<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet Security Observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>The Last Blog Post</title><description>2011-08-01 09:11:22 - Anton Chuvakin Blog (Security Warrior): This is my last blog post for the foreseeable future. It is dated 7/31/2011 at 11:59PM. What happens tomorrow? A new life, of course! As only very few of you know, I have accepted a position of Research Director with Gartner, Inc. Tomorrow I am joining a stellar team led by Phil Schacter, formerly from Burton Group. I spent two VERY successful years consulting, working with companies like Novell, RSA, LogLogic, NitroSecurity, eGestalt, ObserveIT, Tripwire, AlienVault, "Big MSSP", "Big Insurance Company", "SaaS Log Management Company", "IT Management Software Company", "SMB Security Company", "Big Networking Equipment Company" and others. I defined, built, deployed, and marketed security products, mostly in the area of SIEM and log management. I helped organizations with security and PCI DSS strategy. I advised security vendor management on compliance strategy for their products. I have spoken at clients' events and have written more whitepapers than I care to admit, as well as did a lot of other fun things. It was fun and I loved it - and as my clients can attest, I was good at it. Also, I was more busy than I thought I'd be, and occasionally more than I wanted to be. However, at some point I started to feel that I need another step up. And so I am making that step now. In accordance with my future employer policy, I have resigned from the Advisory Boards of Dasient, Securonix, nexTier Networks, Savant Protection, eGestalt, and RapidIO. Good luck to all of you! In all likelihood, I will eventually resurface at Gartner blogs; please look for me there. And finally, those who love my personal blogging (all 4007 of you as of today), don't despair: I will still occasionally blog here on non-infosec subjects (think good books, laser weapons, hypnosis, skiing, travel and my other weird hobbies). Finally, I want to give very special thanks to Lee Kushner for his super-valuable career counseling that helped me make this difficult career choice. Possibly related posts (my past "career decisions" blog posts): Going to Consulting; Going to Qualys; Going to LogLogic. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/320274.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/320274.shtml</guid></item>
<item><title>On SIEM Services</title><description>Secuobs.com : 2011-07-31 20:18:51 - Anton Chuvakin Blog (Security Warrior) - Executive summary: you need to procure services when you buy a SIEM tool; if you don't, you'd be sorry later. Even if you are amazingly intelligent and have extensive SIEM experience (see above). Even if you saw a successful SIEM project that didn't include vendor or 3rd party services with your very eyes (see above). Even if your SIEM vendor tells you "you don't need services" (see above). See above! See above! See above! Let's analyze this "SIEM services paradox". A lot of organizations (way too many, in fact) balk at the need to procure related services before, during and after their SIEM purchase. The thinking often goes like this: "we need a SIEM and this box is a SIEM. That's all we need. What services? Why services? Huh?" In reality - and this is what I sometimes call the "secret to SIEM magic" - that box is not a SIEM. That box, when racked and connected to your network, is STILL not quite a SIEM. Only when you "operationalize" it (see picture) can you say that you have Security Information and Event Management (SIEM) capability in your organization and that you do "real-time" security monitoring. Now, be honest, do you know how to deploy a SIEM tool and then figure out the shortest path to its operational success? Probably not; thus services consultants who will work WITH you to make it a reality by arriving at the best possible way of benefitting from SIEM in your environment. Which use case gives you the best bang for the SIEM buck? Which one will show a "quick win" to your management? Which one is more likely to detect an attacker in your network? When a SIEM vendor tries to sell you services, it is NOT vendor greed, but simply common sense. And if you say "no", it is not "saving money" but being stupid. SIEM success out-of-the-box (while real, in some cases) is a pale shadow of what a well-thought-through deployment looks like. My (broken) analogy is: you buying a nice shiny Aston Martin and then only using it to commute to a train station 1 mile from home. Will it work? Yes. Is this a good investment and a good experience? Hell no! So, no, SIEM is NOT useless without services, but it is unlikely to reach its full potential. Pitfalls to SIEM success are many, and navigating them requires help. And, no, outsiders alone cannot do it. You will need to help them help you. This also leads to the rise of managed or co-managed SIEM options (which are NOT MSSPs, BTW) as more people realize that a) they need a SIEM and b) they cannot handle a SIEM. Future cloud SIEM will (when it emerges) try to tackle the same problem of being simpler to operate and thus simpler to operationalize. Today, most SIEM vendors offer an extensive menu of services to go with a product, and there are also some smart third parties. Many services around SIEM can be organized as follows. Pre-sale services examples: product selection help; vendor differentiation analysis and shortlist definition; regulation analysis and business cases review; product strengths/weaknesses analysis; product fit for type of project; product fit for vertical / business type; RFP definition assistance; current tools vs requirements gap analysis. Services offered during SIEM acquisition and deployment: SIEM implementation; SIEM project planning; proof-of-concept deployment management; product testing in production environment; data source integration and collection architecture; default contents tuning. Post-sale, operational services: SIEM analyst training; performance tuning and capacity planning; SIEM project management; custom content creation; custom device integration; SOC building. Vendors and consulting firms offer other types of services as well, all the way up to "co-managed SIEM" where a 3rd party firm manages your SIEM deployment for you. Will future SIEM work better out of the box? Yes, I think so. Will SIEM ever be as simple as a firewall? No, never; it is the inherent complexity of security monitoring that cannot be squeezed out even by creative engineering. Enjoy, as this was my final blog post on SIEM. Possibly related posts on SIEM: On Broken SIEM Deployments; Top 10 Criteria for a SIEM; Algorithmic SIEM "Correlation" Is Back; How Do I Get The Best SIEM?; Log Management-SIEM Graduation Criteria: Violate at Your Own Peril; How to Replace a SIEM?; SIEM Resourcing or How Much the Friggin' Thing Would REALLY Cost Me?; How to Write an OK SIEM RFP?; On Choosing SIEM; So, What Should I Want? or How NOT to Pick a SIEM-III; The Myth of SIEM as "An Analyst-in-the-box" or How NOT to Pick a SIEM-II; I Want to Buy Correlation or How NOT to Pick a SIEM; Log Management + SIEM = ?; On SIEM Complexity; SIEM Bloggables (SIEM Use Cases and Whitepaper with detailed SIEM use cases); Log Management / SIEM Users: "Minimalist" vs "Analyst"; All posts labeled SIEM. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/320230.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/320230.shtml</guid></item>
<item><title>Old Content Posted: Presentations, Documents, etc.</title><description>Secuobs.com : 2011-07-31 08:16:28 - Anton Chuvakin Blog (Security Warrior) - In preparation for a career change (stand by for an announcement at midnight July 31, 2011), I am posting A LOT of my old presentations and documents online for the community. See http://www.slideshare.net/anton_chuvakin/presentations for such gems as my HITB 2010 keynote "Security Chasm", Brief SIEM Primer, "Making Log Data Useful" as well as the most recent "Five Best and Five Worst SIEM Practices". See http://www.docstoc.com/profile/anton1chuvakin for a bunch of older documents on security, logging, SIEM, PCI DSS, including such gems as Logging Haiku, firewall logging primer, etc. Enjoy! About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/320180.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/320180.shtml</guid></item>
<item><title>On Broken SIEM Deployments</title><description>Secuobs.com : 2011-07-29 20:35:25 - Anton Chuvakin Blog (Security Warrior) - Imagine you own a broken, dilapidated, failing SIEM crap deployment. What? Really? That, like, never happens, dude! SIEM is what makes unicorns shine and be happy all the time, right? Well... mmm... no comment. In this post, I want to address one common "FAIL scenario": a SIEM that is failing because it was deployed with a goal of real-time security monitoring, all the while the company was nowhere near ready (not mature enough) to have any monitoring process and operations (criteria for it). On my log/SIEM maturity scale (presented here; also see this related post from Raffy), they are either in the ignorance phase or maybe the log collection phase. And herein lies the problem: if you deployed one of the legacy, born-in-the-1990s SIEMs that are not based on a solid log management platform, the tool will actually suck at the very fundamental level: log collection. The specific issue here is that most of these early tools were designed to only selectively collect what was deemed necessary for real-time security monitoring (vs all log data). In essence, you have a tool with monitoring features (that you don't use) and with weak collection features (that you can use, but they are weak). What to do? You have these options: 1. Leave it to rot; you can always keep it just to boast to your friends (and PCI QSAs) that "ye own one of 'em olde SIEMs". 2. Blow it away and join the "SIEM doesn't work" crowd, and maybe buy a simple log management tool later. 3. Deploy a log management tool to "undergird" your crappy SIEM; you have a choice of buying from the same SIEM vendor (if they have it) or a different vendor. 4. Build your own log management layer on syslog and open source tools. I have seen people take any of the above four. Personally, I have seen much more success with option 3 (buy log management) and not infrequently with 4 (build log management). BTW, this deck might help you choose. You want to move your SIEM setup from the "get some logs / ignore all logs" model to "collect all/more logs / review some logs", which is typically much more aligned with your level of maturity. And then grow and solve more problems with your SIEM and demonstrate "quick wins". While you are at it, review some architecture choices discussed here. Enjoy (while it lasts)! Possibly related posts on SIEM: Top 10 Criteria for a SIEM; Algorithmic SIEM "Correlation" Is Back; How Do I Get The Best SIEM?; Log Management-SIEM Graduation Criteria: Violate at Your Own Peril; How to Replace a SIEM?; SIEM Resourcing or How Much the Friggin' Thing Would REALLY Cost Me?; How to Write an OK SIEM RFP?; On Choosing SIEM; So, What Should I Want? or How NOT to Pick a SIEM-III; The Myth of SIEM as "An Analyst-in-the-box" or How NOT to Pick a SIEM-II; I Want to Buy Correlation or How NOT to Pick a SIEM; Log Management + SIEM = ?; On SIEM Complexity; SIEM Bloggables (SIEM Use Cases and Whitepaper with detailed SIEM use cases); Log Management / SIEM Users: "Minimalist" vs "Analyst"; All posts labeled SIEM. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/320034.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/320034.shtml</guid></item>
<item><title>Links for 2011-07-27 (delicious)</title><description>Secuobs.com : 2011-07-28 09:24:49 - Anton Chuvakin Blog (Security Warrior) - Gartner Says Less Than Half of Security Software Market Belongs to Top Five Vendors: Just 44 percent of the $16.5 billion worldwide security software market in 2010 belonged to Symantec, McAfee, Trend Micro, IBM and CA, according to Gartner, Inc. The combined market share for the top five vendors has dropped from 60 percent since 2006.</description><link>http://www.secuobs.com/revue/news/319683.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/319683.shtml</guid></item>
<item><title>Got A Pile of Logs from an Incident? What to Do?</title><description>Secuobs.com : 2011-07-28 06:46:32 - Anton Chuvakin Blog (Security Warrior) - As I am going through my backlog of topics I wanted to blog about (but didn't have time for the last 4-6 months), this is the one I really wanted to explore. Here is the scenario: 1. Something blows up, hits the fan, starts to smell bad, ... either in your IT environment or at one of your clients'. 2. Logs (mostly) and other evidence are taken from all the components of the affected system and packaged for offline analysis. 3. You get a nice 10MB-10GB pile of juicy log data, and they wants "answers". 4. What do you do FIRST? With what tools? Let's explore this situation. I know most of you would say "just pile 'em into splunk" and, of course, I will do that. However, that is not the full story. As I point out in this 2007 blog post ("Do You Enjoy Searching?"), to succeed with search you need to know what to search for. At this point of our incident investigation, we actually don't! Meanwhile, the volume of log data beyond a few megabytes makes the "trial and error" approach of searching for common clues fairly ineffective. If you received any hints with the log pile ("I think the user 'jsmith' did it" or "it seems like the 10132 IP was involved"), then you can search for this (and then branch out to co-occurring and related issues and drill down as needed), but then your investigation will suffer from the "tunnel vision" of only seeing this initially reported issue, and that is, obviously, a bad idea. Let's take a step back and think: what do we want here? What is our problem? We want a way to explore ALL the logs in a pile, across log types, across devices, across all time AND then also following a timeline of events. In other words, we ain't in "searchland" here, buddy! If you have an enterprise SIEM sitting around (and one with well-engineered support for diverse historical log imports, which is NOT a certainty, BTW), you should definitely load the logs there as well. I like this approach since you can then run cross-device summary reports over the entire set, slice the set in various ways (type of log source, log source instance, type of log entry / categorized, time period filter, time trend, etc.), and data visualization tools (treemaps, trend lines, link maps, and other advanced visuals on parsed, normalized and categorized data) help get a big picture view of our pile. Looking at the open source log tools, does anything look promising for the task? OSSIM can do the trick (even though their historical log import is not my favorite), but nothing else does. In some cases, I used sawmill (free trial) for my "big picture first look", but it is not cross-device and only shows reports for each log type individually. If I were feeling really adventurous (and was on hourly billing), I could actually send all the logs via a syslog streamer into OSSEC (in order to see the log entries the tool will flag as interesting/alertable), but this is not really something I'd enjoy doing. I am almost tempted to say that you can use something like afterglow, but it relies on parsed data that you'd still need to cook somehow (such as, again, using a SIEM). Log2timeline is useful, but only for one dimension, and the one that splunk actually addresses pretty well already. To generalize, you need (a) a search tool and (b) an exploration tool. The search tool should help you quickly answer SPECIFIC questions. The exploration tool should use data to generate "hints" on WHAT questions you should start asking. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/319669.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/319669.shtml</guid></item>
<item><title>Top 10 Criteria for a SIEM</title><description>Secuobs.com : 2011-07-27 20:28:57 - Anton Chuvakin Blog (Security Warrior) - OK, this WILL be taken the wrong way: I spent years whining about how use cases and your requirements should be THE MAIN thing driving your SIEM purchase. And suddenly Anton shows up with a simple "Top 10 list", so blame it on that cognac. This list is AN EXAMPLE/SAMPLE/ILLUSTRATION. It is here FOR FUN. If you use it to buy a SIEM for your organization, your girlfriend will sleep with your plumber. All sorts of bad things can and likely will happen to you and/or your dog, and even your pet squirrel might go nuts. Please look up the word "EXAMPLE" in the dictionary before proceeding! On top of this, this list was built with some underlying assumptions which I am not at liberty to disclose. Think large, maybe think SOC, think complex environment, etc. Obviously, an environment with its own peculiarities, just like yours. With that out of the way, Top 10 Criteria for Choosing a SIEM (EXAMPLE): 1. User interface and analyst experience in general: ease of performing common tasks, streamlined workflows, small number of clicks to critical functions and efficient and quick information lookups (including external information) when needed during the investigation. 2. Correlation: correlation engine performance, ease of rule creation and modification, canned rule content, cross-device correlation based on normalized/categorized data; additional analytics methods including analysis of stored historical log data; ability to test rules before production deployment. 3. Log source coverage: full integration of most (better: all) needed log sources before operational deployment, detailed parsing and normalization of all fields needed for the analysts' work; coverage of device, OS and application logs; wide use of real-time log collection methods, even at the cost of using agents. 4. Dashboards and analyst views: availability of required analyst views, flexibility and customization, drilldown capability to see additional details, ease of modification and tuning, real-time operation (not periodic polling). 5. Reporting: report performance, visual clarity, ease of modification and default canned report content, ability to create custom reports on all data in a flexible manner without knowing the SIEM product's internal structures and other esoterica. 6. Search and query: high (seconds) performance of searches and queries when investigating an incident, access to raw log data via an efficient search command, tied to the main interface. 7. Escalation, shift and analyst collaboration support: a system to manage collaborative investigations of security issues, take notes, add details and review/approve the workflow; likely this requires an advanced case management / ticketing system to be built in. 8. Ability to gradually expand storage on demand when the environment is growing; this applies to both parsed/normalized data storage as well as raw log storage. 9. Complete log categorization and normalization for cross-device correlation that enables the analysts to "cross-train" and not "device-train" before using the SIEM well. 10. New log source integration technology and process: ability to either quickly integrate new log sources or have the vendor do it promptly (days to a few weeks) upon request. Got any comments? If not, well, enjoy it, while it lasts! Possibly related posts: Algorithmic SIEM "Correlation" Is Back; How Do I Get The Best SIEM?; Log Management-SIEM Graduation Criteria: Violate at Your Own Peril; How to Replace a SIEM?; SIEM Resourcing or How Much the Friggin' Thing Would REALLY Cost Me?; How to Write an OK SIEM RFP?; On Choosing SIEM; So, What Should I Want? or How NOT to Pick a SIEM-III; The Myth of SIEM as "An Analyst-in-the-box" or How NOT to Pick a SIEM-II; I Want to Buy Correlation or How NOT to Pick a SIEM; Log Management + SIEM = ?; On SIEM Complexity; SIEM Bloggables (SIEM Use Cases and Whitepaper with detailed SIEM use cases); Log Management / SIEM Users: "Minimalist" vs "Analyst"; All posts labeled SIEM. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/319587.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/319587.shtml</guid></item>
<item><title>NIST EMAP Workshop Aug 2011</title><description>Secuobs.com : 2011-07-26 21:04:49 - Anton Chuvakin Blog (Security Warrior) - A lot of good work on logging standards as well as standards for the "surrounding areas" (correlation rules, parsing rules, etc.) will happen at this first-ever NIST workshop on EMAP. Please mark your calendars to save the date for an EMAP Developer Workshop to be held August 29-30, 2011 at the NIST Campus in Gaithersburg, Maryland. We are still formalizing the agenda, but topics to be covered will include: discussion of target use cases and requirements as identified by the EMAP working group; CEE overview and in-depth discussion of current issues; discussion of EMAP component specifications and issues/questions for the community; discussion of the EMAP roadmap and connections with other efforts within security automation. We are in the process of standing up a registration page and creating the agenda. A teleconference line will be provided for those who cannot attend in person. More details to come in the near future; we hope to see you there. If you are dealing with logs and SIEM (such as building, or even using the tools) and care about standards, please consider attending, but only if you will contribute! Possibly related posts: NIST EMAP is Out; CEE posts. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/319368.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/319368.shtml</guid></item>
<item><title>Speaking at Catalyst 2011 in San Diego Tomorrow</title><description>Secuobs.com : 2011-07-26 08:18:46 - Anton Chuvakin Blog (Security Warrior) - Just FYI, I am speaking at the Gartner Catalyst 2011 event in San Diego tomorrow. The topic is "Five Best and Five Worst Practices for SIEM": Implementing SIEM sounds straightforward, but reality sometimes begs to differ. In this session, Dr. Anton Chuvakin will share the five best and worst practices for implementing SIEM as part of security monitoring and intelligence. Understanding how to avoid pitfalls and create a successful SIEM implementation will help maximize security and compliance value, and avoid costly obstacles, inefficiencies, and risks. Time: Tuesday, 26 July 2011, 02:45 PM to 03:20 PM. Location: Hilton San Diego Bayfront, 1 Park Boulevard, San Diego, CA 92101. If you are around, come see me here. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/319236.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/319236.shtml</guid></item>
<item><title>Log Management at $0 and 1hr/week</title><description>Secuobs.com : 2011-07-25 11:13:56 - Anton Chuvakin Blog (Security Warrior) - As I was drinking cognac on the upper deck of a 747, flying TPE-SFO back from a client meeting, the following idea crossed my mind: CAN one REALLY do a decent job with log management (including log review) if their budget is $0 AND their "time budget" is 1 hour/week? I got asked that when I was teaching my SANS SEC434 class a few months ago and the idea stuck in my head, and now cognac, courtesy of China Airlines, helped stimulate it into a full blog post. So, a $0 budget points to using open-source, free tools (duh), but 1hr/week points in exactly the opposite direction: a commercial or even outsourced model. The only slightly plausible way that I came up with is: 1. Spend your 1st hour building a syslog server (it can be done, especially if starting from an old Linux box that you found in the basement, at $0; don't forget logrotate or equivalent). 2. Spend the next few weeks (i.e. hours) configuring various Unix, Linux and network devices (essentially, all syslog log sources) to log to it. 3. Consider deploying Snare on a few Windows boxes (if needed); it would likely be easier to do than doing remote pull, as too much tuning might be needed. 4. Next, drop a default OSSEC install on your log server and (gasp!) enable all alerts. 5. Spend the next few hours (in the next few weeks) turning off the ones that are too numerous, irrelevant or don't trigger any action in your environment. 6. If your log volume fits within the free splunk license size (500MB/day), also spend an hour deploying splunk on your log server and have it index all gathered logs. 7. Now you'd be spending your "one log hour each week" on reviewing alerts and (if installed) digging in splunk for additional details. 8. Congrats! $0 and 1hr/week gave you a semblance of log management and even monitoring! What do you think? It just might work for organizations with severe time AND money constraints. Enjoy the post, while it lasts! BTW, on a completely unrelated note: do you think EVERY organization above a certain size NEEDS a SIEM? Or WILL NEED a SIEM in the future? About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/319020.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/319020.shtml</guid></item>
<item><title>Job: Director of Product Marketing at SIEM Vendor</title><description>Secuobs.com : 2011-07-18 20:04:01 - Anton Chuvakin Blog (Security Warrior) - I am posting this as a small favor to my friends at NitroSecurity. Description: The Director, Product Marketing is responsible for developing, planning and executing externally-focused product marketing strategies, plans and programs for the industry-leading NitroView SIEM, log management, database monitoring, application monitoring and IDS/IPS solution. They will research and understand security market trends by working with industry analysts and engaging prospects and customers, closely monitor and analyze competitor offerings and develop value propositions, product positioning and messages for enterprise and government markets worldwide. They will drive and lead all new product launch and introduction activities, and support on-going product and solution campaigns and programs. Candidates in metro Boston, metro Washington DC or open to virtual, home office arrangements are welcomed to apply to jobs@nitrosecurity.com. Responsibilities: a. Work closely with Product Management, Engineering and Operations to fully understand current and planned technologies, products and solutions. b. Conduct competitive research and provide analysis on competitive advantages and competitor claims relative to customer needs. c. Determine product positioning and product messaging and create and manage a broad range of product and solution collateral, on-line content, white papers, blogs and sales tools. d. Develop and deliver new product training to field sales, systems engineers and channel partner and technology partner organizations. e. Key company spokesperson, presenting to prospects, customers, partners, press and analysts in person, via webcasts and at industry conferences. Experience and Qualifications: a. 10+ years of product marketing experience in security/networking assignments. b. 5+ years security industry experience. c. Excellent speaking, writing and presentation skills. d. Strong analytical skills, including business, markets and competition. e. Team player with proven success in high growth environments. f. Technical undergraduate degree preferred or equivalent, MBA or equivalent advanced degree preferred. Apply via jobs@nitrosecurity.com. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/317641.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/317641.shtml</guid></item>
<item><title>Links for 2011-07-13 (delicious)</title><description>Secuobs.com : 2011-07-14 09:12:13 - Anton Chuvakin Blog (Security Warrior) - The Demise of the Antivirus Industry</description><link>http://www.secuobs.com/revue/news/316924.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/316924.shtml</guid></item>
<item><title>Links for 2011-07-10 (delicious)</title><description>Secuobs.com : 2011-07-11 09:12:56 - Anton Chuvakin Blog (Security Warrior) - On the rack</description><link>http://www.secuobs.com/revue/news/316199.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/316199.shtml</guid></item>
<item><title>Links for 2011-07-05 (delicious)</title><description>Secuobs.com : 2011-07-06 09:18:51 - Anton Chuvakin Blog (Security Warrior) - More than passive defense; Coding for Death: Exploits that can Kill; Nerd Problems</description><link>http://www.secuobs.com/revue/news/315366.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/315366.shtml</guid></item>
<item><title>PCI in the Cloud Class July 8: Location Finalized</title><description>Secuobs.com : 2011-07-04 20:26:45 - Anton Chuvakin Blog (Security Warrior) - Just a quick announcement about my "PCI in the cloud" class that I am teaching this week. The location has been finalized. Location (map): Ariba Silicon Valley Office, Sequoia Conference Room, 910 Hermosa Court, Sunnyvale, CA (please use the main entrance and tell the receptionist that you are there for the CSA PCI class; lunch and coffee will be provided). Date: Friday July 8, 2011 at 9AM. There are still, I think, 2-3 seats left at the $20/seat "beta" price (must provide class feedback), so go and register here. Possibly related posts: PCI DSS in Cloud Computing Environments: THE Training. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/315097.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/315097.shtml</guid></item>
<item><title>Monthly Blog Round-Up - June 2011</title><description>Secuobs.com : 2011-07-01 18:38:55 - Anton Chuvakin Blog (Security Warrior) - Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting and useful blog content. If you are "too busy to read the blogs", at least read these. So, here is my next monthly "Security Warrior" blog round-up of the top 5 popular posts/topics this month. 1. "PCI DSS in the Cloud - By the Council" is my quick review of recent PCI DSS guidance on virtualization, focusing on cloud computing guidance. 2. "On Choosing SIEM" tops the charts again this month. The post is about the least wrong way of choosing a SIEM tool, as well as why the right way is so unpopular. A related read is "SIEM Resourcing or How Much the Friggin' Thing Would REALLY Cost Me?"; check it out as well. While reading this, also check this presentation. 3. "Simple Log Review Checklist Released" is still one of the most popular posts on my blog. Grab the log review checklist here, if you have not done so already. It is perfect to hand out to junior sysadmins who are just starting up with logs. A related "UPDATED Free Log Management Tools" is also still on top - it is a repost of my free log tools list to the blog. 4. "Algorithmic SIEM 'Correlation' Is Back" is a post that I never thought would make it to my monthly top as it covers a bit of SIEM esoterica. Surprise! 5. "NIST EMAP Out" is my quick announcement/summary of the NIST EMAP standard efforts, the log/event "brother" of SCAP and an extension of CEE work. Also, as a tradition, I am thanking my top 3 referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog: 1. Anonymous (PCI Guru) 2. Dmitry Orlov 3. Lenny Zeltser. Also see my past annual "Top Posts" - 2007, 2008, 2009, 2010. Next, see you in July for the next monthly top list. Possibly related posts (past monthly popular blog round-ups): Monthly Blog Round-Up - May 2011; Monthly Blog Round-Up - April 2011; Monthly Blog Round-Up - March 2011; Monthly Blog Round-Up - February 2011; Monthly Blog Round-Up - January 2011; Previous ones. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/314754.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/314754.shtml</guid></item>
<item><title>Links for 2011-06-29 (del.icio.us)</title><description>Secuobs.com : 2011-06-30 09:28:20 - Anton Chuvakin Blog "Security Warrior" - New PCI Virtualization Guidelines Answer Some Questions, Create Others.</description><link>http://www.secuobs.com/revue/news/314403.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/314403.shtml</guid></item>
<item><title>Links for 2011-06-23 (del.icio.us)</title><description>Secuobs.com : 2011-06-24 10:05:29 - Anton Chuvakin Blog "Security Warrior" - SolarWinds To Acquire TriGeo For $35 Million.</description><link>http://www.secuobs.com/revue/news/313320.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/313320.shtml</guid></item>
<item><title>PCI DSS in the Cloud: By the Council</title><description>Secuobs.com : 2011-06-16 19:16:59 - Anton Chuvakin Blog "Security Warrior" - The long-awaited PCI Council guidance on virtualization has been released (PDF). Congrats to the Virtualization SIG for the mammoth effort! I rather liked the document, but let the virtualization crowd (and press) analyze it ad infinitum; I'd concentrate elsewhere: on the cloud. This guidance does not focus on cloud computing, but contains more than a few mentions, all of them pretty generic. Here are some of the highlights and my thoughts on them. Section 2.2.6 "Cloud Computing" does contain some potentially usable (if obvious) scope guidance: "Entities planning to use cloud computing for their PCI DSS environments should first ensure that they thoroughly understand the details of the services being offered, and perform a detailed assessment of the unique risks associated with each service. Additionally, as with any managed service, it is crucial that the hosted entity and provider clearly define and document the responsibilities assigned to each party for maintaining PCI DSS requirements and any other controls that could impact the security of cardholder data." (emphasis by AC) Now, after spending the last few months working on a training class on PCI DSS in the cloud for Cloud Security Alliance (in fact, I am still finishing the exercises for our July 8 beta run), the above sounds like a total no-brainer. However, I know A LOT of merchants "plan" to make the mistake of "we use PCI-OK cloud provider, then we are compliant", which is obviously completely insane (just as a PA-DSS payment app does not make you PCI DSS compliant and never did). Further, the council guidance clarifies the above with: "The cloud provider should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider's PCI DSS compliance program. Any aspects of the service not covered by the cloud provider should be identified, and it should be clearly documented in the service agreement that these aspects, system components, and PCI DSS requirements are the responsibility of the hosted entity (aka "merchant", AC) to manage and assess. The cloud provider should provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant." (emphasis in bold by AC) The above is actually a gem, a nicely condensed version of a pile of challenges and hard problems, all nicely summarized. Indeed, "PCI in the cloud" is largely about the above paragraph, but there is A LOT OF DEVIL in the details :) I'd like to draw your attention to the fact that providers have to "provide sufficient evidence and assurance" as opposed to just saying "we got PCI Level 1". There is a big lesson for cloud providers in it! In further sections (section 4.3, mostly), there is some additional useful guidance, such as: "In a public cloud, some part of the underlying systems and infrastructure is always controlled by the cloud service provider. The specific components remaining under the control of the cloud provider will vary according to the type of service, for example, Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Physical separation between tenants is not practical in a public cloud environment because, by its very nature, all resources are shared by everyone." (emphasis by AC again; this reminds us that PCI does NOT in fact require such "physical" separation of assets) On top of this, the Council folks also highlight some of the additional cloud security challenges affecting PCI DSS, such as (page 24, section 4.3): "The hosted entity has limited or no visibility into the underlying infrastructure and related security controls. The hosted entity has no knowledge of 'who' they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment." (the section in bold is kind of a hidden big deal; think about it: your payment environment may blow up since your cloud neighbor just annoyed LulzSec by something they said on Twitter) The guidance counters these and other challenges with additional controls: "In a public cloud environment, additional controls must be implemented to compensate for the inherent risks and lack of visibility into the public cloud architecture. A public cloud environment could, for example, host hostile out-of-scope workloads on the same virtualization infrastructure as a cardholder data environment. More stringent preventive, detective, and corrective controls are required to offset the additional risk that a public cloud, or similar environment, could introduce to an entity's CDE." (notice MUST, not "may" or "should"; also notice REQUIRED and not "suggested" or "oh wow, would it be nice if" :) ) And if you don't have such additional controls, then: "These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner." In any case, it was definitely a fun and useful read; hopefully future detailed guidance on PCI in the cloud is coming (given that the virtualization SIG took a few years, I am looking forward to 2017 or later here). BTW, my PCI DSS in the cloud training class will happen on July 8 in the Bay Area and you can still sign up.</description><link>http://www.secuobs.com/revue/news/311678.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/311678.shtml</guid></item>
<item><title>Links for 2011-06-15 (del.icio.us)</title><description>Secuobs.com : 2011-06-16 09:23:34 - Anton Chuvakin Blog "Security Warrior" - Citigroup data theft the result of a common vulnerability; ISSA Milwaukee June Meeting at Clint Laskowski, CISSP, CISM; Stop Asking for Crap You Don't Need, and Won't Use.</description><link>http://www.secuobs.com/revue/news/311559.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/311559.shtml</guid></item>
<item><title>Links for 2011-06-14 (del.icio.us)</title><description>Secuobs.com : 2011-06-15 09:18:29 - Anton Chuvakin Blog "Security Warrior" - Citigroup "hack" turns out to be simple enough for your grandmother to exploit (Industry).</description><link>http://www.secuobs.com/revue/news/311292.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/311292.shtml</guid></item>
<item><title>Algorithmic SIEM "Correlation" Is Back?</title><description>Secuobs.com : 2011-06-14 20:37:37 - Anton Chuvakin Blog "Security Warrior" - Back in 2002 when I was at a SIEM vendor that shall remain nameless (at least until they finally die), I fell in love with algorithmic "correlation". Yes, I can write correlation rules like there is no tomorrow (and have fun doing it), but that's just me; I am funny that way. A lot of organizations today will rely on default correlation rules (hoping that SIEM is some kinda "improved host IDS" of yesteryear; remember those?) and then quickly realize that logs are too darn diverse across environments to make such naïve pattern matching useful for many situations. Other organizations will just start hating SIEM in general for all the false default rule alerts and fall back in the rathole of log search aka "we can figure out what happened in days, not months" mindset. That problem becomes even more dramatic especially when they try to use mostly simple filtering rules (IF username=root AND ToD&gt;10:00PM AND ToD asset over time. So, "jsmith" might be a frequent user on "server1", but only rarely goes to "server2", and such pair scoring will occasionally show some fun things from the "OMG, he is really doing it" category :) So, when you think SIEM, don't just think "how many rules"; think "what other methods for real-time and historical event analysis do they use?" Possibly related posts: How Do I Get The Best SIEM?; Log Management-SIEM Graduation Criteria (Violate at Your Own Peril); How to Replace a SIEM?; SIEM Resourcing or How Much the Friggin' Thing Would REALLY Cost Me; How to Write an OK SIEM RFP; On Choosing SIEM; So, What Should I Want? or How NOT to Pick a SIEM-III; The Myth of SIEM as "An Analyst-in-the-box" or How NOT to Pick a SIEM-II; I Want to Buy Correlation, or How NOT to Pick a SIEM; Log Management + SIEM = ?; On SIEM Complexity; SIEM Bloggables; SIEM Use Cases and Whitepaper with detailed SIEM use cases; Log Management / SIEM Users: Minimalist vs Analyst; All posts labeled SIEM.</description><link>http://www.secuobs.com/revue/news/311134.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/311134.shtml</guid></item>
<item><title>Links for 2011-06-13 (del.icio.us)</title><description>Secuobs.com : 2011-06-14 09:49:52 - Anton Chuvakin Blog "Security Warrior" - Schneier on Security: Security in 2020; Infosecurity (UK) - Information security in 2020.</description><link>http://www.secuobs.com/revue/news/310990.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310990.shtml</guid></item>
<item><title>Links for 2011-06-09 (del.icio.us)</title><description>Secuobs.com : 2011-06-10 09:47:03 - Anton Chuvakin Blog "Security Warrior" - A Brief History of the Corporation: 1600 to 2100; Zeus Acquires German-based Web Application Firewall Company art of defence (Business Wire).</description><link>http://www.secuobs.com/revue/news/310365.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310365.shtml</guid></item>
<item><title>NIST EMAP Out</title><description>Secuobs.com : 2011-06-08 18:25:50 - Anton Chuvakin Blog "Security Warrior" - As those in the know already know, NIST has officially released some EMAP materials the other day (see scap.nist.gov/emap). EMAP stands for "Event Management Automation Protocol" and has the goal of "standardizing the communication of digital event data". You can think of it as a future "SCAP for logs/events" (SCAP itself is for configurations and vulnerabilities). Obviously, both twin standards will be "Siamese twins" and will have multiple connection points (such as through CVE, CPE and others). In reality, SCAP and EMAP are more like "standard umbrellas" and cover multiple constituent security data standards, such as CPE, CVE, CVSS, XCCDF, etc. for SCAP and CEE for EMAP. As the new EMAP site states: "The Event Management Automation Protocol (EMAP) is a suite of interoperable specifications designed to standardize the communication of event management data. EMAP is an emerging protocol within the NIST Security Automation Program, and is a peer to similar automation protocols such as the Security Content Automation Protocol (SCAP). Where SCAP standardizes the data models of configuration and vulnerability management domains, EMAP will focus on standardizing the data models relating to event and audit management. At a high-level, the goal of EMAP is to enable standardized content, representation, exchange, correlation, searching, storing, prioritization, and auditing of event records within an organizational IT environment." (emphasis by me) While the CEE team is continuing its work on the log formats, taxonomy, profiles and other fun details of logging events, the broader EMAP effort creates a framework around it as well as proposes a set of additional standards related to correlation, parsing rules, event log filtering, event log storage, etc. The released deck (PDF) has these details as well as some use cases for EMAP such as Audit Management, Regulatory Compliance, Incident Handling, Filtered Event Record Sharing, Forensics, etc. In the future, I expect EMAP to include event log signing, maybe its own event transport (run under the CEE component standard) as well as a bunch of standardized representations for correlation (via the CERE component standard) and parsing rules (via OEEL) to simplify SIEM interoperability as well as migration. Everything public to read on EMAP is linked here (2009), here (2010), here, etc. (links are PDFs), if you are into that sort of reading. SIEM/log management vendors, please pay attention :) some of you have already started implementation of this stuff!</description><link>http://www.secuobs.com/revue/news/309969.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309969.shtml</guid></item>
<item><title>Links for 2011-06-07 (del.icio.us)</title><description>Secuobs.com : 2011-06-08 09:25:20 - Anton Chuvakin Blog "Security Warrior" - Is Social Media Malware Infecting Your Business?</description><link>http://www.secuobs.com/revue/news/309861.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309861.shtml</guid></item>
<item><title>Monthly Blog Round-Up: May 2011</title><description>Secuobs.com : 2011-06-01 17:33:07 - Anton Chuvakin Blog "Security Warrior" - Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting and useful blog content. If you are "too busy to read the blogs," at least read these. So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month: 1. "On Choosing SIEM" tops the charts this month. The post is about the least wrong way of choosing a SIEM tool, as well as why the right way is so unpopular. A related read is "SIEM Resourcing or How Much the Friggin' Thing Would REALLY Cost Me"; check it out as well. While reading this, also check this presentation. 2. My commentary on the latest SIEM Magic Quadrant 2011, "On SIEM MQ 2011", is next; I not only share my insights, but also point out some unintentional hilarity in the report. 3. "What To Do When Logs Don't Help: New Whitepaper" announces my new whitepaper (written under contract for Observe-IT) about using other means for activity review and monitoring when logs are either not available or hopelessly broken. 4. Also, "How to Replace a SIEM?" is on the list; it talks about a messy situation when you have to replace one SIEM/log management tool with another. 5. "Simple Log Review Checklist Released" is still one of the most popular posts on my blog. Grab the log review checklist here, if you have not done so already. It is perfect to hand out to junior sysadmins who are just starting up with logs. A related "UPDATED Free Log Management Tools" is also still on top; it is a repost of my free log tools list to the blog. Also, as a tradition, I am thanking my top 3 referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog: 1. Anonymous (PCI Guru) 2. Dmitry Orlov 3. Anonymous (SIEM Ninja). Also see my past annual "Top Posts": 2007, 2008, 2009, 2010. Next, see you in May for the next monthly top list. Possibly related posts (past monthly popular blog round-ups): Monthly Blog Round-Up: April 2011; Monthly Blog Round-Up: March 2011; Monthly Blog Round-Up: February 2011; Monthly Blog Round-Up: January 2011; Previous ones.</description><link>http://www.secuobs.com/revue/news/308485.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/308485.shtml</guid></item>
<item><title>PCI DSS in Cloud Computing Environments: THE Training</title><description>Secuobs.com : 2011-05-31 20:52:47 - Anton Chuvakin Blog "Security Warrior" - It took many long weeks to create and now it is OUT! Sign up here now if you are in the Bay Area on July 8, 2011. The training is being offered free by the Cloud Security Alliance (well, we ask for $20 to offset the pizza costs) in exchange for your feedback, and participation is very limited. I would not be surprised if future production "runs" would cost their attendees 30x-50x of the above "price" since this is a full-day class focused solely on PCI DSS and cloud environments (likely 9AM-4PM with a few breaks). The initial PCI DSS Cloud Training Class is to be held in Silicon Valley on July 8, 2011, exact location to be determined. The first ever class dedicated to assessing and implementing PCI DSS controls in cloud computing environments covers how to think of and how to do PCI DSS in various cloud computing environments. Focused primarily on people familiar with PCI DSS, it starts from the "hype-free" cloud computing facts and then delves into key scenarios where PCI DSS and clouds overlap in the real world. You will learn where to look while assessing such environments and what pitfalls and mistakes to avoid. It will also cover the shared responsibility between service providers and merchants in implementing PCI DSS controls. Specifically, we will discuss how PCI DSS Requirement 12.8 applies to various cloud scenarios. The class would be most useful to PCI DSS QSAs, organizations offering PCI DSS consulting as well as merchants planning or implementing PCI compliance. BTW, in addition to the class materials, I am preparing some "goodies" such as control spreadsheets and implementation tips that should work for various cloud and payment environments. There will be some fun exercises as well. See you there! I will post updates and maybe even some materials as time progresses.</description><link>http://www.secuobs.com/revue/news/308233.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/308233.shtml</guid></item>
<item><title>Links for 2011-05-30 (del.icio.us)</title><description>Secuobs.com : 2011-05-31 09:27:37 - Anton Chuvakin Blog "Security Warrior" - Securosis Blog: BeyondTrust Acquires Lumigent Assets.</description><link>http://www.secuobs.com/revue/news/308070.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/308070.shtml</guid></item>
<item><title>Log Management-SIEM Graduation Criteria (Violate at Your Own Peril)</title><description>Secuobs.com : 2011-05-26 19:46:44 - Anton Chuvakin Blog "Security Warrior" - Somebody asked me that question ("Do I need SIEM or do I need log management?") yesterday again, and I figured I'd repost this "bit of Anton's wisdom" (ego alert :) ), so that people can just read this instead of repeatedly bugging me with this question. Q: How do I figure out whether I need SIEM or log management? A: You need log management if you have computers, IT, data, etc. Period! This is not really a discussion item at all, since about 1986 or so. But do you also need a SIEM? You might think you need it, but you would only be able to benefit from it and satisfy that need if your organization fits the following "graduation criteria from log management to SIEM": 1. Response capability: The organization must be ready to respond to alerts soon after they are produced. Incident response process/procedures are a must. 2. Monitoring capability: The organization must have or start to build a security monitoring capability such as a Security Operations Center (SOC), or at least a team/person/resource dedicated to ongoing/periodic monitoring. 3. Tuning and customization capability: The organization must accept responsibility for tuning and customizing the deployed SIEM tool; pure out-of-the-box SIEM deployments rarely succeed. (Originally written for this paper, where the above are clarified in more detail.) Possibly related posts: All my posts about SIEM.</description><link>http://www.secuobs.com/revue/news/307399.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/307399.shtml</guid></item>
<item><title>Links for 2011-05-24 (del.icio.us)</title><description>Secuobs.com : 2011-05-25 09:28:12 - Anton Chuvakin Blog "Security Warrior" - Anti-Botnet Startup Quietly Emerges From Stealth Mode - Darkreading: "The average of 7 to 12 percent of an enterprise's machines being bot-infected may not be enough to cost-justify them buying another appliance."</description><link>http://www.secuobs.com/revue/news/306956.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/306956.shtml</guid></item>
<item><title>Links for 2011-05-23 (del.icio.us)</title><description>Secuobs.com : 2011-05-24 09:18:22 - Anton Chuvakin Blog "Security Warrior" - Tracking the ROI on SIEM - Computerworld.</description><link>http://www.secuobs.com/revue/news/306738.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/306738.shtml</guid></item>
<item><title>On SIEM MQ 2011</title><description>Secuobs.com : 2011-05-19 19:43:00 - Anton Chuvakin Blog "Security Warrior" - As all of you know, Gartner SIEM MQ 2011 is out; you can see it here (or here, without registration). The quadrant mostly matches my recent SIEM project experience. My observations follow below: CA "SIEM" and "Log Manager" are finally wiped off the face of the Earth (removed from SIEM MQ), NetIQ is dumped down to the Niche. As they should be! Honestly, Symantec SSIM in Leaders is a mystery to me (must be those invisible non-competitive deals or EU/APAC deals). I've not seen them on an enterprise SIEM shortlist in the US for a loooooooong time. The rest of the leaders match my expectations fully (and four of them have been at some point my consulting clients). Splunk is now officially a "sub-par" SIEM, even though it is really not. Is that good or bad? Well, they got their "honorable mention" for the last few years and now they are in the quadrant. BTW, this example shows that you can make A LOT of money by being free and not in any Magic Quadrant. The Visionary sector of the MQ galaxy is extremely crowded, but with very different tools, ranging from Prism to Trustwave. Many organizations will choose a tool from this sector, but need to be careful; read the related posts below for some selection ideas and pitfalls. BTW, congrats to all the vendors who got added this year: AlienVault, Tripwire, Splunk and the regional SIEM guys. As always, apart from insight, the MQ document has a good share of unintentional hilarity, for example: "This company declined to provide any information to Gartner for this research" (Darwin Awards anybody?); "Customer feedback on product function and support is mixed" (Anton translation: product usually doesn't work); "Non-English-language versions of XYZ are not available" (Anton's comment: is everything else about the product perfectly perfect?). Finally, if anybody is wondering, I think the concept of Magic Quadrant (whoever at Gartner came up with it) is brilliant. However, many wrong SIEM purchase decisions I've seen made usually stem from the decision maker's own ignorance and not from whatever document or market visualization he has in his possession. Keep this in mind! Rocky, your turn :) Possibly related posts: How Do I Get The Best SIEM?; How to Replace a SIEM?; SIEM Resourcing or How Much the Friggin' Thing Would REALLY Cost Me; How to Write an OK SIEM RFP; On Choosing SIEM; So, What Should I Want? or How NOT to Pick a SIEM-III; The Myth of SIEM as "An Analyst-in-the-box" or How NOT to Pick a SIEM-II; I Want to Buy Correlation, or How NOT to Pick a SIEM; Log Management + SIEM = ?; On SIEM Complexity; SIEM Bloggables; SIEM Use Cases and Whitepaper with detailed SIEM use cases; Log Management / SIEM Users: Minimalist vs Analyst; All posts labeled SIEM.</description><link>http://www.secuobs.com/revue/news/305944.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/305944.shtml</guid></item>
<item><title>What To Do When Logs Don't Help: New Whitepaper</title><description>Secuobs.com : 2011-05-18 20:12:40 - Anton Chuvakin Blog "Security Warrior" - Here is a hard problem: you MUST log, but there are no logs to enable. Or, what is no less common, logs are so abysmal that they don't help and don't fit the regulatory mold (example: PCI DSS Requirements 10.2 and 10.3). Or, logs are "out there in the cloud" and you cannot get them, but compliance is here and requires them. What to do? The answer to this eternal question is in my new whitepaper that I have written for Observe-IT (observeit-sys.com). Executive summary: This paper covers the critical challenges of implementing PCI DSS controls and suggests creative solutions for related compliance and security issues. Specifically, the hard problem of security monitoring and log review in cloud, legacy, and custom application environments is discussed in depth. Additionally, clarification of key PCI DSS compensating controls is provided. This paper will help you satisfy the regulatory requirements and improve security of your sensitive and regulated data. Short version (PDF, 5 pages). Extended version (PDF, 13 pages). As usual, the vendor was paying the bill, but thinking and research are all mine (SecurityWarrior Consulting). Enjoy! Possibly related posts (past whitepapers): Two New Logging Resources Published; New SIEM Whitepaper on Use Cases In-Depth OUT; Another Fun SIEM Whitepaper.</description><link>http://www.secuobs.com/revue/news/305676.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/305676.shtml</guid></item>
<item><title>PCI Webcast Q&amp;A</title><description>Secuobs.com : 2011-05-17 20:16:10 - Anton Chuvakin Blog "Security Warrior" - From the webcast I've done a while back, here are some fun Q&amp;A that I volunteered to answer. PCI DSS literati reading this blog, don't freak out; this is BASIC since the webinar was for Level 4 e-commerce merchants. Q: I have a hosted Card Service Provider; is the SSL tunnel with certificates good enough security? What does PCI say about this? A: Well, "SSL tunnel with certificates" is good security (at least compared to no SSL), but is it enough? Not really. PCI DSS has a long list of other security controls which need to be implemented; for example, if you are an e-commerce merchant, web application security is extremely important, likely more so than SSL. Q: Another crystal ball question. Do you think the day will come when merchants are not permitted to store credit card information in order to be PCI compliant? A: Well, merchants are not permitted to store CVV data today, merchants are not permitted to store PAN in cleartext and they are strongly discouraged to store PANs at all today (example), all as per PCI DSS. I do not foresee a complete ban on PAN storage, but these rules might well become stronger. Q: If we are not processing cards at all, but instead are protecting client lists, how much security is needed? A: The beauty of this question is that it is up to you to determine that risk. There are no regulations to compel you, so you have to make your own decisions based on your own research. The answer might vary from "none" (if these are essentially public) to "a lot" if loss of those lists will destroy your business. Q: What about ACH Direct processing? A: Not under PCI; all risks are yours, same as above. In recent years, a lot of smaller companies have been attacked by ACH credential stealing malicious software. Q: The question about 2 or 3 things to secure their system. Could they not just go to dial up credit terminals? A: They sure can; a net will help protect the card data. Q: How can a criminal use stolen card data for themselves? A: Charge cards themselves, resell them in bulk, manufacture cards for resale and use (if Track 2 data is available), buy and resell goods, buy software and then pirate it, etc, etc, etc. Think what you'd do if you are given a "free credit card" :) Q: Retailers that use MPLS networks have historically not had to encrypt data over a "private" network connection like MPLS. Do you expect MPLS to require data encryption and firewalling like you find with networks served by public internet connections? A: No, this is not a "public" network as defined in PCI DSS, at least to the best of my knowledge. So, while encryption and firewalls are "a good idea", they are not "the law". Requirement 4.1 states that: "Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks." Q: When we went to our website provider to close ports as we said it was not PCI compliant, we were told that because there was no CC data being taken through the site (it's informational only), it doesn't have to be PCI compliant. Is that true? A: Not exactly true. Public servers are in scope and must be scanned for vulnerabilities; having fewer open ports will help you have fewer vulnerabilities exposed to the Internet. Now, if you don't accept credit cards at all in your business, then obviously your website is not under PCI DSS. Q: We have a third party vendor that handles our payments; what tools can we use to audit our vendor? A: Likely, you're talking not about technical tools, but "legal tools" like SLA, agreements, etc. Q: To be totally honest, we save the CVV number. This is because it is a huge annoyance to have to call the customer every time we need to charge the card. Is there another solution so we don't have to contact our customers for their CVV number? A: It is OK to save the CVV if you accept the fact that you can never be PCI DSS compliant and will always be in violation of your agreement with your acquiring bank. If I were you, I'd ask your acquiring bank about how to do recurring payments without saving the CVV; it IS possible. Q: Besides a firewall and web application firewall, what other layers of security can be used? A: Yes, many (if you are under SAQ D); please read PCI DSS. Examples include log management, configuration management, IDS/IPS, FIM, etc, etc. Q: What about credit card data stored in QuickBooks? A: QB does have encryption; do you use it? PANs stored in this application are just like any other stored complete PANs: they need to be encrypted. Q: What IDS/IPS system would you recommend? A: Snort is free and is hard NOT to recommend for that reason. Q: I use PayPal Website Pro integrated into my site to process payments. Do I still need a firewall to be PCI DSS compliant? A: It depends how it is used, but most likely yes (and not just a firewall). Read this for details. Q: If we use a swipe machine, are we storing data, or is it just transmitted? A: Depends on the machine; likely just transmitted, but older machines are known to store data and should be replaced, whenever possible. Q: How about some websites/books for learning web security? A: Key web security: OWASP and WASC. Q: What products/solutions do you recommend for managing logs from different types of applications (e.g., web applications) and systems (e.g., /var/log)? A: Many tools exist with prices from $0 to (literally) millions; here are some of my favorite free log tools. Q: How do I know if a website is PCI compliant before I accept credit cards? Should the web host give me a certificate? A: Ah, good question, and you are not the only one to wonder about that. But there's no good answer! Many security seals exist (and some mention PCI DSS scanning on them), but their credibility is frequently called into question. Q: Why hasn't the term "passphrase" taken off? I tell all my users, use a pass phrase, with proper punctuation and spacing. A: Hard to say; this is a really good way to create long while memorable passwords. Q: We still transmit our payment card data over telephone lines. Is that less risky? A: Yes, much less risky. A dial-up terminal makes PCI DSS easier and genuinely reduces the risks to cardholder data. Q: On the "Who/What do Hackers Target" question, what are the constraints for including the company data? Are all companies included or only ones that require PCI compliance? A: All data is potentially under risk, but payment card data (and now ACH credentials) are easier to profit from, if you are a criminal. Many companies use PCI DSS to learn about security and then expand their knowledge to protect other kinds of data, beyond the card numbers. Enjoy the basics! Possibly related posts: Blatant "buy our PCI book NOW" :)</description><link>http://www.secuobs.com/revue/news/305429.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/305429.shtml</guid></item>
