LOGbinder Blog

Updates, Tips and News   RSS Feed  

We need your help!

Tue, 26 May 2015 14:57:26 GMT

Microsoft recently announced huge new advances in their upcoming Office 2016 products, both for cloud and on-premise versions. With these announcements came an invitation to participate in one of their software previews. The new features may allow us to deliver even better solutions for LOGbinder customers, particularly those who have (or are considering) hybrid installations of Microsoft’s enterprise software.

We want to get access to these new features immediately and could use your help to do so. Microsoft will give priority to those developers whose customers raise awareness. Therefore, it would a great help to us if you could submit your name in support of LOGbinder to receive admission into the Office 365 Management API Preview. If you want to help us out, look for the field “If you are a customer, which ISV partner are you working with?” We would really appreciate the support! The last time we asked for this kind of help it really got Microsoft’s attention. We’re listed in their system by our parent company name Monterey Technology Group, Inc. who is behind LOGbinder software. Thanks in advance!

Application security audit use-cases often demand middleware

Tue, 26 May 2015 14:57:15 GMT

No SIEM can deliver the security event data from Exchange, SharePoint and SQL Server without middleware. It’s not the SIEM’s job to address the complexities involved in collecting and translating that event data. It’s certainly not the SIEM’s fault that it needs LOGbinder to bridge the gap between the applications and a log management solution.

Some security analysts tell us that while monitoring the security events from inside the application is vital, they don’t include middleware in the initial budget because they didn’t know it was needed! This is not good. The word still needs to get around. Include LOGbinder in the initial scope when evaluating a SIEM. See here for the list of SIEMs integrated with LOGbinder software.

We hear from security analysts just about every day, from countries all over the globe. Most have found LOGbinder to be, not merely the only solution for solving their huge application security log delivery problem, but a welcomed source of added value to the mundane application security audit collection process. The cost savings associated with manual application security audit inspections and the risk mitigation more than cover the expense.

Sustainable Application Security Auditing

Tue, 26 May 2015 14:57:01 GMT

For many organizations, it is just about impossible to stay on top of all the changes that would affect application security audit policy enforcement. For example, how does an organization make sure Exchange mailbox security audit is adjusted on the mailbox of employees whose job changes (such as during a promotion)? Doing it now is hard enough, but what about as the organization grows or merges or acquires organizations? Security analysts generally have no such visibility into those type of HR events when they happen, if ever. It’s a killer problem. And that’s just for Exchange. Don’t get your people started talking about SharePoint!

Your application security event collection solution must be able to dynamically grow and change with your organization. No solution on earth is a true problem solver if it can’t keep up with the organization, if it can’t enforce the proper audit policy – on the precise object, at the appropriate time – without manual interventions.

LOGbinder software delivers sustainable application security auditing. We make automatic audit policy enforcement possible by site collection in SharePoint and by OU or group in Exchange. LOGbinder brings far greater value to organizations because it has automatic audit policy simply built-in. But more than that, we make it feasible for organizations of any size (who have a SIEM) to solve the huge complexities of security auditing of Exchange, SharePoint and SQL Server – simply, easily, and affordably. And our innovations continue to advance.

Drop us a line to start your own dialog about an application security intelligence solution for Exchange, SharePoint, SQL Server and Windows Event Forwarding.

SuperCharger for Windows Event Forwarding and LOGbinder updates

Fri, 24 Apr 2015 15:05:59 GMT

We write this month's newsletter from the bowels of the RSA Conference 2015. We met many fans and had some great conversations with the security industry’s movers and shakers. And with Microsoft’s big announcements about Exchange and SharePoint Online, and Azure AD API, we will be releasing new products to leverage that huge technology boon for security analysts. But there’s even bigger news than that. Which brings us to…

Windows Event Forwarding you can actually use for your SIEM

In a stock SIEM, organizations with 100s or 1000s of windows systems to monitor have 2 options. They can to poll each one as frequently as possible and deal with all the security, networking and bandwidth headaches that come with that effort. If not that painful scenario, the other option is to fight with server admins to put agents on their systems and struggle to keep those agents healthy, up-to-date, and sending events.

