LOGbinder Blog

Updates, Tips and News   RSS Feed  

SuperCharger for Windows Event Forwarding and LOGbinder updates

Fri, 24 Apr 2015 15:05:59 GMT

We write this month's newsletter from the bowels of the RSA Conference 2015. We met many fans and had some great conversations with the security industry’s movers and shakers. And with Microsoft’s big announcements about Exchange and SharePoint Online, and Azure AD API, we will be releasing new products to leverage that huge technology boon for security analysts. But there’s even bigger news than that. Which brings us to…

Windows Event Forwarding you can actually use for your SIEM

In a stock SIEM, organizations with 100s or 1000s of windows systems to monitor have 2 options. They can to poll each one as frequently as possible and deal with all the security, networking and bandwidth headaches that come with that effort. If not that painful scenario, the other option is to fight with server admins to put agents on their systems and struggle to keep those agents healthy, up-to-date, and sending events.

There is another way to do it that takes all those problems and kicks them to the curb. Windows Event Forwarding (WEF) requires no agents, no in-bound connections, no polling-- you eliminate all the problems with collecting Windows Events. Instead, you just tell all those Windows systems to send the important events, leaving noise behind, over a secure and resilient channel using the Windows Event code already baked into Windows.

But, (and there’s always a “but”) Windows Event Forwarding is just a foundation technology:

  • There are many disparate components to understand. Components that all need proper configuration. If one of them is wrong, you have no indication of that fact, much less why.
  • The other pain point is that while WEF can filter the noise at the source, for the ultimate in signal-to-noise efficiency ratio, somebody has to define the filters. Filtering requires both expert knowledge of the Windows Security log and the ability to codify that knowledge to the extremely arcane language used in those filters.

So, into that maelstrom of challenges LOGbinder introduces a new product that will eliminate all the pain points associated with getting Windows event logs where they belong – the SIEM. We're calling the software LOGbinder SuperCharger for Windows Event Collection. With it, we are finally making WEF easy and manageable. WEF is gold, but very few organizations are able to leverage it. LOGbinder is going make WEF accessible to everybody-- and FREE to small businesses!

You are going to love our new product.

LOGbinder announced updates to all 3 existing products. Again. And changed their names.

Some of the LOGbinder team were at RSA Conference 2015 this week in San Francisco, California, where we distributed news of our newest software updates. There were 3 main points to the release:

  1. The big news on the update front is that LOGbinder for SQL Server 2.5 brings compatibility with SQL Server 2014 and has some new events because of this compatibility. It also adds LEEF output as an option for IBM QRadar customers.
  2. Automatic mailbox audit policy configuration is a new feature introduced to LOGbinder for Exchange 3.0. This is very big news indeed for security analysts who need to monitor Exchange servers.
  3. We changed the products' name.

Existing LOGbinder customers who have current maintenance contracts will receive these major updates at no additional cost! To get the details about the new features, including a major benefit of the new mailbox audit policy configuration tool, read our news release here.

We have made a number of improvements to our software just over the last 12 months or so, which adds tremendous value to customers who purchase a support and maintenance contract.

Cloud security audit intelligence solutions

For a long time we have noticed that organizations give up a lot of security control when going to the cloud. This week Microsoft announced they were making it possible to get security audit intelligence from their cloud applications Exchange, SharePoint and even Azure AD. This is great news for just about everybody! This is something that had to happen. We think it is very significant and will move a lot of people to move to the cloud. We have been expecting this and are already developing a suite of LOGbinder solutions to leverage this technology. LOGbinder customer will be able to keep even their cloud applications under the eye of their SIEM! Look for it before the end of 2015.

Here's the relevant text from the Microsoft release from FierceCIO

To further boost transparency, Microsoft also announced a new Management Activity API to deliver a greater level of security and compliance monitoring within Office 365. Currently in preview, the RESTful API lets enterprises gain access to more than 150 types of transactions through third-party web services or in-house apps for auditing and compliance purposes. Supported services are SharePoint Online, Exchange Online and Azure Active Directory at the moment, though Microsoft says more services will be added in the future.

No; Thank You

During the RSA Conference, it was clear that LOGbinder sits in a good place in the security intelligence market. It is a small company with a lot of very happy customers who love that we solve their problem with application security intelligence. We lost count of the people who stopped by the booth and told us, “Thank you for what you do!” It was humbling, to be honest. It made us feel good. So we want to say to you what we said to the people at the booth this week. Thank You for the support and the incentive to raise the bar for application security intelligence. We take your security seriously, and work very hard to be a part of the solution. We remain grateful for the opportunity.

