Event Monitoring

Detecting Errata Security's Port 22 Internet-Wide Scan

by Ron Gula on September 18, 2013

The security researchers at Errata Security performed an Internet-wide port 22 scan to gather SSH daemon banner information. The scan happened on September 12th, using a tool named masscan. If you run a SIM, a network IDS or any other type of passive network monitoring, this is an easy and safe "known" event against which to check that your monitoring is configured correctly: one external source touching TCP port 22 on every address you own, within a short window, should be visible in your logs and alerts. It is the proverbial "shooting fish in a barrel" example where you can show that your network security monitoring is in fact working.
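As an added example (not code from the original post or from Tenable), the following script shows the detection rule that turns such a scan into a "known" you can test against: one source address reaching TCP/22 on many distinct destinations inside a short window. The iptables-style log format, every address and every timestamp below are constructed for this example; a real rule would read the same fields from your firewall or IDS feed.

```python
"""Flag horizontal port-22 scans in firewall logs.

Added example, not from the original post or from Tenable. The log
format and all addresses/timestamps are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style log lines (not real traffic). 203.0.113.7 sweeps
# port 22 across seven hosts in two seconds; 192.0.2.5 is an admin hitting one
# host repeatedly; 203.0.113.9 sweeps port 80; 203.0.113.20 is a slow sweep.
SAMPLE_LOG = """\
Sep 12 03:10:00 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.5 DST=198.51.100.10 PROTO=TCP SPT=50001 DPT=22
Sep 12 03:12:30 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.5 DST=198.51.100.10 PROTO=TCP SPT=50002 DPT=22
Sep 12 03:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=61000 DPT=22
Sep 12 03:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=61000 DPT=22
Sep 12 03:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=61000 DPT=22
Sep 12 03:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.13 PROTO=TCP SPT=61000 DPT=22
Sep 12 03:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.14 PROTO=TCP SPT=61000 DPT=22
Sep 12 03:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.15 PROTO=TCP SPT=61000 DPT=22
Sep 12 03:14:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.16 PROTO=TCP SPT=61000 DPT=22
Sep 12 03:14:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=61000 DPT=443
Sep 12 03:18:45 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.5 DST=198.51.100.10 PROTO=TCP SPT=50003 DPT=22
Sep 12 03:20:00 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=80
Sep 12 03:20:00 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.11 PROTO=TCP SPT=40000 DPT=80
Sep 12 03:20:00 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.12 PROTO=TCP SPT=40000 DPT=80
Sep 12 03:20:01 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.13 PROTO=TCP SPT=40000 DPT=80
Sep 12 03:20:01 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.14 PROTO=TCP SPT=40000 DPT=80
Sep 12 03:30:00 fw kernel: DROP IN=eth0 SRC=203.0.113.20 DST=198.51.100.10 PROTO=TCP SPT=33000 DPT=22
Sep 12 03:32:00 fw kernel: DROP IN=eth0 SRC=203.0.113.20 DST=198.51.100.11 PROTO=TCP SPT=33000 DPT=22
Sep 12 03:34:00 fw kernel: DROP IN=eth0 SRC=203.0.113.20 DST=198.51.100.12 PROTO=TCP SPT=33000 DPT=22
Sep 12 03:36:00 fw kernel: DROP IN=eth0 SRC=203.0.113.20 DST=198.51.100.13 PROTO=TCP SPT=33000 DPT=22
Sep 12 03:38:00 fw kernel: DROP IN=eth0 SRC=203.0.113.20 DST=198.51.100.14 PROTO=TCP SPT=33000 DPT=22
Sep 12 03:40:00 fw kernel: DROP IN=eth0 SRC=203.0.113.20 DST=198.51.100.15 PROTO=TCP SPT=33000 DPT=22
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \w+ IN=\S+ "
    r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=\d+ DPT=(\d+)"
)


def parse(lines):
    """Yield (timestamp, src, dst, dport) for every TCP line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))


def find_scanners(lines, port=22, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: peak distinct destinations} for sources that reach `port`
    on at least `min_targets` distinct hosts within any `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if dport == port:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        counts = defaultdict(int)  # distinct destinations inside the window
        start, peak = 0, 0
        for end, (ts, dst) in enumerate(events):
            counts[dst] += 1
            while ts - events[start][0] > window:  # slide the window forward
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= min_targets:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"port-22 sweep from {src}: {n} distinct hosts in 60s")
```

With the defaults only 203.0.113.7 is reported: the admin touches a single host, the port-80 sweep is outside the rule's port, and the slow sweep from 203.0.113.20 never reaches five distinct hosts inside any 60-second window. Widening `window` to fifteen minutes catches the slow sweep too, which is the usual trade-off when tuning this rule: a short window keeps false positives low but lets a throttled scanner through.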

Log Correlation Engine 4.2 Released

by Jack Daniel on May 29, 2013

Tenable has released the Log Correlation Engine, version 4.2. This major release provides several significant new features and enhancements, including:

Automatic Asset Discovery
Assets are detected and identified through inspection of log files. Logs from systems including DNS and DHCP servers, firewalls, and web filters will include information on all devices actively communicating on the network. LCE 4.2 uses this information to deliver complete asset discovery.

User Account Enumeration
User accounts are continuously discovered through log analysis and are identified for audit and reporting...
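As an added example of what log-driven asset discovery looks like in practice (this is not LCE's code, and the log lines, addresses, MACs and hostnames are constructed), the script below builds an inventory from ISC dhcpd-style DHCPACK lines and BIND-style query-log lines. The point it illustrates beyond the announcement: a host that appears in DNS traffic but never takes a lease is either statically addressed or something DHCP does not know about, and that difference is exactly what an inventory built from logs can surface.

```python
"""Build an asset inventory from DHCP and DNS server logs.

Added example, not from Tenable or LCE. Log formats, addresses, MACs and
hostnames are constructed; the syslog year is assumed to be 2013 because
syslog timestamps carry no year.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Sep 12 08:00:01 dhcp dhcpd: DHCPACK on 10.0.0.21 to 00:11:22:33:44:55 (laptop-alice) via eth0
12-Sep-2013 08:00:05.123 client 10.0.0.21#51234: query: intranet.example.com IN A + (10.0.0.2)
Sep 12 08:00:09 dhcp dhcpd: DHCPACK on 10.0.0.22 to 66:77:88:99:aa:bb (printer-2f) via eth0
12-Sep-2013 08:01:10.456 client 10.0.0.99#40321: query: updates.example.net IN A + (10.0.0.2)
12-Sep-2013 09:15:00.001 client 10.0.0.22#53311: query: cups.example.com IN A + (10.0.0.2)
Sep 12 12:30:00 dhcp dhcpd: DHCPACK on 10.0.0.21 to cc:dd:ee:ff:00:11 (tablet-bob) via eth0
"""

DHCPACK_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \(([^)]+)\))?"
)
DNS_RE = re.compile(
    r"^(\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d+ client (\S+)#\d+: query: (\S+) IN"
)


def _touch(assets, ip, ts, source):
    """Create or update the asset record for `ip` and return it."""
    a = assets.setdefault(ip, {"mac": None, "hostnames": set(), "sources": set(),
                               "first_seen": ts, "last_seen": ts})
    a["first_seen"] = min(a["first_seen"], ts)
    a["last_seen"] = max(a["last_seen"], ts)
    a["sources"].add(source)
    return a


def build_inventory(lines, syslog_year=2013):
    """Return {ip: asset record} derived from DHCPACK and DNS query lines."""
    assets = {}
    for line in lines:
        m = DHCPACK_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=syslog_year)
            a = _touch(assets, m.group(2), ts, "dhcp")
            a["mac"] = m.group(3)  # latest lease wins; the IP may be reassigned
            if m.group(4):
                a["hostnames"].add(m.group(4))
            continue
        m = DNS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
            _touch(assets, m.group(2), ts, "dns")
    return assets


def unleased_hosts(assets):
    """IPs that generated traffic but never took a DHCP lease (static or rogue)."""
    return sorted(ip for ip, a in assets.items() if "dhcp" not in a["sources"])


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG.splitlines())
    for ip, a in sorted(inv.items()):
        print(ip, a["mac"], sorted(a["hostnames"]), sorted(a["sources"]))
    print("no lease:", unleased_hosts(inv))
```

Keying the inventory by IP is the simplest choice and matches how DNS and firewall logs identify hosts, but it means a reassigned lease (10.0.0.21 above moves from laptop-alice to tablet-bob) overwrites the MAC. For an inventory that must track devices rather than addresses, key on the MAC from the DHCP log and keep the IP as a time-bounded attribute.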

Recap: Geeking Out II with Marcus

by Marcus J. Ranum on April 15, 2013

Ron and I spent most of the webcast rotating around the theme of detection algorithms: how do you determine what is normal and what is not? We started off with one of my favorite questions, "Are there only two algorithms? Statistics - of some sort - or matching?" I think that, by the time we were done, the two approaches had withstood the argument. We also dug into some of the issues in designing large-scale log analysis systems, and how to tier architectures, do your filtering at the edges of the network, and where to maintain copies of the actual logs themselves. On the algorithms side, we...

New "Geeking Out" Interview Series

by Marcus J. Ranum on March 19, 2013

In case you didn't know, I have been hosting a series of "Geeking Out..." interviews, with a couple of my friends in the industry. What I want to do with the series is conduct focused interviews with practitioners who are out there dealing with the tough problems in our field; I'll ask them what works and what doesn't and why, and we'll all get a chance to learn and have an interesting conversation. The series is being done as a webinar and audio will be available after the webinar. Since it's a webinar, there's an opportunity for listeners to ask questions. We'll almost certainly never be...

Information Sharing: Learn From Past Mistakes

by Marcus J. Ranum on March 7, 2013

I've been asked repeatedly for my opinion about the APT1 report, and every time I try to respond I find myself waffling. The reason is simple: I think the report is a good thing, a sign of deep dysfunction in security, a stimulant to information sharing, an indicator of failed foreign policy, a brilliant marketing maneuver and a bit of business as usual. It's hard to pull those together into a simple, "yes, it's a good thing!" answer. If nothing else, it's going to serve as a stimulant for worthwhile discussion for at least the next 5 years. One possibility is that it will be the only such...

Active and Passive Mandiant APT1 Detection

by Ron Gula on February 20, 2013

The Mandiant APT1 report contains a tremendous amount of detail about attacker techniques, indicators of compromise, and possible adversaries. Most interesting was the large amount of technical detail provided about the indicators of compromise – domain names, SSL certificates, file hashes, and more. Tenable's research team leveraged this information into a wide variety of reporting and detection tools which are now available in Nessus and SecurityCenter.

Monitoring the Life of a Java Zero-Day Exploit with Tenable USM

by Randal T. Rioux on October 25, 2012

Not too long ago, CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) was issued for a flaw discovered in Oracle Java (JDK and JRE 7 Update 6 and before, as well as 6 Update 34 and before). This is a client-side vulnerability, which requires a user to initiate activity (such as visiting a page that loads a malicious applet) to be exploited. I will avoid dissecting the flaw in detail, as this information is widely available on the Web (a particularly good write-up is here). Keep in mind that Java is platform independent, and so is this exploit. The example here uses Internet Explorer on Windows 7 (with Java SE 7u3). However, Linux and OS X users shouldn't feel excluded on this one! With Tenable's Unified Security Monitoring (USM) platform, comprised of SecurityCenter (SC), the Passive Vulnerability Scanner (PVS), and the Log Correlation Engine (LCE), we can track this exploit from start to finish.

Uncovering SSL Anomalies In Your Network Using SecurityCenter

by Paul Asadoorian on October 23, 2012

Looking in More than One Place

Nessus, PVS, and LCE offer several methods for auditing SSL protocol usage on your network(s). SSL is commonly used to secure websites, but also protects email, file sharing, and many other services. This post lists some generic SSL capabilities found in all Tenable products, and shows how you can combine them to generate useful reports and dashboards. On the vulnerability identification side, Nessus uncovers many issues with SSL certificates, such as expired certificates, self-signed certificates, and much more (see the screenshot below for more examples). SSL implementations shipped with appliances often use self-signed certificates, and rely on the administrator to install a certificate signed by a trusted CA. Without a properly signed certificate, clients have no way to tell the appliance apart from an impostor, so man-in-the-middle attacks become considerably easier. If you're an e-commerce shop, improper SSL implementations will also cause you to become non-compliant with PCI DSS standards.

A sample of Nessus plugins associated with identifying problems with SSL certificates.

Tenable Releases SecurityCenter Continuous View

by Dale Gardner on August 9, 2012

Today, Tenable announced the availability of a new edition of SecurityCenter, called Continuous View. This edition of SecurityCenter encompasses both scanning and monitoring, with the inclusion of Tenable's Passive Vulnerability Scanner (PVS). That makes SecurityCenter Continuous View uniquely capable of addressing vulnerability, configuration, and compliance management requirements for emerging technologies like mobile devices, cloud-based services, social applications, and virtual systems. The flexible licensing approach provided by SecurityCenter Continuous View allows enterprise customers to deploy PVS in much the same way as they do with Nessus within SecurityCenter: as many instances as needed. Existing SecurityCenter customers can upgrade to a Continuous View license and begin to enjoy the benefits of continuous monitoring with PVS. These include:

Real-time identification of server and client vulnerabilities
Identification of mobile devices and their vulnerabilities
Passive discovery of all internal and external web servers and databases
Identification of trust and communication paths
Passive monitoring of virtual environments

Log Correlation Engine Version 4 Now Available

by Dale Gardner on June 27, 2012

One of the more vexing challenges security practitioners and managers face is determining, quickly and accurately, which of the myriad events, alerts, and warnings they receive on a continuous basis are most deserving of their attention. Tenable's Unified Security Monitoring (USM) solution addresses that challenge by integrating active and passive vulnerability management with SIEM capabilities, providing a contextualized and prioritized view of events and activity. USM helps users quickly focus their attention and energies on the most pressing security issues, as well as...