Category: Product

LogLogic’s LX2010
On the whole, we were very impressed with the LX2010, but it’s expensive compared with LogRhythm and others. IT managers–and system admins, for that matter–hate logs, because they seemingly go on forever and often provide an overabundance of useless information. Administrators get lost looking for one or two important log entries scattered through a log file with tens of thousands of entries. LogLogic’s simple-to-use Boolean search capabilities can help find that needle in a haystack.

We tested LogLogic’s LX2010, a dual-processor, 2U appliance that comes fully equipped with 2 TB of internal storage (RAID-10), dual power supplies, two bonded Gigabit NICs for log collection, and a 10/100 port for the Web-based management user interface. The 2010 can be deployed as a centralized solution for small and midsize businesses, but it’s often deployed as a remote-office log collector in a hub-and-spoke configuration, with the flagship ST2010 or ST3010 appliance serving as the hub. As an intelligent syslog server, the 2010 automatically detected and categorized incoming logs as we configured each of 10 Cisco PIX firewalls to connect to the LogLogic 2010. To ship our Windows server logs over to the 2010, it was necessary to install a LogLogic proprietary version of Lasso, an open source-based product that was built as a gateway between Microsoft’s event-logging format and syslog. Once complete, the 2010 automatically recognized and grouped all the server log data accordingly. The 2010 isn’t a security event manager, or SEM, per se, but it can be configured to alert IT in the event of a failed condition, so in a way it can perform some of the same core functions of a good SEM.

THE UPSHOT CLAIM: LogLogic aims to deliver a new level of visibility, reporting, and analytics to the massive number of logs that are typically distributed among a wide range of enterprise IT systems. Using a simple yet powerful LogLogic reporting engine that’s well suited for forensic and troubleshooting chores, administrators can locate important information often contained in logs that would otherwise be difficult to find through manual searches.

LogRhythm 4.0
IT systems can generate a ton of log events–not all of which are useful–in the name of compliance. Today’s log management systems maintain two different types of logs: raw logs that come straight from network devices; and processed data, which the log manager indexes for searching and reporting. Log managers like LogRhythm can both store raw messages and extract important data, such as IP address, user name, message importance, and message classification. Settings are defined either by log manager, the server collecting the log messages; or by log source, the program or application generating the logs, such as Windows events or Unix syslog.

LogRhythm 4.0’s other new features include log server monitoring for CPU load, memory usage, and message volume, so you can track system performance in real time. Previous versions of LogRhythm archived log messages in batches, which meant there was a time lag between when a message was received and when it was archived, and the log message had to be stored in the online database to be archived. In LogRhythm 4.0, log archiving is independent of log processing, and archiving occurs in real time. Using the Drop Log function, nothing is written to the online database, while the Drop Raw function writes the metadata to the online database and drops the raw log.

Log management vendors such as LogLogic, Prism, and Q1 Labs are adding features to simplify the process, including data mining and analysis capabilities.

http://www.informationweek.com/news/management/compliance/showArticle.jhtml?articleID=212000974

That’s an example of a reputation-based choice in selecting a restaurant,” Basant said in an interview with ZDNet Asia, during his visit to Symantec’s Kuala Lumpur office.

According to Basant, Symantec’s reputation-based approach assumes three distinct populations in its user base, which numbers in the millions. “We identify these by looking at the history of infections on their machines,” said Basant, who plays a key role in driving innovation for Symantec’s next-generation technologies, architecture and standards. The safe group encompasses “prim and proper” users who only download applications from reputable software companies, he explained, while the adventurous group is users who are generally safe, but are willing to try out online games or new programs.

Users in the unsafe crowd are those who frequent a class of websites where they can get infected easily, he added. For example, when a new program is detected, the reputation-based approach will entail looking at where the program is found among the machines of millions of Symantec users. “If a large number of the ‘safe’ machines have it, making an educated guess is to say that this is a safe program,” Basant said. “But, if you see this application only [installed] with the unsafe crowd and a few of the adventurous guys, it is almost certain that this is an unsafe program.

Asked when the new reputation-based technology will be introduced into Symantec’s Norton security products, Basant said: “[This] will happen when the product teams deem the market timing is right for it”. Bad outpacing the good In its Internet Security Threat Report Vol XIII, covering a six-month period from June to December 2007, Symantec measured the release of both legitimate and malicious software and found that 65 percent of the 54,609 unique applications released to the public, were categorized as malicious.

