Wednesday, November 26, 2008
Finally, I also love, love, love his reminder that there are no "PCI -compliant products" (unlike some assclowns here think)
"Q: What technologies are considered PCI-compliant?
A: There is no such thing as a PCI-compliant product. The PCI standard does not certify products. Some products will help with PCI compliance, but there is no single product or group of products that will ensure complete PCI compliance. "
Tuesday, November 25, 2008
Wonna go into SIEM market, anybody?
UPDATE: to put it into context, read this
UPDATE2: read "SIEM: The Quickening Begins" too. Long (forever?) live Connor MacLeod :-)
Monday, November 24, 2008
I polled a few lists to create a longer list of PCI DSS related blogs (looking especially for blogs by QSAs), so IN NO PARTICULAR ORDER:
- Obviously: http://chuvakin.blogspot.com/search/label/PCI :-)
- PCI DSS News and Information at http://www.treasuryinstitute.org/blog
- PCI Answers at http://pcianswers.com/
- Branden Williams' Security Convergence Blog at http://blogs.verisign.com/securityconvergence/
- SecuriTIM on PCI DSS at http://www.securitim.com/blog.html
- Payment Card Security & IT Controls Explained at http://pcidss.wordpress.com/
If I missed anybody, sorry, please add below and I will update my list!
UPDATED: Also see:
Thursday, November 20, 2008
Some quotes: "We get money for noisy threats, and get called paranoid freaks for trying to prevent quiet threats (which can still lose our organizations a boatload of money, but don’t interfere with the married CEO’s ability to flirt with the new girl in marketing over email)."
"Slice up your budget and see how much you spend preventing noisy vs. quiet threats. It’s often our own little version of security theater."
"The problem is, noisy vs. quiet may bear little to no relationship to your actual risk and losses, but that’s just human nature."
Overall, a MUST read.
God, please, send us some credible security metrics... please.
Here is my long-overdue book review for “Applied Security Visualization“ by Raffy Marty.
First, here is what my early endorsement for the book said (can be found on the inside cover of the book):
“Amazingly useful (and fun to read!) book that does justice to this somewhat esoteric subject - and this is coming from a long-time visualization skeptic! What is most impressive is that this book is actually 'hands-on-useful,' not conceptual, with examples usable by readers in their daily jobs. Chapter 8 on insiders is my favorite!”
What else do I think of the book, apart from the fact that it is awesome? :-)
First, I have to admit that I used to argue with Raffy about the usefulness of visualization. I was burned by having to look at bad “visualization” tools and would take an ugly, meaningful table over an ugly, meaningless picture any day now. Thus, I was a visualization skeptic. But you know what? The book does justice to visualization really well, and it explains when to use it and when not to use it.
The book gives just the right amount of visualization theory, which is not onerous to read at all (unlike some other books), as well as other visualization basics. The fun starts at Chapter 4, where he covers the process from data to useful pictures. This actually explains why some visualizations are useful and some are not; if you just jam data into a graphing program, there is a good chance that it would not be too useful. If you follow the ideas from Ch4, it is more likely to be useful.
Ch5 and 6 cover network data analysis: logs, packets, flows. This is what most people usually try to visualize; this book goes beyond “worms and scans” into nice visuals of email traffic, wireless and even vulnerability data (I found the latter slightly confusing). Ch7 covers “compliance”, which, in this case, covers all sorts of fun things, from risk assessment to database log visualization. As I said, Ch8 is my favorite: I agree that insider tracking MAY be the area where visualization tools and approaches beat others. In Ch9, the book covers a few visualization tools; obviously, including the author’s AfterGlow.
So, to summarize, get the book if you have any connection to security AND data analysis. In fact, it is very likely that if you are doing security, you’d have to do data analysis at some point and so will benefit from reading the book. And, yes, it does come with a CD full of visualization tools (DAVIX).
BTW, I am posting it at Amazon as well.
Wednesday, November 19, 2008
Somebody, somewhere is thinking ...
In any case, "free is in" :-) Look at all the announcements (NetWitness, Mandiant, this) as well as "the original free."
Is it really "Good-bye Big Yellow and Little Red?" Probably not, as this new offering is aimed at consumers and lower-end SMBs; large orgs will still pay ransom ... eh, subscription fees for their AV. It was also interesting to read some of the comments, like "OMG, I so hate paying for AV... and now I won't have to." If such sentiment is indeed widespread, maybe MS chose a really, really good moment to come out with this!
The most fun comments are found on the OneCare team blog here. Esp. see this one: "a majority of consumers around the world do not have up-to-date antivirus, antispyware and antimalware protection" (now they will, thanks to MS! :-)) and "this new offering will focus on getting the majority of consumers the essential protection they need by providing comprehensive, real-time anti-malware protection, covering such threats as viruses, spyware, rootkits, trojans, and other emerging threats, in a single [FREE!], focused solution."
