Security, et al

Randy's Blog on Infosec and Other Stuff

Help me! Community Survey 2015

Tue, 28 Jul 2015 14:25:55 GMT

Please help me help you in the coming year. I need your help to determine which security topics to cover and to prioritize my real training for free™ sessions.

The survey will take about 15 minutes of your time, but it will make a big impact on what I do at UltimateWindowsSecurity.com. One of our best sponsors, HEAT Software (formerly Lumension), helped me design the survey and will be sharing in the analysis of it.

Besides some general questions this survey covers 3 key areas of security today: cloud, mobile and endpoint management. Your time will really help me tailor my real training for free ™ webinars to fit your needs, priorities and interests. And it will help us understand the changing world of IT and information security.

Click here to complete the 2nd Annual UWS Community Survey. All participants will receive the annual report, developed from this survey. We thank you in advance for your participation in this important survey.

 

Thanks so much for your support!
Randy Franklin Smith

email this digg reddit dzone
comments (0)references (0)

Related:
Help me! Community Survey 2015
Does Microsoft care about the Security log?
Enriching Event Log Monitoring by Correlating Non Event Security Information
Audit Myth Busters: SharePoint, SQL Server, Exchange

Enriching Event Log Monitoring by Correlating Non Event Security Information

Wed, 03 Jun 2015 09:35:13 GMT

Sometimes we get hung up on event monitoring and forget about the “I” in SIEM which stands for information. And that’s important because there are more sources of non-event security information that your SIEM should be ingesting and correlating with security events than ever before. There’s at least 4 categories of security information that you can leverage in your SIEM to do better analysis of security events:

  1. Identify information from your directory (e.g. Active Directory)

    Your directory has a wealth of identify information that can help you sift the wheat from the chaff in your security logs. Here’s one example. Let’s say you regularly import a list of all members of Administrator groups from Active Directory into your SIEM and call the list PrivliegedAccounts. Now, enhance any rules or reports looking for suspicious user activity by also comparing the user name in the event against the PrivilegedAccounts list. If there’s a match, then the already suspicious event becomes even more important since it involves a privileged user. But you also likely have certain control over privileged user sessions. The PrivilegedAccounts list helps you identify anyone (internal or external) bypassing those controls whether a malicious insider or an outside attacker ignorant of your controls. Perhaps you require all administrators to go through a clean and hardened “jump box”. You can setup a rule to identify logon sessions where the username is in PrivilegedAccounts but was not initiated from the jump box.

  2. Environmental information (both internal and global)

    A global example of environment information is geocoding. Perhaps there are certain countries that you do not do business with which also have a bad reputation for cybercrime and espionage. Another popular way to leverage geocoding is to detect when a given user is apparently in 2 places at once which can indicate compromised credentials.

    But you can also leverage organization specific (i.e. internal) environment information. For instance, perhaps all of your administrators’ workstations fall within a certain range of IP addresses. Use this information in a rule examining logon attempts to your jump box or other hardened infrastructure systems (such as the management network interface on ESXi and HyperV systems) and alert when you see attempts to access these systems from non-administrators.(As always, the real world may be a little more complicated. Case in point: you may also need to factor in logon attempts through whatever means administrators use for remote access.

  3. Threat intelligence feeds available from security organizations

    There’s a growing array of threat intelligence feeds ranging from community-based free feeds to those commercially produced and available for a fee. These feeds range from lists of IP addresses linked to command and control networks, botnets and compromised hosts to network indicators of compromise and malware signatures. We recently look at the free feeds available from ermergingthreats.net in this webinar sponsored by EventTracker. Correlating event logs from all levels of your network to threat intelligence can help you identify compromised systems and persistent attackers much earlier in the process.

