"PCI Compliance" Book Is Here!

Finally, the PCI book is here in the flesh. I decided to use this opportunity to try video on my blog. Here it is:

Possibly related posts:

• “PCI Compliance” Book 30% Discount code

  
  

Log Management + SIEM = ?

Lately, something made me think of using log management WITH security information and event management (SIEM) - I suspect it was either this or maybe this zombie here. I did spent some time in my career building SIEM tools and then spent some building log management. Nowadays, their “separate identities” are pretty much widely accepted; even “Big G” combines them in the same document, but calls them out by name separately (this, BTW, took about 2 years of fierce arguments back in 2005-2007 :-))

In any case, my recent bout of thinking revealed four scenarios, crudely depicted on the image to the right:

Those are:

1. Log management as a foundation and SIEM as [one of the] applications: this is what I call “a common sense scenarios” since it is so …well… common sense. It can also be called “grow up to SIEM.” By some strictly unscientific estimates (=random guessing), it accounts for maybe up to 50% of SIEM deployments. This is the case where an organization gets a log management tool and slowly realizes the need for correlation, visualization, monitoring workflows, etc.
2. SIEM and log management deployed together alongside and at the same time: this is what I call “emerging scenario” since more people now get both at the same time (from same or different “best” vendors). I have no idea about the percentage of adoption here, but likely vendors who offer SIEM and LM can attest to the growth of this scenario. Indeed, if you somehow realized the need for correlation, you better save all the logs and have an ability to perform efficient search and raw data analytics.
3. SIEM=LM: this scenario means that either you are small (and use the same tool that can handle simple SIEM and log management functions) or, if you are large, you’ve been duped by the vendor who said “they are the same thing” [today they are still not and a smart vendor won’t tell you this – eventually maybe they will be…]. Admittedly, “one box with SIEM+LM functionality” can work in principle and for smaller environments, but typically there are too many things competing for CPU, RAM, network and disk (e.g. correlation and indexing are both resource hogs…). Still, this might well be the #1 by the number of deployments due to its applicability to smaller (and thus more numerous) environments.
4. SIEM deployment with LM as an archive: this scenario arises when somebody buys a big fat SIEM – and then, over time, realizes that something is missing. As a result, a log management tool is deployed to "dump” all logs into and (sometimes) perform analysis of the raw logs that SIEM “rejects” (i.e. doesn’t know how to parse, normalize, categorize, etc). Specifically, incident response and PCI DSS come to mind here.
5. “SIEM Shield” [UPDATED!]: the final 5th scenario is so obvious, I completely forgot about it :-). While it is similar to both #2 (simultaneous SIEM and log management deployment) and #4 (log management as an archive for a SIEM), it is also distinctly different – and VERY common. In this case, an inherently more scalable log management tool is deployed in front of SIEM (typically after SIEM is first implemented, which is similar to scenario #4) to serve as a shield and filter to protect a less scalable SIEM tool from extreme log flows. It is not uncommon to only send every 10th event received by the “log shield” to a SIEM, hiding behind it. At the same time, all received events are archived, just like in case #4.

Obviously, it goes without saying there are lots of “log management only” (still growing) situations and some “SIEM only” (likely shrinking) deployment scenarios. But their are not the subject of today’s note here.

BTW, today is my birthday :-) … and I am writing about SIEM. How cool is that?

Possibly related posts:

• On SIEM Complexity
• All posts on SIEM.

“PCI Compliance” Book 30% Discount code

I have not yet received my copy of “PCI Compliance” book, but I was told it is OUT in the flesh.

During the entire “launch month” – December 2009 – you can get the book at 30% off using discount code: SYNGRESS30 

Here is some more info:

• Book website (check out a couple of free PCI DSS sample policies there!)
• Official page of “PCI Compliance” at Amazon
• Book page at Syngress website (has full book Table of Contents); for the above discount code, you have to buy it from here.
• My co-author’s Branden Williams website and blog.

BTW, we worked really hard on the book (and then the editors worked on us :-)) - despite this, some typos are unavoidable. Please report them and we will add them errata pages.

Enjoy!

Monthly Blog Round-Up - November 2009

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups is my attempt to remind people of useful content from the past month! If you are “too busy to read the blogs,” at least read these.

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.

1. Top spot this month (by far!) is deservedly taken by “Smart vs Stupid: But Not Why You Think So!” You need to go read it to know why it is so awesome :-)
2. “Top Log FAIL!” is still hot! The post summarizes the most egregious, reckless, painful, negligent, sad, idiotic examples of “Log FAIL.”
3. “On SIEM Complexity” is next – it is a piece about Security Information and Event Management (SIEM) and why it is / is perceived as “very complex.”
4. “Open source SIEM theme continues to drive a lot of traffic – it looks like folks are still desperately googling for it. “Why No Open Source SIEM, EVER?” post takes the spot in Top5 this month again. The older inspiration for this post is “On Open Source in SIEM and Log Management.”
5. “SIEM Bloggables” post covers key SIEM use cases – it is part of the presentation which is yet to be posted.
6. “More PCI Devil Defense” is the next iteration in the ongoing industry discussion of the value of PCI DSS for information security.

This month I am also continuing a new tradition: I am going to thank my top 5 referrers this month (those that are actual humans, that is). So, thanks a lot to the following people whose blogs/resources sent most visitors to my blog:

1. Gunnar Peterson
2. Dancho Danchev blog
3. Richard’s TaoSecurity blog
4. Dmitry Evteev blog
5. Adam O’Donnell blog

Thanks for all the link-love!

See you in December when I will post both monthly and annual blog round-ups (see my previous annual “Top Posts” - 2007, 2008)

BTW, somebody said that this year is a good year to post not only next year’s annual security predictions, but also next decade security predictions. Now, that is what I would call super-fun! :-)

Possibly related posts / past monthly popular blog round-ups:

• Monthly Blog Round-Up – October 2009
• Monthly Blog Round-Up – September 2009
• Monthly Blog Round-Up – August 2009
• Monthly Blog Round-Up – July 2009
• Monthly Blog Round-Up – June 2009
• Monthly Blog Round-Up – May 2009
• Monthly Blog Round-Up – April 2009
• Monthly Blog Round-Up – March 2009
• Monthly Blog Round-Up – February 2009
• Monthly Blog Round-Up - January 2009
• Monthly Blog Round-Up - December 2008
• Monthly Blog Round-Up - November 2008
• Monthly Blog Round-Up - October 2008
• Monthly Blog Round-Up - September 2008
• Monthly Blog Round-Up - August 2008
• Monthly Blog Round-Up - July 2008
• Monthly Blog Round-Up - June 2008
• Monthly Blog Round-Up - May 2008
• Monthly Blog Round-Up - April 2008
• Monthly Blog Round-Up - March 2008
• Monthly Blog Round-Up - February 2008
• Monthly Blog Round-Up - January 2008
• Monthly Blog Round-Up - December 2007
• Monthly Blog Round-Up - November 2007
• Monthly Blog Round-Up - October 2007
• Monthly Blog Round-Up - September 2007
• Monthly Blog Round-Up - August 2007

Obligatory “added everywhere” posts :-)

• I might be available for fun consulting projects related to PCI DSS, log management, SIEM, etc. Please see the services list at my consulting site.

“Leaving Vendorland” or Consulting Full-Throttle

I have a horrible confession to make: I was “vendor scum” for most of my security career. All good things come to an end – replaced by better things, of course.

Since departure from my last job, I discovered the world full of exciting projects where I can be incredibly useful. For some logging projects, I can be more useful than anybody else in the world (and, no, this is not my ego talking).  At the same time, I discovered many jobs at “wonderful” large companies, where everything developed two years after the market is considered “innovation.” Maybe this is why I don’t really believe in security market consolidation: BigCo=slow while threat=fast leads to some nice EPIC FAIL of “consolidation.” In any case, I’ve seen a lot of fun projects, and not enough fun jobs. Thus I decided to start developing my own consulting practice. 

With this post, I am “officially” announcing my switch to consulting (even though I’ve been busy consulting for a couple of months already). Here is a quick summary of my services, also posted at Security Warrior Consulting site:

• Technology vendor services: compliance strategy for a security product, security and compliance content development, “thought leadership” webinars, training and writing, etc.
• End-user organization services: development of logging strategy, logging policy, log review procedures, planning of log management architecture, etc.

