Sunday, May 30, 2010

SIEM-related Product Management Job: Atlanta, GA

As a favor to a friend, I am posting this job ad, related to SIEM, log management and MSSP.

This Product Manager role will primarily be responsible for SecureWorks next-generation correlation and analysis offering.

“This is a mid-level position reporting to the Vice President of Product Management. This position involves responsibility for defining new service lines as well as managing existing service lines. It is a highly visible position with enhanced opportunity for career growth.

In this role, you will drive product strategy and planning for your services and will lead the matrix team responsible for delivering these service lines. Your focus will be to work with the VP of Product Management and the Chief Marketing Officer to develop a compelling vision for your service and to execute, measure, and adjust the strategy accordingly. You must have experience in security technologies, enterprise and commercial markets, and ideally managed services. You would use your client input, market knowledge, and experience to define product plans and product requirements for services that will be highly competitive in the market and can be delivered efficiently through our Security Operations Center.”

All details and how to apply here.

So, if you end up getting hired, make sure to remember to buy me a beer :-)

Friday, May 28, 2010

Recent SIEM/Log Management Webcast Q&A

A few weeks ago I did this fun webcast with NitroSecurity (recording) on Log Management and SIEM; here are some belated Q&A we got there:

Q1: Is it Security Incident Event Management or Security Information and Event Mgmt?

A1: SIEM stands for Security Information and Event Management. But please shoot whatever market analyst first mistook ‘information’ for ‘incident’.

Q2: What level of personnel resources is needed to maintain a SIEM?

A2: This is what is known as the “one million dollar question” :-) First, it depends on your SIEM “use cases” – essentially on what you plan to accomplish using a SIEM. You can read “SIEM Bloggables” to see some of the high-level usage scenarios. For example, you might acquire and use a SIEM for reviewing compliance reports once a month. In this case, your personnel requirement will probably not exceed a few hours of 1 FTE. On the other extreme, you might be building a Security Operations Center (SOC) for a global enterprise based on a SIEM. In this case, you might be looking at dozens of people of varying skill levels, from junior analysts to senior SOC managers.

Q3: Please explain chain of custody.

A3: Wikipedia’s definition is just fine, see: http://en.wikipedia.org/wiki/Chain_of_custody. In brief: “Chain of custody (CoC) refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.”


Q4: How long does PCI DSS require logs to be kept?

A4: As per PCI DSS v 1.2.1 Requirement 10.7: “Retain audit trail history [A.C. – i.e. logs] for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).” A typical SIEM or log management tool can hold 90 days of data with up to 1 year available in file backups.


Q5: Does adding context/content sources slow the SIEM down?

A5: It depends on the SIEM. Some of the commercial products are slow even without anything being added to them :-) Others can handle extreme event loads. So, the only way to know for sure is to use it in your environment, with your log data and with your context data (assets, vulnerabilities, user roles, etc.).

BTW, slides similar to those I used at the webinar are posted at Slideshare and embedded below:




Enjoy!


Monday, May 24, 2010

Fun Reading on Security and Compliance #25

Here is issue #25 of my “Fun Reading on Security and Compliance,” dated May 24, 2010 (read past ones here). You can judge by its size that my “2blog” folder has been way too full, since I was too busy working on a few fun consulting projects.

Main section: 

