Friday, October 31, 2008

Fun Reading on Security AND Compliance – 9

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is issue #9, dated October 30th, 2008. BTW, I am renaming it to “Fun Reading on Security AND Compliance.”

  1. “A Gartnergate?” What happened after Mr. Pescatore uttered his now famous 12 words: “The best security program is at the business with the happiest customers.” This (complete with Gunnar’s famous “firewalls+SSL” chart), and this; I will add more as this snowballs.
  2. Do you have an “ignorable” security policy? If yours is BOTH “ignorable” and “unfair”, then fuggedaboutit. Cisco survey kinda proves it. A few fun comments are here (“If people can't get their jobs done without having to find a way to circumvent policy then the policy is wrong.”)
  3. Risk and clouds – here, here, here and here in poetic form (!). Fun reading, but you know what? For many, many organizations, what they have today is LESS secure than any future cloud computing advance…
  4. Richard Bejtlich drop-kicks SIEM too, then kicks it in the balls. Then kicks the dead horse (1,2,3)
  5. Excellent reminder about why people don’t care about security with a fabled quote from MJR (yes, it is my fave too!) Overall, Rich “reassures” with: “Don’t worry. When things get bad enough, we’ll get the call. If you’ve kept your documentation and communications up, you won’t get shafted with the proverbial short end.”
  6. A few essays on risk, from ANSI, from Schneier and from BlogInfoSec (part 1 and part 2, especially read part 2)
  7. So, what do CTOs really do every day? Interesting summary here and here.
  8. Fun exploration of security x privacy x compliance.
  9. Burton Group opines on which security technologies will fare better/worse during “the crisis.”
  10. A really fun interview with our CEO Philippe Courtot here.
  11. More on IT vs IT security, this time from Richard.
  12. Do you want people like that doing “security”? A normal call center employee recognizes fraud, but their so-called “outsource security dept” authorizes the scam. Niiice.
  13. Finally, “Robots Hunt 'Non-Cooperative Humans' in Army Plan” No comment :-)


Wednesday, October 29, 2008

CSI 35th 2008 Discount Passes

Since I am speaking at CSI 35th Annual Conference (on SIEM, believe it or not), I can again give out discount conference passes:

"The passes cover the full conference, Monday–Wednesday, November 17–19, 2008, for a 55% discount! To pass along your discount passes, send your guests to CSI 2008 Registration to register for a CSI 2008 Conference Pass and have them enter the below Priority Code in the box provided: SPK73

*Please note: This offer is only for new registrations, we cannot re-price current registrations."


For those rare people who read all the way to here :-), I can also give out 1 (one!) FREE CSI pass; please email me for it, as it will be given out on a "first come, first served" basis and can only be used by my loyal blog readers :-)

From Talking to Building

Ah, the first week at a new place. An exciting time! Even though being in Kuala Lumpur would probably be even more exciting :-)

In any case, excitement is a good reason for sharing it. So, why am I excited? Is it only the “new-ness” of my position?

Not so.

I am most excited to be building again. That is building as opposed to talking. I loved being an evangelist and I think I did make the world love logs just a bit more. However, I happen to think that while speaking and writing leaves a scratch on the fabric of the Universe, building products that solve people’s problems, that make people happy and that are both affordable and enjoyable to use is leaving A BIGGER scratch. As one old wizard said, it allows one to “strike sparks off the guard rail of the Universe!”

That is exactly why I am excited. What I do today will soon [hopefully!] translate into new products that people will enjoy using (despite the fact that they are compliance-related :-)) and that will solve problems that cause “pain and suffering” on a grand scale. (No, I am not saying what these are :-))

Defining things, THEN seeing them actually manifest in the real world, THEN seeing people smile and say “Thanks!” is HUGELY exciting. Earning revenue in the process definitely doesn’t hurt either :-)

BTW, now I read all this stuff about “security and clouds” and laugh (I can tell you later why it is so funny to me now)

Monday, October 27, 2008

on HITB 2008 Conference

Not to pretend to steal Halvar Flake's glory, but I just got my own "fun" international travel story, which also spells bad news to those who wanted to hear my fun keynote at Hack In The Box 2008 in Kuala Lumpur, Malaysia.

To make the short story ... even shorter :-), I got kicked off my flight since my passport is only valid for 5.5 more months and Malaysia requires that visitors' passports be valid for 6 months from the date of arrival (not that they make it anywhere near clear on their embassy website or anything :-)).