Go see more details on my new consulting site or look at the full services menu [PDF]. At this time, I am working on a couple of very fun projects, but will look for more work along the above lines in the future.  If you have anything of that sort for me, please get in touch (email, other methods)!

Finally, if I discover new fun security things to build and evangelize,  I will once again join the noble ranks of vendor scum…

BTW, our “PCI Compliance” book should be out any day now and our book website is “ready for business.” Time to get back to work on that logging book…

Possibly related posts:

• Not at Qualys Anymore

Two Fun PCI Appearances

FYI, this week I spoke at these two fun PCI DSS events (both virtual):

• PCI 2010: Trends and Technologies by BankInfoSecurity.com
• PCI 360: Multiple Perspectives by ISC(2)/BrightTalk

If you are into that sort of thing, check them out.

BTW, the PCI book is about to be printed – and our official PCI book website is almost ready!

Fun Reading on Security and Compliance #21

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is an issue #21, dated November 23, 2009 (read past ones here).

This edition of dedicated to all the folks who write blogs, but never read blogs. Shame on you :-)

1. The “60-minute-gate”: start here, then comments here and here.
2. Hilarious SIEM/log management video (“I need an outlet for my detective instincts”).
3. Did somebody finally beat “the Levin record” (which seems not really his now) from 1994? Stealing $9m purely through computers is kinda cool :-)
4. This shit is deep: data breaches cause data abuse (fraud, etc), says recent research. Captn Obvious award does not go unclaimed :-)
5. Detecting Malice eBook is out.  Get it!
6. NIST SCAP Conference presentations are finally posted (including mine). Check them out here.
7. Privacy and future shock discussion: read this (“Forget Privacy, It Is Just An illusion”), then this (“Gartner Gets Privacy Dead Wrong”), then this (“Bob Blakley Gets Future Shock Dead Wrong”). Fun to read and think about.
8. “HIPAA teeth” and HITECH act, very interesting. Also, this says that “57% of the survey respondents said they would make additional investments in security tools or technologies” [due to HIPAA/HITECH]. Is this for real?
9. Various smart people beat up risk assessment: here (“The practice of risk analysis is one of the root causes of our failure to match security countermeasures to the emerging threats. It depends on too many unrealistic assumptions”) and here (“I think one of the “hot” areas that I care about is being able to quantify risk. I personally don’t think this can be done because I’ve had too many customers show me their risk measuring systems and I’ve found fault with them.”) And then some other people defend it.
10. Gunnar’s cloud wisdom: Part 1,2,3a, 3b. Did I mention it is awesome?
11. Dave for the n00bs. Useful read, and not just for the n00bs: “Please please please please PLEASE do not come out of school with a degree in “Information Assurance” or some other bullshit and tell me you are a security professional.”
12. As I think more about SIEM, I find this old Decurity post very insightful, even though its enlightened creator has been absorbed by the EMC machine :-)
13. “The Art and Science of Infosec” is surprisingly insightful. Key quote: ”too many security folk, especially consultants and auditors, seem to fall into the trap of having the science drive their work more than the art.”
14. I read this (“Is Your Response Time Less Than 120 Days?” that talks about a security monitoring tool which was “mistakenly turned off for a four month period.”) and it reminded me of my old paper on "the fallacy of real-time” (here). Why obsess about sub-second correlation on your SIEM, if your “process” is to respond to events months after they happen? I like to call it “Is CNN your IDS?” syndrome. :-)
15. “Change the game” or “raise the bar”?

PCI DSS section:

1. I can’t think  why I haven’t highlighted it earlier: “Will PCI Mandate The Use Of Data Discovery Tools?” It is from Branden “Awesome” Williams, now of EMC.

Enjoy!

Possibly related posts:

• All other security reading posts.

Smart vs Stupid: But Not Why You Think So!

This slightly rambling post was born out of some fun conference discussions and well as pondering the “PCI is the Devil” theme. So, some interesting dichotomy was born as a result. Let’s temporarily call it “smart” vs “stupid” security, but if offensive labels … well.. offend you, you can pick something else instead :-)

The table below shows some concepts loosely associated with each security paradigm (of course, this whole thing is a gross oversimplification, but useful for our purposes nonetheless):

“Smart” Security	“Stupid” Security
Incident response	Badness prevention
Risk (to the extent understood … which is often not much)	Compliance, “doing the minimum checklist”
C of C-I-A, moving to I	A of C-I-A
Monitoring for attacks	“Nobody wants to hack us”
Logging + log analysis	No logging
Application security	Network security
System perimeter, application perimeter, network perimeter, “data perimeter”	Network perimeter
Firewalls, SSL, AV, IDS/IPS, WAF, SIEM, DLP, DAM, SDLC, VM, etc	Firewalls, SSL, AV
People	Boxes
Visibility (striving for it) – know control is impossible	Control (failing with it)  - afraid of visibility
Metrics (striving for it)	FUD
Want to know how secure they are	Afraid to know – but want to just “be secure”
0wned (know it, care to have less of it)	0wned (don’t know and don’t care)

Now, forget my “offensive” column labels that I added to purposefully confuse you :-) Even though security literati prefer to call the left column “smart”, “correct”, “good”, “risk-based”, “new school”, etc while label the right column “stupid”, “wrong”, “evil”, “checklist-based”, etc, it is more useful to think of the left as “RARE” and of the right as “TYPICAL” if you consider the organizations of all sizes.

However, things are actually a bit worse, even “TYPICAL” security from the right column is more than some smaller organizations have.  And this is where PCI DSS comes in, an angel with a flaming sword :-) In this context, PCI is a noble attempt to bring many organizations to somewhere better than the above “typical” level. And this is why I think it is awesome.

P.S. If  you were expecting a post on why PCI sometimes IS the devil, that will come later :-)

Possibly related posts:

• More PCI Devil Defense
• All posts tagged “musings”

SANS Log Management Class in Sacramento

FYI, I will be teaching my SANS class SEC434 called “Log Management In-Depth: Compliance, Security, Forensics, and Troubleshooting” on December 2nd in Sacramento.

Details: “This first-ever dedicated log management class for IT and security managers will cover system, network, and security logs and their management at an organization. We will start with the basics, like making sure that logs exist, and then go on to touch upon everything from managing log storage, to analysis techniques, to log forensics and regulatory issues related to logging.

In the beginning, we will cover various log types and provide configuration guidance, describe a phased approach to implementing a company-wide log management program, and go into specific tasks that IT and security managers need to be focusing on a daily, weekly, and monthly basis in regards to log monitoring.

A unique and comprehensive section that covers the hot topic of using logs for regulatory compliance, such as PCI DSS, will also be presented. Everybody knows that logs are essential for resolving compliance challenges; this class will teach you what you need to concentrate on and how to make your log management compliance-friendly.

The class will also touch upon various uses of logs for incident response, forensics, and operational monitoring. Common logging mistakes, learned from many years of working with logs, will also be explained.”

Sadly, the class is NOT public, but open to employees of the State of CA only (this time). The next time the class will be taught at SANS CDI 2009 (sign up!)

On SIEM Complexity

I love Laura Ries (@lauraries). Not in that way, but I think she is the source of non-trivial marketing awesomeness (despite her iPhone fiasco).

In any case, here are three pictures from her recent presentation:

Note that on the 3rd picture she uses the line that I’ve heard many times, but never fully accepted: “Changing the reality doesn’t change the perception.”  This is pretty darn profound – and darn hard to accept for folks of the scientific or engineering persuasion.

What is has to do with Security Information and Event Management (SIEM)? You know, “SIEM is very complex.” Everybody “knows” it.

At a conference in Scotland last week, I was leading a roundtable on SIEM  and I started the discussion with this provocative question: “Is SIEM ‘a MUST-have’ or ‘a nice-to-have’?” No offense to my friends at SIEM vendors (you know I love you too :-)), but 100.00% of those who responded chose “nice-to-have” and, respectively,  0.00% picked “must-have.” One person added that it would indeed be “nice”, but only if it will solve problems that his organization is having and at a reasonable cost. And another person stated that “SIEM is very complex” (with the implicit assumption that anything that complex cannot really be mandatory). And yet another got upset that his auditor requested that he “needs to get correlation” without explaining what it was…

BTW, yet another person brought tears to my eyes by saying that “on the other hand, log management IS a MUST-have” for incident response, accountability and other uses, but this is a different story altogether.

