AnsweredAssumed Answered

Is the ESA Advanced Threat Detection Who IS Service Down?

Question asked by David Waugh on Nov 1, 2018
Latest reply on Nov 5, 2018 by Marinos Roussos

Like • Show 0 Likes0
Comment • 8

Hi I check every hour if the whois service is returning a response for google.com

Sometime between 04:14 and 005:14 UTC on 1st November 2018, the service no longer seems to be working.

I can request an auth token, but dont get any response:

./cloud-whois-bank.sh google.com
Authenticate:
curl -sk -H "Content-Type: application/json" -X POST -d "{"X-Auth-Username":"BLAH","X-Auth-Password":"BLAH"}" "https://cms.netwitness.com/authlive/authenticate/WHOIS" -D /tmp/resp_headers.yQzaET -o /dev/null
Query: /usr/bin/curl -sk -H "Content-Type: application/json" -H "X-Auth-Token: eyJpc3MiOiJMSVZFX0FVVEhFTlRJQ0FUSU9OIiwic3ViIjoiV0hPSVMiLCJhdWQiOnsiTGl2ZS1Vc2VybmFtZSI6ImJhbmtvZmVuZ2xhbmRsaXZlQGJhbmtvZmVuZ2xhbmQuY28udWsifSwiZXhwIjoxNTQxMDc0MDg3MTA3LCJhbGciOiJIbWFjU0hBMjU2In0=.IfBp2rdB4oMJOCyxo42E8925g0iI+KC3jfvW12hxd/k=" "https://cms.netwitness.com/whois/query/google.com" | tr -d '\r' | python -m json.tool
No JSON object could be decoded
[328779@HO-SA-ESA ~]$ ./cloud-whois-bank.sh google.com/usr/bin/curl -sk -H "Content-Type: application/json" -H "X-Auth-Token: eyJpc3MiOiJMSVZFX0FVVEhFTlRJQ0FUSU9OIiwic3ViIjoiV0hPSVMiLCJhdWQiOnsiTGl2ZS1Vc2VybmFtZSI6ImJhbmtvZmVuZ2xhbmRsaXZlQGJhbmtvZmVuZ2xhbmQuY28udWsifSwiZXhwIjoxNTQxMDc0MDg3MTA3LCJhbGciOiJIbWFjU0hBMjU2In0=.IfBp2rdB4oMJOCyxo42E8925g0iI+KC3jfvW12hxd/k=" "https://cms.netwitness.com/whois/query/google.com"

Can anyone confirm if the whois service is actually working for them?

No one else has this question

Outcomes

David Waugh Nov 2, 2018 4:06 AM

It still seems down.....

Actions

Edward Darnell Nov 2, 2018 8:25 AM

We have had issues with the WHOIS service being up and down since early October and submitted a ticket Oct 11th about same issue. No resolution really ever came out of it for the issue.

Service always seemed to be up more than down, this one seems prolonged.

1 person found this helpful

Actions

David Waugh @ Edward Darnell on Nov 2, 2018 9:33 AM

Agreed. I opened a ticket previously and was told that this would be monitored.

This was the response I got in ticket 01181735 on 14th June 2018

"The Whois service experienced issues during that time frame. Due to malfunction of the monitoring system, the issue has not been identified immediately. The SaaS team addressed the issue with Whois service, and then made sure the monitoring system monitors the service properly."

These things happen, but being down for over 24 hours without anyone doing anything is a little troubling. It is also a design flaw that I have previously highlighted, that if the WhoIS service is down the ESA should not get increasingly behind in sessions until it eventually stops.

Anyone from RSA care to comment?

Actions

David Waugh Nov 2, 2018 11:41 AM

Just had the first confirmation from RSA Support that the WhoIs service is down.

Actions

David Waugh Nov 2, 2018 12:00 PM

Its back!!!

Actions

Marinos Roussos Nov 5, 2018 4:38 AM

I feel sorry for you that you have been trying to get answers. I've noticed , every time you've faced issues with the Whois service and asking for feedback, then it becomes clear that this is not monitored by RSA and that the phone is dead on the other end.

I would understand RSA's argument that this is a free service but if it's not reliable then it can only be used in a lab.

To PMs: In security, there is a big difference when it comes to software, you cannot use untested/unreliable/not-monitored/toy software for conducting security operations. Scoring high on Gartner is not enough to sell if customers can't trust the software and the people supporting it.

