Wednesday, December 31, 2008

Review of My 2008 Security Predictions

OK, so other bloggers are not doing it, maybe they are too shocked by The Death of the Internets, 2008 Edition, Rel. 2.0. I will, however! Namely, I am going to revisit my 2008 predictions, posted here. BTW, I disagree that year-end predictions and reflection are a waste of time. I think that whenever you do it, it is useful to think and reflect about the long term.

So, here are the predictions (in italic) and how they did (in regular) after about 12 months of “facing reality.”

Platform security:

  • Vista makes us secure = no. People start to actually use it (in large numbers) = maybe. And then get 0wned = yes! The volume of Vista hacking (and then Win 2008 hacking) will increase as the year progresses.

This prediction was too safe, and also not too specific! Vista definitely did not make us secure. I can suggest that the part that “people start to actually use it” was a failure and Vista is NOT yet in wide use (definitely not on the corporate side). There was not much public “Vista hacking” and few critical Vista vulns. On the other hand, Vista is not a security failure; it is just a regular one :-) So, is Vista the new OS/2?

  • Increase in Mac hacking = yes. The story is that Vista drives Mac adoption -> Mac increase in popularity will drive a new wave of Mac "0wnership"

Just as the previous one, this prediction was not too specific. I think we can claim that Mac hacking has increased and a few critical Mac vulns crept up. However, I don't have the metrics to prove it. Definitely, the idea that “Mac = secure” has shrunk in popularity down to its minimum value: the size of the Mac fandom :-)

  • Web application hacking still on the growth path = yes. As they say, 'it will get worse before it gets better.' I am predicting that 2008 is still the year when it continues to be getting worse.

Yes, yes and yes! As Jeremiah said, web application hacking has finally arrived (after a few false starts). However, I will call this “a pussy prediction” since it was so easy to get right. In any case, go check your website for SQL injection, it is probably 0wned already :-)


  • 0days use becomes mundane = yes. This will be especially true for those browser-hacking folks who "need" to earn some cash off phishing and other data theft. Thus, "0day use" will no longer constitute news!

I’d say, “a miss,” despite all those fine folks 0wned thru IE 0days: a good zero day attack story still makes news. BTW, check Pete’s “0day tracker” here.

Hacking, data theft, etc:

  • Loss of trust towards legitimate Internet sites = yes. This is manifested by things like this point by the WS guys - more 0wned than malicious sites are used to spread malware. Even now I shudder from the thought that ANY site I visit might be displaying a malicious banner ad which is either bought or "hacked in" by the attackers. The implications of this are pretty horrifying!

I wanted to link to Rich’s Amex example here, but why bother? The whole root CA fakery is a much, much, much better example (brief, details, for laymen). Fake sites -> fake SSL sites is definitely an ominous possibility (even though this particular issue is not that scary [more cool than scary!], it illustrates the point).

  • Major utility/SCADA hack = no (not yet). Everybody predicts this one forever (as Rich mentions), but I am guessing we would need to wait another year or so for this ...

This one makes for interesting thinking about why it did not happen; surely there is a massive fun factor in sending some sewage towards your enemies. I'm happy to be correct here, but I was predicting that something major and world changing would NOT happen, so the Feynman paradox is on my side.

  • Cyber-terrorism = no (again, not yet!) Will it be a reality in the future? You bet! Just not now ...

Do I really have to comment on this one? Is there anybody with a semblance of a brain who expected 2008 to be the year of “cyber terrorism?” This was a safe one; an ultimate “pussy prediction." Easy to get right for the same reasons as the previous one, about SCADA.

  • A massive data theft to dwarf TJX = yes. And it will include not some silly credit card number (really, who cares? :-)), but full identity - SSN and all.

Ok, I missed this one – no “TJX 2.0” this year. I seemingly forgot about the famous Feynman paradox (see book), which says that if you predict the status quo, you’d be right more often than not. Still, I think that the current onslaught of security breaches is not the worst we have seen, not by far.


  • The year of mobile malware = no (not yet, if you insist!). As I discussed here, mobile malware is "a good idea" (for attackers) provided there is something valuable to steal (not the case yet in the US)

This one was a no-brainer; another “Fuzzer prediction.” In fact, I think that everybody who predicts it either is retarded or has something to sell.

  • More fun bots = yes. Bots are here to stay: they follow an overall trend for IT automation (seriously!). Think of bot infrastructures as "shadow IT" with their own SLAs, business model innovation, performance optimization tactics, etc
  • Fewer worms and viruses = yes (why write one if you can make money off bots?) As the share of "conventional" viruses and worms in the whole malware universe decreases, so will the popularity of "legacy" AV vendors ...

These two go hand in hand! Worms did NOT come back while bots proliferated. Unless folks invent new and cool ways of making money with worms, we are looking at further bot development. I’d say that it slowed down a bit since our defenses are so far behind. BTW, what were the latest infection numbers for bots? 30% of all desktops? 60%? 87%?

  • Facebook malware/malicious app = yes. This one will be fun to see (others agree), and current malware defenses will definitely not stop this "bad boy." On the flip side, there is not that much to steal off Facebook accounts ...

A miss. My guess is that there is still not much to steal from Facebook accounts (well, maybe that picture :-)). I think social networks will become more than an insignificant source of malware, just not today.


  • PCI DSS continues its march = yes. In fact, I bet PCI DSS frenzy will spread downmarket - there is sooooo much more Level 3s and Level 4s compared to Level 1 merchants. They all take CCs, they are all insecure - thus, they will all be 0wned! And then hopefully fined :-)

I am proud of this one, actually, and not only because of my job title. So many sore losers have predicted that PCI momentum will fizzle. No such “luck.” While some people criticize it for specific requirements or missing things here and there, I swear that those who paid ABSOLUTELY NO attention to security now do it ONLY because of PCI. As a result, PCI DSS -> the world is a safer place for everybody!

  • ISO17799, ITIL, COBIT frameworks = maybe (again); they likely won't be 'hot,' at least not in the US; ad hoc approach (with some use of ideas from the above frameworks) to security management will still rule.

