
Thursday, July 19, 2012

Metricon 7 Workshop Reminder

Just a quick reminder about the Metricon 7 workshop on security metrics.

Date: August 7, 2012

Location: Bellevue, WA (co-located with USENIX 12)

Registration: https://www.usenix.org/conference/usenixsecurity12/registration-information (pick just the metrics workshop or the entire event)

Agenda:

1. Introduction to Metricon, security metrics and workshop goals by Anton Chuvakin (9:00-9:30)

2. “Even Giant Metrics Programs Start Small” by David Severski (9:30-10:30)

3. Break (10:30-10:45)

4. PANEL: “Rules of the Road for Useful Security Metrics” (10:45-11:30)

5. Mini-talk 1 and 2 – TBD (11:30-12:00)

6. Lunch break (12:00-1:00)

7. “What We Want to See in Security Metrics” by Christopher Carlson (1:00-2:00)

8. PANEL: “What We Know to Work in Security Metrics” (2:00-2:30)

9. “Application Security Metrics We Use” by Steve Mckinney (2:30-3:00)

10. Break (3:00 – 3:15)

11. “Threat Genomics and Threat Modeling” by Jon Espenschied (3:15-4:15)

12. Discussion time, everybody shares lessons, highlights, etc (4:15-5:00)

13. Conclusions, results and action items by Anton Chuvakin (5:00-5:15)

Additional details: here 

See you there!

Tuesday, June 12, 2012

"PCI Compliance", 3rd edition - Out On August 6, 2012

A new edition (3rd) of our book "PCI Compliance" is coming out on August 6, 2012.
It covers PCI DSS 2.0, as requested by many of our readers.  Other new materials include Emerging Technology and Alternative Payment Schemes, PCI for the Small Business, etc. A full ToC for this new edition is here.

Get the book in print or for Kindle!




Monday, April 30, 2012

Metricon 7 Call for Papers

This is a Call for Papers (CFP) for Metricon 7.

Key stats first:

  • Conference date: August 7, 2012
  • CFP deadline: May 31, 2012
  • Conference location: Bellevue, WA
  • Cost to attend: free (but you’d need to add value to discussions).

CFP follows below and can also be found at the SecurityMetrics site.

Metricon 7 - Security Metrics: Useful or Bust!!

How to define, generate, and communicate security metrics you can use TODAY!

This year, Metricon 7.0 is excited to issue a call for participation to the information security community. The event will occur August 7th, 2012, co-located with USENIX in Bellevue, WA.

Given that this is the 7th event, we think it is time to finally say it: security metrics MUST be useful NOW! Thus, the focus this year is on useful and usable metrics – not conceptual and theoretical stuff that sounds great, but cannot and will not be used in today’s organizations. Also, presentations and panels that talk about “How?” and “What?” will be strongly prioritized over “Why?” (and “whine”). Enterprises and tool vendors are both welcome to present! Academic researchers tackling real-world problems are welcome as well.

We want to see:
• How you achieved “quick wins” with security metrics
• How you define useful metrics, whether risk or operational
• Which of the metrics you track are the most useful
• How you solved a particular challenge in the security metrics area
• How your tool helps (not “can help”!) with collecting and analyzing security metric data
• Who gets the metrics you create, and how they use them
• Which metrics you use to determine that security controls are effective
• How organizations generate actionable advice from security metrics
• How to track that your security is improving using metrics

We do not want:
• Uncollectable and unusable metrics
• Metrics philosophy
• Uncooked metrics that sound vaguely “interesting”

Send submissions and your ideas for panels and presentations to metricon7@securitymetrics.org

Deadline for presentation and talk submissions is May 31st, 2012. Submissions should be sent to Metricon7@securitymetrics.org.

Wednesday, August 31, 2011

Quick Blogging Update

As I mentioned, due to my joining Gartner, I am not blogging on security here anymore. However, a quick announcement is in order:

Enjoy!

Sunday, July 31, 2011

The Last Blog Post!

This is my last blog post –for the foreseeable future. It is dated 7/31/2011 at 11:59PM. What happens tomorrow? A new life, of course!

As only very few of you know, I have accepted a position of Research Director with Gartner, Inc. Tomorrow I am joining a stellar team led by Phil Schacter, formerly from Burton Group.