  1. Fun piece from my co-author (“PCI Compliance”) Branden: “Compliance, Easier Than Security!”
  2. CloudAudit (former A6WG) goes ahead full-steam: “Q&A: CloudAudit targets automated risk assessment, management” (I suspect this is where we’d go for practical guidance in a few years … not to CSA [PDF]) BTW, CSA did release its cloud compliance control matrix  a while ago and it is used by CloudAudit.
  3. I dunno why, but I forgot to highlight Alex’s awesome BSides presentation on…risk management: “Risk Management - Time to blow it up and start over?” (now you know that my 2blog folder has been rotting since March 2010 :-))
  4. Worthwhile posts from Securosis: “Mogull’s Law”, “LHF: Quick Wins with DLP—the Conclusion”, “Announcing NetSec Ops Quant: Network Security Metrics Suck. Let’s Fix Them” , “Help Build the Mother of All Data Security Surveys”  and their discoveries regarding PCI Level 4 merchants "Level 4 Apathy"
  5. In addition, Securosis folks started a series on SIEM (a must):  "Understanding and Selecting SIEM/Log Management: Introduction"  "Understanding and Selecting SIEM/LM: Use Cases, Part 1", "Understanding and Selecting SIEM/LM: Use Cases, Part 2", "Understanding and Selecting SIEM/LM: Business Justification"
  6. Notable pieces from FUDSec: “The Broken Windows Economics of IT Security”, “SCSOVLF (aka, the Shpantzer Coma Scale Of Vendor Lameness and FUD)” (quote: “If, when asked, "How do you approach the APT issue, exactly?" they respond "That's on our roadmap"”)
  7. Fun posts from Richard: “Time and Cost to Defend the Town”, “Forget ROI and Risk. Consider Competitive Advantage” (a fresh batch of ROI jokes inside)
  8. Famous Forrester “too much compliance” study (notes, full PDF) , a must read!
  9. Gunnar’s “10 Quick, Dirty and Cheap Things to Improve Enterprise Security” that I should have highlighted earlier (and of course: “8. Improve your Audit Logging”…)
  10. Completely awesome presentation on REAL cloud security from Alex Stamos @ SourceBoston (was one of my favorites at Source)
  11. Interesting report on web ownage from Dasient (disclosure: I am an advisor). Quote: “We found that 97% of Fortune 500 web sites are at a high risk of getting infected with malware due to external partners. In fact, Fortune 500 web sites have such a high risk because 69% of them use external Javascript to render portions of their sites and 64% of them are running outdated web applications.” Niiice.
  12. InfoSecMentors (site, blog) launched off the ideas from the SourceBoston mentorship panel.
  13. The Security FAIL Chronicles launched (site); “the purpose of this site is to document security failures in various technologies.” Note to self: I need to get my KilledBySoftware site finally up… :-)
  14. SANS produces a mid-year list of security predictions for 2011-2012. Why now? I don’t know, but the predictions are always fun.
  15. “How to Kick Ass in Information Security — Hoff’s Spiritually-Enlightened Top Ten Guide to Health, Wealth and Happiness”...awesomely hoffistic piece.
  16. Please don’t laugh but do check the calendar (the year part): people…still…ask…questions…what…ports…to block…on…a firewall! On a list where Marcus Ranum lurks. If this is not the best way to have your balls flattened, I don’t know what is.
  17. Upon leaving security (!), Mark Curphey reposted all his Security Bullshit cartoons here.
  18. A great, thought-provoking piece from Michal Zalewski "Security engineering: broken promises"

Logging, log management and SIEM section:

  1. “Using OSSEC for the forensic analysis of log files” – OSSEC is mostly for real-time log analysis, but now you can also analyze stored logs
  2. Useful list of Windows event IDs that record application install/updates, such as “1005 Install operation initiated a reboot” and all others.
  3. Gorka Sadowski has a useful bit on various logs here (especially read the part about anti-virus logs)
  4. Rocky has a series of fun posts on SIEM that you need to read: "SIEM Evolution: Chapter 1" , "2010 Gartner MQ for SIEM" (with a lot of fun MQ analysis), "Tetragon of Prestidigitation".
  5. “Centralized vs. Distributed Syslog System Architectures” about exactly what it says :-)
  6. This fits under both PCI DSS and logging so, “log data revisited” is worth a read (it mentions 70TB of log data which is always juicy): “The second thing we hear most often is, “We only look at log data when we have a problem.” Typically what this means is that the problem has now grown to the size of a whale and has become noticeable by end users who are complaining.”
  7. Building a logging VM – syslog-ng and Splunk
  8. A really old log trick that people need to be reminded of: “How to Protect Your Logs from Tampering”
  9. SANS ISC on application logs explains deep suckage of [most] application logs: “dear developer, please spare us the debug log that got swiftly re-branded into "audit log" five minutes before project completion.”
  10. My “PCI Logging HOWTO, Part 2” (part 1). While we are on this subject, here is a fairly useful list on what to log for PCI DSS on Windows.
  11. Another “you have no logs – when you REALLY need them” horror story: “ERP billing systems that did zero audits (total breach of SarOx) due to performance constraints and lack of vendor know how on what to implement let alone how.”
  12. I've long whined about firewall "connection allowed" logs (example); LogLogic folks remind everybody about their value again: "Do your "Traffic Allowed" logs sing?"
  13. Another bit on SIEM "SIEM: The good and the bad - Part I" with SIEM basics. Key quote "I believe SIEM's will be as common as firewalls within 5 years. " (let’s see whether it will happen this way!)
  14. Well-spelled out example of what one organization is looking for in a SIEM/log management tool: "Open Source centralized log management/SIEM solutions"
  15. Bloor folks also unleashed a salvo in the direction of SIEM - their angle is SIEM as an information management solution: "The problem with SIEM 1" and "The problem with SIEM 2" Quote: "…  analytic warehouses are currently capable of ingesting data much faster than any of the SIEM products. In our survey the highest load rates we found were at around 4TB per day: analytic warehouses can often load that much per hour!"
  16. SIEM implementation lessons video.

PCI DSS section:

  1. “PCI And Cloud Computing: It’s All About Scope” …PCI DSS + clouds = what else do you need? :-)
  2. Fun interview with me on PCI DSS. Quote: “Q: Where do you see the PCI compliance industry in five years? A: To be honest, I don’t want to see “PCI compliance industry” at all: not now, not in a year, not to five years. […]”
  3. “Undergoing a PCI Assessment – How to Prepare” and “PCI Onsite Assessment - Part 1” (also “Part Two - Preparation for an onsite assessment and what to do first!” and all the way to “Part Five - Selecting a QSA!”)
  4. Please take a good swig from the bottle of no less than 60 proof alcohol before reading this. EXTREME RAGE ALERT! :-)
  5. A really good Forbes piece on PCI: “The easiest way for small businesses to address the information security requirements imposed by credit card companies is the wrong way. I'm talking about lying and praying.” and a quote from me:  “Businesses that endanger their customers really do deserve to die.” 

Enjoy!


Wednesday, May 19, 2010

Compliance Mega-Epiphany!

After spending a week at an amazing Project Honeynet 2010 Annual “Get-together” in Mexico City, I realized that the workshop environment was missing one big thing: nobody ever mentioned COMPLIANCE (!!!). Yes, the pink elephant in the room was …not in the room – no trace of it, not even a whiff of compliant elephant dung.


The discussions covered malware (mostly bots, but also Conficker, of course), malware reversing, attacker behavior, distributed data analysis, intelligence gathering, log analysis (see the class that I gave there) – but not compliance. As a result, my brain got completely drained of all compliancy (and, no, the fact that I had to then fly to give my PCI DSS keynote didn’t stop it from draining).

And then I had A COMPLIANCE EPIPHANY.

You see, compliance has no value. [this would be a good moment to say that this gets a Captain Obvious 2010 award :-)] None! If somebody offers you “ROI for compliance,” just smile and kick them in the nuts. Hard! Then smile again. And if you are feeling generous, do it again! Again!!


Let me rephrase it: regulatory compliance has no intrinsic value. Just as a seatbelt law that fines you $30 for not wearing a seatbelt has no value – in fact, it has a negative value (of -$30) to those fined.

However, the epiphany continues: does the above mean that all the recent “comply-mancing” is in vain?

No, I think that it is needed more than ever!

