11 articles Tag security

“Potsdamer Konferenz für Nationale Cybersicherheit”

On Tuesday, 4th of June, the “Potsdamer Konferenz für nationale Cybersicherheit” took place at the Hasso-Plattner Institute in Potsdam, Germany. The main goal of the conference was to improve communication between the government, the economy and the different research fields on the issue of cyber security. For us, it was interesting in two ways: finding the main actors to focus on in our research and learning how the different organisations rate the current security situation.

The conference started with a few words of welcome from the Director and CEO of the Hasso-Plattner Institute, Prof. Dr. Christoph Meinel. In his short keynote, which was mostly about the work and research of the HPI IT-Security Engineering Team, he also introduced the audience to the new HPI-Vulnerability-Database.

The HPI-VDB portal is the result of research work being conducted by IT-Security Engineering Team at Prof. Christoph Meinel’s chair “Internet Technologies and Systems” at HPI. It is a comprehensive and up-to-date repository which contains a large number of known vulnerabilities of Software. The vulnerability information being gathered from Internet is evaluated, normalized, and centralized in the high performance database. The textual descriptions about each vulnerability entry are grabbed from the public portals of other vulnerability databases, software vendors, as well as many relevant public web pages, etc. A well-structured data model is used to host all pieces of information which is related to the specific vulnerability entry. Thanks to the high quality data serialized in the high performance In-Memory database, many fancy services can be provided, including browsing, searching, self-diagnosis, Attack Graph (AG), etc. Additionally, we offer many types of API for IT developers to leverage our database for their development. (http://www.hpi.uni-potsdam.de/meinel/security_tech/hpi_vdb.html)

Many more interesting speakers were invited to talk about cyber security from their perspective. For example, the director of the European Network and Information Security Agency (ENISA), Prof. Udo Helmbrecht, gave a keynote speech addressed to policy- and decision-makers such as the Minister-President of the federal state of Brandenburg and the Federal Minister, as well as industry representatives and others.

With regard to the focus of our research, this conference was not the very best place to learn new things. But the opportunity to make new contacts and meet interesting people in general was great, and we now have a few names to work with in the future. Knowing the actors and the so-called “big players” in the business is also good to have.

A short film about the conference was uploaded to YouTube. This video was made by hpi tv and sums up the conference pretty well. (German only)

Security Log Visualization with a Correlation Engine

At the 28th Chaos Communication Congress, organized by the Chaos Computer Club in Berlin, network security specialist Chris Kubecka talks about how correlation and visualization of network log data from different devices can support the process of finding potential threats and malware. Usually a network comprises a variety of different devices, each of which generates log files in its own format. Having a separate console for each of these devices

LogRhythm

LogRhythm is a SIEM that can be applied either in smaller organizations as a single software instance or in midsize to large organizations as a combination of different software applications. It offers log management, event management, reporting, user and file integrity monitoring. The product is easily and quickly deployed due to a helpful configuration wizard. Though LogRhythm is capable of event correlation, compared to its competitors it’s very basic and optimized for the most common use cases. Gartner has positioned the product in their Magic Quadrant for Security Information and Event Management as one of the leaders.

Sentinel, Security Manager (NetIQ)

The company NetIQ offers two SIEM solutions: Sentinel and Security Manager. Sentinel is a product originally offered by Novell. With the recent acquisition of the company by NetIQ, there are two products overlapping in their functionality. In the future all functionality will be merged into the Sentinel solution. Sentinel’s strength lies in event correlation and real-time event management. Security Manager lacks this functionality and focuses more on host- and agent-based monitoring capabilities for server platforms, something missing in most SIEMs. Sentinel is a leader in the Gartner Magic Quadrant 2012.

Enterprise Security Manager (McAfee)

McAfee NitroSecurity is software that offers SIEM functionality and log management in one single tool, which separates it from other SIEM systems. It is scalable and has high performance, which makes it especially useful for organizations that need to analyse huge numbers of events. The company itself emphasizes the speed of the product as an outstanding feature. It is one of the five products positioned as a leader in the Magic Quadrant for Security Information and Event Management.

Q1 Labs (IBM)

IBM offers an extensive security system solution called Q1 Labs. This includes several products for different security aspects, like, for example, QRadar Log Manager for collecting, archiving and analyzing network and security event logs or QRadar SIEM for real-time analysis of security alerts and correlating data from different sources to detect any threats. The product distinguishes itself from other products by its ability to collect and process NetFlow data, by deep packet inspection (DPI) and behavior analysis for all supported event sources. According to Gartner it can be considered one of the leaders in the field (Gartner 2012).

HP Enterprise Security Products and ArcSight

In their business unit ESP (Enterprise Security Products), Hewlett Packard offers several security tools in three different areas: Application Security (Fortify), Information Security (ArcSight) and Network and Cloud Security (TippingPoint). While Fortify is targeted at software security, ArcSight can be considered a SIEM (Security Information and Event Management) system. TippingPoint is a defense system against cyber attacks and threats.
According to Gartner, ArcSight can be considered one of the leaders in the field of SIEMs. There are different ArcSight SIEM solutions available, depending on whether you are interested in recording and analyzing log information or are focusing on real-time security events. The choice of solution also depends on the size of your network.

Though ArcSight is one of the most popular products on the market, it has its shortcomings:

“ArcSight Enterprise Security Manager is complex in terms of deployment and performance management.”

Splunk

Splunk is a general tool for analysing data in huge IT infrastructures. It consists of different tools that can be utilized in different contexts. With the “Splunk App for Enterprise Security” potential threats and security incidents can be observed, analysed and classified. Users of the app are presented with a web dashboard that visualizes different aspects of the network.

Snort – Intrusion Detection System

Snort is an open source intrusion detection/prevention system (IDS/IPS) developed by Sourcefire. It is the most used IDS/IPS worldwide. Snort alone has no GUI to interact with, but it is possible to connect several other Network Security Monitoring systems to it, such as Snorby, BASE and OSSIM.

ACARM WUI

ACARM (Alert Correlation, Assessment and Reaction Module) is a tool that correlates alerts sent by host and network sensors into groups, thereby reducing the number of messages that need to be viewed by a system administrator. There is a web GUI that lets the admin observe the different kinds of alerts with different graphical representations such as pie charts, bar charts or more advanced ones. Different kinds of alerts are color-coded on a scale from green to red, with green being just information and red being critical.