Syslog TCP survey and the Public Beta Program

Fri, 20 Mar 2015 15:34:12 GMT

We need some input from you about pushing our data to SIEM via Syslog. As you know, while we support Syslog UDP forwarding (also file outputs for both Syslog CEF and Syslog LEEF), LOGbinder does not currently support Syslog TCP output.

The questions we need your help to answer are:

  • Would you use Syslog over TCP?
  • Do you currently consume any encrypted syslog feeds with your SEIM? Which variation of syslog do you use? TLS, syslog-ng? Please be as specific as possible.

The reason we ask is that to develop Syslog over TCP raises some complicated issues that we would have to get right. What we do with the output when the TCP receiver goes down? We can’t just save up the data-- for a number of security, storage and logistical reasons. So we anticipate Syslog over TCP to allow a 2nd destination address. If both destinations are down our software would have to fail.

Another issue, perhaps a more complicated one, is the encryption of the Syslog TCP transmission, since there is no “standard” for TCP broadcast encryption. LOGbinder works with any SIEM, so you can understand our dilemma. Do we support Syslog over TLS, syslog-ng or what? And how “standard” are those implementations?

To date we’ve not had a serious request to include Syslog over TCP or encryption. We've had inquiries over the years, but in each case, when it came down to it, customers much preferred Syslog file output. Syslog over TCP has been one of those things people ask us about, but seem to have no strong feelings for. Recently the number of inquiries about Syslog over TCP has increased but we can’t tell how serious they are

We'd love to hear from our readers about this. What are your thoughts about pushing our events to SIEM via Syslog over TCP? Is it necessary? What is your experience with the various flavors of Syslog via TCP encryption?

If you wish to help us out with this topic, email Queries@LOGbinder.com. Please include the following information:

  • your current SIEM or SIEMs (and planned, if different),
  • tell us if you are a current LOGbinder customer (or VAR), and which product(s),
  • what outputs are used and/or recommended (in ranking order),
  • Answer: Is Syslog over TCP output necessary, would you prefer having over current output options, (yes, no, perhaps) and if yes (or perhaps), which encryption method.
  • any other important stuff “on topic” you want us to know.

Send email to queries at LOGbinder dot com. We really appreciate the help!

Customer feedback led to an improved product (again)

We are fortunate enough to have customers who give us feedback. We use that feedback to improve the product for everybody. A case in point from last week: One of our enterprise products was missing a critical field element when reporting 2 events. Our lab testing missed it. But a customer discovered the problem using our beta version, and within 24 hours we released an update to the beta version that fixed it!

The LOGbinder software public beta program

Our beta program has historically been a private affair for select customers. We are happy to announce that we are making our newest software available for anybody who wants to participate in the LOGbinder Software Beta Program. Simply browse to our website's Resources page then click on Version History, choosing the product you wish to evaluate. A direct link is here: https://www.logbinder.com/support/history. This page provides an excellent window into the value that support and maintenance contracts add to your licensed LOGbinder software.

Webinar: “SharePoint Defense-In-Depth Monitoring: What to Watch at the App, DB and OS Level – and How?”

Many organizations have made good progress with implementing SIEMs but remain on the bottom rung of the SIEM maturity model because they are only seeing security activity at the lowest layer: the operating system and network. Most information theft takes place at the higher layers of database and application. So why are we still so blind at those levels?

SharePoint is a great example of this dilemma because it is a high-level application with a large attack surface. Bad guys can target SharePoint at 4 levels: Application, Web server, Database and Operating system level. Which levels would your SIEM alert you to right now?Which levels do you have no clue about if you are under attack right now?

In this webinar Randy Franklin Smith will:

  • explore all 4 auditing levels of SharePoint,
  • show you how to enable auditing,
  • show which events you should be monitoring, and
  • show how to get that information into your SIEM – where it belongs.

This will be great information for security analysts who need to make the case for SharePoint security. LOGbinder is proud to sponsor this webinar.

Don't miss this Real Training For Free ™ event. Click here to register. If you can’t make the live event on April 28, 2015 at 12:00 (UTC -5:00), register anyway to get the free recorded version.

LOGbinder News – February 2015

Fri, 20 Feb 2015 14:47:16 GMT

We hear from hundreds of people who don't have a SIEM. Some ask us where to start. They've heard about starting at the “risk vs. compliance” decision point. However, we think that may be a distraction, perhaps even disingenuous to people new to SIEM. Such a statement obscures a critical, core element of security information and event management that people new to the process need to know about.

