Friday, May 18, 2012

Book Review: “Security De-Engineering: Solving the Problems in Information Risk Management” by Ian Tibble

This book is probably the most thought-provoking book on security I have read in the last 5-7 years! While I'm somewhat known for my proclivity to exaggerate, I assure you this is not an exaggeration. As I was reading it, I felt like I connected to deep layers of the subconscious of the security industry.
In fact, the influence this book has already had on me is palpable: I found myself using some of its terms (such as the author's favorites, "intellectual capital" and "CASE") and concepts the day after I started reading it.

As a brief summary, the book investigates the evolution of the way we do information security from the "hacker-led" late 1990s to the "compliance-heavy" late 2000s and today. The author also highlights dramatic problems with today's approach to security and suggests some solutions in the way people think and operate around security.

In fact, it might be one of the most influential books ever written in the history of the security industry - one that appeared at the best possible time, when it is most needed. Along the same lines, I have grown worried about the ranks of security professionals who are not hands-on with technology and who have never secured production systems. Like the author, I have grown frustrated with the ranks of idiots who equate compliance with security. Even the author's rant about ethics is something I've been thinking about for years.

The author slaughters a few of the sacred cows of the security industry: one that "executives are clueless" and one that we "must have reliable actuarial data on incidents to stay relevant." He also highlights a few categories of security products which are notorious for not delivering value and explains the reasons for that. Most of his points are backed up by specific cases from his experience, going back to the late 1990s when the security industry was born.

And, of course, as with any thought-provoking writing, I cannot say I agree with every word I read. For example, I am much less negative about vulnerability assessment technology than the author (I don't think it gives you 50% "false negatives" on common platforms today). Furthermore, I abhor the use (misuse, really) of "ROI" for justifying security spending. Style-wise, the author is a little too fond of repetition for my taste. However, having a summary after each chapter is a great idea.

Finally, despite the unreasonably high price, I feel that every member of the security community MUST read this book. Literally every chapter will have insights that will make you a better security professional today.
All book reviews.

Tuesday, May 01, 2012

Monthly Blog Round-Up – April 2012

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. “Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version).
  2. “Why No Open Source SIEM, EVER?” (and this) is next – for some weird reason. I suspect a lot of people still crave a free open source SIEM tool.
  3. “On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
  4. “Log Management at $0 and 1hr/week?” is where a lot of companies still are, thus this post became popular again.
  5. “Top 10 Criteria for a SIEM?” came from one of the last projects I did when running my SIEM consulting firm.
In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Denial of Service research:

Cloud security monitoring research:

Future SIEM analytics research:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Dr Anton Chuvakin