The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for February, 2012

Transitioning from TSOM to QRadar – Terminology

Posted by Xavier Ashe on February 21, 2012

I am getting close to my first draft of the Tivoli Security Operations Manager (TSOM) to QRadar transition Redpaper. Here’s a peek at one useful chart, Transition Terminology. Feedback is appreciated!

| Tivoli Security Operations Manager | QRadar |
|---|---|
| Action (rules) | Response |
| Audit (internal audit) | Audit |
| Atomic Threat Score | Magnitude |
| Auto Configuration (EAM) | Auto Discovery |
| Central Management Server (CMS) | Console |
| Condition (rules) | Condition |
| Conduit | Protocol |
| Correlation Engine | Magistrate |
| Device Rules | Device Support Module |
| Event Aggregation Module | Event Processor and Event Collector |
| Event Class | Category (low-level and high-level) |
| Event Console | No term, but it's the default view once you click the Log Activity tab |
| Event Element (rules) | Event Property |
| Event Filter (EAM) | Routing Rule |
| Event Filter (PowerGrid, Event Viewer) | Search, Saved Search |
| Event Filter (Event Class) | Classification is handled automatically |
| Event Filter (Rules) | Rule Test |
| Event Rate | Events per Second (EPS) |
| Event Severity | Severity |
| Event Type | Event Name |
| Firewall Blocking (OPSEC) | Trusted Networking Computing (TNC) and Interface For Metadata Access Points (IF-MAP) |
| Geoserver | Geographic Networks |
| Group (user) | No equivalent |
| Host | Asset |
| Host Asset Weight | Asset Weight |
| Host Criticality Weight | Asset Weight |
| Host Investigation Tool | Right Click Menu |
| Host Query (rule condition) | Host Profile Tests |
| Keystore | No equivalent, automatically managed |
| Knowledge Base | Offense Notes |
| Location | Location |
| Master Netblock | No equivalent |
| Meta-event | Dispatch New Event |
| Netblock | Network (Network Hierarchy or Remote Network) |
| Netblock Asset Weight | Network Weight |
| Netblock Source Threat | Network Weight |
| Password Policy | No equivalent |
| PowerGrid | No term, but you view events in the Log Activity tab. Once you group log data using the Display list box, the log view operates similarly to the PowerGrid |
| Reports | Reports |
| Role (user) | Role |
| Security Content (import script) | Content comes preloaded and is updated via Automatic Update |
| Security Domain | Network Hierarchy |
| Sensor | Log Source |
| Sensor Class | Log Source Group |
| Sensor Type | Log Source Type |
| Simple Condition (rule) | Rule Test |
| State Action (complex state) | Handled automatically when you create a Function Test |
| State Condition (complex) | Function – Sequence Test |
| State Condition (simple) | Function – Counter Test |
| State Table | Handled automatically when you create a Function Test |
| Stateful Action | Handled automatically when you create a Function Test |
| Stateful Rules | Rules |
| System Configuration | System Configuration |
| System Status | System Monitoring Dashboard |
| Threat Correlation (statistical correlation) | No term, but the Magnitude is calculated in a similar manner to the Threat Score |
| Threat Parameter | No equivalent – handled automatically |
| Ticket | Offense |
| Token | No equivalent |
| Top Sources and Top Destinations | Can be viewed in the Log Activity tab |
| Universal Collection Agent | Adaptive Log Exporter and tail2syslog script |
| User Account | User Account |
| Vulnerability | Vulnerability |
| Vulnerability Import | Vulnerability Assessment |
| Watchlist | Reference Set |

Posted in QRadar, TSOM

One day in Taipei

Posted by Xavier Ashe on February 12, 2012

Taipei 101

I am on a business trip in Taipei, Taiwan this week. It’s a TSOM/TSIEM deployment that I’ve been looking forward to for several months. I arrived late Saturday night, so I had one day to get in all the sightseeing I could. It’s the best way for me to get acclimated to the 13 hour change. If I stay in the hotel, I’m bound to fall asleep way too early. Here’s where I went today. If you are reading this to reproduce my itinerary, be forewarned – I like to walk. A lot. That last message came from my feet, who are not very happy with me right now.

