Showing posts with label conference.

Thursday, July 19, 2012

Metricon 7 Workshop Reminder

Just a quick reminder about the Metricon 7 workshop on security metrics.

Date: August 7, 2012

Location: Bellevue, WA (co-located with USENIX 12)

Registration: https://www.usenix.org/conference/usenixsecurity12/registration-information (pick just the metrics workshop or the entire event)

Agenda:

1. Introduction to Metricon, security metrics and workshop goals by Anton Chuvakin (9:00-9:30)

2. “Even Giant Metrics Programs Start Small” by David Severski (9:30-10:30)

3. Break (10:30-10:45)

4. PANEL: “Rules of the Road for Useful Security Metrics” (10:45-11:30)

5. Mini-talk 1 and 2 – TBD (11:30-12:00)

6. Lunch break (12:00-1:00)

7. “What We Want to See in Security Metrics” by Christopher Carlson (1:00-2:00)

8. PANEL: “What We Know to Work in Security Metrics” (2:00-2:30)

9. “Application Security Metrics We Use” by Steve Mckinney (2:30-3:00)

10. Break (3:00-3:15)

11. “Threat Genomics and Threat Modeling” by Jon Espenschied (3:15-4:15)

12. Discussion time, everybody shares lessons, highlights, etc (4:15-5:00)

13. Conclusions, results and action items by Anton Chuvakin (5:00-5:15)

Additional details: here 

See you there!

Monday, April 30, 2012

Metricon 7 Call for Papers

This is a Call for Papers (CFP) for Metricon 7.

Key stats first:

  • Conference date: August 7, 2012
  • CFP deadline: May 31, 2012
  • Conference location: Bellevue, WA
  • Cost to attend: free (but you’d need to add value to discussions).

The CFP follows below and can also be found at the SecurityMetrics site.

Metricon 7 - Security Metrics: Useful or Bust!!

How to define, generate, and communicate security metrics you can use TODAY!

This year, Metricon 7.0 is excited to issue a call for participation to the information security community. The event will occur August 7th, 2012, co-located with USENIX in Bellevue, WA.

Given that this is the 7th event, we think it is time to finally say it: security metrics MUST be useful NOW! Thus, the focus this year is on useful and usable metrics – not conceptual and theoretical stuff that sounds great, but cannot and will not be used in today’s organizations. Also, presentations and panels that talk about “How?” and “What?” will be strongly prioritized over “Why?” (and “whine”). Enterprises and tool vendors are both welcome to present! Academic researchers tackling real-world problems are welcome as well.

We want to see:
• How you achieved “quick wins” with security metrics
• How you define useful metrics, whether risk or operational
• Which of the metrics you track are the most useful
• How you solved a particular challenge in the security metrics area
• How your tool helps (not “can help”!) with collecting and analyzing security metric data
• Who gets the metrics you create, and how they use them
• What metrics you use to determine that security controls are effective
• How organizations generate actionable advice from security metrics
• How to track that your security is improving using metrics

We do not want:
• Uncollectable and unusable metrics
• Metrics philosophy
• Uncooked metrics that sound vaguely “interesting”

Send submissions and your ideas for panels and presentations to metricon7@securitymetrics.org

Deadline for presentation and talk submissions is May 31st, 2012. Submissions should be sent to Metricon7@securitymetrics.org.

Friday, February 24, 2012

See You At RSA 2012!

Just a quick note to my readers: see you at RSA 2012 next week. I am around Monday-Thursday and even though most of my time is booked, you can probably find me near the press room at odd hours.


Wednesday, May 04, 2011

NEW (!) Metricon is Coming, RFP Out

The CFP for Metricon 6 is alive, the deadline is June 15. If you think that the previous one [somewhat] sucked, this one will be different, since it will be about…

"Real People Generating Real Information"

This year, Metricon 6 is excited to issue a call for participation to the InfoSec community. It will occur August 9th, 2011, co-located with USENIX in San Francisco, California. We will be breaking up topics into the following sections, and subsequently would be very interested to review submissions in the following subjects:

• Metrics & Instrumentation
• The Utility of Risk Metrics
• Risk & Cyber Insurance
• Methods for measuring impact
• Incident Management Metrics
• Operational Metrics Beyond Patches, Vulns, & Anti-Virus

THE PROGRAM
--------------------------------

This year's Metricon will be more "convention" than "defend your thesis." Included will be panels, discussions, as well as traditional presentations. We would like to include:

The "Listen" Portion of our Program: Executive use of Metrics

WANTED: Executives to join a panel on the use of Metrics to make decisions:

Metricon 6 is seeking executives excited to discuss metrics they are happy with, unhappy with, or just executives who want to reach out to the security metric community and give us an earful.

We're especially interested in executives who are using (or have unsuccessfully tried to use) operational metrics to make a business case.

The "Feedback" Portion of our Program: Metrics & Instrumentation

WANTED: Vendors (Product Managers?) who want to talk about their approach to developing the artifacts for their products and services and how they currently or in the future hope to help customers feed an evidence-driven approach to risk management.

In addition, we are looking for security vendors who would like unobstructed feedback on the artifacts and outputs of their current products & services.

For Discussion: Methods for Measuring Impact

WANTED: risk analysts, auditors and anyone else who is estimating and/or tracking the impact of incidents. How do you account for or estimate how much an organization suffers from IT security incidents?

Speaking of Incidents, For Discussion: The Role of Metrics in an Incident Response Program

WANTED: IR teams and/or executives willing to talk war stories not about incident specifics but looking back, what is the role of metrics in IR (real or hypothetical), what metrics you (may or may not) collect, and why.

For Discussion: Risk & CyberInsurance

WANTED: Do you buy, sell, or have internal hedging practices that could be considered "cyberinsurance?" We're seeking individuals to present on the growing practice of cyberinsurance and its use as a hedge against security incidents.

For Discussion: Operational Metrics Beyond Patches, Vulns, & Anti-Virus

It's cliché these days to say that most operational metrics programs are of little use beyond "the big three". WANTED: Panelists and presenters for discussions around operational metrics that are not directly the output of vuln. mgmt, patch mgmt, or A/V products.

The Lightning Rounds: New and Unique Approaches

15-minute sessions showing off new research, approaches, data and models.

See ya there!!

Sunday, April 03, 2011

Source Boston 2011 – See You There!

Just a quick post about my upcoming presentation at Source Boston 2011 – one of the most fun security conferences around!

The details are quoted from the conference site:

So You Got That SIEM. Now What Do You Do?
Anton Chuvakin, Principal, Security Warrior Consulting (@anton_chuvakin)

Many organizations that have acquired Security Information and Event Management (SIEM) tools, and even simpler log management tools, have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use" and "totally intuitive."
So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before SIEM purchase becomes successful?

At this presentation, you will learn from the experience of those who did not have the benefit of learning from others' mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made. And laugh at some hilarious stories of "SIEM FAIL," of course! As a bonus track, how to revive a FAILED SIEM deployment you inherited at your new job will be discussed.

Dr. Anton Chuvakin is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. He is an author of the books "Security Warrior" and "PCI Compliance." Currently he runs his consulting practice focused on SIEM and log management as well as compliance.

So, if you are around Boston on April 20-22 – see you there!

Monday, March 14, 2011

SecurityBSides San Francisco at RSA 2011 Presentation

My account of RSA 2011 cannot be complete without – yes! – SecurityBSides San Francisco. I was holding this post hoping to include links to videos, but – despite the power of Google – I was not able to figure out where AND whether the videos are posted. So, you have to enjoy my new fun SIEM presentation (below) without my voice and an image of me pointing at the sky.

Enjoy!


Wednesday, March 02, 2011

RSA 2011 Conference Notes

Here is my account of RSA 2011 conference – with all its awesomeness! I LOVE RSA and I always say that if you can only attend one security event a year – make it RSA. Now, it takes some [admittedly, small] effort to get value out of your RSA experience: the conference is not about the keynotes and not really about [way too many] tracks of presentations. It is about our industry gathering – pretty much the entire security industry as it exists in 2011! For security training you go to SANS, for latest attacks – to BlackHat/DEFCON (or, increasingly, to smaller conferences),  but for getting a sense of the entire security industry … SECURITY BUSINESS, if I may… you MUST go to RSA.

I spent my first RSA 2011 day – Monday (aka Valentine’s Day) – at Metricon. This year Metricon – and I admit to only attending about 2/3 of the day – just disappointed. This is the second year I am sacrificing all sorts of fun RSA-related events – CSA, AGC, etc – for security metrics and I promise I won’t do it again. Metricon this year was a shoutfest, not a conversation, about metrics. Yes, there was awesomeness there, for sure: the Verizon crew showed their early results from the Veris community incident data collection (“Baker, Wade and Alex Hutton - Veris Data/Veris Community”). I loved the presentation on log analysis of DNS server data (“Fruhwirth, Proschinger, Lendl, Savola - Name Server Log Data”), which did show a few new log tricks. Then a guy from the Finnish CERT talked about automated incident reporting. Chris Eng on “Critical Consumption of Infosec Stats” was fun to watch as well, although it did turn loud a few times… A few other presentations turned into a mess, and I won’t go into details – it was painful enough being there.
RSA proper started for me on Tuesday, since – yes, I know, it is unbelievable – I spent Monday evening celebrating Valentine’s Day instead. But before that, there was one awesomeness-induced day at SecurityBSides San Francisco, where I presented on SIEM (to be covered in a separate blog post).

So, apart from current and future client meetings (these always “taste better” at RSA somehow :-)), I had a chance to spend some time in the RSA Vendor Exhibition on Tuesday. Usually I allocate 5-6 hours to walk the vendor hall, talk to people (old and new) and figure out what’s up – and who’s down (=HBGary, obviously, this year). What did I see?
  • Since I expected the cloud to be a huge oppressive presence, I was not surprised. In fact, I was surprised that some booths did NOT have cloud written all over them. Cloud, BTW, is not just “a security trend of the day”! It is part of a massive “trifecta of security evil” – Virtualization + Cloud + Mobile – which will absolutely change the way we do information security in the next 3-5 years and possibly longer.
  • BTW, I learned a new definition of “virtualization security” at RSA: “a belief that your virtual infrastructure is as secure as your physical infrastructure”… aka "secured by faith"
  • The third leg of the trifecta – mobile – was not visible at all. I am not talking about the silly “mobile anti-virus” stuff, but about security solutions focused on mobile security problems (no, viruses are not one of them!). After RSA, somebody introduced me to Nukona, which will serve here as an example of mobile security solutions focused on mobile security problems (no, I am not on their advisory board).
  • I didn’t see enough application security, even counting all incarnations. Obviously, application security plays a leading role in the security of the above “trifecta of security evil”, but somehow I have not noticed enough new approaches to appsec. I did notice a bit more whitelisting, I guess, and this approach definitely deserves to finally go into the mainstream.
  • Funnily, I noticed some sad loser vendors with big booths. What’s up, dudes? Have you blown your entire 2011 marketing budget on that RSA booth and now somebody will surely acquire you?
  • Maybe it is just me, but I have never noticed Asian companies at RSA before – this year there were a few. Is this a new trend?
  • It was also interesting to see a theme of “we unify security and compliance” (as if compliance ever existed on its own… well… it kinda did, unfortunately). What’s going on here is vendors sold a lot of gear for compliance and now need to “sell” the worldview that all that gear is useful for security – what a shocker!
  • I also noticed a lot of network traffic and flow analysis, but absolutely no DLP. Has DLP fallen into that pig trough of disillusionment?
  • Yes, booth babes are mostly gone (except for the NSA booth, but that is totally different). However, it seems like booth monkeys are in: I had an unfortunate experience of talking with people at booths who had a very, very vague idea about security, despite having lofty titles like “VP of Marketing.” If you show up at RSA, please do your homework!
  • And sorry for a mildly idiotic final point, but why don’t we use email encryption in 2011? There was not even one vendor with a new and creative email encryption scheme. Even without the painful HBGary reminder, it seems clear that organizations treat email as sensitive protected data. How dumb is that? Please remember the old saying: unless you encrypt, email is a postcard…
On Wednesday, apart from more meetings, I did another interview with PCI Council’s Bob Russo (to be published under separate cover).

The rest of Wednesday was spent in fun meetings with potential clients (and a quick trip to Palo Alto… don’t ask). Thursday was spent advancing the CEE log standard and even – surprise! – attending a few RSA sessions.

Fridays at RSA are always fun – not too many people at the sessions. I spent my morning at the BUS-402 “analyst roundtable” session with KuppingerCole, Gartner and Forrester, moderated by Asheem Chandna from the Greylock VC firm. Most “analyst takeaways” from RSA 2011 were pretty much about cloud and mobility. I’ve heard a fun opinion on IT consumerization: if you deal with the security of employee devices by banning them, you will automatically make your organization unattractive to the best employees – thus increasing, not reducing, your business risk (not sure how true it is, really). Also, I didn’t realize that virtualization platform vendors abandon security; this was strangely stated as a fact by the analysts.

Finally, I went to the President Clinton keynote. After tolerating the ever-so-annoying Hugh Thompson, we got the full “Clinton experience” for more than an hour. The Clinton keynote was great – unexpectedly so. He mentioned the Tea Party three times as often as he mentioned Obama (in the form of “Obamacare”), and spoke about how he is “socially progressive / fiscally conservative” (which is pretty awesome, IMHO). I am still shocked that I’d appreciate a politician’s speech at a security conference that much. He was more specific and fact-based than a few other keynoters at RSA 2011… If the video of his keynote surfaces (maybe), do listen, just for fun.

Other fun RSA 2011 accounts are tagged here: http://www.delicious.com/anton18/RSA+2011. A few fun examples are “Change we can believe in?”, “RSA 2011: In Summary”, and “RSA 2011: What’s My Theme?”



Tuesday, February 01, 2011

First-ever Honeynet Project Public Conference–Paris 2011

It is with great pleasure that I announce the first-ever Honeynet Project Public Conference, held alongside the traditional Honeynet Project Annual Workshop. The event takes place on March 21, 2011 in Paris. For those who just want to register now, go here.

Date: 21 March 2011 (Monday), 8:30 ~ 18:00 (GMT+1)

Location: ESIEA Paris, 9 rue Vesale, 75005 Paris (nearest subway station: Les Gobelins, line #7)

About the event:

The 2011 Honeynet Project Security Workshop brings together experts in the field of information security from around the world to share the latest advances and threats in information security research. Organized by the not-for-profit The Honeynet Project and co-sponsored by the ESIEA Engineering School, this full-day workshop creates opportunities for networking, collaboration and lessons learned, featuring a rare, outstanding line-up of international security professionals who will present on the latest research tools and findings in the field.

This year’s workshop will be held in Paris, France on 21 March 2011 and is the first time that the workshop has opened a day to the public. Starting at 9:00 GMT+1, the workshop program features a format that includes presentations in five sessions and two bonus hands-on activities. The bonus activities include a technically challenging capture-the-flag (CTF) session and a tough forensics challenge (FC) that will allow attendees to apply their expertise and compete for prizes. If you’re looking to attend a high-quality and challenging security workshop, then we encourage you to take advantage of this rare opportunity.

Note:
1. Attendance is limited to 180.
2. Participants can bring their computers to play the CTF and Forensics Challenges (FC).
3. The security workshop will be conducted in English.

Full agenda is available here; some highlights are below:

SESSION 2: Combating the Ever-Evolving Malware
10:30~11:00 – “Efficient Analysis of Malicious Bytecode: Linespeed Shellcode Detection and Fast Sandboxing” – Georg 'oxff' Wicherski, McAfee
11:00~11:30 – “High-Performance Packet Sniffing” – Tillmann Werner, Kaspersky Lab
11:30~12:00 – “Reversing Android Malware” – Mahmud Ab Rahman, MyCERT, Cybersecurity Malaysia

Enjoy the event!

Saturday, December 04, 2010

BayThreat!

Just FYI, there is a new security conference in the Bay Area – see you all there next week; I will be doing a hilarious SIEM/log management talk there… It will be fun!!

What:

There's a new information security conference in the South Bay at The Hacker Dojo, December 10th & 11th. Perfect for those of us with exhausted travel budgets. We're an active community with tons of the smartest folks in the biz. It just makes sense that we would get a regional con of our own!

The theme for BayThreat is as simple as black & white: "Building & Breaking Security." Two tracks, each tackling opposite sides of the security fence. As Security Professionals, it is up to us to take that dichotomy and mold it into the shades of gray we use to protect our environment.

Shades of the Gray Area

We've invited speakers from all over the Bay Area and beyond to a two day conference at the Hacker Dojo in Mountain View, CA. The Dojo is a familiar place for the security community, as it hosts the #DC650 meetings every month.

We're excited to host speakers with security expertise from both sides of the fence. Early-acceptance speakers include Anton Chuvakin, Neel Mehta, Ryan Smith, Gal Shpantzer, Jim McLeod, Allen Gittelson, and Dan Kaminsky. The Call For Abstracts is now closed.

When: December 10-11, 2010

Where: Hacker Dojo, 140A South Whisman Rd, Mountain View, CA 94041

How much: nominal fee of (!) $45

Schedule: TBA here

Monday, November 01, 2010

CFP for RSA 2011 Metricon 5.5 Event: Be There!

“Mini-MetriCon 5.5 (organized by securitymetrics.org, loosely defined) is intended as a forum for lively discussion in the area of security metrics. It is a forum for quantifiable approaches and results to problems afflicting information security today, with a bias towards specific approaches that demonstrate the value of security metrics with respect to a security-related goal. Topics and presentations will be selected for their potential to stimulate discussion in the workshop.
Mini-MetriCon will be a one-day event, Monday, February 14, 2010, co-located with the RSA Conference; the meeting room is a courtesy of RSA.
Mini-Metricon begins at 8:30am, and lunch is taken in the meeting room.
Attendance will be by invitation and limited in size.
All participants are expected to be willing to address the group in some fashion. Potential Mini-Metricon participants are expected to submit a discussion topic. Abstracts of papers, research projects, or practitioner presentations are encouraged and may result in a session allocation devoted to the submission topic. We also welcome ideas for 5-to-10-minute lightning talks on topics such as security-related data sets or key problems and challenges in security metrics. Collections of these talks are expected to result in group discussion on the submitter's topic of interest.
Submissions should be sent to metricon5.5@securitymetrics.org by November 12, 2010.”
Remember, the ONLY way to be there is to propose a discussion topic! There is no non-participating audience, as per the event charter.
P.S. Last year I had to pass on both the Cloud Security Alliance meet-up and some VC meetings in order to be at Metricon – and I didn’t regret it one bit. As you can guess, I can recognize deep awesomeness when I see it.



Thursday, July 29, 2010

Log Awesomeness – On August 19!

As far as awesomeness is concerned [and I am a big student of it :-)], this is full of it. The BrightTalk Log Management Summit promises to be as awesome as logging events get... Here is the agenda:

WHEN: Thursday, August 19, 2010, attend live online throughout the day or afterward on-demand

HOW: Register Now: http://www.brighttalk.com/r/vbf

TOPICS AND PRESENTERS:

  • “Log Standards & Future Trends” by Dr. Anton Chuvakin, Principal, Security Warrior Consulting
  • “Leveraging Logs, Information and Events” by Derek Brink, VP & Research Fellow for IT Security, Aberdeen Group
  • “Log Visualization in the Cloud” by Raffael Marty, Chief Logger, SecViz.org <– how come they don’t mention Loggly here?
  • “The Integration Lifecycle: Loving Long Logging Lifecycles” by Andrew Hay, CISSP, Senior Analyst, Enterprise Security Practice, The 451 Group <- high chance for an awesomeness boost from Andrew!
  • “Best Practice and Approaches for Log Management” by Ritesh Singhai, Senior Security Engineer, SecureWorks
  • “Delivering Value from SIEM” by Chris Burtenshaw, Information & Technology Risk Manager, Deloitte

Enjoy! And “see” you there on August 19th.


Wednesday, July 07, 2010

HITB 2010 Amsterdam Awesomeness

I just came back from Amsterdam where I presented my keynote "Security Chasm" at the European debut of the Hack In The Box 2010 conference. Both the keynote and the entire conference were a lot of fun - but then again, WTH do you expect from an event in Amsterdam? Below are my notes from the event.


It is worthwhile to note that I was the first speaker of the first day, which put some extra responsibility onto my shoulders. The main theme of my speech was that we have essentially two "securities" - one where people do paper risk assessments, "align strategy" and “enable business” and another where people actually deal with consequences of intrusions and other burning technical issues. You can read some notes from the audience here (and here) and live tweeting here.


Next I went to Fyodor Yarochkin’s presentation on Russian cybercrime called “From Russia with Love 2.0.” While lots of people speak about Russian cybercrime, Fyodor’s take was interesting and new (at least to me). First, did you know that most Russian malicious hackers face no ethical challenges - they think of what they do simply as "making money online"? For example, Fyodor reported that people were asking on one of the forums "Is it legal to Google for card numbers and then use them?" :-) Along the same line, he does not think many of them are “professionals” - but simply people making some money on the side off “stupid rich foreigners” [A.C. – we are talking about you, dear merchants ignoring PCI DSS… :-)]. Despite all that, he did describe a lot of interesting bits of criminal infrastructure such as an eBay-like site for selling stolen Skype accounts with online feedback (for assuring stolen account reliability, ya know) and “conversion services” for transferring money, say from WebMoney to PayPal.

The speaker also mentioned that the rumors of Russian political hackers are “greatly exaggerated” - by far most are in it for the money (and, yes, you can hire some to further your political goals like blowing away Twitter for $80/day, but it doesn’t make them “political hackers”). Another curious resource he highlighted was a complete tutorial for “making money online” - where to start if you are a complete amateur, barely know computers, but want to make money. Another fun bit was that he described how much DoS costs have fallen…

Now, the other part of his presentation was a description of his research tool for automatic intelligence gathering and analysis, complete with text mining, jargon conversion and language translation.

Another worthwhile speech that I would like to highlight was the second keynote by Mark Curphey - who “left” security a while back. It was so visual and hard to summarize that I probably won't do it justice here - just check his deck. It was about his “10 Crazy Ideas to Improve Security” such as “#2 stop human pattern matching” (ha, I wish we knew how to do that :-)) and “#3 community statistical analysis for security.” Audience comments are here.

Also, I went to the presentation by the author of the Maltego analysis tool. I have long been curious about the capabilities of this tool, and it seems like v3 will come with even more magic such as “named entity recognition” (NER), which allows the tool to extract names of people and countries out of the analysis. And it might tell you who wins the 2010 FIFA World Cup… and be wrong about it :-)

As far as fun hallway conversation is concerned, I had a couple of very fun chats: one with Rop Gonggrijp about climate change and geopolitics and one with Mark Curphey on using agile for security (and security in agile software development).

Finally, presentation materials can be found here.  Videos are promised to be posted soon! Enjoy!

BTW, if you’d like to invite me to speak at your conference, please do so, but keep in mind that flying around and speaking does not pay the bills :-)

Wednesday, June 23, 2010

SLAML 2010 Log Analysis Workshop

This year, Workshop on the Analysis of System Logs (WASL) is reborn as SLAML. Please consider submitting a short paper (no need to do a full academic write-up!). The deadline is July 11.

“Join us in Vancouver, BC, Canada, October 2–3, 2010, for the Workshop on Managing Systems via Log Analysis and Machine Learning Techniques. Modern large-scale systems are challenging to manage. Fortunately, as these systems generate massive amounts of performance and diagnostic data, there is an opportunity to make system administration and development simpler via automated techniques to extract actionable information from the data. The SLAML '10 workshop addresses this problem in two thrusts: (i) the analysis of raw system data logs and (ii) the application of machine learning to systems problems. The large overlap in these topics should promote a rich interchange of ideas between the areas.

SLAML '10 combines the Workshop on the Analysis of System Logs (WASL) and the Workshop on Tackling Computer Systems Problems with Machine Learning Techniques (SysML).”

The part related to logs is:

“Log Analysis: It is well known that raw system logs are an abundant source of information for the analysis and diagnosis of system problems and prediction of future system events. However, a lack of organization and semantic consistency between system data from various software and hardware vendors means that most of this information content is wasted. Current approaches to extracting information from the raw system data capture only a fraction of the information available and do not scale to the large systems common in business and supercomputing environments. It is thus a significant research challenge to determine how to better process and combine information from these data sources.”

The topics sought are:

“Topics include but are not limited to:

  • Reports on publicly available sources of sample system logs
  • Prediction of malfunction or misuse based on system data
  • Statistical analysis of system logs
  • Applications of Natural-Language Processing (NLP) to system data
  • Techniques for system log analysis, comparison, standardization, compression, anonymization, and visualization
  • Applications of log analysis to system administration problems
  • Use of machine learning techniques to address reliability, performance, power management, security, fault diagnosis, scheduling, or manageability issues
  • Challenges of scale in applying machine learning to large systems
  • Integration of machine learning into real-world systems and processes
  • Evaluating the quality of learned models, including assessing the confidence/reliability of models and comparisons between different methods”

Please submit to advance the state of log analysis research! Past workshop information is here (2008, 2009).

P.S. This is posted by a scheduler; response to comments may be delayed since I might be away from computers.


Monday, May 17, 2010

Hack in The Box Keynote in Amsterdam 2010

Among all the fun security conferences I’ve been to lately, this one is promising to be extra-special. After two failed attempts (one), I’d be doing (finally!) a keynote at Hack in The Box (HITB) Amsterdam 2010. So, if you are in the vicinity of Amsterdam on June 30 – July 2, 2010, come over and attend it. My keynote will be titled “Security Chasm.”

Full abstract follows:

Have you often wondered why people are updating their security policies, closing compliance gaps and defining ISMS while attackers are owning their systems – at the same time? Why consultants advise management on ‘risk ass-essment’ while new bots are being deployed on what was formerly known as ‘your network’? Why some say that “DLP is all the rage” while record data losses and resulting fraud occur daily? Why application architects now have to assume that a client PC is ‘owned’ when its user goes to a bank website, and then design solutions to work securely around that?

Reality today often presents a grim vision of “two securities”: one concerned with ‘elevating the infosec conversation’ while the other is concerned with cleaning up the mess on our networks and systems. In one, people pretend to ‘assess risk’ while in the other incident response is the only way to go…. This very concept, which I call the “security chasm,” will be the subject of my keynote presentation, along with such questions as “why do we wear seatbelts because of the monetary fine, but not because of the risk to our lives?” and “What will make us secure – if anything?” (and what does it actually mean!) Finally, I will explore the future of what we now call the security industry and make a few long-term predictions of where we will end up in a few years….

See ya all there!


    Friday, May 14, 2010

    Secure360 2010 Conference Notes

    I just came back from the Secure 360 conference in Minneapolis, MN. First, I’d like to thank the organizers for inviting me to be a "featured" speaker at the event. Just as in 2008, the conference was well organized and well attended – pretty much all 9 (!) tracks.

    Day 1 started with attending Rich Mogull’s talk called “Putting the Fun in Dysfunctional: How the Security Industry Really Works.” His main theme was using economics and psychology (all the way to the Maslow diagram :-)) to analyze what happens in the security industry. Some bits that caught my attention follow below:

    We as an industry spend MORE on anti-virus+firewall than on ALL other security safeguards combined (!).

    Many organizations are “reactive, but not responsive.”  Just as others, Rich also likes to remind people that incident response trumps most other things in importance; you can choose to not deploy a DLP tool (for example, no offence to any DLP vendors in attendance :-)), but you WILL respond to an incident (even if your IR plan = panic :-))

    We deal MUCH better with short term risks than long term risk  (also see Schneier saying similar things here); the chain “Fear –> wired response -> buy product” seems all but unbreakable

    Compliance realigns economic drivers: risk of audit > attack. It was funny that in his view organizations need to pay attention only to those laws and regulations where penalties are actually imminent.

    On top of this, controls are not tied to outcomes!! I also consider this to be one of the horrible holes in security today!

    One of the curious points that I’ve seen before from Securosis folks is that “making us better at security” does not sell security tools and practices, even if it is MUCH better than current. What sells is fear of threats – of either hacking or fines.

    Finally, feel free to ask Rich what is "Porn and email theory of security"  :-)

     

    Next, Marcus Ranum gave a speech on software suckage (“Software as a Strategic Problem”) that was thought-provoking (and somewhat argument-provoking too). The main idea was: BOTH COTS AND outsourced software development are wrong for super-sensitive government/national security uses (he gave an example of rumored outsourced code running in a JDAM…) – agencies need to go back to hiring, retaining and utilizing in-house staff. In this view, that is the only way to avoid future “nation-busting” security issues.

    He contrasted two approaches: “write the software to solve the problem - from scratch” vs “use very flexible COTS software + spend forever configuring and reconfiguring it.” He also called for such custom software to aim for “zero maintainability + zero administration” – which to me sounded unrealistic for most evolving uses of software…

    Finally, Marcus was also visibly upset that US government didn’t backdoor Windows :-) - it seems like a missed opportunity for easy world domination…

    Here is some fun coverage of Marcus’s speech and the usual Slashdot idiocy that followed. The key quote is: “If the United States wants to remain competitive in the global economy and prevent widespread penetrations of its strategic, corporate and commercial networks, enterprises and government agencies should stop relying on commercial [A.C. – whether COTS or contracted/outsourced] software and go back to writing more of their own custom code” (read the comments too)

    I ended day 1 at Gal Shpantzer’s presentation on USB isolation. The key idea was: given that most PCs are owned (sad, huh?), how do we still use them for sensitive applications like banking? He reviewed approaches such as a dedicated PC vs the "bubble" approach vs a bootable approach on USB.

     

    Day 2 started with my very own presentation “PCI DSS-based Security: Is This For Real? Using PCI DSS as A Foundation for Your Security Program.” The slides are embedded below:



    It went pretty well, despite containing the picture of the devil while in Midwest :-)

    Enjoy!


    Friday, May 07, 2010

    My Best PCI DSS Presentation EVER!

    As you know, I gave a keynote presentation at PCI DSS Workshop 2010 by the Treasury Institute for Higher Education (the other keynote being Bob Russo, naturally :-)). Addressing an audience of about 130 mostly University IT, IT security and finance (!) professionals in charge of their payment and PCI DSS programs was a fun challenge. The slides are embedded below – I seriously consider it to be my best PCI presentation ever… mmm… to date.

    (I suspect some of the things I had to invent for this presentation – e.g “the kitten bit” – will end up on Twitter pretty soon :-))

    The workshop was also pretty educational for me since I learned how PCI DSS is really done at the most challenging environments possible – large Universities with hundreds of merchant IDs, every possible card acceptance method, wayward academics, general skepticism for policies and mandates, desire for “openness” (aka come-take-our-PANs-SSNs-medical-records-kinda-openness…), lack of centralized control and (sad and unjustified, but frequent) disdain for central IT groups.

    On the other hand, I was amazed to learn that many Universities do not need any extra pushing and hand-wringing to treat PCI DSS and payment security as … gasp!… a business problem. As I mentioned above, the audience at a PCI Workshop was only about 30% IT and IT security with 70% finance/treasury folks responsible for PCI DSS compliance (there were also 2 stray auditors in the room).

    So, the second day keynote was given by Bob Russo who is definitely known for putting up a good show (and, nowadays, song and dance!). A new bit for me was the establishment of ISAs – Internal Security Assessors – and upcoming ISA training by the Council. He also reiterated that PCI DSS “1.3” (October 2010) won’t have massive changes, but mostly additional clarifying guidance, produced by SIGs, will be released at or before that date.

    Also, I was involved in the “PCI Experts Panel” with Bob Russo and representatives from Elavon and Fifth Third Processing Solutions. We covered many fun questions (some of which sure made my head spin… we are talking deep PCI esoterica here). I was kinda surprised to learn that people still ask whether encrypted data needs to be protected, even though it is answered in the official PCI DSS FAQ.

    Enjoy!

    P.S. WTH is “a kitten bit”? I coined the following phrase for this presentation: “Every time you think ‘PCI DSS OR security,’ god kills a kitten!”


    Tuesday, May 04, 2010

    Brief Log Management Class

    I gave a brief 90 minute log analysis and log management class at the Project Honeynet event in Mexico City.
    The class slides are embedded below:


    Enjoy!


    Wednesday, April 28, 2010

    Source Boston 2010 Conference Notes

    Here is my delayed account of the awesomeness of Source Boston 2010. Did I mention the event was awesome? Yup, it was indeed. Awesome.
    So, here is Source 2010 conference day by day.
    Day 1 started with the Andy Purdy keynote which was… shall we say… “not bad.” Since keynotes at security conferences usually suck (with a few notable exceptions), “not bad” is actually a pretty good rating. For example, he complained about how many meetings in DC are about “the need for data sharing” and then called for more data sharing himself :-) Ooops!
    The next very fun thing was a start-up panel – with two parts, one with startup entrepreneurs (including Loggly) and the second with VCs. It is quite hard to summarize since the discussion floated from subject to subject – watch the video when it comes out. "Secure cloud enablement"  was mentioned as something they would fund while “mobile security” produced a passionate “forget it.” Better endpoint protection  was also mentioned as “AV is in crisis.” Other hot – fundable? - topics mentioned were "data-focused security", cloud (surprise!), next wave of privacy for consumer (an actual surprise for me), “secure data anywhere,” etc.
    I asked a question about SMBs: will VCs favor a security solution that is aimed at enterprises over the one for SMBs? They did say that while "SMBs are harder to reach”, “’SMB security’ is largely a green field.” They also said that “SMB game” is more business model innovation than technology innovation and the winner is determined by "who owns the channel" and who does more "creative selling"  rather than by who is more “hard core” technically.
    At one point in the panel, Josh tossed his favorite curveball about PCI DSS and “compliance culture.” The esteemed VC panel members were actually negative on PCI. The panelists tried to blame PCI for the “PCI as a ceiling” mindset by saying that many organizations “achieve PCI” and then do no more security, which results in a “false sense of security.” They only praised PCI for raising awareness of information security. My guess is that VCs would like people to buy shiny new toys and PCI DSS prescribes the use of “boring,” but effective “old toys” aka security basics. PCI’s focus on the basics is definitely abhorred by a lot of “discretionary purchase” security vendors as well.
    The end of the day was a mentor panel. I somehow thought that more people would show up there, even if just to watch @SecBarbie perform :-). The topics discussed were related to security career development, certifications, written goals, finding mentors in security, building your personal brand, the importance of hands-on work, etc. I wish Source would somehow make this mentorship idea permanent and ongoing…

    UPDATE: I don't know how, but I missed Andrew's "Failagain's Island - The Perils of Banking in an Island Nation" talk which was fun as well - even though it suffered from a lack of details. In any case, it makes sense to be on the lookout for some island banks 0wnage...

    During Day 2, I loved Alex Stamos presentation on cloud security architecture, “Securely Moving Your Business into the Cloud.” I will just not do it justice by retelling it here, try to get the slides or even the video if/when they get posted. He spoke about how cloud deployment makes flat architecture superior to a traditional on-prem 3-tier arch both in terms of security and performance, for example.
    Obviously, “Too Many Cooks Spoil The Broth: How Compliance Regulations Get Made” compliance panel was impressive as well. And the huge-but-cute face hanging over the entire audience made me even more skeptical about ISO ever producing a vulnerability disclosure standard :-)
    Max Kilger from the Honeynet Project did an awesome presentation called “Motivations and Objectives That Are Shaping Emerging and Future Information Security Threats.” On top of a few gems like “Russia steals our money, China steals our future” and “First time in history a single individual can affect the entire country” [by using Internet for attacks], the presentation was insightful since it connected the technical world of attacks with the cultural profiles of the attackers. More highlights of his talk are here.
    Finally, our PCI presentation (slides) and subsequent PCI book signing went really well. We did get praise for managing to “make PCI compliance … fun” which totally made my day :-)
    Among other highlights of the day, I liked Rich’s “Involuntary Case Studies in Data Breaches” (even though I missed a piece of it). As is typical for Rich, he was very insightful – and again reminded everybody that incident response is the only thing that you can ever hope to “get right” (likely, you’d screw up both prevention and detection – but please don’t screw up the response!).
    On Day 3, somehow I had high hopes for a keynote by Sam Curry, but it was again “not bad.” A lot of his stuff was about well-known facts packaged together in an interesting way, and I liked the bit about how regulations evolve and more than a few others. Skim the video when it comes out, it is worth it.
    The biggest disappointment was that Amit Yoran “Security Sucks” speech was cancelled. I cannot believe he “got volcanoed” while flying from DC to Boston :-)
    Among the usually great hallway conversations, there was one curious discussion about the PCI assessment level of diligence. Is the diligence of a routine QSA assessment any different from the “replacement QSA” assessment after a massive breach (e.g. was Heartland’s first QSA less diligent than the second?)? This debate had to do with “no breached company was compliant during the breach” [so far], which I find reasonable and most people find offensive [since they equate this with retroactive PCI pulling… which it is not!]
    The usual “security con rumor central” produced such gems as “after you travel to China with your mobile device, company X mandates that you toss the device into a nice bucket of cold water” and “no less than 10% of all iPhone apps are 0wned.”  Rumors come …rumors go.
    Grab the conference slides here (more are being added as we speak). Grab ours (Branden’s and mine) here.
    For live coverage, as usual, check hashtag #sourceboston. BTW, other accounts of the event can be found here and here.
    BTW, I have started highlighting the key points to make this blog even more useful for even busier people. Let me know if you like it or not!

    Tuesday, April 20, 2010

    Two Upcoming Speaking Ops

    Just FYI, in the next couple of days I am doing two fun speaking ops.
    Namely:
    1. Source Boston conference: Branden and I will present on “PCI DSS Done RIGHT and WRONG” (it will be even more fun than PCI Myths, promise!) on Thursday.
    2. Focus.com webcast: don’t ask :-), but I will be doing a webcast titled “Zero Day Response: Strategies for the Newest Innovation in Corporate Defense”, primarily focusing on tips to management for improving response to security issues. It will be fairly high-level, so “listener beware.”
    BTW, I am posting this after landing here in Boston. If you are around, show up at Source (location) and we can chat.

    UPDATE: Focus.com webcast is recorded here

    Monday, April 19, 2010

    IANS 3/25 Log Webcast Q&A

    As you remember, I’ve done this webcast/IPC with IANS called “Navigating the Data Stream without Boiling the Ocean: Case Studies in Effective Log Management.” My role as IANS faculty was to moderate the discussion.

    My intro slides can be found here. A recording can be found somewhere here – grab it since we had a great panel discussion with a bunch of useful and juicy bits about log management in the real world. Below I am answering some of the fun questions we got at the show for a broader audience of this blog – and sorry for a delay with that.


    Q: What, if anything, has anyone done to overcome privacy restrictions in some countries like Germany, France, Italy regarding log collection activity of users?

    A: Sorry, but I have to give you a cynical answer. From what I am hearing, those countries are making a choice in favor of – what they think of as – “privacy” over security monitoring and activity auditing. As a result, the legality of many logging and log review tasks is becoming questionable, or the burden of performing such tasks grows exponentially. The only advice I can give is to follow the law – even if you screw yourself and your organization in the process. Under democracy, you're supposed to act towards changing the law and not simply ignoring it.

     

    Q: Can you describe your process for determining what to periodically review from your logs?  Did a committee comprised of sysadmin and information security team identify what to review?

    A: Ideally, such a process should include all stakeholders, namely, people who can benefit from the information in log files. This would certainly include system administrators and a security team. However, it is not uncommon that the security team will do it on its own if other parties show no interest in participating. Regarding the process itself, the key approach is “use cases.” What do regulations say about logging and log review? What do business units ask for, if anything? What level of detail would you prefer to have during incident response? What are the things I am trying to accomplish? Look for future blog posts about this subject.

     

    Q: Would you use log management without a SIEM?

    A: Absolutely. I would not use a SIEM without log management though; I would also try not to use a SIEM without a good log management tool. For more info on this subject read this, this, this.

     

    Q: Does using a complete SIEM solution reduce the number of staff required?

    A: Hard to say what is meant by “complete” here, but the answer is either “no” or “it depends.”

    Overall, I do not like this type of positioning at all: if you are trying to purchase a SIEM solution in order to fire your security analysts, you'll fail miserably. On the other hand, if you'd like to reduce the number of people whose jobs consist of only reading logs every day, then SIEM can help reduce that staffing need so that you can allocate people to more productive security monitoring tasks. Still, the main value of a SIEM tool lies in the skilled personnel that operates it! For example, see this one.

     

    Q: What is your definition of structured and un-structured data [mentioned in the discussion]?

    A: Structured data is more like a database table: it has named fields such as “username”, “source IP”, etc. Name=value pairs are another example of log data with structure. On the other hand, plain English text is not structured [at least, not for our purposes of log analysis] and needs to be either structured (“parsed”, tokenized, etc) or directly analyzed using text mining tools.

     

    Q: How do visualization tools technically help in log review?

    A: See http://secviz.org for more information on the subject than you ever wanted to learn :-) While you're on the subject, get a great book about it.

     

    Q:  What level from the log management maturity curve [A.C. - reference to this graph] does HIPAA compliance require?

    A: Based on the fact that HIPAA prescribes logging (164.312(b) Audit Controls) and some monitoring for specific events, such as logins (164.308(a)(5)(ii)(C) Log-in Monitoring), I’d venture a guess that HIPAA compliance will require an organization to have a fairly mature log management and security monitoring operation. And is this reality? No, many healthcare organizations are nowhere near that stage with their logging.
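    To make the two answers above concrete – the structured vs. unstructured distinction, and the kind of periodic review (log-in monitoring) a regulation like HIPAA asks for – here is an added example, not code from the post or from any product it mentions. It assumes constructed sample log lines: name=value records are parsed directly into fields, free-text sshd messages are turned into the same fields by hypothetical regexes, anything else is kept as raw text plus tokens for text mining, and a single review task (failed logins per user) then runs over all of them.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the post), mixing the two kinds of data
# discussed in the Q&A: name=value records and free-text syslog messages.
SAMPLE_LOGS = [
    "ts=2010-04-19T10:01:02Z event=login result=failure user=jdoe src_ip=10.0.0.5",
    "ts=2010-04-19T10:01:09Z event=login result=failure user=jdoe src_ip=10.0.0.5",
    "ts=2010-04-19T10:01:15Z event=login result=success user=jdoe src_ip=10.0.0.5",
    "Apr 19 10:02:30 host1 sshd[1234]: Failed password for invalid user admin from 192.0.2.7 port 5555 ssh2",
    "Apr 19 10:02:31 host1 sshd[1234]: Accepted password for alice from 192.0.2.8 port 5556 ssh2",
    "Apr 19 10:03:00 host1 kernel: eth0: link is up",
]

# A whitespace-separated token of the form name=value (value may be empty).
KV_TOKEN = re.compile(r"^(\w+)=(\S*)$")

# Hypothetical patterns (an assumption of this example) that map two common
# free-text sshd messages onto the same field names the structured lines use.
SSHD_FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)")
SSHD_ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src_ip>\S+)")


def parse_structured(line):
    """Return a field dict if every whitespace token is name=value, else None."""
    tokens = line.split()
    matches = [KV_TOKEN.match(t) for t in tokens]
    if tokens and all(matches):
        return {m.group(1): m.group(2) for m in matches}
    return None


def parse_text(line):
    """Structure a free-text line: known sshd messages become login events;
    anything else is kept as the raw message plus a bag of lowercase tokens
    so it can still be searched or text-mined later."""
    m = SSHD_FAILED.search(line)
    if m:
        return {"event": "login", "result": "failure", **m.groupdict()}
    m = SSHD_ACCEPTED.search(line)
    if m:
        return {"event": "login", "result": "success", **m.groupdict()}
    return {"event": "unparsed", "message": line,
            "tokens": re.findall(r"[a-z0-9]+", line.lower())}


def parse_line(line):
    """Normalize one line into a dict and record which path produced it."""
    record = parse_structured(line)
    if record is None:
        record = parse_text(line)
        record["structured"] = False
    else:
        record["structured"] = True
    return record


def failed_logins_by_user(lines):
    """A periodic review task (cf. log-in monitoring): count login failures per
    user across both sources once they share one schema."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec.get("event") == "login" and rec.get("result") == "failure":
            counts[rec["user"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_line(line))
    print(dict(failed_logins_by_user(SAMPLE_LOGS)))
```

    The point of the design is that the review logic never looks at the raw text: only the parsers know about formats, so adding a new source means adding a parser, not rewriting every report that depends on the fields.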

     

    Also, awesome coverage of this webcast by Rocky DeStefano is here at his VisibleRisk blog.

    Enjoy!


    Dr Anton Chuvakin