Well I’ve been holding onto this news FOREVER and I”m glad I can finally talk about it. You may know that I’m happily employed at Q1 Labs Inc at the Integration Services Program Manager. You may also have seen the press releases recently about Juniper and Nortel partnering with Q1 Labs to sell a best in breed SIEM solution to compete with Cisco MARS but you may not know all the details. Basically what this boils down to is a good old fashioned handicap match like in wrestling 🙂
A great article by Sean Michael Kerner at the InternetNews site explains some of those details.
Juniper comments of note from the article:
Juniper Networks has utilized the QRadar technology inside of its new Security Threat Response Manager (STRM) solution, which is being announced this week. Sanjay Kapoor, director of product management at Juniper explained that STRM provides correlation rules to help IT to understand the millions of events that can occur across and network and boil them down to actionable items.
Kapoor noted that network administrators using STRM’s advanced event correlation engine could more easily identify which assets were attacked as well as what should be done to mitigate the attack.
Juniper doesn’t just take Q1 Labs solution and use it ‘as is’ rather Kapoor noted that Juniper uses it as framework that is then further customized with the benefit of Juniper’s security expertise.
“We wanted to have a strong response to Cisco MARS and this product is very competitive,” Kapoor said.
Nortel comments of note from the article:
Nortel Networks also uses Q1 Labs technology as part of an OEM partnership deal. The fact that Juniper is also a Q1 Labs partner is not a problem for Nortel.
“This is not a problem for Nortel. On the contrary, this validates our choice of technology and choice of partner,” Shmulik Nehama, director of business development and strategic alliances at Nortel told InternetNews.com.
“We have thoroughly evaluated the QRadar technology and have great appreciation to its security management capabilities. Customers are looking for solutions and QRadar is an important building block of our security solutions,” said Nehama.
Nehama added that QRadar is an important component of Nortel’s solution offering for closed-loop security management and compliance. As such it is part of Nortel’s go to market strategy and is expected to remain as such in the foreseeable future.
Don’t count out Enterasys Networks either. They’ve been a ‘Powered by Q1 Labs’ partner for quite a while as outlined in this past press release.
Enterasys comments of note from the article:
“We are proud to be the first ‘Powered by Q1 Labs’ partner and have been very pleased with the growth of our Dragon Security Command Console (DSCC) business and multi-year engineering collaboration,” said Mike Fabiaschi, CEO of Enterasys. “Our partnership with Q1 Labs and resulting unique integration with DSCC has enabled Enterasys to enhance our Secure Networks(TM) architecture with multi-vendor log management, network behavioral analysis, and security information management capabilities. What this means for our customers is a practical, achievable way to efficiently and effectively sense and automatically respond to security incidents when DSCC is deployed in conjunction with Enterasys Dragon(R) and NetSight(R) network security management software.”
Let the games begin 🙂
I’m a little confused why more snow has fallen over the past 3 months than has fallen over the past 2 years. I’m getting sick of clearing it!
Here is the list:
Birth of IPv6 – Is your organization pushing towards IPv6? I didn’t think so 🙂
Well tonight’s the night. For the first time, IPv6 domain resolution will be possible from a root server. Just a few addresses mind you, according to this article. You may ask “what took so long?”. The answer is that we did not really need it. IPv6 bakes in some security that was addressed by SSL in IPv4 so that driver did not help. The other issue, a rapidly depleting address space, was managed by NAT(Network Address Translation). But now depletion is really staring us in the face. It is getting hard to get address space. Soon you will see the first bidding wars for owners of large blocks of free IP addresses. Technically you are not allowed to sell IP addresses so don’t expect a market for them. But do expect high valuations for shells that control IP address blocks.
(IN)SECURE Magazine Issue 15 – Looks like Issue 15 is finally out.
Articles in this issue include: Proactive analysis of malware genes holds the key to network security, Advanced social engineering and human exploitation, part 1, Free visualization tools for security analysis and network monitoring, Hiding inside a rainbow, Internet terrorist: does such a thing really exist?, Weaknesses and protection of your wireless network, Fraud mitigation and biometrics following Sarbanes-Oxley, QualysGuard visual walkthrough, Application security matters: deploying enterprise software securely, Web application vulnerabilities and insecure software root causes: solving the software security problem from an information security perspective, A dozen demons profiting at your (jn)convenience, The insider threat: hype vs. reality, Interview with Andre Muscat, Director of Engineering at GFI Software, How B2B gateways affect corporate information security, Reputation attacks, a little known Internet threat, Italian bank’s XSS opportunity seized by fraudsters, The good, the bad and the ugly of protecting data in a retail environment, Interview with Mikko Hypponen is the Chief Research Officer for F-Secure, Interview with Richard Jacobs, Technical Director of Sophos and Interview with Raimund Genes, CTO Anti-Malware at Trend Micro.
A funny thing happened on the way to reviewing my logs – Interesting article from Andy Willingham on his journey implementing a SIEM solution.
At work we’re in the process of implementing a SIEM (Security Information Event Management) system. I’ll leave the vendor nameless for the moment but they have a reputation of making most everything harder than it needs to be. Until that time all logs have to be reviewed manually and obviously that means that they are not reviewed in real time. I have others that monitor most of the logs but I monitor our IPS logs from the UTM device. Usually I review them each morning when I come in but last week I didn’t get a change to so yesterday I was playing catchup.
Interesting tool – pdump.exe – I’ll have to give this a shot.
Toni at Teamfurry.com has a new tool that has some interesting functionality, it dumps process memory, but it also saves each allocated memory region to a separate file.
I’ve played with it a little bit and it seems like it has potential.
