Posts

Showing posts from March, 2011

My “Recent” Security Writing and Speaking

Now that I am flooded with work (with more on the way), I am eternally procrastinating on my “Fun Security Reading” blog posts. So, let me at least try to blog about what I was WRITING if I don’t have time to blog about what I was reading (Google Reader shared item feed). The list is loosely sorted by time:

My writing:
“HIPAA Logging HOWTO, Part 1”
“HIPAA Logging HOWTO, Part 2”
“PCI Security: Q&A with Anton Chuvakin, PCI Compliance Expert”
“PCI Security: Q&A with Anton Chuvakin, PCI Compliance Expert, PART 2”
“ASSESSMENT SUCCESS: PCI DSS STANDARDS AND SECURE DATA STORAGE”
“How to Do Application Logging Right” (with Gunnar Petersen)
“FISMA Logging HowTo, Part 1”
“Logging for FISMA part 2: Detailed FISMA logging guidance”
“Log management software can aid data security, boost IT accountability”
“Log review for incident response, Part 1”
“A Pragmatic Approach to SIEM: Buy for Compliance, Use for S...

UPDATED Free Log Management Tools

FYI, I have updated my list of free log analysis and log management tools on my consulting site. Here it is, reposted:

Version 1.3, updated 3/8/2011 (original location)

This page lists a few popular free open-source log management and log analysis tools. The page is a supplement to “Critical Log Review Checklist for Security Incidents” that can be found here or as PDF or DOC (feel free to modify it for your own purposes or for internal distribution, but please keep the attribution). The log cheat sheet presents a checklist for reviewing critical system, network and security logs when responding to a security incident. It can also be used for routine periodic log review. It was authored by Dr. Anton Chuvakin and Lenny Zeltser.

The open source log management tools are:

OSSEC (ossec.net): an open source tool for analysis of real-time log data from Unix systems, Windows servers and network devices. It includes a set of useful default alerting rules as...

Log Forensics and “Original” Events

I did this fun presentation on log forensics (here) and the question of “original” (aka “native”, “raw”, “unmodified”) log events came up again. Since the early days of my involvement in SIEM and log management, this question has generated a lot of delusions and just sheer idiocy. A lot of people spout stuff like “you need original logs in court” without having any knowledge about either logs or court, or forensics in general. Or, as I sometimes feel, even computers in general.

So, WTH is an “original” event? Let’s explore this a bit. For example, let’s take Windows 7 Event Logs. Before you read further, without focusing too much on the real meaning of “original”, think what you’d consider an original event log record…

Is this original: the EVTX file itself?
Is this: an XML view via Event Viewer on the computer where the log is produced?
Is this: a “friendly” view in the same Event Viewer on the same “original” computer?

As you might know, the above vi...
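To make the three “views” concrete, here is an added PowerShell example (mine, not from the post or the presentation) that takes one record from the Security log and shows it as the on-disk EVTX container, as the XML the event system hands back, and as the “friendly” rendered message, hashing each artifact so you can see that they are three different byte sequences derived from one stored record. It assumes an elevated PowerShell 5+ prompt on a Windows box with the default log location; the export directory C:\Temp and the file names under it are my own choices.

```powershell
# Added example: three representations of one Windows Security event.
# Assumes: elevated PowerShell (the Security log needs admin), Windows 7 or
# later, default log location. The export paths below are arbitrary choices.

$exportDir = 'C:\Temp'
$exportLog = Join-Path $exportDir 'Security-copy.evtx'
$xmlFile   = Join-Path $exportDir 'Security-one.xml'
$msgFile   = Join-Path $exportDir 'Security-one.txt'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# View 1: the EVTX container. The live Security.evtx is held open by the
# Event Log service, so take a service-side export (wevtutil epl) instead
# of copying the file, then hash the exported container.
wevtutil epl Security $exportLog /ow:true
$evtxHash = (Get-FileHash -Algorithm SHA256 -Path $exportLog).Hash

# Read the newest record from the exported copy so that all three views
# come from the same stored record.
$rec = Get-WinEvent -Path $exportLog -MaxEvents 1

# View 2: the record serialized as XML, what Event Viewer's "XML View" shows.
$xml = $rec.ToXml()
Set-Content -Path $xmlFile -Value $xml -Encoding UTF8
$xmlHash = (Get-FileHash -Algorithm SHA256 -Path $xmlFile).Hash

# View 3: the "friendly" text. This is NOT stored in the log; it is built at
# read time from the provider's message resources on the rendering machine.
$msg = $rec.Message
Set-Content -Path $msgFile -Value $msg -Encoding UTF8
$msgHash = (Get-FileHash -Algorithm SHA256 -Path $msgFile).Hash

# One record, three artifacts, three different hashes.
[pscustomobject]@{
    RecordId      = $rec.RecordId
    EventId       = $rec.Id
    TimeCreated   = $rec.TimeCreated
    EvtxSha256    = $evtxHash
    XmlSha256     = $xmlHash
    MessageSha256 = $msgHash
} | Format-List
```

The practical point for evidence handling: a hash only vouches for the artifact it was computed over. A hash of the exported EVTX says nothing about the XML a reviewer later exports, and the friendly message is not stored anywhere at all; render the same record on a machine that lacks the provider’s message resources and you get the “description for Event ID … cannot be found” placeholder instead. So when someone demands “the original”, ask which of these three they mean and which one their hash was taken over.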

SecurityBSides San Francisco at RSA 2011 Presentation

My account of RSA 2011 cannot be complete without (yes!) SecurityBSides San Francisco. I was holding this post hoping to include links to videos, but, despite the power of Google, I was not able to figure out where AND whether the videos are posted. So, you have to enjoy my new fun SIEM presentation (below) without my voice and an image of me pointing at the sky.

“Something Fun About Using SIEM” by Dr. Anton Chuvakin

Enjoy!

Possibly related notes:
RSA 2011 Conference Notes
RSA 2011 PCI Council Interview
All posts tagged RSA

SIEM Resourcing or How Much the Friggin’ Thing Would REALLY Cost Me?

One of the ugliest, painfulest, saddest issues with SIEM is resourcing. Yes, that SIEM appliance might set us back $75,000 in hard-earned security budget dollars, but how much more will we have to spend in the next 3 years deploying, integrating, using, tuning, cursing, expanding the thing? How much manpower will the new operational procedures (example) cost us? And if we actually build a SOC or “a virtual SOC”, how much will we have to spend on an ongoing basis to get the value and benefits? In fact, how much will the coffee cost if we have to work 20 hours in a row recovering that crashed SIEM database partition?

These and other questions are super-important for every SIEM and log management project. And the time has come for me to reveal my secret knowledge of SIEM resourcing. OK, that’s a joke: it is not a secret, just a bunch of things that are often unpleasant for many SIEM buyers, users and sellers to hear. So:

NEWSFLASH! SIEM costs money. “Free” SIEM (example)...

New Honeynet Project Challenge (#7): Forensic Analysis of a Compromised Server

The plot? As usual: a Linux server was possibly compromised and a forensic analysis is required in order to understand what really happened. Hard disk dumps and memory snapshots of the machine are provided in order to solve the challenge. Are you up to the challenge?

Here are the questions that need your answers:
What service and what account triggered the alert? (1pt)
What kind of system runs on the targeted server? (OS, CPU, etc.) (1pt)
What processes were running on the targeted server? (2pts)
What are the attacker’s IP and target IP addresses? (2pts)
What service was attacked? (1pt)
What attacks were launched against the targeted server? (2pts)
What flaws or vulnerabilities did he exploit? (2pts)
Were the attacks successful? Did some fail? (2pts)
What did the attacker obtain with the attacks? (2pts)
Did the attacker download files? Which ones? Give a quick analysis of those files. (3pts)
What can you say about the attacker? (Motivation, skills, etc...

RSA 2011 PCI Council Interview

Just like last year, I did this great interview with Bob Russo, the GM of the PCI Council. There is no audio recording; what follows below are my notes, reviewed by the Council. Italic emphasis is added by me for additional clarity.

Q1. PCI DSS 2.0 is out. What do you think its impact is, so far?

A: We are just entering the implementation phase, but it seems like there is no major impact yet; it is definitely too early to say what the impact would be. Using data discovery (merchants looking to confirm that PAN data does not exist outside of the defined PCI DSS scope) seems to be becoming more prominent, and this seems to be a direct result of PCI DSS 2.0. Accidental exposure of cardholder data is a known risk. Identifying where the data truly resides first, through a tool or a methodology, should aid organizations in their assessment efforts and ongoing security. By the way, despite moving to the longer three-year process, we can still update the standard in between via errata mec...

Honeynet Project Blog Top Posts in February 2011

FYI, I won’t be posting these here all the time (they are written for The Honeynet Project blog; original location for this post), but I figured I’d post the first one here just to tell people about all the fun stuff from the Honeynet blog that I now take care of as a project PR officer.

The following are the Top 5 popular blog posts from The Honeynet Project blog this month:

“Observing Botnets” talks about tools to observe bot traffic on the network; it is an excerpt from the “Know Your Enemy: Tracking Botnets” paper (fun quote: “A botnet is comparable to compulsory military service for windows boxes” – Stromberg).
“The Honeynet Project Releases New Tool: Cuckoo” covers Cuckoo, a binary analysis sandbox, designed and developed with the general purpose of automating the analysis of malware.
“First-ever Honeynet Project Public Conference–Paris 2011” announces the first-ever Honeynet Project Public Conference, held alongside the traditional Honeynet Project A...

RSA 2011 Conference Notes

Here is my account of the RSA 2011 conference, with all its awesomeness! I LOVE RSA and I always say that if you can only attend one security event a year, make it RSA. Now, it takes some [admittedly, small] effort to get value out of your RSA experience: the conference is not about the keynotes and not really about the [way too many] tracks of presentations. It is about our industry gathering, pretty much the entire security industry as it exists in 2011! For security training you go to SANS, for the latest attacks to BlackHat/DEFCON (or, increasingly, to smaller conferences), but for getting a sense of the entire security industry… SECURITY BUSINESS, if I may… you MUST go to RSA.

I spent my first RSA 2011 day, Monday (aka Valentine’s Day), at Metricon. This year Metricon (and I admit to only attending about 2/3 of the day) just disappointed. This is the second year I am sacrificing all sorts of fun RSA-related events (CSA, AGC, etc.) for security metrics and I promise I...

Monthly Blog Round-Up – February 2011

Blogs are “stateless” and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting and useful blog content. If you are “too busy to read the blogs,” at least read these.

So, here is my next monthly “Security Warrior” blog round-up of the top 5 popular posts/topics this month:

“The Honeynet Project Releases New Tool: PhoneyC” leads all posts this month; this is reposted to my blog since I recently began serving as [volunteer] Chief PR Officer for The Honeynet Project. Another recent Project release is “The Honeynet Project Releases New Tool: Cuckoo”.
“Simple Log Review Checklist Released!” is still one of the most popular posts on my blog. Grab the log review checklist here, if you have not done so already. It is perfect to hand out to junior sysadmins who are just starting out with logs.
My PCI DSS...