  4. Internal threat intelligence.

    A. N. Ananth (EventTracker) coined this term to describe information that you can compile from your own network and systems using similar techniques as outside threat intelligence organizations. There’s no arguing the “crowd-sourced” value of external threat intelligence but such information is missing a key aspect that is addressed by internal threat intelligence. External threat intelligence tend to be “black lists” of “known bad” data. On the other hand, internal threat intelligence usually take the form of “white lists” of “known good” data. White lists tend to be much smaller, more effective and easier to tune and maintain. For instance if your SIEM can determine from past history that server A normally only communicates with 10 other hosts – that is very valuable to know – especially if your SIEM can alert you when it sees that host suddenly start sending gigabytes of data to an entirely new host on an unusual port.

    The bottom line is that your SIEM needs as much data (both event and non-event) as possible and it needs to be effective at correlating it into valuable situational intelligence. Don’t stop at logs. Look for other kinds of security information from your directory, the local and global environment and threat intelligence from the security community and internal.

email this digg reddit dzone
comments (0)references (0)

Related:
Live with Dell at RSA 2015
Understanding the Difference between “Account Logon” and “Logon/Logoff” Events in the Windows Security Log
How Randy and Company Do IT: Server and Application Monitoring
Virtualization Security: What Are the Real World Risks?

Don’t Create a Different sudoers File for Each System

Wed, 06 May 2015 17:53:34 GMT

For compliance and protecting root access on UNIX and Linux you can’t live without sudo. I’ve written and done several webinars recently on how to implement sudo so that

  • no one ever logs on with root
  • you can implement least privilege instead making everyone all powerful
  • enforce accountability over privileged users with a high integrity audit trail of every command executed

But most folks have more than one system to manage. It might be simple to start off using sudo by maintaining a different sudoers file on each system. As you setup sudo on each system you just copy and paste portions of sudoers from another system already set up. But that is a bad pitfall you do well to stay out of. Usually the differences in sudo policy between each system are important but subtle; most of your sudoers policy can be re-used across systems. Creating independent but substantially similar sudoers files leads to management headaches and security risks because files inevitably become out-of-date and inconsistent as roles, users and security needs change.

Thankfully sudo is designed to support multiple systems. For instance you can use the Host_Alias directive to define groups of systems and then assign the same rule(s), once, to all appropriate systems via the Host_Alias.

That’s how sudo supports multiple systems within the sudoers file but how do you get all your systems to share the same sudoers file? One way is maintaining the file on system and using a variety of file copy utilities to physically copy sudoers to each system. But sudo also supports storing your sudoers policy in your LDAP directory. http://www.sudo.ws/sudo/man/sudoers.ldap.html. This isn’t as simple as it sounds because it does involve schema changes which many admins fear.

In my next webinar with BeyondTrust I’ll explore how to manage sudo on multiple systems. Please tune in.

email this digg reddit dzone
comments (0)references (0)

Related:
Live with Dell at RSA 2015
Virtualization Security: What Are the Real World Risks?
SolarWinds Log & Event Manager Includes My Favorite Feature in a SIEM…
How Randy and Company Do IT: Server and Application Monitoring

Mirazon – Great Folks for Unraveling Microsoft Licensing

Wed, 06 May 2015 15:50:40 GMT

Microsoft licensing is complex, confusing and time consuming. “I just want the license key – legally!”, right? While trying to figure out how I could get a legal copy of Windows 8.1 Enterprise for a friend (they need Windows To Go Creator), I came across this article at http://www.mirazon.com/windows-8-1-enterprise-get/, I also got this newer article from Seth http://www.mirazon.com/windows-8-1-enterprise-licensing-now-a-stand-alone-product/. I still had some questions and so I took them up on their offer to “guide you through the confusing terrain of Microsoft licensing so you can avoid unnecessary purchases” and emailed them. Got a reply back from Seth the same day. Fast and accurate. It’s not just about the money saved on unnecessary licensing mistakes but it’s also the time and effort saved researching stuff you really don’t want to learn about anyway! Thanks, Seth and Mirazon!http://www.mirazon.com/category/microsoft-licensing/

email this digg reddit dzone
comments (0)references (0)

Related:
Virtualization Security: What Are the Real World Risks?
Mirazon – Great Folks for Unraveling Microsoft Licensing
Automating Review and Response to Security Events
Live with Dell at RSA 2015

Live with SecureAuth at RSA 2015

Thu, 23 Apr 2015 15:51:34 GMT

Darin Pendergraft from SecureAuth stopped by the UltimateWindowsSecurity booth (South 2240).  Visit SecureAuth in the South Hall at booth 2107 and be sure to see their interactive product demo using the Oculus Rift!



