DK 'Log

Interesting stuff happening around Alienvault.

2011-09-27T16:13:00.001-07:00

Can't reveal much more. Huge positive change coming on the community end :-)

RAID 11 @ Menlo Park, CA (notes and rants)

2011-09-21T17:07:00.000-07:00

I attended RAID these past couple of days and must say I come out of it with mixed feelings. I had moments of great fun, saw some good stuff but most of the conferences were waaaaaaay too theoretical for my taste.
Anyway, these notes have to be taken with a grain of salt. I know that many people have put a great deal of effort into their talks and presentations so the notes below might sound unfair. I'm not talking about the effort they did put into it or the quality of their work, my notes and comments are based on my personal liking, my personal opinion and my personal interests.

For reference, here is the RAID 11 Program.

By far the most interesting thing for me has been the Panel Discussion featuring Seth Hall (BRO IDS/NSM), Victor Julien (Suricata IDS/IPS) and Marty Roesch (Snort IDS) and the OISF Brainstorming session. Those were the things that (most of the time) considered real world, immediate application topics, with user/customer needs behind them instead of the world of theoretical "Highed" (wonder what gets them so high :P). I'm a college drop-out myself in case you didn't know...

First of all (on the Panel) I must say that Ron Gula, the panel moderator, looks much healthier than last time I saw him. He seems to be taller, long hair, etc... Sorry, bad joke, Ron was sick and couldn't make it. Hope you get better soon!

The session itself started with a quick 5 min introduction from each panel member, which was very interesting. I knew about Marty & Snort and am having more and more involvement into Suricata with Matt and Victor lately but knew little about Bro. Interesting to know a bit more.

So, without further delay, the session notes (some good stuff tho there was no bloody Suidae - Mongoose fight that many seemed to be waiting for) are below. Again, my personal opinion, comments and so on. Below these I'll put the notes on the sessions I attended (I missed the last two, had to leave) as well as some anecdotes such as "The most useless question for Day 1", "The most useless question for Day 2" and some others I'll try to think of.
Sorry if some of the questions or answers are incomplete, sometimes I couldn't resume them quick enough or follow up fast enough on the answers.

Panel Discussion notes

Legend:

M Marty
S Seth
V victor

Questions:
1: what are recent advancements in the IDS field?
M client side enhancements mainly, detecting new types of attacks that are targetting the client more and more.
S Counting stuff, providing more information, easier access to Bro data.
V (Was told by the moderator that he had already answered this on his introduction and that he'd be skipped. Too bad.)

2: open source... Advantage or nuisance of community creating rules.
Asked by the Annoying French Guy (AFG) (I never knew the name of this one, he has to be some sort of university teacher but he was really really annoying during the two days. Often asking obvious questions with even more obvious answers, seemed to be used to hear his voice more than others and felt uncomfortable in an environment where he could talk as long as he wanted).
M complicated. Customers need quality rules for Sourcefire, Community can't provide those in a reliable manner.
S never had community, building script repository with community focus
V community centric. Community rules driven, very important.

3. What prevents attackers from replicating the code and circumventing it:
S complexity prevents attackers from replicating. (That's too funny :P)
M open source no weakness. OS better for security community as it can be escrowed,
sort of like crypto systems.

4. Difference between snort and suricata. What makes suricata the next gen IDS.
V revamp the community that was being neglected by Sourcefire. Gpu, multithread,
language extensions.
M politized topic. Snort remains as it is because of performance and because of building
automated detection topics. Different focus.

5. When was the last bad bug
S never to his knowledge. Too complex? (Marty had a funny comment later on this. He says that the last time he looked at the Bro source code he fired it up in Vi, had a quick look and quickly closed it again. I believe his eyes were bleeding after that).
V some exploits, quick fixes.
M snort had them. Arbor networks analyzed snort, felt it was hard to target because of diversity of deployments.

6. Bro more user friendly, how, when new release?
S cleaning for beta, cleaning up script layer, provide an API over the scripting layer.

7. Bro vs Snort, what are tradeoffs
S tells peoples to both run snort and bro. Use bro as a post correlator.

8. All 3 products only detect simple things. Are they additional exposure?
M no, nobody targets IDS in order to access a network. Its the users who don't want to
detect more complex stuff.
S target Ids is a absurd thing since as they are isolated you'll never know if you
succeeded. Again providing examples that are out of this world, ssh login attack from
Romania.