I spent two VERY successful years consulting, working with companies like Novell, RSA, LogLogic, NitroSecurity, eGestalt, ObserveIT, Tripwire, AlienVault, “Big MSSP”, “Big Insurance Company”, “SaaS Log Management Company”, “IT Management Software Company”, “SMB Security Company”, “Big Networking Equipment Company” and others. I defined, built, deployed, and marketed security products, mostly in the area of SIEM and log management. I helped organizations with security and PCI DSS strategy. I advised security vendor management on compliance strategy for their products. I have spoken at clients’ events and have written more whitepapers than I care to admit… and did a lot of other fun things!

It was fun and I loved it - and as my clients can attest, I was good at it. Also, I was busier than I thought I’d be, and occasionally busier than I wanted to be. However, at some point I started to feel that I needed another step up. And so I am making that step now!

In accordance with my future employer policy, I have resigned from the Advisory Boards of Dasient, Securonix, nexTier Networks, Savant Protection, eGestalt, and Rapid.IO. Good luck to all of you!

In all likelihood, I will eventually resurface at Gartner blogs – please look for me there. And finally, those who love my personal blogging (all 4007 of you as of today), don’t despair – I will still occasionally blog here on non-infosec subjects: think good books, laser weapons, hypnosis, skiing, travel and my other weird hobbies.

Finally, I want to give very special thanks to Lee Kushner for his super-valuable career counseling that helped me make this difficult career choice.


Saturday, July 30, 2011

Old Content Posted: Presentations, Documents, etc

In preparation for a career change (stand by for an announcement on midnight July 31, 2011), I am posting A LOT of my old presentations and documents online for the community.

See http://www.slideshare.net/anton_chuvakin/presentations for such gems as my HITB 2010 keynote “Security Chasm”, “Brief SIEM Primer”, “Making Log Data Useful” as well as the most recent “Five Best and Five Worst SIEM Practices”.

See http://www.docstoc.com/profile/anton1chuvakin for a bunch of older documents on security, logging, SIEM, PCI DSS – including such gems as “Logging Haiku”, a firewall logging primer, etc.

Enjoy!

Tuesday, July 26, 2011

NIST EMAP Workshop–Aug 2011

A lot of good work on logging standards as well as standards for the “surrounding areas” (correlation rules, parsing rules, etc) will happen at this first-ever NIST workshop on EMAP.

Please mark your calendars to save the date for an EMAP Developer Workshop to be held August 29-30, 2011 at the NIST Campus in Gaithersburg, Maryland.  We are still formalizing the agenda, but topics to be covered will include:

· Discussion of target use cases and requirements as identified by EMAP working group.

· CEE Overview and in-depth discussion of current issues.

· Discussion of EMAP component specifications and issues/questions for the community.

· Discussion of EMAP roadmap and connections with other efforts within security automation.

We are in the process of standing up a registration page and creating the agenda.  A teleconference line will be provided for those who cannot attend in person.  More details to come in the near future, we hope to see you there.

If you are dealing with logs and SIEM (such as building, or even using the tools) and care about standards, please consider attending – but only if you will contribute!


Monday, July 04, 2011

PCI in the Cloud Class July 8: Location Finalized

Just a quick announcement about my “PCI in the cloud” class that I am teaching this week. The location has been finalized:
Location (map):
Ariba Silicon Valley Office
Sequoia Conference Room

910 Hermosa Court,
Sunnyvale, CA

(please use the main entrance and tell the receptionist that you are there for the CSA PCI class; lunch and coffee will be provided)
Date: Friday July 8, 2011 at 9AM
There are still, I think, 2-3 seats left at $20/seat (beta price! must provide class feedback!!), so go and register here.

UPDATE: 7/4/2011 5:50PM Sorry, sold out! I will check with the host tomorrow about the room size and there is a slight chance that we can fit more than 25 people, but it is not a certainty.