So, “simple to use SIEM” is “a luxury Hyundai” or (new meme alert!) “an anti-Unicorn” – you might find it, smell it, touch it, BUT still refuse to believe in it. That, my friends, is why (deep insight alert!) enterprise SIEM vendors don’t have much success with their SIEM appliance offerings (note that I am talking about their SIEM appliances and not their log management appliances; those are doing fine). Remember that “old school” SIEM vendors all started with ambitions of being an “HP OpenView of security” (EPIC FAIL alert!) which exudes pure complexity…

Personally, I’ve seen some decent attempts to make appliance SIEM easier, but my suspicion is that today the theme of “SIEM is complex” is exceedingly powerful and mere reality will not overcome it.

What can we do about it?

First, if we are to believe esteemed Ms Ries, fighting it with facts will not work. Perception will beat reality and you into bloody pulp. So, “but, dude, our SIEM really IS SIEMmple” won’t fly.

Second, we can focus on how amazingly NICE it is, without being a MUST-have. Stop obsessing about your SIEM not being a MUST-have like, say, iPhone or, say, Twitter :-) In many cases other than SOC building, SIEM’s purchase justification is fuzzy at best, despite more than 10 years of concerted vendor efforts with “ROI”, “TCO”, etc. Or such justification is based on a compliance shortcut which then backfires. In fact, “SIEM is not for everyone” might not be a bad slogan to use… or maybe “grow up to SIEM!” BTW,  I’ve heard of cases where SIEM was deployed even before NIPS/NIDS (or at the same time), and this shows that some organizations place fairly high priority on it.

Third, we can we sidestep the whole “must vs nice” debate and focus on specific problems that SIEM solves. You know, well-tuned correlation engine really can tell you about “bad shit” happening on your network! And it can simplify your daily workflow. And enrich logs with a lot of useful context information. And help with incident response (well, log management is better in that case).  If SIEM focuses on solving particular problems and solving them well, then the customer will have to decide whether solving that problem is a must for them or would just be nice. And the whole debate will change in a useful direction!

Fourth, you can focus on log management. Easy, huh? :-) And then decide which of your customers are ready for SIEM and who think of it as “sufficiently nice”  to deploy – then you can have them “grow up to SIEM.” Log management is – or, at least, at some point will be – for everybody who has logs and that is pretty much everybody…

 

Finally, I’d like to invoke a curse of unspeakable evil: if you sell an appliance SIEM that has a  license-based “hard throttle” which causes you to silently (!) drop incoming logs when 10% (!) of the EPS rate [that your customer paid for!] is exceeded and you are reading this post, please die a painful and embarrassing death. You are an offense to common sense! Also: dear appliance SIEM buyers – please ask your vendor what happens if the EPS rate that you paid for is exceeded…

Possibly related posts:

• SIEM Bloggables
• All SIEM posts

FUDSec FUD Piece Reposted – With Comments

My fudsec post (reposted below for backup purposes with a two week delay) was not “an endorsement” of FUD, it was a reminder to many overly excited folks that FUD is largely all we have today – and there are signs that change just ain’t coming.  As I hinted in  my quick follow-up (“Smelly Goat vs Flying Unicorn”), I am not defending Fear/Uncertainty/Doubt for the merits, I am explaining that we are largely stuck with it, for now. Another way to explain is to quite Churchill, as I do in the comments. Those who know me can confirm that I am a huge proponent of metrics (but also highly skeptical of some metrics ever being achievable).

Here are some of the insightful responses to it:

• Just say ‘no’ to FUD from New School of Security (personally, I think that “trumping with ethics” is a low card in intellectual arguments! IMHO it is one step above name calling)
• On smelly goats, unicorns, and FUD from New School of Security.

 A Treatise on FUD

FUD or Fear/Uncertainty/Doubt triad seems better known than the other security triad: C-I-A. It seems inextricably linked with security industry as well as with security technologies. After all, don’t we reach for some extra safety and security if we fear something, feel uncertain about something or doubt something?

While few CSOs and security leaders admit that they build their security programs based on FUD, below we will hypothesize that FUD is indeed a meta-level above risks, threats, vulnerabilities as well as compliance mandates. FUD’s role in security today probably overshadows the role of any other factor we know. To put more substance into our discussion, here are some well-known examples where fear, uncertainty and doubt manifest themselves:

· Fear

• Getting compromised by attackers
• Failing an audit
• Suffering big loss
• All of the above: Failing an audit + getting hacked + being dragged into a media circus

· Uncertainty

• Keeping a security leadership job
• “Keeping the wheels on” for security infrastructure
• In case of an incident, loss amount is uncertain
• Threats and their impact

· Doubt

• Security mission success
• Effectiveness of security measures
• Support of senior management

Further, many people view using FUD for driving security spending and security technology deployments as the very opposite of sensible risk management. However, FUD is risk management at its best: FUD approach is simply risk management where risks are unknown and unproven but seem large at first glance, information is scarce, decisions uncertain and stakes are high. In other words, just like with any other risk management approach today! Big Hairy Ass Risks (BHARs) dominate both the FUD-infested security vendor materials as well as internal CSO presentations. Note that very few of the BHARs are truly imminent and thus fall out of FUD realm as there is no uncertainty about them - just like only few people develop phobias of poisonous snakes (which would be a very useful phobia to have).

In light of this, we have to accept that there are benefits of FUD – as well as risks.

The benefits of FUD stem from the above view of security which is defined as “being free from danger” or ”measures taken as a precaution” against something bad.

First, in the world we live in, FUD works! Demonstration of a BHAR followed by technology purchase or control implementation does reduce possible loss of not only due to said BHAR, but also due to other threats (if BHAR ends up being completely mythical). Such implementations often also deliver other useful things for the organization. It is worthwhile to remind that “FUD selling” applies to CISOs no less than to “enterprise software” sales people. It also applies to “fear of auditors” as well as “fear of attackers” – both drive security adoption, even if lately the former seems to be winning.

Second, keep in mind that many of the BHARs are both genuinely scary and, in fact, likely. Scaring a company into updating its anti-malware tools (despite all the concerns about their relative efficiency) or into deploying tools to collect and analyze logs is excusable, at the very least.

Third, many proclaim that people need to be naturally drawn towards doing "the right thing" after being educated about what the right thing might be and scaring people into action is not that efficient. The technical answer to such concern is a resounding “Ha-har-ha!!!”

Finally, for years FUD was used to sell insurance as well as safety features in cars and other products, legal services, to make people update their boring DR and BC plans, and other good things. Fear might not be a very positive emotion to experience, but acting out of fear has led to things that are an overall positive, all the way down to resolving political tensions out of fear of a nuclear war…

Admittedly, Fear/Uncertainty/Doubt approach has issues as well. The key issue with FUD is its “blunt weapon” nature. It is a sledgehammer, not a sword! If you use FUD to “power through” issues, you might end up purchasing or deploying things that you need and things that you don’t.

Second, it is well-known that magic of FUD wanes if you invoke it too often. If you scare your customers or your management into taking your product or your security agenda seriously, they are almost guaranteed to stop listening to you at some point. However, if enough BHARs manifest , FUD approach will continue to be fairly productive. One can get desensitized upon hearing that "sky is falling" too often, but here is the thing: I am willing to take the risk of such "desensitization" given that sky is indeed "not quite stable."

Third, FUD power – as any other power – corrupts whoever wields it too often. If you end up scaring people into action or spreading uncertainty, you might well lose an ability to win security arguments any other way. Also, if fear is a motivation for every decision you make, checking into a mental institution is not a bad idea. You might actually be paranoid!

Finally, I’d like to bring up the good old “greed vs fear” model for advancing security, last mentioned at BlackHat by one of the speakers. As “greed-based” ROI scams fail to move security ahead, the role of fear has nowhere to go but up. In other words, all of us get to pick out favorite 3 letter abbreviation – and I’d take honest FUD over insidious ROI any day…

To conclude, fighting FUD is a noble pursuit; Don Quixote thought the same about fighting windmills. Even if objective metrics will ever replace FUD as the key driver for security, we have a bit of time to prepare now. After all, in that remote future age interstellar travel, human cloning, teleportation and artificial intelligence will make the life of a security practitioner that much more complicated…

Original post.

