Tag Archives: data

My latest Gartner Research:SWOT: Huawei Data Center Business, Worldwide

27 September 2017  |  Huawei’s data center business has grown rapidly worldwide, but it has so far been unable to penetrate North America. Technology business unit leaders responsible for data center business should use this note to decide how to compete or partner with Huawei….

Gartner clients can access this research by clicking here.


Configuring Logstash and Kibana to receive and Dashboard Sonicwall Logs

Note: If you want to quickly download my Logstash config and Kibana dashboards, see the end of this post.

Locate and Update your Logstash.conf File
First, you must update your logstash configuration file, generally located in /etc/logstash or /etc/logstash/conf.d/ and named logstash.conf

Add a logstash input
In logstash.conf, you must first add an input which will allow logstash to receive the syslog from your Sonicwall appliance along with a designated “listening” port. For my configuration, I set this to port 5515. In my logstash instance, I am using Suricata SELKs, so you can also see a file input for that prior to my Sonicwall input. See below (the text highlighted in RED was the text I added to the config file).

input {
file {
path => [“/var/log/suricata/eve.json”]
#sincedb_path => [“/var/lib/logstash/”]
sincedb_path => [“/var/cache/logstash/sincedbs/since.db”]
codec => json
type => “SELKS”
syslog {
type => Sonicwall
port => 5515

Insert a logstash Filter
The next step is to insert a new filter for parsing your sonicwall logs, this is so that Logstash knows how to automatically create fields so that you can filter on specific fields in Syslog. Below is the text that I added to the configuration file.  Important: You must make sure that if you have pre-existing filters, your start and end curly braces appropriately open and close and in the filter section the text below incorporated into the filter bracketed text.

if [type] == “Sonicwall” {
kv {
exclude_keys => [ “c”, “id”, “m”, “n”, “pri” ]
grok {
match => [ “src”, “%{IP:srcip}:%{DATA:srcinfo}” ]
grok {
match => [ “dst”, “%{IP:dstip}:%{DATA:dstinfo}” ]
grok {
remove_field => [ “srcinfo”, “dstinfo” ]
geoip {
add_tag => [ “geoip” ]
source => “srcip”
database => “/opt/logstash/vendor/geoip/GeoLiteCity.dat”

Configure the Parsed Output Location
Finally, you need to configure the output for the config file. The output is to send into the logstash instance. Below is the configuration for this. In this case, my logstash instance is sending to localhost because it is running on the same box.


output {
elasticsearch {
host => “”
protocol => transport

Configure the Sonicwall
Next you will need to configure your Sonicwall to send syslog messages to the logstash server. Login to your sonicwall, go to “Log->Syslog and then add a server x.x.x.x with port 5515.

Next you’ll need to turn on Sonicwall Name Resolution for Logs
Go to Log->Name Resolution and make sure to setup a DNS server to resolve names. Otherwise, the src and dst fields in the Kibana dashboards will not have names and show double IP address entries.

Finally, you’ll need to configure dashboards in Kibana. To make all of this easier, I’ve included all my files below that can be easily downloaded.

Logstash Configuration *Use Right-Click and Save As*

Kibana Dashboards
(To Import go into Kibana and select “Load” then go to “Advanced and click on “Load File”)

  • Sonic-Alerts (Filters the Top Alert Messages from the Sonicwall Syslog
  • Sonic Top (Filters the Top Source and Destination hosts and events associated with your sonicwall.


[ISN] Hackers give up when they go up against this cybersecurity company

http://fortune.com/2015/07/29/crowdstrike-cybersecurity-george-kurtz/ By Robert Hackett @rhhackett Fortune.com July 29, 2015 It’s not every day that a company can compel hackers to give up. Yet that’s exactly what CrowdStrike managed to do earlier this year. CEO and co-founder George Kurtz tells it like this: A besieged customer needed backup. So Kurtz’s team sent in reinforcements, placed its cloud-based software sensors across the breached business’s computing environment, and started gathering intel. Aha! Investigators spotted Hurricane Panda, an old Chinese nemesis that Kurtz’s crew had been battling since 2013. What happened next surprised them: When the attackers scanned an infected machine only to find traces of CrowdStrike, they fled. CrowdStrike’s reputation precedes it. The company, founded in 2011 and based in Irvine, Calif., has gone toe-to-toe with some of the world’s most sophisticated state-sponsored hacking groups. The firm analyzed the data behind the breaches of millions of sensitive records at the Office of Personnel Management, the federal agency responsible for human resources, in what may have been the biggest act of cyberespionage the U.S. has ever seen. It has published threat reports on many of the more than 50 adversaries it tracks, which include the likes of Ghost Jackal (the Syrian Electronic Army), Viceroy Tiger (an Indian intruder), and Andromeda Spider (a criminal coterie). Between 2013 and 2014 its revenue grew 142% and its customer base more than tripled, two reasons Google Capital GOOG 0.63% , the tech giant’s growth equity arm, led a $100 million investment in CrowdStrike in July, its first ever for a computer security company. Kurtz used to travel hundreds of thousands of miles a year as CTO of McAfee, now called Intel Security INTC 0.17% , to meet with beleaguered customers. It struck him that they did not need more anti-malware and antivirus products, the traditional realm of information security, so much as software oriented toward tradecraft and technique, the domain of cyberspies. Co-founder and CTO Dmitri Alperovitch, then McAfee’s head of threat intelligence, agreed. […]


