Wednesday, December 03, 2008

One More Bit On "Compliance First"

I did say that I am writing a longer blog post on that ("Scary Tales from 'Compliance First' World"), but I just can't resist.

Yes!, Yes!!, Yes!!! - everybody smart and security-savvy KNOWS: focus on security and risk management first AND whatever compliance du jour is required will follow. The "security first" mantra works, it just works.

But you know what? I am constantly SHOCKED by the number of people who INSIST on "compliance first" AND in a silo'ed, regulation-by-regulation way. OMFG!

Tuesday, December 02, 2008

Monthly Blog Round-Up – November 2008

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups are an attempt to remind people of useful content from the past month! If you are "too busy to read the blogs" (!), at least read these.

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.

  1. Amazingly, this month by far the #1 post is my "Blogging from DeepSec 2008 in Vienna." DeepSec was indeed an awesome conference.
  2. Last month, I said that "SIEM bashing reached a new high." OMFG. What should I say now? I dunno. In any case, "11 Signs That Your SIEM Is A Dog or 'Raffy, You Killed SIM!'" is on the top list. BTW, "On Open Source in SIEM and Log Management" is also again on the top list, much to my amazement.
  3. Again and again, PCI compliance is obviously still all the rage: the "MUST-DO Logging for PCI?" post was again propelled to a place in my monthly Top5 list.
  4. Get a firewall AND a fire extinguisher, now, will ya? Is it too much to ask? :-) The post "On Small Companies and PCI Compliance" is on the Top list.
  5. Shockingly, AGAINx2 :-) this month, the "Top 11 Reasons to Secure and Protect Your Logs" came up on the Top list. BTW, see my other logging polls and my other "top 11" lists.

See you in December. Also see my annual “Top Posts” (2007)


Wednesday, November 26, 2008

Fun PCI FAQ - Good Reading

Check out this cool PCI FAQ here, created by Andrew Plato. He reminds people about a few of the common "PCI misconceptions" (like, "when is the PCI deadline? - Yesterday") and key facts (like, "Do organizations using third-party processors have to be PCI-compliant? - Yes")

Finally, I also love, love, love his reminder that there are no "PCI-compliant products" (unlike some assclowns here think):

"Q: What technologies are considered PCI-compliant?

A: There is no such thing as a PCI-compliant product. The PCI standard does not certify products. Some products will help with PCI compliance, but there is no single product or group of products that will ensure complete PCI compliance."

Read it!

Tuesday, November 25, 2008

The Bastards Made Me Do It

Ok, Ok, Ok!!!! The bot will still post :-) but I am on Twitter now too. I read you!

SIEM Is Not What Is SIEMs Nowadays...

"Aliso Viejo-based High Tower Software, a venture-backed developer of security, compliance, and log management software, has shut down."

Wanna go into the SIEM market, anybody?

UPDATE: to put it into context, read this

UPDATE2: read "SIEM: The Quickening Begins" too. Long (forever?) live Connor MacLeod :-)

Which Blogger Will Post 2009 Predictions First?

Huh?

UPDATE: OMG, one already did.

Monday, November 24, 2008

PCI DSS Blogs

I polled a few lists to create a longer list of PCI DSS related blogs (looking especially for blogs by QSAs), so IN NO PARTICULAR ORDER:

If I missed anybody, sorry, please add below and I will update my list!

Just FYI.

CSI SIEM Summit Slides and Notes

As I mentioned, I did this fun "SIEM Summit" at CSI 35th in DC. Here are my slides from the event; feel free to pick on them :-)
Thursday, November 20, 2008

Just Love This: Noisy vs Quiet from Rich

OMG, some people (usually ex-Gartner... for whatever mystical reason) have this uncanny ability to present information in a way that just triggers an avalanche of insight. Here is an example: "The Two Kinds Of Security Threats, And How They Affect Your Life" from Rich Mogull.

Some quotes: "We get money for noisy threats, and get called paranoid freaks for trying to prevent quiet threats (which can still lose our organizations a boatload of money, but don’t interfere with the married CEO’s ability to flirt with the new girl in marketing over email)."

and

"Slice up your budget and see how much you spend preventing noisy vs. quiet threats. It’s often our own little version of security theater."

and

"The problem is, noisy vs. quiet may bear little to no relationship to your actual risk and losses, but that’s just human nature."