Tuesday, May 31, 2011

PCI DSS in Cloud Computing Environments–THE Training

It took many long weeks to create and now it is …. OUT!!! Sign up here now if you are in the Bay Area on July 8, 2011. The training is being offered free by the Cloud Security Alliance (well, we ask for $20 to offset the pizza costs) in exchange for your feedback, and participation is very limited. I would not be surprised if future production “runs” cost attendees 30x-50x the above “price”, since this is a full-day class focused solely on PCI DSS and cloud environments (likely 9AM-4PM with a few breaks).

The initial PCI DSS Cloud Training Class will be held in Silicon Valley on July 8, 2011; the exact location is to be determined.

The first ever class dedicated to assessing and implementing PCI DSS controls in cloud computing environments covers how to think of and how to do PCI DSS in various cloud computing environments. Focused primarily on people familiar with PCI DSS, it starts from the “hype-free” cloud computing facts and then delves into key scenarios where PCI DSS and clouds overlap in the real world. You will learn where to look while assessing such environments and what pitfalls and mistakes to avoid. It will also cover the shared responsibility between service providers and merchants in implementing PCI DSS controls. Specifically, we will discuss how PCI DSS Requirement 12.8 applies to various cloud scenarios.

The class would be most useful to PCI DSS QSA, organizations offering PCI DSS consulting as well as merchants planning or implementing PCI compliance.

BTW, in addition to the class materials, I am preparing some “goodies” such as control spreadsheets and implementation tips that should work for various cloud and payment environments. There will be some fun exercises as well!

See you there! I will post updates and maybe even some materials as time progresses.

Thursday, May 19, 2011

On SIEM MQ 2011

As all of you know, Gartner SIEM MQ 2011 is out – you can see it here (or here) without registration. The quadrant mostly matches my recent SIEM project experience.

My observations follow below:

  • CA “SIEM” and “Log Manager” are finally wiped off the face of the Earth (=removed from SIEM MQ), NetIQ is dumped down to the Niche. As they should be.
  • Honestly, Symantec SSIM in Leaders is a mystery to me; must be those invisible non-competitive deals or EU/APAC deals. I’ve not seen them on an enterprise SIEM shortlist in the US for a loooooooong time. The rest of the leaders match my expectations fully (and four of them have been at some point my consulting clients)
  • Splunk is now officially a [sub-par] SIEM, even though it is really not. Is that good or bad? Well, they got their “honorable mention” for the last few years and now they are in the quadrant. BTW, this example shows that you can make A LOT of money by being free and not in any Magic Quadrant!
  • Visionary sector of the MQ galaxy is extremely crowded – but with very different tools, ranging from Prism to Trustwave. Many organizations will choose a tool from this sector, but need to be careful – read the related posts below for some selection ideas and pitfalls.

BTW, congrats to all the vendors who got added this year: AlienVault, Tripwire, splunk and the regional SIEM guys.

As always, apart from insight, the MQ document has a good share of unintentional hilarity, for example:

  • “This company declined to provide any information to Gartner for this research” (Darwin Awards anybody?)
  • “Customer feedback on product function and support is mixed.” (Anton translation: product usually doesn’t work?)
  • “Non-English-language versions of XYZ are not available.” (Anton’s comment: is everything else about the product perfectly perfect?)

Finally, if anybody is wondering, I think the concept of the Magic Quadrant (whoever at Gartner came up with it) is brilliant. However, many of the wrong SIEM purchase decisions I’ve seen made usually stem from the decision maker’s own ignorance and not from whatever document or market visualization he has in his possession. Keep this in mind…

Rocky, your turn!


Wednesday, May 18, 2011

What To Do When Logs Don’t Help: New Whitepaper

Here is a hard problem: you MUST log, but there are no logs to enable. Or, what is no less common, logs are so abysmal that they don’t help – and don’t fit the regulatory mold (example: PCI DSS Requirements 10.2 and 10.3). Or, logs are “out there in the cloud” and you cannot get them, but compliance is here and requires them.

What to do?

The answer to this eternal question is in my new whitepaper that I have written for Observe-IT (observeit-sys.com).

Executive summary:

This paper covers the critical challenges of implementing PCI DSS controls and suggests creative solutions for related compliance and security issues. Specifically, the hard problem of security monitoring and log review in cloud, legacy, and custom application environments is discussed in depth. Additionally, clarification of key PCI DSS compensating controls is provided. This paper will help you satisfy the regulatory requirements and improve the security of your sensitive and regulated data.