Ok, I took the cowardly route here too; I should have said “no” (not “maybe”) and I’d still be correct. In fact, I think that even all this work on ISO2700X will NOT make ISO popular in the US.

Risk management:

  • Will we know what risk management actually is in the context of IT security = no. Some people (e.g here) might, but not the majority. And don't even get me started on security ROI :-) This part of security realm will continue to be occupied mostly by loudmouths who will spout, but never define; rant, but never explain; blab, but never clearly state. Sorry to those who are not like this, but you will continue to be in the minority in 2008.

Darn it, I stand by it. We still don’t know jack about how to apply “risk management” (aka “sometimes you think you manage risk, and sometimes the risk manages you” :-)), but there are some really good attempts at it.

Security technologies:

  • eVoting security will flare up = yes. Expect big and bad stories about evoting in preparation to the US elections. Maybe another "chad story", but with an "e-" added to it? Fun, fun, fun! :-)

Yeah, there was some noise, but not as much as I thought. So, maybe we’ll call it a miss.

  • Full disk encryption becomes popular = no. In fact, I predict that in 2008 encryption would be "the new firewall" - more and more people will hide from reality behind "we have encryption - we are safe now!" (check out my piece on encryption mistakes, while you are at it)

Not happened yet, so we will call it a hit. I do think that in 2009 it will get there though (I am typing this on a laptop with an encrypted hard drive! :-))

  • NAC= huh. Huh? The451Group said it best: "NAC has been the 'next big thing' for about four years now – that's a long time in the IT world." Others just say "NAC fallout has started." NAC vs insider attacks? Gimme a break... :-)

A hit, for sure. Was I the first to predict the demise of NAC? Probably not. In fact, Gartner folks make fun of some NAC predictions here. “You know what we said about NAC becoming a $2B market that will achieve 100% enterprise penetration in 2008?” Bua-ha-ha-ha.

  • More whitelisting for host and network security = yes (but combined with blacklisting, which is certainly not going away!) As malware landscape becomes even more diverse, application whitelisting for security will start to shine even more.

Hard to say; I am tempted to say that it is a hit, but the inertia of “Big AV” is still too huge.

  • Academic security research stays ridiculous = yes. Wrong problems, wrong solutions, wrong speed (as in: solving solved problems of day before yesterday...). There will be some exceptions: for example, some of the Project Honeynet academic participants deliver a punch!

Seriously? As ridiculous as ever. I will NOT be shocked if some academic invents a new anti-worm solution :-) Ya know, to stop Blaster, Slammer and their ilk.

  • Secure coding becomes mainstream = no (definitely, 'not yet' on this one). It pains me to say that I think that while this ball definitely started rolling (e.g. SANS is pushing it hard now) it won't be hurtling down the highway at full speed. 2009? Sure, maybe!

Again, this was an easy one. The tricky part is to predict when it will become mainstream, or whether the economics will keep it in the niche. Here is a thought: maybe it will become mainstream WHEN somebody makes it easy!

No, no and no. A hit, for sure. Please remind me of the latest DoD deadline for IPv6? 2004? :-)

Security market:

  • Mid-market and SMB security = yes! I think 2008 is the year when smaller organizations will start buying the types of security solutions that were only looked at by the large enterprises before. After all, they have the same problems to solve! They have compliance too. They lose data.

Well, PCI is making it so, but sooooooo slowly. I guess I phrased it safely (“start buying”) and so it is a hit, but I’d say that it will take more development before smaller organizations will even get a chance to become secure.

  • More security SaaS (software as a service) = yes. It is not just Qualys anymore ... More companies will figure out ways to sell security software as a service. This is especially true due to the SMB security spending increase predicted above!

He-he, funny you’d mention that :-) Of course! Yes, definitely a hit. The question is who will make it work next.

  • 'Consolidation' = no. Whaaaaat? You just said 'no' to consolidation in security market? :-) Well, Vendor X might buy Vendor Z and Vendor N might go down in flames, but I predict that we will celebrate 2009 with just as many security vendors as we have today ...

A hit, a counter-intuitive one for some.

Logging and log management:

  • Database logging = yes. 2008 is the year when database logs will be collected and analyzed just as Unix syslog, Windows event logs and firewall logs are collected and analyzed today by just about everybody.

This is true to a large extent, but I will not say that “everybody is doing it” so it is a partial.

  • Application logging will start = yes. People will start collecting (at least collecting at first) application logs, not just firewall and server OS logs (and database logs, as mentioned above). Maybe ERP, CRM logs, maybe other large enterprise applications will lead the way. Major 'application logging waterfall' will occur later, however ...

Starting – yes, but definitely not en masse. I think log standards work (CEE) has to be more advanced before application logging and log analysis will spread.

  • Now that collection and management are 'taken care of' in many organizations, log analysis will (again...) come to the forefront = yes. In the end of 2008, we will be doing log analysis in a large number of fun, new ways - it won't just be about rule-based correlation and keyword searching anymore (Andrew agrees)

A nice fat piece of wishful thinking on my part. Log storage is still largely the state of the art, even though I trust the splunk folks will help advance this one.

Dark horses, that will influence security in a major but unknown way in 2008:

  • Virtualization = people talk about hypervisor security and virtual security appliances as well as other fun stuff (e.g. this), but, in all honesty, we can't yet fathom the impact that the coming virtualization wave will have on information security.

This one gives a lot of people a lot of reasons to talk about fun stuff (Hoff comes to mind). Will I call 2008 a year of virtualization security? No, probably not.

  • Privacy = I predict that privacy issues, also privacy laws and public outcry due to privacy violations will impact the world of information security in 2008. However, my crystal ball is refusing to share the details on how exactly, citing "privacy concerns" :-)

This one will also have to wait. If you think about a) security b) privacy and c) compliance, then c) holds MUCH more mindshare today, sadly.