<item><title>How to Replace a SIEM</title><description>Secuobs.com : 2011-05-09 17:48:31 - Anton Chuvakin Blog - "Security Warrior" - Note: this has been written for the Cisco MARS blog as a guest post and is reposted here for posterity. Ouch! That "Venus" SIEM appliance that we got with routers has finally croaked. That piece of PHP brilliance that the pre-pre-previous security engineer wrote has been buried under the thick pile of XML. That managed SIEM provider has annoyed us one last time. What do the above situations have in common? The unfortunate time to replace your SIEM has come. What to expect, apart from copious amounts of pain? This post will shed some light on this conundrum, based on the author's experiences. First, it goes without saying that it is better to choose the right SIEM the first time (eg see "On Choosing SIEM" and other posts mentioned below) than to migrate from a SIEM that has been collecting logs (and dust) for a few years. However, you might not have any say in the matter: you might have inherited it, your "evil boss" might have procured the previous SIEM without asking you, or you might have built it yourself after a particularly bad hangover. Also, your organization might have simply outgrown the SIEM, or your early generation SIEM vendor has not kept up with innovation in the space. In any case, you have a SIEM and you need a new one. Let's look at the good side of the situation: (1) It is very likely that you learned some super-valuable lessons from your previous SIEM experience (other people have to hire consultants to get to those lessons) and now can avoid the common purchasing process pitfalls (some discussed here, BTW). (2) You have much more confidence while discussing confusing SIEM features with vendors, speaking from your previous SIEM experience; this alone will make your new SIEM purchase process much less painful. (3) You have some semblance of a logging policy across the systems that log into the SIEM; that puts you ahead of those organizations who are just getting their first SIEM or log management tool. (4) It is possible that you built some operational procedures around the SIEM (such as for PCI DSS log review or other purposes) and those would be handy for a new SIEM as well. (5) If you have to write an RFP (as I discuss here), the chances are that your new RFP would be MUCH better and more likely to result in a good vendor short list. (6) Treat this situation as positive; think "I now know more than 90% of people buying a SIEM, thus my new SIEM project will be a success." A few things to avoid and pay attention to: (1) Suppress that "I'd buy anything but this crap" mentality; think "what problems will a new SIEM solve or solve better?" (2) Avoid taking shortcuts (such as not doing a PoC); you are more knowledgeable, but not prescient. How might a migration process look? This assumes that you have already selected a new product, tested it in the lab and are ready for production deployment. (1) Prepare to run both products for some time; this might range from a few weeks to months. (2) Draft the new SIEM vendor to help you migrate the data (after all, they are getting the prize :)). (3) Potentially, be prepared to keep the old SIEM running (without paying for the support contract, of course) or at least keep the old data backups; this becomes important if complete data migration is impossible due to architecture differences between the new and old SIEMs. Ideally, your log management tool will hold raw log backups and so keeping the old SIEM in operation won't be needed. (4) One of the biggest migration efforts will be migrating SIEM content (reports, rules, views, alerts, etc). As we all know, such content is not really portable across SIEMs and you should be prepared to simply recreate all the custom content AND all the default content that you used in the old SIEM and that the new SIEM might lack. By the way, I have seen more than a few organizations start from an open source SIEM or home-grown log management tool, learn all the lessons they can without paying any license fees, and then migrate to a commercial SIEM tool. Their projects are successful more often than pure "buy commercial SIEM on day 1" projects and this might be a model to follow (I once called this the "build then buy" approach). Possibly related posts: SIEM Resourcing or How Much the Friggin' Thing Would REALLY Cost Me; How to Write an OK SIEM RFP; Log Management Tool Selection Checklist Out; On Choosing SIEM; So, What Should I Want? or How NOT to Pick a SIEM-III; The Myth of SIEM as "An Analyst-in-the-box" or How NOT to Pick a SIEM-II; I Want to Buy Correlation, or How NOT to Pick a SIEM; Logging, Log Management and Log Review Maturity; Log Management + SIEM = ?; On SIEM Complexity; SIEM Bloggables; SIEM Use Cases (whitepaper with detailed SIEM use cases, using a particular SIEM as an example); Log Management / SIEM Users: "Minimalist" vs "Analyst"; All posts labeled SIEM.</description><link>http://www.secuobs.com/revue/news/303546.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/303546.shtml</guid></item>
<item><title>Links for 2011-05-06 (delicious)</title><description>Secuobs.com : 2011-05-07 09:08:13 - Anton Chuvakin Blog - "Security Warrior" - Sophos buys security appliance firm Astaro (The Register)</description><link>http://www.secuobs.com/revue/news/303227.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/303227.shtml</guid></item>
<item><title>NEW: Metricon is Coming, RFP Out</title><description>Secuobs.com : 2011-05-05 01:36:09 - Anton Chuvakin Blog - "Security Warrior" - The CFP for Metricon 6 is alive; the deadline is June 15. If you think that the previous one (somewhat) sucked, this one will be different, since it will be about "Real People Generating Real Information". This year, Metricon 6 is excited to issue a call for participation to the InfoSec community. Occurring August 9th 2011, colocated with USENIX in San Francisco, California. We will be breaking up topics into the following sections, and subsequently would be very interested to review submissions in the following subjects: Metrics and Instrumentation; The Utility of Risk Metrics; Risk and Cyber Insurance; Methods for measuring impact; Incident Management Metrics; Operational Metrics Beyond Patches, Vulns, and Anti-Virus. THE PROGRAM: This year's Metricon will be more "convention" than "defend your thesis". Included will be panels, discussions, as well as traditional presentations. We would like to include: The "Listen" Portion of our Program: Executive use of Metrics. WANTED: Executives to join a panel on the use of Metrics to make decisions. Metricon 6 is seeking executives excited to discuss metrics they are happy with, unhappy with, or just executives who want to reach out to the security metric community and give us an earful. We're especially interested in executives who are (or have unsuccessfully tried to) use operational metrics to make a business case. The "Feedback" Portion of our Program: Metrics and Instrumentation. WANTED: Vendors (Product Managers) who want to talk about their approach to developing the artifacts for their products and services and how they currently or in the future hope to help customers feed an evidence-driven approach to risk management. In addition, we are looking for security vendors who would like unobstructed feedback on the artifacts and outputs of their current products/services. For Discussion: Methods for Measuring Impact. WANTED: risk analysts, auditors and anyone else who is estimating and/or tracking the impact of incidents. How do you account for or estimate how much an organization suffers from IT Security incidents? Speaking of Incidents, For Discussion: The Role of Metrics in an Incident Response Program. WANTED: IR teams and/or executives willing to talk war stories, not about incident specifics but looking back: what is the role of metrics in IR (real or hypothetical), what metrics you (may or may not) collect, and why. For Discussion: Risk and CyberInsurance. WANTED: Do you buy, sell, or have internal hedging practices that could be considered "cyberinsurance"? We're seeking individuals to present on the growing practice of cyberinsurance and its use as a hedge against security incidents. For Discussion: Operational Metrics Beyond Patches, Vulns, and Anti-Virus. It's cliche these days to say that most operational metrics programs are of little use beyond "the big three". WANTED: Panelists and presenters for discussions around operational metrics that are not directly the output of vuln mgmt, patch mgmt, or A/V products. The Lightning Rounds: New and Unique Approaches. 15 minute sessions showing off new research, approaches, data and models. See ya there!</description><link>http://www.secuobs.com/revue/news/302686.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/302686.shtml</guid></item>
<item><title>Links for 2011-05-03 (delicious)</title><description>Secuobs.com : 2011-05-04 09:50:04 - Anton Chuvakin Blog - "Security Warrior" - Log Management Spurs Data Collection Debate (Darkreading)</description><link>http://www.secuobs.com/revue/news/302492.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/302492.shtml</guid></item>
<item><title>Monthly Blog Round-Up - April 2011</title><description>Secuobs.com : 2011-05-03 00:33:50 - Anton Chuvakin Blog - "Security Warrior" - Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting and useful blog content. If you are "too busy to read the blogs," at least read these. So, here is my next monthly "Security Warrior" blog round-up of the top 5 popular posts/topics this month. 1. "Verizon DBIR 2011 is OUT" announces the release of the next Verizon Breach Report; awesomeness unleashed :) 2. "Simple Log Review Checklist Released" is still one of the most popular posts on my blog. Grab the log review checklist here, if you have not done so already. It is perfect to hand out to junior sysadmins who are just starting up with logs. A related "UPDATED Free Log Management Tools" is also still on top; it is a repost of my free log tools list to the blog. 3. My PCI DSS log review procedures that I created for a consulting client and posted on the blog (sanitized, of course) took one of the top spots again; the first post "Complete PCI DSS Log Review Procedures, Part 1" and the whole series (PCI_Log_Review) would be useful to most large organizations under PCI DSS (as well as other regulated organizations that are looking to create structured log review policies, procedures and process). 4. "On Sony PSN Breach and Commenting" is about why I am rejecting many requests to "comment on the Sony PSN breach": because most of such post-breach comments by outsiders are pure drivel, that rarely even RISES to the level of FUD. 5. "SIEM Resourcing or How Much the Friggin' Thing Would REALLY Cost Me" is a new post about figuring out the costs of your SIEM/SIM/SEM implementation; it became an instant favorite and took the final top 5 spot this month. Also, as a tradition, I am thanking my top 3 referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog: 1. Anonymous (PCI Guru) 2. Anonymous (SIEM Ninja) 3. Dmitry Orlov. Also see my past annual "Top Posts": 2007, 2008, 2009, 2010. Next, see you in May for the next monthly top list. Possibly related posts (past monthly popular blog round-ups): Monthly Blog Round-Up for March 2011, February 2011, January 2011, December 2010, November 2010, October 2010, September 2010, August 2010, July 2010, June 2010, May 2010, April 2010, March 2010, February 2010, January 2010, December 2009, November 2009, October 2009, September 2009, August 2009, July 2009, June 2009, May 2009, April 2009, March 2009, February 2009, January 2009, December 2008, November 2008, October 2008, September 2008, August 2008, July 2008, June 2008, May 2008, April 2008, March 2008, February 2008, January 2008, December 2007, November 2007, October 2007, September 2007, August 2007.</description><link>http://www.secuobs.com/revue/news/302122.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/302122.shtml</guid></item>
<item><title>On Sony PSN Breach and Commenting</title><description>Secuobs.com : 2011-04-28 21:21:19 - Anton Chuvakin Blog - "Security Warrior" - Here is why I am rejecting many requests to "comment on the Sony PSN breach": because most of such post-breach comments by outsiders are pure drivel, that rarely even RISES to the level of FUD. So: Q: What got stolen in the now infamous Sony PlayStation Network (PSN) breach, the #4 largest ever at DatalossDB? A: Definitively, for all PSN users: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID (source: Sony letter, obtained via dataloss-discuss@datalossdb.org). Possibly: profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers (source: same Sony letter). Total record count stands at 77 million. Q: Were all the credit cards stolen? A: I don't know, and Sony says THEY DON'T KNOW either. Q: What does it mean, "they don't know"? A: To me, it means they sucked at security monitoring and sucked REALLY hard at logging, and likely didn't have database logging/auditing. Allowing the breach to happen can happen to anybody, but not knowing AFTER the breach whether REGULATED data was stolen points to gross incompetence. Q: Were they PCI compliant? A: I don't know. Most likely, they were validated as PCI DSS compliant at some point (I'd assume they are Level 2 or maybe Level 1). Was there a QSA involved? I don't know, but I'd guess they are comprised of multiple Level 2 (and below) merchants, not one Sony-wide Level 1. Thus they self-assessed via SAQ. Q: But were they REALLY PCI compliant? A: I don't know. Don't bug me about this one :) Q: Were they PCI compliant at the presumed time of the breach? A: I don't know. Personally, I seriously doubt it, since maintaining PCI compliance at all times is extremely hard (example) and access to regulated data should be logged and monitored. Enjoy!</description><link>http://www.secuobs.com/revue/news/301466.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/301466.shtml</guid></item>
<item><title>Peculiar Bit on Compliance vs Risk (Again)</title><description>Secuobs.com : 2011-04-27 20:28:37 - Anton Chuvakin Blog - "Security Warrior" - So, yes, seatbelts. One of my favorite compliance metaphors lately, which I have considered infallible (and used everywhere). After all, everybody knows that seatbelts save lives and there is plenty of reliable evidence of that, coming from DoT / NHTSA studies (this one, BTW, is worth a skim for the infosec crowd, for sure), etc. So, we all know that. However, the other day I was in Russia, traveling to Lake Baikal in particular (long story, but it has to do with my wife's love of exotic locations, both tropical and permafrost-bound). Given that it was still winter and given that roads in Russia are, mmm, not, most locals simply drive on the ice of a lake; it is way smoother, shorter and faster than "doing the road thing". Besides, that is the only way to reach some lake islands in winter (bonus question for advanced readers: how do the locals get to those islands when the lake is already frozen (no boats), but the ice is too thin for cars or already broken down (no cars)? Answer:). In any case, we got into a car and I started to fasten the seatbelt. At that very moment, the driver looked at me funny and said something along the lines of "Wow, having suicidal thoughts lately, aren't you?" And at that moment, risk collided with compliance in my head. Boom! I was in one of those rare environments where your risk model is completely different (from the one regulators imply when building the regulations) and traditional compliance rules just don't apply. By the way, even traffic police there will never fine you for "driving on the lake with seatbelts off". Well, all others must go do PCI compliance :)</description><link>http://www.secuobs.com/revue/news/301210.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/301210.shtml</guid></item>
<item><title>SANS 7th Log Management Survey 2011 is (Almost) OUT</title><description>Secuobs.com : 2011-04-22 17:40:21 - Anton Chuvakin Blog - "Security Warrior" - SANS is almost ready with their 7th Annual Log Management Survey, which would be unveiled at two SANS webcasts on April 25 and April 26 (both at 1PM EST / 10AM PST). The SANS log management survey is a useful measure of what organizations do with logs and how it changes year over year. SANS states that "organizations still want better access to their log data and better integration with third party security software and their SIEM systems and their Windows logs". I am allowed to share a few (very few) bits from the report, but expect full analysis from me when it officially comes out. So: (1) Collection has dropped way down among the most challenging tasks related to logs; now categorization, reporting, analysis and other higher level tasks show up as top challenges (good news!). (2) Alerting/detection again trumps search/investigations as far as basic log use cases are concerned (it is definitely very interesting, since post-incident search requires much less tuning than alerting). (3) PCI DSS still rules the roost of "logging for compliance"; which mandate is #2? Well, wait for the survey to come out :) (4) Windows logs still spell "t-r-o-u-b-l-e", even after Windows Vista and new XML logging (only 10% are happy with it); analysis is the top problem that organizations have with Windows log management. And the Snare agent still rules. Enjoy the webcasts and the report next week! Possibly related posts: SANS Log Management Survey 2010 is Out.</description><link>http://www.secuobs.com/revue/news/300284.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/300284.shtml</guid></item>
<item><title>Verizon DBIR 2011 is OUT!</title><description>Secuobs.com : 2011-04-19 19:49:50 - Anton Chuvakin Blog - "Security Warrior" - OMG, today is The Breach Day, an official security holiday. Verizon Business has just released their super-famous "2011 Data Breach Investigations Report". Here are my notes, thoughts, jokes and highlights (all images and quotes are from VzDBIR 2011). First, we all know that science has been looking for a scientific proof of stupidity for years, and finally it is here: [figure vz-IMG_0020] In other words, most of the damaging, expensive breaches have cheap countermeasures that people just don't do. Niiiice! On a more serious note, not only were many of the breached organizations ignorant, they were not even close to being PCI compliant: [figure vz_IMG_0006] Doesn't it make you think that we are going backwards in security, "APT" notwithstanding? So, who ARE these people? Well, we now know: [figure vz-IMG_0007] That is likely why we have fewer records stolen overall (no known mega-breaches), but A LOT of smaller "losses", largely attributed to the industrial "hacking machine" of cybercrime hitting smaller business head-on. And how exactly are they getting owned? Surely with ancient Chinese secret APT hacking tools? Well, yeah, on the "ancient" part: it is password guessing mostly, which harks back to the 1970s: [figure vz-IMG_0012] What assets are bearing the brunt of attacks? This easy diagram shows: [figure vz-IMG_0013] So, merchants, do you still have that POS server in the back of the store with PANs of all the cards you ever accepted? Congrats, your donation to the cybercrime fund has been accepted! To make things even sadder, people are not detecting shit: [figure vz-IMG_0014] The above shows that the most typical time between the incident and its detection is "weeks". Still want to field that real-time monitoring system? Save some money and buy a cheaper log management system, and establish a solid log review process (example). The Verizon team does give the same advice I often give my clients today: "Change your approach to event monitoring and log analysis. Based on the data we collect in the Time of Breach events, we believe that organizations would be better served to focus less on the 'real-time' methods of detection, and more on the 'this week' methods. If we can shift Compromise to Discovery time frame from Weeks and Months to Days, it will significantly reduce the damage done to your organization." Let's REALLY crank up the sadness: even after WEEKS or MONTHS, who is detecting? Yup, The Third Party wins again: [figure vz-IMG_0015] Your own log review detects breaches LESS OFTEN than "happenstance discovery by unrelated 3rd party"; why? Because you ain't doing that log review! This is how bad things really are. The above graph made me cry in pain, BTW. Specifically, the report states: "If there is one positive note that we can squeeze out of these statistics around active measures, it's that discovery through log analysis and review has dwindled down to 0%. So the good news is that things are only looking up from here. Yeah, that's squeezing pretty hard, but what else can we do? Figure 41 continues to show that good evidence of the breach usually exists in the victim's log files waiting to be used." Finally, does PCI compliance help? Well, we'd know only if the organizations were in compliance, and most aren't (not even at ASSESSMENT TIME, much less at BREACH TIME): [figure vz-IMG_0018] End of the story. Overall, this was the saddest VzDBIR I ever read; Wade and Alex, you made me and my puppy weep :) My highlights might be fun, but PLEASE do take time to read the entire report (PDF). Possibly related posts: Verizon Breach Report 2010 OUT; Verizon PCI Report is Out; Breach Report 2009 Day.</description><link>http://www.secuobs.com/revue/news/299465.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/299465.shtml</guid></item>
<item><title>Links for 2011-04-08 (delicious)</title><description>Secuobs.com : 2011-04-09 09:19:21 - Anton Chuvakin Blog - "Security Warrior" - Security Depends On The Devious Human Touch (eWEEK Europe UK): "It is likely that RSA had log management systems in place but they were not being checked and analysed properly. Judging by the speed with which the company has been able to produce a forensic report on the attack implies that all the clues were there."</description><link>http://www.secuobs.com/revue/news/297283.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/297283.shtml</guid></item>
<item><title>Links for 2011-04-07 (delicious)</title><description>Secuobs.com : 2011-04-08 09:29:15 - Anton Chuvakin Blog - "Security Warrior" - Sentrigo has been Acquired by McAfee (Sentrigo)</description><link>http://www.secuobs.com/revue/news/297041.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/297041.shtml</guid></item>
<item><title>Links for 2011-04-04 (delicious)</title><description>Secuobs.com : 2011-04-05 09:31:59 - Anton Chuvakin Blog - "Security Warrior" - EMC acquires NetWitness, combines with RSA (Business Tech - CNET News)</description><link>http://www.secuobs.com/revue/news/296273.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/296273.shtml</guid></item>
<item><title>Monthly Blog Round-Up - March 2011</title><description>Secuobs.com : 2011-04-04 14:38:40 - Anton Chuvakin Blog - "Security Warrior" - Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting and useful blog content. If you are "too busy to read the blogs," at least read these. So, here is my next monthly "Security Warrior" blog round-up of the top 5 popular posts/topics this month. 1. My PCI DSS log review procedures that I created for a consulting client and posted on the blog (sanitized, of course) took THE top spot again; the first post "Complete PCI DSS Log Review Procedures, Part 1" and the whole series (PCI_Log_Review) would be useful to most large organizations under PCI DSS (as well as other regulated organizations that are looking to create structured log review policies, procedures and process). 2. "SIEM Resourcing or How Much the Friggin' Thing Would REALLY Cost Me" is a new post about figuring out the costs of your SIEM/SIM/SEM implementation; it became an instant favorite and took the next top 5 spot in March. 3. The next is "Log Forensics and 'Original' Events", which covers the issue of "raw", "original" or "native" log records and their use for forensics. 4. "UPDATED Free Log Management Tools" is next; it is a repost of my free log tools list to the blog. I repost it every time after an update. 5. Finally, my RSA 2011 notes ("RSA 2011 Conference Notes") are also in the top list. 6. "Simple Log Review Checklist Released" is still one of the most popular posts on my blog. Grab the log review checklist here, if you have not done so already. It is perfect to hand out to junior sysadmins who are just starting up with logs. Also, as a tradition, I am thanking my top 3 referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog: 1. Anonymous (PCI Guru) 2. Walt Conway 3. D. Orlov (please let me know what "D" stands for; your blog is not exactly clear about it :)). Also, thanks for translating my PCI DSS log review procedures into Russian! Also see my past annual "Top Posts": 2007, 2008, 2009, 2010. Next, see you in April for the next monthly top list. Possibly related posts (past monthly popular blog round-ups): Monthly Blog Round-Up for February 2011, January 2011, December 2010, November 2010, October 2010, September 2010, August 2010, July 2010, June 2010, May 2010, April 2010, March 2010, February 2010, January 2010, December 2009, November 2009, October 2009, September 2009, August 2009, July 2009, June 2009, May 2009, April 2009, March 2009, February 2009, January 2009, December 2008, November 2008, October 2008, September 2008, August 2008, July 2008, June 2008, May 2008, April 2008, March 2008, February 2008, January 2008, December 2007, November 2007, October 2007, September 2007, August 2007.</description><link>http://www.secuobs.com/revue/news/296025.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/296025.shtml</guid></item>
<item><title>Source Boston 2011: See You There!</title><description>Secuobs.com : 2011-04-04 08:51:36 - Anton Chuvakin Blog - "Security Warrior" - Just a quick post about my upcoming presentation at Source Boston 2011, one of the most fun security conferences around. The details are quoted from the conference site: "So You Got That SIEM. Now What Do You Do?" Anton Chuvakin, Principal, Security Warrior Consulting (@anton_chuvakin). Many organizations that acquired Security Information and Event Management (SIEM) tools and even simpler log management tools have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use" and "totally intuitive". So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before a SIEM purchase becomes successful? At this presentation, you will learn from the experience of those who did not have the benefit of learning from others' mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made. And laugh at some hilarious stories of "SIEM FAIL", of course! As a bonus track, how to revive a FAILED SIEM deployment you inherited at your new job will be discussed. Dr Anton Chuvakin is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. He is an author of the books "Security Warrior" and "PCI Compliance". Currently he runs his consulting practice focused on SIEM, log management as well as compliance. So, if you are around Boston on April 20-22, see you there!</description><link>http://www.secuobs.com/revue/news/295989.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/295989.shtml</guid></item>
<item><title>Links for 2011-03-22 (delicious)</title><description>Secuobs.com : 2011-04-01 19:57:15 - Anton Chuvakin Blog (Security Warrior) - StorefrontBacktalk, Blog Archive: "So Many Logs, So Little Time: Why Won't You Share With Me?" | Unspecific, Blog Archive: "IANS Lone Star Information Security Forum": The case study was an interesting idea of how to tie together log management systems with a custom SIEM solution to be proactive. During Tim's talk he presented the following formula for success. Formula for Success = 50% process integration + 25% technology integration + 25% overcoming internal resistance, which emphasizes that this is not about technology, but more about the process (workflow). | ShackF00: "What's New is Old, Actually" | "The Analyst's Creed" (wirewatcher): These are my logfiles. There are many like them, but these ones are mine. My logfiles are my best friends. They are my life. I must master them as I must master my life. My logfiles, without me, are useless. Without my logfiles, I am useless. I must comprehend my logfiles, every word. I must be more vigilant than my enemy who is trying to invade me. I must detect him before he compromises me. | "The Power of Written Security Policies": A number of recent court rulings have confirmed what security folks have been saying for years: that having a pre-written policy can make all the difference in legal matters. Consider these three recent cases involving employee privacy. Case 1: The US Supreme Court in July ruled that a police officer's texts on department pagers were not private. But that ruling was based on grounds other than the Ontario Police Department's policy that said text messages on work pagers were not private. In this case, there was a policy in place but it did not cover pages specifically. | Securosis Blog, "On Science Projects": SIEM is clearly a science project. Like all cool exploding volcanoes, circuit boards, and fighting Legos, value can be had from a SIEM deployment if you put in the work. And keep putting in the work, because these tools require ongoing, consistent care and feeding. Log Management, on the other hand, is brain-dead simple. Point a syslog stream somewhere, generate a report, and you are done. Where do you think most customers needing to do security management start? Right, with log management. Over time a few do make the investment to get to more broad analysis (SIEM), but most don't. And they don't need to. Remember, even though we don't like it and we think they are wrong, these folks don't care about security. They care about generating a report for the auditor, and log management does that just fine.</description><link>http://www.secuobs.com/revue/news/295749.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/295749.shtml</guid></item>
<item><title>My (Recent) Security Writing and Speaking</title><description>Secuobs.com : 2011-03-29 01:05:59 - Anton Chuvakin Blog (Security Warrior) - Now that I am flooded with work (with more on the way), I am eternally procrastinating on my "Fun Security Reading" blog posts. So, let me at least try to blog about what I was WRITING if I don't have time to blog about what I was reading (Google Reader shared item feed). The list is loosely sorted by time. My writing: 1. HIPAA Logging HOWTO, Part 1; 2. HIPAA Logging HOWTO, Part 2; 3. PCI Security: Q&amp;A with Anton Chuvakin, PCI Compliance Expert; 4. PCI Security: Q&amp;A with Anton Chuvakin, PCI Compliance Expert, PART 2; 5. ASSESSMENT SUCCESS: PCI DSS STANDARDS AND SECURE DATA STORAGE; 6. How to Do Application Logging Right (with Gunnar Petersen); 7. FISMA Logging HowTo, Part 1; 8. Logging for FISMA part 2: Detailed FISMA logging guidance; 9. Log management software can aid data security, boost IT accountability; 10. Log review for incident response, Part 1; 11. A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security; 12. Log review for incident response, Part 2; 13. PCI DSS 2.0 Fun Facts; 14. Logs vs Bots and Malware Today; 15. PCI DSS Today and Tomorrow: Logging is the Key; 16. Logs for Insider Abuse Investigations. Presentations: 1. Log Standards and Future Trends (BrightTalk); 2. What PCI DSS Taught Us About Security (BrightTalk); 3. You Got That SIEM. Now What Do You Do? (BayThreat 2010); 4. Achieve PCI Compliance and Ensure Security in a Data Deluge (Focus.com webcast); 5. Address Network Security: Dramatically Reduce PCI DSS Scope with Gateway Tokenization (Intel / NRF webcast); 6. Proactive Compliance for new PCI-DSS 2.0 (SANS webcast); 7. Using Logs for Breach Investigations and Incident Response (BrightTalk webcast and presentation); 8. PCI Compliance: Tips, Tricks &amp; Emerging Technologies (BankInfoSec webcast); 9. You can always see more on my Slideshare page. Audio podcasts etc.: 1. Cloudchasers podcast: Cloud security and compliance, it's all about the logs (May 20, 2010) (mp3); 2. Cloudchasers podcast: IT Security industry consolidation and the cloud (Sept 16, 2010) (mp3); 3. Logs, Clouds and Open Source, Oh My!; 4. ETM podcast: Insight into SIEM (mp3); 5. McAfee podcast about retail security (mp3); 6. and, obviously, our own log podcast LogChat. Miscellaneous: 1. "Scaling the Security Chasm" is not by me, but it is written based on my HITB keynote last year; 2. "How to handle PCI DSS requirements for log management in the cloud" is also not by me, but has significant input from me. BTW, if you'd like to see what I've been reading, subscribe to my Google Reader shared item feed and Like feed / Buzz. Or use the widget below. And, no, Twitter didn't kill blogging, but it sure looks like Twitter is intent on killing Twitter. PS: Posted by a scheduler; please don't laugh, but I am in Siberia now. Responses to comments will happen when I am back. Possibly related posts: Fun Reading on Security and Compliance #25 | My recent presentations. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/294680.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/294680.shtml</guid></item>
<item><title>UPDATED Free Log Management Tools</title><description>Secuobs.com : 2011-03-25 19:26:29 - Anton Chuvakin Blog (Security Warrior) - FYI, I have updated my list of free log analysis and log management tools on my consulting site. Here it is, reposted. Version 1.3, updated 3/8/2011 (original location). This page lists a few popular free open-source log management and log analysis tools. The page is a supplement to "Critical Log Review Checklist for Security Incidents" that can be found here or as PDF or DOC (feel free to modify it for your own purposes or for internal distribution - but please keep the attribution). The log cheat sheet presents a checklist for reviewing critical system, network and security logs when responding to a security incident. It can also be used for routine periodic log review. It was authored by Dr. Anton Chuvakin and Lenny Zeltser. The open source log management tools are: 1. OSSEC (ossec.net) is an open source tool for analysis of real-time log data from Unix systems, Windows servers and network devices. It includes a set of useful default alerting rules as well as a web-based graphical user interface. This is THE tool to use, if you are starting up your log review program. It even has a book written about it. 2. Snare agent (intersectalliance.com/projects/index.html) and ProjectLasso remote collector (sourceforge.net/projects/lassolog) are used to convert Windows Event Logs into syslog, a key component of any log management infrastructure today (at least until Vista/W7 log aggregation tools become mainstream). 3. syslog-ng (balabit.com/network-security/syslog-ng) is a replacement and improvement of the classic syslog service - it also has a Windows version that can be used the same way as Snare. 4. rsyslog (rsyslog.com) is another notable replacement and improvement of the syslog service that uses the traditional (rather than ng-style) format for syslog.conf configuration files. No Windows version, but it has an associated front-end called phpLogCon. 5. Among the somewhat dated tools, Logwatch (logwatch.org), Lire (logreport.org) and LogSurfer (crypt.gen.nz/logsurfer) can all be used to summarize logs into readable reports. 6. sec (simple-evcorr.sourceforge.net) can be used for correlating logs, even though most people will likely find OSSEC correlation a bit easier to use. 7. LogHound (ristov.users.sourceforge.net/loghound) and slct (ristov.users.sourceforge.net/slct) are more "research-grade" tools that are still very useful for going through a large pool of barely-structured log data. 8. Log2timeline (log2timeline.net) is a useful tool for investigative review of logs: it can create a timeline view out of raw log data. 9. LogZilla (aka php-syslog-ng; code.google.com/p/php-syslog-ng) is a simple PHP-based visual front-end for a syslog server to do searches, reports, etc. The next list is the "honorable mentions" list, which includes logging tools that don't quite fit the definition above: Splunk is neither free nor open source, but it has a free version usable for searching up to 500MB of log data per day - think of it as a smart search engine for logs. Splunk includes a tool for extracting parameters out of log data. Offering both fast index searches and parsed data reports, Novell Sentinel Log Manager 25 is not open source, but can be used for free forever as long as your log data volume does not exceed 25 log messages/second (25 EPS). Unlike Splunk above, it includes log data parsing for select log formats and thus can be used for running reports out of the box, not just searching. Q1Labs is also neither free nor open source, but it has a free version usable for managing up to 50 EPS (roughly 2GB/day). It can be downloaded as a virtual appliance. OSSIM is not just for logs and also includes OSSEC; it is an open source SIEM tool and can be used much the same way as commercial Security Information and Event Management tools are used (SIEM use cases). Microsoft Log Parser is a handy free tool to cut through various Windows logs, not just Windows Event Logs. A somewhat similar tool for Windows Event log analysis is Mandiant Highlighter (mandiant.com/products/free_software/highlighter). Sguil is not a log analysis tool, but a network security monitoring (NSM) tool; still, it uses logs in its analysis. Loggly cloud logging service now offers free developer accounts (at loggly.com/signup) for their cloud log management service. The volume limitation is 200MB/day and the retention time limitation is 7 days. If you'd like to collect and search your logs without running any software, this is for you. For a list of commercial log management tools go to the Security Scoreboard site. A few of the commercial tools offer free trials for up to 30 days or longer. PS: I'd love to finally test GrayLog in my lab since it looks very promising, but, sorry, I was not able to get it to work. Too much Ruby and Java for my Linux box. BTW, I got a couple more fun new tools that I plan to test and then possibly add to this list. PPS: Comment response will be slow, I am away from computers. Possibly related posts: Original On Free Log Management Tools. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/294237.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/294237.shtml</guid></item>
<item><title>Log Forensics and "Original" Events</title><description>Secuobs.com : 2011-03-22 19:56:50 - Anton Chuvakin Blog (Security Warrior) - I did this fun presentation on log forensics (here) and the question of "original" (aka "native", "raw", "unmodified") log events came up again. Since the early days of my involvement in SIEM and log management, this question generated a lot of delusions and just sheer idiocy. A lot of people spout stuff like "you need original logs in court" without having any knowledge about either logs or court, or forensics in general. Or, as I sometimes feel, even computers in general. So, WTH is an "original" event? Let's explore this a bit. For example, let's take Windows 7 Event Logs. Before you read further, without focusing too much on the real meaning of "original", think what you'd consider an original event log record. Is this original: the EVTX file itself? Is this: an XML view via Event Viewer on the computer where the log is produced? Is this: a "friendly" view in the same Event Viewer on the same "original" computer? As you might know, the above view is actually enriched, i.e. has new information added compared to the EVTX file. Does it break the originality? What if the EVTX file is copied to another computer and then opened in an Event Viewer? It might look a bit different due to various ID dereference operations, and it might enrich the contents with slightly different information. How about this: exported to CSV at another computer. Is this still original? And what about the one that is converted to syslog in a similar fashion? What if, oh horror, TABs are replaced with spaces? So, what's the lesson here? Obsession about "original", "native", "raw" logs is just not a useful pursuit and it dead-ends pretty quickly. Instead, you need a clearly understood and documented path of all event records that unambiguously tracks all changes to event records (removals, addition of details, modifications of contents, new headers, etc.), not a fake and impossible quest for "originality". For additional reference on trusting logs, check out what Eric Fitzgerald wrote about log trust back in the days of his ownership of the Event Log. Possibly related posts: Log Trustworthiness Hierarchy. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/293388.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/293388.shtml</guid></item>
<item><title>Links for 2011-03-18 (delicious)</title><description>Secuobs.com : 2011-03-19 08:08:32 - Anton Chuvakin Blog (Security Warrior) - Top 10 Things Your Log Management Vendor Won't Tell You (Log Management Central) | Criteria for Graduating from Log Management to SIEM (Log Management Central) | InformationWeek Security: SIEM gathers steam in 2010 | Staffing for Splunk (Splunk Blogs) | 1 Raindrop: 5 Stages of Infosec | Log Management Year in Review or Eyes in the Back of Your Head (Log Management Central) | Mark Runals' Blog: Of Logs and crap. Or is that the crappyness of logs? | LogInspect: Cloud based Log Management - Good or bad? | Mark Runals' Blog: SIEM needs a new name | Mark Runals' Blog: Is ArcSight hard to use? | SIEM Evaluation Criteria - Functionality Matrix - Security Operations by Visible Risk - Visible Risk - Enterprise Information Security and Intelligence Operations | 5 Myths about SIEM / Log Management (Log Talk) | Q&amp;A with David Corlette of Novell (Log Management Central): What are your five favorite correlation rules? | Quick Wins (SIEM NINJA) | Implementing SIEM - Information Security Strategy: Like many IT projects, a SIEM project is not something that can be rushed. From the point of project initiation, I decided to take 1 year to go through the process of research, budget acquisition, requirements formulation, scoping, vendor presentations, contract negotiations, etc. to the point where a product has been purchased and implementation could start.</description><link>http://www.secuobs.com/revue/news/292770.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/292770.shtml</guid></item>
<item><title>Links for 2011-03-17 (delicious)</title><description>Secuobs.com : 2011-03-18 08:42:09 - Anton Chuvakin Blog (Security Warrior) - Trustworthiness of Information in Audit Records - Windows Security Logging and Other Esoterica - Site Home - MSDN Blogs | Compliance, Security, and the relations therein | The Chase Is On: Departments, Connection Magazine | Log Management: Catalyst for Vital Functions (Speaking of Security - The RSA Blog and Podcast): I expected to see enterprises start using their logs to "get more" now that the expensive systems are in place, where back in 2003 it didn't make sense to pursue the "auto-magic". | Is correlation killing the SIEM market? (Log Talk): These customers are mostly smaller enterprises, what Gartner defines as SME; however they still purchased predominantly for the classic Gartner use case: the budget came from a compliance drive but they wanted to use SIEM as a means of improving overall IT security and sometimes operations. | SIEM: Love it or leave it (Inform): "As much as I love SIEM (it's my favorite technology), I know there are a lot of people who are frustrated by it," says Anton Chuvakin, who worked within the SIEM vendor community for nearly 10 years and now heads SIEM consultancy Security Warrior Consulting. | Log Consolidation or SIEM? BOTH! ((ISC)2 Blog) | SIEM ROI - How to prove it? | Web Server Log Forensics App Wanted (ha.ckers.org web application security lab)</description><link>http://www.secuobs.com/revue/news/292511.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/292511.shtml</guid></item>
<item><title>Links for 2011-03-16 (delicious)</title><description>Secuobs.com : 2011-03-17 08:44:25 - Anton Chuvakin Blog (Security Warrior) - You Might Be a Product Manager If... (Product Beautiful: Building Product Management by Paul Young)</description><link>http://www.secuobs.com/revue/news/292214.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/292214.shtml</guid></item>
<item><title>SecurityBSides San Francisco at RSA 2011 Presentation</title><description>Secuobs.com : 2011-03-15 00:59:59 - Anton Chuvakin Blog (Security Warrior) - My account of RSA 2011 cannot be complete without, yes, SecurityBSides San Francisco. I was holding this post hoping to include links to videos, but, despite the power of Google, I was not able to figure out where AND whether the videos are posted. So, you have to enjoy my new fun SIEM presentation (below) without my voice and an image of me pointing at the sky. "Something Fun About Using SIEM" by Dr. Anton Chuvakin (view more presentations from Anton Chuvakin). Enjoy! Possibly related notes: RSA 2011 Conference Notes | RSA 2011 PCI Council Interview | All posts tagged RSA. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/291583.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/291583.shtml</guid></item>
<item><title>Links for 2011-03-10 (delicious)</title><description>Secuobs.com : 2011-03-11 09:07:09 - Anton Chuvakin Blog (Security Warrior) - Inside Google's Age of Augmented Humanity (Xconomy)</description><link>http://www.secuobs.com/revue/news/290949.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/290949.shtml</guid></item>
<item><title>Links for 2011-03-07 (delicious)</title><description>Secuobs.com : 2011-03-08 09:17:30 - Anton Chuvakin Blog (Security Warrior) - The Official Lookout Blog: Do Androids Dream?</description><link>http://www.secuobs.com/revue/news/290074.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/290074.shtml</guid></item>
<item><title>SIEM Resourcing or How Much the Friggin' Thing Would REALLY Cost Me?</title><description>Secuobs.com : 2011-03-07 20:35:10 - Anton Chuvakin Blog (Security Warrior) - One of the ugliest, painfulest, saddest issues with SIEM is resourcing. Yes, that SIEM appliance might set us back $75,000 in hard earned security budget dollars, but how much more will we have to spend in the next 3 years deploying, integrating, using, tuning, cursing, expanding the thing? How much manpower will the new operational procedures (example) cost us? And if we actually build a SOC or "a virtual SOC", how much will we have to spend on an ongoing basis to get the value and benefits? In fact, how much will the coffee cost if we have to work 20 hours in a row recovering that crashed SIEM database partition? These and other questions are super-important for every SIEM and log management project. And the time has come for me to reveal my secret knowledge of SIEM resourcing. OK, that's a joke: it is not a secret, just a bunch of things that are often unpleasant for many SIEM buyers, users and sellers to hear. So, NEWSFLASH: SIEM costs money! "Free" SIEM (example) costs money too, BTW. Let's try to delve into what those costs are. I will be not-quite-scientific in regards to real "hard money" costs (e.g. software license purchasing) and "soft" costs (e.g. staff time costs), but I will try to clearly mark each kind of SIEM cost below. First, assumptions and limitations: This is NOT "SOC staffing", but simply "running a SIEM" staffing; SOC implies more processes and more tasks and a broader mission. Assumes in-sourced, traditional "buy and run" SIEM; the outsourced, co-managed/co-sourced cost model would look different. Here is the rough cost model for some of the most common SIEM cost categories. 1. Initial "hard" costs: (1) SIEM license costs (base price; per user, per node, per EPS, per CPU (and per CPU core), etc. costs, however your favorite vendor charges); (2) for software SIEM, also hardware, OS, database costs for as many servers as you need; (3) if any, mandatory 3rd party software license costs (occasionally, agents, reporting tools, etc.); (4) if chosen, vendor or consultant deployment services costs (if not chosen, staff time for deployment will pop out in soft costs below); (5) vendor training or 3rd party training on logs, log management, SIEM, etc.; (6) additional external storage (in most cases). 2. SIEM ongoing, operating "hard" costs: (1) various SIEM vendor services (support, typically mandatory; ongoing professional services costs); (2) personnel to operate a SIEM, from part of an FTE (very small scale, few use cases for a SIEM) to 1 FTE (small appliance deployments) to many FTEs of various roles (much more for SOC staffing if live monitoring is implemented); 0 FTE for SIEM = SIEM project FAIL with 10000% probability. 3. Periodic or occasional "hard" costs: (1) various SIEM vendor services (professional services, custom development work for device integration; some of these may go into soft costs if done internally, for advanced organizations or those experienced with SIEM already); (2) periodic staff training on SIEM operation and tuning; (3) specialty staffing (DBA, sysadmins, node sysadmins, in-house developers for custom connectors, Crystal Reports administrator (yuck), etc.; some of these might go into "soft" costs if "poaching" existing personnel time); (4) deployment expansion costs (same as initial costs, but for additional systems, software, hardware, etc. as you grow; these sneak up really fast if SIEM is licensed using many dimensions such as user/CPU/node/server/something else); (5) external storage expansion costs: yes, you will buy more storage if your volume grows and log retention time stays the same (e.g. 1 year for PCI DSS). On the other hand, here are some of the "soft" costs, such as time expenditures by existing resources. 1. Initial "soft" costs: (1) deployment time for the SIEM project (allocate more time if deploying purely using internal personnel, not vendor or consultant); (2) log source configuration and integration; this will likely take way more than simply installing the tool, and this is what makes SIEM deployment projects go for months in complex, distributed organizations with many silos; (3) initial tuning, content creation and adapting the tool to your environment (however lightweight it may be); (4) training and other staff time costs to jumpstart the operation (Congratulations! You bought a SIEM. Now you need to operate it). 2. SIEM ongoing, operating "soft" costs: (1) report review and other ongoing monitoring tasks, from 24/7 to daily to weekly; (2) alert response and escalation (SIEM implies correlation and automated alerting); (3) other "using SIEM" tasks such as reviewing the dashboards; (4) uptime maintenance tasks, i.e. caring for your SIEM as well as storage: backups, updates, minor troubleshooting, etc. 3. Periodic or occasional "soft" costs: (1) SIEM rule tuning, reports creation, dashboard customization, new log source integration, other ongoing SIEM tasks; (2) periodic training and related staff time costs; (3) expansion (same as initial soft costs). As was suggested by a discussion on SIEMusers.org (shhh, the site is not ready for launch yet), it is useful to separate soft costs that are mandatory FOR SIEM operation from those which commonly arise FROM SIEM operation. The most obvious example is incident response due to increased awareness of network and system activities, delivered by your SIEM. "Soft" costs that commonly result from SIEM: 1. added cost of incident response (more incidents are likely to be detected); 2. resulting incident remediation costs and even cost of new technologies deployed for preventing the discovered issues; 3. other department personnel time for dealing with issues revealed by SIEM (the soft costs do leak out of the security department to IT and even beyond: legal, HR, etc.). Anything big I missed that you experienced? BTW, in my experience, I have seen the total cost of a SIEM project (hard + soft) range from 10% of SIEM license costs (for "shelfware SIEM" deployments) to a mind-boggling 20x of license cost. PS: Finally, if you want to really annoy Anton, mention "SIEM ROI". If you do that, I will send you to Gal Shpantzer for a mandatory "why he avoids SIEM" class. Possibly related posts: Log Management Tool Selection Checklist Out! | So, What Should I Want? or How NOT to Pick a SIEM-III | On Choosing SIEM | I Want to Buy Correlation, or How NOT to Pick a SIEM | The Myth of SIEM as "An Analyst-in-the-box" or How NOT to Pick a SIEM-II | Logging, Log Management and Log Review Maturity | Log Management + SIEM = ? | On SIEM Complexity | SIEM Bloggables | SIEM Use Cases: Whitepaper with detailed SIEM use cases (using a particular SIEM as an example) | Log Management / SIEM Users: "Minimalist" vs "Analyst" | All posts labeled SIEM. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/289942.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/289942.shtml</guid></item>
<item><title>Links for 2011-03-04 (delicious)</title><description>Secuobs.com : 2011-03-05 09:21:53 - Anton Chuvakin Blog (Security Warrior) - Network Security Blog: Network Security Podcast, Episode 231</description><link>http://www.secuobs.com/revue/news/289599.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/289599.shtml</guid></item>
<item><title>RSA 2011 PCI Council Interview</title><description>Secuobs.com : 2011-03-03 20:41:59 - Anton Chuvakin Blog (Security Warrior) - Just like last year, I did this great interview with Bob Russo, the GM of the PCI Council. There is no audio recording; what follows below are my notes reviewed by the Council. Italic emphasis is added by me for additional clarity. Q1: PCI DSS 2.0 is out. What do you think its impact is, so far? A: We are just entering the implementation phase, but it seems like there is no major impact yet; it is definitely too early to say what the impact would be. Using data discovery (merchants looking to confirm that PAN data does not exist outside of the defined PCI DSS scope) seems to be becoming more prominent and this seems to be a direct result of PCI DSS 2.0. Accidental exposure of cardholder data is a known risk. Identifying where the data truly resides first, through a tool or a methodology, should aid organizations in their assessment efforts and ongoing security. By the way, despite moving to the longer three year process, we can still update the standard in between via the errata mechanism (described here - added by AC) or using additional guidance produced by the Council and SIGs. For example, if there is a new threat, we can issue additional guidance on how to deal with it within the framework of PCI DSS. Q2: QSA assessment quality is said to be improving due to QSA QA. On the other hand, reports of many SAQs being "inaccurate" are fairly widespread. Is anything being done to improve SAQ quality at Level 2 and smaller merchants? A: Well, some merchants do "answer Yes to every question" - is that what you mean by inaccurate? We see education as the answer to this. For example, there are plans for making the SAQ easier to fill in (think about a TurboTax type model for SAQ: a wizard process for answering the pertinent SAQ questions and for presenting the right questions to the merchant in a logical order). Education efforts can help a merchant understand that honest and accurate SAQs are for "their protection". Everyone needs to include security in their daily process. The Council will seek to help by providing additional guidance on how to become more secure, comply with the Standards and how to validate that compliance. Some of this is being addressed with the new general Awareness Training we have launched, offering a high level overview of what PCI is and the role that every employee plays in keeping cardholder data secure. Q3: While we are on the SAQ theme, can anything be done to have more merchants stay compliant, not just get validated every year and then forget about PCI DSS until the next validation? A: Definitely, more education is needed and we are trying to fill that vacuum, like with the Awareness Trainings we have rolled out. For example, educating merchants that PCI DSS is about data security - not checkbox compliance - is a big focus. Merchants also need to be reminded that they need to get secure and compliant and stay secure and compliant. It requires ongoing vigilance. Unfortunately, some merchants think that "PCI DSS is about a questionnaire and a scan" and this mentality needs to be addressed by educating merchants about data security. Q4: Visa's new EMV rules might make merchants in Europe and Asia care even less about payment data security. What do you think the impact of the new rules will be on PCI? A: It is too early to tell at this stage as the rules were announced last week (first week of February 2011 - AC). In essence though, this is a compliance or reporting issue. Nothing has changed for the Council or the standards. PCI DSS still remains the foundation for card security for all payment brands. Ecommerce merchants in those regions still must adhere to the PCI DSS even with the new rules. In essence, the new rules imply that the merchants do not need to continue to validate compliance; however, we understand that the merchants still have to become and stay compliant, and have proof of that even before considering this program by that brand. As far as we know, acquirers still plan to get their merchants compliant and validated, so "nothing has changed" for them in the new VISA program. Also, according to public information on the new program, acquirers can still be fined for non-compliance under the new rules as well. This should continue to lead them to get their merchants PCI compliant to reduce the risk of the acquiring bank. It's early to tell what merchants think and how they will react to this at this time. Q5: Will PCI DSS ever move away from the model where the merchants are either compliant with the entire PCI or they are not? Isn't it better if 100% of merchants implement 10 critical controls vs 10% of all merchants implement 100% of controls? A: We are continuing to look at ways for merchants and others in the payment chain to reduce and minimize their card data environment. Some technologies can help, but only if done right. That is why we are putting so much effort in really scrutinizing these technologies to ensure that they are indeed effective, and under what circumstances. For those just starting their compliance journey, using the PCI milestones and Prioritized Approach (see here - AC) will also increase in the future. For example, in the new standards we suggest a risk based approach to compliance programs. Mitigate the biggest risks first and you are doing yourself a great favor and moving that much closer to compliance. As an example of this, requirement 6.2 was updated to allow vulnerabilities to be ranked and prioritized according to risk. You will hear more from the Council about this in 2011. Q6: Some QSAs (and merchants) still complain that "QSAs are subjective". Will there be more prescriptive assessment procedures? A: Compliance cannot be absolute and completely objective since merchant environments differ greatly. For example, look at compensating controls: they are an example of flexibility in working with the Standards. If we get more rigid, and do not include flexibility within the Standard for compensating controls, more people will believe that PCI DSS is forcing them to do things "our way". We think the current standard is at or close to a balance in this regard, allowing security and flexibility to protect card data within everyone's own unique environment. People should feel free to ask the PCI Council if there is any doubt about a particular QSA decision. The Council also receives details on QSA performance, outside of just merchants. We keep a close watch on this to ensure a consistent level of QSA performance. Also, merchants are not the only ones who can report bad QSAs to the Council (I suspect, although I am not sure, that they are talking about other QSAs here - AC). In addition, we hope that more organizations will take advantage of our Internal Security Assessor program to help their internal employees better understand the process of an external assessment and how to maintain a strong security program between assessments. Q7: Does the Council plan to "certify" any other security technologies, like you do for ASV vulnerability scanning? A: We do not currently have plans to do so. More guidance will likely be released on using technologies to help with PCI DSS compliance and data security. There are no plans to certify other security technologies in a manner similar to vulnerability scanning and ASVs. Many technologies, such as possibly logging and log review, may get additional guidance in the future. While the DSS 2.0 added a sub-requirement for payment applications to support centralized logging (PA-DSS Requirement 4.4 - AC), it is a known area where many merchants are struggling and additional guidance could go a long way. Q8: There is definitely a need for more scoping guidance, especially for complex environments involving virtualization, cloud providers, 3rd party partners, etc. When will scoping SIG guidance be released? A: PCI DSS 2.0 does recommend using data discovery for better scoping. We've reinforced that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of the cardholder data environment. Merchants should not be guessing at what the scope is, but completely and objectively determine that scope. Simple scoping guidance is a challenge. It is difficult to create a single set of parameters that one can undertake to determine the scope of PCI applicability across a complex environment. It is an inherently complicated task. However, we hope to provide some additional guidance on this process soon, perhaps a few steps at a time, to begin to help merchants better understand this process. Enjoy! Possibly related notes: RSA 2010 EXCLUSIVE PCI Security Standards Council Interview. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/289209.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/289209.shtml</guid></item>
<item><title>Links for 2011-03-02 (delicious)</title><description>Secuobs.com : 2011-03-03 09:49:15 - Anton Chuvakin Blog (Security Warrior) - Cisco Completes Acquisition of Pari Networks</description><link>http://www.secuobs.com/revue/news/289071.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/289071.shtml</guid></item>
<item><title>RSA 2011 Conference Notes</title><description>Secuobs.com : 2011-03-02 20:50:59 - Anton Chuvakin Blog (Security Warrior) - Here is my account of the RSA 2011 conference, with all its awesomeness. I LOVE RSA and I always say that if you can only attend one security event a year, make it RSA. Now, it takes some (admittedly, small) effort to get value out of your RSA experience: the conference is not about the keynotes and not really about the (way too many) tracks of presentations. It is about our industry gathering, pretty much the entire security industry as it exists in 2011. For security training you go to SANS, for the latest attacks to BlackHat/DEFCON (or, increasingly, to smaller conferences), but for getting a sense of the entire security industry (SECURITY BUSINESS, if I may) you MUST go to RSA.

