Log Analysis

Detecting Snowden - The Insider Threat

by Paul Asadoorian
February 12, 2014

Tenable's scanning, sniffing, and logging products can comprehensively identify a variety of potentially malicious activity, including activity generated by malicious insiders like Edward Snowden. Tenable's SecurityCenter Continuous View solution can further automate the detection of events coming from scanners, intrusion detection systems, malware, compliance violations, and much more.

Detecting Errata Security's Port 22 Internet-Wide Scan

by Ron Gula
September 18, 2013

The security researchers at Errata Security performed an Internet-wide port 22 scan to gather SSH daemon banner information. The scan happened on September 12th with a tool named masscan. If you run a SIM, a network IDS or any type of passive network monitoring, this is a really easy and safe "known" event you can go and look for to see if your monitoring is configured correctly. It is the proverbial “shooting fish in a barrel” example where you can show that your network security monitoring is in fact working.

Prove You’re Watching 100% of your Network

by Ron Gula
June 11, 2013

How hard is it for you to prove that you are performing vulnerability scans, network monitoring and log analysis for 100% of your network? If your organization hasn’t automated this process, or it is relying on periodic manual processes, chances are you are blind in some areas and don’t know it.

Log Correlation Engine 4.2 Released

by Jack Daniel
May 29, 2013

Tenable has released the Log Correlation Engine, version 4.2. This major release provides several significant new features and enhancements, including:

Automatic Asset Discovery

Assets are detected and identified through inspection of log files. Logs from systems including DNS and DHCP servers, firewalls, and web filters will include information on all devices actively communicating on the network. LCE 4.2 uses this information to deliver complete asset discovery.

Is the Passive Vulnerability Scanner an Intrusion Detection System?

by Ron Gula
April 29, 2013

When I was at RSA earlier this year, I gave a variety of media interviews and product demos about Tenable solutions. I demonstrated Nessus detecting malicious processes and the Passive Vulnerability Scanner (PVS) providing an audit trail of all network activity that led up to the infection. I also showed how the Log Correlation Engine (LCE) correlated PVS logged DNS queries to known botnets.

Recap: Geeking Out II with Marcus

by Marcus J. Ranum
April 15, 2013

Ron and I spent most of the webcast rotating around the theme of detection algorithms: how do you determine what is normal and what is not? We started off with one of my favorite questions, "Are there only two algorithms? Statistics - of some sort - or matching?"

New "Geeking Out" Interview Series

by Marcus J. Ranum
March 19, 2013

In case you didn't know, I have been hosting a series of "Geeking Out..." interviews with a couple of my friends in the industry. What I want to do with the series is conduct focused interviews with practitioners who are out there dealing with the tough problems in our field; I'll ask them what works and what doesn't and why, and we'll all get a chance to learn and have an interesting conversation.

#1 Nessus is an Enterprise Tool - Top Ten Things You Didn't Know About Nessus

by Paul Asadoorian
October 18, 2012

The final installment in our "Top Ten Things You Didn't Know About Nessus" video series describes how Nessus is used in the enterprise. Additional products from Tenable, such as SecurityCenter, the Passive Vulnerability Scanner (PVS), and the Log Correlation Engine (LCE), are used to fill the gaps and extend the functionality of your vulnerability management program.

The video covers how you can overcome problems such as:

0-Day Java Vulnerabilities and Dealing with Vulnerable Client Software

by Paul Asadoorian
September 4, 2012

0-day or Not, Clients Are Vulnerable

Whenever there is a new vulnerability in popular software found on users’ desktops, such as Java, Adobe Reader, Adobe Flash, or Mozilla Firefox, the media goes into a frenzy and a lot of articles are published on the topic (often not containing much useful information). The most recent case is a particularly nasty vulnerability affecting Oracle Java, which can be successfully exploited on Windows, OS X, and Linux. While this vulnerability is generating buzz, it’s not all that different from any other popular software in use on users’ desktops that contains a vulnerability. Additionally, there is likely a population of exploits for such software that has yet to be disclosed and is being bought and sold on the black market. In fact, journalist Brian Krebs interviewed the creator of the Blackhole exploit kit who stated, "he was surprised that someone would just leak such a reliable exploit, which he said would fetch at least $100,000 if sold privately in the criminal underground."

Furthermore, it has been known for some time that a Java applet can be used to trick clients into running a malicious payload. Functionality within the Social Engineering Toolkit (SET) allows you to construct a fake website and distribute such a payload. The difference is that the user will have to click "Allow" for this action to occur. While this will decrease the success rate of malware deployment using this method, it will work on Windows, OS X, and Linux.

Log Correlation Engine Version 4 Now Available

by Dale Gardner
June 27, 2012

One of the more vexing challenges security practitioners and managers face is determining – quickly and accurately – which of the myriad of events, alerts, and warnings they receive on a continuous basis is most deserving of their attention. Tenable's Unified Security Monitoring (USM) solution uniquely solves that challenge by integrating active and passive vulnerability management with SIEM capabilities – providing a contextualized and prioritized view of events and activity.