LOGbinder Blog

Updates, Tips and News

Technical Note: No “Send-As” audit events in Exchange Server 2013

Mon, 19 Oct 2015 12:39:04 GMT

Some customers have reported “Send-As” events missing from Exchange Server 2013. This issue occurs when the user and the mailbox are located in different Active Directory sites. Microsoft resolved this issue in the Cumulative Update 10 for Exchange 2013. See this KB article for more information about the problem and solution: https://support.microsoft.com/en-us/kb/3074823
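To confirm whether an environment is exposed to this gap, and that Send-As events are actually being recorded once CU10 is in place, the following Exchange Management Shell check can be run (added example, not part of the original note). It assumes an account permitted to read mailbox audit logs; the CU10 build number is a placeholder to be taken from the KB article, and the mailbox name is constructed.

```powershell
# Added example (not from the original post). Assumptions: run in the Exchange
# Management Shell on Exchange 2013 with rights to read mailbox audit logs.
# $MinCu10Build is a PLACEHOLDER: fill in the CU10 build number from KB3074823.
$MinCu10Build = 0   # PLACEHOLDER, e.g. the Build part of "Version 15.0 (Build xxxx.y)"

# 1. Servers still below CU10 are the ones that can drop cross-site Send-As events.
$servers = Get-ExchangeServer | Where-Object {
    $_.AdminDisplayVersion.Major -eq 15 -and $_.AdminDisplayVersion.Minor -eq 0
}
$behind = $servers | Where-Object { $_.AdminDisplayVersion.Build -lt $MinCu10Build }
$behind | Select-Object Name, Site, AdminDisplayVersion | Format-Table -AutoSize

# 2. Cross-site exposure: more than one AD site hosting Exchange 2013 means the
#    user/mailbox split described in the note is possible.
$servers | Group-Object Site | Select-Object Name, Count

# 3. Send-As is only written to the mailbox audit log when delegate auditing
#    includes it; list mailboxes where it is missing or auditing is off.
$unaudited = Get-Mailbox -ResultSize Unlimited | Where-Object {
    -not $_.AuditEnabled -or $_.AuditDelegate -notcontains 'SendAs'
}
$unaudited | Select-Object DisplayName, AuditEnabled, AuditDelegate

# Enable it where missing (review $unaudited before uncommenting this line).
# $unaudited | Set-Mailbox -AuditEnabled $true -AuditDelegate @{Add='SendAs'}

# 4. Verify events actually appear: pull SendAs delegate actions for one mailbox.
function Get-SendAsAuditEntries {
    param([Parameter(Mandatory)][string]$Mailbox, [int]$Days = 7)
    Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate -ShowDetails `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) |
        Where-Object { $_.Operation -eq 'SendAs' } |
        Select-Object LastAccessed, LogonUserDisplayName, ClientInfoString, OperationResult
}
# Constructed example mailbox name:
Get-SendAsAuditEntries -Mailbox 'shared.mailbox@example.com'
```

An empty result from step 4 after a known cross-site Send-As, on a server listed in step 1, is the symptom the note describes.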

Getting SIEM-ready for cloud and on premise security audit

Mon, 19 Oct 2015 12:37:51 GMT

This would be a good time to make sure your SIEM solution’s product team is getting ready to correlate the security audit events that will soon be available from a certain “Mobile first, cloud first” company based in Redmond, Washington USA. With the new 2016 family of on-premises products, the support window for the older versions is reduced. But more than that, the new releases and functionality are inexorably pushing organizations to the cloud.

If you thought BYOD was your troublesome dinner guest to conventional IS/IT and InfoSec, cloud-based apps will be your rebellious teenager who is the apple of his grandparents’ eye. Microsoft executives receive a lot of attention from the editors and reporters your C-suite people read, and it would seem all they can talk about are the features and benefits of their cloud-based enterprise applications. So expect internal pressure to increase. Here are some things to know:

  • LOGbinder will bridge the gap between your SIEM and the new cloud applications, and we are well along with our new product development; you will have that easy button to push when you’re ready. LOGbinder’s output will be optimized for the SIEMs that work with us on the project.
  • Your SIEM should be preparing now to do something smart with the new events and scenarios these cloud apps will script. The SIEM product development team should be talking to Randy Franklin Smith about the coming new world order in terms of recommended rules and alerts for cloud security audit.

Exchange Server 2016: “Forged in the cloud” and released for public availability

Mon, 19 Oct 2015 12:35:51 GMT

Microsoft released Exchange 2016 on October 1, 2015, announcing “enhanced security and compliance features” that relate more to document management and archiving than to security audit events; they do not appear to add events or substantially change the audit function of the application.

Our development team is actively working to deliver a version of LOGbinder for Exchange that will include compatibility with Exchange 2016.

Features of Microsoft’s latest Exchange Server release have been known for some time. However, some new features won’t be fully understood or utilized until the release of SharePoint 2016 and Office Online Server. For details from Microsoft about the current Exchange 2016 release, see “What’s new in Exchange 2016” from TechNet. Pay particular attention to the “Discontinued features” content.

LOGbinder’s formatted output is an unsung hero

Mon, 19 Oct 2015 12:35:07 GMT

Security analysts need to be confident in their audit monitoring performance. Anybody can rotate car tires, but only a professional can properly rotate and balance the wheels to improve tire performance and safety. The same is true with application audit log parsing. For most SIEM security analysts, only LOGbinder delivers the performance and stability that security and compliance policies demand.

Not all that long ago data analysts and early log management platforms were stuck with “garbage in” problems. Remember when it was problematic even to import a text file, let alone the esoteric ones with packed headers and binary fields? Headers were missing, delimiter collisions were constantly causing headaches, file parsing was a resource hog, and transport speed was something you could experience only from the bridge of the U.S.S. Enterprise NCC-1701-D. It is still a difficult process, but LOGbinder’s formatted output has made all that a distant memory for a lot of people.

Our developers put extensive thought into how to best present security audit events for SIEMs to consume. LOGbinder software presents a robust and meaningful file (or UDP stream), thoughtfully formatted for SIEM consumption. The result is speed, of course, but also stability at any processing speed.

This comes up because recently we were asked to help a customer achieve a log consumption rate of 1 GB/minute! We’re working on the challenge (and think we’ll exceed the customer requirement), but the point is that we can do it only because our carefully crafted output formats already allow for it. No “home grown” solution can come anywhere close to that value proposition.

Perhaps it is easy to undervalue just how sublime it is to have a log input option That. Just. Works.

If your stakeholder confidence is vital enough, and your organization’s reputation is important enough, only LOGbinder is strong enough to reliably feed your SIEM.

Making SIEM better by focusing on the top 3 blind spots

Mon, 21 Sep 2015 09:25:49 GMT

To be even better, your SIEM needs more intelligence without noise. Like the universe we live in, the area that must be monitored for APTs constantly expands. It is hard to focus on the significant security events when the field of view keeps getting larger.

The key to information security is that what you focus on must be worth catching. Enforcing systemic, organizational proficiency in focusing on the narrower relevant field is absolutely crucial to an organization’s security practice.

Focus on the Top 3 Blind Spots

A lot of the organizations we talk to are finding a way to address that challenge of making their SIEM better, not burdened. They do it by dedicating their primary effort to solving the SIEM’s top 3 blind spots:

  1. Applications,
  2. the cloud, and
  3. failure to monitor all the Windows endpoints

We believe in this so much it’s where we are putting all our money. Here’s how:

LOGbinder provides the market-leading solution for SIEMs to have visibility into what’s happening inside Exchange, SharePoint and SQL Server. Soon after the public availability of Exchange 2016, SharePoint 2016 and SQL Server 2016 (expected mid-2016), LOGbinder intends to release compatible updates to its core products. We already have these versions in development and are excited about their potential to help make your SIEM better. Our SIEM integrations help you isolate and monitor only what’s important.

Microsoft’s cloud-based products, especially Office 365 and Azure, are hugely attractive to organizations of all sizes. Their limitation has been a lack of audit capability, but that is soon to change. Microsoft expects to release (also mid-2016) a completely new and very good audit function for both Office 365 and Azure Active Directory. LOGbinder is poised to deliver a matching solution to put cloud-based application security intelligence where it belongs – your SIEM. We are investing significant resources with the plan to deliver the solution 30 days after public availability.

By the way (and this is important), it is going to require special effort on the part of all of us in the IT security business to pitch in and make cloud security audit and monitoring possible. LOGbinder will provide the audit data from the cloud, as well as guidance about what to watch. But… you should talk to your SIEM product development team today to make sure they are talking to LOGbinder and working on their integration for LOGbinder’s cloud-based solutions.

The 3rd problem area for SIEM security intelligence is monitoring all Windows endpoints. If you don’t know which endpoint is installing a new program...

Your SIEM is perhaps your greatest bandwidth hog as it is, so adding all that traffic from the endpoints isn’t feasible, right? But that’s not a good enough reason; nobody wants to have to explain a data breach because of it. The real reason is probably a financial one. LOGbinder has developed a solution and is devoting significant money to bring that solution to market early in 2016. We discussed it at length at the recent HP Protect conference. We call it SuperCharger for Windows Event Collection. It is software that – with no agents and no polling – uses the native Windows event forwarding and collection functionality to deliver only the relevant security events to the SIEM from all the Windows endpoints, with no noise! It’s really cool and we’re super-excited. So are our SIEM partners who’ve taken the time to talk to us about it.

We are very excited about the opportunities now (and soon to be) available for SIEM security analysts. Putting meaningful security event logs in the SIEM where they belong is our passion.

LOGbinder is committed to making your SIEM even more powerful by feeding it more intelligence without the noise.

Note: The statements in this post about our new product delivery dates are “forward-looking”. We can’t predict the future with certainty. Our plans are presented here, and we expect to be able to make those plans a reality. But like all future plans, they are vulnerable to unanticipated events.