Imagine the Universe where we, security professionals, possess detailed information on the threats that we face AND on the countermeasures we have – complete with how efficient each countermeasure is against each threat. In this case, doing “risk management” will be trivial: run a list of threats your organization faces, get the desired degree of security (or, “risk”, if you must call it that), then pick the countermeasures which will get you there, starting from the least expensive. Bingo! You are done. If you run out of budget in the process, then go back and reassess the desired degree of security/”risk”. Or negotiate the lower price with the countermeasures provider.

As you are reading the above, you are quickly coming to a realization that such a description truly has nothing to do with the world we live in (sorry for NLP mind tricks…)

N-O-T-H-I-N-G!

In our world, threats are of unknown frequency and damage (ALE my ass!), countermeasures are of unknown efficiency and random cost – plus both change all the time. And we don’t even have the formula to plug the unknown and changing numbers in. And we can’t reliably value assets and losses. And we don’t know what our desired level of security is – that was icing on a security cake…yummmm.

So, what are the choices a majority of organizations take? Do nothing. Or do something random. Or do “something cheap.” Securosis folks once called it a market failure in security. Rich’s recent presentation at Secure 360 conference also spoke about the same.

The result? Massive 0wnage, fraud, losses, breaches and other cyber-freaking-war.

Here is where compliance comes in. Compliance is a blunt instrument (a sledgehammer, as I say here) to compel people to do security, auditability, transparency, even responsibility for the losses of others and sometimes even for their own losses, etc.

We live in an intensely interconnected world and if a merchant does not protect the data belonging to an issuer (taking an example from PCI land), we all suffer. If people don’t protect [or remove] such data, we’d have no ecommerce as the electronic payment system will eventually crash. No electricity as SCADA systems will [eventually] be hacked. And no healthcare as eventually reliance on computers in healthcare will lead to people being KilledBySoftware (also see Security Predictions 2020).

Can we mandate that people do a good job? No. “Good job” by definition comes from the heart, not from the whip. Is it still worth it? Yes, I think so. In other words, the current onslaught of compliance is a sign that information security is pretty much mainstream. In the future, compliance efforts will help establish a new, higher baseline level – and the security battle will shift to levels above it.

Finally, is there any other way to sell security? Yup, FUD. Arghh!!!! You are sooo getting owned if you don’t buy our stuff!!! I happen to think compliance is a better choice than that.


To conclude this passionate epiphany, I have to say, thrice:

If you are “doing compliance” and gain no value of security, you are probably an idiot. Please stop!

If you are “doing compliance” and gain no value of security, you are probably an idiot. Please stop!!

If you are “doing compliance” and gain no value of security, you are probably an idiot. Please stop!!!


Monday, May 17, 2010

Hack in The Box Keynote in Amsterdam 2010

Among all the fun security conferences I’ve been to lately, this one is promising to be extra-special. After two failed attempts (one), I’d be doing (finally!) a keynote at Hack in The Box (HITB) Amsterdam 2010. So, if you are in the vicinity of Amsterdam on June 30 – July 2, 2010, come over and attend it. My keynote will be titled “Security Chasm.”

Full abstract follows:

Have you often wondered why people are updating their security policies, closing compliance gaps and defining ISMS while attackers are owning their systems – at the same time? Why consultants advise management on ‘risk ass-essment” while new bots are being deployed on what was formerly known as ‘your network’? Why some say that “DLP is all the rage” while record data losses and resulting fraud occur daily? Why application architects now have to assume that a client PC is ‘owned’ when its user goes to a bank website and then design solutions to work securely around that?

Reality today often presents a grim vision of “two securities”: one concerned with ‘elevating the infosec conversation’ while the other is concerned with cleaning up the mess on our networks and systems. In one, people pretend to ‘assess risk’ while in the other incident response is the only way to go…. This very concept, that I call “security chasm,” will be the subject of my keynote presentation, along with such questions as “why we wear seatbelts because of the monetary fine, but not because of risk to our lives?” and “What will make us secure – if anything?” (and what does it actually mean!) Finally, I will explore the future of what we now call security industry and make a few long term predictions of where we will end up in a few years….

See ya all there!


