Re: LEM Thoughts of the Week: Detecting the Target Breach?
It really makes you wonder, given that this kind of stuff seems obvious, what the barrier to entry is - too much other stuff that it's low priority? Even in the Verizon report people who are collecting...
Re: Volume of syslog/SNMP traps, LEM can handle per hour ??
It's a relatively high volume, but not unheard of for LEM. With rules/alerts you'll probably have to assign more RAM/CPU. You might want to even just to collect it, but it's hard to say, if you're just...
Re: !LEM Thoughts of the Week: Detecting the Target Breach?
I would imagine it's probably overwhelming to try and sift through all that log data for larger corporations. We generally collect around 35-40 million logs a day which I'm sure is a drop in the bucket...
Re: !LEM Thoughts of the Week: Detecting the Target Breach?
I think it is exactly what you have both said, it's "checkbox compliance" as well as just an archive to go back to later. The folks that I talk to here just don't seem to see the potential power...
Re: Connector for Microsoft Threat Management Gateway Will Not Turn On
Thank you, Nicole. I don't see anything in the "LEM Internal Events" that is indicative, but I do find this in the spoplog after trying to turn on the connector: Tue Feb 11 14:14:08 CST 2014) WW:STATUS...
Re: Connector for Microsoft Threat Management Gateway Will Not Turn On
Well, that'll do it. I'll take a look and see what we can do.
Re: Connector for Microsoft Threat Management Gateway Will Not Turn On
Figured it out - the backing code for that connector was released in a hotfix (and subsequent LEM releases). You can download and install the hotfix from here:...
Re: Top 6 SANS Essential Categories of Log Reports 2013 in LEM
There wasn't really a good way to answer this without taking notes on all of them, so here's some (relatively) quick thinking... let me know if you want to drill into any of these or need more...
Re: !LEM Thoughts of the Week: Detecting the Target Breach?
So as this topic has caused me to look even deeper into the world of network forensics I started looking at network recording solutions that capture every packet that flows across the network. Besides...
Re: !LEM Thoughts of the Week: Detecting the Target Breach?
You do see that solution advocated a lot by folks like Richard Bejtlich, who has the Tao of Network Security Monitoring book among others. Where it breaks down in practicality is that logs have an...
Re: !LEM Thoughts of the Week: Detecting the Target Breach?
I actually have the book Tao of Network Security Monitoring sitting on my desk though have actually read very little of it... it's on the list. I took a look at that beta for DPI that you linked to;...
Re: !LEM Thoughts of the Week: Detecting the Target Breach?
Yeah, I think the usage of DPI on the SW side is pretty new, and primarily from a network perspective, not really addressing any of the security use cases yet. Maybe someday. It would also be cool to...
Re: !LEM Thoughts of the Week: Detecting the Target Breach?
I really LIKE the idea of packet analysis and some of the stuff he talks about in his book is really cool (or not detectable in logs), but in all practicality it might be too far down in the...
"Unable to authenticate on manager: TriGeo"
G'Day, I get this now, followed by "Invalid login" every time I try to connect. It was working fine yesterday. I have tried 3 different browsers, and the SIM. I have restarted the manager, rebooted the...
Re: "Unable to authenticate on manager: TriGeo"
So, just want to make sure I have it right - You're trying to access your original SIM appliance, which was working fine yesterday (or are you accessing the new LEM system that you are migrating...
Re: Volume of syslog/SNMP traps, LEM can handle per hour ??
It looks like LEM can handle plenty of events. Do we have any internal tool in LEM to monitor the RAM/CPU resources rather than using Orion? For data storage, it seems LEM is using the FILO method to store the...
Re: !LEM Thoughts of the Week: Detecting the Target Breach?
Here's an update from Krebs with some insight into the HVAC vendor: http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/ Spoiler: they weren't using real-time antivirus....
Re: Volume of syslog/SNMP traps, LEM can handle per hour ??
Right now, there isn't an internal LEM tool - most customers are using the hypervisor to track memory/CPU usage (if you have Orion or Virtualization Manager you could track it there, too). It's hard to...
Re: !LEM Thoughts of the Week: Detecting the Target Breach?
Okay, at some point here we have moved beyond "yeah, they could have done a better job" to just straight up negligence.
Re: Search pattern for file audits on specific server not carried out by one...
As a workaround, you might try building a filter, which is real-time, since I've seen a couple of threads now that don't quite match what you'd expect with nDepth. I'm going to try a couple of things...