Monthly Blog Round-Up – June 2014

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

1. “Why No Open Source SIEM, EVER?” contains some of my SIEM thinking from 2009. Is it relevant now? Well, you be the judge.  Current emergence of open sources log search tools, BTW, does not break the logic of that post.
2. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
3. “New SIEM Whitepaper on Use Cases In-Depth OUT!” (dated 2010) presents a whitepaper on select SIEM use cases described in depth with rules and reports [using now-defunct SIEM product]; also see this SIEM use case in depth and this for a more current list.
4. My classic PCI DSS Log Review series is popular as well. The series of 18 posts cover a comprehensive log review approach (OK for PCI DSS 3.0 as well), useful for building log review processes and procedures , whether regulatory or not. It is also described in more detail in our Log Management book.
5. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research on SIEM:

• On SIEM Tool and Operation Metrics
• SIEM Analytics Histories and Lessons
• Popular SIEM Starter Use Cases and Detailed SIEM Use Case Example
• Back to SIEM Research!
• SIEM Webinar Questions – Answered
• How to Use Threat Intelligence with Your SIEM?

Previous research on threat intelligence (TI):

• My Threat Intelligence and Threat Assessment Research Papers Publish
• Threat Assessment – A Tough Subject (And Sharks with Fricking Lasers!)
• On Threat Intelligence Management Platforms
• How to Use Threat Intelligence with Your SIEM?
• On Internally-sourced Threat Intelligence
• Delving into Threat Actor Profiles
• On Threat Intelligence Sources
• How to Make Better Threat Intelligence Out of Threat Intelligence Data?
• On Threat Intelligence Use Cases
• On Broad Types of Threat Intelligence
• Threat Intelligence is NOT Signatures!
• The Conundrum of Two Intelligences!
• On Comparing Threat Intelligence Feeds
• Consumption of Shared Security Data
• From IPs to TTPs

Miscellaneous fun posts:

• On “Defender’s Advantage”
• Security Essentials? Basics? Fundamentals? Bare Minimum?

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012, 2013.

Disclaimer: most content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

• Monthly Blog Round-Up – May 2014
• All posts tagged monthly

Monthly Blog Round-Up – May 2014

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
2. “New SIEM Whitepaper on Use Cases In-Depth OUT!” (dated 2010) presents a whitepaper on select SIEM use cases described in depth with rules and reports [using now-defunct SIEM product]; also see this SIEM use case in depth and this for a more current list.
3. “Why No Open Source SIEM, EVER?” contains some of my SIEM thinking from 2009. Is it relevant now? Well, you be the judge.
4. My classic PCI DSS Log Review series is popular as well. The series of 18 posts cover a comprehensive log review approach, useful for building log review processes and procedures (OK for PCI DSS 3.0 as well), whether regulatory or not. It is also described in more detail in our Log Management book.
5. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research on SIEM:

• Popular SIEM Starter Use Cases and Detailed SIEM Use Case Example
• Back to SIEM Research!
• SIEM Webinar Questions – Answered
• How to Use Threat Intelligence with Your SIEM?

Previous research on threat intelligence (TI):

• My Threat Intelligence and Threat Assessment Research Papers Publish
• Threat Assessment – A Tough Subject (And Sharks with Fricking Lasers!)
• On Threat Intelligence Management Platforms
• How to Use Threat Intelligence with Your SIEM?
• On Internally-sourced Threat Intelligence
• Delving into Threat Actor Profiles
• On Threat Intelligence Sources
• How to Make Better Threat Intelligence Out of Threat Intelligence Data?
• On Threat Intelligence Use Cases
• On Broad Types of Threat Intelligence
• Threat Intelligence is NOT Signatures!
• The Conundrum of Two Intelligences!
• On Comparing Threat Intelligence Feeds
• Consumption of Shared Security Data
• From IPs to TTPs

Miscellaneous fun posts:

• On “Defender’s Advantage”
• Security And/Or/Vs/Not Compliance?

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012, 2013.

