Security, et al

Randy's Blog on Infosec and Other Stuff

Live with SecureAuth at RSA 2015

Thu, 23 Apr 2015 15:51:34 GMT

Darin Pendergraft from SecureAuth stopped by the UltimateWindowsSecurity booth (South 2240).  Visit SecureAuth in the South Hall at booth 2107 and be sure to see their interactive product demo using the Oculus Rift!



Live at RSA: Visualize Your Network and Access Paths Correlated with Relevant Vulnerabilities

Thu, 23 Apr 2015 15:02:44 GMT

Here’s another cool thing I found, this time at Redseal’s South Booth 1107.  Their software collects configuration and state data from all your routers, firewalls and switches and builds an incredible visualization of your network and its structure.  But that’s only the beginning.  It makes it easy to color code different segments of network with classifications like DMZ, Internet and various internal zones.  Then it shows you the paths different protocols and applications can take throughout your network.  You can select any device or host and instantly trace out all possible paths that data can take to or from that node.  I wish I’d had that recently when I was re-designing our 2 data centers to provide better isolation of our virtualization hosts and some labs that outsiders need to access.  It was such a nightmare to test and validate that the policies I’d architected were configured correctly and that the wrong traffic was blocked and the right traffic permitted.  For instance we needed the 2 virtualization infrastructure networks to communicate over the site-to-site VPN with each other but only allow admin access from our jumpbox.  But Redseal goes beyond this by consuming the results from any vulnerability scanner.  Redseal doesn’t just plot those vulnerabilities on your network visualization – that’s not really that hard.  Instead they analyze the vulnerabilities found by your scanner against the known access paths on your network and surface the vulnerabilities that really count: those that are accessible via the actual access paths open on your network.  Pretty cool stuff.
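The "vulnerabilities that really count" idea, as an added Go example that is not Redseal's code or part of the original post: firewall permit rules between zones and the scanner findings are constructed sample data, and a finding is surfaced only when a permitted path on its port leads from the chosen source zone (Internet, Corp or the jumpbox) to the host's zone, with the exposing path traced out.

```go
package main

import (
	"fmt"
	"sort"
)

// Zone is a network segment such as Internet, DMZ or an internal zone.
type Zone string

// Rule is one permit entry collected from a firewall or router ACL:
// traffic from zone From may enter zone To on TCP port Port.
type Rule struct {
	From, To Zone
	Port     int
}

// Finding is a scanner result: host Host in zone Zone has vulnerability ID on port Port.
type Finding struct {
	ID   string
	Host string
	Zone Zone
	Port int
}

// pathTo returns the hop-by-hop zone path from src to dst along rules that permit
// traffic to port on every hop (breadth-first, so it is a shortest path); nil means unreachable.
func pathTo(rules []Rule, src, dst Zone, port int) []Zone {
	prev := map[Zone]Zone{src: src}
	queue := []Zone{src}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == dst {
			var path []Zone // walk predecessors back to src to rebuild the path
			for z := dst; ; z = prev[z] {
				path = append([]Zone{z}, path...)
				if z == src {
					return path
				}
			}
		}
		for _, r := range rules {
			if r.From != cur || r.Port != port {
				continue
			}
			if _, seen := prev[r.To]; !seen {
				prev[r.To] = cur
				queue = append(queue, r.To)
			}
		}
	}
	return nil
}

// exposed keeps only the findings whose vulnerable port is reachable from src
// over permitted access paths, returning the path that exposes each one.
func exposed(rules []Rule, findings []Finding, src Zone) map[string][]Zone {
	out := map[string][]Zone{}
	for _, f := range findings {
		if p := pathTo(rules, src, f.Zone, f.Port); p != nil {
			out[f.ID] = p
		}
	}
	return out
}

// Constructed sample rules: a DMZ, a corporate zone, a virtualization zone reachable
// only from Corp and a jumpbox, and a lab that outsiders reach over SSH.
var sampleRules = []Rule{
	{"Internet", "DMZ", 443},
	{"Internet", "Lab", 22},
	{"DMZ", "Corp", 1433},
	{"Corp", "DMZ", 443},
	{"Corp", "Virt", 443},
	{"Corp", "Virt", 22},
	{"Jumpbox", "Virt", 22},
}

// Constructed scanner findings; the IDs are placeholders, not real advisories.
var sampleFindings = []Finding{
	{"FND-1", "web01", "DMZ", 443},
	{"FND-2", "db01", "Corp", 1433},
	{"FND-3", "lab01", "Lab", 22},
	{"FND-4", "esx01", "Virt", 443},
	{"FND-5", "esx01", "Virt", 22},
}

func main() {
	for _, src := range []Zone{"Internet", "Corp", "Jumpbox"} {
		hits := exposed(sampleRules, sampleFindings, src)
		ids := make([]string, 0, len(hits))
		for id := range hits {
			ids = append(ids, id)
		}
		sort.Strings(ids) // stable listing order
		fmt.Printf("findings reachable from %s:\n", src)
		for _, id := range ids {
			fmt.Printf("  %s via %v\n", id, hits[id])
		}
	}
}
```

Note that db01's SQL port is flagged by the scanner but never surfaced from the Internet because no Internet-facing rule permits 1433, which is exactly the prioritisation the post describes.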


Finally, a new and different way to mitigate the risk of compromised user endpoints

Thu, 23 Apr 2015 14:51:06 GMT

Here’s another find from the South Hall at RSA 2015 I came across (I’d snuck away from the UWS booth while Barry wasn’t looking.)  The 2,000+ of you who’ve attended my recent endpoint security webinars know how much I worry about endpoint security – especially user endpoints (laptops and workstations).  On my daily hike I actually puzzle over new ways to address this risk and I wish I’d come up with the idea Bromium has already implemented.  The messaging on booths here makes it hard to figure out what companies do but “isolation” and “endpoint risks” caught my eye as I walked past Bromium’s booth 2007.  From talking to Bill Gardner I learned that Bromium was started by virtualization experts formerly at XenSource.  Bromium inserts a hypervisor between the metal and OS of your endpoint.  Then each application is isolated in its own micro-virtual machine.  This is something I want to learn more about.  Depending on how isolated applications really are and how clean the user experience is – this could be really awesome.


Live with Dell at RSA 2015

Thu, 23 Apr 2015 12:09:35 GMT

Dell Software is my longest-time sponsor and has made possible many hours of my real training for free™ webinars.  We don’t usually give them much time to talk about their products on my webinars and they are really nice about that.  So I thought I’d sit down for a few minutes at the UltimateWindowsSecurity.com booth here at RSA 2015 with Todd Peterson.  You never hear from Todd on the webinars but he is one of the main folks behind making them possible and he has a good perspective on Dell Software’s sizable portfolio of security products.  Our conversation centered around the Dell Software security portfolio as a whole and what makes it compelling compared to point solutions.

(Transcript below video)

Randy:  Alright, so back at the Ultimate Windows Security Booth at RSA.  This time I’ve got Todd Peterson from Dell.  And folks, you probably have, I don’t know if you’ve heard Todd before, but you’ve heard a lot of other Dell people because Dell and before that Quest have been pretty much our best and biggest sponsor of real training for free™, so thanks a lot for that through the years Todd.  But, here’s what I want to talk to you about and I’m picking this topic for you because how many security products does Dell have?

Todd: Lots.

Randy:  Yeah.

Todd:   I mean, Dell kind of has the strategy of baking security into everything they do, so you know, if you want to be really technical, every laptop, every tablet, every server, every router, every switch has security baked into it.  If you want to be a little more literal on the classic security products, firewalls, data encryption, it’s probably 40 or 50 separate offerings across the whole line.  Most of them under the Dell software group umbrella.

Randy:  So, if we want to buy “a security”, we can go to….

Todd:  Yeah, yeah I’m happy to sell you an app for security. 

Randy:  Right.  Okay, but the thing of it is, is then and you’re the perfect person to expound on this, is do we go after security piecemeal, like here’s my risk, I want to solve this problem or do we build a security stack and think strategically, how are we going to make all these pieces fit together and then the risk is time to value and functionality but we never get anything out the door?

Todd:   I think in a perfect world, you do the latter.  You plan it out, you build security from the ground up, everything fits together and works great, but we know that that never actually happens.  So you end up with a piecemeal approach with whatever the fire of the day is or you know BYOD all of a sudden comes up and you didn’t even think about that, you know 12 years ago when buying a server was your big deal and so piecemeal is the way it has to go, but if you approach piecemeal with the right strategy, there is going to be something next and you may not even know what it is.  So just make sure that you’re future looking with everything you do.  I think piecemeal can work and kind of give you that plan from the ground up, you know, result without actually having done it.

Randy:  Yeah, because what I fear is management coming and they’ve read about a breach and they’ve read what Gartner or whoever is saying at the time, we need to get control of mobile devices.  We don’t have a mobile device management.  Go get MDM and so you go and you buy an MDM point solution, you get that in place.  Iterate that a few more times and what you’ve ended up with is a whole bunch of solutions, maybe a lot of them really cool, but they were from startups, a lot of them.  They’ve gotten bought by someone else over the years, who knows what has happened and do they all talk to each other.  Because that’s the other thing, Todd, is getting your security products to talk to each other is opening up a whole new world of synergy, so given that you’re a company with 40-50 different security products, you probably have feelings on these issues.

Todd:   Yeah, I mean obviously you want them to talk to each other, but, you know the reality is people are often, you know you have pressure, you have to solve the problem today, so you’re going to go out and you know, whoever you’re hearing the most about to solve that problem is at the top of the list.  Maybe you’ll implement them, maybe you won’t, but you know, then down in the future, the next thing comes up and that solution’s great, but the next thing can’t be solved by that solution, so you do it again.  So, what you end up with is you’re defining security and the controls that provide security, so, an identity of a person, a person’s authorizations, the way you authenticate, what it means to be somebody, you’ve defined that in each and every one of those silos, and you’ll probably define it differently.  So then standards emerge, that if you’re able to wait for the standard to take over, that makes it a little easier.  You know, only use SAML authentication, that solves a lot of the problems.  Use other standards as the baseline.  That’s good, but a lot of times the problem can’t be solved at that time.  So you just need to look for things that are on the cutting edge of standards, but also for a strategy of not reinventing the wheel every time a security issue comes up.  You don’t want 12 Randys across 12 different security silos.  You want 1 Randy that’s applied 12 times across 12 silos, if that makes sense.

Randy:   Well, that’s ironic since Dell is, would you say your core security product is your one identity solution?

Todd:  I would definitely say that. 

Randy:  Yes.  Well let’s come back to that and talk about what is the core of a company’s security stack, but I think what you’re getting at is that to build a house, you have to put the foundation in first, you cannot say, you know, the biggest thing I need right now is a roof, and then I’ll come back and do the foundation.  There’s a sequence that you have to build things in.  Alright, with an IT environment, that’s not really the case.  You do have the option to say these are my biggest pain points.  I don’t have a roof over my head, I know I don’t have a great foundation for identity or whatever, but I need to get that roof over my head in terms of two factor authentication or mock change auditing, whatever.  I could go put that roof in and I can say I also need this door over here with a lock on it, but so that’s piecemeal, but what you’re saying is that what we want to do is be looking towards the future and saying at the end of the day we want a house that’s all connected to each other and doesn’t look like we bought a trailer and then added on a family room.

Todd:    Or worst case, you end up with 12 trailers.

Randy:  Well that’s ugly.

Todd:  So yeah, I mean totally.  And what I would say to that foundation is as you’re putting the roof on, let’s say you’re just doing your roof, you know, you do have the opportunity at that time to form up the foundation and set it up so that when you put in the walls, when you put in this door, when you add on to the house, that those things can happen easier without re-pouring a new foundation.  So, you know, getting that foundation solid and then right along with that first big fire that you’re putting out, is probably the best approach and I would say that foundation is what I mentioned earlier…identity, role, authorizations, authentication, you know, getting those things set because if people can’t get to the stuff they need to do their job, there’s no point, that’s why it’s there.  Security is often viewed as a barrier to people doing their jobs because it’s another person saying no instead of another person saying yes.  But, if that foundation is right, there’s going to be opportunities to say yes, go way up and the opportunities for the temptation to say no unnecessarily has just disappeared. 

Randy:  Yeah, well that’s, I always go back to we’re in business to do business, not to be secure.  Secure doesn’t make money.  So I think what I’m hearing is you’re thinking about what we’re hearing from a lot of folks is the whole whether you want to call it dynamic or adaptive security, right, being able to dynamically say I need more assurance that this really is Bob, right?

Todd:  Yeah and if you think about the way security is normally implemented as a silo approach, you know, you’re on-prem you’re using a company controlled device.  There is a set of rules, you follow those rules and you’re allowed to get to something.  So you go off-prem they’ve established another set of rules for that and you follow those rules, you’re allowed, you’re using their mobile device, a different set of rules, data encryption is involved, different set of rules.  You’re coming from an IP that’s unknown to the organization, a different set of rules.  So, each of those can return a yes or no decision.  If any one of those 5 things returns a no, the answer is no, even though I may legitimately be doing things that’s going to be absolutely secure, but one says no.  But, what if you take into account the context of the who, what, when, where, why, how and past history to make a dynamic decision in real time that says hey I know who you are, I know where you are, I don’t know your device, but I know that your history means that you’ve come in from a device like this one and so I’m going to allow you in.  So you can kind of take into account the varying strengths of the yes and no decisions to return an accurate decision that changes in real time depending on the situation.  You know, that’s I think the nirvana of security.

Randy:  So, going back to the building at your security stack and piecemeal and looking toward the future and so on, you know, what do we get if we make a commitment to Dell in terms of… you know, I have to have a lot of worry.  My supply management people have worry every time I bring in another vendor or another partner on board.  All right, how healthy are they, are they going to be in business, what’s their limits of support and so on.  So I mean, what’s codified in terms of if we come to Dell and saying if possible we’re going to try to get our different pieces of security from Dell?

Todd:   Well, obviously we would like that, but the advantage is Dell is a very mature, very stable company that’s not going anywhere and has a long legacy of very happy customers including customer service excellent support and each of the acquisitions that they’ve made have been of companies with an equal to a lesser degree, but an equal reputation, so they acquired Quest, which is where I came from.  You know, Quest has some of the industry leading customer satisfaction numbers on a software side.  The security software, being Identity Access Management stuff, is the leading satisfaction among the questions. So all of these things come into play that you know, you’re going to eventually have to buy a firewall if you don’t already have one or you may have to upgrade your firewall.  You’re going to have to buy something for identity and access management, something for privilege management, something for authentication.  You’ll probably eventually need a data encryption type of solution.  You’re going to need security baked into your servers and your laptops and your tablets and your desktop computers.  If that ultimately is in the same place and you know it’s not going anywhere, then you already trust and you know you can continue to trust, that really alleviates a lot of the danger, a lot of the risk and a lot of the worry of am I really going to be secure next year with the decision I make today?  With Dell, we feel and I think that history proves that yeah you’re set for years and years and years and years, at least from a peace of mind state.

Randy:   Well, it is, I’m always amazed.  I can never keep track of all the different security solutions that you have and you’re starting to make them talk to each other more too.

Todd:   Yeah, absolutely.

Randy:  I think that’s important and that’s something maybe that I had wished for more in former days and I’m seeing more now, so…

Todd:  Yeah, for example a lot of our authentication solutions, our multifactor authentication, our federation solution are beginning to be reused by other Dell technologies.  So the Dell KACE MDM solution uses our single sign on federation.  The Dell SonicWall firewalls use our multifactor authentication.  You know, all their offerings, the Dell offering for medical organizations uses our single sign on solutions.  So you know there’s a lot of places where this 1+1=3 can come to pass because it’s, you know, all offered by the same organization.

Randy:   And that’s what I would want and expect if I’m going to make a commitment and say all right, I’m not just going to automatically go out there and get the cheapest, newest and best of breed solution for each piece of the puzzle.  I want that synergistic benefit of going with a vendor.  If I’m going to go with one vendor, then I’m hoping for that synergy along with products.  The more of their products I use, the more of that 1+1=3. 

Todd:  Yeah, and the trends continue, you know where I mentioned earlier that adaptive context way of security.  Right now that involves a few of our identity and access management solutions and our firewalls and the SecureWorks Counter Threat platform.  In the future that can expand to where the firewall is actually enforcing, not just helping make a decision, where an encryption solution from Dell is enforcing in addition to helping to make a decision and it can go anywhere and then when we build an API into it, then it can actually go beyond Dell and you can build your own contributive piece to that context where it thinks.  So you know we are excited about that, but you know it all comes down to it’s one big stable strong company that can provide it to you.

Randy:   That’s cool.  Folks normally you’re used to seeing me or at least listening to me more, but this is an opportunity I get to talk to the people like Todd that make all the real training for free™ webinars possible and I said let’s just talk about their products a little bit.  So thank you, thanks for all the great webinars that you’ve sponsored over the years.  We get lots of people that come up and say I go to every single one of your webinars and when we need answers especially on the Windows security log, they come here, but you guys are the ones that make that possible, so thanks.

Todd:   Thanks for allowing us to do it.  We find a lot of value in it as well.

Randy:  Well, take care.

Todd:  Thanks Randy.


Live at RSA: Stopping Key Logging and Screen Scraping

Thu, 23 Apr 2015 10:43:55 GMT

As you know I view compromised user endpoints (aka workstations and laptops) as the biggest risk facing us today.  And that’s why I love application control (aka whitelisting) from UWS sponsors like Lumension and Bit9+Carbon Black.  But there’s no single silver bullet – defense-in-depth right?  One of the scary things bad guys can do once they have code running on your user’s endpoint is log keystrokes, change your keystrokes and record (aka scrape) your screen – and even potentially re-write your screen. So it was cool when, while wandering the booths at RSA 2015, I met Mark L. Kay of StrikeForce Technologies, who is a kindred soul on this concern.  Their GuardedID software is designed to prevent “malicious keylogging programs by encrypting every keystroke at the point of pressing the keys, and rerouting those encrypted keystrokes directly to your Internet Explorer browser through its own unique path”.  The products appear to be targeted primarily at consumers but Mark told me they do have enterprise customers and their website does have an Enterprise section showing how to deploy GuardedID by group policy.  If you are at RSA 2015 check them out at booth 1227 in the South Hall.


Live at RSA: FIDO authentication protocols and checking in real-time for user presence

Thu, 23 Apr 2015 10:30:32 GMT

There are a LOT of authentication companies at RSA 2015 this year.  It’s been fun learning the difference between them – and there are big differences.

Arshad Noor from open source company StrongAuth (South Hall booth 2332), came by the UltimateWindowsSecurity.com booth (South 2240) and briefed me on the relatively new FIDO (Fast IDentity Online) authentication protocols.  FIDO protocols are interesting for a lot of reasons but what Arshad said about “user presence” got my attention.  One of my top concerns is how a compromised user endpoint can effectively defeat even the strongest authentication schemes.  (2 Factor, SSO, Federation and Cloud Identity are Awesome but it’s all for Naught if You Leave this One Backdoor Open)  If your endpoint is compromised, malware can wait until you authenticate and then piggyback off that authentication using a host of different methods.  So you have to attack that on 2 different fronts: preventing malware and, for really high value operations, getting reassurance at that moment in time that the user is present and the one initiating that operation.  Just checking for user presence still doesn’t solve for every sophisticated scenario but it gets you a lot closer.  But as with all things security, if you aren’t careful you end up making things so inconvenient for the user that you get in the way of business, and asking users to go all the way back through onerous authentication steps at seemingly random times is a great way to get in the way of business.  So that’s why Arshad got my attention when he mentioned “user presence”.

FIDO makes it easy for an application, including web applications, to reach out to the user’s FIDO-compliant token and ask for real-time user presence verification.  It’s up to the token vendor how to implement this but the example Arshad talked about was a simple token that started flashing an LED.  All the user has to do is touch the token to say “yes, I’m here and initiating this transaction”.  Then the token signs the verification response with its private key tied to that application and user and sends it back to the server.  That’s got to be the lightest-weight 2nd factor user presence check I’ve seen.  I’ll be talking a lot more about the risks at the intersection of authentication and endpoint security but if you’d like to learn more about the FIDO protocols visit the FIDO Alliance.
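The exchange described above, as an added Go sketch that is neither the FIDO Alliance's nor StrongAuth's code: the token holds a P-256 key per (application, user) registration, sets a presence bit only when "touched", and signs the app id, flags, counter and server challenge; the server verifies the signature under the registered public key and refuses any reply that lacks the presence bit or whose counter did not advance. The field layout and the touched flag are simplifications assumed here, not the real FIDO U2F message format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const presenceFlag byte = 0x01 // set only when the user physically touched the token
// Token models a FIDO authenticator: one key pair per (application, user) registration
// that never leaves the device, plus a signature counter.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// Assertion is the signed reply the application relays back to the server.
type Assertion struct {
	Flags     byte
	Counter   uint32
	Signature []byte
}

// Registration is the server's record for one token/app/user pairing.
type Registration struct {
	Pub         *ecdsa.PublicKey
	LastCounter uint32
}

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }
// Register creates the app/user-specific key pair and hands back only the public key.
func (t *Token) Register(regID string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[regID] = k
	return &k.PublicKey, nil
}

// signedData hashes app id, flags, counter and challenge so the signature is bound to this app, request and token state.
func signedData(appID string, flags byte, counter uint32, challenge []byte) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h := sha256.New()
	h.Write([]byte(appID))
	h.Write([]byte{flags})
	h.Write(c[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a presence request; touched simulates the tap, and without it the presence bit stays clear.
func (t *Token) Sign(regID, appID string, challenge []byte, touched bool) (*Assertion, error) {
	k, ok := t.keys[regID]
	if !ok {
		return nil, errors.New("token has no key for this application/user")
	}
	var flags byte
	if touched {
		flags |= presenceFlag
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, k, signedData(appID, flags, t.counter, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{Flags: flags, Counter: t.counter, Signature: sig}, nil
}

// VerifyPresence accepts only a valid signature with the presence bit set and an advancing counter.
func (r *Registration) VerifyPresence(appID string, challenge []byte, a *Assertion) error {
	if !ecdsa.VerifyASN1(r.Pub, signedData(appID, a.Flags, a.Counter, challenge), a.Signature) {
		return errors.New("bad signature: wrong key, wrong application or tampered response")
	}
	if a.Flags&presenceFlag == 0 {
		return errors.New("user presence not confirmed")
	}
	if a.Counter <= r.LastCounter {
		return errors.New("counter did not advance: replayed or cloned response")
	}
	r.LastCounter = a.Counter
	return nil
}

func main() {
	tok := NewToken()
	pub, _ := tok.Register("app.example/bob")
	reg := &Registration{Pub: pub}
	challenge := make([]byte, 32) // a real server draws this fresh for every request
	rand.Read(challenge)
	a, _ := tok.Sign("app.example/bob", "https://app.example", challenge, true)
	fmt.Println("touched:", reg.VerifyPresence("https://app.example", challenge, a))
	a, _ = tok.Sign("app.example/bob", "https://app.example", challenge, false)
	fmt.Println("no touch:", reg.VerifyPresence("https://app.example", challenge, a))
}
```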


Live with Duo Security at RSA 2015

Thu, 23 Apr 2015 10:11:16 GMT

Duo Security is a cloud-based 2-factor authentication service that I’ve been following for some time.  I sat down with Ash at the UWS booth here at RSA (#2240 South Hall).  Here's the #1 thing you need to know about Duo Security.  It's the easiest and fastest 2-factor authentication solution I've seen.  Here are some highlights of our discussion about some of the cool things I like about Duo Security and their new Platform product.

Duo Security is close by at #2345 in the South Hall.

(Transcript below video)

Randy Smith:  Ash, Randy Smith here.

Ash:  Hi, Randy  it’s good meeting you.

Randy Smith:  Yeah, I’ve got Ash here at the UltimateWindowsSecurity.com booth here at RSA. Ash is with DUO Security. I don’t know if you’re familiar with DUO. I wanted to talk to you guys because we’ve actually been using DUO Security as one of our authentication solutions for quite a while. And I don’t want to steal your thunder but what I love about it is that it’s service based. It’s just a token that runs right on your smart phone and it’s so easy to install.  Alright, so anyway, like I said, I think it’s a neat solution, but how did you get started? Let me let you put it in your own words, what makes you different from a lot of the other solutions out there?

Ash:   Sure, so a couple of things.  By the way, thanks for having me here.  We do two factor authentication and that’s what the company started as almost five years ago.   What we did is take this very reliable two factor authentication security control and make it radically easy. So when you request a two factor authentication people are used to typing in a six digit number and typically get an SMS or hardware token. We took that away and the end user gets something like this… a push notification. All the end user does is hit the green button, right?  If it’s not the authentication they are requesting they hit the red button. That’s all they do and boom you’re in.  It looks very easy in the front end but in the back end it’s really secure. When they hit the green button, they’re actually signing with their private key on the device and telling them, “Yes, this is really me.” So that’s what the company really started with almost five years ago.

Randy Smith:    The other thing I love is there’s nothing to install except the agent, if you call it that, maybe you have a different word that you prefer. Put the agent on each server you want to control  access to. So whether we are using it for our terminal services remote access or different servers for remote desktop. Also we’ve got it integrated into the back end of our website, but that’s all there was to install. Everything else we manage from the cloud.

Ash:   That’s absolutely right, Randy. A lot of our customers get the whole department up and running in three or four hours or less than 4 hours. We have cloud based that allows us to do this. We even have something called the “DUO five minute challenge.” If you Google for it you’ll find it. It tells you how to get DUO up and running in less than five minutes. You know, we take pride in that but I think it’s one of those secure controls that you want to get up and running as fast as possible.

Randy Smith:   So what is it again that you support?

Ash:    We support all VPNs: Cisco, Juniper, F5. We support RDP from Microsoft. We also support a bunch of web applications. Also a bunch of product applications like Office 365, Google and Google applications, Amazon AWS and so on. Recently we also started supporting all the SSO. If you are using something like OneLogin or Ping or Okta then we work out of the box with all of these as well.

Randy Smith:    So, but, you’ve got this new thing “platform”. What’s that?

Ash:   Yep. So Platform is a new addition that we launched last week, we’re very excited about it. It takes us beyond 2FA in securing access. It’s kind of a cliché when you say we secure access for any device and any user or any application but that’s really what we’re doing. So some of the functionality that you get is, without installing any agent or any MDM on your mobile device, you can get visibility into one or all of the devices our users may have. Are they iOS devices or are they Android devices and what version of it? Are they jailbroken? Are these free login phones?  It’s kind of a mobile compliance without installing an MDM agent. You can also secure access to cloud through policy and control. A typical thing is I want to block users from China logging into my Salesforce.com and you can set that up just by click of a policy down.

Randy Smith:    So you are able to leverage the fact that you already have an app running on that device so you can do more than just ask the user is it okay to log on.

Ash:    That’s absolutely right. You know, one thing that a lot of people do not understand is the kind of APIs iOS and Android have and the kind of querying and control you can do just through the APIs. We no longer live in the world of Windows XP where you need an agent for everything. So the app we have on the device talks through the API that does all the querying. These are APIs that were released like ten months ago. So we’re taking advantage of all the APIs and eliminating the need of a ticketing agent or an MDM agent and just doing the right security stuff on the device.

Randy Smith:    Alright, well I’m going to be real interested to see what you can do with that.  Well, cool. Thanks. It was nice to meet you and we’re looking forward to learning more about your platform.

Ash:    Be sure to look on duosecurity.com. Thank you.


Best Practices Primer for Managed File Transfer

Wed, 22 Apr 2015 17:02:46 GMT


  • Why managed file transfer matters
  • The basics of file transfer security and compliance
  • How to improve IT agility with managed file transfer automation
  • Key requirements for managed file transfer solutions
Download now or get your signed copy at booth 2138 South Hall at RSA 2015.


Live with LogRhythm at RSA

Tue, 21 Apr 2015 16:03:25 GMT

Dave Pack from LogRhythm dropped in to see me at the UltimateWindowsSecurity.com booth (come see us at booth 2240 South Hall) here at RSA.  As you know LogRhythm has been sponsoring my real training for free™ webinars for many years and is one of my favorite SIEMs so I thought I’d do a quick interview to see what’s new at LogRhythm.

Video transcript:

Randy:  Alright, so we’re live here at RSA at the UltimateWindowsSecurity Booth and I’ve got David Pack here.  We’ve done a lot of webinars together in the past on the Windows Security log.  LogRhythm has got an awesome SIEM.  You know how much I love it for a number of reasons.  So what’s new?  What are you guys doing?  What’s some big stuff?

David:  Yeah, so what we’re really focusing on is building a workflow to handle the full threat life cycle.

Randy:  Ok.

David:   You know, everything from that initial detection to providing the tools to validate and qualify the detection, moving it into case management where evidence can be gathered and you know, a true, full picture of the story be put together and then ultimately adding on automated response actions to that.  You know, the whole goal is to lower the time to detect these events and then also lower the time to respond to these events, get them identified and cleaned up as quickly as possible.

Randy:  So, you know, what is that that you’re doing?  Are you building, you know, I can take notes and I can add stakeholders to this incident and document what is my resolution?

David:  That’s right.  It’s a fully integrated case management feature within the SIEM and you know, the workflows are, you can add evidence, different types of evidence.  It could be log data, it could be raw logs, it could be attachments, it could be notes.  Add different collaborators in.  You could get to the case from a URL where you add an external collaborator that doesn’t actually have an account with a login.  You might need HR to come do one specific task.  You can add them and then they do their task and move on.

Randy:   Yeah, because what if you’ve got a company that is already using another collaboration tool, like, I hate to use other product names while I’m interviewing a good sponsor friend, but you know, like Asana, Wrike, because you know we are looking at using that kind of stuff, but that’s cool you could just create a new task or project over there if there’s other stakeholders that you don’t want in your SIEM.

David:  That’s right.

Randy:  And just put that URL there. 

David:  Yeah, and there’s an API to integrate and some integration in the works with some of those other popular ticketing and case management type systems that are out there. So we kind of understand we need to play well with other solutions.  This is really supposed to be the start at least of that threat management life cycle.

Randy:  I like that.  So instead of just, hey, there’s something you need to look at and then you’re on your own, we’re going to facilitate the whole process, because that’s really only the beginning, the alert in the SIEM or that light on the dashboard, really that’s just the beginning.

David:  That’s right.  What we were seeing, a lot of people were dropping alerts or, you know, they’d start working on one and got pulled away to do something else, came back and a different alert may have come in and that initial one kind of was forgotten about, so they didn’t really have a place to, alright let’s start a case here, formal workflow, formal collaborators, a place to gather other types of evidence and workflow and pull it all together.

Randy: I like it.  What about knowledge management?  Do you still work in the knowledge engineering area?

David: It’s LogRhythm Labs.

Randy: So, I’m always interested in that because obviously what built UltimateWindowsSecurity and what my folks, my audience, is always interested in is how do we interpret log data, and you guys have made such a big investment over the years with a whole department devoted to getting that knowledge and codifying it inside LogRhythm.  So, I’m always interested in hearing what’s new there.

David: So that’s still happening.  That’s just an ongoing investment, you know, we write all the parsing and normalization rules.  That’s really what enables our real time analytics engine to do its job, basically adding structure to all its log data.  So that’s an ongoing thing, something we always do for everything that can generate a log out there.  The other half of LogRhythm Labs is really focused on the security analytics, the actual analytic rules that are finding bad things that are happening.  So one of the things we’ve recently done is developed what we call a security analytics co-pilot service where we will help organizations get these analytical modules properly deployed in their environment, up and running.  We will have periodic check-ins to help them understand what is the meaning when this alert fires.  We’ll give them some recommended actions to take.  Okay, you might want to drill down on the impacted host and then pivot off to this user, and really kind of be their analytics co-pilot, help them get the most they can out of all the content that LogRhythm Labs is producing.

Randy:  That’s cool.  You know, the fact that you guys, I know that I always harp on this, but it’s still, I think, core to what makes LogRhythm what it is and it’s the normalization and categorization, but here’s the thing that always gets me.  Alright, parse as many log sources as you can, but when you come up with a threat signature, you don’t have to write that threat signature for every log source out there that produces those kind of events, right?

David: That’s right.  

Randy:  Can you just explain how the fact that the events are normalized allows you to really write that threat signature criteria or rule one time?

David: Right, so you know, so all of these rules are basically working against the normalized layer of data, in LogRhythm terminology.

Randy: A logon is a logon is a logon.

David: A logon is a logon.  Every log that comes through the system is identified as what we call a common event, where a logon is a logon regardless of the operating system or the application.  So the rule might say, you know, X number of failed logons followed by logons, so classic use case, but because we’re normalizing everything across the board, it works against everything.

Randy:  Yeah, yeah, that’s cool.  Well, I love that.  I also love the fact, let me just put a plug in for my software company LogBinder.  You guys have integrated and normalized the events that our software LogBinder generates from SharePoint, SQL Server and Exchange right into the rest of everything else that LogRhythm can show you.  And so, we’ve got some customers in common that are using that to good effect.

David:  Absolutely, yeah, yeah, it’s great data for a SOC to have or an IT organization to have access to, and it’s pretty difficult to get to work without a product like yours, you know, working with a product like ours.

Randy:  Yeah.

David:  It’s a great relationship.

Randy: Some good synergy.

David: A lot of good value there, absolutely.

Randy: Alright, well thanks, I know you have to get back to your booth.  Thanks for coming by, David.

David: Thanks Randy.  Thanks for having me.

If you are at RSA come see me at booth 2240 in the South Hall; LogRhythm is at booth 1207, South Hall.
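As an added illustration (not LogRhythm's code or its rule language), here is a small Python sketch of the idea David describes: two different log sources are normalized into one common logon event, and a single failed-logons-then-success rule is written once against that layer and fires on either source. The sample lines, the CSV export layout and the field names are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
@dataclass
class CommonEvent:
    """The normalized layer: a logon is a logon, whatever produced it."""
    ts: datetime
    source: str
    event: str  # "logon_success" or "logon_failure"
    user: str
# Constructed samples (not real logs): a Windows Security log CSV export
# (timestamp,host,EventID,account) and sshd lines from a Linux auth.log.
WINDOWS_CSV = [
    "2015-04-23 15:50:01,DC01,4625,bob",
    "2015-04-23 15:50:09,DC01,4625,bob",
    "2015-04-23 15:50:15,DC01,4625,bob",
    "2015-04-23 15:50:30,DC01,4624,bob",
]
AUTH_LOG = [
    "Apr 23 15:52:10 web01 sshd[2201]: Failed password for alice from 10.0.0.5 port 5000 ssh2",
    "Apr 23 15:52:12 web01 sshd[2201]: Failed password for alice from 10.0.0.5 port 5000 ssh2",
    "Apr 23 15:52:14 web01 sshd[2201]: Failed password for alice from 10.0.0.5 port 5000 ssh2",
    "Apr 23 15:52:20 web01 sshd[2202]: Accepted password for alice from 10.0.0.5 port 5001 ssh2",
]
WIN_EVENTS = {"4624": "logon_success", "4625": "logon_failure"}  # Windows event IDs
SSH_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from")
def normalize_windows(line):
    """Map one CSV row of the Windows Security log onto a common event."""
    ts, _host, eid, user = line.split(",")
    if eid not in WIN_EVENTS:
        return None
    return CommonEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "windows", WIN_EVENTS[eid], user)

def normalize_sshd(line, year=2015):
    """Map one sshd auth.log line onto the same common event (syslog lines carry no year)."""
    m = SSH_RE.match(line)
    if not m:
        return None
    event = "logon_success" if m.group(2) == "Accepted" else "logon_failure"
    return CommonEvent(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), "sshd", event, m.group(3))

def failures_then_success(events, threshold=3, window_s=300):
    """One rule written once against the common-event layer, so it fires on any source."""
    hits, failures = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        recent = [t for t in failures.get(ev.user, []) if (ev.ts - t).total_seconds() <= window_s]
        if ev.event == "logon_failure":
            failures[ev.user] = recent + [ev.ts]
        elif len(recent) >= threshold:
            hits.append((ev.user, ev.source, len(recent)))
            failures[ev.user] = []
    return hits
```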


At the End of the Day You Can’t Control What Privileged Users Do: It’s about Detective/Deterrent Controls and Accountability

Tue, 31 Mar 2015 17:19:33 GMT

Sudo is awesome, and so is every other technology that helps you implement least privilege over admins. But at the end of the day you are just getting more granular with the risk; the risk is still there. Take a help desk staffer who needs to handle forgotten password resets for end users. Giving a privileged user like that just the authority she needs to get her job done is way less risky than giving her full root authority. But there’s still risk, right? If she is dishonest or becomes disgruntled she can reset the password of your chief engineer or CEO and access some heavy duty information.

So with any trusted user (whether a privileged admin or an end user whose responsibilities require access to sensitive resources) you are ultimately left with detective/deterrent controls. You can’t prevent a user from trying to use whatever authority they have for evil, but at least you can audit their activity. Ideally this gives you the chance to detect it and respond, and at the very least it ensures accountability, which is an important deterrent control. After all, if you know everything you do is being recorded and subject to review, you think more than twice about doing something bad.

Besides giving you a measure of control over malicious insiders, a privileged user audit trail is irreplaceable in today’s environment of advanced and persistent attackers. Such attackers actively try to gain privileged access, so you also need the ability to actively monitor privileged user activity for quick detection of suspicious events.

In past webinars with BeyondTrust I’ve talked about how to use sudo to control what admins can do. In this webinar I’ll look at how to audit what admins do inside Linux and UNIX with sudo’s logging capabilities.

Click here to register now.
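Added example, not the webinar's or BeyondTrust's material: a Python review pass over sudo's default syslog-style log lines that turns the audit trail into the detective control described above, flagging refused commands, password resets of a hypothetical high-value account list, and shells spawned as root. The log lines, host names and the watch list are constructed for the example.

```python
import re

# Constructed sample lines in sudo's default syslog format (not real logs).
SUDO_LOG = [
    "Mar 31 17:10:02 lx01 sudo: helpdesk : TTY=pts/0 ; PWD=/home/helpdesk ; USER=root ; COMMAND=/usr/bin/passwd jdoe",
    "Mar 31 17:12:45 lx01 sudo: helpdesk : TTY=pts/0 ; PWD=/home/helpdesk ; USER=root ; COMMAND=/usr/bin/passwd ceo",
    "Mar 31 17:13:10 lx01 sudo: helpdesk : command not allowed ; TTY=pts/0 ; PWD=/home/helpdesk ; USER=root ; COMMAND=/bin/bash",
    "Mar 31 17:15:30 lx01 sudo: mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Mar 31 17:19:33 lx01 sudo: opsadmin : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/su -",
]
# Accounts whose password reset should always be reviewed (hypothetical watch list).
HIGH_VALUE = {"ceo", "chiefeng", "root"}
SHELLS = {"/bin/bash", "/bin/sh", "/bin/su", "/usr/bin/su"}
LINE_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<reason>.*?) ; )?TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")

def parse(line):
    """Split one sudo line into user, optional refusal reason, tty, run-as user and command."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def review(lines):
    """Return (severity, user, detail) findings a reviewer should look at."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        argv = ev["cmd"].split() or [""]
        if ev["reason"]:  # sudo refused the command or authentication failed
            findings.append(("denied", ev["user"], f'{ev["reason"]}: {ev["cmd"]}'))
        elif argv[0].endswith("/passwd") and len(argv) > 1 and argv[1] in HIGH_VALUE:
            findings.append(("review", ev["user"], f"password reset for {argv[1]}"))
        elif argv[0] in SHELLS:
            # Once a shell is spawned sudo logs nothing further; what happens inside it
            # needs sudo's I/O logging (sudoreplay) or host-level auditing.
            findings.append(("review", ev["user"], f"interactive shell as {ev['runas']}"))
    return findings
```

The routine resets of ordinary accounts (the first line) produce no finding, which is the point: the audit trail stays reviewable because only the exceptions surface.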

