Pulse

Threat Management System

Introduction

The information security world has grown immensely in the last 10 years, going from a dark art form where the key players all communicated in the same IRC channels to a huge industry where information overload is not just a possibility but an eventuality. Everyone has a list of vulnerabilities, a compilation of exploits, a selection of custom gathered, analyzed, and aggregated information. Eventually a security analyst gets so much visibility into the security landscape that they can't take any more, and information overload, a security news Denial of Service if you will, takes place. Yet as security analysts, architects, and developers we are constantly called to be on the cutting edge and know everything that's happening, so it becomes a balancing act. With dozens of sites each producing dozens of advisories a day it becomes impossible to keep up.

While the amount of information is large and wild, the problem is really quite small and defined. Security professionals need to keep up with what's going on: not every single XSS vulnerability under the sun, but just the vitals, the information security pulse of the Internet. This is where Vulnerable Minds Pulse gets its name and focus: to provide information security professionals the information they need about the current state of Internet security. By aggregating the many feeds that information security professionals rely on and then paring them down to only the most critical information, Vulnerable Minds Pulse meets this need, giving users the ability to get what they need most, the pulse of the threat landscape.

Pulse is the need-to-know information about the threat landscape facing the Internet. By aggregating and analyzing the top vulnerability and malicious code news from commercial, government, education, and open source sources, Pulse provides a complete picture of today's vulnerabilities that may become tomorrow's exploits.

Technology

Creating Pulse was not so much a programming exercise as a challenge in getting multiple Web 2.0 technologies to work together. While RSS is a language spoken by many applications, especially in this Twitter/Digg/Google Apps age, it is limited in what it can express. Pulling raw feeds into a feed reader is simple, but manipulating the information is difficult. A number of solutions have presented themselves, many of which we have made use of.

First of all, the basis of Pulse is RSS. Acting as our model in the MVC framework, RSS is used at the start of the system to deliver the initial information and later as what we expect will be the main output type by which people consume Pulse. (http://en.wikipedia.org/wiki/RSS_(file_format))

Yahoo Pipes - Created by Yahoo as a mash-up creation tool, Pipes is the analysis engine used by Pulse to separate the wheat from the chaff. Each feed is different and must be treated as such; Pipes allows this by permitting manipulation of individual XML attributes. These manipulations can be combined and then output in a variety of formats, creating the combined and modified RSS for delivery to Tumblr. (http://pipes.yahoo.com)

Tumblr - The presentation/view layer of Pulse. Tumblr provides an ideal delivery system on a number of levels. Tumblr accepts RSS feeds, making it easily compatible with the output of Yahoo Pipes, our analytics system. Tumblr also provides various ways to access Pulse: the main page (http://pulse.vulnerableminds.com), the cellphone-friendly mobile page (http://pulse.vulnerableminds.com/mobile), and a combined RSS feed (http://pulse.vulnerableminds.com/rss). Tumblr does all this with minimal setup and little maintenance, making it easy to add and remove content, modify feed handling, and change the look of the site.

Google Reader - Pulse renders a valid RSS feed usable by any syndication reader, but when it comes to features, ease of use, mobility, and integration with the rest of our (admittedly Google-centric) online tool set, Google Reader shines. Accessible from any computer with an Internet connection (and many without, thanks to Gears), Google Reader is ideal for reading and sharing content. Future upgrades of Pulse will make use of some of Google Reader's advanced features, both for reading and for adding content to Pulse.

Methodology

The Vulnerable Minds Pulse is focused on two key types of information: malware advisories and vulnerability advisories. There are plenty of great sites to get news (securls by the GNUCitizen guys is a VM favorite), but new threats can often get lost in the long paragraphs and corporate sponsorships. Mailing lists (check out Daily Dave, scary smart people on there) are excellent, but are often so flooded with spam that it's easy to lose the one important email of the day in the flood of junk. Blogs provide lots of insight into various topics, often from the people at the center of them (a la Matasano and the Blue Pill fiasco), but can never cover everything and always carry a healthy dose of personal opinion. The many vulnerability lists are excellent sources of information but, like mailing lists, are all too often flooded with noise, usually in the form of yet another XSS attack in yet another seldom-used web application.

Pulse seeks to meet the need in between all of these, providing a clear, objective, relevant view of the current and upcoming threats to information security. Drawing upon all of these sources, tempered by the analytics provided via Yahoo Pipes, Pulse delivers timely vulnerability and malicious code information in a variety of useful formats, without spam or opinion: just the high-end vulnerabilities and exploits for the important applications.
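The aggregate-filter-publish pipeline described in the Technology and Methodology sections, as an added Python example that is not part of Pulse itself (Pulse used Yahoo Pipes for this step). It merges several RSS 2.0 feeds, drops items without a pubDate (the reason two feeds were deprecated below, since undated items cannot be ordered or aged out), drops low-severity noise unless it names a watched product, and dedupes items that several sources carry. The feed contents, the watched-product list and the noise pattern are constructed assumptions, not real advisories or Pulse's actual rules.

```python
"""Pulse-style feed filter: merge RSS feeds, drop undated items and
low-priority noise, dedupe by link, and order newest first."""
import re
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample feeds (not real advisories); FEED_B repeats one item
# from FEED_A and carries one item with no pubDate.
FEED_A = """<rss version="2.0"><channel><title>Vendor List (constructed)</title>
<item><title>Critical RCE in WidgetServer 4.2</title><link>http://example.invalid/a1</link>
<pubDate>Tue, 03 Mar 2009 10:00:00 GMT</pubDate></item>
<item><title>XSS in ObscureGuestbook 0.3</title><link>http://example.invalid/a2</link>
<pubDate>Tue, 03 Mar 2009 09:00:00 GMT</pubDate></item>
</channel></rss>"""
FEED_B = """<rss version="2.0"><channel><title>Malcode List (constructed)</title>
<item><title>New worm exploiting WidgetServer 4.2</title><link>http://example.invalid/b1</link>
<pubDate>Wed, 04 Mar 2009 08:30:00 GMT</pubDate></item>
<item><title>Critical RCE in WidgetServer 4.2</title><link>http://example.invalid/a1</link>
<pubDate>Tue, 03 Mar 2009 10:00:00 GMT</pubDate></item>
<item><title>Undated advisory</title><link>http://example.invalid/b3</link></item>
</channel></rss>"""

# Hypothetical priority rules: low-severity noise is kept only when it
# touches a product the reader actually runs.
WATCHED_PRODUCTS = ("widgetserver", "corebrowser")
NOISE = re.compile(r"\b(xss|cross[- ]site scripting)\b")

def parse_items(rss_xml):
    """Yield (title, link, datetime-or-None) for each <item> in an RSS 2.0 document."""
    for item in ET.fromstring(rss_xml).iter("item"):
        date_text = item.findtext("pubDate")
        date = parsedate_to_datetime(date_text) if date_text else None
        yield item.findtext("title", ""), item.findtext("link", ""), date

def is_relevant(title):
    """True unless the title is noise about a product nobody is watching."""
    t = title.lower()
    return not NOISE.search(t) or any(p in t for p in WATCHED_PRODUCTS)

def build_pulse(feeds):
    """Merge feeds, drop undated/irrelevant/duplicate items, return (title, link) newest first."""
    seen, kept = set(), []
    for rss_xml in feeds:
        for title, link, date in parse_items(rss_xml):
            if date is None or link in seen or not is_relevant(title):
                continue  # undated items cannot be ordered, so they are excluded
            seen.add(link)
            kept.append((date, title, link))
    kept.sort(reverse=True)
    return [(title, link) for _, title, link in kept]

if __name__ == "__main__":
    for title, link in build_pulse([FEED_A, FEED_B]):
        print(title, link)
```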



Change Log

Version 1

Categories

General Vulnerability List Feed



Commercial Vulnerability List Feed


Pipe Address: http://pipes.yahoo.com/pipes/pipe.info?_id=Ck_3Dc0A3BGWEOR_zKky6g


Gov/Edu/Open Source Vulnerability List Feed


Pipe Address: http://pipes.yahoo.com/pipes/pipe.info?_id=DC5QNcsA3BG16Dm8dbq02Q


Malicious Code Feed

iDefense Labs - Malicious Code: http://labs.idefense.com/rss/intelligence.rss.php?type=maliciouscode
Metasploit Exploits: http://www.metasploit.com/projects/Framework/updates/rss.html
Milw0rm: http://milw0rm.com/rss.php

Pipe Address: http://pipes.yahoo.com/pipes/pipe.info?_id=vJLP4T0v3BGb_L_U1fC6Jw


Vendor Specific Vulnerability List Feed


Pipe Address: http://pipes.yahoo.com/pipes/pipe.info?_id=YB0s_EJN3BGcvdsXn0artA



To Be Added:

Sun Alerts - http://blogs.sun.com/security/category/alerts


Deprecated Feeds


Feeds used in the early test versions of Pulse and later removed. These may be re-added at some point if possible.

Latest Secunia Security Advisories: http://secunia.com/information_partner/anonymous/o.rss - Deprecated due to lack of dates in RSS feed.

Apple Security Announcement List: http://rss.lists.apple.com/security-announce.rss - Deprecated due to lack of dates in RSS feed.