Splunk + Hadoop = Security

Splunk recently announced the beta release of Hunk: Splunk Analytics for Hadoop.  For a security practitioner, this new product has some exciting implications.

For some time, security practitioners have wanted to store large volumes of data in case it is ever needed for incident response, (anti-)fraud investigations or other uses.  In an ideal world you’d have six months to a year’s worth of data stored for investigations; the realities of SAN costs, however, only make it realistic to keep maybe 30 days’ worth of data.

With the arrival of Hadoop several years ago, there was finally a cost-effective option for storing large volumes of data on commodity hardware.  The only issue is that Hadoop is primarily …

More Breaches and More Accusations Against the Chinese

This past week several very prominent American news organizations publicly admitted having their computer systems hacked into, and explicitly blamed the Chinese government:

“Chinese hackers suspected in attack on The Post’s computers” – The Washington Post

“A Cyberattack From China” – The New York Times

“Chinese Hackers Hit U.S. Media” – The Wall Street Journal

There are several aspects of these events that seem to herald a change in this now-familiar story of computer breaches reportedly conducted by the Chinese.  First is the public acknowledgement of the targeting of an apparent industry/sector – by that sector itself.  (Obviously, the oil and financial services sectors have been explicitly targeted previously, but …

Another Wireless Security Problem

For years now, information security professionals have worried about the security of wireless connectivity to our organizational networks.  “Wireless” has typically been defined, informally at least, as Wi-Fi.  We have tended to discount security concerns about Bluetooth because of its supposedly short range – officially stated as approximately 1 to 100 meters, depending on the class of the device.  That is in spite of the known threat of so-called Bluesniping.  (See, for example, “‘Rifle’ Sniffs Out Vulnerability in Bluetooth Devices”.)

Because most Wi-Fi WAPs (wireless access points) have very limited processing and storage capabilities, authentication to WAPs is generally handled as a shared secret by the WAP itself, or through the external interface of a firewall connecting to an …

Structured Threat Information eXpression (STIX)

As we enter a new year, there is an acronym that you need to be familiar with: STIX.  STIX is the Structured Threat Information eXpression language; it is not a program, policy, system, or application.  It is XML for security.

The goal of STIX is to automate the sharing of cyber attack information.  And, while the language is new, the concept is not.  In fact, we’ve already been down this path at least twice before.  ‘First’ (though there may have been earlier efforts) we had IODEF, the Incident Object Description Exchange Format (RFC 5070), in December 2007.  Then we had RID, Real-time Inter-network Defense (RFC 6046), in November 2010.

So, while there is clearly a need …