SANS Security Laboratory “Thought Leaders” Article

Stephen Northcutt, of SANS Institute fame, recently recognized me as a Thought Leader in the area of log management. I’m quite humbled to be included with the likes of Dr. Anton Chuvakin, Jeremiah Grossman, and Ron Gula (among others).

The interview has been posted on the SANS Technology Institute site here. This has certainly made my week 🙂

Suggested Blog Reading – Sunday April 20th, 2008

I really apologize for not posting a SBR post since February but I was a touch burnt out. Now that I’m back from vacation, expect to see more frequent posting (I promise this time…no fooling).

Here is the list:
RegRipper – Harlan Carvey has posted several posts lately (here, here, here, and here) about his RegRipper tool. I suggest you check it out.

Striving For PCI DSS Log Management Compliance Also Helps To Identify Attacks From The Outside – I haven’t read through the entire article yet but, from what I did read, it looks quite promising. I may do a full post in response to the key points in the coming days.

The second paper in my series on PCI DSS log management compliance, “Using PCI DSS Compliant Log Management To Identify Attacks From The Outside” is now available.

And, as I’ve been blogging about over the past few days, log management is about much more than systems; it is about the entire management process, and the need to have policies, procedures and address the ways in which personnel review and know how to interpret the logs.

Expanding Government Liability for Data Breach – I think “damages” are probably due to be redefined.

An interesting decision came down last week by U.S. District Court for the District of Columbia that could potentially change the financial liability of data breaches by government agencies and private corporations. For the first time, the district court held that government employees who claimed that a data breach by the Transportation Service Agency (TSA) caused them harm have a valid cause of action against the government. Recent rulings in state courts have dismissed claims for lack of merit based on insufficient proof of emotional harm or financial damage.

SANS Internet Storm Center Starts Monthly Podcast – Wow this is cool. I’m glad that this is happening.

If you don’t have the time or interest to read about the latest IT security news, the SANS.org podcast or some of the other security podcasts might help you keep up.

CEH/CPTS Certification != competent pentester – Tools are only good in the hands of people who are trained to use them, but tools, combined with experience, will always produce superior results.

Bottom line, tools are just tools; they help humans get jobs done. They aren’t and shouldn’t be the only thing used on a pentest. The other point is experience is king. Granted, the original poster is getting experience, but giving CORE to a brand new tester is not going to help them get better. There is a reason A LOT of subjects are taught the hard way first, then you get taught “the shortcut.” Oh, and passing a multiple choice test is not a real demonstrable measure of ability.

Network IDS & IPS Deployment Strategies from the SANS Information Security Reading Room

Solera V2P Tap – It was only a matter of time until someone invented this. I personally think that this is a great, and very useful, invention.

It looks like Solera Networks built a virtual tap, as I hoped someone would. I mentioned it to Solera when I visited them last year, so I’m glad to see someone built it. I told them it would be helpful for someone to create a way for virtual switches to export traffic from the VM environment to a physical environment, so that a NSM sensor could watch traffic as it would when connected to a physical tap.

What’s new in vulnerability management? – Curious what’s happening with your vulnerability management solution? Have a read.

For too long the vulnerability management vendors have been quiet. In fact the whole sector has taken on the “mature” label which seems to indicate there is no new innovation happening. Recently though we have seen some new announcements in this area. Also, Gartner should have a new marketscope due out soon.

The Top 10 Security Events of 2008 – Were you “where it was at”?

The event season is here, bringing a flood of security-related conferences, seminars, trade shows and other gatherings designed to help business owners and managers learn how to better protect their IT environments. Here’s a quick rundown of the top 10 events coming up in 2008. And check out the IT Security blog for live blogging and event updates.

Windows Server 2008 Security Events Posted – Awesome! Here is the link to the spreadsheet: http://www.microsoft.com/downloads/details.aspx?FamilyID=82e6d48f-e843-40ed-8b10-b3b716f6b51b&DisplayLang=en

Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference.

Check it out in the Knowledge Base.

Even better, they documented all the events in spreadsheet format, and that’s propagating to the Microsoft Download Center. I’ll publish the link when it’s online.

Loads.CC Bot Still Live, Still Targeted – More info about the Loads.CC bot that you should probably check out.

