Virtualized Network Security Management (vNSM)

This is a term that I’ve been throwing around for a while now so I thought I’d take the time to define it for everyone.

Virtualized Network Security Management (vNSM)
The extension of existing Network Security Management (NSM) policies and procedures to include “virtualized” deployments. This includes, but is not limited to, the collection, correlation, and normalization of:

  • logs (e.g. authentication, authorization, status, etc.) generated by “virtualized” hosts (e.g. servers, workstations, etc.)
  • logs generated by non-security related applications (e.g. mail server, web server, etc.) installed on “virtualized” hosts
  • logs generated by security related applications (e.g. firewall messages, anti-virus alerts, rootkit installation prevented, etc.) installed on “virtualized” hosts
  • logs (e.g. authentication, authorization, status, etc.) generated by “virtualized” network components (e.g. virtual switches, virtual hubs, etc.)
  • network flows (e.g. NetFlow) generated by “virtualized” network components
  • expected, anomalous, or malicious network communications to/from/between “virtualized” hosts (e.g. web server communicating with “virtualized” database, “virtualized” workstation retrieving file from “virtualized” FTP server, etc.)
  • logs generated from the operation of the host virtualization platform
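As an added illustration (not part of the original post), here is a small Python normalizer and correlator for the three kinds of sources listed above: guest OS logs, virtual switch logs and hypervisor platform logs. The log formats, host names and the 60-second correlation window are constructed assumptions, not any real product's format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in three hypothetical formats: a guest OS syslog,
# a virtual switch log and a hypervisor platform log. Not from a real product.
SAMPLE_LOGS = [
    "2008-04-20T10:01:02 vm-web01 sshd[412]: Failed password for root from 10.0.5.9 port 51022 ssh2",
    "2008-04-20T10:01:05 vswitch0 port=12 vm=vm-web01 event=vlan_change old=10 new=99",
    "2008-04-20T10:01:09 hypervisor1 vm=vm-web01 action=snapshot_create user=admin",
    "2008-04-20T10:03:40 vm-db01 sshd[220]: Accepted publickey for dba from 10.0.5.12 port 40010 ssh2",
]

# One (layer, regex) pair per source; each regex captures ts, vm and detail.
PATTERNS = [
    ("guest",    re.compile(r"^(?P<ts>\S+) (?P<vm>vm-\S+) (?P<detail>.+)$")),
    ("vswitch",  re.compile(r"^(?P<ts>\S+) (?P<src>vswitch\S*) port=\d+ vm=(?P<vm>\S+) (?P<detail>.+)$")),
    ("platform", re.compile(r"^(?P<ts>\S+) (?P<src>hypervisor\S*) vm=(?P<vm>\S+) (?P<detail>.+)$")),
]

def classify(detail):
    """Coarse outcome tag so events from different layers can be compared."""
    if "Failed" in detail:
        return "auth_failure"
    if "Accepted" in detail:
        return "auth_success"
    if "change" in detail or "create" in detail:
        return "config_change"
    return "status"

def normalize(line):
    """Map one raw line onto a common schema keyed by the VM it concerns."""
    for layer, rx in PATTERNS:
        m = rx.match(line)
        if m:
            return {"ts": datetime.fromisoformat(m.group("ts")), "layer": layer,
                    "vm": m.group("vm"), "source": m.groupdict().get("src") or m.group("vm"),
                    "detail": m.group("detail"), "outcome": classify(m.group("detail"))}
    return None  # unparsed lines are reported, not silently dropped

def correlate(events, window_seconds=60):
    """Return {vm: [layers]} for VMs where a guest auth failure is followed within
    the window by an event from a non-guest layer (virtual switch or platform)."""
    by_vm = defaultdict(list)
    for e in events:
        by_vm[e["vm"]].append(e)
    hits = {}
    for vm, evs in by_vm.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["layer"] != "guest" or e["outcome"] != "auth_failure":
                continue
            later = [x for x in evs[i + 1:] if x["layer"] != "guest"
                     and (x["ts"] - e["ts"]).total_seconds() <= window_seconds]
            if later:
                hits[vm] = sorted({e["layer"]} | {x["layer"] for x in later})
    return hits
```

Run `correlate([normalize(l) for l in SAMPLE_LOGS])` to see the web VM flagged across all three layers while the database VM, with only a successful guest login, is not.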

I may expand on, or refine, this definition in the future but I wanted to make sure I had my ideas down on “paper” before I lost them.

Suggested Blog Reading – Sunday April 20th, 2008

I really apologize for not posting a SBR post since February but I was a touch burnt out. Now that I’m back from vacation, expect to see more frequent posting (I promise this time…no fooling).

Here is the list:
RegRipper – Harlan Carvey has posted several posts lately (here, here, here, and here) about his RegRipper tool. I suggest you check it out.

Striving For PCI DSS Log Management Compliance Also Helps To Identify Attacks From The Outside – I haven’t read through the entire article yet but, from what I did read, it looks quite promising. I may do a full post in response to the key points in the coming days.

The second paper in my series on PCI DSS log management compliance, “Using PCI DSS Compliant Log Management To Identify Attacks From The Outside” is now available.

And, as I’ve been blogging about over the past few days, log management is about much more than systems; it is about the entire management process, and the need to have policies, procedures and address the ways in which personnel review and know how to interpret the logs.

Expanding Government Liability for Data Breach – I think “damages” are probably due to be redefined.

An interesting decision came down last week by U.S. District Court for the District of Columbia that could potentially change the financial liability of data breaches by government agencies and private corporations. For the first time, the district court held that government employees who claimed that a data breach by the Transportation Service Agency (TSA) caused them harm have a valid cause of action against the government. Recent rulings in state courts have dismissed claims for lack of merit based on insufficient proof of emotional harm or financial damage.

SANS Internet Storm Center Starts Monthly Podcast – Wow this is cool. I’m glad that this is happening.

If you don’t have the time or interest to read about the latest IT security news, the SANS.org podcast or some of the other security podcasts might help you keep up.

CEH/CPTS Certification != competent pentester – Tools are only good in the hands of people who are trained to use them but tools, combined with experience, will always produce superior results.

Bottom line, tools are just tools; they help humans get jobs done. They aren’t and shouldn’t be the only thing used on a pentest. The other point is experience is king; granted the original poster is getting experience, but giving CORE to a brand new tester is not going to help them get better. There is a reason A LOT of subjects are taught the hard way first, then you get taught “the shortcut.” Oh, and passing a multiple choice test is not a real demonstrable measure of ability.

Network IDS & IPS Deployment Strategies from the SANS Information Security Reading Room

Solera V2P Tap – It was only a matter of time until someone invented this. I personally think that this is a great, and very useful, invention.

It looks like Solera Networks built a virtual tap, as I hoped someone would. I mentioned it to Solera when I visited them last year, so I’m glad to see someone built it. I told them it would be helpful for someone to create a way for virtual switches to export traffic from the VM environment to a physical environment, so that a NSM sensor could watch traffic as it would when connected to a physical tap.

What’s new in vulnerability management? – Curious what’s happening with your vulnerability management solution? Have a read.

For too long the vulnerability management vendors have been quiet. In fact the whole sector has taken on the “mature” label which seems to indicate there is no new innovation happening. Recently though we have seen some new announcements in this area. Also, Gartner should have a new marketscope due out soon.

The Top 10 Security Events of 2008 – Were you “where it was at”?

The event season is here, bringing a flood of security-related conferences, seminars, trade shows and other gatherings designed to help business owners and managers learn how to better protect their IT environments. Here’s a quick rundown of the top 10 events coming up in 2008. And check out the IT Security blog for live blogging and event updates.

Windows Server 2008 Security Events Posted – Awesome! Here is the link to the spreadsheet: http://www.microsoft.com/downloads/details.aspx?FamilyID=82e6d48f-e843-40ed-8b10-b3b716f6b51b&DisplayLang=en

Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference.

Check it out in the Knowledge Base.

Even better, they documented all the events in spreadsheet format, and that’s propagating to the Microsoft Download Center. I’ll publish the link when it’s online.

Loads.CC Bot Still Live, Still Targeted – More info about the Loads.CC bot that you should probably check out.

Enough has been written about the Loads.CC team to probably give you enough of a picture that you need to know. Some reports suggested they went away, but they didn’t. They’re still active. See these reports by RBN exploit, CIO magazine, 2-viruses.com, this PC Week article by Scott B, and Adam T for a good background. The team is still quite active.

Fun Reading on Security – 1 – Here’s a pile of Anton’s favorite links over the past few days.

Instead of my usual “blogging frenzy” machine gun blast of short posts, I will just combine them into my new blog series “Fun Reading on Security.” Here is an issue #1, dated April 18, 2008.

The Six Dumbest Ideas in Computer Security – Marcus Ranum takes a run at the dumbest ideas in computer security.

Let me introduce you to the six dumbest ideas in computer security. What are they? They’re the anti-good ideas. They’re the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible – which is another way of saying “trying to ignore reality.” Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don’t fully understand the situation, but other times it’s just a bunch of savvy entrepreneurs with a well-marketed piece of junk they’re selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.

Ned on Auditing – I’m going to add this to my RSS watch list. Perhaps something good will show up from the elusive Ned that will help me out.

I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I’d point you guys there. His recent posts on auditing include a description of how to deploy the special groups logon auditing feature with group policy.
