit messages to produce easy-to-understand audit log events. Similar to LOGbinder SP, these events can be output to the Security log or to a custom Windows event log, where any log management or SIEM solution can collect, alert, report, and analyze them.

SQL Server Audit Log Processing

SQL Server 2008 introduced a totally new audit logging facility which is critical to enterprises storing sensitive information and/or processing important transactions in today’s demanding compliance environment.

SQL Server Audit is flexible in terms of audit policy and comprehensive in relation to the breadth and depth of objects and actions that can be audited. However, the audit data generated by SQL Server needs additional refinement and processing before it can be relied upon as a usable audit trail and managed by your existing log management/SIEM solution.

Refines the cryptic SQL audit log

The audit records generated by SQL Server audit are cryptic and difficult to understand. Basically, one log record format is used for documenting everything from an insertion on a table to a modification of a stored procedure. And while SQL Server can write events to the security log, it uses the same event ID for all events, and the IDs and keywords are not resolved. Thus, it requires in-depth knowledge of the SQL audit model in order to decipher events.


Frees SQL audit logs from their proprietary format

The preferred and highest performance option for audit log output results in a proprietary file format that cannot be parsed by log management/SIEM solutions using typical text log file-based parsing engines.

Our new LOGbinder SQL agent processes the proprietary formatted SQL Server audit log and enriches SQL Server’s cryptic and generic audit messages to produce an easy-to-understand audit log event which then outputs to the Windows event log, where any log management or SIEM solution can collect, alert, report, and analyze.

Enriches SQL audit logs without impacting SQL Server performance

LOGbinder SQL can be installed either on the SQL Server itself or, to eliminate any impact on business database functions, on a separate server running the LOGbinder SQL agent, which processes audit logs from multiple SQL Servers via shared folders.

Connects SQL Audit to Your SIEM

LOGbinder SQL fills a critical gap between enterprise database servers and audit log management solutions, allowing you to obtain a clearly-written and easy-to-understand audit log that is accessible to your existing log management solution. Similar to our efforts with LOGbinder SP, we will be working with log management and SIEM solution providers to build recommended alerts and reports into their systems for SQL Server audit logs processed by LOGbinder SQL.

Download LOGbinder SQL now!

Or, if you want further information on this new solution, please contact sales.


Chances are Someone is Trying to Steal Your Organization’s Information

Tue, 01 May 2012 08:32:36 GMT

Originally published at Lumension.com
http://blog.lumension.com/4804/chances-are-someone-is-trying-to-steal-your-organizations-information/

Chances are someone is trying to steal your organization’s information. Instead of expending all your effort on defensive posture controls, there are ways to actively seek out and disrupt attempts to steal your organization’s information. This is called counter-intelligence, and that good old cold warrior George Smiley should be your hero. Seriously, John le Carré novels are a good place to start if you want to understand the concept.

Wikipedia describes counter-intelligence as “measures taken to detect enemy espionage or physical attacks against friendly intelligence services, prevent damage and information loss, and, where possible, to turn the attempt back against its originator. Counterespionage goes beyond being reactive, and actively tries to subvert hostile intelligence services”.

Employing counter-intelligence techniques is recognized as an important technique in defending against economic espionage. (Googling economic espionage and corporate counter-intelligence will provide loads of information on these important concepts.) For instance check out the FBI site’s section on economic espionage which states that “The Cold War is not over, it has merely moved into a new arena: the global marketplace. The FBI estimates that every year billions of U.S. dollars are lost to foreign and domestic competitors who deliberately target economic intelligence in flourishing U.S. industries and technologies.”

How can you implement counter-intelligence? It depends upon your role and scope within the organization. Is your mandate limited to cyber threats or information security in general? Either way, the first place to start is training employees. Wide-scope training would include helping people understand elicitation techniques (aka social engineering). The bad guys know how to exploit someone’s desire to be polite, desire to be important or even someone’s tendency to correct others. The FBI even provides a brochure on elicitation techniques and how to detect and deflect them. Cyber-scope training should help end-users be more information-security aware in how they respond to email, phone calls and social networking contacts. Start by showing employees how they can be profiled by criminals looking for a member of your organization through whom to establish a “beach-head”. As the RSA advanced persistent threat of last year proves, the initial target doesn’t need to be someone with direct access to the desired information. So both management and the rank and file need to understand that everyone is a target. Provide your people with an easy way to report suspicious contact attempts, whether from the cyber or “real” worlds.

But how can you take counter-intelligence to the next level? Here are two ideas within the scope of cyber security. The first is an adaptation of the old honeypot server concept of the nineties, used to research web server attacks. Take the same concept but apply it to the internal network and change the purpose to detection. There’s no need to set up a separate server – in fact it may be better not to. Instead, plant honeypot resources throughout your production systems.

For instance, on file servers, create special folders intermingled with real production file folders. In these honeypot folders put a collection of file formats such as MS Office documents, PDFs or other files specific to your industry – AutoCAD files for instance. You can create similar lists and document libraries in SharePoint or tables on database servers. Open up access permissions so that anyone can access them. (If possible allow access to list the contents without giving access to the actual content of the data. In Windows, this is the difference between List and Read access on a folder. This way it will be more difficult for attackers to recognize the data as being fake.) Then enable auditing on those honeypot resources and start monitoring attempts to access this data.

Remember that our goal is to catch outsiders, whether in the form of an active human intruder or any type of malware designed to collect desirable information and send it back to the attacker. This particular operation is not designed to catch the dishonest insider. To prevent the audit system from being overwhelmed with false positives caused by innocent employees, they need to be trained to recognize these honeypot resources for what they are and to stay out of them. Perhaps you include a specific but bogus abbreviation, like “ACT”, in the name of all such resources. Employees that see “Transmogrifier Plans ACT” will know to avoid that folder even if there really is a Transmogrifier project at your organization. (If there is, please let me know because I would love to have one.)
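The folder honeypot described in the two paragraphs above, as an added example that is not from the original post: it creates one such folder with List-only access and a read audit on the files inside it, then pulls the matching Security-log events. It assumes a Windows file server, an elevated PowerShell session, the post’s “ACT” naming marker, and that the Object Access / File System audit subcategory is already enabled in audit policy; New-HoneypotFolder, Get-HoneypotAccess and the decoy file name are made up for the example.

```powershell
# Added example, not part of the original post. Creates one honeypot folder the way the
# post describes: everyone may list it, nobody gets an extra Read grant, and every open
# of a file inside it is audited (success and failure). Assumes Windows, an elevated
# shell, and that the "Audit File System" (or Object Access) audit subcategory is enabled.
function New-HoneypotFolder {
    param(
        [Parameter(Mandatory)] [string] $Path,       # must end in the " ACT" marker, e.g. 'D:\Projects\Transmogrifier Plans ACT'
        [string] $DecoyName = 'Phase2-Budget.xlsx'   # constructed decoy file name
    )
    if ($Path -notmatch ' ACT$') { throw "Honeypot folder names must end in ' ACT' so staff know to stay out." }
    $null = New-Item -ItemType Directory -Path $Path -Force
    Set-Content -Path (Join-Path $Path $DecoyName) -Value 'placeholder'   # looks real in a listing; reading it is the signal

    $acl = Get-Acl -Path $Path -Audit   # -Audit so the SACL round-trips through Set-Acl

    # List only: ContainerInherit without ObjectInherit, because ListDirectory and ReadData share the
    # same bit; letting it inherit to files would silently grant Read on the decoys.
    $listOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'ListDirectory,ReadAttributes', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($listOnly)

    # Audit reads of files (ObjectInherit + InheritOnly = files only), not the folder listing itself,
    # so an employee merely browsing past the folder does not create a false positive.
    $auditReads = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ReadData', 'ObjectInherit', 'InheritOnly', 'Success,Failure')
    $acl.AddAuditRule($auditReads)

    Set-Acl -Path $Path -AclObject $acl
}

# Pulls the resulting Security-log events: 4663 (access granted) and failed 4656 (handle refused),
# keeping only objects whose path carries the " ACT\" marker.
function Get-HoneypotAccess {
    param([string] $Marker = ' ACT\', [int] $Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -notlike "*$Marker*") { return }
        $failed = $_.KeywordsDisplayNames -contains 'Audit Failure'
        if ($_.Id -eq 4656 -and -not $failed) { return }   # a successful 4656 is followed by a 4663; report once
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object  = $data.ObjectName
            Process = $data.ProcessName
            Outcome = if ($failed) { 'Failure' } else { 'Success' }
        }
    }
}
```

Permissions inherited from the parent folder (for example Users: Read) still apply to the decoy files, so reads by already-privileged accounts show up as Success rather than Failure; both are the nibble the post talks about.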

Here’s a more strategic counter-intelligence operation taken from the pages of The Spy Who Came in from the Cold. In this famous le Carré novel, British intelligence officer Alec Leamas is recalled to headquarters after his East Berlin spy network is rolled up by East German counter-intelligence officer Hans-Dieter Mundt. But instead of being assigned a desk job, he is offered an opportunity to get revenge. In a brilliantly conceived plot he takes on the role of an embittered has-been, forced into retirement and betrayed by his own government – a tempting target for Mundt.

You can hang out tempting targets for your attackers too. In consulting projects we created fake corporate personas complete with email addresses, phone extensions, corporate directory entries and social networking presences. Give them key jobs in important departments. To look real, these take some work and need regular updating. Monitor their voice mail, email and social network presence for messages. When you get activity from people inside or outside the organization, it’s like a fisherman getting a nibble on his line. It will take time to determine if it’s the species you are fishing for or just a passing nibble from someone innocent.

Chances are that your people are going to be targeted. Take advantage of that by putting your own Alec Leamas out there to distract and trap them. Chances are someone is going to penetrate your preventive controls. If you can detect them in your network before they get too far you are still ahead of the game. Maybe you can even waste their resources and time by feeding them misleading information and even eroding their credibility with their masters. Wouldn’t that be fun?
