Thursday, July 20, 2017

McAfee SIEM: Recovering a previously keyed receiver

Note: This is especially useful when replacing a downed ESM and no backups are available, or the backups are corrupted. It also applies if you inherit a receiver from a peer business unit or SOC.

    1. Press the Alt and F2 keys simultaneously.
    2. Enter "root" for the login name and press Enter.
    3. Enter the old password to log in.
    4. Enter the following command to rekey the system to the factory default:
       cat /etc/NitroGuard/factory-id_rsa.pub > /root/.ssh/authorized_keys2
       The redirect replaces whatever is currently in authorized_keys2 with the factory public key, which is what puts the receiver back into its default (unkeyed) state.

Proceed to add the device to your new SIEM




    1. Sign on to your ESM.
    2. Click on the pancake (hamburger) menu to open the side menu.
    3. Click Configuration.
    4. Click on Local ESM.
    5. Select the icon with the plus sign.
    6. Select Event Receiver and click Next.
    7. Enter the name of the receiver and click Next.
    8. Enter the IP address of the receiver and click Next.
    9. Enter your administrative password, confirm it by typing it twice, and click Next.
    10. If successful, you will receive confirmation.


Monday, January 4, 2016

SIEM - I Thought Everyone Knew....

I recently spoke at an Information Security related “Meet Up”, and at a local SBA type of gathering for small businesses here in Kansas. I truly believe that “Awareness is the first line of defense” when it comes to protecting one's identity, data and business. With that in mind, I’m willing to tell, teach, guide or draw out with a crayon what I know about Information Security, what options are available, what it should cost, and even how to monitor your kids' computer, tablet and smart phone use.
During these two talks, I realized something VERY sobering. Though everyone at both was comfortable with technology, and many were actively working in I.T., many had no clue about what they could do to help protect themselves or their business. They weren’t aware!!! So, I think we in the InfoSec world have a responsibility to share what we know with the business community at large, and more importantly with the average end-user or home user. Remember, these are the people who will eventually be an end-point on your network as the newest employee, or whose home computer may become a node in the botnet that’s scheduled to attack your network.
IT’S A WAR GOING ON PEOPLE!!!! VIVA INFOSEC!!!!
OK, OK, OK, I will try to leave the comedy out of it……I did say “Try”.
During these presentations, one question that stood out was: “What exactly is a SIEM and, to be honest, why do I need one?”

In today’s dynamic and highly competitive world, business is dependent on information and technology. This creates a set of challenges and opportunities, but it also adds a new set of requirements for security, information management and compliance. The scope of these varies based on the business and the compliance criteria that each business or set of data must meet. For many businesses, this seems too complicated, expensive or unrealistic. Actually, it’s a very reachable, viable concept that may be achieved via the SIEM.
So what is the SIEM, Security Information and Event Management?
A modern SIEM implementation ranges from simple and virtually free to complex and quite expensive. Also keep in mind that no two implementations are alike; each may be as unique as a fingerprint. In its simplest form, it is a set of technologies that provide:
  • Data collection \ Event Collection
  • Normalization
  • Indexing
  • Asset Discovery
  • Threat detection
  • Vulnerability Assessment and Management
  • Log Storage
  • Correlation
  • Unified view into your infrastructure
You may be saying, “Ok, Joe. That sounds great!!!! Uhhhh, but what does all that mean?!”
Well, it means that a SIEM can:

Step 1: Collect all necessary information in your environment, in whatever form it may be in.
Step 2: Turn the computerized or machine information into human language.
Step 3: Sort that information, based on how you tell it to, and store it in a database.
Step 4: Discover all the assets you have in your environment, and store that too.
Step 5: Tell you if there are any threats to those assets.
Step 6: Tell you if any of those assets are vulnerable to any known threats.
Step 7: Via BI (Business Intelligence), rules, or anomaly detection, alert you when something just seems fishy.
Step 8: Display Steps 1 – 7 in 1, yes in 1, display, dashboard, screenshot… use any term that fits. Give you the ability to SEE the results of Steps 1 – 7.
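The steps above can be watched end to end in a few dozen lines. What follows is an added example, not code from the original post or from any SIEM product: a toy Python pipeline that collects two constructed log formats (a Linux sshd syslog line and a Windows-style JSON logon-failure event), normalizes them into one schema (Step 2), indexes them by source address (Step 3) and applies a simple correlation rule (Step 7), returning the kind of summary a dashboard would render (Step 8). The field names, the mapping of Windows Event ID 4625 to an authentication failure, and the failed-login threshold and window are assumptions chosen for the example; asset discovery and vulnerability assessment (Steps 4 to 6) need external data and are not shown.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Step 1 (collection): constructed sample records in two formats. Real
# collectors would read these from syslog, WMI, files or APIs.
RAW_LOGS = [
    "Jan  4 10:01:02 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 4242 ssh2",
    "Jan  4 10:01:05 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 4243 ssh2",
    '{"EventID": 4625, "TimeCreated": "2016-01-04T10:01:07Z", "Computer": "dc01", '
    '"TargetUserName": "admin", "IpAddress": "203.0.113.5"}',
    '{"EventID": 4625, "TimeCreated": "2016-01-04T10:01:09Z", "Computer": "dc01", '
    '"TargetUserName": "administrator", "IpAddress": "203.0.113.5"}',
    "Jan  4 10:02:00 web01 sshd[1300]: Accepted password for joe from 198.51.100.7 port 5000 ssh2",
    "Jan  4 10:02:30 web01 kernel: eth0: link is up",  # unknown format, will be dropped
]

SYSLOG_SSHD = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def normalize(line, year=2016):
    """Step 2: map one raw record onto a common schema, or None if unrecognised.
    Syslog lines carry no year, so the caller supplies one (assumed 2016 here)."""
    m = SYSLOG_SSHD.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["src"],
                "event": "auth_failure" if m["result"] == "Failed" else "auth_success"}
    if line.startswith("{"):
        rec = json.loads(line)
        if rec.get("EventID") == 4625:  # Windows: an account failed to log on
            ts = datetime.strptime(rec["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            return {"ts": ts, "host": rec["Computer"], "user": rec["TargetUserName"],
                    "src_ip": rec["IpAddress"], "event": "auth_failure"}
    return None


def index_by_source(events):
    """Step 3: index normalized events by source address for fast lookup."""
    index = defaultdict(list)
    for ev in events:
        index[ev["src_ip"]].append(ev)
    return index


def correlate_bruteforce(index, threshold=3, window_seconds=60):
    """Step 7 (rule-based correlation): one source producing at least `threshold`
    authentication failures inside `window_seconds`, counted across every host
    that reported them. Threshold and window are assumptions for the example."""
    alerts = []
    for src, evs in index.items():
        fails = sorted(ev["ts"] for ev in evs if ev["event"] == "auth_failure")
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_seconds:
                alerts.append({
                    "rule": "auth_bruteforce",
                    "src_ip": src,
                    "failures": len(fails),
                    "hosts": sorted({ev["host"] for ev in evs if ev["event"] == "auth_failure"}),
                    "first_seen": fails[0].isoformat(),
                })
                break  # one alert per source is enough
    return alerts


def run_pipeline(raw_lines):
    """Steps 1-3 and 7 end to end; the returned dict is the single view of Step 8."""
    normalized = [ev for ev in (normalize(line) for line in raw_lines) if ev]
    alerts = correlate_bruteforce(index_by_source(normalized))
    return {
        "collected": len(raw_lines),
        "normalized": len(normalized),
        "dropped": len(raw_lines) - len(normalized),
        "alerts": alerts,
    }


if __name__ == "__main__":
    print(json.dumps(run_pipeline(RAW_LOGS), indent=2))
```

Note what the sample is built to show: web01 alone logs two failures and dc01 alone logs two, so neither host's log by itself crosses the threshold of three; only the normalized, correlated view sees four failures from one address within seven seconds. The line the parser does not understand is counted as dropped rather than silently lost, which is the number to watch when judging "crap in, crap out".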

The caveat here is that the SIEM is only as good as what you put in it. As the old saying states: “Crap in, Crap out”. The SIEM can potentially reflect not only your security readiness posture, but also the state and\or effectiveness of your processes, procedures and integration of teams and workflows. The SIEM can become invaluable based on how it's implemented, maintained and managed. The scope of which, as a SIEM evangelist, I’d say is “infinite”. I know that’s saying a lot, but as your security model matures the possibilities are whatever the requirements state, and may even CREATE or add a service to your business model to offer to your clients or customers. I will explore that more in the next post.

By Joe Piggeé Sr.

Wednesday, December 9, 2015




ATTENTION: SIEM Engineers, Project Managers, and Compliance Auditors (CISA)
Only because I have not seen anything since this judgment was handed down, and it affects SO MANY processes, procedures, and policies. Please note, this is only applicable to companies with an international (cross-border) presence in their transaction, monitoring and\or reporting data footprints. I decided to write a quick summary, as it will have the most impact on shops that have implemented the ITILv3 framework. Your service catalogue won’t need to change; however, your methods of delivering services will.
Can you say ‘Call Centers’, Jimmy?
A couple of months ago, in October 2015, the International Safe Harbor act was deemed invalid. In short, this agreement held the legal principles for the handling of personally identifiable data, or PII as it's more commonly known, and either gave access to or limited methods of parsing, usage, storing, etc.
This affects me and a couple of peers in a Security group because we have international offices, transactions, processes and\or custom APIs that interact with this data from “Cross Border Source Origination”.
“Who cares?”, you may say. Here are a few examples from a SIEM guy’s perspective:
As you read, please keep in mind that, in any scenario, knowing precisely where data is at any given time is key to a company being compliant and adhering to the previous EU data privacy regulations. Companies, vested personnel, infrastructure, budgets and compliance enforcement procedures will need to be either:
· Revisited
· Re-validated and verified via third party resources
· Purchase more equipment
· Get more personnel
· Change, recreate or append correlation methodologies
· Change business & billing models and workflows
· Separate logging, zoning, notification and baseline logic components
· COMPLETELY redesign zones
· Purchase resources to store logs abroad
· Double the granularity of auditing
· Monitor, and log ALL flows
· Develop API’s that may interact with the dataset
Now, SLAs, deployment projects, security monitoring and logging will need to change their current implementations, or edit any plans that may already be out of the door.

Here are some references:




Just a quick FYI, in case you need to scream, point fingers or just blame someone: blame Facebook. The catalyst behind this was a lawsuit over how Facebook handled someone’s personal data, and the judge ruled in his favor, which puts many engineers, SLAs and projects in peril unless changed. Please take a moment to read some of the references, definitions, and FAQs on what you should do, by utilizing the URLs I have included above.

Joe Piggeé Sr.
GCIH, VCP5DVC, MCSE, ITILv3
Systems Security Engineer

Tuesday, July 21, 2015

What does the Wassenaar Pact mean and its effect on InfoSec and Security Operations

Security Professionals Will Lose Their Collective Minds

The propositions made in the Wassenaar Pact are scary at best. As a Security professional, this would negatively impact the ability to deploy, administer, report, defend and monitor satellite locations. I know attackers the world over read this and felt a surge of joy. This will essentially stop much research, and truly put Whitehats far behind their counterparts!!!!
Excerpt from the proposal: BIS proposes to remove cybersecurity software from the mass market provision of License Exception TSU eligibility by adding a new paragraph (d)(2)(ii). This is consistent with the existing encryption exclusion.
The changes are vague, but also completely ineffective and contradictory to the stated intent. Talk about self-defeating. I realize that I am "Johnny come lately" when it comes to this; however, the threat of inadequacy is still there and the InfoSec community needs to be aware of this. Please review and be aware of the following:
By Joe Piggee
References:

Thursday, February 19, 2015

Test Your Computer and Remove the Superfish Software

 

Scan for Superfish

  1. Click on either of the two links below.
  2. Use either Chrome or Internet Explorer.
  3. If you get a No, you're fine; if you get a Yes, continue on.

Removal

  1. Open the Windows Start menu or Start screen and search for "Uninstall a program".
  2. Launch it.
  3. Right-click on "Superfish Inc VisualDiscovery" and select "Uninstall," then enter your administrator password.
  4. Next, you need to uninstall the certificates.
  5. Head back to the Start menu and search for certmgr.msc. Launch it.
  6. Click on "Trusted Root Certification Authorities" and open Certificates.
  7. Look for any certificates that include Superfish Inc, and right-click to delete them.
  8. Restart your browser then head back to the link to test your computer.

*Note: in some instances, it has been reported that you may ultimately be forced to install a fresh OS in order to remove Superfish completely.

 

Hope this helps.

By PePeLePuu, the dancing Engineer

Joe Piggeé

Monday, February 16, 2015

McAfee SIEM Q&A Part 2

Q.  What is the difference between the (Events) and (Event Logs)?

A. These are actually tables in the SIEM database that have their own separate retention policies, etc. In general, best practice dictates that you at a minimum back up the Events and Event Logs. You'd want to have these available for reference during cause analysis activities. I believe they are Alerts, Connections and uhhh. Can't remember the other one.


Q.  If I only backed up the (ESM settings) and we suffered an ESM meltdown, would a recovery of the (ESM settings) to a new ESM restore: data sources, rules, custom rules, alarms, views, zone configurations, asset sources, system profiles, etc.?

A. Yes, theoretically. However, in a lab environment, I've had to re-key all the devices after restoring. 

Note: A standard backup saves all configuration settings, including those for policy. When you add a new ESM device, Backup & Restore is enabled to back up every 7 days. You can back up events, flows, and logs received by the system. The first backup of event, flow, or log data saves only data from the start of the current day. Subsequent backups save data starting at the time of the last backup.

McAfee SIEM Q&A

You should also add "Exporting your Data Sources" to your maintenance tasks. As a footnote, all data sources are defined in a file named thirdparty.conf with the following format for each data source:

# Data source configuration for ERC-2600
# Applied: 02/12/2015 18:20:19
# ESM:
# ESM buildstamp: 9.4.2 20150127184901
# Receiver:
# Receiver buildstamp: 9.4.2 20150127184901
[DataSource Name Displayed in ESM System Tree]
id=2
ipsid=144182258301927424
created=1387472852
# Windows Event Log - WMI
type=43
type_orig=43
disabled=no
ip_address=192.168.1.8
collector=wmi
parser=wmi
protocol=wmi
elm_logging=yes
parsing=yes
hostname=server01.joeslab
pool=ELM-StoragePoolNAme
use_rpc=no
wmi_interval=600
wmi_logs=Active Directory Web Services,Application,DFS Replication,Directory Service,DNS Server,HardwareEvents,Internet Explorer,Key Management Service,Security,System,Windows PowerShell
wmi_password=U2FsdGVkX18OTHISISNOTAREALPASSWORDPm+NonX01kRUzi6FS0c7Iw==
wmi_username=daminname\ServiceAcct
wmi_version=0
device_status_traps=no
override=
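Because a data source export is also a credential export (note the wmi_password line above), it is worth parsing the file rather than copying it around whole. The following is an added example and not McAfee code: a small Python parser for the thirdparty.conf layout shown above ('#' comments, one [Name] section per data source, key=value settings), which inventories each data source and writes a copy with the password field redacted. The two data sources in the sample are constructed for the example (the first mirrors the post's WMI entry with the post's placeholder password; the second is a made-up syslog entry), and the set of keys treated as sensitive is an assumption.

```python
# Constructed sample in the thirdparty.conf layout from the post. The names,
# the syslog entry and the placeholder password are made up for this example.
SAMPLE_CONF = r"""
# Data source configuration for ERC-2600
# Applied: 02/12/2015 18:20:19
[server01 Windows Event Log]
id=2
ipsid=144182258301927424
created=1387472852
# Windows Event Log - WMI
type=43
type_orig=43
disabled=no
ip_address=192.168.1.8
collector=wmi
parser=wmi
protocol=wmi
elm_logging=yes
parsing=yes
hostname=server01.joeslab
wmi_interval=600
wmi_logs=Application,Security,System
wmi_password=U2FsdGVkX18OTHISISNOTAREALPASSWORDPm+NonX01kRUzi6FS0c7Iw==
wmi_username=daminname\ServiceAcct
override=

[fw01 syslog]
id=3
disabled=yes
ip_address=192.168.1.1
collector=syslog
elm_logging=no
"""

# Assumption: settings whose values are secrets and must not leave the ESM.
SENSITIVE_KEYS = {"wmi_password"}


def parse_thirdparty_conf(text):
    """Parse the export into a list of {'name': ..., 'settings': {...}} in file order.
    Blank lines and '#' comments are skipped; values may themselves contain '='
    (the base64 password ends in '=='), so only the first '=' splits key from value."""
    sources, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1].strip(), "settings": {}}
            sources.append(current)
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        if current is None:
            raise ValueError(f"line {lineno}: setting outside any [section]")
        current["settings"][key.strip()] = value.strip()
    return sources


def inventory(sources):
    """Reduce each data source to the fields a maintenance export needs."""
    rows = []
    for src in sources:
        st = src["settings"]
        rows.append({
            "name": src["name"],
            "ip_address": st.get("ip_address", ""),
            "collector": st.get("collector", ""),
            "enabled": st.get("disabled", "no") != "yes",
            "elm_logging": st.get("elm_logging", "no") == "yes",
            "has_credentials": any(k in st for k in SENSITIVE_KEYS),
        })
    return rows


def redacted_export(sources, marker="<redacted>"):
    """Re-serialize the export with secret values replaced, for tickets or hand-offs."""
    out = []
    for src in sources:
        out.append(f"[{src['name']}]")
        for key, value in src["settings"].items():
            out.append(f"{key}={marker if key in SENSITIVE_KEYS else value}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_thirdparty_conf(SAMPLE_CONF)
    for row in inventory(parsed):
        print(row)
    print(redacted_export(parsed))
```

One observation on the sample value: the wmi_password in the post begins with U2FsdGVkX1, which is the base64 encoding of the ASCII text Salted__, the header OpenSSL's enc command writes ahead of salted ciphertext. The field is therefore stored encrypted rather than in the clear, but the key that decrypts it lives on the appliance, so a file containing it is still a credential store; the redacted copy is the one to attach to a ticket or hand to a peer unit when a receiver changes hands.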


Q. If I were to restore from a (Full backup of data), would all the Event Summaries, Flow Summaries and Flow Distributions restore?
A. Yes. All of these are essentially database tables.
Q. When a (Full backup of data) is done, is there any compression on that data?
A. Yes; not certain about the ratio.
Q. Is there a good way of estimating how much space to allocate for a remote full backup?
A. No, because that depends on too many variables. Speak with your SAN or storage engineers as well.
Q. Backup location options for remote locations are CIFS or NFS. I assume a CIFS or NFS share can be set up on a SAN?
A. Yes.
Q. When a (Full backup of data) is done, does that include the ESM database, active partitions and inactive partitions?
A. Yes and no. Yes to all active data; no because when an active partition reaches its maximum size, it becomes inactive and is deleted.
Q. Does it make sense to still conduct full backups of data when we have an ELM (it seems redundant)?
A. Yes. They are two completely different things. The ELM holds RAW, unparsed data. The data on an ESM is "relational" and parsed.
Q. I'm a bit confused on the relationships between:
  ○ System Properties>System Information>Backup and Restore
  ○ System Properties>Database>Archival
  ○ System Properties>Database>Data Storage
A. The relationship is:
○ Backup & Restore - tells the system how and where to back up, and where to find backups for restoring.
○ Archival - tells the ESM how and where to store archived data, and also whether or not you want archived data to be included in views.
○ Data Storage - the easiest explanation is to say "data connections". For example, if you have DAS (Directly Attached Storage), a SAN connection, or iSCSI storage devices, you might have active partitions configured on the DAS, back up to the SAN, and store archives on the iSCSI.
Q. Is there a recommendation on sizing inactive partitions?
A. Not really. It depends on the environment and configuration. Note this can affect queries, as it ultimately states how much data to keep on hand, or on the system, before archiving. When you open a view and define a time period of, say, "All", it will query data on the system AND archived data. Your type of connection to external storage contributes to this decision as well.
Hope this helps!
PePeLePuu
The Dancing Engineer!!!!