Splunk at the NCCDC 2012
Fellow Splunkers,
Thus begins my first blog post as an employee of a publicly traded company. Given that, I would like to let you all know that [REDACTED - lstein]. Now that I have cleared the air, let’s move on.
It has never been more true: the more things change, the more they stay the same. While Splunkers around the globe were partying like it was 1999, I was on the way to my second straight National Collegiate Cyber Defense Competition in San Antonio, Texas (aka the Alamo City).
The first major HIPAA/HITECH fee levied
UPDATE
When you think about it, the fine levied by the HHS Office of Civil Rights isn’t all the cost of this HIPAA violation for BlueCross BlueShield of Tennessee. Turns out this was pricier than we thought. According to the law firm of Wilson Sonsini Goodrich and Rosati…
“BlueCross had self-reported the underlying incident under HIPAA’s requirements, and incurred more than $17 million in direct expenses relating to its investigation and remediation of the incident. The HHS investigators faulted BlueCross BlueShield for failing to implement appropriate administrative safeguards to protect information by storing protected health information on unencrypted computer hard drives. Under the settlement, BlueCross BlueShield also agreed to review and revise its healthcare information privacy and security policies, and…
Splunk and the Cybersecurity Act of 2012
“The United States confronts a dangerous combination of known and unknown vulnerabilities in the cyber domain, strong and rapidly expanding adversary capabilities, and limited threat and vulnerability awareness.”[1]
I recently listened to the final set of hearings on The Cyber Security Act of 2012. The bill was developed, “…in response to the ever-increasing number of cyber attacks on both private companies and the United States government.” The bill is really about critical infrastructure protection as may be managed, owned or operated by either the government or the private sector. It’s a bi-partisan bill and combines efforts from past sessions from the Senate Committees on Commerce, Homeland Security and Governmental Affairs, and Intelligence Committees. The bill would empower the Department…
Vulnerability Scanners and Splunk
As I often visit customer sites that have data to send to Splunk from security devices, I find that vulnerability scanners seem to have a lower priority than IDS, IPS, etc. in terms of usage. Some places do not seem to utilize a scanner at all. I find that slightly odd as discovering a security issue yourself through the use of tools used the right way is much better than someone else finding your security holes. Moreover, as a former colleague once informed me, a lot of the appliances that are brought into a data center, including security collection appliances, may have been built with unpatched older operating systems meaning these should be the first targets for a vulnerability assessment.…
Splunk 4.3: shiny new security features
“Security! Security! Security!”
Fellow Splunkers,
Yes, the old proverb is still true – there is perhaps nothing that gets the heart racing quite like… announcing new security features in enterprise software! So fasten your seatbelt while I tell you about some of the exciting new features that made it into Splunk 4.3.
Three Splunk 4.3 features security pros should start using today
There is a lot to like in Splunk 4.3 for security use cases, but three items should be of particular interest to security professionals.
Sparklines – Adding Time to Tables for Reporting
I use tables of information in several of the security reports I create. Usually I’ll want to track a particular type of event and include the number of times it happens along with an average over a period of time. This allows me to benchmark a particular threshold and use that as the impetus for an investigation. For example:
I want to track the number of successful accesses against assets where critical data is stored over a twenty-four hour period by user. My table will contain the name…
Big-data for Security: A new strategy against hackers
The recent article, “China Hackers Hit U.S. Chamber,” in the Wednesday, December 21, 2011, online version of the Wall Street Journal highlights yet another in a growing list of cyber attacks against US companies.
According to the article, the attack apparently started with a spear phishing scheme and social engineering tactics targeting a single employee in 2009. The attack followed a typical path of spreading to other systems, hiding behind credentialed activity, creating backdoors for access, reporting back to the attacker weekly, and granting the attacker remote access to Chamber member information and business policy documentation. The bad guys even gained access to an HVAC system at a housing unit owned by the Chamber.
There are some notable takeaways…
What IT Security Pros Don’t Know — Can hurt the business
In What Security Pros Don’t Know: Glaring Knowledge Gaps Present a Challenge (http://blogs.govinfosecurity.com/posts.php?postID=1110&rf=2011-12-03-eg&elq=a212d1567d31469ab06ce37d28596e45&elqCampaignId=909), Upasana Gupta posts some very interesting survey results:
“More than half of nearly 2,000 IT security folks attending the recent Cisco Live and Black Hat USA conferences say, in response to a survey, they have no idea which internal apps and assets on their networks are accessible to outsiders. Six of 10 report they don’t know the capabilities of the tools they use, and fewer than half say they understand how network configuration changes affect the systems they support.”
This really shows a frightening lack of alignment between the business, security, network and operations teams. This lack of visibility is something sophisticated attackers count…
The sale of Q1 Labs and Nitro Security: An inflection point for SIEM
Several people have asked for my feelings about the sale of Q1 Labs to IBM and Nitro Security to Intel/McAfee. In general, I can understand why Nitro and Q1 may have concluded that this is a good time to sell their businesses.
Personally, I classify these two companies as very good at what they do—to watch for what I’d call ‘known threats’ as reported from other signature and rule based systems. At the same time, traditional SIEM vendors such as Q1 and Nitro face many stresses. I believe that both Nitro and Q1 are challenged by ongoing support for specific data types, scalability, and new threats—namely Advanced Persistent Threat (APT) style malware deposited on systems using social engineering that can…
Real-time Status
Splunk users are familiar with real-time indexing, real-time search, and with release 4.2, real-time alerts. I’d like to take these concepts of real-time monitoring one step further to provide proactive status of an entity while a search is being processed for entities (i.e., IP address, URL, hostname, etc.) that are already in your index. I call this real-time status. For instance, suppose you already have URLs indexed via Apache or IIS log files. Among the many things these events provide you are the HTTP status codes for the indexed URLs per event. This only tells you the status code at the time of indexing. What used to be not found (code 404) could now as we speak be OK (code…