Conclusion: my personality type is hereby labeled “successful but cowardly predictor” :-)

2009 predictions are coming soon!!! Yes, they are!!

Tuesday, December 30, 2008


'The cat is out of the bag : The title of the talk “Making the theoretical possible” has been changed to “MD5 considered harmful today: Creating a rogue CA certificate”.'

OK, this IS seriously cool. And, yes, as usual there is always somebody who just knew it before :-)

Live stream here somewhere.

Monday, December 29, 2008

On 2008 (!) Security Predictions

Notice how few people (one example, Rothman will do it of course) actually go back to their past year predictions (all 2008 predictions via my delicious tracker) and review them. Is it because more than a few of those predictions are retarded? I dunno... I am working on my 2008 predictions review as we speak.

And, BTW, I am baaaack! Kauai is indeed as awesome as people said :-)

Friday, December 19, 2008

No Blogging Next Week

No blogging and twittering next week. I am off to warmer places.

BTW, if upon return I won't find at least a dozen of cool security predictions from my fellow security bloggers, I will kick your blogging ass ;-)

Finally, Somebody Said It Like It Is...

So, I was writing a long blog post (still to be finished) about how I read some stuff people write about "cloud security" and laugh. Why? They write about cloud security and cloud-based security services, but we DO it. Now somebody said it really well here:

"Cloud computing is all the rage now.

But Qualys, a fast-growing Redwood City-based network security firm, was a pioneer in offering computing applications and services over the Internet when it was founded in 1999."

Think about it ... you are writing about it in 2008 and there is somebody who has been doing it since 1999.

OMG, I Started to Be Known As ...

... as @anton_chuvakin (example)

I am NOT @anton_chuvakin, I am Anton Chuvakin :-)

Thursday, December 18, 2008

On Infosec-related Cat Names

Don't ask me to explain it, but you can vote in my newest poll about the best infosec-related cat names here. As usual, results will be posted here.

Finally, I'd hate to bias the poll for you, but I suggest that you vote for "Fuzzer."

UPDATE: infosec cat story takes on a life of its own.

UPDATE2: Fuzzer is winning!

On "IRS Doesn't Check Cyberaudit Logs"

As reported by Ken Belva in "IRS Doesn't Check Cyberaudit Logs" (Slashdot, original source): "The US Internal Revenue Service's IT staff hasn't routinely checked its cybersecurity audit logs, according to a report released this week by the agency's inspector general's office."


Come on.... is there anything shocking in infosec?

When “Solutions Before Problems” Approach is OK?

So, they say that dumb overeager salespeople push “what they have” no matter “what the customer needs” – and, more often than not, end up with BOTH an annoyed customer and some damage to their employer’s brand (yes, it might be all about his/her personal sleaziness, but it DOES damage the employer’s brand!). On the other hand, it is said that a smart salesperson will always inquire about “what problem does the customer have?” and then position/describe his wares accordingly, IF they are indeed a fit for the customer's needs.

I happen to agree with this and think that problems should be visible before solutions are unpacked. Other people mention it as well (recent example from Andy’s blog and its continuation, and then here and again here; read it – it's fun!)

However, what happens when a customer insists: “tell me what ya have!” There are, curiously, many versions of that, when a customer confronts you with something like this:

  • “You guys are experts; tell me what I need to be doing ‘to be OK’”
  • “Please tell me which options I should enable”
  • “Just give me a document explaining how I can “be secure” using your product”
  • “You tell me which one is the best!”

(all above examples are fictitious, but “inspired by true stories”)

I can fight it (and I did fight it on a few occasions in the past, actually, insisting on problem description), but it creates a bizarre paradox:

“Customer is always right” + “problems before solutions” + “customer wants to hear about solutions first” = ?

Just sharing an observation… 

Thursday, December 11, 2008

On Retarded Year-end Security Predictions

‘Tis the season to predict (prediction tracker), BUT it is also a season to make fun of other’s idiotic or super-trivial predictions. Let’s start NOW!

“More activity from the cyber underworld” (here) - ya know, hackers will hack, phishers will phish, spammers will spam type stuff we need more of :-) Deep, deep insight in this.

“Computer users can expect to see more spam” (here) - now that we are on the subject of spam :-)

“Someone will unplug the Internet” (here, sadly) – no comment, really.

“SCADA <anything REALLY bad>” (here) – to be really honest, I have not really seen it yet this year so no link, but it will come. Help yourself to previous years' embarrassments :-)

“The space <insert this vendor’s space> will be all the rage in ‘09!” (many) – if you are a NAC vendor saying this, you get 10x of the idiocy points. Congrats, you are now in the prediction biz too :-)

“Year of mobile malware AGAIN AGAIN AGAIN AGAIN AGAIN” (here) – the number of dangerous mobile viruses will grow 700% from 1 to 8 :-) [OK, I admit there are more than that, but what is their risk today?]

This would have made it into a wonderful entry of “Nobody Is That Dumb ... Oh, Wait XI” (a long forgotten series on my blog).

Wednesday, December 10, 2008

DLP Works – If You Know What “Works” Means!

I’ve been reading all the recent DLP-related stuff (esp. Rich’s “Analysis Of The Microsoft/RSA Data Loss Prevention Partnership” as well as this DLP gem - “My Wife Finally Knows What I Do”) and thinking a bit about it. Also, I have to respond to a few folks who hold a somewhat naive belief that “DLP technology is a solution in search of a problem.” Nah, it is actually a good workable solution for a specific problem; hilarity ensues only when you start thinking that DLP will address all your data security needs ... So, if “a magic bullet” is a bullet that you can shoot ANY monster with – and it would die – DLP is not a magic bullet (nor is it a silver bullet that can, if my fantasy skills serve me right, kill any undead monster :-))

As my previous DLP musings (here and here and here) mentioned, using DLP tools will solve some of the real problems that people have today; that much is established. However, two questions remain:

  1. Will you have to kill yourself and ravage your IT environment in order to apply it successfully?
  2. Will it stop/detect all the leaks, with the sad exception of those that you actually care about?