Short version [PDF] (5 pages)

Extended version [PDF] (13 pages)

As usual, the vendor was paying the bill, but the thinking and research are all mine (SecurityWarrior Consulting).

Enjoy!


Wednesday, May 04, 2011

NEW (!) Metricon is Coming, RFP Out

The CFP for Metricon 6 is alive, the deadline is June 15. If you think that the previous one [somewhat] sucked, this one will be different, since it will be about…

"Real People Generating Real Information"

This year, Metricon 6 is excited to issue a call for participation to the InfoSec community. It will occur August 9th, 2011, co-located with USENIX in San Francisco, California. We will be breaking up topics into the following sections, and subsequently would be very interested to review submissions in the following subjects:

• Metrics & Instrumentation
• The Utility of Risk Metrics
• Risk & Cyber Insurance
• Methods for measuring impact
• Incident Management Metrics
• Operational Metrics Beyond Patches, Vulns, & Anti-Virus

THE PROGRAM
--------------------------------

This year's Metricon will be more "convention" than "defend your thesis." Included will be panels, discussions, as well as traditional presentations. We would like to include:

The "Listen" Portion of our Program: Executive use of Metrics

WANTED: Executives to join a panel on the use of Metrics to make decisions:

Metricon 6 is seeking executives excited to discuss metrics they are happy with, unhappy with, or just executives who want to reach out to the security metric community and give us an earful.

We're especially interested in executives who are using (or have unsuccessfully tried to use) operational metrics to make a business case.

The "Feedback" Portion of our Program: Metrics & Instrumentation

WANTED: Vendors (Product Managers?) who want to talk about their approach to developing the artifacts for their products and services and how they currently or in the future hope to help customers feed an evidence-driven approach to risk management.

In addition, we are looking for security vendors who would like unobstructed feedback to the artifacts and outputs of their current products & services.

For Discussion: Methods for Measuring Impact

WANTED: risk analysts, auditors and anyone else who is estimating and/or tracking the impact of incidents. How do you account for or estimate how much an organization suffers from IT security incidents?

Speaking of Incidents, For Discussion: The Role of Metrics in an Incident Response Program

WANTED: IR teams and/or executives willing to talk war stories not about incident specifics but looking back, what is the role of metrics in IR (real or hypothetical), what metrics you (may or may not) collect, and why.

For Discussion: Risk & CyberInsurance

WANTED: Do you buy, sell, or have internal hedging practices that could be considered "cyberinsurance?" We're seeking individuals to present on the growing practice of cyberinsurance and its use as a hedge against security incidents.

For Discussion: Operational Metrics Beyond Patches, Vulns, & Anti-Virus

It's cliché these days to say that most operational metrics programs are of little use beyond "the big three". WANTED: Panelists and presenters for discussions around operational metrics that are not directly the output of vuln. mgmt, patch mgmt, or A/V products.

The Lightning Rounds: New and Unique Approaches

15 minute sessions showing off new research, approaches, data and models.


See ya there!!

Thursday, April 28, 2011

On Sony PSN Breach and Commenting

Here is why I am rejecting many requests to “comment on the Sony PSN breach”: because most such post-breach comments by outsiders are pure drivel that rarely even RISES to the level of FUD.

So:

Q: What got stolen in the now infamous Sony PlayStation Network (PSN) breach, the #4 largest ever at DatalossDB?

A: Definitively, for all PSN users: “name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID” (source: Sony letter, obtained via dataloss-discuss@datalossdb.org)

Possibly: “profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers” (source: same Sony letter)

Total record count stands at 77 million.

Q: Were all the credit cards stolen?

A: I don’t know and Sony says THEY DON’T KNOW either.


Q: What does it mean, “they don’t know”?

A: To me, it means they sucked at security monitoring and sucked REALLY hard at logging, and likely didn’t have database logging/auditing. Allowing the breach to happen can happen to anybody, but not knowing AFTER the breach whether REGULATED data was stolen points to gross incompetence.


Q: Were they PCI compliant?

