|By Hurricane Labs||
|April 12, 2012 01:07 PM EDT||
IPS Updates, Splunk, Check Point and You
How I Learned to Stop Hating the Term “Zero-Day” but Not Really
By: Bill Mathews
Zero-day attacks – you know, the ones that almost EVERY signature in your IPS claims to protect you against? Yep, those guys, nasty little things. Basically, if IPS vendors are to be believed, those are the vulnerabilities that don’t have a patch yet but do have active exploits against them. You update your IPS signatures and BOOM, protection from zero-day! The problem we always run into, and this is with almost every IPS vendor so I’m not just picking on Check Point here, is: how do you know when an update is available? As much as most vendors would like it, we are simply not logged into their console all day long, so their automated “hey, you have an update” notification is not useful. This was a big problem for us because we manage a lot of firewalls, so what to do, what to do. We turned to a combination of something old (RSS), something a little newer (Splunk), and something really old (email alerts). Here was the issue and how we solved it:
Updates come out, an email goes to only one person (subscribing everyone is impractical), and updates are scheduled as needed. The process is slow, too “people heavy”, and has a lot of built-in delay. This is no good when dealing with zero-days.
I took Check Point’s RSS feed that announces their IPS updates and fed it into Splunk. This allowed me to index the feed and break it apart a little so I could build a dashboard around it (dashboards in Splunk are basically a collection of searches and reports). By itself this would let us search across IPS updates and figure out which ones we needed, but I wanted to dig a little deeper and make the process a bit less painful. This is where Check Point helped me out a bit (and possibly other vendors do this too, but I don’t know for sure): they actually have a severity tag in their RSS feed, so I know how important a given new protection is (Critical, High, Medium, Low) and can organize my dashboard accordingly.
This dashboard gives me a neat layout of new IPS protections and how important they are. It was a great jumping-off point to automate the process a bit more. Next I created a Splunk alert that notifies our engineers of Critical or High protections that should be pushed with some urgency, plus a smaller alert for lower-severity protections that should be analyzed a bit more before pushing. The biggest benefit was unknown to me at the time: the RSS feed is updated a full 24 hours or so before the update email is sent out, so we were able to get updates out a full day faster, which is huge in this allegedly zero-day world.
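The same pipeline in miniature, as an added example that is not Hurricane Labs’ or Check Point’s code: a small Python script that parses an IPS-update RSS feed, reads a per-item severity element, and splits items it has not seen before into an urgent list (Critical/High) and a review queue (everything else, including items whose severity is missing or unrecognized), keeping a set of seen links so a feed that keeps re-publishing old items does not page anyone twice. The element name `severity`, the sample items and the links are constructed for illustration; the real feed’s field names may differ and should be checked against an actual pull before wiring anything like this into Splunk.

```python
"""Route IPS-update RSS items by severity (added example, not vendor code).

The <severity> element per <item> and the sample feed below are assumptions
made for illustration; check the real feed's field names before relying on it.
"""
import xml.etree.ElementTree as ET  # use defusedxml for feeds fetched off the network
from collections import Counter
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample feed. None of these protections or links are real.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>IPS protection updates (sample)</title>
    <item>
      <title>Sample HTTP parser protection</title>
      <link>https://ips.example.invalid/protections/1</link>
      <pubDate>Wed, 11 Apr 2012 09:00:00 GMT</pubDate>
      <severity>Critical</severity>
    </item>
    <item>
      <title>Sample SMTP protocol anomaly</title>
      <link>https://ips.example.invalid/protections/2</link>
      <pubDate>Wed, 11 Apr 2012 09:05:00 GMT</pubDate>
      <severity>Medium</severity>
    </item>
    <item>
      <title>Sample SMB remote code execution protection</title>
      <link>https://ips.example.invalid/protections/3</link>
      <pubDate>Wed, 11 Apr 2012 09:10:00 GMT</pubDate>
      <severity>high</severity>
    </item>
    <item>
      <title>Sample informational scanner signature</title>
      <link>https://ips.example.invalid/protections/4</link>
      <pubDate>Wed, 11 Apr 2012 09:15:00 GMT</pubDate>
      <severity>Low</severity>
    </item>
    <item>
      <title>Sample item with no severity tag</title>
      <link>https://ips.example.invalid/protections/5</link>
    </item>
  </channel>
</rss>
"""

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Unknown": 0}
URGENT = {"Critical", "High"}  # page now, push with urgency
EPOCH = datetime.fromtimestamp(0, timezone.utc)  # sort key for items with no pubDate


def parse_feed(xml_text):
    """Return one dict per <item>: title, link, published (aware UTC), severity."""
    entries = []
    for item in ET.fromstring(xml_text).iter("item"):
        sev = (item.findtext("severity") or "").strip().title() or "Unknown"
        raw_date = item.findtext("pubDate")
        entries.append({
            "title": item.findtext("title", "").strip(),
            "link": item.findtext("link", "").strip(),
            "published": parsedate_to_datetime(raw_date) if raw_date else EPOCH,
            # A renamed or misspelled level becomes Unknown and lands in the
            # review queue instead of being silently dropped.
            "severity": sev if sev in SEVERITY_RANK else "Unknown",
        })
    return entries


def route(entries, seen_keys):
    """Split unseen entries into (urgent, review), most severe then oldest first.

    seen_keys is mutated on purpose: it is the state that stops a feed which
    re-publishes old items from paging the on-call engineer on every poll.
    """
    urgent, review = [], []
    for e in entries:
        key = e["link"] or e["title"]
        if key in seen_keys:
            continue
        seen_keys.add(key)
        (urgent if e["severity"] in URGENT else review).append(e)
    order = lambda e: (-SEVERITY_RANK[e["severity"]], e["published"])
    return sorted(urgent, key=order), sorted(review, key=order)


def severity_counts(entries):
    """Per-severity totals, the number a dashboard panel would show."""
    return dict(Counter(e["severity"] for e in entries))


if __name__ == "__main__":
    seen = set()
    urgent, review = route(parse_feed(SAMPLE_FEED), seen)
    for e in urgent:
        print(f"URGENT  {e['severity']:8} {e['title']}  {e['link']}")
    for e in review:
        print(f"review  {e['severity']:8} {e['title']}  {e['link']}")
```

In Splunk the equivalent split is a saved search over the indexed feed that filters on the extracted severity field (one alert for Critical/High, one for the rest); the seen-keys set is what a scheduled search gets for free by only looking at events newer than its last run. The parse step is the part to treat carefully: a feed pulled over the network is untrusted XML, so parse it with defusedxml (or an equivalently hardened parser) rather than the stock `xml.etree` shown here.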
Some future improvements might be pushing the alerts out via SMS or through our Nagzilla system. I also have, in the back of my head, an idea for relating these protections to the relevant hosts via Splunk’s inventory module. All in all, just one way to use technology for the betterment of all mankind, or something like that.