Log Analysis

Detecting Snowden - The Insider Threat

by Paul Asadoorian on February 12, 2014

Tenable's scanning, sniffing, and logging products can comprehensively identify a variety of potentially malicious activity, including activity generated by malicious insiders like Edward Snowden. Tenable's SecurityCenter Continuous View solution can further automate the detection of events coming from scanners, intrusion detection systems, malware, compliance violations, and much more.

Detecting Errata Security's Port 22 Internet-Wide Scan

by Ron Gula on September 18, 2013

The security researchers at Errata Security performed an Internet-wide port 22 scan to gather SSH daemon banner information. The scan happened on September 12th, with a tool named masscan. If you run a SIM, a network IDS or any type of passive network monitoring, this is a really easy and safe "known" you can go look for to see whether your monitoring is configured correctly. It is the proverbial "shooting fish in a barrel" example, where you can show that your network security monitoring is in fact working.

Prove You’re Watching 100% of your Network

by Ron Gula on June 11, 2013

How hard is it for you to prove that you are performing vulnerability scans, network monitoring and log analysis for 100% of your network? If your organization hasn’t automated this process, or it is relying on periodic manual processes, chances are you are blind in some areas and don’t know it.

Log Correlation Engine 4.2 Released

by Jack Daniel on May 29, 2013

Tenable has released the Log Correlation Engine, version 4.2. This major release provides several significant new features and enhancements, including:

Automatic Asset Discovery: Assets are detected and identified through inspection of log files. Logs from systems including DNS and DHCP servers, firewalls, and web filters will include information on all devices actively communicating on the network. LCE 4.2 uses this information to deliver complete asset discovery.

User Account Enumeration: User accounts are continuously discovered through log analysis and are identified for audit and reporting...

Is the Passive Vulnerability Scanner an Intrusion Detection System?

by Ron Gula on April 29, 2013

When I was at RSA earlier this year, I gave a variety of media interviews and product demos about Tenable solutions. I demonstrated Nessus detecting malicious processes and the Passive Vulnerability Scanner (PVS) providing an audit trail of all network activity that led up to the infection. I also showed how the Log Correlation Engine (LCE) correlated PVS logged DNS queries to known botnets.

Recap: Geeking Out II with Marcus

by Marcus J. Ranum on April 15, 2013

Ron and I spent most of the webcast rotating around the theme of detection algorithms: how do you determine what is normal and what is not? We started off with one of my favorite questions, "Are there only two algorithms? Statistics - of some sort - or matching?" I think that, by the time we were done, the two approaches had withstood the argument. We also dug into some of the issues in designing large-scale log analysis systems, and how to tier architectures, do your filtering at the edges of the network, and where to maintain copies of the actual logs themselves. On the algorithms side, we...

New "Geeking Out" Interview Series

by Marcus J. Ranum on March 19, 2013

In case you didn't know, I have been hosting a series of "Geeking Out..." interviews, with a couple of my friends in the industry. What I want to do with the series is conduct focused interviews with practitioners who are out there dealing with the tough problems in our field; I'll ask them what works and what doesn't and why, and we'll all get a chance to learn and have an interesting conversation. The series is being done as a webinar and audio will be available after the webinar. Since it's a webinar, there's an opportunity for listeners to ask questions. We'll almost certainly never be...

#1 Nessus is an Enterprise Tool - Top Ten Things You Didn't Know About Nessus

by Paul Asadoorian on October 18, 2012

The final installment in our "Top Ten Things You Didn't Know About Nessus" video series describes how Nessus is used in the enterprise. Additional products from Tenable, such as SecurityCenter, the Passive Vulnerability Scanner (PVS), and the Log Correlation Engine (LCE), are used to fill the gaps and extend the functionality of your vulnerability management program. The video covers how you can overcome problems such as:

Launching scans that will run faster and fit into your maintenance windows and patch management cycles

Allowing different groups within your organization to manage their...

0-Day Java Vulnerabilities and Dealing with Vulnerable Client Software

by Paul Asadoorian on September 4, 2012

0-day or Not, Clients Are Vulnerable

Whenever there is a new vulnerability in popular software found on users' desktops, such as Java, Adobe Reader, Adobe Flash, or Mozilla Firefox, the media goes into a frenzy and a lot of articles are published on the topic (often not containing much useful information). The most recent case is a particularly nasty vulnerability affecting Oracle Java, which can be successfully exploited on Windows, OS X, and Linux. While this vulnerability is generating buzz, it's not all that different from any other popular software in use on users' desktops that contains a vulnerability. Additionally, there is likely a population of exploits for such software that has yet to be disclosed and is being bought and sold on the black market. In fact, journalist Brian Krebs interviewed the creator of the Blackhole exploit kit, who stated that "he was surprised that someone would just leak such a reliable exploit, which he said would fetch at least $100,000 if sold privately in the criminal underground." Furthermore, it has been known for some time that a Java applet can be used to trick clients into running a malicious payload. Functionality within the Social Engineering Toolkit (SET) allows you to construct a fake website and distribute such a payload. The difference is that the user will have to click "Allow" for this action to occur. While this will decrease the success rate of malware deployment using this method, it will work on Windows, OS X, and Linux.