More PCI Devil Defense

Our paper “PCI: No Angel, but Not the Devil Either” just went up on “CSO Magazine” online (and a few other sources), check it out. It debates this piece which quotes Joshua Corman of The 451 Group. Sorry, Josh, we had to argue with the imperfect retelling of your words, so some points might not have came out well… Hopefully, we can have a real industry-advancing debate at some point!

In any case, I am getting a bit tired defending PCI DSS (ya know, “I’d rather be logging” :-)) from smart people who should (IMHO) know better. As I am doing it, I am also looking for some sort of “root of PCI hatred” in order to dislodge it and stop this frenzy once and for all (the whole thing reminds me of Harry Harrison “Deathworld” Jason dinAlt saga)

Here is what occurred to me recently: I used to think that “security perfectionism” drives a lot of attacks on PCI (“it sucks because it is does not ‘guarantee’ ‘perfect’ security”). But some old Scottish whiskey made me realize that it is more subtle than that – it is not perfectionism per se, but “enterprise security disease.”

Let me explain. If your entire security career happened while working at, selling to or advising global organizations about information security, it is highly likely that your brain has adjusted to that reality. But there is another reality – and, darn, it is big.

Here is an example: next time you are having lunch somewhere and paying with a credit card, think: do there folks have a network IPS? Web application security scanner? SIEM perhaps? A DAM tool? Information risk protection strategy? BTW, the answer would be “No, no, no and no and no.” Their security is anti-virus (deployed on most systems and updated on some), filtering router with NAT (and with a very open ruleset) and a few other “bulletproof” shields of that sort.

PCI is truly a beam of light (an annoying one…) for them – it motivates them to learn about all the wonderful security things they should be doing. Risk management? Pah. Threat posture? WTH. Encryption? Stop cursing. Firewall? Yes, we have it.

Here is how I presented this side of a debate in a recent argument I had (via email), numbers are from my favorite source of security stats (that is srand(), as you know :-)):

• 198x-1992: 99% of people just say 'screw information security'
• 1996-1999: massive email viruses hit; 98% of people still say 'screw security'
• 2002-2004: worms hit; 97% of people still say 'screw security'
• 2005-2007: spyware hits, botnets start their ominous rise, 96% of organizations still say 'screw security'
• 2007-2008: data losses hit, massive data theft happens, 95% of organizations still say 'screw security'
• 2007-2009: PCI DSS spreads. Oops! Now only 30% say 'screw security.' The rest has to at least pay it some lip service and raise their “wooden shields.” Hurray!

That is the main reason I think PCI magick has the blinding power of pure awesomeness.

BTW, I am working on a post that clarifies this “enterprise security thinking” a bit more. Also BTW, if you are looking to use PCI DSS as a general security or data security framework, go here.

Possibly related posts:

• My PCI Myths deck
• Five Reasons to Dislike PCI DSS – And Why They Are WRONG!

SIEM Bloggables

I was working on a presentation related to Security Information and Event Management (SIEM) the other day. Even though it was intended for a particular audience, a few pieces of it are generic enough to be shared with the world at large. Hopefully said world at large will find it useful for planning SIEM deployments, analyzing your requirements, improving SIEM product design, etc.

So, in no particular order:

What SIEM MUST Have Today?

1. Log and Context Data Collection
2. Normalization (including event categorization)
3. Correlation (what used to be bundled under “SEM”)
4. Notification/alerting (“SEM”) [the role of real-time processing seems to be shrinking, as I predicted in 2004 - that surprised everybody including myself]
5. Alert/event prioritization (“SEM”)
6. Reporting (“SIM”) [including visualization]
7. Security role workflow [from security analyst roles to incident responder (my classic piece on using SIEM for incident response, BTW) to security manager and – rarely! – the CSO]
8. Everything else is icing on the cake!

Key SIEM Use Cases

1. Security Operations Center (SOC): real-time views, analysts online 24/7, chase alerts as they “pop up” [this was the original SIEM use case when SIM started in the 1990s; nowadays it is relegated to the largest organizations only]
2. Mini-SOC / “morning after”: delayed views (“analyst comes in the morning”), analysts online 1-3/24, review alerts and reports then drill-down as needed
3. “Automated SOC” / alert + investigate: configure SIEM to alert based on rules and forget until the alert, investigate alerts, review reports weekly/monthly [this is the use case that many users want and few SIEM products can deliver…]
4. Compliance status reporting: review reports/views weekly/monthly, no security operation focus [it might be common, hopefully the organization can later transition to any of the use cases 1.-3.]

Two Types of Users To Make Happy – with SIEM or Log Management

“Minimalist”	“Analyst”
•Still evolves from “logs are dirt” to raw collection •Pure compliance focus – “deliver me from evil… eh… auditors” •Collecting logs •Checkbox mentality •Less mature; needs more hand-holding	•Evolved to “so we have them collected – now what?”; now stuck •“Compliance+” or pure security/operational focus •Using logs (analysis) •Situational awareness mentality •More mature; needs more “cool tools”

Enjoy!

Book Review: “The myths of Security” by John Viega

My review for “The myths of Security” by John Viega has been posted to Amazon; I gave it 4 out 5 stars.

Think about this book as a printed collection of blog posts – some a dozen pages, some half a page. John’s essays – all 48 of them - read like a typical blog: fun views on hot subjects, controversial opinions, new ideas for the future, dispelled myths, cool technology ideas, etc. I definitely enjoyed reading the book, even if most of the material was at least somewhat familiar to me.

For starters, this was the first time that I have seen a book written by somebody employed by a major antivirus company, who would agree that antivirus solutions don't work too well and slow down systems. It was very impressive to read that the author himself does not use an antivirus solution and didn’t even use one when he' was in charge of building one! (Understandably, he does recommend that consumers use one on their systems)

The following are some of my fave chapter highlights. “Security:”Nobody Cares” is one of my favorites; it covers why people, on average, don’t care about information security. His analysis matches that of some other industry thinkers, but it is presented well in the book.

I also enjoyed his thinking about why Microsoft antivirus solution would never pick up and never present a threat to the big AV vendors. In his opinion, most people do not trust Microsoft as a security brand. He thinks that customers would always go to security specialist and not to MS for antivirus tools, even if such specialist is located in Russia or Czech Republic. Also, it looks like the 30% success ratio for antivirus solutions is pretty much a commonly accepted number nowadays; it is mentioned in the book more than a few times.

One chapter that made me angry was chapter 7 on Google. He basically makes the insinuation that the Google in particular and pay-per-click advertising in general motivates people to hack into systems; a view as illogical as it is silly.

In chapter 26, John has an interesting idea for a Social Security number replacement scheme. Many other chapters contain ideas for improving major parts of security technology, even if in some cases the author has to disclaim them with his disbelief about their implementation potential.

It is quite interesting that in chapter 28 John dispelled the myth that including security early in the application design is cheaper. Compared to ignoring the problem until notice from customers, it is certainly more expensive. He touches most other known security industry “pain points” such as vulnerability disclosure. He proposes to replace “responsible disclosure” with a new scheme from my view looked kinda similar, less dangerous for the world at large but less motivating to software vendors. He also discusses whether disclosing vulnerabilities reduces or increases the risk for consumers (in his view seems to increase it).

Closer to the end of the book chapters get shorter and shorter. For example, chapter 42 ends up being half of a page in length. It pretty much states that he would sacrifice some privacy for more functionality and so would most of the others, which seem to be a very popular view nowadays.

I was very happy to find that he devoted an entire chapter - 2 pages in length - to criticizing academic security research (one of my pet peeves!). He says “lots of academics are reinventing what security industry has been doing for years. “ [They are also reinventing a lot of “epic FAIL”, proven to not work.] The book also mentions that there is nowhere near enough data sharing between security industry, where the problems are, and academia, where - supposedly - the brains are.

Other reviewers have pointed out that it is not clear what is the audience for the book. Many of the chapters seemed written for the “curious consumer” while others are clearly intended for security practitioners or even security managers and imply a degree of IT industry savvy.

Finally, I have to say that multiple mentions of McAfee did not annoy me at all. I fully realize that if somebody employed by the vendor criticizes the very livelihood of that vendor (classic signature AV, in this case), you must throw your employer a major bone. You absolutely have to mention your employer positively to counterbalance the criticism and he does – in many chapters.

To conclude, I read books on information security for fun. This book was a lot of fun to read even if I did not agree with some of his opinions. It is well-written, has light writing style and touches most if not all controversial issues in security; the book also has a lot of fun novel ideas for the future to think about.