What makes it funnier is that I got so used to US dates of month/day/year that I was genuinely shocked when they said "your passport is not valid for 6 months" while it clearly said "Expires on 8/4/2009" ...

So much for Kuala Lumpur :-( Back to work now.

Monday, October 20, 2008


As I am sitting here in my new office getting set up, it is time for me to share the full news with the world.

So, starting today I am a Director of PCI Compliance Solutions at Qualys.

There you have it :-)

More on this later; I am way too busy now.

Friday, October 17, 2008

Presentation on Application Logging, Done Wrong or Very Wrong :-)

A final "automated" post, while I am on a plane back to California. This is a result of my work on defining what a good log is, based on looking at countless bad logs :-)

This presentation "Application Logging Good Bad Ugly ... Beautiful?" would be useful to application developers who create logging functionality as well as security pros who then need to use the logs.

Here it is, embedded below:


UPDATE: this is a good read to go with the preso; focusing on logging for Java developers.

Wednesday, October 15, 2008

Presentation on Optimizing Your Logging for Insider Attack Tracking

OK, I [well, my blogspot scheduler, rather :-)] am releasing another fun presentation that I've been "hoarding" for a while to keep my readers "entertained" while I am enjoying Siberia.

This presentation is about using logs for tracking insiders as well as about "insider-proofing" your logs and making them more useful for that purpose.

It is also embedded below:

Logs vs Insiders



Monday, October 13, 2008

Presentation on Unusual Use Cases for Log Management

Ok, so I will be a good blogger and plan a few scheduled posts while I am away. Here is the first - another presentation that I am unleashing upon the world. It covers a few "less common" use cases for log management: eDiscovery, database monitoring, etc.

It is also embedded below:


Thursday, October 09, 2008


No, this is not about a certain populist US politician :-) It is about a much graver subject indeed.

As of today, the only Chief Logging Evangelist in the world is no more. I have resigned from my position at LogLogic, effective October 9, 2008, which is today. Please don't contact me at the company email; use my personal email instead. My LinkedIn profile has been updated accordingly.

If you are curious, I still love logs. I really do. Logs are cute :-) You should love them too. And, it goes without saying, I will always remember that title, Chief Logging Evangelist, that I created for myself. People did say that "Anton wakes up and thinks 'what else can he do today to make the world love logs?'" - it was pretty much like this. In fact, I think the world does love logs a tiny bit more now and thus my mission as a logging evangelist has not been in vain.

I will be offline for the entire next week ("OMG, no blogging?" - "Nope, no blogging!") and you, my dear reader, will have to wait until October 20th to hear the news about ...

... where Anton is NOW!!!???

Yes, where is he? :-)

Talk to ya October 20th! The end always brings the new beginning ...

P.S. Please don't tell me that I have a penchant for the dramatic. I know :-)


Compliant, Not Compliant OR "Thought to Be Compliant"

Here is a fun bit of PCI trivia. I thought that one can be "compliant" or "not compliant."

Turns out there is a third choice: "thought to be compliant."

The quote is: 'The news is that Forever 21 (a clothing chain) which has been maintaining it was PCI compliant was, er, not. Seems their assessor missed databases containing cardholder data, and the bad guys found them. Those databases got breached. So it looks like their claim to be PCI compliant translates into a big "never mind."'

Presentation from SANS Webcast on Logging, Security and Virtualization

I am sharing another presentation that I did earlier this year at the SANS webcast "Security is Not Virtual". Enjoy! If you would like to see all the slides, not just my part, AND hear the voice, then go to the SANS site.

Wednesday, October 08, 2008

REALLY Cool Presentation: "Grand Challenges" of Log Management

If you are into logs and, especially, into tools that deal with logs, read this. This is my attempt to summarize everything that is challenging about log processing and analysis into one presentation, '"Grand Challenges" of Log Management.' Logs are fun, but they are also painful to deal with, and there are plenty of things that we need to address before we can consider ourselves "done."

The presentation is also embedded below:


POPE Rules!

OMFG, this sooo made my day today. Mike Rothman "communicates" with P.O.P.E. and produces deep, lasting, impacting insight ("incite?") on career, skills, etc.

My fave piece: "But ultimately I fancy myself to be a builder and [his new job] gives me the opportunity to build a strong strategy and marketing function." Amen to that! Even though Mike can be a "talker" too, not only a "builder."

Read it!