The main tuned mass damper atop Taipei 101

I started the day from the Taipei City Hall MRT station and took a leisurely walk through the business district. I finally got to my first destination, Taipei 101, the world’s tallest building with the world’s fastest elevator. Okay, it WAS the tallest building in the world from 2004-2010. Those upstarts in Dubai had to outdo them. It’s still the world’s largest sundial. And it has the world’s largest tuned mass damper sphere. What’s that, you say? It’s a big freakin ball that hangs in the middle of the building at the top, and it keeps the building from swaying too much. In fact, I never felt it sway. Unlike the Westin in Atlanta. There’s lots for a geek to fall in love with at Taipei 101. There’s a lot of technology and a lot of meaning in every aspect of the building (example: it has 8 segments of 8 floors).

On the Maokong Gondola

After that, I took a long walk to the Liuzhangli MRT station to do some urban exploring. I took the Wenhu Line to the end to ride the Maokong Gondola. I decided to wait in line for the “Crystal Cabins”, also called “Eyes of Maokong Gondola”, a plexiglass-bottomed gondola. It was a great trip and the sights were as good as atop Taipei 101. I am a sucker for mountains, and these were quite nice. The gondolas go up and over several hills and traverse some steep valleys. At points the winds were really scary, but I made it up to Maokong Station safe and sound.

The "Tea House"

Now that I was safely up the mountain, I started to wander. I was heading in the direction of the Taipei Tea Promotion Center, but didn’t make it that far. I stopped off at a random tea house (this area is known as the Tea Gardens) called …wait for it… Tea House (they don’t have an English site, but they are at www.ample.com.tw). It was a very nice place and I was thankful that they had a teenager on staff who spoke very good English and taught me how to make traditional tea. I had tea oil chicken (it sounded like the thing you eat in the Tea Gardens) and Oolong Four Seasons Tea, which was like a more flavorful green tea. I sat a while enjoying the quiet of the mountainside, listening to strange, but calming, bird calls.

Playing the saw in Taipei

With my unused tea in hand and a fresh water bottle, I hiked back to the Gondola station and then back to the Taipei Zoo MRT station. I went to the Zhongxiao-Fuxing station to check out SOGO. It didn’t seem too different from an American mall, so I quickly left. Next stop was the Longshan Temple MRT station, and you guessed it, the Longshan Temple. As I walked to the temple, I walked through No. 12 Park. It was where all the men were. The park was jam packed with old Taiwanese men playing what looked like Xiangqi, but I wasn’t sure. It was a very interesting find, even more so when I found a street performer playing the saw. That’s some good stuff right there. I think she’s ready to move to the Appalachian Mountains.

The Mengjia Longshan Temple

I crossed the street and entered the Longshan Temple. It was very crowded, which made it surreal and spiritual. I walked around and took in the sounds of the chanting, the smell of the incense, and the dedication of the followers. There is something moving about watching a religious practice you know absolutely nothing about, beyond my 3rd grade teachings of “weird religions you’ll never see in the south”. They had very elaborate paper creatures, some of which were hung up so as to let people pray underneath them. Besides healing my spirit, I also let my feet take a rest, but not for long.

Bopiliao Historic Block

I had a pretty basic tourist map that indicated that other neat things were near. So I just picked a direction that kinda pointed me the right way. I didn’t find any of the things on my map. I did however find the Bopiliao Historic Block. It’s a couple of well-preserved and renovated streets and traditional shop homes from the Qing Dynasty (the last dynasty before the Republic of China was created). It was a great discovery and I was taken by how “modern” it looked. Seems like the architecture here inspired architects back home.

Ximen Square - looks familiar, eh?

It was getting late in the day and I decided to call it quits. I plotted a roundabout way of getting to the Ximen MRT Station. I came across The Red House, which had a small bazaar around it. I browsed a bit, then tried again to get to the Ximen MRT Station. I got there, decided to take a break, and started people watching. Then I noticed something (see the picture to the left). This was Taipei’s Times Square. I sat for long enough to watch some crazy woman go ape shit on her man and to watch the crowds gather. It was time for the famed “Night Markets” of Taipei. I gathered up enough strength to do some more walking. The energy was high. There were street performers (really good ones – no saw playing), magicians, food vendors (I picked up two different types of unknown fruit), caricature artists, silhouette artists, and TONS of people. After getting nice and lost, I gave in and looked at Google Maps on my phone, only to realize that I was one block away from the MRT station.