Disclaimer: most content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

• Monthly Blog Round-Up – April 2014
• All posts tagged monthly

Monthly Blog Round-Up – April 2014

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
2. My classic PCI DSS Log Review series is popular as well. The series of 18 posts cover a comprehensive log review approach, useful for building log review processes and procedures, whether regulatory or not. It is also described in more detail in our Log Management book.
3. “New SIEM Whitepaper on Use Cases In-Depth OUT!” (dated 2010) presents a whitepaper on select SIEM use cases described in depth with rules and reports [using now-defunct SIEM product]; the paper link is now working again, BTW – also see this SIEM use case in depth.
4. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
5. “SANS Top 6 Log Reports Reborn!” is a new post that announces that many people’ work on best log reports has finally been published as “The 6 Categories of Critical Log Information” (with a subtitle of “Top 6 SANS Essential Categories of Log Reports 2013”)

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research on threat intelligence (TI):

• Threat Assessment – A Tough Subject (And Sharks with Fricking Lasers!)
• On Threat Intelligence Management Platforms
• How to Use Threat Intelligence with Your SIEM?
• On Internally-sourced Threat Intelligence
• Delving into Threat Actor Profiles
• On Threat Intelligence Sources
• How to Make Better Threat Intelligence Out of Threat Intelligence Data?
• On Threat Intelligence Use Cases
• On Broad Types of Threat Intelligence
• Threat Intelligence is NOT Signatures!
• The Conundrum of Two Intelligences!
• On Comparing Threat Intelligence Feeds
• Consumption of Shared Security Data
• From IPs to TTPs

Miscellaneous fun posts:

• Security And/Or/Vs/Not Compliance?
• SIEM Webinar Questions – Answered
• If You Use Window XP – You Are NOT PCI DSS Compliant!

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012, 2013.

Disclaimer: most content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

• Monthly Blog Round-Up – March 2014
• All posts tagged monthly

Monthly Blog Round-Up – March 2014

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
2. “Why No Open Source SIEM, EVER?” contains some of my SIEM thinking from 2009. Is it relevant now? Well, you be the judge.
3. “New SIEM Whitepaper on Use Cases In-Depth OUT!” (dated 2010) presents a whitepaper on select SIEM use cases described in depth with rules and reports [using now-defunct SIEM product]; the paper link is now working again, BTW – also see this SIEM use case in depth.
4. “Logging, Log Management and Log Review Maturity” post describes a common curve for SIEM/log management maturation, from mere collection (“dead log storage”) to real-time monitoring and analysis [BTW, if I were to create this now, I’d have added a layer or two on top of this…]
5. My classic PCI DSS Log Review series is popular as well. The series of 18 posts cover a comprehensive log review approach, useful for building log review processes and procedures, whether regulatory or not. It is also described in more detail in our Log Management book.
6. “SANS Top 6 Log Reports Reborn!” is a new post that announces that many people’ work on best log reports has finally been published as “The 6 Categories of Critical Log Information” (with a subtitle of “Top 6 SANS Essential Categories of Log Reports 2013”)

(why 6 of the “Top 5 entries” again? Well, the #6 on the list is a good read, that’s why!)

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research on threat intelligence (TI):

• How to Use Threat Intelligence with Your SIEM?
• On Internally-sourced Threat Intelligence
• Delving into Threat Actor Profiles
• On Threat Intelligence Sources
• How to Make Better Threat Intelligence Out of Threat Intelligence Data?
• On Threat Intelligence Use Cases
• On Broad Types of Threat Intelligence
• Threat Intelligence is NOT Signatures!
• The Conundrum of Two Intelligences!
• On Comparing Threat Intelligence Feeds
• Consumption of Shared Security Data
• From IPs to TTPs

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012, 2013.

Disclaimer: most content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

• Monthly Blog Round-Up – February 2014
• All posts tagged monthly

How to Use Threat Intelligence with Your SIEM? [BACKUP FROM DEAD GARTNER BLOG]

 NOTICE: after Gartner killed ALL blogs in late 2023, I am trying to salvage (via archive.org) some of the most critical blogs I've written while working there, and repost them with backdates here, for posterity. This one is about SIEM and TI.

