Educause Security Discussion mailing list archives
Re: SSNs, rootkits, Incident Response, etc...
From: Gary Golomb <coach () GWU EDU>
Date: Thu, 6 Jul 2006 18:48:55 -0400
Hey John- Blabbing inline... ;)
Very interesting. We (ISO) have been asked to run assessments on ALL (200+) servers in our environment after one of our systems was compromised. So we are trying to come up with a toolkit to scan for compromises (rootkits, Trojans, etc.) and that has secure reporting abilities.
This is actually what the application was born from. It started as an automated IR program two years ago, until we got the directive to assess the security and integrity of a little over 200 servers (controlled by other departments, not the Info Systems group), plus determine if there was sensitive data on them. We completed the total project about a year ago, but the tool at that time generated too much data and took too long to run. We're gearing up for part II of the project which now audits all desktops, meaning the size of the project has tripled in terms of numbers of systems to scan. The goal of the application now is:
- Provide a means of mass-scanning (produce lightweight and only *relevant* data with secure upload)
- Allow for dependable system integrity assurance (kernel- and user-levels)
- Consistent sensitive data detection
One of the challenges is just finding tools that work on all our flavors...Windows, Unix (HP, Alpha), Linux, Solaris.
Ugh... Yeah... I can help you in the Win32 department. :) We have some solutions for the others, but I'm certain they're comparable to other solutions (script-based).
And the greatest challenge is finding something straightforward enough to use so we can give this to our techs to run and they don't require a forensics background!
That is the other primary goal of this program. Click and go. If the point is to automate [as much as possible] what experts do, then it should involve very little of the person actually running it. That data should be sent to the proper people for their analysis, but the GUI version of the program also has a live-help system that guides the end-user along and tells them what to look for. (I'm a big believer that much of what "we" do (IR and forensics) is automatable/trainable, and that reflects in this application and separates it from anything else I've ever seen like it. Certain others - I also don't care to discuss the philosophy/technology of that last sentence on this list, but thanks. I'd rather spend the time writing new code (or drinking), not emails.)
So where's the beta :)
That's something we're trying to figure out now and why I made that post. We're coming up with different business cases for different scenarios and will make a decision soon. I'll keep your contact information to let you know. I have a feeling the GUI version (standalone) should be publicly available very soon... More to come on a "beta program" for the enterprise version. -Gary
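The thread keeps coming back to two of Gary's stated goals: consistent sensitive-data detection and producing only lightweight, relevant output that can be shipped to the analysts. The following is an added example written for this archive page, not code from Gary's tool or from anyone on the thread. It walks a directory, finds SSN-shaped strings, filters them with the structural rules the SSA publishes for valid numbers (area not 000, 666 or 900-999; group not 00; serial not 0000), and reports only the file path, a SHA-256 of the file, the hit count and a masked sample, so the raw SSNs never leave the host. The regex, the `Finding` record and the `demo()` sample files are all assumptions of this example.

```python
"""
Added example (not part of the original thread or of Gary's application):
a minimal sensitive-data scanner that reports masked findings only.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Assumed pattern: 123-45-6789, 123 45 6789 or 123456789, not embedded in a
# longer digit run or a hyphenated number such as a phone number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA for issued numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def mask(serial: str) -> str:
    """Keep only the last four digits so the report is not itself sensitive."""
    return f"***-**-{serial}"


def find_ssns(text: str) -> List[str]:
    """Return the masked form of every plausible SSN found in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(mask(serial))
    return hits


@dataclass
class Finding:
    path: str
    sha256: str   # identifies the exact file version that was scanned
    count: int    # number of plausible SSNs in the file
    sample: str   # one masked hit, e.g. ***-**-6789


def scan_file(path: str, max_bytes: int = 10_000_000) -> Optional[Finding]:
    """Scan one file; returns None when it contains no plausible SSN."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)  # cap so huge files stay "lightweight"
    hits = find_ssns(data.decode("utf-8", errors="ignore"))
    if not hits:
        return None
    return Finding(path, hashlib.sha256(data).hexdigest(), len(hits), hits[0])


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree and collect findings, skipping unreadable files."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            try:
                f = scan_file(os.path.join(dirpath, name))
            except OSError:
                continue
            if f is not None:
                findings.append(f)
    return findings


def demo() -> List[Finding]:
    """Constructed sample data: one file with a real-looking SSN, one clean."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "hr_export.csv"), "w") as fh:
        # 123-45-6789 passes; the phone number and the 000- number do not.
        fh.write("name,ssn,phone\nDoe,123-45-6789,555-123-4567\nTest,000-12-3456,\n")
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("Nothing sensitive here, just a build date 2006-07-06.\n")
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.count} hit(s), sample {f.sample}, sha256 {f.sha256[:12]}...")
```

The report line is what would go up the "secure upload" path: it tells the analyst which file, which version of it and how many hits, while the masked sample lets a technician without a forensics background confirm the hit is real without the full value ever being copied off the box.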