More on "Helping With Compliance" vs "Selling Using Compliance"

So, here is a perfect example showing the idea I shared in my post "Just A Thought on Compliance": the exact quote is "it’s a vendor’s responsibility to make bearing the costs of PCI manageable."

Did he say "it is the vendor's role to 'sell stuff' using PCI"? God, no! He said that vendors will make PCI "bearable" for end-users. A big difference ...

Yes, PCI DSS is "a driver" for vendors to sell security tools AND "a sledgehammer" for end-users to "motivate" their bosses into releasing budget, but the reality is that PCI DSS compliance is a non-trivial challenge for many organizations, and that they need HELP more than they need "being sold to."

And help is on its way...


Saturday, October 04, 2008

Presentation from SANS 2008 Lunch and Learn in Las Vegas

As promised, here is my infamous presentation on "Log management 'Worst Practices'" that I gave at SANS Network Security 2008 yesterday.

This presentation can also be considered a sequel to my "Choosing a Log Management Approach" presentation, which was my previous SANS Lunch and Learn preso.

If you are involved / about to be involved with logging, read both (first, second)!

It is also embedded below:

Possibly related material:
  • All my presentations on Slideshare.

Friday, October 03, 2008

Just A Thought on Compliance

Do you know the difference between a solution "sold as compliance" and a solution that "helps with compliance?" In other words, are you "a checkmark" in a compliance checkbox OR do you help people with their compliance challenges?

Get it?

A Few Fun Bits, While I Am Preparing for My Speech at SANS

A few more things that qualify as fun reads, with - hopefully just as fun! - comments.
  • Love, love, love this piece :-) Remember the "robotic gun rampage" stories from last year? How does this sound: "The gun can track 360 degrees, but there is a software-driven safety zone that makes sure rounds don't blow the rotors off. If the Osprey has to maneuver away from the target and the crew chief can't hold the gun on the bad guys manually, the system slaves the gun to the point of the last shot, slewing it as the plane moves." (watch the fun video there too)
  • "Security idiot" meme lives on - go here. BTW, the post is a follow-up to this
  • A fun follow-up to my post on compliance approaches titled Is PCI DSS "Too Prescriptive"?
  • Finally, my fave post: "Increase Your Logging." I am sooooo happy that logging evangelism is spreading far and wide! A quote from the paper: ”Logs are interesting, logs are fun, logs should be done by EVERYONE…..get to logging!!!” (I promise that specific case was not my quote, even though I do say that very thing all the time!)
Enjoy! Time for me to run and do my preso ... about logs of course!

Thursday, October 02, 2008

Fun Reading on Security - 8

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is issue #8, dated October 2nd, 2008.

  1. Great paper that complements the whole "SIEM is dead?" saga - "Most enterprises are looking for a product that will solve all of their problems in some sort of off-the-shelf miracle, and when they find out that the currently available tools can't do it, they either postpone their deployment or put them on the back burner. "
  2. "The Mess: looking for someone to blame?" is an awesome piece on Internet security and its architecture - and so is Gunnar's follow-up ("If a tree falls in someone else's silo...")
  3. Mike's call to "Rise up against Mediocrity." - "Dilbert makes the risk of the lowest common denominator approach abundantly clear."; in other words, you say 'best practices', I say 'mediocrity!' Mike also reminds us, in vain, to do "Security FIRST!" (and compliance second)
  4. A great piece from Burton: "On Response" - I think the world needs another 10-20 million reminders that PREVENTION FAILS. This is definitely a good one for those still in the "we'll just block the threat" world - "we will not win a continuing war of escalation" and "using response can be more cost effective than installing the latest and greatest preventative tool"
  5. More on metrics, including the highly-awaited ISO27004.
  6. Pretty dumb paper by a person confused about why PCI DSS exists (the guy needs to read this). PCI doesn't "fall short," it helps people who would otherwise not do anything, and whose systems would "power" those botnets of the future...
  7. While we are on this subject: really good coverage of the PCI DSS 1.2 changes, released Oct 1st. More PCI fun here. And more here ("PCI Compliance - dispelling some common myths"). And, more PCI myths. And more good ideas on PCI from Mike R. Sorry, can't stop thinking about PCI :-) - also this is good.
  8. Adrian on behavioral monitoring; mostly in DAM, but also elsewhere in security.
  9. "Premature Chasm-Crossing" - a must-read for all security vendors and especially their marketing (and their easily-excitable PR teams...) - "Shouldn't vendors be spending more time fighting the problems that security managers are facing today, right this minute?" (Mike R also comments on that). A related - and just as interesting - point is made here: "Security is not a solution"
  10. More on compliance and security checklists, good and bad: "I think this is a dangerous trend unless the "checklist" is all inclusive." (how can a checklist include ALL? :-))
  11. "SANS Top 7 New IR/Forensic Trends In 2008"
  12. Read "The three approaches to computer security!"  Why? Come on, it is from Joanna! :-)
  13. A fun discussion about a hot new technology: network IDS. Is IDS absolutely indispensable to ALL companies? No. Can it be incredibly useful? You bet. End of discussion.
  14. On an unrelated note, are lasers the future of warfare? Some say no.
  15. Finally, some security humor from Gartner (!): "Get Rich Quick With Network Security"