9. Are self tuning systems reliable?
M self tuning is needed because people are bad at tuning IDS systems. They need to be
saved from themselves.
V focus on post infection detection instead of relaying on pre-infection.

10. Cloud impact on NIDS.
S cloud providers don't provide capability to monitor cloud, you are on your own. More
abstract examples.
M cloud complicates deployments and you have more places to detect attacks

11. AFG asks about some papers on obfuscation and why they haven't been
implemented. (for some questions this was my favorite for most useless question of the day, the winner came later tho).
M has some normalization features, it works sometimes.
V Suricata is considering normalization too.
S bro may have it, he doesn't know.

12. Integrations with online portals, querying other parts.
S bro is asynchronous, that would work.
M razorback does that.

13. Host base IDS features in those NIDSs (good candidate for most useless question but didn't quite make it)? Like unpacking JavaScript.
S nothing even planned in bro. Ossec talks.
M no open source hids. Immunet does something like that but it does it in the cloud.

14. Zero day detection. Incorporate some of those modules?
M we don't care about shellcodes that much. We care much more about detection. Immunet does that
kind of stuff with this.
S not really, too many other interesting things. (lost him here again, Seth didn't know the concept of "short answers" ;-) )

15. Reputation lists ips/dns. Plans.
V soon in suricata, Matt's baby in ETPro.
S some more confusing speech. Username intelligence.
V use it as well with suricata
M implementing it right now in Snort

16. What support do I have to port my code contributions to your systems if I don't want to write C. Example: coding some addons in python. (*very strong* contender to the most stupid, errr, useless question of the day, but again superseeded later).
M don't use python in something that requires near real time. At most you could create a lua preprocessor.
V same
S c++ and bro scripts. Broccoli to distribute packets. (had Broccoli for lunch today and that reminded me of why I hated the name: who doesn't hate Broccoli?

17. AFG attacking again. What about distributed intelligence framework?
S hope CIF does that and lots of blah
M lots of barriers which make attackers happy
V commercial feed on the framework.

18. Why not share code among systems?
M bro is different to snort. There are no common points at lower level.
V creating library, libhtp, for others to use. Same for other parts. There is a lot of
sharing.
M libdaq, other things.
S no answer.
M bin pack project

19. (We got a winner!!! price for the most useless question of day 2!) Absurd comment about IDS not being IDS, but rather intrusion detection sensor with a limited visibility of the overall picture. (For this guy Prelude was the only real thing since it would take multiple input sources. Only bad thing is that it doesn't do anything useful with those input sources....)
S people are the most importing thing. Provide that tools to the people.
V you need good cameras for a good security system.
M other systems do the correlation. IDS is context free. (<--- 100% right, stop asking IDS systems to do everything).

Well, I don't know if its reflected here but it was pretty interesting despite AFG's interventions, kudos to Marty, Seth and Victor.

I noticed an interesting trend during these three days (counting the OISF Bstorming session in): people want everything to do everything. I mean, yes, NIDS has to expand itself beyond rule based pattern matching, but if you don't limit the capabilities... where will that lead you to?
One of the good things for example is that Suricata dropped SQL output from their roadmap. You've got Barnyard2 for that, focus on your stuff and don't try to do everything...

And exactly that is what I think is Bro's problem. I've known Bro for over 12 years, I remember having tried to play with it but get frustrated in the past. Several times. Same happened with Prelude.
And the same happened to me with Snort. Once. I took it up again two years after that and was amazed on how it was going to leave Realsecure and Dragon faaaar behind (my favorites at that time.
Finally, I tried out Suricata about this time last year, didn't have a great experience, dropped it. Now we're going to really look into it again and hopefully integrate it into Alienvault / OSSIM soon.
And I'd love to give Bro another opportunity, some of the things Seth said were very interesting. Problem is that 80% of what he said was targeted at generating academic interest while 20% were real world applications.

Talking about which, I'd divide it like this (targetting real users / targetting academics):
M: 90/10
S: 20/80
V: 70/30

Again, reiterating that this is all my personal opinion.