I do think that there are tools that actually solve the problem of a) accidental leaks over a set of network channels and b) a specific set of malicious leaks over a set of network channels, and do that without massive ‘collateral damage’ to your mental sanity and IT infrastructure. And, to top it off, they do it without falling victim to questions #1 and #2 above. If you want more (like, a box to stop ALL malicious leaks without any work on your part) … well…. me too :-)

In light of the above, I don’t think that DLP is “another NAC” (which is as good as gone now that even Cisco is not doing much of it). The reason DLP is not another NAC is: it solves a much more isolated problem of discovering, learning and then detecting/blocking the movement of specific content. Maybe “DLP fused with DRM and embedded into an OS” will indeed turn out to be a NAC-sized boondoggle, but a clean DLP box that does a few things well AND runs in an environment where these same things need to be done deserves to be deployed.

BTW, NextTier (where I am on the Advisory Board) is now listed in “10 IT security companies to watch.” While some companies from past years fared disastrously, I think workable DLP technology that people can use without killing themselves with massive data classification has a better future than that. BTW, NextTier is doing a beta program for a new release soon. Interested?


Tuesday, December 09, 2008

Fun Reading on Security and Compliance #10

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is issue #10, dated December 8th, 2008 (read past ones here). I admit that some stuff has been sitting in my “2blog queue” for way too long, but you know what? If it is relevant after a few weeks of “cooling down,” it is even more worth reading :-)

  1. “SOA Security in Real Life” – if you have to read up on SOA security, you really MUST do it at Gunnar’s site :-) Fabulous quote: “Infosec is spending waaayyyy too much time and money protecting garages and not enough protecting assets.”
  2. Bad? Buahahaha. “When it comes to offensive information security, we ain't seen nothing yet,” opines Dave Aitel (he is probably right :-()
  3. Are you “secure” ONLY because you didn’t let your auditor see your FAIL? The ugliest “security by obscurity” revealed. A quote: “Can a company be at the forefront of security and still maintain a cost/profit/edge over the rest of their market?”
  4. SaaS security fun: “You versus SaaS: Who can secure your data?”, “Cloud Providers Are Better At Securing Your Data Than You Are...”
  5. Mike Rothman vs eBay fraudsters, an epic battle (a spoiler: Mike wins :-))
  6. “Myth or truism? Security experts judge conventional wisdom” – it is from NetworkWorld, but it is not that bad, actually :-) It does contain some peculiar bits of “weirdom:” “Q: Regulatory compliance is a good measure of security. A: Lacey: Yes, it is. I have always found a direct correlation between the number of controls implemented and the level of incidents and vulnerability. Selby: (laughter)” This one is fun though: “There are lots of ways to measure security ROI, all of them flawed.” Guys, care for another ROI mudfight? :-)
  7. Fun insight from Gartner on ‘security as insurance’: “Is Information Security Spending At All Like Insurance Spending?” (picked via Mike R here)
  8. Does your business depend on intellectual property (IP)? Duh, isn’t [almost] everybody’s?  Well, “Intellectual Property: Develop or Steal” reminds us that if your competitors decide that stealing is cheaper  than developing a particular IP, then steal it they will (well, maybe in US most won’t, but in some other countries most definitely will…)
  9. I am sure everybody read Rich’s “Don't Fight the Future.” No????!!!! GO-READ-NOW! Yes, it is that good!
  10. Finally, “On the difficulties of event correlation”: “You wouldn’t know it by the number of vendors and products on the market, but event management and log correlation is really, really hard.” – it also describes it as “woefully inaccurate” and “stunningly misleading in some cases.”

Special “PCI DSS is fun!” compliance section:

  1. REALLY insightful post from BeastOrBudda: “PCI DSS Compliance Projects - The road to nowhere….” I do disagree with a few pointers there (e.g. that “all PCI projects are security projects” – I think NOT enough of the PCI projects are security/risk management projects!); otherwise, it is golden. A quote: “If anything, PCI DSS has demonstrated that across the world, very few organisations have ever taken security seriously.”
  2. “International Challenges in PCI Security” from CSO Magazine.
  3. A VERY interesting discussion on PCI “in the cloud”, MUST read “Please Help Me: I Need a QSA To Assess PCI/DSS Compliance In the Cloud...” and then MUST read “PCI Compliance in the Cloud: Get it in writing!” and then MUST read “Cloud computing security and PCI.” Also, MUST read the discussions for these; it is actually not as esoteric as it seems (albeit, pretty darn esoteric still :-))  When you are done, read this too.
  4. “Do someone know who is responsible for checking the merchants self-assessment questionnaires from the PCI-DSS program?” He-he, uh, no :-) [this means “nobody apart from your acquiring bank, in most cases”] Fave quote: “If you mark an SAQ as 100% compliant and have signed it off yourselves, the acquirer will not do any further checks.“ :-(
  5. Actually fun: PCI word cloud. Notice the big word in the center? VERIFY!
  6. This almost beat the “fire extinguisher-as-firewall” story: “One day he received a deduction from his deposits in the amount of $130 for “PCI compliance”. He called up his gateway and found out it was an automatic charge for an online form he had to fill out. He filled out the form and it turned out he failed compliance. Why? Because when asked “do you have a bonded company take your backup tapes off-site” he said “No” because it did not apply to his business. So he called the gateway back and they said to “Fill out YES to every question so you can pass.””
  7. Dave Taylor’s “Are Your Stores Worth Stealing From?“  BTW, I am amazed that so few people know about the PCI Knowledge Base at There is some really useful stuff on PCI.
  8. Another time, another smart guy reminds everybody to “Beware PCI DSS Compliant solution vendors.” Scammers are out there, though. A good quote: “The purpose of PCI DSS is to reduce risk. Risk can be reduced by reducing complexity. Increasing complexity increases risk.” If you don’t heed this advice, I got a PCI-compliant bridge to sell you!
  9. While we are on the subject, more noise on PCI and virtualization (nowadays, I guess, no paper that a) fails to mention Hoff and b) mentions virtualization has any credibility :-))
  10. Old news, but an important reminder: “QA for QSAs” is finally here. If you are a shady QSA, hopefully the council will find you and kick your ass. Or, “arse”, if you are in Europe :-)


Monday, December 08, 2008

My 2009 Annual Predictions Tracker

As during the past few years, I track all the end-of-the-year security predictions:

There are a few there already, so start obsessing about them :-)

Also, I suggest other bloggers start making fun of others FAIL'ed :-) security predictions.... please don't be shy...