Randy: Alright so we’re back at the Ultimate Window’s Security Booth at RSA. I’ve got with me this time Darin Pendergraft from SecureAuth. Darin we’re talking about authentication and there’s a lot of people doing authentication nowadays. Everybody seems to recognize, all of a sudden, that we need strong authentication which usually means a second factor.

Darin: Right.

Randy: So I just want to talk to you about what’s different with how you guys are doing it. First of all, I think maybe the first thing we need to get across is companies that have enterprise security requirements, that require them to control certain things on premise, you know, that’s a sweet spot for you – an on premise solution.

Darin: On premise solution is a virtual machine, so you know it’s housed on your hardware. You do have a physical appliance option for folks that want that. But we really feel that having that control is important to our enterprise customers.

Randy: The other thing we were talking about is two factor authentication and strong authentication, is all obviously that is one of the pain points we’re trying to solve.  One of the big risks we’re trying to mitigate, but with SecureAuth you’re not done once you’ve delivered two factor authentication.

Darin: That’s right.

Randy: Tell me more about how you said that’s really just the beginning.

Darin: Right, right… You know with strong authentication the point is to protect the business and to make it harder for the attackers to get in. Getting that set up is important but what’s really important is then to start to understand the context of the authentication, who is using that credential? Where did they log in from last? Did they use a device we’ve seen before? And we call that adaptive authentication, because the level of, you know, risk really determines how easy or how hard we make for someone to log in. That’s something we firmly believe. We can’t just set the system up and let it run, because any system that is static like that, will be defeated. Right?

Randy: Right.

Darin: So our system really takes every authentication into account. We look at the context around it and then we either step it up in this situation that we see something that’s a little out of the ordinary. You know, if you log in here from San Francisco and then all of a sudden there’s a log in from somewhere in Eastern Europe… you know, that’s unusual.

Randy: Sure.

Darin: So we shouldn't just allow you to put your password in to get in – we should really challenge you and send you to that second factor.

Randy: So we could almost call it “Just in time Authentication”….

Darin: Yeah, Just in time is a good way to look at it.

Randy: ….that it’s appropriate for the dynamics for that moment for that user and all the other dynamics. I think that you talked about velocity…

Darin: Geo velocity…

Randy: Is this a device that we've never seen them on but we can add those things together and do it dynamically. Yeah, I can see the value of that. The other thing that I thought was important for folks trying to sort out, ‘how are all of these authentication companies different’-- is form factors. You've got flexibility… you want to talk about that?

Darin: Absolutely, we are always asked, “What’s the best second factor?” To be honest, the best second factor is the one that fits your use case the best. At SecureAuth, we don’t rely on any one technique for the second factor. We can send a text to your phone. We can use a hardware token that you've got from a third party. You know, it really depends on that use case. We have some customers that want a very good user experience so they want a really low friction second factor. In those situations, we rely on a device fingerprint to recognize the device to see if it’s been jailbroken and to see if there’s anything usual about it. In other situations and in very high security situations, our customers are very comfortable with having a hard token or a card or something like that. In SecureAuth we let the customer to decide what they want to do. We really fit the second factor to the use case so that the end users really feel like they are getting security and they’re not being put, unnecessary, through hardship. That it fits kind of the risk profile.

Randy: Do you see companies using a variety of form factors for different sets of users within the organization?

Darin: Yeah and because of the way our product is architected, you can mix and match. We have a lot of hybrid environments. We have some folks that are traveling a lot and they have everything on their phone and they say, “That’s what I want to do.” And yet, we also have sales people that are mainly, you know, laptop people or Blackberry people potential, right? So we can work with different form factors for those folks.

