Wednesday, March 31, 2010

Fun Reading on Security and Compliance #24

Here is an issue #24 of my “Fun Reading on Security and Compliance,” dated March 31, 2010 (read past ones here). You can judge that my “2blog” folder has been kinda full, since I was too busy working on a few fun consulting projects.
This edition is dedicated to RSA conference – an unending source of awesomeness!
Main section:
  1. First, a great read from Dave Shackleford “A Glimpse Into the Security Mindset” which reminds: “Security people have a challenge that is 100% unique to their discipline [within IT – A.C.]: we have adversaries.” While there, also read his “5 Reasons Your Security Program is a Failure.” (quote: “if you don’t have daily SOPs around your monitoring tools and capabilities, you will end up with shelfware, and that just sucks”). But if you really into sucking, check Lenny’s “How to Suck at Information Security
  2. Gartner blog has hilarious “Worst and Best Security Sales Practices” (first). Example: '”saying your product is in market X, since X is currently cool”
  3. Josh Corman, Jeff Williams (of OWASP fame) and David Rice (of “Geekonomics” fame) launch “RUGGED software” manifesto: “Software that endures against the environmental forces arrayed against it in cyberspace.” The manifesto is here at its brand new site. 
  4. Sad hilarity reigns supreme here in comments at  “Thor vs Clown”  from TaoSecurity. Example: “P(Compromise) = P(C.SMS) x P(C.PIN)
Logging, log management section and SIEM section:
  1. Using Logs To Reduce Response Gap”: “Unfortunately, auditing and never really using logs for anything except for records retention can cause organizations to treat them as merely objects to move around and not necessarily utilize for any action.”
  2. Prism Microsystems continues its epic mega-saga of “100 Log Management Useshere at “#27 Printer logs.”   While there, also please read “Sustainable vs. situational values” by Ananth that has this great quote: “I am often asked that if Log Management is so important to the modern IT department, then how come more than 80% of the market that “should” have adopted it has not done so?”
  3. Something made the Team Securosis think about correlation – and even argue between themselves: “Network Security Fundamentals: Correlation” (quote: “Most security professionals have tried and failed to get sufficient value from correlation relative to the cost, complexity, and effort involved in deploying the technology.”) and “Counterpoint: Correlation Is Useful, but Threat Assessment Is Fundamental” – then Rocky comments on the whole thing [BTW, I have no idea why they think correlation is about NETWORK security…]
  4. BTW, fun correlation discussion is also ongoing at one of the SANS blogs: “IT Audit: Correlating Logs and Event Logs.” It looks like David Hoelzer might bring his DAD correlation project back to life…
  5. A fairly intelligent piece on logging (“Best Practices For Windows Log Monitoring”) has this great quote: “Not monitoring your Windows logs is like setting up a security camera and putting an exit sign in front of it.”
  6. Lenny has “Establishing a Practical Routine for Reviewing Security Logs:” “A practical routine for reviewing security logs is regularly scheduled, partially automated, alternated among team members, and linked to problem resolution.” Our joint project, "Critical Log Review Checklist for Security Incidents" definitely helps with that.
  7. I mean, come on, even McAfee suddenly started talking about logs (something they’ve been ignoring forever). Eric Cole talks about logs in the context of SANS CAG/CSC in “Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs.” He says: “Unmanaged Logs Hurt” and reminds that “Sometimes logging records are the only evidence of a successful attack.” Sadly, at the end he hints that you should be using ePO as a SIEM… gasp.
Vendor section [now that I am not employed by the vendor I can call vendors names, etc :-)]:
  1. Finally, one SIEM vendor realized that  analyzing firewall rules together with vulnerability data should not be left to the dedicated vendors [I always thought that fw rules + vuln scans analysis is waaay too narrow to launch a company on; SIEM should have ‘owned’ that a long time ago] and launched a new product that looks at events, flows, rules and vulnerability scans. Good idea!
  2. And one log management vendor realized that “Reviewing logs everyday is a pain, we just made it easier
  3. AlienVault, OSSIM commercial home, has released OSSIM 2.2. This deck has the highlights. As I am using the system now, it looks more impressive than ever. Seriously!
Possibly related posts:

Dr Anton Chuvakin