Releasing Many Of My Security Papers!

As you can guess, I have written a lot of fun security stuff over the years. I’ve been “liberating” my content for the community to read, starting from presentations (via Slideshare)

Now, I am releasing most of my old paper content as well:

• My DocStoc collection
• My Scribd collection
• My Slideshare collection

Feel free to check these periodically as I will be adding old papers from my collections for a long time (they also get auto-dumped to Twitter). BTW, I am doing it despite the fact that some of my writing from 2002 is quite embarrassingly naive :-) But I never, ever misspelled HIPAA! Never!

Notable papers released:

• Automated Incident Handling Using SIM (now known as SIEM :-))
• Log Data Mining  /awesomeness alert! :-)/  - and related presentation on log data mining.
• Where Logs Hide: Logs in Virtualized Environments
• Discovery of Compromised Machines
• Trends in database log management 
• Buy vs. Build vs. Outsource: What’s Your Best Log Management Strategy? – and related presentation on the same subject.
• [very old, but still fun piece] On covert channels
• PCI DSS Myths – and related presentation on PCI myths
• “Security First” or “Compliance First”
• All presentations – there are pretty much all fun!

Go dig thru it, but keep in mind, old security stuff gets stale fast. So, while reading it, keep this in mind.

Possibly related posts:

• Everything tagged security reading.

Monthly Blog Round-Up – October 2009

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups is my attempt to remind people of useful content from the past month! If you are “too busy to read the blogs,” at least read these.

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.

1. “Top Log FAIL!” is hot! The post summarizes the most egregious, reckless, painful, negligent, sad, idiotic examples of “Log FAIL.”
2. Open source SIEM theme continues to drive a lot of traffic – it looks like folks are still desperately googling for it. “Why No Open Source SIEM, EVER?” post takes the spot in Top5 this month again. The older inspiration for this post is “On Open Source in SIEM and Log Management.”
3. “MUST Read on Walmart Intrusion” includes the juicy bits from the full story at Wired. Some amazing examples of “log FAIL” are mentioned there, BTW.
4. “Open Source CLOUD SIEM, Anybody?” post is where I shared some ideas on how to go about building an open source SIEM/SIM/SEM tool using cloud computing. It seems to have attracted a lot of attention. And it should have :-)
5. “Compliance != Security, Does Security = Compliance?” contains some fun analysis of situations where not only “compliance != security”, but also “security != compliance.”  This theme will definitely be explored in the future.

This month I am also starting a new tradition: I am going to thank my top 5 referrers this month (those that are actual humans, that is). So, thanks a lot to the following people whose blogs/resources sent most visitors to my blog:

1. Dancho Danchev blog
2. Dmitry Evteev blog
3. Martin McKeay blog
4. Kevin Riggins Infosec Ramblings blog
5. Richard’s TaoSecurity blog

Thanks for all the link-love!

See you in November. Also see my annual “Top Posts” (2007, 2008)

Possibly related posts / past monthly popular blog round-ups:

• Monthly Blog Round-Up – September 2009
• Monthly Blog Round-Up – August 2009
• Monthly Blog Round-Up – July 2009
• Monthly Blog Round-Up – June 2009
• Monthly Blog Round-Up – May 2009
• Monthly Blog Round-Up – April 2009
• Monthly Blog Round-Up – March 2009
• Monthly Blog Round-Up – February 2009
• Monthly Blog Round-Up - January 2009
• Monthly Blog Round-Up - December 2008
• Monthly Blog Round-Up - November 2008
• Monthly Blog Round-Up - October 2008
• Monthly Blog Round-Up - September 2008
• Monthly Blog Round-Up - August 2008
• Monthly Blog Round-Up - July 2008
• Monthly Blog Round-Up - June 2008
• Monthly Blog Round-Up - May 2008
• Monthly Blog Round-Up - April 2008
• Monthly Blog Round-Up - March 2008
• Monthly Blog Round-Up - February 2008
• Monthly Blog Round-Up - January 2008
• Monthly Blog Round-Up - December 2007
• Monthly Blog Round-Up - November 2007
• Monthly Blog Round-Up - October 2007
• Monthly Blog Round-Up - September 2007
• Monthly Blog Round-Up - August 2007

Obligatory “added everywhere” posts :-)

• I am not at Qualys anymore and looking for the next big security idea to work on! Meanwhile, I might be available for fun consulting projects related to PCI DSS, log management, SIEM or other fun security things.

Smelly Goat vs Flying Unicorn

On FUDSec FUD piece and “data-driven” security.

Q: If you ride a smelly, ugly goat along the road and then meet  a  handsome stranger who promises to give you a new ride: a beautiful unicorn that can fly, teleport, butt enemies with its horn and doesn’t need any cleaning, should you take it?

A: No! Unicorns are mythical creatures. Please keep your goat for now :-)

Notes from CSI2009 Annual Conference

If you’ve ever been to a ghost town before,  you didn’t need to go to CSI this year. It seemed to have only a few people even at HOT topics. Initially I thought that it was because I spent only the last day of the show there, but others told me that it was not the case. I saw a ghost of risk management there, BTW…

Other people’s impressions:

• Rafal Los on CSIAnnual (some observations about lack of passion, which I didn’t notice since I spoke on PCI DSS and PCI=passion :-))
• TechRumble on CSI (some fun cloud stuff that I missed at the show is mentioned there; quote: “Today even a 1-person startup can compete with Google and IBM in terms of infrastructure”)

Also, if you’d like to see my “PCI DSS as a framework for security” presentation (with voice and all!), go here. It is essentially the same presentation that I gave at CSI, minus some magic tricks I played on the live audience :-)

BTW, if you suffer from mild voyeurism, you can see a picture of me giving this presentation here (yes, I had explosions and demons in my PCI presentation :-)).

Possibly related posts:

• All conference stuff
• Notes from NIST SCAP 5th Security Automation Conference (a day before CSI2009)

Notes from NIST SCAP 5th Security Automation Conference

Sadly, I only had one day to spent at this fun event, but it was definitely well worth it. I missed some of the keynotes as I was speaking with various people, so the first presentation I went to was supposed to be about “HBSS Open Framework.” In this reality :-), it was replaced by John Pescatore from Gartner. He started to go about FISMA and NIST 800-53 (and even FDCC) popping up in commercial space (contractors mostly), but then  quickly boosted into the cloud :-)

One fun thing he sad was that what he used to call “nightmare [cloud] scenario” is now called “everybody scenario.”  His theme was that we used to think that security needs to be included when new [cloud] infrastructure is being built BUT (!) this moment is slipping away FAST! He even uttered that we need to “inject security back” as cloud train is speeding out of the station.  His vision can be summarized as  “MySecurity.cloud” – some kinda SaaS service that you go “through” before accessing other cloud services. He then quickly summarized what is the status of such “cloud exodus” now: vulnerability management is "”fully gone”, various filtering (“network security in the cloud”  - he called it “MitM security”) is going now, what will go next (log management or SIEM)?

Another interesting thought was about “full stack, continuous VM” – don’t just check for presence  of Skype (for example – he really means “all apps” including consumer apps on work PCs!) or for vulnerabilities in Skype, but check whether Skype is configured securely. He also show this fun chart:

/\ | axis: value to business
high	embrace	contain
low	disregard	block
	low	high	axis: security pressure ->

[I love how Gartner folks can visualize something complex into a neat chart…]

Another insightful thought from him was that the world has shifted away from directories. There is “no directory for cell phone” – instead  “ring of trust” such as Facebook is it…

Next I went to see Ed Bellis  fling some SCAP goodness. The main idea is that one can build a tool to automate the layer of tasks and issues above vulnerability assessment. Basically, the whole workflow from discovery –> remediation task planning –> fixing the issue –> retest –> validate + track everything for all regular and custom web application vulnerabilities. I find it really, really curious that VM vendors didn’t do it like this …. So, this was very useful and checking the slides

when posted will come hand. I found it interesting that there is absolutely no reconciliation between “security asset management/discovery” with “real IT asset management.” IMHO it drives the nail into a coffin of “IT ops and security convergence” theme that many folks adore … Also, web application flaw severity scoring is still a big hole. Where is CWSS when you need it? :-)

Next I made a mistake of going to a vendor presentation. It was so salesy I almost puked :-) BTW, the name of the vendor rhymes with “BigAss.” Please, dear BigAss folks, next time send somebody who can talk substance and not just that you are “strong in government!”