A: I don’t know. Most likely, they were validated as PCI DSS compliant at some point (I’d assume they are Level 2 or maybe Level 1). Was there a QSA involved? I don’t know, but I’d guess they comprise multiple Level 2 (and below) merchants, not one Sony-wide Level 1. Thus they self-assessed via SAQ.


Q: But were they REALLY PCI compliant?

A: I don’t know. Don’t bug me about this one.

Q: Were they PCI compliant at the presumed time of the breach?

A: I don’t know. Personally, I seriously doubt it since maintaining PCI compliance at all times is extremely hard (example) and access to regulated data should be logged and monitored.


Enjoy!

Tuesday, April 19, 2011

Verizon DBIR 2011 is OUT!

OMG, today is The Breach Day, an official security holiday. Verizon Business has just released their super-famous “2011 Data Breach Investigations Report”.
Here are my notes, thoughts, jokes and highlights (all images and quotes are from VzDBIR 2011).

First, we all know that science has been looking for a scientific proof of stupidity for years, and finally it is here, delivered through the power of a Pie Chart below:
In other words, most of the damaging, expensive breaches have cheap countermeasures that people just don’t do. Niiiice!

On a more serious note, not only were many of the breached organizations ignorant, they were not even close to being PCI DSS compliant (more on this below).
Doesn’t it make you think that we are going backwards in security, “APT” notwithstanding?
So, who ARE these people? Well, we now know:

Key industries are those known for limited infosec resources and lots of juicy payment card numbers, often combined with other useful information such as mailing addresses.

That is likely why we have fewer records stolen overall (no known mega-breaches), but A LOT of smaller “losses”, largely attributable to the industrial “hacking machine” of cybercrime hitting smaller businesses head-on.
And how exactly are they getting owned – surely with ancient Chinese secret APT hacking tools? Well, yeah – on the “ancient” part: it is mostly password guessing that harks back to the 1970s:

So, Verizon says: please go and change that password that still says "password" - you will help your security posture a lot!

What specific computing assets are bearing the brunt of attacks? This easy diagram shows:
So, merchants, do you still have that POS server in the back of the store with the PANs of all the cards you ever accepted? Congrats, your donation to the cybercrime fund has been accepted…

To make things even sadder, people are not detecting shit:
The above shows that the most typical time between the incident and its detection is “weeks.” Still want to field that real-time monitoring system? Save some money and buy a cheaper log management system + establish a solid log review process (example).

The Verizon team does give the same advice I often give my clients today: "Change your approach to event monitoring and log analysis: Based on the data we collect in the Time of Breach events, we believe that organizations would be better served to focus less on the “real-time” methods of detection, and more on the “this week” methods. If we can shift Compromise to Discovery time frame from Weeks and Months to Days, it will significantly reduce the damage done to your organization"

Let’s REALLY crank up the sadness – even after WEEKS or MONTHS, who is actually doing detecting? Not the security team, mind you. Yup, The Third Party wins again!
Your own log review detects breaches LESS OFTEN than “happenstance discovery by an unrelated 3rd party” [why? because you ain’t doing that log review!]. So, random people stumbling on your weeks-old breach evidence is more "effective" than your log analysis. This is how bad things really are… The above graph made me cry in pain, BTW.

Specifically, the report states "If there is one positive note that we can squeeze out of these statistics around active measures, it’s that discovery through log analysis and review has dwindled down to 0%. So the good news is that things are only looking up from here. Yeah, that’s squeezing pretty hard, but what else can we do? Figure 41 continues to show that good evidence of the breach usually exists in the victim’s log files waiting to be used. "

Finally, does PCI compliance help? Well, we’d know only if the organizations were in compliance, and most aren’t (not even at ASSESSMENT TIME, much less at BREACH TIME):
End of the story, really.

Overall, this was the saddest VzDBIR I have ever read … Wade and Alex, you made me and my puppy weep. My highlights might be fun, but PLEASE do take time to read the entire report [PDF]!!

Thursday, February 24, 2011

The Honeynet Project Releases New Tool: Cuckoo

Here is another cool tool release from The Honeynet Project: Cuckoo Box by Claudio Guarnieri. Cuckoo is a binary analysis sandbox, designed and developed with the general purpose of automating the analysis of malware. Read more about the tool here, grab the tool here – but please read detailed setup guide here (make sure to read it!). BTW, this tool is really well-documented, so make use of it before deploying it.

