5 min
SIEM
5 Ways Attackers Can Evade a SIEM
I've been in love with the idea of a SIEM since I was a system administrator.
My first Real Job™ was helping run a Linux-based network for a public
university. We were open source nuts, and this network was our playground.
Things did not always work as intended. Servers crashed, performance was
occasionally iffy on the fileserver and the network, and we were often
responding to outages.
Of course, we had tools to alert us when outages were going on. I
5 min
IT Ops
Analysing Hystrix metrics with Logentries
We've been using Hystrix in production here at Logentries for over a year now [shameless plug: I briefly talked about this at a Clojure Ireland meetup recently :)] and have found it useful not only for bulkheading requests, but for getting fine-grained metrics for internal API calls.
Netflix has also open-sourced a funky dashbo
1 min
Nexpose
Configuring the SNMP request timeout
The SNMP protocol is very common, has many implementations and is deployed in
diverse networks. In some cases it responds very promptly, in others it is
relatively slow to respond. We found that in some environments a 1 second
request timeout was insufficient, so in Nexpose 6.1.1 we have changed the
default to 3 seconds in order to improve the service and related vulnerability
detection.
This, however, can have a major impact on scan times on port 161 and may not be
desirable on networks with l
5 min
Rapid7 Culture
Rapid7 Belfast Office First Hackathon!
What an exciting year 2015 has been to work at Rapid7! We had our IPO and made
two awesome acquisitions in NT OBJECTives (NTO) and Logentries. Another of the
many notable events that have occurred over the past 18 – 24 months has been the
growth seen in the size of the products team. At the core of this expansion has
been the Belfast R & D office, which has now been established for almost 2
years. Leonardo da Vinci said, “One shall be born from small beginnings which
rapidly become vast.” This
12 min
Apple
Reduced Annoyances and Increased Security on iOS 9: A Win Win!
Introduction
Early this year, I posted an article
on iOS Hardening that used animated GIFs to explain most of the recommended
settings.
Since then, iOS 9 was released, bringing along many new features, including better support for Two-Factor Authentication, as iMessage and FaceTime now work without the need for app-specific passwords, and as your trusted devices now automatically get trusted when you authentic
4 min
IT Ops
Introducing LEQL: percentile() & median
While analyzing data, it’s important to use a variety of calculations to ensure
you get the best insights. Today, we’re excited to announce the availability of
our two newest LEQL functions: percentile() and median.
percentile() allows you to calculate the value below which a given percentage
of your log entries fall. To use a real-world example: what was the longest
response time seen by 95% of my application's users? Similarly, median (the 50th
percentile) gives you the middle number in a s
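As an added example (not code from the original post, and not Logentries' LEQL implementation), here is how the two statistics can be computed over a handful of constructed web-server log lines. The page does not say which percentile definition LEQL uses; this block uses the nearest-rank definition, and the sample is chosen so that the nearest-rank 50th percentile and the median come out slightly different.

```python
import math
import re
from typing import Dict, List

# Constructed sample log lines for this example (not real Logentries data):
# one HTTP request per line, with the response time as response_ms=<int>.
SAMPLE_LOG = """\
2015-11-20T10:00:01Z GET /api/users status=200 response_ms=120
2015-11-20T10:00:02Z GET /api/users status=200 response_ms=95
2015-11-20T10:00:02Z POST /api/login status=200 response_ms=340
2015-11-20T10:00:03Z GET /api/items status=200 response_ms=110
2015-11-20T10:00:04Z GET /api/items status=500 response_ms=2100
2015-11-20T10:00:05Z GET /api/users status=200 response_ms=130
2015-11-20T10:00:06Z GET /api/search status=200 response_ms=870
2015-11-20T10:00:07Z GET /api/users status=200 response_ms=101
2015-11-20T10:00:08Z GET /api/items status=200 response_ms=115
2015-11-20T10:00:09Z POST /api/login status=200 response_ms=290
"""

RESPONSE_MS = re.compile(r"\bresponse_ms=(\d+)\b")


def extract_response_times(log_text: str) -> List[int]:
    """Pull every response_ms value out of the log; lines without one are skipped."""
    times = []
    for line in log_text.splitlines():
        match = RESPONSE_MS.search(line)
        if match:
            times.append(int(match.group(1)))
    return times


def percentile(values: List[int], p: int) -> int:
    """Nearest-rank percentile: the smallest observed value such that at least
    p% of all values are less than or equal to it. p is an integer in 1..100 and
    the rank is computed as ceil(p * n / 100) so the arithmetic stays exact."""
    if not values:
        raise ValueError("percentile of an empty sample is undefined")
    if not 1 <= p <= 100:
        raise ValueError("p must be between 1 and 100")
    ordered = sorted(values)
    rank = math.ceil(p * len(ordered) / 100)  # 1-based rank into the sorted sample
    return ordered[rank - 1]


def median(values: List[int]) -> float:
    """Middle value of the sorted sample; for an even count, the mean of the two middle values."""
    if not values:
        raise ValueError("median of an empty sample is undefined")
    ordered = sorted(values)
    n = len(ordered)
    mid = n // 2
    if n % 2 == 1:
        return float(ordered[mid])
    return (ordered[mid - 1] + ordered[mid]) / 2


def summarize(log_text: str) -> Dict[str, float]:
    """Answer the post's question for a log: what was the longest response time
    that 50%, 90% and 95% of requests stayed within, plus the median."""
    times = extract_response_times(log_text)
    return {
        "count": len(times),
        "p50": percentile(times, 50),
        "p90": percentile(times, 90),
        "p95": percentile(times, 95),
        "median": median(times),
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

On this ten-line sample the nearest-rank 50th percentile is 120 while the median is 125.0, because the median averages the two middle values of an even-sized sample and nearest-rank never invents a value that was not observed. Note also that with only ten requests the 95th percentile is simply the single slowest request (the 2100 ms error); high percentiles need a reasonably large window before they stop jumping around with every outlier.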
4 min
Vulnerability Management
How Adaptive Security fits into your Vulnerability Management Program
Building an Application Vulnerability Management Program, found in the SANS Institute Reading Room (https://www.sans.org/reading-room/whitepapers/application/building-application-vulnerability-management-program-35297), identifies vulnerability program management as a cyclical process involving the following steps:
* Policy
* Discovery and Baseline
* Prioritization
* Shielding and Mitigation
* Eliminating the Root Cause
* Monitoring
While the use of Nexpose applies to several of these
4 min
IoT
The Internet of Gas Station Tank Gauges -- Take #2
In January 2015, Rapid7 worked with Jack Chadowitz and published research
related to Automated Tank
Gauges (ATGs) and their exposure on the public Internet. This past September,
Jack reached out to us again, this time with a slightly different request. The
goal was to reassess the exposure of these devices and see if the exposure had
changed, and if so, how and why, but also to see if there were other ways of
identifying potentially exposed
2 min
Authentication
Understanding User Behavior Analytics
Hey everyone! I'm pleased to announce that we've put together another pretty fun research report in the not-terribly-secret overground labs here at Rapid7: Understanding User Behavior Analytics. You can download it over here.
Modern enterprise breaches tend to make heavy use of misbehaving user accounts.
Not the users -- the people typing at keyboards or poking at their smartphones
-- but user accounts.
2 min
CIS Controls
Use DHCP Discovery to Implement Critical Security Control 1
The number one critical security control from the Center for Internet Security
recommends actively managing all hardware devices on the network:
CSC 1: Inventory of Authorized and Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the
network so that only authorized devices are given access, and unauthorized and
unmanaged devices are found and prevented from gaining access.
http://www.cisecurity.org/critical-controls.cfm
Here are some of the reasons y
3 min
Exploits
What is SQL Injection?
SQL Injection is one of the oldest and most embarrassing vulnerabilities
web-enabled code faces. It is so old that there really is no excuse for only a niche of people
(namely web security professionals) to understand how it works. Every time I
think we've beat this topic to death, SQL Injection finds its way back into the
news. This post is my attempt to help anyone and everyone understand how it
works and why it's such a persist
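The mechanism the post sets out to explain, as an added example that is not code from the original post: a login check that builds its SQL by string formatting, beside the same check with bound parameters. The users table, the accounts and the payload are constructed for the demo, and the database is an in-memory SQLite instance so the block runs offline.

```python
import sqlite3
from typing import Dict

# Constructed demo data for this example, not from any real application.
# Passwords are stored in clear text only to keep the injection visible;
# a real system stores a salted hash and compares it in application code.
DEMO_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]


def setup_db() -> sqlite3.Connection:
    """In-memory SQLite database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", DEMO_USERS)
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE: user input is spliced straight into the SQL text, so the
    database cannot tell where the data ends and the query resumes."""
    query = (
        "SELECT id FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """HARDENED: the query text is fixed; values travel separately as bound
    parameters, so a quote in the input is just a character in a string."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demonstrate() -> Dict[str, bool]:
    """Run the same inputs through both versions. The payload turns the
    WHERE clause into   username = 'nobody' AND password = '' OR '1'='1'
    which is true for every row, so the vulnerable version lets 'nobody' in."""
    conn = setup_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_valid_creds": vulnerable_login(conn, "alice", "correct horse battery staple"),
        "vulnerable_wrong_password": vulnerable_login(conn, "alice", "wrong"),
        "vulnerable_injected": vulnerable_login(conn, "nobody", payload),
        "safe_valid_creds": safe_login(conn, "alice", "correct horse battery staple"),
        "safe_injected": safe_login(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for case, logged_in in demonstrate().items():
        print(f"{case}: {'logged in' if logged_in else 'rejected'}")
```

The payload's leading single quote closes the string literal the developer opened, and everything after it is parsed as SQL rather than as a password. Escaping quotes narrows the problem but keeps data and code in the same channel; bound parameters remove the channel entirely, which is why they, not input filtering, are the fix.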
2 min
Nexpose
Changes to OVAL in Nexpose 6.0.6
Rapid7 has made it a priority to support security industry standards, including
the Open Vulnerability and Assessment Language (OVAL). Those of you who use
Nexpose to measure policy compliance, either by using the built-in CIS, DISA,
and USGCB policies, or by writing your own custom policies, are using OVAL for
these policies.
A decision by the National Institute of Standards and Technology (NIST) has made
it necessary for us to make changes in our OVAL implementation. These changes
affect po
2 min
Nexpose
Update Tuesday, November 2015
November sees a mix of remote code execution and elevation of privilege
vulnerabilities enabling an attacker to gain the same rights as the user when
the victim opens specially crafted content, such as a webpage, journal file or
document containing embedded fonts. These vulnerabilities affect Internet
Explorer (7 and onwards), Edge, and Windows (Vista and onwards). It is
advisable for users and administrators to patch the affected platforms.
Microsoft includes 12 security bulletins, a third of
1 min
Verizon DBIR
Getting Started with VERIS
We did a webcast with @hrbrmstr and @gdbassett from the Verizon team last week,
discussing how to get started with VERIS, the Vocabulary for Event Recording and
Incident Sharing.
If you joined us, thanks for coming out. We've attached an Excel spreadsheet
with a couple of examples to help you get started at VERIS level 2, a couple of
layouts to consider using... and we will be providing some updates. Special
thanks to Judy Nowak for her hard work on the spreadsheet -- be looking for a
blog post from her
4 min
Replacing Pedantry with Positive Interaction
The recent vBulletin hack is the most recent case of a compromise being labeled
as a ‘sophisticated attack.' Predictably, the internet exploded with people
complaining about this label, stating that it was just SQL Injection. The same
thing occurred with the news of the TalkTalk breach. Before that, the
Playstation Network breach comes to mind, although there have surely been many
in between. I will issue my mea culpa right now. I have publicly blasted
people for this in the past. But today I