SIEM and Threat Intelligence (TI) feeds are a marriage made in heaven! Indeed, every SIEM user should send technical TI feeds into their SIEM tool. We touched on that subject several times, but in this post will look at in in depth. Well, in as much depth as possible to still make my future paper on the topic a useful read :–)

First, why are we doing this:

• Faster detection – alerting on TI matches (IPs, URLs, domains, hashes, etc) is easier than writing good correlation rules
• Better context – alert triage and incident investigation becomes easier and information is available faster
• Threat tracking and awareness – combining local monitoring observations, external TI and [for those who are ready!] internal TI in one place.

What log data do we need?

• Most common log data to match to TI feeds: firewalls logs (outbound connection records … my fave logs nowadays!), web proxy logs
• Also used: netflow, router logs or anything else that shows connectivity
• NIDS/NIPS (and NBA, if you are into that sort of thing) data (TI matching here helps triage, not detection)
• ETDR tools can usually match to TI data without using a SIEM, but local endpoint execution data collected in one place marries well to TI feeds.

Where would TI data comes from (also look for other TI sources):

• SIEM vendor: some of the SIEM vendors are dedicating significant resources to the production of their own threat intelligence and/or TI feed aggregation, enrichment and cleaning
• Community, free TI feeds: CIF format comes really handy here, but CSV can be imported just as well (some lists and information on how to compare them)
• Commercial packaged feeds from the TI aggregator (it may even have pre-formatted rules ready for your SIEM!)
• Commercial TI providers of original threat intelligence.

Obviously, using your SIEM vendor TI feeds is the easiest (and may in fact be as easy as clicking one button to turn it on!), but even other sources are not that hard to integrate with most decent SIEM tools.

Now, let’s review all the usage of TI data inside a SIEM:

• Detect owned boxes, bots, etc that call home when on your network (including boxes pre-owned when not on your network) and, in general, detect malware that talks back to its mothership
• Validate correlation rules and improve baselining alerts by upping the priority of rules that also point at TI-reported “bad” sources
• Qualify entities related to an incident based on collected TI data (what’s the history of this IP?)
• Historical matching of past, historical log data to current TI data (key cool thing to do! resource intensive!)
• Review past TI history as key context for reviewed events, alerts, incidents, etc (have we seen anything related to this IP in the past TI feeds?)
• Review threat histories and TI data in one place; make use of SIEM reports and trending to analyze the repository of historical TI data (create poor man’s TI management platform)
• Enable [if you feel adventurous] automatic action due to better context available from high-quality TI feeds
• Run TI effectiveness reports in a SIEM (how much TI leads to useful alerts and incidents?)
• Validate web server logs source IP to profile visitors and reduce service to those appearing on bad lists (uncommon)
• Other use of TI feeds in alerts, reports and searches and as context for other monitoring tasks

So, if you are deploying a SIEM, make sure that you start using threat intelligence in the early phases of your project!

Posts related to this research project:

• On Internally-sourced Threat Intelligence
• Delving into Threat Actor Profiles
• On Threat Intelligence Sources
• How to Make Better Threat Intelligence Out of Threat Intelligence Data?
• On Threat Intelligence Use Cases
• On Broad Types of Threat Intelligence
• Threat Intelligence is NOT Signatures!
• The Conundrum of Two Intelligences!
• On Comparing Threat Intelligence Feeds
• Consumption of Shared Security Data
• From IPs to TTPs

Our Team Is Hiring Again: Join Gartner GTP Now!

It is with great pleasure that I am announcing that our team is HIRING AGAIN!

Join Security and Risk Management Strategies (SRMS) team at Gartner for Technical Professionals (GTP)!

Excerpts from the job description:

• Create and maintain high quality, accurate, and in depth documents or architecture positions in information security, application security, infrastructure security, and/or related coverage areas;
• Prepare for and respond to customer questions (inquiries/dialogues) during scheduled one hour sessions with accurate information and actionable advice, subject to capacity and demand;
• Prepare and deliver analysis in the form of presentation(s) delivered at one or more of the company’s Catalyst conferences, Summit, Symposium, webinars, or other industry speaking events;
• Participate in industry conferences and vendor briefings, as required to gather research and maintain a high level of knowledge and expertise;
• Perform limited analyst consulting subject to availability and management approval;
• Support business development for GTP by participating in sales support calls/visits subject to availability and management approval;
• Contribute to research planning and development by participating in planning meetings, contributing to peer reviews, and research community meetings

In essence, your job would be to research, write, guide clients (via phone inquiries/dialogs) and speak at events. Also, we do list a lot of qualifications in the job req, but you can look at my informal take on them in this post.