To protect the targeted few, Basant said Symantec’s security products leverage behavioral-analysis technologies and, in the near future, will tap reputation-based security, which does not depend on a signature but behavior or prevalence to determine whether a program is legitimate.

http://news.zdnet.com/2424-9595_22-243676.html

“By bringing together these two best-of-breed technologies, customers can dramatically improve their awareness of and response to security incidents,” said Jeff Scheel, senior vice president of business development, ArcSight.

The newly released version of Fidelis XPS also includes enhancements to reporting and alert management capabilities, enabling business and technical users alike to manage and analyze alert information and trends through the redesigned workflow including incident handling and forensics analysis. “By utilizing these two best-of-breed technologies with the ability to share technical alerts and vital information from end-to-end, an organization can realize the value and full potential of maximum risk reduction in their data security investments.”

http://software.einnews.com/article.php?nid=6924

The Altor VF is a software security appliance that runs in a virtualized environment and enforces security policy on a per virtual machine (VM) basis. Unlike existing firewalls designed for physical networks, the Altor VF virtual firewall can secure Live Migration – a technology designed to trigger automatic movement of VMs across physical servers, but capable of inadvertently moving an application to a less trusted network. The Altor VF was purpose-built for the virtual environment – enabling tighter security policy and greater ease-of-use than existing virtual firewalls adapted from their physical firewall counterparts.

Traditional firewalls not only provide security to physical networks, they also provide visibility to the traffic running through them and export some of that data to 3rd party products to aggregate and correlate data across the network. The Altor VF extends visibility into the virtual environment – providing NetFlow statistics, Sys Log, and other network statistics on a per application basis and exporting that data to 3rd party products such as those from ArcSight and Mazu Networks (Please see separate releases for details).

Through its partnership with Juniper Networks, the Altor VF enables Juniper IDP appliances to extend their protection into the virtual environment (Please see separate releases for details). “Our other network security vendors did not offer viable options, especially regarding VMotion.

“With Altor’s solution we now have total visibility into, and far greater control over, our virtualized infrastructure,” said Nicholas Portolese, senior manager, data center operations at Nielsen Mobile.

“IT administrators are challenged with the differences between virtual and physical networks, and recognize that new approaches are necessary to meet the management challenges of virtual infrastructure,” said Mark Bowker, an analyst at Enterprise Strategy Group.

http://www.tmcnet.com/usubmit/2008/10/14/3701166.htm

MessageLabs’ subscribers turn over the management of their e-mail and Web traffic security to the company and do not have to install on-site equipment.

The acquisition of MessageLabs gives Symantec an alternative e-mail security offering to BrightMail, the company’s antispam and antivirus appliance. “We think the opportunity to expand our footprint in the rapidly growing software-as-a-service market is significantly enhanced by this team becoming part of Symantec,” Symantec CEO John Thompson said in a conference call to discuss the deal.

MessageLabs’ service will be integrated into the Symantec Protection Network, an online-based backup, data-restoration and remote access service launched in April 2007 for small to midsize businesses. Adrian Chamberlain, CEO of MessageLabs, will lead the team and report to Enrique Salem, Symantec’s chief operating officer.

The company reported $145 million in revenue for fiscal year 2008, which ended July 31.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9116620&taxonomyId=17&intsrc=kc_top

This is a pervasive problem that requires a holistic approach, starting with a ‘best practices’ DNS architecture and including processes and systems to quickly patch production DNS systems when new vulnerabilities and exploits are released… We are committed to providing solutions that not only address today’s threats but that also provide a lasting ability to provide protection as new attacks emerge.”

The Infoblox appliance-based solution provides protection against the DNS exploit and also provides features that will be essential for detecting and thwarting future attacks. Infoblox’s newest NIOS release, version 4.3r2, includes security features that monitor DNS protocol traffic, provide reports and proactive alerts when an attack is in progress, and a means to automatically mitigate attacks. Infoblox grid technology patch and upgrade appliances with a single command, in a production network, without incurring DNS service downtime.

Infoblox’s NIOS operating system enable administrators to obtain a detailed view of the devices actually connected to the network; reconciliation makes it easy to align the Infoblox IPAM database with the actual state of the network, providing a means to find lost assets and detect rogue devices. Further, it allows customers to have multiple instances of the same network address space in a single grid with a common management interface; multiple networks can be viewed and managed simultaneously, without opening and closing different configuration sets.

http://it.tmcnet.com/topics/it/articles/41236-infoblox-unveils-dns-firewall-address-dns-vulnerability-concerns.htm