IT: Appliance sprawl – Where is the concern?

Over the past few years there has been an increasing drumbeat in the IT community toward server consolidation through virtualization, with all the trumpeted promises of cheaper, greener, more flexible, customer-focused data centers and never a wasted CPU cycle. It is a siren song to IT personnel and, quite frankly, it does look like it delivers on a great many of those promises.

Interestingly, while reduced CPU waste, increased flexibility and fewer vendors are all being trumpeted for servers, little thought is still given to purchasing hardware appliances willy-nilly. Hardware appliances started out as specialized devices, built or configured in a particular way to maximize performance. A SAN device is a good example: you might want high-speed dual-port Ethernet and huge disk capacity with little need for a beefy CPU or memory. Those make sense as appliances. Increasingly, however, an appliance is a standard Dell or rack-mounted system with an application installed on it, usually on a special Linux distribution. The advantages to the appliance vendor are many and obvious: a single configuration to test, increased customer lock-in, and a tidy upsell opportunity as the customer's event volume grows. From the customer's perspective it suffers all the downsides that IT has been trying to get away from: specialized hardware that cannot be repurposed, more locked-in hardware vendors, excess capacity or not enough, power wasted by all the appliances running; the list goes on and on, and it contains the very things that drove the move to virtualization. And the major benefit of appliances? Easy installation seems to be the main one. Provisioning a new machine and installing the software might take an hour or so. That is what the end user saves, and the downstream cost of maintaining yet another machine type eats it up in short order.

Shortsighted IT managers still manage to believe that, even as they move aggressively to consolidate servers, it is permissible to buy an appliance even when it is nothing but a thinly veiled Dell or HP server. This appliance sprawl is the next clean-up job for IT managers, or it will simply eat all the savings realized in server consolidation. Instead of 500 servers you have 1 server and 1000 hardware appliances: what have you really achieved? You have replaced relationships with multiple hardware vendors with relationships with multiple appliance vendors, and worse, when a server blew up it was at least a standard Windows/Intel configuration, so in general you could keep the applications up and running. Good luck doing that with a proprietary appliance. This duality in IT organizations reminds me somewhat of people who go to the salad bar, load up on the cheese, nuts, bacon bits and marinated vegetables, and then act vaguely surprised when the salad bar regimen has no positive effect.

-Steve Lafferty

100 Log Management Uses #49 Wireless device control (CAG control 14)

We now arrive at CAG Control 14, Wireless Device Control. For this control, specialized WIDS scanning tools are the primary defense, along with a lot of configuration policy. This control is primarily a configuration problem, not a log problem. Log management helps in all the standard ways: collecting and correlating data, monitoring for signs of attack and so on. Using EventTracker’s Change component, configuration data in the registry and file system of the client devices can also be collected and alerted on. Depending on how the configuration policy is set, a change will generally produce either a log entry or a change in the registry or file system, and in either case it can be detected. In this way EventTracker provides a valuable means of enforcement.
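As an added example of the "log entry" side of this control (this is illustrative code, not part of EventTracker or of the original post): on Windows, a successful wireless connection is recorded in the Microsoft-Windows-WLAN-AutoConfig/Operational log as event ID 8001, whose text names the SSID, the BSS type (infrastructure vs. ad hoc) and the authentication used. The script below checks a feed of such records against an assumed wireless policy (one approved SSID, WPA2-Enterprise required) and flags anything else. The records are constructed and rendered in a simplified key=value form, not real captures, and the policy values are assumptions.

```python
"""Added example, not EventTracker code: check wireless connection events
(Windows WLAN-AutoConfig event 8001) against an assumed wireless policy.
The sample records are constructed in a simplified key=value rendering."""
import re
from dataclasses import dataclass

# Constructed sample records, one per line (simplified from the 8001 text).
# id=8003 is a disconnect and is included to show it is ignored.
SAMPLE_EVENTS = """\
host=LAPTOP01 id=8001 ssid=CorpWiFi bss=Infrastructure auth=WPA2-Enterprise
host=LAPTOP02 id=8001 ssid=CoffeeShop bss=Infrastructure auth=Open
host=LAPTOP03 id=8001 ssid=CorpWiFi bss=Infrastructure auth=WPA2-Personal
host=LAPTOP04 id=8001 ssid=MyPhoneHotspot bss=Independent auth=WPA2-Personal
host=LAPTOP05 id=8003 ssid=CorpWiFi bss=Infrastructure auth=WPA2-Enterprise
"""

# Assumed policy: approved SSIDs and the authentication each must use.
APPROVED = {"CorpWiFi": "WPA2-Enterprise"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    host: str
    ssid: str
    reason: str


def parse(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(FIELD_RE.findall(line))


def check_connection(rec):
    """Return a Finding if a successful connection (8001) violates policy."""
    if rec.get("id") != "8001":
        return None  # only connection-success events matter here
    ssid, auth, bss = rec["ssid"], rec["auth"], rec["bss"]
    if bss != "Infrastructure":
        # ad hoc / hotspot networks bypass the corporate access points entirely
        return Finding(rec["host"], ssid, f"non-infrastructure network ({bss})")
    if ssid not in APPROVED:
        return Finding(rec["host"], ssid, "SSID not on approved list")
    if auth != APPROVED[ssid]:
        # same SSID name but wrong auth: likely an evil twin or a rogue AP
        return Finding(rec["host"], ssid,
                       f"wrong authentication {auth!r}, expected {APPROVED[ssid]!r}")
    return None


def audit(text):
    """Run every record through the policy check; return the violations."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            f = check_connection(parse(line))
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"{f.host}: {f.ssid}: {f.reason}")
```

The third case (the right SSID with the wrong authentication) is the one worth keeping: a client that associates with "CorpWiFi" over WPA2-Personal is talking to an access point you do not own.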

By Ananth

Can you count on dark matter?

Eric Knorr, the Editor in Chief over at InfoWorld, has been writing about “IT Dark Matter”, which he defines as system, device and application logs. It turns out that half of enterprise data is logs, or so-called Dark Matter. Not hugely surprising, and certainly good news for the data storage vendors and hopefully for SIEM vendors like us! He described these logs as “widely distributed and hidden”, which got me thinking. The challenge with blogging is that we have to reduce fairly complex concepts and arguments into simple claims, otherwise posts end up being online books. The good thing about that simplification, however, is that it often gives a good opportunity to point out other topics of discussion.

There are two great challenges in log management. The first is providing the tools and knowledge to make the log data readily available and useful, which leads to Eric’s comment that Dark Matter is “hidden”: it is simply too hard to mine without some advanced equipment. The second challenge is preserving the record: making sure it is accurate, complete and unchanged. In Eric’s blog this Dark Matter is “widely distributed”, and there is an implied assumption that it is just there to be mined, that it will and does exist and, even more so, that it is accurate. In reality it is, for all practical purposes, impossible to have logs widely distributed and expect them to be complete and accurate, and this fatally weakens their usefulness.

Let’s use a simple illustration we all know well in computer security: almost the first thing a hacker will do once they penetrate a system is shut down logging, or, as soon as they finish whatever they are doing, delete or alter the logs. Compare this with video surveillance at your local 7/11. How useful would it be if you left the recording equipment out in the open at the cash register, unguarded? Not very useful, right? When you do nothing to secure the record, the value of the record is compromised, and the more important the record, the more likely it is to be altered or simply deleted.

This is not to imply that there are no useful nuggets to be mined even when the records are distributed. Without an attempt to secure and preserve them, logs become the trash heap of IT. Archeologists spend much of their time digging through the trash of civilizations to figure out how people lived. Trash is an accurate indication of what really happened simply because 1) it was trash and had no value and 2) no one worried that someone 1000 years later was going to dig it up. It represents a pretty accurate, if fragmentary, picture of day-to-day existence. But don’t expect to find treasure, state secrets or individual records in the trash heap. The usefulness of the record is 1) a matter of luck that the record was preserved and 2) inversely proportional to the interest of the creating parties in modifying it.
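One concrete way to "secure the record" against the edit-or-delete attack described above is to chain the log entries so that each one is authenticated together with the one before it. The following is an added example, not code from the original post or from any product; it assumes the HMAC key is held by the log collector rather than on the monitored host, and that the collector remembers the most recent tag it received. The log records are constructed.

```python
"""Added example, not from the original post: a tamper-evident log chain.
Each entry carries an HMAC over (previous entry's tag || record), so editing
or deleting an earlier entry breaks every tag that follows it. Assumptions:
the key lives on the collector, not the monitored host, and the collector
remembers the most recent tag it received. Records are constructed."""
import hashlib
import hmac
import json

# Assumed: held by the log collector, never stored on the host being logged.
COLLECTOR_KEY = b"example-key-held-by-collector"
GENESIS = "0" * 64


def _tag(prev_tag, record):
    msg = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(COLLECTOR_KEY, msg, hashlib.sha256).hexdigest()


def append(chain, record):
    """Append a record; its tag binds it to everything before it."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"seq": len(chain), "rec": record, "tag": _tag(prev, record)})
    return chain


def verify(chain, last_tag_seen=None):
    """Return (ok, index): index is the first bad entry, or None if ok.

    Editing or removing an entry in the middle is caught by the chain itself.
    Truncating the tail is NOT: the remaining prefix is still a valid chain,
    so the collector must also compare against the last tag it saw."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _tag(prev, entry["rec"])
        if entry["seq"] != i or not hmac.compare_digest(entry["tag"], expected):
            return False, i
        prev = entry["tag"]
    if last_tag_seen is not None and not hmac.compare_digest(prev, last_tag_seen):
        return False, len(chain)  # entries missing from the end
    return True, None


def build_sample():
    """Constructed records: an attacker logs in, escalates, and stops auditing."""
    chain = []
    for rec in (
        {"host": "web01", "msg": "sshd: Accepted password for admin"},
        {"host": "web01", "msg": "sudo: admin : COMMAND=/bin/bash"},
        {"host": "web01", "msg": "auditd: shutting down"},
    ):
        append(chain, rec)
    return chain


def _copy(chain):
    return json.loads(json.dumps(chain))


def tamper_edit(chain):
    bad = _copy(chain)
    bad[1]["rec"]["msg"] = "sudo: admin : COMMAND=/bin/ls"  # rewrite history
    return bad


def tamper_delete_middle(chain):
    bad = _copy(chain)
    del bad[1]
    return bad


def tamper_truncate(chain):
    return _copy(chain)[:-1]  # drop the record of auditing being shut down


if __name__ == "__main__":
    good = build_sample()
    last = good[-1]["tag"]
    print("intact:", verify(good, last))
    print("edited:", verify(tamper_edit(good), last))
    print("middle deleted:", verify(tamper_delete_middle(good), last))
    print("truncated, chain only:", verify(tamper_truncate(good)))
    print("truncated, with last tag:", verify(tamper_truncate(good), last))
```

The truncation case is the caveat to remember: a hash chain proves that what remains was not altered, not that nothing was removed from the end. That is why the entries have to leave the host promptly and why the collector, not the host, must hold the key and the latest tag.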

-Steve Lafferty

Security threats from well-meaning employees, new HIPAA requirements, SMB flaw

The threat within: Protecting information assets from well-meaning employees

Most information security experts agree that employees form the weakest link in corporate information security. Malicious insiders aside, well-intentioned employees bear responsibility for a large number of breaches today. Whether it is a phishing scam, a lost USB or mobile device that holds sensitive data, a social engineering attack or a download of unauthorized software, unsophisticated but otherwise well-meaning insiders have the potential to unknowingly open company networks to costly attacks.

These internal threats can be particularly hard to detect, especially if a company has put most of its effort into shoring up external security. For instance, some cyber gangs in Eastern Europe have come up with a pretty clever method of swindling money from small US companies. They send targeted phishing emails to the company’s treasurer containing a link which, when opened, installs malicious software that harvests account passwords. Using this information, the criminals initiate wire transfers in amounts small enough to avoid triggering anti-money-laundering procedures. In cases like these, traditional defenses (firewalls, anti-virus, etc.) prove useless, since legitimate accounts are used to commit the fraud. This story is not uncommon. A study conducted by the Ponemon Institute earlier this year found that over 88% of data breaches were caused by employee negligence. In another survey, of over 400 business technology professionals by InformationWeek Analytics, a majority of respondents stated that locking down inside nodes was just as vital as perimeter security.

Employees, the weakest link

Let’s take a look at some of the easy ways that employees can compromise a company’s confidential data without really meaning to.

Social engineering attacks – In its basic form, this refers to hackers manipulating employees into giving up their usernames and passwords in order to get access to confidential data. They typically do this by tracking down detailed information that can be used to gain the employee’s trust. With the growing popularity of social networking sites, and the amount of seemingly innocent data a typical employee shares on them, this information is not hard for a resourceful hacker to find. Email addresses, job titles, work-related discussions and nicknames can all provide valuable input for targeted phishing attacks or trick emails that lead an unsuspecting employee to hand over account information to a hacker posing as a trusted resource. Once the account information has been obtained, the hacker can penetrate perimeter defense systems with it.

Industry News

SANS interviews Ananth, CEO of Prism Microsystems, as part of their Security Thought Leader program
Ananth talks with Stephen Northcutt of SANS about trends in Log Management/SIEM, cloud computing, and the “shallow-root” problem of current SIEM solutions

Court allows suit against bank for lax security 
In a ruling issued last month, the District Court for the Northern District of Illinois denied a request by Citizens Financial Bank to dismiss a negligence claim brought against it by Marsha and Michael Shames-Yeakel. The Crown Point, Ind. couple — customers of the bank — alleged that Citizens’ failure to implement up-to-date user authentication measures resulted in the theft of more than $26,000 from their home equity line of credit.

HITECH Act ramps up HIPAA compliance requirements
The American Recovery and Reinvestment Act of 2009 (ARRA) includes a section that expands the reach of the Health Insurance Portability and Accountability Act (HIPAA) and introduces the first federally mandated data breach notification requirement.

Note: While this article is a few months old, it is a must-read, in particular the part about (stiffer) penalties being funneled back into the Department of Health and Human Services. HIPAA has essentially been a toothless tiger; this could be a sign that it is getting new teeth.

Former IT Specialist Hacks into Charity’s Network
A computer specialist has been arrested and indicted for breaking into his former employer’s computer network one year after he was let go. The admin is accused of causing significant damage by deleting records and crippling critical communication systems such as email and telephone.

Did you know? EventTracker offers advanced protection from insider threats, whether it’s a malicious employee or ex-employee looking to steal confidential data or an unsophisticated employee who accidentally causes a breach.

Attackers target Microsoft IIS; new SMB flaw discovered
Microsoft updated an advisory, warning customers that attacks have been detected against a zero-day flaw affecting its FTP Service in Microsoft Internet Information Services (IIS). Meanwhile, new exploit code surfaced last weekend, targeting a zero-day vulnerability in Microsoft Server Message Block (SMB).

Did you know? EventTracker’s integrated file integrity and registry monitoring module detects zero-day attacks that evade signature-based solutions such as antivirus.

100 Log Management Uses #48 Control of ports, protocols and services (CAG control 13)

Today we look at CAG Control 13, limitation and control of ports, protocols and services. Attackers search for exactly these things: a software install, for example, may turn on services the installer never imagined might be vulnerable, so it is critical to limit new ports being opened or services being installed. It is also a good idea to monitor for abnormal or new behavior that indicates something has escaped internal controls. A system suddenly sending or receiving network traffic on a new port is suspicious and should be investigated, and new installs or new services being run are also worth investigating. We will take a look at how log management can help you monitor for such occurrences.
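As an added example of the two checks just described (illustrative code, not EventTracker's and not from the original post): the first diffs a snapshot of listening sockets against an approved baseline, the second pulls "a service was installed in the system" records (Windows System log, Service Control Manager, event ID 7045) out of a log feed and flags service binaries living in user-writable directories. The baseline, the snapshot (a simplified `proto address:port program` rendering of what `ss -lntup` or `netstat` reports) and the log lines are all constructed for the example, with the multi-line 7045 text flattened onto one line.

```python
"""Added example, not EventTracker code: two checks for CAG control 13.
1. Diff a listening-socket snapshot against an approved baseline.
2. Pull 'new service installed' records (Windows System log, Service Control
   Manager event ID 7045) out of a log feed and flag suspicious binaries.
Baseline, snapshot and log lines are constructed; the 7045 text, which is
multi-line in the real event, is flattened onto one line here."""
import re

# Assumed baseline of approved listeners: (protocol, port, program).
BASELINE = {("tcp", 22, "sshd"), ("tcp", 443, "nginx"), ("udp", 123, "chronyd")}

# Constructed snapshot in a simplified 'proto address:port program' form.
SNAPSHOT = """\
tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:443 nginx
tcp 0.0.0.0:4444 nc
udp 0.0.0.0:123 chronyd
udp 0.0.0.0:69 in.tftpd
"""

# Constructed System-log lines: timestamp host source event-id message.
SYSTEM_LOG = """\
2009-10-20T09:12:01 WEB01 Service Control Manager 7036 The Print Spooler service entered the running state.
2009-10-20T09:15:44 WEB01 Service Control Manager 7045 A service was installed in the system. Service Name: Updater Service Service File Name: C:\\Windows\\Temp\\svc.exe Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem
2009-10-20T09:16:02 WEB01 Service Control Manager 7036 The Updater Service service entered the running state.
"""

SNAP_RE = re.compile(r"^(tcp|udp)\s+\S+:(\d+)\s+(\S+)$")
SVC_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+Service Control Manager\s+7045\s+.*?"
    r"Service Name:\s*(.+?)\s+Service File Name:\s*(.+?)\s+Service Type:"
)
# Directories an ordinary user can write to; a service binary there is odd.
WRITABLE_DIRS = ("\\temp\\", "\\users\\", "\\appdata\\", "\\programdata\\")


def parse_snapshot(text):
    """Return the set of (proto, port, program) listeners in a snapshot."""
    listeners = set()
    for line in text.splitlines():
        m = SNAP_RE.match(line.strip())
        if m:
            listeners.add((m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def new_listeners(snapshot_text, baseline=BASELINE):
    """Listeners present now that the baseline does not approve."""
    return sorted(parse_snapshot(snapshot_text) - baseline)


def new_services(log_text):
    """Extract service installs (7045) with name and binary path."""
    found = []
    for line in log_text.splitlines():
        m = SVC_RE.match(line)
        if m:
            found.append({"time": m.group(1), "host": m.group(2),
                          "name": m.group(3), "image": m.group(4)})
    return found


def suspicious_image(path):
    """True if the service binary sits in a user-writable location."""
    low = path.lower()
    return any(d in low for d in WRITABLE_DIRS)


if __name__ == "__main__":
    for proto, port, prog in new_listeners(SNAPSHOT):
        print(f"new listener: {proto}/{port} ({prog})")
    for svc in new_services(SYSTEM_LOG):
        flag = " [writable dir]" if suspicious_image(svc["image"]) else ""
        print(f"{svc['time']} {svc['host']}: service installed "
              f"{svc['name']!r} -> {svc['image']}{flag}")
```

Both checks are only as good as the baseline: re-approve it after every sanctioned change, otherwise the diff fills with noise and the one listener that matters (the `nc` on 4444 above) gets ignored with the rest.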

By Ananth