LOGbinder Blog

Updates, Tips and News

LOGbinder News – February 2015

Fri, 20 Feb 2015 14:47:16 GMT

We hear from hundreds of people who don't have a SIEM. Some ask us where to start. They've heard that the first decision is "risk vs. compliance". We think that framing is a distraction, perhaps even disingenuous toward people new to SIEM, because it obscures a core element of security information and event management that newcomers need to know about.

SIEMs and the use-cases that drive their deployment are complex, and that complexity tends to hide a further one until it is too late: the budget is gone and the primary use-case is still unresolved.

Security tools exist to secure something, and a SIEM should monitor that something. What is it? Information. The OS, firewall and router tables are secondary, perhaps even tertiary, targets. Organizations must secure and closely monitor the information inside their applications. Therefore, any SIEM solution you propose to buy should include the middleware every SIEM needs in order to monitor the information the bad guys actually want.

The last thing a CTO or CIO wants to hear, after exhausting the budget to get the SIEM running, is that the audit logs from mission-critical apps like Exchange, SharePoint and SQL Server are missing from the story. At the end of the day, the most valuable bytes are the sensitive information stored in enterprise applications. The rest is just data.

So, if you are looking for a SIEM solution, where should you start?

Start by looking for SIEMs with integrations you can trust to get the application audit logs where they belong. Our suggestion: the only SIEMs to consider are those with LOGbinder integration. Start there, then run the evaluation process that suits your needs.

Technical features coming to Exchange auditing

Many of you attended or downloaded last month's Ultimate Windows Security webinar on Exchange mailbox auditing. (Here's the link if you didn't.) We described how to configure Exchange auditing and some of the complexities of the audit process, and we showed a beta version of the upcoming LOGbinder EX 3.0 release. The update is still being tested, but we thought we'd include a partial list of the new features.

  • Mailbox Audit Policy Wizard. This is the big news of the new release. Anyone who has configured Exchange mailbox auditing via PowerShell knows how tedious and time-consuming it can be. It no longer has to be. Using the built-in Mailbox Audit Policy wizard, LOGbinder will configure audit policy on mailboxes that are members of selected groups or organizational units. You may select groups, organizational units, or both. Keep in mind that fewer groups/units is better: the more groups/units you select, the longer LOGbinder takes to examine them.
  • Mailbox Audit Policy Enforcement. Once a day, the LOGbinder service will check audit policy on mailboxes that are members of the selected groups or organizational units. If the policy does not match, LOGbinder will set it and then report on the results.
  • Recipient for audit emails. Because Exchange delivers mailbox audit log searches by email, a mailbox must serve as the intermediate step in audit log processing. Previously (and in the current release) that address had to be the default administrator mailbox. With LOGbinder EX 3.0 you can use any email address, provided it has permission to receive audit logs and the LOGbinder service has access to the mailbox's items.
  • Processing of new Exchange audit events. Events 25661-25686, introduced by Exchange service packs, are now processed.
  • Adjusted formatting of events. For events that list mail items, the subject line of each item is extracted and presented as a list instead of the redundant XML.

Customers with current support and maintenance contracts will receive this update at no additional cost, which is an incredible value.

LOGbinder News – January 2015

Sat, 24 Jan 2015 10:39:35 GMT

We closed out 2014 as another record year in terms of sales and product updates, but took no time to relax. New releases are just around the corner, and some new products are also in the works. We are very excited about 2015 and look forward to delivering more powerful and important solutions to your organization.

Webinar Training: Mailbox auditing with Exchange

Management is increasingly concerned about who is accessing other people's mailboxes, especially those belonging to key executives. Exchange provides mailbox auditing that lets you track particular events, which is great, but Exchange has no native way to manage audit policy at the group or OU level; audit policy is set one mailbox at a time. So how do you ensure auditing is enabled consistently and thoroughly on all desired mailboxes, for the correct people and actions?

LOGbinder is sponsoring an Ultimate Windows Security webinar specifically to address that challenge. Randy Franklin Smith will explain how mailbox auditing works and show examples of the audit reports you can get from Exchange. He will also show how to configure audit policy with Set-Mailbox. You will learn about different methods of ensuring audit policy stays configured, such as:

  • Making mailbox audit policy configuration part of the new user provisioning process
  • How to handle issues like job changes and transfers that could affect audit policy
  • How to catch inappropriate changes to mailbox audit policy
  • Running a daily script to check and configure audit policy on all mailboxes
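The last two items above can be implemented with the same Set-Mailbox cmdlet the webinar covers. The script below is an added example, not LOGbinder's code or the webinar's material: it enforces a mailbox audit baseline on every mailbox in one group, reports drift, and then lists who changed mailbox audit settings recently. The group name, the baseline values and the one-day lookback are assumptions to adjust for your environment; the cmdlets it uses (Get-DistributionGroupMember, Get-Mailbox, Set-Mailbox, Search-AdminAuditLog) run in the Exchange Management Shell.

```powershell
# Added example, not LOGbinder's code or the webinar's script. Run from the Exchange
# Management Shell. Group name, baseline values and lookback window are hypothetical.

$TargetGroup = 'Executives'   # hypothetical mail-enabled group of high-value mailboxes

# Desired audit policy. Owner auditing is the noisy one, so keep it to actions you will
# actually alert on. AuditLogAgeLimit is how long Exchange keeps audit entries in the
# mailbox (default 90 days). MailboxLogin as an owner action requires Exchange 2013.
$Baseline = @{
    AuditEnabled     = $true
    AuditLogAgeLimit = '180.00:00:00'
    AuditAdmin       = 'Update','Move','MoveToDeletedItems','SoftDelete','HardDelete',
                       'FolderBind','SendAs','SendOnBehalf','MessageBind','Create','Copy'
    AuditDelegate    = 'Update','Move','MoveToDeletedItems','SoftDelete','HardDelete',
                       'FolderBind','SendAs','SendOnBehalf','Create'
    AuditOwner       = 'MailboxLogin','HardDelete','SoftDelete','Move','MoveToDeletedItems','Update'
}

# Canonical string form of a multi-valued audit setting so two lists compare equal
# regardless of order (Compare-Object rejects empty arrays, so join instead).
function Get-AuditSetString {
    param($Values)
    return (@($Values | ForEach-Object { "$_" } | Sort-Object) -join ',')
}

# Returns the names of the settings on which a mailbox deviates from the baseline.
function Test-MailboxAuditBaseline {
    param([Parameter(Mandatory)]$Mailbox)
    $drift = @()
    if ($Mailbox.AuditEnabled -ne $Baseline.AuditEnabled) { $drift += 'AuditEnabled' }
    if ("$($Mailbox.AuditLogAgeLimit)" -ne $Baseline.AuditLogAgeLimit) { $drift += 'AuditLogAgeLimit' }
    foreach ($scope in 'AuditAdmin','AuditDelegate','AuditOwner') {
        if ((Get-AuditSetString $Mailbox.$scope) -ne (Get-AuditSetString $Baseline[$scope])) {
            $drift += $scope
        }
    }
    return ,$drift   # the comma keeps an empty result as an array rather than $null
}

# Resolve group members to mailboxes. Get-DistributionGroupMember covers distribution and
# mail-enabled security groups; for a plain AD group use Get-ADGroupMember, for an OU use
# Get-Mailbox -OrganizationalUnit. Members without a mailbox (contacts) are skipped.
$mailboxes = Get-DistributionGroupMember -Identity $TargetGroup -ResultSize Unlimited |
    ForEach-Object { Get-Mailbox -Identity $_.PrimarySmtpAddress.ToString() -ErrorAction SilentlyContinue }

$report = foreach ($mbx in $mailboxes) {
    $drift = Test-MailboxAuditBaseline $mbx
    if ($drift.Count -gt 0) {
        # Re-apply the whole baseline rather than patching one setting, so the outcome is
        # the same no matter what was changed.
        Set-Mailbox -Identity $mbx.Identity -AuditEnabled $Baseline.AuditEnabled `
            -AuditLogAgeLimit $Baseline.AuditLogAgeLimit -AuditAdmin $Baseline.AuditAdmin `
            -AuditDelegate $Baseline.AuditDelegate -AuditOwner $Baseline.AuditOwner
    }
    [pscustomobject]@{
        Mailbox    = $mbx.PrimarySmtpAddress
        Drift      = ($drift -join ', ')
        Remediated = ($drift.Count -gt 0)
    }
}
$report | Format-Table -AutoSize

# Who changed mailbox audit policy in the last day? Every Set-Mailbox call is recorded in
# the admin audit log; filtering on the audit parameters isolates policy changes. Any
# Caller other than the account this script runs as is an out-of-band change to review.
Search-AdminAuditLog -Cmdlets Set-Mailbox `
    -Parameters AuditEnabled,AuditAdmin,AuditDelegate,AuditOwner,AuditLogAgeLimit `
    -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, ObjectModified,
        @{ Name = 'Parameters'; Expression = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } } |
    Format-Table -AutoSize
```

Schedule the script daily under a dedicated service account. Because the enforcement pass re-applies the baseline, a mailbox that was quietly switched off shows up both as drift in the report and as a Set-Mailbox entry with a foreign Caller in the admin audit log search.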

Since LOGbinder is sponsoring this Real Training For Free® webinar, Randy will briefly show you how LOGbinder automatically manages mailbox audit policy based on rules you can define at the OU or group level as well as how LOGbinder pulls cryptic mailbox audit events from Exchange and feeds them to your SIEM for correlation with the rest of your security logs.

Register for Managing Mailbox Audit Policy in Exchange 2013. Produced by Randy Franklin Smith's Ultimate Windows Security, the live event will be on Thursday, January 29, 2015 at 12:00 PM EST (GMT -5:00). Can’t make the live event? Register anyway to get a link to the recorded version (which includes the Q&A content).

Registration link: https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=293&source=sp

LOGbinder Version History

You can now see the features added to each new version of LOGbinder. Some customers requested a version history to ensure they were running the most recent version and to make sure they fully utilized new features. You can access this information for all LOGbinder software via the Resources page, or click here to jump directly to it.

A Look Ahead

Very soon we plan to release significant updates to our software, particularly the Exchange and SQL Server solutions. (Recall that last year's LOGbinder SP 5.0 release was an epic one.) In addition to the new mailbox auditing feature, a new application to monitor cloud-based Exchange is near completion, and SQL Server 2014 compatibility is in development. We also have something in the works to make it easy to deploy multiple LOGbinder products.

But we also have some very cool, totally new application security software in development, to add to the Exchange, SharePoint and SQL Server applications. If you read this newsletter you may have already picked up some clues, but there is one product we hope to announce that will blow your socks off.

We plan to release all of these enhancements and offerings during 2015!

2015 Events – Which ones will you attend?

One of the things we really like doing is meeting security analysts face-to-face. We plan to attend security events this year but haven't decided which ones are best. It's surprisingly hard to find events that specifically focus on security. How do you rank the upcoming events, and which ones do you plan to attend this year? Drop Zack a line to let him know. He'd love to meet you in person!

Thank you very much for your support. We are very eager to continue working with you on application security intelligence.

December 2014 LOGbinder Newsletter: QRadar fully supports Exchange, SharePoint and SQL Server audit; Tech resources for security analysts

Fri, 19 Dec 2014 20:59:06 GMT

So far, 2014 has been a great year for application security intelligence. All the major SIEM providers offered new or additional integrations for LOGbinder. Hundreds more organizations deployed LOGbinder for their SIEM and many of them received significant features and updates from prior versions. We're thrilled with the results and hope you are too!

We are very excited to let you know that IBM Security's QRadar product team has produced DSM integrations for all three LOGbinder products. This brings Exchange, SharePoint and SQL Server security audit logs to the QRadar-based SOC. In addition to the Device Support Module (DSM) support, LOGbinder has also received LEEF certification. The implications are huge: QRadar customers can now consume critical security audit logs from their enterprise applications with minimal setup and configuration. LOGbinder collects, translates and delivers the audit information via LEEF-certified output; QRadar consumes that information and lets analysts prioritize and present critical security correlations where, when and to whom it matters most.

To get the IBM Security QRadar DSM Configuration for Exchange, SharePoint and SQL Server, click the following links:

Curious about what SIEM solutions have solid Exchange, SharePoint and SQL Server security audit capability? More news is coming next month, but the full list is AccelOps, AlertLogic, AlienVault, Blue Lance, EventTracker, GFI EventsManager, IBM Security QRadar, HP ArcSight, LogPoint, LogRhythm, McAfee ESM (formerly Nitro), RSA Security Analytics (formerly enVision), Solarwinds LEM and Splunk.

What's coming with LOGbinder EX

Exchange audit is increasingly critical to security analysts, which means the demands on LOGbinder EX have increased too. Our development team has responded with new features, now in our labs for testing, that target the new pain points. Directly from the LOGbinder interface, security analysts can now configure mailbox audit policy, and the PowerShell and Exchange server URL fields are autofilled. These changes offer more than convenience: they make mailbox "on-boarding" (and its opposite) far better, and they let security analysts do their job without slow dances or hat-in-hand sessions with the Exchange admin(s).

Quick reference guide to security audit resources

This year LOGbinder sponsored Ultimate Windows Security webinars that many of you attended. Thank you! These webinar recordings still pack a punch with great information. So that you have these links in one place, we list them below. (You can still get the recordings. They're free.)

LOGbinder's core competence is application security audit technology for SIEMs, not blog writing. But every now and then we fuse the use-case and technical know-how into a blog post. There's some good stuff there:

Thank you for your support. We'll catch up next year.

November 2014 LOGbinder Newsletter: Windows Event Collection and your SIEM; 2 Tech Tips for security analysts

Mon, 24 Nov 2014 19:34:00 GMT

Is Windows Event Collection a problem for you? We hear (a lot) that organizations struggle with collecting Windows events. It's not that their SIEM struggles; rather, there is a gap in the technology for delivering Windows Event Collection (WEC) data from hundreds or thousands of machines to the SIEM at sufficient speed.

We like to solve problems yet to be solved, and therefore would love to hear from you about your experience with WEC. Would it help you to have a LOGbinder for Windows that could deliver relevant security events to your SIEM? If so, what SIEM do you use?

This issue strikes at the very heart of our core belief that important security event information should be in the SIEM. We love SIEMs and we love solving the little problems so the SIEMs and their security analysts can pay attention to the big stuff.

What your SIEM doesn't know about endpoints can kill you. If your SIEM (or your security analysts) does not get the security event information from all the Windows machines in the organization in a timely manner, whether they are remotely connected or not, and that's a big problem for you, please tell us. If it's not a problem, please tell us that too, and which SIEM you use. We'll share the results with our audience.

This brings us to another topic related to what SIEMs do (and don’t do).

It's not your SIEM's fault that it can't consume audit logs from Exchange, SharePoint, SQL Server or even SAP via normal collection means. No SIEM can do this. People sometimes forget that a SIEM's job is to provide the analysis tools; it is not the SIEM's job to change hats and write ad hoc code for every application's audit log framework. For that you need the insight and best effort of a subject matter expert focused on getting the information into the SIEM, which is exactly where LOGbinder came from.

Tech Tip: Manage the audit performance by tweaking the amount of excess information attached to the audit

One of the new features of LOGbinder SP 5.0 is the ability to dial back internal processing to tune audit performance. LOGbinder SP lets you control how many lookups it performs to obtain additional information while translating raw audit events into easy-to-understand audit entries, for example resolving a user ID to a user name or an object GUID to the object's actual name. Fewer lookups means faster processing but less context in each entry, so choose the setting against the volume you expect. Our recommendations are in the LOGbinder SP Getting Started Guide; see pages 8 and 9 for details.

It’s Renewal Time

For many of you, this month is the month to renew your support and maintenance contract. There are good reasons for doing so. For one thing, you fix your support costs and get help immediately. For another, you get software updates at no additional cost. This year has seen major updates to LOGbinder software and we're not done yet. We expect to release automatic mailbox audit policy management for Exchange from within the LOGbinder EX application! This is a huge advance, not just for LOGbinder EX but for Exchange auditing in general, and customers who are current with their support and maintenance contract get it for no additional money.

Where to find information about LOGbinder events

Every month we answer about 150,000 questions about events. But where do you go if you have a specific question about an event reported by LOGbinder? Some of our SIEM Synergy partners have collaborated with us to provide a hyperlink within their application that takes you directly to the relevant event ID page. So when you see an event you wish to research, clicking the hyperlinked Event ID takes you straight to the details page in Ultimate Windows Security's Online Encyclopedia.

But what if your SIEM doesn’t have a hyperlink to the right page? You can still get the information by browsing to UltimateWindowsSecurity.com and clicking on Security, then Encyclopedia. (https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx) Once there, select the source of the event (All Sources, Windows Audit, SharePoint Audit, SQL Server Audit or Exchange Audit). If you want to narrow the list use the drop-down box on the right, else browse the list of events and click on the appropriate one to get the full details. We list the events in numerical order, so they’re easy to find. (By the way, when you get a chance, send a note to your SIEM’s product manager to ask them to finish their integration so you can save yourself the trouble next time when you need the event information.)

If you still can't find your answer there, click the blue "Ask a question about this event" button and post your question in the Ultimate Windows Security forum. LOGbinder now sponsors an Exchange, SQL Server and SharePoint forum there, and you can expect a quick response from one of our technical engineers.

Tech Tip: How to find the status of Exchange Server 2013 audit log requests

Exchange Server's audit log search is asynchronous: you request a search and the results arrive later, by email. That makes sense for Exchange, but it gives heartburn to security analysts who have to "wait in faith" for the results. The good news is that you can see the status of those audit requests via a PowerShell cmdlet; the bad news is that only Exchange 2013 supports it. In Exchange 2013, you can retrieve a list of current audit log searches with the Get-AuditLogSearch cmdlet.
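As an added example (not LOGbinder's code), here is how the asynchronous request and the status check fit together, with the synchronous alternative beside them. The mailbox, the recipient address and the date range are hypothetical; the cmdlets are run from the Exchange Management Shell on Exchange 2013.

```powershell
# Added example, not LOGbinder's code. Queue an asynchronous mailbox audit log search,
# then check whether it is still pending. Mailbox, recipient and dates are hypothetical.

# The search runs in the background on the Mailbox server; the result is delivered as an
# XML attachment to StatusMailRecipients, not returned here.
New-MailboxAuditLogSearch -Name 'CEO mailbox access, last 7 days' `
    -Mailboxes 'ceo@lb.example' `
    -LogonTypes Admin,Delegate `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -ShowDetails `
    -StatusMailRecipients 'security-audit@lb.example'

# Exchange 2013: list the audit log searches that are still queued or running. A search
# that has finished drops off this list, so check the status mailbox for the attachment.
Get-AuditLogSearch -Type Mailbox |
    Sort-Object CreationTime -Descending |
    Select-Object Name, Identity, CreationTime, StartDateUtc, EndDateUtc, StatusMailRecipients, Mailboxes |
    Format-Table -AutoSize

# When you need the answer now rather than by mail, the synchronous cmdlet returns the
# entries directly (capped by -ResultSize, default 250). This is the call a collector
# polls on a schedule to feed the SIEM.
Search-MailboxAuditLog -Identity 'ceo@lb.example' -LogonTypes Admin,Delegate `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ShowDetails -ResultSize 1000 |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation, OperationResult,
                  FolderPathName, ItemSubject, ClientIPAddress |
    Format-Table -AutoSize
```

Note the asymmetry: the asynchronous search is the only way to cover many mailboxes in one request, while Search-MailboxAuditLog is per mailbox but returns entries you can act on immediately.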

For more tips on application security intelligence, be sure to watch our blog updates at www.logbinder.com/Blog and sign up for the Real Training for Free™ webinars at Ultimate Windows Security’s web site.

October 2014 LOGbinder Newsletter: Feedback Makes Customer Happy; New SIEM integrations

Thu, 30 Oct 2014 11:04:20 GMT

Remember when we said that we loved feedback and wanted to hear from you about the pain points? Here's an example of what we try to do when you send us that feedback. We got a call from a LOGbinder SQL customer with a production environment problem that didn't show up during his evaluation in a test environment. While diagnosing the problem (it turned out to be a GPO issue at the customer's location) we saw that the input window was too narrow to display the long file name in full, which was a major pain. Our development team made the correction to the source code and we got the new bits to the customer that same day! The customer was happy, and the developers got the satisfaction of delivering a solution that made a real difference.

So please keep that feedback coming. We sweat even the small stuff if it helps you get application security intelligence where you need it – your SIEM.

People who speak our language

LOGbinder has some great value-added resellers who speak our language. They totally get that your SIEM needs to have application security intelligence. And many of them are translating LOGbinder sales material into languages other than English.

If you or a colleague prefer German for example, click Innovative SIEM-Integration von Microsoft-Daten to get what our VAR in Germany, iT-CUBE has put together. It's great!

IT Guard has also translated our sales materials into Russian to get the word out in that country. They have done a great job with their web site.

If you like your English with an Australian accent, you can't do better than talk applications security intelligence with the SIEM experts at Shelde. In fact, you North American and European readers, when you can't sleep for thinking about a SIEM issue, chances are the Shelde guys down under are just starting their day and would love to help.

Our sales team is working to form partnerships with smart security consultants and resellers all over the globe. Do you have a firm you like to work with that we should know? Tell us.

Tech Tip: Why i:0#.w| in front of user names in LOGbinder SP?

The other day someone asked why LOGbinder SP puts the characters "i:0#.w|" in front of user names. For example, instead of "LB\capt.kirk" as the user name, it shows "i:0#.w|LB\capt.kirk".

LOGbinder does not add this; it comes from SharePoint. This is how SharePoint 2010 and SharePoint 2013 encode claims identities: the prefix records the claim type, the value type and the issuer that authenticated the user. In "i:0#.w|", the leading "i" marks an identity claim, "#" says the value is a user logon name, the "." says it is a string, and "w" says it was issued by Windows authentication; a forms-authenticated user appears as "i:0#.f|<provider>|<name>" instead. Here is an article on what it means: http://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-2013-claims-encoding-also-valuable-for-sharepoint-2010.aspx
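When correlating SharePoint audit entries with Windows Security log events in a SIEM, the prefix has to be stripped and, ideally, kept as context (a forms user and a Windows user with the same name are not the same principal). The following decoder is an added example, not LOGbinder's or SharePoint's code; the code-to-claim-type tables cover only the commonly seen entries, the sample names are constructed, and the full table is in the TechNet article linked above.

```powershell
# Added example, not LOGbinder's or SharePoint's code. Decodes a SharePoint 2010/2013
# claims-encoded login name as it appears in LOGbinder SP output.
# Layout: <i|c>:0<ClaimType><ValueType><Issuer>|[<ProviderName>|]<Value>
# The tables below are the commonly seen subset; see the linked TechNet article for all.

$ClaimTypeCodes = @{
    '!' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider'
    '#' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'
    '+' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
    '-' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
    '5' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
    'e' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
}
$IssuerCodes = @{
    'w' = 'Windows'; 'f' = 'Forms'; 't' = 'TrustedProvider'; 's' = 'SharePoint'
    'm' = 'Membership'; 'r' = 'Role'; 'p' = 'ClaimProvider'
}

function ConvertFrom-SPClaimsEncoding {
    param([Parameter(Mandatory)][string]$EncodedName)

    # Classic-mode (non-claims) names carry no prefix and are returned unchanged.
    if (-not ($EncodedName -match '^([ic]):0(.)(.)([a-z])\|(.*)$')) {
        return [pscustomobject]@{ Raw = $EncodedName; ClaimsEncoded = $false; Account = $EncodedName }
    }
    $kind          = $Matches[1]
    $typeCode      = $Matches[2]
    $valueTypeCode = $Matches[3]
    $issuerCode    = $Matches[4]
    $rest          = $Matches[5]

    # Windows and SharePoint issuers carry no provider-name segment; forms, trusted
    # providers and custom claim providers do, e.g. i:0#.f|membership|spock.
    $provider = $null
    $value    = $rest
    if ($issuerCode -ne 'w' -and $issuerCode -ne 's') {
        $provider, $value = $rest -split '\|', 2
    }

    $claimType = if ($ClaimTypeCodes.ContainsKey($typeCode)) { $ClaimTypeCodes[$typeCode] } else { "unmapped code '$typeCode'" }
    $issuer    = if ($IssuerCodes.ContainsKey($issuerCode)) { $IssuerCodes[$issuerCode] } else { "unmapped code '$issuerCode'" }
    $valueType = if ($valueTypeCode -eq '.') { 'string' } else { "unmapped code '$valueTypeCode'" }

    [pscustomobject]@{
        Raw           = $EncodedName
        ClaimsEncoded = $true
        IsIdentity    = ($kind -eq 'i')   # 'i' = identity claim, 'c' = any other claim (e.g. a group)
        ClaimType     = $claimType
        ValueType     = $valueType
        Issuer        = $issuer
        Provider      = $provider
        Account       = $value            # the value to match against the Windows event's account field
    }
}

# Constructed sample names in the shape LOGbinder SP reports them (not real audit data).
$samples = @(
    'i:0#.w|LB\capt.kirk',                 # Windows user (NTLM/Kerberos), the case in the question
    'i:0#.f|membership|spock',             # forms-based authentication user
    'i:05.t|adfs|uhura@lb.example',        # SAML user from a trusted provider, UPN claim
    'c:0+.w|S-1-5-21-111-222-333-1105',    # Windows group SID, a non-identity claim
    'LB\scotty'                            # classic-mode name, passed through unchanged
)
$samples | ForEach-Object { ConvertFrom-SPClaimsEncoding $_ } |
    Format-Table Raw, IsIdentity, Issuer, Provider, Account -AutoSize
```

For the first sample the Account field is "LB\capt.kirk", which matches the Domain\Account form in a Windows logon event, while Issuer tells the analyst it was a Windows-authenticated session rather than a forms or federated one.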

New SIEM integrations are publicly available

Many SIEM product developers have recently told us about new integrations for LOGbinder solutions. We'll tell everybody about these developments as soon as the documentation is complete. In the meantime, here are the highlights of what's new:
  • Logpoint has fully integrated all 3 of the LOGbinder products.
  • LogRhythm has completed its 2nd LOGbinder integration, the one for LOGbinder EX, and is working on the LOGbinder SQL integration.
  • McAfee ESM now fully supports all three LOGbinder products.
  • IBM's QRadar product team approved our LEEF implementation (see note below). QRadar now has integrations for LOGbinder SP and LOGbinder EX and is working on an integration for LOGbinder SQL.
  • Solarwinds has also completed its 2nd LOGbinder integration, for LOGbinder EX, and plans to work on the LOGbinder SQL integration.
  • Our Splunk app for LOGbinder is in beta testing. Let us know if you want to kick the tires.
Note: All 3 LOGbinder products now in beta have LEEF output options. We expect to release these new versions publicly within the next 2 weeks.

Of course, LOGbinder works with any SIEM, and we have Recommended Rules and Alerts for all our products to help users when no custom integration exists for their SIEM. (Click here to get them.)

Options for SQL Server auditing

We know this is a huge topic. We sponsored an Ultimate Windows Security webinar about SQL Server auditing on October 16 that had one of the biggest registration and attendance counts of the year. Apparently more and more people are focusing on getting SQL Server audit done right. If you missed the webinar, you can still get the information. If you or someone you know needs to get up to speed on SQL Server audit, click here to get the recorded version. The recording captures all of the good questions and answers.

Don't forget to check out our blog post comparing SQL Trace to SQL Audit. It's great info.

Did we say that the Splunk app is ready for beta testing?

The new Splunk app for LOGbinder is available if you want to try it out. We'd love to hear some feedback from more beta testers.