Overall, a MUST read.

God, please, send us some credible security metrics... please.

SANS Doom vs Hope

Just a fun read from SANS: "We Are Doomed" vs "There is Hope"

Uh-oh... it looks like I am back at "spurt blogging." :-)

Raffy’s Visualization Book

Here is my long-overdue book review for "Applied Security Visualization" by Raffy Marty.

First, here is what my early endorsement for the book said (it can be found on the inside cover of the book):

"Amazingly useful (and fun to read!) book that does justice to this somewhat esoteric subject - and this is coming from a long-time visualization skeptic! What is most impressive is that this book is actually 'hands-on useful,' not conceptual, with examples usable by readers in their daily jobs. Chapter 8 on insiders is my favorite!"

What else do I think of the book, apart from the fact that it is awesome? :-)

First, I have to admit that I used to argue with Raffy about the usefulness of visualization. I was burned by having to look at bad "visualization" tools and would take an ugly, meaningful table over an ugly, meaningless picture any day now. Thus, I was a visualization skeptic. But you know what? The book does justice to visualization really well, and it explains when to use it and when not to use it.

The book gives just the right amount of visualization theory, which is not onerous to read at all (unlike some other books), as well as other visualization basics. The fun starts at Chapter 4, where he covers the process from data to useful pictures. This actually explains why some visualizations are useful and some are not; if you just jam data into a graphing program, there is a good chance that it would not be too useful. If you follow the ideas from Ch4, it is more likely to be useful.

Ch5 and 6 cover network data analysis: logs, packets, flows. This is what most people usually try to visualize; this book goes beyond "worms and scans" into nice visuals of email traffic, wireless and even vulnerability data (I found the latter slightly confusing). Ch7 covers "compliance", which, in this case, covers all sorts of fun things, from risk assessment to database log visualization. As I said, Ch8 is my favorite: I agree that insider tracking MAY be the area where visualization tools and approaches beat others. In Ch9, the book covers a few visualization tools, obviously including the author's AfterGlow.

So, to summarize, get the book if you have any connection to security AND data analysis. In fact, it is very likely that if you are doing security, you’d have to do data analysis at some point and so will benefit from reading the book. And, yes, it does come with a CD full of visualization tools (DAVIX).

BTW, I am posting it at Amazon as well.

Wednesday, November 19, 2008

My Last Logging Interview?

While at GOVCERT.NL 2008, I gave this fun interview.... check it out.

As you can guess, I talk about logs. BTW, while you are at that link, check out other fun interviews; at least, check out David Rice's.

A Fun List of Security Blogs

Check your RSS readers.... got all of them? :-)

Darn Good Idea ... If Done Well

"A free, downloadable, log management and compliance product that provides organizations with visibility across their networks, data centers, and infrastructures?" (here)

Somebody, somewhere is thinking ...

In any case, "free is in" :-) Look at all the announcements (NetWitness, Mandiant, this) as well as "the original free."

MS AV Out and Free ... Uh-Oh

With headlines like "MS Destroys the Consumer AV Market," the news hit ... well, hit the fan like the proverbial... well, you know what :-)

Is it really "Good-bye Big Yellow and Little Red?" Probably not, as this new offering is aimed at consumers and lower-end SMBs; large orgs will still pay ransom ... eh, subscription fees for their AV. It was also interesting to read some of the comments, like "OMG, I so hate paying for AV... and now I won't have to." If such sentiment is indeed widespread, maybe MS chose a really, really good moment to come out with this!

The most fun comments are found on the OneCare team blog here. Esp. see this one: "a majority of consumers around the world do not have up-to-date antivirus, antispyware and antimalware protection" (now they will, thanks to MS! :-)) and "this new offering will focus on getting the majority of consumers the essential protection they need by providing comprehensive, real-time anti-malware protection, covering such threats as viruses, spyware, rootkits, trojans, and other emerging threats, in a single [FREE!], focused solution."