Enough has been written about the Loads.CC team to probably give you enough of a picture that you need to know. Some reports suggested they went away, but they didn’t. They’re still active. See these reports by RBN exploit, CIO magazine, 2-viruses.com, this PC Week article by Scott B, and Adam T for a good background. The team is still quite active.

Fun Reading on Security – 1 – Here’s a pile of Anton’s favorite links over the past few days.

Instead of my usual “blogging frenzy” machine gun blast of short posts, I will just combine them into my new blog series “Fun Reading on Security.” Here is an issue #1, dated April 18, 2008.

The Six Dumbest Ideas in Computer Security – Marcus Ranum takes a run at the dumbest ideas in computer security.

Let me introduce you to the six dumbest ideas in computer security. What are they? They’re the anti-good ideas. They’re the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible – which is another way of saying “trying to ignore reality.” Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don’t fully understand the situation, but other times it’s just a bunch of savvy entrepreneurs with a well-marketed piece of junk they’re selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.

Ned on Auditing – I’m going to add this to my RSS watch list. Perhaps something good will show up from the elusive Ned that will help me out.

I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I’d point you guys there. His recent posts on auditing include a description of how to deploy the special groups logon auditing feature with group policy.

Enterasys, Juniper, and Nortel vs. Cisco…SIEM Handicap Match?

Well, I’ve been holding onto this news FOREVER and I’m glad I can finally talk about it. You may know that I’m happily employed at Q1 Labs Inc as the Integration Services Program Manager. You may also have seen the press releases recently about Juniper and Nortel partnering with Q1 Labs to sell a best in breed SIEM solution to compete with Cisco MARS, but you may not know all the details. Basically, what this boils down to is a good old fashioned handicap match like in wrestling 🙂


A great article by Sean Michael Kerner at the InternetNews site explains some of those details.

Juniper comments of note from the article:

Juniper Networks has utilized the QRadar technology inside of its new Security Threat Response Manager (STRM) solution, which is being announced this week. Sanjay Kapoor, director of product management at Juniper, explained that STRM provides correlation rules to help IT understand the millions of events that can occur across a network and boil them down to actionable items.

Kapoor noted that network administrators using STRM’s advanced event correlation engine could more easily identify which assets were attacked as well as what should be done to mitigate the attack.

Juniper doesn’t just take the Q1 Labs solution and use it ‘as is’; rather, Kapoor noted that Juniper uses it as a framework that is then further customized with the benefit of Juniper’s security expertise.

“We wanted to have a strong response to Cisco MARS and this product is very competitive,” Kapoor said.

Nortel comments of note from the article:

Nortel Networks also uses Q1 Labs technology as part of an OEM partnership deal. The fact that Juniper is also a Q1 Labs partner is not a problem for Nortel.

“This is not a problem for Nortel. On the contrary, this validates our choice of technology and choice of partner,” Shmulik Nehama, director of business development and strategic alliances at Nortel told InternetNews.com.

“We have thoroughly evaluated the QRadar technology and have great appreciation to its security management capabilities. Customers are looking for solutions and QRadar is an important building block of our security solutions,” said Nehama.

Nehama added that QRadar is an important component of Nortel’s solution offering for closed-loop security management and compliance. As such it is part of Nortel’s go to market strategy and is expected to remain as such in the foreseeable future.

Don’t count out Enterasys Networks either. They’ve been a ‘Powered by Q1 Labs’ partner for quite a while as outlined in this past press release.

Enterasys comments of note from the article:

“We are proud to be the first ‘Powered by Q1 Labs’ partner and have been very pleased with the growth of our Dragon Security Command Console (DSCC) business and multi-year engineering collaboration,” said Mike Fabiaschi, CEO of Enterasys. “Our partnership with Q1 Labs and resulting unique integration with DSCC has enabled Enterasys to enhance our Secure Networks(TM) architecture with multi-vendor log management, network behavioral analysis, and security information management capabilities. What this means for our customers is a practical, achievable way to efficiently and effectively sense and automatically respond to security incidents when DSCC is deployed in conjunction with Enterasys Dragon(R) and NetSight(R) network security management software.”

Let the games begin 🙂