Cuckoo is a lightweight solution that performs automated dynamic analysis of provided Windows binaries. It is able to return comprehensive reports on key API calls and network activity. Current features are:

  • Retrieve files from remote URLs and analyze them.
  • Trace relevant API calls for behavioral analysis.
  • Recursively monitor newly spawned processes.
  • Dump generated network traffic.
  • Run concurrent analysis on multiple machines.
  • Support custom analysis package based on AutoIt3 scripting.
  • Intercept downloaded and deleted files.
  • Take screenshots during runtime.

Please try the tool and send the feedback to the author – or sign up for a mailing list devoted to this tool here.


Wednesday, February 09, 2011

The Honeynet Project Releases New Tool: PhoneyC

As promised, I will be reposting some of the cool new announcements from The Honeynet Project here on my blog since I now serve as the Project’s Chief PR Officer.

Here is one more: a release of a new tool called PhoneyC, a virtual client honeypot.

PhoneyC is a virtual client honeypot, meaning it is not a real application (that can be compromised by attackers and then monitored for analysis of attacker behavior), but rather an emulated client, implemented in Python. The main thing it does is scour web pages looking for those that attack the browser.

It can be run, for example, as: $ python phoneyc.py -v www.google.com

By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.

Download version 0.1 (the contained readme has installation instructions) here: phoneyc_v0_1_rev1631.tar_.gz

v0.1 feature highlights include:

* Interpretation of useful HTML tags for remote links
  - hrefs, imgs, etc ...
  - iframes, frames, etc
* Interpretation of scripting languages
  - javascript (through spidermonkey)
  - supports deobfuscation, remote script sources
* ActiveX vulnerability "modules" for exploit detection
* Shellcode detection and analysis (through libemu)
* Heap spray detection

PhoneyC is hosted on http://code.google.com/p/phoneyc/ from which the newest development version can be obtained via SVN. For any issues turn to the Google Group dedicated to the project: http://groups.google.com/group/phoneyc.


Thursday, February 03, 2011

Proactive and Continuous Compliance? For Real?

At one of the first security conferences I ever attended (probably in 2001 or so), there was this vendor dude who would not stop rambling about continuous compliance. I listened to him and it suddenly dawned on me: what an awesome idea! Running a security-focused, ongoing, multi-regulation program that delivers value to business units and reduces risk – what’s not to love here?

However, over the years I’ve gotten more cynical on this matter; we all know our beloved security industry does this to people. As I said in my infamous “Top PCI DSS Security Marketing Annoyances”: “‘Ongoing compliance’ theme is awesome. Sadly, a majority of your customers [I was addressing security vendors in that post – A.C.] don’t do it like this (to their own loss – this is why it is sad). They still have the assessment-time rush, the pleasing-the-assessor approach and the checklist-oh-we-are-DONE! mentality. If you want to sell continuous compliance, you need to educate them first!”

Despite such sentiment, I still love the idea of a continuous, proactive, cross-regulatory approach to compliance. The mere fact that most organizations don’t do it like this should not discourage the education efforts to make it more common.

In fact, some recent research indicates that maybe – just maybe – the tide is turning and organizations will start revolting against the “annual assessment rush”, “audit mentality” and “audit done? see ya next year, security!” themes. Even if very weak, there are other indicators that the value of running an ongoing compliance program with technical control assessment automation is growing more popular and newer tools may make it more real. Verizon Breach 2010 report and Verizon PCI report also seem to indicate that compliance programs help security, while annual compliance audits only work to unearth negligence and incompetence. The drive to operationalize PCI DSS controls (example) and to stay compliant (example) also seems to be growing, at least among the larger merchants. One more example comes from the whole FISMA theater – NIST folks now are all about “continuous monitoring” for FISMA compliance (see this FAQ).

In light of this, maybe the times of continuous, [more] automated compliance are upon us? It so happens that I will be doing a SANS webcast to explore this topic on February 11. Join the conversation as well as the fight for useful and continuous compliance in service of security.

Is continuous compliance a reality at your organization? Are you doing something 9, 6, 3 months before the annual PCI DSS assessment? Do you meet the auditor once a year? Or do you make an effort to stay compliant?

