Product Update: Reconsider Event Classifications

Recently, the engineers at MetaFlows have improved the Event Classification Menu within the MetaFlows software, allowing each user to further customize events through actions and event views.  This introduces four key features to the Event Classification Menu that users will find helpful in employing the MetaFlows IDS.

Classifications Window.png

The first improvement allows users to see a comprehensive list of their classifications.  Now, users can access a new classification interface that breaks the classifications down by action.  There are seven action types:  Highlight, Block, E-mail, Ignore, Delete, Rank, and Disabled.  The Highlight function matches the records in the Real-Time, Historical, and Reports with the selected color.  The Block action triggers the Soft IPS for matching records, causing connections matching the classification to be blocked.  The E-mail function produces a PDF report of matching records that will be sent every ten minutes, or as frequently as possible.  The Ignore action ignores events that match the classification.  The Delete function removes matching records from the browser in order to free up memory.  The Rank action increases the priority/rank of the records that match the classification.  The Disable function allows a user to disable a classification without deleting it.

Classifications_list.png

The Search functionality of the classification interface now allows users to search against a classifications’ name, category, IP address, IDS alerts, service alerts, and log message values.  All a user has to do is type a value into the Search field to find classifications to match that query.  The search will match against values in the classification name, category, addresses, and events field.

Classification_options_panel.png

Once upon a time, deleting a classification was an irreversible action.  Now, that can be undone.  If the user deletes a classification only to realize later that they need it, they can restore the classification from the Trashed Classifications list.

Transferring classifications is now much easier.  By employing the Upload Classifications feature, a user can transfer classifications in bulk between two different domains.  The option is listed as the Upload Classifications button and selecting this opens the uploader.  Classifications must be in JSON format and contain all the required information for the classification.

More information regarding the recent improvements in the Event Classification menu can be viewed on the MetaFlows User Manual.  If using any of the four new features causes any confusion, or if there are any questions, do not hesitate to contact the MetaFlows team for assistance.

Feature Highlight: Snort Rule Editor

Recently, the Snort Rule Editor as a part of the Rules Management Interface has been updated.  This redesign allows for increased flexibility and provides the user with more of a handle on the IPS rules settings.

How It Works

Entering the Rules Management Interface is easy and can be accessed from two possible locations.  From the View Sensors page, the user can select the Edit Rules link to enter the Rules Management Interface. The user can also navigate to the Rules Management Interface from the Main Menu link.

Upon selecting the Rules Management Interface, the user will be prompted to select a sensor from the dropdown and then choosing the Load Rules button.  From there, the user will be able to manage the rule sets on a sensor-by-sensor basis.

Selection_003

After selecting a sensor, the user will have the option to modify properties of the rule sets, and issue commands to the sensors with the tools on the Menu Bar. In order for the changes made in the rules interface to take effect, commit the changes using the Save button.  (Please note that the Save/Cancel options only appear if the rules have been modified.) After selecting the Save option, a window will appear indicating that the changes are being verified. This process ensures that there are no issues with any changes that were made to the rule sets and that the sensor will correctly load the rules. Once the Save process is finished, the user will be prompted to reload the sensor.

To update the rule files, select the Get Updates button on the Snort Rules Controls. Most of the sensor controls buttons will be disabled/greyed out, and the Get Updates button will have a spinner icon until the update process finishes.  Next, the page will refresh to indicate if the updates were applied successfully. After the Get Updates process completes, select to Save the changes and Reload the sensor configuration for the changes to take effect.

Get_updates_1Get_updates_2

The Rule File List portion of the interface displays a complete listing of all the rule sets in the sensor configuration.  The local.rules file contains the pass rules (if any) that have been generated using the Tune IDS feature and any rules that were uploaded by the user.

Rules_listings_per_file

In the Rule List, each rule can be enabled or disabled by selecting the checkbox under the Active column next to each rule. If the checkbox under the Drop column next to a rule is checked, the sensor will drop flows that trigger the rule. Although we only recommend it for advanced users, each specific rule can also be edited by clicking on the rule itself. This will open the Rule Editor window, displaying the original rule, the editor, and some statistics that have been collected for that rule. Advanced Snort users can use the Rule Editor to make changes to the content of individual rules. When modifications are made, the Diff section will show changes to a rule since the most recent Save of the rule sets.

Manual_rule_editor

Pass Rules inform the IDS system that packet matching these rules should not generate alerts. These are helpful for eliminating false positives without having to disable the offending rule altogether. The Pass Rules have system-generated SIDs so that they do not conflict with the original rules that to which they refer. The user can utilize the tuning interface to add pass rules to the local.rules file. Please remember to Save any changes to the rule sets through the Rules Management Interface.