So APPLY HERE!

P.S. If the link above fails, go to https://careers.gartner.com and search for “IRC26388”

P.P.S. If you have questions, feel free to email me – I cannot promise a prompt response, but I sure can promise a response.

P.P.P.S This is cross-posted from my Gartner blog.

Related posts:

• On Being An Analyst or WHO Are We Hiring?
• Our Team Is Hiring Again: Australia Only [position filled]
• Our Team Is Hiring Again: UK/Europe Only [position filled]
• Our Team Is Hiring [position filled]
• The Last Blog Post! (when I joined Gartner in 2011)

Monthly Blog Round-Up – February 2014

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
2. “Why No Open Source SIEM, EVER?” contains some of my SIEM thinking from 2009. Is it relevant now? Well, you be the judge.
3. “New SIEM Whitepaper on Use Cases In-Depth OUT!” (dated 2010) presents a whitepaper on select SIEM use cases described in depth with rules and reports (the paper link is now restored!) – also see this SIEM use case in depth.
4. My classic PCI DSS Log Review series is popular as well. The series of 18 posts cover a comprehensive log review approach, useful for building log review processes and procedures, whether regulatory or not. It is also described in more detail in our Log Management book.
5. “SANS Top 6 Log Reports Reborn!” is a new post that announces that many people’ work on best log reports has finally been published as “The 6 Categories of Critical Log Information” (with a subtitle of “Top 6 SANS Essential Categories of Log Reports 2013”)

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research on threat intelligence:

• On Threat Intelligence Sources
• How to Make Better Threat Intelligence Out of Threat Intelligence Data?
• On Threat Intelligence Use Cases
• On Broad Types of Threat Intelligence
• Threat Intelligence is NOT Signatures!
• The Conundrum of Two Intelligences!
• On Comparing Threat Intelligence Feeds
• Starting Threat Intelligence Research

Past research on using big data approaches for security:

• Our “Security Information and Event Management Futures and Big Data Analytics for Security” Paper Publishes
• Big Data Analytics Mindset – What Is It?
• Big Data for Security Realities – Case 4: Big But Narrowly Used Data
• Big Data for Security Realities – Case 3: Elastic Search or Similar
• Big Data for Security Realities – Case 2 Variety Explosion
• Big Data for Security Realities - Case 1 Too Much Volume To Store aka “Big Data Collection”
• More On Big Data Security Analytics Readiness
• Broadening Big Data Definition Leads to Security Idiotics!
• Next Research Project: From Big Data Analytics to … Patching
• 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
• “Big Analytics” for Security: A Harbinger or An Outlier?

 

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012, 2013.

Disclaimer: most content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

• Monthly Blog Round-Up – January 2014
• All posts tagged monthly

Monthly Blog Round-Up – January 2014

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

1. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
2. “Why No Open Source SIEM, EVER?” contains some of my SIEM thinking from 2009. Is it relevant now? Well, you be the judge.
3. My classic PCI DSS Log Review series is popular as well. The series of 18 posts cover a comprehensive log review approach, useful for building log review processes and procedures, whether regulatory or not. It is also described in more detail in our Log Management book.
4. “SANS Top 6 Log Reports Reborn!” is a new post that announces that many people’ work on best log reports has finally been published as “The 6 Categories of Critical Log Information” (with a subtitle of “Top 6 SANS Essential Categories of Log Reports 2013”)
5. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research on threat intelligence:

• On Broad Types of Threat Intelligence
• Threat Intelligence is NOT Signatures!
• The Conundrum of Two Intelligences!
• On Comparing Threat Intelligence Feeds
• Starting Threat Intelligence Research

Past research on using big data approaches for security:

• Our “Security Information and Event Management Futures and Big Data Analytics for Security” Paper Publishes
• Big Data Analytics Mindset – What Is It?
• Big Data for Security Realities – Case 4: Big But Narrowly Used Data
• Big Data for Security Realities – Case 3: Elastic Search or Similar
• Big Data for Security Realities – Case 2 Variety Explosion
• Big Data for Security Realities - Case 1 Too Much Volume To Store aka “Big Data Collection”
• More On Big Data Security Analytics Readiness
• Broadening Big Data Definition Leads to Security Idiotics!
• Next Research Project: From Big Data Analytics to … Patching
• 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
• “Big Analytics” for Security: A Harbinger or An Outlier?

