Thursday, July 29, 2010

Log Awesomeness – On August 19!

As far as awesomeness is concerned  [and I am a big student of it :-)], this is full of it. BrightTalk Log Management Summit promises to be as awesome as logging events go... Here is an agenda:

WHEN: Thursday, August 19, 2010, attend live online throughout the day or afterward on-demand

HOW: Register Now:


  • “Log Standards & Future Trends” by Dr. Anton Chuvakin, Principal, Security Warrior Consulting
  • “Leveraging Logs, Information and Events” by Derek Brink, VP & Research Fellow for IT Security, Aberdeen Group
  • “Log Visualization in the Cloud” by Raffael Marty, Chief Logger, <– how come they don’t mention Loggly here?
  • “The Integration Lifecycle: Loving Long Logging Lifecycles” by Andrew Hay, CISSP, Senior Analyst, Enterprise Security Practice, The 451 Group <- high chance for an awesomeness boost from Andrew!
  • “Best Practice and Approaches for Log Management” by Ritesh Singhai, Senior Security Engineer, SecureWorks
  • “Delivering Value from SIEM” by Chris Burtenshaw, Information & Technology Risk Manager, Deloitte

Enjoy! And “see” you there on August 19th.

Possibly related posts:

Enhanced by Zemanta

Monday, July 26, 2010

Skills for Work vs Skills for Getting Hired

Given the amount of attention my previous security career post gathered (“A Myth ….”), it is time for a new one. Some of it is inspired by Source Boston 2010 mentoring panel, a gift that just keeps on giving (BTW, I signed up as a mentor with that new project, InfoSecMentors).

So, let’s talk about security skills that you can prove, skills that you need for a job and skills that will pass HR filters. It shocks me – to put it mildly – that these three are often completely different – and not even overlapping.

Which ones do you need to develop? Should you spend time writing papers, hacking code or reading up on 10 domains of “see-bee-kay”? Should you get good at something that will not be immediately obvious to everybody (like reversing malware) or spent time doing something visible (like writing papers about malware without having first-hand knowledge of how it works)? Should you choose sexy esoteric area of security, get really good at it – and then notice that nobody wants to hire you for that – with the possible exception of a Russian crime syndicate? :-)

While it is extremely tempting to bark “All of them!” and stop right there, the reality seems more complex to me, as it almost always is.

  • Skills that help pass HR filters (and especially certifications like “see-sssss-ph”) sure seem important as you won’t even have a chance to get to using your other skills aka be hired – unless you are a master-ninja-networker! By the way, buzzword - loading your resume is not about skills - it is about a socially acceptable form of lying: TCP/IP, UDP, ICMP, BGP, IDS, IPS, W3C, CIFS, WAF, DLP, GRC, SIEM, NAC, IAM, SNMP, SMTP, POP3, HTTP, NASL, IPv6 … ASS :-)
  • Skills that will help you do the job obviously vary depending on what job you have in mind. For most entry- and mid-level security roles, these skills are technical (sorry, Mssrs Security Policy Writers). From log analysis to IPS tuning to firewall management to web application scanning, the range is broad and you need to choose.  You can pick an area and then go really deep; however, it is worthwhile to try not to pick “typewriter repair” as an area of specialization :-) Fortunately, since none of the security problems we ever faced have been solved yet, choosing wrong is very hard. If you are still lost, pick application security or pentesting. These are not going away – EVER!
  • Skills that are easy to prove - typically via a multiple choice test - is another interesting set: some technical skills (such as knowledge about what is in TCP/IP header) are easy to test, while others (such as an ability to do web app penetration testing) are extremely hard to validate. I guess social engineering is an ultimate “unprovable” skill, while knowledge about how to configure a Cisco router is easier to prove. BTW, I’ve met some “Cisco Gear Master Magicians” whose skills bordered on divine – they can literally get that box to do anything.

And if I were to give some advice on this that I wish I received when I started in security, I’d say focus your energies like this:

  1. Put most of you energy in developing skills that will be most useful at work – work you do at your current job or the one you dream about (aka your next job :-)) As I said above, it is more likely that these skills are technical.
  2. However, balance the time you spent practicing technical skills that are simply fun for you with the ones that are easy to prove to potential employees. Let’s call them “visible skills.”
  3. Severely limit the time you spent on developing skills just to pass HR filters – instead get better at networking! Darn, even Twitter skills are better than practicing your daily laps in alphabet soup like the mess above.

