Efficient cyber investigations

Many organizations today are not equipped to defend against traditional cyberattacks, as demonstrated by the ever-increasing numbers of successful breaches reported daily – the Privacy Rights Clearinghouse’s latest number is 900,875,242 records breached in 5,165 attacks over the past decade – and that’s U.S. only.

Even the largest companies appear to be less equipped to deal with more sophisticated cyberattacks, like the latest IoT-based Mirai DDoS attack or the attacks detected months or years after the initial breach, such as the Yahoo and Dropbox attacks.

Inundated by alerts, analysts lack the automated and intelligence-driven processes to hone in on attacks across the kill chain and breaches continue far too long. To address this fundamental mismatch, organizations need a new perspective on the way they detect and respond to attacks.

Like police investigations in the real world, every cyber investigation starts with a lead upon which a hypothesis is built. As more evidence is gathered in the field, the case continues to build until investigators can confirm or refute the direction of the investigation. This process is iterative until a conclusion is reached, and it must be thoroughly documented for future reference. This same process needs to be followed when investigating a cyberattack.

Organizations can improve their detection, investigation and response processes and enable analysts to hone in on and stop cyberattacks more efficiently with these simple steps.

Automate where it hurts the most

To really make a difference, saving time and resources, you need to automate the time-consuming analysis and investigation stages and not just the response. By automating the collection and analysis of leads across your security infrastructure, you can reduce the number of alerts and confirm real incidents worthy of investigation. Not only will this alleviate alert overload, it sharpens the skill set of less experienced analysts and frees senior analysts to focus on the complex, sophisticated attacks where human judgment is required.

Document everything to show the evidence and the rationale

Documentation is essential to presenting the chronology and context of an event, including situational and environmental information, such as initial findings, areas affected and evidence to support the incident storyline. Particularly in automated investigations using machine-based analysis, it is critical to document what decisions were made during the investigation process and why. Visualization tools create representative pictures that “connect the dots,” ensuring that analysts get a complete picture without missing critical details.

This information is important when a complex incident is handed off for manual investigation as well as scenarios where an investigation is passed from one analyst to another. With all evidence fully documented, security teams are better equipped to make decisions, conduct shift handover, and create managerial reports.

Combine the strengths of humans and machines

Machine-based analysis is essential for productivity and for allowing professionals to focus their skills on the more complex tasks where human experience and intuition are needed. Machines can be built to simulate the way humans investigate – automatically take a lead and confirm or refute it by gathering intelligence from multiple sensors. Once the machine has collected all the relevant pieces of evidence and automatically pieced them together into an incident, humans can use their judgment to add new leads and evidence to the incident. In a continuous, self-learning process, this new evidence can be fed back into the machine, which applies it to past and future analyses to improve threat detection.

Collect the right information

Savvy attackers use multiple methods and vectors – such as malware, phishing and social engineering – to reach their targets. They study your network topology and find the weak points in your defenses. To address this challenge, your security coverage needs to consider multiple elements including network topology, attack chain and IT assets. Whether your organization has one central site or multiple campuses, you need visibility into traffic coming into each site and among sites using a variety of attack vectors.

In terms of the attack chain, it’s becoming increasingly difficult to detect attacks at the perimeter due to the many ways in. Therefore, you need to be able to identify and verify indicators of compromise across the attack chain through detection of lateral movement and command and control communications. Your IT assets, such as endpoints, servers and files, should also be protected using endpoint analytics and forensics.

Create unified workflows and a seamless investigation workspace

Once all the evidence has been gathered from multiple sensors across your network, it needs to be brought together and presented to the investigator in a coherent and logical manner designed for attack representation. Unified workflows and a single workspace enable analysts to access information from every sensor and perform network and endpoint forensics as needed to build the attack story.

Use machines to model how attackers operate and simulate the way analysts investigate

The key to boosting the efficiency of cyber analysts is to provide them with better insight into raw data to simplify the decision-making process. Start by modeling an attack – the attack surface, the attack components, steps, methods, technology – and how all those might be linked into an attack operation. Then focus on the human investigation workflow so you can mimic it properly and scale it up with accuracy. For example, how to dissect leads into individual pieces of forensic information that can be fused, correlated, triaged and connected into an incident view or how to decide which forensic query option is the best next step at each point in the investigation flow. Then you need to figure out how to interpret and apply the results.

Holistically applying these principles to design, implementation, data modeling, APIs, user interfaces and other components will result in a purpose-built, mission-centric defense system that makes your analysts more effective and productive.

The time has come for a new approach to cyber defense – let the automated system do the heavy lifting, and then empower your analysts to use their intuition and experience to stop the attacks in their tracks.

Help Net Security

Oracle on Monday announced it is buying Dyn, a Web traffic management firm recently hit with a cyber attack that closed off the internet to millions of users.

Business software and hardware titan Oracle did not disclose financial terms of the deal to acquire US-based Dynamic Network Services Inc, or Dyn.

Oracle planned to enhance its own offerings with Dyn's expertise in monitoring, controlling, and optimizing cloud-based internet applications and managing online traffic.

"Dyn's immensely scalable and global DNS is a critical core component and a natural extension to our cloud computing platform," Oracle product development president Thomas Kurian said in a release.

Dyn was the target of cyber attacks that pounded the underpinnings of the internet in October, crippling Twitter, Netflix and other major websites with the help of once-dumb devices made smart with online connections.

The onslaught incapacitated a crucial piece of internet infrastructure, taking aim at a service entrusted to guide online traffic to the right places by turning website names people know into addresses computers understand.

The hacker was probably a disgruntled gamer, an expert whose company closely monitored the attack said last week.

Dale Drew, chief security officer for Level 3 Communications, which mapped out how the October 21 attack took place, told a Congressional panel that the person had rented time on a botnet -- a network of web-connected machines that can be manipulated with malware -- to level the attack.

Using a powerful malicious program known as Mirai, the attacker harnessed some 150,000 "Internet of Things" (IoT) devices such as cameras, lightbulbs and appliances to overwhelm Dyn systems, according to Drew.

Dyn has more than 3,500 customers including Netflix, Twitter, and CNBC, making tens of billions of online traffic optimizing decisions daily, according to Oracle.


© AFP 2016


SecurityWeek RSS Feed

In the U.S., the post-Thanksgiving shopping blitz of Black Friday often serves as a make-or-break event for many retailers. Indeed, Black Friday is the day when retailers start to make a profit for the year.

No further explanation is needed to understand why retail cybersecurity is so important. Since the arrival of the browser, online shopping has evolved. In 2005, the National Retail Foundation (NRF) coined the term Cyber Monday to describe the Monday after Thanksgiving and Black Friday, and over the years it has evolved into a major concern for security-conscious businesses.

Retail Cybersecurity Is a Big Deal

According to Practical Ecommerce, the 2015 shopping weekend saw billions of dollars of sales, of which more than $10.4 billion was attributed to in-store sales and $5.77 billion to online sales. Meanwhile, comScore reported nearly $70 billion in desktop and mobile online sales between Nov. 1 and Dec. 31, 2015.

Everyone knows that criminals follow the money. Before the internet, we read about robberies of brick-and-mortar establishments. Now, with an anticipated $70-plus billion in online sales in just a 60-day period, we find that criminals have adjusted and moved online. In 2014, the number of daily attacks decreased during the timeframe surrounding Black Friday and Cyber Monday. Similarly, 2015 saw no major upticks in cybercrime, though small and medium-sized businesses found themselves in the bull’s-eye.

Verizon’s “2016 Data Breach Investigations Report” noted that “around 90 percent of all security incidents in the retail sector involved denial-of-service (DoS), point-of-sale (POS) or web app attacks.” The report explained that it took 79 percent of the organizations weeks or more to recognize that a crime occurred. In contrast, the holiday shopping period lasts for only eight weeks.

Passing on Passwords

Retailers should update their technologies. Security experts have been imploring retailers to move away from password-only environments. A 2012 Institute of Electrical and Electronics Engineers (IEEE) paper titled “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes” describes the ongoing, decades-old struggle to replace passwords with other authentication tools.

We asked John Haggard, chief executive officer (CEO) of Nymi and a global authority on authentication, for his thoughts on how retailers might protect themselves and, by extension, their customers. Here’s what he had to say:

“The single biggest corrective step an organization can make to secure its environment is to ensure all identities, including employees, partners, customers and especially machines, are correctly authenticated. This sounds simple, but it is incredibly difficult to break the addiction to passwords that is the current champion of authentication.

“What’s worse, the industry is getting organizations hooked on the multifactor alternative, which is arguably worse in today’s environment. With passwords, everyone knows the problem. With one-time codes, organizations believe they have plugged the hole when in fact they haven’t. Despite this warning, organizations should set a key objective that simply states, ‘Authenticate correctly and effortlessly.’

“This likely will never be solved 100 percent for any given period of time, therefore a constant evaluation of the authentication position can be captured by reviewing the data on incorrect authentications. A full 63 percent of breaches can be traced back to this issue, according to the Verizon study. The name of the game is to reduce the attack profile while preserving productivity.

“Passwords are in the red (as in your blood red), one-time passwords (OTPs) are yellow/red and Fast ID Online (FIDO) authenticators are green. Start by setting the objective and developing discipline to understand issues and then support vendors that are trying to help you get there. You get to give feedback and request/demand improvements — staying stuck isn’t a good strategy.”

POS systems are a primary area of concern. Every retailer should separate its POS infrastructure from its corporate infrastructure. Tripwire recommended including monitoring and two-factor authentication for all users accessing the POS environment in addition to segregating the infrastructure.

This begs the question, would retailers know if their POS infrastructure was compromised? Do they have a plan to respond to indicators of compromise? Does your response plan affect your ability to conduct commerce?

Customer Trust and Engagement

The NRF created a comprehensive playbook for its members that highlighted three key areas in which retailers need to focus: trust, community and anticipation. Customers will quickly lose trust in retailers that don’t focus on securing their environments and technologies.

How retailers engage their customers will speak volumes about how seriously they take security. Are you asking the customer to provide data that you are not able to protect? Do you send emails containing hotlinks to get your customer to click and buy? Do your privacy and terms of service statements clearly articulate how you protect customers’ data? Can customers quickly engage with your support teams if they report cybercrime? Are your support teams trained to handle social engineering attempts to access customer accounts?

Improve Online Habits for the Holidays

First and foremost, only deal with retail organizations you trust. Understand how they operate. More importantly, understand that every entity can be spoofed in email or online.

Practice good online hygiene as part of the overall retail cybersecurity solution. Resist the urge to click on Cyber Monday coupons in emails — type the URLs into your browser window instead. Ensure your devices are up to date with both your security suite and your operating system. Download apps only from trusted environments.

We asked Rebecca Herold, The Privacy Professor and industry thought leader on privacy, what consumers can do to protect their online engagements. Not surprisingly, her advice addressed the need for authenticating yourself with the vendor.

“Use two-factor authentication wherever it is offered,” Herold advised. “This way, if a password is one of the factors and the password file gets hacked, that second factor will help to prevent unauthorized access into your accounts.”

Speaking of passwords, remember to use a unique password for every online account. It sounds cumbersome, but give it some thought. If you reuse passwords and the password file of the company with the least secure infrastructure is compromised, then your user ID and password combination are the keys to all your other accounts, especially for those that lack two-factor authentication.

The holiday season is upon us. Make it a joyous occasion by keeping your company, customers and yourself safe online.

Security Intelligence

Authored by David Shipley, Director of Strategic Initiatives, Information Technology Services, University of New Brunswick.

Embracing Cognitive Security Solutions

In many organizations, security is assumed rather than actively pursued. It is my job to make sure that isn’t the case. As the data center for three other universities in our province, my security team at the University of New Brunswick (UNB) protects a large digital bank of information with a fraction of the security resources of larger organizations. We have to protect student records, proprietary research material and other assets that criminals value highly.

A university is like the Mos Eisley spaceport of cybersecurity. We have every bad thing you could imagine: malware, vulnerable devices, patching issues and bring-your-own-device (BYOD) everywhere. We are, by our nature, open and transparent, yet we are supposed to be secure. Those two things do not go well together; we exist in that uncomfortable friction. Because of that, however, we are the perfect breeding ground for new ideas.

After the Gold Rush

We are faced with an exponentially growing volume of attacks due to the proliferation of new tools for cybercriminals. Today, the barriers to entry for cybercrime are tremendously low, creating a kind of gold rush. I feel this is due to a number of different factors, including the lack of a real, global cybercrime framework and national policing resources to address incidents and attacks. I am also worried about the amount of money that cybercriminals are obtaining to reinvest into their capabilities, widening the gap between the attackers and the attacked.

We are outgunned and need new capabilities to use as force multipliers to level the playing field with cybercriminals. UNB is exploring cognitive security solutions with IBM to augment our capabilities to deal with these challenges. UNB is one of eight universities in North America chosen by IBM to help adapt Watson cognitive technology for use in the cybersecurity battle. We are feeding real data into the Watson system as a natural extension of the work we are doing for security information and event management (SIEM).

Stop Fighting Fires

We have high expectations for cognitive security solutions in the coming years. The technology has so much potential to address our labor shortage gap, reduce our risk profile and increase our efficiency of response.

Cognitive systems can leverage unstructured data to provide the context behind attacks and provide an informed second opinion to increase our confidence for making decisions. I read a lot on a daily basis, but that might help me discover roughly 1 percent of what is out there in terms of the latest threats and risks at any given time. How am I supposed to apply only 1 percent against hundreds of active offenses on a daily basis? I hope cognitive security solutions can enable me to take a more holistic view of my cybersecurity situation.

Ultimately, I believe that these Watson-based solutions will allow security professionals to move to a higher level of value for their organizations. Cognitive solutions can help them get away from merely firefighting and into tackling longer-term strategic issues, such as user behavior and organizational culture, that can change the outcome of the present one-sided battle.

Read the IBM Executive Report: Cybersecurity in the cognitive era

Security Intelligence

ICS Cyber Security Conference

Admiral Michael Rogers, Director of the U.S. National Security Agency (NSA) and Commander, U.S. Cyber Command to Keynote SecurityWeek's 2016 ICS Cyber Security Conference on Oct. 25

Security professionals from various industries will gather next week at the 2016 edition of SecurityWeek’s ICS Cyber Security Conference, the longest-running event of its kind. The conference takes place on October 24-27 at the Georgia Tech Hotel & Conference Center in Atlanta, Georgia.

SecurityWeek is honored to host Admiral Michael S. Rogers, Director of the U.S. National Security Agency (NSA) and Commander, U.S. Cyber Command, as our keynote speaker.

The event kicks off on Monday with a series of open and advanced workshops focusing on operational technology (OT), critical infrastructure, SCADA systems, and management. Participants will have the opportunity to learn not only how an organization can be protected against attacks, but also how attackers think and operate when targeting control systems.

Following his keynote on Tuesday, Admiral Rogers will take part in a conversation and questions session with SecurityWeek's Mike Lennon and conference attendees.

On the same day, Yokogawa’s Jeff Melrose will detail drone attacks on industrial sites, and ICS cybersecurity expert Mille Gandelsman will disclose new vulnerabilities in popular SCADA systems.

In addition to an attack demo targeting a Schweitzer SEL-751A feeder protection relay, the day will feature several focused breakout sessions and a panel discussion on risk management and insurance implications.

The third day of the event includes presentations on PLC vulnerabilities, attacks against air-gapped systems, cyberattack readiness exercises, and management issues.

Also on Wednesday, ExxonMobil Chief Engineer Don Bartusiak will detail the company’s initiative to build a next-generation process control architecture. Breakout sessions will focus on risk management, incident response, safety and cybersecurity programs, emerging technologies, and the benefits of outside cybersecurity services in the automation industry.

On the last day of the ICS Cyber Security Conference, attendees will have the opportunity to learn about the implications of the Ukrainian energy hack on the U.S. grid, practical attacks on the oil and gas industries, and how technologies designed for video game development and engineering can be used to simulate cyberattacks and evaluate their impact.

Speakers will also detail the status of ICS in developing countries, the need for physical security, the implications associated with the use of cloud technologies in industrial environments, and the implementation of a publicly accessible database covering critical infrastructure incidents.

Produced by SecurityWeek, the ICS Cyber Security Conference is the conference where ICS users, ICS vendors, system security providers and government representatives meet to discuss the latest cyber-incidents, analyze their causes and cooperate on solutions. Since its first edition in 2002, the conference has attracted a continually rising interest as both the stakes of critical infrastructure protection and the distinctiveness of securing ICSs become increasingly apparent.


*Additional reporting by Ed Kovacs


For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the enterprise IT security space and the threat landscape. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.

SecurityWeek RSS Feed

If time is money in business, speed is security in infosec. HawkEye Analytics Platform is the big data component of the HawkEye set of security tools from Hexis Cyber Solutions, while HawkEye G offers integrated threat detection and automated response. Both are designed to provide comprehensive solutions for the critical requirements of big data security analytics while putting an emphasis on speed.

HawkEye AP: Big data security analytics

HawkEye AP is a layered data management platform providing core services from data ingestion up through reporting and analysis. The foundation of the data management system is the Event Collection component, an extraction, transformation and load service that includes connectors to over 250 types of source systems. These sources include Windows servers, web servers, firewalls, databases, logs, NetFlow sources and SNMP sources.

The platform is designed to parse through hundreds of different data formats automatically. Data ingested by the event collection component is stored in the platform's event data warehouse, a write-once database optimized for columnar storage. The write-once feature ensures the integrity of data by preventing tampering at the lowest levels of data access. It also allows database designers to avoid the overhead mechanisms needed in other databases that support update operations. The Event Database supports standard SQL and business intelligence tools, so customers can deploy third-party reporting tools to support their security reporting.

While traditional BI reporting tools may be helpful in some cases, the volume of data and fine-grained attributes captured in security event information can make it difficult to find useful information. The analysis component of HawkEye AP incorporates user management and some reporting functionality specifically designed for security information. These reporting tools further support a Dashboard, Reports and Investigation module that provides an HTML5 console for a single point of access to security data.

HawkEye G: Threat detection

To further support analysis and reduce the volume of data infosec professionals have to contend with, HawkEye AP provides a threat detection component called HawkEye G. This incorporates machine learning and statistics techniques to help identify patterns, classify data and help infosec professionals focus on the most informative parts of all available security data.

HawkEye AP, coupled with HawkEye G, offers a comprehensive platform for big data security analytics. While HawkEye AP collects data from servers and network devices, HawkEye G includes endpoint agents for gathering data in real time from user devices. HawkEye G also has modules for detecting events at network edges as well as from third-party platforms.

Significant security events are usually a small percentage of all events recorded. Searching for malicious activity on an active business network is a prime example of searching for the proverbial needle in the haystack. HawkEye G incorporates a proprietary ThreatSync technology that verifies threats to reduce false positives using host and network correlation techniques. It also prioritizes events to help infosec professionals focus on the most important threats.

HawkEye also includes policy-driven automated response to events. This can be especially important when infosec staff is limited and automated responses are needed to keep up with suspicious events on the network.

Pricing, support and deployment

Hexis Cyber Solutions' HawkEye AP is a software platform that is designed to sit between an enterprise's security operations center and the existing networking and security infrastructure. In addition to the HawkEye AP platform, Hexis also offers a managed service option for those who would rather delegate management and maintenance to the vendor.

Pricing is available by contacting Hexis Cyber Solutions directly. The company offers 24-hour support through its customer portal as well as phone support during normal business hours or 24/7, depending on your service-level agreement. Hexis Cyber Solutions' professional services group is available to help with planning, implementation and ad hoc analysis. The company also partners with EMC, Palo Alto Networks, SourceFire and Cerner.


Big data security analytics requires both scalable data management and advanced analysis tools that support infosec operations. The combination of HawkEye AP and HawkEye G covers both of those fundamental requirements. HawkEye G will be especially appealing to organizations that want the ability to query an event database using standard business intelligence reporting tools. For its part, the managed service option will likely appeal to small and midsize businesses that want the capabilities of the HawkEye platform but do not have resources on staff to manage and maintain a big data security analytics platform.

Editor's note: The HawkEye G technology was recently acquired by WatchGuard. It's unclear how this will affect its integration with HawkEye AP.

This was last published in September 2016

SearchSecurity: Security Wire Daily News

The head of the UK’s new National Cyber Security Centre (NCSC) has detailed plans to move the UK to "active cyber-defence", to better protect government networks and improve the UK’s overall security.

The strategy update by NCSC chief exec Ciaran Martin comes just weeks before the new centre is due to open next month and days after the publication of a damning report by the National Audit Office into the UK government’s current approach to digital security.

Martin called for the "development of lawful and carefully governed offensive cyber capabilities to combat and deter the most aggressive threats".

Active cyber defence means hacking back against attackers to disrupt assaults, in US parlance at least. Martin defined the approach more narrowly as "where the government takes specific action with industry to address large-scale, non-sophisticated attacks".

During his speech at the Billington Cyber Security Summit in Washington DC, NCSC's Martin also floated the idea of sharing government network security tools such as DNS filters with private-sector ISPs, as previously reported.

Security vendors praised the UK government's more pro-active approach to cybersecurity, arguing it’s (if anything) overdue.

“The Government is right to look for innovative ways to disrupt organised cybercrime,” said Paul Taylor, partner and UK Head of cyber security at management consultants KPMG. “It’s crucial that we stay one step ahead of attackers and that takes constant innovation and coordination. No one is immune from cyber-attacks but UK small businesses are especially vulnerable as the reality is that many struggle to deal with an onslaught of ransomware and cyber enabled frauds.”

Taylor also backed the greater sharing of information security intelligence, a key plank in the NCSC’s policy that’s viewed with suspicion by privacy advocates*.

“A new partnership between Government and industry is needed to protect our society, take the offensive against criminals, and work together to disrupt digital crime,” Taylor explained. “At the moment many companies are reluctant to share information on attacks they’ve suffered, we need to build a safe space for Government and industry to share intelligence so that we have the best chance of tackling cybercrime.”

Matt Walker, VP Northern Europe, HEAT Software, noted that stronger defences were needed as government services such as universal credit become available online.

“The protection of citizens’ information from the threat of cyber-attack needs to become a higher priority for central and local government as we continue to move more and more interaction online,” Walker said. “The universal credit system alone will pay out seven per cent of UK GDP – making it a target for online fraud. Equally, the ransomware attack that locked Lincolnshire County Council out of its own systems for days had repercussions for mission-critical services such as health and social care.”

The NCSC will act as a hub for sharing best practices in security between public and private sectors as well as taking a lead role in national cyber incident response. The organisation will report to GCHQ, the signals intelligence agency.


*The US's Cybersecurity Information Sharing Act was bitterly but ultimately unsuccessfully opposed by privacy activists.


The Register - Security

Businesses and government agencies are at risk from an increasing array of information security threats such as data theft, malware, denial-of-service attacks and even compromise by insiders. No single security control or policy can address all threats. Instead, IT needs to deploy multiple measures. A key challenge for InfoSec professionals is to collect and integrate data on security events from the array of security controls deployed to protect assets. This is where security analytics comes in.

NetBeat MON from Hexis Cyber Solutions is a security analytics product designed to help protect medium-sized businesses, specifically ones with multiple locations.

In a nutshell, NetBeat MON is a monitoring appliance that observes network activity within any network and its devices. Hexis presents the benefits of the product as supporting "network hygiene." That is, understanding and managing the contents of network traffic using tools such as packet capture and analysis, network flow analysis and intrusion detection.

Combining open source tools

Hexis Cyber Solutions did not reinvent the proverbial wheel when it comes to network monitoring, but it did combine well-established open source tools to bring cost-effective, consolidated monitoring to a broader market. NetBeat MON combines the features of five open source network monitoring tools: ntop, Wireshark, Suricata, Snorby and dumpcap.

  • Ntop is a network traffic sorting tool that supports IPv4 and IPv6. The tool allows you to sort IP traffic using multiple criteria, including source, destination and protocol.
  • Wireshark is a network protocol analysis tool that allows for both live traffic capture and offline analysis, including voice over IP. Captures taken with Wireshark can be viewed either in the GUI or with the TTY-mode TShark utility, and packet lists can be assigned a color scheme to help with sorting and analysis.
  • Suricata is a tool developed by the Open Information Security Foundation. The tool is used for monitoring network traffic, as well as providing combined intrusion detection system/intrusion prevention system functionality. Admins can also write rules that match specific application protocols rather than just destination ports.
  • Snorby is a network security monitoring tool built using Ruby on Rails. Reporting features include the ability to classify events into predefined or custom categories for future reports. Additionally, the tool can integrate with OpenFPC, a packet capture tool.
  • Lastly, dumpcap is a tool for dumping network traffic. Dumpcap writes packet data in pcap-ng format, although the libpcap format is also available. Beyond the individual tools, features include customizable UIs, automated patching and remote management, as well as analysis, NetFlow and packet capture capabilities.
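To make the "security analytics" idea above concrete, the following is an added example (not code from the article, from Hexis or from any of the bundled tools): a small pass over constructed records in the EVE JSON layout that Suricata emits, doing two of the jobs the text attributes to ntop and Snorby, namely sorting traffic by source, destination or protocol, and classifying alerts into custom categories for reporting. The sample lines, addresses, signature text and category table are all constructed for the example.

```python
"""Added example: ntop-style traffic sorting and Snorby-style alert
classification over constructed Suricata EVE JSON records."""
import json
from collections import Counter

# Constructed sample records in Suricata's EVE JSON layout; the addresses,
# signature text and byte counts are made up for this example. One line is
# deliberately malformed to show that the parser skips it.
SAMPLE_EVE_LINES = [
    '{"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10", "proto": "TCP", "dest_port": 443, "flow": {"bytes_toserver": 1200, "bytes_toclient": 48000}}',
    '{"event_type": "flow", "src_ip": "10.0.0.7", "dest_ip": "192.0.2.10", "proto": "TCP", "dest_port": 443, "flow": {"bytes_toserver": 900, "bytes_toclient": 2000}}',
    '{"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.4", "proto": "UDP", "dest_port": 53, "flow": {"bytes_toserver": 300, "bytes_toclient": 600}}',
    '{"event_type": "alert", "src_ip": "10.0.0.7", "dest_ip": "192.0.2.10", "proto": "TCP", "alert": {"signature": "ET MALWARE Example Trojan CnC Beacon", "severity": 1}}',
    '{"event_type": "alert", "src_ip": "10.0.0.9", "dest_ip": "10.0.0.1", "proto": "TCP", "alert": {"signature": "ET SCAN Example Port Scan", "severity": 2}}',
    'this line is not JSON and must be skipped',
]

# Custom categories in the spirit of Snorby's classification feature
# (assumed table, not Snorby's own): substrings matched against the alert
# signature, first hit wins.
CATEGORIES = [
    ("malware", ("MALWARE", "TROJAN", "CNC")),
    ("reconnaissance", ("SCAN", "PROBE")),
]


def parse_eve(lines):
    """Decode EVE JSON lines, skipping anything that is not an event object."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:          # json.JSONDecodeError is a ValueError
            continue
        if isinstance(rec, dict) and "event_type" in rec:
            events.append(rec)
    return events


def traffic_by(events, key):
    """ntop-style sorting: total bytes per value of `key` ('src_ip',
    'dest_ip' or 'proto'), heaviest first. Only flow records carry
    byte counters, so alerts are ignored here."""
    totals = Counter()
    for ev in events:
        if ev.get("event_type") != "flow":
            continue
        flow = ev.get("flow", {})
        total_bytes = flow.get("bytes_toserver", 0) + flow.get("bytes_toclient", 0)
        totals[ev.get(key, "unknown")] += total_bytes
    return totals.most_common()


def classify_alert(alert_event):
    """Map one alert record to a reporting category, or 'uncategorized'."""
    sig = alert_event.get("alert", {}).get("signature", "").upper()
    for name, needles in CATEGORIES:
        if any(n in sig for n in needles):
            return name
    return "uncategorized"


def alert_report(events):
    """Count alerts per category, the input a periodic report would need."""
    counts = Counter()
    for ev in events:
        if ev.get("event_type") == "alert":
            counts[classify_alert(ev)] += 1
    return dict(counts)


def summarize(lines):
    """Run the whole pass and return the figures a dashboard would show."""
    events = parse_eve(lines)
    return {
        "events": len(events),
        "top_sources": traffic_by(events, "src_ip"),
        "by_proto": traffic_by(events, "proto"),
        "alerts": alert_report(events),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EVE_LINES), indent=2))
```

On a real sensor the input would be Suricata's eve.json read line by line; the functions above take any iterable of lines, so a file object can be passed straight in. The category table is the part worth tuning per site, since it decides which alerts reach the report first.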

Deployment options

How NetBeat MON is deployed depends on how the organization operates. The product requires an individual appliance at each of the organization's locations. Each appliance is configured as either a Master or a Minion unit upon setup -- the capabilities and duties of each unit follow. The Master unit will most likely be deployed at the organization's central office, allowing for centralized management of the Minions.

Each unit offers eight DIMM RAM slots, four hot-swappable 3.5-inch hard drive bays and an Intel i350 dual-port gigabit Ethernet adapter. The NetBeat MON appliances are built on Intel Xeon processors.

As for purchasing and support, the NetBeat MON appliance is available only through channel partners. Single-call support is included for one year after purchase; after that it costs $1,500 per unit per year. The Hexis support team can answer questions about the open source tools that make up NetBeat MON, but does not provide direct support for those tools themselves. Hardware issues are resolved by sending the malfunctioning device back for repair.


No business or organization is too small to be the target of malicious cyber activities. Small and midsize businesses with limited resources can leverage open source security analytics tools without breaking their capital expenditure budgets.

Unfortunately, unless someone on staff is familiar with the implementation details of the range of open source tools in use, deploying and maintaining a set of well-integrated applications is difficult. NetBeat MON relieves some of that burden with a consolidated package of security analytics tools that does not demand an enterprise-scale budget.

Editor's note: Hexis Cyber Solutions was recently acquired by WatchGuard, which may impact the NetBeat MON security analytics product line.


This was first published in September 2016

SearchSecurity: Security Wire Daily News

At the G20 summit on Tuesday, President Obama said he had been talking to other heads of state about cybersecurity and avoiding a potential cyber arms race, but experts say it may be too late.

President Obama said nations should focus more on the dangers of non-state actors rather than repeating the mistakes of the Cold War in cyberspace. However, President Obama also began his comments by claiming the U.S. has more cyber "capacity than any other country, both offensively and defensively."

Experts said comments like this and the constant attribution of cyberattacks to countries like Russia and China are proof that the cyber arms race has already begun.

Michael Patterson, CEO of Plixer, said the cyber arms race is close to 10 years old at this point.

"The cyber arms race is on and has probably been accelerating since before the 2008 explosion on the Baku-Tbilisi-Ceyhan oil pipeline in Turkey that is thought to have been perpetrated by the Russians," Patterson told SearchSecurity, although the attribution of that attack to Russia has since come under question. "It was the United States and Israel that launched the Stuxnet attack in 2010 against Iran. Everyone better believe that the race is on and has been for a while."

Dwayne Melancon, vice president of products for Tripwire, said it is unlikely that a cyber arms race would develop into a cyber-Cold War simply because nations won't hesitate to use their cyberweapons.

"If this truly becomes a cyber arms race akin to the nuclear arms race that would mean nations would develop weapons, use them to threaten other nations, and almost never use them to attack. However, I don't think that is what will happen with cyber arms -- I think they'll be used anyway," Melancon told SearchSecurity. "After all, the perceived consequence and damage seems much less outrageous when you think of cyber arms, at least at face value. Of course, cyber security researchers know that cyber weapons could cause death, destruction and chaos if deployed against critical infrastructure, systems affecting public safety, and so forth."

From cyber arms race to cyber-Cold War

John Dickson, former U.S. Air Force CERT and principal of Denim Group Ltd., based in San Antonio, said he thinks we're already in a cyber-Cold War -- though he would like a better term for it -- and to the point where a cyberattack could prompt a physical response, which pushes the need for more accurate cyber attribution.

"I'm not sure we've seen a case to date where physical destruction caused by a cyberattack was serious enough where a nation state would seriously consider striking back with what the military calls a 'kinetic' attack, or via conventional warfare," Dickson told SearchSecurity. "I suspect that will likely happen at some point, which is when incorrect attribution will really be substantially more critical. If terrorists or nation states brought down an airliner or opened up a dam causing downstream death and destruction, there would likely be pressure to retaliate in the physical realm with military force. If we, or another nation state, misread attribution, the results could be potentially devastating and could escalate to a much larger military conflict."

Brian NeSmith, the CEO of Arctic Wolf Networks, Inc., said there is no such thing as a cyber-Cold War.

"In preparation for a cyberwar, nations would be penetrating an adversarial nation's critical infrastructure and planting cyber-nuclear bombs," NeSmith said. "In a cyberwar, the 'invasion' would occur way in advance of the actual attack, and there would likely be no time to mount a defense before critical infrastructure is destroyed and real lives lost."

Jonathan Sander, vice president of product strategy for Lieberman Software, said the steps toward a cyber-Cold War may have already begun.

"One could say that the separation likely to result from a cyber-Cold War has already begun in the form of the 'Great Firewall of China,'" Sander told SearchSecurity. "The Chinese attempt to sever its cyber ties has many analogs to the USSR's iron curtain -- complete with resistance fighters, defections (both information and people), and espionage bringing things through the wall now and then."

Sander added that it may be impossible to imagine the political aspects of a cyber-Cold War, but the social impacts are easier to imagine.

"During the first Cold War, we saw some of the greatest physicists in the world stuck on [the] opposing side of an iron curtain. Science thrives on collaboration, and separation can be devastating to overall progress," Sander said. "With some of the greatest minds in computer science spread throughout all of the major players, and bitter rivals, that would be on sides of this cyber-Cold War, the chilling effects on overall progress may be a predictable outcome."

John Bambenek, manager of threat systems at Fidelis Cybersecurity, said a cyber-Cold War could be advantageous because it would force people to prepare for cyberattacks.

"In a cyber-Cold War scenario we would be spending real time and effort in securing our systems and educating the public in the very simple things they can do to protect themselves -- patching systems, avoiding phishing," Bambenek told SearchSecurity. "The hacking of the Illinois State Board of Elections, for instance, could have been prevented by the most basic SQL injection prevention techniques. What we have now is open conflict and the time for preparation is over."
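Bambenek's point that the election board breach "could have been prevented by the most basic SQL injection prevention techniques" refers to a control every developer can apply. As an added example (not code from the article, from Fidelis or from the Illinois system, and not a description of how that system was built), the following shows a lookup written with string formatting beside the same lookup written with a bound parameter, against an in-memory SQLite table of constructed rows; the table, column names and values are assumptions made for the example.

```python
"""Added example: a string-built SQL lookup next to its parameterized form."""
import re
import sqlite3

# Constructed data: a tiny registration table, not any real system's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE voters (id INTEGER PRIMARY KEY, name TEXT, registration_no TEXT)"
    )
    conn.executemany(
        "INSERT INTO voters (name, registration_no) VALUES (?, ?)",
        [("A. Example", "REG-0001"), ("B. Example", "REG-0002")],
    )
    return conn


def lookup_unsafe(conn, registration_no):
    """Vulnerable: the caller-supplied value is spliced into the SQL text,
    so any quote in the input changes the query's structure."""
    sql = "SELECT name FROM voters WHERE registration_no = '%s'" % registration_no
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, registration_no):
    """Hardened: the value travels as a bound parameter. The database engine
    receives the SQL and the data separately, so the input is only ever
    compared as a string and can never become part of the statement."""
    sql = "SELECT name FROM voters WHERE registration_no = ?"
    return [row[0] for row in conn.execute(sql, (registration_no,))]


# Assumed format for this example's registration numbers: defence in depth,
# rejecting inputs that cannot be valid before they reach any query.
REGISTRATION_RE = re.compile(r"^REG-\d{4}$")


def is_valid_registration(value):
    return bool(REGISTRATION_RE.match(value))


def lookup_checked(conn, registration_no):
    """Allowlist validation in front of the parameterized query."""
    if not is_valid_registration(registration_no):
        return []
    return lookup_safe(conn, registration_no)


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "REG-0001"))
    print(lookup_checked(db, "not a registration number"))
```

The parameterized form is the fix; the allowlist in front of it is the second layer. Both stay in place even if the query text is later changed, which is what makes them cheaper than trying to escape user input by hand.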

The risks of faulty cyber attribution

Cyber attribution methods recently came under fire after confusion over who was responsible for the DNC hack: some experts said cyber attribution was an impossible task, while others said the key was human intelligence gathering rather than an over-reliance on technical evidence, which can be spoofed.

Melancon said the cyber arms race "is a perilous path for nations to walk -- and the error-prone nature of attribution make it even more perilous" because cyber attribution is "extremely hit or miss."

"It is unlikely you'll know exactly who the perpetrators are unless they are: careless; not very good; or really want you to know they did it," Melancon said. "Often, security investigators arrive at conclusions like, 'I really think so-and-so did it,' but most of the time the evidence is insufficient to know for sure."

Patterson said being accurate with cyber attribution is currently difficult and may even be an "impossible task."

"Attackers often bounce from one country to the next before launching an attack. Hackers purposely put comments in their code to imply a different language other than their native tongue," Patterson said. "No one wants to get caught and cybercrime makes it relatively easy to cover your tracks."

Dickson said the only way to truly confirm cyber attribution as accurate would be to reveal "certain intelligence collection sources and methods to do so."

"Recall that during the Cuban Missile Crisis -- the U.S., at the United Nations Security Council, revealed compelling photo reconnaissance evidence that the Soviet Union had deployed certain ballistic missiles in Cuba. The downside of providing this evidence was that it provided certain adversaries insight into our national photographic intelligence collection capabilities," Dickson said. "If the United States were really interested in blaming the Russians or Chinese on a particular intrusion, they would risk revealing certain intelligence sharing relationships, national capabilities, and overall context that would provide more insight for subsequent attackers."

Sander said the Cold War shows a "perfect example of what the cyber-Cold War could bring if there was an incorrect attribution."

"In 1979, NORAD nearly reacted with deadly force to a software glitch that, a bit too much like the movie War Games, mistook a simulation for a real attack," Sander said. "If an attribution makes the powers-that-be think it's an enemy attack and not some bad guys doing cybercrime, then they may go a step further than they did in 1979 and hit the big red button. One hopes that in a cyberwar the red button means letting loose cyber weapons and not nuclear devastation. But it's also good to remember that cyber systems control all our power, water, heating, and even nuclear facilities today."

Sander said even if cyber attribution could accurately identify who performed the attack, that doesn't necessarily translate to knowing if the attacker was hired by someone else.

"Pinning down the attribution of cyberattacks so you know exactly who is behind them is much more art than science right now. And often it's the art of politics," Sander said. "The trouble is that even if you get the technology parts of attribution perfectly, which is a massive challenge, you may still not know who was behind the attack. The bad guys often call in cyber contractors. If you can somehow manage to get past all the evasion and misdirection of professional cyber criminals, then you have only found the fingers on the keyboard not the mastermind."

NeSmith said, "Incorrect attribution is like pronouncing someone guilty when in fact they are innocent. It can only lead to ill will and get in the way of what's really needed, which is a productive dialogue, collaboration and a common set of rules everybody will follow."


SearchSecurity: Security Wire Daily News

Saudi cyber experts held urgent talks on Tuesday after government facilities were hacked, official media reported.

The cyber attacks "in recent weeks targeted government institutions and vital installations in the kingdom," the Saudi Press Agency reported, without identifying the targeted agencies.

It said the kingdom's Cybersecurity Centre "held an urgent workshop with a number of parties" to discuss the results of its investigations.

The attacks originated abroad and subjected users' accounts to viruses which spy on information, it said.

Experts outlined how the attacks occurred and presented "necessary procedures to fix and to protect those sites", Saudi Press Agency said. It gave no indication as to the source of the hacking.

In June a major Saudi newspaper said hackers briefly seized control of its website to publish false information.

Four years ago, a damaging malware assault hit the state oil company Saudi Aramco. US intelligence officials believed it was linked to Iran.


© AFP 2016


SecurityWeek RSS Feed