 

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012, 2013.

Disclaimer: most content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

• Monthly Blog Round-Up – November 2013
• All posts tagged monthly

Annual Blog Round-Up – 2013

Here is my annual "Security Warrior" blog round-up of top 10 popular posts/topics in 2013.

1. “Simple Log Review Checklist Released!” was again the most popular this year. The checklist, a list of critical things to look for while reviewing  system, network and security logs when responding to a security incident (companion free log tool list)
2. “Why No Open Source SIEM, EVER?” contains some of my SIEM thinking from 2009. Is it relevant now? Well, you be the judge.
3. PCI DSS Log Review series of posts takes the #3 spot; they are about planning and executing a complete log review process at an organization.
4. “Top 10 Criteria for a SIEM?” is an EXAMPLE requirement list for choosing a SIEM tool (it can be used for creating your very own SIEM RFP, but this is much better for it, of course).
5. “New SIEM Whitepaper on Use Cases In-Depth OUT!” (dated 2010) presents a whitepaper on select SIEM use cases described in depth with rules and reports (the paper link is now restored!) – also see this SIEM use case in depth.
6. “On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as about why the right way is so unpopular.
7. “SIEM Bloggables” has one possible view on higher-level SIEM use cases and basic functionality, and a quick discussion of SIEM user types (circa 2009 – so NO “big data” for you!).
8. “SIEM Resourcing or How Much the Friggin’ Thing Would REALLY Cost Me?” is a quick framework for assessing the SIEM project (well, a program, really) costs at an organization (much more details on this here).
9. “My Best PCI DSS Presentation EVER!” is my conference presentation where I make a passionate claim that PCI DSS is actually useful for security (do read the PCI book as well)!
10. SANS Top 6 Log Reports Reborn! highlights the re-release of top most popular log reports list.

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

SANS Top 6 Log Reports Reborn!

This story goes back years - many, many years. It starts with “SANS Top 5 Log Reports” [PDF] in 2006, and then continues with me volunteering to update it in 2009. I did a lot of work on it in 2009-2010, but never got it to a stage where I was 100% happy with it.  Then in 2011, I joined Gartner and therefore was unable to finish it. Only in 2012 I found a new author who polished it before handing it to SANS for publication.

The document has now been published as “The 6 Categories of Critical Log Information” (with a subtitle of “Top 6 SANS Essential Categories of Log Reports 2013”, v 3.01)

At its center are these top log report categories:

1. Authentication and Authorization Reports
2. Systems and Data Change Reports
3. Network Activity Reports
4. Resource Access Reports
5. Malware Activity Reports
6. Failure and Critical Error Reports

The document can be used to figure out what to log, what to report on and what reports to review for various purposes.

So, enjoy! A lot of work of many smart people went into this. Thanks A LOT to those who contributed to it over the years. Special thanks go to Marcus Ranum, the original logging guru, and the enlightened members of the SANS GIAC Alumni mailing list.

P.S. Those of you who have read our Log Management book have seen an earlier and somewhat more wordy version of it. This one is better!

Related posts and the entire history of this effort:

• Legacy SANS Top 5 Log Reports [PDF] (2006)
• SANS Top 5 Essential Log Reports Update! (2010)
• Updated With Community Feedback SANS Top 7 Essential Log Reports DRAFT2 (2010)

Monthly Blog Round-Up – November 2013

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

1. “Why No Open Source SIEM, EVER?” contains some of my SIEM thinking from 2009. Is it relevant now? Well, you be the judge.
2. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
3. My classic PCI DSS Log Review series is popular as well. The series of 18 posts cover a comprehensive log review approach, useful for building log review processes and procedures, whether regulatory or not. It is also described in more detail in our Log Management book.
4. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
5. “New SIEM Whitepaper on Use Cases In-Depth OUT!” (dated 2010) presents a whitepaper on select SIEM use cases in depth (the paper link is now RESTORED!)