I spent my first RSA2011 day (Monday, aka Valentine's Day) at Metricon. This year Metricon (and I admit to only attending about 2/3 of the day) just disappointed. This is the second year I am sacrificing all sorts of fun RSA-related events (CSA, AGC, etc.) for security metrics and I promise I won't do it again. Metricon this year was a shoutfest, not a conversation, about metrics. Yes, there was awesomeness there, for sure: the Verizon crew showed their early results from Veris community incident data collection (Baker, Wade and Alex Hutton - Veris Data / Veris Community). I loved the presentation on log analysis of DNS server data (Fruhwirth, Proschinger, Lendl, Savola - Name Server Log Data), which did show a few new log tricks. Then a guy from Finnish CERT talked about automated incident reporting. Chris Eng on "Critical Consumption of Infosec Stats" was fun to watch as well, although it did turn loud a few times. A few other presentations turned into a mess, and I won't go into details; it was painful enough being there.

RSA proper started for me on Tuesday, since (yes, I know, it is unbelievable) I spent Monday evening celebrating Valentine's Day instead. But before, there was one awesomeness-induced day at SecurityBSides San Francisco, where I presented on SIEM (to be covered in a separate blog post). So, apart from current and future client meetings (these always "taste better" at RSA somehow), I had a chance to spend some time in the RSA Vendor Exhibition on Tuesday. Usually I allocate 5-6 hours to walk the vendor hall, talk to people (old and new) and figure out what's up (and who's down: HBGary, obviously, this year). What did I see?

