Category Archives: Security Tools

Security in Developer first organization…

Security in an Agile, Developer First organization is a constant ”tug-of-war” between “more security controls vs more developer usability”. The reason for this is primarily the need of Security professionals to maintain control over the “hacky” by nature developers. I am a big fan of Mordoc and the comic strip below shows exactly how this tug-of-war is:

Developers typically use a lot of tools in their machines like:

  1. Build Tools (iOS, Android EMU, IDE, VM, Containers etc.)
  2. Browsers
  3. Repo tools constantly updating
  4. Testing tools.

On such machines, there is always a risk of developers being the target to steal source code or sensitive information. In order to protect these developers, Security teams become overzealous and implement several security tools like Endpoint Security solutions (AV, EDR, HIDS etc.) and Compliance tools (DLP, Web Proxy, Patching, logging etc.).

A typical machine that has all the security tools installed and running looks something like this. This pattern is true across typical enterprise organizations.

The question always is – Where is the balance between Security controls vs Developer productivity?

I gave a talk at a conference on this topic and the slides are available here.  There are various strategies we can employ to secure the developer machines or in general any enterprise computing asset. Some of the innovative ways (they are real and implementable) we can use are described with examples. I thoroughly enjoyed working on this talk and all the associated research that went with it.

 

 

Please leave your comments below. Until next time!!!

SIEM Product Comparison – 2016

SIEM Product Comparison – 2016

We at Infosecnirvana.com have done several posts on SIEM. After the Dummies Guide on SIEM, we followed it up with a SIEM Product Comparison – 101 deck. The SIEM comparison we did was in 2014. After two years we are taking a look at the SIEM market and comparing them alongside. The leaders in this space according to Gartner are still the following products (in no order):

1. HP ArcSight – Review

2. Intel Security – Review

3. IBM QRadar – Review 

4. Splunk SIEM – Review

5. LogRhythm

In the below post, we have tried to provide detailed explanations of the Strengths and Weakness of these various SIEM products as evaluated in 2016. Finally, we provide a Scorecard for the products based on various capabilities.

HP ArcSight: Since 2014, ArcSight has come a long way. They have added quite a few features along the way that has added to their strengths. For example, Connector load balancing was definitely a welcome addition after several years of being requested.  However, the weakness list is still the same. One of things frustrating users mainly is that the Web architecture for administration and management is not as mature as the thick client.

Picture1

IBM QRadar: Since 2014, QRadar has continued to maintain its pole position in product ratings and evaluations. There have not been major product announcements after QVM and Incident Forensics other than IBM App Exchange (a Splunk App store style approach to extensions and plugins). While the strong points of IBM QRadar are still true, the weaknesses have started to crop up in areas of operational efficiency and reliability.

Picture2

Intel Security: This is one product that underwhelms when it comes to realizing its true potential. They checked all the boxes required for monitoring with ADM, DAM, DPI, ATD etc. However, the real problem with erstwhile Nitro has always been stability and management overhead. Two years later, the strengths have increased no doubt, but the weaknesses still remain around reliability.

Picture3

Splunk: This is one of the products that has gone through several changes in the past two years. They have expanded their capabilities significantly in the “App for Enterprise” space with predefined security indicators and dashboards and visualizations. They have also improved the support for packet captures and analysis. With the purchase of Caspida, behaviour analytics capabilities will come into Splunk. While the strengths column has increased, the weakness column still remains the same.
Picture1

LogRhythm: The new and upcoming unified SIEM player LogRhythm has come a long way from its humble beginnings. In the past 2 years, LogRhythm has added several new features to their product including but not limited to incident response and case management workflow,  centralized evidence locker, collaboration tools, risk based profiling and behavioural analytics to identify statistical anomalies for network, user and device activity.  This combined with ease of deployment and competitive price has definitely opened up the leaders quadrant to some exciting shake up.  Let’s take a look at the strengths and weakness for LogRhythm.

Picture2

Overall Scorecard: 

Any evaluation is incomplete without a scorecard. So we have consolidated feedback from various sources and provided a weighted score on the five SIEM products reviewed above.

Picture3

Conclusion:

Based on the review of SIEM products done this year, we feel innovation in the SIEM space has plateaued. The next generation Security Analytics and Big Data technologies are slowly becoming mainstream thereby relegating the SIEM solution purchases to a more compliance driven initiative.

Please share your thoughts on how you would rate the various SIEM products discussed here.

AlienVault SIEM – Playing with the big boys!!!

