Posts

Showing posts from May, 2011

PCI DSS in Cloud Computing Environments–THE Training

It took many long weeks to create and now it is… OUT! Sign up here now if you are in the Bay Area on July 8, 2011. The training is being offered free by the Cloud Security Alliance (well, we ask for $20 to offset the pizza costs) in exchange for your feedback, and participation is very limited. I would not be surprised if future production “runs” cost their attendees 30x-50x the above “price,” since this is a full-day class focused solely on PCI DSS and cloud environments (likely 9AM-4PM with a few breaks). The initial PCI DSS Cloud Training Class will be held in Silicon Valley on July 8, 2011, exact location to be determined. The first ever class dedicated to assessing and implementing PCI DSS controls in cloud computing environments covers how to think of and how to do PCI DSS in various cloud computing environments. Focused primarily on people familiar with PCI DSS, it starts from the “hype-free” cloud computing facts and then delves into key scenarios wh...

Log Management->SIEM Graduation Criteria: Violate at Your Own Peril!

Somebody asked me that question “Do I need SIEM or do I need log management?” yesterday again, and I figured I’d repost this “bit of Anton’s wisdom” (ego alert!), so that people can just read this instead of repeatedly bugging me with this question. Q: How do I figure out whether I need SIEM or log management? A: You need log management – if you have computers, IT, data, etc. Period! This has not really been a discussion item at all since about 1986 or so. But do you also need a SIEM? You might think you need it, but you would only be able to benefit from it and satisfy that need if your organization fits the following “graduation criteria from log management to SIEM:” Response capability: The organization must be ready to respond to alerts soon after they are produced. Incident response process/procedures are a must. Monitoring capability: The organization must have or start to build a security monitoring capability such as a Security Operations Center (SOC), ...

On SIEM MQ 2011

As all of you know, Gartner SIEM MQ 2011 is out – you can see it here (or here) without registration. The quadrant mostly matches my recent SIEM project experience. My observations follow below: CA “SIEM” and “Log Manager” are finally wiped off the face of the Earth (=removed from SIEM MQ), NetIQ is dumped down to the Niche. As they should be. Honestly, Symantec SSIM in Leaders is a mystery to me; must be those invisible non-competitive deals or EU/APAC deals. I’ve not seen them on an enterprise SIEM shortlist in the US for a loooooooong time. The rest of the leaders match my expectations fully (and four of them have at some point been my consulting clients). Splunk is now officially a [sub-par] SIEM, even though it is really not. Is that good or bad? Well, they got their “honorable mention” for the last few years and now they are in the quadrant. BTW, this example shows that you can make A LOT of money by being free and not in any Magic Quadrant! Visionary sect...

What To Do When Logs Don’t Help: New Whitepaper

Here is a hard problem: you MUST log, but there are no logs to enable. Or, what is no less common, logs are so abysmal that they don’t help – and don’t fit the regulatory mold (example: PCI DSS Requirements 10.2 and 10.3). Or, logs are “out there in the cloud” and you cannot get them, but compliance is here and requires them. What to do? The answer to this eternal question is in my new whitepaper that I have written for Observe-IT (observeit-sys.com). Executive summary: This paper covers the critical challenges of implementing PCI DSS controls and suggests creative solutions for related compliance and security issues. Specifically, the hard problem of security monitoring and log review in cloud, legacy, and custom application environments is discussed in depth. Additionally, clarification of key PCI DSS compensating controls is provided. This paper will help you satisfy the regulatory requirements and improve the security of your sensitive and regulated data. Short version [PDF] ...

PCI Webcast Q&A

From the webcast I did a while back, here are some fun Q&A that I volunteered to answer. PCI DSS literati reading this blog, don’t freak out – this is BASIC since the webinar was for Level 4 e-commerce merchants. Q: I have a hosted Card Service Provider; is the SSL tunnel with certificates good enough security? What does PCI say about this? A: Well, “SSL tunnel with certificates” is good security (at least compared to no SSL!), but is it enough? Not really. PCI DSS has a long list of other security controls which need to be implemented - for example, if you are an e-commerce merchant, web application security is extremely important, likely more so than SSL. Q: Another crystal ball question. Do you think the day will come when merchants are not permitted to store credit card information in order to be PCI compliant? A: Well, merchants are not permitted to store CVV data today, merchants are not permitted to store PAN in cleartext, and they are strongly discouraged t...

How to Replace a SIEM?

Note: this has been written for the “Cisco MARS blog” as a guest post and is reposted here for posterity. Ouch! That “Venus” SIEM appliance that we got with the routers has finally croaked. That piece of PHP brilliance that the pre-pre-previous security engineer wrote has been buried under a thick pile of XML. That managed SIEM provider has annoyed us one last time. What do the above situations have in common? The unfortunate time to replace your SIEM has come. What to expect, apart from copious amounts of pain? This post will shed some light on this conundrum, based on the author’s experiences. First, it goes without saying that it is better to choose the right SIEM the first time (e.g. see “On Choosing SIEM” and other posts mentioned below) than to migrate from a SIEM that has been collecting logs (and dust) for a few years. However, you might not have any say in the matter – you might have inherited it, your “evil boss” might have procured the previous SIEM without asking you or ...

NEW (!) Metricon is Coming, RFP Out

The CFP for Metricon 6 is alive, the deadline is June 15. If you think that the previous one [somewhat] sucked, this one will be different, since it will be about… … "Real People Generating Real Information" This year, Metricon 6 is excited to issue a call for participation to the InfoSec community. Occurring August 9th 2011, colocated with USENIX in San Francisco, California. We will be breaking up topics into the following sections, and subsequently would be very interested to review submissions in the following subjects:

• Metrics & Instrumentation
• The Utility of Risk Metrics
• Risk & Cyber Insurance
• Methods for measuring impact
• Incident Management Metrics
• Operational Metrics Beyond Patches, Vulns, & Anti-Virus

THE PROGRAM
This year's Metricon will be more "convention" than "defend your thesis." Included will be panels, discussions, as well a...

Monthly Blog Round-Up – April 2011

Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting and useful blog content. If you are “too busy to read the blogs,” at least read these. So, here is my next monthly "Security Warrior" blog round-up of the top 5 popular posts/topics this month. “Verizon DBIR 2011 is OUT!” announces the release of the next Verizon Breach Report: awesomeness unleashed. “Simple Log Review Checklist Released!” is still one of the most popular posts on my blog. Grab the log review checklist here, if you have not done so already. It is perfect to hand out to junior sysadmins who are just starting up with logs. A related “UPDATED Free Log Management Tools” is also still on top - it is a repost of my free log tools list to the blog. My PCI DSS log review procedures that I created for a consulting client an...