As far as trend watching, for a brief second I sensed that “SCAP use outside of the government” is an emerging trend, but it really isn’t. Using CVE and other identifiers as well as CVSS for scoring – outside the government or anywhere else for that matter – does not SCAP use make. It is simply called “common sense” :-) Now, if you found some use for the juiciest pieces of SCAP – OVAL and XCCDF – then we are talking…

Next I went to CEE presentation and my log standards challenges presentation. Obviously, this was the highlight of the day. At this stage, BTW, now I am convinced we can win this one and start standardizing the logs! In particular, we will release the architecture specification in about a week or two.

I am writing this on the train to CSI2009, notes from that show will come tomorrow…

Presentation from NIST SCAP

As mentioned before, here is my presentation from 5th Annual IT Security Automation Conference in Baltimore, MD on Oct 26-29, 2009.

LogChaos: Challenges and Opportunities of Security Log Standardization

View more presentations from Anton Chuvakin.

Onto CSI2009 tomorrow; my PCI presentation there is going to be totally awesome :-) It will feature … The Devil!!!

Also, events notes from the NIST event will follow later.

See you there!

Top Log FAIL!

The Wal-Mart story inspired me to summarize the most egregious, reckless, painful, negligent, sad, idiotic examples of “Log FAIL.”  Here they are:

1. Logging disabled: if you got a system which had operational logging enabled by default and then you turned it off before deploying in production – congratulations! You truly earn your title of a Log Idiot! :-)
2. Logging not enabled: this is more sad than anything else … and the person who will suffer the most from this is likely the one who has caused it. After all, you’d need those logs at some point yourself. There is nothing sadder than see a person having to explain to management, police, FBI, press, QSA, SEC, whoever: “Well, logging … was … never … enabled!”  (check out this motivational horror story)
3. No log centralization: Windows admins, read this one – logs on the machine that crashed, was 0wned or even stolen will do you absolutely no good. It used to be that only Unix administratory can do this (via the magic of /etc/syslog.conf line “*.*    @loghost.example.com”), but you, on the Windows side, could not. Please notice that the world is different now!  (check out this deck on benefits and tips related to log centralization)
4. Log retention period too short: the picture on the right should make this item (as well as the one above) painfully clear: doing “the right thing” and building the centralized logging infrastructure and then limiting the retention to 30 days is still “log FAIL.” Many, many scenarios today require logs from the past – for the juiciest examples check all the recent “compromised in 2006 – discovered in 2008” stories (see some here in this deck)
5. No logging of “Granted”, “Accepted”, “Allowed”, etc: I don’t even know where to start on this one – maybe thus: logging a firewall “connection blocked” events simply means that the firewall was doing its job, logging “connection allowed” shows that somebody is now in your network… The same  idea applies to logging “login failed” and missing “login successful” – please make really sure to always log both (read this tip for more examples, instructions and ideas)
6. Bad logs: if you are in operations, this is truly not your fault. But if you are in development – it probably is. Creating such logging classics as “failed successfully”  and “login failed” [with no actual user name recorded] are fine examples of this “log FAIL.” Be aware that our work on CEE will fix it eventually, but more hilarity will have to transpire before it happens (see this deck for  some ideas on how not to engineer logging and how to do it – and for some examples of hilarity, of course)
7. No log review or nobody is looking at logs: I am saving this “log FAIL” for last;  logs are created to be reviewed, monitored, searched, investigated, etc and NOT – I assure you! – to simply use up disk space (check my famous “Top 11 Reasons to Look at Logs” as well the classic “Top Logging Mistakes” for more info on this one)

BTW, check out Branden’s musings about the same subject  here.

Possible related posts:

• Another One from "Ignore Logs at Your Peril"
• Are YOU Ignoring Logs?
• Again, On Criticality of Logs
• Top 11 Reasons to Analyze Your Logs
• Everything tagged “logging” (a lot!)

Fun Reading on Security and Compliance #20

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is an issue #20, dated Oct 25, 2009 (read past ones here).

This edition of dedicated to all the folks who write blogs, but never read blogs. Shame on you :-)

1. Very, very bold statement: “Why On-Premise Log Management is Destined for Extinction” from my friends at AlertLogic: “why, for all but the largest organizations, hosting your own log management solution in your data center simply won’t be a practical solution”
2. Some fun metrics-related reading: “A Bit on the State of Security Metrics” (quote: “Security is a complex system based on a combination of biological (people) and computing elements. Thus our ability to model will always have a degree of fuzziness.”) and Metricon 4.0 slides (some exude pure awesomeness).
3. Cyber Security Awareness Month is almost over. Here is my token tribute to it – a link to SANS “month of tips”” Day 1 - Port 445 - SMB over TCP, Day 2, etc. (BTW, here is somebody making fun of the whole thing)
4. This is hot shit (“5 Mistakes a Security Vendor Made in the Cloud”) and the sad part is that I know what the vendor is… Quote: "The client now doesn't trust itself and blocks everything." Good news? It was fixed quickly :-)
5. Securosis shares a very useful tip on database logging: “Database Audit Events” (full lists here) for popular databases
6. From the bizarro world, comes this LinkedIn thread: “When will Information Security professionals stop talking about ROI?”
7. Burton Group weighs in on SaaS security; key quote: “[cloud] vendors will provide the controls they feel are necessary to get and retain customers. They will provide proof to the customers of the controls if asked and as long as the proof does not increase their costs too much.”
8. Richard encounters a “data idiot” and beats him into the pulp: “"Protect the Data" Idiot!”, “"Protect the Data" from Whom?” (the answer to “How do you protect yourself from nation-state actors?” is revealed…) and “"Protect the Data" Where?” Read it!
9. Philippe on the shift to the cloud [PDF]. Quote: “One day, almost everything we do on private networks – manage information, applications, infrastructure, and services – will be accessible instantly and securely from anywhere and from any Web browser.”
10. EthicalHacker.net is doing another challenge, here. 
11. We had an ROI war. Now another war is coming: “How to Value Digital Assets?” started it. The pile-up is here, here, here, here, here – hostilities continue…
12. Finally, Josh Corman (now a security lead at 451 Group) unleashes some awesomeness here at FUDsec: “Do the Evolution..” He uses what lately became one of my favorite ideas as well: “Can you name *one* security control we’ve retired?” He also bitch-slaps some folks with “… or we could continue to whine about PCI ruining risk management” :-) BTW, you also must read the turmoil in the comments…

PCI DSS section:

1. Good or bad data, but this is worth thinking about: “PCI Survey Finds Some Merchants Don't Use Antivirus Software” (PCI haters should read it too, BTW!) This is about folks who security is nowhere near PCI DSS levels. Key quote: “Around 10 percent of the respondents who said they were PCI DSS compliant said they weren't using basic security software such as antivirus, firewalls and SSL.”  More comments on it here.
2. Fun interview with Bob Russo. Enough said. Quote: “How many [QSAs] have left the QSA program because they weren't able to recertify [after being kicked in the balls by the QSA QA SWAT team]?”
3. “Tokenization Vs. End-to-End Encryption: Experts Weigh in” (myself includes). “End-to-end” claim worry me in the same way intrusion PREVENTION worries me…

Enjoy!

Possibly related posts:

• All other security reading posts.

On PCI and Whitelisting

I am hearing some interesting rumors… But let’s take a step back. PCI DSS Requirement 5.1 mandates the use of anti-virus on systems in scope of PCI (“Deploy anti-virus software on all systems commonly affected by malicious software”)

Now, when people think “AV software” they think about classic anti-virus with daily updates, painful scans, etc. In other words, “enumerating badness”, blacklisting, FAIL, etc. Give relatively low adoption of the whitelisting for desktop security (and slightly wider adoption for single-purpose systems such as PoS or industrial control boxes), I was under impression that the issue of whether a whitelisting protection would be a satisfactory control for PCI Requirement 5 was never  presented to a QSA.

Well, I was mistaken. It seems like many QSA WILL accept a whitelisting-based security application for Req 5, even if it is a pure whitelisting app with no embedded blacklisting mini-engine. Isn’t it cool?