Randy: Gotcha…Well, there’s other reasons why a variety of form factors is important. We like to use a phone at my company, as a second factor. But if that phone is down, we don’t want to have to provision something else. So we don’t we have folks carry a one-time password token with them but they don’t need to touch it unless something happens to the phone.

Darin: In that situation, what our customers have done is they’ll actually… the customer’s administrative staff will present you with two or three different options so if your phone is lost or you leave it at home, so it’s not compromised or lost, or maybe you just don’t have it…

Randy: Yeah…

Darin: A lot of times when you’re presented with that second factor dialogue it’ll say: “Receive a call on your office phone” or “Receive a call on another number” or “Answer a question…” Like you said, have a one time PIN. So we can give you the flexibility to shut certain channels off or form factors off or offer the end user the option of two or more.

Randy: Well, cool. I appreciate your time and hopefully folks this useful to you if you’re trying to sort out differences in strong authentication offerings and I look forward to working more with you more, Darin.

Darin: Thanks, Randy. It’s a pleasure to be here, thanks.

email this digg reddit dzone
comments (0)references (0)

Related:
Automating Review and Response to Security Events
Live with Dell at RSA 2015
The Growing Threat of Friendly Fire from Vendors
Understanding the Difference between “Account Logon” and “Logon/Logoff” Events in the Windows Security Log

Live at RSA: Visualize Your Network and Access Paths Correlated with Relevant Vulnerabilities

Thu, 23 Apr 2015 15:02:44 GMT

Here’s another cool thing I found, this time at Redseal’s South Booth 1107.  Their software collects configuration and state data from all your routers, firewalls and switches and builds an incredible visualization of your network and its structure.  But that’s only the beginning.  It makes it easy to color code different segments of network with classifications like DMZ, Internet and various internal zones.  Then it shows you the paths different protocols and applications can take throughout your network.  You can select any device or host and instantly trace out all possible paths that data can take to or from that node.  I wish I’d had that recently when I re-designing our 2 data centers to provide better isolation of our virtualization hosts and some labs that outsiders need to access.  It was such a nightmare to test and validate that the policies I’d architected were configured correctly and that the wrong traffic was blocked and the right traffic permitted.  For instance we needed the 2 virtualization infrastructure networks to communicate over the site-to-site VPN with each other but only allow admin access from our jumpbox.  But Redseal goes beyond this by consuming the results from any vulnerability scanner.  Redseal doesn’t just plot those vulnerabilities on your network visualization – that’s not really that hard.  Instead they analyze the vulnerabilities found by your scanner against the known access paths on your network and surface the vulnerabilities that really count = those that are accessible via the actual access paths open on your network.  Pretty cool stuff.

email this digg reddit dzone
comments (0)references (0)

Related:
Live with Dell at RSA 2015
Understanding the Difference between “Account Logon” and “Logon/Logoff” Events in the Windows Security Log
Automating Review and Response to Security Events
Live with LogRhythm at RSA

Finally, a new and different way to mitigate the risk of compromised user endpoints

Thu, 23 Apr 2015 14:51:06 GMT

Here’s another find from the South Hall at RSA 2015 I came across (I’d snuck away from the UWS booth while Barry wasn’t looking.)  The 2,000+ of you who’ve attended my recent endpoint security webinars know how much I worry about endpoint security – especially user endpoints (laptops and workstations).  On my daily hike I actually puzzle over new ways to address this risk and I wish I’d come up with the idea Bromium has already implemented.  The messaging on booths here make it hard to figure out what companies do but “isolation” and “endpoint risks” caught my eye as I walked past Bromium’s booth 2007.  From talking to Bill Gardner I learned that Bromium was started by virtualization experts formerly at XenSource.  Bromium inserts a hypervisor between the metal and OS of your endpoint.  Then each application is isolated in its own micro-virtual machine.  This is something I want to learn more about.  Depending on how isolated applications really are and how clean the user experience is – this could be really awesome.