Is This?

Is this how YOUR security program is structured too?

Sunday, December 07, 2008

Friday, December 05, 2008


As you know, misspelling HIPAA (I am NOT going to type it here in its wrong form ... it makes me want to puke) is one of my fave pet peeves. I have long fought this without much success (apparently) as otherwise intelligent people keep doing it. Here is one recent example.

Please make fun of them so that they will stop :-)

UPDATE: others have been just as outraged about it, for years (quote: "AAAAAAARRRRRRGGGGGGGGGHHHHHHHHHH!!!!")

UPDATE2: here is an easy tip for remembering this, if you are a security vendor: each time you spell HIPAA with two "P"s, think that you are posting a note at your website that says "we are retards; we don't care about compliance and our customer needs; we just want to make money and fuck you." Better now?

Wednesday, December 03, 2008

One More Bit On "Compliance First"

I did say that I am writing a longer blog post on that ("Scary Tales from 'Compliance First' World"), but I just can't resist.

Yes!, Yes!!, Yes!!! - everybody smart and security-savvy KNOWS: focus on security, risk management first AND whatever compliance du jour will come. "Security first" mantra works, it just works.

But you know what? I am constantly SHOCKED since I notice a volume of people who INSIST on "compliance first" AND in silo'ed, regulation by regulation way. OMFG!

Tuesday, December 02, 2008

Monthly Blog Round-Up – November 2008

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups are an attempt to remind people of useful content from the past month! If you are “too busy to read the blogs” (!), at least read these.

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.

  1. Amazingly, this month by far the #1 post is my “Blogging from DeepSec 2008 in Vienna.” DeepSec was indeed an awesome conference.
  2. Last month, I said that “SIEM bashing reached a new high.” OMFG. What should I say now? I dunno. In any case, “11 Signs That Your SIEM Is A Dog or 'Raffy, You Killed SIM!'” is on the top list. BTW, “On Open Source in SIEM and Log Management” is also again on the top list, much to my amazement.
  3. Again and again, PCI compliance is obviously still all the rage: MUST-DO Logging for PCI? post was again propelled to a place in my monthly Top5 list.
  4. Get a firewall AND a fire extinguisher, now, will ya? Is it too much to ask? :-) The post “On Small Companies and PCI Compliance” is on the Top list.
  5. Shockingly, AGAINx2 :-) this month, the "Top 11 Reasons to Secure and Protect Your Logs" came up on the Top list. BTW, see my other logging polls and my other “top 11” lists.

See you in December. Also see my annual “Top Posts” (2007)


Wednesday, November 26, 2008

Fun PCI FAQ - Good Reading

Check out this cool PCI FAQ here, created by Andrew Plato. He reminds people about a few of the common "PCI misconceptions" (like, "when is the PCI deadline? - Yesterday") and key facts (like, "Do organizations using third-party processors have to be PCI-compliant? - Yes")

Finally, I also love, love, love his reminder that there are no "PCI -compliant products" (unlike some assclowns here think)

"Q: What technologies are considered PCI-compliant?

A: There is no such thing as a PCI-compliant product. The PCI standard does not certify products. Some products will help with PCI compliance, but there is no single product or group of products that will ensure complete PCI compliance."

Read it!

Tuesday, November 25, 2008

The Bastards Made Me Do It

Ok, Ok, Ok!!!! The bot will still post :-) but I am on Twitter now too. I read you!

SIEM Is Not What Is SIEMs Nowadays...

"Aliso Viejo-based High Tower Software, a venture-backed developer of security, compliance, and log management software, has shut down."

Wanna go into the SIEM market, anybody?

UPDATE: to put it into context, read this

UPDATE2: read "SIEM: The Quickening Begins" too. Long (forever?) live Connor MacLeod :-)

Which Blogger Will Post 2009 Predictions First?

UPDATE: OMG, one already did.

Thursday, November 20, 2008

Just Love This: Noisy vs Quiet from Rich

OMG, some people (usually ex-Gartner... for whatever mystical reason) have this uncanny ability to present information in a way that just triggers an avalanche of insight. Here is an example: "The Two Kinds Of Security Threats, And How They Affect Your Life" from Rich Mogull.

Some quotes: "We get money for noisy threats, and get called paranoid freaks for trying to prevent quiet threats (which can still lose our organizations a boatload of money, but don’t interfere with the married CEO’s ability to flirt with the new girl in marketing over email)."

"Slice up your budget and see how much you spend preventing noisy vs. quiet threats. It’s often our own little version of security theater."

"The problem is, noisy vs. quiet may bear little to no relationship to your actual risk and losses, but that’s just human nature."

Overall, a MUST read.

God, please, send us some credible security metrics... please.

SANS Doom vs Hope

Just a fun read from SANS: "We Are Doomed" vs "There is Hope"

Uh-oh... it looks like I am back at "spurt blogging." :-)

Raffy’s Visualization Book

Here is my long-overdue book review for “Applied Security Visualization” by Raffy Marty.

First, here is what my early endorsement for the book said (can be found on the inside cover of the book):

“Amazingly useful (and fun to read!) book that does justice to this somewhat esoteric subject - and this is coming from a long-time visualization skeptic! What is most impressive is that this book is actually 'hands-on-useful,' not conceptual, with examples usable by readers in their daily jobs. Chapter 8 on insiders is my favorite!”

