Security Bytes:

April, 2009

Apr 23 2009   8:33PM GMT

LogLogic-Exaprotect deal reflects SIEM-log management bond



Posted by: Neil Roiter
SEM, log management, PCI, Compliance

It’s not exactly a surprise that LogLogic acquired Exaprotect. The two partnered up in February to add Exaprotect’s SEM engine as a module riding atop LogLogic’s log management/analysis platform.

The pending deal, announced Wednesday at RSA, is something of an indication that the log management and SIM/SEM/SIEM markets are becoming too closely integrated to distinguish. (Pick your acronym. At RSA this week, Forrester’s John Kindervag suggested “SIRS” — Security Information Reporting System, suggesting that these tools’ primary value was in reporting and compliance, rather than security).

In the end it’s all about collecting and analyzing information analysts can use for compliance, operational efficiency, forensics, and, maybe, security.

Regulatory compliance, particularly PCI, has driven sales of both log management and SIEM, transforming log management from a niche market to something of a must-have. Major SIEM vendors like ArcSight, seeing these hungry upstarts doing well, were quick to spin off separate log management products or modules to get a piece of the action.

Meanwhile, log management vendors have had some SIEM-like capability, a sort of SIEM Light. It makes sense that LogLogic is building on its success to provide a fuller package. Along with the SEM offering, the company announced a database monitoring and auditing module (partnering with an unnamed DB monitoring partner) and Compliance Manager, automating compliance approval workflows and review tracking.

The Exaprotect acquisition also brings in Solsoft Change Manager, providing configuration management capabilities, which will round out the LogLogic package nicely for both compliance and operational control once the products are integrated.

Apr 23 2009   4:19PM GMT

Security bloggers, podcasters get day in sun



Posted by: Michael S. Mimoso
Security bloggers, SANS, TaoSecurity, Sunbelt, PaulDotCom, Mike Rothman

These days, you can’t log onto Twitter or do a Google search without crashing headfirst into something information security related. Security pros have embraced social networking in a big way, and they’re contributing a lot more to the blogosphere and Twitter arena than updates on where they’re having lunch.

Any of you who contribute or follow the active members of the security blogosphere probably know of the Security Bloggers Network. The network generally meets face-to-face at events such as RSA with a get-together known as the Security Blogger Meetup. Last night’s meetup featured the first presentation of the Social Security Awards, which recognized the best security blogs and podcasts. Alan Shimel of StillSecure, Rich Mogull of Securosis and Martin McKeay, who hosts the Network Security Podcast with Mogull, hosted the awards portion of the night; Jennifer Leggio, a longtime journalist and social media blogger, did a lot of the legwork to organize the event. A panel of journalists did the judging — and yes, a good time was had by all.

Winners were recognized in five categories:


Apr 17 2009   2:56PM GMT

Citrix XenApp may seem complex, but streamlines security management



Posted by: Robert Westervelt
Virtualization security, Citrix, XenApp

Editor’s Note: Eric Ogren, a frequent contributor to SearchSecurity.com, is guest blogging today. Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. He can be reached by sending an email to eric@ogrengroup.com.


Citrix Systems’ XenApp can appear complex, but it could boost security by centralizing applications in the data center.

Citrix Systems’ XenApp, its flagship application delivery product line, can appear to require a complex chain of moving parts that can be difficult for prospects to understand. However, existing customers that are already saving operational expenses by consolidating data centers may also find that the latest version of XenApp improves how they manage user authentication and access control and conduct application auditing, because applications are delivered from fewer virtual data centers.

Citrix announced improvements to XenApp last month. The latest release is focused on integrating the components of XenApp to enable existing customers to more easily expand the use of Citrix throughout the enterprise.

The primary security benefits of hosting applications in the data center are well known. Data remains in the protected data center, where it is easier to secure, and the risk of data loss through insecure endpoints is dramatically reduced, allowing the business to embrace a variety of user-friendly devices such as smartphones and shared devices. Applications are patched and upgraded in a centralized, controlled environment, reducing the risk of skewed software configurations.

  • Consistent authenticated access control to applications: The Citrix account authority consolidates administration of authentication, application access controls, single sign-on and user profiles. Users authenticate once to the data center, where IT can then use single sign-on techniques to automate authentication to individual applications and virtual desktops. The immediate benefits of this approach are a reduced security risk from extraneous user accounts and passwords, as well as lower help desk costs for password support, while making it easier for users to run business applications.
  • Transparent auditing of application access and transactions for compliance: Citrix SmartAuditor works with XenApp 5 to log application access and record activity for compliance with regulatory requirements. Auditing may be difficult to achieve when applications are distributed throughout the enterprise, but it becomes more reasonable as applications are hosted in fewer data centers.
  • Achieve Network Access Control functionality without additional NAC products: The main feature of NAC is to ensure user desktops are configured according to security policy before granting access to applications. This normally includes checks for endpoint security software, but can also include checks and remediation for custom software. IT provides users with secure virtual desktops that are compliant with the latest releases of software and up-to-date security software. XenApp 5 can stream the entire virtual desktop to the endpoint if the user needs to work disconnected from the network or needs to compensate for unreliable network performance. By packaging virtual desktop images with the most up-to-date software that has been pre-scanned for malicious code, IT gets the cost-savings benefits of automated NAC features without having to deploy additional products.

The concentration of hosted applications and virtual desktops in the data center is a concept that delivers incremental security benefits with the fundamentals of user identity management, controlling application access, managing the integrity of software configurations and auditing business activity. This is in addition to the operational benefits of efficient administration, equitable service to users, and lower operating expenses. As you plan to virtualize more applications and increase the density of applications per server, be sure to also look at opportunities to streamline security services and plug security gaps in user and device management.


Apr 16 2009   10:07PM GMT

Proof the Conficker worm not a major threat



Posted by: Robert Westervelt
Conficker, botnets

Kaspersky Lab researchers found a small number of unique IP addresses on the peer-to-peer network, suggesting the worm isn’t as large as previously thought.

It seems that Conficker/Downadup isn’t all that it was cracked up to be. Dennis Fisher of Kaspersky Lab’s Threatpost.com confirms what some have been suspecting all along: The Conficker botnet is much smaller than security researchers originally believed. An analysis by Kaspersky Lab researchers found “200,652 unique IP addresses on the P2P network, which comprises machines that are infected with the latest variant of Conficker,” according to Fisher’s post.

In a blog post, Kaspersky Lab virus analyst Georg Wicherski wrote that “only a fraction of the nodes infected with earlier variants have been updated with new variants.” Wicherski used a custom application to monitor the network. He noted in his post that Brazil and Chile stand out in terms of having the most numbers of P2P nodes.

Back in January I wrote about my access to TippingPoint’s ThreatLinQ service. ThreatLinQ can be accessed by TippingPoint IPS customers. The ThreatLinQ data I saw suggested to me the threat wasn’t a major one. ThreatLinQ is essentially a portal that shows global threat data caught in TippingPoint’s DVLabs’ IPS filters. It can rank threats on a global scale and by country. It also shows how other TippingPoint customers are using their IPS and what is being blocked by default.

The time period I had a view of the global Conficker data was Jan. 26/27. This was a time period when most security researchers said Conficker infections had peaked and some, including researchers at F-Secure, noted the botnet could be as large as 10 million machines.

At the time, the TippingPoint IPS honeypots ranked attempts to attack the Microsoft RPC vulnerability at No. 5 of all threats globally. It wasn’t even close. Attempted attacks were in the hundreds of thousands versus the MS-SQL: Slammer-Sapphire Worm, which was picked up globally more than 32 million times in TippingPoint’s honeypots.

I noted that Brazil, Chile and some countries in Asia and Eastern Europe seemed to have the most Conficker infections. They were in countries where software piracy is rampant and machines are not likely to get the MS08-067 RPC patch.

Conficker may have been a worm that fascinated researchers because it spread so quickly, but once the spotlight was shined on it, it sputtered out. Why? The Conficker Working Group appeared to have a good handle on this one and perhaps their efforts to disrupt the worm from receiving its orders worked. Researchers told me the P2P method of receiving its orders is just too slow for Conficker to be a major threat.


Apr 14 2009   1:37PM GMT

Twitter worm attack highlights social network flaws



Posted by: Robert Westervelt
web application flaws, cross site scripting, XSS

A worm attack designed by a 17-year-old hoping to promote a rival social network wreaked havoc on Twitter, but also highlighted the importance of finding and repairing Web application flaws.

A 17-year-old hacker claimed responsibility for attacking the Twitter microblogging service, crippling thousands of accounts with a worm designed to promote his social network.

The worm spread via a social engineering technique. The hacker first tricked users into clicking on a link to a rival social network. The link infected machines and exploited a cross-site scripting error to use the victim’s profile list to broadcast the malicious link to other users.

The attack was another example of the threat against social networks, where users post data that could be harvested and potentially valuable on the black market. Users of Facebook, MySpace and other social networks have been targeted by phishing attacks serving up malware designed to steal address books and other sensitive data. Experts say it’s easy to be duped by a malicious link or fall victim to Web application attacks within social networks.

In a message to Twitter users, the company’s co-founder Biz Stone said the attack was similar to the Samy worm, which spread on MySpace. “No passwords, phone numbers, or other sensitive information was compromised as part of these attacks,” Stone wrote in a blog entry.

The attack began at 2 a.m. on Saturday. It spread for about 3.5 hours until Twitter’s security team could identify and eradicate the worm. About 90 accounts were compromised. A second wave compromised another 100 accounts. Attacks continued with another wave on Sunday and again on Monday prompting the security team to delete about 10,000 tweets that could have continued to spread the worm.

“Every time we battle an attack, we evaluate our Web coding practices to learn how we can do better to prevent them in the future,” Stone said. “We will conduct a full review of the weekend activities. Everything from how it happened, how we reacted, and preventative measures will be covered.”

The attack is a reminder of the need to address Web application errors now, so developers of these applications clean up their poor coding practices. The OWASP Foundation has taken the lead on spreading the word to developers and companies using Web applications about the importance of security. But volunteers can’t do it all on their own. At some point social networks may need to band together to mop up coding errors and guard against attacks in a coordinated manner. They owe it to their customers, who have remained loyal even in the face of ongoing threats.
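The post describes a worm that rode on a cross-site scripting flaw in user profile data, the same class of bug as the Samy worm on MySpace. The example below is added here and is not code from Twitter or from the original post: it contrasts rendering profile fields by raw string concatenation with context-aware output encoding, using a constructed sample profile whose bio and website fields carry the kind of content such a worm relies on.

```javascript
// Added example (not from the SearchSecurity post): rendering user-supplied
// profile fields so that stored script in a profile cannot execute when
// other users view the page. Field names (name, bio, website) are assumed.

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only http(s) URLs may land in an href; javascript:, data: and unparsable
// values are dropped rather than echoed into the markup.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Vulnerable rendering: profile fields concatenated straight into HTML.
function renderProfileUnsafe(p) {
  return `<h2>${p.name}</h2><p>${p.bio}</p><a href="${p.website}">site</a>`;
}

// Hardened rendering: each field is encoded for the context it is placed in,
// and the link is emitted only when the URL passed the scheme check.
function renderProfileSafe(p) {
  const href = safeHref(p.website);
  const link = href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">site</a>`
    : '';
  return `<h2>${escapeHtml(p.name)}</h2><p>${escapeHtml(p.bio)}</p>${link}`;
}

// Constructed sample profile: a bio carrying a script tag and a non-http link.
const SAMPLE_PROFILE = {
  name: 'Sam',
  bio: 'hello <script>alert(1)</script>',
  website: 'javascript:void(0)',
};

// Simple check on rendered output: does a live script tag or script URL survive?
// Useful as a regression test in the build, not as a substitute for encoding.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /href="javascript:/i.test(html);
}
```

Run against SAMPLE_PROFILE, the unsafe renderer emits the script tag and the javascript: link intact, while the hardened renderer produces inert text and no link at all.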