Christophe's life log

A good place between Twitter and Facebook for logging

Free SIEM iPhone App, Direct Message to get your Log Caliper promo code (only in the US)

Log_caliper

Log Caliper 1.1 is now available, I added support of Bytes/s, KiloBytes/s, KiloBits/s, MegaBits/s and GigaBits/s and extended the database with common products average log size. I'm really having fun to code this App and now start to design the v 2.0 so any feedback welcome. You can download it on the itunes App Store. If you leave in the US and you want a promo code, just send me a direct message via Twitter and I will send you one.

What the future of User Interface for SIEM products could be?

San_francisco_crimespotting_ma

Even after log filtering, aggregation, prioritization and correlation, Security Information and Event Management users are still dealing with log data explosion and it's difficult for them to see quickly what, where and when security events appear on the network. Although SIEM products are acquiring maturity and provide now many values added, I'm still convinced that existing products on the market still lack in data visualization capability. 

The San Francisco Crimespotting gives us a good insight of what the next generation of SIEM user interface could be. This is an interactive map of crimes in San Francisco (the Oakland map is also available) and an innovative way to visualize data over the time and space. This information is for sure very useful for people that are (or plan) living there but I'm more interested in the data visualization model and I can easily imagine applying it to the Security Event Management world. 

Crimespotting inspires a new approach of Security Event visualization, I can conceive a map of business asset, application, users, servers and network devices completely explorable - with the possibility to pan and zoom, select date ranges in the past, and view specific kind of alert based on a category (or a taxonomy). As with Crimespotting, I can also envisage to share links directly to a particular view of the map, which is important for incident handling or log forensics. 

This tool is using the Adobe Flash technology which is not yet common in enterprise class product but starts to be adopted by some vendors for specific part of the GUI (i.e. dynamic dashboard). Do you think Flash is a good solution to present complex problem? Do you have other example like this? 

What Twitter's administrators should have done today? #twitter #log

via slideshare.net

Today Twitter (and Facebook) have been targeted by a Distributed Denial Of Service attack (DDOS). There are several techniques to mitigate a DDOS but I'm interested by one: the IP black-listing that can be address by both Security Event Management and Network Configuration and Change Management solutions.

This short presentation describe how SEM and SCM work together to mitigate DDOS.

How to decoy a weak log management solution? #log #loglogic

 

It’s usually not easy to explain people how log injection attacks are used to decoy a weak log management system. I see in this video an example of what this kind of attack can be in the real world. 

 This crew creates the illusion of an escape attempt that may divert security guard attention. In the Log Management world this kind of “attack” is called Log Injection: invalid entries taken from user input are inserted in logs that monitoring systems will misinterpret. This trick allows an attacker to mislead detection engine or administrators and covers his traces.

Fake logs can be created using simple log injection techniques that work in the same way as SQL injection. In this example, I just pass the user name in a way that would trick a log analysis tool, making it thinking that the source IP of the connection is not what it really is: 

[chris@host log]$ ssh "myfakeuser from 10.1.1.1 port 123 ssh2" @192.168.5.1

Logs on the SSH server look likes that:

Aug 5 14:54:00 host sshd[5870]: Invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 192.168.50.65

Aug 5 14:54:03 host sshd[5870]: Failed password for invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 192.168.50.65 port 34813 ssh2

The attacker faked the username and the source IP address to trick the security analyst and to hide his own activity. The usage of an advanced Log Management solution will prevent this kind of attack, actually it should be able to recognized misformatted logs.