Selection_004

For users that want to run a reduced rule set for performance reasons, there is an Automatic Tuning option under the Bulk Edit menu. This option will disable rules that are unlikely to trigger based on our observations across all customer networks.  After clicking on the Automatic Tuning option, the changes will be merged with any prior changes that have made, meaning that rules that have specifically enabled will stay enabled. If the user wants to revert to a default minimal set, they should consider first using the Rules Defaults option.  Once the Automatic Tuning has processed the rules, it will then automatically fetch the latest updates and disable all of the appropriate rules.  To complete this process, the user will need to select Save so that the changes are committed.

Full color images and even more detailed instructions regarding The Rules Management Interface can found in the MetaFlows Wiki.

Common Threads in Black Hat 2015

130659908_922e26a071_oWhen discussing the need for tighter, and better cyber-security one of the common themes discussed at Black Hat centered around the lack of research and preparation on the part of software developers.  Katie Moussouris, in speaking at the special event, “Beyond the Gender Gap:  Empowering Women in Security,” mentioned that her career revolved round encouraging software developers in major corporations to address security at the design stage or as early as possible in the development phase.  The issue with this, of course, is that if a potential exploit is discovered, the individual responsible for that discovery would receive no credit for it. The fix would simply exist as a part of an after-thought – thus encouraging the habit of sitting still, waiting for the problem to become evident, and then offering a security patch.  When internal efforts fail, it would behoove developers to seek outside assistance.  However, this solution is one that is not readily accepted.  In the panel, Moussoris cited Microsoft’s initial commitment to not pay individuals to hack their product, and the challenges she faces in encouraging software developers in their creation of their Bug Bounty programs on sites such as Moussoris’ HackerOne.

In the instance that companies like Adobe institute their Bug Bounty programs, they range in effectiveness as participants can be awarded in everything from cash to a high-five for their efforts.  However, when one considers how many vulnerabilities continue to crop up in Adobe’s software, a high-five may not be enough.  Given the compromises that their Flash updates have caused, it is clear that Adobe’s approach is failing.  The gravity of this issue is especially evident as Cisco’s most recent Midyear Security Report and resulting blog entry call upon companies, “To reduce the occurrence of these common code errors, software developers should participate in regular security training to build awareness of current vulnerabilities, trends, and threats.”  Although the ball for creating, publishing, and updating secure software lies within the hands of software developers, only a naïve or irresponsible user would sit back and wait for the developers to handle it.

The pro-active approach, on the user end, is to assume that every software system is inherently flawed and problematic – to have a security solution already in place that can detect when employing a new software system has unintended and quite possibly, disastrous consequences. Defensive security systems must be flexible enough and powerful enough to meet evolving threats coming from an onslaught of flawed software systems and riddled web user interfaces, that can catch users unaware but ideally, not unprepared.

As the Internet of Everything becomes more of a reality, it is the onus of the user to make sure that they are meeting the challenges that come with it.  Conferences like Black Hat open up the dialogue by asking important questions, the most resounding being, “What do you plan to do to keep your information secure?”  In a room full of options, this question may seem both overwhelming and considerably difficult.  No one can afford to spend money on services that (while not being comprehensive) will not work with others, in accidentally duplicating coverage, or even investing in a system that flat does not meet the demands of a connected world.

Finding solutions and making connections are why security professionals attend Black Hat.  At the MetaFlows kiosk, our engineers were able to explain to professional after professional as to why the SaaS model works and how the MetaFlows MSS is a cooperative solution that pulls from a variety of sources, partnering with Emerging Threats, Cyber-TA, and Virus Total, to name a few.  As Microsoft plans to release Windows 10 and Adobe continues to update their products, it is imperative that every user have a security plan in place to protect the integrity of their data.

MetaFlows: SC Magazine Innovators Hall of Fame

sc_logo_21413_345884Our friends at SC Magazine have inducted us into the SC Magazine Innovators Hall of Fame. It is nice to be recognized for our innovations. Importantly, this is purely based on their journalistic curiosity; we give them props for performing their reviews based on sound technical knowledge. We refuse to pay money for recognition. You might think we are old-fashioned but this is how we roll at MetaFlows.hall_of_fame_495827

Their article also points out the importance of monitoring beyond the network perimeter using multi-session correlation. If you are not sure what multi-session correlation can do for you, it is best for you to put it to the test. You will be amazed of what you can find out about your network.

