February 28, 2006

AfterGlow 1.2 and Pinning Nodes

Category: Visualization — Raffael Marty @ 1:18 pm

While working on some firewall log analysis, I started working on AfterGlow 1.2, which is going to have the capability to turn of the node labels on a per node type basis. In addition, if you turn the labels off, the node also becomes much smaller.

But what was really interesting is that while I was browsing the man pages for graphviz, I discovered that fdp has a node attribute called pin. This got me quite excited. If pin is true, that node will remain at its initial position. Don’t ask me how that would work in reality? What is the initial position? How do you define that? Not sure, but I’ll figure it out. This would get me closer to the animated graphs!

Digging a bit deaper in the graphviz documentation, I realized that neato can also pin a node, by adding a ! to the pos argument of a node:
node [ pos = "2,2!" ];

To solve the animation, one probably has to generate a graph with the -Tplain option, then get the x and y coordinates (second and third argument to the node entries) of the graph and use them as input for the next graph.

February 21, 2006

AfterGlow 2.0

Category: Visualization — Raffael Marty @ 5:32 am

I just released AfterGlow 2.0. In addition, I released AfterGlow 1.1.6, a bug fix release to the 1.x releases.

The new release is AfterGlow 2.0, which is no more written in Perl, but in Java. It generates a new kind of graph output. Whereas AfterGlow 1.x generates link graphs, AfterGlow 2.0 generates TreeMaps.

This afternoon I will be talking at the EuSecWest 2006 Conference in London. The topic is “Visual Security Event Analysis” (what else ;)). The presentation has quite a lot of examples on how you can use both AfterGlow 1.x and AfterGlow 2.0.

I am looking forward hearing back from you with screenshots and use-cases of how you are using graphs to do security analysis.

AfterGlow 2.0 Output

February 18, 2006

Intrusion Detection Systems in 2006

Category: Uncategorized — Raffael Marty @ 12:32 pm

Can you tell that I was travelling again? Gives me a chance to catch up with the security magazines that pile up on my desk. And I keep getting disappointed. Well, there were a couple of good articles I read. One from Ed Skoudis about how to secure yourself against spyware. But most of the articles are horrible.

The first thing I found is in the Information Security Magazine. Somebody had a comment about Ed Skoudis and Mike Poor’s article on “IPS: Reloaded”. This person claims that in the old world, IDSs signatures had to be tuned, but in the new world of IPSs, that’s not necessary anymore. In his words: “IPS should not be judged with old IDS standards”. So what does this guy think IPSs do different than IDSs? Do you really think that for example the CISCO IPS is a completely new product and is not based on the old CISCO IDS code at all? What about all the other IPSs? I can guarantee you that you will have to spend as much time (if not more) to tune IPS signatures as you had to spend tuning your IDS. If IPS really had the magic sauce, why would IDSs not adopt that? Forget it!

In fact, this brings me to another thought that I had while I was walking the floor at the RSA conference in San Jose this week. There are all these new companies that I have never heard of. They are presenting solutions for all kinds of problems, ranging from insider threat detection to identity management. I spent quite some time trying to understand what they are doing. What I have seen is quite disappointing. Take an insider threat management company and check what they are doing. Well, they can detect credit card records on the wire, alert you on transmissions of social security numbers (SSN) or patient health records. Sounds great. But do you know what they are doing? Right. They basically take a NIDS sensor, apply some signatures which look for SSNs or credit card numbers. In fact, one of the companies showed me their signature definition and this is what you had to enter to detect an SSN:


Wow! Have they ever heard of regular expressions? What about:


This was not their worst example! Anyways. My point is that there are all these new companies that claim amazing technology, but if you look under the hood, you realize that we had the technology for YEARS! Refurbish your NIDS and you are in great shape! Why have the NIDS vendors not jumped on the wagon? I don’t know. By the way, it’s not just the insider threat companies, but also other companies. One of them sniffs the wire and decodes all kinds of application protocols to attribute user identities to IP transactions. Again, I can solve the same problem with a Sniffer. I don’t even need a NIDS for that! [Believe me, I have tried it!]