There is another way to do it that takes all those problems and kicks them to the curb. Windows Event Forwarding (WEF) requires no agents, no in-bound connections, no polling-- you eliminate all the problems with collecting Windows Events. Instead, you just tell all those Windows systems to send the important events, leaving noise behind, over a secure and resilient channel using the Windows Event code already baked into Windows.

But, (and there’s always a “but”) Windows Event Forwarding is just a foundation technology:

  • There are many disparate components to understand. Components that all need proper configuration. If one of them is wrong, you have no indication of that fact, much less why.
  • The other pain point is that while WEF can filter the noise at the source, for the ultimate in signal-to-noise efficiency ratio, somebody has to define the filters. Filtering requires both expert knowledge of the Windows Security log and the ability to codify that knowledge to the extremely arcane language used in those filters.

So, into that maelstrom of challenges LOGbinder introduces a new product that will eliminate all the pain points associated with getting Windows event logs where they belong – the SIEM. We're calling the software LOGbinder SuperCharger for Windows Event Collection. With it, we are finally making WEF easy and manageable. WEF is gold, but very few organizations are able to leverage it. LOGbinder is going make WEF accessible to everybody-- and FREE to small businesses!

You are going to love our new product.

LOGbinder announced updates to all 3 existing products. Again. And changed their names.

Some of the LOGbinder team were at RSA Conference 2015 this week in San Francisco, California, where we distributed news of our newest software updates. There were 3 main points to the release:

  1. The big news on the update front is that LOGbinder for SQL Server 2.5 brings compatibility with SQL Server 2014 and has some new events because of this compatibility. It also adds LEEF output as an option for IBM QRadar customers.
  2. Automatic mailbox audit policy configuration is a new feature introduced to LOGbinder for Exchange 3.0. This is very big news indeed for security analysts who need to monitor Exchange servers.
  3. We changed the products' name.

Existing LOGbinder customers who have current maintenance contracts will receive these major updates at no additional cost! To get the details about the new features, including a major benefit of the new mailbox audit policy configuration tool, read our news release here.

We have made a number of improvements to our software just over the last 12 months or so, which adds tremendous value to customers who purchase a support and maintenance contract.

Cloud security audit intelligence solutions

For a long time we have noticed that organizations give up a lot of security control when going to the cloud. This week Microsoft announced they were making it possible to get security audit intelligence from their cloud applications Exchange, SharePoint and even Azure AD. This is great news for just about everybody! This is something that had to happen. We think it is very significant and will move a lot of people to move to the cloud. We have been expecting this and are already developing a suite of LOGbinder solutions to leverage this technology. LOGbinder customer will be able to keep even their cloud applications under the eye of their SIEM! Look for it before the end of 2015.

Here's the relevant text from the Microsoft release from FierceCIO

To further boost transparency, Microsoft also announced a new Management Activity API to deliver a greater level of security and compliance monitoring within Office 365. Currently in preview, the RESTful API lets enterprises gain access to more than 150 types of transactions through third-party web services or in-house apps for auditing and compliance purposes. Supported services are SharePoint Online, Exchange Online and Azure Active Directory at the moment, though Microsoft says more services will be added in the future.

No; Thank You

During the RSA Conference, it was clear that LOGbinder sits in a good place in the security intelligence market. It is a small company with a lot of very happy customers who love that we solve their problem with application security intelligence. We lost count of the people who stopped by the booth and told us, “Thank you for what you do!” It was humbling, to be honest. It made us feel good. So we want to say to you what we said to the people at the booth this week. Thank You for the support and the incentive to raise the bar for application security intelligence. We take your security seriously, and work very hard to be a part of the solution. We remain grateful for the opportunity.

Syslog TCP survey and the Public Beta Program

Fri, 20 Mar 2015 15:34:12 GMT

We need some input from you about pushing our data to SIEM via Syslog. As you know, while we support Syslog UDP forwarding (also file outputs for both Syslog CEF and Syslog LEEF), LOGbinder does not currently support Syslog TCP output.

