Posts

Showing posts from July, 2011

The Last Blog Post!

This is my last blog post – for the foreseeable future. It is dated 7/31/2011 at 11:59PM. What happens tomorrow? A new life, of course! As only very few of you know, I have accepted a position of Research Director with Gartner, Inc. Tomorrow I am joining a stellar team led by Phil Schacter, formerly from Burton Group. I spent two VERY successful years consulting, working with companies like Novell, RSA, LogLogic, NitroSecurity, eGestalt, ObserveIT, Tripwire, AlienVault, “Big MSSP”, “Big Insurance Company”, “SaaS Log Management Company”, “IT Management Software Company”, “SMB Security Company”, “Big Networking Equipment Company” and others. I defined, built, deployed, and marketed security products, mostly in the area of SIEM and log management. I helped organizations with security and PCI DSS strategy. I advised security vendor management on compliance strategy for their products. I have spoken at clients’ events and have written more whitepapers than I care to admit...

On SIEM Services

Executive summary: you need to procure services when you buy a SIEM tool; if you don’t, you’ll be sorry later. Even if you are amazingly intelligent and have extensive SIEM experience – see above. Even if you saw, with your very own eyes, a successful SIEM project that didn’t include vendor or 3rd party services – see above. Even if your SIEM vendor tells you “you don’t need services” – see above. See above! See above!! See above!!! Let’s analyze this “SIEM services paradox.” A lot of organizations – way too many, in fact – balk at the need to procure related services before, during and after their SIEM purchase. The thinking often goes like this: we need a SIEM, and this box <points at the appliance still in the box> is a SIEM. That’s all we need. What services? Why services? Huh? In reality – and this is what I sometimes call the “secret to SIEM magic” – that box is not a SIEM. That box, when racked and connected to your network, is STILL not quite a SIEM. Only when ...

Old Content Posted: Presentations, Documents, etc

In preparation for a career change (stand by for an announcement at midnight on July 31, 2011), I am posting A LOT of my old presentations and documents online for the community. See http://www.slideshare.net/anton_chuvakin/presentations for such gems as my HITB 2010 keynote “Security Chasm”, Brief SIEM Primer, “Making Log Data Useful”, as well as the most recent “Five Best and Five Worst SIEM Practices”. See http://www.docstoc.com/profile/anton1chuvakin for a bunch of older documents on security, logging, SIEM, PCI DSS – including such gems as Logging Haiku, firewall logging primer, etc. Enjoy!

On Broken SIEM Deployments

Imagine you own a broken, dilapidated, failing, crap SIEM deployment. What? Really… that, like, never happens, dude! SIEM is what makes unicorns shine and be happy all the time, right? Well… mmm… no comment. In this post, I want to address one common #FAIL scenario: a SIEM that is failing because it was deployed with a goal of real-time security monitoring, while the company was nowhere near ready (not mature enough) to have any monitoring process and operations (criteria for it). On my log/SIEM maturity scale (presented here; also see this related post from Raffy), they are either in the ignorance phase or maybe the log collection phase. And herein lies the problem: if you deployed one of the legacy, born-in-the-1990s SIEMs that are not based on a solid log management platform, the tool will actually suck at the very fundamental level: log collection. The specific issue here is that most of these early tools were designed to only selectively collect wha...

Got A Pile of Logs from an Incident: What to Do?

As I am going through my backlog of topics I wanted to blog about (but didn’t have time for in the last 4-6 months), this is the one I really wanted to explore. Here is the scenario:
- Something blows up, hits the fan, starts to smell bad, <insert your favorite incident metaphor> … either in your IT environment or at one of your clients’.
- Logs (mostly) and other evidence are taken from all the components of the affected system and packaged for offline analysis.
- You get a nice 10MB-10GB pile of juicy log data – and they want “answers.”
What do you do FIRST? With what tools? Let’s explore this situation. I know most of you would say “just pile ’em into splunk” and, of course, I will do that. However, that is not the full story. As I point out in this 2007 blog post (“Do You Enjoy Searching?”), to succeed with search you need to know what to search for. At this point of our incident investigation, we actually don’t! Meanwhile, the volume of log data beyond a few megabytes makes “tri...

Top 10 Criteria for a SIEM?

OK, this WILL be taken the wrong way! I spent years whining about how use cases and your requirements should be THE MAIN thing driving your SIEM purchase. And suddenly Anton shows up with a simple ‘Top 10 list’, so… blame it on that cognac. This list is AN EXAMPLE. SAMPLE. ILLUSTRATION. It is here FOR FUN. If you use it to buy a SIEM for your organization, your girlfriend will sleep with your plumber. All sorts of bad things can and likely will happen to you and/or your dog – and even your pet squirrel might go nuts. Please look up the word “EXAMPLE” in the dictionary before proceeding! On top of this, this list was built with some underlying assumptions which I am not at liberty to disclose. Think large, maybe think SOC, think complex environment, etc. Obviously, an environment with its own peculiarities … just like yours. With that out of the way, Top 10 Criteria for Choosing a SIEM … EXAMPLE! 1. User interface and analyst experience in general: ease of per...

