Drew Robb, Author at eSecurity Planet (https://www.esecurityplanet.com/author/drew-robb-esp/): industry-leading guidance and analysis for how to keep your business secure. Feed last updated Fri, 23 Feb 2024 17:04:00 +0000.

8 Best Linux Distros for Forensics & Pentesting
https://www.esecurityplanet.com/products/open-source-distros-for-pentesting-and-forensics/
Fri, 15 Sep 2023 13:10:00 +0000

Here are the best Linux distros for ethical hacking, pentesting and digital forensics, from beginners through advanced.

The post 8 Best Linux Distros for Forensics & Pentesting appeared first on eSecurity Planet.

Linux has an extensive range of open-source distributions, and a number of those distros have been developed primarily for cybersecurity uses. Linux forensics and pentesting distros have been developed with pentesters, ethical hackers, network defenders and forensic investigators in mind.

These professionals use them in their work, whether for pentesting, digital forensics or other cybersecurity uses.

Each distro has a specific Linux kernel design and comes with its own package manager. They can be broadly classified as:

  • Debian-based distros: These are based on the Debian Project such as Kali Linux and ParrotOS.
  • Arch-based distros: These lightweight but technical distributions are aimed at experienced users, among whom they are very popular.
  • Computer forensic distros: These Linux forensic distros are aimed at the challenging field of computer forensics and retrieving meaningful information from tons of data.
  • Other pentesting OSes: While some of those above are used widely by pentesters, there are a couple of other Linux distros that are used by experienced pentesters.

Here are eight of the best Linux distros for cybersecurity use cases, for beginners through advanced users, along with some issues to consider as you select a Linux security distro or a Linux forensic distro.

Also see the Best Penetration Testing Tools and the Best Open Source Pentesting Tools

Kali vs. Parrot: Debian-based Distros

Both Kali Linux and Parrot OS are Debian-based distros that are often used for pentesting. The two systems can be employed by intermediate and experienced security professionals. They have a relatively fast learning curve, but their approach differs.

These Linux distros have specific variations, so make sure you pick the right one. You can leverage lite editions if you prefer minimal installations, but such versions might not contain the pentesting resources you’re looking for, and you’ll probably have to install them manually.

Kali Linux

Kali Linux is by far the most widely used Linux distro in cybersecurity and in security tests. Built on Debian, it provides a range of tools for pen testing, digital forensics, network analysis, ethical hacking, security evaluations and more. While Kali has good performance, some think it requires too much customization and is missing a few features that other distros possess. Kali should not be viewed as a primary or general Linux distro, but as a tool aimed at cybersecurity. Kali celebrated its 10th year earlier this year by adding defensive open source tools, increasing its utility for security pros.

Also read: Kali Linux Penetration Testing Tutorial: Step-By-Step Process

Pros

  • The distro is easy to install.
  • Kali Linux provides a high level of safety (e.g., custom kernel) and is actively maintained by Offensive Security.
  • There are hundreds of pre-packaged tools for pentesting, security research, forensics, web app testing, and reverse engineering.
  • Support is available for various architectures and platforms, such as x86, ARM, Cloud, Mobile Android, as well as multi-language support.
  • Support is available for various modes of installation like bare metal, VM, live boot, containers, WSL.

Cons

  • Kali Linux is not beginner friendly despite notable enhancements in recent versions.
  • It can be slower than other distros like ParrotOS for some tasks, especially on low-end systems (expect some lag).
  • It isn’t the most attractive interface and some complain that it needs too much customization.
  • Can be resource intensive for certain tasks.
  • Lacks pre-packaged IDEs for programming.
[Figure: screen capture of the Kali Linux interface]

ParrotOS Security Edition

ParrotOS offers a Security Edition that is in some ways the mirror image of Kali: It’s user-friendly and manageable for beginners and is less resource-intensive on hardware than Kali. There are five editions to choose from depending on your needs, but the cybersecurity edition is the one that is most relevant. It is used heavily in pentesting and includes pretty much all the tools included in Kali plus a few others for threat prevention, security analysis, risk assessment and Wi-Fi cracking.

Pros

  • Parrot OS is easy to install, user-friendly and beginner friendly.
  • The distro is privacy-focused, with anonymization services available and telemetry, logs and trackers disabled by default.
  • Parrot OS contains pre-packaged IDEs for programming.
  • It is lighter than Kali and requires less RAM and disk space (and no GPU).
  • Parrot OS is secure with features like sandboxes and regular updates.

Cons

  • Parrot OS adds its own commands for generic operations such as upgrading packages, which entails a learning curve for some.
  • Doesn’t have as extensive community support as Kali.
[Figure: screen capture of the Parrot Security interface]

Arch-Based Security Distros

Arch Linux standards are the reference for many professionals. While Arch requires a good amount of patience because of its complexity, ethical hackers and pentesters that learn it get to know a lot about how to use and abuse GNU/Linux. Arch Linux distros are flexible, light and easily customizable. Users have the freedom to pick and choose and adjust the look and feel as they desire. This makes it attractive to professionals and perhaps a little scary to novices.

Black Arch

Black Arch is a pentest distro based on Arch Linux. It can be challenging to learn but boasts a number of advantages for those who make the effort. There are full and slim versions: The full one contains all available tools and a complete OS; the slim version has a lighter OS and fewer tools.

Pros

  • While it is minimalist, users will find lots of packages to install.
  • An existing Arch Linux install can be upgraded to Black Arch.
  • Black Arch is continuously updated, which is part of its philosophy.
  • There is no bloat or unnecessary services.
  • Black Arch is a good fit for those wishing to install and test bleeding-edge resources, offering a better package manager and release system.

Cons

  • Black Arch may be difficult to install and use and is not beginner friendly.
  • It functions more like a hacker OS than a pentest OS.
  • It does not come with its own GUI.

ArchStrike

ArchStrike is an Arch Linux repository containing a variety of tools for professionals. Another one with a learning curve, it was developed specifically with ethical hackers in mind. It comes with extra packages for pentesting and ethical hacking. ArchStrike is powered by the Openbox window manager.

Pros

  • ArchStrike can be installed on existing Arch installations to turn them into hacking environments.
  • It is easy to install and remove (see the new ISO installer).
  • ArchStrike is made by hackers for hackers.
  • There are dedicated modules for investigations.
  • A hardware detection facility is available.
  • It requires only a lightweight install.
  • Among the many pen testing tools available are the Argus network flow analyzer and the Wireshark network scanner.

Cons

  • ArchStrike is not beginner friendly.
  • It’s more of a hacking toolset than a full Linux distro.

Distros for Computer Forensics

Computer forensics can be particularly challenging, as retrieving meaningful information among tons of data can take many hours. Linux is especially popular in forensics due to its support for so many file systems. There are several Linux distros designed specifically for forensics. These Linux computer forensic distros have gained favor among those wanting to get to the bottom of breaches and incursions.

CAINE

CAINE (Computer Aided Investigative Environment) is one of the top Linux computer forensic distros. It comes with many built-in forensic investigation tools. Its investigative environment integrates with different software and forensic tools and has an easy to use graphical user interface.

Pros

  • It has a user-friendly GUI.
  • CAINE provides a complete investigative environment, including Autopsy and Sleuth Kit.
  • It eases forensics significantly, especially memory analysis.
  • All block devices are set to read-only mode by default.
  • The live environment can be used to analyze running Windows installations.
  • It can run via command line or GUI.
  • Fulfills investigative processes like preservation, collection, examination and analysis.

Cons

  • CAINE lacks documentation, which limits the kind of support users can receive.
  • Some may find it challenging to install.

DEFT

DEFT stands for Digital Evidence and Forensic Toolkit. It is a distro employed by military, government officers, law enforcement, investigators, researchers, system admins, universities, and forensics specialists. The project is no longer actively maintained, but downloads can be found online in some places still. It is based on Lubuntu and has a GUI for forensic applications.

Pros

  • It is user-friendly and easy to install.
  • DEFT can help recover broken drives.
  • Enhanced hardware detection is available.
  • DEFT is especially good for advanced integrity checking, computer forensics, and incident response.
  • It includes specific guides to learn how to use the environment.
  • It ensures the integrity of data structures and metadata under analysis.

Cons

  • DEFT is not actively under development.
  • Despite the guides, DEFT is not beginner-friendly and requires advanced knowledge to use it.
  • Primarily aimed at forensic specialists as opposed to general IT personnel wanting to learn the basics of forensics investigations.
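The evidence-preservation properties credited to CAINE and DEFT above (block devices held read-only, integrity of the data under analysis) can be checked by hand from any Linux shell. The script below is an added example, not code from the article or from either project: it checks the kernel's read-only flag for a disk and records and re-verifies a SHA-256 manifest for an acquired image. The device name /dev/sda, the temp-file "image" and the manifest path are assumptions; the image contents are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the article or any distro's own code): the two
# evidence-preservation checks a forensic live distro such as CAINE or DEFT
# relies on, performed by hand. Device names and paths below are assumptions.

# dev_is_readonly DEVICE
# Succeeds only if the kernel reports the whole-disk device as read-only
# (the /sys/block/<dev>/ro flag), which is what a forensic live session sets
# so nothing can be written to the evidence disk.
dev_is_readonly() {
    dev=$(basename "$1")
    [ "$(cat "/sys/block/$dev/ro" 2>/dev/null)" = "1" ]
}

# hash_file FILE : print the SHA-256 digest of FILE and nothing else
hash_file() {
    sha256sum "$1" | awk '{print $1}'
}

# record_hash FILE MANIFEST : write "digest  path" so the file can be re-checked
record_hash() {
    printf '%s  %s\n' "$(hash_file "$1")" "$1" > "$2"
}

# verify_manifest MANIFEST : succeed only if every listed file still matches
verify_manifest() {
    sha256sum -c --quiet "$1" >/dev/null 2>&1
}

# Demo on a constructed "image": a temp file standing in for a disk image.
demo() {
    work=$(mktemp -d)
    img="$work/evidence.img"
    manifest="$work/evidence.sha256"
    printf 'constructed sample image contents\n' > "$img"

    record_hash "$img" "$manifest"
    if verify_manifest "$manifest"; then
        echo "acquired image verifies against manifest"
    fi

    # Any write to the image, even a single byte, must be caught.
    printf 'x' >> "$img"
    if verify_manifest "$manifest"; then
        echo "ERROR: modified image still verifies"
    else
        echo "modification detected: image no longer matches manifest"
    fi

    if dev_is_readonly /dev/sda; then
        echo "/dev/sda is read-only"
    else
        echo "/dev/sda is writable or not present on this machine"
    fi
    rm -rf "$work"
}

demo
```

The manifest written by record_hash is in the format sha256sum -c expects, so the same file can be re-verified at every stage of an investigation (after acquisition, before examination, before reporting); any byte changed in the image fails the check.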

See more of the Best Digital Forensics Tools

Other Pentesting Distros

These last two distros may be lesser known, but they have some desirable features in their own right.

Pentoo

Pentoo is based on Gentoo Linux, a bare-bones minimalist distro for advanced Linux users. It has a distinct security focus and comes with various customized tools for Wi-Fi hacking, pentesting and security assessment.

Pros

  • Pentoo is great for Wi-Fi hacking and hardware-accelerated cracking.
  • It’s a relatively light distro.
  • Pentoo is actively maintained, even if the project may look dead when you browse the website.
  • It uses Portage as package manager, which compiles programs from sources instead of downloading binaries.
  • Pentoo is worth installing on a live USB key as a complementary set of tools.

Cons

  • It is not beginner friendly; good mainly for Linux enthusiasts.
  • Pentoo may be difficult to install and use, but it is easier than Black Arch.
[Figure: screen capture of the Pentoo interface]

SamuraiWTF

SamuraiWTF aims to be “a complete Linux desktop for use in application security training.” WTF stands for Web Training Framework, as it is a framework used to train people in security and penetration testing. It grew out of an Open Web Application Security Project (OWASP) project to boost cybersecurity skills on Ubuntu Linux.

Pros

  • SamuraiWTF is maintained by the respected OWASP community.
  • It is lightweight and easy to install, with various prebuilt images for virtual machines like Kali.
  • Quick setup is possible with the CLI (command line interface), which utilizes custom “katana” commands.
  • SamuraiWTF is perfect for web pentesting, with a focus on training users.
  • It offers good documentation.

Cons

  • SamuraiWTF is only helpful as an add-on tool.
  • Once people are trained on it they will probably move on to advanced tools.

Also see the Best Vulnerability Scanning Tools and Best Open Source Vulnerability Scanning Tools

Choosing a Forensics & Pentesting Linux Distro

Choosing the right Linux forensics distro or pentesting distro is no easy task. There are many options and most can get the job done. The important factors to consider are compatibility and experience. Some distros are more compatible with various OSes and applications than others. Be sure to select a platform that fits your own environment.

Further, go easy on yourself. If you are familiar with Linux distros and Linux development, the advanced options should be fine. Even then, stick close to the distros that most align with the Linux environments you are used to working on. Also, be aware that some distributions demand a lot of performance and may struggle on aging machines.

Bottom Line: Getting Started with Pentesting and Forensics Distros

Whether you need a pentesting and forensic distro will depend on your needs and experience. Common operations like enumerating services, cracking passwords, intercepting HTTP requests, or even analyzing malware do not necessarily require a pentesting OS. Popular tools such as the Burp Suite, OWASP ZAP, Nikto, or BeEF are available as standalone apps and packages.

If you’re an absolute beginner, I would not recommend using a pentesting distro. Most pentesting distros have two major drawbacks: They can be overwhelming, and they require advanced knowledge.

You get hundreds of packages, scripts, wordlists, and other software, but it usually requires solid knowledge and experience to master each tool, prevent misuses and rabbit holes, and conduct tests in safe conditions.

You can totally use a classic distro like Ubuntu with a few packages and the right configurations and you’ll be able to achieve most tasks. Besides, if you’re new to Linux, it’s probably better to start with generic systems.

In any case, it is strongly recommended to use VMs (virtual machines). Do not install the above distros as your primary system unless you know what you are doing.

For example, if you need to test for ransomware, it’s better to have it on a VM and in a sandbox environment that can be compromised without affecting your personal files. Besides, you can take snapshots to quickly restore a working environment at will. The idea is to isolate your testing environment.

We have much more content on using open source pentesting and vulnerability scanning tools. Here are a few tutorials to get you started:

This updates an August 2022 article by Julien Maury.

LogRhythm vs Splunk: Top SIEM Solutions Compared
https://www.esecurityplanet.com/products/logrhythm-vs-splunk/
Tue, 23 May 2023 12:30:00 +0000

A look at the strengths and weaknesses of LogRhythm and Splunk, two market-leading SIEM systems.

If you’re in the market for a security information and event management (SIEM) solution, both LogRhythm and Splunk have a lot to offer, with strong support from customers and industry analysts.

Both solutions appear in eSecurity Planet’s list of top SIEM products, and SIEM buyers often compare the two. What follows is a closer look at key features of each product, with an examination of their strengths and weaknesses.

Before we get into the details, here are a few key takeaways:

  • Splunk has an advantage in cloud use cases and ease of use and deployment
  • LogRhythm has the edge in security, on-premises use cases, and service and support

LogRhythm vs Splunk at a Glance

Here’s how LogRhythm and Splunk SIEM compare at a glance:

Category                  Edge
Pricing                   LogRhythm
Ease of Deployment        Splunk
Ease of Use               Splunk
Security                  LogRhythm
Service and Support       LogRhythm
On-Premises Use Cases     LogRhythm
Best for Small Businesses LogRhythm
Best for Cloud Use Cases  Splunk
Breadth of SIEM Features  LogRhythm

Best for Pricing: LogRhythm

SIEM products are typically pricey, and that’s also true for LogRhythm and Splunk.

LogRhythm pricing typically starts around $30,000 to $40,000, with a variety of pricing options available such as perpetual or subscription software licenses, an unlimited data plan, and a high-performance plan. Users appreciate a general lack of add-on costs, but report that enterprise pricing can climb considerably.

Splunk offers a number of security options: Splunk Enterprise Security, SOAR, Security Essentials, and Mission Control. The company no longer publishes pricing, although AWS can provide some pricing data.

Splunk offers legacy ingest pricing in addition to entity pricing and workload pricing. Workload pricing is being positioned as the more value-oriented plan. Enterprise ingest rates had started at $150 a month for 1GB of data a day, with discounts per GB as volume increases; users have reported that the cost can rise quickly.

LogRhythm’s customer base is more weighted toward small and midsize businesses, while Splunk has a much greater enterprise business, so smaller companies could find LogRhythm more to their liking. LogRhythm users typically have a higher perception of value despite large upfront costs, but Splunk’s efforts to address cost complaints make them worth a close look.

Best for Deployment and Ease of Use: Splunk

Ease of use and deployment aren’t typically terms you’ll hear in reference to SIEM solutions, and both Splunk and LogRhythm have their challenges here.

SIEM user ratings tend to be lower than in other security product areas because of the sheer complexity of the solutions. In Gartner Peer Insights reviews, both Splunk and LogRhythm are among the higher-rated solutions. While they may boast similar general ratings — both have been scored at 4.4 by users over the last year — they each have their areas of strength. Splunk wins on application monitoring, analytics, log management, and reporting, whereas LogRhythm wins on real-time monitoring and threat intelligence.

Users like LogRhythm’s ability as an on-premises solution that heightens the perception of what is going on with security and potential threats.

Splunk gets high marks for its extensibility, cloud capabilities and customization options. Typical comments from Splunk reviewers mention the ability to view a wide range of logs and drill down into specific times or data sources, decreased troubleshooting time, scalability, instant access to log events, and solving problems across multiple platforms. Others, however, dislike the cost of training and certification as well as the pricing for logging a lot of application events.

Due to the size and complexity of Splunk, it isn’t for beginners. It requires a high level of skilled internal resources as well as vendor support to deploy and operate. Those very familiar with the platform will find it easy. Everyone else has a steep learning curve.

LogRhythm users frequently talk about correlating logs throughout different log sources, the excellence of the support team, being a good fit for small to medium-sized companies, and good network visibility. Problems that come up from users include difficulty in deployment and configuration as well as limited cloud options.

Splunk wins overall on deployment and ease of use, thanks in part to its cloud implementation. LogRhythm users note that good support can help with challenges, and they’re generally happy with the direction and evolution of the product.

Best for Security: LogRhythm

Both vendors offer strong security. LogRhythm’s SIEM solution combines enterprise log management, security analytics, user entity and behavioral analytics (UEBA), network traffic and behavioral analytics (NTBA), and security automation and orchestration.

The product is built on a machine analytics/data lake technology foundation that’s designed to scale easily, with an open platform that allows for integration with enterprise security and IT infrastructure. That integrated approach can make for efficient security operations, from threat detection to incident response.

Embedded modules, dashboards, and rules deliver threat monitoring, threat hunting, threat investigation, and incident response. Users can swiftly search across organizational data for answers, identify IT and security incidents, and troubleshoot issues. The LogRhythm platform uses machine learning to avoid endless alerts and to accurately detect malicious activity through security and compliance use case content and prioritization of threats. The goal is to spot anomalous user behavior before data is corrupted or exfiltrated and to detect and respond to threats faster.

LogRhythm has been steadily releasing expanded capabilities and integrations for its security operations solutions. Following the October 2022 launch of the LogRhythm Axon cloud-native security operations platform, the company has introduced new visualizations and analytics that offer greater visibility into potential security risks. Designed to streamline the experience of security analysts, Axon and these updates make it easier for teams to detect, investigate, and report on potential threats.

Other recent upgrades: LogRhythm Axon provides custom and out-of-the box analytics rules, including rules for MITRE ATT&CK detections; LogRhythm SIEM now comes with improved administrative workflow for collection, shorter time to configure, deploy, and manage log sources that require Open Collector, enhanced audit logging, and an expanded library of supported log sources; LogRhythm UEBA has new detection models for Windows systems; and LogRhythm NDR offers improved blind spot detection and endpoint visibility through integration with Microsoft EDR.

The Splunk platform is also broad. It encompasses searching, monitoring, and analyzing a vast amount of IT data to identify data patterns, provide metrics, diagnose problems, and aid in business and IT decision making.

To give an idea of the scope of Splunk, it takes in SIEM as well as application performance monitoring (APM), log management, compliance, automation, orchestration, forensics, and even IT service management (ITSM) and IT operations management (ITOM). Splunk’s wide range of products and features are aggregated within the overall Splunk platform, which has two elements that can be deployed separately—Enterprise Security (which includes SIEM) and Observability.

Splunk Enterprise Security can be used to analyze, ingest, and store data for later use as well as detect issues impacting customers and conduct real-time visualization and analysis. It provides a clear visual picture of an organization’s security posture, with the ability to customize views and drill down to raw events as needed. It’s useful for ongoing monitoring as well as for troubleshooting security incidents, helping to streamline the detection and investigation processes.

Splunk offers a dashboard, prebuilt reports, custom visualizations, and an adaptive response capability that leverages machine learning to determine whether the solution can handle a particular incident on its own or if it needs human assistance. About 2,500 apps and add-ons are available through the Splunkbase app store.

This one is close, but LogRhythm gets the nod, in part for its real-time monitoring and threat intelligence capabilities.

Best for Cloud Use Cases: Splunk

Splunk does not offer on-premises appliances. It does provide software for on-site deployment, but that requires integration with whatever hardware or appliances are preferred. In any case, most users deploy it in the cloud, where it can be installed in a public, private, or hybrid cloud setting. Additionally, it does not come cheap. As more modules are added, pricing rises accordingly.

LogRhythm is primarily designed for on-premises deployments, although there are cloud options, and the company has been adding them steadily over time. LogRhythm’s SIEM can be purchased as an appliance or as software, and deployment can be done in on-premises, cloud, or hybrid environments. Third-party providers offer fully hosted and managed solutions as well. According to some users, deployment can sometimes require the assistance of consultants and calls to tech support.

Splunk wins in the cloud category due to its cloud origins and deployment options. It is available as software that can be run on-premises, in infrastructure as a service (IaaS), and as a hybrid model, as well as via the Splunk-hosted software-as-a-service (SaaS) solution Splunk Cloud. Initial deployment can be accomplished easily via the cloud.

While Splunk may win for cloud use cases, LogRhythm wins for on-premises deployments.

Top Splunk and LogRhythm SIEM Alternatives

Splunk and LogRhythm SIEM tools may not be for everyone, particularly the price-conscious. Exabeam, Trellix, Sumo Logic, and Securonix are worth looking at for ease of use and value, while IBM QRadar, NetWitness, Fortinet, and ArcSight are worthy competitors for security capabilities.

See our complete list of the Top SIEM Tools & Software

How We Evaluated Splunk and LogRhythm SIEM

For our analysis, we evaluated SIEM feature sets, product breadth, performance and security test data, vendor specs, pricing data from resellers, use cases, user reviews, analyst ratings, and overall vendor strength and vision. Real-world performance can, of course, differ from product and lab specs.

The Bottom Line: Splunk vs LogRhythm SIEM

Splunk and LogRhythm both offer very good SIEM solutions that can give any organization good centralized security management.

Their strengths differ, however. LogRhythm is a good choice for small and mid-sized companies in need of good on-premises, host and network monitoring capabilities, while the product’s breadth of features could find favor with larger organizations too.

Splunk wins for cloud use cases and ease of use and deployment — with the caveat that any SIEM system will require a learning curve.

In its most recent SIEM Magic Quadrant, Gartner noted that LogRhythm’s customer base indicates that it suits midsize enterprises and smaller organizations more than large organizations. The company boasts a strong team of resellers in every region as well as plenty of managed service providers. Gartner also gave LogRhythm high marks for “mature and refined investigation and case management capabilities that assemble context and enable users to create an evidence base for case disposition.”

Another plus is the LogRhythm Labs team, which analyzes emerging threats from all corners of the web and builds rules, dashboards, reports, and compliance modules to give your organization the upper hand.

Splunk offers a full suite of security event management solutions that allow users to grow into the platform over time. Splunk’s app store leverages the company’s massive partner ecosystem to provide a wide range of integration and Splunk-specific content. A big strength of Splunk and a key differentiator is its ability to integrate data streams from a huge number of sources. Some users ingest several petabytes (PB) per day. It supports a wide range of data formats, such as .xml, .csv and .json files.

Splunk does a fine job of analyzing the huge number of log files generated by enterprise systems. It eliminates the need for IT to spend hours trawling through all of the logs looking for that security or performance needle in the IT haystack. It also makes use of search processing language to find terms present in log files. A wealth of real-time visualization and analysis features are available.

Overall, either would make a fine SIEM platform for any organization. But as the scoring above shows, the choice depends on the organizational footprint, application mix, preference for cloud vs. on-premises, and other factors.

See the top XDR and SOAR solutions

Check Point vs Palo Alto Networks: Top NGFWs Compared
https://www.esecurityplanet.com/products/check-point-vs-palo-alto-networks/
Tue, 11 Apr 2023 23:01:43 +0000

Check Point and Palo Alto Networks are two of the top next-generation firewall (NGFW) vendors, and both appear on eSecurity Planet’s list of the top NGFW products and the top cybersecurity companies too.

Security buyers in the market for NGFWs often compare the two, and with good reason. Palo Alto and Check Point are both Leaders in Gartner’s recent network firewall Magic Quadrant — the only other leader is Fortinet. Firewalls from both have scored high in independent testing from Cyber Ratings. Check Point and Palo Alto also receive good ratings from users, so buyers of either company’s products can have confidence that they’re getting some of the best security possible.

Not surprisingly, both are priced higher than more value-conscious solutions. Both are aimed at enterprises that have above average security needs, and for those use cases, they deliver. Nonetheless, there are some differences between the two, and we’ll address those here. Before we get into the details, here’s a high-level analysis of the use cases each vendor serves best:

  • Check Point is good for both SMB and large-scale environments and gets high marks for ease of use.
  • Check Point’s wide range of security offerings makes it a good fit for a company seeking a broad, integrated approach for complex and hybrid environments.
  • Palo Alto can serve those markets too, but also has an edge in cloud, container and FWaaS use cases, in addition to a comprehensive security product portfolio.
  • Palo Alto’s solution fits best when features, management and performance are the most important factors.
  • If you’re just looking for a firewall with good security, either will do, as both are top rated by Gartner, users and independent testers.

What follows is a look at the core functionality of each solution as well as some critical strengths and weaknesses.

Also read: Fortinet vs Palo Alto: Compare Top Next-Generation Firewalls

Check Point vs Palo Alto NGFWs at a Glance

Here’s how Check Point and Palo Alto NGFWs compare at a glance:

Category                    Edge
Pricing                     Palo Alto
Ease of Deployment          Palo Alto
Ease of Use                 Check Point
Security                    Check Point
Service and Support         Palo Alto
Network Firewall Use Cases  Palo Alto
Best for Small Businesses   Check Point
Best for Cloud Use Cases    Palo Alto
Breadth of Features         Check Point
Overall Capabilities        Palo Alto

Best for Pricing: Palo Alto

Palo Alto and Check Point are similarly priced, but we’ll give the edge to Palo Alto for reasons we’ll get to in a moment.

Palo Alto firewalls are not cheap, of course. The Palo Alto PA hardware firewall series starts around $1,000 for the PA-410, while the high-end PA-7000 series firewalls start at around $200,000 (and can cost much more with support and subscriptions). There are many options in between, as well as a ruggedized model. Palo Alto also offers virtual, container and cloud firewalls, plus other features like AIOps and SD-WAN.

Check Point’s pricing is based on the cost of the server and security gateways required, starting under $2,000 for entry level Quantum gateways, while the high-end models start at around $200,000 and up.

Pricing for both vendors is in a similar range, so a selection based on price alone will sometimes favor Palo Alto and at other times Check Point, which can be a little cheaper.

But according to Cyber Ratings tests of enterprise firewalls and cloud network firewalls, the total cost of ownership per Mbps for Check Point has been higher than that of Palo Alto in their tests, hence the edge to Palo Alto.

Palo Alto Networks PAN-OS traffic dashboard

Best for Ease of Use: Check Point

In Gartner Peer Insights reviews over the last year, users gave Palo Alto an impressive 4.7 for Integration & Deployment while Check Point earned a 4.4. On G2, Check Point came out ahead on ease of use and admin, and the two were tied for ease of setup.

Ease of use has come a long way in recent years, as terms like “easy to use,” “user-friendly” and “intuitive” show up in reviews of both companies’ firewalls.

Gartner noted in its December 2022 Magic Quadrant: “Palo Alto Networks’ cloud-based firewall manager, used for distributed-office and centralized-management use cases, is not on a par with on-premises management. Its cloud-based manager is used primarily for the Prisma Access product line and ‘generation 4’ models of hardware.”

Check Point reviews mention ease of use a little more often than Palo Alto but there is not much difference between the two. While users praise Palo Alto’s robust security, some say managing that ability can be too complex for a generalist.

Users of both systems say their setup process requires a little more knowledge and advanced planning than most. Once up and running, many Check Point users single out the solution’s management interface as a key strength. Palo Alto users praise the rich management features of the company’s firewalls, but some say they require some expertise to get the most from them.

So in short, we give Check Point the advantage in ease of use, and Palo Alto the edge in ease of deployment. If you run into issues, neither vendor scores high in support, but Palo Alto has the edge in support scores from users.

Image of three different sizes of Check Point Quantum gateways.

Best for Security: Check Point

Both vendors offer very strong security, and independent tests for both have been consistently strong.

Gartner says Check Point’s offering is a particularly good match for companies seeking an integrated and consolidated approach to security, thanks to its wide range of network, mobile, and endpoint security products.

Check Point was graded as a Leader in the latest Gartner Magic Quadrant (MQ) for next generation firewalls. However, it scored a little below Palo Alto. Gartner noted that Check Point offers “a comprehensive security portfolio,” and that the company is a good candidate for organizations with a mix of on-premises and infrastructure-as-a-service (IaaS) security needs.

Recent releases include an SD-WAN blade and Check Point Quantum Titan, which adds threat prevention from new AI Deep Learning engines, autonomous IoT security, and the ability to automatically scale or prioritize performance for peak workloads and mission critical applications.

Gartner also placed Palo Alto in the Leaders quadrant and gave it the highest ratings in its latest next-generation firewall Magic Quadrant (MQ). And it was named a Leader in a Forrester Wave for Enterprise Firewalls. Gartner says Palo Alto Networks boasts high customer satisfaction and is a solid contender for all enterprises, particularly when features and management quality are more important than price.

Palo Alto’s PAN-OS enables a platform approach. It comes with strong threat detection and prevention (Advanced WildFire), AIOps, URL filtering, DNS security, CASB, and IoT security including Medical IoT Security, Enterprise IoT, and Zero Trust OT Security. It has introduced natively integrated web proxy capabilities for NGFW customers migrating from legacy on-premises proxy solutions to a single management platform with consistent security across touchpoints. AIOps for NGFW processes 29 billion metrics every month across 50,000+ firewalls and shares 24,000 misconfigurations and other issues with customers for immediate resolution.

We give Check Point the edge due to its higher security scores in Cyber Ratings tests, even as Palo Alto came out ahead in value.

Check Point also came out on top in recent Miercom firewall benchmark tests sponsored by Check Point, scoring a 99.7% malware block rate versus 72.7% for the nearest competitor, along with a 99.9% phishing prevention rate and a 0.1% false positive detection rate.

Best for Cloud and Complex Use Cases: Palo Alto

Palo Alto has a clear edge in cloud use cases and the needs of complex enterprises. The sheer range of Palo Alto’s firewalls is impressive, spanning small offices, campuses and businesses, mid-sized organizations and enterprises, and high performance and harsh environment needs.

Palo Alto’s cloud lineup stands out, and it has the edge in container and cloud firewalls. AIOps and SD-WAN support are also standout features. Not surprisingly, Palo Alto’s customer base is skewed toward midrange and large enterprises. Additionally, it launched a managed next-gen firewall service for AWS, Cloud NGFW for AWS, to accelerate the enterprise journey to the cloud. Further standouts are its ability to translate firewall policy into best practices and to offer clients a single firewall provider for hardware, software, cloud and FWaaS.

Check Point’s customer base includes a large enterprise presence too, but also a healthy number of small businesses, and ease of use adds to its small business appeal. The company provides a range of offerings for different use cases and markets but not quite as wide as Palo Alto. Both are strong contenders for cloud needs, offering virtual appliances and a wide range of cloud functionality. Check Point is behind Palo Alto on container firewalls, as it was later to the market.

Top Check Point & Palo Alto Alternatives

Check Point and Palo Alto Networks firewalls aren’t for everyone. For those seeking top performance, Fortinet is a worthy competitor, and was named by Gartner as a Leader in NGFW, along with Palo Alto and Check Point. Fortinet also offers good value. A number of other NGFW vendors may be able to compete on price, among them Cisco, Versa, Juniper, SonicWall, Sophos and Forcepoint.

See our full list of the Best Next-Generation Firewall (NGFW) Vendors for additional buying guidance.

How We Evaluated Check Point vs Palo Alto NGFWs

For our analysis, we evaluated firewall features, product breadth, performance and security test data, vendor specs, pricing data from resellers, use cases, user reviews, analyst reports, and overall vendor strength and vision.

Real-world performance can, of course, differ from product and lab specs. And no security product can stop everything, so defense-in-depth and layered detection and response technologies are things every organization needs.

The Bottom Line: Check Point vs Palo Alto Networks

The differences between Check Point and Palo Alto are small but still significant.

Check Point gets the edge on ease of use, security, breadth of features, and SME use cases. Check Point’s NGFWs leverage an application library of thousands of web applications to identify, allow, block, or limit usage of applications and the features within them, enabling safe internet use while protecting against threats and malware. The company’s SmartLog analyzer provides real-time visibility into billions of log records over multiple time periods and domains.

Recently, Check Point expanded its NGFW product lines with the introduction of new high-end platforms, and launched the Check Point Infinity Security Architecture, which is designed to protect a company’s entire IT infrastructure. Software features include autonomous threat prevention, simplified configuration, and TLS 1.3 support with detection of fake Server Name Indication (SNI).

Check Point provides several firewall lines: Quantum Security Gateway hardware appliances such as the Maestro Hyperscale product line and Lightspeed Firewall products, CloudGuard virtual appliances and cloud security products, the Harmony firewall as a service (FWaaS) line, and recent container-based firewalls. These features have been further expanded with the recent release of Quantum Titan.

Palo Alto gets the edge on overall capabilities, ease of deployment, service and support, and cloud and complex use cases. Palo Alto can serve appliance-based distributed enterprise and branch office needs too, but has an edge in cloud, container and FWaaS use cases, plus a comprehensive security product portfolio.

Palo Alto Networks’ NGFWs monitor applications, threats, and content and tie them to the user regardless of location or device type. The company’s NGFWs are available in purpose-built hardware appliances ranging from the PA-200 to the high-end PA-7000 Series, with threat prevention throughput of 100Gbps, and as virtual appliances supporting a wide range of cloud environments. Its next-generation firewalls run on its PAN-OS. The NGFWs classify all traffic, including encrypted traffic, based on application, application function, user, and content. 

Palo Alto’s Application Command Center includes visibility of sanctioned and unsanctioned software-as-a-service (SaaS) applications. Combined with automated event aggregation and filtering and drill-down options, this makes it easier to understand application flows and related risks. Such features earned Palo Alto Networks a place as a Leader in the Gartner Magic Quadrant for Network Firewalls for 11 years in a row.

The differences between the two are small and largely come down to which one best meets your needs and price points. Users can have confidence in both vendors. They may cost more than competitive offerings, but good security pays for itself in the cost savings of avoided breaches.

Read next: Sophos XGS vs Fortinet FortiGate: Top NGFWs Compared

The post Check Point vs Palo Alto Networks: Top NGFWs Compared appeared first on eSecurity Planet.

24 Top Open Source Penetration Testing Tools https://www.esecurityplanet.com/applications/open-source-penetration-testing-tools/ Thu, 06 Apr 2023 22:46:28 +0000

Open-source penetration testing tools are freely available software that help pentest teams identify areas of weakness in their systems.

Teams often need a variety of tools to perform a full penetration test, so using the wide range of open-source pentesting tools helps them keep their costs down. And many pentesters are already familiar with well known tools like Nmap and Metasploit.

Many of the tools below are included in Kali Linux, a dedicated Linux operating system for pentesting and ethical hacking. Installing Kali can remove the hassle of downloading and installing these tools separately.

The emphasis here is on open-source pentesting tools, so pricing is free but we note where there are paid levels and services too. For commercial pentest tools offering greater breadth and support, see Best Penetration Testing Tools.

Top Penetration Testing Categories

We have grouped the tools below according to their function in a pentest exercise. Some may fall into multiple categories and there is some overlap between categories, but this list represents our assessment of the major function accomplished by each specific tool. Here are the major categories, which link to the best tools within each category.

4 Best Web App Scanning Tools

These are open-source pentest tools used for testing the security of web-facing applications, servers, and other assets. The top four options include OWASP, Nikto2, W3af, and WPScan.

OWASP

The Open Web Application Security Project (OWASP) maintains Zed Attack Proxy (ZAP), which stands between the tester’s browser and a web application to intercept requests, modify contents, or forward packets, among other tasks.

Pros

  • Actively maintained by OWASP teams
  • Comprehensive and full of features, such as spider, passive and active scans, application programming interfaces (APIs), request editor, marketplace, plug-ins, and many more
  • Supports multiple programming and scripting languages
  • Provides graphical and command-line interfaces (CLIs) as well as good documentation
  • Convenient for various levels, from beginners to security teams

Cons

  • Can be harder to install and less comfortable than premium products such as the Burp Suite
  • Needs additional plugins to provide some features

Nikto2

Nikto is a lightweight command-line web server scanner that identifies common web flaws, such as server misconfigurations. It is included in Kali Linux and can also be installed as a single package with the command sudo apt install nikto.

It performs tests against multiple items, including thousands of potentially dangerous files and common gateway interfaces (CGIs), and it checks for outdated versions of servers and version-specific problems on hundreds of servers. It also checks for configuration items such as the presence of multiple index files and HTTP server options and will attempt to identify installed web servers and software.

Pros

  • Straightforward and covers common needs
  • Can test intrusion detection systems (IDS)
  • Supports files for input and output

Cons

  • Beginners might get confused
  • No graphical user interface (GUI)
  • No known community or support

W3af

w3af, or Web Application Attack and Audit Framework, is a scanner with a framework to analyze applications and generate reports with its findings. Once the app is mapped, the tool sends crafted requests to trigger specific bugs in the code, such as SQL injections, and to report positive cases.

Pros

  • Easy to learn and use
  • Generates helpful reports
  • Automates many tasks
  • Provides complete documentation

Cons

  • The GUI can be challenging

WPScan

WPScan is a popular security tool for WordPress. It can be used with pentesting distributions like Kali Linux, with Docker, or as a binary.

A quick scan can reveal typical flaws of WordPress installations, such as the use of the XML-RPC protocol or outdated dependencies, but it can also perform brute-force attacks efficiently. Behind the scenes, the CLI tool uses the WordPress Vulnerability Database API to retrieve WordPress vulnerability data in real time.

Pros

  • Comprehensive with good documentation
  • Entirely built for WordPress

Cons

  • Free plan has limited API quotas
  • A lot of prerequisites if users don’t use Kali Linux
  • No GUI

Pricing Upgrades: The CLI tool is free but limited; premium small business and enterprise versions are available.

4 Best Password Crackers

Password cracking consists of retrieving passwords stored in computer systems. System administrators and security teams as well as hackers can use these tools to spot weak passwords. John the Ripper, Medusa, Ncrack, and Rubeus are the top password crackers.

John the Ripper

John the Ripper is one of the most popular free password crackers and is included in Kali Linux; a premium version is also available. It combines several approaches to password cracking into one package.

It also supports hundreds of hash and cipher types, including for user passwords of Unix flavors, macOS, Windows, web apps, groupware, database servers, network traffic captures, encrypted private keys, filesystems and disks, archives, and document files.

Pros

  • Supports multiple hash and cipher types
  • Highly flexible configurations
  • Can crack common variations such as mangling rules (e.g., Pa$$w0rd)
  • Takes the best aspects of various password crackers and unites them into one package

Cons

  • Can be hard to learn, set up, and configure
  • Has the same privileges as the user running it, so it cannot read shadow passwords without elevated rights
  • Only cracks passwords, nothing else

To learn how to use John the Ripper and hear more about its pros and cons, read John the Ripper: Password Cracking Tutorial and Review.
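The mangling rules mentioned above (turning "password" into "Pa$$w0rd") are exactly what a password policy should anticipate. The following is an added example written for this article, not code from John the Ripper: it reverses common substitutions and stripped affixes so that a candidate password can be checked against a dictionary before it is accepted. The word list and the substitution table are constructed assumptions; a real deployment would load a full dictionary or a breached-password list.

```python
import re

# Constructed mini wordlist (assumption); a real check would load a full
# dictionary or a breached-password list.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "admin", "company"}

# Substitutions that typical mangling rules apply to a dictionary word
# (constructed table; extend as needed).
LEET_MAP = str.maketrans({
    "$": "s", "5": "s", "0": "o", "@": "a", "4": "a",
    "3": "e", "1": "i", "!": "i", "7": "t", "|": "l",
})


def _strip_affixes(text: str) -> str:
    """Drop leading and trailing digits/symbols such as '2024!' or '#'."""
    return re.sub(r"[^A-Za-z]+$", "", re.sub(r"^[^A-Za-z]+", "", text))


def mangled_base_word(candidate: str, words=COMMON_WORDS):
    """Return the dictionary word that `candidate` is a trivial mangling of, or None.

    Two orders are tried: a trailing year ('Welcome2024!') must be stripped
    before leet-decoding, while an inner '0' ('Pa$$w0rd') must be decoded
    before the comparison.
    """
    for variant in (_strip_affixes(candidate).translate(LEET_MAP),
                    candidate.translate(LEET_MAP)):
        base = _strip_affixes(variant).lower()
        if base in words:
            return base
    return None


def check_password(candidate: str, min_length: int = 12):
    """Policy check returning (accepted, reason)."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    base = mangled_base_word(candidate)
    if base is not None:
        return False, f"mangled form of dictionary word '{base}'"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Pa$$w0rd", "Welcome2024!", "Summ3r!!", "correct-horse-battery-staple"]:
        print(pw, check_password(pw))
```

The check is deliberately conservative: it only catches single-word manglings, so it complements rather than replaces a length requirement and a breached-password lookup.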

Medusa

Medusa is a powerful brute-force tool with interesting features that is included in Kali Linux. This command-line tool can also be installed as a Linux package using the command sudo apt install medusa.

Pros

  • Easy to learn and use
  • Fast and concurrent
  • Supports thread-based parallel testing like simultaneous brute-force attacks
  • Offers the ability to resume an interrupted Medusa scan
  • Can be extended easily

Cons

  • Supports fewer operating systems and platforms than other tools
  • Lack of documentation

Ncrack

Ncrack, which is included in Kali Linux, can test all hosts and devices in a network for weak passwords. It is a command-line tool that can scan large networks, enabling sophisticated brute-force testing.

Pros

  • Light yet powerful
  • One of the most widely used by professionals
  • Can be easily used along with Nmap and is maintained by the same creators
  • Can save output in files
  • Can resume an interrupted attack with the --resume option
  • Can attack multiple hosts

Cons

  • No graphical interface

Rubeus

Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is open-source and licensed under the BSD 3-Clause license.

It is aimed at Kerberos, the ticket-based network authentication protocol used in Active Directory (AD), which is increasingly targeted and commonly misconfigured. Rubeus exploits the resulting vulnerabilities and performs functions such as crafting keys and granting access using forged certificates.

Pros

  • Good for Kerberos flaws
  • Includes modifications to Rubeus’ approach to Kerberoasting
  • Versatile; it is dropped on the target machine to perform various AD-related attacks

Cons

  • Can be detected in a number of methods, either from the host, network, or domain perspectives
  • Can be caught during initial weaponization of the code itself through the use of sensitive APIs

For an explanation on how to test your organization’s security services using Rubeus and other pentesting tools, read Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR.

3 Best Pentesting Frameworks

Pentesting frameworks are collections of security tools that can be used to run penetration tests. The best ones, including the Burp Suite, Metasploit, and Fiddler, cover both scanning and exploits.

The Burp Suite

Burp is a top-rated web attack suite whose free Community Edition is included in Kali Linux. It is a tremendous tool in the pentesting arsenal that can do advanced scans, but one of its most classic uses is traffic interception, such as for HTTP requests.

The web vulnerability scanner within Burp Suite uses research from PortSwigger to help users find a wide range of vulnerabilities in web applications automatically. Burp Scanner’s crawl engine cuts through obstacles like CSRF tokens, stateful functionality, and overloaded or volatile URLs. It can handle dynamic content, unstable internet connections, API definitions, and web applications.

Pros

  • Used by most security teams, researchers, and professionals as well as attackers
  • Comprehensive
  • Easy to use and configure
  • Its embedded Chromium browser renders and crawls JavaScript
  • A crawling algorithm builds up a profile of its target in a similar way to a tester
  • Uses location fingerprinting techniques to identify hidden areas

Cons

  • Harder to learn and master than other scanners
  • Many features aren’t available in the community edition (free), and the enterprise edition is relatively expensive
  • An all-in-one solution with tons of features that won’t be used by many businesses
  • As it tries to be everything, it should be viewed primarily as a vulnerability scanner with some penetration tools that attack the vulnerabilities it uncovers, and it should be used in conjunction with other pentesting tools

Pricing Upgrades: In addition to the free community tools, PortSwigger offers pro and enterprise versions of Burp.

Metasploit

Metasploit, developed by Rapid7, is a well-known exploitation framework that’s also included in Kali Linux. It provides useful modules and scanners to exploit vulnerabilities.

With this modular exploitation approach, a particular vulnerability can be combined with a user-selected payload module and an automatically selected encoder module. Upon success, the user can adapt and customize their workflow by using one of the many post-exploitation modules provided by Metasploit Framework.

Further, Metasploit is backed by a huge open-source database of known exploits, and provides IT with an analysis of pentesting results, so remediation steps can be done efficiently.

Pros

  • Used by most security teams, researchers, and professionals as well as attackers
  • Comprehensive
  • Convenient to emulate compromised machines
  • Users can create malicious payloads through a graphical interface (the payloads GUI) or in the Pro version
  • Can be easily combined with Nmap
  • Includes post-exploitation tools such as keyloggers, packets sniffers, or persistent backdoors
  • Tests can be automated
  • Everything is unified to provide a seamless experience for the user, particularly when compared with stand-alone public proof-of-concept code
  • With an established Meterpreter or Secure Shell (SSH) session, users can send all traffic through one or more sessions depending on their Metasploit-global routing configuration

Cons

  • It makes hacking a lot easier, including for beginners and script kiddies
  • Paid versions are expensive
  • Can be challenging to use at first
  • May occasionally have scaling challenges in very large environments

Pricing Upgrades: In addition to the open-source framework, Rapid7 also offers a professional version.

Fiddler

Fiddler is a useful collection of manual tools for web debugging, web session manipulation, and security and performance testing. Its extensions include:

  • Watcher to observe browser interactions with a website, scan requests and responses, and flag potential vulnerabilities
  • x5s to evaluate website vulnerabilities due to cross-site scripting bugs caused by character-set related issues
  • intruder21 for fuzz testing of web applications, generating fuzzed payloads and launching them against a website
  • Ammonite, which detects common website vulnerabilities including SQL injection, OS command injection, cross-site scripting, file inclusion, and buffer overflows

Pros

  • Good web debugging proxy
  • Can automate SSL decryption
  • Users can choose to either decrypt all processes, only browser traffic, only non-browser traffic or remote clients

Cons

  • Not designed to be a pentest tool but helps to scan for vulnerabilities
  • Probably most useful for those deploying the paid version on the .NET framework, as that comes with many automation features

Pricing Upgrades: While Fiddler is free, a paid version by Telerik can be integrated into .NET applications.

3 Best Wireless Network Scanning Tools

Wireless network scanning tools test the security of wireless networks by cracking network passwords and testing the strength of encryption protocols. The top wireless network scanning platforms are Hashcat, Aircrack-ng, and wifite.

Hashcat

Hashcat provides advanced password recovery features and lets testers crack Wi-Fi passwords or password-protected documents such as ZIP files. It is included in Kali Linux, but users can also install it as a package using the command sudo apt install hashcat.

Pros

  • A typical hacker’s tool
  • Not limited to brute-force attacks

Cons

  • No GUI, but there are third-party integrations
  • Requires relatively advanced technical knowledge

Aircrack-ng

Aircrack-ng is the go-to tool for analyzing and cracking wireless networks. All of the various tools within it use a command-line interface and are set up for scripting. Aircrack-ng’s main focuses include:

  • Packet capture and export of data to text files for further processing by third-party tools
  • Replay attacks, de-authentication, fake access points and more via packet injection
  • Testing of Wi-Fi cards and driver capabilities (capture and injection)
  • Cracking of Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access Pre-Shared Key (WPA-PSK) keys for WPA and WPA2

Pentesters can use it to attack and crack the WPA and WEP protocols. It is open-source and available from SecTools.

Pros

  • Good tool for 802.11 wireless local area networks (LANs) to sniff wireless packets, intercept them, and log traffic passing through, as well as to manage wireless drivers and recover lost keys
  • Has been extended beyond Linux to include Windows, OS X, FreeBSD, OpenBSD, NetBSD, Solaris, and eComStation 2

Cons

  • Cannot monitor or conduct pentesting on non-wireless networks

wifite

Wifite is a wireless network auditor that deals with current or legacy attacks against WEP and WPA2. It can be used as an automated wireless attack tool.

Pros

  • Good for retrieving the password of a wireless access point such as a router

Cons

  • Mainly designed for use with pentesting distributions of Linux
  • Wifite must be run as root because the suite of programs it uses requires it
  • Difficult to run downloaded scripts

3 Best Exploitation Tools

Exploitation tools can test everything from user susceptibility to phishing and spoofing to application and database security. BeEF, SQLmap, and SET are the most useful exploitation tools available.

BeEF

As many apps are web-based, adversaries turn to browser exploitation. BeEF, or Browser Exploitation Framework, makes classic tasks such as enumeration, phishing, or social engineering seamless.

This software provides testers a user-friendly GUI and practical client-side attack vectors to target different contexts and achieve various tasks, such as stealing credentials. BeEF also offers a user guide for anyone with questions from basic utilization to development.

Users can find it in Kali Linux, but it can also be installed as a package using the command sudo apt install beef-xss.

Pros

  • Full of advanced features, such as fake password manager logins and redirect with iFrames
  • Clever interface to visualize everything from the victim’s browser to the attacker’s logs
  • Particularly convenient for demonstrations
  • Provides prebuilt web pages for various traps such as fake login forms
  • Can bypass a victim’s firewall
  • Provides a comprehensive network module, such as for host discovery

Cons

  • Basic phishing modules will perform poorly with cybersecurity-aware employees

SQLmap

SQLmap is included in Kali Linux, but it can also be installed from the GitHub repository. It automates the process of detecting and exploiting SQL injection flaws and database server takeovers.

Pros

  • Can detect various types of SQL injections
  • Supports an extensive range of databases
  • Provides advanced features, especially for search and enumeration

Cons

  • No GUI; it’s CLI-only, but there are third-party integrations

SET

SET, or Social-Engineer Toolkit, focuses on the human factor, since scanners won’t perform social engineering pentests. Users can create payloads, phishing pages such as a fake Google login, and other web attacks.

Pros

  • The command-line menus, used in place of a GUI, are well formatted
  • Comprehensive
  • Straightforward but powerful

Cons

  • Relies on human error, which is often the weakest link, although some attacks don’t need this step

3 Best Sniffing Tools

Packet sniffers can analyze and intercept network traffic to steal data and passwords and launch man-in-the-middle attacks. When searching for a top sniffing tool, consider Ettercap, Tcpdump, and Wfuzz.

Ettercap

Ettercap is a packet sniffer that allows users to modify data on the fly and run man-in-the-middle (MITM) attacks. A common usage is to intercept passwords with ARP (Address Resolution Protocol) poisoning or spoofing, which places the attacker between the victim and the router to divert traffic.

Ettercap can be used with Kali Linux or installed as a stand-alone software on a pen-testing distribution using the command sudo apt install ettercap-common.

Pros

Cons

  • Users need to be already inside the network to run the attack
  • The interface could be more polished
  • Can be hard to learn and master
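From the defender’s side, the ARP poisoning Ettercap performs is visible on the wire as conflicting replies. The following is an added example for this article, not code from Ettercap: it reads ARP replies in a tcpdump-like text format and raises an alert when an IP’s MAC changes, when a pinned gateway mapping is contradicted, or when one MAC answers for several IPs. The sample lines and their field layout are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a tcpdump-like layout "<time> ARP, Reply <ip> is-at <mac>, length N"
# (the field order is an assumption; these are not real capture lines).
SAMPLE_ARP = """\
10:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:02.000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20, length 28
10:00:03.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:03.100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:04.500 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
10:00:04.600 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
"""

ARP_REPLY = re.compile(r"^(?P<ts>\S+) ARP, Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})")


def detect_arp_spoofing(text, trusted=None):
    """Scan ARP replies and return a list of (timestamp, kind, subject, detail) alerts.

    kinds: TRUSTED_MISMATCH - a reply contradicts a pinned IP->MAC mapping (e.g. the gateway)
           MAC_CHANGED      - an IP's MAC differs from the first reply seen for it
           MULTI_IP_MAC     - one MAC answered for several IPs (both sides of a MITM)
    """
    trusted = dict(trusted or {})
    first_seen = {}                 # ip -> MAC from the first reply observed
    ips_per_mac = defaultdict(set)  # mac -> IPs it claimed
    alerts = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue                # requests and unrelated lines carry no claim
        ts, ip, mac = m.group("ts", "ip", "mac")
        ips_per_mac[mac].add(ip)
        if ip in trusted and trusted[ip] != mac:
            alerts.append((ts, "TRUSTED_MISMATCH", ip, mac))
        elif ip in first_seen and first_seen[ip] != mac:
            alerts.append((ts, "MAC_CHANGED", ip, mac))
        first_seen.setdefault(ip, mac)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(("-", "MULTI_IP_MAC", mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    # Pinning the gateway's real MAC turns the first bogus reply into a hard alert.
    for alert in detect_arp_spoofing(SAMPLE_ARP, trusted={"192.168.1.1": "00:11:22:33:44:55"}):
        print(alert)
```

Pinning known gateway and server addresses in `trusted` is what makes the check robust: without it, the first reply seen for an IP is taken as the baseline, which an attacker who is already spoofing when monitoring starts could satisfy.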

Tcpdump

Tcpdump is a powerful command-line packet analyzer developed by the same people as libpcap, a portable C/C++ library for network traffic capture. It prints out a description of the contents of packets on a network interface, preceded by a timestamp.

Pros

  • Can save packet data to a file for later analysis
  • Can read from a saved packet file instead of a network interface
  • Can read a list of saved packet files

Cons

  • Command line only
  • Can impact performance at times
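To make the saved-packet-file point concrete, the following added example (not tcpdump’s or libpcap’s code) builds a small two-packet pcap file in memory and then parses it back: the 24-byte global header, each 16-byte record header, and the Ethernet/IPv4 fields needed for a tcpdump-style one-line summary. The packets are synthetic, and an Ethernet link type is assumed.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap magic number
LINKTYPE_ETHERNET = 1


def build_sample_pcap() -> bytes:
    """Construct a two-packet pcap file in memory (synthetic packets, assumption)."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type
    data = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)

    def frame(src_ip, dst_ip, proto, payload):
        eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                             64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
        return eth + ip_hdr + payload

    packets = [
        (1700000000, 100, frame("10.0.0.5", "10.0.0.10", 6, b"\x00\x50" * 4)),   # TCP
        (1700000001, 250, frame("10.0.0.10", "10.0.0.5", 17, b"\x00" * 8)),      # UDP
    ]
    for ts_sec, ts_usec, pkt in packets:
        # Record header: ts_sec, ts_usec, captured length, original length
        data += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return data


def read_pcap(data: bytes) -> list:
    """Parse pcap bytes into per-packet dicts; raises ValueError on malformed input."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")

    packets, offset = [], 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        pkt = data[offset:offset + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated packet data")
        offset += incl_len
        info = {"ts_sec": ts_sec, "ts_usec": ts_usec, "length": orig_len,
                "src": None, "dst": None, "proto": None}
        # Ethernet II carrying IPv4: EtherType 0x0800, then a 20+ byte IP header
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00" and pkt[14] >> 4 == 4:
            info.update(src=socket.inet_ntoa(pkt[26:30]), dst=socket.inet_ntoa(pkt[30:34]), proto=pkt[23])
        packets.append(info)
    return packets


def format_line(info: dict) -> str:
    """tcpdump-style one-line summary: timestamp first, then addresses and protocol."""
    ts = f"{info['ts_sec']}.{info['ts_usec']:06d}"
    if info["src"] is None:
        return f"{ts} non-IPv4 frame, length {info['length']}"
    return f"{ts} IP {info['src']} > {info['dst']} proto {info['proto']}, length {info['length']}"


def is_valid_pcap(data: bytes) -> bool:
    """True if the bytes parse as a complete Ethernet pcap file."""
    try:
        read_pcap(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in read_pcap(build_sample_pcap()):
        print(format_line(p))
```

The length checks on every record header and packet body are the part worth copying: a capture cut off mid-write, or a deliberately malformed file handed to a forensic tool, must fail cleanly rather than produce garbage packets.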

Wfuzz

Wfuzz is helpful for running brute-force tests against various elements such as directories, scripts, or forms. Like many other tools in our list, it can be found in Kali Linux, but users can also install it with the command sudo apt install wfuzz.

Pros

  • Accepts wordlists
  • Allows customized configurations
  • Documented

Cons

  • Significantly slower than other options
  • Requires more central processing unit (CPU) power and random access memory (RAM)

4 Best Network Scanning and Enumeration Tools

Network scanning and enumeration tools probe networks and traffic for weaknesses and vulnerabilities. Nmap Free Security Scanner, Wireshark, and Gobuster Directory Scanner are leading network scanning and enumeration tools.

Nmap Free Security Scanner

Nmap, included in Kali Linux and also available from nmap.org, is a free command-line tool run in a terminal for tasks such as discovering open ports, which helps users detect vulnerabilities. It is well suited to scanning large networks quickly.

Behind the scenes, Nmap uses raw IP packets to identify available hosts and services on the network. As well as a port scanner, it aids pentesting by flagging the best areas to target in an attack, which is useful for ethical hackers in determining network weaknesses.

Pros

  • A comprehensive, free, and open-source solution
  • Can be combined with a GUI such as Zenmap
  • Full of advanced networking features
  • Accepts custom scripts
  • Can scale to scan huge networks but can also be deployed against single hosts

Cons

  • Can be hard to configure and master, especially for those not familiar with Linux; however, it also runs on other OSes
  • The extensive range of commands and options can be overwhelming
  • Detection tools will likely spot and log Nmap scans
  • Nmap is a scanner, not an exploitation tool: it points out where weaknesses might lie but does not probe for or exploit vulnerabilities

Wireshark

Wireshark is probably the most popular network protocol analyzer. It is a packet analyzer, or sniffer, that is included in Kali Linux, but users can also install it as stand-alone software or as a package on most operating systems.

Wireshark is often used to show what is happening on the network and to assess traffic for vulnerabilities in real time. By examining connection-level information as well as the contents of individual data packets, it reveals their characteristics, origin, destination, and more.

Wireshark network scanning screenshot

Pros

  • Rich interface with lots of panels and removable tabs
  • Can see the finest details
  • Assesses traffic vulnerabilities in real time
  • Can be used to assess wireless networks
  • Runs on Windows, Linux, Mac, and most other OSes
  • Output can be exported to XML, PostScript, CSV, or plain text

Cons

  • Harder to learn and master than other network analysis tools
  • Captures all requests on the network, so you have to know how to fine-tune it and use filters
  • While it flags potential weaknesses, a pentesting tool is still required to exploit them
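To make concrete what a packet analyzer like Wireshark decodes, and what a scanner like Nmap leaves behind for detection tools to log (see the Nmap cons above), here is an added example that is not part of the original article and is not code from either project: it dissects raw IPv4/TCP headers into the fields an analyst inspects first, then applies a simple port-scan heuristic over the decoded packets. The packets, addresses and threshold are all constructed for the demo.

```python
"""Added example (not from the article): dissect raw IPv4/TCP packets the way a
protocol analyzer does, then apply a SYN-scan heuristic over the decoded stream.
All traffic below is constructed inline; nothing is read from a live interface."""
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

TCP_FLAGS = {0x02: "SYN", 0x10: "ACK", 0x04: "RST", 0x01: "FIN", 0x08: "PSH", 0x20: "URG"}


def parse_ipv4_tcp(raw: bytes) -> Dict[str, object]:
    """Decode the fixed part of an IPv4 header and the TCP header that follows it."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4      # IHL is in 32-bit words
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    if proto != 6:
        raise ValueError(f"protocol {proto} is not TCP")
    tcp = raw[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (off_flags >> 12) * 4                  # TCP header length in bytes
    flag_bits = off_flags & 0x01FF
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "flags": sorted(name for bit, name in TCP_FLAGS.items() if flag_bits & bit),
        "payload_len": max(0, total_len - ihl - data_offset),
    }


def build_syn(src: str, dst: str, sport: int, dport: int, flags: int = 0x02) -> bytes:
    """Build a minimal IPv4+TCP header pair (no options, no payload, checksums zeroed).
    Exists only to construct demo traffic for this example."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def detect_port_scans(packets: List[bytes], threshold: int = 10) -> Dict[Tuple[str, str], int]:
    """Count distinct destination ports each source probes on each destination with
    SYN-only segments; return (src, dst) pairs at or above the threshold. This catches
    a half-open SYN sweep; it is a heuristic, not a signature, so tune the threshold."""
    probed: Dict[Tuple[str, str], set] = defaultdict(set)
    for raw in packets:
        try:
            pkt = parse_ipv4_tcp(raw)
        except ValueError:
            continue                # non-TCP or malformed: skip rather than crash the detector
        if pkt["flags"] == ["SYN"]:
            probed[(pkt["src"], pkt["dst"])].add(pkt["dport"])
    return {pair: len(ports) for pair, ports in probed.items() if len(ports) >= threshold}


# Constructed demo traffic: one host sweeping 20 ports on a server, a legitimate client
# opening only ports 80 and 443, and the server's SYN/ACK reply (which is not a probe).
SCANNER, CLIENT, SERVER = "10.0.0.66", "10.0.0.7", "10.0.0.1"
DEMO_PACKETS = [build_syn(SCANNER, SERVER, 40000 + p, p) for p in range(1, 21)]
DEMO_PACKETS += [build_syn(CLIENT, SERVER, 51000, 80), build_syn(CLIENT, SERVER, 51001, 443)]
DEMO_PACKETS += [build_syn(SERVER, CLIENT, 80, 51000, flags=0x12)]

if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(DEMO_PACKETS).items():
        print(f"possible SYN scan: {src} -> {dst} touched {n} distinct ports")
```

The same dissector would run over frames pulled from a pcap file once the link-layer header is stripped; the scan heuristic is the kind of rule a firewall or IDS applies, which is why the Nmap cons note that scans are likely to be logged.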

Gobuster Directory Scanner

Gobuster is included in Kali Linux, and users of other systems can install it as a package using the command sudo apt install gobuster. It is efficient software for quickly enumerating hidden directories and files.

Many web apps use default directories and filenames that are relatively predictable. As a result, the tool can discover them by brute-forcing candidate names from a wordlist.

Pros

  • Accepts wordlists, including the SecLists collection installable via the command sudo apt install seclists
  • Can extract lots of information such as directories, subdomains, and virtual hosts
  • Can mask where its requests come from by routing them through proxies and setting custom user agents
  • Spots backup and configuration files
  • Can save output results in files

Cons

  • Some Gobuster modules have limited options
  • Robust installations will likely make enumeration more difficult or perhaps block it
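Both Wfuzz and Gobuster work by requesting many candidate paths from a wordlist, so from the server side an enumeration run looks like a burst of 404s for distinct paths from one client. The following is an added example, not code from the article or from either project, showing how a defender can pick that pattern out of ordinary Apache-style access logs; the log lines, addresses, user agent string and thresholds are all constructed.

```python
"""Added example (not from the article): detect directory/file enumeration in web
server access logs. A single broken link refreshed fifty times is not enumeration;
fifty different missing paths in a minute almost certainly is, so the rule counts
DISTINCT 404 paths per client inside a sliding time window. Logs are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_enumeration(lines: List[str], window_s: int = 60, threshold: int = 15) -> Dict[str, dict]:
    """Flag each client IP that accumulates `threshold` or more 404s for distinct paths
    within any `window_s`-second window. Lines for a given IP are assumed to arrive in
    time order, as they do in a server log."""
    recent: Dict[str, deque] = defaultdict(deque)      # ip -> deque of (ts, path)
    flagged: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()                                 # drop entries that aged out of the window
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = {
                "distinct_404s": len(distinct),
                "user_agent": rec["ua"],
                "sample_paths": sorted(distinct)[:5],
                "flagged_at": rec["ts"].isoformat(),
            }
    return flagged


def _line(ip: str, second: int, path: str, status: int, ua: str) -> str:
    """Helper that builds one constructed combined-format log line for the demo."""
    return (f'{ip} - - [10/Feb/2023:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


# Constructed demo log: a wordlist sweep of 20 distinct missing paths in 10 seconds from
# one address, mixed with an ordinary browser that hits the same broken image twice.
WORDLIST = ["/admin", "/backup", "/config", "/.git", "/old", "/test", "/dev", "/api",
            "/uploads", "/login", "/manage", "/dbadmin", "/db", "/tmp", "/logs",
            "/private", "/secret", "/cgi-bin", "/server-status", "/.env"]
DEMO_LOG = [_line("198.51.100.23", i // 2, WORDLIST[i], 404, "constructed-scanner/1.0")
            for i in range(len(WORDLIST))]
DEMO_LOG += [_line("203.0.113.5", 5, "/index.html", 200, "Mozilla/5.0 (constructed)"),
             _line("203.0.113.5", 6, "/missing.png", 404, "Mozilla/5.0 (constructed)"),
             _line("203.0.113.5", 7, "/missing.png", 404, "Mozilla/5.0 (constructed)")]

if __name__ == "__main__":
    for ip, info in detect_enumeration(DEMO_LOG).items():
        print(f"{ip}: {info['distinct_404s']} distinct 404s, UA={info['user_agent']}, e.g. {info['sample_paths']}")
```

Counting distinct paths rather than raw 404s is what keeps the rule from firing on a site with one dead link; the Gobuster cons above note that robust installations make enumeration harder, and a rule like this feeding a rate limiter or WAF is one way they do it.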

Amass

Amass is an open-source network mapping tool that is particularly efficient at DNS (Domain Name System) and subdomain enumeration.

Pros

  • Actively maintained and updated to keep up with the latest techniques and methodologies
  • Backed by OWASP
  • Good documentation
  • Combines various reconnaissance and gathering techniques
  • Offers features similar to Nmap's, including a scripting language

Cons

  • While the commands are straightforward, analyzing the data will be hard for beginners

Other Penetration Testing Technologies

There are a number of complementary technologies often used by organizations to address security holes. Breach and attack simulation, for example, can be something of an automated, continuous pentesting tool. Others include vulnerability scanning tools and vulnerability management solutions. And IT asset management and patch management are important tools for staying on top of known vulnerabilities.

Cyber criminals are constantly adjusting their tactics to maximize effectiveness. Hence, penetration testing is an evolving field. Here are some of the top trends, defenses and tactics to keep in mind:

  • Testing the external attack surface is necessary, as more assets are exposed to the internet and are regularly changing.
  • Greater test frequency is needed to align with software development sprints.
  • Penetration testing as a service (PTaaS) integrates with the development team’s defect tracking system and can programmatically submit vulnerabilities so they are tracked and remediated there.
  • DevOps also needs to perform pentesting, as development and security have become intertwined.
  • Automation should be used where possible to close the security gap and speed up the remediation process.
  • Testing the supply chain is a necessary response to breaches such as SolarWinds and Kaseya.

Bottom Line: Open-Source Penetration Testing Tools

Penetration testing is a critically important practice for keeping networks safe from intruders. While there are some comprehensive paid offerings, many pentesting teams prefer the widely used open-source tools that they’re already familiar with. With a wide range of open-source tools to choose from, pentesters can accomplish comprehensive testing of their environments by using a number of free tools. But whether you use open-source tools, commercial tools, or even third-party services, pentesting is something every organization with a network needs to do regularly.


This updates a February 2022 article by Julien Maury.

Get the Free Cybersecurity Newsletter

Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

The post 24 Top Open Source Penetration Testing Tools appeared first on eSecurity Planet.

What Is Managed Detection and Response? Guide to MDR https://www.esecurityplanet.com/networks/managed-detection-and-response-mdr/ Fri, 17 Feb 2023 15:08:40 +0000 https://www.esecurityplanet.com/?p=26619 Managed detection and response (MDR) goes beyond other managed security services by essentially giving organizations their own expert security analyst team to help identify and respond to cyber threats. The emergence of MDR was in many ways inevitable. Security has become so time-consuming and complex that many organizations have realized, vital though the function is, […]

The post What Is Managed Detection and Response? Guide to MDR appeared first on eSecurity Planet.

Managed detection and response (MDR) goes beyond other managed security services by essentially giving organizations their own expert security analyst team to help identify and respond to cyber threats.

The emergence of MDR was in many ways inevitable. Security has become so time-consuming and complex that many organizations have realized, vital though the function is, that it lies well beyond their core competency and has become a distraction to their regular business model. And the cost of starting their own security operations center (SOC) is so daunting that the thought of outsourcing the function to a managed security services provider (MSSP) has become increasingly attractive.

Given the nearly impossible job of staying on top of cyber threats, it’s not surprising that security services now comprise 45% of the $188 billion security and risk management market, according to Gartner. And MDR is leading the way with the fastest growth rate.


What is MDR?

MDR offers the functions of a security operations center (SOC) — monitoring, detecting, analyzing, investigating, and leading the response to cyber threats in order to mitigate and contain them — except that the provider delivers them remotely, through monitoring of logs, endpoint agents and other means.

MDR services gather data from logs and other sources of contextual information, and skilled experts analyze it as part of incident management. MDR providers utilize a range of advanced technologies like behavior analytics, AI and machine learning to stay on top of threats. These services can cover on-premises environments, remote assets, cloud assets, and industrial control and operational technology environments.

MDR providers offer a range of technology, staff and services, such as:

  • 24/7 SOC coverage and analytics
  • A technology stack owned and managed by the service provider
  • Real-time threat monitoring, detection, investigation and mitigation
  • Staff that engage with customer data and intervene as needed
  • Orchestration and centralization of threat detection and response
  • Monitoring of cloud infrastructure and SaaS applications such as Microsoft 365, Google Workspace, Workday, Salesforce, and Box
  • Routine threat hunting of customer environments

How Managed Detection and Response Works

MDR gives organizations the ability to set up a security operations center (SOC) function to stay on top of threats around the clock, something even large enterprises struggle to do.

When a threat is detected, MDR analysts offer remediation guidance to the customer and conduct an extensive investigation and analysis to identify the extent of the threat. Ideally, dedicated MDR analysts develop a deep understanding of the customer’s environment, in essence giving the customer its own SOC without the 7-figure startup cost.

“MDR blends the necessary people, expertise, processes, and technology to rapidly detect, analyze, investigate, validate, and respond to threats across the modern environment – endpoint, network, application, and cloud services layers,” said Jeremiah Dewey, Rapid7’s Senior Vice President for Managed Services Delivery.

MDR, Dewey added, is a partnership that strengthens an organization’s security posture by addressing three core approaches to security: proactive, reactive, and strategic. This partnership deploys MDR teams where they can have the most impact and helps internal teams focus on other vital security and business priorities. Rapid7 offers an MDR buyer’s guide (gated) looking at critical considerations, common RFP questions, and more.

The InsightIDR XDR platform is at the heart of Rapid7’s MDR service

Jeff Pollard, an analyst at Forrester Research, adds that skill in threat hunting has become more important than ever. He said many service providers say they offer threat hunting as part of MDR, but a large number only provide automated systems that do a light form of threat hunting. Certainly, automation and AI play an important part in the best systems. But what differentiates the top-notch ones from the rest is the human touch.

“MDR vendors emerge from plenty of different backgrounds,” said Pollard. “Threat hunting, performed by humans, is a must-have for any MDR provider.”

Top 4 Benefits of MDR

MDR has many benefits. But the most important involve adding critical security analyst capabilities to your team.

  • You engage a team of security intelligence experts who are experienced at dealing with the latest attack vectors across hundreds of different customer sites and environments.
  • You fill gaps in security coverage across nights and weekends in addition to adding greater security during business hours.
  • You have access to the latest tools and technologies, and the confidence that they’re up to date.
  • You can free your IT staff from security worries and duties that they may not be fully equipped for so they concentrate on projects that have strategic importance to the business.

The Two Common Problems MDR Addresses

Modern businesses are under assault on all fronts by cyber attackers who live and breathe the latest tactics, techniques and procedures (TTPs) that give them an advantage in their efforts to breach enterprise and SMB defenses. Few businesses can match that with the same level of dedication and resources on the defensive side. Businesses want their IT personnel adding value, not putting out security fires. MDR providers solve those problems by offering a team of security pros dedicated to defenses and threat hunting, giving you instant SOC capabilities.

The other common problem managed detection and response addresses is the cybersecurity skills gap. There are huge numbers of unfilled security positions across the IT and enterprise landscape. To find the best talent, you have to be willing to pay top dollar. Many businesses can’t afford that, and those that can must compete against the likes of Silicon Valley titans and financial services giants. Those that do manage to lure great security resources have to work overtime to try to retain them. Headhunters are always on the prowl with lucrative offers for cybersecurity stars. MDR solves these personnel headaches by paying for the talent as a service, leaving the hiring headaches to the service provider.

And managed security service providers seem to do a good job with all those challenges: The majority of MSSPs that participated in MITRE’s first-ever MSSP security evaluations last year posted strong results.

See the Top Managed Detection and Response (MDR) Services

MDR vs. Other Types of Security

MDR is one way to augment cybersecurity resources, but it’s not the only one. Here are a few of the services it competes with.

What Is the Difference Between MDR & MSSP?

An MSSP is a blanket term for a cybersecurity services provider that can offer a range of specialized services, such as SOC-as-a-Service (SOCaaS), MDR, or management of various security tools. MDR is a specific service – often considered a targeted subset of an MSSP offering – that in-house security teams may leverage to help detect and respond to threats and breaches.

MDR, then, is one service that an MSSP can offer, albeit one that offers security at a deeper level than most MSSPs. Not all MDR or MSSP services are created equal, however. There are differences in a service provider’s ability to effectively detect, investigate, respond, and collaborate with the end customer.

“Generally speaking, legacy MSSPs manage multiple security technologies and relay alerts or notifications to the customer,” said Rapid7’s Dewey. “It is up to that organization to take those notifications to the next step of response.” 

In recent years, though, some MSSPs have evolved their services by incorporating more elements of MDR to take on triaging, response, and mitigation of threats. At the high end, MDR supplies a dedicated, deep level of threat detection and response expertise and service depth that can only be provided by expert specialists.

See the Top Managed Security Services Providers (MSSPs)

What Is the Difference Between MDR & Managed SIEM?

Security Information and Event Management (SIEM) is a centralized security management system that ingests log data from a wide range of network hardware and software systems and analyzes that data in real time. A SIEM’s purpose is to correlate events and spot anomalies or patterns of behavior that may indicate a security breach – using intelligence feeds to ensure that it is aware of new threats as they emerge – and to present that log data in a manageable and easily understood form so that it can be interpreted effectively by security staff. SIEMs are also used to collect log information from security and other systems to generate reports for compliance purposes.

But SIEM management demands expertise, such as the ability to correlate data across systems and recognize when an alert should be acted on immediately. Thus, managed SIEM services take care of the management of that technology for customers. Some providers also deliver MDR services using SIEM technology. For example, Rapid7’s MDR service leverages XDR as well as SIEM technology (InsightIDR) to aggregate data and use it to drive detection and response outcomes.
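As an added illustration of the two SIEM functions described above, normalizing records from unrelated systems into one event schema and correlating them into a higher-level alert, here is an example that is not from the article or from any SIEM product. The sshd-style line is simplified (ISO timestamp, no hostname); the cloud console JSON record and its field names are hypothetical; all users, addresses and timestamps are constructed for the demo.

```python
"""Added example (not from the article): a miniature SIEM pipeline. Step 1 normalizes
raw records from two different sources into one AuthEvent schema; step 2 runs a
correlation rule across the merged stream: many failed logins for a user, then a
success for that user from the same address within a window. All data is constructed."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass
class AuthEvent:
    ts: datetime
    source: str      # which system produced the record
    user: str
    src_ip: str
    success: bool


# Simplified sshd-style line (constructed): "<iso-ts> sshd[pid]: Failed|Accepted password for <user> from <ip> ..."
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def normalize(raw: str) -> Optional[AuthEvent]:
    """Map one raw record onto the common schema, or None if the format is unknown
    or the record is not a login event. A real SIEM would count the None cases."""
    m = SSHD_RE.match(raw)
    if m:
        return AuthEvent(datetime.fromisoformat(m["ts"]), "sshd", m["user"], m["ip"],
                         m["result"] == "Accepted")
    if raw.startswith("{"):
        rec = json.loads(raw)
        if rec.get("event") == "console.login":      # hypothetical cloud-console record
            return AuthEvent(datetime.fromisoformat(rec["time"]), "cloud-console",
                             rec["user"], rec["client_ip"], rec["outcome"] == "success")
    return None


def correlate(events: Iterable[AuthEvent], failures: int = 5,
              window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Rule: `failures` or more failed logins for a user, followed by a success for the
    same user from the same IP within `window`. Sources are deliberately mixed, so a
    guessing run over SSH that ends in a console login still fires one alert."""
    evs = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, e in enumerate(evs):
        if not e.success:
            continue
        prior = [p for p in evs[:i]
                 if p.user == e.user and p.src_ip == e.src_ip and not p.success
                 and e.ts - p.ts <= window]
        if len(prior) >= failures:
            alerts.append({
                "rule": "brute_force_then_success",
                "user": e.user, "src_ip": e.src_ip,
                "failed_attempts": len(prior),
                "sources": sorted({p.source for p in prior} | {e.source}),
                "success_at": e.ts.isoformat(),
            })
    return alerts


# Constructed records: six SSH failures for alice from one address, then a console
# login success from the same address; bob's two failures and success are normal noise.
RAW_RECORDS = [
    f"2023-02-17T09:0{i}:00 sshd[4242]: Failed password for alice from 203.0.113.9 port 5{i}000 ssh2"
    for i in range(6)
]
RAW_RECORDS += [
    "2023-02-17T09:01:00 sshd[4243]: Failed password for bob from 198.51.100.4 port 61000 ssh2",
    "2023-02-17T09:01:20 sshd[4243]: Failed password for bob from 198.51.100.4 port 61001 ssh2",
    "2023-02-17T09:01:40 sshd[4243]: Accepted password for bob from 198.51.100.4 port 61002 ssh2",
    "2023-02-17T09:02:00 cron[1]: job ran",                           # unknown format, dropped
    json.dumps({"event": "console.login", "time": "2023-02-17T09:07:30", "user": "alice",
                "client_ip": "203.0.113.9", "outcome": "success"}),
    json.dumps({"event": "console.logout", "time": "2023-02-17T09:09:00", "user": "alice"}),
]


def run_pipeline(raw_records: List[str]) -> List[dict]:
    """Normalize, drop what could not be parsed, correlate."""
    return correlate(e for e in map(normalize, raw_records) if e is not None)


if __name__ == "__main__":
    for alert in run_pipeline(RAW_RECORDS):
        print(alert)
```

The point the text makes about managed SIEM is visible in the rule's parameters: someone has to pick the window and the failure count for each environment, decide which alerts warrant action, and keep the normalizers current as log formats change. That is the expertise a managed SIEM or MDR provider supplies.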

“An MDR service should be focused on the outcome – rapid detection, investigation, and response to threats in the environment – not just keeping a technology stack running,” said Dewey.

Managed security services can also address smaller but still important tasks such as managed firewalls or patch management services.


What Is the Difference Between EDR, MDR, and XDR?

Don’t be fooled by the “DR.” Despite similar acronyms, MDR, EDR and XDR are quite different.

Endpoint detection and response (EDR) is a technology solution aimed at securing and centrally managing endpoints across a network, something like antivirus software on steroids for enterprises.

Extended detection and response (XDR) platforms tie together a range of security tools to work effectively across the modern IT environment – endpoints, networks, applications, users, and the cloud.

EDR and XDR are both tools, and tools require people to manage them and make them effective.

MDR, on the other hand, is a service that combines technology (often with EDR and XDR solutions as core components) with security experts and processes to deliver outcomes that go beyond the capabilities of a single tool.

The best approach is one that uses comprehensive detection and response visibility, with layers of security to increase the depth of defenses. Even if you already have tools like EDR, XDR, SIEM and firewalls, an MDR service can help you get the most out of them while augmenting your IT staff.

“By using an MDR service as a partner in security operations, customers can realize the benefits of EDR or XDR while having that team of experts to better detect and respond to threats that can come from an endpoint, as well as network, user, and cloud threats,” said Dewey.

Who Should Use an MDR Solution?

There are many types of buyers of MDR services. But a common thread among them is that security teams often find it difficult to fully operationalize their security programs. The costs to stand up a SOC, implement the right technology, and drive an effective security process can be daunting. Keeping up with a rapidly changing threat landscape only grows more difficult as the cybersecurity landscape morphs in ever-more malicious directions.

“Use MDR services to obtain 24/7, remotely delivered, modern security operations center capabilities when there are no existing internal capabilities, or when the organization needs to accelerate or augment existing security operations capabilities,” said Gartner analyst Peter Shoard.

MDR providers help organizations face these challenges by bridging the security achievement gap and operationalizing the program. Even large internal operations teams use MDR as a second set of eyes. As MDR service providers often see hundreds, if not thousands of customer environments, that scale can be useful for those wanting to stay on top of what is happening across the threat landscape.

MDR offerings differ from provider to provider; they are not one-size-fits-all services. Some providers offer only basic MDR functions. Some buyers, meanwhile, may want a provider to take on management of other technologies such as firewall management, IT management and administration, or break/fix capabilities. In the latter case, they should seek out an MDR provider that can proficiently, and cost effectively, provide deep expertise across detection and response along with other security and IT disciplines.

Care should be taken in selecting MDR providers. As their numbers increase, so does the range of services they offer. Gartner recommends that users assess how the provider’s containment approach integrates with existing organizational policies and procedures. Further tips include investigating whether the provider’s technology stack or supported set of technologies is a good fit with existing security technologies and controls as well as the on-premises and cloud environments in use. Some MDR offerings are more suited to certain platforms than others. Similarly, certain providers have a firm focus and experience in specific verticals.

MDR may not be for everyone. Those lucky enough to possess a large, skilled cybersecurity team with the bandwidth to stay on top of every aspect of security can perform the services of MDR or an MSSP as well, and depending on the team and the organization’s commitment, possibly better.

Bottom Line: Managed Detection & Response

There is no doubt that MDR will be adopted by many more organizations in the near future. According to Shoard, half of all organizations will be using MDR services for threat containment and mitigation within two years. By then, the market will be worth more than $2 billion annually, up from $1 billion in 2021. Other analysts say the MDR market is as big as $5 billion. Whatever the source, it’s growing significantly faster than the cybersecurity market as a whole.

Any business struggling to keep its head above the dangerous waters of cyber threats should seriously consider handing over security duties to an MDR provider. With the right provider in place, the organization is freed to focus on what it does best – provide products and services to its clientele.

Read next: Managed SIEM: A Faster Way to Great Security

LookingGlass Cyber Solutions: Threat Intelligence Review https://www.esecurityplanet.com/products/lookingglass-cyber-solutions/ Fri, 10 Feb 2023 12:00:00 +0000 https://www.esecurityplanet.com/2017/07/18/lookingglass-cyber-solutions-threat-intelligence-product-overview-and-insight/ The LookingGlass scoutPrime threat intelligence platform (TIP) integrates enterprise-grade external security threat information with information on internal architecture and security information to create actionable, prioritized risk scores for threats. The TIP provides security professionals with accelerated analysis of how threats might impact the organization and how to counter those threats. This article provides more in-depth […]

The post LookingGlass Cyber Solutions: Threat Intelligence Review appeared first on eSecurity Planet.

The LookingGlass scoutPrime threat intelligence platform (TIP) integrates enterprise-grade external security threat information with information on internal architecture and security information to create actionable, prioritized risk scores for threats.

The TIP provides security professionals with accelerated analysis of how threats might impact the organization and how to counter those threats. This article provides more in-depth information on the product and its features.

For a comparison with other TIP products, see our complete list of top threat intelligence companies.

Company Description

Spun out from the U.S. National Security Agency (NSA) in 2009, LookingGlass Cyber Solutions provides three threat intelligence analysis products: a threat intelligence platform (scoutPrime), a threat modeling tool (scoutThreat), and an attack surface monitoring solution (scoutInspect). LookingGlass is a privately held company based in Reston, Va., with an estimated 300 employees and more than $100 million in funding.

Product Description

The LookingGlass scoutPrime tool incorporates more than 100 threat feeds to provide the latest intelligence on malware, indicators of compromise (IoCs), malicious URLs, and malicious entities. Augmenting it is a worldwide team of security analysts who continuously enrich the data feeds and provide customers understanding and response capability into cyber, physical and third-party risks.

With this TIP, analysts can deliver guidance to stakeholders via flexible analyst workflow, third-party risk monitoring, and customizable threat intelligence scoring. “Prioritized, relevant and timely insights enable customers to take action on threat intelligence across the different stages of the attack life cycle,” the company says.

scoutPrime also delivers the following features:

  • Dynamic internet footprinting: monitors and analyzes internet-accessible assets and networks to detect connections to known command-and-control nodes
  • Risk scoring and prioritization: a proprietary Threat Indicator Confidence score ranks threats based on the attack surface, an organization’s environment, and the threat landscape
  • Tool integration: enrichment from geolocation, pDNS, Shodan, and WhoIs/Reverse WhoIs
  • Data aggregation: aggregates, indexes, and normalizes data sources, proprietary indicators, and intelligence feeds
  • Real-time alerts: delivered by email for new vulnerabilities, exceeded thresholds, and workflow triggers
  • Relationship monitoring: classifies assets into groups and subgroups to monitor and develop categorized risk profiles
  • APIs and integrations: export threat intelligence to security appliances
  • Reporting: unlimited automated and on-demand management reports and scorecards

Agents

LookingGlass does not use agents.

Markets and Use Cases

LookingGlass is suitable for all verticals, with particular uptake for third-party risk monitoring. Reflecting its NSA roots, the four main sectors adopting LookingGlass are defense, energy, financial, and government.

Applicable Metrics

LookingGlass scoutPrime scales to meet the demands of global top 50 companies. More than 140 sources of threat data are gathered, ingested, aggregated, normalized, enriched and analyzed to create threat intelligence.

Security Qualifications

scoutPrime is STIX and TAXII 2.0 compliant, and it is deployed in secure government agencies and healthcare facilities.

Intelligence

It includes machine-readable threat intelligence.
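STIX and TAXII are the standards under which a TIP such as scoutPrime exports machine-readable intelligence. As an added example, not from the review and not LookingGlass code, the following parses a small STIX 2.1 bundle of indicators into a lookup table and matches locally observed values against it. The bundle, its identifiers and the observations are constructed; the pattern parser is deliberately limited to simple equality comparisons (an assumption of this example), not the full STIX patterning grammar.

```python
"""Added example (not from the review): consume machine-readable threat intelligence.
A STIX 2.1 bundle, as a TAXII server would deliver it, is reduced to a table of
object-path -> indicator values, then local observations are checked against it.
Revoked indicators and non-STIX pattern types are skipped. All data is constructed."""
import json
import re
from typing import Dict, List, Set, Tuple

# One comparison inside a STIX pattern, e.g.  domain-name:value = 'c2.example.invalid'
# Assumption of this example: only simple '=' comparisons are handled, no full grammar.
COMPARISON_RE = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.-]+)\s*=\s*'([^']*)'")


def load_bundle(text: str) -> dict:
    """Parse the JSON a TAXII response carries and check it is a STIX bundle."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX bundle")
    return bundle


def extract_indicators(bundle: dict) -> Dict[str, Set[str]]:
    """Map each object path (e.g. 'ipv4-addr:value') to the set of values asserted by
    every non-revoked indicator whose pattern_type is 'stix'."""
    iocs: Dict[str, Set[str]] = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":    # snort/yara/sigma patterns need other engines
            continue
        for path, value in COMPARISON_RE.findall(obj.get("pattern", "")):
            iocs.setdefault(path, set()).add(value)
    return iocs


def match_observations(iocs: Dict[str, Set[str]],
                       observations: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """observations are (object_path, value) pairs taken from local telemetry such as
    DNS or proxy logs; the result is the subset that hits an indicator."""
    return [(path, value) for path, value in observations if value in iocs.get(path, set())]


# Constructed bundle (ids and values are placeholders, not real intelligence).
DEMO_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "constructed C2 domains", "pattern_type": "stix",
         "valid_from": "2023-02-10T12:00:00Z",
         "pattern": "[domain-name:value = 'c2.example.invalid' OR domain-name:value = 'update.example.invalid']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "constructed scanner address", "pattern_type": "stix",
         "valid_from": "2023-02-10T12:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.77']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "withdrawn false positive", "pattern_type": "stix", "revoked": True,
         "valid_from": "2023-02-10T12:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.5']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000005",
         "name": "non-STIX pattern, skipped here", "pattern_type": "snort",
         "valid_from": "2023-02-10T12:00:00Z",
         "pattern": "alert tcp any any -> any 80 (sid:1000001;)"},
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--00000000-0000-4000-8000-000000000006",
         "name": "constructed feed producer", "identity_class": "organization"},
    ],
})

# Constructed local observations: (object path, value seen in our own logs).
DEMO_OBSERVATIONS = [
    ("domain-name:value", "www.example.com"),
    ("domain-name:value", "update.example.invalid"),
    ("ipv4-addr:value", "203.0.113.77"),
    ("ipv4-addr:value", "198.51.100.5"),        # only in the revoked indicator: must not hit
]

if __name__ == "__main__":
    table = extract_indicators(load_bundle(DEMO_BUNDLE_JSON))
    for path, value in match_observations(table, DEMO_OBSERVATIONS):
        print(f"IoC hit: {path} = {value}")
```

Honoring the revoked flag is the detail worth noticing: a TIP that continuously enriches and corrects its feeds will withdraw indicators, and a consumer that ignores revocation keeps alerting on retracted intelligence.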

Delivery

scoutPrime is a cloud-hosted SaaS product.

Pricing

No specific pricing details are available on the LookingGlass website. Documentation indicates that scoutPrime is licensed separately as a component of the LookingGlass Suite.

This article was originally written by Drew Robb on July 18, 2017, and updated by Chad Kime on February 10, 2023.

Twistlock: Prisma Cloud Container Security Overview and Analysis https://www.esecurityplanet.com/products/twistlock/ Fri, 10 Feb 2023 11:00:00 +0000 https://www.esecurityplanet.com/2018/12/26/twistlock-container-security-product-overview-and-analysis/ At the time it was acquired by Palo Alto Networks in late 2018, Twistlock was in use by 25% of the Fortune 100. Its automated and scalable container cybersecurity platform has now been incorporated into Palo Alto’s Prisma Cloud. Since the acquisition, Palo Alto Prisma has added Twistlock’s functions to a larger suite of cloud-based […]

The post Twistlock: Prisma Cloud Container Security Overview and Analysis appeared first on eSecurity Planet.

At the time it was acquired by Palo Alto Networks in late 2018, Twistlock was in use by 25% of the Fortune 100. Its automated and scalable container cybersecurity platform has now been incorporated into Palo Alto’s Prisma Cloud.

Since the acquisition, Palo Alto Prisma has added Twistlock’s functions to a larger suite of cloud-based functions known as Prisma Cloud. It is a cloud-native security platform with security and compliance coverage for users, applications, data, and the cloud technology stack.

Twistlock was featured on our list of the top container and Kubernetes security vendors, where Prisma Cloud now takes its place.

What Is Twistlock Container Security?

The Twistlock Cloud Native Cybersecurity Platform provided full lifecycle security for containerized environments. From pipeline to perimeter, Twistlock helped customers deploy containers at scale and secure the entire cloud native stack, from the host OS to serverless functions.

As part of the Prisma Cloud, it helps organizations manage rules governing Docker configurations, containers, images, nodes, plugins, and services. They can take advantage of integration with secrets management tools like CyberArk and HashiCorp. They can also ingest Kubernetes audit data and surface rules to identify events to alert on.

Palo Alto integration efforts have resulted in a platform that provides full visibility into all dependencies from containers during the build, deploy, and run phases. Prisma Cloud aggregates and prioritizes vulnerabilities continuously in CI/CD pipelines and containers running on hosts or on containers as a service, in public and private clouds.

What Are Twistlock’s Key Features?

The Twistlock Platform began as a vulnerability management and compliance tool across the container lifecycle, scanning images and serverless functions to prevent security and compliance issues from progressing through the development pipeline. It also offered continuous monitoring of all registries and environments, defense in depth, cloud-native firewalls, and access control for containers, as well as automated, machine-learning driven runtime defense.

Palo Alto’s Prisma Cloud includes all these features but goes well beyond them to provide protection for critical applications, whether they are in containers, in multi-cloud, or hybrid environments. Prisma Cloud’s capabilities include:

  • Securing deployments with Open Policy Agent and crafting rules in the Rego policy language
  • Surfacing all audit alerts and activities in a single pane of glass for analysis
  • Scanning container images and enforcing policies as part of CI/CD workflows
  • Continuously monitoring code in repositories and registries
  • Securing managed and unmanaged runtime environments
  • Combining risk prioritization with runtime protection at scale
  • Providing full life cycle security for repositories, images, and containers
  • Establishing risk prioritization across all known CVEs, with remediation guidance and per-layer image analysis with vulnerability Top 10 lists
  • Controlling the alert and blocking severity level for individual services and groups of services during build time and runtime
  • Minimizing false positives
  • Integrating vulnerability management to scan repositories, registries, CI/CD pipelines and runtime environments

Prisma Cloud container security dashboard

How Well Does It Perform?

Container scans by Prisma Cloud consume 10-15% of memory and 1% of CPU and take about one to five seconds per container. Prisma Cloud tested performance in a scaled-out environment that replicates a real-world workload and configuration. The test environment built on Kubernetes clusters consisted of 20,000 hosts, a console with 16 vCPUs and 50 GB memory, defenders with 2 vCPUs and 8 GB memory running in a container-optimized OS.

A total of 323 images and 192,087 containers were involved – with a density of 9.6 containers per host. The measured resource consumption came out at 1,474 MiB of RAM and 8% of the CPU for the console, and 83 MiB RAM and 1% CPU for the defender. According to Forrester Consulting’s 2021 study, Prisma Cloud helped organizations improve SecOps efficiency, improve DevOps productivity to enable DevSecOps, reduce material data breaches, and improve compliance productivity.

How Is It Delivered?

Prisma Cloud supports the Kubernetes, Docker, VMware Tanzu, and Red Hat OpenShift container platforms. As the name implies, it is delivered as SaaS via the cloud.

How Much Does Prisma Cloud (formerly Twistlock) Cost?

No pricing data is available on Prisma Cloud.

This article was originally written by Sean Michael Kerner on Dec. 26, 2018 and revised by Drew Robb on Feb. 10, 2023.


Anomali ThreatStream: Threat Intelligence Product Overview and Insight https://www.esecurityplanet.com/products/anomali-threatstream/ Wed, 08 Feb 2023 18:00:00 +0000 https://www.esecurityplanet.com/2017/07/18/anomali-threatstream-threat-intelligence-product-overview-and-insight/ The Anomali ThreatStream threat intelligence platform (TIP) integrates hundreds of threat information feeds with the analytics a security professional needs to understand how a specific threat might impact the organization. This article provides more in-depth information on the product and its features. For a comparison with other TIP products, see our list of the top […]

The Anomali ThreatStream threat intelligence platform (TIP) integrates hundreds of threat information feeds with the analytics a security professional needs to understand how a specific threat might impact the organization. This article provides more in-depth information on the product and its features.

For a comparison with other TIP products, see our list of the top threat intelligence companies.

Company Description

Anomali was founded in 2013 and has since grown to more than 250 employees. It is privately held, with several venture capital investors, and has offices in Redwood City, Belfast, Singapore, and Dubai. Its $40 million Series D round in 2018 brought total funding since launch to more than $96.3 million.

Product Description

The Anomali suite of threat intelligence solutions empowers organizations to detect, investigate, and respond to active cybersecurity threats. The ThreatStream threat intelligence platform (TIP) aggregates and optimizes millions of threat indicators and integrates with internal infrastructure to identify new attacks, discover existing breaches, and enable security teams to quickly understand and contain threats before they affect the whole network.

Other Anomali tools include:

  • STAXX, a free tool to collect and share threat intelligence using STIX and TAXII standards for machine-readable information formatting
  • Lens, a commercial product that uses Natural Language Processing (NLP) to scan unstructured data to identify threats

Until August 14, 2022, Anomali provided a free, out-of-the-box intelligence feed, Anomali Limo. Anomali indicates a replacement may be in development, but has not yet provided any details. However, Anomali continues to provide secure threat sharing for ISACs and threat sharing networks.

Anomali ThreatStream features include:

  • Automated collection of threat data from hundreds of sources and in multiple formats, notably Anomali Labs, open-source (OSINT) feeds, and information sharing and analysis centers (ISACs)
  • Contextualization of threat data with relevant actors, campaigns, and tactics, techniques, and procedures (TTPs)
  • Normalization, enrichment, and de-duplication of data, and removal of false positives, at scale
  • Threat intelligence scoring using machine learning (ML) algorithms, producing a confidence score that reflects the severity of the threat
  • Global intelligence feed ROI optimizer to assess the value of each source
  • Turnkey threat feed integration for security tools such as SIEMs, SOARs, firewalls, IPS, and endpoints
  • Security tool integration for inbound data ingestion and outbound response orchestration
  • Flexible integrations using RESTful APIs and SDKs
  • Workflows and functionalities to analyze and share data
  • Brand monitoring (automatic search for typosquatted domains and compromised credentials)
  • Integrated sandbox to investigate suspicious files and research malicious indicators directly within the ThreatStream platform
  • Extraction of indicators from suspected phishing emails for immediate blocking
  • MITRE ATT&CK mapping of global threats
  • Visual link analysis to connect indicators to associated higher-level threat models
  • Sharing of threat visibility and identification with more than 2,000 other organizations in ThreatStream Trusted Circles
  • Threat bulletins and other finished intelligence products for publishing reports to stakeholders
  • Flexible deployment options: cloud-native, virtual machine, on-premises private instance, or ThreatStream AirGap, a completely stand-alone instance

Additional optional features can include commercial threat feeds and other applications available from the Anomali App Store (some include trial periods).

Anomali describes ThreatStream as “a central platform for collecting, managing, and sharing threat intelligence. Integration with common security solutions ensures that organizations can identify and respond to the threats relevant to their environment.”


Agents

Anomali ThreatStream does not use agents.

Markets and Use Cases

Anomali says it provides value for any organization, in any industry vertical, that is looking to leverage threat intelligence. Anomali's ThreatStream platform is used by many Fortune 100 companies and banks.

Applicable Metrics

ThreatStream consumes both structured and unstructured data from hundreds of threat intelligence feeds, processing millions of Indicators of Compromise (IOCs).

Intelligence

Anomali’s ThreatStream platform utilizes MACULA, a machine learning algorithm, to score and weight indicators and remove false positives. The ThreatStream platform automates traditionally manual data curation tasks. It also integrates with other security products, including SIEMs, firewalls, endpoint products and more.

ThreatStream Trusted Circles enable an organization to share threat visibility and identification with more than 2,000 other participants. Organizations can also acquire premium threat feeds in the Anomali App Marketplace.
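The feature list above (multi-format collection, normalization, de-duplication, false-positive removal, ML scoring, STIX/TAXII-based sharing) and the MACULA scoring described in this section are what a TIP's ingestion path does. The following Python script is an added example written for this article, not Anomali code, and MACULA's actual algorithm is proprietary and not reproduced here. It ingests two constructed feeds in different formats, normalizes and de-duplicates the indicators, assigns a simple score from per-source weights (the SOURCE_WEIGHT values and the cutoff of 40 are assumptions), and emits the survivors as STIX 2.1 Indicator objects that any STIX-consuming tool could accept.

```python
"""Added example (not Anomali code): a miniature TIP ingestion pipeline.

Two constructed feeds in different formats are normalized to one indicator
record, de-duplicated, scored from per-source confidence and corroboration,
low-score entries are dropped as likely false positives, and the survivors are
emitted as STIX 2.1 Indicator objects for a SIEM or firewall to consume.
All feed data below is made up for the example.
"""
import csv
import io
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# Constructed sample feeds (not real data).
CSV_FEED = """indicator,type,confidence
203.0.113.7,ip,80
203.0.113.7,ip,60
evil-login.example,domain,70
198.51.100.1,ip,20
"""

JSON_FEED = json.dumps({
    "source": "isac-share",
    "items": [
        {"value": "203.0.113.7", "kind": "ipv4", "confidence": 90},
        {"value": "EVIL-LOGIN.example.", "kind": "fqdn", "confidence": 50},
        {"value": "not an ip", "kind": "ipv4", "confidence": 99},
    ],
})

# Assumed per-source trust weights and type aliases used by the feeds.
SOURCE_WEIGHT = {"osint-csv": 0.6, "isac-share": 1.0}
TYPE_ALIASES = {"ip": "ipv4-addr", "ipv4": "ipv4-addr",
                "domain": "domain-name", "fqdn": "domain-name"}


def normalize(value, kind):
    """Map a feed-specific (value, type) to a canonical (stix_type, value), or None if invalid."""
    stix_type = TYPE_ALIASES.get(kind.lower())
    if stix_type == "ipv4-addr":
        try:
            return stix_type, str(ipaddress.IPv4Address(value.strip()))
        except ipaddress.AddressValueError:
            return None
    if stix_type == "domain-name":
        return stix_type, value.strip().lower().rstrip(".")
    return None


def parse_csv_feed(text, source="osint-csv"):
    for row in csv.DictReader(io.StringIO(text)):
        yield source, row["indicator"], row["type"], int(row["confidence"])


def parse_json_feed(text):
    doc = json.loads(text)
    for item in doc["items"]:
        yield doc["source"], item["value"], item["kind"], int(item["confidence"])


def aggregate(records):
    """Merge duplicates across feeds; keep the best weighted confidence and count sightings."""
    merged = {}
    for source, value, kind, confidence in records:
        norm = normalize(value, kind)
        if norm is None:
            continue  # unparsable indicator: drop it rather than poison the consolidated feed
        entry = merged.setdefault(norm, {"sightings": 0, "sources": set(), "weighted": 0.0})
        entry["sightings"] += 1
        entry["sources"].add(source)
        entry["weighted"] = max(entry["weighted"], confidence * SOURCE_WEIGHT.get(source, 0.5))
    return merged


def score(entry):
    """0-100 score: best weighted confidence, boosted by 10 per additional independent source."""
    corroboration = 10 * (len(entry["sources"]) - 1)
    return min(100, int(entry["weighted"] + corroboration))


def to_stix(merged, min_score=40):
    """Emit STIX 2.1 Indicator objects for entries above the false-positive cutoff."""
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    out = []
    for (stix_type, value), entry in sorted(merged.items()):
        s = score(entry)
        if s < min_score:
            continue
        out.append({
            "type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": now, "modified": now, "valid_from": now,
            "name": f"{stix_type} {value}",
            "pattern": f"[{stix_type}:value = '{value}']",
            "pattern_type": "stix",
            "confidence": s,
        })
    return out


def run_pipeline():
    records = list(parse_csv_feed(CSV_FEED)) + list(parse_json_feed(JSON_FEED))
    return to_stix(aggregate(records))


if __name__ == "__main__":
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": run_pipeline()}
    print(json.dumps(bundle, indent=2))
```

Running it prints a STIX bundle with two indicators: the address seen in both feeds is corroborated to a score of 100, the domain is accepted at 60 once its two spellings are normalized to one record, the 198.51.100.1 entry from a single low-confidence source falls below the cutoff and is dropped, and the malformed "not an ip" record is rejected at normalization rather than passed downstream.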

Delivery

ThreatStream is available as SaaS, as a virtual machine, on-premises, or as an air-gapped instance. The on-premises and air-gapped options let customers acquire threat information without sharing data or letting internal threat information leave their network.

Pricing

Pricing for the ThreatStream platform varies based on the customer environment. Anomali does not publish pricing on its own website, but the AWS Marketplace lists a 12-month subscription to ThreatStream Enterprise for 3,500 employees at $150,000.

This article was originally written by Drew Robb on July 18, 2017, and updated by Chad Kime on February 8, 2023.





The post Anomali ThreatStream: Threat Intelligence Product Overview and Insight appeared first on eSecurity Planet.

SolarWinds Security Event Manager – SIEM Product Overview and Insight https://www.esecurityplanet.com/products/solarwinds-log-event-manager/ Tue, 07 Feb 2023 00:00:00 +0000 https://www.esecurityplanet.com/2018/11/05/solarwinds-log-event-manager-siem-product-overview-and-insight/


SolarWinds lacks the full security suite presence of some competitors, but its SIEM is well integrated with a variety of bonus IT operations capabilities, such as threat intelligence platform features, privileged access management, USB security, and botnet detection.

These additional capabilities make SolarWinds SEM a good fit for SMEs that may lack their own internal security teams, and particularly those also looking for integrated IT management capabilities. The company targets tightly resourced, budget-conscious security teams in organizations with up to 10,000 employees, and often cites compliance as a driver.

For a comparison with other products, see: 

Company Description

Since 1999, SolarWinds has been providing management and monitoring software for security, networks, servers, applications, storage, databases, virtualization and the cloud. It trades on the NYSE under the symbol SWI.

Product Description

SolarWinds Security Event Manager (SEM) is composed of several key elements:

  • Manager for central management, log and event management, and storage
  • Console and user interface
  • SEM Agents for real-time event collection from endpoints, encryption and compression of data

Network traffic, application, and virtualized platform monitoring can be tied into SEM through the SolarWinds Virtualization Manager, the Network Performance Monitor, and the Server & Application Monitor. SolarWinds Security Event Manager (SEM) 2022.4 supports log forwarding to other applications, as well as SolarWinds SEM deployments on Azure.

SolarWinds SIEM Features Rated

Threats Blocked: Good. SEM ships with hundreds of predefined correlation rules, including authentication, change management, network attacks, and more. SolarWinds SEM also integrates with online threat feeds and can notify and respond to inbound/outbound traffic and authentication attempts with known bad IP addresses for threats such as ransomware, malware, spam, phishing, and more.

Breadth of Sources: Very good. SolarWinds SEM includes seven hundred log parsers. There is a process in place for users to request new connectors or updates to existing connectors. SolarWinds SEM supports a variety of event sources, including nonevent data sources that can be integrated into its analytics and correlation rules.

Throughput: Good. While SolarWinds SEM can support several thousand nodes, it rarely sees users exceed 2,000 EPS. Most customers store between 2 to 8 TB of data, but users have the option of scaling beyond 8 TB.

Value: Good. SolarWinds provides good value in overall cost and time to implement.

Implementation: Best. Users praise the product's ease of implementation. SolarWinds SEM is deployed as a self-contained virtual appliance that includes the SEM database, correlation engine, and all other required components, and it can typically be deployed within minutes. Analysts have complimented SolarWinds on its simple architecture, easy licensing, and robust out-of-the-box content and features.

Management: Good. Ease of use is an area of frequent praise, but there are some limitations in its ability to integrate with third-party advanced threat detection, threat intelligence feeds and User Behavior Analytics (UBA) tools.

Support: Very good. SolarWinds has been recognized for its technical support and customer success programs globally. An assisted onboarding program provides access to implementation experts who work with users to understand their goals, assist in installing and configuring the product, and help optimize their environments based on business needs.

Scalability: Good. SEM’s architecture scales horizontally to support thousands of nodes, but may not scale as well vertically.


Intelligence

SolarWinds Security Event Manager customers leverage pre-defined correlation rules targeted at user and system change monitoring. These rules include direct change auditing (user permission, metadata, group memberships, etc.) and system change auditing (policies, files, etc.). Thresholds for behavior can be applied to differentiate normal from abnormal behavior.
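The Threats Blocked rating above credits SEM with predefined correlation rules for authentication and change monitoring plus matching against external threat feeds, and this section notes that thresholds separate normal from abnormal behavior. The Python below is an added example, not SolarWinds code, showing what two such rules look like when run over constructed log lines: a sliding-window threshold on failed logons (Windows event 4625) per source address, and a match of any logon attempt against a known-bad IP list standing in for an external threat feed. The key=value log format, the KNOWN_BAD_IPS set, and the default of five failures in 60 seconds are assumptions for the example.

```python
"""Added example (not SolarWinds code): two SIEM-style correlation rules run over
constructed Windows Security log lines.

Rule 1 (threshold): N failed logons (EventID 4625) from one source address within
W seconds. The threshold is what separates a user mistyping a password from a
password-guessing attempt.
Rule 2 (threat feed): any logon attempt, successful or failed, from an address on
a known-bad list, the kind of external-feed match a SIEM alerts and responds on.
A successful logon from a bad address is the more urgent of the two outcomes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events in a syslog-like key=value form an agent might forward. Not real data.
SAMPLE_LOG = """\
2024-02-01T10:00:01Z host=DC01 EventID=4625 TargetUser=alice SrcIP=10.0.0.5 Status=0xC000006D
2024-02-01T10:00:02Z host=DC01 EventID=4625 TargetUser=alice SrcIP=10.0.0.5 Status=0xC000006D
2024-02-01T10:00:03Z host=DC01 EventID=4624 TargetUser=alice SrcIP=10.0.0.5 LogonType=3
2024-02-01T10:00:10Z host=DC01 EventID=4625 TargetUser=admin SrcIP=198.51.100.9 Status=0xC000006D
2024-02-01T10:00:11Z host=DC01 EventID=4625 TargetUser=admin SrcIP=198.51.100.9 Status=0xC000006D
2024-02-01T10:00:12Z host=DC01 EventID=4625 TargetUser=admin SrcIP=198.51.100.9 Status=0xC000006D
2024-02-01T10:00:13Z host=DC01 EventID=4625 TargetUser=admin SrcIP=198.51.100.9 Status=0xC000006D
2024-02-01T10:00:14Z host=DC01 EventID=4625 TargetUser=admin SrcIP=198.51.100.9 Status=0xC000006D
2024-02-01T10:05:00Z host=DC01 EventID=4624 TargetUser=svc_backup SrcIP=203.0.113.44 LogonType=10
2024-02-01T10:30:00Z host=DC01 EventID=4625 TargetUser=bob SrcIP=10.0.0.7 Status=0xC000006D
"""

# Constructed stand-in for an external threat feed of known-bad addresses (assumed, not real).
KNOWN_BAD_IPS = {"203.0.113.44", "203.0.113.45"}

FAILED_LOGON, SUCCESS_LOGON = "4625", "4624"
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse '<timestamp> key=value ...' into a dict; 'ts' holds the parsed datetime."""
    ts_str, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def correlate(lines, threshold=5, window_seconds=60, bad_ips=KNOWN_BAD_IPS):
    """Run both rules over the log text; return alerts as (rule_name, src_ip, detail) tuples."""
    alerts = []
    recent_failures = defaultdict(deque)  # src_ip -> timestamps of 4625s inside the window
    already_fired = set()                 # one threshold alert per source in this run
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        src, event_id = ev.get("SrcIP"), ev.get("EventID")

        # Rule 2: threat-feed match on any logon attempt from a known-bad address.
        if event_id in (FAILED_LOGON, SUCCESS_LOGON) and src in bad_ips:
            outcome = "succeeded" if event_id == SUCCESS_LOGON else "failed"
            alerts.append(("known_bad_ip_logon", src, f"{outcome} logon as {ev.get('TargetUser')}"))

        # Rule 1: sliding-window count of failed logons per source.
        if event_id != FAILED_LOGON:
            continue
        q = recent_failures[src]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # forget failures that have aged out of the window
        if len(q) >= threshold and src not in already_fired:
            already_fired.add(src)
            alerts.append(("failed_logon_threshold", src,
                           f"{len(q)} failed logons in {window_seconds}s, last target {ev.get('TargetUser')}"))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in correlate(SAMPLE_LOG):
        print(f"ALERT {rule}: {ip} - {detail}")
```

With the defaults, alice's two typos followed by a successful logon stay below the threshold and produce nothing, the five rapid failures against admin from 198.51.100.9 fire the threshold rule, and the successful remote-interactive logon of svc_backup from a listed address fires the threat-feed rule. Lowering the threshold to two turns alice's typos into an alert as well, which is the tuning trade-off the rating above alludes to.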

Delivery

SEM is delivered as a virtual appliance for VMware and Hyper-V, with an additional deployment option for Azure.

Agents

The SolarWinds SIEM platform employs agents.

Pricing

SolarWinds does not explicitly list SEM pricing on its website, but it allows potential customers to browse products and generate a quote. Subscription licenses for one to five years start at $2,877; perpetual licenses start at $5,607 for the software and one year of support, with options to purchase ongoing yearly maintenance and support.

The SolarWinds license is based upon the number of nodes (server, network device, desktop, laptop, etc.) sending log and event information and tiered pricing is available for bulk-use discounts or multiple-software license discounts. License costs include log management, agents, connectors, file integrity monitoring, USB Defender, external threat feeds, and all SIEM components.

A Workstation Edition license enables SolarWinds SEM customers to extend deployments to Windows workstations. Consulting and professional services are typically not required.

For more analysis of SolarWinds Security Event Manager, see SolarWinds vs Splunk: Top SIEM Solutions Compared.

This article was originally written by Drew Robb on November 5, 2018, and updated by Chad Kime on February 7, 2023.


The post SolarWinds Security Event Manager – SIEM Product Overview and Insight appeared first on eSecurity Planet.

IBM X-Force Exchange Threat Intelligence Platform https://www.esecurityplanet.com/products/ibm-xforce/ Thu, 02 Feb 2023 08:20:00 +0000 https://www.esecurityplanet.com/2017/07/18/ibm-x-force-threat-intelligence-product-overview-and-insight/

The top-ranked IBM X-Force Exchange threat intelligence platform (TIP) integrates enterprise-grade external security threat information with the tools a security professional needs to analyze how the threat might impact the organization. This article provides more in-depth information on the product and its features.

For a comparison with other TIP products, see the complete list of top threat intelligence companies.

Product History

Internet Security Systems (ISS) developed X-Force in 1996; IBM acquired ISS in 2006, after which the X-Force brand became part of IBM Security. The X-Force Exchange threat intelligence platform (TIP) was launched in 2015 to open up the wealth of threat intelligence collected by IBM X-Force to the public and support collaborative defense.

Product Description

IBM X-Force Exchange provides collaborative threat intelligence through a cloud-based platform that enables security analysts to research threat indicators and accelerate responses to attacks. It offers intelligence on:

  • IP and URL reputation
  • web applications
  • malware
  • vulnerabilities
  • spam

Users can then enhance their security insights with machine-generated intelligence and curated human-generated insights from IBM X-Force researchers available via public case file collections on the latest malware campaigns and threats.

“Users can collaborate with peers to validate threats and develop response plans using private groups and shared collections, and strengthen their existing security solutions with threat intelligence delivered through open standards,” said Sam Dillingham, Senior Offering Manager, IBM Security.


Agents

X-Force Exchange is a cloud-based platform, and does not deploy via agents.

Markets and Use Cases

In 2015, when IBM launched the X-Force Exchange it noted that six of the world’s top 10 retailers and five of the world’s top 10 banks were part of the 1,000+ organizations contributing to the X-Force Exchange threat database. In 2016, IBM also announced shared threat intelligence feeds with Check Point. With integrated workflow support through private groups and Collections, X-Force Exchange appeals to organizations that need to support a streamlined security investigation process.

One retailer, noted Dillingham, replaced multiple threat intelligence feeds with X-Force Exchange to dramatically reduce their investigation time. This retailer is using shared collections to gather threat intelligence, letting the security team focus on applying the intelligence rather than on the mechanics of gathering it.

However, for organizations that want to incorporate multiple feeds, external feeds can also be fed into an organization’s X-Force Exchange dashboard. The TIP will then generate a consolidated threat feed based on all information sources.

Applicable Metrics

As a cloud-based platform, X-Force Exchange scales to support an organization of any size. Customers are allowed unlimited queries per month via the platform itself or through the Advanced Threat Protection Feed, while the X-Force Exchange Commercial API supports usage-based billing. As noted above, additional third-party threat intelligence feeds can be brought into X-Force Exchange using the Threat Feed Manager once a user provides their credentials or API key for those feeds via the platform.

Security Qualifications

Depending upon the chosen edition, IBM X-Force Exchange can meet global compliance standards such as ISO 27001, ISO 27017, and ISO 27018, and both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks. As a threat intelligence platform, X-Force Exchange can provide automated threat feeds to other security systems such as firewalls and network intrusion detection and prevention systems (IDS/IPS).

Intelligence

Users can enhance their network security insights with machine-generated intelligence. Threat intelligence from X-Force Exchange is also used by IBM QRadar Advisor with Watson so security analysts can leverage machine learning on the QRadar SIEM platform and the QRadar SOAR (Security Orchestration, Automation and Response) product.

All threat intelligence produced is cross-correlated against relevant sources used by X-Force Exchange, and this analysis is automated into reports that provide real-time visibility into risk score, activity history, geography, associated indicators, categorization and other pertinent threat intelligence. Customers of the X-Force Exchange Commercial API and the X-Force Exchange Enterprise API can also access additional reports and Indicators of Compromise (also available for the Advanced Threat Protection Feed) produced by X-Force IRIS (Incident Response and Threat Intelligence Services).

Delivery

X-Force Exchange is a cloud-based solution, accessible via a web browser or through an API that integrates directly with existing security solutions.

Pricing

IBM X-Force Exchange is free to use via a guest login through the web interface at xforce.ibmcloud.com. A free X-Force Exchange non-commercial API is also available for limited use. For commercial use, IBM publishes information on four editions, but requires direct contact to obtain a quotation.

  • X-Force Exchange
    • Cloud based intelligence sharing platform
    • Unlimited record access
    • Limited Support
  • Advanced Threat Protection Feed
    • Unlimited Record Access
    • Threat feed for internal security tool integrations
    • RESTful API in JSON format
  • X-Force Exchange Commercial API
    • For integration with commercial applications
    • Perform bulk-queries for IPs and URLs
    • Usage Based records
    • RESTful API in JSON format
    • Includes X-Force IRIS (incident response service) reports and indicators of compromise
  • X-Force Exchange Enterprise API
    • Unmetered bulk usage of threat feeds and premium content
    • Unlimited Records
    • RESTful API in JSON format
    • Includes X-Force IRIS (incident response service) reports and indicators of compromise

This article was originally written by Drew Robb on July 18, 2017, and updated by Chad Kime on February 1, 2023.





The post IBM X-Force Exchange Threat Intelligence Platform appeared first on eSecurity Planet.