Tuesday, February 01, 2011

First-ever Honeynet Project Public Conference–Paris 2011

It is with great pleasure that I announce the first-ever Honeynet Project Public Conference, held alongside the traditional Honeynet Project Annual Workshop. The event is held on March 21, 2011 in Paris. For those who just want to register now, go here.

Date: 21 March 2011 (Monday), 8:30AM ~ 18:00 (GMT+1)
Location: ESIEA Paris, 9 rue Vesale, 75005 Paris (nearest subway station: Les Gobelins, line #7)
About the event:
The 2011 Honeynet Project Security Workshop brings together experts in the field of information security from around the world to share the latest advances and threats in information security research. Organized by the not-for-profit Honeynet Project and co-sponsored by the ESIEA Engineering School, this full-day workshop creates opportunities for networking, collaboration and lessons learned, featuring a rare, outstanding line-up of international security professionals who will present on the latest research tools and findings in the field.
This year’s workshop will be held in Paris, France on 21 March 2011 and is the first time that the workshop has opened a day to the public. Starting at 9:00 GMT+1, the workshop program features a format that includes presentations in five sessions and two bonus hands-on activities. The bonus activities include a technically challenging capture-the-flag (CTF) session and a tough forensics challenge (FC) that will allow attendees to apply their expertise and compete for prizes. If you’re looking to attend a high quality and challenging security workshop, then we encourage you to take advantage of this rare opportunity.
Note:
1. Attendee limitation is 180
2. Participants can bring their Computer to play CTF and Forensics Challenges (FC).
3. Security workshop will be conducted in English.
Full agenda is available here; some highlights are below:

SESSION 2: Combating the Ever-Evolving Malware
10:30~11:00 – Efficient Analysis of Malicious Bytecode: Linespeed Shellcode Detection and Fast Sandboxing (Georg 'oxff' Wicherski, McAfee)
11:00~11:30 – High-Performance Packet Sniffing (Tillmann Werner, Kaspersky Lab)
11:30~12:00 – Reversing Android Malware (Mahmud Ab Rahman, MyCERT, CyberSecurity Malaysia)

Enjoy the event!

Wednesday, January 19, 2011

Today The Industry Is Changed!

Don’t I love overly dramatic headings? Yup, I do.
Pretty much since the day Security Scoreboard launched, I was a MAJOR fan of the site and have always considered it “an industry-changing idea”  that can solve the #1 problem in information security – no, not APT! – inability to match solutions to security problems and rate what solutions actually solve those problems well. The industry, as we all know, is full of crapware – from “PCI scans” for $0.41 per month to fake anti-spyware and “magic” appliances that “do security stuff.”
And now we have a powerful weapon to fight it! Today Security Scoreboard changes everything … again.
Specifically:
Security Scoreboard has announced the appointment of security industry veteran Dominique Levin as Chief Executive Officer. The site offering unbiased end-user reviews and ratings on security products also received an investment and moved its headquarters to the Silicon Valley.
Yes, you can still think of the site as “Yelp for Security Products” – but also start thinking of it as “crowd-sourced and reality-based Gartner.” In my opinion, there is NOTHING (!!!) that our industry needs more than clarity. Yes, even more than APT defense and easy-to-use SIEM. Lately, a lot of very smart folks have been bemoaning the state of the industry (example, example) and the Security Scoreboard relaunch cannot have come at a better time.
The full press release is pasted below (original) – yes, I am that excited to do it:
Security Scoreboard, which offers security product ratings and analytics based on real-world user experiences, announced that it has received an initial angel investment.
"Crowd-sourcing could significantly improve the validity and quality of the information available about commercial IT products”, said Dana Gardner, president and principal analyst at Interarbor Solutions. “As a consumer I can look at Angie's List, Rotten Tomatoes or TripAdvisor and it's crazy such a thing doesn't exist for IT."
“Even if you have the time and money to test different solutions, it's always the details of real-life implementations that come to bite you”, said Chris Sawall, Supervisor of Information Security at Ameren Corporation, a Fortune 500 company and one of the nation's largest investor-owned electric and gas utilities. “You never know how technologies and solutions will really work until you have invested in them. Security Scoreboard allows me to be better informed."
At the time of the investment, the company also appointed Dominique Levin as CEO.
Levin comes to Security Scoreboard from LogLogic Inc., a leader in security and log management solutions, where she served as Chief Marketing Officer and Acting CEO. She was also previously VP Marketing at PoliVec, held positions at Nippon Telegraph and Telephone and Philips Consumer Electronics and generated over $630 million in shareholder value as a venture capital investor.
“The recent funding and the move to Silicon Valley will allow us to tap into engineering talent to accelerate our roadmap,” said Levin.
“Security Scoreboard recently introduced new analytics capabilities, which highlight top vendors by user ratings and present trends on site visits”, said Dr. Boaz Gelbord, President and co-founder of Security Scoreboard and himself a practicing security executive. “We are looking to add more sophisticated analysis leveraging user generated data”.
"The new analytics move Security Scoreboard in the direction from merely showing you what your peers are thinking to making true crowd-based recommendations about which vendor tools to use", said Jay Leek, Vice President of International Security at Equifax.
The company plans to raise additional venture funding later this year.
About Security Scoreboard:
Security Scoreboard is a community generated review and rating site to help security practitioners and executives select the right information security solutions. Security Scoreboard is supported by an Advisory Group and User Council of industry leading CISOs, CIOs and security managers. The site leverages crowd sourced ratings and state of the art analytics to provide recommendations based on real life experiences of other customers.
I am REALLY looking forward to the new era – and I do realize that it will take work!