Here’s a few things I observed today:

  • Man purses are IN. The vast majority of men younger than 40 had a man purse.
  • A high of 75 degrees F is really cold to the Taiwanese. Everyone had on jackets, many with big winter coats. I was the only person in a t-shirt. Which reminds me:
  • T-shirts do not make the cut for men’s fashion here. Everyone I saw had a collared shirt, collared jacket, or hoodie. I felt naked in just a t-shirt.
  • Electronics are more expensive here than in the US. Which I find odd, since a lot of them are made here. For example, the 360 Kinect is about $530 here.
  • There is a distinct lack of iPhones, but a smorgasbord of other devices. All of them full touch screens. Some of them have tiny iPhone sized screens, but most of them have larger screens. Some were huge phones or small tablets. I did spot one or two iPhones and at least one iPad, but this land is not dominated by Apple.

Well tomorrow I start my TSOM/TSIEM project and will probably work most nights on my other pet projects (like getting that TSOM/TSIEM to QRadar Transition Redpaper finished!). I am uploading all my photos to my Flickr account, if you care to see more. My sore feet and I are going to bed.

Posted in Uncategorized

Transitioning From TSIEM and/or TSOM to QRadar – Intro

Posted by Xavier Ashe on February 7, 2012

Hello SIEM world. I have been working with IBM SIEM products for years now and we have come a long way. Some products can grow with the changing tides of customer needs, while other times we must leapfrog the competition and acquire a new technology. I am so excited to get to work with the new products from Q1 Labs, QRadar and QRisk Manager. We still have TSIEM and TSOM available, but a couple of customers have asked me about transitioning to QRadar. I will be at IBM Pulse this year covering the topic. I’ve decided to post my materials here as I develop them.

Tivoli Security Operations Manager, or TSOM, is used for automating the tasks of a Security Operations Center (SOC), big or small. Its real-time and statistical correlation allows customers to automate many responses to events and manage large amounts of data from a vast collection of endpoints, mostly networking and security devices. It enables security personnel to quickly drive to the source of a problem or flag it as a false positive.

Tivoli Security Information and Event Manager, or TSIEM, is used to develop rich reporting for user based activities. The tool collects from operating systems, databases, and applications, allowing customers to track user activities throughout their network. The resulting reports were meaningful and concise, allowing for reports to be consumed by non-technical staff and auditors to pass compliance.

To get the best of both worlds, we integrated the two to get a powerful, flexible architecture. The two products work very well together, getting the best out of both worlds, security and user compliance. I’ve deployed this dual architecture all over the world (and still have at least one more to do this year).

Now we have added QRadar from Q1 Labs to the mix. QRadar is a powerful security analytics tool that brings unbridled flexibility to the SIEM space. Its distributed architecture allows for 10-20 times (at least) the events per second that TSOM or TSIEM could do, opening the door to new environments for SIEM. One of my favorite features is the Netflow and QFlow analyzers. I’ll be posting a customer story soon about how the combination of event data and flow data allowed us to find an infected host behind a firewall and Citrix server. With QRadar, you get ease of use, tons of automatically updated security content, plus enough flexibility to get this old services guy excited. As the product stands today, I can configure it to do some amazing things. Plus the roadmap is chock full of even more features.

So while you can still get TSOM and TSIEM from IBM, I can see the excitement around QRadar. It’s a whole new class of product and I join you in the excitement. As I develop material around transitioning, I’ll post it here. I think I’ll probably end up writing another Redpaper, like I did when we transitioned from Tivoli Risk Manager to TSOM. If you are going to be at IBM Pulse, please drop me a line. I’d love to hear how you’re using the tools and how I can be of service. Just think about it like this: Go to Pulse and get free consulting!

Posted in IBM, QRadar, Security, Security Intelligence, TSIEM, TSOM

Leaving Vegetarianism to Eat Healthier

Posted by Xavier Ashe on February 4, 2012

My first beef in twenty years.

As of this year, I have been a vegetarian for twenty years. The beginning wasn’t that noble. I was a teenager and wanted to impress this pretty ballerina. It didn’t really work, but the move helped me start forming my self image. I dived into Native American spirituality and explored other aspects of the new age culture. I stood firm on three reasons that held true for the last twenty years.

  1. Killing another animal is profound and should be done with respect for the life you are taking.
  2. Most of the meat available is from factory farms. There are many reasons to despise these places.
  3. As poor as I eat, if I ate meat too, I’d be huge. I’m still the fattest vegetarian I know.

As my life started to settle down after marriage, house, and twins, I looked for ways to slow down and enjoy life. I wanted to improve myself in ways that would affect my children. They pick up on so much that I do. It’s my job as a parent to make the right choices for myself, as well as for them.

