Webinar: Anatomy of an Insider Threat

February 27, 2015

Here is a link to another blockbuster we did with Randy Franklin Smith.

In this episode we track down a real-world security incident involving unauthorized access to, and disclosure of, sensitive data residing on a file server. Randy shows how the investigation would be done with native Windows tools. Then I pull back the curtain on IT Search, our most recent invention and the newest feature added to Dell InTrust.

Highly recommended for security managers, IT admins, data analysts and anybody who deals with enterprise security firsthand.




Top 10 Reports for Your Windows Server Environment

February 20, 2015

“Have you hugged your Active Directory today?”

That wouldn’t make much of a bumper sticker, I suppose, but you could say that the health and happiness of your Active Directory were top of mind for us when we packed more than 140 reports into Enterprise Reporter. Continue reading here.

Dell InTrust featured in eWeek

January 22, 2015

Sean Michael Kerner wrote a column, Dell InTrust Aims to Accelerate Security Discovery, in a recent issue of eWeek. It features InTrust and highlights some of the new capabilities added in the latest 11.0 release.

I think that Sean captured the essence of this pivotal release. Here is a good quote:

InTrust 11.0’s enhanced IT search facility enables users to search different types of IT data from a single Web interface. Among the things that the IT search can help discover are answers to user activity questions, including understanding who has access to data, how the access was obtained and how the access was used.

InTrust 11.0, with its IT Search component, goes beyond unstructured textual data in the conventional sense. So now you can not only find the needle in the haystack of logs faster, you can also make sense of all this data by putting it in the context of users, permissions and changes, which makes the picture of user activity so much clearer.

InTrust 11.0 is unveiled

January 20, 2015

I am so excited to witness the birth of a wholly new product!

InTrust 11.0 is not just another major version update. With its IT Search feature it has a lot more to offer customers who face security challenges, struggle with IT compliance requirements or are simply drowning in ridiculous amounts of disparate IT data.

I want to give big applause to everybody who made this release possible: the development teams, marketing, support and everybody who supported the idea from its very inception. I am so happy to take part in building the future.

As always, great talent and excellent execution yield innovative products.


Webinar: Top 10 Windows and AD Security Reports

December 4, 2014

Recently, I had a chance to co-present a webinar with the widely recognized security expert Randy Franklin Smith. The topic was “Top 10 Windows and AD Security Reports”.

In the modern Windows enterprise, with PowerShell, remote management and a configurable GUI, the effort behind automated reporting is easy to underestimate. In this webinar Randy and I show how seemingly simple reports turn into quite a lot of scripting time and specialist knowledge. I then show how Dell Enterprise Reporter addresses the same challenges with built-in customizable reports and embedded knowledge of the Windows infrastructure.

The recording is available through the Dell web site.

Highly recommended for companies and IT professionals that deal with compliance audits and security assessments and want to streamline their day-to-day reporting processes.

Protecting #Point-of-Sale systems – anatomy of the recent #attacks on #retailers

February 4, 2014

We have all heard about the recent successes of cyber criminals at some popular retailers. What the news did not pick up nearly as well is why this happened and what can be done to prevent point-of-sale (PoS) terminals from being compromised.

First of all, why are PoS systems a sweet spot for the authors of malware such as POSRAM and ChewBacca?

There are a handful of reasons.

  • Usually the risk of compromising PoS systems is underestimated. Companies tend to focus their time and IT budget on protecting critical servers and establishing perimeter security, not on their employees’ workstations and PoS terminals.
  • The PoS system is the end device that actually reads the card, so it processes, and sometimes stores, the payment card data that is the goal of the attack.
  • PoS systems need network connectivity to the payment processor to authorize transactions, which in practice often means a path to the Internet.
  • PoS systems are usually installed in locations without dedicated IT staff (store branches, restaurants, service agencies). IT in this case is usually outsourced to a third party that needs remote access to the systems it manages, which creates a security risk.
  • PoS systems are usually connected to workstations that employees are tempted to misuse for browsing the Internet when customer traffic is low.

Now, what can be done to prevent consumer credit card data from being stolen?

What really helps is the autopsy of the affected systems that US-CERT performed in its recent warning to retailers.

Let’s take a closer look and see how this could have been detected and even prevented in the first place.

The US-CERT alert states that the malware used by criminals “parses memory dumps of specific POS software related processes looking for Track 1 and Track 2 data”.

A word of caution on that wording: a memory scraper reads the live memory of the running POS process rather than a dump file on disk, so the scraping itself leaves no file-access trail. What does touch the file system is the genuine crash dumps Windows saves as system-protected files, and the local files in which the malware stages the harvested card data before shipping it out. What if you could track access to those files after they were created? Who would normally need access to this cryptic data?

The official alert further states that “malicious actors could be taking advantage of default credentials to access the systems remotely” and that the malware “exploits default and most likely weak credentials accessible over Remote Desktop”.

So if we could track remote logons under default credentials to PoS systems, we would be much better equipped! Windows already records what is needed: a Remote Desktop session shows up in the Security log as event 4624 with logon type 10, and the account name is right there in the event.

And finally, the news articles suggest that the technique used in the attacks is known as an “advanced persistent threat”, which is no more than a methodical attack targeting multiple systems and stretched out over time.

Can the countermeasure be as simple as alerting on attempts to guess the passwords of privileged accounts like Administrator across all of your PoS terminals and connected workstations? The trick is to count failed logons per account across the whole estate rather than per terminal: a patient attacker spreads a few guesses over many machines, and a per-terminal threshold never fires.
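To make the three checks concrete, here is an added example, written for this page rather than taken from InTrust or from the US-CERT alert, that runs them over a few constructed Windows Security events. The account lists, the five-guesses-in-ten-minutes threshold and the sample records are assumptions; the event IDs (4663 object access, 4624 logon with type 10 for RDP, 4625 failed logon) are the real ones. Note that 4663 is only generated for files whose folder carries a SACL, so the dump folder has to be audited explicitly.

```python
"""Three detection rules for the PoS indicators discussed above, run over a
handful of constructed Windows Security log events. Added example for this
page, not InTrust or US-CERT code. Field names are a simplified flattening of
the real 4624/4625/4663 event data; the sample records are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed lists: accounts that ship on PoS builds or commonly stay at defaults,
# and the only identities expected to open crash-dump files.
DEFAULT_ACCOUNTS = {"administrator", "pos", "posadmin", "micros"}
DUMP_READERS = {"nt authority\\system"}
REMOTE_INTERACTIVE = 10                      # Windows logon type for RDP sessions
BRUTE_FORCE_THRESHOLD = 5                    # failed logons per account ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)   # ... within this window, on any host


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def dump_file_access(events):
    """4663 (object access): a .dmp file was opened by someone outside the
    allow-list. Only logged if the folder carries a SACL."""
    return [("dump_access", e["host"], e["user"], e["object"])
            for e in events
            if e["id"] == 4663
            and e["object"].lower().endswith(".dmp")
            and e["user"].lower() not in DUMP_READERS]


def remote_logon_default_account(events):
    """4624 with logon type 10: an RDP session under a default/vendor account."""
    alerts = []
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == REMOTE_INTERACTIVE:
            account = e["user"].split("\\")[-1].lower()   # strip DOMAIN\ prefix
            if account in DEFAULT_ACCOUNTS:
                alerts.append(("rdp_default_account", e["host"], e["user"], e["src_ip"]))
    return alerts


def brute_force_by_account(events):
    """4625 (failed logon) bursts per account, counted across all hosts: a few
    guesses per terminal on many terminals never trips a per-host threshold."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["user"].split("\\")[-1].lower()].append((_ts(e), e["host"]))
    alerts = []
    for account, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):           # sliding time window
            while attempts[end][0] - attempts[start][0] > BRUTE_FORCE_WINDOW:
                start += 1
            count = end - start + 1
            if count >= BRUTE_FORCE_THRESHOLD:
                hosts = {h for _, h in attempts[start:end + 1]}
                alerts.append(("brute_force", account, count, len(hosts)))
                break                               # one alert per account
    return alerts


def run_all(events):
    return (dump_file_access(events)
            + remote_logon_default_account(events)
            + brute_force_by_account(events))


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"time": "2014-01-20 07:55:12", "host": "POS-0142", "id": 4663,
     "user": "NT AUTHORITY\\SYSTEM", "object": "C:\\Windows\\Minidump\\posapp.dmp"},
    {"time": "2014-01-20 08:00:03", "host": "POS-0142", "id": 4663,
     "user": "STORE\\clerk1", "object": "C:\\Windows\\Minidump\\posapp.dmp"},
    {"time": "2014-01-20 08:02:41", "host": "POS-0142", "id": 4624,
     "user": "STORE\\clerk1", "logon_type": 2, "src_ip": "-"},
    {"time": "2014-01-20 23:14:09", "host": "POS-0142", "id": 4624,
     "user": "POS-0142\\Administrator", "logon_type": 10, "src_ip": "203.0.113.5"},
]
SAMPLE_EVENTS += [
    {"time": "2014-01-20 23:%02d:00" % m, "host": "POS-01%02d" % m, "id": 4625,
     "user": "Administrator", "src_ip": "203.0.113.5"}
    for m in range(1, 6)                            # one guess each on five terminals
]
SAMPLE_EVENTS += [
    {"time": "2014-01-20 08:03:%02d" % s, "host": "POS-0142", "id": 4625,
     "user": "STORE\\clerk2", "src_ip": "-"}
    for s in (10, 40)                               # an ordinary typo, no alert
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Running it produces one alert per rule: the clerk opening the dump file, the Administrator RDP logon, and the Administrator account failing once on each of five terminals within four minutes, which a per-host rule would have ignored.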

Having seen mentions of “security attack” and “advanced persistent threat”, one might think that this is exactly what expensive and cumbersome SIEM solutions are for. In fact, simple-to-use yet effective log management tools like Dell InTrust, which are proven to work on PoS systems, will give you a much faster start and can also integrate with the SIEM solution of your choice if you opt to do so.

What sets InTrust apart is its nimble agent, which can be deployed to tens of thousands of workstations and PoS terminals to do what you should be doing to battle POSRAM-like attacks. From tracking access to critical system files and alerting on attempts to brute-force the passwords of default accounts, to monitoring the use of removable media and recording the details of every remote user session, InTrust has you covered.

Check out the InTrust for Workstations datasheet to learn about other capabilities and how they can keep your PoS systems protected.

Originally published here 

Lessons learned from the trench: counting user clicks can protect you from class action lawsuits

February 21, 2013

In my previous post I gave an example of how logon events can become the cornerstone of a real-life security investigation. It turns out that tracking down the outsourcers an employee hired to break into your network is not the only way this “attribute of every hacker movie” can save organizations a lot of money. Ever thought about how logon events could play a vital role in class action lawsuits? Read on.

The second story is no less interesting. A major telecom provider was featured in a case brought by its call center employees, who felt frustrated with unachievable performance objectives and, of course, underpaid. According to those who filed the class action suit, they had to work off the clock to take care of their email and other preparatory tasks before they logged on to the system to answer calls. Apparently, the company had been employing some kind of time tracking system that compared the employee’s logon time at the beginning of the day with the time they logged off before leaving for the day. Why did this turn out not to be enough?

Well, first of all, this is not solely a technology issue. It may start with the way employees approach their job responsibilities, plan their day and even receive instructions from management. I am not going to dive into that aspect of the problem.

What I do find interesting is how such a time tracking system accounts for what happens in between those two official markers of the day, logon and logoff. What happens when employees finish their calls and take time to check email on their smartphones? What happens when they leave for lunch? What happens when they forget to log off before they leave their workplace for the day? It is no longer only about logons and logoffs, but about counting “periods of user activity” during which employees are actively working in the business application.
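As an added illustration (example code written for this page, not InTrust’s own method), the following turns one user’s day of Windows logon, lock and screensaver events into exactly those periods of activity. The event IDs are the real ones (4800 to 4803 appear only when the “Audit Other Logon/Logoff Events” subcategory is enabled); the sample events, the 18:00 report boundary and the single-user, single-workstation assumption are mine.

```python
"""Turn a day's worth of one user's logon/lock/screensaver events into
"periods of user activity", the quantity the post argues a time tracking
system actually needs. Added example for this page, not InTrust code. Event
IDs are the real Windows Security log IDs (4800-4803 need the "Audit Other
Logon/Logoff Events" subcategory enabled); the sample events are made up and
assumed to belong to a single user on a single workstation."""
from datetime import datetime

LOGON = 4624
LOGOFF = 4634             # logon session destroyed
LOGOFF_INITIATED = 4647   # user-initiated logoff (may arrive without a 4634)
LOCK, UNLOCK = 4800, 4801
SAVER_ON, SAVER_OFF = 4802, 4803


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def active_periods(events, report_end):
    """Return (periods, closed_by_boundary). A period is open while the user is
    logged on, the desktop is unlocked and the screensaver is not running. If
    the day ends with the session still open (the user forgot to log off), the
    last period is closed at report_end and the flag is set for the report."""
    logged_on = locked = saver = False
    periods, active_since = [], None

    def active():
        return logged_on and not locked and not saver

    for e in sorted(events, key=lambda e: e["time"]):
        t, eid = _ts(e["time"]), e["id"]
        was_active = active()
        if eid == LOGON:
            logged_on, locked, saver = True, False, False
        elif eid in (LOGOFF, LOGOFF_INITIATED):
            logged_on = False
        elif eid == LOCK:
            locked = True
        elif eid == UNLOCK:
            locked = False
        elif eid == SAVER_ON:
            saver = True
        elif eid == SAVER_OFF:
            saver = False
        if not was_active and active():
            active_since = t                      # activity starts
        elif was_active and not active():
            periods.append((active_since, t))     # activity ends
            active_since = None

    closed_by_boundary = active_since is not None
    if closed_by_boundary:
        periods.append((active_since, report_end))
    return periods, closed_by_boundary


def active_hours(events, report_end):
    periods, _ = active_periods(events, report_end)
    return sum((b - a).total_seconds() for a, b in periods) / 3600


# Constructed sample day: logon, lunch (locked), screensaver kicking in, and no
# logoff at all because the user walked out with the session open.
DAY_END = _ts("2013-02-15 18:00")
FORGOT_TO_LOG_OFF = [
    {"time": "2013-02-15 08:00", "id": LOGON},
    {"time": "2013-02-15 12:00", "id": LOCK},
    {"time": "2013-02-15 12:45", "id": UNLOCK},
    {"time": "2013-02-15 15:00", "id": SAVER_ON},
    {"time": "2013-02-15 15:10", "id": SAVER_OFF},
]
# A tidy colleague: logon, logoff, nothing in between.
TIDY_DAY = [
    {"time": "2013-02-15 09:00", "id": LOGON},
    {"time": "2013-02-15 17:00", "id": LOGOFF_INITIATED},
    {"time": "2013-02-15 17:00", "id": LOGOFF},
]

if __name__ == "__main__":
    for name, day in (("forgot", FORGOT_TO_LOG_OFF), ("tidy", TIDY_DAY)):
        periods, flagged = active_periods(day, DAY_END)
        print(name, len(periods), "periods,", round(active_hours(day, DAY_END), 2),
              "active hours", "(session still open at report end)" if flagged else "")
```

The first user comes out at three periods and a little over nine active hours with the session flagged as still open at the report boundary; a naive logon-to-logoff calculation would have no logoff to work with at all. The second user gets a single eight-hour period.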

As you can see, logon events can be put to great use in situations you never expect up front. Usually, you have to have technology in place that removes the pain of managing these events from thousands of systems and makes sure you can get meaningful insight from the data when the time comes.

Need references? Check out Dell InTrust, which recently received exciting new features including “superior user logon tracking”. It is superior because it tracks a lot more than native logon and logoff events can. Not only does it capture the exact duration of each user logon session and factor in events like workstation lock, accidental system shutdown and screensaver activity, but it also lets you build daily and weekly reports showing the total time users were actively logged on to their desktops.

With this patent-pending InTrust technology in place, every user check-in and check-out at her desktop is accounted for. By capturing critical user activity data and storing it in a tamper-proof archive, you gain critical evidence admissible in a court of law.

This post was originally published here.

Lessons learned from the trench: outsmarting the boss will not outsmart #eventlogs

February 12, 2013

Just like accountants have to keep company invoices organized in files and protected from sun and moisture, IT admins should take good care of logon events and diligently keep them on a big server in an armored dark room. Who knows when and how they might come in handy.

Storing logon events alone is quite a big deal considering the amount of data you have to cope with. But in this post I want to touch on an even more challenging aspect: making sense of logon events, which, as it turns out, can save you from a lot of trouble.

There was a case study published by the Verizon security team, who were called on site at an unnamed US critical infrastructure company to investigate very strange VPN activity originating from China. As it turned out, an employee referred to as “Bob” had been lazy enough to outsource his work from his office in the US to someone in China, and not smart enough to be subtle about it: he shipped his RSA token overseas so that the outsourcers could access the company’s network on his behalf.

To give Bob credit, his business model went undetected for several years. The guy is described as “Mid-40s software developer versed in C, C++, Perl, Java, Ruby, PHP, Python, etc. Relatively long tenure with the company, family man, inoffensive and quiet. Someone you wouldn’t look at twice in an elevator”. So while he was watching cat videos on Reddit in his well-earned spare time, developers in China were checking in the code of an internal application. We can only guess how much review that code received from Bob and how much room was left for introducing malicious code that could later have been exploited.

But how did the company fail to detect Bob’s side business for so long, given the security exposure it created? And how could it have been detected? Logon events are the key. Obviously, Bob was logging on to the same corporate network as the people in China he paid to do the job. Obviously, those two sets of logons coincided in time more than once. Would not two logon events for the same employee ID from different IPs at the same time have looked suspicious to an IT admin, had he received a report at least once a week? It surely would! And after reading those reports he would be one step away from tracing where exactly those logons were coming from: just take a closer look at the VPN logs.
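Here is what that weekly report could look like in code, as an added example for this page (not InTrust code and not Verizon’s method). It assumes the VPN logs have already been parsed into sessions with a user, a source IP, a start and an end; the records below are constructed and use documentation address ranges.

```python
"""Weekly check for the pattern in the Bob story: one employee ID connected to
the VPN from two different source IPs at the same time. Added example for this
page, not InTrust code or Verizon's method; the session records are made up and
use documentation address ranges."""
from collections import defaultdict
from datetime import datetime
from itertools import combinations


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def concurrent_sessions(sessions):
    """Return one finding per pair of overlapping sessions belonging to the same
    user but originating from different IPs. Overlaps from the same IP (a
    reconnect before the stale session timed out) are ignored on purpose."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"].lower()].append(s)
    findings = []
    for user, recs in by_user.items():
        for a, b in combinations(sorted(recs, key=lambda r: r["start"]), 2):
            if a["src_ip"] == b["src_ip"]:
                continue
            overlap_start = max(_ts(a["start"]), _ts(b["start"]))
            overlap_end = min(_ts(a["end"]), _ts(b["end"]))
            if overlap_start < overlap_end:
                findings.append((user, a["src_ip"], b["src_ip"], overlap_start, overlap_end))
    return findings


def weekly_report(sessions):
    """What an admin would read once a week: users with concurrent logons and
    the total overlapping hours, so a VPN that flapped for a minute sorts
    below an account that is doubled up all day, every day."""
    total = defaultdict(float)
    for user, _, _, start, end in concurrent_sessions(sessions):
        total[user] += (end - start).total_seconds() / 3600
    return sorted(total.items(), key=lambda kv: -kv[1])


# Constructed VPN session records (user, source IP, start, end).
SESSIONS = [
    # bob: the token is in use from two places at once, all day
    {"user": "bob", "src_ip": "198.51.100.23", "start": "2013-01-14 09:00", "end": "2013-01-14 17:30"},
    {"user": "bob", "src_ip": "203.0.113.77", "start": "2013-01-14 09:15", "end": "2013-01-14 16:00"},
    # alice: home in the morning, office in the afternoon, never overlapping
    {"user": "alice", "src_ip": "198.51.100.40", "start": "2013-01-14 08:00", "end": "2013-01-14 12:00"},
    {"user": "alice", "src_ip": "192.0.2.9", "start": "2013-01-14 12:30", "end": "2013-01-14 17:00"},
    # carol: reconnect from the same IP while the old session lingered
    {"user": "carol", "src_ip": "198.51.100.51", "start": "2013-01-14 08:00", "end": "2013-01-14 10:00"},
    {"user": "carol", "src_ip": "198.51.100.51", "start": "2013-01-14 09:50", "end": "2013-01-14 12:00"},
]

if __name__ == "__main__":
    for user, ip_a, ip_b, start, end in concurrent_sessions(SESSIONS):
        print(f"{user}: {ip_a} and {ip_b} both logged on {start:%H:%M}-{end:%H:%M}")
    print(weekly_report(SESSIONS))
```

Only bob shows up, with six and three quarter hours of doubled-up time; alice’s two locations never overlap and carol’s reconnect is from the same address. The same pairing logic works on Windows 4624 events with a source address once they are grouped into sessions, which is the harder part in practice.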

You might wonder if there is technology you can rely on to bring similar incidents to your attention and possibly prevent them. Web search results will promptly suggest a battery of SIEM vendors that boast automatic security incident detection and resolution. Although that might pay off for the most common patterns of attacker behavior, incidents like this one would usually go unnoticed by a SIEM. The only practical way to battle them today is to put the right forensic analysis tools in the hands of a human being and let the combination of technology and the human brain find the needle in the haystack.

Dell InTrust is a perfect example of such technology. Unlike traditional SIEM solutions, it zeroes in on interactive analysis of diverse event data, capturing all aspects of user activity. Thanks to its revolutionary event compression and indexing, you can easily sift through billions of event records in a matter of seconds. More importantly, you won’t have to seek the advice of event log experts every time you encounter an unfamiliar event. InTrust and its integration with Dell ChangeAuditor let you speak the simplified event log language: who did what, when, where and from which workstation.

This is just one example that shows how strong forensic analysis and rich event data, specifically around logon activity, can save companies a lot of money and even protect their IP. In my next blog post I’ll continue on this topic and share another lesson learned from the trenches.

The post was originally published here.


Linking Logon/Logoff Events and Everything in Between

January 10, 2013

Webcasts are always fun. Webcasts with the recognized Windows Security log expert Randy Franklin Smith are double the fun!

Last year Randy and I did one on a topic that never seems to fade away: logon/logoff events. If you want to take a deep dive into the mysterious world of logon/logoff events in Windows, understand what you can and cannot get from the native events, and watch a “Breaking Bad”-like IT investigation episode with rogue admins as suspects, logon events as evidence and Dell Quest products as intelligence tools, you had better watch this recording: Linking Logon/Logoff Events and Everything in Between.

I really enjoyed this one. Great host, great audience, great questions and of course great technology!

Big Data in the Cloud

December 25, 2012

It is hard to say which of the two buzzwords tops IT news today, Big Data or Cloud. It is much easier to see how the two can play nicely together.

Big Data symbolizes the explosion of computer-generated data, which is said to double every year, outgrowing the capacity of IT data centers. Trying to cope with ever increasing data volumes and make sense of the data, companies find themselves in desperate need of large-scale data aggregation, processing and analysis tools.

I won’t dare give yet another definition of something as multi-faceted as Cloud. Let me instead summarize a few of its inherent capabilities, representing different levels of the cloud stack:

– On demand resource provisioning

This is the key attribute of IaaS clouds, where you can request CPU, memory and storage resources based on application demand and release them when they are no longer needed. This is by far the most important benefit IT professionals realize from the Cloud today.

– Scalable data processing

Thanks to the bloom of open source technologies such as Hadoop’s implementation of MapReduce, and their various commercial derivatives, scalable data processing is becoming part of the cloud development platform, or PaaS. It lets application vendors harness practically unlimited cloud resources to perform complex computational tasks on the data.

– Rich data analytics services

The underlying cloud infrastructure has enabled a plethora of cloud services, collectively known as SaaS, that use on-demand resources and scalable data processing algorithms to exploit domain-specific knowledge and provide actionable insight into data of different kinds.

Looking at all these features of the cloud, it becomes apparent that it has a lot to do with big data and that the latter can be managed well in the cloud. Here are just a few examples that show how big data problems can be solved effectively in the cloud.

1. Cloud-based data migration services are a natural fit, especially if the migrated data itself finds a new home in the cloud.

OnDemand Migration for Email is a cloud-based service from Quest Software that automates the migration of large on-premises email workloads, such as Microsoft Exchange mailboxes, to cloud-based email systems like Microsoft Office 365. The service relies on the elasticity of Microsoft Azure to provide unique benefits to its customers, such as predictable project deadlines, controlled costs and ease of migration. Since the migrated data ultimately settles in a secure cloud email system, this largely alleviates concerns about the security of data entrusted to the cloud service for the duration of the migration.

2. Application performance monitoring services like Quest Software’s Project Lucy exploit the multi-tenant nature of cloud-based services to define the “golden standard” of application performance and pinpoint performance degradation long before it adversely affects users. Project Lucy correlates application performance metrics and configuration snapshots collected from its entire customer base, something that would never be possible for application performance monitoring solutions isolated within a customer’s own data center. Cloud skeptics are left with little to be concerned about here: no personally identifying data leaves organizational boundaries, and only averaged-out application performance metrics and anonymized configuration options get sent to the cloud.

3. Managed SIEM services like Dell SecureWorks also find good use for cloud technology in the threat monitoring use case. A SIEM needs to boil down overwhelming amounts of logs generated by applications, systems and network devices to detect and respond to security threats. There are two ways to do that: matching patterns of known malicious activity, and continuously evaluating user behavior profiles to catch advanced persistent threats. Both tasks are very resource-intensive and prone to false positives. A cloud-based SIEM can leverage dynamic resource provisioning and cross-customer threat correlation to significantly reduce the false positive rate while ensuring adequate resources to deal with spikes in log volume.


Don’t get me wrong. Cloud is not a panacea for all big data issues. There are many factors that have to be carefully considered before letting your data rest on the shoulders of the mighty cloud: data privacy and ownership, data retention costs and cloud provider SLAs, to name just a few. However, there are quite a few cases where cloud-based services can help you manage and make sense of the data, and I think it is safe to say that we’ll see more of those services in the future.