EMC and Network Intelligence

| Posted in LMI and SIEM

Earlier we mentioned that EMC is buying Network Intelligence; well, there are now a bunch of analyst/editor comments out.

EMC and Network Intelligence: What it Means.

In the last few months, Novell bought e-Security and IBM got GuardedNet through its acquisition of Micromuse. Cisco grabbed Protego about a year ago and rumor has it that Oracle is about to buy either NetForensics or Intellitactics. It’s likely that HP, McAfee, and BMC are looking at other leaders like LogLogics as well as network behavior specialists like Mazu and Q1.

Building The New EMC, One Acquisition At A Time

Interesting comments from Dennis Hoffman, vice president of information security at EMC:

Network Intelligence plays in three areas of the security industry, he said. The first is log management, a space where the leader is another company, LogLogic, San Jose, Calif., Hoffman said.

The second is event management, or the real-time processing of data for security purposes. “ArcSight is the leader,” Hoffman said. “There are lots of others in this space, too. Names you’ve never heard of.”

The third is security information management, which includes the reporting and forensic analysis of where security problems occur. Network Intelligence is the leader here, Hoffman said.

On a side note, here’s an article about ArcSight.

Ray Lane buys dinner – Who buys ArcSight?

One of ArcSight’s board members told me the company is hitting close to the $75m revenue number, that’s getting close to the magic $80m to $100m level that could initiate an IPO–except that the IPO market is in the doldrums.

September 21st, 2006 | Jian Zhen | No Comments

EMC rumored to buy Network Intelligence

| Posted in LMI and SIEM

Rumor has it that EMC is buying the SIEM vendor Network Intelligence for between $150 and $175 million. NI’s revenue is said to be around $20 to $25 million. That’s roughly 7x revenue, which is not bad at all.

[Update: Announcement was made today on the NI acquisition by EMC. Interesting how the NI story is hidden inside a much bigger story. Does that indicate what's to come? That NI is going to just be a small piece of the EMC security story? The PR doesn't even mention the price. However, Reuters' piece mentions the $175m figure.]

September 15th, 2006 | Jian Zhen | 1 Comment

Windows events links

| Posted in LMI and SIEM

Some links I’ve collected; nowhere near comprehensive, but they have served me well.

There are plenty of links out there. Can you add to this list?

September 10th, 2006 | Jian Zhen | No Comments

Re: Log integrity handling on central logsystem

There’s a very interesting thread being discussed on the log-analysis list. The topic is “Log integrity handling on central logsystem.”

I think the general consensus is that log signing ALONE is not going to be enough, and that signing just the filtered log is also not enough.

A very interesting read; you should definitely check it out.

I agree with Marcus… log signing [alone] is not going to make or break
a court case — it [alone] might almost be asking for trouble.

As I pointed out later in my earlier response, the big deal is to get
all possible logs, even if they don’t appear relevant to the particular
matter — so you can show the trace, other anomalies (or lack of other
anomalies).
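To make the thread’s point concrete, here is an added example (my own illustration, not code from the log-analysis thread or from any vendor): a forward-secure hash-chained log in Python. The record layout, the key schedule, the seed key and the sample events are all this example’s own assumptions. It shows what sealing entries at collection time does catch (edits, deletions, reordering inside the chain), what it catches only with an independent checkpoint (truncating the tail), and what it cannot catch at all: an event that was filtered out before it was ever sealed verifies perfectly clean, which is exactly why signing only the filtered log is not enough.

```python
"""Added example, not from the log-analysis thread or this blog: a
forward-secure hash-chained log showing what sealing entries at collection
time does and does not guarantee. Record layout, key schedule and the
sample events are this example's own."""
import hashlib
import hmac
import json

# Assumption: the seed key is shared with the verifier out of band and
# erased from the collector once the first entry has been sealed.
SEED_KEY = b"collector-seed-key-example"


def _next_key(key: bytes) -> bytes:
    """One-way key evolution. An attacker who takes the host after entry i
    holds only key[i+1..] and cannot re-MAC entries 0..i."""
    return hashlib.sha256(b"evolve|" + key).digest()


def _body(seq: int, msg: str, prev: bytes) -> bytes:
    return json.dumps({"seq": seq, "msg": msg, "prev": prev.hex()},
                      sort_keys=True).encode()


def seal_log(entries, key: bytes = SEED_KEY):
    """Chain each entry to its predecessor and MAC it under the current key.
    Returns (sealed_records, closing_digest); the closing digest must be
    stored where the logging host cannot reach it (the checkpoint)."""
    sealed, prev = [], bytes(32)
    for seq, msg in enumerate(entries):
        body = _body(seq, msg, prev)
        tag = hmac.new(key, body, hashlib.sha256).digest()
        sealed.append({"seq": seq, "msg": msg, "prev": prev.hex(), "tag": tag.hex()})
        prev = hashlib.sha256(body + tag).digest()
        key = _next_key(key)
    return sealed, prev.hex()


def verify_log(sealed, key: bytes = SEED_KEY, closing_digest=None):
    """Return (ok, reason). Catches edits, deletions, insertions and
    reordering inside the chain; catches tail truncation only when a
    closing digest from an independent checkpoint is supplied."""
    prev = bytes(32)
    for i, rec in enumerate(sealed):
        if rec["seq"] != i or rec["prev"] != prev.hex():
            return False, f"chain break at position {i}"
        body = _body(rec["seq"], rec["msg"], prev)
        tag = bytes.fromhex(rec["tag"])
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, f"bad tag at seq {i}"
        prev = hashlib.sha256(body + tag).digest()
        key = _next_key(key)
    if closing_digest is not None and prev.hex() != closing_digest:
        return False, "tail truncated or closing digest mismatch"
    return True, "ok"


# Constructed sample events (not real log data).
SAMPLE = [
    "sshd: Accepted publickey for ops from 10.0.0.5",
    "sudo: ops : COMMAND=/bin/cat /etc/shadow",
    "cron: (root) CMD (run-parts /etc/cron.hourly)",
    "sshd: Received disconnect from 10.0.0.5",
]


def tamper_cases(events=SAMPLE):
    """Run the verifier against several manipulations; True means the
    manipulated log still verifies, i.e. the scheme did not catch it."""
    sealed, closing = seal_log(events)
    results = {"intact": verify_log(sealed, closing_digest=closing)[0]}
    # 1. Delete the sudo line outright: seq numbers and prev hashes break.
    dropped = [r for r in sealed if "sudo" not in r["msg"]]
    results["deleted_entry"] = verify_log(dropped, closing_digest=closing)[0]
    # 2. Rewrite it in place, keeping seq and prev: the tag no longer matches.
    edited = [dict(r) for r in sealed]
    edited[1]["msg"] = edited[1]["msg"].replace("/etc/shadow", "/etc/motd")
    results["edited_entry"] = verify_log(edited, closing_digest=closing)[0]
    # 3. Cut the tail: invisible without the checkpoint, caught with it.
    results["truncated_no_checkpoint"] = verify_log(sealed[:-1])[0]
    results["truncated_with_checkpoint"] = verify_log(sealed[:-1], closing_digest=closing)[0]
    # 4. Filter before sealing: the sudo line never enters the chain, so the
    #    signed, filtered log verifies cleanly. Nothing here tells you it was
    #    dropped, which is why the full stream has to be sealed.
    filtered, fclosing = seal_log([m for m in events if "sudo" not in m])
    results["filtered_before_sealing"] = verify_log(filtered, closing_digest=fclosing)[0]
    return results
```

The closing digest is the part people forget: without a checkpoint shipped off the box (to a write-once store, a printer, or another log host), an attacker who gains root can simply stop the chain early and the remainder verifies. And none of this says anything about events that were never written in the first place, which is Marcus’s point about collecting everything.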

September 1st, 2006 | Jian Zhen | 2 Comments

LogLogic Open Sources Project Lasso

| Posted in LMI and SIEM

[Ok, full disclosure, I work for LogLogic, so feel free to junk this if you consider all vendor speak spam :) ]

A quick bit of news: LogLogic today open sourced (GPL) Project Lasso, a centralized Windows event collector. The original code base came from SNARE, but because the collection mechanism is now quite different, only about 20-25% of the SNARE code is left in it. Most of the shared code is around message expansion. In fact, Lasso messages will appear to users exactly the same as SNARE messages, so if you already have a parser that handles SNARE messages, it can parse Lasso messages as well.

Lasso is a LogLogic-sponsored and community-supported collector that can
- perform multi-threaded remote event collection from multiple Windows machines
- transport events reliably over TCP syslog (syslog-ng compatible)
- buffer data locally when the network connection is down
- collect custom application event logs

We are trying to get this on sourceforge, but those guys are a bit slow in setting up new projects. So for now, you can download the binary and source from http://loglogic.com/logforge/.

I would love to hear your thoughts and comments. Don’t feel obligated to love it, you can bash it as well if we did something stupid. We are always looking to make it better.
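Since the post’s selling point is that Lasso output is parseable by anything that already understands SNARE, here is an added example (my own, not LogLogic or Project Lasso code) of what such a parser looks like on the receiving syslog host, in Python, followed by a simple failed-logon check run over a constructed batch. The field order is the SNARE agent layout as I understand it and is an assumption of this example; verify it against the documentation of the agent version you actually run. The sample lines, the relay hostname and the `_snare` helper that builds them are constructed test data, not real logs.

```python
"""Added example, not LogLogic or Project Lasso code: parse SNARE-format
Windows event records (which Lasso emits in the same layout) after they
have arrived over syslog, then run a simple failed-logon check over them.
The field order is the SNARE agent layout as this example understands it;
check it against the agent version you run before relying on it."""
import re
from collections import Counter

MARKER = "MSWinEventLog"
# Tab-separated fields that follow the marker. Assumption: the trailing
# MD5 checksum field may be absent depending on agent configuration.
FIELDS = ["criticality", "log_name", "counter", "timestamp", "event_id",
          "source", "user", "sid_type", "event_type", "computer",
          "category", "data", "expanded", "checksum"]

# Optional RFC 3164 header prepended by the relay: <PRI>Mmm dd hh:mm:ss host
SYSLOG_HDR = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?P<relay>\S+)\s")

# Pre-Vista Security log ids (4624/4625 on Vista and later).
LOGON_SUCCESS = 528
LOGON_FAILURE = 529


def parse_snare(line: str):
    """Return a dict for one SNARE record, or None for anything else."""
    m = SYSLOG_HDR.match(line)
    body = line[m.end():] if m else line
    parts = body.rstrip("\r\n").split("\t")
    if MARKER not in parts:
        return None
    idx = parts.index(MARKER)
    values = parts[idx + 1:]
    if len(values) < len(FIELDS) - 1:      # checksum is the only optional field
        return None
    rec = dict(zip(FIELDS, values))        # a missing checksum simply yields no key
    rec["host"] = parts[idx - 1] if idx > 0 else None
    rec["relay"] = m.group("relay") if m else None
    try:
        rec["event_id"] = int(rec["event_id"])
        rec["criticality"] = int(rec["criticality"])
    except ValueError:
        return None
    return rec


def failed_logon_bursts(records, threshold: int = 3):
    """Accounts with at least `threshold` event 529 records in the batch."""
    failures = Counter(r["user"] for r in records
                       if r["log_name"] == "Security" and r["event_id"] == LOGON_FAILURE)
    return {user: n for user, n in failures.items() if n >= threshold}


def _snare(host, counter, eid, user, etype, data, cksum=None):
    """Build one constructed SNARE-style record (sample data, not real)."""
    fields = [host, MARKER, "1", "Security", str(counter), "Sun Sep 10 10:23:45 2006",
              str(eid), "Security", user, "User", etype, host, "Logon/Logoff", data, ""]
    if cksum is not None:
        fields.append(cksum)
    return "\t".join(fields)


# Constructed sample input (not real log data): three bad passwords for one
# account, one success, one stray failure, and one non-SNARE syslog line.
SAMPLE_LINES = [
    "<13>Sep 10 10:23:45 RELAY1 " + _snare("HOST1", 1001, LOGON_FAILURE, "jzhen",
                                           "Failure Audit", "Logon Failure: bad password", "0"),
    _snare("HOST1", 1002, LOGON_FAILURE, "jzhen", "Failure Audit", "Logon Failure: bad password", "0"),
    _snare("HOST1", 1003, LOGON_FAILURE, "jzhen", "Failure Audit", "Logon Failure: bad password"),
    _snare("HOST1", 1004, LOGON_SUCCESS, "jzhen", "Success Audit", "Successful Logon", "0"),
    _snare("HOST2", 77, LOGON_FAILURE, "svc_backup", "Failure Audit", "Logon Failure: bad password", "0"),
    "<13>Sep 10 10:23:46 RELAY1 sshd[123]: Accepted publickey for ops from 10.0.0.5",
]


def run(lines=SAMPLE_LINES):
    """Parse a batch of lines and return (records, alerts)."""
    records = [r for r in map(parse_snare, lines) if r is not None]
    return records, failed_logon_bursts(records)
```

Two things worth noting for anyone wiring this up for real: the event IDs above are the Windows 2000/2003 Security log numbering, and the parser deliberately splits on tabs only after locating the `MSWinEventLog` marker, so a syslog relay that rewrites the header (or none at all) does not break field alignment.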

May 1st, 2006 | Jian Zhen | No Comments

Interpreting the Data: Parallel Analysis with Sawzall

| Posted in LMI and SIEM

Someone on the loganalysis mailing list posted a link to a Google Labs paper: Interpreting the Data: Parallel Analysis with Sawzall. It describes a distributed aggregation and filtering method using Google’s Sawzall interpreted language. Very interesting paper; the concept of applying distributed computing resources to do work in parallel is not new. LogLogic [...]

February 20th, 2006 | Jian Zhen | No Comments

Security Log Management

Just picked up this book. Will let you know how it reads.

February 13th, 2006 | Jian Zhen | 1 Comment

DEMO 2006: Podtech interview

| Posted in LMI and SIEM

Another bit of audio from DEMO 2006: an interview by Podtech.

February 11th, 2006 | Jian Zhen | No Comments

DEMO 2006: LogLogic Demo Audio

| Posted in LMI and SIEM

Here’s an MP3 of the LogLogic demo at DEMO 2006, courtesy of TJ’s Weblog. (I trimmed the MP3 to contain just the LogLogic portion; hope that’s ok with TJ.)

February 8th, 2006 | Jian Zhen | No Comments

Cisco CS-MARS Undocumented Root Account Vulnerability

A vulnerability has been reported in Cisco Security Monitoring, Analysis and Response System (CS-MARS), which can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to CS-MARS appliances being shipped with a default password for an undocumented administrative root account that is intended for debugging purposes. This can be [...]

January 12th, 2006 | Jian Zhen | No Comments