Security, et al

Randy's Blog on Infosec and Other Stuff

Anatomy of a Hack Disrupted: How one of SIEM’s out-of-the-box rules caught an intrusion and beyond

Thu, 15 Oct 2015 15:37:14 GMT

Every year, organizations spend millions of frustrating hours and countless sums of money trying to reverse the damage done by malware attacks. The harm caused by malware can be astronomical, going well beyond intellectual property loss and huge fines levied for non-compliance. In 2014, the cost of malware attacks and resulting breaches was estimated at $491 billion. [i] And these costs include more than just the money spent trying to directly respond to security breaches. Productivity, long-term profitability, and brand reputation are often severely impacted as well.

The malware threat is growing larger and becoming more challenging to respond to every year. It seems like every month there are more major breaches. Target, Neiman Marcus, and UPS have all been victims of costly breaches in the past couple years, with each event showing signs that the breaches could have been prevented. Phishing-based malware was the starting point 95 percent of the time in state-sponsored attacks, and 67 percent of the time in cyber-espionage attacks.[ii]

With such high-profile organizations being the target of attacks, do you really need to be worried?


It’s easy to shrug off the threat of malware and believe that the target will always be a retail organization or a huge brand name, that it will never be your organization. However, according to a 2015 Ponemon study, 80 percent of all organizations experience some form of Web-borne malware. [iii] So don’t be lulled into a false sense of security: All industries are at risk, including the financial, health care, and government sectors you hear about in the news.

And remember, these attacks aren’t confined to large, multinational corporations. Cybercriminals frequently target small and midsized businesses (SMBs). A prime example of an attack on a small business is Pennsylvania-based A cyberattack occurred in 2014, costing the company $200,000, not including lost sales after the attack while the company had to temporarily stop accepting credit card payments. Granted, this attack is not on the same scale from a total dollar perspective as the more well-publicized breaches we hear about in the media. But for a small company, an attack of this size can be just as devastating, if not more so.

Malware is not just an annoyance or minor inconvenience. It is the gateway to far more serious problems for a company and its customers. And it invades a network easily. There are many insidious ways it can infect a system: email attachments, phishing email messages, various file-sharing programs, and out-of-date OS patching, to name a few. And once it infects a single computer or network node, it can quickly spread throughout your network like an out-of-control forest fire. This lateral spread is called a horizontal kill chain and features heavily in every attack we analyze.


What if there were a way to solve these potentially devastating problems before they got out of hand? Or even before they occurred in the first place? There is. This paper discusses just such a real-life situation, in which a malware attack took place but was discovered by the built-in rules of LogRhythm before any damage occurred.

The situation involves a customer of LogRhythm. LogRhythm is a leading provider of security intelligence and analytics solutions. LogRhythm empowers organizations around the globe to rapidly detect, respond to, and neutralize damaging cyber threats, giving clients the ability to catch and proactively solve problems they might not have otherwise anticipated.

What follows is a textbook example of the kind of problems LogRhythm solves on a regular basis and the risks it mitigates for its customers every day. This malicious activity could have led to a very serious intrusion with devastating repercussions, but LogRhythm caught it immediately and the client was able to research and mitigate it easily and quickly by using additional capabilities of LogRhythm including packet analysis, custom alarms and more.


It all started when the organization received a SIEM alarm from LogRhythm’s Advanced Intelligence Engine (AIE), notifying the IT team of a suspicious situation: A single domain user account had established simultaneous VPN access from two separate locations. This anomaly was caught by a default, out-of-the-box rule in LogRhythm, as shown in Figure 1.

Figure 1: LogRhythm's AI Engine

The situation was an obvious case of compromised user credentials. A corporate end user should typically not be logging in simultaneously from two geographically separate locations. In response, the organization’s Security Operations Center (SOC) called the end user (who happened to be a technical security staff member himself) to investigate the matter. The SOC wondered if the user had set up a proxy device from home, or was perhaps using his mobile device to initiate a connection or even running his own penetration test just to play with his colleagues. The SOC determined that the end user had no malicious intent; he was using the VPN in a legitimate fashion while traveling on a business trip.
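The rule that fired here reduces to a small correlation over VPN session logs. What follows is an added, constructed example, not LogRhythm's code: it replays session start and end records, keeps the open sessions per account, and alarms when an account opens a session from a second location while one is still open somewhere else, while two sessions from the same location (a laptop and a phone in the same hotel, say) stay quiet. The log format, field names and the geolocation table are assumptions.

```python
"""Detect one account holding VPN sessions from two locations at once.

Constructed illustration of the out-of-the-box SIEM rule described in the
post; the log format, field names and the geo lookup table are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed VPN concentrator log lines: timestamp, action, user, source IP.
SAMPLE_LOG = """\
2015-10-01T08:02:11Z vpn-session-start user=jdoe src=203.0.113.25
2015-10-01T08:15:40Z vpn-session-start user=asmith src=198.51.100.7
2015-10-01T08:20:03Z vpn-session-start user=asmith src=198.51.100.9
2015-10-01T08:31:05Z vpn-session-start user=jdoe src=192.0.2.140
2015-10-01T09:00:00Z vpn-session-end   user=asmith src=198.51.100.7
2015-10-01T10:10:10Z vpn-session-end   user=jdoe src=203.0.113.25
2015-10-01T10:12:00Z vpn-session-start user=jdoe src=192.0.2.141
"""

# Constructed stand-in for a geolocation feed: prefix -> location label.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "Denver, US",
    ip_network("198.51.100.0/24"): "Boulder, US",
    ip_network("192.0.2.0/24"): "Frankfurt, DE",
}


def geolocate(ip: str) -> str:
    """Map a source address to a coarse location; unknown prefixes get 'unknown'."""
    addr = ip_address(ip)
    for net, place in GEO_TABLE.items():
        if addr in net:
            return place
    return "unknown"


@dataclass
class Session:
    user: str
    src: str
    started: datetime


@dataclass
class Alarm:
    user: str
    first: Tuple[str, str]    # (source IP, location) of the session already open
    second: Tuple[str, str]   # (source IP, location) of the new session
    at: datetime


def parse_line(line: str):
    ts, action, user_kv, src_kv = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), action,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def find_concurrent_sessions(log_text: str) -> List[Alarm]:
    """Replay the log in order, tracking open sessions per user, and raise an
    alarm when a user starts a session from a location different from one
    they still have open. Same-location concurrency is deliberately ignored."""
    open_sessions: Dict[str, Dict[str, Session]] = {}
    alarms: List[Alarm] = []
    for line in log_text.splitlines():
        ts, action, user, src = parse_line(line)
        sessions = open_sessions.setdefault(user, {})
        if action == "vpn-session-start":
            new_loc = geolocate(src)
            for s in sessions.values():
                old_loc = geolocate(s.src)
                if old_loc != new_loc:
                    alarms.append(Alarm(user, (s.src, old_loc), (src, new_loc), ts))
                    break  # one alarm per offending session start is enough
            sessions[src] = Session(user, src, ts)
        elif action == "vpn-session-end":
            sessions.pop(src, None)
    return alarms


if __name__ == "__main__":
    for a in find_concurrent_sessions(SAMPLE_LOG):
        print(f"{a.at:%H:%M:%S} {a.user}: open from {a.first}, new session from {a.second}")
```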

Because he was boarding a return flight soon and would not need his laptop, the SOC instructed the user to turn it off until he arrived back at the home office and could deliver it to the investigation team. Additionally, the SOC disabled the compromised Active Directory account, and the user’s computer account was removed from the network.


Once the laptop was received, IT ran a full antivirus scan and found no suspicious files or programs on the system. The IT team then placed the unit in an isolation/test lab for observation before reimaging it, because they wanted to identify the source of the problem and take steps to prevent it in the future. So, the computer was isolated and observed with LogRhythm’s network monitoring probe running.

At many organizations, management over-relies on antivirus and assumes the organization is protected from any sort of malware damage. This is a serious misconception.

This particular threat was polymorphic in nature and as the name implies, it has the ability to change or “morph” regularly, thereby altering the appearance of its code. This characteristic bypasses detection by traditional antivirus tools and signatures. In our scenario, a more advanced scanner was deployed, and a file related to the threat was indeed found.

A proven, reliable antivirus solution is an important network security tool that you need on your network, but in today’s virulent, ever-changing threat landscape, it by no means provides the comprehensive protection you need. There is no substitute for comprehensive monitoring by a SIEM with a wealth of built-in knowledge about cryptic security logs and intelligent, pre-built rules to catch unusual activity.

Adobe Flash was suspected as the malware’s entry point because Shockwave was found to be improperly patched during a patch-scanning assessment of the computer (Figure 2). Unusual, irregular browser helper objects were also found; this situation is common when malware wants to hijack and redirect a browser session or send a user to a malicious site.


The organization used LogRhythm to initiate a full packet capture and deep packet inspection (DPI) of all traffic initiated during tests on the computer. A common destination IP address was found that did not belong to the organization. Naturally, this raised suspicions: All traffic from the isolated laptop was going to that same external IP address, indicating a possible hidden proxy mechanism on the isolated computer. See Figure 3.

Figure 3: A DPI showed traffic consistently going to the same IP address

Running ipconfig /displaydns showed that the computer's cached DNS lookups all resolved to a common host record. Obviously, this was a glaring red flag. Because the computer was sending every outbound packet to the same IP address, the problem was identified as intentional DNS poisoning.

It was important to the SOC to find out where the traffic was headed. Studying the IP address itself, the team identified a proxy IP address (DHCP lease) from an ISP in the United States. The SOC then contacted the ISP, which confirmed that the server was a compromised computer on its watch list.

The ISP then notified its customer (who had no malicious intent) that their server was hosting a compromised node (which was redirecting traffic to a location in Finland). The customer then took the server off the network and got the situation resolved.

Cybercriminals had been capturing and redirecting traffic through illegally compromised systems and would have had many opportunities to do harm, but they were thwarted in this case.


The investigation team uploaded the suspicious files to the antivirus community for the purpose of building awareness and with the hope that the community could create and deploy signatures and other heuristics to combat the malware threat.

Finally, to help prevent the same problem from happening again, the organization used LogRhythm to create a DPI rule to flag, alert, and capture proxy traffic and the same malware, should it reappear (Figure 4). The computer that experienced the suspicious activity was reimaged, and patching was tightened on it and on computers across the company for potential Flash- and Shockwave-related problems for even greater risk mitigation.

Figure 4: A DPI rule monitors for traffic sent to the malicious IP address

None of the organization’s vital information was compromised, because the suspicious activity was caught so quickly and aggressively, and because effective action was taken so promptly. What could have been a major incident, or even a catastrophic data breach, was a mere bump in the road.


Malicious external attackers will use any means to access corporate information. Delivery mechanisms such as phishing-based attachments and malware-laden websites allow attackers to enter the figurative four walls of your organization. Unpatched applications such as Flash and Java allow access to credentials, the underlying operating system, data, and applications, giving the external attacker the ability to not just access corporate data but, as in the case of the scenario above, the ability to pass any obtained information outside the corporate walls for further malicious use. It all starts with one compromised endpoint.

Organizations can no longer rely simply on signature-based scanning of machines to identify malware. Polymorphic malware takes on an infinite number of forms, making it difficult to identify. And malware doesn’t exist for the sake of just existing; it has a purpose in mind that always involves taking something from you. So, a comprehensive approach to protecting your organization will entail not just looking at malware as a set of files to be detected, but also looking at it in terms of the actions it takes. You should be looking for ways to detect those actions on your network with the same determination with which you’d use an antivirus scanner to look for malware executables.

By taking this approach to thwarting malware, LogRhythm’s customer was able to automatically identify and address a potential issue the moment it arose, well before any damage could be done. Expanding your anti-malware efforts beyond simple machine scans to include scanning the network for malware activity will create a layered defense, ensuring the greatest effort in stopping malware in its tracks.

About LogRhythm

LogRhythm, a leader in security intelligence and analytics, empowers organizations around the globe to rapidly detect, respond to and neutralize damaging cyber threats. The company’s award-winning platform unifies next-generation SIEM, log management, network and endpoint monitoring and forensics, and security analytics. In addition to protecting customers from the risks associated with cyber threats, LogRhythm provides innovative compliance automation and assurance, and enhanced IT intelligence.

Consistently recognized by third-party experts, LogRhythm has been positioned as a Leader in Gartner’s SIEM Magic Quadrant report for four consecutive years, named a “Champion” in Info-Tech Research Group’s 2014-15 SIEM Vendor Landscape report and ranked Best-in-Class (No. 1) in DCIG’s 2014-15 SIEM Appliance Buyer’s Guide, awarded the SANS Institute's "Best of 2014" award in SIEM and received the SC Magazine Reader Trust Award for "Best SIEM Solution" in April 2015. Additionally, the company earned Frost & Sullivan’s SIEM/LM Global Market Penetration Leadership Award and has been named a Top Workplace by the Denver Post. LogRhythm is headquartered in Boulder, Colorado, with operations throughout North and South America, Europe and the Asia Pacific region.


[i]  IDC, The Link Between Pirated Software and Cybersecurity Breaches (2014)

[ii]  Verizon, Data Breach Investigations Report (2015)

[iii]  Ponemon, State of the Endpoint Report: User-Centric Risk (2015)


Strengthen your defenses where the battle is actually being fought – the endpoint

Tue, 29 Sep 2015 08:32:38 GMT

Defense-in-depth pretty much backs up the thought that every security technology has a place. But are they all created equal? Security is not a democratic process and no one is going to complain about security inequality if you are successful in stopping breaches. So I think we need to acknowledge a few things. Right now the bad guys are winning on the endpoint – in particular the workstation. One way or another they are getting users to execute bad code on their workstation. Having achieved a beachhead, they work their way out across our network following a horizontal kill chain until they reach “the goods”. Next generation firewalls, identity and access control and privileged account management all have a part to play in detecting and slowing down this process. But we are not doing enough on the endpoint to recognize malicious code and key changes in user and application behavior. The strength of NGFWs is their eye-in-the-sky ability to watch network traffic as a whole. But they can’t see inside encrypted packets and they don’t know which program inside the endpoint is sending or receiving observed packets. Much less can an NGFW tell you when that program appeared on the endpoint, how it got there, who executed it and so on.

So am I arguing for collecting endpoint security logs? Including workstations? Well that’s a start. But getting all your workstation security logs is challenging and may not meet your requirements because native logs lack important information. If you have more than a handful of workstations, forget trying to collect their logs using any kind of pull/polling method; it just isn’t going to work. If you stick with native logs you need to implement Windows Event Forwarding, which is a great native technology but right now lacks management tools. So for most organizations that means agents.

Historically there’s been a lot of push back to deploying YAA (yet another agent) on workstations simply for the purpose of collecting logs. And I have to agree that going to the trouble of installing and maintaining an agent on every workstation when all you get is its native logs is a tough proposition.

That’s why I like what EventTracker has done with EventTracker 8 and the powerful detection, behavior analysis and prevention capabilities in their new agent. Basically it goes like this:

  1. We are losing the war on the endpoint front
  2. Ergo, we need to beef up defenses on the endpoint
  3. But native logs aren’t valuable enough alone to justify installing an agent
  4. Conclusion: increase the value of the agent by doing more than just efficiently forwarding logs

EventTracker 8’s Windows agent does much more than just forward logs. In fact, maybe we shouldn’t call it an agent. Perhaps sensor would be a better term.

One of the key things we need to do on endpoints is analyze the programs executing and identify new, suspect and known-bad programs. With native logs all you can get is the name of the program, who ran it and when (event ID 4688). The native log can’t tell you anything about the contents (i.e. the “bits”) of the program, whether it’s been signed, etc. Here’s what EventTracker 8 does every time a process is launched. It takes the process’s signature, pathname and MD5 hash. It compares that information against:

  • A local whitelist
  • National Software Reference Library
  • VirusTotal

This is stuff you can only do if you have your own bits (i.e. an agent) running on the endpoint. You can’t do it with native logs or with an NGFW. Here’s an example “synthetic” event generated by EventTracker that says it all:


I wish Windows had that event.

“But, wait. There’s more!”

Visibility inside the programs running on your endpoints and being able to compare them against internal and external reputation data is extremely valuable to detecting and stopping attacks. But if we have a good agent on the endpoint we can do even more. We can analyze what that program is doing on the network. What other systems is it trying to access internally and where is it sending data out on the Internet? Here’s an example of what EventTracker 8 does with that information. How would you like to know whenever a non-browser application connects to a standard port on some unnamed system on the Internet? Check out the event below.

If you are up on malware techniques, though, you realize that discrete EXEs are not the only way attackers get arbitrary code to run on target systems. They have developed many different ways to hide bad guy code inside legit processes. One thing EventTracker does to detect this is look for suspicious threads injected into commonly abused processes like svchost.exe. EventTracker also does sophisticated analysis of the user – not just programs – and alerts you when it sees suspicious combinations of user account, destination and source IP addresses.

EventTracker combines all the data that can only be obtained with an endpoint agent with general blacklist data from outside security organizations and specific whitelist data automatically built from internal activity. This is a great example of what you can do once you have your own code running on the endpoint. Combine native logs from each endpoint with all this other information and you are way ahead of the game.


Making SIEM better by focusing on the top 3 blind spots

Mon, 21 Sep 2015 17:28:31 GMT

To be even better, your SIEM needs more intelligence without noise. Like the universe we live in, the area that must be monitored for APTs constantly expands. It is hard to focus on the significant security events when the field of view keeps getting larger.

The key to information security is that what you focus on must be worth catching. Enforcing systemic, organizational proficiency to focus on the narrower relevant field is absolutely crucial to an organization’s security practice.

Focus on the Top 3 Blind Spots

A lot of the organizations we talk to are finding a way to address that challenge of making their SIEM better, not burdened. They do it by dedicating their primary effort to solving the SIEM’s top 3 blind spots:

  1. Applications,
  2. the cloud, and
  3. failure to monitor all the Windows endpoints

We believe in this so much it’s where we are putting all our money. Here’s how:

LOGbinder provides the market-leading solution for SIEMs to have visibility into what’s happening inside Exchange, SharePoint and SQL Server. Soon after the public availability of Exchange 2016, SharePoint 2016 and SQL Server 2016 (expected mid-2016), LOGbinder intends to release compatible updates to its core products. We already have these versions in development and are excited about their potential to help make your SIEM better. Our SIEM integrations help you isolate and monitor only what’s important.

Microsoft’s cloud-based products, especially Office 365 and Azure are hugely attractive to organizations of all sizes. Their limitation has been a lack of audit capability, but that is soon to change. Microsoft expects to release (also mid-2016) a completely new and very good audit function to both Office 365 and Azure’s Active Directory. LOGbinder is poised to deliver a matching solution to put cloud-based application security intelligence where it belongs – your SIEM. We are investing significant resources with the plan to deliver the solution 30 days after public availability.

By the way (and this is important), it is going to require special effort on the part of all of us in the IT security business to pitch in and make cloud security audit and monitoring possible. LOGbinder will provide the audit data from the cloud, as well as guidance about what to watch. But… you should talk to your SIEM product development team today to make sure they are talking to LOGbinder and working on their integration for LOGbinder’s cloud-based solutions.

The 3rd problem area for SIEM security intelligence is monitoring all Windows endpoints. If you don’t know which endpoint is installing a new program...

Your SIEM is perhaps your greatest bandwidth hog as it is, and adding all that traffic from the endpoints isn’t feasible, right? But that’s not a good enough reason; nobody wants to have to explain a data breach because of it. The real reason is probably a financial one. LOGbinder has developed a solution and is devoting significant money to bring that solution to market early in 2016. We discussed it at length at the recent HP Protect conference. We call it SuperCharger for Windows Event Collection. It is software that – with no agents and no polling – uses the native Windows event functionality to deliver only the relevant security events to the SIEM from all the Windows endpoints with no noise! It’s really cool and we’re super-excited. So are our SIEM partners who’ve taken the time to talk to us about it.

We are very excited about the opportunities now (and soon to be) available for SIEM security analysts. Putting meaningful security event logs in the SIEM where they belong is our passion.

LOGbinder is committed to making your SIEM even more powerful by feeding it more intelligence without the noise.

Note: The statements in this post about our new product delivery dates are “forward-looking”. We can’t predict the future with certainty. Our plans are presented here, and we expect to be able to make those plans a reality. But like all future plans, they are vulnerable to unanticipated events.


Are You Listening to Your Endpoints?

Tue, 04 Aug 2015 13:24:52 GMT

There’s plenty of interest in all kinds of advanced security technologies like threat intelligence, strong/dynamic authentication, data loss prevention and information rights management. But so many organizations still don’t know one of the basic indicators of compromise on their network – new processes and modified executables. This is so important because in every high profile case of data breaches over the past few years a common thread has been the presence of a malicious program that provided the attackers with persistent access to the internal network of the victim organization.

Moreover, some security technologies – such as strong authentication – are no defense if you have malicious code running on the endpoint of a strongly authenticated user.

So rapid detection of malicious code is paramount. The importance can’t be overstated. Detecting malicious code isn’t easy, and traditional signature-based AV is only going to catch comparatively “old” and widely distributed malware. It isn’t likely to catch the targeted attacks we are up against today, in which the bad guy uses shrink-wrapped tools to build and package a unique malicious agent to use against your organization.

How do you detect and even prevent malware like this? Like everything, it takes a defense-in-depth approach. Advanced 3rd party application whitelisting and advanced memory protection are very effective. But whether you have such technologies deployed or on the radar, your SIEM solution can provide you early warning when new software is observed on your network.

The key thing is to look for Event ID 4688 in the Windows security log. Compare the executable name in that event to a list of whitelisted EXEs you expect to see – or better yet, a list of executables that automatically builds from past events.

You want these events from every possible system – including workstations. If you are concerned about the amount of log data involved, I should mention that the sponsor of this article, EventTracker, provides an agent that can efficiently forward just the relevant events you want from thousands of endpoints.

Will there be false positives? Yes – especially until you refine your rules to take into account patches. Will this catch every malicious agent? Of course not. After all, there are multiple ways to insert malicious code on an endpoint and some are completely in-memory with no new executable involved. 3rd party advanced memory protection products or Microsoft’s EMET can provide some help with detecting memory exploits though and using your SIEM to collect and monitor those events is the obvious thing to do if you use EMET or another memory protection technology.

Some malware embeds itself in existing, trusted EXEs and DLLs, so it makes sense to monitor for modifications to such files. Again, you want this from your workstations – not just server endpoints. Getting EXE/DLL modification events requires either Windows file auditing or a file integrity monitoring (FIM) solution. Enabling auditing of just EXE and DLL files with Windows file auditing, though, is not that easy. You can’t configure audit policy on files with Group Policy without also impacting permissions, so widely distributed scripts would be required. FIM is definitely an easier route. Again, it’s worth mentioning that EventTracker’s agent includes FIM monitoring, making it easy to catch changes to existing software as soon as they happen.
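An added, constructed example of the 4688-based detection described in this post and of the process comparison that EventTracker's agent performs in the post above (this is not EventTracker's code): it learns which images each host ran during a baseline window, then flags an image never seen anywhere, an image new to a particular host, and a known path launched with an unseen hash, downgrading the last to a likely patch when the same new hash shows up on several hosts in the same window. Native 4688 carries no hash, so the hash field stands in for what an endpoint agent would add and is an assumption, as are the hosts, paths and hash values.

```python
"""Baseline executables from 4688-style process-creation events, then alert on
new images and on known paths whose hash changed.

Constructed example; the event tuples, hosts, paths and hash values are all
made up, and the hash field is what an agent would add, not native 4688 data.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str, str, str]   # (day, host, user, NewProcessName, hash)

# Same unseen hash on this many hosts in one window looks like a patch rollout.
PATCH_HOST_THRESHOLD = 2

# Constructed events from the learning window.
BASELINE_EVENTS: List[Event] = [
    ("2015-07-01", "ws01", "CORP\\alice", r"C:\Windows\System32\svchost.exe", "h-svc-1"),
    ("2015-07-01", "ws01", "CORP\\alice", r"C:\Program Files\Internet Explorer\iexplore.exe", "h-ie-1"),
    ("2015-07-02", "ws01", "CORP\\alice", r"C:\Windows\System32\svchost.exe", "h-svc-1"),
    ("2015-07-02", "ws02", "CORP\\bob",   r"C:\Windows\System32\svchost.exe", "h-svc-1"),
    ("2015-07-03", "ws02", "CORP\\bob",   r"C:\Program Files\Internet Explorer\iexplore.exe", "h-ie-1"),
]

# Constructed events from the window being evaluated.
LIVE_EVENTS: List[Event] = [
    ("2015-07-10", "ws01", "CORP\\alice", r"C:\Windows\System32\svchost.exe", "h-svc-1"),
    ("2015-07-10", "ws01", "CORP\\alice", r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "h-bad-9"),
    ("2015-07-10", "ws02", "CORP\\bob",   r"C:\Windows\System32\svchost.exe", "h-svc-2"),
    ("2015-07-11", "ws01", "CORP\\alice", r"C:\Program Files\Internet Explorer\iexplore.exe", "h-ie-2"),
    ("2015-07-11", "ws02", "CORP\\bob",   r"C:\Program Files\Internet Explorer\iexplore.exe", "h-ie-2"),
]


def build_baseline(events: List[Event]):
    """Learn which image paths each host ran and which hashes each path had."""
    images_by_host: Dict[str, Set[str]] = defaultdict(set)
    hashes_by_image: Dict[str, Set[str]] = defaultdict(set)
    for _, host, _, image, h in events:
        key = image.lower()           # NTFS paths are case-insensitive
        images_by_host[host].add(key)
        hashes_by_image[key].add(h)
    return images_by_host, hashes_by_image


def detect(baseline_events: List[Event], live_events: List[Event]) -> List[dict]:
    images_by_host, hashes_by_image = build_baseline(baseline_events)
    alerts: List[dict] = []
    candidates: List[dict] = []   # known path, unseen hash: decide later if it is a patch
    for day, host, user, image, h in live_events:
        key = image.lower()
        base = {"day": day, "host": host, "user": user, "image": image, "hash": h}
        if key not in hashes_by_image:
            # Never seen on any host: the classic "new process" indicator.
            alerts.append({**base, "rule": "new-executable", "severity": "high"})
        elif key not in images_by_host[host]:
            # Known software, but this host has never run it before.
            alerts.append({**base, "rule": "new-on-host", "severity": "medium"})
        elif h not in hashes_by_image[key]:
            candidates.append(base)
    # A modified trusted EXE is serious, unless many hosts got the same new
    # hash at once, which is what a patch looks like.
    hosts_per_hash: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for c in candidates:
        hosts_per_hash[(c["image"].lower(), c["hash"])].add(c["host"])
    for c in candidates:
        spread = len(hosts_per_hash[(c["image"].lower(), c["hash"])])
        if spread >= PATCH_HOST_THRESHOLD:
            alerts.append({**c, "rule": "likely-patch", "severity": "info"})
        else:
            alerts.append({**c, "rule": "modified-executable", "severity": "high"})
    return alerts


if __name__ == "__main__":
    for a in detect(BASELINE_EVENTS, LIVE_EVENTS):
        print(f"{a['severity']:6} {a['rule']:20} {a['host']} {a['image']} {a['hash']}")
```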


Help me! Community Survey 2015

Tue, 28 Jul 2015 14:25:55 GMT

Please help me help you in the coming year. I need your help to determine which security topics to cover and to prioritize my real training for free™ sessions.

The survey will take about 15 minutes of your time, but it will make a big impact on what I do at One of our best sponsors, HEAT Software (formerly Lumension), helped me design the survey and will be sharing in the analysis of it.

Besides some general questions this survey covers 3 key areas of security today: cloud, mobile and endpoint management. Your time will really help me tailor my real training for free ™ webinars to fit your needs, priorities and interests. And it will help us understand the changing world of IT and information security.

Click here to complete the 2nd Annual UWS Community Survey. All participants will receive the annual report, developed from this survey. We thank you in advance for your participation in this important survey.


Thanks so much for your support!
Randy Franklin Smith


Enriching Event Log Monitoring by Correlating Non Event Security Information

Wed, 03 Jun 2015 09:35:13 GMT

Sometimes we get hung up on event monitoring and forget about the “I” in SIEM, which stands for information. And that’s important because there are more sources of non-event security information that your SIEM should be ingesting and correlating with security events than ever before. There are at least 4 categories of security information that you can leverage in your SIEM to do better analysis of security events:

  1. Identity information from your directory (e.g. Active Directory)

    Your directory has a wealth of identity information that can help you sift the wheat from the chaff in your security logs. Here’s one example. Let’s say you regularly import a list of all members of Administrator groups from Active Directory into your SIEM and call the list PrivilegedAccounts. Now, enhance any rules or reports looking for suspicious user activity by also comparing the user name in the event against the PrivilegedAccounts list. If there’s a match, then the already suspicious event becomes even more important since it involves a privileged user. But you also likely have certain controls over privileged user sessions. The PrivilegedAccounts list helps you identify anyone (internal or external) bypassing those controls, whether a malicious insider or an outside attacker ignorant of your controls. Perhaps you require all administrators to go through a clean and hardened “jump box”. You can set up a rule to identify logon sessions where the username is in PrivilegedAccounts but the session was not initiated from the jump box.

  2. Environmental information (both internal and global)

    A global example of environment information is geocoding. Perhaps there are certain countries that you do not do business with which also have a bad reputation for cybercrime and espionage. Another popular way to leverage geocoding is to detect when a given user is apparently in 2 places at once which can indicate compromised credentials.

    But you can also leverage organization-specific (i.e. internal) environment information. For instance, perhaps all of your administrators’ workstations fall within a certain range of IP addresses. Use this information in a rule examining logon attempts to your jump box or other hardened infrastructure systems (such as the management network interface on ESXi and Hyper-V systems) and alert when you see attempts to access these systems from non-administrators. (As always, the real world may be a little more complicated. Case in point: you may also need to factor in logon attempts through whatever means administrators use for remote access.)

  3. Threat intelligence feeds available from security organizations

    There’s a growing array of threat intelligence feeds ranging from community-based free feeds to those commercially produced and available for a fee. These feeds range from lists of IP addresses linked to command and control networks, botnets and compromised hosts to network indicators of compromise and malware signatures. We recently looked at the free feeds available from in this webinar sponsored by EventTracker. Correlating event logs from all levels of your network to threat intelligence can help you identify compromised systems and persistent attackers much earlier in the process.

  4. Internal threat intelligence

    A. N. Ananth (EventTracker) coined this term to describe information that you can compile from your own network and systems using techniques similar to those of outside threat intelligence organizations. There’s no arguing the “crowd-sourced” value of external threat intelligence, but such information is missing a key aspect that is addressed by internal threat intelligence. External threat intelligence tends to be “black lists” of “known bad” data. On the other hand, internal threat intelligence usually takes the form of “white lists” of “known good” data. White lists tend to be much smaller, more effective and easier to tune and maintain. For instance, if your SIEM can determine from past history that server A normally only communicates with 10 other hosts, that is very valuable to know, especially if your SIEM can alert you when it sees that host suddenly start sending gigabytes of data to an entirely new host on an unusual port.
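To make items 1 and 2 concrete, here is an added example (not code from the post) that runs three of the rules described above, the PrivilegedAccounts jump-box check, the admin-workstation range check on the jump box, and the "two places at once" geocoding check, over a constructed list of logon events. The account names, host names, addresses and coordinates are all assumptions made up for illustration; a real SIEM would pull them from the directory, the IPAM and a geo-IP database.

```python
# Added example, not from the post: three logon-context rules over constructed events.
# Accounts, hosts, addresses and coordinates are all made up for illustration.
import ipaddress
import math
from datetime import datetime

PRIVILEGED_ACCOUNTS = {"jsmith", "svc_backup"}       # imported from AD admin groups
JUMP_BOX, JUMP_BOX_IP = "jump01", "10.1.20.3"        # hardened host admins must use
ADMIN_WORKSTATIONS = ipaddress.ip_network("10.1.50.0/24")

# Stand-in for a geo-IP lookup: internal addresses map to the office site, the last IP is a distant city.
GEO = {"10.1.50.7": (40.7, -74.0), "10.1.20.3": (40.7, -74.0),
       "203.0.113.9": (40.7, -74.0), "198.51.100.4": (52.5, 13.4)}

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def evaluate(events, max_kmh=900):
    """Return one alert string per rule violation in a time-ordered event list."""
    alerts, last_seen = [], {}
    for e in events:
        user, src, target = e["user"], e["src_ip"], e["target"]
        # Rule 1 (PrivilegedAccounts): admin session that did not come via the jump box
        if user in PRIVILEGED_ACCOUNTS and target != JUMP_BOX and src != JUMP_BOX_IP:
            alerts.append(f"privileged account {user} bypassed jump box to {target}")
        # Rule 2 (admin workstation range): jump box reached from a non-admin address
        if target == JUMP_BOX and ipaddress.ip_address(src) not in ADMIN_WORKSTATIONS:
            alerts.append(f"jump box logon for {user} from non-admin address {src}")
        # Rule 3 (geocoding): the same user apparently in two places at once
        loc, when = GEO.get(src), datetime.fromisoformat(e["time"])
        if loc and user in last_seen:
            prev_loc, prev_when = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600
            if hours > 0 and km_between(prev_loc, loc) / hours > max_kmh:
                alerts.append(f"impossible travel for {user}: {prev_loc} -> {loc} in {hours:.1f}h")
        if loc:
            last_seen[user] = (loc, when)
    return alerts

# Constructed event sample (4624-style logons, oldest first).
EVENTS = [
    {"time": "2015-10-15T08:00:00", "user": "jsmith", "src_ip": "10.1.50.7", "target": "jump01"},
    {"time": "2015-10-15T08:05:00", "user": "jsmith", "src_ip": "10.1.20.3", "target": "esxi01"},
    {"time": "2015-10-15T09:00:00", "user": "svc_backup", "src_ip": "10.1.60.8", "target": "fs01"},
    {"time": "2015-10-15T09:30:00", "user": "bjones", "src_ip": "203.0.113.9", "target": "jump01"},
    {"time": "2015-10-15T10:00:00", "user": "bjones", "src_ip": "198.51.100.4", "target": "vpn01"},
]
```

Running `evaluate(EVENTS)` yields three alerts: the service account reaching a file server without passing through the jump box, a jump-box logon from outside the admin subnet, and the same user appearing in two cities half an hour apart.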

    The bottom line is that your SIEM needs as much data (both event and non-event) as possible, and it needs to be effective at correlating it into valuable situational intelligence. Don’t stop at logs. Look for other kinds of security information from your directory, the local and global environment, and threat intelligence from both the security community and your own network.
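The "white list" idea from item 4, as an added example that is not from the post: a baseline of which peers and ports each server normally uses is learned from past flow records, and a new flow is reported when it goes to a never-seen host, uses an unusual port for a known peer, or carries an unusually large volume. The host names, ports and byte counts are constructed for illustration.

```python
# Added example, not from the post: a "known good" baseline of which peers each
# server talks to, learned from past flow records, with new flows checked against it.
# Host names, ports and byte counts are constructed for illustration.
from collections import defaultdict

def build_baseline(history):
    """Map each source host to the set of (peer, port) pairs seen in past traffic."""
    baseline = defaultdict(set)
    for flow in history:
        baseline[flow["src"]].add((flow["dst"], flow["port"]))
    return dict(baseline)

def check_flow(baseline, flow, bulk_bytes=1_000_000_000):
    """Return the reasons a new flow deviates from its source host's baseline."""
    src, dst, port = flow["src"], flow["dst"], flow["port"]
    if src not in baseline:
        # A host with no history cannot be judged; say so rather than stay silent.
        return [f"no baseline for {src}; cannot judge flow to {dst}:{port}"]
    known = baseline[src]
    reasons = []
    if dst not in {peer for peer, _ in known}:
        reasons.append(f"{src} has never talked to {dst}")          # brand new peer
    elif (dst, port) not in known:
        reasons.append(f"{src} -> {dst} on unusual port {port}")     # known peer, new port
    if flow["bytes"] >= bulk_bytes:
        reasons.append(f"{src} sent {flow['bytes'] / 1e9:.1f} GB in one flow")
    return reasons

# Constructed history: server-a normally serves SQL to two app servers and pulls updates.
HISTORY = [
    {"src": "server-a", "dst": "app-1", "port": 1433, "bytes": 5_000},
    {"src": "server-a", "dst": "app-2", "port": 1433, "bytes": 7_000},
    {"src": "server-a", "dst": "wsus-1", "port": 8530, "bytes": 2_000_000},
]
```

With this history, a routine SQL flow to app-1 produces no reasons, while a 3 GB flow to an unknown address on an unusual port produces two.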

Don’t Create a Different sudoers File for Each System

Wed, 06 May 2015 17:53:34 GMT

For compliance and protecting root access on UNIX and Linux you can’t live without sudo. I’ve written and done several webinars recently on how to implement sudo so that

  • no one ever logs on with root
  • you can implement least privilege instead of making everyone all-powerful
  • enforce accountability over privileged users with a high integrity audit trail of every command executed

But most folks have more than one system to manage. It might be simple to start off using sudo by maintaining a different sudoers file on each system. As you set up sudo on each system you just copy and paste portions of sudoers from another system already set up. But that is a pitfall you would do well to avoid. Usually the differences in sudo policy between systems are important but subtle; most of your sudoers policy can be re-used across systems. Creating independent but substantially similar sudoers files leads to management headaches and security risks because the files inevitably become out-of-date and inconsistent as roles, users and security needs change.

Thankfully sudo is designed to support multiple systems. For instance, you can use the Host_Alias directive to define groups of systems and then assign the same rule(s), once, to all appropriate systems via the Host_Alias.

That’s how sudo supports multiple systems within the sudoers file, but how do you get all your systems to share the same sudoers file? One way is maintaining the file on one system and using a variety of file copy utilities to physically copy sudoers to each system. But sudo also supports storing your sudoers policy in your LDAP directory. This isn’t as simple as it sounds because it does involve schema changes, which many admins fear.
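An added example of the Host_Alias approach (not from the post; the host names, user names and command paths are constructed): one sudoers file that every managed host can share, because sudo only applies a rule when the host list matches the local hostname, so a web server simply ignores the database rules and vice versa.

```sudoers
# Added example, not from the post: a single sudoers file shared by all managed hosts.
# Host names, users, groups and command paths are constructed for illustration.
Host_Alias  WEBSERVERS = web01, web02, web03
Host_Alias  DBSERVERS  = db01, db02
Host_Alias  ALLMANAGED = WEBSERVERS, DBSERVERS

User_Alias  WEBADMINS = alice, bob
User_Alias  DBAS      = carol

Cmnd_Alias  WEBCTL  = /usr/sbin/service httpd restart, /usr/sbin/service httpd reload
Cmnd_Alias  DBCTL   = /usr/sbin/service mysqld restart
Cmnd_Alias  LOGVIEW = /usr/bin/tail /var/log/*

# Per-role rules written once; each host only honours the lines whose Host_Alias it belongs to.
WEBADMINS  WEBSERVERS = WEBCTL
DBAS       DBSERVERS  = DBCTL
# The ops group may read logs on any managed host, but gains nothing on hosts outside ALLMANAGED.
%ops       ALLMANAGED = LOGVIEW
```

Adding a fourth web server is then a one-word change to the WEBSERVERS alias rather than a new copy of the file with hand-edited rules.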

In my next webinar with BeyondTrust I’ll explore how to manage sudo on multiple systems. Please tune in.

Mirazon – Great Folks for Unraveling Microsoft Licensing

Wed, 06 May 2015 15:50:40 GMT

Microsoft licensing is complex, confusing and time consuming. “I just want the license key – legally!”, right? While trying to figure out how I could get a legal copy of Windows 8.1 Enterprise for a friend (they need Windows To Go Creator), I came across this article at, I also got this newer article from Seth I still had some questions and so I took them up on their offer to “guide you through the confusing terrain of Microsoft licensing so you can avoid unnecessary purchases” and emailed them. Got a reply back from Seth the same day. Fast and accurate. It’s not just about the money saved on unnecessary licensing mistakes but it’s also the time and effort saved researching stuff you really don’t want to learn about anyway! Thanks, Seth and Mirazon!

Live with SecureAuth at RSA 2015

Thu, 23 Apr 2015 15:51:34 GMT

Darin Pendergraft from SecureAuth stopped by the UltimateWindowsSecurity booth (South 2240).  Visit SecureAuth in the South Hall at booth 2107 and be sure to see their interactive product demo using the Oculus Rift!

Randy: Alright so we’re back at the Ultimate Windows Security Booth at RSA. I’ve got with me this time Darin Pendergraft from SecureAuth. Darin, we’re talking about authentication and there’s a lot of people doing authentication nowadays. Everybody seems to recognize, all of a sudden, that we need strong authentication, which usually means a second factor.

Darin: Right.

Randy: So I just want to talk to you about what’s different with how you guys are doing it. First of all, I think maybe the first thing we need to get across is companies that have enterprise security requirements, that require them to control certain things on premise, you know, that’s a sweet spot for you – an on premise solution.

Darin: On premise solution is a virtual machine, so you know it’s housed on your hardware. You do have a physical appliance option for folks that want that. But we really feel that having that control is important to our enterprise customers.

Randy: The other thing we were talking about is two factor authentication and strong authentication, is all obviously that is one of the pain points we’re trying to solve.  One of the big risks we’re trying to mitigate, but with SecureAuth you’re not done once you’ve delivered two factor authentication.

Darin: That’s right.

Randy: Tell me more about how you said that’s really just the beginning.

Darin: Right, right… You know with strong authentication the point is to protect the business and to make it harder for the attackers to get in. Getting that set up is important but what’s really important is then to start to understand the context of the authentication, who is using that credential? Where did they log in from last? Did they use a device we’ve seen before? And we call that adaptive authentication, because the level of, you know, risk really determines how easy or how hard we make it for someone to log in. That’s something we firmly believe. We can’t just set the system up and let it run, because any system that is static like that will be defeated. Right?

Randy: Right.

Darin: So our system really takes every authentication into account. We look at the context around it and then we either step it up in this situation that we see something that’s a little out of the ordinary. You know, if you log in here from San Francisco and then all of a sudden there’s a log in from somewhere in Eastern Europe… you know, that’s unusual.

Randy: Sure.

Darin: So we shouldn't just allow you to put your password in to get in – we should really challenge you and send you to that second factor.

Randy: So we could almost call it “Just in time Authentication”….

Darin: Yeah, Just in time is a good way to look at it.

Randy: ….that it’s appropriate for the dynamics for that moment for that user and all the other dynamics. I think that you talked about velocity…

Darin: Geo velocity…

Randy: Is this a device that we've never seen them on but we can add those things together and do it dynamically. Yeah, I can see the value of that. The other thing that I thought was important for folks trying to sort out, ‘how are all of these authentication companies different’-- is form factors. You've got flexibility… you want to talk about that?

Darin: Absolutely, we are always asked, “What’s the best second factor?” To be honest, the best second factor is the one that fits your use case the best. At SecureAuth, we don’t rely on any one technique for the second factor. We can send a text to your phone. We can use a hardware token that you've got from a third party. You know, it really depends on that use case. We have some customers that want a very good user experience so they want a really low friction second factor. In those situations, we rely on a device fingerprint to recognize the device to see if it’s been jailbroken and to see if there’s anything unusual about it. In other situations and in very high security situations, our customers are very comfortable with having a hard token or a card or something like that. In SecureAuth we let the customer decide what they want to do. We really fit the second factor to the use case so that the end users really feel like they are getting security and they’re not being put, unnecessarily, through hardship. That it fits kind of the risk profile.

Randy: Do you see companies using a variety of form factors for different sets of users within the organization?

Darin: Yeah and because of the way our product is architected, you can mix and match. We have a lot of hybrid environments. We have some folks that are traveling a lot and they have everything on their phone and they say, “That’s what I want to do.” And yet, we also have sales people that are mainly, you know, laptop people or Blackberry people potentially, right? So we can work with different form factors for those folks.

Randy: Gotcha…Well, there’s other reasons why a variety of form factors is important. We like to use a phone at my company as a second factor. But if that phone is down, we don’t want to have to provision something else. So we have folks carry a one-time password token with them, but they don’t need to touch it unless something happens to the phone.

Darin: In that situation, what our customers have done is they’ll actually… the customer’s administrative staff will present you with two or three different options so if your phone is lost or you leave it at home, so it’s not compromised or lost, or maybe you just don’t have it…

Randy: Yeah…

Darin: A lot of times when you’re presented with that second factor dialogue it’ll say: “Receive a call on your office phone” or “Receive a call on another number” or “Answer a question…” Like you said, have a one time PIN. So we can give you the flexibility to shut certain channels off or form factors off or offer the end user the option of two or more.

Randy: Well, cool. I appreciate your time and hopefully, folks, this is useful to you if you’re trying to sort out differences in strong authentication offerings, and I look forward to working more with you, Darin.

Darin: Thanks, Randy. It’s a pleasure to be here, thanks.

Live at RSA: Visualize Your Network and Access Paths Correlated with Relevant Vulnerabilities

Thu, 23 Apr 2015 15:02:44 GMT

Here’s another cool thing I found, this time at Redseal’s South Booth 1107. Their software collects configuration and state data from all your routers, firewalls and switches and builds an incredible visualization of your network and its structure. But that’s only the beginning. It makes it easy to color code different segments of network with classifications like DMZ, Internet and various internal zones. Then it shows you the paths different protocols and applications can take throughout your network. You can select any device or host and instantly trace out all possible paths that data can take to or from that node. I wish I’d had that recently when I was re-designing our 2 data centers to provide better isolation of our virtualization hosts and some labs that outsiders need to access. It was such a nightmare to test and validate that the policies I’d architected were configured correctly and that the wrong traffic was blocked and the right traffic permitted. For instance, we needed the 2 virtualization infrastructure networks to communicate with each other over the site-to-site VPN but only allow admin access from our jumpbox. But Redseal goes beyond this by consuming the results from any vulnerability scanner. Redseal doesn’t just plot those vulnerabilities on your network visualization; that’s not really that hard. Instead they analyze the vulnerabilities found by your scanner against the known access paths on your network and surface the vulnerabilities that really count: those that are accessible via the actual access paths open on your network. Pretty cool stuff.