I have tried getting into a regular exercise routine. I kept with several different programs for months, but saw little difference in my weight. I also used the exercise as an excuse to eat even worse (I’m burning extra calories, right?!). The only time I really felt a difference was when I was single and on the prowl. I’m married and lazy now.

My trips overseas helped me get some perspective. I have always been struck by how grocery stores in many parts of the world are 80% FOOD. Not processed food, but real food. I realized that I don’t eat real food. I mostly eat things that come out of a box. Even when I cook, I take several things out of different boxes. This bothered me, but I had no idea how to change it. I had grown up in the world of supermarkets and worldwide food transport. There are no seasons, all the “fresh” food looks perfect, and 80% of a grocery store is processed food. And nearly everything has some type of corn and/or soy by-product.

Leah and I also started going to Ner Tamid, a Jewish congregation here in West Cobb. I was really struck by a good explanation of why Reform Jews follow Kosher rules. It’s all about mindful eating. When you set forth and think about the foods available to you, and you stop and ask yourself if it follows God’s laws, you think about God. You’ve now brought your spirituality to the table. I liked that idea. I don’t give much thought to my eating. I just eat what I want as long as it’s not meat. I wasn’t giving much thought to what goes in my body. I wanted to have food be a more important part of my life, to know where it came from, what it does to my body, and what it may do to my children eating this over a lifetime.

I knew I wanted to make a change, but I didn’t know how. Then Leah stumbled on the Paleo plan – a way of eating that mimics the way our human ancestors ate for the vast majority of human existence. The more we read about it, the more it made sense for us. I wasn’t a real vegetarian, I was more like a starch and carb-o-tarian. Once I was better educated about how our bodies deal with starches and carbs, I knew I needed to shift.

There are a ton of different Paleo diets out there with slightly different takes on the same premise. Leah and I decided on the Whole30 plan.

There was a big problem. It’s a hunter and gatherer diet. Hunters ate meat. Plus, once Leah named all the restrictions, I realized that was nearly my entire diet. I knew I ate poorly, but never this poorly. The decision was surprisingly simple once it came to it. I had a diet plan that I liked and I wanted to make a change. Then when I realized I had reached my 20th year as a vegetarian, it all came to a head.

I started a few weeks ago. I removed dairy and sugary food. Within 2 weeks I noticed a change in my face. At 3 weeks, I weighed myself and had lost 6.5 pounds. I felt good and it was pretty easy. A week ago I cut out grains, legumes, and everything else on the Paleo plan. I accidentally picked up some older slacks for work on Thursday and was delighted to see they fit.

Today I had my first bite of beef in 20 years. It was a bunless grass fed beef burger at Yeah Burger. It was very tasty. Eating meat will round out my diet and help my body reset its metabolism and glucose tolerance.

Leah and I also watched Food Inc the other night. It made me realize that I can eat meat and do so in a humane and sustainable manner. Since then we found a local butcher that has all sorts of local humanely raised meats. Plus, we found a farm only 15 minutes away from our house that sells locally.

It all feels good. I feel confident that I can stick with this. It’s a bit tough when I am traveling to find something, but I am getting better at it. And it forces me to be mindful, to remind myself that this is good for me, my wife and my kids. I lasted 20 years skipping out on meat. Let’s see if I can do 20 years of mindful eating.

EDIT: I just found this on the Whole30 website and it’s a good summary:

I eat real food – fresh, natural food like meat, vegetables and fruit. I choose foods that are nutrient-dense, with lots of naturally occurring vitamins and minerals, over foods that have more calories but less nutrition. And food quality is important – I’m careful about where my meat, seafood and eggs come from, and buy organic local produce as often as possible.

This is not a “diet” – I eat as much as I need to maintain strength, energy, activity levels and a healthy body weight. I aim for well-balanced nutrition, so I eat both animals and a significant amount of plants. I’m not lacking carbohydrates – I just get them from vegetables and fruits instead of bread, cereal or pasta. And my meals are probably higher in fat than you’d imagine, but fat is a healthy source of energy when it comes from high-quality foods like avocado, coconut and grass-fed beef.

Eating like this is ideal for maintaining a healthy metabolism and reducing inflammation within the body. It’s good for body composition, energy levels, sleep quality, mental attitude and quality of life. It helps eliminate sugar cravings and reestablishes a healthy relationship with food. It also works to minimize your risk for a whole host of lifestyle diseases and conditions, like diabetes, heart attack, stroke and autoimmune.

Posted in Personal Note