AlienVault Logo

At Infosecnirvana, we did a post on SIEM Comparison – 101 and a lot of readers where interested in evaluating AlienVault SIEM and how it stacks up against the Usual suspects like ArcSight, QRadar, McAfee Nitro, Splunk etc. Well, we listened and this post is about our take on AlienVault SIEM, its strengths, weakness and many more.

Introduction:

AlienVault is the enterprise avatar of Open Source SIM (OSSIM). AlienVault has a number of software components, which when put together provides what is now called a Unified Security Management tool or USM in short. The components are:

  • Arpwatch, used for MAC address anomaly detection.
  • P0f, used for passive OS detection and OS change analysis.
  • PADS – Passive Asset Detection System, used for service anomaly detection.
  • OpenVAS, used for vulnerability assessment and for cross correlation of (Intrusion detection system (IDS) alerts vs. Vulnerability Scanner) information.
  • Snort, or Suricata used as an Intrusion detection system (IDS), and also used for cross correlation with Nessus.
  • Tcptrack, used for session data information which can grant useful information for attack correlation.
  • Ntop, for recording traffic patterns between hosts and host groups, and statistics on protocol usage. .
  • Nagios, used to monitor host and service availability information based on a host asset database.
  • OSSEC, a Host-based intrusion detection system (HIDS).
  • Munin, for traffic analysis and service watchdogging.
  • NFSen/NFDump, used to collect and analyze NetFlow information.
  • FProbe, used to generate NetFlow data from captured traffic.
  • AlienVault also includes lot of proprietary tools, the most important being a powerful correlation engine.

The combinations of all these tools have been seamlessly put together in AlienVault USM and is really a winner in the SME segment of the market. They have a nice feature set, and with the entire re-organization, additional funding, infusing new leadership etc. had made AlienVault a serious contender in the SIEM space. They are the sole contender in the Visionaries Quadrant in the 2014 Gartner Report. In short, it is like the UTM of SIEM technology. Now, is that good? Or is that bad?

Lets see!!!

What is good?

  • Flexible Deployment Architecture – This is where the Open Source roots really start to flex their muscles when it comes to AV USM.  The 3 main components of the Architecture are as follows:
    1. AV Sensor – AV Sensors perform Asset Discovery,
      Vulnerability Assessment, Threat Detection, and Behavioral Monitoring in addition to receiving raw data from event
      logs and helping in monitoring network traffic (including Flow). The sensors also perform Normalization of the received raw events and communicates them to the AV Server for correlation and reporting.
    2. AV Server –  AV Server is the Central management console that provides USM capabilities under a single GUI. The Server receives normalized data from the sensors, correlates and prioritizes the events and generates Security Alerts or Alarms. The server also provide a variety of reporting and dash-boarding capabilities as well.
    3. AV Logger –  AV Logger provides the capability to archive log files for purposes of forensic analysis and to meet compliance requirements for long term retention and management.

All the architecture components including the Sensor, the Logger, the Correlation Engine etc, can be deployed tier based, isolated or in a consolidated All-in-One style. This wide variety of deployment options help customers to have flexible and open architectures. This also in a way helps control cost depending on the budget at hand. Very rarely can products boast of such flexibility.

  • A Jack of All… – The best thing about AlienVault USM is being a “Jack of All” solution. They provide SIEM, HIDS/NIDS, FIM, NetFlow, Asset management, Vulnerability Management etc. under one USM platform. None of the commercial SIEM vendors like ArcSight, McAfee, etc. can boast of such diverse feature set. QRadar in my opinion is the closest to AV USM in terms of feature diversity. While all the features are formerly isolated Open Source community projects, the USM does a good job of integrating them in to a feature set. While they are not great as individual parts, they more than make up as a sum of the parts.
  • OTX – Open Threat Exchange is a wonderful community sharing platform that helps clients to share IP and URL reputation information so that all AV customers can benefit. This is true community sharing modeled on the likes of the Splunk Community (for app development). This has the potential to grow into a large source of Real World Intelligence and what AlienVault intends to do with this data remains to be seen. For now, it is being used by USM Correlation engine to provide better context and content for Security monitoring. AlienVault Labs, is also utilizing this infrastructure to constantly update Detection rules for malware vectors, vulnerability exploits etc. QRadar and ArcSight provide Intelligence, but it is commercial intelligence and not community intelligence. With community intelligence, you get more hits than misses.
  • Multi-Tenancy – While this feature may not elucidate an interest from many readers, those who have worked in an MSSP environment can understand why this is a very important feature to have. AV USM does support Multi-Tenancy out of the box. This, when combined with the Architecture flexibility provide great MSSP models to sell and operate. The key is to understand how the multi-tenancy works. Basically, a single database is used to store data of several customers using a Data isolation Logic and Permission control. The data isolation logic is based on Entities created in USM (Assets, Users, Components Assigned (Sensors) etc. are grouped together as a Single Entity) and  Permissions (applied in a granular fashion to data sets related to the Entities). QRadar, ArcSight and other major SIEM products provide this as well.
  • Price: One of the areas where AV USM benefits is Price. They are affordable while offering a whole lot of SIEM features. Mostly, this turns out to be the deciding factor for Small and Medium Enterprise segments. QRadar, ArcSight and Splunk are some of the most expensive SIEM products out there in the market and not everyone has the budge to buy them. In such cases, AV USM is a very cost effective alternative.
  • Customization: Again, this is one point where AlienVault outshines the competition in capability of customization. We have seen several customers who are using AV USM with heavy customization to perform threat detection, Asset Discovery, Threat scoring, APT detection etc. This flexibility is really desired by Security analysts and AV USM is making good on this promise.