What else do I think of the book, apart from the fact that it is awesome? :-)

First, I have to admit that I used to argue with Raffy about the usefulness of visualization. I was burned by having to look at bad “visualization” tools and would take an ugly, meaningful table over an ugly, meaningless picture any day now. Thus, I was a visualization skeptic. But you know what? The book does justice to visualization really well, and it explains when to use it and when not to use it.

The book gives just the right amount of visualization theory, which is not onerous to read at all (unlike some other books), as well as other visualization basics. The fun starts at Chapter 4, where he covers the process from data to useful pictures. This actually explains why some visualizations are useful and some are not; if you just jam data into a graphing program, there is a good chance that the result will not be too useful. If you follow the ideas from Ch4, it is more likely to be useful.

Ch5 and 6 cover network data analysis: logs, packets, flows. This is what most people usually try to visualize; this book goes beyond “worms and scans” into nice visuals of email traffic, wireless and even vulnerability data (I found the latter slightly confusing). Ch7 covers “compliance”, which, in this case, includes all sorts of fun things, from risk assessment to database log visualization. As I said, Ch8 is my favorite: I agree that insider tracking MAY be the area where visualization tools and approaches beat others. In Ch9, the book covers a few visualization tools, obviously including the author’s AfterGlow.

So, to summarize, get the book if you have any connection to security AND data analysis. In fact, it is very likely that if you are doing security, you’d have to do data analysis at some point and so will benefit from reading the book. And, yes, it does come with a CD full of visualization tools (DAVIX).

BTW, I am posting it at Amazon as well.

Wednesday, November 19, 2008

My Last Logging Interview?

While at GOVCERT.NL 2008, I gave this fun interview.... check it out.

As you can guess, I talk about logs. BTW, while you are at that link, check out other fun interviews; at least, check out David Rice's.

A Fun List of Security Blogs

Check your RSS readers.... got all of them? :-)

Darn Good Idea ... If Done Well

"A free, downloadable, log management and compliance product that provides organizations with visibility across their networks, data centers, and infrastructures?" (here)

Somebody, somewhere is thinking ...

In any case, "free is in" :-) Look at all the announcements (NetWitness, Mandiant, this) as well as "the original free."

MS AV Out and Free ... Uh-Oh

With headlines like "MS Destroys the Consumer AV Market," the news hit ... well, hit the fan like the proverbial... well, you know what :-)

Is it really "Good-bye Big Yellow and Little Red?" Probably not, as this new offering is aimed at consumers and lower-end SMBs; large orgs will still pay ransom ... eh, subscription fees for their AV. It was also interesting to read some of the comments, like "OMG, I so hate paying for AV... and now I won't have to." If such sentiment is indeed widespread, maybe MS chose a really, really good moment to come out with this!

The most fun comments are found on the OneCare team blog here. Esp. see this one: "a majority of consumers around the world do not have up-to-date antivirus, antispyware and antimalware protection" (now they will, thanks to MS! :-)) and "this new offering will focus on getting the majority of consumers the essential protection they need by providing comprehensive, real-time anti-malware protection, covering such threats as viruses, spyware, rootkits, trojans, and other emerging threats, in a single [FREE!], focused solution."

UPDATE: very funny comments from AV firms and "normal people" (see below the article at the link)

UPDATE2: another very fun comment, including "maybe it's time that Symantec and McAfee start offering free versions of their own antivirus products"

Monday, November 17, 2008

On Inspiration and Security

First, I have a horrible revelation to make: I never held CEOs in much regard. For example, if you go to “a CEO keynote” at a security conference (RSA comes to mind), you can be pretty much assured that you’d get a boring, bland and “content-free” speech which summarizes to 1 word: nothing. Actually, it is 0 words :-) Similarly, even though I knew what CEOs did (tell people what to do, give speeches so that employees work better, help sales sell, interfere with engineers’ engineering :-), etc), I always regarded them as people regarded “party commissars” back in the Soviet Union days: as folks who give rosy speeches hardly anybody believes in and who show charts with upward trending curves (e.g. “Bullshit volume per employee per quarter is UP 34.6%!!!” :-)). To better understand this point read the famous book “Why Business People Speak Like Idiots: A Bullfighter's Guide” :-)

So, my dear readers, imagine how amazed I was to find myself being truly inspired by my CEO, for the first time in my working life! Philippe’s “no-B.S.” approach definitely works for me. I listened to his speech at a company meeting last week and – I am serious! – that was the most interesting, visionary AND inspiring speech that I’ve heard in a long time. It was clear what we’ve been doing, what worked, what didn’t and what we need to be doing and why it will work.

I already learned more than a few things from him just by listening to him speak or conduct a meeting (or by watching him beat up a job candidate…). For example, one CAN be “positive, but not marketing-ish,” even if the situation is difficult. If one has an issue, one has to face it with no sugarcoating rather than ’play’ positive and pretend the issue is not there. One can have BOTH a driving vision AND be attentive to customers. One CAN release something when it is ready, not a year before :-) Etc, etc.

Finally, while some choose to lay people off, we at Qualys ARE HIRING. Come join us and help build the SaaS security platform that actually works! Specifically, we are looking for TAMs (kind of like an SE, but better :-)), PMs and a lot of engineers.

Come Meet at CSI in DC

If you are in DC, come meet me during/after the SIEM Summit or catch me on the show floor (ask at the Qualys booth).

Sunday, November 16, 2008

Blogging from DeepSec 2008 in Vienna

I am already back stateside from DeepSec and I am now flying to CSI 35th in DC; finally I had time to prepare my DeepSec blog post.

First, I enjoyed DeepSec conference and I am grateful for the invitation to speak there. I love European conferences – and not only for having infinitely (with that being an under-statement of the year) superior coffee during breaks :-) In particular, I liked the audience for my presentation (slides ARE posted here) and I think the audience liked my material and myself too :-)

What also impressed me a lot was Ivan Krstić's speech, which was the second day keynote. He started by simply stating that ‘security industry has failed’ and that ‘a desktop is lost.’ His proof was in typical numbers like “75% of corporate systems are infected with at least 1 malware piece per system”, “1 million of malware types” and “25,000 unique malware samples a day seen.” However, he then broadened the subject and talked about how not only “a trusted desktop” is gone, but the entire world of “trust everything [on a system], all the time” is gone (his ideas were similar to what I planned to present in my HITB 2008 presentation about “the 0wned world”).