- Since I expected the cloud to be a huge oppressive presence, I was not surprised. In fact, I was surprised that some booths did NOT have cloud written all over them. Cloud, BTW, is not just "a security trend of the day". It is part of a massive "trifecta of security evil" - Virtualization / Cloud / Mobile - which will absolutely change the way we do information security in the next 3-5 years and possibly longer. (BTW, I learned a new definition of "virtualization security" at RSA: a belief that your virtual infrastructure is as secure as your physical infrastructure, aka "secured by faith".)
- The third leg of the trifecta, mobile, was not visible at all. I am not talking about the silly "mobile anti-virus" stuff, but about security solutions focused on mobile security problems (no, viruses are not one of them). After RSA, somebody introduced me to Nukona, which will serve here as an example of mobile security solutions focused on mobile security problems (no, I am not on their advisory board :)).
- I didn't see enough application security, even counting all incarnations. Obviously, application security plays a leading role in security of the above "trifecta of security evil", but somehow I have not noticed enough new approaches to appsec. I did notice a bit more whitelisting, I guess, and this approach definitely deserves to finally go into the mainstream.
- Funnily, I noticed some sad loser vendors with big booths. What's up, dudes? Have you blown your entire 2011 marketing budget on that RSA booth and now somebody will surely acquire you?
- Maybe it is just me, but I have never noticed Asian companies at RSA before; this year there were a few. Is this a new trend?
- It was also interesting to see a theme of "we unify security and compliance" (as if compliance ever existed on its own... well, it kinda did, unfortunately). What's going on here is vendors sold a lot of gear for compliance and now need to "sell" the worldview that all that gear is useful for security (what a shocker!).
- I also noticed a lot of network traffic and flow analysis, but absolutely no DLP. Has DLP fallen into that pig trough of disillusionment?
- Yes, booth babes are mostly gone (except for the NSA booth, but that is totally different). However, it seems like booth monkeys are in. I had an unfortunate experience of talking with people at booths who had a very, very vague idea about security, despite having lofty titles like "VP of Marketing". If you show up at RSA, please do your homework.
- And sorry for a mildly idiotic final point, but why don't we use email encryption in 2011? There was not even one vendor with a new and creative email encryption scheme. Even without the painful HBGary reminder, it seems clear that organizations treat email as sensitive protected data. How dumb is that? Please remember the old saying: "unless you encrypt, email is a postcard".