Friday, May 14, 2010

Secure360 2010 Conference Notes

I just came back from Secure 360 conference in Minneapolis, MN. First, I’d like to thank the organizers for inviting me to be a "featured" speaker at the event. Just as in 2008, the conference was well organized and well attended as well - pretty much all 9 (!) tracks.

Day 1 started with Rich Mogull’s talk called “Putting the Fun in Dysfunctional: How the Security Industry Really Works.” His main theme was the use of economics and psychology (all the way to the Maslow diagram :-)) to analyze what happens in the security industry. Some bits that caught my attention follow below:

We as an industry spend MORE on anti-virus+firewall than on ALL other security safeguards combined (!).

Many organizations are “reactive, but not responsive.” Just as others, Rich also likes to remind people that incident response trumps most other things in importance; you can choose to not deploy a DLP tool (for example, no offence to any DLP vendors in attendance :-)), but you WILL respond to an incident (even if your IR plan = panic :-))

We deal MUCH better with short term risks than long term risk  (also see Schneier saying similar things here); the chain “Fear –> wired response -> buy product” seems all but unbreakable

Compliance realigns economic drivers: risk of audit > attack. It was funny that in his view organizations need to pay attention only to those laws and regulations where penalties are actually imminent.

On top of this, controls are not tied to outcomes!! I also consider this to be one of the horrible holes in security today!

One of the curious points that I’ve seen before from Securosis folks is that “making us better at security” does not sell security tools and practices, even if it is MUCH better than current. What sells is fear of threats – of either hacking or fines.

Finally, feel free to ask Rich what the "Porn and email theory of security" is :-)

Next, Marcus Ranum’s speech on software suckage (“Software as a Strategic Problem”) was thought-provoking (and somewhat argument-provoking too). The main idea was: BOTH COTS AND outsourced software development are wrong for super-sensitive government/national security uses (he gave an example of rumored outsourced code running in a JDAM…) – agencies need to go back to hiring, retaining and utilizing in-house staff. In this view, that is the only way to avoid future “nation-busting” security issues.

He contrasted two approaches: “write the software to solve the problem - from scratch” vs “use very flexible COTS software + spend forever configuring and reconfiguring it.” He also called for such custom software to aim for “zero maintainability + zero administration” – which to me sounded unrealistic for most evolving uses of software…

Finally, Marcus was also visibly upset that US government didn’t backdoor Windows :-) - it seems like a missed opportunity for easy world domination…

Here is some fun coverage of Marcus’s speech and the usual Slashdot idiocy that followed. The key quote is: “If the United States wants to remain competitive in the global economy and prevent widespread penetrations of its strategic, corporate and commercial networks, enterprises and government agencies should stop relying on commercial [A.C. – whether COTS or contracted/outsourced] software and go back to writing more of their own custom code” (read the comments too)

I ended day 1 at Gal Shpantzer’s presentation on USB isolation. The key idea was: given that most PCs are owned (sad, huh?), how do we still use them for sensitive applications like banking? He reviewed approaches such as a dedicated PC vs the "bubble" approach vs the bootable approach on USB.

Day 2 started with my very own presentation “PCI DSS-based Security: Is This For Real? Using PCI DSS as A Foundation for Your Security Program.” The slides are embedded below:



It went pretty well, despite containing the picture of the devil while in the Midwest :-)

Enjoy!


Tuesday, May 11, 2010

Guest Post (First Ever!): Branden Williams “‘Free’ or Commercial—YOU DECIDE!”

This is the first ever guest post on my blog. In it, my esteemed co-author of “PCI Compliance”, Branden Williams, analyzes the use of open source software for various projects.

Here is more information about Branden and his awesome blog:

"Free" or Commercial—YOU DECIDE!

Open source software that is freely available for download and use is one of the greatest things about our technical community. The fact that at any given time I have a massive library of software available at my fingertips to accomplish any number of software tasks is nothing short of amazing! Then you tell me that if there is something I want to add to the software, I just jump in and do it? WOW!

