Next, insert appropriate morbid jokes <here> for "IDS is dead", "NAC is dead", "GRC is dead", everybody is dead... WTF? Are we at the cemetery or what? Is "dead" dead? Yeah, but it came back as a zombie :-) So, "dead" is a "living dead" "dead" now. Ha*3.

Finally, think! Why were you thinking of buying a SIEM? 'Cause the big "G" in the sky said so? And while you are thinking, check these fun points out:

1. Does your SIEM require 17 beefy servers to operate? How many gallons of foreign oil have to go up in smoke to power that mammoth up? And you know what happened to mammoths, don't you?
2. If your "high-performance" SIEM appliance can only run 5 correlation rules at the same time, what "high" do they mean, really? Hold this thought....
3. Is five field engineers, two developers and CTO enough to install it? Who else needs to help? Ah, sorry, I missed the DBA :-)
4. Do you know when "If CustomVariable17 = Value5" condition matches? Will you still remember it in a year?
5. Can you tell "taxonomy" from "ontology"? You can now? Good for you. Are you more secure now? More efficient? Compliant?
6. How many shifts of security analysts do you have watching the shiny consoles 24/7? If zero, then why - oh - why those consoles are running in the first place? "If a tree falls..." - you know how this one ends. Correct! You get hit by the bough.
7. When was the last time you built a custom agent for parsing and normalizing, say, SAP logs? Did it work? What did you do after it didn't? Cried? And did it help? Then a burly vendor SE showed up, charged you $37,600 and left? Happy now?
8. Do you automatically correlate IDS/IPS alerts with vulnerability data ... for client-side attacks? Really? :-)
9. There are dozens of firewall, IDS/IPS, router, etc brands, each with its own log type. This is actually simple! But there are thousands upon thousands of applications in use today. Some have logs. All are different. Care to build rules for that? Now you finally know why SIEM vendors don't parse their own Java logs (no shit!)
10. Do you know what "threat x vulnerability x random()" equals to? Yup, it still equals random(). Automated prioritization, you say?
11. Do you know why some SIEM vendors are migrating to IT GRC now? So they can go and die there ... quietly.

All in all, I have to agree with Raffy to a large extent!  The world has evolved - and SIEM has not. It might not be dead (as old attacks and defenses never really die and large organization still build and man massive SOCs where SIEM is "a must"), but in this age of web application hacking, CSRF and XSS, phishing, PCI DSS, massive bot armies, client-side 0-days, stealth malware, etc, paying $x,000,000 for a pile of ugly Java code is insane ... As a result, SIEM has greatly diminished in importance and has become just one small thing you might do with logs and some other data. What made it so? Mostly implementation complexity - but a slew of other factors mentioned above as well.

So, consider this instead:

• Compliance? "Sorry, buddy, you need this for compliance, not that. "
• Want to simplify your incident response? Get log management and fly through all your logs, not crawl through some of them.
• Have a very real need to dig into your logs for troubleshooting or tracking that pesky user? Log management works.

Now, what if you have a latent and vague desire to "correlate something" and a million nice greenbacks to flush down the drain? OK, go get your SIEM toy for $780,000 + 20% maintenance/year ... a true bargain (price valid today only).

Finally, I would like to end this on an optimistic note. Do we need more intelligence to analyze the log data we have collected? Of course! Do we have a widest set of log use cases from today's security  to tomorrow's regulations? You bet. And, for you Raffy, I'd add "... we also have other data to analyze together with logs." So, can we "reinvent SIEM?" Yes, I think so! It just hasn't been done yet ... For now, just use log management.

Gartner IT Security Summit - June 1-3, 2008 - Washington, DC.

Alright - call this an omnibus posting.

I had planned to do a better job of intra-day postings, but the schedule here is hectic and as anyone who knows me can attest, I really do work to get maximum value out of any conference that I go to.

Highlights here - much more detail available if anyone comments/emails me to ask.

Day 1
Opening Keynote - The next 10 years in IT Security - Rated: Good.
Keynote - Google’s Security - Rated: Excellent.
Keynote - SciFi Authors’ Future View of IT Security - Rated: Excellent.

“F” Track - Gartner Analysts/Researchers speak on the topic of “The CISO” - Rated: Mediocre to Good.
Exhibition Floor - Rated: Good.
Food - Rated: Hotel Std. Bring Pepto
Product Highlight - Alcatel-Lucent OmniAccess 3500 Nonstop Laptop Guardian It’s a way to lojack your laptops - a device that stores your crypto keys, 2nd factor auth token, acts as your 3G WWAN, GPS enabled, has an on-board Linux which acts as the “IT department’ controlled/controllable machine. Main feature - remote kill the laptop you lost.

Day 2
Keynote - Security Architecture for the Next 10 years - Rated: Excellent
“F” Track - Gartner Analysts/Researchers speak on the topic of “The CISO” - Rated: Good to Better
Exhibition Floor - Rated: I don’t want to try to get that much shwag through airport security. SRSLY.
Food - Rated: I cannot wait for my kitchen. I cannot eat this much commercial grade food and stay healthy/alive. Amazing how even the fresh fruit is labelled “Hotel Froot”. It’s like an episode of the Simpsons.

