Posts Tagged ‘SIEM’

Protecting #Point-of-Sale systems – anatomy of the recent #attacks on #retailers

February 4, 2014

We have all heard about the recent successes of cyber criminals at some popular retailers. What the news did not cover nearly as well is why this happened and what can be done to prevent these Point-of-Sale (PoS) terminals from being compromised.

First of all, why are PoS systems such a sweet spot for the authors of POSRAM and ChewBacca malware?

There are a handful of reasons behind it.

  • The risk of compromising PoS systems is usually underestimated. Companies tend to spend their time and IT budget on protecting critical servers and on perimeter security, not on their employees' workstations and PoS terminals.
  • The PoS system is the end device that actually swipes the card, so it processes, and sometimes stores, exactly the payment card data the attackers are after.
  • PoS systems need network connectivity to payment processors and card brand authorization networks such as VISA, and in practice that means they can reach the Internet and are often reachable from it.
  • PoS systems are usually installed in locations without dedicated IT staff (store branches, restaurants, service agencies). IT in these cases is usually outsourced to a third party that needs remote access to the systems it manages, which creates a security risk.
  • PoS systems usually share a network with back-office workstations, which employees are tempted to misuse for browsing the Internet when customer traffic is low.

Now what can be done to prevent consumer credit card data from being stolen?

What really helps is the analysis of the affected systems that US-CERT published in its recent alert to retailers.

Let’s take a closer look and see how this could have been detected and even prevented in the first place.

The US-CERT alert states that the malware used by the criminals “parses memory dumps of specific POS software related processes looking for Track 1 and Track 2 data”.

Memory dumps are usually saved on the file system as system-protected files. What if you could track access to those files after they are created? Who would normally need access to this cryptic data? Keep in mind, though, that a memory scraper can read the memory of a running PoS process in place without ever writing a dump file to disk, so file access auditing is one signal among several: it needs to be paired with watching for unexpected processes on the terminal and with the logon tracking discussed below.

The official alert further states that “malicious actors could be taking advantage of default credentials to access the systems remotely” and that the malware “exploits default and most likely weak credentials accessible over Remote Desktop”.

So, if we could track remote logons to PoS systems under default credentials, we would be much better equipped!

And finally, news articles describe the technique used in the attacks as an “advanced persistent threat”, which in practical terms means a methodical, multi-stage attack that targets many systems and stretches out over time rather than a single smash-and-grab.

Can the countermeasure be as simple as alerting on attempts to guess the passwords of privileged accounts such as Administrator across all of your PoS terminals and connected workstations?
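To make the three signals above concrete, here is an added example (not code from the original post, nor from InTrust) that runs simple detection logic over a handful of constructed Windows Security log records: failed logons (event ID 4625), successful logons (4624) and logon type 10, which is Remote Desktop. The list of default accounts, the thresholds and the sample events are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: which accounts count as "default" or privileged is site specific.
DEFAULT_ACCOUNTS = {"administrator", "admin", "guest", "pos"}
RDP_LOGON_TYPE = "10"   # Windows LogonType 10 = RemoteInteractive (Remote Desktop)


def ev(ts, host, event_id, user, logon_type, src):
    """Build one record with the Security log fields the rules need."""
    return {"time": datetime.fromisoformat(ts), "host": host, "event_id": event_id,
            "user": user, "logon_type": logon_type, "src": src}


# Constructed sample (not real data): one external source guesses the Administrator
# password on two terminals, then gets in over Remote Desktop on the second one.
# The last two records are ordinary local activity that must not raise an alert.
SAMPLE_EVENTS = [
    ev("2014-01-15T02:00:01", "POS-101", 4625, "Administrator", "10", "203.0.113.7"),
    ev("2014-01-15T02:00:09", "POS-101", 4625, "Administrator", "10", "203.0.113.7"),
    ev("2014-01-15T02:00:15", "POS-101", 4625, "Administrator", "10", "203.0.113.7"),
    ev("2014-01-15T02:00:22", "POS-101", 4625, "Administrator", "10", "203.0.113.7"),
    ev("2014-01-15T02:00:30", "POS-101", 4625, "Administrator", "10", "203.0.113.7"),
    ev("2014-01-15T02:01:02", "POS-102", 4625, "Administrator", "10", "203.0.113.7"),
    ev("2014-01-15T02:01:10", "POS-102", 4625, "Administrator", "10", "203.0.113.7"),
    ev("2014-01-15T02:01:44", "POS-102", 4624, "Administrator", "10", "203.0.113.7"),
    ev("2014-01-15T09:15:00", "POS-101", 4624, "cashier1", "2", "-"),
    ev("2014-01-15T23:30:00", "POS-103", 4625, "cashier2", "2", "-"),
]


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one source fails to log on as a default/privileged account
    `threshold` times within `window`, counted across every terminal rather
    than per host, so a slow sweep over the estate is still visible."""
    recent = defaultdict(list)   # (src, user) -> failure times inside the window
    peak = defaultdict(int)      # (src, user) -> most failures seen in any window
    hosts = defaultdict(set)     # (src, user) -> terminals targeted
    for e in sorted(events, key=lambda r: r["time"]):
        if e["event_id"] != 4625 or e["user"].lower() not in DEFAULT_ACCOUNTS:
            continue
        key = (e["src"], e["user"].lower())
        times = recent[key]
        times.append(e["time"])
        while e["time"] - times[0] > window:   # slide the window forward
            times.pop(0)
        peak[key] = max(peak[key], len(times))
        hosts[key].add(e["host"])
    return [{"rule": "password_guessing", "src": src, "user": user,
             "failures": peak[(src, user)], "hosts": sorted(hosts[(src, user)])}
            for (src, user) in peak if peak[(src, user)] >= threshold]


def detect_default_remote_logons(events):
    """Alert on every successful Remote Desktop logon under a default account."""
    return [{"rule": "default_account_rdp", "host": e["host"], "user": e["user"],
             "src": e["src"], "time": e["time"].isoformat()}
            for e in events
            if e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE
            and e["user"].lower() in DEFAULT_ACCOUNTS]


def run_detections(events):
    """Combine both rules: a remote logon from a source that was just guessing
    passwords is the pattern the alert describes, so it is escalated; a lone
    remote logon under a default account is still reported, at lower severity."""
    guesses = detect_password_guessing(events)
    logons = detect_default_remote_logons(events)
    guessing_sources = {a["src"] for a in guesses}
    for a in logons:
        a["severity"] = "high" if a["src"] in guessing_sources else "medium"
    return guesses + logons


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Feeding this real data means exporting 4624 and 4625 events from each terminal's Security log (the source address is in the IpAddress field and the logon type in LogonType). The thresholds have to be tuned per site, and a legitimate contractor logging in over Remote Desktop as Administrator will still show up at medium severity, which is exactly the kind of session worth recording.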

Having seen mentions of “security attack” and “advanced persistent threat”, one might think that this is exactly what expensive and cumbersome SIEM solutions are for. In fact, simple to use yet effective log management tools like Dell InTrust, which are proven to work on PoS systems, give you a much faster start and can integrate with the SIEM solution of your choice if you opt to do so.

What sets InTrust apart is its nimble agent, which can be deployed to tens of thousands of workstations and PoS terminals to do what you should be doing to battle POSRAM-like attacks: tracking access to critical system files, alerting on attempts to brute-force the passwords of default accounts, monitoring the use of removable media and recording the details of every remote user session. InTrust has you covered.

Check out the InTrust for Workstations datasheet to learn about its other capabilities and how they can keep your PoS systems protected.

Originally published here 


Big Data in the Cloud

December 25, 2012

It is hard to say which of the two buzzwords tops IT news today: Big Data or Cloud. It is much easier to see how the two can play nicely together.

Big Data symbolizes the explosion of computer-generated data, which is said to double every year, outgrowing the capacity of IT data centers. Trying to cope with ever increasing data volumes and make sense of the data, companies find themselves in desperate need of large-scale data aggregation, processing and analysis tools.

I won’t dare to give yet another definition of such a multi-faceted thing as Cloud. Let me instead summarize a few of its inherent capabilities, representing different levels of the cloud stack:

– On demand resource provisioning

This is a key attribute of IaaS clouds, where you can request CPU, memory and storage resources based on application demand and release them when they are no longer needed. This is by far the most important benefit IT professionals realize from the Cloud today.

– Scalable data processing

Thanks to the bloom of open source technologies such as Hadoop’s implementation of MapReduce and their various commercial derivatives, scalable data processing is becoming a part of the cloud development platform, or PaaS. It lets application vendors harness practically unlimited cloud resources to perform complex computational tasks on the data.

– Rich data analytics services

The underlying cloud infrastructure has enabled a plethora of cloud services, collectively known as SaaS, that use on demand resources and scalable data processing to apply domain-specific knowledge and provide actionable insight into data of many different kinds.

Looking at all these features of the cloud, it becomes apparent that it has a lot to do with big data and that the latter can be managed well in the cloud. Here are just a few examples of how big data problems can be solved effectively in the cloud.

1. Cloud based data migration services are a natural fit, especially if the migrated data itself finds a new home in the cloud.

OnDemand Migration for Email is a cloud based service from Quest Software that automates the migration of large on-premises email workloads, such as Microsoft Exchange mailboxes, to cloud based email systems like Microsoft Office 365. The service relies on the elasticity of Microsoft Azure to provide its customers with predictable project deadlines, controlled costs and ease of migration. Since the migrated data ultimately settles in a cloud email system anyway, concerns about entrusting the data to a cloud service for the duration of the migration are largely alleviated, although the migration service still handles mailbox contents and credentials in transit and deserves the same scrutiny as any other processor of that data: how it is encrypted in transit, how long it is staged and who can access it.

2. Application performance monitoring services like Quest Software’s Project Lucy exploit the multi-tenant nature of cloud based services to define a “golden standard” of application performance and pinpoint performance degradation long before it adversely affects users. Project Lucy correlates application performance metrics and configuration snapshots collected from its entire customer base, something that would never be possible for an application performance monitoring solution isolated within a single customer’s data center. Cloud skeptics have little to be concerned about here: no personally identifiable data leaves organizational boundaries, and only averaged application performance metrics and anonymized configuration options are sent to the cloud. Even so, it is worth reviewing exactly which configuration values are collected, since details such as host names or unusual settings can identify a customer even when the data is nominally anonymous.

3. Security monitoring services like Dell SecureWorks also find a good use for cloud technology in the threat monitoring use case. A SIEM has to reduce the overwhelming volume of logs generated by applications, systems and network devices to something it can act on in order to detect and respond to security threats. There are two ways to do that: matching patterns of known malicious activity, and continuously evaluating user and system behavior against a baseline profile, which is how slow, low-profile intrusions such as advanced persistent threats are caught. Both tasks are very resource intensive and prone to false positives. A cloud based SIEM can leverage dynamic resource provisioning and cross customer threat correlation to significantly reduce false positives while ensuring adequate resources to deal with spikes in log volume.
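As an added example (not code from the original post or from any of the products named), here is the cross customer threat correlation from item 3 written as a small MapReduce job of the kind described under scalable data processing above: the map step emits one (indicator, tenant) pair per alert, the shuffle groups them, and the reduce step counts how many distinct tenants saw each indicator, which is then used to re-rank each tenant's alerts. The alerts are constructed sample data and the scoring thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample (not real data): alerts already raised by each tenant's own
# rules, each carrying the indicator (a source address or a domain) that fired it.
SAMPLE_ALERTS = [
    {"tenant": "retailer-a",   "rule": "rdp_bruteforce", "indicator": "203.0.113.7"},
    {"tenant": "retailer-a",   "rule": "rdp_bruteforce", "indicator": "203.0.113.7"},
    {"tenant": "retailer-b",   "rule": "rdp_bruteforce", "indicator": "203.0.113.7"},
    {"tenant": "restaurant-c", "rule": "rdp_bruteforce", "indicator": "203.0.113.7"},
    {"tenant": "retailer-a",   "rule": "rdp_bruteforce", "indicator": "198.51.100.20"},
    {"tenant": "retailer-b",   "rule": "odd_dns_lookup", "indicator": "updates.example.net"},
    {"tenant": "retailer-b",   "rule": "odd_dns_lookup", "indicator": "updates.example.net"},
]


def map_alert(alert):
    """Map step: one (key, value) pair per input record. In a Hadoop-style job
    this runs independently on each input split, so it must not depend on any
    other record."""
    yield alert["indicator"], alert["tenant"]


def shuffle(pairs):
    """Shuffle step: group every value under its key (what the framework does
    between map and reduce)."""
    groups = defaultdict(list)
    for key, value in pairs:
        groups[key].append(value)
    return groups


def reduce_prevalence(indicator, tenants):
    """Reduce step: how widely (distinct tenants) and how often an indicator was seen."""
    return {"indicator": indicator, "tenants": len(set(tenants)), "sightings": len(tenants)}


def run_job(records, mapper, reducer):
    """Drive the three steps over an in-memory list; the shape is the same when
    the records are sharded across many workers."""
    pairs = (pair for record in records for pair in mapper(record))
    return {key: reducer(key, values) for key, values in shuffle(pairs).items()}


def rescore(alerts, prevalence, campaign_min_tenants=3):
    """Use cross tenant prevalence to re-rank each tenant's alerts. An indicator
    hitting several unrelated tenants is almost certainly a real campaign; one
    seen exactly once, at one tenant, is where most false positives live.
    The thresholds are assumptions to be tuned per service."""
    scored = []
    for alert in alerts:
        p = prevalence[alert["indicator"]]
        if p["tenants"] >= campaign_min_tenants:
            severity, reason = "high", f"seen at {p['tenants']} tenants"
        elif p["sightings"] == 1:
            severity, reason = "low", "single sighting at a single tenant"
        else:
            severity, reason = "medium", "repeated at one tenant only"
        scored.append(dict(alert, severity=severity, reason=reason))
    return scored


if __name__ == "__main__":
    prevalence = run_job(SAMPLE_ALERTS, map_alert, reduce_prevalence)
    for a in rescore(SAMPLE_ALERTS, prevalence):
        print(a["tenant"], a["indicator"], a["severity"], a["reason"])
```

The point of the map/shuffle/reduce split is that only the tiny (indicator, tenant) pairs cross worker boundaries, never the raw logs, so the job scales with the number of alerts rather than the log volume, and no single tenant's detail is needed to compute what every tenant benefits from.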


Don’t get me wrong: the Cloud is not a panacea for all big data issues. There are many factors that have to be carefully considered before letting your data rest on the shoulders of the mighty cloud: data privacy and ownership, data retention costs and cloud provider SLAs, to name just a few. However, there are quite a few cases where cloud based services can help you manage and make sense of the data, and I think it is safe to say that we will see more of those services in the future.

Event Log Management as a Service

May 12, 2010

One of the exciting projects I’ve been involved in at Quest is the whole SaaS initiative called Quest OnDemand in general, and the Event Log Management Service built on top of it, named InTrust OnDemand, in particular. InTrust OnDemand was first announced at PDC at the end of 2009. Now the service is in limited beta and applications can be submitted through

Dmitry Sotnikov did an excellent job whiteboarding the OnDemand framework architecture and performing a live demo of it. Inspired by his demo and videos like this, I thought it would make sense to record a 5-minute walkthrough of InTrust OnDemand that would give those of you awaiting approval of your beta application an idea of what the service is.

Here is what I came up with after endless attempts to narrate it in a good enough voice without too much accent and background noise. It still leaves much to be desired but hopefully hits the goal. You be the judge.


April 30, 2010

Hi there!

I’m very excited, yet a little bit confused, to start my professional blog. The main idea of the blog is to explore and develop my areas of interest, which include Software as a Service (SaaS), Security Information and Event Management (SIEM), Information Security and Systems Management in general.

Today I’m a Senior Program Manager at Quest Software, a smart systems management company. My job lets me stay on the edge of new technologies and explore what hides behind buzzwords like the one Cloud Computing has become these days. I hope you’ll be hearing a lot from me on this topic later on.

I hope that anyone who happens to read this blog will find the content useful. After all, I don’t find it worthwhile to write for the sake of writing. So your feedback and comments are greatly appreciated.

Stay tuned.