Thursday, January 31, 2008

A MUST Read From Rich: "11 Truths We Hate to Admit" About Security

Rich's "11 Truths We Hate to Admit" About Security is a must read (and think about!)!

Examples are:

2. The bad guys beat us because they're agnostic and we're religious.
4. Vendors are like politicians – they lie to us because we ask them to.
8. Network security is the result of a mistake, not an industry worth perpetuating.
9. Disclosure is dead.

etc. Read on!

Wednesday, January 30, 2008

Tools Need People!!

Very enlightening post from Jeremiah Grossman here. It is obvious, some would say painfully so, but many, many sadly don't GET IT: tools don't solve problems, people use tools to solve problems.

Excerpt: "... I stopped short and said, “That’s never going to work!” A little stunned he asked, “Why not?”" (read more)

There is also a side conclusion: if you don't plan to actually use the tools or don't have anybody who would use it, it really won't matter which one you'd pick - you are guaranteed to flush your money down the toilet ...

Online = Public

Yes, I've heard of access controls and such. However, it is more useful and safe to believe what was mentioned in the article: "It is ridiculous to think that there is privacy on public websites." (not to say that it is true in all cases...)

If you are sharing online - think 'you are sharing with the world.' If you want it private, keep it private (= offline) ...

SANS Security Laboratory Thought Leadership Interview

Here is a fun interview with me at SANS site. I share a bunch of thoughts on logging and log management. For example, what is my #1 logging pet peeve, what's the #1 logging mistake, will we ever see log standards, why are we looking at an increase in the number of log types we need to look at, etc.

It starts like this: "Dr. Anton Chuvakin from LogLogic has agreed to be interviewed by the Security Laboratory and we certainly thank him for his time! He is probably the number one authority on system logging in the world, and his employer is probably the leading vendor for logging, so we appreciate this opportunity to share in his insights."

Monday, January 28, 2008

New Paper: "Security policy in the age of compliance"

Another fun read in the "... in the age of compliance" series on ComputerWorld: "Security policy in the age of compliance."

"In my previous articles, I have covered specific topics (log management, incident response, intrusion detection, and computer forensics), but now it's time to take a step back and look at the forest rather than the trees. Those specific subjects are all covered by the same broader umbrella: the corporate security policy." (read more)

AV Test Report?

Here is that widely ridiculed anti-virus test report (with >95% average of successful detection).

My comments?

a) Make your own darn conclusions ...
b) Credible AV testing is a hard, hard problem.

Friday, January 25, 2008

"First Ever CyberWar" Cost $1,642? Bua-ha-ha!

Remember "Estonian DoS", the "first cyber-war ever" (gasp! :-)) -

"A 20-year-old Estonian student has been fined for participating in a cyberattack that paralyzed Estonian Web sites and soured the country's relationship with Russia, a government official said Thursday. [...] Galushkevich must pay $1,642. "

So, will the scaremongers please shut up?

Nice Attack Thru Logs!

What if those referrer URLs in your web logs are evil? (SANS ISC entry)

If you review your web logs (web server logs, for example) and blindly click every referrer URL to see who sent traffic to your site, there is a good chance that you'd be 0wned!
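As an added example (not code from the original post or from the SANS ISC entry), here is how a defender can review referrers from a web log without ever fetching them: parse the combined-format lines, defang every URL so it cannot be clicked or auto-linked when pasted into a report, and flag the ones that deserve a closer look (non-web schemes, bare IP hosts, a second URL smuggled in the query string). The log lines and every hostname in them are constructed for this example.

```python
"""Review web-log referrers without visiting them (added example, constructed data)."""
import re
from urllib.parse import urlsplit

# Constructed combined-format log lines; the referrer hosts are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2008:10:15:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "http://search.example/?q=logs" "Mozilla/5.0"
198.51.100.9 - - [24/Jan/2008:10:15:40 -0500] "GET /blog/ HTTP/1.1" 200 8190 "http://203.0.113.55/stats.php?id=1" "Mozilla/4.0"
192.0.2.33 - - [24/Jan/2008:10:16:11 -0500] "GET /blog/ HTTP/1.1" 200 8190 "-" "Mozilla/5.0"
192.0.2.34 - - [24/Jan/2008:10:16:12 -0500] "GET /blog/ HTTP/1.1" 200 8190 "javascript:alert(1)" "curl/7.16"
192.0.2.35 - - [24/Jan/2008:10:16:13 -0500] "GET /blog/ HTTP/1.1" 200 8190 "http://referrer.example/go?u=http://login.bank.example.evil.example/" "Mozilla/5.0"
"""

# Apache/NGINX "combined" log format: client, ident, user, [time], "request", status, size, "referrer", "agent".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

def defang(url):
    """Make a URL safe to paste into a ticket or report: it will neither auto-link nor open."""
    return url.replace("http", "hxxp").replace(".", "[.]")

def suspicious_reasons(url):
    """Cheap, offline heuristics; anything flagged goes to a sandbox, not to a browser."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{parts.scheme or 'none'}'")
    host = parts.hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("bare IP address as host")
    if "http" in parts.query.lower():
        reasons.append("embedded URL in the query string")
    return reasons

def referrers(log_text):
    """Yield (client ip, raw referrer) for every parsable line that carried a referrer."""
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # unparsable line: skip it here, never try to "open" anything in it
        ref = m.group("referrer")
        if ref and ref != "-":
            yield m.group("ip"), ref

def review(log_text):
    """Build the review table: defanged referrer plus the reasons it deserves a closer look."""
    rows = []
    for ip, ref in referrers(log_text):
        rows.append({"client": ip, "referrer": defang(ref), "flags": suspicious_reasons(ref)})
    return rows

if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(row["client"], row["referrer"], ", ".join(row["flags"]) or "-")
```

The referrer field is attacker-controlled input like any other log field, so the script never touches the network; the defanged form is what goes into the report, and the raw form only ever goes into an isolated analysis environment.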

99% PCI Compliance?

Via PCIDSS blog we hear that "99% of Level 1 Merchants and 92% of Level 2 Merchants have met compliance or have submitted an approved remediation program."

Is this cool or what?
I bet it is an "or what" :-)

Others say "more than a year after the TJX breach first came to light, only 30 percent of retailers are PCI compliant, according to Sophos’ 2008 Internet Security Report. "

What's the story here? Some numbers are for Visa 'Level 1s' only while others are for all merchants (all levels?), but this is still too big a difference...

Webcast Version of My "Choosing Your Log Management Approach" Presentation

As I mentioned before, this presentation of mine called "Choosing Your Log Management Approach: Buy vs Build vs Outsource" will be turned into a webcast. It will first be aired on the following date:

January 29, 2008
2:00 p.m. EST/ 11:00 a.m. PST

Direct link to registration.

If you are dealing with logs (or planning to start!), it is a very worthwhile presentation to attend. And fun too!

Thursday, January 24, 2008

Evil Silos

Today I will speak about evil. Yes, evil! There is plenty of evil in the world of logs (e.g. ugly logs), but this is a "bigger, better" evil :-): siloed approach to logs!

There is little that I hate more than a siloed approach to logs. A situation where you have your security team "owning" network IDS logs, the network team having firewall and router logs (as well as all SNMP traps) and, say, sysadmins possessing (or, rather, ignoring!) the logs from servers and desktops is not only sad, counterproductive, inefficient and wasteful, but also dangerous.

Where does such an approach to logs (where they are divided by both technical and political chasms) break down most painfully? In case of an incident response, of course. This is where, instead of one query across all logs and all log sources (or whatever needed subset of logs or log sources), you'd end up having to run around, beg, connect, wait, swear, wait, download logs, dig in many places at once, wait, grep, suffer with many UIs, swear more - and have the time of your life in general! :-) All of the above instead of connecting to your shiny new log management system and running a few reports, drilldowns and searches across the relevant logs.

Ideally, you'd fight the evil and break down the silo walls by deploying a log management platform across the entire organization and then letting every team that needs logs get them from the system in a controlled fashion, via the interface or a web API (BTW, LogLogic has a web API to get logs!). Apart from being a trend (e.g. see the recent ESG report on that), it will make your IT and security operations that much more efficient - and pleasant!

On the other hand, what is bizarre is that some newer vendors, who claim to do log management, actually work to propagate, not combat, the siloed approach. For example, selling the tool for $5000 to each of the many separate teams within the organization IMHO must be made illegal :-) as it builds walls, not bridges; digs holes and overall "silo-izes" your operation...
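As an added example of the "one query across all logs" idea (my own code, not LogLogic's and not from the original post): three constructed log excerpts in three formats, each of which would typically live with a different team, normalized into one record shape so that a single question about an IP address returns a single timeline. The line formats are simplified approximations of a Snort fast-style alert, an iptables kernel log and an sshd syslog message; the year is assumed to be 2008 because those timestamps omit it, and the IDS signature id is a placeholder.

```python
"""Normalize three 'silos' of logs into one timeline (added example, constructed data)."""
import re
from datetime import datetime

# Constructed samples: simplified Snort-style alert, iptables kernel log, sshd syslog.
IDS_LINES = """\
01/24-10:15:02.123456 [**] [1:1000001:1] CONSTRUCTED SSH scan signature [**] {TCP} 203.0.113.7:4421 -> 192.0.2.10:22
"""
FW_LINES = """\
Jan 24 10:15:03 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4421 DPT=22
Jan 24 10:15:05 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5130 DPT=80
"""
SSHD_LINES = """\
Jan 24 10:15:09 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4421 ssh2
Jan 24 10:15:12 web1 sshd[2201]: Accepted publickey for deploy from 192.0.2.50 port 50122 ssh2
"""

ASSUMED_YEAR = 2008  # syslog and Snort timestamps carry no year; an assumption for this example

IDS_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[[^\]]+\] (?P<msg>.*?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: .*SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dport>\d+)"
)
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<msg>.*) from (?P<src>[\d.]+) port \d+"
)

def _syslog_time(text):
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)

def parse_ids(line):
    m = IDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"ts": ts, "silo": "ids", "host": "sensor", "src_ip": m["src"], "dst_ip": m["dst"],
            "message": f"{m['msg']} ({m['proto']}/{m['dport']})"}

def parse_fw(line):
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": _syslog_time(m["ts"]), "silo": "firewall", "host": m["host"],
            "src_ip": m["src"], "dst_ip": m["dst"], "message": f"{m['proto']} to port {m['dport']}"}

def parse_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    # the server itself is the destination; sshd does not log its own address
    return {"ts": _syslog_time(m["ts"]), "silo": "sshd", "host": m["host"],
            "src_ip": m["src"], "dst_ip": None, "message": m["msg"]}

def load(text, parser):
    """Parse every non-empty line; keep unparsable lines visible instead of silently dropping them."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parser(line)
        records.append(rec if rec else {"ts": None, "silo": "unparsed", "host": None,
                                        "src_ip": None, "dst_ip": None, "message": line})
    return records

def all_records():
    return load(IDS_LINES, parse_ids) + load(FW_LINES, parse_fw) + load(SSHD_LINES, parse_sshd)

def timeline(records, ip):
    """The one query the post asks for: every event, from every silo, that mentions `ip`."""
    hits = [r for r in records if ip in (r["src_ip"], r["dst_ip"])]
    return sorted(hits, key=lambda r: r["ts"])

if __name__ == "__main__":
    for r in timeline(all_records(), "203.0.113.7"):
        print(r["ts"].strftime("%H:%M:%S"), r["silo"], r["host"], r["message"])
```

The point is the shape of the records, not the parsers: once IDS, firewall and server logs share a `ts` / `src_ip` / `dst_ip` / `message` schema, the incident responder's question becomes one function call instead of three teams, three UIs and three greps.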


NERC CIP Rules Out - Logs In!

NERC security rules [PDF], that were updated and became mandatory last week, might well become "a new PCI DSS" and trigger "a golden age" of security in the energy industry: the rules are mandatory, they are specific (more specific than a lot of other regulatory security guidance) and there is an enforcement body (NERC) that can make life miserable for those not complying.

Here are some log-related examples from the guidance:

"R5.1.2. The Responsible Entity shall establish methods, processes, and procedures
that generate logs of sufficient detail to create historical audit trails of
individual user account access activity for a minimum of ninety days. "


"R6.4. The Responsible Entity shall retain all logs specified in Requirement R6 for ninety calendar days.
R6.5. The Responsible Entity shall review logs of system events related to cyber security
and maintain records documenting review of logs. "

So, again: have logs, retain them ("Top 11 Reasons to Collect and Preserve Computer Logs") and review them ("Top 11 Reasons to Look at Your Logs").

Hey! Vote on a poll!

Hey, hey, hey - why are you ignoring my most fun poll ever? :-) Vote on!

Wednesday, January 23, 2008

Baboon for a Manager?!

OMG, this is both funny and true: "Baboons can demonstrate the same risk management skills as some managers" draws "an interesting parallel between the wild baboons from his native [South Africa] land and the counter-productive habits of many businesses today."

Tuesday, January 22, 2008

Internet Down?

Fun, thought-inspiring reading:
Papers like that help put system and network security in the right context: if your business will run just fine even after losing your IT, your connectivity and all your data (e.g. you are a lemonade stand! :-)) then it is OK to fire that security manager :-) If not, get to work - your security likely needs improvement!

So, think about it, it is 2008 now and the paper says that "for the non-Web-centric business, the loss of the Internet likely would likely be, at the very least, a major inconvenience as well" (obviously, "[online] businesses would also come to a crashing halt").

Now think 2018. Will a typical business of 2018 survive that intact?

If you are still not getting it, think 2028. Will there be any businesses that will survive the "stop of the Internet"? My guess is NO (not even lemonade stands....).

TJX Lessons

Very enlightening read on TJX lessons one year later. Highlights:

"Breach disclosures don't always affect revenue or stock prices ... Despite being the biggest, costliest and perhaps most written-about breach ever, customer and investor confidence in TJX has remained largely unshaken."

"TJX has said that in the 12 months since the breach was disclosed, it has spent or set aside about $250 million in breach-related costs."

"... many retailers, including top-tier ones like TJX, had not yet fully implemented the set of security controls mandated by the major credit card companies under the Payment Card Industry Data Security Standard, or PCI."

IPs Now Private Info?

Thru we learn (original here) about something that might have pretty dramatic implication to logging and log management: "IP addresses, string of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said Monday." (the quote is related to EU fight with Google, also described there)

Wow! If accepted, this will have quite some implications for logging ( outline a few fun implications as well), since it will dramatically increase the sensitivity of logs and will turn all logging projects, no matter how small and tactical, into "PII collection efforts" with a heavy privacy price to pay.

Now I have to share the dirty, evil thought that crossed my mind when I read it: at one point, Google and other companies should just boycott those "'dumb privacy' freaks" and conduct a wonderful experiment: how long will those Europeans survive without search engine "service?" But wait a few years, Google, before pulling the plug: it will make sure that the Internet becomes truly indispensable ...

Also, what do I mean by "dumb privacy"? Am I anti-privacy? No (not anymore), this is where I explain it. I did experience my eureka moment during a webcast on privacy when I realized the existence of a "privacy chasm" (see more here)

UPDATE: Richard Stiennon calls it "crazy talk of the third degree" here.

HIPAA Growing Teeth, Round II?

Half a year after round one of "HIPAA Growing Teeth" we proudly give you: round deux :-)

Specifically, the "CMS to check hospitals for HIPAA security compliance" paper claims that "The Centers for Medicare and Medicaid Services (CMS) will begin on-site reviews of hospitals’ compliance with security rules mandated by the Health Insurance Portability and Accountability Act of 1996. "

Can these guys kick (eeeeh, "bite," not "kick," since we are talking about "growing teeth" :-)) some insecure healthcare ass? Only time will tell, but HIPAA won't be another PCI DSS (for many reasons)

Thursday, January 17, 2008

Logs = Accountability!

I was thinking about logs the other day :-)

And the following thought occurred to me: Logs = accountability.

So, what is accountability, really? Wikipedia defines it as "Accountability is a concept in ethics with several meanings. It is often used synonymously with such concepts as answerability, enforcement, responsibility, blameworthiness, liability and other terms associated with the expectation of account-giving."

Yes, there are many other mechanisms of accountability in an organization, but logs are the one that pervades all of IT. And if your IT is not accountable, your business is neither. Thus, if you tend to not be serious about logs, be aware that you are not serious about accountability. Is that the message your organization wants to be sending?

Ignoring logs is not just stupid (due to losing that important resource for troubleshooting and security), it is not only illegal (due to various regulations), but it is also unethical! :-)

UPDATE: OMG, how could I miss it when writing this post? Dan Geer's classic testimony before the "Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology" succinctly states: "Priority number five: Accountability, not access control." He then explains how accountability and monitoring succeed and shine when access control and restrictions fail.


Luck-based Security?

Fun quote from this interview with Art Coviello of RSA: "Coviello: But I can tell you that every retail customer I went into, and I say, Why hasn't this [TJX-scale breach] happened to you? They say, Luck. All these systems were built prior to the Internet and they get connected to the Internet and then all of a sudden everyone's a schmuck."

It is a very useful reminder that a lot of our "security" is luck-based: in other words, you are not 0wned 'cause nobody got around to hacking you yet :-)

Wednesday, January 16, 2008

What If It Happened in 1979?

Now, I like to label all sorts of things as "fun read," but there is a limit. I was about to say "hey, fun read!" but then thought better of it. So read "Timeline 9: "The Big D" - what if "the mid-east war escalated and the tensions between the superpowers grew. March 17, 1979 nuclear war broke out: Egyptian missiles with Soviet warheads struck against Israel ..." (read it) This is indeed one of the most detailed and enlightening "alternative future" scenarios that I've seen.

Scary World Ahead?!

No, I appreciate a good piece of FUD, but one of my 2008 predictions is coming to life with scary, scary speed!

I predicted that "Loss of trust towards legitimate Internet sites = yes. This is manifested by things like this point by the WS guys - more 0wned than malicious sites are used to spread malware. Even now I shudder from the thought that ANY site I visit might be displaying a malicious banner [or serving malware thru other means] ad which is either bought or "hacked in" by the attackers. The implications of this are pretty horrifying!" and it does worry me, but I am not yet truly paranoid about this.

OK, change that "am" to "was." Today I officially became Internet-phobic (where do I sign up? :-)) when I heard (through a little birdie, as usual) that one of the security publication websites was 0wned (maybe thru banners? the details are not available yet) and serving malware. Nice! In a few minutes, I was also informed that one of the leading business publications is also serving malware. Fuck!

Yes, my personal system probably won't be 0wned by this, but many will be (IE users are clearly screwed, but I doubt that Firefox users or Mac fans will be immune either).

So, welcome to 0wned Internet 2.0, where every site is 0wned and is serving malware?

Bonus question: do you think major brand AV will protect you from the above?

UPDATE: a similar post from Andy, IT Guy called "Will Malware Kill the Internet?" is here. And another update on that from him (even more insightful)

UPDATE2: another fun one "Trend Micro Hacked - Serving Malicious Iframes"

Fun Info on Pain Rays

Representative quote: "The femtosecond laser they used is not quite capable of causing agony at the receiving end." :-)

Take This SANS/LogLogic Log Management Survey!

Here is fun survey on log management, check it out: "How do organizations use their log data? What are their challenges in log data analysis? What are their perceptions versus their practices? Take the third annual SANS/LogLogic Log Management Survey and help us find out. "

On Guanxi

I was reading this Stratfor piece on Guanxi called "China: Guanxi and Corporate Security" and there was something puzzling in it, so maybe somebody can explain it to me.

Wikipedia defines "Guanxi" as a "basic dynamic in personalized networks of influence" (here), while Stratfor says "many U.S. and other Western businesses, however, simply regard guanxi as corruption."

It seems like this thing has some pretty darn peculiar security implications ... especially this part of the Stratfor piece: "Chinese business ethics, however, are built on the basis of guanxi, which places relationships above other considerations, including an employer’s code of conduct and even the law. The idea that taking a job with a company, particularly a non-Chinese company, cancels obligations toward people with whom someone has long-term relationships and to whom one owes much guanxi is seen not only as alien but also as the essence of immorality."


UPDATE: more discussion of this here.

More Required Reading: Mike R

Mike R was going thru his 2007 predictions and checking them (good idea!); all are fun, but these are extra-hot:

and while we are at it: this bit from Mike on security management trends in 2008 is fun too (especially check his reference to log management!)

More on Security and Innovation

This whole thing (Parts I-IV) from Chris is, obviously, required reading.

Tuesday, January 15, 2008

I Should Really Not Touch This ....

... I really should not. But - darn it! - how can I miss a potential blog fight related to log management?

So, it seems like Raffy baited some poor folks from Prism with his post on "IT search" (what an abomination of a term!). But, seriously, "IT search" is a marketing term (nothing wrong with that, BTW!), so it will mean whatever the folks who coined it feel at any given moment. I really hate it when folks try to argue objectively with a clear fluke.

I think this debate is mostly about two approaches to logs: collect and parse some logs (typical SIEM approach) vs collect and index all logs (like, ahem, "IT search").

You can see where this one is going, right? :-)

Yes, Virginia! You do need to do BOTH - and you know who does both? LogLogic!

Fun 2008 Outlook With ...

.. the terms "risk", "threat", etc defined!

Among all the 2008 predictions I am tagging, this one is special: Top information security risks for 2008. Apart from the interesting insight, they - wow! - defined and used the terms for threat, vulnerability, risk and control. The actual doc is called top information security threats, vulnerabilities and impacts, along with some risk scenarios and controls [PDF]

OMG, This is Funny: BullshIT Awards :-)

Nick Selby delivers: "The 2007 BullsIT Awards: The Top Ten Tech-Flack Quotes of the Year! Annotated!"

Examples: "Our offering is very unique in the origination space." (#10) or "It’s a single, interoperable, scalable, extensive security framework that protects the data today and tomorrow as the infrastructure changes." (#3) and of course his old fave "They’re not related. There’s no relationship to our funding and our research and development cycle." (#1)

Tips for Correlation On a Budget

Even though I hated the reference to "... log management and its wiser, old brother, event correlation", this paper is a neat guide to "Event Correlation on a Budget." Correlation nowadays is nowhere near as mysterious as back in 2002 :-)

On the other hand, I am pretty shocked that the author missed OSSIM tool, which has more features compared to others mentioned.

Watch This Trend!

Fun - well, sort of! :-) - read: "Corporate Compliance: A Convergence With Electronic Discovery" (full version here - even though it devolves into an ad closer to the end)

Keep in mind that some surveys by ESG Group say that logs are requested in 74% of e-discovery cases. It might well be that e-discovery will power the next (or the one after next!) compliance wave.

To All Strategists!

Penelope wonders "Do you think you’re a strategist? You’re probably wrong."

Required reading for those of my colleagues who just coined new strategist titles for themselves...

Fun quote: "Most people I have managed have told me, at one point or another, that their strength is strategy. For the most part, I hear this as “I don’t know how to execute what you’re asking me to execute.” "

Fun Read: "Busting the 10 Myths About Data Protection"

I am sitting here in New Orleans, preparing for tomorrow's SANS Lunch and Learn (come over! it'll be fun since I will talk about "worst practices" again) and - yes! you guessed right! - a blogging frenzy descended upon me...

First, a fun Read: "Busting the 10 Myths About Data Protection"

For example: "Myth No. 4 I should be most concerned about protecting my data from data theft and malicious internal leaks." or ""

"Blocking" vs Logging: Which is A Better Deterrent?

Loved this quote from one of the mailing lists: "The best deterrent is going to be a policy stipulating consequences for violation, a logging server with at least many months of firewall/proxy/Internet access logs, and your employees understanding that you can track it back to them after the fact."

Why aren't more people thinking about it? Why such obsession about trying (and failing!) to block if you can log - and achieve the same policy outcome!?

Wednesday, January 09, 2008

My 2008 Security Predictions!

I just have to start with this quote from Rich Mogul: "... Legions of armchair futurists slobber over their keyboards, spilling obvious dribble that they either predict every year until it finally happens or is so nebulous that they claim success if a butterfly flaps its wings in Liechtenstein." :-) Amen to that, Rich. Onwards to my 2008 predictions!

So, just as in 2006 and 2007, I am coming up with security predictions that cover both technology and market. I just posted a review of last year's predictions, where I mostly erred on the conservative side. I promise to be more 'extreme' this year, while still keeping the old wisdom of Richard Feynman in mind: if you predict the status quo, you are more likely to be correct...

Here is my 'twitter-style' (I guess what used to be called telegraph-style :-)) view of predictions in no particular order:

Platform security:

  • Vista makes us secure = no. People start to actually use it (in large numbers) = maybe. And then get 0wned = yes! The volume of Vista hacking (and then Win 2008 hacking) will increase as the year progresses.
  • Increase in Mac hacking = yes. The story is that Vista drives Mac adoption -> Mac increase in popularity will drive a new wave of Mac "0wnership"
  • Web application hacking still on the growth path = yes. As they say, 'it will get worse before it gets better.' I am predicting that 2008 is still the year when it continues to be getting worse.


  • 0day use becomes mundane = yes. This will be especially true for those browser-hacking folks who "need" to earn some cash off phishing and other data theft. Thus, "0day use" will no longer constitute news!

Hacking, data theft, etc:

  • Loss of trust towards legitimate Internet sites = yes. This is manifested by things like this point by the WS guys - more 0wned than malicious sites are used to spread malware. Even now I shudder from the thought that ANY site I visit might be displaying a malicious banner ad which is either bought or "hacked in" by the attackers. The implications of this are pretty horrifying!
  • Major utility/SCADA hack = no (not yet). Everybody predicts this one forever (as Rich mentions), but I am guessing we would need to wait another year or so for this ...
  • Cyber-terrorism = no (again, not yet!) Will it be a reality in the future? You bet! Just not now ...
  • A massive data theft to dwarf TJX = yes. And it will include not some silly credit card number (really, who cares? :-)), but full identity - SSN and all.


  • The year of mobile malware = no (not yet, if you insist!). As I discussed here, mobile malware is "a good idea" (for attackers) provided there is something valuable to steal (not the case yet in the US)
  • More fun bots = yes. Bots are here to stay: they follow an overall trend for IT automation (seriously!). Think of bot infrastructures as "shadow IT" with their own SLAs, business model innovation, performance optimization tactics, etc
  • Fewer worms and viruses = yes (why write one if you can make money off bots?) As the share of "conventional" viruses and worms in the whole malware universe decreases, so will the popularity of "legacy" AV vendors ...
  • Facebook malware/malicious app = yes. This one will be fun to see (others agree), and current malware defenses will definitely not stop this "bad boy." On the flip side, there is not that much to steal off Facebook accounts ...


  • PCI DSS continues its march = yes. In fact, I bet the PCI DSS frenzy will spread downmarket - there are sooooo many more Level 3s and Level 4s compared to Level 1 merchants. They all take CCs, they are all insecure - thus, they will all be 0wned! And then hopefully fined :-)
  • ISO17799, ITIL, COBIT frameworks = maybe (again); they likely won't be 'hot,' at least not in the US; ad hoc approach (with some use of ideas from the above frameworks) to security management will still rule.

Risk management:

  • Will we know what risk management actually is in the context of IT security = no. Some people (e.g here) might, but not the majority. And don't even get me started on security ROI :-) This part of security realm will continue to be occupied mostly by loudmouths who will spout, but never define; rant, but never explain; blab, but never clearly state. Sorry to those who are not like this, but you will continue to be in the minority in 2008.

Security technologies:

  • eVoting security will flare up = yes. Expect big and bad stories about evoting in preparation to the US elections. Maybe another "chad story", but with an "e-" added to it? Fun, fun, fun! :-)
  • Full disk encryption becomes popular = no. In fact, I predict that in 2008 encryption would be "the new firewall" - more and more people will hide from reality behind "we have encryption - we are safe now!" (check out my piece on encryption mistakes, while you are at it)
  • NAC= huh. Huh? The451Group said it best: "NAC has been the 'next big thing' for about four years now – that's a long time in the IT world." Others just say "NAC fallout has started." NAC vs insider attacks? Gimme a break... :-)
  • More whitelisting for host and network security = yes (but combined with blacklisting, which is certainly not going away!) As malware landscape becomes even more diverse, application whitelisting for security will start to shine even more.
  • Academic security research stays ridiculous = yes. Wrong problems, wrong solutions, wrong speed (as in: solving solved problems of day before yesterday...). There will be some exceptions: for example, some of the Project Honeynet academic participants deliver a punch!
  • Secure coding becomes mainstream = no (definitely, 'not yet' on this one) It pains me to say that I think that while this ball definitely started rolling (e.g. SANS is pushing it hard now) it won't be hurtling down the highway at full speed. 2009? Sure, maybe!
  • IPv6 = no (while most think 'not yet', some start thinking 'not ever') In other words, Internet 'secure by design' = pipe dream in 2008.

Security market:

  • Mid-market and SMB security = yes! I think 2008 is the year when smaller organizations will start buying the types of security solutions that were only looked at by the large enterprises before. After all, they have the same problems to solve! They have compliance too. They lose data too.
  • More security SaaS (software as a service) = yes. It is not just Qualys anymore ... More companies will figure out ways to sell security software as a service. This is especially true due to the SMB security spending increase predicted above!
  • 'Consolidation' = no. Whaaaaat? You just said 'no' to consolidation in security market? :-) Well, Vendor X might buy Vendor Z and Vendor N might go down in flames, but I predict that we will celebrate 2009 with just as many security vendors as we have today ...

Logging and log management:

  • Database logging = yes. 2008 is the year when database logs will be collected and analyzed just as Unix syslog, Windows event logs and firewall logs are collected and analyzed today by just about everybody.
  • Application logging will start = yes. People will start collecting (at least collecting at first) application logs, not just firewall and server OS logs (and database logs, as mentioned above). Maybe ERP, CRM logs, maybe other large enterprise applications will lead the way. Major 'application logging waterfall' will occur later, however ...
  • Now that collection and management are 'taken care of' in many organizations, log analysis will (again...) come to the forefront = yes. In the end of 2008, we will be doing log analysis in a large number of fun, new ways - it won't just be about rule-based correlation and keyword searching anymore (Andrew agrees)

Last year's drag-ons :-) and ongoing trends:

  • Some things make dumb predictions since they are so pitifully obvious and have been going on for years already. Thus, I pile them in this section...
  • So, client vs server exploitation: it started a few years back and will continue, for sure: more client vulnerabilities will be used to 0wn more desktops. Similarly, application vulnerabilities will beat platform ones. And targeted, commercially-driven attacks will overtake indiscriminate ones (another "no-brainer" that some try to sell as a prediction...)
  • Both of the above will power further evolution of network and system security into data and broader information security (it will be happening for another 3-5 years)
  • More fun "web 2.0" threats will come our way, but then again, this is true about most of the technologies that are being actively adopted ...

Dark horses, that will influence security in a major but unknown way in 2008:

  • Virtualization = people talk about hypervisor security and virtual security appliances as well as other fun stuff (e.g. this), but, in all honesty, we can't yet fathom the impact that the coming virtualization wave will have on information security.
  • Privacy = I predict that privacy issues, also privacy laws and public outcry due to privacy violations will impact the world of information security in 2008. However, my crystal ball is refusing to share the details on how exactly, citing "privacy concerns" :-)

Come back in Jan 2009 to see how I did!

Any comments? Additional predictions?


Log Management in 2008?

As I am putting the finishing touches on my 2008 predictions (out later today - brace for impact! :-)), here is one fun prediction from Jon Oltsik that I was happy to see: "Large firms are experiencing exponential growth in the amount of log data they collect, store, and analyze. This will prompt large organizations to move log management activities beyond security and build enterprise-wide log management architectures in 2008."

Indeed, we will see MUCH more log management in 2008!

BTW, all predictions that I am noticing are tagged here at

Discounted Passes for IT Security World 2008 Anyone?

Just like before, I am giving out these discount passes for IT SecurityWorld 2008, where I will be speaking about logs and other fun stuff. To get your 50% discount use Registration code: OS08/SDIS.

Tuesday, January 08, 2008

Logging Poll #4 "Who Looks at Logs?" Analysis

Time to analyze my final 2007 poll on logs. In it, I asked who actually looks at logs at the organization. Here is what came up: results are here and also included below.


What can we conclude from this?

First, a "duh" conclusion is in order! No matter how many times one utters the word "compliance," logs are still most useful for mundane (one would hope! :-)) system administration. Yes, indeed, sysadmins are the primary consumers of logs - yesterday, today, and - likely! - tomorrow as well.

Second, I am saddened by the fact that application developers have not warmed up to logs, at least not en masse (and not according to this limited poll...). I am guessing that once they start thinking about logging while creating their applications, they will become more aware of the fact that you can troubleshoot those applications using logs ...

Third, the incident response team showing that low is some kind of fluke, I am sure. Everybody knows that logs are indispensable during incident response (yes, even if only a little logging was enabled, or even if the logging defaults were left in place, logs often reveal answers unobtainable via any other mechanism).

Am I reading too much into this? Hey, maybe I am! :-) Then again, I am a former theoretical physicist - thus, I can explain anything!

Next poll coming soon!


Friday, January 04, 2008

Annual Blog Round-Up - 2007

If monthly, why not annual blog round-up? These are my top popular "Security Warrior" blog posts for 2007! To make this a competition of posts, I am removing the links to the main blog, search labels (e.g. log management, which was indeed one of the most popular resources on the blog) as well as grouping posts together in theme clusters.

  1. Same as during the past few months, the "fallout" from being featured on a high-profile programming site continues to drive humongous loads of traffic, which made this set of posts the most popular, even for the year. The topic that got such a huge boost was anti-virus efficiency. The posts are: Answer to My Antivirus Mystery Question and a "Fun" Story, More on Anti-virus and Anti-malware, Let's Play a Fun Game Here ... A Scary Game, The Original Anti-Virus Test Paper is Here!, Protected but Owned: My Little Investigation, as well as a final entry about my own switch away from a mainstream major-vendor anti-virus tool: A Bit More on AV and Closure (Kind of) to the Anti-Virus Efficiency/Effectiveness Saga.
  2. Next by rank is a set of my Top 11 lists: Top 11 Reasons to Collect and Preserve Computer Logs and Top 11 Reasons to Look at Your Logs (the third list, Top 11 Reasons to Secure and Protect Your Logs, was not quite that popular - I have long argued that, sadly, few people care about log security yet).
  3. Wow! I love, love, love the fact that my blog readers made my first Common Event Expression (CEE) post, introducing this emerging log standard (official site now live!), one of the most popular: Finally, Common Event Expression (CEE) is Out!!!. My other CEE-related posts are labeled here.
  4. Hurray to database logging (finally!) My posts related to database logging top the charts. Specifically, How to Do Database Logging/Monitoring "Right"? as well as its "prequels" :-) Full Paper on Database Log Management Posted and On Database Logging and Auditing (Teaser + NOW Full Paper).
  5. Finally, the security ROI saga that flared up mid-year is also among the most popular. Indeed, the Security ROI Pile-Up! post made it into the Top 5 (the related posts are: The Entire Security ROI Blood Trail and ROI, ROSI, RROI and Harry Potter Tales). The rest of my ROI-related posts are labeled here.
  6. At the risk of destroying my math credibility, I will add an item #6 to my Top 5 list, again. This little post called On Open Source in SIEM and Log Management has also generated a lot of traffic and discussion. Indeed, log management vs SIEM, as well as the reasons for the lack of a popular and complete open source log management solution, are fun topics!

See you in 2009! :-)

Possibly related posts / past monthly popular blog round-ups:


Thursday, January 03, 2008

Monthly Blog Round-Up - December 2007

I saw this idea of a monthly blog round-up and I liked it. In general, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today.

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts and topics.

  1. Same as during the last few months, the "fallout" from being featured on a high-profile programming site continues to drive loads of traffic. The topic that got such a huge boost was anti-virus efficiency. Thus, these posts with the same theme of anti-virus efficiency were the most popular: Answer to My Antivirus Mystery Question and a "Fun" Story, More on Anti-virus and Anti-malware, Let's Play a Fun Game Here ... A Scary Game, The Original Anti-Virus Test Paper is Here!, Protected but Owned: My Little Investigation, as well as a final entry about my own switch away from AV: A Bit More on AV and Closure (Kind of) to the Anti-Virus Efficiency/Effectiveness Saga.
  2. Hurray to database logging (finally!) My blurb, table and paper on database logging top the charts. Specifically, How to Do Database Logging/Monitoring "Right"? as well as its "prequels" :-) Full Paper on Database Log Management Posted and On Database Logging and Auditing (Teaser + NOW Full Paper).
  3. Surprise.... not! Next up is Review of My 2007 Security Predictions: Too Wimpy post that reviews my 2007 predictions.
  4. Next is again my Top 11 logging lists: Top 11 Reasons to Collect and Preserve Computer Logs and Top 11 Reasons to Look at Your Logs (the third list, Top 11 Reasons to Secure and Protect Your Logs, was not quite that popular - I have long argued that, sadly, few people care about log security yet).
  5. Interestingly, my post titled But What Does It ACTUALLY DO? where I expressed my frustration with some of the obscurity marketing also made it into Top 5 for the month.
  6. And, finally, I need to leave some room (as #6 of 5 :-)) for my logging polls! Yes, they are popular too - and fun to read!

See you in January :-)

Possibly related posts / past monthly popular blog round-ups:


Dr Anton Chuvakin