Don’t let the rest of this post fool you, I am 100% pro open-source. In fact, I released more than one open source project over the years (though nothing recently of note). Open source has a place in research and the commercial world alike.

But can you just assume that open source software is FREE software?

One of the biggest misconceptions that I see in our industry is that open source software is free. Freely downloadable, open source software is by no means free—remember you need smart ladies and gentlemen like yourselves to install, configure, and support it. That aside, there is absolutely no reason why open source software should not be used to meet security or compliance requirements.

Before settling on a particular solution (commercial or open source), security professionals should do a full cost analysis including some risk-based elements.  I know security people avoid doing this because we trust our guts more than we trust business tools, and it can be very time consuming. When you have to put out fires on an hourly basis, fiddling with a spreadsheet just doesn’t seem like a good use of your time.

Know this: going through the exercise will pay off in spades by showing the team when and where open source is strategic.

Before considering an open source software package, check with your legal team to see if your company has a position on any of the plethora of open source licenses under which software is typically licensed. For example, I work with a customer that strictly forbids GPLv2 software from being used (due to the requirements to contribute code improvements back to the larger community), but permits software licensed under the BSD license. Get a legal opinion from your legal counsel before your business comes to depend on a piece of software.

Once you have the green light on a set of licenses and find a software package that meets your requirements, it’s time to do your cost analysis. Open source software that is freely downloadable does have a cost greater than zero, yet that cost is often left out of the comparison (or incomplete) between commercial and open source software packages. Here are some things to consider:

  • Do you have to acquire equipment for this software to run? Be sure to include network infrastructure to support it.
  • How much of your time is required to keep it up to date? Estimate it, then use your salary plus bonus, and add anywhere from 15-25% for a benefit load. This will get you in the ballpark.
  • Do you need to hire a staff to keep it up to date? Use the same calc above.
  • Will someone else in your company have to support it? Same calc as above.
  • Will you need a second tier support contract from the open source group to handle advanced support issues?

The base formula should look something like this:

Total Cost = (Total Man-Days * Estimated Daily Salary Costs) + Initial Hardware Cost + Hardware Upgrade Cost + Annual Support Contract.

Whereby:

  • Total Man-Days = the TOTAL number of man-days you will spend per year. If maintaining this software will take 10% of your time, then that would be 192 hours (based on a 1920 hours/year) or 24 days. If you have multiple staff classes, you will need to do the math in the parentheses multiple times with the correct corresponding day rates and man-day effort.
  • Estimated Daily Salary Costs = Your fully loaded daily rate. If someone made 70K/yr plus a 15K bonus, that’s 85K/yr target compensation, plus a 20% benefit load = 102K/year, divide that by 240 days per year and you get around 425/day. This and the previous would get you a support cost of 10K.
  • Initial Hardware Cost = The capital you must spend to get hardware to support your project.
  • Hardware Upgrade Cost = Your current hardware is probably on a 3 or 5 year lifecycle. Estimate costs of replacement and divide by the normal lifecycle to get an annualized cost.
  • Annual Support Contract = The annual cost of second tier support from the group that writes the software.

NOW you have something to compare to your commercial-off-the-shelf vendor’s estimate. In more cases than some of us want to admit, freely downloadable, open source software can be more expensive than commercial software. That doesn’t mean you shouldn’t use it, or that it always negatively impacts your business. On the contrary, this exercise will help you document all of the costs and risks associated with deploying the package.

Besides, on a personal note… if it goes down at 4am on a Sunday, isn’t it nicer to scream at someone’s face and then go back to bed? :-)

==

Enjoy the guest post – feel free to check out my guest post at Branden’s blog too.

Friday, May 07, 2010

My Best PCI DSS Presentation EVER!

As you know, I gave a keynote presentation at PCI DSS Workshop 2010 by Treasury Institute for Higher Education (the other keynote being Bob Russo, naturally :-)). Addressing an audience of about 130 mostly University IT, IT security and finance (!) professionals in charge of their payment and PCI DSS programs was a fun challenge. The slides are embedded below – I seriously consider it to be my best PCI presentation  ever… mmm… to date.

