ATTENTION: SIEM Engineers, Project Managers, and Compliance Auditors (CISA)

Only because I have not seen anything since this judgment was handed down, and effects SO MANY processes, procedures, and policies. Please note, this is only applicable to companies with international (cross border) presence in their transaction, monitoring and\or reporting data footprints. I decided to write a quick summary, as it will have the most impact on shops that have implemented the ITILv3 framework. Your service catalogue won’t need to change, however, your methods of delivering services will.

Can you say ‘Call Centers’, Jimmy?

A couple of months ago, October 2015, the International Safe Harbor act was deemed invalid. In short, this agreement held the legal principles for the handling of personally identifiable data, or PII as its more commonly known as, and either gave access or limited methods of parsing, usage, storing etc…
This affects me, and couple peers in a Security group because we have international offices, transactions, processes and\or custom API’s that interact with this data from – “Cross Border Source Origination”.

“Who cares?”, you may say. Here are a few examples from a SIEM guy’s perspective:

As you read, please keep in mind that, in any scenario, knowing precisely where data is at any given time is key to a company being compliant and adhering to the previous EU data privacy regulations. Company’s, vested personnel, infrastructure, budgets and compliance enforcement procedures with need to be either:
·
· Revisited
· Re-validated and verified via third party resources
· Purchase more equipment
· Get more personnel
· Change, recreate or append correlation methodologies
· Change business & billing models and workflows
· Separate logging, zoning, notification and baseline logic components
· COMPLETELY redesign zones
· Purchase resources to store logs abroad
· Double the granularity of auditing
· Monitor, and log ALL flows
· Develop API’s that may interact with the dataset
Now, SLA’s, projects for deployment, security monitoring and logging will need to change current implementations, or edit any plans that may be already out of the door.

Here are some references:

• · http://thehill.com/policy/cybersecurity/258182-eu-us-strike-deal-in-principle-on-new-data-sharing-pact
• · http://thehill.com/policy/cybersecurity/258182-eu-us-strike-deal-in-principle-on-new-data-sharing-pact
• · https://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles#References
• · https://safeharbor.export.gov/list.aspx
• · http://export.gov/safeharbor/eg_main_018241.asp
• · http://export.gov/safeharbor/eu/index.asp

Just a quick FYI, in case you need to scream, point fingers or just blame someone, blame Facebook. The catalyst behind this was a law suit over how Facebook handled someone’s personal data and the judge ruled in his favor. Which puts many engineers, SLA’s, projects in peril unless changed. Please take a moment to read some of the references, definitions, and FAQ’s on what you should do, by utilizing the URL’s I have included above.

Joe Piggeé Sr.
GCIH, VCP5DVC, MCSE, ITILv3
Systems Security Engineer

What does the Wassenaar Pact mean and its effect on InfoSec and Security Operations

Security Professionals Will Lose Their Collective Minds

The propositions made in the Wassenaar Pact are scary at best. As a Security professional, this would negatively impact the ability to deploy, administer, report, defend, monitor satellite locations. I know attackers the world over read this and felt a surge of joy. This will essentially stop much research, and truly put Whitehats far behind their counter parts!!!!

Excerpt from the proposal: BIS proposes to remove cybersecurity software from the mass market provision of License Exception TSU eligibility by adding a new paragraph (d)(2)(ii). This is consistent with the existing encryption exclusion.

 From <https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items> 

The changes are vague, but also completely ineffective and contradictory to the stated intent. Talk about a self-defeating. I realize that I am, "Johnny come late", when it comes to this, however the threat of inadequacy is still there and the InfoSec community needs to be aware of this. Please review be aware of the following:

• Scope of Changes
  • https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#h-9
  ECCN 5A001.J - Internet Protocol Network Communications Surveillance Systems
  • https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#h-13
  740.13 - License Exception TSU
  • https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#h-14
  • CyberSecurity Items That are designed or Modified to Use Cryptography or Cryptanalysis (Obviously, don't try to protect your data)
  • https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#h-15
  • 772.1 Definitions of Terms as Used in the EAR: Addition of Definition for “Intrusion Software”
  • https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#h-18

 By Joe Piggee

References:

• https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items
•  http://www.wassenaar.org/
• http://www.gpo.gov/fdsys/granule/FR-2015-05-20/2015-11642=
• http://www.wassenaar.org/publicdocuments/2013/WA%20Plenary%20Public%20Statement%202013.pdf

Test Your Computer and Remove the Superfish Software

 

Scan for Superfish

1. Click on either of the two links below.
• https://lastpass.com/superfish/
• https://filippo.io/Badfish/
2. Use either Chrome or Internet Explorer.
3. If you get a No, you're fine, but if you get a Yes, continue on.