I also liked how he positioned all those “security user prompts” (in Vista and even before) as proof that security technologies have failed and now we have to rely on the user to make security decisions (which will obviously fail as well since users are now fully conditioned to “see a chunk of technical mumbo-jumbo, then click OK”).

It was also interesting how he connected a lot of security failures to his “#1 reason: all programs run with all privileges of the user that runs them.” In fact, he illustrated it by reminding the audience that “everybody runs untrusted code every day today [web browser + Javascript, etc] while nobody did this 30 years ago.” He also beat up blacklisting as an approach to security (but then again, everybody does it today :-)) - what was interesting is that he opined that “we will spend the next 10 years proving that whitelisting will fail just as we spent previous 10 years proving that blacklisting fails.” His main point was that the global “onslaught” of whitelisting and code signing will kill all sorts of useful things AND provide little security.

He then called for everybody to think about solving the hard, possibly non-sexy problems. This is the part where I could have used more details :-)

So, a fun speech (even though my telling of it is a bit jumbled… check out his slides whenever they are posted) – and a fun conference overall. Worth a 12 hour flight :-)

UPDATE: my slides are posted here.

Thursday, November 13, 2008

At DeepSec in Vienna

As some of you know, I am in Vienna at DeepSec. My presentation is tomorrow - and it will be fun: "Making Logs Sexy Again: Can We Finally Lose The Regexes?"

Come over - it is at 9:50AM.

BTW, I will post the slides here when I am done.

Monday, November 10, 2008

Monthly Blog Round-Up – October 2008

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups are an attempt to remind people of useful content from the past month!

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts and topics.

  1. OF COURSE, the news of my “transition” is item #1, by far. The “Change!!!” and “Qualys” posts rule the list.
  2. Last month I posted a bunch of my presentations on logs, security, etc on the blog. “Presentation from GOVCERT.NL 2008: Log Forensics” takes one of the top spots; and so do “Presentation on Application Logging, Done Wrong or Very Wrong” and “Presentation on Optimizing Your Logging for Insider Attack Tracking.” BTW, all the presentations are here.
  3. Shockingly, AGAIN this month, the "Top 11 Reasons to Secure and Protect Your Logs" came up as the #1 most popular post (maybe driven by my poll). BTW, see my other logging polls and my other “top 11” lists.
  4. SIEM bashing reached a new high (eh…“low”? :-)), now that Richard is helping too; my “11 Signs That Your SIEM Is A Dog or 'Raffy, You Killed SIM!'” is on the top list. It is both humorous and sadly true (and backed up by other sources and here.)
  5. Somewhat predictably, PCI compliance is obviously still all the rage: the “MUST-DO Logging for PCI?” post was again propelled to a place in my monthly Top5 list.

See you in November.


Tuesday, November 04, 2008

On Small Companies and PCI Compliance

Read this post ("E-Commerce Startups deal with PCI compliance" at the "PCI Answers" blog) and weeeeeeep: "I once was talking with a small business owner who was reading through the Self-Assessment Questionnaire (SAQ) and stopped at the first question, which basically said, Do you have a properly configured firewall? The business owner called into the back room and asked the store manager, “Hey, do we have a firewall?” The store manager replied that he thought they had a fire extinguisher which was up to date. I then watched as the store manager checked the “In Place” box on the form stating they had a properly configured firewall in place."

Wanna "sell PCI compliance" to small businesses? One needs to get smart in a very special way! :-)

Monday, November 03, 2008

Interesting ... On Compliance

Treat this as a prequel for my upcoming blog post called "Tales From 'A Compliance-First' World" (link TBA).

I am learning that many people really, really, really hate to be told that "they are not compliant" (when they are not, of course!) and such hatred goes down to a very curious level indeed ... almost all the way down to the good ole "scanless PCI" joke level.

So, here is an ultimate "how to make enemies and alienate people?" tip: tell them "YOU ARE NOT COMPLIANT!"

Friday, October 31, 2008

Fun Reading on Security AND Compliance – 9

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is an issue #9, dated October 30th, 2008. BTW, I am renaming it into “Fun Reading on Security AND Compliance”

  1. “A Gartnergate?” What happened after Mr Pescatore uttered his now famous 12 words: “The best security program is at the business with the happiest customers.” This (complete with Gunnar’s famous “firewalls+SSL” chart), this – will add more as this snowballs.
  2. Do you have an “ignorable” security policy? If yours is BOTH “ignorable” and “unfair”, then fuggedaboutit. Cisco survey kinda proves it. A few fun comments are here (“If people can't get their jobs done without having to find a way to circumvent policy then the policy is wrong.”)
  3. Risk and clouds – here, here, here and here in poetic form (!). Fun reading, but you know what? For many, many organizations, what they have today is LESS secure than any future cloud computing advance…
  4. Richard Bejtlich drop-kicks SIEM too, then kicks it in the balls. Then kicks the dead horse (1,2,3)
  5. Excellent reminder about why people don’t care about security with a fabled quote from MJR (yes, it is my fave too!) Overall, Rich “reassures” with: “Don’t worry. When things get bad enough, we’ll get the call. If you’ve kept your documentation and communications up, you won’t get shafted with the proverbial short end.”
  6. A few essays on risk, from ANSI, from Schneier and from BlogInfoSec (part 1 and part 2, especially read part 2)
  7. So, what do CTOs really do every day? Interesting summary here and here.
  8. Fun exploration of security x privacy x compliance.
  9. Burton Group opines on which security technologies will fare better/worse during "The crisis”
  10. A really fun interview with our CEO Philippe Courtot here.
  11. More on IT vs IT security, this time from Richard.
  12. Do you want people like that doing “security”? A normal call center employee recognizes fraud, but their so-called “outsource security dept” authorizes the scam. Niiice.
  13. Finally, “Robots Hunt 'Non-Cooperative Humans' in Army Plan” No comment :-)
Wednesday, October 29, 2008

CSI 35th 2008 Discount Passes

Since I am speaking at the CSI 35th Annual Conference (on SIEM, believe it or not), I can again give out discount conference passes:

"The passes cover the full conference, Monday–Wednesday, November 17–19, 2008, for a 55% discount! To pass along your discount passes, send your guests to CSI 2008 Registration to register for a CSI 2008 Conference Pass and have them enter the below Priority Code in the box provided: SPK73

*Please note: This offer is only for new registrations, we cannot re-price current registrations."

