Sunday, 28 July 2013

Splunk App for SQL Injection

A SQL Injection Search app that you can download from Splunkbase.
Install the app and provide either of the two form search dashboards with the name of your sourcetype representing your web logs (e.g., access_combined) and the name of the field in that sourcetype that holds the URI query string (e.g., uri_query). One form search uses patterns to detect whether possible SQL injection attacks have happened; the other uses a statistical profile of the URI query string field's average length to find outliers. See below for an example screen output. I provide a sample log file in the logs directory for you to try out before you try it with your own data: simply enable the input in inputs.conf and restart Splunk.
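The two checks the dashboards apply, as an added example in Python rather than Splunk search language (this is not the app's own code): a signature match on the URL-decoded uri_query, and a length outlier test against the average query-string length. The access_combined lines, the field regex and the pattern list are all constructed for this illustration.

```python
import re
from statistics import mean, pstdev
from urllib.parse import unquote_plus

# Constructed access_combined-style lines (not the app's sample log file).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jul/2013:10:01:02 +0000] "GET /item?id=42 HTTP/1.1" 200 512',
    '10.0.0.6 - - [28/Jul/2013:10:01:05 +0000] "GET /item?id=43&sort=asc HTTP/1.1" 200 498',
    '10.0.0.7 - - [28/Jul/2013:10:01:09 +0000] "GET /item?id=44 HTTP/1.1" 200 510',
    '10.0.0.8 - - [28/Jul/2013:10:01:12 +0000] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 77',
    '10.0.0.9 - - [28/Jul/2013:10:01:15 +0000] "GET /item?id=45 HTTP/1.1" 200 511',
    '10.0.0.9 - - [28/Jul/2013:10:01:20 +0000] "GET /item?id=' + 'A' * 100 + ' HTTP/1.1" 404 90',
]

# Pulls the uri_query field (text after '?') out of the request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S*?)(?:\?(?P<uri_query>\S*))? HTTP/')

# Signatures are applied after URL-decoding; matching the raw text would miss %27-encoded quotes.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"['\"]\s*(or|and)\b",             # quote breakout followed by a boolean operator
    r"\bunion\s+(all\s+)?select\b",    # UNION-based statement
    r"\b(select|insert|update|delete|drop)\b.*\b(from|into|table|where)\b",
    r"--|/\*",                         # comment sequences used to truncate a query
)]

def extract_uri_query(line):
    """Return the raw uri_query field of an access_combined line ('' if absent)."""
    m = REQUEST_RE.search(line)
    return (m.group("uri_query") or "") if m else ""

def pattern_hits(uri_query):
    """Indexes of SQLI_PATTERNS that match the decoded query string."""
    decoded = unquote_plus(uri_query)
    return [i for i, p in enumerate(SQLI_PATTERNS) if p.search(decoded)]

def length_outliers(queries, k=2.0):
    """Indexes whose query length exceeds average + k * stdev across the log."""
    lengths = [len(q) for q in queries]
    threshold = mean(lengths) + k * pstdev(lengths)
    return [i for i, n in enumerate(lengths) if n > threshold]

def scan(lines):
    """Run both dashboards' logic; keys are line indexes into `lines`."""
    queries = [extract_uri_query(l) for l in lines]
    return {"pattern": {i: pattern_hits(q) for i, q in enumerate(queries) if pattern_hits(q)},
            "outlier": length_outliers(queries)}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Note that the two checks flag different lines: the encoded quote-breakout is caught only by the signature, and the over-long parameter only by the length statistic.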

SPLUNK + HADOOP = Security

Splunk recently announced the beta release of Hunk: Splunk Analytics for Hadoop.  As a security practitioner, this new product has some exciting implications.
For some time, security practitioners have desired to store large volumes of data, in case it would ever be needed for incident response, (anti-) fraud investigations or other uses. In an ideal world, you’d have six months to a year’s worth of data stored for investigations, however the realities of SAN costs only make it realistic to have maybe 30 days worth of data stored.
With the arrival of Hadoop several years ago, there was finally a cost-effective option for storing large volumes of data on commodity hardware. The only issue is that Hadoop is primarily a storage solution, not an analytics solution. While Hadoop components can perform analytics operations in batch mode, those components are difficult to use.
The beta release of Hunk spans this chasm. Hunk creates and manages virtual indexes for Hadoop providing interactive data analysis. In other words, security practitioners can now have their “cake” and “eat” it too. Organizations can finally store large volumes of sensor log data in a cost effective manner and still be able to analyze that data easily.
Being able to combine security analytics with operational analytics is increasingly important for security reasons. The reality of information security today is that security-relevant data is found not only in security product logs (e.g., firewalls, IDS / IPS, anti-malware, etc.) but also in operational IT system logs (e.g., routers, load balancers, applications, etc.).
Looking forward, being able to combine these data sources to identify security-relevant data will only become more important as the Internet of Things increasingly pervades our lives and organizations. The need to store and analyze ever increasing amounts of data in near real time is quickly moving from a best practice to a requirement. Hunk is helping organizations keep pace with that reality.

Sunday, 14 July 2013

Websense Endpoint v7.7.3.1631 Released.

Products: Data Security; Web Security and Web Filter; Web Security Gateway; Web Security Gateway Anywhere

Websense Endpoint v7.7.3.1631 is now available for download from MyWebsense.com.
Endpoint v7.7.3.1631 is designed for Windows and Mac based platforms.

This version provides more advanced support for the Websense endpoint clients running on Windows 8: Web Endpoint, Remote Filtering Client and Data Endpoint.
Websense endpoint clients built with the Websense Endpoint Package Builder can now monitor the web browser and many Windows storage applications through a new screen defined for the user. This can also be done on a desktop PC.
The version also includes significant improvements for Mac endpoint clients.

General Features:
* The endpoint software can now be installed on the Windows 8 operating system.

Saturday, 13 July 2013

Fox News-themed Malicious Email Campaign

Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, discovered an interesting malicious email campaign using spoofed email addresses from Fox News domains in an attempt to ultimately lure victims to websites hosting the Blackhole Exploit Kit. Should the exploit and compromise be successful, a malicious payload related to the Cridex family appears to be delivered which, as detailed in an earlier Websense Security Labs blog, is typically used to steal banking credentials as well as to exfiltrate personally identifiable information (PII) and other confidential data for criminal gain. These emails, discovered early on the morning of June 27th, featured "breaking news" subjects and mimicked legitimate news content related to the US Military moving into Syria in order to entice the victim to click on the malicious links. The campaign appears to have targeted a variety of industries and countries; as of 1600 PST on June 27th, the Websense ThreatSeeker® Intelligence Cloud had detected and blocked over 60,000 samples.

Malicious Email Sample:

Splunk Conf 2013 Las Vegas

3+ days, 100+ sessions, 1,400+ peers - Continue your #datajourney at .conf2013

Where will your data take you? The first stop on your journey should be .conf2013. Join us September 30-October 3 for three action-packed days of Splunk goodness. The 4th Annual Splunk Worldwide Users' Conference is the best way to deepen your practical knowledge of Splunk, learn best practices and check out new solutions, apps and add-ons. Connect with hundreds of your peers, see how others apply Splunk technology to real-world projects and become more involved in the Splunk community. Together, we'll find ways for our data to show us new approaches, opportunities, and innovations.

The conference features three days of breakout sessions, plus two pre-conference days for Splunk University, aka Splunk hands-on training classes.


Saturday, 6 July 2013

RSA ECAT at Blackhat Las Vegas 2013

The RSA ECAT team will be at the RSA booth at BlackHat USA in Las Vegas this year, with our own pod. We'll have live demos of the newest release of ECAT (stay tuned) and experts on hand to parry your IR and malware analysis questions. This year's event will be hosted as usual at Caesars Palace in Las Vegas, Nevada, July 27 – August 1st, and will offer multi-day training sessions, Briefings tracks with the latest research, and workshop tracks dedicated to practical application and demonstration of tools. More details in our Speaking of Security blog post here: https://blogs.rsa.com/th_event/black-hat-usa-2013/


Indexes Any Data from Any Source

Splunk Enterprise collects and indexes any machine-generated data from virtually any source, format or location in real time. This includes data streaming from packaged and custom applications, app servers, web servers, databases, networks, virtual machines, telecoms equipment, operating systems, sensors and much more.