Granted, there are some new and cools things. For example companies that let you register documents and then they detect them on the wire in any variation. For example, I register my word document. Now if someone takes the document and takes a pragraph out of it or pastes it into Excel, they are still capable of detecting that the document is on the wire. That’s pretty cool!

AfterGlow 2.0

Category: Uncategorized — Raffael Marty @ 12:31 pm

I am on my way to EuSecWest 2006 in London. The big news is that I will be releasing AfterGlow 2.0. It’s a complete rewrite (really a new version) that supports the generation of TreeMaps, if you feed it a CSV file. For now Version 1.1.6 of AfterGlow will be kept concurrent to the 2.0 release. Version 3.0 will compine the capabilities of the two so that the Java version is going to be able to output not just TreeMaps, but also LinkGraphs.

Information Security Products of the Year 2006

Category: Uncategorized — Raffael Marty @ 12:30 pm

I guess the information security magazine can look into the future. They already have their product awards out for the year 2006. Reading through the different categories, I found some really strange awards. Not that I am well versed in any of the categories they awarded, but some of the choices strike me as strange: For example in the intrusion detection category, gold went to the eTrust IDS, silver to Symantec’s Intruder Alert and bronze to the ISS RealSecure Network Sensor. I never even heard of the eTrust IDS. You know what? They have one category for HIDS and NIDS. Does that make sense? Strange. I don’t get it. And again, I never heard of the eTrust IDS. And why is SourceFire or Enterasys or NFR or any of the traditional IDSs not in the list? Have you read the latest NSS report on IDSs? Why do these awards not at all match up with that report?

Then in the vulnerability scanner category, Foundstone won gold, Symantec won silver and ISS won bronze. What’s up with that? Symantec has a silver-style product for vulnerability scanning? Where is Qualys? Where is nCircle? Well, I am confused.

Good Articles

Category: Security Article Reviews — Raffael Marty @ 12:29 pm

I guess I have a tendency to write about negative articles more than about good ones. Lemme try to counterbalance this. A couple of years ago I met a gentleman called John McCumber at a DHS workshop. Very nice guy. We had some good discussions. Shortly after meeting him, I realized that he is a frequent author of articles in security magazines. I keep reading his articles and I have to say, I like them. They are generally very entertaining. He usually talks about something that happend to him in his daily life and translates that to the security world. If you have a chance read one of his articles.

ISSA: 12 Step Security Program for Small and Medium Businesses

Category: Security Article Reviews — Raffael Marty @ 12:28 pm

This guy lists 12 steps in his article about how to approach a security program. I did not read all the twelve steps, but I found the one that’s of interest to me: “Step 8: Log reporting”. I started reading the paragraph and well, you bet, I have some comments:

“Management should know where the users are going, what type of bandwidth is being used, and who is hacking into your sites.”

Do you really believe that management is interested in where every user is going and what type of bandwidth they are using? I think they have better things to do. What about deifning a policy that clearly states what employees are allowed to do, what sites are off limit and what applications are prohibited (such as file sharing)? Then you monitor the traffic and figure out who is in violation of this. That’s the report that I as a manager would be interested in. I don’t have the time to interpret log files or reports and figure out what happened. Have machines do the work for me and give me the distilled information!


Category: Log Analysis — Raffael Marty @ 12:27 pm

A horrible acronym. I know. We had a working session during the RSA conference to talk about XCCDF-P. For those not familiar with XCCDF, it has to do with policy definitions and uses OVAL to implement the checks.

XCCDF-P (which will hopefully get renamed pretty soon to something else, and hopefully not to CPN (Common Platform Names) [We already have CVE, CME, and CCE]) is an effort to standardize platform names. What’s the problem? Well, if I have two scanners analyzing a system of mine, one of them might report that I am running a “Windows 2000”, the other one might say “Win2K”. This is really the same, but how would a machine know? That’s where the standard is trying to clean things up. You wouldn’t belive how much discussion this topic actually involves. We met for about an hour and had plenty of things to discuss, not even closely getting to an agreed-upon solution. However, the problem is defined and we all agreed upon the the necessity to solve the problem! Stay put for an update soon and hopefully a quick turn around with a solution draft.