SIEMs and the use-cases that drive their deployment are very complex. Their complexities often overshadow a hidden complexity until too late, when the budget is gone and the primary use-case is unresolved.

Security tools exist to secure something. SIEMs should monitor that something. What is it? Information. The OS, firewall, router tables—all that is a secondary, or perhaps even tertiary target. Organizations must secure and closely monitor information inside their applications. Therefore, any SIEM solution you propose to buy should include the middle-ware that all SIEMs need to monitor the information the bad guys want.

The last thing a CTO or CIO wants to hear, after exhausting the budget to get the SIEM running, is that the audit logs from mission critical apps like Exchange, SharePoint and SQL Server are missing from the story. At the end of the day, the most valuable bytes are the combined bytes of sensitive information stored in enterprise applications. The rest is just data.

So, if you are looking for a SIEM solution, where should you start?

Start by looking for the SIEMs that have integrations you can trust to get the application audit logs where they belong. Our suggestion: the only SIEMs to consider are the SIEMs with LOGbinder integration. Start there, and then start the evaluation process that suits your needs.

Technical features coming to Exchange auditing

Many of you may have attended or downloaded the Exchange mailbox auditing Ultimate Windows Security webinar last month. (Here's the link if you didn't.) We described how to configure Exchange auditing, and some of the complexities of the audit process. We also showed you a beta version of an upcoming LOGbinder EX 3.0 release. The update is still being tested, but thought we'd include a partial list of the new features.

  • Mailbox Audit Policy Wizard. This is the big news of the new release. For any of you that have configured Exchange Mailbox Auditing via PowerShell, you know this can be very tedious and time consuming. It no longer has to be. Using the built in Mailbox Audit Policy wizard, LOGbinder will configure audit policy on mailboxes that are members of selected groups or organizational units. You may select groups, organizational units, or both. Keep in mind it is best to use a fewer number of groups/units, since the greater number of groups/units, the longer it will take LOGbinder to examine them.
  • Mailbox Audit Policy Enforcement. Once a day, LOGbinder service will check audit policy on mailboxes that are members of selected groups or organizational units. If policy does not match, LOGbinder will set audit policy, afterward reporting on the results.
  • Recipient for audit emails. Since Exchange will send audit logs via email, it must use a mailbox as an intermediate step to audit logs processing. In the past (and currently), the address had to be the default administrator mailbox. Now with LOGbinder EX 3.0, use any email address, provided it has permissions to receive audit logs and the LOGbinder service has access to the mailbox's items.
  • Processing of new Exchange audit events. Added events 25661-25686, from Exchange service packs.
  • Adjusted formatting of events. For events that list mail items, instead of including redundant XML, extract the subject lines of each item and present as a list.

Customers with current support and maintenance contracts will receive this update at no additional cost. Which is an incredible value.

LOGbinder News – January 2015

Sat, 24 Jan 2015 10:39:35 GMT

We closed out 2014 as another record year in terms of sales and product updates, but took no time to relax. New releases are just around the corner, and some new products are also in the works. We are very excited about 2015 and look forward to delivering more powerful and important solutions to your organization.

Webinar Training: Mailbox auditing with Exchange

Management is increasingly concerned about who is accessing other people’s mailboxes – especially those belonging to key executives. Exchange provides mailbox auditing that allows you to track particular events – which is great – but there's no way to manage audit policy at the group or OU level native to Exchange. So how do you ensure auditing is enabled consistently and thoroughly on all desired mailboxes for the correct people and actions?

LOGbinder is sponsoring an Ultimate Windows Security webinar specifically to address that challenge. Randy Franklin Smith will explain how mailbox auditing works and show examples of audit reports you can get from Exchange. He will also show you how to configure audit policy with Set-Mailbox. You will also learn about different methods for ensuring audit policy configuration such as:

  • Making mailbox audit policy configuration part of the new user provisioning process
  • How to handle issues like job changes and transfers that could affect audit policy
  • How to catch inappropriate changes to mailbox audit policy
  • Running a daily script to check and configure audit policy on all mailboxes

Since LOGbinder is sponsoring this Real Training For Free® webinar, Randy will briefly show you how LOGbinder automatically manages mailbox audit policy based on rules you can define at the OU or group level as well as how LOGbinder pulls cryptic mailbox audit events from Exchange and feeds them to your SIEM for correlation with the rest of your security logs.