NIST EMAP Workshop–Aug 2011

A lot of good work on logging standards, as well as standards for the “surrounding areas” (correlation rules, parsing rules, etc.), will happen at this first-ever NIST workshop on EMAP. Please mark your calendars to save the date for an EMAP Developer Workshop to be held August 29-30, 2011 at the NIST Campus in Gaithersburg, Maryland. We are still formalizing the agenda, but topics to be covered will include:
· Discussion of target use cases and requirements as identified by the EMAP working group.
· CEE overview and in-depth discussion of current issues.
· Discussion of EMAP component specifications and issues/questions for the community.
· Discussion of the EMAP roadmap and connections with other efforts within security automation.
We are in the process of standing up a registration page and creating the agenda. A teleconference line will be provided for those who cannot attend in person. More details to come in the near future; we hope to se...

Speaking at Catalyst 2011 in San Diego Tomorrow

Just FYI, I am speaking at the Gartner Catalyst 2011 event in San Diego tomorrow. The topic is “Five Best and Five Worst Practices for SIEM.” “Implementing SIEM sounds straightforward, but reality sometimes begs to differ. In this session, Dr. Anton Chuvakin will share the five best and worst practices for implementing SIEM as part of security monitoring and intelligence. Understanding how to avoid pitfalls and create a successful SIEM implementation will help maximize security and compliance value, and avoid costly obstacles, inefficiencies, and risks.” Time: Tuesday, 26 July 2011, 02:45 PM to 03:20 PM. Location: Hilton San Diego Bayfront, 1 Park Boulevard, San Diego, CA 92101. If you are around, come see me here.

Log Management at $0 and 1hr/week?

As I was drinking cognac on the upper deck of a 747, flying TPE-SFO back from a client meeting, the following idea crossed my mind: CAN one REALLY do a decent job with log management (including log review) if their budget is $0 AND their “time budget” is 1 hour/week? I got asked that when I was teaching my SANS SEC434 class a few months ago and the idea stuck in my head – and now cognac, courtesy of China Airlines, helped stimulate it into a full blog post. So, a $0 budget points to using open-source, free tools (duh!), but 1hr/week points in exactly the opposite direction: a commercial or even outsourced model. The only slightly plausible way that I came up with is:
- Spend your 1st hour building a syslog server; it can be done, especially if starting from an old Linux box that you found in the basement (at $0); don’t forget logrotate or equivalent.
- Spend the next few weeks (i.e., hours) configuring various Unix, Linux and network devices (essentially, all ...

Job: Director of Product Marketing at SIEM Vendor

I am posting this as a small favor to my friends at NitroSecurity. Description: The Director, Product Marketing is responsible for developing, planning and executing externally-focused product marketing strategies, plans & programs for the industry-leading NitroView SIEM, log management, database monitoring, application monitoring and IDS/IPS solution. They will research & understand security market trends by working with industry analysts and engaging prospects & customers, closely monitor & analyze competitor offerings, and develop value propositions, product positioning and messages for enterprise and government markets worldwide. They will drive and lead all new product launch and introduction activities, and support on-going product and solution campaigns and programs. Candidates in metro Boston, metro Washington DC, or open to virtual, home office arrangements are welcome to apply to jobs@nitrosecurity.com. Responsibilities: a. W...

PCI in the Cloud Class July 8: Location Finalized

Just a quick announcement about my “PCI in the cloud” class that I am teaching this week. The location has been finalized. Location (map): Ariba Silicon Valley Office, Sequoia Conference Room, 910 Hermosa Court, Sunnyvale, CA (please use the main entrance and tell the receptionist that you are there for the CSA PCI class; lunch and coffee will be provided). Date: Friday July 8, 2011 at 9AM. There are still, I think, 2-3 seats left at $20/seat (beta price! must provide class feedback!!), so go and register here. UPDATE 7/4/2011 5:50PM: Sorry, sold out! I will check with the host tomorrow about the room size, and there is a slight chance that we can fit more than 25 people, but it is not a certainty. Possibly related posts: PCI DSS in Cloud Computing Environments–THE Training

Monthly Blog Round-Up – June 2011

Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting and useful blog content. If you are “too busy to read the blogs,” at least read these. So, here is my next monthly "Security Warrior" blog round-up of the top 5 popular posts/topics this month. The “PCI DSS in the Cloud … By the Council” post is my quick review of recent PCI DSS guidance on virtualization, focusing on its cloud computing guidance. “On Choosing SIEM” tops the charts again this month. The post is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular. A related read is “SIEM Resourcing or How Much the Friggin’ Thing Would REALLY Cost Me?”; check it out as well. While reading this, also check this presentation. “Simple Log Review Checklist Released!” is still one of the most popul...