
Wednesday, May 18, 2011

What To Do When Logs Don’t Help: New Whitepaper

Here is a hard problem: you MUST log, but there are no logs to enable. Or, what is no less common, logs are so abysmal that they don’t help – and don’t fit the regulatory mold (example: PCI DSS Requirements 10.2 and 10.3). Or, logs are “out there in the cloud” and you cannot get them, but compliance is here and requires them.

What to do?

The answer to this eternal question is in my new whitepaper that I have written for Observe-IT (observeit-sys.com).

Executive summary:

This paper covers the critical challenges of implementing PCI DSS controls and suggests creative solutions for related compliance and security issues. Specifically, the hard problem of security monitoring and log review in cloud, legacy, and custom application environments is discussed in depth. Additionally, clarification of key PCI DSS compensating controls is provided. This paper will help you satisfy the regulatory requirements and improve the security of your sensitive and regulated data.

Short version [PDF] (5 pages)

Extended version [PDF] (13 pages)

As usual, the vendor was paying the bill, but the thinking and research are all mine (SecurityWarrior Consulting).

Enjoy!


Wednesday, February 09, 2011

The Honeynet Project Releases New Tool: PhoneyC

    As promised, I will be reposting some of the cool new announcements from The Honeynet Project here on my blog since I now serve as the Project’s Chief PR Officer.

    Here is one more: a release of a new tool called PhoneyC, a virtual client honeypot.

    PhoneyC is a virtual client honeypot, meaning it is not a real application (that can be compromised by attackers and then monitored for analysis of attacker behavior), but rather an emulated client, implemented in Python. The main thing it does is scour web pages looking for those that attack the browser.

    It can be run, for example, as: $ python phoneyc.py -v www.google.com

    By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.

    Download version 0.1 (a contained readme contains installation instructions) here: phoneyc_v0_1_rev1631.tar_.gz

    v0.1 feature highlights include:

    * Interpretation of useful HTML tags for remote links
        - hrefs, imgs, etc.
        - iframes, frames, etc.
    * Interpretation of scripting languages
        - JavaScript (through SpiderMonkey)
        - supports deobfuscation, remote script sources
    * ActiveX vulnerability "modules" for exploit detection
    * Shellcode detection and analysis (through libemu)
    * Heap spray detection

    PhoneyC is hosted on http://code.google.com/p/phoneyc/ from which the newest development version can be obtained via SVN. For any issues turn to the Google Group dedicated to the project: http://groups.google.com/group/phoneyc.
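To make the first pass of a client honeypot concrete, here is a small added Python example (my own illustration, not PhoneyC's code and not from the Honeynet Project). It does the two simplest jobs from the feature list above: it collects the remote references a browser would follow (hrefs, imgs, iframes, frames, script sources) and applies two detection heuristics, a zero-size or display:none frame and a string that is doubled in a loop starting from an unescape()'d %u sequence. The sample pages, the regular expressions and the indicator wording are assumptions I constructed for the demo; PhoneyC itself reaches the same kind of verdict by actually executing the JavaScript (SpiderMonkey) and checking the resulting buffers with libemu, not by pattern matching.

```python
"""Toy first-pass scanner in the spirit of a client honeypot (added example).

Extracts remote references from a page and flags two simple indicators:
a hidden frame and a loop that grows an unescape()'d string by doubling it.
The patterns below are constructed heuristics, not PhoneyC's rules.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Tags whose attribute names a remote resource the client would fetch.
REMOTE_ATTRS = {"a": "href", "img": "src", "iframe": "src",
                "frame": "src", "script": "src"}

# Heuristic: a variable appended to itself ("s += s" or "s = s + s").
SELF_APPEND = re.compile(r"\b(\w+)\s*(?:\+=\s*\1|=\s*\1\s*\+\s*\1)\b")
# Heuristic: unescape() of a run of %uXXXX units (a classic spray seed).
UNESCAPE_RUN = re.compile(r"unescape\(\s*['\"](?:%u[0-9a-fA-F]{4}){2,}")
LOOP = re.compile(r"\b(?:while|for)\b")

# Constructed sample pages (not real sites) used by main() and the tests.
SUSPICIOUS_PAGE = """<html><body>
<a href="/about.html">About</a>
<img src="http://example.com/logo.png">
<iframe src="http://example.com/frame.html" width="0" height="0"></iframe>
<script src="/static/app.js"></script>
<script>
var s = unescape("%u4141%u4141");
while (s.length < 0x40000) { s += s; }
</script>
</body></html>"""

BENIGN_PAGE = """<html><body>
<a href="/about.html">About</a><img src="logo.png">
<script>var n = 0; for (var i = 0; i < 3; i++) { n += i; }</script>
</body></html>"""


def _is_hidden(attrs):
    """True for zero-size frames or frames hidden through inline CSS."""
    def dim(value):
        try:
            return float(str(value).rstrip("px%"))
        except (TypeError, ValueError):
            return None
    if dim(attrs.get("width")) == 0 or dim(attrs.get("height")) == 0:
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class PageScanner(HTMLParser):
    """Collects remote links and runs the script heuristics on inline code."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []       # (tag, absolute URL)
        self.findings = []    # human-readable indicator strings
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = REMOTE_ATTRS.get(tag)
        if attr and a.get(attr):
            self.links.append((tag, urljoin(self.base_url, a[attr])))
        if tag in ("iframe", "frame") and _is_hidden(a):
            self.findings.append(f"hidden {tag} -> {a.get('src', '?')}")
        if tag == "script" and not a.get("src"):
            self._in_script = True  # inline script: buffer its body

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._check_script("".join(self._script_buf))
            self._script_buf = []

    def _check_script(self, code):
        doubling = SELF_APPEND.search(code)
        if not (doubling and LOOP.search(code)):
            return
        if UNESCAPE_RUN.search(code):
            self.findings.append(
                f"possible heap spray: '{doubling.group(1)}' doubled in a "
                "loop from an unescape()'d %u string")
        else:
            self.findings.append(
                f"string '{doubling.group(1)}' grown by self-append (review)")


def scan_page(html, base_url):
    """Return the remote references and indicator findings for one page."""
    scanner = PageScanner(base_url)
    scanner.feed(html)
    scanner.close()
    return {"links": scanner.links, "findings": scanner.findings}


if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        result = scan_page(page, "http://example.com/index.html")
        print(name, result["links"], result["findings"])
```

Feeding a real page into scan_page() gives you the crawl frontier (the links a browser would have followed) and a short list of indicators worth a closer look; it is deliberately a triage step, since a regex cannot see through the deobfuscation that PhoneyC handles by running the script.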


Dr Anton Chuvakin