email this digg reddit dzone
comments (0)references (0)

Related:
Live with Dell at RSA 2015
SolarWinds Log & Event Manager Includes My Favorite Feature in a SIEM…
Virtualization Security: What Are the Real World Risks?
How Randy and Company Do IT: Server and Application Monitoring

Live with Dell at RSA 2015

Thu, 23 Apr 2015 12:09:35 GMT

Dell Software is my longest time sponsor and has made possible many hours of my real training for free ™ webinars.  We don’t usually give them much time to talk about their products on my webinars and they are really nice about that.  So I thought I’d set down for a few minutes at the UltimateWindowsSecurity.com booth here at RSA 2015 with Todd Peterson.  You never hear from Todd on the webinars but he is one of the main folks behind making them possible and he has a good perspective on Dell Software’s sizable portfolio of security products.  Our conversation centered around the Dell Software security portfolio as a whole and what makes it compelling compared to point solutions.

(Transcript below video)

Randy:  Alright, so back at the Ultimate Windows Security Booth at RSA.  This time I’ve got Todd Peterson from Dell.  And folks, you’ve probably have, I don’t know if you’ve heard Todd before, but you’ve heard a lot of other Dell people because Dell and before that Quest have been pretty much our best and biggest sponsor of real training for free™, so thanks a lot for that through the years Todd.  But, here’s what I want to talk to you about and I’m picking this topic for you because how many security products does Dell have?

Todd: Lots.

Randy:  Yeah.

Todd:   I mean, Dell kind of has the strategy of baking security into everything they do, so you know, if you want to be really technical, every laptop, every tablet, every server, every router, every switch has security baked into it.  If you want to be a little more literal on the classic security products, firewalls, data encryption, it’s probably 40 or 50 separate offerings across the whole line.  Most of them under the Dell software group umbrella.

Randy:  So, if we want to buy “a security”, we can go to….

Todd:  Yeah, yeah I’m happy to sell you an app for security. 

Randy:  Right.  Okay, but the thing of it is, is then and you’re the perfect person to expound on this, is do we go after security piecemeal, like here’s my risk, I want to solve this problem or do we build a security stack and think strategically, how are we going to make all these pieces fit together and then the risk is time to value and functionality but we never get anything out the door?

Todd:   I think in a perfect world, you do the latter.  You plan it out, you build security from the ground up, everything fits together and works great, but we know that that never actually happens.  So you end up with a piecemeal approach with whatever the fire of the day is or you know BYOB all of a sudden comes up and you didn’t even think about that, you know 12 years ago when buying a server was your big deal and so piecemeal is the way it has to go, but if you approach piecemeal with the right strategy, there is going to be something next and you may not even know what it is.  So just make sure that you’re future looking with everything you do.  I think piecemeal can work and kind of give you that plan from the ground up, you know, result without actually having done it.

Randy:  Yeah, because what I fear is management coming and they’ve read about a breach and they’ve read what Gardner or whoever is saying at the time, we need to get control of mobile devices.  We don’t have a mobile device management.  Go get MDM and so you go and you buy a MDM point solution, you get that in place.  Iterate that a few more times and what you’ve ended up with is a whole bunch of solutions, maybe a lot of them really cool, but they were from start ups, a lot of them.  They’ve gotten bought by someone else over the years, who knows what has happened and do they all talk to each other.  Because that’s the other thing, Todd, is getting your security products to talk to each other is opening up a whole new world of synergy, so given that you’re a company with 40-50 different security products, you probably have feelings on these issues.