(I suspect some of the things I had to invent for this presentation – e.g “the kitten bit” – will end up on Twitter pretty soon :-))

The workshop was also pretty educational for me since I learned how PCI DSS is really done in the most challenging environments possible – large Universities with hundreds of merchant IDs, every possible card acceptance method, wayward academics, general skepticism for policies and mandates, desire for “openness” (aka come-take-our-PANs-SSNs-medical-records-kinda-openness…), lack of centralized control and (sad and unjustified, but frequent) disdain for central IT groups.

On the other hand, I was amazed to learn that many Universities do not need any extra pushing and hand-wringing to treat PCI DSS and payment security as … gasp!… a business problem. As I mentioned above, the audience at a PCI Workshop was only about 30% IT and IT security with 70% finance/treasury folks responsible for PCI DSS compliance (there were also 2 stray auditors in the room).

So, the second day keynote was given by Bob Russo who is definitely known for putting up a good show (and, nowadays, song and dance!). A new bit for me was the establishment of ISAs – Internal Security Assessors – and upcoming ISA training by the Council. He also reiterated that PCI DSS “1.3” (October 2010) won’t have massive changes, but mostly additional clarifying guidance, produced by SIGs, will be released at or before that date.

Also, I was involved in “PCI Experts Panel” with Bob Russo and representatives from Elavon and Fifth Third Processing Solutions. We covered many fun questions (some of which sure made my head spin… we are talking deep PCI esoterica here). I was kinda surprised to learn that people still ask whether encrypted data needs to be protected, even though it is answered in the official PCI DSS FAQ.

Enjoy!

P.S. WTH is “a kitten bit”? I coined the following phrase for this presentation: “Every time you think ‘PCI DSS OR security,’ god kills a kitten!”


Tuesday, May 04, 2010

Brief Log Management Class

I gave a brief 90 minute log analysis and log management class at the Project Honeynet event in Mexico City.
The class slides are embedded below:


Enjoy!


Monday, May 03, 2010

Monthly Blog Round-Up – April 2010

Blogs are a "stateless" medium and people often only pay attention to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting content. If you are “too busy to read the blogs,” at least read these.

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.

  1. By a HUGE margin, the #1 post this month is again “Simple Log Review Checklist Released!” Grab our log review checklist here, if you have not done so already. It is perfect to hand out to junior sysadmins who are just starting up with logs.
  2. Next is the post announcing the release of SANS Log Management Survey 2010 (“SANS Log Management Survey Is Out”); some highlights – and some surprises! - from the survey are in the post.
  3. The post announcing the release of my detailed whitepaper on SIEM and Log Management is also in Top5 (“Two New Logging Resources Published”); also see other related content such as “One More Time on SIEM vs Log Management.” To get the paper, you’d need to fill the form at Novell site, but I assure you – it is totally worth it :-)
  4. A recent post “On Choosing SIEM”, only published a few days ago, went to the top like lightning. If you are thinking of getting a SIEM or a log management tool, check it out.
  5. “The Myth of SIEM as “An Analyst-in-the-box” or How NOT to Pick a SIEM-II?” and its predecessor ““I Want to Buy Correlation” or How NOT to Pick a SIEM?” hold the next position this month. They present some sadly popular misconceptions about acquiring and implementing SIEM and log management tools.
  6. My log management maturity curve post (“Logging, Log Management and Log Review Maturity”) continues to sit in Top 5 (as #6 :-)). Is it awesome or what? :-)

BTW, notice something funny about the Top 5 this month? Look, Ma, no PCI DSS! :-)

Also, below I am thanking my top 5 referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog:

  1. Cédric Blancher
  2. Kevin Riggins
  3. Michał Wiczyński
  4. Walt Conway
  5. Guerilla CISO

See you in May; also see my annual “Top Posts” - 2007, 2008, 2009!

Dr Anton Chuvakin