To figure out that point, I once asked my wise mentor “Why do you still run /bin/bash, awk around and install Fedora, after you wrote three books, sold a company, gave a dozen keynote speeches and run a profitable consulting business for many years?” He – wisely, of course – said: “So that I can be a sysadmin if shit hits the fan.” This line is still stuck in my head after many years!!

Otherwise, you risk being of those types who respond to an ad for “firewall admin, must have CISSP” and end up crashing the network, which is kinda sad. For example, for many years I’ve had this bizarre unconscious skepticism towards people whose main skill is to write security policy. Writing this post cleared my head as to why: a well-written security policy does EXACTLY nothing for security … unless it is implemented.

Finally, some folks reading this will say – “screw the skills, I just want to be an expensive loudmouth for hire.” OK. There are indeed a few who rose to such noble occupation… First, you have to slave away for many years doing something else – and then hope that eventually people will want to pay to listen to your rants. Second, you can join Gartner, still slave away for a few years – and then maybe people will pay for your “loudmouthery.” In both cases, you’d still need some “+5” to Luck :-) And then maybe you can be “a mercenary loudmouth.”

But this is likely a subject of another post.

Possibly related posts:

Friday, July 23, 2010

FINALLY! SANS SEC434 “The” Log Management Class (2-day version!) in Northern California on Sep 9-10, 2010

It will happen! My SANS SEC434 Log Management Class will be taught in in Northern California on Sep 9-10, 2010 in its never-before-seen extended 2-day version (with loads of cool hands-on log mangling exercises). The announcement follows below:

Log Management In-Depth: Compliance, Security, Forensics, and Troubleshooting
Thursday, September 9, 2010 - Friday, September 10, 2010

“This first-ever dedicated log management class for IT and security managers will cover system, network, and security logs and their management at an organization. We will start with the basics, like making sure that logs exist, and then go on to touch upon everything from managing log storage, to analysis techniques, to log forensics and regulatory issues related to logging.

In the beginning, we will cover various log types and provide configuration guidance, describe a phased approach to implementing a company-wide log management program, and go into specific tasks that IT and security managers need to be focusing on a daily, weekly, and monthly basis in regards to log monitoring.

A unique and comprehensive section that covers the hot topic of using logs for regulatory compliance, such as PCI DSS, will also be presented. Everybody knows that logs are essential for resolving compliance challenges; this class will teach you what you need to concentrate on and how to make your log management compliance-friendly.

The class will also touch upon various uses of logs for incident response, forensics, and operational monitoring. Common logging mistakes, learned from many years of working with logs, will also be explained.”

Class Location:

UC Davis
Room 1065, Kemper Hall, UC Davis
1 Shields Ave
Davis, CA
Web site:

The price is actually VERY reasonable.

Sign up … NOW! I mean it!! :-)

Possibly related posts:

Monday, July 19, 2010

SIEM-related Field Job: Western US

As a favor to another friend, I am posting this fun SIEM field job here:


We are seeking an exceptional individual to serve as a presales technical expert in the sale of Novell Security Management products to a variety of clients throughout the US and Canada.”

“You will be the technology expert in the sales effort as a Novell sales team works with a variety of companies in positioning Novell ISM products.  While you are part of the sales team, your efforts will still be dedicated to technical tasks up to 75% of your time.”

Full details.

Possibly related posts:

Tuesday, July 13, 2010

SANS Top 5 Essential Log Reports Update!