And the rumor was that PCI Council will issue some kind of an opinion on this soon. So, maybe, just maybe, PCI gods will bless this technology into wider adoption – I think it might well happen. And I think it deserves to happen, especially since some vendors have usable implementations of whitelisting which does not plunge its user into “granular-policy-writing hell” (but more on this in the future…)

BTW, my favorite whitelisting vendor, Savant Protection (where I serve on the advisory board) is doing a fun webinar on Tuesday, October 27th.

Open Source CLOUD SIEM, Anybody?

"It's too bad I am not building an open-source SIEM … but if I would" (extra credit: guess the inspiration for this line), I would actually not build a software security information and event management (SIEM) product.

If I were doing it (and I am not!),  I’d built an open-source-based “cloud SIEM” with a default option to have it hosted by the vendor (that is you) as well as with a possibility to have it hosted by the customer (that is, old school on-premise model). The latter option would give you a classic open source “product.”

Think about it! If you are a new company, you cannot afford to be in the appliance business. That leaves two choices: software and SaaS. If you want to sell software, you are probably insane, go lock yourself up :-) If you want to give away software and sell services, you are OK. But won’t SaaS be better? And you can combine it with on-prem model, if some folks insist.  My recent employment made me quite SaaS-obsessed, since I had a chance to observe an excellent SaaS operation from the inside. It was amazing how easy it is to provision trials as well deploy the service in production, track usage and improve customer experience.

But let’s take a step back first! A lot of folks try to understand the relationship between “open source” and “cloud everything” (discussions about their relationship here, here, here and obviously here). The main idea here is the following: if people have “trust issues” with cloud providers, what is a better “mistrust breaker” than showing the source code for your solution? “Wonna audit?” - “Knock yourself out!” Moreover, if people have “hidden costs issues” with open source software, what is a better way to mitigate  it but to offer to run it for them? No hidden costs, not even electricity…

So, if you are possessed by SIEM aspirations (and I am not!), head to the clouds. For starters, your tool will be easier to deploy and update. But what is much more important, you’d take a fare shot at solving scalability problems without being a database tuning uber-guru. Unlike early software SIEM vendors (FAIL!), you won’t have to sheepishly point in the direction of mammoth Sun boxes, you’d just fire up another EC2 instance (or a thousand).  Moreover, on the scalability front, you’d have a fare shot against established SIEM vendors: I often hear rumors that even today, in the age of “cheap hardware”, some large organizations with loads of log data simply cannot architect a SIEM to handle all their security log data. And cloud computing leads to affordable scalability!

Solving these performance problems will let you use the CPU resources for log data parsing, correlation, stored data analysis and all sorts of other fun stuff. Storage, whether raw text or parsed data, will be even easier. Bandwidth will be a bit tricky, but I am leaving it out of this piece for a particular reason … don’t want to spill too much (I am leaving “the collection challenge” out as well).

Finally, as cloud applications [as well as web applications, in general] grow in importance, the whole idea of “SIEM in the cloud for the cloud” won’t be as naive. As we know,  the need for auditing comes last (here), but when it does come, it will come in force and both SMBs and F2000s will have this problem.  And it never hurts to be better prepared for the death of on-prem apps, if we are to believe certain visionaries.

So, throw together some EC2 magic, some database code and a sleek, well-designed UI to delight the users – and you are ready to do battle with foes 10x your size…

Any thoughts?

Possibly related posts:

• Why No Open Source SIEM, EVER?
• “On Open Source in SIEM and Log Management”
• Various SIEM posts.

Obligatory “added everywhere” posts :-)

• I am not at Qualys anymore and looking for the next big security idea to work on! Meanwhile, I might be available for fun consulting projects related to PCI, log management or other fun security things.

My Fun PCI Webcast on Oct 27, 2009

So, apart from flying to Baltimore, speaking at CSI2009 and NIST Security Automation conference and meeting a huge number of fun people, next week I will also be doing this exciting PCI DSS webcast, where I will unveil my latest idea.

Here is an embed that talks about it:

Enjoy!

And if you are in Baltimore at CSI or NIST - see you next week!.

P.S. Somebody (wink-wink) promised to bring cigars, please do it ;-)

Book Review: “Into the Breach”

“Into the breach” by Michael Santarcangelo is actually a fun read; it seems to be a useful book on security for management. It is non-technical by design since it is about the people side of security. In fact, he presents security itself as “a human issue.”

One of my favorite sections in Part 1 reminds that many policy violations happen because people just want to do their jobs better (the author also claims that people “want to do the right thing” if such choice is easy enough). I loved the “compliance is not a video game” theme, where your faults do not have real world consequences, as well as “security as something inflicted upon the organization” and “security as a crash diet” themes. What is also interesting is that the book seeks to solve one of the key problems of “what is risky?” vs “what is only perceived as risky?”

The part of the book is Part 2 where author’s “strategy to protect information” is unveiled. The author then goes into some level of details on how to implement the strategy (run a pilot, “build a flywheel”, etc).

On the negative side, I was saddened that Michael succumbed to a popular insider myth (on page 11 – “70% of attacks are by insiders”) while trying to dispel another security myth. That is the risk anybody runs while quoting too many questionable surveys. Also, the book sounds too fluffy at times (e.g. the strategy is “understand-engage-optimize”, frequent advice to “be effective”, etc), but does seem to convey its message pretty well.

Overall, if you are managing security on a high level, or manage IT or even the whole business, read this book. It is short enough so that such people will read it and get the ideas! If you are a security pro and can handle a non-technical volume, grab it as well and keep in mind that this is a management book. After reading it, please give it you your manager!

Possibly related posts:

• My other recent book reviews
• My Amazon book reviews
• My old book reviews

Praying to PCI Gods

Obviously, inspired by Amrit’s “Exorcising the PCI demons” and, in fact, morphed right from it.

“… But let’s get back to Josh’s demonological metaphor and consider some of the ways that PCI resembles ...” the Benign Deity (specific deity is up to the reader…)

The God holds promise. PCI DSS offers its adherents access to the spiritual riches — and not only those attainable through debit and credit cards—so long as they know and respect (and validate!) PCI’s 12 commandments. While delivering its spiritual riches, it also makes its adherents BETTER in the process: better security, better businesses, better awareness of the threats.

The God is honest. PCI does not promise falsities such as “to make retailers secure against hackers.” It promises to raise them out of the ignorance and “0wnage” to finally having a modicum of much-needed security technology and process.

The sorry history of breaches, blowouts, and damaged reputations attests that there is a long and sometimes difficult road ahead of us and that both faith and hard work will be needed along the way.

The great thing is that PCI is likely the best that many organizations can use to protect a transaction technology based on account numbers, magnetic stripes, fixed user identities, and passwords.

The God is an inspiration for goodness. PCI has led countless companies and organizations to improve security and reduce their operational risks – as well as instill customer confidence.

Security professionals often find themselves assisted by the PCI God when they win an argument with management which then allows them to start taking actions to block threats and keep the business running and out of the negative press. PCI both inspires them to build a solid security program and helps them as a powerful force for good security.

The God loves humanity, even its haters. As at least one commentator has pointed out, the PCI standard is a brilliant way to shift responsibility for IT security from card issuers to retailers.

It is indeed brilliant since many merchants are negligent and lose card data in massive amounts as a result of their own ignorance, but issuing banks have to “eat” all of the card replacement costs which are due to no fault of their own.

Card issuing banks did not invent and institute the technologies that have proven so vulnerable to moderately skilled hackers. When a breach occurs, merchants shrug and talk about their devotion to promulgating security measures, knowing that the issuers will be left with all of the card replacement costs and some of the fraud costs.

The God is sometimes a sacrificial lamb. There are two groups that will vehemently attack the virtues of PCI by completely lacking any insight into it. One group are organizations who refuse to implement any security measures and prefer to be negligent and breach the social contract with their customers by losing their data left and right. The other group are idiotic perfectionists who want all the data to be protected all the time, no matter what the business impact. The latter group also wants somebody (but, obviously, not them!) to pay for an overhaul of the world’s electronic payment processing systems.

Vendors that provide security solutions and those that provide PCI assessment services, also known as qualified security assessors (QSA), will always position PCI as necessary and useful for security. Indeed, PCI God guides the willing – by providing the Data Security Standard – and motivates those still in the darkness – by providing the validation regime and His army of God’s Angels aka QSAs.

At this point, readers may ask, with all of the God’s awesomeness and track record in doing good even to those who prefer to remain ignorant, why do people criticize it? Well, remember the old saying: "I see..."