After this I wanted to have a laaaarge listing of conferences with a format like this:

Title

Presenter:
Start:
English:
Theory:
Practical value:
End:
Slide usefulness:
Q&A beating recvd:

If there's a lot of interested I'll put it up, but I think it doesn't provide a lot of value since most of my valuations are under 5 in a 0 to 10 scale. Having said that, I really enjoyed 4 talks due to it's obvious practical applications:

Klimax

Presenter: Stefano Ortolani
Start: 10:35
English: good (not loud enough)
Theory: very good
Practical value: high
End: 10:56
Slide usefulness: ok, text at the bottom, appealing
Q&A beating recvd: none
7

Dymo

Presenter: Bob Gilbert
Start: 13:53
English: first good and loud english
Theory: very interesting, well explained.
Practical value: little, only implemented for Windows XP. Big potential. Hard to maintain label DB.
End: 14:15
Slide usefulness: good, text at bottom
Q&A beating recvd: some, tcp issue with changing identity after socket establishment.
8

Cross domain collaborative anom detect

Presenter: Nathaniel Boggs
Start: 15:30
English: native
Theory: interesting
Practical value: some, interesting idea. Compare logs on different hosts/web servers,
matching logs across then could be unknown stuff.
End: 15:56
Slide usefulness: good, little bottom text
Q&A beating recvd: stupid attack from audience accusing them of not setting up a good baseline. Hostility could be felt coming from the italian guy. Some beating received.
7

Environment sensitive malware

Presenter: Martina Lindorfer
Start: I arrived late
English: ok
Theory: nice
Practical value: good, Jaime has implemented similar stuff already.
End: 09:58
Slide usefulness: nice slides, text at bottom
Q&A beating recvd: none, AFG asking some useless stuff.
7

Last quick note: Jaime wanted to ask Martina during the Q&A if she wanted to marry him (good looking, good knowledge in an area he's very interested in too) but he chickened out at the end.

Here we got the winner of the most useless question/comment of day one btw. There was an Italian guy who was attacking Nathaniel for not having set a right baseline for tests, and it was set in a previous paper. Lesson for AIG: Do your research before blaming others...

Conclusion

It's been a great experience, some interesting talks but far too theoretical for my taste, as stated earlier.

The location was a bit weird, it ressembled more a dinner place than a conference room (the same building had a much better conference room but we couldn't use it).

What I take with me is being happy about Suricata continuing to grow in the right direction, having met Matt, Victor and Marty again and having getting to know some interesting people. Aah, and having "give Bro another chance, again" on my todo list again :-)

OISF/Suricata Brainstorming session

2011-09-19T18:35:00.000-07:00

Just attended the OISF Suricata brainstorming session, it was really fun (unlike the RSA one ;-)).

Happening at the same venue than RAID 11 (which I'll be attending with Jaime too), it was 3+ hours of brainstorming, discussing IDS/IPS and learning about a bunch of new concepts.

I think they're doing a real good job on it and the community driven roadmap is something I wish I had been able to do 8 years ago, in the early OSSIM stages.

Anyway, we'll accelerate the inclusion of Suricata into OSSIM for sure after what we've seen today, and I'm really looking forward to see the new features implemented :-)

To blog or not to blog?

2011-09-19T18:30:00.000-07:00

I've got a doubt here. I really like G+ (http://gplus.to/dkarg) and I also want to Blog again about various things... but I have no idea how to get the best of both without repeating work.

I guess for now I'll be posting here and sharing on G+ :-)

3.0 is out!!!

2011-09-16T15:10:00.000-07:00

We're proud to announce the immediate availability of our newest release. This release has huge improvements, but the best way to check it out is:

Enjoy :-)

Top 5 reasons for choosing Alienvault

2011-01-13T11:14:00.000-08:00

This was a response from a customer whom I'm keeping anonymous unless he wants to step up, I was glad to read that and it always feels good to have this type of feedback.

Sure...here they are in order of importance to me.

1. - Industry standard open source software - I don't care who you are, if you are in IT or Security, you have heard of Snort, Nagios, ntop, etc.

2. - Support - I wanted something that was supported by people who were proud of their product and who actually care about it's success.

3. - It works! - Issues with getting the hardware aside, the performance and stability of OSSIM is either on par or beyond other commercial products

4. - Time to implement - We got the systems up and going in our production environment in 2 days, the tuning is ongoing, but it was exceptionally quick to implement.

