The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for February, 2013

A free tool to Scan to PDF that WORKS!

Posted by Xavier Ashe on February 18, 2013

My move from running RedHat on the desktop back to Windows 7 hasn’t been too bumpy.  There was only one big driver corruption issue that took me a couple of days to solve, but it seems running Windows is like riding a bike.  I have a need to scan a good number of documents into a single Adobe PDF file.  The driver & software package that comes with my Lexmark printer only scans to individual files.  I had been using PDF Creator, which has a tool to suck up all the individual JPEGs and put them in a PDF.  It was clunky, and often files would be out of order.

I went on a search today to find another tool to meet my needs.  I tried 5 different freeware or shareware programs.  The first four didn’t function in some way.  Most just errored out, and one didn’t even run.  I finally found NAPS (Not Another PDF Scanner).  The only problem I have is that the default permissions on the program folder in which it runs keep it from saving a config file.  Running it as Administrator worked for setting up my profile.  Now it runs fine under regular permissions.

Just wanted to share to possibly save someone else some time.  Cheers!

UPDATE: well, NAPS ended up being too buggy for me.  I went back to the developer page on SourceForge and saw a comment that someone else had forked the project.  Yay, NAPS 2 is better!  Open Source FTW!


Posted in Personal Note

My Evolving Security Philosophy

Posted by Xavier Ashe on February 5, 2013

From the very start of considering a move from IBM Security Systems to Bit9, I gave a lot of thought to my security philosophy.  I really do believe strongly in IBM’s security portfolio, and I wanted to make sure moving to Bit9 didn’t undercut my security philosophy.  Working for IBM taught me a lot about holistic security and how good security products are usable whether your security maturity is basic or advanced.  I generally focused on the network side of security, mainly SIEM and NIPS.  I’ve shied away from endpoint security (with the exception of dabbling in forensics and TEM), because it’s such a headache.  Virus scan software is a joke, letting just about everything modern in.  Case in point: the recent attacks at the New York Times:

Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.

I see this all the time.  That’s why products like QRadar and IBM Security NIDS are so popular.  You have to fall back to the network if you can’t get control of the endpoint.  Why attack the endpoint?  It seems to be the easiest and most successful.  There are typically three categories of attacks:

  1. Remote attacks launched from the internet (DoS, SQL Injection, etc.)
  2. Insider threats, and
  3. Infect an endpoint, then launch attack from within (phishing, drive-by downloads)

Network based protection is very useful at blocking and/or detecting all three of these attack categories, but that leaves you with perimeter based security protection.  With perimeter based security, one tries to tackle the channels of infection like email and web browsing.  There are tons of solutions that help with this, but nothing helps as soon as that endpoint walks out the door.  Network security should be used to protect infrastructure, not endpoints.

So what can be done to protect the endpoint?  IBM Tivoli Endpoint Manager does a lot to manage all the small stuff like patch management, software delivery, compliance, and virus scanning.  I say small stuff not to dismiss its importance, but because these are processes that should be in place already.  Having TEM take care of it all is just easier.

When I was at IBM and a customer was worried about the insider threat, we would use either TSIEM or QRadar to pull in system and audit logs.  What we usually found was near pure chaos, since it’s very hard to figure out what is what within system logs.  The best approach I have found is using whitelist policies.  We would build profiles of acceptable behavior in an environment, filter that out, then analyze the rest.  It was a great approach and bled over into some of my other SIEM and NIPS scenarios.
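Here is what that whitelist-then-analyze approach looks like when written out against raw audit lines.  This is an added example for this post, not the author’s code and not how TSIEM, QRadar or Bit9 implement it; the key=value log format, the hosts, users and program paths are all constructed for illustration.  The profile is learned from a known-good baseline window, then everything the profile explains is filtered out and only the residue is handed to the analyst.

```python
"""Whitelist-then-analyze over system/audit log lines.

Added example; not the blog author's code and not taken from IBM TSIEM,
QRadar or Bit9. The log format, field names, hosts, users and program
paths are constructed for illustration only.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed key=value audit format (hypothetical, not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) proc=(?P<proc>\S+)(?: target=(?P<target>\S+))?$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    action: str
    proc: str
    target: Optional[str]


def parse(lines):
    """Parse log lines into Events; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def behavior_key(ev):
    """An acceptable behavior is modelled as: which account runs which program on
    which host to perform which action. Timestamp and target vary per event, so
    they are deliberately left out of the profile."""
    return (ev.host, ev.user, ev.action, ev.proc)


def build_profile(baseline, min_count=2):
    """Learn the whitelist from a known-good baseline window. A behavior must recur
    at least min_count times, so a one-off in the baseline (which may itself be
    something you should have looked at) is not silently blessed forever."""
    counts = Counter(behavior_key(e) for e in baseline)
    return {k for k, n in counts.items() if n >= min_count}


def filter_residue(events, profile):
    """Split events into (matched, residue). The residue is what the analyst reads."""
    matched, residue = [], []
    for e in events:
        (matched if behavior_key(e) in profile else residue).append(e)
    return matched, residue


def summarize(residue):
    """Group the residue by behavior so the analyst reviews behaviors, not lines."""
    return Counter(behavior_key(e) for e in residue)


# Constructed baseline: routine backup and Office activity, one malformed line,
# and one one-off file access by bob that should NOT end up in the profile.
BASELINE_LOG = r"""
2013-02-01T02:00:05 host=fs01 user=svc_backup action=file_read proc=C:\Backup\agent.exe target=\\fs01\finance\ledger.xlsx
2013-02-01T02:00:06 host=fs01 user=svc_backup action=file_read proc=C:\Backup\agent.exe target=\\fs01\finance\payroll.xlsx
2013-02-02T02:00:05 host=fs01 user=svc_backup action=file_read proc=C:\Backup\agent.exe target=\\fs01\finance\ledger.xlsx
2013-02-01T09:01:10 host=ws-alice user=alice action=proc_start proc=C:\Office\excel.exe
2013-02-02T09:03:41 host=ws-alice user=alice action=proc_start proc=C:\Office\excel.exe
2013-02-01T09:01:12 host=ws-alice user=alice action=file_read proc=C:\Office\excel.exe target=\\fs01\finance\ledger.xlsx
2013-02-02T09:03:44 host=ws-alice user=alice action=file_read proc=C:\Office\excel.exe target=\\fs01\finance\payroll.xlsx
2013-02-03T14:22:07 host=ws-bob user=bob action=file_read proc=C:\Windows\explorer.exe target=\\fs01\eng\spec.docx
2013-02-03T14:22:08 this line is malformed and is skipped by the parser
"""

# Constructed new day: two expected behaviors and three the profile does not cover
# (an unknown binary out of a Temp dir, a service account spawning a shell, and
# bob reading the finance share).
NEW_LOG = r"""
2013-02-04T02:00:05 host=fs01 user=svc_backup action=file_read proc=C:\Backup\agent.exe target=\\fs01\finance\ledger.xlsx
2013-02-04T09:00:02 host=ws-alice user=alice action=proc_start proc=C:\Office\excel.exe
2013-02-04T09:00:09 host=ws-alice user=alice action=proc_start proc=C:\Users\alice\AppData\Local\Temp\update.exe
2013-02-04T10:15:30 host=ws-bob user=bob action=file_read proc=C:\Windows\explorer.exe target=\\fs01\finance\payroll.xlsx
2013-02-04T03:12:00 host=fs01 user=svc_backup action=proc_start proc=C:\Windows\System32\cmd.exe
"""


def analyze(baseline_text, new_text, min_count=2):
    """End to end: learn the profile from the baseline, filter the new log,
    return (matched, residue)."""
    profile = build_profile(parse(baseline_text.splitlines()), min_count)
    return filter_residue(parse(new_text.splitlines()), profile)


if __name__ == "__main__":
    matched, residue = analyze(BASELINE_LOG, NEW_LOG)
    print(f"{len(matched)} events matched the profile, {len(residue)} left to analyze:")
    for key, n in summarize(residue).most_common():
        print(f"  {n}x host={key[0]} user={key[1]} action={key[2]} proc={key[3]}")
```

The min_count threshold is the part worth arguing about in a real deployment: set it to 1 and bob’s single baseline access to the engineering share whitelists his explorer.exe reads, so his later read of the finance share disappears into the “matched” pile.  Keeping the threshold above one, and reviewing what got whitelisted before trusting the profile, is what keeps a learned baseline from becoming a hiding place.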

I bring this up because one of the reasons I like Bit9’s software is that it employs a similar whitelist approach, but it looks to be MUCH easier than the rat’s nest that is system and audit logs.

Let me summarize:

  • Network security is best when focused on protecting infrastructure like hosted applications and databases.  It loses effectiveness when trying to secure the endpoint.
  • As for hosted applications, security vulnerability testing and security development should be a closed loop.
  • Insider threats can only be managed if you are doing system and audit log analysis.  It’s a costly investment, but worth it to certain business sectors like banking and military.
  • Endpoint protection must include basic measures including patch management, lifecycle management, and basic written security policy.
  • I believe SIEM is critical to tie it all together and should be the single pane of glass.
  • Maturity in other security processes like identity management, access management, policy, compliance, encryption, and asset management help all your other security investments.
  • Overall security policy governance has to be tailored to the size and type of organization.

As I write this out, I see that going after endpoint security with Bit9 fits for me.  I am looking forward to learning more about its capabilities and how our customers would like to use it.

Posted in Personal Note, Security, Uncategorized
