32% of breaches occur at the Point of Sale: is there an issue with customer interaction?

Verizon 2009 Data Breach Investigations Report

 


Marketing of antivirus software: attractive or disgusting?

Snapshot from today at the SecureWorld Expo Bay Area.


Posted from Santa Clara, CA


What could the future user interface of SIEM products be?

Even after log filtering, aggregation, prioritization and correlation, Security Information and Event Management users are still dealing with a log data explosion, and it is difficult for them to see quickly what, where and when security events appear on the network. Although SIEM products are maturing and now provide much added value, I'm still convinced that the existing products on the market lack data visualization capability.

San Francisco Crimespotting gives us good insight into what the next generation of SIEM user interface could be. It is an interactive map of crimes in San Francisco (an Oakland map is also available) and an innovative way to visualize data over time and space. This information is certainly very useful for people who live (or plan to live) there, but I'm more interested in the data visualization model, and I can easily imagine applying it to the Security Event Management world.

Crimespotting inspires a new approach to Security Event visualization: I can conceive of a fully explorable map of business assets, applications, users, servers and network devices, with the possibility to pan and zoom, select date ranges in the past, and view specific kinds of alert based on a category (or a taxonomy). As with Crimespotting, I can also envisage sharing links directly to a particular view of the map, which is important for incident handling or log forensics.

This tool uses Adobe Flash, which is not yet common in enterprise-class products but is starting to be adopted by some vendors for specific parts of the GUI (e.g. dynamic dashboards). Do you think Flash is a good solution for presenting complex problems? Do you have other examples like this?


What should Twitter's administrators have done today? #twitter #log

Today Twitter (and Facebook) were targeted by a Distributed Denial of Service (DDoS) attack. There are several techniques to mitigate a DDoS, but I'm interested in one: IP blacklisting, which can be addressed by both Security Event Management and Network Configuration and Change Management solutions.

This short presentation describes how SEM and SCM work together to mitigate a DDoS.


How to decoy a weak log management solution? #log #loglogic

It's usually not easy to explain to people how log injection attacks are used to decoy a weak log management system. This video shows an example of what this kind of attack can look like in the real world.

This crew creates the illusion of an escape attempt that may divert the security guards' attention. In the log management world this kind of "attack" is called log injection: invalid entries taken from user input are inserted into logs that monitoring systems will misinterpret. This trick allows an attacker to mislead the detection engine or administrators and cover his tracks.

Fake logs can be created using simple log injection techniques that work in the same way as SQL injection. In this example, I just pass the user name in a way that would trick a log analysis tool, making it think that the source IP of the connection is not what it really is:

[chris@host log]$ ssh "myfakeuser from 10.1.1.1 port 123 ssh2"@192.168.5.1

Logs on the SSH server look like this:

Aug 5 14:54:00 host sshd[5870]: Invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 192.168.50.65

Aug 5 14:54:03 host sshd[5870]: Failed password for invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 192.168.50.65 port 34813 ssh2

The attacker faked the username and the source IP address to trick the security analyst and to hide his own activity. An advanced log management solution should prevent this kind of attack: it should be able to recognize malformed log entries instead of trusting the first "from <ip>" it finds.
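As an added illustration of that last point (this is example code, not LogLogic's or any other vendor's parser), here is a naive sshd parser that falls for the injected username beside a stricter one that anchors on the address sshd itself appends at the end of the line and flags any username that is not a valid login name. The sample lines are constructed after the two entries above.

```python
import re

# Constructed sample entries, modelled on the two sshd lines quoted in the post,
# plus one ordinary failed login for comparison.
SAMPLE_LOGS = [
    "Aug 5 14:54:00 host sshd[5870]: Invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 192.168.50.65",
    "Aug 5 14:54:03 host sshd[5870]: Failed password for invalid user myfakeuser from 10.1.1.1 port 123 ssh2 from 192.168.50.65 port 34813 ssh2",
    "Aug 5 14:55:10 host sshd[5871]: Failed password for invalid user bob from 192.168.50.66 port 40022 ssh2",
]

# Naive parser: first "from <ip>" after the username. This is exactly what the
# injected username is crafted to fool (it reports 10.1.1.1 as the source).
NAIVE_RE = re.compile(r"invalid user (?P<user>\S+) from (?P<src>\S+)", re.IGNORECASE)

# Stricter parser: sshd appends the real peer address last, so anchor on the
# final "from <ip>[ port <n> ssh2]" at end of line and treat everything between
# the keyword and it as the attacker-controlled username exactly as submitted.
STRICT_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) (?P<user>.*) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+ ssh2)?$"
)

# A legitimate Unix login name contains no spaces, let alone "from"/"port" tokens.
VALID_USER_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}\$?$")


def parse_naive(line):
    """Return (user, src) as a naive regex would see them, or None."""
    m = NAIVE_RE.search(line)
    return None if m is None else (m["user"], m["src"])


def parse_strict(line):
    """Return (user, real_src, injected) or None if the line is not an sshd failure."""
    m = STRICT_RE.search(line)
    if m is None:
        return None
    user = m["user"]
    injected = VALID_USER_RE.match(user) is None  # malformed name => injection suspected
    return user, m["src"], injected


def find_injections(lines):
    """Return (line_no, real_src, naive_src) for every entry with a malformed username."""
    hits = []
    for n, line in enumerate(lines, 1):
        strict = parse_strict(line)
        if strict and strict[2]:
            naive = parse_naive(line)
            hits.append((n, strict[1], naive[1] if naive else None))
    return hits


if __name__ == "__main__":
    for n, real, naive in find_injections(SAMPLE_LOGS):
        print(f"line {n}: injected username; real source {real}, naive parser saw {naive}")
```

Running it reports lines 1 and 2 as injected, with the real source 192.168.50.65 and the decoy 10.1.1.1 the naive parser would have attributed the attempt to.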


LogLogic Security Event Manager detects user account hijacking and sharing

The new SEM v3.3 provides two new single correlation rules to detect users who are sharing their logins and passwords on the network, and user accounts that have been compromised. Let's try it on your network! ;-)


Just been targeted by a Skype phishing scam... fortunately I'm not using Windows


Screencast of LogLogic Security Event Manager

This presentation is an introduction to LogLogic Security Event Manager. It includes 5 screencasts describing its correlation, incident management and reporting capabilities.


Met folks from commonIT and discussed virtualization of the web browser

I recently met folks from a start-up called commonIT. They are developing a very interesting technology: their idea is to put the web browser in the cloud. The solution, called "Virtual Browser", solves the security issues of the web browser, which is the universal client for "cloud computing".

If you are interested in cloud computing, you should definitely put them on your radar.

http://commonit.com/index2_en.html


Phishing Facebook Attack

[French] Great presentation about the latest Facebook phishing attacks. I know at least 10 members of these "fun" Facebook groups in my circle of friends!