Read the article at SC Magazine’s Website

Connecting the Dots

3d network connections isolated in white backgroundOne of the most important lessons from cyber-war fighters is that relying on a single mechanism to defend your enterprise is naive. In fact, the more disparate and heterogeneous the network defense mechanisms, the better. MetaFlows fully embraces this concept by providing several detection mechanisms that work together:

  • IDS behavioral analysis looking for multiple symptoms that indicate a compromised host.
  • Using up to 50 different antivirus solutions at once to find bad content on the network.
  • Honeypots continuously mining for new threats.
  • Flow and log analysis.

These are just a few things that MetaFlows does.

Until now, MetaFlows has used these mechanisms independently to find and defeat threats. Our multifunctional approach has proven to be very effective. Many customers characterize the MetaFlows Security System as “The Last Line of Defense”. But now, we just upped the ante!

Leveraging our multifunctional view, we now also support behavioral correlation to combine disparate intelligence sources. Our Correlation Engine Rule (CER) specification now allows you to connect the dots across the different functional paradigms. But enough smoke and mirrors! Here are some REAL examples.

Data Exfiltration

  1. Detect the external hosts that are scanning your network.
  2. If any of these hosts exchange more than a few thousand packets with an internal host, flag the internal host as compromised.

Notice that (1) is an IDS function while (2) is a flow analysis function.

Zero-day Infection of Something That Cannot Be Executed in a Sandbox

  1. Host A downloads a bad .exe from server B.
  2. Host C (an Apple computer) downloads a JAR file from server B.
  3. Host C is talking to a known Command & Control site.

(1) is detected by a virus scanning application, (2) is detected with L7 analysis, (3) is detected by an IDS rule.

These examples demonstrate why traditional defenses are inadequate. Correlated together, these rules give you a powerful view of exactly what is happening on your network. You really need a multifunctional system that can connect the dots.

The Never Ending Cycle of Prey and Predator: The Malware War!

Malware is not new and yet ever-evolving. Companies need to strengthen security practices and tools in order to stay ahead, or at the least, stay in the game! With attacks and costs sharing an rising trajectory, information security should be the top of every IT director’s list. Read about it from the perspective of a CSO:

Malware: War without End

Find out how the MetaFlows Security System is keeping steady in the war against Malware and defeating enemies with innovative and cost efficient technology!

WakingShark II: Stress Testing the City of London

The City of London underwent a massive cyber attack- on purpose! In a great feat of preemptive security hundreds of people, from hackers to holy grail financial institutions, participated in a collaborative attack to test various organizations and government institutions’ preparedness. More cities and organizations should be testing their mettle in such a way.

Waking Shark II – Stress Testing the City of London

 

 

See how the MetaFlows Security System can put your network to the test. Find out what you are not seeing in our Free 14 Day Trial.

Security and The Internet of Things

In a world where, increasingly, EVERYTHING is linked together by internet, bluetooth, and technology at large, security is at its utmost importance. However- and who is to say whether we choose ignorance as bliss or just are too trusting- many do not even realize how much of their private lives are basically on a buffet table at a party hosted by Internet.

An interesting look at the expansion and effects of “The Internet of Things.”

Insecurity and the Internet of Things Part 1: Data, Data Everywhere

Feature Spotlight: Global Enterprise Solution

Global Enterprise Solution

The MSS Global Enterprise (MSS GE) is a complete turn-key security system intended for large Enterprise or Government networks, and includes advanced Malware/Botnet detection, Intrusion Prevention, Log Management/SIEM, and integrated vulnerability assessment. The MSS GE controller can be deployed either as a high performance Appliance (starting at 1200 Events/Second) or as an Amazon EC2 instance (AMI). The MSS GE sensors can be easily provisioned on off-the-shelf hardware (up to 10 Gbps per sensor) running Linux CentOS/RedHat, high-performance Appliances, VMware or on Amazon EC2.

ges image

Web Security Console

  • Real Time SIEM, Flow & Log management
  • Multi-user Online Collaboration
  • One-click Remediation
  • Highly Customizable
MSS GE Controller

  • Deploy as an Appliance or as an Amazon EC2 Instance
  • Predictive Event Correlation quickly finds Malware
  • Centralized Sensor Provisioning
Daily Intelligence Feeds

  • Behavioral Malware Detection
  • Zero-day/APT Intelligence
  • Vulnerability Scanning
  • Geo-location Intelligence

 

Old Dog, New Tricks: Reengineering Human Behavior Can Foil Phishing

No, UPS does not have a package waiting for you and that prince in Nairobi does not really want to give you $50,000, no matter how well thought out his plan is.

The article below details how, with just a bit of training, even your typical end-user can become more savvy and avoid those pesky phishing emails, thus saving your network from nonsense.

Reengineering Human Behavior Can Foil Phishing

Find out how the MetaFlows Security System, by utilizing Network Level AntiVirus and an Internal File Carver, can notify on and prevent pesky phishing scams.