Tag Archives: SIEM

Post-SIEM black boxes

Recently, I examined some automated Post-SIEM products, described with a lot of buzz words: UEBA, threat intelligence, machine learning, etc. I would like to share my opinion about all this, from the vendor, and from the consumer side.

What’s bad with traditional SIEMs?

Some information security experts¬†[1,2,3] say, that SIEMs are very expansive and they don’t do their job properly. Traditional SIEMs usually unable to process huge amounts of mostly unnecessary logs and produce tonnes of false alarms. I’m not an expert in SIEM, but it seems to be true. Log data is useless when you just store it. And when you try to search something in it, you need to understand what exactly you are looking for and what threats are critical for your organization.

SIEM correlation features make this task much easier. But who will write the rules of this correlation? Even top SIEM vendors openly say that the most of out-of-the-box correlation rules are useless, can only be used as examples and users should develop their own rules. Of course, there are also some content and use case libraries: paid ones or free as SOC Prime Use Case Library. But in any case, the effective use of SIEM is a complex process.

Give me “real threats”

As a reaction on this, some vendors and security startups developed an easy way: solutions, that will detect only the “real threats”. Thats sounds great. Some wise application tells you what is going on in your network correlating various sources of security data, and you just work with this issues. Awesome! But how does this really work?

Continue reading

QSC16: from Vulnerability Management to IT Visibility

I want to share my impressions of QSC16 conference, where recently I had pleasure to attend. This yearly conference is held in Munich for ten years already. I was there before only one time, in 2012. It made a great impression and this year was no worse.

My photo QSC16

First of all, I should write some words about the conference itself. QSC is an acronym for Qualys Security Conference. It is clear from the name that it is fully dedicated to Qualys products.

Who might be interested in such event?

Mainly, of course, current and potential users of Qualys products, partners, competitors (from own experience, they are not welcomed there ;-)) and, I think it is the smallest group, analysts of Vulnerability Management market and Vulnerability Assessment geeks, like me. For people, who are sincerely interested in VM market changes, road show of the global VM vendor with the biggest market share (is it right, Gartner?) is a precious information source. Here you can learn about real experiences in the use of Qualys products and hear about the company’s future plans.

BTW, if you are one of those, and we do not know each other, we should definitely have a talk. ūüėČ

QSC Agenda

Why is this event important? Despite existing skepticism about mono-vendor conferences and roadshows, QSC is one of the few events in Europe dedicated to the VM, in the broad sense of the term, almost exclusively. All discussions are, of course, in the context of Qualys solutions and you won’t hear any real critics of the vendor, however questions raised there are relevant for the entire VM market.

Continue reading

Export anything to Splunk with HTTP Event Collector

In a previous post I described how to export Nessus scan reports to Splunk server using standard app. Today let’s see how to export any structured data presented in JSON, including of course Nessus scan reports, to Splunk using HTTP Event Collector.

http event collector Splunk

First of all, we should create new HTTP Event Collector

http://your_splunk_host:8000/en-US/manager/launcher/http-eventcollector

And press “New Token” button

Continue reading

Exporting Nessus scan results to Splunk

In this first post I want to write about Splunk and Nessus integration via official ‚ÄúSplunk Add-on for Tenable‚ÄĚ: how to install this application, its pros and cons.

Splunk official addon for Nessus

You can download Splunk application package for Tenable Nessus and SecurityCenter from official website here (free registration is required). All documentation is available here.

Continue reading

PHDays VI: The Standoff

A week ago I was at PHDays (Positive Hack Days) 2016 conference. For those who don’t know, there are two main events for security practitioners in Russia: PHDays in May and ZeroNights in November. Day-Night. Like this play on words. =)

phdays_logo

So, it was my 6th PHDays. I visited them all. But on this one for a first time I was as an ordinary visitor and not from organizers side. To be honest, I have never participated in organizing of PHDays, and just seen the final result. So, nothing changed much for me. As usual, organization was at very high level. And it’s not just my opinion, but the opinion of many participants.

Sad things first. And they are likely sad only for me. You know my passion to vulnerability assessment/management systems and scanners. So, despite the fact that Positive Technologies are the organizers of this event and Maxpatrol is still their’s flagman product, it was hard to hear anything related to vulnerability assessment/risk assessment/threat intelligence on PHDays. Isn’t it strange? Could you imagine this at Qualys QSC or Tenable event? Nothing much about critical controls and IT compliance in general.

It’s clear that vulnerability assessment is not already in trends in Russia. All are crazy about SIEM and slightly less about Anti-APT and SCADA security. Sad, but true.

Anyway, I have seen many interesting presentations about honeypots, computer forensics, machine learning and security startups. I also visited a SIEM roundtable with representatives of Positive Technologies, First Russian SIEM (RuSIEM), ArcSight, IBM Qradar, Splunk, and Cisco Systems. More details under the cut.

Continue reading