Quick Blogging Update

As I mentioned, due to my joining Gartner, I am not blogging on security here anymore. However, a quick announcement is in order:

Enjoy!

Comments

Post a Comment

Popular posts from this blog

Monthly Blog Round-Up – August 2018

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts based on last month’s visitor data  (excluding other monthly or annual round-ups): “New SIEM Whitepaper on Use Cases In-Depth OUT!” (dated 2010 – much ancient!) presents a whitepaper on select SIEM use cases described in depth with rules and reports [using now-defunct SIEM product]; also see this SIEM use case in depth and this for a more current list of popular SIEM use cases. Finally, see our research on developing security monitoring use cases here – and that we updated for 2018 . A lot more SIEM use case discussion is coming, here is a new post for 2018 SIEM use cases. “ Simple Log Review Checklist Released! ” is often at the top of this list – this rapidly aging checklist is still a useful tool for many people. “ On Free Log Management Tools ” (also aged quite a bit by now) is a companion to the checklist ( updated version ) “ Why No Open Source SIEM, EVER? ” contains some...
Read more

Got A Pile of Logs from an Incident: What to Do?

Image
As I am going through my backlog of topics I wanted to blog about (but didn’t have time for the last 4-6 months), this is the one I really wanted to explore. Here is the scenario: Something blows up, hits the fan, starts to smell bad, <insert your favorite incident metaphor> … either in your IT environment or at one of your clients’ Logs (mostly) and other evidence is taken from all the components of the affected system and packaged for offline analysis You get a nice 10MB-10GB pile of juicy log data – and they wants “ answers ” What do you do FIRST? With what tools? Let’s explore this situation. I know most of you would say “ just pile’em into splunk ”  and, of course, I will do that. However, that is not a full story. As I point out in this 2007 blog post (“ Do You Enjoy Searching? ”), to succeed with search you need to know what to search for. At this point of our incident investigation, we actually don’t! Meanwhile, the volume of log data beyond a few megabytes makes “tri...
Read more

How to Replace a SIEM?

Image
Note : this has been written for “Cisco MARS blog” as a guest post and is reposted here for posterity. Ouch! That “Venus” SIEM   appliance that we got with routers has finally croaked. That piece of PHP brilliance that pre-pre-previous security engineer wrote has been buried under the thick pile of XML. That managed SIEM provider has annoyed us one last time. What do the above situations have in common? The unfortunate time to replace your SIEM has come. What to expect, apart from copious amounts of pain? This post will shed some light on this conundrum, based on author’s experiences. First, it goes without saying that it is better to choose the right SIEM the first time (e.g. see “ On Choosing SIEM ” and other posts mentioned below) than to migrate from a SIEM that has been collecting logs (and dust) for a few years. However, you might not have any say in the matter – you might have inherited it, your “evil boss” might have procured the previous SIEM without asking you or ...
Read more