UPDATE: link for the "I see..." updated; the previous link had some bad language in comments. Thanks for one of my readers for pointing it out.

Amrit, sorry for all the quoting! :-) Enjoy!

Possibly related posts:

• Five Reasons to Dislike PCI DSS – And Why They Are WRONG!

Notes from Cornerstones of Trust Conference

I spent a day yesterday at Cornerstones of Trust Conference conference here in Bay Area. The event was “a cooperative effort of the San Francisco Bay and Silicon Valley chapters of the Information Systems Security Association (ISSA); and San Francisco Bay Area InfraGard.”

Here is what I attended; they promise to post the presentations soon:

• “Compliance is Not The Same as Security” panel moderated by  Robert K. West, CEO and Founder of Echelon One.
• “Head in the clouds, feet on the ground - The business side of security in the cloud” by Tim Mather, Security Strategist and Subra Kumaraswamy.
• "Why We Must Develop a New Model for Collaboration in Cyber Security: A Perspective on America’s Innovation Crisis", keynote by Pascal Levenson
• “Cloud Computing Security - Practical and Actionable Security Controls to Assess the Cloud Vendor” by Brian Koref , Information Security Officer at KLA-Tencor.

Do you know what amazed me the most about this event? Lack of tweeting! Back at RSA and BlackHat, you can see flashes of TweetDeck everywhere in the audience, if you look from the back. Here – you see a lone gunman…eh... tweetman :-)  In any case, I invented” the hashtag “#cornerstonestrust” and took some notes; read them here (as usual, you have to read from the bottom).

The conference was fun, but I couple of times I had my “buffoon alert” tingled. For example, somebody said that Heartland is suing their QSA and, to the best of my knowledge, that is not true. Cloud sessions – both of them – were pretty interesting. I learned what is “cloud angst”  and realized that despite CSA work, people are still creating their own cloud provider diligence sheets (hopefully, the upcoming version 2 will help). The innovation keynote reminded me of my ROTC training in PsyOps. Namely, when you push your message too hard, people just start doubting you (our ROTC colonel also cautioned us from ever saying anything like “I am not saying it because I profit from it; on the opposite…” :-))

In any case, the conference was a day well spent!

Enjoy!

SANS Log Management Class – CDI2009

As some of you know, I’ve been secretly working on a one day SANS Log Management class for quite some time now. A few trials were conducted and most-if-not-all-all guinea pigs survived their encounter with the log :-)

It now seems increasing likely that this class will be first launched at SANS CDI 2009 in DC this December.

Here is the information about it – please sign up now:

Log Management In-Depth: Compliance, Security, Forensics, and Troubleshooting  (1 day)

Thursday, December 17, 2009 : 9am – 5pm

Description:  This first-ever dedicated log management class for IT and security managers will cover system, network, and security logs and their management at an organization. We will start with the basics, like making sure that logs exist, and then go on to touch upon everything from managing log storage, to analysis techniques, to log forensics and regulatory issues related to logging.

In the beginning, we will cover various log types and provide configuration guidance, describe a phased approach to implementing a company-wide log management program, and go into specific tasks that IT and security managers need to be focusing on a daily, weekly, and monthly basis in regards to log monitoring.

A unique and comprehensive section that covers the hot topic of using logs for regulatory compliance, such as PCI DSS, will also be presented. Everybody knows that logs are essential for resolving compliance challenges; this class will teach you what you need to concentrate on and how to make your log management compliance-friendly.

The class will also touch upon various uses of logs for incident response, forensics, and operational monitoring. Common logging mistakes, learned from many years of working with logs, will also be explained.

Here is my “Author Statement” about the class:

Logs and log analysis have long been one of the most challenging areas of security; they are also closely tied to proper system and network administration practices. With regulatory compliance added on top with specific requirements on log collection, retention, and analysis (such as those found in PCI DSS), there has never been a better time to FINALLY get your logs under control. This class is the first-ever dedicated class on getting your log management project right. If you know that "you need to have those logs handled!", sign up and learn exactly how to do that. Many years of experience with logs went into this class and so you, an attendee, have a chance to avoid the most damaging mistakes and learn from many years of the author's experience with logging, log management, log tools, and the use of logs for various purposes.

More info and sign-up here!

Enjoy!

MUST Read on Walmart Intrusion

Move over “Heartland-gate”, make room for “Walmart-gate” :-)

Wired uncovers a very fun story here. The juiciest quotes follow below:

On intruder goals:

“hackers targeted the development team in charge of the chain’s point-of-sale system and siphoned source code and other sensitive data”

On practices:

“at least four years’ worth of customer purchasing data, including names, card numbers and expiration dates, were housed on company networks in unencrypted form.”

On intrusion discovery (Was is … an IDS maybe? Ha, not funny!):

“a fortuitous server crash led administrators to a password-cracking tool that had been surreptitiously installed on one of its servers”

On logging:

“The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.”

Please read the above line again! Again! AGAIN!

On some spoils of war:

“one of the documents that flew off to Minsk from a programmer’s machine was titled“POS Store Systems Technical Specifications TLOG Encryption and Financial Flows.” […] The hackers also stole or accessed files containing point-of-sale source code and executables, as well as additional proprietary documentation detailing the company’s transaction processing network.”

On PCI role:

“Wal-Mart says it received a number of [PCI DSS compliance validation] deadline extensions […] … became certified as PCI-compliant in August 2006 by VeriSign. After it discovered the breach in November 2006 …”

Read the whole thing, will ya?!

More On Security Vendors and PCI DSS

Image by purpleslog via Flickr

This is a forced follow-up to my “Top PCI DSS Security Marketing Annoyances” post. What forced this is that a lot of folks are googling for “pci-dss market analysis”  (double laugh, if you read my previous post)!

So, let’s analyze this a bit: what creates such tidal wave of PCI security marketing stupidity is a mindset of some vendors. They keep thinking “how to sell our shit using PCI?” and not “how to help organizations with PCI challenges?” This is what drives people to buy encryption instead of not storing the data, to deploy IDS sensors with alerts going to /dev/null, to scan web sites and never fix them, etc.

It is not uncommon for a security vendor to review a report that says that “only 6% of companies under PCI DSS use a technology X mentioned in the standard” (and that said vendor happens to produce) and then think “Wow, those merchants are stupid! They really should buy out shit NOW!”  A quick question to merchants reading this: do you guys like it? :-)

The answer is obviously “NO!” You probably want said vendor to actually understand your problems with PCI DSS and then offer, well, SOLUTIONS! It is very hard for some vendor to shift to that helpful mode if they keep obsessing about the following: “Problems? What do you mean “what problems we solve?” – out bottom-line is our problem! ‘PCI-says-YOU-MUST-BUY!’” :-( 

Yes, PCI DSS does mandate the use of many security technologies and it is prudent to mention that fact, whether you are vendor looking to help others or an end user looking to gain management support. Admittedly, I’ve long called PCI our sledgehammer of both awareness and budget for information security. But you can build a house with a hammer or .. you know how this metaphor goes :-) PCI DSS has a lot of energy to motivate people to improve security, please help them do just that!

But what if a merchant’s only perceived challenge is to “make QSA go away and take his PCI thing with it?” Obviously, the other side of the coin is merchants buying something (like a Dell box with the the label “FIREWALL” taped on [source here]) just to fake validation. This is where you as a vendor must evangelize! As Guy would explain, “evangelism” is not the same as “shouting the loudest” or “lying the vilest,” it is educating and then eventually converting the customer base to your way of thinking, which also happen to be the most useful one for them as well…

Finally, if you did get here after googling for “pci-dss market analysis,” please keep in mind:

• Payment card security standard is called “PCI DSS”, not “PCI-DSS.”
• There is no such thing as “PCI market” so there is nothing to “analyze”; PCI is not for sale :-)

Enjoy!

Possibly related posts:

• Top PCI DSS Security Marketing Annoyances

Another Old Presentation: FIRST 2006 Logs and Incident Response

I am releasing another one of my old presentations that I don't plan to reuse in whole: “Log Data Analysis for Incident Response.”

It was presented at FIRST Conference in 2006 in Baltimore, MD as a half-day tutorial.

FIRST 2006 Full-day Tutorial on Logs for Incident Response

View more presentations from Anton Chuvakin.

Enjoy!