Webcast Overview:

The Top 5 Fastest ROI Projects Around Identity Assurance
Friday, December 11 at 1:00 PM EST (1800 UTC/GMT)
Featuring: Andrew Hay and Benjamin Cunningham

With budgets being frozen across all industries, executives are finding it increasingly difficult to justify new capital expenditures. Security is one area in which organizations know they cannot afford to reduce spending without increasing risk. In this seminar, we’ll discuss the top 5 identity assurance projects that will give your organization a return on investment (ROI) in the shortest amount of time possible.

You can sign up for the webcast here (it’s free): https://www.sans.org/webcasts/-top-5-fastest-roi-projects-around-identity-assurance-92943

1) Edit the interfaces file:

you@ubuntu:~$ sudo vim /etc/network/interfaces
[sudo] password for you: enter your password

2) Go to the last line of your interfaces file and add the following:

iface eth1 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

3) Save and exit the file:

:wq

4) Bring your newly configured interface up:

you@ubuntu:~$ sudo ifup eth1


5) Check your interface and look for PROMISC:

you@ubuntu:~$ sudo ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:0c:29:bb:3a:cc
inet6 addr: fe80::20c:29ff:febb:3acc/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:31011 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4973602 (4.9 MB) TX bytes:796 (796.0 B)
Interrupt:16 Base address:0x2080

Now start snort, tcpdump, or whatever you want to use to start sniffing traffic using your newly configured promiscuous interface.

Question 1) Will Intellitactics’ PCI DSS Compliance reports satisfy a Qualified Security Asseessor?

Intellitactics Answer: YES

REALITY: Unfortunately not all auditors are created equal and each one has their own interpretation of what will satisfy the PCI DSS.

Question 2) Can you write your own reports?

Intellitactics Answer: OF COURSE but you won’t need to.

REALITY: I highly doubt that Intellitactics has thought of every possible reporting scenario and I have spent a fair amount of time creating my own reports based off of vendor canned reports. Never say never.

Question 3) When you’re using Intellitactics SIEM Solutions will you be able to collect ALL LOGS from any device or data source?

Intellitactics Answer: YES YES YES!!

REALITY: From my C64? Really? How about my mainframe that logs to a screen, has no unique identifiers, and no native method to ship those logs off to your product? This smacks of marketing and don’t be fooled. Always verify that your products can log to the SIEM you’re looking at and if the vendor says your custom/obscure/dated application will log to their system – ask for a proof of concept with YOUR system.

Question 4) Can you do root cause analysis?

Intellitactics Answer: YES and you can do it graphically – in the case of Intellitactics SIEM solution – a picture really is worth a thousand lines of events.

REALITY: Pictures are great for 10,000 foot views but the answer is in the data. Use flashy graphics as a starting point but don’t believe that your SIEM is smarter than a trained analyst.

Question 5) How fast is Intellitactics SIEM solutions?

Intellitactics Answer: FAST ENOUGH – Consistently for effective and efficient log and event management.

REALITY: It may be “fast enough” for the vendors benchmark tests but that doesn’t mean that it’ll be fast enough for your needs. Always challenge your vendor on their figures.

Question 6) How many devices does Intellitactics support

Intellitactics Answer: ALL the ones that are important to you and then some.

REALITY: How could a vendor know which devices, applications, logs are important to me. What’s important now won’t necessarily be what’s important in 6 months and you mean to tell me that you’ll anticipate this requirement?

BOTTOM LINE: Always challenge your vendors and get what’s right for you folks. Don’t read into the marketing.

I can’t say enough about how great both of these courses are and I hope that I fare as well on the GIAC Certified Forensics Analyst (GCFA) exam when I sit for it in the coming months. If you ever get an opportunity I strongly recommend you take both of these courses.

Steps to Install log2timeline on SIFT

1. Download the log2timeline archive to your SIFT workstation
[root@SIFTWorkstation ~]# wget http://log2timeline.net/files/log2timeline_0.33b.tgz

2. Extract the archive
[root@SIFTWorkstation ~]# tar zxvf log2timeline_0.33b.tgz

3. Change to the log2timeline directory
[root@SIFTWorkstation ~]# cd log2timeline

4. Install some of the dependancies using yum
[root@SIFTWorkstation ~]# yum install perl-DateTime perl-Net-Pcap perl-Archive-Zip perl-HTML-Scrubber perl-Image-ExifTool perl-Glib

5. Install the NetPacket::Ethernet module
[root@SIFTWorkstation ~]# perl -MCAPNPLUS -e 'install NetPacket::Ethernet'

6. Install the ExtUtils::Depends and ExtUtils::PkgConfig modules
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install ExtUtils::Depends'
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install ExtUtils::PkgConfig'

7. Install the Glib, Cairo, Pango, and Gtk2 modules
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Glib'
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Cairo'
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Pango'
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Gtk2'

8. Compile log2timeline
[root@SIFTWorkstation log2timeline]# perl Makefile.PL && make && make install

9. Execute the log2timeline script using the ‘-f list’ flag to test the installation
[root@SIFTWorkstation log2timeline]# log2timeline -f list


That’s it. If the log2timeline -f list command displayed all available log file formats you should be good to go. In my experience, if a particular module is missing you will receive an error when running this file (in a different place depending on what is missing).

Now you should probably take a snapshot of your SIFT image so that you don’t revert back and lose your log2timeline application. If you would like more information on log2timeline there is a great article here: http://blogs.sans.org/computer-forensics/2009/08/13/artifact-timeline-creation-and-analysis-tool-release-log2timeline/ and the log2timeline project page can be found here: http://log2timeline.net/.