Todd:   Yeah, I mean obviously you want them to talk to each other, but, you know the reality is people are often, you know you have pressure, you have to solve the problem today, so you’re going to go out and you know, whoever you’re hearing the most about to solve that problem is at the top of the list.  Maybe you’ll implement them, maybe you won’t, but you know, then down in the future, the next thing comes up and that solution’s great, but the next thing can’t be solved by that solution, so you do it again.  So, what you end up with is you’re defining security and the controls that provide security, so, an identity of a person, a person’s authorizations, the way you authenticate, what it means to be somebody, you’ve defined that in each and everyone of those silos, and you’ll probably define it differently.  So then standards emerge, that if you’re able to wait for the standard to take over, that makes it a little easier.  You know, only use SAML authentication, that solves a lot of the problems.  Use other standards is the baseline.  That’s good, but a lot of times the problem can’t be solved at that time.  So you just need to look for things that are on the cutting edge of standards, but also for a strategy of not reinventing the wheel every time a security issue comes up.  You don’t want 12 Randy’s across 12 different security silos.  You want 1 Randy that’s applied 12 times to across 12 silos, if that makes sense.

Randy:   Well, that’s ironic since Dell is, would you say your core security product is your one identity solution?

Todd:  I would definitely say that. 

Randy:  Yes.  Well let’s come back to that and talk about what is the core of a company’s security stack, but I think what you’re getting at is that to build a house, you have to put the foundation in first, you cannot say, you know, the biggest thing I need right now is a roof, and then I’ll come back and do the foundation.  There’s a sequence that you have to build things in.  Alright, with an IT environment, that’s not really the case.  You do have the option to say these are my biggest pain points.  I don’t have a roof over my head, I know I don’t have a great foundation for identity or whatever, but I need to get that roof over my head in terms of two factor authentication or mock change auditing, whatever.  I could go put that roof in and I can say I also need this door over here with a lock on it, but so that’s piecemeal, but what you’re saying is that what we want to do is be looking towards the future and saying at the end of the day we want a house that’s all connected to each other and doesn’t look like we bought a trailer and then added on a family room.

Todd:    Or worse case, you end up with 12 trailers.

Randy:  Well that’s ulgy.

Todd:  So yeah, I mean totally.  And what I would say to that foundation is as you’re putting the roof on, let’s say you’re just doing your roof, you know, you do have the opportunity at that time to form up the foundation and set it up so that when you put in the walls, when you put in this door, when you add on to the house, that those things can happen easier without re-pouring a new foundation.  So, you know, getting that foundation solid and then right along with that first big fire that you’re putting out, is probably the best approach and I would say that foundation is what I mentioned earlier…identity, role, authorizations, authentication, you know, getting those things set because if people can’t get to the stuff they need to do their job, there’s no point, that’s why it’s there.  Security is often viewed as a barrier to people doing their jobs because it’s another person saying no instead of another person saying yes.  But, if that foundation is right, there’s going to be opportunities to say yes, go way up and the opportunities for the temptation to say no unnecessarily has just disappeared. 

Randy:  Yeah, well that’s, I always go back to we’re in business to do business, not to be secure.  Secure doesn’t make money.  So I think what I’m hearing is you’re thinking about what we’re hearing from a lot of folks is the whole whether you want to call it dynamic or adaptive security, right, being able to dynamically say I need more assurance that this really is Bob, right?

Todd:  Yeah and if you think about the way security is normally implemented as a silo approach, you know, you’re on-prem you’re using a company controlled device.  There is a set of rules, you follow those rules and you’re allowed to get to something.  So you go off-prem they’ve established another set of rules for that and you follow those rules, you’re allowed, you’re using their mobile device, a different set of rules, data encryption is involved, different set of rules.  You’re coming from an IP that’s unknown to the organization of a different set of rules.  So, each of those can return a yes or no decision.  If any one of those 5 things, returns a no, the answer is no, even though I may legitimately be doing things that’s going to be absolutely secure, but one says no.  But, what if you take into account the context of the who, what, when, where, why, how and past history to make a dynamic decision in real time that says hey I know who you are, I know where you are, I don’t know you’re device, but I know that you’re history means that you’ve come in from a device like this one and so I’m going to allow you in.  So you can kind of take into account the varying strengths of the yes and no decisions to return an accurate decision that changes in real time depending on the situation.  You know, that’s I think the nirvana of security.

