24 posts categorized "Cyber Attacks & Defenses"

How To Combat Monitoring & Security Tool Overload! (by Keith Bromley)


I have a fundamental question for you. Are you managing your security and monitoring tools or are they managing you? We all want to say that WE are in control, correct? Unfortunately, data from two EMA investigations shows that this might not be the case. It is summarized in this infographic – How to Combat Monitoring and Security Tool Overload.

The number of security and monitoring tools that IT personnel use is increasing. According to the EMA Network Management Megatrends 2016 Report, the average number of security and monitoring tools used by an “average” enterprise (1,000 to 4,999 employees) ranges anywhere from 4 to 15 different tools. In 2014, the average enterprise used 3 to 10 different tools (according to EMA). So in two years, there has been an increase of around 25 to 30% in the number of tools being used.

This causes IT several problems, such as:

  • Getting proper access to good-quality monitoring data
  • The sheer volume of tools makes it hard for IT to manage them
  • A mixture of virtual and physical tools makes the situation even more confusing


Understanding Network Visibility Use Cases! (by Keith Bromley)



Network visibility is fast becoming a key component of network and security planning. This is because network visibility is more than just network monitoring. It is about understanding the network—how is it actually performing, are there any current problems, where do future pain points lie, and how do I optimize my resources? IT’s fundamental challenge is to ensure that the infrastructure beneath their applications is reliable, fast, and secure.

As we all know, network blind spots get in the way. Common sources of blind spots include siloed IT organizations, SPAN port overloading, rogue IT, SSL-encrypted data, data overload of monitoring equipment, and network and equipment complexity. These blind spots directly correlate to network problems and outages, increased network security risk, and potential regulatory compliance issues.

Encrypted data further exacerbates the situation. According to a Bluecoat infographic, half of all network security attacks in 2017 will use encrypted traffic to bypass controls. In addition, internal and external SLAs and customer quality of experience have become increasingly important for IT. These requirements are forcing IT to gain an even better insight into and understanding of the network to maximize performance. What no IT team wants to find out is that all of their assumptions and architecture designs are based on incorrect or missing data. When this happens, it results in higher solution costs, confusion, rework, customer dissatisfaction, performance problems, and unplanned outages.


Find Breaches Faster Using Indicators of Compromise! (by Keith Bromley)


Every network has blind spots. In fact, blind spots have become a serious security issue for enterprises and service providers. According to the 2016 Verizon Data Breach Investigation Report, most victimized companies don’t discover security breaches themselves. Approximately 75% have to be informed by law enforcement and 3rd parties (customers, suppliers, business partners, etc.) that they have been breached. To make matters worse, the average time for breach detection was 168 days, according to the 2016 Trustwave Global Security Report.

Whether you think that security breaches are inevitable or not, you still need to be able to mitigate any damage done by quickly detecting and remediating all breaches. One fast way to do this is to capture application-level traffic running on your network and analyze it from a macroscopic point of view—using indicators of compromise (IOC). Security breaches almost always leave behind some indication of the intrusion, whether it is malware, suspicious activity, some sign of another exploit, or the IP addresses of the malware controller.

A visibility architecture that uses application intelligence can be used to capture the IOCs needed. The breadcrumbs are there; they just need to be illuminated. What if you could reduce the 168-day average to 168 seconds?

If you are not familiar with application intelligence, it is basically the real-time visualization of application-level data. This includes the dynamic identification of known and unknown applications on the network, application traffic and bandwidth utilization, detailed breakdowns of applications in use by application type, and the geo-locations of users and devices while they access applications.


SCADA/ ICS – Are We Scared Yet? (by Tim -The Oldcommguy®)

Industrial Control Systems / SCADA – Are we scared yet?

What would happen if a hacker took over control of a nuclear power plant and used it for blackmail or destruction?

What devices control refineries and power plants, even our drinking water purification facilities?

Well, these and many other life necessities are run and controlled by SCADA (Supervisory Control and Data Acquisition) systems or ICS (Industrial Control Systems). SCADA and similar systems have been monitoring and controlling our industrial, power and refinery world since the 1960s.

I actually worked for a SCADA research and monitoring company in that era, designing and testing production monitoring tools for the oil industry, from acquisition to refinement requirements, but all were Industrial grade level.

What is Industrial Grade Level? Mainly it is the operating temperature, from -40C/F to +85C (Military level is -55C to +125C), plus other factors that would be needed for down-hole operations (drilling), mine operations and even space operations, which can include high pressure, shock, mechanical stress, certain types of vibration, non-vaporizing humidity to near 100%... many different factors for the many different arenas.


LMTV LIVE | SpyGOOSE from Thomason Technologies (with Dave Thomason)

YouTube Live Event: Tuesday, August 30, 2016 - 9:30 AM PST

David Thomason, CEO of Thomason Technologies, will be announcing a new product for the passive monitoring of industrial networks. SpyGOOSE is their proprietary software which in the past has been distributed with their industrial IPS, the TTL1000. Today, Dave will discuss the general availability of the stand-alone version of this software.


A Closer Look at UDP Sessions (by Dr. Jin Qian)

A Closer Look at UDP (User Datagram Protocol) Sessions

For many network and security professionals, analyzing network packets for troubleshooting and security investigation is a daily routine. One of the most common actions in the analysis is to “follow” a TCP session: display all the packets belonging to that TCP session.

It's well known that a TCP session consists of all the TCP packets that share the same tuple: from a client IP and port to a server IP and port or, conversely, from that server IP and port back to that client IP and port. Many professionals will assume the same principle applies to UDP, just as in the case of TCP, but unfortunately that is not the case. A UDP session is defined only by the client IP and port. As a result, packets from the same UDP session can be sent to, or received from, different server IP and port pairs.

Super graphic and discussion from https://elguber.wordpress.com/

Some readers may wonder why UDP sessions work this way. The answer lies in network programming: when an application needs to communicate using UDP, it binds to a local IP and port. After the binding, that socket can send to and receive from any server IP and port pair. In other words, all the packets from or to the local IP and port belong to the same UDP-based application.
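As an added illustration (not from the original post), the following Python groups a constructed packet list into sessions the way the text describes: TCP by the bidirectional 5-tuple, UDP by the client IP and port alone, taking the sender of the first packet as the client. The assumed `naive_udp_sessions` helper shows how keying UDP on the 5-tuple splits one client socket's traffic into several bogus sessions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def five_tuple_key(p):
    # Bidirectional 5-tuple: sort the two endpoints so that request and reply
    # packets land in the same bucket. Correct for TCP; wrong for UDP.
    ends = sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])
    return (p.proto, ends[0], ends[1])

def group_sessions(packets):
    """Group packets into sessions: TCP by 5-tuple, UDP by client IP:port."""
    sessions = defaultdict(list)
    udp_clients = set()   # client sockets seen so far (first sender is the client)
    for p in packets:
        if p.proto == "tcp":
            key = five_tuple_key(p)
        else:
            src, dst = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
            if src in udp_clients:
                key = ("udp", src)
            elif dst in udp_clients:
                key = ("udp", dst)
            else:                  # first packet of a new UDP session: sender is client
                udp_clients.add(src)
                key = ("udp", src)
        sessions[key].append(p)
    return dict(sessions)

def naive_udp_sessions(packets):
    """The mistaken approach: treat UDP like TCP and key on the 5-tuple."""
    return {five_tuple_key(p) for p in packets if p.proto == "udp"}

# Constructed sample capture: one client UDP socket queries two DNS servers,
# plus two TCP connections to the same HTTPS server (addresses are made up).
SAMPLE = [
    Packet("udp", "10.0.0.5", 53412, "8.8.8.8", 53),
    Packet("udp", "8.8.8.8", 53, "10.0.0.5", 53412),
    Packet("udp", "10.0.0.5", 53412, "1.1.1.1", 53),
    Packet("udp", "1.1.1.1", 53, "10.0.0.5", 53412),
    Packet("tcp", "10.0.0.5", 40001, "198.51.100.7", 443),
    Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 40001),
    Packet("tcp", "10.0.0.5", 40002, "198.51.100.7", 443),
]
```

Running `group_sessions(SAMPLE)` yields one UDP session holding all four DNS packets and two TCP sessions, whereas `naive_udp_sessions(SAMPLE)` splits the same UDP traffic into two buckets.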

With this understanding, let's look at two network scenarios.

