CyberSecurity Institute – Page 341 – Security News Curated from across the world

Using events-per-second as a factor in selecting SEM tools

Posted on November 29, 2004December 30, 2021 by admini

For the purpose of this article, they define the EPS that can be accommodated by an SEM tool more precisely as the number of security-related events a product can receive, normalize, analyze/correlate, and display or act on in the form of results within an acceptable time frame.

This direct or indirect allusion to EPS is intended to impress the prospective buyer with the performance capabilities of the product, and, beyond that, to help buyers make informed decisions that will ultimately lead to satisfaction with their purchase. For example, a very simple part of a security policy, and one that is used by most large organizations may entail logging all successful and unsuccessful login attempts from network devices such as routers, servers, firewalls, switches, etc. So for every one of these devices listed, a log message must be generated and sent to a logging server or SEM product whenever a successful or unsuccessful login attempt is made.

A more complex policy would include the information from the simple example above and in addition, might include logging Network Address Translation (NAT) entries on firewalls and routers.

Any user traversing a firewall or router with NAT logging turned on would generate a log message for each packet/session that traverses these devices.

This policy would generate significantly more events per second, and, if the information were used correctly, would also provide an additional level of information for event correlation and detection of security threats.

In either case, as soon as each of the security devices is successfully generating the correct number of log events to reflect the policy, you are ready to determine the total EPS generated by your network.

The SEM device collects this data and normalizes the signature part of this message (“Inbound TCP Denied) into a format that is independent of the vendor originating the message. If the SEM tool is not scalable (i.e., an incremental rise in frequency and total accumulated data will slow analysis), then it probably does not satisfy the requirements: a serious network event may lag significantly behind the SEM tool’s ability to analyze the problem and convey the results to the user in a meaningful amount of time.

It is fairly easy to use a tool like Nessus in “go-asfast- as-you-can mode” to cause an IDS to produce a lot of output.

Some SEM tools have the ability to suppress data from these “noisy” devices (and to then output a message like “1500 bad messages detected from IDS ….).”.

Although this is a worthwhile feature, the heuristics used to determine whether or not to deploy it need to be intelligent enough to determine when a device is genuinely noisy and when a hacker is just trying to DOS (Denial of Service) the SEM tool by flooding it with IDS messages or causing it to ignore IDS messages in order to mask malicious network activity.

The frequency of security event messages is an important factor when evaluating SEM products, not only because of your own performance expectations under normal circumstances, but also because of the potential for security messages to be maliciously generated as part of an external attack for the explicit purpose of exceeding the SEM vendor’s abilities to handle them.

If a SEM tool advertises it can handle 40,000 EPS, then the SEM vendor should provide the ability to deploy 10 SEM devices throughout the network to distribute the workload, correlating events on each device and also across devices.

Scalability is a complex topic that requires in-depth discussion that is beyond the scope of this article.

EPS is to security what miles per hour is to a sports car. EPS is an easy concept to grasp since, in the context of SEM devices, it’s just a number used to quantify the results that can be produced by a complex real-time correlation process. Networks and their security devices generate a certain number of events per second.

In order to assure a satisfying customer experience with an SEM product, it is essential to match the EPS generated by your network with the EPS that can be correlated by your SEM purchase.

The bottom line is that SEM products with higher EPS numbers at each of the relevant transition points (reception, normalization, correlation, and display) are more likely to meet the expectations and performance requirements of most networks.

The information in this article has been written for the purpose of educating the SEM tool buyer about the decision-making process that a well-informed buyer uses when evaluating SEM tools.

These questions should be asked with respect to a configuration where one SEM tool is used, then applied to a distributed configuration where numerous SEM tools are used together to handle correlation requirements beyond the capability of one SEM tool.

How many EPS are generated by the security devices on my network?

What is the EPS of SEM tool I am considering?

What was the duration of EPS testing?

http://www.scmagazine.com/features/index.cfm?fuseaction=FeatureDetails&newsUID=7a042281-34b1-446a-9148-f58e05bd11ba&newsType=Features

Growing demand for command-control services

Posted on November 28, 2004December 30, 2021 by admini

“We’re seeing something equally as important as threat mitigation, and that’s command and control,” said Phebe Waterfield, an analyst for the Boston-based research firm.

Companies are being held accountable for their security, and with accountability comes the need for a more mature process.” Waterfield reached that conclusion after talking to representatives from 606 enterprises about their security budgets over the past year.

She said a variety of people were interviewed, including chief financial officers and chief security officers. “The respondents all had input into how their company’s security dollars are spent,” she said.

While threat mitigation has been the chief concern of enterprises in recent years, Waterfield said the trend is shifting in favor of command and control companies.

The study predicts the global security market will generate $12.9 billion in revenue for 2004.

“The threat mitigation segments are perimeter firewalls, network integrity systems, application gateways and system integrity software,” Waterfield said.

Command and control, solutions for managing network security, representing 40% of the security market with an estimated $5.2 billion in revenue for 2004. “Command and control includes identity management, security event management, vulnerability assessments and patching, and intrusion detection audits,” Waterfield said. While threat mitigation services have generated more revenue and a larger market share this year, Waterfield said command and control services have shown the most growth and the feedback she received indicates the trend will continue.