UPDATE: very funny comments from AV firms and "normal people" (see below the article at the link)

UPDATE2: another very fun comment, including "maybe it's time that Symantec and McAfee start offering free versions of their own antivirus products"

Monday, November 17, 2008

On Inspiration and Security

First, I have a horrible revelation to make: I never held CEOs in much regard. For example, if you go to "a CEO keynote" at a security conference (RSA comes to mind), you can be pretty much assured that you'd get a boring, bland and "content-free" speech which summarizes to 1 word: nothing. Actually, it is 0 words :-) Similarly, even though I knew what CEOs did (tell people what to do, give speeches so that employees work better, help sales sell, interfere with engineers' engineering :-), etc), I always regarded them as people regarded "party commissars" back in the Soviet Union days: as folks who give rosy speeches hardly anybody believes in and who show charts with upward trending curves (e.g. "Bullshit volume per employee per quarter is UP 34.6%!!!" :-)) To better understand this point read the famous book "Why Business People Speak Like Idiots: A Bullfighter's Guide" :-)

So, my dear readers, imagine how amazed I was to find myself being truly inspired by my CEO, for the first time in my working life! Philippe's "no-B.S." approach definitely works for me. I listened to his speech at a company meeting last week and - I am serious! - that was the most interesting, visionary AND inspiring speech that I've heard in a long time. It was clear what we've been doing, what worked, what didn't and what we need to be doing and why it will work.

I already learned more than a few things from him just by listening to him speak or conduct a meeting (or by watching him beat up a job candidate...). For example, one CAN be "positive, but not marketing-ish," even if the situation is difficult. If one has an issue, one has to face it with no sugarcoating rather than 'play' positive and pretend the issue is not there. One can have BOTH a driving vision AND be attentive to customers. One CAN release something when it is ready, not a year before :-) Etc, etc.

Finally, while some choose to lay people off, we at Qualys ARE HIRING. Come join us and help build the SaaS security platform that actually works! Specifically, we are looking for TAMs (kind of like an SE, but better :-)), PMs and a lot of engineers.

Come Meet at CSI in DC

If you are in DC, come meet me during/after the SIEM Summit or catch me on the show floor (ask at the Qualys booth).

Sunday, November 16, 2008

Blogging from DeepSec 2008 in Vienna

I am already back stateside from DeepSec and I am now flying to CSI 35th in DC; finally I had time to prepare my DeepSec blog post.

First, I enjoyed DeepSec conference and I am grateful for the invitation to speak there. I love European conferences – and not only for having infinitely (with that being an under-statement of the year) superior coffee during breaks :-) In particular, I liked the audience for my presentation (slides will be posted here soon) and I think the audience liked my material and myself too :-)

What also impressed me a lot was Ivan Krstić's speech, which was the second day keynote. He started by simply stating that 'the security industry has failed' and that 'the desktop is lost.' His proof was in typical numbers like "75% of corporate systems are infected with at least 1 malware piece per system", "1 million malware types" and "25,000 unique malware samples a day seen." However, he then broadened the subject and talked about how not only "a trusted desktop" is gone, but the entire world of "trust everything [on a system], all the time" is gone (his ideas were similar to what I planned to present in my HITB 2008 presentation about "the 0wned world").

I also like how he positioned all those “security user prompts” (in Vista and even before) as a proof that security technologies have failed and now we have to rely on the user to make security decisions (which will obviously fail as well since users are now fully conditioned to “see a chunk of technical mumbo-jumbo, then click OK”)

It was also interesting how he connected a lot of security failures to his "#1 reason: all programs run with all privileges of the user that runs them." In fact, he illustrated it by reminding the audience that "everybody runs untrusted code every day today [web browser + Javascript, etc] while nobody did this 30 years ago." He also beat up blacklisting as an approach to security (but then again, everybody does it today :-)) - what was interesting is that he opined that "we will spend the next 10 years proving that whitelisting will fail just as we spent the previous 10 years proving that blacklisting fails." His main point was that the global "onslaught" of whitelisting and code signing will kill all sorts of useful things AND provide little security.

He then called for everybody to think about solving the hard, possibly non-sexy problems. This is the part where I could have used more details :-)

So, a fun speech (even though my telling of it is a bit jumbled… check out his slides whenever they are posted) – and a fun conference overall. Worth a 12 hour flight :-)

Thursday, November 13, 2008

At DeepSec in Vienna

As some of you know, I am in Vienna at DeepSec. My presentation is tomorrow - and it will be fun: "Making Logs Sexy Again: Can We Finally Lose The Regexes?"

