Monday, March 3, 2014

The importance of log management

Deploying a SIEM when you have not proper log management in place, is certain to fail. I have heard this fact always, but I didn't realize it until I became involved in a SIEM evaluation project. The log management infrastructure and its processes is necessary for a successful SIEM deployment.

Sunday, March 2, 2014

SIEM evaluation

During recent months, my focus has been the evaluation of some Security Information and Event Management (SIEM) products. It is interesting and full of new experiences. I create a baseline feature list for the SIEM products, which is derived from multiple products and best practices.
The baseline is comprised of 5 susbsystems:
  • Log management and analysis
  • Event correlation
  • Management console/dashboards
  • Reaction 
  • Knowledge base
For each subsystems, a number of basic features are defined.
I am also preparing to perform the evaluations is a lab environment. As a result, I am setting up a testing environment with my team to provide different logs to the products.
I recommend the contents presented by Dr. Anton Chuvakin as a very useful reference.   

Thursday, May 23, 2013

Microsoft SQL Server security tips

SQL server secyrity is one of my favorite topics. I have seen lots of applications that use the Microsoft SQL server as the database, and suffer from basic security issues regarding the configurations of the database engine. Fortunately I found a series of security tips here at mssqltips.com.  

Monday, April 29, 2013

Think like a hacker, write secure code!

Each program as a target for a security pen tester can be viewed as a new experience. But beyond the special characteristics of each target, I always see the big mistake that causes most of the vulnerabilities discovered:
"The programmers do not think as a hacker". Unfortunately most of the programmers write the code in a way that is suitable for a utopia. In such utopia, no one wants to bypass the guards, everyone is honest and respects the rules...
Perhaps the most important role of a programmer in the security program is to learn the art of thinking like a hacker.

Sunday, April 7, 2013

Windows Forensics (2)

I am collecting the tools and useful information on windows forensics. Thanks to Microsoft and the security community, there are amazing free tools, guideline, blog posts, etc. around the topic.
For the first post, I recommend this:
Use PowerShell to Perform Offline Analysis of Security Logs

Friday, April 5, 2013

Windows forensics (1)

Windows Forensics Toolchest (WFT) is an interesting and easy to use set of forensics tools that are suitable for use in a live windows system. You should prepare the tools for each windows version separately, as well as the common tools such as sysinternals suit.  The native windows tools such as cmd.exe is better to be copied from a trusted source other than the target system. The features set are available here.