Some of you remember the project started at SANS Log Management Summit 2006 called “SANS Top 5 Essential Log Reports.” You can still grab the old document here [PDF]. Recently, I volunteered to create a 2010 version of SANS Top 5 Log Reports.
With help from others [to be credited when the project is complete, but definitely with help from somebody named MJR :-)] and some research into past efforts, I have identified the report types and specific examples below as candidates for a new Top 7 Essential Log Reports list – and now I need your help!
Initially, I wanted people to vote for 5 out of the 7 candidates, but let’s do it differently: just comment on the list below (blog comments, your own blogs – please post a li here, email, twitter, etc) or suggest your own most useful, most popular log reports or even report categories. There is no reason why we can’t have Top 7 or Top N>7 useful log reports :-)

NEW PROPOSED Top 7 Essential Log Reports

Top Log Report Candidate 1. Authentication and Authorization Reports
a. Login Failures and Successes
b. Attempts to gain unauthorized access through existing accounts
c. Privileged account access (success, failure)
d. VPN Authentication and other remote access (success, failure)
e. Please add more reports you find useful!
Top Log Report Candidate 2. Change Reports
a. Addition/Changes/Deletions to Users, Groups and Services
b. Change to configurations
c. Application installs and Updates
d. Please add more reports you find useful!
Top Log Report Candidate 3. Network Activity Reports [used to be called “Suspicious or Unauthorized Network Traffic Patterns” in the old Top 5 list]
a. Top Internal Systems Connecting Through Firewall // Summary of Outbound Connections
b. Network Services Transiting A Firewall
c. Top Largest File Transfers Through the Firewall
d. Internal Systems Using Many Different Protocols/Ports
e. Top Internal Systems With NIDS Alerts
f. Proxy Report on File Uploads
g. Please add more reports you find useful!
Top Log Report Candidate 4. Resource Access Reports
a. File
i. Failed File or Resource Access Attempts
b. Database
i. Top Database Users
ii. Summary of Query Types
iii. SELECT Data Volume
iv. All Users Executing INSERT/DELETE Commands
v. Database Backups
c. Email
i. Top Internal Email Addresses by Volume of Messages
ii. Top Attachment Types with Sizes
iii. Top Internal Systems Sending Spam // Top Internal Systems Sending Email NOT Through Mail Server
c. Please add more reports you find useful!
Top Log Report Candidate 5. Malware Activity Reports
a. Top systems with anti-malware events
b. Detect-only events from anti-malware tools (“leave-alones”)
c. Anti-virus protection failures by type
d. Internal malware connections (all sources)
e. Please add more reports you find useful!
Top Log Report Candidate 6. “Various FAIL”
a. Critical Errors
b. Backup failures
c. Capacity / Limit Exhaustion
d. System and Application Starts, Shutdowns and Restarts
e. Please add more reports you find useful!
Top Log Report Candidate 7. Analytic Reports  [Mostly Using “Never Before Seen” (NBS) aka “NEW Type/Object” Analysis]
a. NEW (NBS) IDS/IPS Alert Types
b. NEW (NBS) Log Entry Types
c. NEW (NBS) Users Authentication Success
d. NEW (NBS) Internal Systems Connecting Through Firewall
e. NEW (NBS) Ports Accessed
f. NEW (NBS) HTTP Request Types
g. NEW (NBS) Query Types on Database
h. Please add more NBS or other analytic reports you find useful!

So, please help this project by commenting via whatever means!!!

BTW, I think I perused all the previous efforts to distill log reports (such as this one), but feel free to point me to such things as well.

Finally, if you are a SIEM or log management vendor, please consider supporting the resulting reports in your products – after they are finalized by the community and released by SANS.

Possibly related posts:

Wednesday, July 07, 2010

HITB 2010 Amsterdam Awesomeness

I just came back from Amsterdam where I presented my keynote "Security Chasm" at Hack In The Box 2010 conference European debut. Both the keynote and the entire conference were a lot of fun - but then again WTH do expect from an event in Amsterdam? Below are my notes from the event.


It is worthwhile to note that I was the first speaker of the first day, which put some extra responsibility onto my shoulders. The main theme of my speech was that we have essentially two "securities" - one where people do paper risk assessments, "align strategy" and “enable business” and another where people actually deal with consequences of intrusions and other burning technical issues. You can read some notes from the audience here (and here) and live tweeting here.