5. - Personal attention - Being supported by Dom and Santi, the guys who have been with the project since inception was a huge thing for me, they obviously care deeply about the company and it's customers.

6. - Cost - The cost of entry into the SIEM arena for most companies is a huge barrier, with OSSIM, that barrier has been all but removed.

7. - Your daughter being a bad-ass hockey player was cool! (you can quote me on this one!) :o)

Company status update

2010-12-27T10:26:00.000-08:00

2010 has been an incredibly exciting year for Alienvault. The goals were set high and a lot of new stuff was supposed to happen, looking back at it now I first realize what we have achieved and how much work we've put into it.

On October 2009 both the Alienvault CEO and CTO joined a trip to Silicon Valley promoted by the "Comunidad de Madrid", where we visited some company incubators, Google offices and did some other stuff. But that trip was our eye opener, we needed to be competing in the US market with a stronger local presence, so Alienvault LLC got up and running.

The first public presence for this branch of Alienvault (originally founded on March 2007 btw) was at RSA 2010. It was fun but B-Sides, where I gave a Crappy talk :P, was much more interesting. But this is about the Company, so being there on the floor and sharing exhibit space with the other big players in the SIEM marketing was definetively a huge step forward.

So after the RSA (where it was four of us, our former VP of Sales and Marketing, our CEO, our future VP of Marketing and myself) I promptly decided to stay for a bit longer in the US and get the company rolling; this was too exciting.

So said and done, tons of paperwork to get going, getting an accountant and finding an office for the future HQ of the company.

Along the way we had the incredible luck of finding a VP of Sales in Jim Watts, who quickly implanted a very effective sales model in the US, and a VP of Marketing in Chris Blask.
The change of VP of Sales made us grow over 900% from Q4 2009 to Q4 2010 and the change of VP of Marketing will end up in a brand new web image we're going to release early next year.

We found some nice offices around July too, at 1901 South Bascom Avenue, Suite 220, Campbell, CA 95008, closing down the Atlanta office and covering East, Mid and West of the US with 3 very high level Sales Directors, which will futher help us grow that part over here.

Marketing and finance people also joined us in order to complete, along with an increase of pre/post/support people, a great team with which to head into 2011, with a ton of great prospects along the road :-))

Some OSSEC <--> AlienVault screenshots :-)

2010-12-15T11:45:00.000-08:00

I recently tweeted about this, we're preparing a much tighter integration of OSSEC during this next release, starting with a web based management interface for:

Rules
Agent connection, crypto stuff
Agentless
OSSEC configuration
Processes

Bundled with the reporting and analysis capabilities we've already got this makes for the perfect OSSEC companion.

Below are some teaser screenshots :-) (Devel guys will kill me, I should be completing the task definition instead of blogging about it...)

Screenshots:

May Poll results... a tad late

2010-12-15T11:27:00.000-08:00

The outcome of the poll is clear: documentation is a must. We've been working on the installation and are pretty close to finish a very detailed user guide too. Updates to the wiki have happened and more interesting things in this direction will follow.

I for myself intend to continue with the tutorial series since I've heard good feedback on them.

I'm alive!

2010-12-15T11:16:00.000-08:00

Finally I'll very soon get some more time (thanks to aliensanti :P) to write and am really excited about this opportunity, really missed it.

My first three posts will be status updates:
- Company status update
- Product status update
- Personal status update

On all three areas there have been big and exciting changes which I'd like to share :-)

Best wishes to everybody!

May poll of the month: on OSSIM improvements.

2010-04-30T01:27:00.000-07:00

I must say I really like this blogspot thing, nifty add-ons for the blog. I found a "polling one" and intend to run a poll each month and post the results and impressions on a summarized post.

This month's poll is about OSSIM improvements: where do you think the most improvement is required?
Thanks for any feedback on this, if you specify "Other" please comment on this post about what you meant.

How would you describe OSSIM?

2010-04-29T23:07:00.000-07:00

We're currently giving http://www.alienvault.com a minor facelift.

What we want to feature there is nice things actual users can say about OSSIM. So if you're a happy OSSIM user and don't mind being quoted (anonymous references are welcome of course) on our frontpage, please comment on this post so that we can get your feedback.

The only think we'd require is a bit of context about yourself (we're using OSSIM in this 10000 user educational network, I've been managing OSSIM for a bank, etc...)