Overall Review: I’ll probably come back - the issue of credibility in ensuring that I can quote someone that the business / IT folks respect rather than just my own opinion is a good thing, however, as a prominent (ha - take that Mike) security blogger, I’m a 4-5 on the CISO-CMM — and I’m surrounded by a whole lot of zeros and ones. Gartner is a good host, they take feedback seriously and are very interested in delivering some real value to people like me.

What needs to be fixed:

1. You may have noted that I’m not really chuffed by the food, and you’d be damn right. What is it with the “Conference Hotel/Venue” market that gives them such perfect 2 dimensional homogeneity of image and food? Fix the food.
2. Reorganize the environment such that I spend less time walking back and forth down this hallway.

3. Wifi… oh terrifying wifi. If there was a Wall of Sheep here, you couldn’t read it - it’d be scrolling too fast. Don’t you idiots have a freakin’ VPN?
4. BoF Sessions would be good — there’s not a whole lot of time in the schedule just to stir around and talk to people. There should be a number of areas that allow for free form communication amongst attendees. Have Gartner Analysts in and around those areas to spur conversations.
5. And lastly - Washington? WTF? Flying in to the DC area is practically a strip search. Conferencing is getting harder as the airline industry squeezes - and if I’ve got to fly, I want as little friction as possible.

It’s been a blast, but I need to pay attention and watch the countdown to my airport transfer at 1600.

Tags: Gartner, Gartner IT Security Summit, Alcatel-Lucent, OmniAccess 3500, Security Conferences

Returning my rent a car here in Denver, I stopped in the gas station to fill up.  I paid $4.04.9 for 85 octane gas.  First time I have cracked the $4 dollar barrier.  I am so excited I can cry. Oil went over $133 a barrel today and I saw an analyst report that it could go as high as $200 a barrel.  It seems that when George W became President I remember oil in the 20 to 30 dollar range.  There really doesn't seem to be a shortage of oil, supply meets demand.  So WTF?  Why are prices going up daily like this?  I used to think it was due to fears that another war in the Persian Gulf would break out, but I think it is beyond that now. I really feel like the markets are being manipulated and it is time for intervention.

If this does not give us as a country the will to do something about our dependence on oil, I don't know what will.  Lets see a bold call to action like putting a man on the moon for this country to rally around with a goal of developing alternate energy and soon!

Whaaaat? WTF is "reverse compliance?" 

"Reverse compliance" is a motivation to purposefully avoid technologies that have a chance of telling you that you are NOT in compliance. Sadly, logging is featured very high on the list of such technologies that a) tell you about all the problems with your compliance posture (e.g. direct violations of regulatory requirements,  lack of controls, inefficient controls, policies not followed, etc) as well as b) are mandated by various regulations (e.g. PCI DSS) and c) actively used by auditors for finding compliance issues.

When this type of thinking in progress, people start going even further towards:

• If I have no logging, people will not know that I was "0wned" for years and thus have to notify the customers (reverse breach disclosure compliance)
• If I have not logs, nobody can blame that I knew (or - had a way to know)  about the successful attack and data theft? 
• If breach investigation will lead to a dead end due to not having logs, maybe I won't be fined as severely?
• If I don't have logs to show the auditors, they won't blame me for mismanaging security in my environment (or - they will only blame me for not having logs and not for all the other serious issues I have...)
• If I have no logging, I cannot be found to be in violation of many PCI DSS requirements since evidence of violation will be in the logs (but, will, obviously be in violation of Requirement 10)

The key question is how widespread "reverse compliance" is? I am sure that many of my enlightened readers would think that no organization is that f*cked up :-) Well...

... some sadly are. Is "worst in class" label appropriate here? Maybe not, since these companies are thinking that they are "being smart about their business"  and saving money by avoiding those "useless" (also known as "common sense" ;-)) compliance requirements.

So, will you log if logs will prove your incompetence?

That is, my friend, the whole question here...

On the other hand, I hope that this "approach" is not too common in the age of breach notification laws: logs or no logs, they will have to tell the public and - often! - without logs they will have to announce that ALL is lost. The burden in on them to prove what was NOT stolen IF the server where the data is stored was found to be owned.

For example,   a compromised server + critical data stored = every record is assumed 'lost' in the absense of logs.

This is, in fact, one of the stronger motivation for log management today as it shows you clear, obvious savings: notify 200,000 people vs notify 40,000,000 people of the breach at, say, $5 apiece....

Nine out of the world’s top 11 security hackers came to HP through the SPI Dynamics acquisition, he boasts, although it’s not immediately clear who ranked those top 11.

The “he” is Mark Potts CTO of Software, Hewlett-Packard. When I read that the first thing that came to mind was; Billy Hoffman is top 10 material? The end is near!! (joking…) Then I wondered who is ranking hackers and how much would it cost to get the #1 spot. Then later I thought there must be a real ranking because if you where making it up you would just say “nine out of the top ten, not 9 out of the top 11″ which would generally mean you had 8 of the top ten and one person at eleven so you went for Top eleven instead of top ten. Maybe people from Australia use a top 11 system?

Post from: Grumpy Security Guy

HP Corners the Market on Hackers