Managed security services, the use of external expertise in operating and improving the performance of security processes. This component includes augmenting in-house operational staff, enhancing security response, reducing operational expenses and improving the security process and strategy,” Waterfield said.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1028712,00.html

Got Spyware? Integrated Approach Is Key

Posted on November 26, 2004December 30, 2021 by admini

TippingPoint Technologies launched spyware protection for its UnityOne intrusion- prevention systems. Earlier in the month, Check Point Software Technologies unveiled similar antispyware capabilities for its VPN-1 device.

And solution providers say they’re seeing the need for perimeter security devices that protect against spyware as well as other threats go through the roof.

Today, vendors such as Secure Computing and Internet Security Systems, which have incorporated firewall, VPN and antivirus capability into one box for years, are now adding new capabilities to fight adware, keystroke loggers and other forms of malware.

“As a network administrator, you don’t want this conga line of boxes that you have to manage,” said Richard Hanke, vice president of product management at Fortinet, the Sunnyvale, Calif., company credited with inventing the integrated security appliance.

Across the industry, spyware has risen steadily since January—a recent study co-sponsored by America Online and the National Cyber Security Alliance indicated that eight out of 10 computers are infected by some form of spyware. Then came innovation in the form of point solutions. Earlier this month, Computer Associates International and McAfee each released spyware-specific solutions for enterprises and consumers.

While Fortinet is relatively new to the antispyware movement, fellow Silicon Valley vendor BlueCoat has been incorporating spyware protection in its ProxyAV device for years.

http://www.crn.com/showArticle.jhtml;jsessionid=DWELBERQ4QWKYQSNDBCSKHSCJUMEKJVN?articleID=54200212

Virus names could be standardized

Posted on November 25, 2004December 30, 2021 by admini

The letter, signed by representatives of the DHS, Symantec, Microsoft, McAfee, and Trend Micro, said the industry hopes to address “the challenges surrounding the ‘Virus Name Game’,” with a pilot program coming as early as January.

At first, Common Malware Enumeration (CME) will be confined to “major” threats. Names are often derived from the filenames, the content of the email the worm attaches itself to, or plaintext found inside the code.

http://www.cbronline.com/article_news.asp?guid=11D11704-DE5B-45BD-AF4B-45D8F44E055C

Companies dig deep for ethics compliance

Posted on November 24, 2004December 30, 2021 by admini

Over the next two years, more than half of U.S. and European multinational companies expect to boost their spending on compliance by 23 percent, according to a new survey of business executives by management consultant PricewaterhouseCoopers.

Nearly all respondents said they plan to make improvements to their company’s compliance efforts, with the average expenditure rising 9.9 percent.

But 44 percent of senior executives said their companies do not have a clear view of its total compliance spending.

Even at companies that do say they have a clear view, executives likely aren’t accounting for other costs, such as those for remediation, penalties, fines, lost revenue and lost management time.

Thirty-two percent of executives described their compliance programs as “very efficient,” while 59 percent rated their programs as “somewhat inefficient.”

The Sarbanes-Oxley Act, passed in 2002, is designed to prevent financial malpractice and accounting scandals. A key provision of the law, Section 404, which took effect Nov. 15, requires publicly traded companies to put in place controls over the flow of financial information.

“Companies are spending significant sums of money–even more than they realize–in order to improve compliance effectiveness and efficiency, but executives are finding that they are not receiving the return on investment they expected,” Dan DiFilippo, head of governance and compliance issues at PricewaterhouseCoopers, said in a statement. “The risks are just too great for companies to operate with ineffective compliance programs.”

External requirements and regulations account for 74 percent of total compliance costs, according to the survey.

U.S. multinationals spend a higher percentage on external requirements than their European counterparts, while European companies spend a higher percentage on compliance with internal guidelines, including ethics rules, codes of conduct and risk management rules. In the United States, compliance with Sarbanes-Oxley regulations accounts for 54 percent of total compliance spending. In Europe, that figure is 12 percent.

http://news.com.com/Companies+dig+deep+for+ethics+compliance/2100-1014_3-5465982.html?part=rss&tag=5465982&subj=news.1014.5

Security ‘biggest threat’: Microsoft’s Vamos

Posted on November 24, 2004December 30, 2021 by admini

Steve Vamos told attendees at an Australian Information Industry Association event in Adelaide yesterday the security issue was “essentially …

Vamos’ blunt comments come as Microsoft struggles to deal with a raft of flaws uncovered in its flagship Web browser, Internet Explorer (IE), attempts by malicious code writers to disrupt its monthly patching cycle and security researchers’ preparedness to disclose vulnerabilities to all community members at the same time rather than give the vendor some lead time to devise a fix before going public. The Microsoft Australia boss also launched an assault on the software heavyweight’s other bugbear of the moment, competition from Linux and open source solutions.

The use of open source software by government agencies was very much at the forefront of the recent federal election campaign, with all major political parties detailing publicly their policy stance on the issue. The federal government in late August released a guide saying it was preparing a range of tools to help agencies evaluate emerging open source solutions against more familiar proprietary software “on an informed basis”.

“…my view is very straightforward…that whatever alternatives our customers have, be they open source or not, if they are better value for money and better fit for purpose than what Microsoft have, then we’ve got a problem.” Vamos said he viewed the shift to the use of software as a service as “a much bigger movement” than the open source community. The Microsoft boss also said in the corporate arena, rather than just having the chief information officer pushing the IT agenda in the top team, every member of that team had to sign up to it.

http://www.zdnet.com.au/news/security/0,2000061744,39167795,00.htm