Thursday, December 13, 2012

PCI Compliance Book Giveaway #2

OK folks, our PCI Compliance book has been out for a few months now, and Branden & I thought it would be fun to give away a copy with another contest! We have assembled a group of three independent judges who will look at the submissions and pick winners for each competition. The winner will receive a free, signed copy of the book! In fact, it would be one of those rare “dual-signed” copies with both of our signatures (and the book will have to travel from TX to CA, or from CA to TX, for this).

So, on to the second contest (first one).

Our book attempts to draw a middle line between the black & white “audit” style of looking at PCI DSS and the loosey-goosey “anything goes” view. We want to take a compliance-friendly and security-friendly practitioner’s line. However, sometimes even a compliance guy has to be CREATIVE!

So, our second challenge to you: in the comments below, please tell us about the MOST CREATIVE PCI DSS CONTROL you implemented, assessed or even witnessed.

HOWEVER, it will help your submission if such control was also ACCEPTED by a QSA. We will absolutely reject the creative control submissions that have no chance of making your environment PCI DSS compliant…

You’ve got about a week (until the end of December 21st), and we will announce the winners after the holidays!

It doesn’t matter if you comment here or on Branden’s blog, we will capture all of them.

Related posts:

Tuesday, December 04, 2012

PCI Compliance Book Giveaway–Results

Our PCI Compliance Book Giveaway has ended – with a bang!  The winning entry (submitted here) is below:

"Hilarious in a sad way, the worst PCI fail I ever had was getting
solicited by a Wedding / Bridal catalog company to assist them in
improving their online ordering and bridal catalog subscription
service. I had no contract with them, this was just a preliminary
"Let's see what we can do for you." They sent us their website, and
also e-mailed me a copy of their site's source code.
In the source code was an SQL dump of over 7 years of brides' personal
information including names, addresses, birthdays, and FULL credit
card numbers, expiration dates, CCVs, card type, phone numbers, email
addresses, and unencrypted passwords.
In shock of seeing this, I called the potential client, said we
couldn't help them and deleted the data as completely as I could.
Eek!"

The winner, “James P”, please mail your address to authors@pcicompliancebook.info and we will mail you your signed copy of The PCI Book, 3rd edition. And, no, we won’t charge your credit card for that.

The runner-up entries were:

“A very large retailer decides to reorganize their IT department to be more responsive and reactive. As part of that reorganization, they create a group titled 'Enterprise Monitoring' that is responsible for the care/feeding of the log management and analysis solutions. Centralized personnel that actually do the monitoring are pushed out to the business units where, according to IT management, the actual monitoring belongs. Everyone at the meeting announcing this decision says that the name, Enterprise Monitoring, needs to be changed because it gives the impression that the group does the monitoring, but they are overruled.
Spin ahead almost a year later to their PCI assessment. The monitoring personnel that were pushed out to the business units were, surprise/surprise, seen as new bodies that could be used for everything BUT monitoring. So, we have great log management and analysis solutions running, but no one has been monitoring anything for almost a year! When asked, the business units point to the Enterprise Monitoring group and say that it is their responsibility because they are 'Enterprise Monitoring'. DUH!” (source)

and

“I work with a stadium and arena concessions operation that once told me they were compliant because they put their card swipe readers on the counter and turned them around to face the customer. They no longer touched the cards so this made them compliant. True story.” (source)

and

“It’s not a fail, but I certainly found humor in this. When enrolling in training with the PCI Security Standards Council, if you would like to pay by credit card they ask that you write your CC#, CVV, Expiration, etc. on the invoice and fax it or mail it to them. They note it is a secure and password protected fax. I expected something a little more from the people who create the standards, but hey, that’s one way to reduce your scope. Upon receiving the invoice, it was an LOL moment.” (source)

MORE PCI Book CONTESTS ARE COMING!! Stand by….

Monday, December 03, 2012

Monthly Blog Round-Up – November 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update)
  2. “PCI Compliance Book Giveaway!” announces our new contest and its prize – The PCI Compliance book. We will announce the winner any day now.
  3. My classic PCI DSS Log Review series is popular as well. The approach is useful for building other types of log review processes and procedures, whether regulatory or not.
  4. “On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
  5. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current DLP research:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Thursday, November 15, 2012

PCI Compliance Book Giveaway!

OK folks, our PCI Compliance book has been out for a couple of months now, and Branden & I thought it would be fun to give away a couple of copies with a contest! We have assembled a group of three independent judges who will take a whittled-down list and pick winners for each competition. The winner will receive a free, signed copy of the book!

So, on to the first contest.

Our book attempts to draw a middle line between the black & white “audit” style of looking at PCI DSS and the loosey-goosey “anything goes” view. We want to take a compliance-friendly practitioner’s line. But we’ve all been in those meetings when you look at a particular defense of a control (or lack thereof) and you can’t help but laugh a little at the ridiculous nature of what was presented.

So, our first challenge to you: in the comments below, please tell us about your MOST HILARIOUS PCI FAIL.

You’ve got a week (until the end of Wednesday, November 21st), and we will announce the winners after the US Thanksgiving holiday!

It doesn’t matter if you comment here or on Branden’s blog, we will capture all of them.

Thursday, November 01, 2012

Monthly Blog Round-Up – October 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it needs another update)
  2. “On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
  3. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  4. My PCI DSS Log Review series is popular as well. It actually needs no introduction.
  5. SIEM use cases (however they are defined) seem to be on a lot of minds and so the “SIEM Bloggables” post (and this one too) is on my top list.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current DLP research:

Recent SIEM research:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Monday, October 01, 2012

Monthly Blog Round-Up – September 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it needs another update…)
  2. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  3. “On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
  4. My PCI DSS Log Review series is popular as well. It actually needs no introduction.
  5. “The Myth of SIEM as “An Analyst-in-the-box” or How NOT to Pick a SIEM-II?” is about how some organizations want to buy a SIEM and pretend they now have security monitoring.
In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current SIEM research:

Other fun Gartner blog posts:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Friday, September 14, 2012

On “Output-driven” SIEM [BACKUP FROM DEAD GARTNER BLOG]


NOTICE: after Gartner killed ALL blogs in late 2023, I am trying to salvage (via archive.org) some of the most critical blogs I've written while working there, and repost them with backdates here, for posterity. This one reminds the world that I popularized the term "output-driven SIEM"


Here is a great term I picked up from another member of the SIEM literati: “output-driven SIEM.” This simply means deploying your security information and event management tool in such a way that NOTHING comes into your SIEM unless and until you know how it will be utilized and/or presented. Thus, only existing or planned reports, visuals, alerts, dashboards, profiling algorithms, context fusion or whatever other means of using the data can make a SIEM implementer “open the floodgates” and admit a particular log type into the tool. If a process exists outside of the SIEM tool that will make use of the SIEM data, that qualifies as well. In this model, goals drive security requirements, requirements drive use cases, and use cases drive functionality and collection scope. By the way, this model is as well-known and effective … as it is, sadly, uncommon among the organizations deploying SIEM tools today. “Now that we have all this data [and now that our SIEM is very slow], how do we use it?” is much more common….

For example, if your goal is to make it possible to detect when your users abuse access credentials (or when somebody steals their credentials), requirements will call for login-counting correlation rules, user activity profiling as well as associated reporting on user access data. Thus, various types of authentication records (Unix syslog and Windows event logs, access control and remote access server logs, VPN, etc) need to be collected.

Now, this is dramatically different from the approach one should take with broad-scope log management, aimed at general system troubleshooting or incident response support. That is where being “input-driven” and getting every possible bit of data in would be admirable. Collecting “100% of all logs,” piling them in Hadoop, having them ready for use, etc. works brilliantly there – collect the data now and sort it out later, don’t dwell on choosing collection-time filters. However, doing the same with a SIEM is a great way to turn your deployment into a quivering, jumbled mess of barely performing components and oodles of “crap-ta” (a hybrid of “crap” and “data”, as you can guess). “Big” or “small”, unused data just does not help the SIEM perform its security mission well.

How does such difference matter in real-world deployments?

Every log line going into a SIEM tool “costs” (and sometimes actually costs – i.e. in dollar and not just in computing-resource terms) much more than a log line dropped into a log aggregator. $50,000 for an appliance that does 100,000 EPS sounds like a great log management price, while SIEM deployments where 100,000 log messages are actually analyzed by the SIEM every second are both rare and really expensive (likely well into seven-digit territory).

Admittedly, “output-driven SIEM” is hard work. It makes soooooo much sense to “just collect it for now” and then “figure out how to use it later.” In many cases, however, this means that your deployment will be stuck. Sometimes it may work for you – but please be aware that for many people who thought that “it would work for them," it actually did not. At this point, it should be obvious to most readers that combining “input-driven” log aggregation and “output-driven” SIEM analysis is still the best way to go for most organizations. And, yes, as with every great useful rule, it has great useful exceptions …

On the architecture side, if your SIEM includes log management components (like most do today), the same logic applies: that aggregator component will see all of the data, while core SIEM analysis components and dashboards will only see the data that needs to be there. For two distinct tools, this “magic” is achieved via filters that are deployed between a log management system and a SIEM.
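To make the “nothing enters the SIEM without a use case that consumes it” idea concrete, here is an added example; it is not code from the original post or from any SIEM product. It assumes a hypothetical aggregator that hands over records as (receipt time, source type, raw line) tuples, declares one use case (credential abuse, as in the paragraph above), derives the SIEM admission filter from that declaration, and runs a login-counting correlation rule over what gets through. All log lines, thresholds and names are constructed for the example.

```python
"""Output-driven SIEM: derive the admission filter from declared use cases.

Added illustration, not from the original post.  The aggregator records,
source types, use-case names and thresholds below are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# 1. Declared use cases drive collection scope.  Each use case lists the
#    (source_type, event_class) pairs its rules and reports consume.
USE_CASES = {
    "credential_abuse": {
        ("linux_syslog", "auth_failure"), ("linux_syslog", "auth_success"),
        ("windows_security", "auth_failure"), ("windows_security", "auth_success"),
    },
}

def admitted_log_types(use_cases):
    """Union of every log type at least one use case claims."""
    return set().union(*use_cases.values())

# 2. Parsers: raw aggregator line -> normalized event, or None when the line
#    carries no event class the SIEM knows about.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(\S+) from (\S+)")
WIN_RE = re.compile(r"EventID=(4624|4625) .*TargetUserName=(\S+) .*IpAddress=(\S+)")

def normalize(received_at, source_type, line):
    if source_type == "linux_syslog":
        m = SSHD_RE.search(line)
        if not m:
            return None            # cron, dhcp, etc.: no claimed event class
        cls = "auth_failure" if m.group(1) == "Failed" else "auth_success"
    elif source_type == "windows_security":
        m = WIN_RE.search(line)
        if not m:
            return None
        cls = "auth_failure" if m.group(1) == "4625" else "auth_success"
    else:
        return None                # web access, netflow, ...: stays in the aggregator
    return {"ts": datetime.fromisoformat(received_at), "source": source_type,
            "class": cls, "user": m.group(2).lower(), "src_ip": m.group(3)}

# 3. The filter between log management and the SIEM.
def admission_filter(records, use_cases):
    """Return (events admitted into the SIEM, Counter of dropped lines by source)."""
    allowed = admitted_log_types(use_cases)
    admitted, dropped = [], Counter()
    for received_at, source_type, line in records:
        ev = normalize(received_at, source_type, line)
        if ev and (ev["source"], ev["class"]) in allowed:
            admitted.append(ev)
        else:
            dropped[source_type] += 1
    return admitted, dropped

# 4. The use case's login-counting rule, run only over admitted events.
def brute_force_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Alert when a user accumulates >= threshold failures (across sources)
    inside `window` and then logs in successfully.  One alert per burst."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        failures = []
        for ev in evs:
            failures = [f for f in failures if ev["ts"] - f["ts"] <= window]
            if ev["class"] == "auth_failure":
                failures.append(ev)
            elif len(failures) >= threshold:
                alerts.append({"user": user, "failures": len(failures),
                               "success_from": ev["src_ip"], "at": ev["ts"]})
                failures = []
    return alerts

# Constructed aggregator output: (receipt time, source type, raw line).
RAW_RECORDS = [
    ("2012-09-14T10:00:01", "linux_syslog", "Sep 14 10:00:01 bastion sshd[911]: Failed password for alice from 203.0.113.7 port 5001 ssh2"),
    ("2012-09-14T10:00:03", "linux_syslog", "Sep 14 10:00:03 bastion sshd[911]: Failed password for alice from 203.0.113.7 port 5002 ssh2"),
    ("2012-09-14T10:00:05", "linux_syslog", "Sep 14 10:00:05 bastion CRON[920]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("2012-09-14T10:00:06", "windows_security", "EventID=4625 TargetUserName=alice IpAddress=203.0.113.7 LogonType=3"),
    ("2012-09-14T10:00:09", "windows_security", "EventID=4624 TargetUserName=alice IpAddress=203.0.113.7 LogonType=3"),
    ("2012-09-14T10:00:10", "apache_access", '203.0.113.7 - - [14/Sep/2012:10:00:10 +0000] "GET /login HTTP/1.1" 200 512'),
    ("2012-09-14T10:00:12", "linux_syslog", "Sep 14 10:00:12 bastion sshd[930]: Accepted publickey for bob from 198.51.100.5 port 6000 ssh2"),
    ("2012-09-14T10:00:15", "netflow", "198.51.100.5:6000 -> 10.0.0.4:22 proto=6 bytes=4096"),
]

if __name__ == "__main__":
    admitted, dropped = admission_filter(RAW_RECORDS, USE_CASES)
    print(f"admitted {len(admitted)} events, dropped {dict(dropped)}")
    for alert in brute_force_then_success(admitted):
        print("ALERT", alert)
```

The web access log and the flow record never reach the SIEM because no declared use case consumes them; they are still in the aggregator if an incident responder needs them later. Adding a second use case (say, web attack detection) is what should widen the filter, not a vague “we might need it.”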

So, think about using the data before you admit it into a SIEM!

Related SIEM posts:

Monday, September 10, 2012

Monthly Blog Round-Up – August 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it needs another update…)
  2. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  3. My PCI DSS Log Review series is popular as well.
  4. “On Choosing SIEM” is another old classic (from 2010) that shows up on my top list.
  5. Next is “SIEM Resourcing or How Much the Friggin’ Thing Would REALLY Cost Me?” While reading this, also check this presentation.
In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current SIEM research:

Other fun posts:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Thursday, August 02, 2012

One Year at Gartner!

Believe it or not, I've been at Gartner for a year. One whole year has passed since that infamous blog post. I don't feel like diving into deep reflections and long contemplations about it, but I wanted to share how it was. During this year, I …

  • learned a lot, and expanded my security knowledge into new areas such as denial of service defense 
  • found out that being an analyst is a lot of fun
  • realized that there are many levels of writing excellence beyond the level that I thought I had …
  • interacted with a lot of smart people both within and outside Gartner
  • helped dozens of our clients – both security vendors and large enterprises - with their security challenges, some simple and some pretty esoteric
  • discovered that a lot of companies are not where our industry pundits and "thought leaders" say they are (“what is more common today at large organizations, cloud or Windows 2000?”)

That's about it - I am really looking forward to my second year!

Wednesday, August 01, 2012

Monthly Blog Round-Up – July 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
  2. Next is “SIEM Resourcing or How Much the Friggin’ Thing Would REALLY Cost Me?” While reading this, also check this presentation.
  3. “On SIEM Services” appearing on this list reminds me that the Internet has a mind of its own, as this post is closely related to what I am working on right now.
  4. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  5. Finally, “Book Review: “UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A complete guide to analyst influence” by Richard Stiennon” made it to the top 5 as well.
In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current SIEM research:

Other fun posts:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Thursday, July 19, 2012

Metricon 7 Workshop Reminder

Just a quick reminder about the Metricon 7 workshop on security metrics.

Date: August 7, 2012

Location: Bellevue, WA (co-located with USENIX 12)

Registration: https://www.usenix.org/conference/usenixsecurity12/registration-information (pick just the metrics workshop or the entire event)

Agenda:

1. Introduction to Metricon, security metrics and workshop goals by Anton Chuvakin (9:00-9:30)

2. “Even Giant Metrics Programs Start Small” by David Severski (9:30-10:30)

3. Break (10:30-10:45)

4. PANEL: “Rules of the Road for Useful Security Metrics” (10:45-11:30)

5. Mini-talk 1 and 2 – TBD (11:30-12:00)

6. Lunch break (12:00-1:00)

7. “What We Want to See in Security Metrics” by Christopher Carlson (1:00-2:00)

8. PANEL: “What We Know to Work in Security Metrics” (2:00-2:30)

9. “Application Security Metrics We Use” by Steve Mckinney (2:30-3:00)

10. Break (3:00 – 3:15)

11. "Threat Genomics and Threat Modeling” by Jon Espenschied (3:15-4:15)

12. Discussion time, everybody shares lessons, highlights, etc (4:15-5:00)

13. Conclusions, results and action items by Anton Chuvakin (5:00-5:15)

Additional details: here 

See you there!

Tuesday, July 17, 2012

Book Review: “UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A complete guide to analyst influence” by Richard Stiennon

This is not a book for everybody (and your grandmother probably does not need to read it; neither does an average IT professional). However, I think that this book is pure gold for those tasked with interacting with analyst firms.

I am an analyst, and I wish every vendor client read this book and followed some of the advice given there. It would reduce pain on both sides of the conversation, as well as make the interactions more valuable for – again! - both sides.

Obviously, this is not a book to guarantee your IT product a favorable placement in analyst research. It is also not a book on how to bamboozle the analysts, despite its focus on analyst influence. However, it is definitely a book to make sure that well deserving products, developed and marketed by good teams of people, don't get sidelined.

Some of the specifics that I liked include the influence pyramid concept, social media techniques, a careful approach to managing corporate Wikipedia entries, specific approaches to various analyst activities (such as calls, reports, advisory days and conferences), etc. My favorite sections (both fun to read as well as insightful!) are the one on “guerrilla tactics” and the obligatory “what not to do” chapter (the latter has a few sad case studies of IT vendors who screwed themselves up). Another great chapter covers the role of a vendor sales team in both helping the interaction with the analyst firm and avoiding some embarrassing mistakes.

In fact, this book makes me proud to be an analyst. Then again, maybe it is my ego talking as the book seems to project an impression that “an analyst is the most important person in the world“, at least as far as IT vendors are concerned.

Finally, if you are an IT vendor marketer, remember: when you say “holistic," some analysts think “imaginary.” Richard suggests scrubbing your presentations of silly, meaningless words like “synergy” and “holistic.”

Monday, July 09, 2012

Monthly Blog Round-Up – June 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
  2. My PCI DSS Log Review series is popular as well.
  3. “On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
  4. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm.
  5. “Log Management at $0 and 1hr/week?” is where a lot of companies still are, thus this post became popular again.
In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Denial of Service research:

Other fun posts:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Tuesday, June 12, 2012

"PCI Compliance", 3rd edition - Out On August 6, 2012

A new edition (3rd) of our book "PCI Compliance" is coming out on August 6, 2012.
It covers PCI DSS 2.0, as requested by many of our readers.  Other new materials include Emerging Technology and Alternative Payment Schemes, PCI for the Small Business, etc. A full ToC for this new edition is here.

Get the book in print or for Kindle!




Friday, June 01, 2012

Monthly Blog Round-Up – May 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Log Management at $0 and 1hr/week?” is where a lot of companies still are, thus this post became popular again.
  2. “Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
  3. “Why No Open Source SIEM, EVER?” (and this) is next – for some weird reason. I suspect a lot of people still crave a free open source SIEM tool.
  4. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm.
  5. “On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Denial of Service research:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Friday, May 18, 2012

Book Review: “Security De-Engineering: Solving the Problems in Information Risk Management” by Ian Tibble

This book is probably the most thought-provoking book on security I have read in the last 5-7 years! While I'm somewhat known for my proclivity to exaggerate, I assure you this is not an exaggeration. As I was reading it, I felt like I connected to deep layers of the subconsciousness of the security industry.
In fact, the influence this book has already had on me is palpable: I found myself using some of its terms (such as the author’s favorites, “intellectual capital” and “CASE”) and concepts the day after I started reading it.

As a brief summary, the book investigates the evolution of the way we do information security from the “hacker-led” late 1990s to the “compliance-heavy” late 2000s and today. The author also highlights dramatic problems with today's approach to security and suggests some solutions in the way people think and operate around security.

In fact, it might be one of the most influential books ever written in the history of the security industry, one that appeared at the best possible time, when it is most needed. Along the same line, I have grown worried about the ranks of security professionals who are not hands-on with technology and who have never secured production systems. Like the author, I have grown frustrated with the ranks of idiots who equate compliance and security. Even the author’s rant about ethics is something I've been thinking about for years.

The author slaughters a few of the sacred cows of the security industry: the one that “executives are clueless” and the one that we “must have reliable actuarial data on incidents to stay relevant.” He also highlights a few categories of security products that are notorious for not delivering value and explains the reasons for that. Most of his points are backed up by specific cases from his experience, going back to the end of the 1990s when the security industry was born.

And, of course, as with any thought-provoking writing, I cannot say I agree with every word I read. For example, I am much less negative on vulnerability assessment technology than the author (I don't think these tools give you 50% “false negatives” on common platforms today). Furthermore, I abhor the use (misuse, really) of “ROI” for justifying security spending. Style-wise, the author is a little too fond of repetition for my taste. However, having a summary after each chapter is a great idea.

Finally, despite the unreasonably high price, I feel that every member of the security community MUST read this book. Literally every chapter will have insights that will make you a better security professional today.
All book reviews.

Tuesday, May 01, 2012

Monthly Blog Round-Up – April 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
  2. “Why No Open Source SIEM, EVER?” (and this) is next – for some weird reason. I suspect a lot of people still crave a free open source SIEM tool.
  3. “On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
  4. “Log Management at $0 and 1hr/week?” is where a lot of companies still are, thus this post became popular again.
  5. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm.
In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Denial of Service research:

Cloud security monitoring research:

Future SIEM analytics research:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Monday, April 30, 2012

Metricon 7 Call for Papers

This is a Call for Papers (CFP) for Metricon 7.

Key stats first:

  • Conference date: August 7, 2012
  • CFP deadline: May 31, 2012
  • Conference location: Bellevue, WA
  • Cost to attend: free (but you’d need to add value to discussions).

CFP follows below and can be found at SecurityMetrics site.

Metricon 7 - Security Metrics: Useful or Bust!!

How to define, generate, and communicate security metrics you can use TODAY!

This year, Metricon 7.0 is excited to issue a call for participation to the information security community. The event will occur August 7th 2012, co-located with USENIX in Bellevue, WA.

Given that this is the 7th event, we think it is time to finally say it: security metrics MUST be useful NOW! Thus, the focus this year is on useful and usable metrics – not conceptual and theoretical stuff that sounds great, but cannot and will not be used in today’s organizations. Also, presentations and panels that talk about “How?” and “What?” will be strongly prioritized over “Why?” (and “whine”). Enterprises and tool vendors are both welcome to present! Academic researchers tackling real-world problems are welcome as well.

We want to see:
• How you achieved “quick wins” with security metrics
• How you define useful metrics, whether risk or operational
• Which of the metrics you track are the most useful
• How you solved a particular challenge in the security metrics area
• How your tool helps (not “can help”!) with collecting and analyzing security metric data
• Who gets the metrics you create, and how they use them
• What metrics you use to determine that security controls are effective
• How organizations generate actionable advice from security metrics
• How to track that your security is improving using metrics

We do not want:
• Uncollectable and unusable metrics
• Metrics philosophy
• Uncooked metrics that sound vaguely “interesting”

Send submissions and your ideas for panels and presentations to metricon7@securitymetrics.org

Deadline for presentation and talk submissions is May 31st, 2012. Submissions should be sent to Metricon7@securitymetrics.org.

Monday, April 02, 2012

Monthly Blog Round-Up – March 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people
  2. “Updated With Community Feedback SANS Top 7 Essential Log Reports DRAFT2”, “SANS Top 5 Essential Log Reports Update!” and their predecessor “Top5 SANS Log Reports Update DRAFT” also show up close to the top. IF YOU WANT TO VOLUNTEER TO FINISH THIS DOCUMENT, PLEASE EMAIL ME!
  3. My classic PCI DSS log review series is still on my Top 5: “Complete PCI DSS Log Review Procedures”; they are also useful for other compliance or security log review and log monitoring.
  4. “On Free Log Management Tools” is a companion to the checklist above (updated version)
  5. “On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
In addition, I’d like to draw your attention to a few posts from my Gartner blog:
  1. “Big Analytics” for Security: A Harbinger or An Outlier?
  2. Many Faces of Application Security Monitoring
  3. More on Application Security Monitoring
  4. Cloud Security Monitoring for IaaS, PaaS, SaaS
  5. More On Security Monitoring of Public Cloud Assets
  6. Is Cloud Secure? WTFC!
  7. Cloud Security Monitoring!
  8. Cloud Security Monitoring: IaaS Conundrum
  9. Cloud IS Different: So Monitoring Must Be Different?
Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Friday, March 09, 2012

The Log Book Needs YOUR Help!

As most of you know, I’ve been working on a book about logs, logging and log management for some number of years. At this point, the book is almost done, but the author team is having some minor time commitment issues (aka “less time to write than originally estimated”).

So, do any of my esteemed blog readers (those adept in the dark arts of log analysis) care to help and write a few chapters here and there, in exchange for (lots of) immortal fame and (admittedly small amount of) cash?

Table of contents is here – if you see any chapters you’d like to help with, please let us know. I will post a list of chapters that really need help soon.

At this point, we have PLENTY of reviewing help, but we sure can use some writing help!

Friday, March 02, 2012

Monthly Blog Round-Up – February 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people
  2. “On Free Log Management Tools” is a companion to the checklist above (updated version)
  3. My classic PCI DSS log review series is last on my Top 5: “Complete PCI DSS Log Review Procedures”; they are also useful for other compliance or security log review and log monitoring.
  4. “Updated With Community Feedback SANS Top 7 Essential Log Reports DRAFT2”, “SANS Top 5 Essential Log Reports Update!” and their predecessor “Top5 SANS Log Reports Update DRAFT” also show up close to the top. IF YOU WANT TO VOLUNTEER TO FINISH THIS DOCUMENT, PLEASE EMAIL ME!
  5. “On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
In addition, I’d like to draw your attention to a few posts from my Gartner blog:
  1. Many Faces of Application Security Monitoring
  2. Cloud Security Monitoring for IaaS, PaaS, SaaS
  3. More On Security Monitoring of Public Cloud Assets
  4. Cloud Security Monitoring!
  5. Cloud Security Monitoring: IaaS Conundrum
  6. Cloud IS Different: So Monitoring Must Be Different?
Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Friday, February 24, 2012

See You At RSA 2012!

Just a quick note to my readers: see you at RSA 2012 next week. I am around Monday-Thursday and even though most of my time is booked, you can probably find me near the press room at odd hours.


Wednesday, February 01, 2012

Monthly Blog Round-Up – January 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “On Free Log Management Tools” is a companion to the checklist below (updated version)
  2. “Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people
  3. “Updated With Community Feedback SANS Top 7 Essential Log Reports DRAFT2”, “SANS Top 5 Essential Log Reports Update!” and their predecessor “Top5 SANS Log Reports Update DRAFT” also show up close to the top. IF YOU WANT TO VOLUNTEER TO FINISH THIS DOCUMENT, PLEASE EMAIL ME!
  4. “On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
  5. My classic PCI DSS log review series is last on my Top 5: “Complete PCI DSS Log Review Procedures.”
In addition, I’d like to draw your attention to a few posts from my Gartner blog:
  1. Cloud Security Monitoring for IaaS, PaaS, SaaS
  2. More On Security Monitoring of Public Cloud Assets
  3. Cloud Security Monitoring!
Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.


Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Wednesday, January 04, 2012

Annual Blog Round-Up – 2011

Here is my annual "Security Warrior" blog round-up of top 10 popular posts/topics in 2011. This list covers the posts most popular in 2011, not necessarily only those written in 2011.

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

  1. “Simple Log Review Checklist Released!” was again the most popular this year. The checklist is a list of critical things to look for while reviewing system, network and security logs when responding to a security incident.
  2. The “PCI DSS Log Review” series of posts takes the #2 spot; the posts are about planning and executing PCI DSS-driven log review at an organization.
  3. “On Free Log Management Tools” is another perma-popular post, presenting a companion resource to the log checklist above.
  4. “On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
  5. “Log Management at $0 and 1hr/week?” is pretty much what it is: how to do log management under extreme budget AND time constraints.
  6. “Top 10 Criteria for a SIEM?” is an EXAMPLE criteria list for choosing a SIEM.
  7. “SIEM Resourcing or How Much the Friggin’ Thing Would REALLY Cost Me?” is a quick approach to planning SIEM costs.
  8. A humorous post, “Top 10 Things Your Log Management Vendor Won't Tell You”.
  9. A 2009 post called “Log Management + SIEM = ?” gives some quick architecture advice on combining SIEM and log management.
  10. Finally, “The Last Blog Post!” also made the top 10 list – it announced my departure from consulting (and blogging) in order to join Gartner.

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010.

Tuesday, January 03, 2012

Monthly Blog Round-Up – December 2011

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month.

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

  1. “On Free Log Management Tools” is a companion to the checklist below (updated version)
  2. “Simple Log Review Checklist Released!” is often at the top, and it is again this month – the checklist is still a very useful tool for many people
  3. “On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
  4. “Log Management at $0 and 1hr/week?” is pretty much what it is: how to do log management under extreme budget AND time constraints.
  5. “Top 10 Criteria for a SIEM?” is an EXAMPLE criteria list for choosing a SIEM.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

  1. On Vulnerability Prioritization and Scoring
  2. On LARGE Scale Vulnerability Management
  3. On Scanning “New” Environments

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010.

Dr Anton Chuvakin