Monthly Archives: July 2015

A risked-based approach to SIEM rollout hardly makes sense

25 July 2015

I had a lot of discussions about SIEM rollout in the past weeks. One approach is to watch only Windows server systems that store business critical information or provide critical infrastructure services. Why should we waste time and effort on information not critical for business? That sounds convincing, in particular with a risk based approach in mind.

My approach goes far beyond this. I strongly recommend to watch all windows server system through SIEM.

The reason is quite simple: In a Windows server network lots of user accounts and technical accounts are used for administrative tasks. In general, this accounts are globally defined (in the Windows Active Directory) and member of the individual server’s administrators group. And, in general, this accounts are used for all systems, even for those storing business critical information.

If one assumes the about 10% of a company’s servers manage business critical information, hacking attempts on 90% of the servers will remain undetected. An attacker who hijacks one of the non-critical systems, and starts a DLL injection attack on the Windows Local Security Service lsass.exe to extract plain text passwords from memory, will have access to all of your systems within minutes.

But if you watch all servers through your SIEM system you will get a security incident within seconds after the hacking attempt takes place. With well-defined security incident processes in place you may be able to prevent the worst.

This reminds me of the report ‘Dissecting the Top Five Network Attack Methods: A Thief’s Perspective’ I read this week:

I love breaching a company that spends tons of money on gear but can’t get it working together. I know I leave traces, but by the time the admins connect all the dots, I’m long gone.

In the case above the admins do not even have the chance to connect all the dots because they are almost blind.

Have a good weekend!

To be successful a SIEM implementation should follow the ISO 27001 approach

20 July 2015

Last Wednesday I participated in a workshop on Production IT Security in Frankfurt. The presentations about Security Assessments, SIEM solutions, Next Generation Firewalls and Threat Intelligence were very interesting, but, as always, I got the most valuable information from the discussions with the other attendees during coffee break. It was really amazing to hear that the attendees, although they came from different companies, talked about the same mostly negative experiences in their SIEM projects.

During my ride back to Leverkusen I had time to think about this. Expectation management was a big issue in the discussions. The PowerPoints of the vendors suggest a quick and easy installation and start-up, and with some days training in Big Data methods the SIEM operator can set up dashboards which show the current security status of your company. Far from it!

The key capabilities of a SIEM solution are:

(1) Data aggregation and correlation:  Collect event data from various sources, correlate them, and integrate them with other information sources to turn the data into useful information.

(2) Compliance: Gather compliance data to support security, governance and auditing processes.

(3) Retention and Forensic analysis: Long term storage of historical event data for correlation over time and forensic analysis in the case of a security incident.

(4) Dashboard: Turn aggregated and correlated data into informational charts to aid security staff in identifying abnormal usage patterns.

(5) Alerting: Automated analysis of correlated events and production of alerts, to notify recipients of immediate issues.

The implementation of each function requires a big effort in preparation and operation. Let me show this by the means of two examples:

(4) Dashboard. In order to find abnormal usage patterns you have to define normal usage patterns first. This takes not only time. It is really hard to find relevant patterns from the ocean of events that systems create during normal operation. To ensure fast start-up it is required to cleanup your systems of e.g. event errors created by mis-configured services before you start operation.

(5) Alerting is probably the most interesting capability of a SIEM system. It allows you to act directly upon security incidents. To get the most of alerting you have to set up an incident response process, ideally depending on the classification of the information assets to prevent wasting of time and effort.

This requires that all assets are listed in an asset repository, classified and an asset owner is assigned, before your SIEM solution goes into production.

In addition it is required that your SIEM operations group is sufficiently staffed, the operators are well-trained, and enabled to take proper actions on an incident, e.g. alerting your server operators or shutting down a server to prevent larger damage.

Sounds like the preparations required for the implementation of an Information Security Management System due to ISO 27001.

With this my advice is: For a successful and quick SIEM implementation you should follow the major steps for implementation of an ISMS.

Bonne semaine!

Bromium Partners to Bring Micro-virtualization to Windows 10

14 July 2015

This is perhaps the most exciting news of the year. Bromiums micro-virtualization technology in connection with the latest security technology of Windows 10 and integrated in Microsoft System Center – sounds like the next generation endpoint security solution that we so desperately need.

In particular because signature based anti-malware solutions can be tricked by simple means. For details see the cyber arms post Anti-Virus Bypass with Shellter 4.0 on Kali Linux.

Take care!

Firefox Browser Console provides valuable hints on Phishing Sites

11 July 2015

When a serious company requests login data the network connection is always secured. Clear indicator of a secured network connection is that the URL starts with the https protocol. In addition, the certificate information besides the URL provides reliable information about the company and the site which runs the service.

Secure Connection Indicators

Secure Connection Indicators

The missing https protocol and certificate information in phishing URLs like is a clear indicator that someone tries to trick you.

Firefox Browser Console is a useful little helper in identifying phishing sites. Programmers use an input box of type password when they ask for a password. With this the Firefox programmers defined a simple rule:

Password fields present on an insecure (http://) page are a security risk.

When Firefox loads a phishing site the code on the site is inspected. Firefox detects an input box of type password and outputs a warning on the Browser Console because the network connection is not secured:

Firefox Browser Console Security Warning

Firefox Browser Console Security Warning. Click to enlarge.

I would appreciate it if the Firefox programmers would warn the users with a message box of such security risks, and block loading of such sites. This would be a great step forward because malicious URLs are often difficult to recognize in emails.

Take care!

Nomination for the “Most-Slanting-Phishing-Site-of-the-Year” award

10 July 2015

I am receiving about 20 phishing mails a week. Most attackers invest a lot of effort in their counterfeits but, sometimes they overshoot the mark. My July candidate for the Most-Slanting-Phishing-Site-of-the-Year award is:

Most-Slanting-Phishing-Site-of-the-Year award  - July 2015 candidate

Most-Slanting-Phishing-Site-of-the-Year award – July 2015 candidate

Earlier this week the Italian company Hacking Team was hacked. The attackers made more than 400GB of confidential company data available to the public. The leaked data included tools and exploits provided by the company to carry out attacks, among them a new Flash Player zero day affecting Flash Player up to version

Two critical vulnerabilities in as many weeks, that’s really annoying. The problem with the latest Flash Player attacks is that the payload is hidden in Flash Player SWF files. Thus, basically every SWF file might carry a malicious payload…

… It’s definitely time to solve the Flash Player problems once and for all.

Have a good weekend.

I haven’t missed it – The first week without Adobe Flash Player

4 July 2015

In my last week’s post I raised the question whether it might not be useful to solve the endless problems with Flash Player once and for all by just deactivating this add-on.

I haven’t missed Flash Player on my iPad II so far. Regarding usage at home my expectations were clear: The world would not change dramatically. But I hadn’t any clue about the changes at work. Is Flash player often used as add-on in business applications or in the company Intranet?

On Monday morning I started a self-experiment and deactivated Flash Player on my company PC.

Now it’s time to draw a first summary: My expectations were clearly exceeded. Deactivating Flash Player has absolutely no impact on my daily work. I found only one intranet site where  Flash Player was used.

I will continue this experiment for some weeks. My feeling is that Flash Player can be disabled with little or no impact on business. Moreover, it is important to design new sites and applications without using Flash videos.

If you manage to waive Flash Player the attack surface of your system as well as the effort for patching will be reduced dramatically.

Happy 4th of July!