I recently came across a blog post on MyDLP's website regarding sending CEF messages directly to a Logger from the open source product. I was not familiar with MyDLP before I stumbled across the post, nor have I taken the time to try and deploy it in my lab to test the integration. I have not been able to find out much information about the product or the people behind it, Medra Teknoloji Ltd, from any third-party sources either.
I do not believe the community edition of the product will send syslog CEF events. You will need the commercial paid enterprise version to send events to ArcSight. Although I think there is a trial license of the enterprise version, so it would be possible to see the quality of the events and the parsing in a proof-of-concept before committing to purchase the product. The blog post has a screenshot of a Logger search of UDP events that shows some of the information gleaned from MyDLP. Every event has the same information in the Name field - "Check MyDLP Logs using management console for details." So that doesn't seem too exciting. The screenshot was also helpful in another way too. This is how I figured out the name of the company behind MyDLP, Medra Teknoloji Ltd, since their name is not mentioned anywhere on the MyDLP website or Wikipedia page. Their name shows up in the Device Vendor field.
Please note that their instructions on the MyDLP blog are for sending the events directly to a Logger versus to a syslog SmartConnector. Either way it is just a simple syslog send/receive setup.
Besides ArcSight, there are also instructions on their site for AlienVault / OSSIM integration and a video on YouTube.
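As an added example (not code from the MyDLP post or from Medra Teknoloji), here is a small Python parser for the syslog-wrapped CEF records such a send/receive setup delivers, run over a constructed line that mirrors the two fields the post mentions (Device Vendor "Medra Teknoloji Ltd" and the boilerplate Name). The product name, version, event class id, severity and extension keys in the sample are assumptions; the last function flags events whose Name carries no detail, so an analyst knows the extension or the MyDLP console must be consulted instead.

```python
import re
# Constructed sample: a UDP syslog record whose CEF header names "Medra Teknoloji Ltd"
# as Device Vendor and carries the generic Name from the Logger screenshot. Product,
# version, event class id, severity and the extension keys are assumptions.
SAMPLE_LINE = (
    "<134>Dec 31 10:15:42 mydlp-host CEF:0|Medra Teknoloji Ltd|MyDLP|2.0|100|"
    "Check MyDLP Logs using management console for details.|5|"
    "src=10.0.0.5 suser=jdoe act=block msg=Rule matched\\=CreditCard "
    "fname=q1\\\\report.xls"
)
HEADER_FIELDS = ("Version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "DeviceEventClassID", "Name", "Severity")
GENERIC_NAME = "Check MyDLP Logs using management console for details."

def _split_header(text):
    """Return the 7 header fields plus the extension, honouring the \\| and \\\\ escapes."""
    fields, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):       # escaped pipe or backslash
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            if len(fields) == len(HEADER_FIELDS):   # everything after is the extension
                return fields, text[i + 1:]
        else:
            buf.append(ch)
        i += 1
    raise ValueError("CEF header has fewer than 7 pipe-delimited fields")

def _parse_extension(ext):
    """Split key=value pairs; values may hold spaces and the \\= \\\\ \\n \\r escapes."""
    unescape = lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1))
    pairs = {}
    for token in filter(None, re.split(r"\s+(?=[^\s=\\]+=)", ext.strip())):
        key, _, value = token.partition("=")
        pairs[key] = re.sub(r"\\(.)", unescape, value)
    return pairs

def parse_syslog_cef(line):
    """Parse a syslog-wrapped CEF record (PRI, timestamp and host are skipped) into a dict."""
    fields, ext = _split_header(line[line.index("CEF:") + 4:])
    return dict(zip(HEADER_FIELDS, fields), Extension=_parse_extension(ext))

def needs_console_lookup(event):
    # True when Name is the boilerplate, so the detail lives in the extension or the console
    return event["Name"].strip() == GENERIC_NAME
```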
A blog about SIEMs, Security Incident and Event Management solutions, particularly ArcSight.
Tuesday, December 31, 2013
Monday, December 16, 2013
ForeScout and Bromium Team Up for Integration
ForeScout and Bromium have announced integration of their products to fight advanced malware attacks. The announcement describes that the integration of the two solutions will provide the capability for Bromium to alert ForeScout's CounterACT in real time if an endpoint has an advanced malware infection. ForeScout will be able to deploy its robust automation response capabilities to send an alert to an administrator as well as the end user, and can prevent the spread of the malware by quarantining the infected endpoint, for example. In addition, when CounterACT detects an endpoint without a Bromium vSentry agent installed, it is capable of deploying the agent on devices that it determines meet the hardware and BIOS requirements.
To add my own additional points regarding SIEMs, since ForeScout and ArcSight already have a very deep integration, the leading SIEM can be the brains of this combined solution. First, ArcSight can gather all the information about all the endpoints that ForeScout will discover on the network, including those with and without the Bromium vSentry agent. This information can be stored as part of an organization's ongoing compliance status and historical record. Second, ArcSight can decide what to do about the devices that do not have the Bromium agent installed and instruct ForeScout to take action. Content can be built in ArcSight to identify and track those devices that do not conform to the organization's Bromium compliance standard and to define how to respond through ForeScout. Third, ArcSight can retain the information about the infected machines for further analysis as well as instruct ForeScout and other products such as TippingPoint what to do in response to that infection. Last, by combining information received from all logging sources such as anti-virus, ArcSight can provide further insight into the devices that are infected or those that do not have the Bromium agent installed.