Next I went to Fyodor Yarochkin presentation on Russian cybercrime called “From Russia with Love 2.0.” While lots of people speak about Russian cybercrime, Fyodor’s take was interesting and new (at least to me). First, did you know that most Russian malicious hackers face no ethical challenges - they think of what they do simply as "making money online?" For example, Fyodor reported that people were asking on one of the forums "Is it legal to Google for card numbers and then use them?" :-)  Along the same line, he does not think many of them are “professionals” - but simply people making some money on the side off “stupid rich foreigners” [A.C. – we are talking about you, dear merchants ignoring PCI DSS… :-)].  Despite all that, he did describe a lot of interesting bits of criminal infrastructure such as eBay-like site for selling stolen Skype accounts with online feedbacks (for assuring stolen account reliability, ya know) and “conversion services” for transferring money, say from WebMoney to PayPal.

The speaker also mentioned that the rumors of Russian political hackers are “greatly exaggerated” - by far the most are in it for the money (and, yes, you can hire some to further your political goals like blowing away Twitter for $80/day, but it doesn’t make them “political hackers”).  Another curious resource he highlighted was a complete tutorial for “making money online” - where to start if you are a complete amateur, barely know computers, but want to make money. Another fun bit was that he described how much DoS costs have fallen…

Now, the other part of his presentation was a description of his research tool for automatic intelligence gathering and analysis, complete with text mining, jargon conversion and language translation.

Another worthwhile speech that I would like to highlight was the second keynote by Mark Curphey - who “left” security a while back. It was so visual and hard to summarize that I probably won't do it justice here - just check his deck. It was about his “10 Crazy Ideas to Improve Security” such as “#2 stop human pattern matching” (ha, I wish we knew how to do that :-)) and “#3 community statistical analysis for security.” Audience comments are here.

Also, I went to the presentation by the author of Maltego analysis tool.  I have long been curious about the capabilities of this tool, and it seems like v3 will come with even more magic such as “named entity recognition ” (NER) which allows the tool to extract names of people and countries out of the analysis. And it might tell you who wins the 2010 FIFA World Cup … and be wrong about it :-)

As far as fun hallway conversation is concerned, I had a couple of very fun chats: one with Rop Gonggrijp about climate change and geopolitics and one with Mark Curphey on using agile for security (and security in agile software development)

Finally, presentation materials can be found here.  Videos are promised to be posted soon! Enjoy!

BTW, if you’d like to invite me to speak at your conference, please do so, but keep in kind that flying around and speaking does not pay the bills :-)

Friday, July 02, 2010

Monthly Blog Round-Up – June 2010

Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost.  These monthly round-ups is my way of reminding people about interesting blog content. If you are “too busy to read the blogs,” at least read these.

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.

  1. By a HUGE margin again, the #1 post this month is “Simple Log Review Checklist Released!” Grab our log review checklist here, if you have not done so already. It is perfect to hand out to junior sysadmins who are just starting up with logs. Another similar resource is in the works… If you are a vendor, you can also use it to market your logging awesomeness :-) - but you have  to keep the attribution to the authors.
  2. How Do I Get The Best SIEM?”, a companion to “On Choosing SIEM“, went to the top like lighting last month and stayed there this month. If you are thinking of getting a SIEM or a log management tool, check them out and also look at related resources at the end of these posts.
  3. Next up are my notes from University PCI DSS workshop where I delivered a keynote: “My Best PCI DSS Presentation EVER!” (the infamous “compliance kitten” quotes comes from here)
  4. How PCI Leads to DLP?” discusses the linkage between PCI DSS compliance and Data Leak/Loss Prevention/Protection (DLP) tools. And, no, PCI DSS won’t mandate DLP soon – but it doesn’t mean that you should not look at it for various PCI-related reasons.
  5. The Myth of SIEM as “An Analyst-in-the-box” or How NOT to Pick a SIEM-II?” and ““I Want to Buy Correlation” or How NOT to Pick a SIEM?” stay at the top – it seems like smaller organizations are looking at deploying SIEM and log management and there is a lot of interest in simple guidance on this.

Also, below I am thanking my top 5 referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog:

  1. Michał Wiczyński
  2. Raffael Marty
  3. Dancho Danchev
  4. Richard Beitlich
  5. Cédric Blancher

See you in July; also see my annual “Top Posts” - 2007, 20082009!

Possibly related posts / past monthly popular blog round-ups:

Dr Anton Chuvakin