My new LOGbinder EX for Exchange Released: Bridge the Gap between Exchange and Your SIEM
Mon, 18 Feb 2013 14:51:34 GMT
I’m excited to announce the release of LOGbinder EX for Exchange
Server, which bridges the gap between Exchange and your SIEM.
With today’s ever-growing compliance burden and
threat-scape, obtaining visibility into the dominant messaging platform is
crucial to security and business risk management for most organizations.
Thankfully, Exchange Server provides an audit trail of non-owner
access to mailboxes as well as privileged activity by Exchange administrators.
With mailbox auditing, you can detect:
· Users viewing an executive’s confidential email
· Impersonated, fraudulent emails
· Administrators exporting copies of entire mailboxes
· Deletion of emails to cover up evidence
With administrator auditing, you can detect:
· Exports of mailboxes
· Copies of entire mailbox databases
· Security configuration changes to Exchange
· Access control changes to groups, roles, and permissions
· Modifications to Exchange policies involving retention, mobile device policy, information rights management, federation, and more
But, like many application audit logs today, the information is trapped within the application. In Exchange’s case the audit logs are actually maintained in mailboxes. Applications benefit from internal audit capability, but ultimately audit logs should be copied as frequently as possible to a separate, isolated log management system.
LOGbinder EX efficiently processes native Exchange audit data and translates cryptic codes, yielding an easy-to-understand Exchange audit log in the Windows event log or syslog, where any log management/SIEM solution can take over with collection, alerting, reporting, and secure archival. LOGbinder EX performs these functions on both the administrator audit log and the mailbox audit log.
LOGbinder EX can be installed on almost any server in your domain; there's no need to install it on any of your Exchange servers, which avoids any impact on production mail flow.
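As an added example (this is not LOGbinder's code), the same ground can be covered by hand in the Exchange Management Shell (Exchange 2010 SP1 or 2013): turn on non-owner mailbox auditing, pull both audit trails the post describes, and relay the findings into the Windows Application log that a SIEM agent already collects. The mailbox address, the list of privileged cmdlets watched, and the event-source name are constructed for this example.

```powershell
# Added example, not LOGbinder's code. Run in the Exchange Management Shell.

# 1. Audit non-owner access to a sensitive mailbox. Owner actions are deliberately
#    not audited; delegates and administrators are.
function Enable-NonOwnerAudit {
    param([Parameter(Mandatory=$true)][string]$Mailbox)
    Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
        -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf `
        -AuditAdmin Update,Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,MessageBind `
        -AuditLogAgeLimit '90.00:00:00'
}

# 2. Pull the two audit trails: non-owner mailbox access, and privileged cmdlets
#    (here: mailbox exports and role/permission changes, a constructed watch list).
function Get-ExchangeAuditFindings {
    param([string[]]$Mailboxes, [int]$Days = 7)
    $start = (Get-Date).AddDays(-$Days); $end = Get-Date

    foreach ($mbx in $Mailboxes) {
        Search-MailboxAuditLog -Identity $mbx -LogonTypes Delegate,Admin `
            -StartDate $start -EndDate $end -ShowDetails |
          ForEach-Object {
            New-Object PSObject -Property @{
                Source = 'MailboxAudit';        When   = $_.LastAccessed
                Actor  = $_.LogonUserDisplayName; Action = $_.Operation
                Target = "$mbx : $($_.FolderPathName) / $($_.ItemSubject)"
                Client = $_.ClientIPAddress
            }
          }
    }

    Search-AdminAuditLog -Cmdlets New-MailboxExportRequest,New-ManagementRoleAssignment,Add-RoleGroupMember `
        -StartDate $start -EndDate $end |
      ForEach-Object {
        New-Object PSObject -Property @{
            Source = 'AdminAudit';  When   = $_.RunDate
            Actor  = $_.Caller;     Action = $_.CmdletName
            Target = $_.ObjectModified
            Client = 'n/a'
        }
      }
}

# 3. Bridge: write each finding to the Application log so the SIEM's existing
#    event-log collector picks it up. 'ExchangeAuditBridge' is a source name
#    chosen for this example; event IDs 1001/1002 are likewise arbitrary.
function Write-AuditFindingsToEventLog {
    param([Parameter(ValueFromPipeline=$true)]$Finding)
    begin {
        if (-not [System.Diagnostics.EventLog]::SourceExists('ExchangeAuditBridge')) {
            New-EventLog -LogName Application -Source 'ExchangeAuditBridge'
        }
    }
    process {
        $id  = if ($Finding.Source -eq 'AdminAudit') { 1002 } else { 1001 }
        $msg = ($Finding | Format-List | Out-String).Trim()
        Write-EventLog -LogName Application -Source 'ExchangeAuditBridge' `
            -EventId $id -EntryType Warning -Message $msg
    }
}

# Constructed example mailbox; replace with the executive mailboxes you care about.
Enable-NonOwnerAudit -Mailbox 'ceo@contoso.example'
Get-ExchangeAuditFindings -Mailboxes 'ceo@contoso.example' -Days 7 | Write-AuditFindingsToEventLog
```

Search-AdminAuditLog only returns entries for cmdlets run after administrator audit logging was enabled, and Search-MailboxAuditLog only for mailboxes where AuditEnabled is true, so the first run mainly confirms the configuration took effect.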
Exchange audit logs need to be monitored and they belong in
your SIEM. Use LOGbinder EX to bridge
the gap.
Please download LOGbinder
today or contact us
for a demo. I’ve also got a
whitepaper that explains Exchange Server’s 3 Audit Logs and how LOGbinder and
your SIEM fit in. Click here to read
the whitepaper.
Fri, 25 Jan 2013 11:16:53 GMT
It’s been a huge project to record, edit, embellish and
enhance but we are finally done.
My 3-day Security
Log Secrets course on the Windows Security Log is now available in my
unique On-Demand,
Interactive format. We call it
“on-demand” because you can take the course anytime. We call it “interactive” to emphasize this is
no passive, couch-potato DVD viewing experience. My On-Demand Interactive courses provide highly
interactive training designed to closely duplicate the live, instructor-led
learning experience.
Security Log Secrets On-Demand Interactive (SLS-OI) is like in-person
training you can take anytime, anywhere:
· Get the same CPE credit
· Get the same courseware
· Watch me teach the same material
· Perform the same hands-on exercises
· If you get stuck, watch me perform the exercise
· Stay engaged with frequent flash quizzes
· Got a question? Ask me via the Q&A forum
Security Log Secrets is fun and fascinating and you can get
the full details of the Security Log Secrets course here,
and my On Demand Interactive training platform here,
but what I want to focus the rest of this email on is how I’m going to help as
many of you as possible get this training. Which of the following fits your
circumstance?
1. For my most loyal webinar attendees, those of you that have attended 50 or more live webinars, you get SLS-OI free, and that’s true going forward from this point. You can get a transcript of your attendance any time. Congrats to: Christopher, “J”, Paul, Peter, Hugo, Steve, Jeff and others! Here’s what to do: Email a copy of your transcript to Bridget at info@ultimateWindowsSecurity.com and enroll using “Purchase Order” as the method. We will take care of the rest. The same goes for the rest of you when you reach 50 live attended webinars.
2. For anyone who has purchased my Security Log Resource Kit in the past, we’re giving you 50% off! Email your coupon code request to Bridget at info@ultimateWindowsSecurity.com and be sure to include the email address used when you purchased the kit so that we can verify. We’ll respond with a coupon code.
3. Are you out of work in this tough economy? I realize you need to keep your skills current but don’t have an employer to assist with the expense. Send Bridget at info@ultimateWindowsSecurity.com some kind of documentation (redacted of course) that verifies your status. If you do that and if you were already on this email list prior to today we will find a way to make it work.
4. Can’t get your boss to pay for the course but have 2 or more colleagues who’d like the course too? Send us an email with how many are in your group and we’ll arrange a group discount. 10% off for everyone for each person in your group up to 50%. Again, email info@ultimateWindowsSecurity.com and Bridget will take care of you.
5. Feeling left out? Feel the love instead. Take 25% off SLS-OI, if purchased in February 2013 with coupon code LOVE.
You get the idea I’m passionate about the security log? I
really want as many people as possible to have professional-grade competence in
this area. It’s good for business, it’s good for the industry, and it’s good
for us geeks.
And don’t let my discounts suggest SLS-OI is expensive. It’s actually about half the cost of other
premium, on-demand infosec training (which, by the way, doesn’t include a
hands-on lab like mine). But we have to
keep the lights on at the UltimateWindowsSecurity.com datacenter, so thanks,
thanks and thanks again for your support!
These discounts are only good through the end of February so
don’t delay.
See you out there keeping the bad guys at bay,
Randy
P.S. Interested in SLS-OI as a long term training resource for everyone in your department? Email pbrander@logbinder.com
with department size and Phil can provide a quote.
Many Questions and Few Answers Regarding Latest Adobe Hack
Tue, 02 Oct 2012 12:47:08 GMT
This code
signing hack at Adobe and the available information still leave a lot of
unanswered questions. No one I’ve talked
to has been able to get to the bottom of it.
Here’s what I have put together.
One of their code-signing servers got hacked and was used to
sign some malicious software. We know of
3 files and their hashes which are listed at http://www.adobe.com/support/security/advisories/apsa12-01.html.
Were other files
signed? We do not know.
How can I protect
against the 3 files we know were signed?
Create Software Restriction Policy rules in Group Policy based on the file hashes.
How can I protect
against any other files that were signed? Intelligent whitelisting – join me
for my webinar tomorrow to learn more.
Can you add the relevant
Adobe certificate to your Untrusted Certificates store? Adobe says doing that won’t stop the malware
signed with the certificate but will create a “negative impact on the user
experience and execution of valid Adobe software signed with the impacted
certificate. Adobe does not recommend using the Untrusted Certificate Store in
this situation.” http://forums.adobe.com/message/4741942#4741942.
What exactly is the “negative
impact”? I assume legit Adobe apps
won’t run…
What do I need to do? Adobe says we need to install updated
versions of about 30 applications. http://helpx.adobe.com/x-productkb/global/certificate-updates.html#main-pars_header_8
What will happen if I
don’t update those applications? What is
the risk of not updating? I can find no explanation at all on this. The FAQ
specifically asks this question but I don’t get much from the answer: Adobe is
issuing updates for all impacted products to provide customers with software
code signed using a new digital certificate. To determine whether an update
signed using a new digital certificate is available for your Adobe software
installation, please refer to Security certificate updates.
I’m going to cover all the issues in more depth in tomorrow’s
webinar and provide short term tactical suggestions and long term strategic
recommendations for this new kind of threat that leverages compromised software
vendor update infrastructures to deliver and/or trick your computers into
running malicious code.
Lumension has agreed to sponsor this webinar and their software
update and application whitelisting experts will be joining me.
Please don’t miss this timely real training for free (TM) session.
New SIEM Synergy Partners over at LOGbinder.com
Fri, 21 Sep 2012 13:07:15 GMT
I just wanted to let you all know that I have a few new partners that have joined our SIEM Synergy Partner Program over at LOGbinder.com. I would like to welcome SolarWinds and Prism Microsystems as certified partners along with our existing partner GFI.
How does this program benefit you as the end user?
At my software company LOGbinder, we've worked closely with these vendors to not only integrate LOGbinder into their SIEM solutions but also package together some prebuilt rules, alerts and reports. This allows you to install LOGbinder in your environment and then have my recommended reports and alerts at your fingertips in no time.
Don't see your SIEM solution listed as a partner?
Not a problem. At LOGbinder we currently have a long list of prospective partners who we are working with to get certified as a SIEM Synergy Partner. Send us an email and let us know who your SIEM solution provider is and we'll let you know if we're already working with them or if we need to reach out to them to get started. Are you a SIEM provider who wants to work with us to get SP, SQL, or EX logs into your SIEM? Simply email us and we'll get the process started.
We have some other important news coming soon so you may want to subscribe to my list over at LOGbinder. Click here to do so.
Non Security: CRM Dynamics Add-Ons I Can't Live Without
Thu, 05 Jan 2012 07:13:03 GMT
Dynamics CRM 2011 keeps us sane here at Monterey Technology Group, Inc as we manage a wide array of product and service offerings with a handful of people. But CRM is missing some key features that seem like no brainers. Thankfully I've found solutions to each (been using them since CRM 4.0) and thought I'd share them.
1. No way to print a quote to PDF and email it from within CRM in one step - crazy I know! Solution: ePDF from http://downloads.mycrmgroup.com/. Incredibly easy to install! Great support!
2. Moving invoices from CRM to QuickBooks. OK this isn't a missing feature but definitely a needed integration link. Solution: Inogics Inolink http://www.inogic.com/integration_quickbooks.htm. Involved install process and you will probably need support but they are responsive and it does work.
3. Converting incoming emails to CRM Queues into Cases - crazy I know! For this I use c360's EmailToCase. Least favorite solution and company out of the 3, but it gets the job done and their support staff do respond.
I think all of these support CRM Online in addition to on-premise.
Need help configuring SQL Server 2008 Audit Policy?
Tue, 15 Nov 2011 15:40:46 GMT
Introducing: LOGbinder SQL - SQL Audit Policy Wizard
Our totally free SQL Audit Policy Wizard steps you through the process of implementing SQL Server 2008 auditing. You can use our recommended baseline audit policy or customize it to fit your requirements.
After you select your SQL Server and fine-tune your desired audit policy, SQL Audit Policy Wizard automatically creates the necessary Server Audit and Server Audit Specification objects on your SQL server and optionally enables them so that auditing begins automatically.
You can also see the actual Transact-SQL generated by the wizard for learning purposes or for further customization. SQL Server 2008 Audit Policy Wizard even allows you to modify existing audit objects.
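To make concrete what such a wizard generates, here is an added example (not the wizard's own output) that creates a Server Audit and a Server Audit Specification with a baseline of privileged-change and failed-login action groups, optionally enables them, and reads the resulting .sqlaudit files back. It assumes the SqlServer or SQLPS module for Invoke-Sqlcmd; the audit name, file path and size limits are constructed placeholders.

```powershell
# Added example, not the SQL Audit Policy Wizard's code. Requires Invoke-Sqlcmd.

function New-BaselineSqlAudit {
    param(
        [Parameter(Mandatory=$true)][string]$ServerInstance,   # e.g. 'SPDEV\SQL08ENT'
        [string]$AuditName = 'Baseline_Audit',                 # constructed name
        [string]$FilePath  = 'C:\SQLAudits\',                  # must already exist on the SQL host
        [switch]$Enable                                        # start auditing immediately
    )
    # Database-level groups placed in a *server* specification apply to every database,
    # which is what a baseline wants. AUDIT_CHANGE_GROUP records tampering with the audit itself.
    $specState = if ($Enable) { 'ON' } else { 'OFF' }
    $sql = @"
USE master;
CREATE SERVER AUDIT [$AuditName]
    TO FILE (FILEPATH = N'$FilePath', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20,
             RESERVE_DISK_SPACE = OFF)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);

CREATE SERVER AUDIT SPECIFICATION [${AuditName}_ServerSpec]
    FOR SERVER AUDIT [$AuditName]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),   -- sp_addrolemember / ALTER ROLE ... ADD MEMBER
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = $specState);
"@
    if ($Enable) { $sql += "`nALTER SERVER AUDIT [$AuditName] WITH (STATE = ON);" }

    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $sql
    return $sql   # the generated T-SQL, for review or further customization
}

# Read the binary audit files back; these rows are the "raw" records a SIEM bridge
# has to translate. Only the fields most useful for alerting are selected.
function Get-SqlAuditEvents {
    param(
        [Parameter(Mandatory=$true)][string]$ServerInstance,
        [string]$FilePattern = 'C:\SQLAudits\*'
    )
    $query = @"
SELECT event_time, action_id, class_type, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file(N'$FilePattern', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $query
}

# Usage (constructed instance name):
# New-BaselineSqlAudit -ServerInstance 'SPDEV\SQL08ENT' -Enable
# Get-SqlAuditEvents   -ServerInstance 'SPDEV\SQL08ENT' | Where-Object { $_.succeeded -eq $false }
```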
Get the wizard now, for free - no trialware expiration, etc.
LOGbinder SQL Beta is released! Join beta testers now
Tue, 01 Nov 2011 17:05:52 GMT
I'm excited to announce that my software company, LOGbinder, has just released LOGbinder SQL as beta. If you need audit logging for SQL Server you will be interested to know about SQL Server 2008's new audit foundation and how LOGbinder SQL allows you to connect SQL's audit capability to your existing SIEM/log management solution:
Introducing LOGbinder SQL
SQL Server 2008 introduced a totally new audit logging facility, which is critical to enterprises storing sensitive information and/or processing important transactions in today’s demanding compliance environment. SQL Server Audit is flexible in terms of audit policy and comprehensive in relation to the breadth and depth of objects and actions that can be audited. However, the audit data generated by SQL Server needs additional refinement and processing before it can be relied upon as a usable audit trail and be managed by your existing log management/SIEM solution.
The audit records generated by SQL Server Audit are cryptic and difficult to understand. Basically, one log record format is used for documenting everything from an insertion on a table to giving a user ownership rights to a database. And while SQL Server can write events to the Security log, it uses the same event ID for all events, and the IDs and keywords are not resolved. Thus, it requires in-depth knowledge of the SQL audit model in order to decipher events.
Our LOGbinder SQL agent enriches SQL Server’s cryptic and generic audit messages to produce easy-to-understand audit log events. Similar to LOGbinder SP, these events can be output to the Security log or a custom Windows event log, where any log management or SIEM solution can collect, alert, report, and analyze. Here is an example of an event:
Raw Audit Event from SQL Server
event_time:2010-09-16 12:35:30.0787755
sequence_number:1
action_id:APRL
succeeded:true
permission_bitmask:0
is_column_permission:false
session_id:54
server_principal_id:260
database_principal_id:1
target_server_principal_id:0
target_database_principal_id:0
object_id:7
class_type:RL
session_server_principal_name: ACMESP\Administrator
server_principal_name: ACMESP\Administrator
server_principal_sid:0
database_principal_name: dbo
target_server_principal_name: ACMESP\Administrator
target_server_principal_sid: 0
target_database_principal_name: public
server_instance_name: SPDEV\SQL08ENT
database_name: AuditTest
schema_name:
object_name: MyAudit
statement: EXEC sp_addrolemember N'MyAudit', N'public'
additional_information:
file_name=c:\sql audits\AuditAll_12633920-FB34-4FAA-8F96-E9F8FED158A9_0_129276798828120000.sqlaudit
audit_file_offset=1536
Same Event After LOGbinder SQL Processing
Event ID: 24020
Add member to database role succeeded
A principal was successfully added to a database role
Action Group: DATABASE_ROLE_MEMBER_CHANGE_GROUP
Occurred: 9/16/2010 12:35:30.0000000 PM
Session ID: 54
User: ACMESP\administrator
Server: SPDEV\SQL08ENT
Database: AuditTest
Member
Name: public
Domain name: n/a
Role
ID: 7
Name: MyAudit
Statement: EXEC sp_addrolemember N'MyAudit', N'public'
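As an added example (not LOGbinder SQL's code), the translation step above can be reproduced in PowerShell: parse the raw key:value record, resolve the action_id and class_type codes, and render the readable form. The code tables here are deliberately partial and are an assumption of this example; the authoritative lists are the DMVs sys.dm_audit_actions and sys.dm_audit_class_type_map on the SQL Server itself. The sample input is the record printed above, abridged.

```powershell
# Added example, not LOGbinder's code: translate a raw SQL Server Audit record.

# Partial code tables (see sys.dm_audit_actions / sys.dm_audit_class_type_map for the rest).
$ActionNames = @{
    'APRL' = 'Add member to database role'; 'DRRL' = 'Drop member from database role'
    'LGIS' = 'Login succeeded';             'LGIF' = 'Login failed'
    'SL' = 'Select'; 'IN' = 'Insert'; 'UP' = 'Update'; 'DL' = 'Delete'
    'G'  = 'Grant';  'D'  = 'Deny';   'R'  = 'Revoke'
}
$ClassNames = @{ 'RL' = 'Role'; 'DB' = 'Database'; 'US' = 'User'; 'SV' = 'Server'; 'U' = 'Table' }

# Parse "key:value" / "key=value" lines into a hashtable. A line with no key is a
# continuation of the previous value (the file_name above wraps that way).
function ConvertFrom-RawSqlAudit {
    param([Parameter(Mandatory=$true)][string]$RawText)
    $record = @{}; $lastKey = $null
    foreach ($line in $RawText -split "`r?`n") {
        if ($line -match '^\s*([a-z_]+)\s*[:=]\s*(.*)$') {
            $lastKey = $Matches[1]; $record[$lastKey] = $Matches[2].Trim()
        } elseif ($lastKey -and $line.Trim()) {
            $record[$lastKey] += $line.Trim()
        }
    }
    $record
}

# Render the record the way a human (or a SIEM rule author) wants to read it.
function Format-SqlAuditEvent {
    param([Parameter(Mandatory=$true)]$Record)
    $actionId = "$($Record.action_id)".Trim()
    $classId  = "$($Record.class_type)".Trim()
    $action = $ActionNames[$actionId]; if (-not $action) { $action = "Unknown action '$actionId'" }
    $class  = $ClassNames[$classId];   if (-not $class)  { $class  = "Object ($classId)" }
    # A failed attempt is usually the more interesting signal for an alert.
    $outcome = if ($Record.succeeded -eq 'true') { 'succeeded' } else { 'FAILED' }
    $lines = @(
        "$action $outcome"
        "Occurred:   $($Record.event_time) (event_time is recorded in UTC)"
        "Session ID: $($Record.session_id)"
        "User:       $($Record.session_server_principal_name)"
        "Server:     $($Record.server_instance_name)"
        "Database:   $($Record.database_name)"
        "${class}:   $($Record.object_name) (ID $($Record.object_id))"
    )
    if (@('APRL','DRRL') -contains $actionId) {
        $lines += "Member:     $($Record.target_database_principal_name)"
    }
    if ($Record.statement) { $lines += "Statement:  $($Record.statement)" }
    $lines -join "`n"
}

# Constructed input: the raw record shown above, abridged to the fields used here.
$raw = @'
event_time:2010-09-16 12:35:30.0787755
action_id:APRL
succeeded:true
session_id:54
object_id:7
class_type:RL
session_server_principal_name: ACMESP\Administrator
target_database_principal_name: public
server_instance_name: SPDEV\SQL08ENT
database_name: AuditTest
object_name: MyAudit
statement: EXEC sp_addrolemember N'MyAudit', N'public'
'@
Format-SqlAuditEvent -Record (ConvertFrom-RawSqlAudit -RawText $raw)
```

Unknown codes are passed through rather than dropped, so a gap in the code table shows up as "Unknown action" in the output instead of a silently missing event.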
Learn more about LOGbinder SQL and download the beta today! Click Here.
Intelligent Whitelisting - A Fundamentally Different Approach to Combating End-point Malware
Tue, 07 Jun 2011 08:44:37 GMT
Endpoint malware is getting more and more sophisticated and
more and more vendors and content/file types are being targeted. The signature
based model of classic antivirus (AV) and the teams and infrastructure behind
it are increasingly stretched to keep up with the pace and sophistication of
today’s financially motivated malware developers.
On the other hand patch management is getting more
complicated as the bad guys target more and more software vendors.
Moreover both patch management and AV are reactive – not proactive.
A fundamentally different approach to combating end-point
malware is application whitelisting. Not
only is application whitelisting proactive but in contrast to the negative
security model used by AV and patch management, whitelisting uses a positive
security model to stop malware.
Traditional approaches to application whitelisting
can prove to be maintenance nightmares, impact productivity and cause
dissatisfaction among end-users.
But these challenges can be overcome by an advanced
implementation of whitelisting that incorporates more intelligence into trust
decisions and that addresses the realities of PC environments.
These thoughts are prompted by the fact that I just
completed a whitepaper for Lumension entitled: “Using
Defense-in-Depth to Combat Endpoint Malware: A Technical Paper”. While researching for this paper I was
impressed with the grasp of the issues that Lumension’s team has on endpoint
security and the challenges associated with whitelisting.
Whitelisting is a challenge because it’s tougher than you
might think to define what software should be allowed to run throughout your
network. Lumension’s Intelligent
Whitelisting takes the concept of a static application whitelist and applies it
to the real world of hundreds or thousands of unique, ever-changing PCs with a
practical approach that provides immediate whitelisting benefits to any
population of PCs without the upfront burden of analysis and testing necessary
with traditional whitelisting. They do
this by:
1. Acknowledging the uniqueness of each PC by implementing an automatically customized local whitelist on each computer.
2. Recognizing trusted agents of change so that patches, enhancements and new applications can be installed without any manual effort required to update whitelist rules.
3. Allowing you to take a more practical, value-driven approach by implementing whitelisting progressively rather than as a point-in-time, do-or-die cutover.
With endpoint malware more dangerous than ever, patch
management and AV remain indispensable defenses but are insufficient by
themselves due to their reactive nature and negative security model. Application whitelisting provides the vital
3rd layer of proactive, positive security model defense.
Please request my whitepaper which expands on these issues
in much more depth. Click here to
get Using Defense-in-Depth to Combat Endpoint Malware: A Technical Paper.
Be the first to take Audit and Assessment of Active Directory – On Demand Interactive and take it at no charge
Tue, 11 Jan 2011 14:14:16 GMT
I am excited to announce that my first On Demand, Interactive course – Audit and Assessment of Active Directory – is now finished and ready for the first trainees. And you have an opportunity to get this training for free if you agree to keep a record of how many hours it takes you to complete the course.
To volunteer fill out this 9 question survey here http://www.surveymonkey.com/s/5NQC3L3
This is the on demand, interactive version of the course I’ve used to help IT auditors learn how to audit AD since AD first came out in 2000. Of course I’ve updated the course many times to keep up with AD over the years. For more information on Audit and Assessment of Active Directory visit: http://www.ultimatewindowssecurity.com/itaudit/training/aaad/default.aspx
My On Demand, Interactive (OI) courses are much more than a mind numbing web based training course. They are the very next best thing to in-person training in the same room.
· Best of Both Worlds - Randy's On-Demand Interactive courses provide the same content as the in-person course without the hassle and expense of travel.
· No Passive DVD Viewing Experience - More than a long, passive DVD viewing experience, On-Demand Interactive are highly interactive training courses designed to closely duplicate the live, instructor-led learning experience.
· Same as Live Training
- Get the same printed courseware
- Watch Randy teach the same material
- Perform the same hands-on exercises.
- If you get stuck, watch Randy perform the exercise.
- Got a question? Ask Randy via the Q&A forum.
For more information on my On Demand Interactive courses visit: http://www.ultimatewindowssecurity.com/training/oioverview.aspx.
There’s one more step in the course development process before I open AAAD-OI for general availability. I need a few of you to take the course for free and keep track of your hours. Then I will average those hours to come up with the number of continuing professional education hours the course provides. This is required in order for the course to qualify for CPE credits for your various certifications.
If you volunteer and are subsequently chosen to take the course and record your time spent in training we won’t charge you. That’s right you’ll get the training for free. If you volunteer but aren’t chosen there is no obligation but I’ll send you a discount coupon code as our way of saying thanks for making yourself available.
To volunteer fill out this 9 question survey here http://www.surveymonkey.com/s/5NQC3L3
Remember, there’s no obligation with filling out the survey except to take the course for free if chosen. If you aren’t chosen we will still send you a discount coupon code as our thanks. Please volunteer now for your chance to get this high quality training for free. Visit http://www.surveymonkey.com/s/5NQC3L3
New Rosetta Audit Logging Kits
Wed, 07 Jul 2010 19:44:13 GMT
My new Rosetta Audit Logging Kits take the guess work out of monitoring security logs and meeting compliance requirements. Learn more here.