
Geek Speak

10 Posts authored by: katebrew

I attended Austin BSides on March 20.  What a great event for security practitioners.  I learned more in the one day for the princely sum of $10 than many $3000 RSA trips!!

 

BSides is dominated by security practitioners sharing their expertise, rather than vendors tirelessly (and tiresomely) plugging products.

 

Here is a photo from 10AM.  Note, beer has not yet been served.  You can just feel the excitement and anticipation.

Some Highlights from BSides Austin:

  • HD Moore, from Rapid7 and of Metasploit fame, delivered the Keynote.  He presented the results of his recent study, which involved probing the internet.  Yes, the whole internet.  The vulnerabilities he found were shocking.  As an aside, he showed some of the correspondence he received as a result of his probes.  Long story short, there were people who wanted him in handcuffs, until he explained the research value of his project.  Even then, it sounded like some people were still in favor of handcuffs.

  • Samuel Shapiro of Digital Defense covered Your Printer is why you got owned, which was a really fun talk backed up by a lot of experience and interesting stories.  Samuel nailed it: printers are just computers on the network.  Just because they talk to paper too doesn't mean they are not a target capable of being compromised, breached and used to get to other assets on the network.

 

  • At lunch, Max Westbrook, a Private Investigator, talked about his job, what he does on a daily basis and how he attained his PI license, and told us about some cases he had recently worked.

 

  • Michael Gough and Ian Robertson did a talk on the Malware Management Framework they are building.  They talked about malware (affectionately called "maulware" attacks) and how they have defeated them, without having to call out for reinforcements.  Michael has a fun and educational blog called HackerHurricane.

 

  • There was a great panel on Emerging Threats. Marcus Carey was a popular panelist, with his military and NSA experience and ThreatAgent.com, but I do have to note he was drinking Diet Pepsi whereas the other panelists were drinking beer.  Actually after about an hour, the panel became a bit more like a drinking game than a stodgy security panel, with anything from "PCI" to "Emerging Threats" becoming words demanding that all panelists drink.  Michael was the moderator and he was pretty militant enforcing that rule.


 


The Emerging Threats Panel.  Note: Beer has indeed been served.  Marcus is at the far left, nursing a Diet Pepsi as Michael enforces strict mandatory drinking requirements.

Interesting security comments / observations:

  • Unfortunately, Prevention is dead.  Total Fail.
  • When under attack and you've found the culprit, DO NOT show your hand.  Protect your assets, but let the guy think you still don't know.  Force him into a small area and keep an eye on him.
  • Security practitioners tend to believe the following are threats: users, IT, management, outsiders, insiders, 4 year old children, other countries, and everyone else.  The group could not agree on any group, or anyone, to trust.


Clare Nelson of ClearMark Consulting summed it up nicely, "When I compare my RSA trip last month, the content pales in comparison with BSides. Michael did another spectacular job directing BSides Austin to make it a truly valuable learning experience. For an RSA presentation to be accepted, all of the good stuff (failure of a product to function, war stories, etc) gets filtered out! This is truly a disservice, because no one in cybersecurity can afford to buy products that don't work."

 

All in all, it was a remarkable event.  Watch out for local BSides meetings coming up in your area - they are pretty awesome.  In the meantime, you could check out our SIEM, Log & Event Manager, with a free full-function 30 day trial.

I attended the Austin ISSA-sponsored Advanced Splunk Training session on March 6.  As always, the ISSA chapter delivered meaty technical training, and it was free!  The event was co-sponsored by BSides and Splunk.



While all kinds of interesting Splunk technical info was presented, for me, the most interesting part was hearing from Michael Gough and some other security practitioners at the event about what people really monitor.  As a technology provider, we are not always privy to what people are really doing with our tools, so it was an eye-opener for me.


 

Here are some of the things security guys monitor.  Of course they monitor other stuff too, but this is what we can share in mixed company.


  • Administrators / Root logins, successful or failed.  "Power corrupts, total power corrupts totally" - even IT administrators.
  • Login attempts to disabled accounts.  Makes sense - there's usually a pretty good reason they're disabled.
  • Successful logins for certain accounts, such as those with elevated privileges, or accounts given to partner personnel
  • https accesses, especially to weirdly long URLs, which can be SQL injections
  • FTP from servers and workstations
  • Group membership changes and elevation of privilege
  • Database alerts
  • Suspicious files being executed
  • VPN logins
  • Outlook Web App (OWA)  and Remote Desktop Protocol (RDP) logins – looking for suspicious remote access
  • Servers downloading .exes from the internet.  Admins do surf for open source tools, so they keep an eye on those downloads to make sure malware hasn't come along for the ride.
  • Share drive accesses at workstations and at servers; access to particular, sensitive shares.  They watch for shares being seen and crawled inappropriately.
  • Net.exe use to map and unmap network drives in Windows
  • Cscript.exe use. Cscript.exe lets you run scripts via command line and can be used in exploits
  • Services being installed from servers; noisy workstations
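As an added example (not part of the original post, and not any vendor's product code), here is a small Python detector that applies several of the list items above to constructed sample events: logins to disabled accounts, failed privileged logins correlated across distinct source addresses, Domain Admins membership changes, net.exe / cscript.exe execution, weirdly long HTTPS URLs, and servers downloading .exe files. The key=value event format, the field names, the asset and threshold values are all assumptions made for the demo.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified key=value format (an assumption; a real
# SIEM would normalise Windows Security and web-server logs into its own fields).
SAMPLE_EVENTS = [
    "event=logon_failed user=administrator host=dc01 src=10.0.0.5",
    "event=logon_failed user=administrator host=dc01 src=10.0.0.6",
    "event=logon_failed user=administrator host=dc01 src=10.0.0.7",
    "event=logon_failed user=jsmith host=ws17 src=10.0.0.9 reason=account_disabled",
    "event=group_change group='Domain Admins' action=member_added user=tempvendor host=dc01",
    "event=process host=ws22 user=bob image='C:\\Windows\\System32\\cscript.exe'",
    "event=process host=ws22 user=bob image='C:\\Windows\\System32\\net.exe'",
    "event=process host=ws30 user=alice image='C:\\Windows\\notepad.exe'",
    "event=http host=web01 src=198.51.100.23 url=https://web01/login?id=" + "A" * 300,
    "event=http host=web01 src=198.51.100.24 url=https://web01/login",
    "event=download host=srv03 user=admin url=http://downloads.example/tool.exe",
    "event=download host=ws30 user=alice url=http://downloads.example/tool.exe",
]

# Assumed environment knowledge; in practice these come from the asset inventory.
PRIVILEGED_ACCOUNTS = {"administrator", "root"}
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins"}
SERVERS = {"dc01", "web01", "srv03"}
SUSPECT_BINARIES = {"net.exe", "cscript.exe"}
LONG_URL = 200              # assumed threshold for "weirdly long"
FAILED_LOGIN_SOURCES = 3    # distinct source addresses before alerting

_KV = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")


def parse(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: q or v for k, q, v in _KV.findall(line)}


def run_rules(lines):
    """Apply the monitoring rules to a sequence of lines; returns (rule, line) pairs."""
    hits = []
    failed_sources = defaultdict(set)   # privileged user -> distinct source IPs
    for line in lines:
        ev = parse(line)
        kind = ev.get("event")
        if kind == "logon_failed":
            if ev.get("reason") == "account_disabled":
                hits.append(("disabled_account_login", line))
            user = ev.get("user", "").lower()
            if user in PRIVILEGED_ACCOUNTS:
                failed_sources[user].add(ev.get("src"))
                # Correlate across events: alert once when the distinct-source count is reached.
                if len(failed_sources[user]) == FAILED_LOGIN_SOURCES:
                    hits.append(("privileged_failed_logins", line))
        elif kind == "group_change":
            if ev.get("group") in SENSITIVE_GROUPS and ev.get("action") == "member_added":
                hits.append(("privilege_elevation", line))
        elif kind == "process":
            exe = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            if exe in SUSPECT_BINARIES:
                hits.append(("suspect_binary", line))
        elif kind == "http":
            if len(ev.get("url", "")) > LONG_URL:
                hits.append(("long_url", line))
        elif kind == "download":
            if ev.get("host") in SERVERS and ev.get("url", "").lower().endswith(".exe"):
                hits.append(("server_exe_download", line))
    return hits


def summarize(lines):
    """Count hits per rule, which is what a dashboard or report would show."""
    counts = defaultdict(int)
    for rule, _ in run_rules(lines):
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, line in run_rules(SAMPLE_EVENTS):
        print(f"{rule:26} {line[:70]}")
```

The workstation .exe download and the notepad.exe process deliberately produce no hit, to show that the rules are scoped to the servers and binaries the list calls out rather than to all activity.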

 

And if you are a Security Guy, please check out our SIEM, SolarWinds Log & Event Manager.  It's an understated, affordable, full-function SIEM that can help you pwn the bad guys.

Javvad won "Most Entertaining Security Blogger" at RSA 2013.  We had to check that out!  Turns out, his security videos ROCK!  He explains really dry, boring and complicated security topics in a fun and completely palatable way.  Plus, with the videos, no pesky reading is involved.

 

KB:  HOW DID YOU GET STARTED BLOGGING? 

JM: In the beginning, I viewed blogging more like therapy. This was when I used to blog anonymously and it felt very liberating to be able to get topics out there and realize there were many others out there who shared the same frustrations and observations. But after that, it became a great way for me to interact with my peers and learn from them.

 

KB:  WHY DO YOU USE VIDEO BLOGS? 

JM: I’ve always been a TV / movie kind of person and always appreciated it. I’m also a big fan of youtube, and follow many vloggers. I found myself being drawn to the concept that if someone can make a highly entertaining 3 minute video on the latest Justin Beiber hair product, then surely someone can make an entertaining, yet informative video on an important topic like information security. I couldn’t really find anyone who operated in this space, so I dusted off my camera lens and thought I’d give it a go myself. Now, videos have become my preferred method of blogging.

 


KB: WHAT ARE YOUR FAVORITE TOPICS?  Can we get a sneak preview of some upcoming topics?


JM: I really enjoy it when I can take a technical concept and present it in a video that makes sense to a broad audience, for example the video I did illustrating the difference between encryption, hashing and salting (http://youtu.be/FYfMZx2hy_8) was very well received, as was a recent video on SQL injection (http://youtu.be/exYT62Kmn4U) – over the year I plan to work through other such similar topics, i.e. the OWASP top 10.

 

 

KB: ARE THERE TOPICS YOU WON'T COVER (FOR SECURITY REASONS)?


JM: Not so much for a security reason, but I tend to stay away from topics that involve hacktivism or “state sponsored attacks”. I feel these kinds of political issues are best suited for those people who actually have some expertise in intelligence or politics. I have experience in neither, so like to keep my opinions restricted to those topics that I actually do understand. I don’t want to be that firewall admin who ends up on CNN talking about how country x is using cyber-warfare to build nuclear warheads.

 

KB: WHAT IS YOUR READERSHIP LIKE?  IS IT SECURITY PROFESSIONALS, OR ALL IT PEOPLE?

 

JM: The core of the readership is security professionals. My videos do have a slightly wider reach though, being popular with those new to security or having an interest in security.


 

KB: WHAT ARE YOUR MOST POPULAR TOPICS OF LATE?


JM: The SQL injection video was quite popular, as was a video I did on the cookie law (http://www.j4vv4d.com/video/cookies-and-european-laws/) – oh and the continuing story of santa getting hacked every Christmas is always popular http://www.j4vv4d.com/movies/santa-gets-hacked-the-aftermath/


KB: TELL ME A LITTLE ABOUT YOURSELF.

 

JM: Nothing of note really. I own some exercise equipment at home that serve as convenient places to hang clothes to dry, dread getting the kids ready for school in the morning, and dread the school holidays even more. I enjoy watching fictional movies but reading non-fictional books.


Related blogs:

Bill Brenner, Salted Hash

Matt Simmons, Standalone Sysadmin

Bob Plankers, The Lone SysAdmin

All IT  blog spotlights


 

Let’s start with the easy stuff. Kirk, so emotional and brand-conscious -- he would buy Splunk for SIEM.  First, he would ask for the Splunk people to provide an alien chick to assist in the evaluation, but that is stuff for another blog.

Janeway would write her own SIEM, and fail wildly.  Tuvok would shrug it off as just another failure...  Chakotay would support Janeway in her wild failure, calmly saying some native stuff to soothe her.


But Picard, he would be likely to buy SolarWinds Log & Event Manager (LEM) for his SIEM.  Understated, full-function SIEM.  He would weigh the pros, the cons, and he would hate the hype and high prices other vendors demand for SIEM.

 

Spock would likewise choose LEM.  So would Data.  The logical guys would choose LEM.  They would likely create an Excel pivot table to prove this was the right decision.  Heck, Data could do SIEM himself, but that would distract him from achieving humanity.

 

Troy would intuit the failures of others, and feel the pain of ArcSight, and its 18 month deployment.  She would feel the pain of LogRhythm, being out there all alone.

 

Scotty would say, “Captain, it will take 48 months to implement SIEM with ArcSight, but I can do it in 18 months.”

 

Riker would say, “What is a SIEM?  Let's send Captain Picard to Raisa to get one!"

 

Q would say, “When will the human race figure out LEM is the obvious choice?   Let’s hold court.”

On the other hand, Worf would just phaser all the computers and be done with it...  An attractive option.  An extremely attractive option.   Since that is not an option for you, please check out LEM.

katebrew

MARS Need(ed) Women!

Posted by katebrew Feb 26, 2013

Well, I guess technically  MARS doesn't need anybody anymore, since Cisco is in the slow process of killing it.

 

Cisco Security Monitoring, Analysis and Response System (MARS) is a SIEM product, and by many accounts, well-liked.  As early as 2008, however, rumors of trouble in Cisco-MARS-land began to surface.  The actual announcement about End of Sale / End of Life (EOS/EOL) came from Cisco on December 3, 2010.  Now, the last date of support is not until June 30, 2016, but most people who were using MARS are actively looking for a replacement.

 

Surprise! SolarWinds has a product to replace MARS.   Cisco MARS aficionados – check out a full comparison with  Log and Event Manager (LEM)

 

Or, if you prefer movies to reading, here's the slide version of the information on MARS and LEM.

 

As for the famous movie, it was filmed in Texas during a two week period in 1966, and released in 1967, with a title similar to the title of this blog.  Would you believe it was made for only $20K?  The movie, not the blog.

Last Friday I got to see a presentation by Tom Ervin, a Cyber Squad Computer Scientist with the FBI in San Antonio hack into computers in a demo at the local InfraGard meeting.  It was pretty cool - at one point Tom asked for a volunteer / victim, who was seated before a PC near the front. On the main display, Tom acted as the "hacker."  First the hacker sent the victim an email that looked like it was from a family relative, Uncle Bud.  This would be fairly easy for the hacker to figure out the victim has an Uncle Bud, given social media methods.  So, the victim gets this friendly note that looks like it's from Uncle Bud, inviting him to click on a flash Christmas card.  The victim, being a nice guy and not wanting to insult Uncle Bud, clicks on the link.  The hacker, using the flash Trojanizer utility, is then emailed lots of info about the victim's computer, including IP address and port number, as a result of the victim clicking on that link.  


The hacker then uses SubSeven, a Remote Administration Tool (RAT), to connect with the victim's PC and see all kinds of info on that PC and take control.  Subsequently, the hacker opens a Keylogger app and is able to see the victim's keystrokes in real time.  That means credentials.  Awfully dangerous if the victim is opening an online banking application!

 

In this demo, the hacker activated the webcam and could even watch the victim.  Creepy.


Now, the hacker tools Tom was using are common ones, and up-to-date endpoint security, such as AV, would have stopped these particular hacking tools from working.  The tools he was using were "old news" that can be defeated.  They're still usable by real hackers, because there are always people who don't keep their endpoint security up-to-date.  In addition, there are always newer, more sophisticated tools.  Tom, being with the FBI and all, did not want to publicize the newer, nastier hacking tools, which is nice.  But they are out there...



Tom's presentation was given at the InfraGard Austin meeting.  InfraGard is a collaboration between the FBI and private industry members who are involved in protecting critical infrastructure.  Critical infrastructure includes things like water supplies, communications systems and information technology. Important things that would appreciably hurt our lifestyles, if hacked.


Each InfraGard chapter is linked with an FBI Field Office and provided access to experts from the agency to help mitigate threats to the US critical infrastructure.  The Austin chapter is linked with the FBI office in San Antonio.  InfraGard members are vetted at time of application, and then have the capability to contribute to the security and protection of our infrastructure and key resources.


At this InfraGard meeting, aside from two demos, Tom also discussed the trends the FBI is seeing.  Social engineering is not new, but it is growing with social media and associated scams.  He also discussed Spam scams, including an example of how the stock market was influenced with such a scam.  He also discussed how he investigates suspected malicious code in his role at the FBI, including the tools he uses.  Another interesting point was around anti-detection and anti-debugging tools and techniques, which attempt to make the malware "hard to find."  Tom mentioned that in his role, it's important to be able to attribute malware to its source, so such countermeasures make attribution increasingly difficult.


If all this talk of malware is making you concerned about the security of your own IT security infrastructure, please check out this whitepaper, IT Security Management Checklist - 9 Key Recommendations to Keep your Network Safe.


On a lighter note, you might also check out this short video from MAD Security about the dangers of USB Devices.  No cats were harmed in the making of the film.


Tom Endean recently published a review of Log & Event Manager (LEM).

 

It is a comprehensive look at LEM, from installation to utilization.  The review includes details on the real time analysis and nDepth search features of LEM.  It has a couple of fun examples of LEM in action with Active Response:

 

  • Showing LEM catching a user who is playing an unauthorized game at work.  LEM terminates the game and scolds the user in an alert window on the offending machine.
  • Showing LEM notifying Tom Solarwinds via email that a user has been added to the Domain Admins group.

 

Check it out, it is well-written and entertaining, with a dash of British Humor.  It's also a great intro to LEM.

 

katebrew

LEM v. Splunk

Posted by katebrew Jan 24, 2013

I’ve been at SolarWinds almost 4 weeks now and I’ve been sitting in on a lot of prospect sales calls, to get a feel for SolarWinds Log & Event Manager (LEM) customers and their use cases for SIEM and Log Management.  A surprising number already have Splunk, but it does not appear to be satisfying them.

LEM, like most SIEMs, does not prevent someone from breaking in to your IT house.  LEM will bite intruders pretty hard if you tell it to.


Upon installation, Splunk is like starting with a blank spreadsheet

Splunk provides a 367 page search manual of syntax descriptions and usage examples.  Contrast this with LEM, which uses a drag-and-drop interface and is highly visual for administrators and security professionals.  It employs visual search tools such as word clouds, tree maps, bubble charts and histograms, all available without additional work.

 

In addition, LEM comes with over 700 rules, filters and reports to provide security and compliance best practices.  While “security-in-a-box” might be the panacea that isn’t here yet, LEM is moving fast in that direction.

 

Splunk doesn’t do In-Memory Correlation 

With Splunk, you need to wait until data has been indexed and written to the database prior to any analysis.  LEM performs in-memory event correlation allowing you to analyze millions of events across your infrastructure in real-time.  This is important when you not only want to use log files for forensics and compliance, but you also want to provide automated responses to anomalous behavior the SIEM detects.

 

Splunk doesn’t provide automated responses

Splunk requires that the user manually respond to actions and incidents.  LEM includes a library of built-in active responses that allow it to automatically respond to anomalous behavior and security incidents.  For example, upon seeing multiple attempted failed logins from multiple IP addresses, LEM can disable the account.

 

The capability to take proactive measures to improve security without human involvement is critical, as many customers do not have legions of security professionals on staff. If an incident occurs in the middle of the night, most customers would prefer the software to take immediate action. In addition, the definition of an incident is easily customized, as is the automated response to take with LEM.

 

Splunk doesn’t defend against USB abuse

LEM protects against end-point data loss and the introduction of malware with a built-in USB defender technology that tracks unauthorized USB activity and can take immediate action.  A typical use case is that if a USB is inserted into a sensitive group of endpoints, LEM will disable the USB, preventing both data loss and the introduction of malicious code.  Based upon my initial research, it appears that Splunk does not offer this feature.

 

Splunk may require additional installation assistance

Splunk offers “Splunk Professional Services” to deliver deployment and advisory services, which may be required based upon your configuration needs.  SolarWinds takes a different approach, allowing customers to be up and running quickly using a virtual appliance deployment model, easy-to-use web based console and intuitive interface.  Almost all LEM customers do a free 30 day trial prior to purchase and find out quickly that it truly is easy to deploy themselves, rather than going back to management and asking for professional services dollars to get going.

 

 

Now, just to focus on cool LEM features


LEM provides log collection, storage, analysis, real-time correlation and automated responses.  LEM is not a spreadsheet approach to SIEM.

Key differentiators:

  • LEM automatically indexes data from security appliances, firewalls, intrusion detection systems, servers and apps and normalizes log data into common formats to help identify problems.
  • LEM also provides 300+ audit-proven report templates and a console that enables you to customize reports for your organization’s specific needs.  Great management reporting can make the difference between a successful implementation and one that is perceived as a failure.  If you happen to have a manager who loves status updates, you will appreciate the automated reporting capabilities in LEM.
  • LEM enables organizations to proactively defend and mitigate security threats with continuous real-time intrusion detection from multiple domains and systems.  LEM enables you to analyze millions of events across your infrastructure with real-time, in memory, non-linear, cross-domain and multi-dimensional correlation.
  • In terms of log file storage, LEM stores log data in a high-compression data store. The user is not troubled with maintenance and administration, and retention requirements are easy to specify.

 

 

More on LEM v. Splunk

 

 



Meeting Security and Compliance Customer Needs


 

EasyStreet uses SolarWinds Log & Event Manager (LEM) to provide Security Information and Event Management (SIEM) to their private cloud customers. As a cloud services provider, EasyStreet offers a spectrum of services, with SIEM and Log Management as recent additions.

 

I spoke with Byron Anderson to find out the backstory.  Here’s Byron:


“It all started with a single healthcare customer with a private cloud and mandatory HIPAA regulatory requirements. The customer had one employee spending over a half-day per week manually reviewing log files. Needless to say, manually reviewing log files is yawn-provoking and generally not a good use of human time. So, EasyStreet came up with a new offering for this customer to provide log management using SolarWinds LEM.”


“After this initial implementation, more customers came to EasyStreet with compliance and SIEM needs. EasyStreet now has two distinct markets for their offering in their private cloud customer base: customers needing SIEM for security analysis and automated response, and customers needing to comply with standards such as HIPAA and PCI. At this point, EasyStreet has several customer deployments and several more in the pipeline.”


EasyStreet sets up and configures the LEM appliance for the customer. A dedicated LEM appliance is required for each customer. They also provide configuration services that leverage LEM capabilities and intrinsic best security and compliance practices while adding value in tailoring LEM for each particular customer. EasyStreet creates Service Level Agreements (SLAs) and escalation policies for each of their customers.

 

Each customer has unique needs, including:

  • Whether EasyStreet or the customer does ongoing monitoring
  • Notifications required
  • Reporting required

 

Read Log & Event Management for Security & Compliance to learn more about working with EasyStreet to implement SolarWinds LEM at your company.   Or read more on SolarWinds LEM to learn more about product capabilities.

Walking the Line between being Interesting and being Mean


 

I just had the pleasure of speaking with Bill Brenner, author of the Salted Hash – IT security news blog on CSO.  It’s one of my favorite security blogs, because it has new security stuff (not a rehash of old boring topics, pardon the pun), it’s painless to read and consistently intriguing.

 

Bill’s been blogging on security since 2005.  He is, in fact, not only a blogger but a journalist, reporter, columnist and podcaster with over 20 years of journalism experience.  His favorite blog subject is helping security professionals communicate more effectively – a problem which is exacerbated by the colorful personalities and Rockstar egos abounding in the security profession.

 

Some of Bill's recent posts are on IT security things you might expect, like "new security features in Firefox 18" and "Your January 2013 Patch Tuesday update," but also peppered in there are provocative topics like "When American drones kill American citizens."   The blog is great for security admins and engineers to keep up on current events.

 

Bill’s also a judge for the Security Blogger Awards, which has a meetup at the yearly RSA show.  In his spare time, Bill also plays a guitar, has a passion for Heavy Metal, and writes a non-security blog about breaking down stigmas associated with mental illness called THE OCD Diaries.

 

Other blogger profiles:

Ryan Adzima, The Techvangelist

Tom Hollingsworth , The Networking Nerd

Scott Lowe, blog.scottlowe.org

Matt Simmons, Standalone SysAdmin
