7 posts from November 2008

 

Risky Business #89 Podcast - Xen Security, Free Microsoft Anti-Virus and Marcus Ranum's comments about the recent Hack-In-The-Box conference

Episode #89 of Risky Business is now available and features comments from Tenable's CSO, Marcus Ranum. Marcus recently keynoted the Hack In The Box security conference in Malaysia and spoke on many of the common misconceptions about "cyber" warfare. Marcus has also blogged here about many different topics which receive the "cyber" label including:

Also featured in this episode of Risky Business is a discussion of Xen hypervisor security and Microsoft's recent announcement that it will provide free anti-virus software.

 

Policy Compliance Thought Leadership Roundtable

Note: This webinar has occurred and you can hear the recorded session at this link.

Would you like to hear thought leaders from Symantec, Qualys, Tenable and Courion discuss various approaches to policy compliance? If so, please visit the http://whitehatworld.com/ website and register for the live "Policy Compliance Thought Leadership Roundtable" webinar on December 3rd, 2:00 PM EST.

Panel members include:

  • Peter Distefano, Symantec
  • Marcus Ranum, Tenable Network Security
  • Kurt Johnson, Courion
  • Terry Ramos, Qualys

In our one-hour, live panel, we will discuss the pros and cons of vulnerability scanning, configuration auditing, patch auditing, network access control, user provisioning, log analysis, agent based monitoring and how these can be used to effectively monitor and demonstrate compliance.

During the past few months, I've also had the chance to be part of several WhiteHatWorld "Thought Leadership Roundtables" which are now available in their archive section. These include:

These are free one-hour webinars that are vendor neutral and offer some very good insights.

 

Onsite Tenable Training: An Instructor Perspective

Besides the monthly Tenable Enterprise Security Monitoring classes available at our Columbia training center, Tenable offers versions of the same content taught at customer locations. The obvious reason to choose our onsite training offering is that it allows entire teams to be quickly trained on Security Center, Nessus, Passive Vulnerability Scanner or Log Correlation Engine without the inconvenience and cost of sending one or two students at a time to Maryland. But having just returned from an onsite class with one of our large customers, there are other aspects of onsite training that make teaching entire teams (or parts of multiple teams) on their "home turf" an interesting and rewarding experience, both for the students and the instructor.

Although our students are never shy about asking tough questions or sharing war stories about how our products are being used in unique ways, I've found students are much more likely to open up about product features they really like (or don't care for so much!) when they are among their peers. Similarly, we can focus discussions around live product deployments, which results in higher levels of student engagement. Something else I've noticed is that onsite courses often include a more diverse Security Center user base than traditional classes. In Security Center terminology, onsite classes have a greater ratio of "end users" to "primary security managers." In particular, onsite classes often include members of platform teams (UNIX, Windows, Desktop, etc.) in addition to full-time security folks. In one class, the participation of non-security teams was particularly valuable for the customer because it gave those teams a better understanding of the value of credentialed scans. Training can provide a neutral environment for discussing (and sometimes debating) the pros and cons of different approaches to using a given product. For example, whether an organization should implement a centralized or a distributed vulnerability management strategy is a frequent topic of discussion.

Although a certain amount of customization occurs in every class based on student interests or experience, onsite classes take this customization to a higher level. As part of scoping the training engagement, we define which content is critical based on which products the customer is using and the product features being used most commonly -- as well as other factors such as common target operating systems and which compliance standards organizations must adhere to. Our modular curriculum makes it easy to "cut and paste" content to build courses that meet specific customer needs, as well as make changes on the ground. For example, last week we attached an AIX workstation, as commonly deployed in the customer's environment, to the classroom network and conducted patch and configuration audits. This allowed students to see realistic scan results from targets in their own environment within the safety of a training environment.

Anyone who has taught hands-on technical classes on the road knows that "setting up shop" outside the comfort of their home classroom is far from stress-free, but based on the last few onsite classes I've taught, I've found it to be well worth the additional planning and preparation that a successful training experience requires.

For more information on Nessus, Enterprise, and Compliance training contact your sales representative or sales@tenablesecurity.com.

 

Auditing Anti-Virus Configurations and Installations

Previous blogs have described how enterprise customers can use the Nessus Scanner with the Tenable ProfessionalFeed or Security Center to audit anti-virus software. Nessus has many different checks that audit systems to see if the anti-virus engine is installed, running and up to date. We’ve also described how this can be accomplished without adding an additional agent. Lastly, Nessus has many different checks that test for vulnerabilities in the actual anti-virus products themselves.

While this functionality addresses the needs of many of our customers, reporting requirements such as those in the PCI DSS have led to requests for more specific and “official” audits to simply detect if Symantec, McAfee or other common anti-virus software is present. Tenable has recently released several audit policies to look for the presence of common anti-virus products. This blog entry describes the use of these audit policies, how they can be analyzed and how these relate to a variety of compliance requirements.

Configuration Auditing Review

Tenable produces a wide variety of configuration auditing templates which can be uploaded to the Security Center or used with the NessusClient to perform analysis of Unix and Windows operating system settings. These files are called “audit” policies.

Many of Tenable’s audit policies are written with specific configuration requirements from compliance regulations and recommendations such as PCI, FDCC, NSA and CIS. Our CIS and FDCC technology has also been certified by the Center for Internet Security and a NIST certified vendor test lab. 

Below is a screen shot of the Tenable Support Portal, which offers various audit policies for download to Tenable customers:

[Screenshot: the Tenable Support Portal audit policy download page]

You can see that the policies are organized by certification and compliance body. For regulations such as GLBA, SOX and HIPAA there are currently no specific configuration guides, but Tenable has helped many of our customers develop custom policies to use in their environments.

An entire section has been dedicated to auditing anti-virus products. Updates to the currently available audit policies are announced through the same RSS feeds that announce new product, log normalization, vulnerability, configuration, sensitive data and passive network monitoring rule updates.

Performing Anti-Virus Auditing

Several new audit policies are available to test for the presence of the following anti-virus technologies:

  • Bitdefender
  • ClamAV
  • Kaspersky
  • McAfee
  • Norton
  • Panda
  • Sophos
  • Symantec
  • Trend Micro

Each technology has different combinations of running processes, registry settings and installation files. Tenable’s Research group has identified a variety of methods to reliably detect these different types of software in an enterprise environment and has used this information to write Nessus audit files.

Please keep in mind that over the past few years Tenable has expanded the types of analysis that can be performed on anti-virus software:

  • Nessus has always contained checks that look for vulnerable versions of anti-virus software.
  • For the past few years, Nessus has generated an alert if it finds anti-virus software that is not running, is out of date or is otherwise misconfigured.

However, with these new anti-virus audit policies, organizations can choose a policy that reflects their requirement to run a specific technology.

Below are screen shots that show how these audits are run with the NessusClient and Security Center on systems with different installed anti-virus technologies:

[Screenshots: Panda AV, running; Symantec AV, not running; McAfee AV, running]

To perform these checks you need to download the audit policy for your organization's anti-virus technology and then configure your NessusClient or Security Center with a scan policy. Configure the scan policy to specify the particular anti-virus audit file and the credentials for the target systems. Keep in mind that multiple audit policies can be run within the same scan policy on both the NessusClient and the Security Center. This allows you to build a scan that performs a patch audit, checks configurations against Center for Internet Security settings and looks for your required anti-virus software, all at the same time.

Compliance and Governance Reporting

There are many different regulations that require organizations to run anti-virus software. Large organizations may have different technologies deployed in different locations, business units or IT assets. In these cases, tools like the Security Center help to perform a consistent audit against different components of the enterprise. This also makes it easier to identify enterprise-wide issues with the overall anti-virus deployment.

The following compliance standards specifically require anti-virus deployment and directly state that organizations need to demonstrate compliance with these requirements:

  • PCI DSS is the most common commercial regulation that mandates anti-virus software. Requirement 5.1 requires anti-virus software to be deployed on all systems commonly affected by malicious software, and requirement 5.2 requires that anti-virus mechanisms be kept current, actively running and capable of generating audit logs. These new anti-virus audit policies make it very easy to demonstrate compliance with the PCI DSS anti-virus requirements, and if the scans performing these audits are part of your daily or weekly operations, non-compliant systems can be detected very quickly.
  • GLBA safeguards guidance requires that remote users who connect over a VPN have anti-virus protection installed. If these computers are part of a domain, they can be regularly scanned with credentialed Nessus checks, even over the VPN.
  • NIST Special Publication 800-53 (the control catalog used for FISMA) control SI-3, Malicious Code Protection, requires federal organizations to protect their systems from malicious software. A comprehensive solution such as Tenable's product suite can help demonstrate SI-3 compliance and also detect when zero-day malware and worms get past the anti-virus technology.
  • COBIT control DS5.9 (Malicious Software Prevention, Detection and Correction) calls out a similar need for protecting the network from malicious software.
  • NERC CIP-007 requirement R4 (Malicious Software Prevention) also calls for anti-virus and malware prevention tools on the "critical cyber assets" used in the production of reliable electrical power.

Tenable offers the “Real-Time Compliance Monitoring” paper which provides much greater detail on how Tenable’s scanning, logging, configuration auditing and anomaly detection technologies map into the requirements of each of these regulations. We’ve also recently expanded and updated the coverage for PCI 1.2 in a separate “Real-Time PCI Compliance Monitoring” paper. Both of these can be requested from Tenable’s sales staff via email.

For More Information

Previous blogs on auditing anti-virus software with Nessus may be found at these links:

We have also talked about auditing the security of your anti-virus vendor, and how to analyze network traffic and logs to see if they have been targeted by botnets:

As always, if you want to learn more about Nessus and all of Tenable’s products and you don’t have a lot of time, we’ve prepared several informative product demonstration videos located at http://www.nessus.org/demos/.

 

CSO Online interview with Marcus Ranum

Tenable's Chief Security Officer, Marcus Ranum, was recently interviewed by CSO Online for their "What Happens Next" security predictions series. Previous interviews included Whit Diffie, Chris Hoff and many other security experts. Read the full interview here.

 

PCI Executive Roundtables in New York and Atlanta


Tenable Network Security has partnered with IANS to sponsor two executive-level PCI discussions in New York City and Atlanta. Both events are this week, and we have limited seating available for corporations facing the challenges of achieving and demonstrating PCI compliance. Questions to be answered at the roundtables include:

  1. How close are my peers getting to “complete PCI compliance”?
  2. How much are my peers spending on PCI compliance?
  3. Which sections of the PCI DSS are causing my peers the most confusion?
  4. What are the best technical solutions in the market today for PCI compliance?
  5. What can I do to monitor my compliance with PCI DSS on an ongoing basis so that I know I’ll pass my quarterly audit?
  6. Which other security software companies are my peers finding most valuable?

IANS roundtables are invitation-only gatherings known for their innovative moderated discussion format. You will meet with other senior IT managers and business leaders for an in-depth and dynamic discussion. This is an opportunity to join a community of your peers in an effort to address current issues, brainstorm on new ideas and drive effective solutions.

The New York event takes place Wednesday, November 5th at 3:00 near Grand Central Terminal. The Atlanta roundtable takes place downtown at 3:00 on Thursday, November 6th.

If you are interested in receiving an invitation to either event, please contact Tenable or IANS.

 

Log Correlation Engine 3.0 Released

Tenable is proud to announce the release of the Log Correlation Engine version 3.0. This blog entry highlights some of the LCE 3.0 enhancements and new features, plus some of the new functionality which will be made available with the upcoming release of Security Center 3.4.3.

If you are not familiar with the LCE, this product is an add-on to the Tenable Security Center that can process logs from hundreds of different applications, devices, operating systems and security monitoring technologies. Every log is normalized, correlated against a wide variety of security and compliance behaviors and analyzed for anomalies. The LCE is very easy to install and performs well both when processing logs in real time and when analyzing millions of events in just a few seconds. Typically, customers who add an LCE to their Security Center not only see higher performance than their existing SIM solution, they also drastically reduce the number of appliances or servers required for operation.

Customers who use the LCE along with the Security Center, Nessus and the Passive Vulnerability scanner, have an immense amount of configuration and activity information at their fingertips which is a key part of Tenable's Unified Security Monitoring strategy. Having this information in one spot allows an organization to react faster to incidents and trends that impact their security or compliance status. 

The following items detail the major changes existing LCE customers will be able to take advantage of with this new release.

User Based Activity Tracking

User tracking by IP address is now built into the LCE daemon rather than implemented as a separate TASL script, which is how the correlation feature we previously blogged about worked in LCE 2.0.

As part of the LCE's normalization of logs, any log that can identify where a user is, such as a login to an authentication system or authenticated emails, can be used to tie that user to a specific IP address. When LCE encounters a log that has no username field, it will assign the username of the user most recently associated with the source IP of the incoming log, or associated with the destination IP of the log if a destination IP is provided but a source IP is not.

For example, a remote user might connect to the corporate email server when sending authenticated SMTP email. If configured to treat SMTP email logs as a source to track user identities from, the LCE would automatically learn the user IDs and their IP addresses. Once this occurs, any other log, such as the user visiting the corporate web server, or performing some sort of activity picked up by the corporate NIDS, would be associated with that user ID. 

When a user changes IP addresses, a "user-ip-change" event is written to the database. For example, the following log was generated after a user authenticated to a BlueSocket network device:

Network user IP address change: user danny has changed from 192.168.20.10 to 192.168.10.101 with event BlueSocket-User_Login (5.5.5.5:0 -> 127.0.0.1:0)

There may be perfectly valid reasons for a user to access the network from a different IP address, but this can also indicate that a user’s credentials have been compromised. In DHCP environments, or in places where a user might move their system from a physical LAN to a wireless LAN, this type of tracking allows an analyst to know exactly who had which IP address and at which time while at the same time, associating specific users to normalized logs.
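To make the attribution rules concrete, here is an added Python model of the tracking described above. It is not LCE code and its event stream is constructed. Identity is learned only from event types you nominate as identity sources (here "smtp-auth" and "BlueSocket-User_Login", assumed names); user-less events are attributed by source IP, falling back to destination IP only when no source IP exists; and a user moving between IPs produces a change record in the same shape as the log above. A history of bindings is kept so an analyst can ask who held an IP at a given time.

```python
"""Added example, not LCE code: user-to-IP tracking over a constructed stream
of normalized logs, modelled on the rules the post describes."""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Event:
    """One normalized log. user=None is what the tracker tries to fill in."""
    ts: int                       # event time (constructed epoch seconds)
    type: str                     # normalized event name
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    user: Optional[str] = None
    msg: str = ""


class UserTracker:
    def __init__(self, identity_types: set[str]) -> None:
        # Only these event types are trusted to bind a user to an IP.
        self.identity_types = identity_types
        self.ip_to_user: dict[str, str] = {}   # most recent user seen at an IP
        self.user_to_ip: dict[str, str] = {}   # most recent IP for a user
        self.history: list[tuple[int, str, str]] = []  # (ts, ip, user)
        self.change_events: list[str] = []

    def _learn(self, ev: Event) -> None:
        user, ip = ev.user, ev.src_ip
        old = self.user_to_ip.get(user)
        if old is not None and old != ip:
            # Same shape as the user-ip-change log in the post. DHCP or a
            # LAN-to-wireless move explains most of these, but credential
            # reuse from somewhere else looks identical, so it is recorded.
            self.change_events.append(
                f"Network user IP address change: user {user} has changed "
                f"from {old} to {ip} with event {ev.type} "
                f"({ev.src_ip}:0 -> {ev.dst_ip or '0.0.0.0'}:0)")
        self.user_to_ip[user] = ip
        self.ip_to_user[ip] = user
        self.history.append((ev.ts, ip, user))

    def process(self, ev: Event) -> Event:
        """Return the event, with a user attributed where the rules allow."""
        if ev.user is not None:
            if ev.type in self.identity_types and ev.src_ip is not None:
                self._learn(ev)
            return ev
        # No user field: source IP wins; destination IP only if no source IP.
        key = ev.src_ip if ev.src_ip is not None else ev.dst_ip
        if key is None or key not in self.ip_to_user:
            return ev
        return replace(ev, user=self.ip_to_user[key])

    def who_had(self, ip: str, at_ts: int) -> Optional[str]:
        """Who was most recently bound to this IP at or before at_ts."""
        owner = None
        for ts, hist_ip, user in self.history:
            if hist_ip == ip and ts <= at_ts:
                owner = user
        return owner


# Constructed sample stream (not real logs).
SAMPLE_EVENTS = [
    Event(100, "smtp-auth", "192.168.20.10", "10.1.1.25", "danny", "AUTH LOGIN ok"),
    Event(130, "web-access", "192.168.20.10", "10.1.1.80", None, "GET /intranet/"),
    Event(200, "BlueSocket-User_Login", "192.168.10.101", "10.1.1.1", "danny"),
    Event(230, "ids-alert", None, "192.168.10.101", None, "inbound port sweep"),
    Event(260, "firewall-deny", "172.16.9.9", "192.168.10.101", None, "tcp/445"),
]


def track(events: list[Event], identity_types: set[str]) -> tuple[list[Event], UserTracker]:
    tracker = UserTracker(identity_types)
    return [tracker.process(ev) for ev in events], tracker


if __name__ == "__main__":
    out, t = track(SAMPLE_EVENTS, {"smtp-auth", "BlueSocket-User_Login"})
    for ev in out:
        print(ev.ts, ev.type, ev.user)
    for line in t.change_events:
        print(line)
```

In the sample stream the web access from 192.168.20.10 is attributed to danny, the BlueSocket login from a new address produces the change record, the IDS alert with only a destination IP is attributed through that destination, and the firewall deny from an unknown source stays unattributed even though its destination is danny's current address, because a source IP was present and took precedence.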

In Security Center 3.4.3, user tracking will be further exposed for analysis. Analysts will be able to sort any type of log activity (netflow, firewall, logins, IDS events, etc.) by automatically detected user, as shown below:

[Screenshot: Security Center user activity view]

USB Device Activity Tracking

LCE 3.0 Windows agents can now make use of Windows Management Instrumentation (WMI) functionality to monitor local and remote systems for USB device, CD-ROM disc and DVD disc activity. WMI has several functions, dependent on the Windows version, that allow for the monitoring of media insertion and removal from a system. These functions allow the LCE to detect the insertion or removal of USB devices that can be mounted as a volume. For each occurrence of such activity, a log entry will be generated similar to the following:

[Screenshot: example USB device insertion log entry]

This feature is particularly useful for organizations that are required to demonstrate PCI compliance (protection of cardholder data). Such organizations can use this feature to generate an alert when USB devices are inserted or removed.

This new functionality becomes part of Tenable's ability to "detect change" across user accounts, software applications, servers and the network.

Windows systems can be monitored with a local LCE agent. The same agent can also be configured to monitor multiple Windows servers through the use of credentials.

LCE Daemon Improvements

LCE now contains several additional configuration options to allow for better management of clients and data handling:

  • Old silos can be automatically saved rather than overwritten. In SC 3.4.3, these silos can also be specified from the GUI for analysis of historical saved data.
  • Plugins and TASL scripts can be set to automatically update on a regular basis.
  • LCE can now manage and more easily configure up to 8,192 LCE clients.
  • The LCE daemon can be configured to listen on multiple addresses.
  • The stats daemon is now configured from the same configuration file as the LCE.
  • Normalization rules can now accept DNS names in logs in addition to IPv4 addresses. The LCE will intelligently perform high-speed DNS lookups and cache their results for a configurable amount of time.

There are also significant file system changes from LCE 2.x to LCE 3.0, most notably in the product name and installation directories. Starting with LCE 3.0, the application files are stored under the /opt/lce directory instead of the /usr/thunder directory. This brings the application in line with standard RedHat application distributions.

LCE Daemon Performance Improvements

The LCE 3.0 daemon also offers enhanced performance compared to LCE 2.0.

  • Separate processes are now used for log normalization and correlation, which makes more efficient use of multi-core and multi-CPU systems.
  • The correlation engine is 10x faster than the one shipped with LCE 2.0.
  • All TASL scripts automatically log performance statistics for analysis.
  • Indexing and compression of the LCE silos is 50% faster than with LCE 2.0.
  • More compression is used on disk. 

In addition, each LCE client will report the CPU, memory and disk usage of the server it is running on along with their heartbeat message. In Security Center 3.4.3, the status of all LCE clients can be displayed by an administrator as well.

LCE Client Enhancements

Package Distributions

The LCE Clients have also been enhanced. One of the most noticeable improvements is the inclusion of client start-up files (known as RC files) that ensure that the client is started on system reboot and provide a cleaner mechanism for starting the LCE Clients. All clients are now installed as managed applications. This makes remote installation, common configuration and upgrades easier.  

Heartbeats

Each LCE client that communicates with the LCE Server periodically sends a heartbeat message, indicating that the connection is active. This option enables the Security Center to display information about the connection activity, hostname and IP address of the LCE client and the revision number of the application and includes performance statistics on the LCE host.

Passive SYSLOG Monitoring

The Tenable Network Monitor (an LCE agent that sniffs network traffic) can be configured to sniff SYSLOG messages and treat them as if they were being sent directly to the LCE. This is a very easy way to monitor SYSLOG messages being sent to a corporate Splunk system or another type of log aggregation point.

WMI Windows Event Log Monitoring

The LCE 3.0 Windows agent can also monitor the event log of multiple remote Windows systems via WMI. 

Upcoming Security Center 3.4.3 Features for LCE 3.0

Version 3.4.3 of the Security Center will be available shortly and contains several enhancements that LCE users should be aware of. These include:

  • The ability to query multiple LCEs at the same time and aggregate their results. This increases your overall storage of online events and also dramatically decreases query times and report generation. 
  • Raw logs can be searched. For any displayed SYSLOG message, strings can be used to search for more exact matching. This is extremely useful for finding logs with specific user names, DNS lookups to known hostile malware locations and much more.
  • The SC 3.4.3 LCE user interface has been enhanced to show more event information, to have time lines on all activity graphs and to have a more intelligent navigation and query system.
  • There are also new GUI elements that take advantage of sorting any set of events by the associated user name and to perform queries against older archived data silos of normalized and indexed events.

For More Information

LCE 3.0 installation and upgrade instructions are available on the Tenable Customer Support Portal. After upgrading to version 3.0, it is recommended that users perform a plugin update and then manually audit their TASLs to see if they want to remove or replace any of them with the new ones which are now available.

Tenable has updated all documents detailing the LCE’s deployment, configuration, user operation and overall testing. These documents are listed here and are available on the Tenable Customer Support Portal:

  • Log Correlation Engine Administration and User Guide – additional information for installing, configuring and operating the LCE
  • Log Correlation Engine Client Guide – how to configure, operate and manage the various Unix, Windows, netflow, OPSEC and other clients
  • Log Correlation Engine Log Normalization Guide – explanation of the LCE’s log parsing syntax with extensive examples of log parsing and manipulating the LCE’s .prm libraries
  • TASL Reference Guide – explanation of the Tenable Application Scripting Language with extensive examples of a variety of correlation rules
  • Log Correlation Engine Statistics Daemon Guide – configuration, operation and theory of the LCE’s statistic daemon used to discover behavioral anomalies

Please contact Tenable Support for any questions regarding the upgrade to LCE 3.0. Potential customers interested in evaluating or upgrading to the LCE should contact our sales staff.