On Wednesday, apart from more meetings, I did another interview with PCI Council's Bob Russo (to be published under separate cover). The rest of Wednesday was spent in fun meetings with potential clients (and a quick trip to Palo Alto; don't ask :)). Thursday was spent advancing the CEE log standard and even (surprise!) attending a few RSA sessions. Fridays at RSA are always fun: not too many people at the sessions. I spent my morning at the BUS-402 "analyst roundtable" session with Kupplinger Cole, Gartner and Forrester, moderated by Asheem Chandna from Greylock VC firm. Most "analyst takeaways" from RSA 2011 were pretty much about cloud and mobility. I've heard a fun opinion on IT consumerization: if you deal with the security of employee devices by banning them, you will automatically make your organization unattractive to the best employees, thus increasing, not reducing, your business risk (not sure how true it is, really). Also, I didn't realize that virtualization platform vendors abandon security; this was strangely stated as a fact by the analysts. Finally, I went to the President Clinton keynote. After tolerating the ever-so-annoying Hugh Thompson, we got the full "Clinton experience" for more than an hour. The Clinton keynote was great, unexpectedly so. He mentioned the Tea Party 3x times of his mentions of Obama (in the form of "Obamacare"), spoke of how he is "socially progressive / fiscally conservative" (which is pretty awesome, IMHO). I am still shocked that I'd appreciate a politician's speech at a security conference that much. He was more specific and fact-based than a few other keynoters at RSA2011. If the video of his keynote surfaces (maybe), do listen, just for fun.

Other fun RSA2011 accounts are tagged here (http://www.delicious.com/anton18, tag "RSA 2011"). A few fun examples are "Change we can believe in", "RSA 2011: In Summary", "RSA 2011: What's My Theme". Possibly related posts: RSA 2010 - Day 4-5 and all posts tagged RSA. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/288917.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/288917.shtml</guid></item>
<item><title>Monthly Blog Round-Up - February 2011</title><description>Secuobs.com : 2011-03-01 17:24:48 - Anton Chuvakin Blog (Security Warrior) - Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting and useful blog content. If you are "too busy to read the blogs," at least read these. So, here is my next monthly "Security Warrior" blog round-up of the top 5 popular posts/topics this month.

1. "The Honeynet Project Releases New Tool: PhoneyC" leads all posts this month; this is reposted to my blog since I recently began serving as (volunteer) Chief PR Officer for The Honeynet Project. Another recent Project release is "The Honeynet Project Releases New Tool: Cuckoo".
2. "Simple Log Review Checklist Released" is still one of the most popular posts on my blog. Grab the log review checklist here, if you have not done so already. It is perfect to hand out to junior sysadmins who are just starting up with logs.
3. My PCI DSS log review procedures that I created for a consulting client and posted on the blog (sanitized, of course) took one of the top spots again: the first post "Complete PCI DSS Log Review Procedures, Part 1" and the whole series (PCI_Log_Review) would be useful to most large organizations under PCI DSS as well as other regulations.
4. "Test Your Mad Logging and Log Management Skills NOW" is a fun test you can take to check your skills related to logs, logging, log analysis and log management. Another LogManagementCentral special, "Bottom 11 Log Management 'Worst Practices'", is next on the top list. Hate security "best practices"? Check out the bottom worst practices instead. Yet another LogManagementCentral special, "11 Log Resolutions for 2011", is up here as well.
5. The hilarious "Top 10 Things Your Log Management Vendor Won't Tell You", written for LogManagementCentral, reigns supreme this month. Read, laugh, weep, log!

Also, below I am thanking my top 3 referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog: 1. Walt Conway, 2. Lenny Zeltser, 3. Anonymous SIEM Ninja. Also see my past annual "Top Posts" - 2007, 2008, 2009, 2010. Next, see you in March for the next monthly top list.

Possibly related posts (past monthly popular blog round-ups): Monthly Blog Round-Up for January 2011, December 2010, November 2010, October 2010, September 2010, August 2010, July 2010, June 2010, May 2010, April 2010, March 2010, February 2010, January 2010, December 2009, November 2009, October 2009, September 2009, August 2009, July 2009, June 2009, May 2009, April 2009, March 2009, February 2009, January 2009, December 2008, November 2008, October 2008, September 2008, August 2008, July 2008, June 2008, May 2008, April 2008, March 2008, February 2008, January 2008, December 2007, November 2007, October 2007, September 2007, August 2007. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/288518.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/288518.shtml</guid></item>
<item><title>Links for 2011-02-28 (delicious)</title><description>Secuobs.com : 2011-03-01 09:40:25 - Anton Chuvakin Blog (Security Warrior) - Securosis Blog: Firestarter: Risk Metrics are Crap; Uncommon Sense Security: The true cost of non-compliance is ZERO; nCircle Products: Vulnerability Management Systems / Compliance Audit Solutions; Securosis Blog: RSA Guide 2011: Key Themes; RSA 2011: What's My Theme; Liquidmatrix Security Digest: RSA 2011: In Summary; The Falcon's View: RSA Conference 2011 recap; Silver Tail Blog: RSA 2011 (dis)Innovation Sandbox; The Falcon's View; Security Uncorked: What's missing from mobile security? RSA Juniper Session Recap</description><link>http://www.secuobs.com/revue/news/288409.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/288409.shtml</guid></item>
<item><title>Links for 2011-02-24 (delicious)</title><description>Secuobs.com : 2011-02-25 09:25:32 - Anton Chuvakin Blog (Security Warrior) - ShackF00: Change we can believe in; 1 Raindrop: What you didn't see at RSA: Integration</description><link>http://www.secuobs.com/revue/news/287634.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/287634.shtml</guid></item>
<item><title>On Cloud Logging Standards, Unique IDs and Other Exciting Logging Matters</title><description>Secuobs.com : 2011-02-22 22:55:17 - Anton Chuvakin Blog (Security Warrior) - Two of my esteemed colleagues, Misha Govshtein of AlertLogic and Raffael Marty of Loggly, had a bit of an argument over something fairly central to logging and log management, especially as it applies to the coming cloud wave. Let's review what happened. In 2010, AlertLogic folks submitted an IETF draft of what they called "Syslog Extension for Cloud Using Syslog Structured Data". The draft is available here and the AlertLogic team's explanation of its mission and purpose can be found here and here (unfortunately in MP3 form). The draft reads as if they are proposing a new cloud log standard, since the very first sentence of the document is: "This document provides an open and extensible log format to be used by any cloud entity or cloud application to log and trace activities that occur in the cloud." Said draft has found its way to the CEE Editorial Board (via an IETF list message) and has caused some interest and, dare I say, unrest. And some disagreements. Raffael Marty of Loggly has published his position on the draft here. Further exchange of opinions can be seen in comments here, as well as heard in the hallways of the RSA 2011 conference.

What do I think of this? I think both of these renowned log literati are both right and wrong (at this point, somebody might say "Anton, you are such a consultant", and I am :)). Unquestionably, I believe that the idea of cloud logging having its very own special standard, completely disconnected from all other logs, is misguided. Being disconnected from both the rest of the logging domain and current log standardization efforts (like CEE, XDAS, etc.) only makes this idea more misguided. In essence, if you grab an example of a current bad application log, add "cloudiness" to it (more on this later) and then publish it as a "cloud log standard", you generate mostly hilarity and not value for the IT community. Logically, it goes like this:
1. Bad log + cloud ID = really bad cloud log
2. Really bad cloud log + public IETF draft = really bad, standard cloud log, exposed in public
3. Really bad standard log in the cloud EXPOSED in public = stupidity
4. Stupidity = funny blog posts from Anton, like, for example, this one
This just reminds me of Chris Hoff saying: "Cloud security suffers from the exact same siloed security telemetry problems as legacy operational models except now it does it at scale." In fact, here is an example from the draft: "Aug 16 13:34:18 context aid 149683FC-8DF5-1004-E1A8-00000A000152 provider example.com rid 1 123 transit client 17216182 User authentication successful for 1 123". Would YOU like to spend your mornings analyzing logs like this? If you expose such examples in a purported standard draft, future generations of log analysts will hate you with a passion.

However! I also happen to think that there are significant differences in logging at cloud computing platforms (whether SaaS, PaaS or IaaS) compared to BOTH traditional system logging AND distributed application logging. Cloud computing (as defined by NIST) has inherent multi-tenancy, elasticity, immediate provisioning and other fun properties not found in traditional applications and platforms, whether distributed or not. All of these happen to affect accountability, auditability and transparency (all the goals logs serve) in a number of big ways. Thus, cloud computing must change how logging is done, and it will change it. Specifically, adding a unique ID (an audit identifier which uniquely identifies an external request for activity) to logs serves a useful purpose. So, we must change logging for the cloud AND we must improve logging everywhere through standards work. It will result in GOOD, USEFUL LOGS that ALSO WORK WELL IN THE CLOUD. The caveat: we need it sooner than CEE is finished and adopted on a broad scale. The "CloudLog" effort contains useful ideas that need to be implemented in future logs produced by cloud framework components, but the method chosen (an uncooked IETF draft chock full of bad log examples) deserves mostly ridicule. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/286940.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/286940.shtml</guid></item>
<item><title>LogChat Podcast #5: Anton Chuvakin and Andrew Hay Talk Logs</title><description>Secuobs.com : 2011-02-15 00:29:07 - Anton Chuvakin Blog (Security Warrior) - LogChat Podcast is back again (sorry for a brief delay). Everybody knows that all this world needs is a podcast devoted to logs, logging and log management (as well as SIEM, incident response and other fun related subjects). And now you have it AGAIN with edition #5 - through the sheer combined genius of Andrew Hay and myself, Anton Chuvakin. Our topic today is scaling and sizing log management and SIEM: scalability, sizing, estimating log volumes, hard EPS limits (evil), scalability of the entire system vs component scalability, peak vs ongoing log rates, EPS, petabytes of logs, "log math", capacity planning, as well as how to "slap your vendor" (obviously, the quote is from Andrew, not myself :)) in regards to the scalability of their tools.

Some administrative items:
1. We plan for this to happen periodically, such as maybe every three weeks - recorded on Wednesday, posted on Thursday. However, due to our work schedules, irregularities occur all the time. If you have not seen or heard a new LogChat podcast for a few weeks, be aware that we are not dead, just busy taking over the world.
2. No, we are still not ready with transcribing and, yes, we still want it. I did try Amazon Mechanical Turk, but it didn't turn out to be as inexpensive as people claimed. If you have ideas for a good AND cheap transcribing service, we are all ears.
3. Please suggest topics to cover as well - even though we are not likely to run out of ideas for a few years.
4. Any other feedback is HUGELY useful. Is it too long? Too loud? Too rant-y? Too technical? Not enough jokes? Too few mentions of the "cloud"? Feedback please!

And now, in all its glory - the podcast: the link to the #5 MP3 is here (MP3), the RSS feed is here - it is also on iTunes now. Enjoy THE LogChat!

Possibly related posts: LogChat Podcast #1: Anton Chuvakin and Andrew Hay Talk Logs; LogChat Podcast #2: Anton Chuvakin and Andrew Hay Talk Logs; LogChat Podcast #3: Anton Chuvakin and Raffy Marty Talk Logs; LogChat Podcast #4: Anton Chuvakin and Andrew Hay Talk Logs. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/285213.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/285213.shtml</guid></item>
<item><title>Links for 2011-02-09 (delicious)</title><description>Secuobs.com : 2011-02-10 10:59:38 - Anton Chuvakin Blog (Security Warrior) - nCircle acquires security and compliance visualization vendor ClearPoint Metrics (The 451 Group)</description><link>http://www.secuobs.com/revue/news/284217.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/284217.shtml</guid></item>
<item><title>The Honeynet Project Releases New Tool: PhoneyC</title><description>Secuobs.com : 2011-02-09 13:14:15 - Anton Chuvakin Blog (Security Warrior) - As promised, I will be reposting some of the cool new announcements from The Honeynet Project here on my blog since I now serve as the Project's Chief PR Officer. Here is one more: a release of a new tool called PhoneyC, a virtual client honeypot.