Come over - it is at 9:50AM.

BTW, I will post the slides here when I am done.

Monday, November 10, 2008

Monthly Blog Round-Up – October 2008

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups are an attempt to remind people of useful content from the past month!

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts and topics.

  1. OF COURSE, the news of my "transition" is item #1, by far. The "Change!!!" and "Qualys" posts rule the list.
  2. Last month I posted a bunch of my presentations on logs, security, etc on the blog. "Presentation from GOVCERT.NL 2008: Log Forensics" takes one of the top spots; and so do "Presentation on Application Logging, Done Wrong or Very Wrong" and "Presentation on Optimizing Your Logging for Insider Attack Tracking." BTW, all the presentations are here.
  3. Shockingly, AGAIN this month, the "Top 11 Reasons to Secure and Protect Your Logs" came up as the #1 most popular post (maybe driven by my poll). BTW, see my other logging polls and my other "top 11" lists.
  4. SIEM bashing reached a new high (eh..."low"? :-)), now that Richard is helping too; my "11 Signs That Your SIEM Is A Dog or 'Raffy, You Killed SIM!'" is on the top list. It is both humorous and sadly true (and backed up by other sources and here.)
  5. Somewhat predictably, PCI compliance is obviously still all the rage: the "MUST-DO Logging for PCI?" post was again propelled to a place in my monthly Top5 list.

See you in November.


Tuesday, November 04, 2008

On Small Companies and PCI Compliance

Read this post ("E-Commerce Startups deal with PCI compliance" at the "PCI Answers" blog) and weeeeeeep: "I once was talking with a small business owner who was reading through the Self-Assessment Questionnaire (SAQ) and stopped at the first question, which basically said, Do you have a properly configured firewall? The business owner called into the back room and asked the store manager, 'Hey, do we have a firewall?' The store manager replied that he thought they had a fire extinguisher which was up to date. I then watched as the store manager checked the 'In Place' box on the form stating they had a properly configured firewall in place."

Wanna "sell PCI compliance" to small businesses? One needs to get smart in a very special way! :-)

Monday, November 03, 2008

Interesting ... On Compliance

Treat this as a prequel for my upcoming blog post called "Tales From 'A Compliance-First' World" (link TBA).

I am learning that many people really, really, really hate to be told that "they are not compliant" (when they are not, of course!) and such hatred goes down to a very curious level indeed ... almost all the way down to the good ole "scanless PCI" joke level.

So, here is an ultimate "how to make enemies and alienate people?" tip: tell them "YOU ARE NOT COMPLIANT!"

Friday, October 31, 2008

Fun Reading on Security AND Compliance – 9

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is issue #9, dated October 30th, 2008. BTW, I am renaming it "Fun Reading on Security AND Compliance".

  1. “A Gartnergate?” What happened after Mr Pescatore uttered his now famous 12 words: “The best security program is at the business with the happiest customers.” This (complete with Gunnar’s famous “firewalls+SSL” chart), this – will add more as this snowballs.
  2. Do you have an “ignorable” security policy? If yours is BOTH “ignorable” and “unfair”, then fuggedaboutit. Cisco survey kinda proves it. A few fun comments are here (“If people can't get their jobs done without having to find a way to circumvent policy then the policy is wrong.”)
  3. Risk and clouds - here, here, here and here in poetic form (!). Fun reading, but you know what? For many, many organizations, what they have today is LESS secure than any future cloud computing advance...
  4. Richard Bejtlich drop-kicks SIEM too, then kicks it in the balls. Then kicks the dead horse (1,2,3)
  5. Excellent reminder about why people don’t care about security with a fabled quote from MJR (yes, it is my fave too!) Overall, Rich “reassures” with: “Don’t worry. When things get bad enough, we’ll get the call. If you’ve kept your documentation and communications up, you won’t get shafted with the proverbial short end.”
  6. A few essays on risk, from ANSI, from Schneier and from BlogInfoSec (part 1 and part 2, especially read part 2)
  7. So, what do CTOs really do every day? Interesting summary here and here.
  8. Fun exploration of security x privacy x compliance.
  9. Burton Group opines on which security technologies will fare better/worse during "The crisis”
  10. A really fun interview with our CEO Philippe Courtot here.
  11. More on IT vs IT security, this time from Richard.
  12. Do you want people like that doing “security”? A normal call center employee recognizes fraud, but their so-called “outsource security dept” authorizes the scam. Niiice.
  13. Finally, “Robots Hunt 'Non-Cooperative Humans' in Army Plan” No comment :-)

Enjoy!