Rebecca Herold’s 2008 speaking dates – If you’re in the area I strongly suggest you drop by and check out one of Rebecca’s presentations.
January 18: The Importance of Verifying Third Party Security Programs
Learning event at the Grand Rapids, Michigan ISSA chapter meeting
Web Site: http://www.gr-issa.org/February 21: Anatomy of a Privacy Breach
Learning event at the University of California, Berkeley
Web Site: http://www.truststc.org/seminar.htmMarch 18: Anatomy of a Privacy Breach
Learning event at the Iowa ISACA chapter meetingApril 27: The 30 Second Security Pitch
Learning event at the CSI SX conference
Web Site: http://www.csisx.com/conference/view-by-day.phpApril 30 & May 1: Executive Summit: Security and Privacy Collaboration
2-day learning workshop at the CSI SX conference
Web Site: http://www.csisx.com/conference/workshops.phpJuly 23 & 24: Executive Summit: Security and Privacy Collaboration
2-day learning workshop hosted by the Charlotte, North Carolina ISACA chapter.
Getting over the hump with vulnerability counts – What is more important? The total number of vulnerabilities or the number of highly exploitable vulnerabilities?
Should our vulnerability counts be going up or going down? That is an important question every security professional should be considering when laying out a security program.
If you believe vulnerability counts should be increasing, then presumably you believe that we are only covering the tip of the iceberg with respect to the total number of vulnerabilities in production. In this case, you are taking a short-term view of what is happening in security – it is okay to be hoping the counts increase in the short term, but eventually you want them to decrease (right?).
Give yourself a little time with SQL Injection – Interesting article on blind SQL injection.
I was recently involved in web application assessment and discovered something that I wanted to pass along. Keep in mind that this has probably been utilized before, but it is something that I just noticed so … I wanted to throw it out for your amusement.
To set the stage, I had been looking at this application for quite some time and had an idea that SQL Injection might exist, but I was having much difficulty determining if the injection was actually present. The application was catching errors, displaying 404’s, (etc) and really not displaying any good data to make a decision. So …. the question was … if the application is catching our errors and really not giving us anything to work with … how could we ask the question to the database to indicate if we were actually getting our requests processed by the database server?
Answer? Time.
Security Metrics – How Often Should We Scan? – Personally, I think your frequency of scans should be dictated by the criticality of the systems, the type of systems, the data stored on the systems, and of course…your documented security policy.
I get this question from Nessus users and Tenable customers very often. They want to know if they are scanning too often, not often enough and they also want to know what other organizations are doing as well. In this blog entry, we will discuss the many different reasons why people perform scans and what factors can contribute to their scanning schedule.
German Police Creating LE Trojan – “Law Enforcement Trojan”? I’m not sure if this will fly.
German cops are pushing ahead with controversial plans, yet to be legally approved, to develop “remote forensic software” – in other words, a law enforcement Trojan. Leaked documents outline proposals by German firm Digitask to develop software to intercept Skype VoIP communications and SSL transmissions. A second leaked document from the Bavarian Ministry of Justice outlines costing and licensing proposals for the software. Both scanned documents (in German, natch) have found their way onto the net after being submitted to Wikileaks…
From the SANS Information Security Reading Room:
Spending for IT security gains ground in 09 budget – I can’t remember a time when security/IT/(random item) spending wasn’t “gaining ground”.
New details on federal IT spending plans, made available by the Office of Management and Budget today, show that $103 out of every $1,000 requested for IT spending next fiscal year — or about $7.3 billion in total — will be devoted to improving IT security. That is 9.8 percent more than what was slated for fiscal 2008, and 73 percent more than the $4.2 billion budgeted for cybersecurity in fiscal 2004.
DFRWS 2008 Announcement – I need to come up with a paper for this 🙂
The DFRWS 2008 CfP and Challenge have been posted!
The CfP invites contributions on a wide range of subjects, including:
- Incident response and live analysis
- File system and memory analysis
- Small scale and mobile devices
- Data hiding and recovery
- File extraction from data blocks (“file carving”)
And here’s a couple that should be interesting:
- Anti-forensics and anti-anti-forensics
- Non-traditional approaches to forensic analysis
Submission deadline is 17 Mar, with author notification about 6 wks later.
Python for Bash scripters: A well-kept secret – Good post for all of us who know Bash scripting but want to break into Python.
Python is easy to learn, and more powerful than Bash. I wasn’t supposed to tell you this–it’s supposed to be a secret. Anything more than a few lines of Bash could be done better in Python. Python is often just as portable as Bash too. Off the top of my head, I can’t think of any *NIX operating systems, that don’t include Python. Even IRIX has Python installed.
The Flow of MBR Rootkit Trojan Resumes – Why…won’t…this…die?
Back in final weeks of 2007 the GMER team discovered the emergence of a new rootkit that hooked into the Windows master boot record (MBR) in order to take control of a compromised computer. The people responsible for this threat kept busy cranking out newly compiled versions of this Trojan in the weeks following its discovery. However, near the beginning of January the output of new variants mysteriously halted. Taking a quick look at the following table of Trojan.Mebroot sample data it appears as though a massive QA plan was performed by the gang, starting back in November 2007.
A Practical Approach to Managing Information System Risk – Another paper to check out.
The mantra spinning around in the heads of most security managers affirms that managing security is about managing risk. Although they know this is the right approach, and they understand the importance of balance in designing and implementing security controls, many of them—including me—came up through the ranks of network engineering, programming, or some other technical discipline. While this prepared us for the technology side of our jobs, the skills necessary to assess and understand business risk arising from the use of information systems were not sufficiently developed.