PhoneyC is a virtual client honeypot, meaning it is not a real application (that can be compromised by attackers and then monitored for analysis of attacker behavior), but rather an emulated client, implemented in Python. The main thing it does is scour web pages looking for those that attack the browser. It can be run, for example, as: python phoneyc.py -v www.google.com. By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques. Download version 0.1 (the contained readme has installation instructions) here: phoneyc_v0_1_rev1631.tar.gz.

v0.1 feature highlights include:
- Interpretation of useful HTML tags for remote links (hrefs, imgs, etc.; iframes, frames, etc.)
- Interpretation of scripting languages: javascript (through spidermonkey), supporting deobfuscation and remote script sources
- ActiveX vulnerability "modules" for exploit detection
- Shellcode detection and analysis (through libemu)
- Heap spray detection

PhoneyC is hosted on http://code.google.com/p/phoneyc, from which the newest development version can be obtained via SVN. For any issues turn to the Google Group dedicated to the project: http://groups.google.com/group/phoneyc. Possibly related posts: The Honeynet Project Annual Conference (invite-only) and a Public Day in Paris, March 2011. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/283949.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/283949.shtml</guid></item>
<item><title>Test Your Mad Logging and Log Management Skills NOW!</title><description>Secuobs.com : 2011-02-07 14:23:35 - Anton Chuvakin Blog (Security Warrior) - Love those easy unscientific quizzes you see all over the Internet? Here is one such quiz on LOGGING and LOG MANAGEMENT that I created specially for LogManagementCentral. Go check what you really know about logs and figure out whether you are a mere bunny logger or a log management ninja. Result scales: Bunny logger (score of 10%); Eager log beaver (score of 20-40%); I know my way around logs (score of 50-70%); I changed my name to "Log Logger" (score of 80-90%); Log management ninja (score of 100.00% and nothing less). Don't be afraid: I did put a couple of tricky questions in there. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/283380.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/283380.shtml</guid></item>
<item><title>Proactive and Continuous Compliance: For Real?</title><description>Secuobs.com : 2011-02-03 21:47:19 - Anton Chuvakin Blog (Security Warrior) - At one of the first security conferences I ever attended (probably in 2001 or so), there was this vendor dude who would not stop rambling about continuous compliance. I listened to him and it suddenly dawned on me: what an awesome idea! Running a security-focused, ongoing, multi-regulation program that delivers value to business units and reduces risk: what's not to love here? However, over the years I've gotten more cynical on this matter (we all know our beloved security industry does this to people :)). As I said in my infamous "Top PCI DSS Security Marketing Annoyances": the "ongoing compliance" theme is awesome. Sadly, a majority of your customers (I was addressing security vendors in that post [A.C.]) don't do it like this (to their own loss; this is why it is sad). They still have the assessment-time rush, the pleasing-the-assessor approach and the checklist-oh-we-are-DONE mentality. If you want to sell continuous compliance, you need to educate them first. Despite such sentiment, I still love the idea of a continuous, proactive, cross-regulatory approach to compliance. The mere fact that most organizations don't do it like this should not discourage the education efforts to make this more common. In fact, some recent research indicates that maybe, just maybe, the tide is turning and organizations will start revolting against the "annual assessment rush", "audit mentality" and "audit done, see ya next year, security" themes. Even if very weak, there are other indicators that the value of running an ongoing compliance program with technical control assessment automation is growing more popular and newer tools may make it more real. The Verizon Breach 2010 report and Verizon PCI report also seem to indicate that compliance programs help security, while annual compliance audits only work to unearth negligence and incompetence. The drive to operationalize PCI DSS controls (example) and to stay compliant (example) also seems to be growing, at least among the larger merchants. One more example comes from the whole FISMA theater: NIST folks now are all about "continuous monitoring" for FISMA compliance (see this FAQ). In light of this, maybe the times of continuous, (more) automated compliance are upon us? It so happens that I'd be doing a SANS webcast to explore this topic on February 11. Join the conversation as well as the fight for useful and continuous compliance in service of security. Is continuous compliance a reality at your organization? Are you doing something 9, 6, 3 months before the annual PCI DSS assessment? Do you meet the auditor once a year? Or do you make an effort to stay compliant? About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/282835.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/282835.shtml</guid></item>
<item><title>Monthly Blog Round-Up   January 2011</title><description>Secuobs.com : 2011-02-02 16:08:00 - Anton Chuvakin Blog    Security Warrior  -    Blogs are  stateless  and people often pay attention only to what they see today Thus a lot of useful security reading material gets lost These monthly round-ups is my way of reminding people about interesting blog content If you are  too busy to read the blogs,  at least read these So, here is my next monthly  Security Warrior  blog round-up of top 5 popular posts topics this month 1 The hilarious  Top 10 Things Your Log Management Vendor Won't Tell You , written for LogManagementCentral, reign supreme this month  Read, laugh, weep log 2 My PCI DSS log review procedures that I created for a consulting client and started posting on the blog  sanitized, of course  took the top spot again  the first post  Complete PCI DSS Log Review Procedures, Part 1  and the whole series  PCI_Log_Review  are expected to be useful to most large organization under PCI DSS as well as other regulations 3 To my great excitement,  Today The Industry Is Changed  that announced the relaunch of Security Scoreboard, is one of the most popular posts this month This great project is taking off like a rocket   and will hopefully will make our industry better soon  4 Another LogManagementCentral special,  Bottom 11 Log Management  Worst Practices , is next on the top list Hate security  best practices  Check out the bottom worst practices instead  5 Oh wow  Yet another LogManagementCentral special,  11 Log Resolutions for 2011  takes the  5 spot this month Make  and stick to  these resolutions in your environment as well  6 Final, 6th of 5, Smile position is again held by my free log management tool list  On Free Log Management Tools  from my consulting site The original version was written as a companion to our  Log Review Checklist  that also sits on the top list this month Also, below I am thanking my top 3 referrers this month  those who are 
people, not organizations. So, thanks a lot to the following people whose blogs sent the most visitors to my blog: 1. Lenny Zeltser; 2. Kevin Riggins; 3. Dancho Danchev (who, BTW, is back). Also see my past annual Top Posts: 2007, 2008, 2009, 2010. Next, see you in February for the next monthly top list. Possibly related posts (past monthly popular blog round-ups): Monthly Blog Round-Up - December 2010; Monthly Blog Round-Up - November 2010; Monthly Blog Round-Up - October 2010; Monthly Blog Round-Up - September 2010; Monthly Blog Round-Up - August 2010; Monthly Blog Round-Up - July 2010; Monthly Blog Round-Up - June 2010; Monthly Blog Round-Up - May 2010; Monthly Blog Round-Up - April 2010; Monthly Blog Round-Up - March 2010; Monthly Blog Round-Up - February 2010; Monthly Blog Round-Up - January 2010; Monthly Blog Round-Up - December 2009; Monthly Blog Round-Up - November 2009; Monthly Blog Round-Up - October 2009; Monthly Blog Round-Up - September 2009; Monthly Blog Round-Up - August 2009; Monthly Blog Round-Up - July 2009; Monthly Blog Round-Up - June 2009; Monthly Blog Round-Up - May 2009; Monthly Blog Round-Up - April 2009; Monthly Blog Round-Up - March 2009; Monthly Blog Round-Up - February 2009; Monthly Blog Round-Up - January 2009; Monthly Blog Round-Up - December 2008; Monthly Blog Round-Up - November 2008; Monthly Blog Round-Up - October 2008; Monthly Blog Round-Up - September 2008; Monthly Blog Round-Up - August 2008; Monthly Blog Round-Up - July 2008; Monthly Blog Round-Up - June 2008; Monthly Blog Round-Up - May 2008; Monthly Blog Round-Up - April 2008; Monthly Blog Round-Up - March 2008; Monthly Blog Round-Up - February 2008; Monthly Blog Round-Up - January 2008; Monthly Blog Round-Up - December 2007; Monthly Blog Round-Up - November 2007; Monthly Blog Round-Up - October 2007; Monthly Blog Round-Up - September 2007; Monthly Blog Round-Up - August 2007. About me: http://www.chuvakin.org </description><link>http://www.secuobs.com/revue/news/282440.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/282440.shtml</guid></item>
<item><title>First-ever Honeynet Project Public Conference Paris 2011</title><description>Secuobs.com : 2011-02-01 21:35:34 - Anton Chuvakin Blog (Security Warrior) - It is with great pleasure I announce the first-ever Project Honeynet Public Conference, held alongside the traditional The Honeynet Project Annual Workshop. The event is held on March 21, 2011 in Paris. For those who just want to register now, go here. Date: 21 March 2011 (Monday), 8:30AM to 18:00 (GMT+1). Location: ESIEA Paris, 9 rue Vesale, 75005 Paris. Nearest subway station: Les Gobelins (line 7). About the event: The 2011 Honeynet Project Security Workshop brings together experts in the field of information security from around the world to share the latest advances and threats in information security research. Organized by the not-for-profit The Honeynet Project and co-sponsored by the ESIEA Engineering School, this full day workshop creates opportunities for networking, collaboration and lessons-learned, featuring a rare, outstanding line-up of international security professionals who will present on the latest research tools and findings in the field. This year's workshop will be held in Paris, France on 21 March 2011 and is the first time that the workshop has opened a day to the public. Starting at 9:00 GMT+1, the workshop program features a format that includes presentations in five sessions and two bonus hands-on activities. The bonus activities include a technically challenging capture-the-flag (CTF) session and a tough forensics challenge (FC) that will allow attendees to apply their expertise and compete for prizes. If you're looking to attend a high quality and challenging security workshop, then we encourage you to take advantage of this rare opportunity. Note: 1. Attendee limitation is 180. 2. Participants can bring their computer to play CTF and Forensics Challenges (FC). 3. Security workshop will be conducted in English. Full agenda is available here; some highlights are below. SESSION 2: Combating the Ever-Evolving Malware. 10:30-11:00: Efficient Analysis of Malicious Bytecode: Linespeed Shellcode Detection and Fast Sandboxing, Georg 'oxff' Wicherski (McAfee). 11:00-11:30: High-Performance Packet Sniffing, Tillmann Werner (Kaspersky Lab). 11:30-12:00: Reversing Android Malware, Mahmud Ab Rahman (MyCERT, CyberSecurity Malaysia). Enjoy the event! About me: http://www.chuvakin.org </description><link>http://www.secuobs.com/revue/news/282228.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/282228.shtml</guid></item>
<item><title>My Security Predictions for 2011</title><description>Secuobs.com : 2011-01-31 23:34:07 - Anton Chuvakin Blog    Security Warrior  -    Now that I have checked my 2010 predictions  see here  and  reflected and mused  on 2010  here , I am allowed to proceed to 2011 predictions Smile My past experience predicting shows that I am a cowardly, extrapolating predictor   and can get a lot of easy, obvious stuff right Great  I will do some of it now as well since there is nothing wrong with extrapolation and  Feynman prediction methodology   predicting that whatever is there now will stay the same in the future , but will try to be a bit more wild, like I was in my 2020   security predictions Also, I noticed I ve been a bit too verbose in the past, so this year I  d rather be brief  since I am busier  So    PCI DSS 20 marches on  this is the year when PCI DSS gets even BIGGER  if you can imagine it  And smaller too   more smaller business will  get  PCI Great news  On the not so good side of PCI, I predict that a few of  validated compliant  companies will be found abysmally non-compliant and insecure  after the breach or otherwise Maybe some QSA heads will roll as a result, especially those  remote-assessing   easy-graders  The challenges of compliance in non-traditional environments  virtual, cloud, mobile devices, non-traditional payment methods, etc  will rise to prominence as well   HIPAA teeth  yes, this is one of those things that people has been predicting since 1996  yes, really , but somehow I feel like this time   in 2011   HIPAA HITECH enforcement will be for real OK you can call me an idiot in a year, if I am wrong here   Application security   and application security monitoring  Gunnar paradox on firewalls SSL might finally start to break in 2011 I do predict that not just web application security, but also many internal  enterprise  application will get in scope for SIEM, correlation, near-real-time monitoring, etc And not just at  adventurous  
security leader companies, but more like in early mainstream   Still no mobile malware deluge  enough about this one Enough  Enough  For sure, there will be isolated  and possibly pretty bad  malware incidents, but not  Slammer for iPhone  or  Blaster for Android  in 2011 I suspect that PCs will still have more  money  and more holes and so this is what the bad guys will continue to steal   Mainstream security in the cloud  yes, Qualys and a few others have been doing it since 1999 and a few cloud security providers has been absorbed into large entities  latest, sort of , but I suspect that in 2011 we will see much more of   approach to security of   now in the cloud  BTW, I mean REALLY using SaaS PaaS IaaS cloud options and not  press-release cloud  like many do today    New  types of incidents  going on limb, I predict a few large  and very damaging  breaches, NOT involving regulated PII, but good old secrets Wikileaks mentality   cybercrime resources   a fun year    SIEM for dummies  OK, this is another risky one As you know, there is no leader in the SMB SME SIEM market and I am really looking for somebody to climb on that hill The world needs a penultimate  SIEM for dummies  As of today, SIEM is decidedly not At the very least I am predicting the arrival of  a log toaster  Smile   Security vendors  despite the silly 2007 predictions by RSA CEO, there will still be hundreds of security companies around However, some of the players will definitely feel like they overstayed market s welcome   eg some legacy SIEM vendors  and will either die or go firesale   Risk  management  every past year, I predicted that we will remain dazed and confused about how to apply risk to information security in an objective manner  objective, not necessarily quantitative  This year  drumroll  I am laying these dark thoughts to rest   at least for a while Maybe, just maybe, we are starting to see both data and approaches that will eventually give us something to work with And not 
just whine about it. Smile. Enjoy! Possibly related posts: My prediction tracker of people's 2011 predictions (www.delicious.com: anton18 security predictions 2011); My security 2010 predictions; My security 2020 predictions; All posts tagged prediction, going back to about 2007 or so. About me: http://www.chuvakin.org </description><link>http://www.secuobs.com/revue/news/281970.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/281970.shtml</guid></item>
<item><title>Bottom 11 Log Management "Worst Practices"</title><description>Secuobs.com : 2011-01-24 22:31:26 - Anton Chuvakin Blog (Security Warrior) - FYI, this piece has been especially created for LogManagementCentral (original post). It is reposted here for posterity. Many organizations talk about "best practices" for security, log management, SIEM, etc. The definition of such practice is often fuzzy (and overrun by marketing influences) but can be loosely related to what leaders in the field are doing today and what practices generally lead to great results. Following the same model, we can create a definition of a "worst practice": what the losers in the field are doing today; a practice that generally leads to disastrous results, despite its popularity. Here are some of the "worst practices" in the area of SIEM and log management that I have observed over the years: 1. Skipping the requirement definition stage of SIEM purchase is one of the worst, albeit common, practices one can take. It almost always leads to failed SIEM projects, unmet needs for customers as well as unjustified anger aimed at technology providers. "John said that we need a correlation engine" is not the way to define your requirements, by the way. 2. Postponing the environment sizing until the purchase is another generally disastrous practice. Even if you plan to eventually collect "everything", the initial implementation will only have a specific smaller set of data. Careful sizing of that initial phase by watching your logs for a week or two is very important. 3. Choosing by price alone has led to many wrong purchases, and not only in the realm of SIEM. SIEM and log management products are priced from $0 to a few hundred to millions, and there is usually a difference in both capability and scalability between tools with dramatically different prices. Remember that a tool can be 30% cheaper, but be "only" twice as bad. 4. "Saving time" by not checking references is another common bad
practice at purchase stage Your environment might be unique, but references is one of the few ways to know that the tool you re planning to purchase has the will of somebody else Skipping Proof-of-concept is even worse- that is your way to test a complex new tool in your environment  5 Expecting the vendor to tell you what you need to log happens more frequently than you might think Sadly, the only person who knows your needs and requirement for logging, log management and log monitoring is you   not the vendor If you don t know   then nobody does 6 SIEM implementation is often a very  political  affair and thinking you can do it alone without involving others from you organization is definitely the worst practices SIEM touches systems, network devices, possibly IdM systems and many other components   each with their own business owners and administrators These people and teams have to be involved in SIEM implementation  and there is no way around it Preparing the infrastructure is key for the deployment, even if you simply need to make sure that all log source systems has their time synchronized 7 Ignoring your legal team is a quick way to FAIL with SIEM, especially if your project covers log data from multiple countries Log data is covered by a conflicting laws and regulations and only your organization legal counsel can figure it out 8 Deploying everywhere at once and not in phases is a way to run out of budget, management patience and other resources Phased approach   both in terms of log source scope and SIEM capabilities  from simple to more advanced    is the only way to go Focus on  quick wins  in each phase 9 The interface is  intuitive  so who needs training  Avoiding training is not the way to save money on a SIEM tool SIEM and log management tools connect to many pieces of the infrastructure and applications The vendor or consultants might teach you how to resolve many of these challenges, based on their experience with other customers 10 Not checking 
for changed needs as your SIEM implementation expands is another way to fail. Even though your SIEM may have solved a few problems, it does not necessarily mean that it can solve every problem you have. Notice how some organizations deployed log management tools and then had to expand their deployments to full SIEM due to evolving needs. "We made the decision years ago, why fuss over it?" does not work for integration-heavy technologies like SIEM. 11. Finally, expecting immediate reduction in work after deploying a SIEM is unreasonable. Unless you deploy, customize and tune your system, it is likely that you will not see massive resource savings. SIEM is a great example of "to get value you have to work on it" rather than a magic box that "tells you what is wrong". What good or bad practices with SIEM and log management can you share? About me: http://www.chuvakin.org </description><link>http://www.secuobs.com/revue/news/280436.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/280436.shtml</guid></item>
<item><title>Links for 2011-01-20 (delicious)</title><description>Secuobs.com : 2011-01-21 10:02:31 - Anton Chuvakin Blog (Security Warrior) - What's not going to happen in 2011: Anti-Predictions (Fortinet Security Blog). </description><link>http://www.secuobs.com/revue/news/279843.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/279843.shtml</guid></item>
<item><title>Links for 2011-01-19 (delicious)</title><description>Secuobs.com : 2011-01-20 11:50:25 - Anton Chuvakin Blog (Security Warrior) - Splunk: Splunk Reports 2010 Revenue of $66 Million, 96% Annual Growth Rate. Splunk, the leading provider of operational intelligence software, today announced record results for the year ending December 31, 2010. For the full year, Splunk achieved revenues of $66 million, representing year-over-year growth of 96%. Splunk added over 900 new customers for the year, increasing the total to over 2,300 customers in 74 countries. </description><link>http://www.secuobs.com/revue/news/279534.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/279534.shtml</guid></item>
<item><title>Today The Industry Is Changed </title><description>Secuobs.com : 2011-01-20 00:17:48 - Anton Chuvakin Blog    Security Warrior  -    Don t I love overly dramatic headings  Smile Yup, I do Pretty much since the day Security Scoreboard launched, I was a MAJOR fan of the site and have always considered it  an industry-changing idea  that can solve the  1 problem in information security   no, not APT    inability to match solutions to security problems and rate what solutions actually solve those problems well The industry, as we all know, is full of crapware   from  PCI scans  for  041 per month to fake anti-spyware and  magic  appliances that  do security stuff  And now we have a powerful weapon to fight it  Today Security Scoreboard changes everything   again Specifically  Security Scoreboard has announced the appointment of security industry veteran Dominique Levin as Chief Executive Officer The site offering unbiased end-user reviews and ratings on security products also received an investment and moved its headquarters to the Silicon Valley Yes, you can still think of the site as  Yelp for Security Products    but also start thinking of it as  crowd-sourced and reality-based Gartner  In my opinion, there is NOTHING   that our industry needs more than clarity and Yes, even more than APT defense and easy-to-use SIEM Smile Lately, a lot of very smart folks have been bemoaning the state of the industry  example, example  and Security Scoreboard relaunch cannot have come at a better time Full press-release is pasted below  original    yes, I am that excited to do it  Security Scoreboard, which offers security product ratings and analytics based on real-world user experiences, announced that it has received an initial angel investment  Crowd-sourcing could significantly improve the validity and quality of the information available about commercial IT products , said Dana Gardner, president and principal analyst at Interarbor Solutions  As a consumer I can 
look at Angie's List, Rotten Tomatoes or TripAdvisor and it's crazy such thing doesn't exist for IT   Even if you have the time and money to test different solutions, it's always the details of real-life implementations that come to bite you , said Chris Sawall, Supervisor of Information Security at Ameren Corporation, a Fortune 500 company and one of the nation's largest investor-owned electric and gas utilities  You never know how technologies and solutions will really work until you have invested in them Security Scoreboard allows me to be better informed  At the time of the investment, the company also appointedDominique Levin as CEO Levin comes to Security Scoreboard from LogLogic Inc, a leader in security and log management solutions, where she served as Chief Marketing Officer and Acting CEO She was also previously VP Marketing at PoliVec, held positions at Nippon Telegraph and Telephone and Philips Consumer Electronics and generated over  630 million in shareholder value as a venture capital investor  The recent funding and the move to Silicon Valley will allow us to tap into engineering talent to accelerate our roadmap,  said Levin  Security Scoreboard recently introduced new analytics capabilities, which highlight top vendors by user ratings and present trends on site visits , said Dr Boaz Gelbord, President and co-founder of Security Scoreboard and himself a practicing security executive  We are looking to add more sophisticated analysis leveraging user generated data   The new analytics move Security Scoreboard in the direction from merely showing you what your peers are thinking to making true crowd-based recommendations about which vendor tools to use , said Jay Leek, Vice President of International Security at Equifax The company plans to raise additional venture funding later this year About Security Scoreboard  Security Scoreboard is a community generated review and rating site to help security practitioners and executives select the right 
information security solutions. Security Scoreboard is supported by an Advisory Group and User Council of industry leading CISOs, CIOs and security managers. The site leverages crowd sourced ratings and state of the art analytics to provide recommendations based on real life experiences of other customers. I am REALLY looking forward to the new era, and I do realize that it will take work! Possibly related posts: Security Scoreboard Out; Security Scoreboard Updated. About me: http://www.chuvakin.org </description><link>http://www.secuobs.com/revue/news/279437.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/279437.shtml</guid></item>
<item><title>11 Log Resolutions for 2011</title><description>Secuobs.com : 2011-01-17 22:04:45 - Anton Chuvakin Blog    Security Warrior  -    FYI, this piece has been specially created for LogManagementCentral  original post , an awesome site about logs, log management and SIEM It is reposted here for posterity So, behold 11 log resolutions for 2011  1 I will turn logging on the systems I manage  this resolution is about the very first step one must take to using log data for many purposes inside and outside of IT   actually having logs Start 2011 by committing to enabling logging across the systems you manage or oversee And, yes,  log everything  is not the answer in most environments  and as all oversimplifications, it is often downright silly   eg log every SELECT on a database will lead to your DBAs killin  ya Smile    further resolutions help with figuring out how to do it without killing your systems 2 I will create log policy  this resolution helps you to make a commitment to understanding what you need to log on each system and how to do it Logging policy starts from reviewing compliance requirements and other  use cases  for log data 3 I will check for when logging stops  one of the simplest ways to commit to having logging in 2011  and all years thereafter  is to commit to monitoring when logging stops Apart from being a violation of a few regulatory compliance mandates, termination of logging   whether due to an attacker all by mistake   is something you need to know right when it happens 4 I will use compliance intelligently  this resolution draws a line between being a checkbox-following  compliance monkey  and being convinced that  compliance is evil  Regulation such as PCI DSS contain not just motivation but also some useful advice on how to do logging right  some ideas  5 I will learn what the logs mean  committing to logs is not simply committing to having logs  you have to know what the log messages actually mean and what they are trying to tell 
you In 2011, make sure who that you seek to understand what your systems are trying to tell you in their logs and learn to tell routine messages from critical  system-busting   alerts 6 I will at least check logs for intrusions, system and account changes and major errors  one cannot make a resolution to analyze logs without starting small first   if you have to look for some will things first, at least commit to check your logs for intrusions, system and account changes and major errors  this checklist can help  7 I will review logs  generating, centralizing and storing logs is important These practices a bed of sensible and mandatory  prescribed by many regulatory mandates  However, main log value lies in interpreting, understanding and then acting upon the information present in the logs You cannot commit to logging excellence without committing to log review   using automated tools  lots of ideas on log review  8 I will make sure that I have logs preserved after an incident  leads rarely matter more than in a hectic post-incident environment where every bit of data can help understand the origin and impact of the intrusion Commit to using logs for incident response in 2011   useful tips on that  9 I will train my developers to create useful logs  making   and keeping -a resolution to collect and review logs is impossible if logs do not exist   as it is often the case for your custom applications In order to gain benefits of logging in such case, you must make a resolution to train your application developers to create useful logs inside their applications Use emerging standards such as CEE to guide them towards proper logging practices 10 I will stop complaining about how bad logging is at most organizations  everybody starts somewhere, and many organizations start from a truly abysmal state in regards to logging Start logging   and stop complaining Go from log ignorance to near-real-time log enlightenment using a process similar to this 11 Finally, I WILL 
REMEMBER THESE RESOLUTIONS FOR THE ENTIRE YEAR: unlike some security technologies, logging, log review and log monitoring is a lifetime commitment. To get something useful out of log data, you have to log and review data all the time. Any other logging resolutions you are making for 2011? About me: http://www.chuvakin.org </description><link>http://www.secuobs.com/revue/news/278774.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/278774.shtml</guid></item>
<item><title>Links for 2011-01-13  delicious </title><description>Secuobs.com : 2011-01-14 10:30:27 - Anton Chuvakin Blog    Security Warrior  -        Eugene Kaspersky  The man, the myth, the maverick  IT PRO Kaspersky believes, as others do, that this is a turning point in the history of industry, perhaps even the world Attacks will now affect the physical world rather than just the noncorporeal one, hitting transportation, manufacturers, power plants and more   Post  Are You Sacrificing Security for ROI    Regulation renovation  Regulatory compliance mandates - Inform  Some health care organizations remembered that HIPAA exists and started doing a little bit more,  says Anton Chuvakin, a computer security specialist and principal at Security Warrior Consulting  I've not seen a tidal wave of compliance as a result of HITECH    The Heaths Say Consumers Must Feel a Deep Felt Need  Fast Company If entrepreneurs want to succeed, as venture capitalists like to say, they'd better be selling aspirin rather than vitamins Vitamins are nice  they're healthy But aspirin cures your pain  it's not a nice-to-have, it's a must-have   Log management basics - CSO Online - Security and Risk   Rainer's Blog  CEE library will be named libee   PCI Compliance  Tradeoffs, Newton s Laws, Data Breach Rules  Chaordic Mind   Top 10 Reasons for Weak Product   1 Raindrop  Reconcile This   Outgunned  How Security Tech Is Failing Us -- InformationWeek Walking into the CEO's office and saying that the products you've spent a small fortune on are effective only at stopping novices and for checking off compliance forms  That takes more intestinal fortitude than most can muster But now, finally, undeniable evidence of security tech failures is starting to surface   SANS - Computer Forensics and Incident Response with Rob Lee   You've Been Breached  Now What  -- InformationWeek   Cisco Blog   Blog Archive   Netflow for Incident Response   telematica - Blog - The 451 Group considers enterprise 
security - the legacy of 2010 for 2011; 2011: The Death of Security As We Know IT or Operationalizing Security (Amrit Williams Blog). </description><link>http://www.secuobs.com/revue/news/278212.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/278212.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 18 FINAL</title><description>Secuobs.com : 2011-01-12 21:48:49 - Anton Chuvakin Blog    Security Warrior  -    Once upon a time, I was retained to create a comprehensive PCI DSS-focused log review policies, procedures and practices for a large company They are focused on PCI DSS compliance, but based on generally useful log review practices that can be utilized by everybody and with any regulation or without any compliance flavor at all The practices can be implemented with commercial log management or SIEM tools, open source log analysis tools or manually As you well know, tools alone don t make anybody compliant  This is the FINAL, 18th post in the long, long series  part 1, part 2, part 3   all parts  A few tips on how you can use it in your organization can be found in Part 1 You can also retain me to customize or adapt it to your needs And so we end our Complete PCI DSS Log Review Procedures Please start reading from Part 1   at this stage we are deep in the details and these sections might seem out of context without reading earlier parts  References The following references are useful for PCI DSS log review program and log management in general  SANS CAG CSC  Twenty Critical Security Controls for Effective Cyber Defense  Consensus Audit Guidelines  http wwwsansorg critical-security-controls  Specifically, the relevant control on audit logs is shown below   Critical Control 6  Maintenance, Monitoring, and Analysis of Audit Logs  NIST 800-92 Logging Guide  Guide to Computer Security Log Management  Recommendations of the National Institute of Standards and Technology by Karen Kent and Murugiah Souppaya  http csrcnistgov publications nistpubs 800-92 SP800-92pdf NIST 800-66 HIPAA Guide  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act  HIPAA  Security Rule   http csrcnistgov publications nistpubs 800-66-Rev1 SP-800-66-Revision1pdf Appendix A 
Recommended Logbook Format. Logbook entry: 1. Date, time and time zone this logbook entry was started. 2. Name and role of the person starting the logbook entry. 3. Reason it is started: the log exception (copied from the log aggregation tool or from the original log file; make sure that the entire log record is copied, especially its time stamp, which is likely to be different from the time of this entry, and the system from which it came: what, when, where, etc.). 4. Details on why the log is not routine and why this analysis is undertaken. 5. Information about the system that produced the exception log record or the one this log exception is about: a. Hostname; b. OS; c. Application name; d. IP address(es); e. Location; f. Ownership (if known); g. System criticality (if defined and applicable); h. Whether it is under patch management, change management, FIM, etc. 6. Information about the user whose activity produced the log (if applicable). 7. Investigation procedure followed, tools used, screenshots, etc. 8. Investigative actions taken. 9. People contacted in the course of the log analysis. 10. Impact determined during the course of the analysis. 11. Recommendations for actions and mitigations (if needed). Follow PCI_Log_Review to see all posts. Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review. About me: http://www.chuvakin.org </description><link>http://www.secuobs.com/revue/news/277830.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/277830.shtml</guid></item>
<item><title>Top 10 Things Your Log Management Vendor Won't Tell You</title><description>Secuobs.com : 2011-01-12 09:20:56 - Anton Chuvakin Blog (Security Warrior) - FYI, this piece has been specially created for LogManagementCentral (original post), an awesome resource for all logging things. It is reposted here for posterity.