For those rare people who read all the way to here :-), I can also give out 1 (one!) FREE CSI pass; please email me for it as it will be given on "a first come, first served" basis and can only be used by my loyal blog readers :-)

From Talking to Building

Ah, the first week at a new place. An exciting time! Even though being in Kuala Lumpur would probably be even more exciting :-)

In any case, excitement is a good cause for sharing it. So, why am I excited? Is it only the “new-ness” of my position?

Not so.

I am most excited to be building again. That is building as opposed to talking. I loved being an evangelist and I think I did make the world love logs just a bit more. However, I happen to think that while speaking and writing leaves a scratch on the fabric of the Universe, building products that solve people’s problems, that make people happy and that are both affordable and enjoyable to use is leaving A BIGGER scratch. As one old wizard said, it allows one to “strike sparks off the guard rail of the Universe!”

That is exactly why I am excited. What I do today will soon [hopefully!] translate into new products that people will enjoy using (despite the fact that they are compliance-related :-)) and that will solve problems that cause “pain and suffering” on a grand scale. (No, I am not saying what these are :-))

Defining things THEN seeing them actually manifest in the real world THEN seeing people smile and say “Thanks!” is HUGELY exciting. Earning revenue in the process definitely doesn’t hurt either :-)

BTW, now I read all this stuff about “security and clouds” and laugh (I can tell you later why it is so funny to me now).

Monday, October 27, 2008

On HITB 2008 Conference

Not to pretend to steal Halvar Flake's glory, but I just got my own "fun" international travel story, which also spells bad news to those who wanted to hear my fun keynote at Hack In The Box 2008 in Kuala Lumpur, Malaysia.

To make the short story ... even shorter :-), I got kicked off my flight since my passport is only valid for 5.5 months into the future and Malaysia requires that visitors' passports be valid for 6 months from the date of arrival (not that they make it anywhere near clear on their embassy website or anything :-)).

What makes it funnier is that I got so used to US dates of month/day/year that I was genuinely shocked when they said "your passport is not valid for 6 months" while it clearly said "Expires on 8/4/2009" ...

So much for Kuala Lumpur :-( Back to work now.

Monday, October 20, 2008


As I am sitting here in my new office getting set up, it is time for me to share the full news with the world.

So, starting today I am a Director of PCI Compliance Solutions at Qualys.

There you have it :-)

More on this later; I am way too busy now.

Friday, October 17, 2008

Presentation on Application Logging, Done Wrong or Very Wrong :-)

A final "automated" post, while I am on a plane back to California. This is a result of my work on defining what is a good log, based on looking at countless bad logs :-)

This presentation, "Application Logging Good Bad Ugly ... Beautiful?", would be useful to application developers who create logging functionality as well as to security pros who then need to use the logs.

Here it is, embedded below:


UPDATE: this is a good read to go with the preso; it focuses on logging for Java developers.

Wednesday, October 15, 2008

Presentation on Optimizing Your Logging for Insider Attack Tracking

OK, I [well, my blogspot scheduler, rather :-)] am releasing another fun presentation that I've been "hoarding" for a while to keep my readers "entertained" while I am enjoying Siberia.

This presentation is about using logs for tracking insiders as well as about "insider-proofing" your logs and making them more useful for that purpose.

It is also embedded below:

Logs vs Insiders (SlideShare presentation)

Monday, October 13, 2008

Presentation on Unusual Use Cases for Log Management

Ok, so I will be a good blogger and plan a few scheduled posts while I am away. Here is the first - another presentation that I am unleashing upon the world. It covers a few "less common" use cases for log management: eDiscovery, database monitoring, etc.

It is also embedded below:


Thursday, October 09, 2008


No, this is not about a certain populist US politician :-) It is about a much graver subject indeed.

As of today, the only Chief Logging Evangelist in the world is no more. I have resigned from my position at LogLogic, effective October 9, 2008, which is today. Please don't contact me at the company email; use my personal email instead. My LinkedIn profile has been updated accordingly.

If you are curious, I still love logs. I really do. Logs are cute :-) You should love them too. And, it goes without saying, I will always remember that title, Chief Logging Evangelist, that I created for myself. People did say that "Anton wakes up and thinks 'what else can he do today to make the world love logs?'" - it was pretty much like this. In fact, I think the world does love logs a tiny bit more now and thus my mission as a logging evangelist has not been in vain.

I will be offline for the entire next week ("OMG, no blogging?" - "Nope, no blogging!") and you, my dear reader, will have to wait until October 20th to hear the news about ...

... where Anton is NOW!!!???

Yes, where is he? :-)

Talk to ya October 20th! The end always brings the new beginning ...

P.S. Please don't tell me that I have a penchant for the dramatic. I know :-)

Compliant, Not Compliant OR "Thought to Be Compliant"

Here is a fun bit of PCI trivia. I thought that one can be "compliant" or "not compliant."

Turns out there is a third choice: "thought to be compliant."

The quote is: 'The news is that Forever 21 (a clothing chain) which has been maintaining it was PCI compliant was, er, not. Seems their assessor missed databases containing cardholder data, and the bad guys found them. Those databases got breached. So it looks like their claim to be PCI compliant translates into a big "never mind."'

Dr Anton Chuvakin