Randy:  So, going back to the building at your security stack and piecemeal and looking toward the future and so on, you know, what do we get if we make a commitment to Dell in terms of… you know, I have to have a lot of worry.  My supply management people have worry every time I bring in another vendor or another partner on board.  All right, how healthy are they, are they going to be in business, what’s their limits of support and so on.  So I mean, what’s codified in terms of if we come to Dell and saying if possible we’re going to try to get our different pieces of security from Dell?

Todd:   Well, obviously we would like that, but the advantage is Dell is a very mature, very stable company that’s not going anywhere and has a long legacy of very happy customers including customer service excellent support and each of the acquisitions that they’ve made have been of companies with an equal to a lesser degree, but an equal reputation, so they acquired Quest, which is where I came from.  You know, Quest has some of the industry leading customer satisfaction numbers on a software site.  The security software, being Identity Access Management stuff, is the leading satisfaction among the questions. So all of these things come into play that you know, you’re going to eventually have to buy a firewall if you don’t already have one or you may have to upgrade your firewall.  You’re going to have to buy something for identity and access management, something for privilege management, something for authentication.  You’ll probably eventually need a data encryption type of solution.  You’re going to need security baked into your servers and your laptops and your tablets and your desktop computers.  If that ultimately is in the same place and you know it’s not going anywhere, then you already trust and you know you can continue to trust, that really alleviates a lot of the danger, a lot of the risk and a lot of the worry of am I really going to be secure next year with the decision I make today?  With Dell, we feel and I think that history proves that yeah you’re set for years and years and years and years, at least from a peace of mind state.

Randy:   Well, it is, I’m always amazed.  I can never keep track of all the different security solutions that you have and you’re starting to make them talk to each other more too.

Todd:   Yeah, absolutely.

Randy:  I think that’s important and that’s something maybe that I had wished for more in former days and I’m seeing more now, so…

Todd:  Yeah, for example a lot of our authentications solutions, our multifactor authentication our federations’ solution are beginning to be reused by other Dell technologies.  So the Dell Case MDM solution uses our single sign on federation.  The Dell SonicWall firewalls use our multifactor authentication.  You know, all they’re offerings, the Dell offering for medical organizations uses our signal sign on solutions.  So you know there’s a lot of places where this 1+1=3 can come to pass because it’s, you know, all offered by the same organization.

Randy:   And that’s what I would want and expect if I’m going to make a commitment and say all right, I’m not just going to automatically go out there and get the cheapest, newest and best of breed solution for each piece of the puzzle.  I want that synergistic benefit of going with a vendor.  If I’m going to go with one vendor, then I’m hoping for that synergy along with products.  The more of their products I use, the more of that 1+1=3. 

Todd:  Yeah, and the treads continue, you know where I mentioned earlier that adaptive context way of security.  Right now that involves few of our identity and access management solutions and our firewalls and the SecureWorks Counter Threat platform.  In the future that can expand to where the firewall is actually enforcing, not just helping make a decision, where an encryption solution from Dell is enforcing in addition to helping to make a decision and it can go anywhere and then when we build an API into it, then it can actually go beyond Dell and you can build your own contributive piece to that context where it thinks.  So you know we are excited about that, but you know it all comes down to it’s one big stable strong company that can provide it to you.

Randy:   That’s cool.  Folks normally you’re used to seeing me or at least listening to me more, but this is an opportunity I get to talk to the people like Todd that make all the real training for free™ webinars possible and I said let’s just talk about their products a little bit.  So thank you, thanks for all the great webinars that you’ve sponsored over the years.  We get lots of people that come up and say I go to every single one of your webinars and when we need answers especially on windows security log, they come here, but you guys are the ones that make that possible, so thanks.

Todd:   Thanks for allowing us to do it.  We find a lot of value in it as well.

Randy:  Well, take care.