While many people have seen "10 things that your chef, real-estate agent, wedding planner or pilot won't tell you", the world has not yet seen "Top 10 things your log management vendor won't tell you". Finally, this gap is now closed.

1. "We talk analytics, but really, most of our customers use us for collection only." While some products within SIEM and log management offer advanced analytics features, many of their customers are not truly ready for them. They need to start dealing with the basics (logging, log collection, log review) before delving into advanced areas. Buying a product based on features you won't use is a mistake. For example, see "Log Management Before SIEM".

2. "Our tool won't make you PCI compliant. You'd have to do A LOT of things yourself, every day, to get and maintain compliance." Sadly, many security solutions (and SIEM/log management are no exception) are sometimes sold as "compliance in a box". You need to be aware that to stay PCI compliant you need to do more than purchase tools. For example, see "How to Stay PCI Compliant".

3. "No, you cannot buy an entire SOC in this small box." Just as with compliance, you cannot buy an entire Security Operations Center in a box, big or small. However, some will try to sell you their SIEM as "SOC-in-a-box". Running an effective SOC includes multiple processes and procedures which are just as necessary as a market-leading SIEM tool.

4. "We are cloud-ready, because... mmmmm... well, we are ready for it." Many vendors will tell you that their tools are cloud-ready without really thinking about what they mean. Effectively monitoring traditional and multi-tenant cloud environments distributed across regions and countries requires more than updated marketing materials. You need to carefully test the tool in your own hybrid environment before concluding that it is "cloud ready".

5. "Our SIEM is really just a renamed log management tool. But that's all you probably need." The confusion around SIEM and log management functionality rages on; it also allows some tools to be sold as SIEM without having any critical SIEM functionality such as correlation and real-time dashboards. Even though it might be all many customers need, it does not make such a tool a SIEM tool. For additional reading, see this whitepaper.

6. "We can do everything with logs, but it might require some SMALL customizations. Our PS team is standing by." More than a few SIEM vendors will promise support for every possible log, including logs they have never seen. However, fully integrating a new log source for reporting, correlation and visualization will always take work and cannot be taken for granted.

7. "If you make a mistake with capacity planning, we'd be happy to sell you more log management than you really need." Many organizations have trouble estimating how much log data will be coming into their SIEM or log management tools. Both underestimating and overestimating are common. It is recommended that you spend about a week measuring log volumes across the systems that will be reporting to a SIEM.

8. "We think our tool is scalable, but we don't really have production customers of your size. Our engineers believe that it might work." Scalability claims are cheap and are often made by SIEM and log management vendors. However, the only real proof that the tool will scale to your requirements is testing the tool in your environment. Thus, you should insist on performance testing during the pilot if there are any doubts.

9. "Our tool offers predictive security intelligence. No, we don't know what it means either, and we can't really predict it." SIEM is one of the most over-hyped and over-marketed security technologies out there. The only way to get the tool that satisfies your requirements is to carefully spell out those requirements and then test the tool yourself.

10. "We estimate our performance using really small log message sizes." Yes, our tools can do a million messages an instant, but these are our special messages that we create in the lab. Nowadays, application logs and the proliferation of XML-based logging have pushed message sizes up to 1 KB or more, from the traditional 200-byte logs from firewalls. Thus, you need to be wary of performance estimates based on such artificially short logs.

So what is your vendor NOT tellin' ya?</description><link>http://www.secuobs.com/revue/news/277669.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/277669.shtml</guid></item>
<item><title>Links for 2011-01-10 (delicious)</title><description>Secuobs.com : 2011-01-11 11:08:08 - Anton Chuvakin Blog (Security Warrior) -
- 2010 Year in Review (Silver Tail Blog)
- Security Forecasts for 2011 - David Lacey's IT Security Blog
- Cyber Security Predictions for 2011 (Part II)</description><link>http://www.secuobs.com/revue/news/277340.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/277340.shtml</guid></item>
<item><title>Book Review: Security Information and Event Management (SIEM) Implementation</title><description>Secuobs.com : 2011-01-11 00:25:28 - Anton Chuvakin Blog (Security Warrior) - Here is my review of "Security Information and Event Management (SIEM) Implementation" by David Miller, Shon Harris, Allen Harper, Stephen VanDyke and Chris Blask. It has just been published to Amazon as 4 stars out of 5.

I was looking forward to reading this book for a few months, pretty much since the time I heard that it was being written. Obviously, I was very excited when it arrived in my mailbox. Now that I am done reading it, I can say it left a mixed impression. Mostly positive, but still mixed. I definitely enjoyed reading it, despite (or maybe due to) the fact that I've been involved with SIEM for nearly 10 years. Let me first go through all the chapters and then give my overall impression.

The book is organized in three big parts: "introduction to SIEM (threat intelligence for IT systems)", "IT threat intelligence using SIEM systems" and "SIEM tools".

Chapter 1 covers security basics with minimal connection to SIEM. It is mostly that over-simplified refresher of what information security is about.

Chapter 2 can be summarized using a quote from the chapter itself: "the bad things that could happen". It contains another refresher on attacks, somewhat jumbled and somewhat dated. We're not really touching SIEM yet at this point.

Chapter 3 has an author's view of regulatory compliance; the usual suspects are mentioned: PCI DSS, HIPAA, FISMA, SB1386, SOX, GLBA, etc. HIPAA is not misspelled, which counts as good news :)

Chapter 4 has a bizarre name: "SIEM concepts: components for small and medium-sized businesses". It contains an overview of SIEM with little focus on SMB. It is mildly confusing; for example, it calls LogRhythm "a commercial syslog server". It contains a few outright mistakes as well, like a mention of one log management vendor whose application reportedly covers "all 228 PCI controls". The chapter tries to talk about everything (yes, even GRC) and makes a very weak impression.

Chapter 5 looks like a twin of the previous chapter. It also contains an overview of SIEM, but a different one; a better one, in fact. These two chapters don't contradict each other much, but their joint presence in the book is mysterious and somewhat confusing.

Chapter 6 is a sudden break from SIEM into incident response. It does contain a few useful (but high-level) flow charts for incident response. I doubt that it was written by somebody who did much incident response, however.

Chapter 7 is both a curse and a blessing. I loved the ideas in the chapter (using SIEM for BI), but I hated the fact that its author didn't even bother to check what the "SIEM" abbreviation stands for (see page 116).

Chapter 8 and Chapter 9 are about OSSIM/AlienVault. Of all the SIEM product chapters below, these are the weakest and the least useful. They offer little practical guidance and miss (yes, really) most of the details you'd need to know before deploying OSSIM in production. I was especially annoyed by the "screenshot, three lines of text, screenshot, three lines of text" model that most of Ch. 8 and Ch. 9 follow. It makes pages 152-166 just wasted paper. Ch. 9 tries to be a bit more useful (it has two case studies), but collapses under the load of too many screenshots as well.

Chapter 10 and Chapter 11 talk about Cisco MARS. Since nobody cares about MARS anymore, I won't be reviewing them here.

Chapter 12 and Chapter 13 cover the Q1Labs SIEM. Unlike the above, these are actually useful for practical architecture planning of QRadar deployments. These chapters also contain useful SIEM insights; still, even these could benefit from more real-world tuning tips. The case study in Ch. 13 is useful as well. If you are thinking of getting a Q1Labs SIEM, grab the book to quickly review what you will encounter when you get the product.

Finally, Chapter 14 and Chapter 15 cover ArcSight SIEM. Despite minor mistakes and a "vendor whitepaper feel", the chapters would be handy for people in the early stages of selecting, reviewing and deploying ArcSight SIEM. The chapters suffer a bit from trying to duplicate the product help: you're more likely to learn how to patch ArcSight than how to use it well. Sadly, no case studies are included in these chapters.

Overall, the book has unfortunate signs of being written by a team of authors who didn't talk to each other. Despite the promises of implementation guidance, it leaves some of the very complex SIEM issues untouched, and even unmentioned. Very few case studies (some good ones are stashed in the appendix for some weird reason) and few tips and tricks for real-world SIEM implementation. Also, it is much stronger on the "what" than on the "how". Still, I suggest that people buying, using and building SIEM products get their own copy and read at least a few chapters relevant to them. You will likely not be disappointed.</description><link>http://www.secuobs.com/revue/news/277240.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/277240.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 17</title><description>Secuobs.com : 2011-01-10 22:43:00 - Anton Chuvakin Blog (Security Warrior) - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. They are focused on PCI DSS compliance, but based on generally useful log review practices that can be utilized by everybody, with any regulation or without any compliance flavor at all. The practices can be implemented with commercial log management or SIEM tools, open source log analysis tools or manually. As you undoubtedly know, tools alone don't make anybody compliant.

This is the 17th, one before last, post in the long series of 18 posts (part 1, part 2, part 3, all parts); this is a very important part as it contains the summary of key periodic operational procedures. Please consider reading from Part 1: at this stage we are deep in the details and these sections might seem out of context without reading earlier parts. A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs.

And so we continue with our Complete PCI DSS Log Review Procedures.

Periodic Operational Task Summary

The following chapter contains a summary of operational tasks related to logging and log review. Some of the tasks are described in detail in the document above; others are auxiliary tasks needed for successful implementation of a PCI DSS log review program.

Daily Tasks

The table below contains daily tasks, the responsible role that performs them, as well as what record or evidence is created of their execution.

1. Task: Review all the types of logs produced over the last day as described in the daily log review procedures. Responsible role: Security administrator, security analyst, (if authorized) application administrator. Evidence: Record of reports being run on a log management tool.
2. Task: (As needed) investigate the anomalous log entries as described in the investigative procedures. Responsible role: Security administrator, security analyst, (if authorized) application administrator. Evidence: Recorded logbook entries for investigated events.
3. Task: (As needed) take actions to mitigate, remediate or reconcile the results of the investigations. Responsible role: Security administrator, security analyst, (if authorized) application administrator, other parties. Evidence: Recorded logbook entries for investigated events and actions taken.
4. Task: Verify that logging is taking place across all in-scope applications. Responsible role: Application administrator. Evidence: Create a spreadsheet to record such activities for future assessment.
5. Task: (As needed) enable logging if disabled or stopped. Responsible role: Application administrator. Evidence: Create a spreadsheet to record such activities for future assessment.

Weekly Tasks

The table below contains weekly tasks, the responsible role that performs them, as well as what record or evidence is created of their execution.

1. Task: (If approved by a QSA) Review all the types of logs produced on less critical applications over the last day as described in the daily log review procedures. Responsible party: Security administrator, security analyst, (if authorized) application administrator. Evidence: Record of reports being run on a log management tool; record of QSA approval for less frequent log reviews and the reasons for such approval.
2. Task: (As needed) investigate the anomalous log entries as described in the investigative procedures. Responsible party: Security administrator, security analyst, (if authorized) application administrator. Evidence: Recorded logbook entries for investigated events.
3. Task: (As needed) take actions to mitigate, remediate or reconcile the results of the investigations. Responsible party: Security administrator, security analyst, (if authorized) application administrator, other parties. Evidence: Recorded logbook entries for investigated events and actions taken.

Monthly Tasks

The table below contains monthly tasks, the responsible role that performs them, as well as what record or evidence is created of their execution.

1. Task: Prepare a report on investigated log entries. Responsible party: Security analyst, security manager. Evidence: Prepared report (to be filed).
2. Task: Report on observed log message types. Responsible party: Security analyst, security manager. Evidence: Prepared report (to be filed).
3. Task: Report on observed NEW log message types. Responsible party: Security analyst, security manager. Evidence: Prepared report (to be filed).
4. Task: (If approved by a QSA) Review all the types of logs produced on non-critical applications over the last day as described in the daily log review procedures. Responsible party: Security administrator, security analyst, (if authorized) application administrator. Evidence: Record of reports being run on a log management tool; record of QSA approval for less frequent log reviews and the reasons for such approval.
5. Task: (As needed) investigate the anomalous log entries as described in the investigative procedures. Responsible party: Security administrator, security analyst, (if authorized) application administrator. Evidence: Recorded logbook entries for investigated events.
6. Task: (As needed) take actions to mitigate, remediate or reconcile the results of the investigations. Responsible party: Security administrator, security analyst, (if authorized) application administrator, other parties. Evidence: Recorded logbook entries for investigated events and actions taken.

Quarterly Tasks

The table below contains quarterly tasks, who performs them, as well as what record or evidence is created of their execution.

1. Task: Verify that all the systems in scope for PCI are logging and that logs are being reviewed. Responsible party: Security analyst, security manager. Evidence: Recorded logbook entries for review and exception follow-up.
2. Task: Review daily log review procedures. Responsible party: Security analyst, security manager. Evidence: Updates to logging procedures (change log).
3. Task: Review log investigation procedures. Responsible party: Security analyst, security manager. Evidence: Updates to logging procedures (change log).
4. Task: Review collected compliance evidence. Responsible party: Security analyst, security manager. Evidence: Compliance evidence (evidence review log).
5. Task: Review compliance evidence collection procedures. Responsible party: Security analyst, security manager. Evidence: Updates to procedures (change log).

Annual Tasks

The table below contains annual tasks, who performs them, as well as what record or evidence is created of their execution.

1. Task: Review logging and log review policy. Responsible party: CSO. Evidence: Policy changes (change log), policy review meeting minutes.
2. Task: Review compliance evidence before the QSA assessment. Responsible party: PCI DSS compliance project owner. Evidence: Meeting minutes or other record.
3. Task: Live tests with anomalies. Responsible party: As needed. Evidence: Logs or other records of such tests.

To be continued.

Follow PCI_Log_Review to see all posts.
Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review.</description><link>http://www.secuobs.com/revue/news/277205.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/277205.shtml</guid></item>
<item><title>Links for 2011-01-07 (delicious)</title><description>Secuobs.com : 2011-01-08 11:26:39 - Anton Chuvakin Blog (Security Warrior) -
- Internet Security Predictions for 2011: The Shape of Things to Come (Symantec Connect)
- Information Security Predictions 2011 - Security Blog - InformationWeek
- Five Security Predictions for 2011 - Websense Insights
- Privacy, Hacktivists, Insider Threats: Security Predictions for 2011 - Security - News and Reviews - eWeek.com
- 10 Security Predictions for 2011 from Imperva
- My Security Predictions for 2011 (OSS Ramblings)
- 2011: The year self-evident security predictions die
- Unisys security predictions for 2011
- More censorship, data breaches and devices: Security predictions for 2011
- HPSWSC - Fearless Security Predictions for 2011 - HP Software Solutions Community online forum
- 2011 Security Predictions (WatchGuard Technologies)</description><link>http://www.secuobs.com/revue/news/276801.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/276801.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 16</title><description>Secuobs.com : 2011-01-07 21:58:59 - Anton Chuvakin Blog (Security Warrior) - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. They are focused on PCI DSS compliance, but based on generally useful log review practices that can be utilized by everybody, with any regulation or without any compliance flavor at all. The practices can be implemented with commercial log management or SIEM tools, open source log analysis tools or manually. As you undoubtedly know, tools alone don't make anybody compliant.

This is the 16th post in the long series that is nearing the end (part 1, part 2, part 3, all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs.

And so we continue with our Complete PCI DSS Log Review Procedures; please consider reading from Part 1: at this stage we are deep in the details and these sections might seem out of context without reading earlier parts.

Management Reporting

In addition to compliance evidence, validation activities can be used to report the success of a log management program, processes and procedures to senior management. The data accumulated in the above sections as proof of organization-wide PCI DSS compliance can also be used for management reporting. Specifically, the following are useful reports that can be produced from the data:

- Presence and adequacy of logging
  o Percentage of all systems / regulated data systems covered by logging (the latter should be 100%)
- Presence of defined log review processes and their implementation
  o Log policy and procedure changes
  o Applications under log review
  o Log entries reviewed
- Exception handling process and its implementation
  o Log exceptions handled by type, analyst name, etc.
  o Exceptions escalated to incident response
  o (if relevant) Risk reduced due to timely escalation or incident prevention
  o Resources saved due to timely escalation or incident prevention
  o Application performance improvement due to log review
- Other log management program reporting
  o Overall compliance readiness (PCI DSS and other)

Finally, let's summarize all periodic operational tasks the organization should be executing in connection with log review.

To be continued.

Follow PCI_Log_Review to see all posts.
Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review.</description><link>http://www.secuobs.com/revue/news/276667.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/276667.shtml</guid></item>
<item><title>SANS SEC434 Log Management Class is Back Jan 27-28, 2011 in Sacramento, CA</title><description>Secuobs.com : 2011-01-06 20:36:43 - Anton Chuvakin Blog (Security Warrior) - We are doing ONE LAST BETA for my log management class (1/2 price) in Sacramento again. Info and where to sign up are below.

Class name: Log Management In-Depth: Compliance, Security, Forensics, and Troubleshooting
Class dates: Thursday, January 27, 2011 - Friday, January 28, 2011 (Day 1: 9:00am - 5:00pm; Day 2: 9:00am - 12:00pm)
Class location: CalPERS, 400 Q Street, East Building, Room 1733, Sacramento, CA 95811

Class description (source): This first-ever dedicated log management class teaches system, network, and security logs, their analysis and management, and covers the complete lifecycle of dealing with logs: the whys, hows and whats. You will learn how to enable logging and then how to deal with the resulting data deluge by managing data retention, analyzing data using search, filtering and correlation, as well as how to apply what you learned to key business and security problems. The class also teaches applications of logging to forensics, incident response and regulatory compliance.

In the beginning, you will learn what to do with various log types and get brief configuration guidance for common information systems. Next, you will learn a phased approach to implementing a company-wide log management program, and go into specific log-related tasks that need to be done on a daily, weekly, and monthly basis in regards to log review and monitoring.

Everyone is looking for a path through the PCI DSS and other regulatory compliance maze, and that is what you will learn in the next section of the course. Logs are essential for resolving compliance challenges; this class will teach you what you need to concentrate on and how to make your log management compliance-friendly. And people who are already using log management for compliance will learn how to expand the benefits of their log management tools beyond compliance.

You will learn to leverage logs for critical tasks related to incident response, forensics, and operational monitoring. Logs provide one of the key information sources while responding to an incident, and this class will teach you how to utilize various log types in the frenzy of an incident investigation.

Finally, the class author, Dr. Anton Chuvakin, probably has more experience in the application of logs to IT and IT security than anyone else in the industry. This means he and the other instructors chosen to teach this course have made a lot of mistakes along the way. You can save yourself a lot of pain and your organization a lot of money by learning about the common mistakes people make working with logs.

Class is beta: SANS gives you a 50% discount and you provide detailed feedback. This is a special beta course whose materials are still being fine-tuned. We are offering it at a discount at this event in exchange for the students' detailed feedback, which will help us improve and finalize the course's content and exercises.

Note this laptop requirement (no MacOS, no VMWare): A laptop with Windows XP or later, or a recent Linux operating system installed, which can unzip/gunzip compressed files; a CD/DVD drive is required. MacOS is not acceptable.

Sign up please; the class already has enough people, which suggests that it will not be cancelled, like the last one in LA.</description><link>http://www.secuobs.com/revue/news/276356.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/276356.shtml</guid></item>
<item><title>Links for 2011-01-05 (delicious)</title><description>Secuobs.com : 2011-01-06 10:27:40 - Anton Chuvakin Blog (Security Warrior) -
- Dell (NASDAQ: DELL) Buys SecureWorks</description><link>http://www.secuobs.com/revue/news/276205.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/276205.shtml</guid></item>
<item><title>JOB: SIEM Architect at RSA</title><description>Secuobs.com : 2011-01-06 00:07:22 - Anton Chuvakin Blog (Security Warrior) - As a favor to yet another friend, I am posting yet another SIEM-related job. IMHO, it is an ideal position for a good architect looking to jump ship from a failing or "non-performing" SIEM vendor.

"The RSA Security's fast-growing Security Management group is looking for the best technical minds to develop the next generation of Security Information and Event Management (SIEM) software. We are building a great organization with talented employees with the highest ethical and professional standards who deliver a portfolio of products to enable our customers to protect their information assets. The ideal candidate will have broad knowledge of IT security with proven ability to architect and build complex enterprise systems. You must enjoy working in a rapidly-changing, high-pressure environment spanning multiple geo locations. As a lead architect, you will exert significant influence over the technical strategy and the architectural definition of the next generation of RSA's Security Management products. Practical experience in one of the following areas is required: large-scale database systems, real-time design, network monitoring and analysis. This position is full-time, based in Bedford, MA. If you are interested in joining the Security Management group in RSA, please send your inquiry or resume to Lauren Day at laurenday@emc.com or 978-686-2234."

... and somebody now owes me beer at RSA :)

Possibly related posts: SIEM-related Job: Principal SIEM Consultant; SIEM-related Product Management Job (Atlanta, GA); All job posts on my blog.</description><link>http://www.secuobs.com/revue/news/276127.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/276127.shtml</guid></item>
<item><title>Annual Blog Round-Up: 2010</title><description>Secuobs.com : 2011-01-04 19:49:52 - Anton Chuvakin Blog (Security Warrior) - If monthly, why not an annual blog round-up? These are my top popular "Security Warrior" blog posts for the entire 2010. This list covers the posts most popular in 2010, not necessarily only those written in 2010. So, the list:

1. "Simple Log Review Checklist Released" made BY FAR the biggest splash last year. The checklist, a list of critical things to look for while reviewing system, network and security logs when responding to a security incident, now has a dedicated page (securitywarriorconsulting.com/logchecklist) and you can grab an updated version there.

2. The checklist has a companion tool list of popular free open-source log management and log analysis tools, which is also on the top list for 2010. It was posted to my blog ("On Free Log Management Tools") as well as to a dedicated page (securitywarriorconsulting.com/logtools).

3. "On Choosing SIEM" is next in my top post chart. It helps to determine "What is the least wrong way" of choosing a SIEM or log management product which will actually get used in real life (sadly, people seem unwilling to use the right way for a set of reasons).