UPDATE: very funny comments from AV firms and "normal people" (see below the article at the link)
UPDATE2: another very fun comment, including "maybe it's time that Symantec and McAfee start offering free versions of their own antivirus products"
Monday, November 17, 2008
First, I have a horrible revelation to make: I never held CEOs in much regard. For example, if you go to “a CEO keynote” at a security conference (RSA comes to mind), you can be pretty much assured that you’d get a boring, bland and “content-free” speech which summarizes to 1 word: nothing. Actually, it is 0 words :-) Similarly, even though I knew what CEOs did (tell people what to do, give speeches so that employees work better, help sales sell, interfere with engineers’ engineering :-), etc), I always regarded them as people regarded “party commissars” back in the Soviet Union days: as folks who give rosy speeches hardly anybody believes in and who show charts with upward trending curves (e.g. “Bullshit volume per employee per quarter is UP 34.6%!!!” :-)) To better understand this point read the famous book “Why Business People Speak Like Idiots: A Bullfighter's Guide” :-)
So, my dear readers, imagine how amazed I was to find myself being truly inspired by my CEO, for the first time in my working life! Philippe’s “no-B.S.” approach definitely works for me. I listened to his speech at a company meeting last week and – I am serious! – that was the most interesting, visionary AND inspiring speech that I’ve heard in a long time. It was clear what we’ve been doing, what worked, what didn’t and what we need to be doing and why it will work.
I already learned more than a few things from him just by listening to him speak or conduct a meeting (or by watching him beat up a job candidate…). For example, one CAN be “positive, but not marketing-ish,” even if the situation is difficult. If one has an issue, one has to face it with no sugarcoating rather than ’play’ positive and pretend the issue is not there. One can have BOTH a driving vision AND be attentive to customers. One CAN release something when it is ready, not a year before :-) Etc, etc.
Finally, while some choose to lay people off, we at Qualys ARE HIRING! Come join us and help build the SaaS security platform that actually works! Specifically, we are looking for TAMs (kind of like an SE, but better :-)), PMs and a lot of engineers.
Sunday, November 16, 2008
First, I enjoyed DeepSec conference and I am grateful for the invitation to speak there. I love European conferences – and not only for having infinitely (with that being an understatement of the year) superior coffee during breaks :-) In particular, I liked the audience for my presentation (slides ARE posted here) and I think the audience liked my material and myself too :-)
What also impressed me a lot was Ivan Krstić's speech, which was the second day keynote. He started by simply stating that ‘security industry has failed’ and that ‘a desktop is lost.’ His proof was in typical numbers like “75% of corporate systems are infected with at least 1 malware piece per system”, “1 million of malware types” and “25,000 unique malware samples a day seen.” However, he then broadened the subject and talked about how not only “a trusted desktop” is gone, but the entire world of “trust everything [on a system], all the time” is gone (his ideas were similar to what I planned to present in my HITB 2008 presentation about “the 0wned world”).
I also like how he positioned all those “security user prompts” (in Vista and even before) as a proof that security technologies have failed and now we have to rely on the user to make security decisions (which will obviously fail as well since users are now fully conditioned to “see a chunk of technical mumbo-jumbo, then click OK”).
He then called for everybody to think about solving the hard, possibly non-sexy problems. This is the part where I could have used more details :-)
So, a fun speech (even though my telling of it is a bit jumbled… check out his slides whenever they are posted) – and a fun conference overall. Worth a 12 hour flight :-)
UPDATE: my slides are posted here.
Thursday, November 13, 2008
Come over - it is at 9:50AM.
BTW, I will post the slides here when I am done.
Monday, November 10, 2008
As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups are an attempt to remind people of useful content from the past month!
So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts and topics.
- OF COURSE, the news of my “transition” is the item #1, by far. “Change!!!” and “Qualys” posts rule the list.
- Last month I posted a bunch of my presentations on logs, security, etc on the blog. “Presentation from GOVCERT.NL 2008: Log Forensics” takes one of the top spots; and so do “Presentation on Application Logging, Done Wrong or Very Wrong” and “Presentation on Optimizing Your Logging for Insider Attack Tracking.” BTW, all the presentations are here.
- Shockingly, AGAIN this month, the "Top 11 Reasons to Secure and Protect Your Logs" came up as #1 most popular post (maybe driven by my poll). BTW, see my other logging polls and my other “top 11” lists.
- SIEM bashing reached a new high (eh…“low”? :-)), now that Richard is helping too; my “11 Signs That Your SIEM Is A Dog” or “Raffy, You Killed SIM!” is on the top list. It is both humorous and sadly true (and backed up by other sources and here.)
- Somewhat predictably, PCI compliance is obviously still all the rage: MUST-DO Logging for PCI? post was again propelled to a place in my monthly Top5 list.
See you in November.
Possibly related posts / past monthly popular blog round-ups:
- Monthly Blog Round-Up - September 2008
- Monthly Blog Round-Up - August 2008
- Monthly Blog Round-Up - July 2008
- Monthly Blog Round-Up - June 2008
- Monthly Blog Round-Up - May 2008
- Monthly Blog Round-Up - April 2008
- Monthly Blog Round-Up - March 2008
- Monthly Blog Round-Up - February 2008
- Monthly Blog Round-Up - January 2008
- Monthly Blog Round-Up - December 2007
- Monthly Blog Round-Up - November 2007
- Monthly Blog Round-Up - October 2007
- Monthly Blog Round-Up - September 2007
- Monthly Blog Round-Up - August 2007
Tuesday, November 04, 2008
Wonna "sell PCI compliance" to small businesses? One needs to get smart in a very special way! :-)
Monday, November 03, 2008
I am learning that many people really, really, really hate to be told that "they are not compliant" (when they are not, of course!) and such hatred goes down to a very curious level indeed ... almost all the way down to the good ole "scanless PCI" joke level.
So, here is an ultimate "how to make enemies and alienate people?" tip: tell them "YOU ARE NOT COMPLIANT!"