Every quote that makes it onto the page will be sent one of our upcoming Unofficial Official Alienvault t-shirts and a little stress-relieving alien, due to be released this summer ;-)

US Open Source Think Tank 2010 wrap-up

2010-04-18T18:36:00.000-07:00

The main reason I switched over to blogger.com is because I wanted to talk about this truly amazing event I attended this weekend, the OpenSource Think Tank.

The private, invitation-only event was held at the Meritage Resort in Napa, California. A perfect venue for such an event IMHO. The event was organized by the Olliance Group and DLA Piper, sponsored by a number of open and not-so-open source companies, you can see a list on the main Think Tank Site. (Thanks a ton to the sponsors btw).

The three day event started with a 90 minute drive from Sunnyvale to Napa on a sunny Thursday morning (we followed this route) in the company of my Fiancee. There was no additional charge for bringing another person around so I thought putting her into the Spa was the best way of ensuring she wouldn't complain about myself working through the weekend :-)

Day one

Upon arrival the place confirmed what we had seen on the web already, it was a beautiful place surrounded by vine-yards in the middle of Napa Valley. I already had checked the list of speakers and assistants (quite astonishing, I won't be naming anybody but the list included CEOs, CIOs, CTOs, legal experts, investors and senior executives from top companies and agencies) so I was excited about the people I'd be meeting, the conversations we'd be having and the overall knowledge sharing that would be happening at the event. And I wasn't disappointed...

On the first day we listened in to what three CIOs of some very big US companies had to say about OpenSource in their environment. Interesting stuff was said and I already started learning a lot. Food was ok (was going to have much better food the day after) and we jumped directly into our first business case.

The business cases were fun and challenging at the same time. There were 8 tables with around 8-12 people on each having to work on a some sample scenarios involving mobile platforms. We got one of the toughest IMO, we had to build a mobile solution for our own company.
The group was amazing and one hour later we already had developed a full mobile multi-platform ERP ready for our global corporation. After that, a 5 minute presentation was made by someone at each table, which was quite funny. Lawsuits were thrown around, hilarious marketing speeches (SuperFluffy on steroids, lol) and a good share of know-how brought up an interesting evidence: there's little room right now for OpenSource in the mobile market.

Following this there was an insightful panel on cloud+opensource which I can't talk about, a couple of talks by some of the main sponsors (Oracle & Microsoft) which led to the interesting part of the day: the opening reception (sponsored by Geeknet, the people who run sourceforge.net among others. Having them buy me beer and wine made me forgive them a bit for the nightmares we're facing with CVS downtime lately >5 days in a row at some times).
The reception was held under a wine-yard in a cave and I was able to start meeting very interesting people. The place was a bit loud tho, the echo made having a good conversation almost impossible.

9pm was my limit tho, it had been an exhausting first day. I heard some people went on until late-late in the night, ending up in a small Deli in Napa ;-). Missed some fun there...

Day Two

The second day started early in the morning with the key activities during the weekend: a business case on the State of California and their OpenSource usage policy. Half of our group was split up and we had to merge with a new group. Interesting stuff, I missed my old group but in the end I think the new group was better suited for the subject at hand, there was a very strong representation of many areas with an incredible level of expertise. I felt a bit awkward and tried to share my limited knowledge (compared to that of those people around the table) in order to get a successful business case in the end.
This business case was real competition btw, with a prize luring on the last day and the judges being no others than the State CTO and CIO, iirc.

Our group ("Table 5" from now on) performed incredibly well. I won't disclose any detail about the exact content of our case and pitch but I want to express my sincere admiration to the coordinator of the group, who wrote down the slides on a whiteboard and pitched them the day after and the co-presenter. Everybody was amazing in the group but them two had to present our stuff and put it into the right light, and they did incredibly well the third day.

Another workshop went after this one, with the same group. But after the State of CA one this was a bit "light". We handled it in about 30 minutes doing all the possible options from various angles.

After this we were done (around 1pm) and after all this hard work attendees had to make a choice:

Run around in the sun hitting a white ball with wooden or iron sticks
Try out the wines in one of the best wine regions of the world

I don't have to say which one I chose, right? :-P (I'm biased, I don't know how to play golf tho I'd love to learn, so my decision was a no-brainer).

