Posts

Showing posts from June, 2011

PCI DSS in the Cloud … By the Council

The long-awaited PCI Council guidance on virtualization has been released [PDF]. Congrats to the Virtualization SIG for the mammoth effort! I rather liked the document, but let the virtualization crowd (and press!) analyze it ad infinitum – I’d concentrate elsewhere: on the cloud! This guidance does not focus on cloud computing, but contains more than a few mentions, all of them pretty generic. Here are some of the highlights and my thoughts on them. Section 2.2.6 “Cloud Computing” does contain some potentially usable (if obvious) scope guidance: “Entities planning to use cloud computing for their PCI DSS environments should first ensure that they thoroughly understand the details of the services being offered, and perform a detailed assessment of the unique risks associated with each service. Additionally, as with any managed service, it is crucial that the hosted entity and provider clearly define and document the responsibilities assigned to each pa...

Algorithmic SIEM “Correlation” Is Back?

Back in 2002 when I was at a SIEM vendor that shall remain nameless (at least until they finally die), I fell in love with algorithmic "correlation." Yes, I can write correlation rules like there is no tomorrow (and have fun doing it!), but that’s just me – I am funny that way. A lot of organizations today will rely on default correlation rules (hoping that SIEM is some kinda “improved host IDS” of yesteryear … remember those?) and then quickly realize that logs are too darn diverse across environments to make such naïve pattern matching useful for many situations. Other organizations will just start hating SIEM in general for all the false default rule alerts and fall back into the rathole of log search, aka the “we can figure out what happened in days, not months” mindset. That problem becomes even more dramatic when they try to use mostly simple filtering rules (IF username=root AND ToD>10:00PM AND ToD<7:00AM AND Source_Country=China, THEN ALERT “Root Login...

NIST EMAP Out

As those in the know already know, NIST has officially released some EMAP materials the other day (see scap.nist.gov/emap/). EMAP stands for “Event Management Automation Protocol” and has the goal of “standardizing the communication of digital event data.” You can think of it as a future “SCAP for logs/events” (SCAP itself covers configurations and vulnerabilities). Obviously, both twin standards will be “Siamese twins” and will have multiple connection points (such as through CVE, CPE and others). In reality, SCAP and EMAP are more like “standard umbrellas” and cover multiple constituent security data standards – such as CPE, CVE, CVSS, XCCDF, etc. for SCAP and CEE for EMAP. As the new EMAP site states: The Event Management Automation Protocol (EMAP) is a suite of interoperable specifications designed to standardize the communication of event management data. EMAP is an emerging protocol within the NIST Security Automation Program, and is a peer to similar automation pr...

Monthly Blog Round-Up – May 2011

Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting and useful blog content. If you are “too busy to read the blogs,” at least read these. So, here is my next monthly "Security Warrior" blog round-up of the top 5 popular posts/topics this month. “On Choosing SIEM” tops the charts this month. The post is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular. A related read is “SIEM Resourcing or How Much the Friggin’ Thing Would REALLY Cost Me?”; check it out as well. While reading this, also check this presentation. My commentary on the latest SIEM Magic Quadrant 2011 (“On SIEM MQ 2011”) is next – I not only share my insights, but also point out some unintentional hilarity in the reports. “What To Do When Logs Don’t Help: New Whitepaper” announc...