Previous security reading.

Wednesday, October 01, 2008

Monthly Blog Round-Up - September 2008

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups are an attempt to remind people of useful content from the past month!

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts and topics.

  1. Shockingly, AGAIN this month, the "Top 11 Reasons to Secure and Protect Your Logs" came up as #1 most popular post (maybe driven by my poll).  BTW, see my other logging polls.
  2. Security ROI - and its parent topic "security metrics"/"measuring security" - is definitely an ongoing HOT debate. Indeed, the old post "Security ROI Pile-Up!" takes the #2 spot this month, possibly propelled by a more recent post "Second ROI War."
  3. Some say that "short blog posts rule", but, in reality, good, fun content is the best. Here is an example: the "Dumb Luck IS a Strategy!" post makes the top list. In it, I try to explore why people still ignore security concerns even when they stare people in the face...
  4. Discussion on what you can do to soften the impact of "getting 0wned" ("What CAN You Do?") made the top list. Good!
  5. As before, my post "11 Signs That Your SIEM Is A Dog or "Raffy, You Killed SIM!"" made the list. It is both humorous and sadly true (and backed up by other sources)
  6. Still burning hot is a post with my irreverent comments on the Terry Childs saga. Namely, "On Doomsaying (Terry Childs case)", "So ... Am I? Maybe I Am!" and "Admins, Good Guys or "I am NOT an Idiot!""

See you in October.


Dedicated to All PMs Out There

A must read on product management... funny as life :-)

"You Might be a PM if…

· … someone asks about your weekend plans and your answer consists of a list of Pri ones, twos, and threes.

· … you’ve ever ended a relationship using a PowerPoint presentation."


Really Good Point From Schneier ...

Read all here; the key point is: "The same is true for knitting needles [...] and whatever else the airport screeners are confiscating this week. If there's no consequence to getting caught with it, then confiscating it only hurts innocent people. At best, it mildly annoys the terrorists.

To fix this, airport security has to make a choice. If something is dangerous, treat it as dangerous and treat anyone who tries to bring it on as potentially dangerous. If it's not dangerous, then stop trying to keep it off airplanes. Trying to have it both ways just distracts the screeners from actually making us safer."

Doesn't it just make sense?!

Security + Logging + Virtualization Podcast

Here is a fun podcast a bunch of us (yes, including Chris, of course!) did on security, logging and virtualization (audio, full transcript).

It is actually a fun read / listen, if you are into any or all of these three :-)

Here is the brief blurb on that from the podcaster site: "To help learn about new ways that systems log tools and analysis are aiding the ramp-up to virtualization use, I [Dana Gardner] recently spoke with Charu Chaubal, senior architect for technical marketing, at VMware; Chris Hoff, chief security architect at Unisys, and Dr. Anton Chuvakin, chief logging evangelist and a security expert at LogLogic."

My Lunch Presentation at SANS Network Security 2008

If you are at SANS Network Security 2008 in Vegas, come see me speak about "'Worst Practices' of Log Management." It is a fun presentation - and we (LogLogic) will feed you lunch. For those of you who cannot make it, I will release the slide deck here after I present it this last time...

Here is the announcement:
LogLogic Lunch and Learn Presentation
'Worst Practices' of Log Management
Speaker: Dr. Anton Chuvakin, GCIH, GCFA
Friday, October 3rd, 2008 * 12:30pm - 1:15 pm

BTW, I am arriving Thursday night, so if anybody wants to meet and "talk logs," please drop me an email.

UPDATE: presentation is posted here.


Dr Anton Chuvakin