Qualys and Imperva Integration: Natural Evolution

I've just read today about the natural integration between Qualys and Imperva, two of the vendors that I work with and highly appreciate.

The timing is great for Imperva because the proactive services offered by Imperva's Discovery and Assessment Server had no real counterpart in the web application world, which is why the QualysGuard Web Application vulnerability scanner fits like a glove.

To put it in their words,

The integration of QualysGuard Web Application vulnerability scanner and Imperva’s SecureSphere Web Application Firewall (WAF) significantly reduces the need for disruptive patching of vulnerabilities. Organizations can use QualysGuard to scan their Web applications for vulnerabilities and then import the scan results into SecureSphere WAF. SecureSphere WAF provides instant mitigation for imported vulnerabilities using a “virtual patch,” which limits the window of exposure and reduces the security risk on the business.

On the other hand, QualysGuard gets a couple of benefits such as:
- Worldwide recognition for its new Web Application Scanner, which is the latest addition to the QualysGuard scanner family.

- Sales support from Imperva's channel. I know I will present this combination (Qualys and Imperva) to all my Imperva customers whenever possible, because I believe it's an effective web application security solution.
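To make the scan-then-virtual-patch workflow from the quote concrete, here is an added example in Python (it is not Qualys, Imperva or SecureSphere code, and the finding fields are an assumed shape, not the QualysGuard export format). Each imported finding names the path and parameter the scanner flagged, plus what a legitimate value for that parameter looks like; the "virtual patch" is a positive-security rule that rejects any request whose value for that parameter does not match, so the vulnerable code is shielded until the application itself is fixed.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample of imported scan findings (field names are hypothetical,
# not the QualysGuard export format): which path/parameter was found vulnerable
# and what a legitimate value for that parameter looks like.
FINDINGS = [
    {"id": "F-1", "path": "/product", "param": "id", "type": "sqli", "allowed": r"\d{1,10}"},
    {"id": "F-2", "path": "/search", "param": "q", "type": "xss", "allowed": r"[\w .,-]{0,64}"},
]


@dataclass
class VirtualPatch:
    finding_id: str
    path: str
    param: str
    is_valid: Callable[[str], bool]


def build_patches(findings) -> List[VirtualPatch]:
    """Turn each finding into a positive-security rule: only parameter values
    that fully match the allowed pattern are let through to the application."""
    patches = []
    for f in findings:
        pattern = re.compile(f["allowed"])
        patches.append(VirtualPatch(
            finding_id=f["id"], path=f["path"], param=f["param"],
            # bind the compiled pattern per rule (default-arg capture)
            is_valid=lambda v, p=pattern: p.fullmatch(v) is not None,
        ))
    return patches


def evaluate(patches: List[VirtualPatch], request_target: str) -> Tuple[str, Optional[str]]:
    """Decide on one request target (path + query string).
    Returns ("allow", None) or ("block", finding_id) naming the patch that fired."""
    parts = urlsplit(request_target)
    params = parse_qs(parts.query, keep_blank_values=True)
    for patch in patches:
        if parts.path != patch.path:
            continue  # the patch is scoped to the vulnerable page only
        # parse_qs returns a list per name, so repeated parameters are all checked
        for value in params.get(patch.param, []):
            if not patch.is_valid(value):
                return ("block", patch.finding_id)
    return ("allow", None)


def main():
    patches = build_patches(FINDINGS)
    # constructed sample requests: two legitimate, two that violate the allowed pattern
    for target in ["/product?id=42", "/product?id=42%27",
                   "/search?q=laptop+bag", "/search?q=%3Cb%3E"]:
        print(target, "->", evaluate(patches, target))


if __name__ == "__main__":
    main()
```

The point of scoping each rule to one path and one parameter is that the patch only changes behaviour where the scanner found a problem; an unrelated page that happens to use the same parameter name is untouched, which keeps the blast radius of a false positive small.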

Here is a short whitepaper (pdf) on this topic.

My Twitter Notes on 2010-06-20

Pro CERT – First Romanian Commercial CERT

It brings me great pride and joy to announce the public release of Pro CERT (Provision Computer Emergency Response Team), the first commercial CERT structure in Romania.

Quoting from the Pro CERT RFC2550 charter:

Pro CERT is a project initiated and sponsored by Provision Software Division SRL, the largest privately owned Romanian IT security company.

"Pro CERT offers assistance and coordination in early detection and handling of computer and network security incidents for all its constituents. Pro CERT's primary constituency includes all networks and systems belonging to Provision Software Division SRL and its customers. A secondary goal in terms of constituency is represented by the Romanian TLD, .ro, for which Pro CERT aims to be a certified point of contact for incidents targeting or initiated from Romania.

Pro CERT is dedicated to preventing security incidents by offering direct proactive measures and security quality management services. Pro CERT operates under the authority of Provision's Managed Security Services business division, which manages the operational authority between Pro CERT and each of its constituents through individual SLAs.

Pro CERT core activities imply close cooperation with all large ISPs' abuse teams from Romania and abroad, with direct contact and data exchange in order to prevent and recover from security incidents that affect Pro CERT's constituents.

Pro CERT operates under the restrictions imposed by Romanian law. This involves careful handling of personal data as required by Romanian Data Protection laws, but it is also possible that, according to Romanian law, Pro CERT may be forced to disclose information due to a court order."

Just like the Oscar winners, I would like to thank my team, without whom none of this could have happened :). It's a young project, but we are very ambitious and we have set our goals high! Please contact me directly, leave comments or register on www.pro-cert.ro if you would like to cooperate with Pro CERT.

Please find below the opening presentation I gave at the Provision Security Days conference about Pro CERT.

Do you like my presentation? :) Thanks!

GFI EventsManager 2010 Review

For a long time I have wanted to write a review of GFI EventsManager 2010, and I'm glad I'm doing it, because for me it's a very good example of software built the right way for the right job at the right time.

Having spent my last 5 years working with SIEM giants like ArcSight and RSA enVision, I have experienced first-hand the benefits and sometimes the downfalls of SIEM / ESM solutions.

GFI EventsManager takes a simple and robust approach to log and event management, and this shows in the way it handles data collection, analysis, storage and reporting.

Data collection is agentless, which is a big plus, and the solution can collect and process Windows events, W3C event logs, Syslog messages, SNMP traps and SQL Server logs. This covers the hardware and software systems most commonly found on a typical corporate network.

GFI EventsManager offers one of the best asset management interfaces, allowing one to group assets (servers, workstations, network devices) and quickly display events filtered by numerous criteria.

The list of supported devices can be found here (a bit outdated; it needs an update for the 2010 version) and it includes top vendors in all major security domains: access control, perimeter, endpoint, directory services, content filtering, IDS / IPS, operating systems and much more.

The solution uses two collection engines, the Event Retrieval Engine and the Event Receiving Engine, which together cover all supported log formats, either passively (Syslog and SNMP) or by actively connecting to systems (W3C and Windows events).

Once the events have reached the main processing unit, GFI EventsManager runs a set of event processing rules on the collected events. The solution ships with a rich set of out-of-the-box rules such as:

  • Classifying the events as Critical, High, Medium, Low or Noise (which are discarded)
  • Filtering events based on specific criteria
  • Triggering email, SMS and network alerts on key events
  • Triggering remediation actions such as the execution of executable files or scripts on key events
  • Optionally archiving collected events in the database backend.
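The rule categories listed above, together with the archiving split described for the database backend, form one pipeline: parse, classify, discard noise, archive the rest, and alert or remediate on the important ones. The following is an added Python example of that pipeline (it is not GFI EventsManager code, and the syslog lines, rule predicates and the `block-source.sh` remediation script it names are all constructed for this illustration). Everything classified as Noise is dropped before storage, every kept event goes to a cheap disk archive, and only Critical and High events reach the "database" and raise alerts.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed sample events in RFC 3164-style syslog form (hand written for this example).
SAMPLE_EVENTS = [
    "<86>Jun 20 10:01:02 srv01 sshd[1203]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "<86>Jun 20 10:01:07 srv01 sshd[1209]: Failed password for root from 203.0.113.9 port 40022 ssh2",
    "<86>Jun 20 10:01:09 srv01 sshd[1211]: Failed password for root from 203.0.113.9 port 40023 ssh2",
    "<30>Jun 20 10:02:00 srv01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "<4>Jun 20 10:02:30 fw01 kernel: [drop] IN=eth0 SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP DPT=445",
    "<30>Jun 20 10:03:00 srv01 cron[78]: (root) CMD (run-parts /etc/cron.hourly)",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[\w/.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


@dataclass
class Event:
    host: str
    app: str
    msg: str
    facility: int
    severity: int
    level: str = "Noise"   # assigned by classify()


def parse(line: str) -> Event:
    """Split a syslog line into fields; PRI encodes facility*8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    pri = int(m["pri"])
    return Event(m["host"], m["app"], m["msg"], pri >> 3, pri & 7)


# Classification rules, first match wins. Predicates are constructed for the sample data.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("Critical", lambda e: "Failed password for root" in e.msg),
    ("High",     lambda e: e.app == "kernel" and "[drop]" in e.msg),
    ("Medium",   lambda e: "Failed password" in e.msg),
    ("Low",      lambda e: "Accepted password" in e.msg),
    ("Noise",    lambda e: e.app == "cron"),
]


def classify(event: Event) -> Event:
    for level, predicate in RULES:
        if predicate(event):
            event.level = level
            return event
    event.level = "Low"   # unmatched events are kept rather than silently dropped
    return event


def remediation(event: Event, blocked: set) -> Optional[str]:
    """Remediation action for a Critical event: one hypothetical script call per
    offending source, never repeated for a source already blocked."""
    m = re.search(r"from (\d+\.\d+\.\d+\.\d+)", event.msg)
    if m and m[1] not in blocked:
        blocked.add(m[1])
        return f"run-script block-source.sh {m[1]}"
    return None


@dataclass
class Pipeline:
    counts: Counter = field(default_factory=Counter)
    disk_archive: List[Event] = field(default_factory=list)   # full stream of kept events
    database: List[Event] = field(default_factory=list)       # important alerts only
    alerts: List[str] = field(default_factory=list)           # email/SMS/network notifications
    actions: List[str] = field(default_factory=list)          # remediation scripts launched


def process(lines: List[str]) -> Pipeline:
    p = Pipeline()
    blocked: set = set()
    for line in lines:
        e = classify(parse(line))
        p.counts[e.level] += 1
        if e.level == "Noise":
            continue                      # discarded: never stored anywhere
        p.disk_archive.append(e)          # cheap storage keeps the database small
        if e.level in ("Critical", "High"):
            p.database.append(e)
            p.alerts.append(f"[{e.level}] {e.host} {e.app}: {e.msg}")
        if e.level == "Critical":
            action = remediation(e, blocked)
            if action:
                p.actions.append(action)
    return p


if __name__ == "__main__":
    result = process(SAMPLE_EVENTS)
    print(dict(result.counts))
    for a in result.alerts + result.actions:
        print(a)
```

Ordering the rules from most to least specific matters: the generic "Failed password" rule would otherwise claim the root failures as Medium before the Critical rule sees them. Deduplicating the remediation action by source address is the small detail that stops a burst of events from launching the same script repeatedly.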

GFI EventsManager uses an MS SQL database backend, which can fill up quickly, so the solution provides functionality to archive the main stream of events to disk and save only the important alerts in the database.

Accessing the data is straightforward using the Event Browser, which does a great job of presenting events in an easy-to-read format. The Event Browser can also serve as a forensic analysis tool because of how easily it lets you drill into recorded events.

Reporting is done via the GFI ReportCenter framework, which offers consistent reporting features across many GFI products. A dedicated ReportPack for GFI EventsManager loads into the reporting framework, so you benefit from the framework's powerful reporting features tailored to the specific data provided by EventsManager.

Reports can be scheduled and sent by email or exported to various formats, including HTML, Adobe Acrobat (PDF), Excel (XLS), Word (DOC) and Rich Text Format (RTF).

Conclusion
GFI EventsManager 2010 is a very efficient and effective log and event management tool which covers most daily security monitoring activities. However, there is room to expand the product by adding support for more log formats (ODBC, flat text, vendor-specific protocols like Check Point OPSEC, etc.). Event normalization and aggregation could also improve in-memory correlation for more complex AI alerts.

Licensing is very affordable for this class of product and is based on the number of nodes reporting events. Also, don't forget that you can always download a fully working evaluation version from here.
