Anton Chuvakin Blog -

Links for 2008-07-03 [del.icio.us]

Thu, 03 Jul 2008 20:00:00 +0000

Misc Reading Related To Verizon Breach Report

Thu, 03 Jul 2008 10:07:00 +0000

All sort of fun stuff was unearthed, discussed and - sometimes - made-up upon reading the Verizon Security Breach Investigations report. Here are some things from the pile which I found fun:

Report itself [PDF] and brief on it from Verizon (and two fun follow-ups, this and this here)
"90% of all statistics can be made to say anything… 50% of the time, aka my thoughts on the Verizon report"
"Data Breach Post Mortem Offers Surprises" (well, to some people, they are surprises ...)
"Insider Threat Exaggerated, Study Says" (not, it doesn't, BTW)
"Verizon Business Report Speaks Volumes" (from Richard, thus a MUST read)

And of course, here is my favorite part: "In 82 percent of cases, our investigators noted that the victim possessed the ability to discover the breach had they had they been more diligent in monitoring and analyzing event-related information [AC - i.e. logs] available to them at the time of the incident." and this "Furthermore, a crime scene devoid of any network and system logs, a key resource for computer forensics, is a disturbingly common occurrence."

What can I say? Back to battle stations for me - to fight the war of making logs more popular! :-)

On Logs and Breach Disclosure Laws

Thu, 03 Jul 2008 09:40:00 +0000

Check out my fun paper called "Where the truth is: Logs and breach-disclosure laws" at ComputerWorld. I personally find the premise that logs help with breach notification mandates to be a perfect no-brainer, but it looks like some people consider it to be deep insight.

And, let's leave it at that: deep insight it is :-)

Key point for the impatient bunch: "... logs are essential for compliance with breach-notification laws because you know who exactly to notify. Proper log-keeping will save massive amounts of money while complying with both the letter and the spirit of this law."

Links for 2008-07-01 [del.icio.us]

Tue, 01 Jul 2008 20:00:00 +0000

Monthly Blog Round-Up - June 2008

Tue, 01 Jul 2008 07:10:00 +0000

I saw this idea of a monthly blog round-up and I liked it. In general, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. This is what is driving an idiotic campaign of such "news" as "hackers increase hacking", "compliance is hard/easy/matters/doesn't" or "awareness of virtualization/SaaS/hacking/compliance grows."

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts and topics.

Again this month, my logging polls took the #1 spot! Poll #8 that covered context data for log analysis is analyzed here. Other popular polls include a controversial Windows Log Collection Poll (which is a poll #7) and poll #6 about logs that people actually look and poll #5 about logging challenges. Next poll is coming soon.
Not entirely surprising, my post/rant called "You Are "A Security Idiot" If ..." takes the #2 spot after being live for only a few days. Yes, we all like to point out other people's problems, especially when they are epically huge :-)
Also not surprisingly, my post "11 Signs That Your SIEM Is A Dog or "Raffy, You Killed SIM!"" is on the Top list. It is both humorous and sadly true (and backed up by other sources)
A curious subject of DLP or "data leak prevention" (specifically, the post called "So, CAN We Have DLP?") also tops the charts. My previous post on data leak 'prevention' ("In Passing on DLP") is popular as well.
Again and again, people googling for "open source SIEM" have pushed this post (this tiny old pathetic blurb) to top5. This ancient post from years ago explains why an open source SIEM will NOT emerge soon, if ever.

See you in July!

Possibly related posts / past monthly popular blog round-ups:

Technorati tags: blog, security, loggings, monthly

Links for 2008-06-30 [del.icio.us]

Mon, 30 Jun 2008 20:00:00 +0000

SIEM tools come up short
Are SIEM and log management the same thing? - Network World
Log Management « IT@SmallBiz
Another issue we faced in dealing with our SAS 70 audit was log management. Every system admin deals with this issue, we just ignore it most times. You have all sorts of information stored in log files on all your various servers. If you were going to
Datawocky: Searching for a Needle or Exploring the Haystack?
"Searching for a Needle or Exploring the Haystack?" Search engines are great at finding the needle in a haystack. And that's perfect when you are looking for a needle. Often though, the main objective is not so much to find a specific needle as to exp

Evil BETAs Attack!

