Log Caliper 1.1 is now available. I added support for Bytes/s, KiloBytes/s, KiloBits/s, MegaBits/s and GigaBits/s and extended the database with the average log size of common products. I'm really having fun coding this app and am now starting to design v2.0, so any feedback is welcome. You can download it from the iTunes App Store. If you live in the US and want a promo code, just send me a direct message via Twitter and I will send you one.
Even after log filtering, aggregation, prioritization and correlation, Security Information and Event Management users are still dealing with a log data explosion, and it is difficult for them to see quickly what, where and when security events appear on the network. Although SIEM products are maturing and now provide a lot of added value, I'm still convinced that the existing products on the market lack data visualization capability.
San Francisco Crimespotting gives us a good insight into what the next generation of SIEM user interface could be. It is an interactive map of crimes in San Francisco (an Oakland map is also available) and an innovative way to visualize data over time and space. This information is certainly very useful for people who live (or plan to live) there, but I'm more interested in the data visualization model, and I can easily imagine applying it to the Security Event Management world.
Crimespotting inspires a new approach to Security Event visualization: I can conceive of a fully explorable map of business assets, applications, users, servers and network devices, with the ability to pan and zoom, select date ranges in the past, and view specific kinds of alert based on a category (or a taxonomy). As with Crimespotting, I can also envisage sharing links directly to a particular view of the map, which is important for incident handling or log forensics.
This tool uses Adobe Flash, a technology that is not yet common in enterprise-class products but is starting to be adopted by some vendors for specific parts of the GUI (e.g. dynamic dashboards). Do you think Flash is a good solution for presenting complex problems? Do you have other examples like this?
It's usually not easy to explain to people how log injection attacks are used to deceive a weak log management system. I see in this video an example of what this kind of attack can look like in the real world.
This crew creates the illusion of an escape attempt that may divert the security guards' attention. In the Log Management world this kind of "attack" is called Log Injection: invalid entries taken from user input are inserted into logs that monitoring systems will then misinterpret. This trick allows an attacker to mislead detection engines or administrators and to cover his tracks.
Fake logs can be created using simple log injection techniques that work in the same way as SQL injection. In this example, I just pass the user name in a way that would trick a log analysis tool, making it think that the source IP of the connection is not what it really is:
[chris@host log]$ ssh "myfakeuser from 10.1.1.1 port 123 ssh2"@192.168.5.1
The logs on the SSH server look like this:
Aug 5 14:54:00 host sshd[5870]: Invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 192.168.50.65
Aug 5 14:54:03 host sshd[5870]: Failed password for invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 192.168.50.65 port 34813 ssh2
The attacker faked the username and the source IP address to trick the security analyst and to hide his own activity. An advanced Log Management solution will prevent this kind of attack: it should be able to recognize malformed logs.
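As an added example (not code from the original post), here is the difference between a loose parser, which reads the injected "from 10.1.1.1" as the source address, and a strict parser that anchors on the end of the sshd message and refuses usernames containing whitespace. The sample lines are the two entries above plus one constructed benign entry.

```python
import re

# Constructed sample: the two injected entries from the post plus one benign line.
SAMPLE_LOGS = [
    "Aug 5 14:54:00 host sshd[5870]: Invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 192.168.50.65",
    "Aug 5 14:54:03 host sshd[5870]: Failed password for invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 192.168.50.65 port 34813 ssh2",
    "Aug 5 14:55:10 host sshd[5871]: Failed password for invalid user bob from 192.168.50.70 port 40001 ssh2",
]

# A loose parser takes the first "user X from IP" it sees, which is exactly
# what the injected username is built to exploit.
NAIVE = re.compile(r"user (\S+) from (\S+)")

# Strict parser: the whole message must match, anchored at the end of the line,
# so the LAST "from <ip>" (the one sshd itself appended) is the source address.
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
STRICT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:Invalid user|Failed password for invalid user) (?P<user>.+?) from (?P<ip>"
    + IPV4 + r")(?: port (?P<port>\d+) ssh2)?$"
)
# A legitimate login name never contains whitespace or syslog keywords.
SAFE_USER = re.compile(r"^[A-Za-z0-9._-]+$")


def naive_parse(line):
    m = NAIVE.search(line)
    return {"user": m.group(1), "ip": m.group(2)} if m else None


def strict_parse(line):
    """Return (record, suspicious). A line is suspicious when it does not fit the
    expected sshd shape or when the extracted username is not a plain login name."""
    m = STRICT.match(line)
    if not m:
        return None, True
    rec = m.groupdict()
    return rec, SAFE_USER.match(rec["user"]) is None


def audit(lines):
    """Count lines a strict parser would flag for analyst review."""
    return sum(1 for line in lines if strict_parse(line)[1])


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec, suspicious = strict_parse(line)
        print("naive:", naive_parse(line))
        print("strict:", rec["ip"] if rec else None, "SUSPICIOUS" if suspicious else "ok")
```

For the two injected lines the naive parser reports 10.1.1.1 while the strict parser recovers 192.168.50.65 and flags the entry; the benign line parses cleanly.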
The new SEM v3.3 provides two new single correlation rules to detect users who are sharing their logins and passwords on the network, or user accounts that have been compromised. Let's try it on your network! ;-)
This presentation is an introduction to LogLogic Security Event Manager. It includes 5 screencasts describing the correlation, incident management and reporting capabilities.
I recently met folks from a start-up called commonIT. They develop a very interesting technology: their idea is to put the web browser in the cloud. Their solution, called "Virtual Browser", addresses the security issues of the web browser, which is the universal client for cloud computing.
If you are interested in cloud computing, you should definitely put them on your radar.