Removal

1. Open the Windows Start menu or Start screen and search for "Uninstall a program".
2. Launch it.
3. Right-click on "Superfish Inc VisualDiscovery" and select "Uninstall," then enter your administrator password.
4. Next, you need to uninstall the certificates.
5. Head back to the Start menu and search for certmgr.msc. Launch it.
6. Click on "Trusted Root Certification Authorities" and open Certificates.
7. Look for any certificates that include Superfish Inc, and right-click to delete them.
8. Restart your browser then head back to the link to test your computer.

*Note in some instances, it has been reported, you may ultimately be forced to install a fresh OS in order to remove Superfish completely.

 

Hope this helps.

By PePeLePuu, the dancing Engineer

Joe Piggeé

McAfee SIEM Q&A Part 2

Q.  What is the difference between the (Events) and (Event Logs)?

A. These are actually tables, in the SIEM database that have their own separate retention policies etc. In general, best practice dictates that you at a minimum backup the Events, and events logs. You'd want to have these available for reference during cause analysis activities. I believe they are Alerts, Connections and uhhh. Can't remember the other one.

Q.  If I only backed up the (ESM settings), and we suffered an ESM meltdown. Would a recovery of the (ESM settings)

          to a new ESM restore: data sources, rules, custom rules, alarms, views, zone configurations, asset sources, system profiles, etc...?

A. Yes, theoretically. However, in a lab environment, I've had to re-key all the devices after restoring. 

Note: A standard backup saves all configuration settings, including those for policy. When you add a new ESM device, Backup & Restore is enabled to backup every 7 days. You can back up events, flows, and logs received by the system. The first backup of event, flow, or log data saves only data from the start of the current day. Subsequent backups save data starting at the time of the last backup.

McAfee SIEM Q&A

You should also add to your maintenance tasks, "Exporting your DataSources". As a foot note, all datasources are defined in a file named thirdparty.conf with the following format for each datasource:

# Data source configuration for ERC-2600
# Applied: 02/12/2015 18:20:19
# ESM:
# ESM buildstamp: 9.4.2 20150127184901
# Receiver:
# Receiver buildstamp: 9.4.2 20150127184901
[DataSource Name Displayed in ESM System Tree]
id=2
ipsid=144182258301927424
created=1387472852
# Windows Event Log - WMI
type=43
type_orig=43
disabled=no
ip_address=192.168.1.8
collector=wmi
parser=wmi
protocol=wmi
elm_logging=yes
parsing=yes
hostname=server01.joeslab
pool=ELM-StoragePoolNAme
use_rpc=no
wmi_interval=600
wmi_logs=Active Directory Web Services,Application,DFS Replication,Directory Service,DNS Server,HardwareEvents,Internet Explorer,Key Management Service,Security,System,Windows PowerShell
wmi_password=U2FsdGVkX18OTHISISNOTAREALPASSWORDPm+NonX01kRUzi6FS0c7Iw==
wmi_username=daminname\ServiceAcct
wmi_version=0
device_status_traps=no
override=