The questions we need your help to answer are:

  • Would you use Syslog over TCP?
  • Do you currently consume any encrypted syslog feeds with your SEIM? Which variation of syslog do you use? TLS, syslog-ng? Please be as specific as possible.

The reason we ask is that to develop Syslog over TCP raises some complicated issues that we would have to get right. What we do with the output when the TCP receiver goes down? We can’t just save up the data-- for a number of security, storage and logistical reasons. So we anticipate Syslog over TCP to allow a 2nd destination address. If both destinations are down our software would have to fail.

Another issue, perhaps a more complicated one, is the encryption of the Syslog TCP transmission, since there is no “standard” for TCP broadcast encryption. LOGbinder works with any SIEM, so you can understand our dilemma. Do we support Syslog over TLS, syslog-ng or what? And how “standard” are those implementations?

To date we’ve not had a serious request to include Syslog over TCP or encryption. We've had inquiries over the years, but in each case, when it came down to it, customers much preferred Syslog file output. Syslog over TCP has been one of those things people ask us about, but seem to have no strong feelings for. Recently the number of inquiries about Syslog over TCP has increased but we can’t tell how serious they are

We'd love to hear from our readers about this. What are your thoughts about pushing our events to SIEM via Syslog over TCP? Is it necessary? What is your experience with the various flavors of Syslog via TCP encryption?

If you wish to help us out with this topic, email Queries@LOGbinder.com. Please include the following information:

  • your current SIEM or SIEMs (and planned, if different),
  • tell us if you are a current LOGbinder customer (or VAR), and which product(s),
  • what outputs are used and/or recommended (in ranking order),
  • Answer: Is Syslog over TCP output necessary, would you prefer having over current output options, (yes, no, perhaps) and if yes (or perhaps), which encryption method.
  • any other important stuff “on topic” you want us to know.

Send email to queries at LOGbinder dot com. We really appreciate the help!

Customer feedback led to an improved product (again)

We are fortunate enough to have customers who give us feedback. We use that feedback to improve the product for everybody. A case in point from last week: One of our enterprise products was missing a critical field element when reporting 2 events. Our lab testing missed it. But a customer discovered the problem using our beta version, and within 24 hours we released an update to the beta version that fixed it!

The LOGbinder software public beta program

Our beta program has historically been a private affair for select customers. We are happy to announce that we are making our newest software available for anybody who wants to participate in the LOGbinder Software Beta Program. Simply browse to our website's Resources page then click on Version History, choosing the product you wish to evaluate. A direct link is here: https://www.logbinder.com/support/history. This page provides an excellent window into the value that support and maintenance contracts add to your licensed LOGbinder software.

Webinar: “SharePoint Defense-In-Depth Monitoring: What to Watch at the App, DB and OS Level – and How?”

Many organizations have made good progress with implementing SIEMs but remain on the bottom rung of the SIEM maturity model because they are only seeing security activity at the lowest layer: the operating system and network. Most information theft takes place at the higher layers of database and application. So why are we still so blind at those levels?

SharePoint is a great example of this dilemma because it is a high-level application with a large attack surface. Bad guys can target SharePoint at 4 levels: Application, Web server, Database and Operating system level. Which levels would your SIEM alert you to right now?Which levels do you have no clue about if you are under attack right now?

In this webinar Randy Franklin Smith will:

  • explore all 4 auditing levels of SharePoint,
  • show you how to enable auditing,
  • show which events you should be monitoring, and
  • show how to get that information into your SIEM – where it belongs.

This will be great information for security analysts who need to make the case for SharePoint security. LOGbinder is proud to sponsor this webinar.

Don't miss this Real Training For Free ™ event. Click here to register. If you can’t make the live event on April 28, 2015 at 12:00 (UTC -5:00), register anyway to get the free recorded version.

previous | next

powered by Bloget™