Register for Managing Mailbox Audit Policy in Exchange 2013. Produced by Randy Franklin Smith's Ultimate Windows Security, the live event will be on Thursday, January 29, 2015 at 12:00 PM EST (GMT -5:00). Can’t make the live event? Register anyway to get a link to the recorded version (which includes the Q&A content).

Registration link: https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=293&source=sp

LOGbinder Version History

You can now see the features added to each new version of LOGbinder. Some customers requested a version history to ensure they were running the most recent version and to make sure they fully utilized new features. You can access this information for all LOGbinder software via the Resources page, or click here to jump directly to it.

A Look Ahead

Very soon we plan to release some significant updates to our software, particularly the Exchange and SQL Server solutions. (Recall that last year’s LOGbinder SP 5.0 release was an epic one.) In addition to the new mailbox auditing feature, a new application to monitor cloud-based Exchange is near completion. SQL Server 2014 compatibility is also in development. Plus we have something exciting in development to make it easy to deploy multiple LOGbinder products.

But we also have some very cool, totally new application security software in development, to add to the Exchange, SharePoint and SQL Server applications. If you read this newsletter you may have already picked up some clues, but there is one product we hope to announce that will blow your socks off.

We plan to release all of these enhancements and offerings during 2015!

2015 Events – Which ones will you attend?

One of the things we really like doing is meeting security analysts face-to-face. We plan to attend security events this year, but haven’t decided which ones are the best. It’s surprisingly hard to find events that specifically focus on security. How do you rank the upcoming events, and which ones do you plan to attend this year? Drop Zack a line to let him know. He’d love to meet you in person!

Thank you very much for your support. We are very eager to continue working with you on application security intelligence.

December 2014 LOGbinder Newsletter: QRadar fully supports Exchange, SharePoint and SQL Server audit; Tech resources for security analysts

Fri, 19 Dec 2014 20:59:06 GMT

So far, 2014 has been a great year for application security intelligence. All the major SIEM providers offered new or additional integrations for LOGbinder. Hundreds more organizations deployed LOGbinder for their SIEM and many of them received significant features and updates from prior versions. We're thrilled with the results and hope you are too!

We are very excited to let you know that IBM Security's QRadar product team produced DSM integrations with all 3 LOGbinder products. This brings Exchange, SharePoint and SQL Server security audit logs to the QRadar-based SOC. In addition to the Device Support Module (DSM) support, LOGbinder has also received LEEF certification. The implications are huge. Now QRadar customers can consume critical security audit logs from their enterprise applications with minimal setup and configuration. LOGbinder collects, translates and delivers the audit information via LEEF-certified output. QRadar consumes that information and allows analysts to easily prioritize and present critical security correlations where, when and to whom it matters most.

To get the IBM Security QRadar DSM Configuration for Exchange, SharePoint and SQL Server, click the following links:

Curious about what SIEM solutions have solid Exchange, SharePoint and SQL Server security audit capability? More news is coming next month, but the full list is AccelOps, AlertLogic, AlienVault, Blue Lance, EventTracker, GFI EventsManager, IBM Security QRadar, HP ArcSight, LogPoint, LogRhythm, McAfee ESM (formerly Nitro), RSA Security Analytics (formerly enVision), Solarwinds LEM and Splunk.

What's coming with LOGbinder EX

Exchange audit is increasingly critical to security analysts. This means the demands on LOGbinder EX have increased too. Our development team has responded with new features, now in our labs for testing, to help security analysts dial-in on the new pain-points and remove them. Now, directly from the LOGbinder interface, security analysts can configure mailbox audit policy and autofill the PowerShell and Exchange server URL fields. These changes offer more than merely convenience. These new features allow far better mailbox “on-boarding” (and whatever the opposite of that is). And it makes it easier for security analysts to do their job; no more slow dances or hat-in-hand sessions with the Exchange admin(s).

Quick reference guide to security audit resources

This year LOGbinder sponsored Ultimate Windows Security webinars that many of you attended. Thank you! These webinar recordings still pack a punch with great information. So you will have these links in once place, we list them below. (You can still get the recordings. They're free.)

LOGbinder's core competence is application security audit technology for SIEMs. Not blog writing. But every now and then we fuse the use-case and technical know-how into a blog post. There's some good stuff there:

Thank you for your support. We'll catch up next year.

previous | next

powered by Bloget™