Thursday, January 06, 2011

SANS SEC434 Log Management Class is Back–Jan 27-28, 2011 in Sacramento, CA

We are doing ONE LAST BETA for my log management class (half price) in Sacramento again. Info and where to sign up are below:
Class name: Log Management In-Depth: Compliance, Security, Forensics, and Troubleshooting
Class dates:
Thursday, January 27, 2011 - Friday, January 28, 2011:
Day 1: 9:00am - 5:00pm
Day 2: 9:00am - 12:00pm

Class location:
CalPERS
400 Q Street, East Building Room 1733
Sacramento, CA 95811
Class description (source):
This first-ever dedicated log management class teaches system, network, and security logs, their analysis and management, and covers the complete lifecycle of dealing with logs: the whys, hows and whats.
You will learn how to enable logging and then how to deal with the resulting data deluge by managing data retention, analyzing data using search, filtering and correlation as well as how to apply what you learned to key business and security problems. The class also teaches applications of logging to forensics, incident response and regulatory compliance.
In the beginning, you will learn what to do with various log types and get brief configuration guidance for common information systems. Next, you will learn a phased approach to implementing a company-wide log management program, and go into the specific log-related tasks that need to be done on a daily, weekly, and monthly basis in regard to log review and monitoring.
Everyone is looking for a path through the PCI DSS and other regulatory compliance maze, and that is what you will learn in the next section of the course. Logs are essential for resolving compliance challenges; this class will teach you what you need to concentrate on and how to make your log management compliance-friendly. People who are already using log management for compliance will learn how to expand the benefits of their log management tools beyond compliance.
You will learn to leverage logs for critical tasks related to incident response, forensics, and operational monitoring. Logs are one of the key information sources while responding to an incident, and this class will teach you how to utilize various log types in the frenzy of an incident investigation.
Finally, the class author, Dr. Anton Chuvakin, probably has more experience in the application of logs to IT and IT security than anyone else in the industry. This means he and the other instructors chosen to teach this course have made a lot of mistakes along the way. You can save yourself a lot of pain and your organization a lot of money by learning about the common mistakes people make working with logs.
Class is beta: SANS gives you a 50% discount and you provide detailed feedback:
This is a special beta course whose materials are still being fine-tuned. We are offering it at a discount at this event in exchange for the students' detailed feedback, which will help us improve and finalize the course's content and exercises.
Note this laptop requirement: no MacOS, no VMware.
A laptop with Windows XP or later or recent Linux operating system installed which can unzip/gunzip compressed files. CD/DVD drive is required. MacOS is not acceptable.
Please sign up; the class already has enough people, which suggests that it will not be cancelled like the last one in LA.


Dr Anton Chuvakin