1 person found this helpful

Actions

David Waugh @ Marinos Roussos on Nov 5, 2018 4:43 AM

Not only is the fact that it is not sufficiently monitored that is disappointing, it is the fact that when it is down, the ESA seems to wait until it gets a response. This causes a backlog of sessions and the ESA quickly get behind by many millions of sessions. This then takes many hours for it to catch back up.

The ESA is a critical part of the solution as it generated alerts on suspicious activity.

I want to know that I can rely on the ATD service. How long is it acceptable for it to be down? 1 hour, 2 hours? 24 hours?

1 person found this helpful

Actions

Marinos Roussos @ David Waugh on Nov 5, 2018 5:01 AM

The fact that ESA is stopping when Whois goes down is a bug. If RSA don't want to admit and fix this and as a workaround suggest you to stop using the Whois service then they are worthy or their fate.

Monitoring a free service that an expensive paid service is depending on(not to mention that is crucial for security operations), should be a given and not having to cry for help on a forum or raise a RFE or other silly things like that.

Actions

8 Replies

David Waugh Nov 2, 2018 4:06 AM
Mark Correct
Correct Answer
It still seems down.....
Like • Show 0 Likes0
Actions
Edward Darnell Nov 2, 2018 8:25 AM
Mark Correct
Correct Answer
We have had issues with the WHOIS service being up and down since early October and submitted a ticket Oct 11th about same issue. No resolution really ever came out of it for the issue.

Service always seemed to be up more than down, this one seems prolonged.
1 person found this helpful
Like • Show 1 Like1
Actions
- David Waugh @ Edward Darnell on Nov 2, 2018 9:33 AM
  Mark Correct
  Correct Answer
  Agreed. I opened a ticket previously and was told that this would be monitored.
  
  This was the response I got in ticket 01181735 on 14th June 2018
  
  "The Whois service experienced issues during that time frame. Due to malfunction of the monitoring system, the issue has not been identified immediately. The SaaS team addressed the issue with Whois service, and then made sure the monitoring system monitors the service properly."
  
  These things happen, but being down for over 24 hours without anyone doing anything is a little troubling. It is also a design flaw that I have previously highlighted, that if the WhoIS service is down the ESA should not get increasingly behind in sessions until it eventually stops.
  
  Anyone from RSA care to comment?
  Like • Show 1 Like1
  Actions
David Waugh Nov 2, 2018 11:41 AM
Mark Correct
Correct Answer
Just had the first confirmation from RSA Support that the WhoIs service is down.
Like • Show 0 Likes0
Actions
David Waugh Nov 2, 2018 12:00 PM
Mark Correct
Correct Answer
Its back!!!
Like • Show 1 Like1
Actions
Marinos Roussos Nov 5, 2018 4:38 AM
Mark Correct
Correct Answer
I feel sorry for you that you have been trying to get answers. I've noticed , every time you've faced issues with the Whois service and asking for feedback, then it becomes clear that this is not monitored by RSA and that the phone is dead on the other end.

I would understand RSA's argument that this is a free service but if it's not reliable then it can only be used in a lab.

To PMs: In security, there is a big difference when it comes to software, you cannot use untested/unreliable/not-monitored/toy software for conducting security operations. Scoring high on Gartner is not enough to sell if customers can't trust the software and the people supporting it.
1 person found this helpful
Like • Show 1 Like1
Actions
- David Waugh @ Marinos Roussos on Nov 5, 2018 4:43 AM
  Mark Correct
  Correct Answer
  Not only is the fact that it is not sufficiently monitored that is disappointing, it is the fact that when it is down, the ESA seems to wait until it gets a response. This causes a backlog of sessions and the ESA quickly get behind by many millions of sessions. This then takes many hours for it to catch back up.
  
  The ESA is a critical part of the solution as it generated alerts on suspicious activity.
  
  I want to know that I can rely on the ATD service. How long is it acceptable for it to be down? 1 hour, 2 hours? 24 hours?
  1 person found this helpful
  Like • Show 0 Likes0
  Actions
  - Marinos Roussos @ David Waugh on Nov 5, 2018 5:01 AM
    Mark Correct
    Correct Answer
    The fact that ESA is stopping when Whois goes down is a bug. If RSA don't want to admit and fix this and as a workaround suggest you to stop using the Whois service then they are worthy or their fate.
    
    Monitoring a free service that an expensive paid service is depending on(not to mention that is crucial for security operations), should be a given and not having to cry for help on a forum or raise a RFE or other silly things like that.
    Like • Show 1 Like1
    Actions

Is the ESA Advanced Threat Detection Who IS Service Down?

Outcomes

Related Content

Recommended Content