  Show Posts
46  Ethical Hacking Discussions and Related Certifications / Other / Re: Fun with pfSense and Splunk on: January 17, 2013, 09:11:30 PM
Currently I have the logs being sent to the pfsense system log.  I haven't been able to find any splunk docs properly parsing out the snort data.  Before I configured splunk to sort out the firewall data, I had to edit 2 files, which are (I imagine) instructions on how to parse the data properly:

props.conf
Code:
[source::udp:514]
TRANSFORMS-pfsense-firewall = pfsense-firewall
SHOULD_LINEMERGE = true
TRUNCATE = 0
MUST_NOT_BREAK_AFTER = pf: .* rule ([-\d]+\/\d+)\(.*?\):
MUST_BREAK_AFTER = pf: .* (<|>) +(\d+\.\d+\.\d+\.\d+)\.?(\d*)\:
REPORT-pfsense-firewall = pfsense-firewall

transforms.conf
Code:
[pfsense-firewall]
REGEX = .* (?<action>pass|block) .* (?<protocol>TCP|UDP|IGMP|ICMP) .* (?<src_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<src_port>(\d*)) [<|>] (?<dest_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<dest_port>(\d*)): (.*)
CLEAN_KEYS = 1
MV_ADD = 0

This then formats the reports in Splunk.  I imagine I can do something similar with the snort rules.  The snort logs come in looking like this:

Code:
Jan 17 20:54:15 192.168.0.254 Jan 17 20:54:14 snort[61858]: [1:2500006:2752] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (4) [Classification: Misc Attack] [Priority: 2] {TCP} SRCIP:PORT -> DESTIP:PORT

I may just have to read up on the use of the transforms and props files. 
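Since a Splunk REPORT/transforms extraction is essentially a named-group regex, the same field extraction for the Snort line format quoted above can be prototyped and checked in Python before it goes into transforms.conf. This is an added example, not code from the post or from Splunk; the sample alerts (RFC 5737 addresses, pid, rule ids) are constructed, and the pattern also covers ICMP alerts, which Snort logs without ports.

```python
import re
from typing import Optional

# Snort alert as it arrives in the pfSense syslog feed: outer syslog timestamp
# and host, inner timestamp, "snort[pid]:", "[gid:sid:rev] msg",
# optional "[Classification: ...]", "[Priority: N]", "{PROTO} src -> dst".
# Ports are optional because ICMP alerts carry none (assumption: the feed
# keeps the same layout as the line quoted in the post).
SNORT_RE = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\] \{(?P<protocol>\w+)\} "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)(?::(?P<src_port>\d+))? -> "
    r"(?P<dest_ip>\d+\.\d+\.\d+\.\d+)(?::(?P<dest_port>\d+))?$"
)


def parse_snort_alert(line: str) -> Optional[dict]:
    """Return the extracted fields, or None if the line is not a Snort alert."""
    m = SNORT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("pid", "gid", "sid", "rev", "priority"):
        fields[key] = int(fields[key])
    for key in ("src_port", "dest_port"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


# Constructed sample feed: two hits on one ET rule, one ICMP alert (no ports),
# and one pf firewall line that the Snort pattern must reject.
SAMPLE_LINES = [
    "Jan 17 20:54:15 192.168.0.254 Jan 17 20:54:14 snort[61858]: [1:2500006:2752] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (4) [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.45:55132 -> 192.0.2.10:22",
    "Jan 17 20:55:02 192.168.0.254 Jan 17 20:55:01 snort[61858]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10",
    "Jan 17 20:55:30 192.168.0.254 Jan 17 20:55:29 snort[61858]: [1:2500006:2752] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (4) [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.45:55140 -> 192.0.2.10:443",
    "Jan 17 20:56:00 192.168.0.254 Jan 17 20:55:59 pf: 12 rule 5/0(match): block in on em0: (tos 0x0, ttl 64) 198.51.100.9.4444 > 192.0.2.10.80: tcp",
]


def summarize(lines):
    """Count alerts per (gid, sid, msg) and collect sources of priority 1-2 alerts.

    Mirrors what a Splunk "stats count by sid, msg" would produce once the
    fields are extracted; also reports how many lines failed to parse so a
    format drift in the feed is noticed rather than silently dropped.
    """
    counts = {}
    high_priority_sources = set()
    unparsed = 0
    for line in lines:
        alert = parse_snort_alert(line)
        if alert is None:
            unparsed += 1
            continue
        key = (alert["gid"], alert["sid"], alert["msg"])
        counts[key] = counts.get(key, 0) + 1
        if alert["priority"] <= 2:
            high_priority_sources.add(alert["src_ip"])
    return counts, high_priority_sources, unparsed


if __name__ == "__main__":
    by_rule, sources, skipped = summarize(SAMPLE_LINES)
    for (gid, sid, msg), n in sorted(by_rule.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  [{gid}:{sid}] {msg}")
    print("high-priority sources:", sorted(sources), "| unparsed lines:", skipped)
```

The named groups map one-to-one onto the fields a transforms.conf REGEX stanza would need, so the pattern can be moved across once it passes here.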
47  Ethical Hacking Discussions and Related Certifications / Hardware / Re: MacBook Pro Retina 15" on: January 14, 2013, 08:53:07 PM
https://discussions.apple.com/thread/4076267?start=0&tstart=0

That might help.  Seems that it does.  If it doesn't, I would recommend picking up an Alfa USB adapter.  Not only is it supported in BT but it also has interchangeable antennas.
48  Ethical Hacking Discussions and Related Certifications / Security / Re: Training Conundrum on: January 14, 2013, 08:34:37 PM
And Thomas makes a valid point.  I actually had a recruiter contact me about a gig 8 minutes from my house (current commute is 1 hour).  Of course I said hell yeah (well not really, I was reserved) and sent my updated resume over.  But because I didn't have "GSEC or CISSP" my resume was a little light.  Though I don't believe he actually read the resume or understood half the stuff on it.  Told my last boss about that; he was a bit shocked.  I moved on and told the recruiter, well, if he doesn't find someone or the choice doesn't work out, give me a call.  Then said to myself, I don't want my next boss to be that type of manager.

But in either case, if I decide to go into freelance consulting, clients will want to see something like a CISSP on my credentials, so it is like a necessary evil.

Thanks for the input guys! 
49  Ethical Hacking Discussions and Related Certifications / Security / Re: Training Conundrum on: January 14, 2013, 11:16:02 AM
I did consider the CISSP, I should just bite the bullet and go for it.  Figure get the week boot camp and hammer out the test.  Although, if I do the self study, I can probably get them to pay for the exam and then I will have extra training money left and use that for a content rich course of some sort.

I just lack peers to discuss these types of topics with locally.  In my group I am the technical lead for most of the InfoSec projects and operational stuff.
50  Ethical Hacking Discussions and Related Certifications / Other / Fun with pfSense and Splunk on: January 13, 2013, 10:12:11 PM
So I was able to take some time during a company shutdown week and do some network redesign in the home.  I took an Atom based "Shoebox" system and finally built myself a pfSense firewall.  I added Snort as well (built-in version to pfSense).  More on my adventure here.  I then spent a couple days just staring at the newfound wonders of real logs!!!  I used some of the built-in look-ups and was seeing who was scanning my IP.  I also threw Snort on but due to some frustrations, I placed it in detection mode.  I will eventually go back and turn up the prevention setting. 

So I had all this new logging capability, but really didn't have anything in place to collect it for analysis.  That was where Splunk came in; pretty cool product if you have never used it.  It is primarily a log collection/reporting tool with a number of 3rd party applications that can be loaded in.  One in particular that I found useful was the Google Maps App.  I then configured pfSense to syslog the firewall logs and configured Snort to send its alerts to the system log.  Then I set up the UDP listener in Splunk to pull the pfSense logs in.  Now for the fun part: Google Maps sets up Geo_IP plotting.  The simple search rule was basically showing all pfsense-firewall block activity.  I still haven't written this up, but I will eventually. 

This information is nifty but I am much more interested in the Snort data.  Unfortunately the Snort data was not being completely parsed in Splunk like the firewall data.  I have been trying to find information on how to do this, but I have not had any real luck.  Splunk does have an app for Snort, but it seems it may be designed for the stand-alone.  I was thinking there may be much more I can configure for Snort behind pfSense but haven't gone down that route.  If anyone has any ideas on parsing out the Snort data, I'd be interested in hearing them.
51  Ethical Hacking Discussions and Related Certifications / Security / Training Conundrum on: January 13, 2013, 09:51:29 PM
So I am looking at what to pick for training this year, provided we have a budget for it.  I am torn between a few SANS courses, 2 of which do not have any GIAC certs associated but provide some much needed information.  Those would be SEC575 (mobile security) and 579 (Virtualization/Private Cloud).  575 would benefit my current role at the company.  579 piques my interest much more because I love me some virtual machines and the architecture behind a properly implemented solution.  As for the cert paths, I was looking at SEC501 (Adv Sec Essentials), mostly to formalize my training as a defender.  The other option was FOR610 (malware analysis); the main goal is to get more formal training on this topic, which has been an ongoing self-study effort.

So do I go for the straight up informational training?  Or go for a cert path?  Any choice will help the company really.  I am the only technical/architecture security guy, so increasing my knowledge helps improve things as a whole.  Though if I was to go completely selfish, I would choose FOR610 for both the experience and the cert.  SEC579 would be a close 2nd.

Any thoughts?
52  Ethical Hacking Discussions and Related Certifications / Mobile / Re: VA of Blackberry Enterprise Server on: January 13, 2013, 09:09:02 PM
RIM has always been the EZ-Mode for Mobile security I think, compared to Apple/Android.  I am in the middle of doing a mobile device security assessment between tablet platforms.  Luckily Android is out per the corp response.  But that still leaves us with Apple and Windows.  Apple is proven technology, but their love for the enterprise is non-existent.  MS has huge support for the enterprise and will sometimes jump through hoops to customize something, but their tech has not been out long enough.  In either case both solutions require a 3rd party MDM/MAM solution to secure the devices.  I would love to say "get whatever, we only support VDI or Citrix with no local data storage" but not quite there yet.
53  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Finding the right exploit on: January 13, 2013, 08:52:50 PM
I like the way you think H1t M0nk3y!  It's one thing to scan and assume but a whole other thing to test beyond that of the scanner.  Sometimes a scanner like Nessus may just guess at the vulnerability by factoring what it does know.  But other times it sends test data; I've personally seen this when I ran it against some public facing Web App servers.  I turned on the Web App Testing setting and then reviewed the results.  Basically it did the quick tests for XSS and SQLi where appropriate.  Not enough to break anything but, like nmap, just a quick sample request to see if the vulnerability exists.  Other results you see it makes its decision based on OS, service version etc. 

54  Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: Approved Scanning Vendor - PCI on: January 13, 2013, 08:42:55 PM
Check their site out for answers: https://www.pcisecuritystandards.org/approved_companies_providers/become_qsa.php

Based on the language there, I'd say you would need to be an employee of a vetted QSA firm.
55  Ethical Hacking Discussions and Related Certifications / Mobile / Re: VA of Blackberry Enterprise Server on: January 06, 2013, 09:28:53 AM
Yeah BES is pretty cut and dry.  Keep it patched and configure the policies correctly, then there isn't much to worry about.  Granted, you compromise a BES server and you have a nice MIM for the corporate email.  Compared to the other mobile solutions out there, BES is still top notch for securely sending data to your mobile workforce.  Not to mention you have the ability to centrally manage the phones without adding other 3rd party solutions.  As much as I hate the blackberry phone itself, I can't argue about the security of the device.  Going to a full Microsoft solution, you still need something to manage the applications and other non-Exchange related data.  Though that all may be changing with Windows 8 mobile and Exchange 2010.  MS has InTune which comes in local or cloud flavor (pick your debates for that one).  Depending on the cost, it may make moving platforms to Windows mobile a considerable idea.  I think BES currently runs almost 100 bucks a license for SMBs; 500 or more drops to 55 a license.  For a Windows 8 solution, ActiveSync would be used to talk to Exchange.  That should still have the ability to lock and remote-wipe a device.  But managing the device configurations would require a subscription to InTune which is 6-11 per device per month.  So an org with 500 devices is looking at 65K a year to manage them.  Exchange and ActiveSync are already bought and paid for.  BES I believe is a one time cost with yearly support costs.  So MS is looking a bit higher in the price tag. 

Anyway, sorry, a bit off topic, but good things to weigh if an organization is thinking of moving away from BES in order to look at a BYOD type solution or switch to a Microsoft only platform. 
56  EH-Net / Greetings / Re: Hello on: January 06, 2013, 08:59:45 AM
Welcome to the forum!  It is a great community!
57  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Monitoring day to day vulnerability scan results on: January 06, 2013, 08:55:35 AM
Great man!  Glad we could help!
58  Ethical Hacking Discussions and Related Certifications / Other / Re: Where are you from? on: January 06, 2013, 08:52:53 AM
Greater Hartford area, Connecticut.  Happy New Year all!
59  Features / Opinions / Re: [Article]-The Broken: Assessing Corporate Security in 2012 to Make a Better 2013 on: December 25, 2012, 11:46:25 AM
Excellent Article Paul...

Obstacle 1: agree and will add this can also benefit the person if they may have done the opposite before leaving a company.  Force resignation and all.  But certainly tracking the bad apples would be beneficial and hold them accountable for their decisions.  I believe a bonus should be earned if you not only help make the company money but also help prevent the loss of said money. 

Obstacle 2: I am finding this to be a reality.  I find it more trying to defend against advanced attacks when you can't even implement security 101.  Thankfully though, where I am the audits are taken pretty seriously and are usually addressed within the first few months after.  But that may be only because the current auditors are not as well trained.  I am finding auditors are becoming much more technically savvy and are looking for things they never did in the past.  I've seen a few IT folks move over to audit mainly because you no longer need to fix the problems but you can just report them.  Maybe they are sick of trying to fix them only to be told it costs too much blah blah blah.  It certainly is easier to click a check box, especially if you know where to look.

Obstacle 3: Agree as well, but how do we do this?  Do we sacrifice skills training for business classes?  Do we take one of the SANS MGT courses over a SEC or FOR course?  Do we go for an MBA or a MIA? Or do we look at day long workshops to help gain a better focus? I personally don't want to leave the trenches anytime soon, but I find I am being asked to do so although I am not a manager nor care to be.  Then again, do I have the aptitude to stay in the trenches?  I think so, I just started in InfoSec (well in concentrating on it), and I have no desire to put down the keyboard just yet.

Obstacle 3: so long as the staff is up to par and keeps improving their skill sets.  I think heavy reliance on outsourcing your support causes this competitive advantage to decline.  I am currently seeing the situation where ALL of your IT knowledge is in the hands of the outsourced company and almost none exists with your FT IT staff.  I think it is important to keep the skills up on both sides so you essentially have FTEs with the knowledge to do the job, but they send the work to the out-sourced staff to carry out.  They then can focus their time on developing new and better solutions for the company; they may even develop a new product or service from this.


Obstacle 4: Partially agree on this one.  This forum clearly shows there is a large number of new people wanting to be "hackers" or pen testers, but seem to lack the base skills and understanding about the systems they want to hack. I partially agree because I think both the technical and business skills are needed equally.  The DoD description of what they need does not reflect their target.  They want highly trained people fresh out of college?  We all know that typical MIS/CS majors graduate with information that is probably 5 yrs out-of-date.  Unless of course they were gaining some real world experience during school, but even those entry level security jobs require experience.  Essentially you want to groom people for these jobs.  Moving those with a strong base knowledge about technology into a security focused job then giving them incentives to build the business skills for that key person we need in that board room.  Again how do you do that with someone who wants to stay in the trenches or has no desire to be in that board room mainly because they think nothing will get done either way?

Obstacle 5: Agree with this, my drive is not being bored.  I think anyone with a legitimate love for what they do, do it for that simple fact.  I think having a love for all things InfoSec related is no different.  We enjoy a challenge, that is a real challenge.  I think in most enterprises the challenge isn't developing the solution, it is dealing with the red tape around getting it approved.  We also love seeing something we created get implemented successfully.  But if we are tasked to come up with a solution to something and then not see it implemented or implemented poorly, we are left with a bitter taste in our mouth. 

As you had mentioned before, there have been a lot of great talks at the security cons about what is wrong with the industry.  In most cases those speakers are preaching to the choir.  There are probably many of us that do know how to speak the business to the C-Levels, but are they truly listening?  Do they even care?  Have they ever seen something like the anatomy of a virus?  Seeing something so small destroy a company because a single simple patch was not installed or proper network ACLs were not in place to prevent the spread of a worm?  I like the point about the security managers needing to be able to tell someone above them, "No we cannot do that and here's why..."  If they are worth their salt, they shouldn't need to worry about finding another job if they are fired for disagreeing.  Which brings us back to the first obstacle: sure, I was asked to resign, but here is why, and hand over the signed documents.
60  Ethical Hacking Discussions and Related Certifications / Security / Re: recommended softwares & Hardware for securing internet cafe on: December 25, 2012, 09:02:57 AM
There are probably many different ways to approach an internet cafe.  AV on the client systems is a must.  Then again if you are using non-Microsoft based systems, you can alter your plan.  A system being down is money not being made I would gather.  So to ensure up-time, why not Wyse Terminals that talk back to vmware Virtual Desktop Infrastructure?  or hell something that boots into live USB/CD things.  Nothing is persistent and all you need is a shell of a system to run them.  Again, all depends on what you are looking to serve out of the cafe. 

If you go with full bore MS Windows, keep a clean image of the client so you can quickly bring up a system in the event of corruption.  Use a managed anti-virus solution such as Symantec Endpoint Protection.  Create a minimal Firewall and IPS policy for the clients to prevent spread of malware from a compromised system.  All of this depending on your budget.  There are more budget friendly products out there.  I believe Trend Micro's enterprise AV is fairly cheaper than Symantec.  There also may be small business level products that support 50 or less systems at a much better cost ratio. 

If you want to see what is going on in the network, putting in an Open Source Security solution could be an option.  Remember you are serving the internet as a service.  So you don't want to hamper that service too much.  You definitely want to lock down the POS system you will be using, so you might want to check around the globe to see what products are out there and how they may be configured.  What better way to capture CCs than at the source of their use?