Wednesday, October 29, 2008

CSI 35th 2008 Discount Passes

Since I am speaking at the CSI 35th Annual Conference (on SIEM, believe it or not), I can again give out discount conference passes:

"The passes cover the full conference, Monday–Wednesday, November 17–19, 2008, for a 55% discount! To pass along your discount passes, send your guests to CSI 2008 Registration to register for a CSI 2008 Conference Pass and have them enter the below Priority Code in the box provided: SPK73

*Please note: This offer is only for new registrations, we cannot re-price current registrations."

UPDATE: THE OFFER BELOW HAS BEEN TAKEN AS OF 5:00PM Oct 30th.

For those rare people who read all the way to here :-), I can also give our 1 (one!) FREE CSI pass; please email me for it as it will be given on "a first come, first served" basis and can only be used by my loyal blog readers :-)

From Talking to Building

Ah, the first week at a new place. An exciting time! Even though being in Kuala Lumpur would probably be even more exciting :-)

In any case, excitement is a good cause for sharing it. So, why am I excited? Is it only the "new-ness" of my position?

Not so.

I am most excited to be building again. That is building as opposed to talking. I loved being an evangelist and I think I did make the world love logs just a bit more. However, I happen to think that while speaking and writing leaves a scratch on the fabric of the Universe, building products that solve people's problems, that make people happy and that are both affordable and enjoyable to use leaves A BIGGER scratch. As one old wizard said, it allows one to "strike sparks off the guard rail of the Universe!"

That is exactly why I am excited. What I do today will soon [hopefully!] translate into new products that people will enjoy using (despite the fact that they are compliance-related :-)) and that will solve problems that cause "pain and suffering" on a grand scale. (No, I am not saying what these are :-))

Defining things, THEN seeing them actually manifest in the real world, THEN seeing people smile and say "Thanks!" is HUGELY exciting. Earning revenue in the process definitely doesn't hurt either :-)

BTW, now I read all this stuff about “security and clouds” and laugh (I can tell you later why it is so funny to me now)

Monday, October 27, 2008

On HITB 2008 Conference

Not to pretend to steal Halvar Flake's glory, but I just got my own "fun" international travel story, which also spells bad news to those who wanted to hear my fun keynote at Hack In The Box 2008 in Kuala Lumpur, Malaysia.

To make the short story ... even shorter :-), I got kicked off my flight since my passport is only valid for 5.5 months into the future and Malaysia requires that visitors' passports be valid for 6 months from the date of arrival (not that they make it anywhere near clear on their embassy website or anything :-)).

What makes it funnier is that I got so used to US dates of month/day/year that I was genuinely shocked when they said "your passport is not valid for 6 months" while it clearly said "Expires on 8/4/2009" ...

So much for Kuala Lumpur :-( Back to work now.

Monday, October 20, 2008

Qualys

As I am sitting here in my new office getting set up, it is time for me to share the full news with the world.

So, starting today I am a Director of PCI Compliance Solutions at Qualys.

There you have it :-)

More on this later; I am way too busy now.

Friday, October 17, 2008

Presentation on Application Logging, Done Wrong or Very Wrong :-)

A final "automated" post, while I am on a plane back to California. This is a result of my work on defining what a good log is, based on looking at countless bad logs :-)

This presentation "Application Logging Good Bad Ugly ... Beautiful?" would be useful to application developers who create logging functionality as well as security pros who then need to use the logs.

Here it is, embedded below:

Enjoy!

UPDATE: this is a good read to go with the preso; focusing on logging for Java developers.

Wednesday, October 15, 2008

Presentation on Optimizing Your Logging for Insider Attack Tracking

OK, I [well, my blogspot scheduler, rather :-)] am releasing another fun presentation that I've been "hoarding" for a while to keep my readers "entertained" while I am enjoying Siberia.

This presentation is about using logs for tracking insiders as well as about "insider-proofing" your logs and making them more useful for that purpose.

It is also embedded below:

Logs vs Insiders

Enjoy!