Mon, 30 Jun 2008 13:45:00 +0000

Read this awesome "The BETA Mindset: Public Enemy #1 " piece from Mike R (BTW, it is a MUST-read). The maybe refresh on what I said after reading "Geekonomics." Then think!

Yes, it is available today (as beta maybe - but then again "all software is beta").
Yes, it is free.
Yes, it works ... well, when it does.
Yes, you can trust, say, your email to it (who cares when it is made public, really! :-))

And then the same programmer mindset trickles up to the software that controls your aircraft engine.

Boom!

That WAS you.

The more I think about it, the more I like the idea of software manufacturers' liability (succinctly described in "Geekonomics"); I suspect that everything bad that might come with it will probably still be better than what we have now (or will have soon...)

Fun Reading on Logs and Log Management

Mon, 30 Jun 2008 12:09:00 +0000

I am amazed (no, AMAZED!) about how many people now write about logs; it is definitely not "the original logging evangelist" anymore :-) Here is a quick sample, useful for those struggling with logs (aka "everybody" :-))

A very fun read from Patrick Mueller (ex-Neohapsis now turned lawyer): "Facing The Monster: The Labors Of Log Management." I am happy that log management has been finally granted a monster status :-)
I am happy to see that one of the "five questions to ask before sending your data in the cloud" is "Will I have access to logging and auditing data?" This is indeed a big deal (well, it will be soon) and you will be hearing more about this. I call this "a case of log ransom," since you might need to pay the ransom to see what is "yours" - the logs
Again on leaving [some] logs behind. Remember, the point is not that "collecting all" is a good idea, it is that figuring what to pick is IMPOSSIBLE, while "collecting all" is simply very hard :-)
This is hot stuff: "Ten reasons you will be unhappy with your SIM solution" (no, I didn't write it :-), but this is mine)
Why HA for log management from our star engineer. Those thinking about the reliability of their logging systems should read it.
Fun info on web server log analysis for different purposes.
"Why Logs and Logging Matters - Part 1" and "Why Logs Matter - Part 2, A Letter" present really good intro logging for compliance and other purposes (even specifically saying "what you do with the logs that matters.")
"Smart Business Leaders Support Effective Log Management Practices and Necessary Resources" from Rebecca Herold is a nice basic piece, especially for those outside the circle of logging literati.
More from Sanford on logging standards: "Drawing Lines", an awesome post indeed.
A MUST read on SIEM and log management from Greg Shipley (I promise this is a coincidence! :-)) In this piece, Mr Neohapsis drop kicks more than a few "latest generation" SIEM tools. Guess which product review mentions "pain" 3 times on one page :-)
Finally, this is also worth a read: "Ode to Log Management" where Mr Baum laments logs being pigeonholed in to "another IT management tool" silo despite their broad relevance. He is right - but focusing on one use case after another works...

Enjoy!

Links for 2008-06-26 [del.icio.us]

Thu, 26 Jun 2008 20:00:00 +0000

Can You Hear Me Now? | Nemertes Research
Our brains (with functional ears) have the ability to dynamically adjust the gain control and adjust frequency sensitivity in real-time based on input from our other senses and our past experiences. The same capability is needed in SIEM/log management whe
Security and Risk Management Strategies Blog: Common Event Standard SIG Held At Catalyst

You Are "A Security Idiot" If ...

Thu, 26 Jun 2008 06:26:00 +0000

... you:

Misspell both HIPAA and SOX (how the f does one misspell SOX?)
Confuse "risks" and "threats"
Think that "Trojan is a vulnerability" AND "DoS is a vulnerability"
Quote "Insiders are 80%" without thinking for one darn second
Think that a loss of "$20 million is catastrophic to any company"
Talk about "NIST compliance"

Please add your faves to the list and we can create an official list to be used to expose fake experts. If you think that nobody in our industry is that stupid ... think again. F*ck!

To be explained later :-)