Q  If I were to restore from a (Full backup of data), then would all the Event Summary's, Flow Summary's, Flow Distributions, Restore?
A. Yes. All of these are essentially database tables.
Q.When a (Full backup of data) is done, is there any compression on that data?
A. Yes, not certain about the ratio.
Q. Is there a good way of estimating how much space to allocate for a remote full backup?
A. No, because that is dependent on too many variables, Speak with your SAN or storage engineers as well.
Q. Backup location options for remote locations are: CIFS or NFS, I assume a CIFS or NFS share can be setup on a SAN?
A. Yes
Q. When a (Full backup of data) is done, does that include the ESM database, active partitions, inactive partitions?
A. Yes and No. Yes, to all active data. No because, When an active partition reaches its maximum size, it becomes
inactive and is deleted.
Q. Does it make sense to still conduct Full backups of data when we have an ELM, (seems redundant)?
A. Yes. They are two completely different things. The ELM holds RAW, unparsed data. The data on an ESM is "Relational" and parsed.
Q. I'm a bit confused on the relationships between:
  ○ System Properties>System Information>Backup and Restore
  ○ System Properties>Database>Archival
  ○ System Properties>Database>Data Storage
A. The relationship is
○ Backup & Restores - Tell the system how and where to backup, and where to find backups for restoring
○ Archival - Tell ESM how, and where to store archived data, and also where or not you want archived data to be included in views.
○ Data Storage - The easiest explanation is to say "Data Connections". For example, If you has a DAS (Directly Attached Storage), SAN connection, or iSCSI storage devices, you might have active partitions configured on to the DAS, backup to the SAN and store archive  on the isci
Q.  Is there a recommendation on sizing inactive partitions?
A. Not really. It depends on the environment, and configuration. Note this can affect queries, as this ultimately states how much data to keep on hand, or on the system before archiving. When you open a view and define a time period of say "All", it will query data on the system AND Archived data. You type of connection to external storage contributes to this decision as well.
Hope this helps!
PePeLePuu
The Dancing Engineer!!!!

McAfee SIEM: Rebuild Index –ESM

Problem:
I came in this morning and, after signing in to the ESMWGUI\ Dashboard, noticed there weren’t any new events after a certain time. I also notice I had some red flags. Hmmmm, so I troubleshoot.
Resolution:
Phase I – Open System Log

Open ESM Properties, by clicking on the icon of a window in the top right corner.
2. Open System Log
3. Look for obvious errors. Example: Could not submit auto flow retrieval, exclusive job already in progress

Phase 2 – Check Database Health

1. Open ssh session
2. Stop cpservice	McAfee-ETM-6000 ~ # service cpservice stop
3. Check database health using DBCheck	McAfee-ETM-6000 ~ # DBCheck -d '/usr/local/ess/data/ngcp.dfl' -p 'LOCDB327|CPDB126' –t or use DBCheck -d ngcp.dfl -c | grep not
4. While doing the previous action keep an eye on the error log	vi /usr/local/ess/data/NitroError.Log
5. Observe errors, similar to these
	NitroX.MakeTableRecord Access violation

Phase 3 – Rebuild Index

1. Navigate to the location of the index	McAfee-ETM-6000 ~ # cd /usr/local/ess/data
2. Create a copy of the current index files, and confirm this was completed.	/usr/local/ess/data # mkdir copy_ngcp /usr/local/ess/data # cp ngcp.cfg copy_ngcp /usr/local/ess/data # cp ngcp.cfd copy_ngcp /usr/local/ess/data # cd copy_ngcp/ /usr/local/ess/data/copy_ngcp # ls <output> ngcp.cfd ngcp.cfg
3. The simplest thing to do is to simply type reboot

PePeLePuu – The Dancing Engineer!!!!
By. Joe Piggee

Migrate VMWare box to VirtualBox

VMware Player is only free for personal non-commercial use. It's not so hard to migrate your VMWare box to VirtualBox, but it you used a SCSI disk in VMWare, you will see the error below when trying to run converted box in VirtualBox:

Could not find a storage controller named 'SCSI Controller'."

The instructions below will guide you through the converting process.

VMWare

• Boot the VM
• Uninstall vmware tools
• Shutdown
• Edit VM settings -> remove the HD
• Edit the_machine.vmdk
• change ddb.adapterType from "buslogic" or "lsilogic" to "ide"
• Edit VM settings -> add an HD, type IDE from existing file the_machine.vmdk
• Boot the VM
• Shutdown

Now you can convert the box from VMWare to Open Virtualization Format.

$ ovftool -o the_machine.vmx the_machine.ovf Opening VMX source: the_machine.vmx Opening OVF target: the_machine.ovf Writing OVF package: the_machine.ovf Transfer Completed Completed successfully

VirtualBox

The last step is to import the OFV in VirtualBox and install guest additions.

• File -> import appliance -> the_machine.ovf
• VM settings -> storage -> add attachment -> CD drive
• Boot the VM
• install guest additions from CD