-
Category: Uncategorized
-
Date: Wed Jan 22 2020
CVE-2020-0601 describes a vulnerability in the way the Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. In short: an ECC certificate can either name a known curve like prime256v1 or define its own curve with custom parameters. Sounds like trouble already! It turns out it is possible to craft these parameters so that the verification step passes.
When vulnerabilities like this come to light, the common reaction of security products is to scramble to release detection scripts. In Trisul’s metrics-first paradigm we try to identify new points of measurement and improve our visibility.
Do we have this visibility?
This vulnerability affected ECC certificates whose curve is given as explicit (unnamed) parameters. But there are so many other public key algorithm and curve types: secp384r1? RSA? Curve25519? If only we had these statistics already in place, we could have alerted on unusual ECC certificates even without a CVE disclosure. We could even have been the ones to spot and report the vulnerability. Now, that would be cool :-)
The question we ask
Can you tell what kind of certificates are seen in the last 24 hours?
Most security teams are likely to come up empty. In Trisul’s metrics worldview, it is not enough to deal with the vulnerability; you also have to fix this newly revealed visibility blindspot.
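To make the "what kind of certificates did we see" question concrete, here is an added example (not Trisul code) that classifies the public key of an X.509 SubjectPublicKeyInfo and flags ECC keys whose curve is spelled out as explicit parameters instead of a named-curve OID, which is exactly the shape CVE-2020-0601 concerns. It contains a minimal DER reader and a tiny DER encoder used only to build three constructed sample keys (the BIT STRING payload is filler, not a real key, and the explicit ECParameters block is abbreviated to a version INTEGER); in practice you would feed it the SubjectPublicKeyInfo bytes extracted from certificates observed on the wire.

```python
"""Inventory public-key algorithms and flag explicit EC parameters.

Added example, not part of the original post. The sample SPKIs below are
constructed with a tiny DER encoder; the key material is filler.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Well-known OIDs (a real deployment would carry a much larger table)
OIDS = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
    "1.3.101.110": "X25519",
    "1.3.101.112": "Ed25519",
}

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER TLV starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)

def classify_spki(spki: bytes) -> Dict[str, object]:
    """Return algorithm, curve and whether EC parameters are explicit."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, algid, _ = _read_tlv(body, 0)       # AlgorithmIdentifier
    tag, oid, pos = _read_tlv(algid, 0)       # algorithm OID
    dotted = _decode_oid(oid)
    result = {"algorithm": OIDS.get(dotted, dotted), "curve": None, "explicit_params": False}
    if pos < len(algid):                      # optional parameters follow the OID
        ptag, pval, _ = _read_tlv(algid, pos)
        if ptag == 0x06:                      # namedCurve: the normal, safe case
            curve = _decode_oid(pval)
            result["curve"] = OIDS.get(curve, curve)
        elif ptag == 0x30:                    # ECParameters SEQUENCE: explicit curve definition
            result["curve"] = "explicit"
            result["explicit_params"] = True
    return result

def inventory(spkis: List[bytes]) -> Tuple[Dict[str, int], List[int]]:
    """Count keys by algorithm/curve and list indexes carrying explicit EC parameters."""
    counts: Counter = Counter()
    flagged = []
    for i, spki in enumerate(spkis):
        c = classify_spki(spki)
        label = c["algorithm"] if c["curve"] is None else f'{c["algorithm"]}/{c["curve"]}'
        counts[label] += 1
        if c["explicit_params"]:
            flagged.append(i)
    return dict(counts), flagged

# --- tiny DER encoder, used only to construct sample input -------------------
def _enc_arc(n: int) -> bytes:
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    return _tlv(0x06, bytes([40 * arcs[0] + arcs[1]]) + b"".join(_enc_arc(a) for a in arcs[2:]))

EC, RSA, P256 = "1.2.840.10045.2.1", "1.2.840.113549.1.1.1", "1.2.840.10045.3.1.7"
DUMMY_KEY = _tlv(0x03, b"\x00" + bytes(16))   # constructed BIT STRING filler, not a real key
SAMPLE_SPKIS = [
    _tlv(0x30, _tlv(0x30, _oid(EC) + _oid(P256)) + DUMMY_KEY),              # named curve
    _tlv(0x30, _tlv(0x30, _oid(RSA) + _tlv(0x05, b"")) + DUMMY_KEY),        # RSA with NULL params
    _tlv(0x30, _tlv(0x30, _oid(EC) + _tlv(0x30, _tlv(0x02, b"\x01"))) + DUMMY_KEY),  # explicit (abbreviated)
]

if __name__ == "__main__":
    counts, flagged = inventory(SAMPLE_SPKIS)
    print(counts)                 # per-algorithm tally for the "last 24 hours" question
    print("explicit EC params at:", flagged)
```

The counts dictionary is the metric this post argues for: keep it per time bucket and an ECC key with explicit parameters, or a curve OID you have never seen before, stands out as a new label rather than as something you have to write a signature for after the fact.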
Read More
-
Category: Uncategorized
-
Date: Wed Jan 08 2020
One of the hard sells in Network Security Monitoring is convincing a user that storing packet trails is a feasible proposition. Given that storing every byte that ever crossed your wire is too expensive, we have to come up with a technique to prune and keep the most useful packets: those that are likely to be of help in a future investigation.
Huge old capture files can be optimized
Some techniques:
- Do not store traffic between known trusted endpoints, such as backup servers
- Only store the first MB of every flow
The second technique is surprisingly effective because it is a well-known secret in network traffic monitoring that a large majority of traffic by volume is carried by a tiny number of flows. A number of tools like [TrimPCAP from NETRESEC] apply this technique.
Trim at capture time or later
In Trisul, you can specify a policy that filters at capture time itself [Store only 1MB per flow]. Yet some of our customers want full content for at least a few days and then don't mind losing a bit of resolution beyond that. Our latest release includes a free tool called trisul_flowcap that allows you to prune already captured PCAP dumps.
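Both pruning techniques above fit in a few lines of accounting. The following is an added example, written for this post and not the code of trisul_flowcap or of Trisul's capture policy: it walks a packet list in time order, skips anything touching a trusted subnet (the "known trusted endpoints" rule) and keeps each flow only until its first megabyte has been stored. The flow key ignores direction, so both halves of a TCP conversation count against one budget. The packets and the trusted subnet are constructed for the demo; a real tool would read them from a PCAP file.

```python
"""Prune packets: drop trusted endpoints, keep only the first MB of each flow.

Added example, not the trisul_flowcap implementation. Sample packets and the
trusted subnet below are constructed for the demonstration.
"""
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

Packet = namedtuple("Packet", "ts proto src sport dst dport length")

MAX_BYTES_PER_FLOW = 1024 * 1024              # the "first MB of every flow" policy
TRUSTED_NETS = [ip_network("10.0.5.0/24")]    # assumption: backup servers live here

def flow_key(p: Packet) -> Tuple:
    """Direction-agnostic 5-tuple so A->B and B->A share one byte budget."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

def touches_trusted(p: Packet, nets=TRUSTED_NETS) -> bool:
    """True when either endpoint is inside a trusted (excluded) subnet."""
    return any(ip_address(p.src) in n or ip_address(p.dst) in n for n in nets)

def trim(packets: List[Packet], max_bytes: int = MAX_BYTES_PER_FLOW) -> List[Packet]:
    """Return the packets worth keeping, preserving original order.

    A packet is kept while the flow's stored bytes are still below max_bytes,
    so the packet that crosses the threshold is included (at least one full MB
    survives); everything after it in that flow is dropped.
    """
    stored: Dict[Tuple, int] = defaultdict(int)
    kept = []
    for p in packets:
        if touches_trusted(p):
            continue
        k = flow_key(p)
        if stored[k] >= max_bytes:
            continue
        stored[k] += p.length
        kept.append(p)
    return kept

def total_bytes(packets: List[Packet]) -> int:
    return sum(p.length for p in packets)

def make_samples() -> List[Packet]:
    """Constructed traffic: one long HTTPS download, a DNS exchange, backup traffic."""
    pkts, ts = [], 0.0
    for i in range(2000):                      # ~2.8 MB, alternating directions
        ts += 0.001
        if i % 2 == 0:
            pkts.append(Packet(ts, "tcp", "192.168.1.20", 51000, "203.0.113.8", 443, 1400))
        else:
            pkts.append(Packet(ts, "tcp", "203.0.113.8", 443, "192.168.1.20", 51000, 1400))
    pkts.append(Packet(ts + 0.1, "udp", "192.168.1.20", 40000, "192.168.1.1", 53, 80))
    pkts.append(Packet(ts + 0.2, "udp", "192.168.1.1", 53, "192.168.1.20", 40000, 80))
    for i in range(5):                         # backup server traffic, excluded entirely
        pkts.append(Packet(ts + 1 + i, "tcp", "10.0.5.10", 52000, "10.0.9.1", 873, 1400))
    return pkts

if __name__ == "__main__":
    sample = make_samples()
    kept = trim(sample)
    print(f"{len(sample)} packets / {total_bytes(sample)} bytes in, "
          f"{len(kept)} packets / {total_bytes(kept)} bytes kept")
```

With the constructed input the 2000-packet download shrinks to the 749 packets that make up its first megabyte, the two DNS packets survive untouched because they never reach the cap, and the backup flow is dropped outright. That is the effect the post describes: a handful of elephant flows lose their tail while the many small flows an investigation actually cares about are kept in full.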
Read More
-
Category: Release
-
Date: Tue Jan 07 2020
Happy New Year Trisul fans. We have a new release out for you with some Enterprise features.
- HA: High availability – protects against a single probe or hub node failure by multihoming the nodes.
- DR: Disaster recovery – a complete standby replica of the primary site
- New PCAP tools
We will be sharing more technical information about these tools later this week. Here is an overview. Full release notes are available here
HA features
Read More
-
Category: Release
-
Date: Thu Sep 12 2019
We just pushed a new release of Trisul Network Analytics which will greatly enhance your network troubleshooting capabilities. This release introduces a Hop by Hop Flow analytics feature to help you hunt down connection errors.

Multihop flow details
Multihop flow analysis
Among our customers, we noticed Trisul being increasingly used not just for Network Security Monitoring but also to hunt down traffic problems. A common request we hear is “Trisul is already seeing everything at a packet level, why can't you tell us why some of our connections are having problems?” You can set up Trisul-Probes at multiple vantage points in your network – flows that traverse these points are correlated and presented to you. You can compare the flow states, packets, latencies, and retransmissions at these probes.
Read More