What is bad?

  • But King of None… – As mentioned in the good, being a jack of all is well suited for certain organizations, but without a mature functionality and expertise in any of those areas is a strong negative. For example, the correlation engine is no where close to the likes of ArcSight , QRadar or Splunk etc. The threat Intelligence is not as good as QRadar, McAfee, RSA etc. And so on and so forth. So when it comes to critical functionality expertise, AV USM is found lacking.
  • Database: – AV USM is using MySQL for its database. All the issues related to a structured DB for log collection, storage and management come to haunt AV USM as well. All SIEM logs are stored in the MySQL database and this causes an issue in terms of scalability, especially with High log volume environments because backup and restore is time and CPU/RAM consuming. USM can hugely benefit from moving to a Non-DB Log storage architecture, thereby giving more flexibility in data management, but will AV take that route is doubtful. Based on their product direction, they are looking at Percona Server to replace MySQL. While it is a good move, it is still customized MySQL replacement, and may not add much desired scale to the product.
  • Product Stability: – The biggest issue, we have seen with the product is its poor stability. With way too many components, myriad integration, a ton of scripts, the product is really unstable. Every version upgrade is a nightmare. Re-installation or Re-start is the most common solution for the product to start working again. In a mission critical environment, this is a complete NO-NO.  One of the most common and frequently failing component is the DB. Issues like DB corruptions, Access issues, disk errors, unresponsive queries etc. really test the patience of end users on a regular basis. This in our opinion is the most damning negatives about AV USM.
  • Integration: – While AV USM is known for being customization friendly, the amount of Out-of-the-box plugins for Log Monitoring and Correlation is limited to the well known products. It does not have comprehensive integration capabilities with say legacy applications, Directory services, databases etc that other SIEM vendors boast of. Similarly, it relies mostly on its own “pre-packaged” tools for data enrichment and hence has poor “Third Party” Integration capabilities. However, if you really are a developer of open source products, the integration challenge can be overcome. But how many are willing in the real world enterprise?
  • Correlation & Workflow: – What good is a SIEM product if it cannot perform advanced Correlation and Operational workflow? AV USM has a strong foundation in Correlation using XML driven Directives and Alarms thresholds. However, when it comes Head-to-Head with the Industry leaders like ArcSight, QRadar, Splunk etc. it falls terribly short. We particularly like the Cyber Kill Chain flow which a lot of customers are using for complete visibility, but this is not the end game in real world enterprise operations where not always all the data points required for the directive is available. Same thing goes for the workflow, where the integration with external ticketing or issue tracking system is very limited and hence acts as a deterrent in large scale deployments.
  • Technical Support: – One of the common issues we hear about AV support is that it is of inconsistent and poor quality. Most of the times, the solutions rely on re-install or re-start or a bug-fix, because there are way too many components to troubleshoot and this leaves support to resort to re-install or re-start, without thorough root cause analysis.
  • Product Vision Stagnation: – This may not be much of an issue for potential users of AV USM, however it is important to note that the product has not gone through major leaps in the last 4 years. It had more than 3 major releases and 20+ minor releases, but nothing path breaking has been brought to the market. It has still remained in the “promising products to watch” for way too long. One of the main reasons we think is because of economies of scale. Since they are priced lower and cater to SME segment, the amount of money invested in development is less and hence the result.

Conclusion: 

In short, we we would like to conclude saying that AV USM is  definitely a great addition to organization who want cost effective, quick and easy SIEM solutions. However, it still has to go a long way in competing with the big guns out there for it lacks both in firepower as well as range. So what do you think about AlienVault? Feel free to post your comments below.

Until next time… CIAO!!!