[ISN] Cybercom: Big Data Theft at OPM, Private Networks is New Trend in Cyber Attacks

http://freebeacon.com/national-security/cybercom-big-data-theft-at-opm-private-networks-is-new-trend-in-cyber-attacks/ By Bill Gertz Washington Free Beacon July 27, 2015 The commander of U.S. Cyber Command said last week that the Office of Personnel Management hack of millions of records of federal workers shows a new trend toward using Big Data analytics for both nation-state and criminal cyber attacks. “One of the lessons from OPM for me is we need to recognize that increasingly data has a value all its own and that there are people actively out there interested in acquiring data in volumes and numbers that we didn’t see before,” said Adm. Mike Rogers, the Cyber Command commander and also director of the National Security Agency. The theft of 22.1 million federal records, including sensitive background information on millions of security clearance holders, will assist foreign nations in conducting future cyber attacks through so-called “spear-phishing,” Rogers said, declining to name China as the nation state behind the OPM hacks. Additionally, China is suspected in the hack uncovered in February of 80 million medical records of the health care provider Anthem, which would have given it access to valuable personal intelligence that can be used to identify foreign spies and conduct additional cyber attacks. […]


[ISN] Smartwatches a new frontier for cyber attack, HP study shows

http://www.computerweekly.com/news/4500250398/Smartwatches-a-new-frontier-for-cyber-attack-HP-study-shows By Warwick Ashford Security Editor ComputerWeekly.com 23 Jul 2015 Smartwatches with network and communication functionality represent a new and open frontier for cyber attack, according to a study by HP Fortify. The study revealed that 100% of the tested smartwatches contained significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns. The study report entitled Internet of things security study: Smartwatches makes recommendations for secure smartwatch development and use in home and work environments. As the internet of things (IoT) market advances and smartwatches become more mainstream, they will increasingly store more sensitive information, such as health data, the report said. […]


[ISN] After Dodging the Bullet that Hit OPM, Interior ‘Owns’ Up to Cyber Problem

http://www.nextgov.com/cybersecurity/2015/07/after-dodging-bullet-hit-opm-interior-owns-cyber-problem/117904/ By Aliya Sternstein Nextgov.com July 15, 2015 Sometimes fear is the best motivator. At the Interior Department, this was the case when computer hackers stole millions of federal employee records from an Office of Personnel Management database stored inside one of Interior’s data centers. The assailants left Interior’s data unscathed. But point taken, Interior Chief Information Officer Sylvia Burns said Wednesday afternoon. The incident, part of a historic hack against the U.S. government, prompted the department to expedite a goal of eliminating wimpy passwords as the only safeguard when signing in to agency systems. The intruders, suspected Chinese spies, used a stolen password from an OPM contractor to copy OPM’s database, according to federal officials. From OPM’s network, the bad guys then scampered across the entire Interior facility’s IT environment, Burns said. All other data, however, was not compromised, she said. “When I, as a CIO for the department, learned of the intrusion, it was horrifying to me and since that time, my team and I have been on high alert working probably seven days a week, long hours to take our lessons learned and do a mitigation plan around it,” Burns said. […]


[ISN] Symantec to incubate security startups with new VC partnership

http://www.techworld.com/news/security/symantec-incubate-security-startups-with-new-vc-partnership-3619807/ By John E Dunn Techworld.com July 15, 2015 Symantec believes the future of security is out there somewhere and has set up a new partnership with VC firm Frost Data Capital to try and find it in the form of early-stage security startups. Security firms have a long track for acquiring startups for intellectual property as well as seeding the occasional spin-off. What they still struggle to do is to tap into early-stage technology in an affordable and sustainable way. Now the pair plan to incubate up to ten startups per year in the Internet of Things, big data analytics and healthcare sectors in an attempt to shorten the time it takes for the4se technologies to reach thr market. While no investment sums have been revealed it’s an obvious tryout for an emerging ‘non-traditional’ model in which venture firms provide the entrepreneurial support and a security firm such as Symantec sanity checks the security technologies and engineering […]