Month: July 2015

AlienVault Setup 2: Deploying into your network

Deployment of AlienVault generally will depend on your network complexity.

For us, we only have an AIO (All In One). While this is great, the lack of sensors makes network visibility limited. Basically we can only see traffic within the network segment we are connected to. Another issue here is that everyone can see/ping the AV server, which generally isn’t too great. Let’s call this the Invasion Approach: everyone sees the Alien Ship invading the network.

Another scenario would be to segment your network and deploy remote sensors in each segment, which send data back to a secure segment. We call this the Mother Ship Approach, where these little alien ships send information back to the big mother ship in space, like in that Independence Day movie.

Another scenario would be to have multiple servers and multiple sensors. We will call this the Divide and Conquer strategy. This makes the whole SIEM infrastructure harder to compromise, lowers its visibility to other devices and also distributes the workload over different areas.

Remember: anyone hacking into the SIEM has access to a whole lot of information, so it’s worth defending.

For our deployment scenario, we are deploying it for IDS, network vulnerability and asset management purposes – and will be doing it on a SPAN port in our main switch.

Now, let’s get some information.

For more details on Alien Vault products and services, please drop us an email at alienvault@pkfmalaysia.com

AlienVault Setup 1: VMWare Esxi 5.1


We decided to get an old server we had lying around the office and turn it into our AV (AlienVault) machine using a trial license (30-day full spec).

We faced several issues, which I will put down in this article and a few others to guide others in installing the AV product in their network.

1) Installing VMWare Vsphere 6.0

AlienVault is actually quite easy to install. Getting VMware ESXi or vSphere running on an old machine was a different story. So before we could even get AV up and running, we had to coax our machine to run VMware. The first issue was that there was no CD drive. This wasn’t so difficult; you basically have two choices:

a) Boot with a CD, with a VMWare ISO image

b) Boot from USB, if your BIOS supports it.

As it turns out, our BIOS was able to support USB boot. So we used the extremely useful Rufus (https://rufus.akeo.ie/) tool to burn the ISO image we downloaded from VMware at https://my.vmware.com/web/vmware/evalcenter?p=free-esxi6.

We set up the BIOS to boot from USB and immediately got into the installation portion for VM. So far so good.

2) Unsupported network adapter

Immediately we got hit with an unsupported network adapter and basically VMware refused to go on. At this point we had 3 options:

a) Hack the image and inject the drivers of our network adapter in (I believe it was Realtek 8168 GB Ethernet)

b) Purchase and set up an adapter that is in the compatibility list at http://www.vmware.com/resources/compatibility/search.php

c) Downgrade VMWare 6 to 5.1 or below

Fortunately we had an older version of VMware from a few years back on our network drive, and we chose to take path c), since Realtek was supported by VMware then. Why they removed the support, I have no idea.

We re-did the image with 5.1 and rebooted from USB. This time we got through without any issue, and VMware ESXi was installed!

3) Deploying AlienVault

Once you have your VM server up, you just download the client and deploy the AV OVF using File -> Deploy OVF Template. Of course, you have to download the trial AV first. Head over to www.alienvault.com/free-trial.

Just use default settings BUT choose ‘Thin Provisioning’ as the disk format to avoid having to pre-allocate the full amount of disk space. This allocates a minimal footprint for your image, which grows as you store logs.

4) Power On — Not.

We still had some minor issues, such as the error stating that the number of virtual CPUs configured was more than the physical ones. In this case, it was simply a matter of right-clicking the VM -> Edit Settings -> CPUs and lowering the number of CPUs from 8 to 4. You might not face this, but remember we are using a low-spec system.

5) Power On — NOT again.

This time it powered up, but when we tried to get into the AV console, we got a blank screen. We checked the event logs. They stated:

“The CPU has been disabled by the guest operating system. You will need to power off or reset the virtual machine at this point.”

We were a little stumped at this point and googling didn’t really reveal much. There is more information over at

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2000542

But again, that was still not so helpful.

Then I recalled that during the earlier VMware installation, VMware had complained that this system did not support Hardware Virtualisation and that it should be enabled in the BIOS. Tinkering around in the BIOS, I found the setting for Intel Virtualization Technology set to ‘disabled’.

Enabled it and it worked like a charm.

Alien Vault is finally up and ready to go! Next article, we will look into the basic functions of Alien Vault.

P/s: make sure you have a different IP setting on the AV VM image and the actual host itself. Since VMware also has a Web UI, you won’t be able to access AV if you give both the same IP address.
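The three fixes above (thin-provisioned OVF deploy, vCPU count capped at the host's physical cores, VM address distinct from the ESXi management address) can also be scripted with VMware PowerCLI instead of clicking through the vSphere client. This is an added example, not from the original post; the host name, OVF path and VM name are placeholders, and it assumes the appliance reports its address through VMware Tools.

```powershell
# Added example (not from the original post): the post's steps 3), 4) and the
# P/s note, done with VMware PowerCLI. Host name, OVF path and VM name are
# placeholders; adjust them for your own lab.
Connect-VIServer -Server 'esxi-host.example.local'

$ovf       = 'C:\Downloads\AlienVault_OSSIM.ovf'          # placeholder path
$vmHost    = Get-VMHost | Select-Object -First 1
$datastore = Get-Datastore -VMHost $vmHost |
             Sort-Object FreeSpaceGB -Descending | Select-Object -First 1

# Step 3): Deploy OVF Template with 'Thin Provisioning' so the disk grows
# with the log volume instead of being pre-allocated.
$vm = Import-VApp -Source $ovf -VMHost $vmHost -Datastore $datastore `
        -DiskStorageFormat Thin -Name 'AlienVault-AIO'

# Step 4): the appliance ships with more vCPUs than an old server has physical
# cores; cap the count at the host's core count before the first power-on,
# otherwise ESXi refuses to start the VM.
if ($vm.NumCpu -gt $vmHost.NumCpu) {
    Set-VM -VM $vm -NumCpu $vmHost.NumCpu -Confirm:$false | Out-Null
}

Start-VM -VM $vm | Out-Null

# P/s: the AV VM and the ESXi host must not share an IP, or the host's web UI
# answers instead of AlienVault. Wait for VMware Tools to report the guest
# IPv4 address(es), then compare them with every vmkernel address on the host.
$hostIps  = Get-VMHostNetworkAdapter -VMHost $vmHost -VMKernel |
            Select-Object -ExpandProperty IP
$guestIps = @()
for ($i = 0; $i -lt 30 -and $guestIps.Count -eq 0; $i++) {
    Start-Sleep -Seconds 10
    $guestIps = @((Get-VM -Name $vm.Name | Get-VMGuest).IPAddress |
                  Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
}
$clash = $guestIps | Where-Object { $hostIps -contains $_ }
if ($clash) {
    Write-Warning "AlienVault VM shares IP $clash with the ESXi host; change the VM's address."
} else {
    Write-Host "Guest IPs: $($guestIps -join ', '); host IPs: $($hostIps -join ', ') (no clash)"
}
```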

Avant Edge is now Alien Vault


PKF Avant Edge is now a channel partner for AlienVault in Malaysia.

Over the course of the 5 years since we started in 2010, we have resisted the urge to become a partner for a particular vendor. We’ve had a number of security companies calling us and asking if we wanted to bring in their products, given our inroads into the market, especially in BFSI. But most of these products were either heavily priced or just weren’t right for the sort of customers we know we have.

We also did not want to compromise our audit and assessment integrity by carrying too many third party technologies, as we will end up giving recommendations that suit the margins we are getting on each box.

So from the onset, our vision is to give independent advisory, and if there is a great product that comes along, worth recommending, we would do that.

Well, we have been evaluating Alien Vault for a few months now, and about a month ago we contacted the channel director in the region and asked if he was interested in getting together for a chat. Our philosophies meet. We need to get good products out there that suit our customers, not products that suit our margins. Because Avant Edge’s main business is in compliance management and advisory, we don’t have too much stake in pushing Alien Vault down our customers’ collective throats. We are willing to give a demo, or a trial, and if it suits, it suits. If not, let’s move on. Unlike traditional SIs who build consultancy around the technology products, we build products around our consulting services. A slight difference is there.

So over the next few articles, aside from our usual foray into PCI and PDPA, expect a little more on our experience in AlienVault. We believe in hands on experience, so we’ve already set up a trial box in our labs and we are going to walk through the technical details in this blog.

Stay tuned! If you need more information, contact us at alienvault@pkfmalaysia.com. Yes. We started a new mail group for this!

PCI-DSS Applicability to Hosting Providers and Data Centers


Recently I was invited to speak in the quarterly meeting for the Malaysian Data Center Alliance (MDCA) regarding the applicability of PCI-DSS to their business.

More and more we are getting questions from traditional data center and hosting businesses on whether they should go for PCI-DSS and whether we can help them.

Here’s a quick FAQ for these businesses:

a) Why do Data Centers need PCI?

Actually – you don’t. PCI-DSS is applicable to businesses dealing with payment card data – storing, transmitting and processing. These are probably your clients – and in general, where they need to be PCI certified, they want to ensure their ‘providers’ – such as yourself – are certified as well.

The pressure for compliance does not come from the payment brands for data centers – instead in almost all cases, they come from the customer themselves.

b) So what benefit do I get from PCI?

The move of hosting providers to become PCI compliant runs in parallel with the move of businesses to offload their servers and infrastructure to the ‘cloud’, or to third party providers hosting their applications. The cost savings versus building their own data centers from the ground up make sense to most entities, except for large payment companies and banks. Even so, some of these larger entities will outsource their disaster recovery site to a third party, and if they deal with credit card data, then that DR site needs to be compliant as well.

c) So should I be spending money on this compliance?

From a data center perspective, there is no direct requirement to be PCI compliant. However, if their customer is going for PCI-DSS compliance, and the data center is NOT compliant, then the data center is obligated to participate in the customer’s PCI program. While this might be manageable for a small group of customers, the idea of managing multiple customers projects and participating in such projects over the long run is not feasible. Therefore, more and more data centers and hosting providers are moving to become ‘PCI Certified’ themselves. Doing so, basically requires them to just show their certificates to their clients instead of participating in their individual compliance programs. Some of the largest success stories of PCI certified hosting/infra are Amazon Web Services and Microsoft Azure Trust Center.

d) SO…how much will it generally cost?

This is very subjective because even hosting providers and DCs have scope. However, the general rule of thumb is that the less visibility you have on card data and the fewer services you offer, the less it will cost. For instance, compare a data center that only offers M&E and a physical room for the client against another data center that offers those AND an internet gateway to get out, IPS/IDS, firewall etc. The latter DC will be up against Requirement 1, Requirement 3, Requirement 9 and other related requirements, while the first one will probably just need to deal with Requirement 9. You could be looking at anywhere between RM30K – RM40K for the entire compliance program (Gap, Remediation, Certification, Scans etc).

This might sound like an awful lot, but the whole program consists of two assessments from the QSA (Gap and Cert) and a whole lot of other services during remediation. A typical onsite security assessment is already around 18 – 20K from any of the big 4 firms. And they usually just send their juniors who are just out of college and generally still staying with their parents. Here you get a full-fledged QSA and director or senior management level guys supporting the audit. We take it extremely seriously, and we don’t send out pencil pushers with a little checkbox and hardly a stubble under their chin. The penalty for PCI is very, very serious and we need to ensure all our clients get the best possible support.

e) Are you open for a quick meeting onsite?

Of course. Drop me an email at pcidss@pkfmalaysia.com and we will get working on it!

Personal Data Protection Act Training


We recently provided PDPA training to a public listed company. Unlike the normal awareness training or the dragging-through-the-entire-Act training that we are accustomed to, we made this one specifically for internal auditors, on how to build an audit program around PDPA (utilising AICPA GAAP and several other programs), with demonstrations of some tools used to hack/gather personal information and of some tools to prevent/monitor people hacking/gathering personal information.

The full training program is here:

Assessing Compliance of PDPA in Your Organization


© 2020 PKF AvantEdge