Todd:  Thanks Randy.

email this digg reddit dzone
comments (0)references (0)

Related:
Automating Review and Response to Security Events
Live with Dell at RSA 2015
The Growing Threat of Friendly Fire from Vendors
Understanding the Difference between “Account Logon” and “Logon/Logoff” Events in the Windows Security Log

Live at RSA: Stopping Key Logging and Screen Scraping

Thu, 23 Apr 2015 10:43:55 GMT

As you know I view compromised user endpoints (aka workstations and laptops) as the biggest risk facing us today.  And that’s why I love application control (aka whitelisting) from UWS sponsors like (Lumension and Bit9+CarbonBlack).  But there’s one single silver bullet – defense-in-depth right?  One of the scary things bad guys can do once they have code running on your user’s endpoint is log key strokes, change your keystrokes and record (aka scrape) your screen – and even potentially re-write your screen. So it was cool when, while wondering the booths at RSA 2015 I met Mark L. Kay, of StrikeForce Technologies, who is a kindred soul on this concern.  Their GuardedID software is designed to prevent “malicious keylogging programs by encrypting every keystroke at the point of pressing the keys, and rerouting those encrypted keystrokes directly to your Internet Explorer browser through its own unique path”.  The products appear to be targeted primarily at consumers but Mark told me they do have enterprise customers and their website does have an Enterprise section showing how to deploy GuardedID by group policy.  If you are at RSA 2015 check them out at booth 1227 in the South Hall. 

email this digg reddit dzone
comments (0)references (0)

Related:
Live with Dell at RSA 2015
Automating Review and Response to Security Events
Understanding the Difference between “Account Logon” and “Logon/Logoff” Events in the Windows Security Log
Live with LogRhythm at RSA

Live at RSA: FIDO authentication protocols and checking in real-time for user presence

Thu, 23 Apr 2015 10:30:32 GMT

There are a LOT of authentication companies at RSA 2015 this year.  It’s been fun learning the difference between them – and there are big differences.  

Arshad Noor from open source company StrongAuth (South Hall booth 2332), came by the UltimateWindowsSecurity.com booth (South 2240) and briefed me on the relatively new FIDO (Fast IDentity Online) authentication protocols.  FIDO protocols are interesting for a lot reasons but what Arshad said about “user presence” got my attention.  One of my top concerns is how a compromised user endpoint can effectively defeat even the strongest authentication schemes.  (2 Factor, SSO, Federation and Cloud Identity are Awesome but it’s all for Naught if You Leave this One Backdoor Open ) If your endpoint is compromised, malware can wait until you authenticate and then piggy back off that authentication using a host of different methods.  So you have to attack that on 2 different fronts: preventing malware and for really high value operations you need to get reassurance at that moment in time that the user is present and the one initiating that operation.  Just checking for user presence still doesn’t solve for every sophisticated scenario but it gets you a lot closer.  But as with all things security, if you aren’t careful you end up making things so inconvenient for the user that you get in the way of business and asking users to go all the way back through onerous authentication steps at seemingly random times is a great way to get in the way of business.  So that’s why Arshad got my attention when he mentioned “user presence”.  

FIDO makes it easy for an application, including web applications, to reach out to the users FIDO compliant token and ask for real-time user presence verification.  It’s up to the token vendor how to implement this but the example Arshad talked about was a simple token started flashing and LED.  All the user has to do is touch the token to say “yes, I’m here and initiating this transaction”.  Then the token signs the verification response with its private key tied to that application and user and sends it back to the server.  That’s got to be the lightest weight 2nd factor user presence check I’ve seen.  I’ll be talking a lot more about the risks at the intersection of authentication and endpoint security but if you’d like to learn more about the FIDO protocols visit the FIDO Alliance.    

email this digg reddit dzone
comments (0)references (0)

Related:
Live with Dell at RSA 2015
Understanding the Difference between “Account Logon” and “Logon/Logoff” Events in the Windows Security Log
Virtualization Security: What Are the Real World Risks?
Automating Review and Response to Security Events

previous | next

powered by Bloget™

Search


Categories
Recent Blogs
Archive