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research on using big data approaches for security:

• Big Data Analytics Mindset – What Is It?
• Big Data for Security Realities – Case 3: Elastic Search or Similar
• Big Data for Security Realities – Case 2 Variety Explosion
• Big Data for Security Realities - Case 1 Too Much Volume To Store aka “Big Data Collection”
• More On Big Data Security Analytics Readiness
• Broadening Big Data Definition Leads to Security Idiotics!
• Next Research Project: From Big Data Analytics to … Patching
• 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
• “Big Analytics” for Security: A Harbinger or An Outlier?
• All posts tagged big data

 

Current research on security patch management:

• Cannot Patch? Compensate, Mitigate, Terminate!
• What is Your Minimum Time To Patch or “Patch Sound Barrier”

• Patch Management – NOT A Solved Problem!
• Next Research Project: From Big Data Analytics to … Patching
• On Nebulous Security Policies
• All posts related to patching

 

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

• Monthly Blog Round-Up – October 2013
• All posts tagged monthly

Monthly Blog Round-Up – October 2013

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

1. “Why No Open Source SIEM, EVER?” contains some of my SIEM thinking from 2009. Is it relevant now? Well, you be the judge.
2. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
3. My classic PCI DSS Log Review series is popular as well. The series of 18 posts cover a comprehensive log review approach, useful for building log review processes and procedures, whether regulatory or not.
4. “New SIEM Whitepaper on Use Cases In-Depth OUT!” (dated 2010) presents a whitepaper on select SIEM use cases in depth (the paper link is now RESTORED!)
5. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research on using big data approaches for security:

• Big Data for Security Realities – Case 2 Variety Explosion
• Big Data for Security Realities - Case 1 Too Much Volume To Store aka “Big Data Collection”
• More On Big Data Security Analytics Readiness
• Broadening Big Data Definition Leads to Security Idiotics!
• Next Research Project: From Big Data Analytics to … Patching
• 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
• “Big Analytics” for Security: A Harbinger or An Outlier?
• All posts tagged big data

 

Current research on security patch management:

• Cannot Patch? Compensate, Mitigate, Terminate!
• What is Your Minimum Time To Patch or “Patch Sound Barrier”

• Patch Management – NOT A Solved Problem!
• Next Research Project: From Big Data Analytics to … Patching
• On Nebulous Security Policies
• All posts related to patching

 

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

• Monthly Blog Round-Up – September 2013
• All posts tagged monthly

What is Your Minimum Time To Patch or “Patch Sound Barrier” [BACKUP FROM DEAD GARTNER BLOG]

 

My time this quarter is not only occupied by the exciting realm of big data, but also by the less exciting – but waaaaay more common – problem: security patching.

Here is a thought: every organization on this planet has an upper limit to their patching speed. For example, even if you threaten every sysadmin with torture upon failure and/or offer to pay them a $1m each upon success, there is no way (for example) to patch every Windows system at a large global bank in 3 days. The real situation is of course more nuanced and different systems have different time limits. Patching all Oracle databases within a week of patch release date is as unrealistic as patching all Windows desktops within one day, etc.

So, think of this as a “patching sound barrier”- you can try to break it, but your craft may well shatter to pieces. The knowledge of your limit is important since if your patch management is tied to risk reduction (as it should), and you are trying to reduce risk further by reducing your patching window, there is a point at which you really should stop trying… Also, if you can work *really* hard and shrink your patching window from 90 days to 30 days, meanwhile the attacker gets in within 3 days of patch release date, is your work really justified? Maybe other safeguard should be considered instead.

What factors affect this “patching sound barrier”? They include:

• Size of an organization
• Utilized system types (legacy, traditional, virtual, etc)
• Type of technology being patched (stock Windows desktop vs complex distributed application)
• System Admin/system ratio
• Degree of automation acceptance
• Change management process maturity
• Available patch management tools
• Desired risk balance (risk of patch crashing the system vs risk of unpatched system exploitation).

