Security News

HP Updates ArcSight Enterprise Security Management Platform

HP's ArcSight 6.8c release provides a new real-time correlation engine and an improved user interface.

Hewlett-Packard today announced the ArcSight Enterprise Security Management (ESM) 6.8c release, providing users with a number of new and enhanced features. Updates to ArcSight ESM—the security information and event management (SIEM) technology that HP gained via a $1.5 billion acquisition in 2010—include the Correlation Optimized Retention and Retrieval (CORR) real-time correlation engine.

The ArcSight ESM 6.8c release has an automated rule optimizer that evaluates rule structures against incoming data and makes them more efficient. "Essentially, this reduces the number of partial rule matches that eat up system resources, enabling the system to monitor more credible potential threats and evaluate more events within the same allocation of system resources," Jeff Whalen, senior manager, product marketing for HP ArcSight, told eWEEK.

The ESM 6.8c release includes the HP ArcSight Command Center (ACC), which has also been enhanced. Users now have the ability to specify and monitor active channels of data with ACC through the browser-based Web interface. "By bringing this capability to the Web user interface, ArcSight enables additional team members to participate by utilizing this process through an easy-to-use, point-and-click interface that streamlines the detection to investigation process," Whalen said.

The new ESM release also offers users the promise of improved search speed and increased storage. ESM 6.8c increases on-board storage by 50 percent, from 8TB to 12TB, giving analysts access to more information to conduct investigations and analytics, Whalen said. More storage also means more data to search through, which is why HP ArcSight also improved its search performance, he added. "In rare event search use cases, we saw up to a 1,000x faster results than the previous release of ESM," Whalen said.

A key use case for ArcSight ESM is as part of a Payment Card Industry Data Security Standard (PCI DSS) compliance initiative. The PCI DSS 3.0 specification was announced in November 2013 and formally goes into effect on Jan. 1. ArcSight ESM 6.8c's feature functionality provides organizations with the framework necessary to incorporate changes in the PCI DSS 3.0 specification, Whalen said.

HP has a broad security portfolio, and the integration of ArcSight ESM 6.8c with other HP products is part of the overall HP security effort. For example, with HP's TippingPoint intrusion prevention system (IPS), an ArcSight user is able to issue commands to close ports and block IP addresses when a threat is detected, and can do so automatically using the HP ArcSight Threat Response Manager package, Whalen said. There is also an integration with HP Fortify to monitor applications for compromises and breaches with the HP Application View package for HP ArcSight. "Utilizing HP Fortify runtime technology, Application View can see and log all application activity, including users, data access, source and destination IP addresses," Whalen said. Whalen added that log data can be sent to HP ArcSight for correlation as well as monitored through built-in dashboards and reports.

The SIEM market is competitive and has multiple vendors, including IBM's QRadar SIEM and open-source upstarts like AlienVault. Whalen did not specifically identify the primary competition for ArcSight. "HP ArcSight already provides leading user behavior monitoring for insider threats," Whalen said. "We focused this latest release on improving the underlying, foundational technology that helps customers make the most of their deployments that sit at the heart of their security operations practice."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

BlackBerry Z30 Comes to Verizon as Samsung Makes Knox Enterprise Play

Samsung has announced a partner program for Knox, enabling resellers to leverage its Android-based security solution for enterprises. The BlackBerry Z30, the company's first 5-inch BlackBerry 10 smartphone, will be available exclusively from Verizon Wireless starting Nov. 14.

The news comes amid reports that the Pentagon, which has purchased nearly half a million BlackBerry handsets, is moving ahead with its plan to also support iOS and Android devices. Defense Department officials say their plans are unaffected by BlackBerry's Nov. 4 announcement of its plan to remain a public company, accept a $1 billion investment and replace CEO Thorsten Heins with former Sybase CEO John Chen, Defense One reported Nov. 11.

At the moment, said the report, the DOD's mobile security strategy relies mostly on BlackBerry handsets. Devices must have "authority to operate," or ATO, clearance to connect to Defense networks, and so far only BlackBerry 10-running smartphones and Playbook tablets are ATO. The report adds that the transition plan for moving to a variety of mobile platforms will mimic the DOD's transition from only PCs to also smartphones and tablets.

"DOD's mobility strategy and commercial mobile device implementation plan includes reliance on multiple vendors to support its mobile communications needs," Pentagon spokesperson Lt. Col. Damien Pickart told Defense One. "The mobile-security management system is in the early stages of development. It will undergo a limited pilot, or reach 'initial operating capacity'" by Dec. 31.

Pickart told PC Mag in March that the DOD planned to establish a department-wide mobile enterprise solution that would support the secure use of the latest commercial devices, as well as set up an application store and mobile-device management capabilities for approximately 100,000 multivendor devices, by February 2014. According to Defense One, the app store effort is under way, and the DOD expects to connect 300,000 approved, government-issued consumer devices by 2016.

Samsung Wants the Enterprise Market

Samsung has set its sights on the customers who earlier turned to BlackBerry for its security benefits. On Nov. 12, Samsung launched a Samsung Knox Partner Program, enabling resellers and independent software vendors to also offer Knox. Samsung introduced Knox at the Mobile World Congress event in February and describes it as a solution designed "from the ground up to systematically fortify Android by leveraging the hardware to provide the highest level of security." Knox resolves two of customers' major concerns, says Samsung—security and manageability—while also separating users' personal content from corporate content.

"It is a truly exciting time in our journey toward winning the enterprise segment," Dr. Injong Rhee, senior vice president and head of Samsung's B2B R&D Group, IT & Mobile Division, said in a statement. "With Samsung Knox, for the very first time, enterprise IT can deploy Android devices, which are loved by consumers, for enterprise usage, ensuring highest levels of platform security and information protection." The Partner Program, he added, is a "win-win."

HP Spectre x360 15 review: A large convertible that’s easy to...

Flexibility is usually left to smaller devices, but this one’s up to the challenge.

Climate scientist targeted by lawsuit gets $250 for the hassle

Original suit officially declared a nuisance.

Malicious Brain Test App Thwarts Google Play Android Security

Check Point Software Technologies researchers disclosed a new attack, dubbed Brain Test, against Android that repeatedly got into the Google Play store.

Attackers are now using increasingly sophisticated methods to get malicious applications into legitimate locations. The latest incident is a new attack against the Google Play store in which a malicious app was able to get past Google's security—not once, but twice. The malicious app is called Brain Test, and prior to its removal by Google on Sept. 15 had as many as 1 million users. According to Check Point Software Technologies, the Brain Test malware is able to place a rootkit on an infected Android device, enabling an attacker to run arbitrary code.

There are multiple security mechanisms in place in Android and the Google Play site to prevent malware from running, yet the BrainTest malware was able to avoid them all using a number of different techniques. Check Point's emulation engine caught the exploitation phase of the BrainTest malware, said Michael Shaulov, head of mobile threat prevention at Check Point. That is, the malware was detected when the app was running the exploits against the kernel of the emulating device.

Breaching Android security is no trivial matter, and the BrainTest malware includes four different privilege-escalation exploits in order to gain root access on a device. Shaulov noted that the need for four exploits has to do with Android device fragmentation. "Different flavors of Android and different devices require different exploits because the kernel or drivers that are vulnerable are different," Shaulov told eWEEK. "As an example, one exploit will successfully work on a Galaxy S4 device running Android 4.4 while another exploit will run successfully on a Google Nexus device running Android 5."
The inclusion of multiple privilege-escalation exploits is a similar concept to how exploit packs run against Web browsers: Cyber-criminals will pack multiple exploits (one for Internet Explorer 11, one for Internet Explorer 9, one for FireFox and one for Chrome) and will try to run them against the various browsers accessing the infected Website, Shaulov explained.

From a malware payload perspective, there is a command and control infrastructure associated with the Brain Test malware, Shaulov said. It currently looks like the main purpose of the command and control is to overlay aggressive advertisements on the device and install additional applications, he added. "Given the architecture of the malware, it can be repurposed any time, as the execution logic is downloaded from the command and control," Shaulov said.

Check Point identified two apps called Brain Test that were uploaded to Google Play using two different app packages: com.zmhitlte.brain and com.mile.brain. While Google has since removed the apps, there is some indication that the malware is still present in non-Google Play Android app stores, Shaulov said.

Google has a technology called Verify Apps that is used to scan Android devices for potential malware that may have come from non-Google Play sources. Shaulov noted that Check Point didn't check if Verify Apps protects against Brain Test. "In general, verify apps only checks against known hashes, so any permutation of the malware will not be identified by Google's Verify Apps," Shaulov said.

Fixing the root cause of the Brain Test malware can be difficult and isn't about any one single vulnerability. "[Brain Test] uses multiple approaches and CVEs [Common Vulnerabilities and Exposures] from multiple vendors, and Google cannot patch this issue," Shaulov said. It's still unclear who is responsible for the Brain Test malware, though Shaulov said the origin appears to be Chinese.
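The point Shaulov makes about Verify Apps, that a check against known hashes misses "any permutation of the malware", is easy to see in code. The block below is an added illustration, not code from the article, from Check Point or from Google: it compares a file-hash denylist with a denylist of the package names the article reports (com.zmhitlte.brain and com.mile.brain) against three constructed byte blobs standing in for APK files. The blobs, the toy `extract_package` parser and the denylists are all assumptions made for the example; a real implementation would read the package name from AndroidManifest.xml inside the APK's ZIP container.

```python
"""Hash-based versus indicator-based detection of a re-packaged sample.

Added example; all inputs below are constructed and do not represent
real Brain Test files.
"""
import hashlib
from typing import Dict, Optional

# Constructed stand-ins for APK contents. Real APKs are ZIP archives; here the
# "file" is just a byte string that embeds a package name from the article.
KNOWN_BAD = b"PK\x03\x04 package=com.zmhitlte.brain classes.dex <payload v1>"
# Same content with a single byte appended: a trivial "permutation".
REPACKAGED = KNOWN_BAD + b"\x00"
UNRELATED = b"PK\x03\x04 package=com.example.notes classes.dex <payload>"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Denylist of file hashes, built only from the sample already analysed.
HASH_DENYLIST = {sha256_hex(KNOWN_BAD)}

# Denylist of indicators: the two package names the article says were
# uploaded to Google Play.
PACKAGE_DENYLIST = {b"com.zmhitlte.brain", b"com.mile.brain"}


def hash_match(apk: bytes) -> bool:
    """Known-hash check: true only for a byte-identical sample."""
    return sha256_hex(apk) in HASH_DENYLIST


def extract_package(apk: bytes) -> Optional[bytes]:
    """Toy parser (assumption for this example): read the package name that
    follows 'package=' in the constructed blob, up to the next space."""
    marker = b"package="
    start = apk.find(marker)
    if start == -1:
        return None
    start += len(marker)
    end = apk.find(b" ", start)
    return apk[start:] if end == -1 else apk[start:end]


def indicator_match(apk: bytes) -> bool:
    """Indicator check: true for any sample carrying a denylisted package name,
    regardless of what else changed in the file."""
    pkg = extract_package(apk)
    return pkg is not None and pkg in PACKAGE_DENYLIST


def classify(apk: bytes) -> Dict[str, bool]:
    """Run both checks so the gap between them is visible side by side."""
    return {"hash": hash_match(apk), "indicator": indicator_match(apk)}


if __name__ == "__main__":
    for name, blob in (("known", KNOWN_BAD),
                       ("repackaged", REPACKAGED),
                       ("unrelated", UNRELATED)):
        print(name, classify(blob))
```

Running it shows the known sample caught by both checks, the one-byte variant caught only by the package-name check, and the unrelated app flagged by neither. Package names are themselves easy for an author to change, so this is not an argument for package-name denylists as such; it shows why a hash-only layer is the weakest one and why Check Point relied on watching the app's behaviour in an emulator rather than on a file hash.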
Attackers in China also have been busy in recent weeks going after Apple's App Store. Apple is pulling at least 39 apps after the XcodeGhost malware was discovered that made use of a fraudulent Xcode development tool to infect applications.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

30% off WeMo Wi-Fi Smart Plug, Works with Amazon Alexa –...

Did you forget to turn off the window A.C.? How about that curling iron? Want the living room lamp to turn on when the sun goes down—automatically? The Wemo Switch gives you control of your lamps and small appliances whenever you want, wherever you choose, with tons of options for scheduling and automation. Paired with Amazon Alexa, you can control your lamps and appliances with just the power of your voice. When Wemo works with Nest Thermostat, you can set your lights to turn off automatically when you leave the house, and on when you get home again. No central hub or subscription is required. Wemo also has an on/off switch on the unit, in case the Wi-Fi goes down. This smart plug is currently discounted 30% down to just $34.99. For more information and buying options, see the discounted WiFi Smart Plug on Amazon.

Continuous monitoring has great promise, says IA specialist

Continuous monitoring is fast becoming a security buzzword, but it is a way for security professionals to regain lost ground, according to Bill Hargenrader, information assurance manager at Booz Allen Hamilton. "It's the only way to take back some of what we have lost to attackers who have too many tools at their disposal," he told information security professionals at the (ISC)2 Security Congress 2013 in Chicago.

According to the US National Institute of Standards and Technology (Nist), the aim of continuous monitoring is ongoing awareness of information security, vulnerabilities and threats to support risk management decisions. But to Hargenrader, it is about having an advanced, persistent monitoring system to identify the security gaps and hit back at advanced, persistent attackers.

However, he admits up front that it is impossible for any organisation to monitor everything all the time due to a lack of time and resources. Like most security, this requires choices to be made based on risk, which determines whether to include internal as well as public-facing web servers, the sample size and the frequency of checks. A good place to start when aiming to achieve continuous monitoring is a risk management framework that will set the strategy and risk tolerances for the organisation, said Hargenrader.

Continuous monitoring promises more effective management of information security risk. "The more you know, the more you can manage," he said. It also promises up-to-the-minute risk posture awareness for better decision-making, especially if all the information can be fed into a single dashboard. The overall result should be improved protection of all information assets, with the potential added bonus of eliminating accreditation cycles common in military environments.
"Because assessment and authorisation are ongoing, there is no need for annual accreditation cycles, which saves money, time and resources," said Hargenrader.

However, he also admits that achieving continuous monitoring is not without its challenges. First, integrating monitoring of all controls into a single dashboard can result in an information overload. Second, integrating physical and manual checks can be difficult, and not all systems are interoperable. Third, implementing a continuous monitoring framework organisation-wide can be a challenge because the larger the organisation, the greater the number of likely complications.

The first step is to define a continuous monitoring strategy and to establish a programme that will support that strategy. Next is putting systems in place and, once they are up and running, analysing the data to identify where the gaps are and where things are not performing up to requirement. "Additionally, organisations should monitor their continuous monitoring programme so that it can be updated and improved so that it will mature as it goes," said Hargenrader.

He recommends that organisations use a reference model, such as the continuous monitoring framework published by Nist. "Don't try to reinvent the wheel, and use existing automated systems wherever possible, only buying new systems where absolutely necessary," said Hargenrader.

For the ultimate implementation of continuous monitoring, organisations will require an underlying aggregate framework to pull all the information together. "This is neither easy, nor is it inexpensive," said Hargenrader. For operational controls that require manual logging, such as backups for multiple remote sites, a spreadsheet on a SharePoint site can be used. "It's not pretty, but it works," he said.

Hargenrader admitted that continuous monitoring as it is now will not solve every problem, but he believes it can be a big step forward.
He said organisations should look to the medical and physical security industries, which have a well-established history in continuous monitoring, for methodologies that could help them leap forward. "The challenge is strong, but the promise is great, which makes continuous monitoring worth pursuing," said Hargenrader. He also believes that as more organisations pursue the goal of continuous monitoring, it will provide enough incentive for security suppliers to develop the necessary tools to make it a reality.


IT Security Spending to Rise, with Focus on Mobile

Respondents in a recent Gartner IT Key Metrics Survey indicate that, overall, organizations will spend an average of $381 per employee on IT security.

Coming soon: Slow, heavy, shrieking, autonomous robot rent-a-cops

Mountain View company unveils the five-foot-tall, 300-pound K5 robotic patrol.

In Instagram age, like and share photos, but don’t forget context

"Accounts that tend too much towards the commercial or that feel too much like product placement, eventually people just unfollow," says Instagram co-founder Mike Krieger. DUBLIN -- Smartphones and mobile apps,...

Facebook has stopped SHA-ring, a year later than it promised

The Social Network™ revoked its SHA-1 certs in November, but promised to stop serving traffic with the algo last year.

Facebook's quietly taken its SHA-1 certificates out behind the data centre with an electrified degaussing machine. The SHA-1 hashing algorithm was declared unreliable back in 2005. By 2010, hackers cracked a password hashed with SHA-1 using just US$2 of resources rented from Amazon Web Services. In 2015 researchers blew the whole routine with $75,000 of AWS resources. That is why the likes of Microsoft, Mozilla and Google have all named kill dates for their wares' use of the hashing function.

Facebook did likewise in 2015, promising deprecation by October 1, 2015. It now turns out The Social Network™ kept SHA-1 around a little longer, as a new post reveals the company was worried that some of its users accessed its services on devices that could not support TLS certificates that improve on SHA-1.

The post by production engineer Wojciech Wojtyniak also reveals that the company stopped serving SHA-1 traffic in November, "and there has been no measurable impact." "As a result, we are going to revoke our SHA-1 certificates," Wojtyniak writes. "We look forward to the industry's movement toward greater use of stronger certificates like SHA-256." ®

Earthwave founder Minassian launches new security venture LMNTRIX

Carlo Minassian is back in the cybersecurity startup scene with a new adaptive threat response platform after his three-year stint with the global giant that acquired his managed security services firm Earthwave.