The very friendly chauffeur brought us to the "Cline Cellars" where we had a good share of wine tasting. I don't want to talk bad about the wine but I must admit their miniature collection was way more interesting than the wine we were given to taste.

One hour later we were carried over to the next Winery, the "Jacuzzi Winery" (those guys actually invented the Jacuzzi itself, I was pretty amazed). The wine here was much better tho the location was a bit awkward, being a replica of the old home of the Jacuzzi Family back in Italy.

Next step: the gala dinner.

The third winery of the day proved to be the most amazing one. Artesa Vineyards & Winery. Maria (ref: Fiancee) and me decided to take our car to the place in order to be able to leave whenever we wanted, so we arrived on time (and the rest of the group about 20 minutes later). The place was breath-taking.
If you look at their site you'll have an idea about the architecture, we were in the middle of the green mountains and wineyards, catching a grasp of San Francisco on the horizon while the sun was setting... incredible.

The dinner itself was incredible (This picture resembles the most to what we had) and the wines great. So was the company on the table, I were lucky and had the chance to chat with some of the people I had met before.

The most exciting moment of the eve was when @paulsalazar brought his telescope and we were able to watch Saturn and learn a couple of things about astronomy. Cheers again Paul.

To the hotel after this, the day was over and the next day was the judgement day: the State of CA business case pitches.

Day Three

I woke up a bit late on Saturday, missed 60% of the talk that was going on during the breakfast and really regret it. It was a couple of well know VC representatives talking about exit strategies involving OpenSource companies. Very enlightening.

After this, the moment of truth. I can't explain it but I was very nervous about all the pitches going on, everybody was presenting their idea very well and while I was sure we had one of the best cases, I was getting scared about all the good pitches I were seeing. Our speaker seemed to be very nervous too (more on this later) which made me think he lost confidence on what we had worked on the day before.
Presentations were rolling out one after another and our turn came. R and K did incredibly well, all my fears were gone and when I came back to the table we had another surprise: Table 5 had been the last one to expose their case, which is wonderful. We no longer had a doubt that we would win (as I write this the winners haven't been published so I might have to eat my words in a couple of days) since everything fit into the right place.

Another business case followed but IMO it wasn't as well explained as the other one. We had some discussion and finally took our hypothetical company straight into cloud business. Anyway, SweetCRM was the clear winner of the round :-)

That was it I thought, we're done. Three days of hard work, amazing talks, amazing people and I were exhausted. But one final event remained, which proved to be one of the best during the whole weekend. Guess what? More wine tasting :-)

This time the selected Winery was none other than the Andretti Winery. Do you know Mario Andretti? the guy who has won races in every important motorsports category (F1, Indy, Sportscar and NASCAR), who is a F1 champion, won the Indy-500, etc....
Well, it's his winery, and we missed him by one day (he was going to be there on Sunday). A shame.
Nonetheless, the eve was amazing. A small group of people remained (about 20) but the conversation was great, the food was great, the wine was great and so was the venue. The best way to finish off three unforgettable days in my life.

Conclusion

First thing I want to say is although it seems that the only thing we did there was tasting wine, nothing more distant from reality. It was hard work and it was an honor to be among some of the brightest people I've ever met in my life.

The only reason I talk longer about Wine than about what happened is because of the closed nature of the event we were requested not to disclose names (not many at least :P) or quote people.
Because of this I can't name all the interesting people I've met but if some of you read this and we've been chatting, you'll know that I'd be mentioning you at this point.

Last but not least, thanks a ton Andrew for letting me be part of this.

New life, new blog platform

2010-03-15T11:16:00.000-07:00

I decided to move from the old blogging platform to blogger.com.

I did setup pyblosxom for http://www.alienvault.com/blog/dk but I noticed that I was getting more and more tired of having to edit the html manually, copy it to the host, preview it, move it to the right place, etc, etc...

So here is this new iteration of the blog, I hope I'll have a chance to post much more often now with this. Focus will still be around OSSIM, Alienvault and personal rants, but as said, I expect to write more often now.

Thanks a ton to all that have read the stuff I posted in the past and are still hanging around :-)

For those new to the blog, the old one will be around for a long time at http://www.alienvault.com/blog/dk.

Dominique

PS: More info about the "new life" part as soon as I can talk about it ;-)