This limit needs to be taken into account when security recommendations and practices are considered and implemented.

Related blog posts on patching:

• Patch Management – NOT A Solved Problem!
• Next Research Project: From Big Data Analytics to … Patching
• On Nebulous Security Policies (featuring “we patch all systems within 30 days” boondoggle)
• All posts related to patching
• All posts related to vulnerability management.

Monthly Blog Round-Up – September 2013

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

1. “Why No Open Source SIEM, EVER?” contains some of my SIEM thinking from 2009. Is it relevant now? Well, you be the judge.
2. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
3. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
4. My classic PCI DSS Log Review series is popular as well. The series cover a comprehensive log review approach, useful for building log review processes and procedures, whether regulatory or not.
5. “New SIEM Whitepaper on Use Cases In-Depth OUT!” (dated 2010) presents a whitepaper on select SIEM use cases in depth (the paper link is now RESTORED!)

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research on using big data approaches for security:

• More On Big Data Security Analytics Readiness
• Broadening Big Data Definition Leads to Security Idiotics!
• Next Research Project: From Big Data Analytics to … Patching
• 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
• “Big Analytics” for Security: A Harbinger or An Outlier?

 

Past research on incident response:

• My Incident Response Paper Publishes
• On Three IR Gaps
• Fusion of Incident Response and Security Monitoring?
• Survey: How Many Security Incidents Have You Had Over the Last 12 Months?
• Security Incidents vs “IT Problems”
• Top-shelf Incident Response vs Barely There Incident Response
• On SANS Forensics Survey
• Incident Plan vs Incident Planning?
• On Importance of Incident Response
• Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
• Time-tested Incident Response Wisdom?
• Incident Response: The Death of a Straight Line
• Alert-driven vs Exploration-driven Security Analysis
• My Next Research Area: Incident Response

Past research on endpoint detection and investigation tools (ETDR):

• My Paper on Endpoint Tools Publishes
• Endpoint Threat Detection & Response Deployment Architecture
• Essential Processes Around Endpoint Threat Detection & Response Tools
• Named: Endpoint Threat Detection & Response
• Endpoint Threat Indication & Response?
• Endpoint Visibility Tool Use Cases
• On Endpoint Sensing
• RSA 2013 and Endpoint Agent Re-Emergence
• A Quiet Assumption

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

• Monthly Blog Round-Up – August 2013
• All posts tagged monthly.

Monthly Blog Round-Up – August 2013

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

1. “Why No Open Source SIEM, EVER?” contains some of my SIEM thinking from 2009. Is it relevant now? Well, you be the judge.
2. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
3. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
4. “On Choosing SIEM” is another old classic (from 2010) that often shows up on my top list; it covers some tips on choosing SIEM tools.
5. Finally, my classic PCI DSS Log Review series is popular as well. They outlined log review approach, useful for building log review processes and procedures, whether regulatory or not.

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

 

Current research on incident response:

• On Three IR Gaps
• Fusion of Incident Response and Security Monitoring?
• Survey: How Many Security Incidents Have You Had Over the Last 12 Months?
• Security Incidents vs “IT Problems”
• Top-shelf Incident Response vs Barely There Incident Response
• On SANS Forensics Survey
• Incident Plan vs Incident Planning?
• On Importance of Incident Response
• Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
• Time-tested Incident Response Wisdom?
• Incident Response: The Death of a Straight Line
• My Next Research Area: Incident Response

Current research on endpoint detection and investigation tools (ETDR):

• Endpoint Threat Detection & Response Deployment Architecture
• Essential Processes Around Endpoint Threat Detection & Response Tools
• Named: Endpoint Threat Detection & Response
• Endpoint Threat Indication & Response?
• Endpoint Visibility Tool Use Cases
• On Endpoint Sensing
• RSA 2013 and Endpoint Agent Re-Emergence
• A Quiet Assumption

Miscellaneous fun posts:

• 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
• Bye-bye, Compliance Thinking. Welcome, Military Thinking!
• DLP Webinar Questions – Answered!

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

• Monthly Blog Round-Up – July 2013
• All posts tagged monthly.