4. A carryover from last year, the quest for open source SIEM continues. In fact, a few top posts on my blog in 2010 (as well as 2009) resulted from search queries for "open source SIEM" and now "open source log management". They are: "Why No Open Source SIEM, EVER?", "On Open Source in SIEM and Log Management" and "Short Observation on Open Source SIEM".

5. "Updated With Community Feedback SANS Top 7 Essential Log Reports DRAFT2", "SANS Top 5 Essential Log Reports Update" and their predecessor "Top5 SANS Log Reports Update DRAFT" also show up close to the top. Now that I have a bit more time, I will finally finish the write-up and submit it to SANS for distribution; look for the final version in January 2011.

6. "The Myth of SIEM as 'An Analyst-in-the-box' or How NOT to Pick a SIEM-II", with 7 reasons why SIEM is NOT "an analyst in the box" and never can be. "SOC in the box"? Bua-ha-ha-ha, come on, let's be reasonable here.

7. "My Best PCI DSS Presentation EVER" covers my keynote experience at PCI DSS Workshop 2010 by the Treasury Institute for Higher Education (the other keynote being Bob Russo, naturally); the presentation is embedded in the post.

8. "How Do I Get The Best SIEM?" is another SIEM selection advice post that made the top chart. It sure seems like 2010 was a year when a lot of organizations were looking for SIEM tools.

9. "I Want to Buy Correlation" or How NOT to Pick a SIEM: guess what it is about? Yup, selecting a SIEM tool.

10. It is amazing that something posted in November made the "year's best" list. Still, "Complete PCI DSS Log Review Procedures, Part 1" and the whole series (which will be completed in early 2011) is among the most read posts for the entire 2010.

See you in December 2011 when I will post the next annual blog round-up (see my previous annual "Top Posts" for 2007 and 2008, and the monthly top posts below).

Possibly related posts (past monthly popular blog round-ups): Monthly Blog Round-Up for December 2010, November 2010, October 2010, September 2010, August 2010, July 2010, June 2010, May 2010, April 2010, March 2010, February 2010, January 2010, December 2009, November 2009, October 2009, September 2009, August 2009, July 2009, June 2009, May 2009, April 2009, March 2009, February 2009, January 2009, December 2008, November 2008, October 2008, September 2008, August 2008, July 2008, June 2008, May 2008, April 2008, March 2008, February 2008, January 2008, December 2007, November 2007, October 2007, September 2007, August 2007.</description><link>http://www.secuobs.com/revue/news/275744.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/275744.shtml</guid></item>
<item><title>Links for 2010-12-31 (delicious)</title><description>Secuobs.com : 2011-01-01 09:55:44 - Anton Chuvakin Blog (Security Warrior) -
- Security and Risk Management Strategies Blog: Open Question from McAfee Focus 09 Security Conference
- Innovator's Crisis - fudsec.com
- Securosis Blog: FireStarter: In Search of... Solutions
- Why is GRC important? (Norman Marks on Governance, Risk Management, and Internal Audit)
- TaoSecurity: Privacy vs. Security, or Privacy AND Security. "The result is that customer and enterprise data is at greater risk thanks to 'privacy laws'."
- Securosis Blog: Thoughts on Privacy and Security. "Without perfect security there cannot be complete privacy, and there is no such thing as perfect security. Privacy isn't dead, but it is most definitely changing in ways we cannot fully predict."
- The Real Deal on Chip and PIN (EMV) in the US (Chaordic Mind). "Companies that adopt Chip/PIN will still need to comply with the PCI DSS."
- Top 5 Reasons Why Traditional Managed Security Services Will Fail in the Cloud. "Cloud and MSSP architecture and delivery models are like oil and water. They just don't mix."</description><link>http://www.secuobs.com/revue/news/275190.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/275190.shtml</guid></item>
<item><title>Monthly Blog Round-Up: December 2010</title><description>Secuobs.com : 2011-01-01 09:55:44 - Anton Chuvakin Blog (Security Warrior) - Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting blog content. If you are "too busy to read the blogs", at least read these.

So, here is my next monthly "Security Warrior" blog round-up of the top 5 popular post topics this month.

1. Obviously, my PCI DSS log review procedures that I created for a consulting client and started posting on the blog (sanitized, of course) took the #1 spot: the first post, "Complete PCI DSS Log Review Procedures, Part 1", and the whole series (PCI_Log_Review) are expected to be useful to most large organizations under PCI DSS.

2. Just as last month, one of the top positions is again held by my repost of my free log management tool list, "On Free Log Management Tools", from my consulting site. The original version was written as a companion to our "Log Review Checklist" that also sits on the top list this month. BTW, my other checklist, "Log Management Tool Selection Checklist Out", is also in the top chart. It can be used to compare log management tools during the tool selection process or even a formal RFP process.

3. Surprisingly, "Novell Bought: What Happens in SIEM?" takes the next spot. The post contains my quick market analysis and some strategy choices related to the SIEM market impact of the Novell acquisition.

4. "Checking My 2010 Security Predictions" contains my self-assessment of the security predictions I made back in early 2010.

5. Finally, "Random Fun Highlights from PCI DSS 2.0" originated from my reading the new version of PCI DSS and taking some notes. Feel free to read it to quickly get "what's new" in PCI DSS 2.0.

Also, below I am thanking my top 3 referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog: 1. Walt Conway; 2. Raffy Marty; 3. Stephen Bradshaw.

First, see you in a day or so when I post the list of the most popular blog posts in the entire 2010 (also see my past annual "Top Posts" for 2007, 2008 and 2009). Next, see you later in January for the next monthly top list.

Possibly related posts (past monthly popular blog round-ups): Monthly Blog Round-Up for November 2010, October 2010, September 2010, August 2010, July 2010, June 2010, May 2010, April 2010, March 2010, February 2010, January 2010, December 2009, November 2009, October 2009, September 2009, August 2009, July 2009, June 2009, May 2009, April 2009, March 2009, February 2009, January 2009, December 2008, November 2008, October 2008, September 2008, August 2008, July 2008, June 2008, May 2008, April 2008, March 2008, February 2008, January 2008, December 2007, November 2007, October 2007, September 2007, August 2007.
</description><link>http://www.secuobs.com/revue/news/275189.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/275189.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 15</title><description>Secuobs.com : 2010-12-31 21:52:07 - Anton Chuvakin Blog (Security Warrior) - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. They are focused on PCI DSS compliance, but based on generally useful log review practices that can be utilized by everybody, with any regulation or without any compliance flavor at all. The practices can be implemented with commercial log management or SIEM tools, open source log analysis tools, or manually. As you undoubtedly know, tools alone don't make anybody compliant.
This is the 15th post in the long, long series (part 1, part 2, part 3, all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs. And so we continue with our Complete PCI DSS Log Review Procedures (please consider reading from Part 1; at this stage we are deep in the details and these sections might seem out of context without reading earlier parts).
PCI Compliance Evidence Package
Finally, it is useful to create a "PCI Compliance Evidence Package" based on the established and implemented procedures, to show it to the QSA. It will help establish your compliance with three key PCI DSS logging requirements: presence and adequacy of logging; log review; exception handling. While it is possible to prepare the evidence package before the assessment, it is much easier to maintain it on an ongoing basis. For example, keep printed or electronic copies of the following:
1. Logging policy that covers all of the PCI DSS in-scope systems.
2. Logging and log review procedures (this document).
3. List of log sources: all systems and their components (applications) from the in-scope environment.
4. Sampling of configuration files that indicate that logging is configured according to the policy (e.g. /etc/syslog.conf for Unix, screenshots of audit policy for Windows, etc.).
5. Sampling of logs from in-scope systems that indicate that logs are being generated according to the policy and satisfy PCI DSS logging requirements.
6. Exported or printed report from a log management tool that shows that log reviews are taking place.
7. Up-to-date logbook, defined above.
This will allow you to always establish compliant status and prove ongoing compliance. To be continued. Follow PCI_Log_Review to see all posts.
Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review.
About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/275151.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/275151.shtml</guid></item>
<item><title>Links for 2010-12-29 (delicious)</title><description>Secuobs.com : 2010-12-30 11:16:35 - Anton Chuvakin Blog (Security Warrior) - IT Predictions for 2011: Security, Log Management and More | Log Management Central; Securosis Blog: Dealtime 2010 - Remembering the Departed; Dasient Blog: Fast Forward - Dasient's Security Predictions for 2011; Cyber Security Predictions for 2011, Part 1.</description><link>http://www.secuobs.com/revue/news/274868.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/274868.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 14</title><description>Secuobs.com : 2010-12-29 22:10:29 - Anton Chuvakin Blog (Security Warrior) - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. They are focused on PCI DSS compliance, but based on generally useful log review practices that can be utilized by everybody, with any regulation or without any compliance flavor at all. The practices can be implemented with commercial log management or SIEM tools, open source log analysis tools, or manually. As you undoubtedly know, tools alone cannot and do not make anybody compliant.
This is the 14th post in the long, long series (part 1, part 2, part 3, all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs. And so we continue with our Complete PCI DSS Log Review Procedures (please consider reading from Part 1; at this stage we are deep in the details and these sections might seem out of context without reading earlier parts).
Example Logbook Entry
Here is an example following the above pattern:
1. Date/time/time zone this logbook entry was started: November 23, 2009, 4:15PM PST.
2. Name and role of the person starting the logbook entry: Anton Chuvakin, principal consultant.
3. Reason the logbook entry is started: log exception (copied from the log aggregation tool or from the original log file; make sure that the entire log is copied, especially its time stamp, which is likely to be different from the time of this record, and the system from which it came: what/when/where, etc.). [image: the exception log entry] Time/date of log: 10/21/2009 10:01:23 PM PST. System: OLGA.example.com.
4. Details on why the log is not routine and why this analysis is undertaken: this event ID (Windows event ID 11) from this application event source (Source: crypt32) was never seen before on any of the systems where logs are reviewed across our organization.
5. Information about the system that produced the exception log record or the one this log exception is about: a. Hostname: OLGA.example.com; b. OS: Windows XP SP3; c. Application name: N/A; d. IP address(es): 10.1.1.1; e. Location: Home office; f. Ownership (if known): Olga Chuvakin, President and CEO; g. System criticality (if defined and applicable): critical, main laptop of the executive; h. Under patch management, change management, FIM, etc.: yes.
6. Information about the user whose activity produced the log: N/A, no user activity involved.
7. Investigation procedure followed, tools used, screenshots, etc.: procedure for "Initial Investigation" described above.
8. Investigative actions taken: following the procedure for "Initial Investigation" described above, it was determined that this log entry is followed by a successful completion of the action logged. Specifically, on the same day, 1 second later, the following log entry appeared: [image: the subsequent log entry] This entry indicates the successful completion of the action referenced in our exception log entry, and thus no adverse impact from the error/failure is present.
9. People contacted in the course of the log analysis: none.
10. Impact determined during the course of the analysis: impact was determined to be low to non-existent; no functionality was adversely affected, no system was at risk.
11. Recommendations for actions, mitigations (if needed): no mitigation needed; added this log entry to the baseline to be ignored in the future as long as the subsequent log entry exists.
A logbook of that sort is used as compliance evidence since it establishes log exception follow-up, required in item 10.6.a of the PCI DSS validation procedure, which states: "Obtain and examine security policies and procedures to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required." The logbook (whether in electronic or paper form) can be presented to a QSA or other auditor, if requested. I recommend retaining the logbook for 3 years, or at least 2x the log retention period (1 year for PCI DSS). To be continued. Follow PCI_Log_Review to see all posts.
Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review.
About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/274771.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/274771.shtml</guid></item>
<item><title>SANS Log Management Survey is OUT!</title><description>Secuobs.com : 2010-12-29 22:10:29 - Anton Chuvakin Blog (Security Warrior) - Just quoted from here: "Christmas in May: Take the SANS 2011 Annual Log Management Survey! Take the 7th Annual Log Management Survey and be entered to win a $250 American Express Gift card. This comprehensive survey has become a leading indicator of how well log management and automation helps organizations with their security and compliance needs. To take our survey, follow this link: http://www.sans.org/info/68369. The results will be released in early May during a short series of live webcasts with Jerry Shenk and Dave Shackleford." Do the survey, please! Past years' results have been very insightful due to good participation.
Possibly related posts: SANS Log Management Survey 2010 is Out (contains last year's survey analysis).
About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/274770.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/274770.shtml</guid></item>
<item><title>Links for 2010-12-28 (delicious)</title><description>Secuobs.com : 2010-12-29 10:33:42 - Anton Chuvakin Blog (Security Warrior) - McAfee predicts attacks on social services, mobile products in 2011; More Mac malware common on 2011 prediction lists - SC Magazine US.</description><link>http://www.secuobs.com/revue/news/274646.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/274646.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 13</title><description>Secuobs.com : 2010-12-27 21:54:54 - Anton Chuvakin Blog (Security Warrior) - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. They are focused on PCI DSS compliance, but based on generally useful log review practices that can be utilized by everybody, with any regulation or without any compliance flavor at all. The practices can be implemented with commercial log management or SIEM tools, open source log analysis tools, or manually. As you undoubtedly know, tools alone don't make anybody compliant.
This is the 13th post in the long, long series (part 1, part 2, part 3, all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs. And so we continue with our Complete PCI DSS Log Review Procedures (please consider reading from Part 1; at this stage we are deep in the details and these sections might seem out of context without reading earlier parts).
Logbook - Evidence of Exception Investigations
How to create a logbook that proves that you are reviewing logs and following up with exception analysis, as prescribed by PCI DSS Requirement 10? The logbook is used to document everything related to analyzing and investigating the exceptions flagged during daily review. While the same logbook approach is used in the incident handling process (such as the SANS Incident Response Workflow), in this document it is utilized as compliance evidence. The logbook should record all systems involved, all people interviewed, all actions taken as well as their justifications, what outcome resulted, what tools and commands were used (with their results), etc. Here is one recommendation for a logbook entry.
Recommended Logbook Format
Logbook entry:
1. Date/time/time zone this logbook entry was started.
2. Name and role of the person starting the logbook entry.
3. Reason it is started: log exception (copied from the log aggregation tool or from the original log file; make sure that the entire log is copied, especially its time stamp, which is likely to be different from the time of this record, and the system from which it came: what/when/where, etc.).
4. Details on why the log is not routine and why this analysis is undertaken.
5. Information about the system that produced the exception log record or the one this log exception is about: a. Hostname; b. OS; c. Application name; d. IP address(es); e. Location; f. Ownership (if known); g. System criticality (if defined and applicable); h. Under patch management, change management, FIM, etc.
6. Information about the user whose activity produced the log (if applicable).
7. Investigation procedure followed, tools used, screenshots, etc.
8. Investigative actions taken.
9. People contacted in the course of the log analysis.
10. Impact determined during the course of the analysis.
11. Recommendations for actions, mitigations (if needed).
To be continued. Follow PCI_Log_Review to see all posts.
Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review.
About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/274394.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/274394.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 12</title><description>Secuobs.com : 2010-12-24 21:10:09 - Anton Chuvakin Blog (Security Warrior) - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody, with any regulation or without any compliance flavor at all. It can be performed manually (at small log volumes), using free open source log analysis tools, or using commercial log management or SIEM tools.
This is the 12th post in the long, long series (part 1, part 2, part 3, all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs. And so we continue with our Complete PCI DSS Log Review Procedures (please consider reading from Part 1; at this stage we are deep in the details and these pieces might seem out of context without reading earlier parts).
Validation of Log Review
The final and critical part of compliance-motivated log review is making sure that there is sufficient evidence of the process, its real-world implementation and diligence in following the log review process. The good news here is that the same data can be used for management reporting about the logging and log review processes, so you are not doing it just for PCI DSS compliance. Let's determine what documentation should be produced as proof of log review. First, the common misconception is that having the actual logs provides that. That is not really true: "having logs" and "having logs reviewed" are completely different, and sometimes years of maturing the security and compliance program separate one from the other. Please make sure that your team members keep that in mind.
Just as a reminder, we have several major pieces that we need to prove for PCI DSS compliance validation. Here is the master list of all compliance proof we will assemble. Unlike other sections, here we will cover proof of logging and not just proof of log review, since the latter is so dependent on the former: presence and adequacy of logging; presence of log review processes and their implementation; exception handling process and its implementation. Now we can organize the proof around those areas and then build processes to collect such proof.
Proof of Logging
The first category is proof of presence and adequacy of logging. This section is the easiest to prove out of the three. The following items serve as proof of logging:
1. Documented logging policy, covering both logged events and details logged for each event.
2. System/application configuration files implementing the above policy.
3. Logs produced by the above applications while following the policy.
As stated previously, your QSA is the ultimate judge of what proof of compliance will be adequate for your organization. These tips have been known to be found adequate, but see disclaimers in earlier parts for details.
Proof of Log Review
The second category: proof of log review processes and their implementation. This section is harder to prove compared to the previous one. The following items serve as proof of log review:
1. Documented logging policy, covering log review.
2. Documented operational procedures, detailing the exact steps taken to review the logs.
3. Records of log review tasks being executed by the appropriate personnel (some log management products create an audit log of reviewed reports and events; such an audit trail should cover it; the case of manual review is covered below). Think about this item as a "log review log".
4. Also, records of exceptions being investigated (next section) indirectly prove that log review is taking place as well.
Proof of Exception Handling
The third category: proof of exception handling process and its implementation. This section is by far the hardest to prove out of these three. The following items serve as proof of the log exception process:
1. Documented logging policy, covering exceptions and their handling.
2. Documented operational procedures, detailing the exact steps taken to investigate exceptions found during log review (this document).
3. A log of all exceptions investigated with actions taken (logbook).
The above evidence should provide ample proof that the organization follows PCI DSS guidance with diligence. Let's focus on producing this proof; the table has the details.
PCI Compliance Logging Sub-Domain | Proof of Compliance | How to Obtain Proof
Proof of presence and adequacy of logging | Documented logging policy | Create policy, if not present
Proof of presence and adequacy of logging | System/application configuration files | After deployment, preserve the configuration files as a master copy
Proof of presence and adequacy of logging | Logs produced by the above applications | Collect sample logs and save as proof of compliance
Proof of log review | Documented logging policy | Create policy, if not present
Proof of log review | Documented operational procedures |
Proof of log review | Records of log review tasks being executed | Either use the tool or create a "logbook" (format below)
Proof of log review | Records of exceptions being investigated | Create a "logbook" of investigations
Proof of exception handling | Documented logging policy | Create policy, if not present
Proof of exception handling | Documented operational procedures |
Proof of exception handling | A log of all exceptions investigated | Create a "logbook" of investigations or "knowledge base"
These items directly map to PCI DSS Requirement 10 and PCI DSS validation procedures. The critical item from the above list is a "logbook" that is used to record exception follow-up and investigation, thus creating powerful evidence of compliance with PCI DSS requirements. In a more advanced form, the logbook can even grow into an investigative "knowledge base" that contains all past exception analysis cases. To be continued. Follow PCI_Log_Review to see all posts.
Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review.
About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/274130.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/274130.shtml</guid></item>
<item><title>Links for 2010-12-22 (delicious)</title><description>Secuobs.com : 2010-12-23 11:17:51 - Anton Chuvakin Blog (Security Warrior) - Information Security 2020 - David Lacey's IT Security Blog; 2011: What's Your IT Security Plan? | threatpost; Will 2011 be the year of mobile malware? | Mobilize - InfoWorld.</description><link>http://www.secuobs.com/revue/news/273830.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/273830.shtml</guid></item>
<item><title>Checking My 2010 Security Predictions</title><description>Secuobs.com : 2010-12-22 22:26:06 - Anton Chuvakin Blog (Security Warrior) - People should be banned from making new industry predictions before checking how their past predictions fared, and possibly embarrassing themselves again and again (see "The Year of Mobile Malware" (Smile)). My 2010 predictions were here: http://chuvakin.blogspot.com/2009/12/security-predictions-2010.html. Proceeding to check them below.
1. Compliance: as many other observers (Joshua at 451 Group comes to mind) noted, many of the security activities in 2010 will be defined by regulatory mandates such as PCI DSS, HIPAA/HITECH and others. Sadly, this is as true as ever. As security moves downstream/downmarket, compliance plays a bigger role. WIN, but an easy one. BTW, some people did predict "the death of compliance", but this sure isn't happening any time soon.
2. Bad shit: what we have here is an intersection of two opposite trends: rampant, professional cybercrime and low occurrence of card fraud (as a percentage of card transaction volume). I explain this conundrum by predicting a scary picture of huge criminal opportunity, which still exists unchanged. Shit is indeed pretty bad. WIN, but an easy one; no fame points for getting this right. This will get worse before it gets better, and we are in the "climb to REALLY bad shit" phase, IMHO.
3. Intrusion tolerance is another trend (and its continued existence is in fact my prediction for 2010) which helps the "bad guys": it is highly likely that most organizations have bots on their networks. What are they doing about it? Nothing much that actually helps. It is too hard, and many businesses just aren't equipped (both skill-wise and technology-wise) to combat a well-managed criminal operation which also happens to not be very disruptive to the operation of their own business. Same thing: predicting this was like taking candy from a baby. WIN, but with no extra credit. Organizations will likely stay owned, despite regulations, media attention, big security budgets, etc.
4. Cloud security: I predict much more noise and a bit more clarity (due to CSA work) in regards to information security requirements as more and more IT migrates to the cloud. The Holy Grail of "cloud security" (a credible cloud provider assessment guide/checklist) will emerge during 2010. A WIN here too: more clarity on cloud security is here. CSA work (CSA 2.0 guide, recent cloud compliance matrix and CloudAudit releases) is helping. Still, there is a lot of delusional cloud noise from many vendors.
5. Platform security: just like Vista didn't in 2007, Windows 7 won't "make us secure". The volume of W7 hacking will increase as the year progresses. Also, in 2008, I predicted an increase in Mac hacking; I'd like to repeat it as there is still room there :-). And, only the truly lazy won't predict more web application attacks. Of course! It is a true no-brainer, if there ever were one. Web application hacking is "a remote network service overflow" of the 2000s. So, a partial WIN here, but then again, predicting "more attacks" is stupidly easy. BTW, Windows 7 is holding pretty well and there is no dramatic rise in public W7 vuln releases. Are people hoarding them (possible) or are the vulnerabilities just not there? Or maybe everybody is owning Adobe now (NEWSFLASH: Adobe: 2 days without a 0-day vulnerability!).
6. Incidents: just like in 2008, I predict no major utility/SCADA intrusion and thus no true "cyber-terrorism" (not yet). Everybody predicts this one forever (as Rich mentions), but I am guessing we would need to wait at least a few years for this one (see my upcoming predictions for 2020). Sure, it makes for interesting thinking about why it did not happen; surely there is a massive fun factor in sending some sewage towards your enemies. I'm happy to be correct here and have no such incidents happen, but I was predicting that something major and world-changing would NOT happen, so the Feynman paradox is on my side. WIN, but a reluctant one. I still won't predict it for 2011 (predictions out soon), but even thinking about this one freaks me out. A massive data theft to dwarf Heartland will probably be on the books. And it will include not some silly credit card numbers (really, who cares :-)), but full identity: SSN and all. FAIL. No such breach materialized, at least not publicly.
7. Malware: sorry guys, but this year won't be the Year of Mobile Malware either. As I discussed here, mobile malware is "a good idea" (for attackers) provided there is something valuable to steal, but it is just not the case yet in the US. There will be more PoC malware for iPhone, BlackBerry, maybe the Droid, but there will be no rampage. On the fun side, maybe we will finally see that Facebook malware/malicious application (that I predicted and consequently missed in 2008). This one will be fun to watch (others agree), and current malware defenses will definitely not stop this "bad boy", at least not before it does damage. WIN. Read my lips: no year of mobile malware! Yes, I know AV vendors want it badly (in their ongoing fight for relevance) and keep predicting it, but it ain't coming. Sorry.
8. Risk management: more confusion. Enough said. In 2008, I said: "Will we know what risk management actually is in the context of IT security? No." It sounds like we know no more now. WIN, but maybe not for long. The growing amount of security data might change it in the next few years. Maybe. For now, as Mike said it, "Risk scoring is still a load of crap."
Conclusion: I can predict, but mostly easily predictable stuff. I am an extrapolator, not a Nostradamus.
Possibly related posts: Everything prediction.
About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/273679.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/273679.shtml</guid></item>
<item><title>Links for 2010-12-21 (delicious)</title><description>Secuobs.com : 2010-12-22 10:43:46 - Anton Chuvakin Blog (Security Warrior) - ID Experts Data Breach Prevention &amp; Response Blog - ID Experts.</description><link>http://www.secuobs.com/revue/news/273546.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/273546.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 11</title><description>Secuobs.com : 2010-12-21 17:01:56 - Anton Chuvakin Blog (Security Warrior) - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody, with any regulation or without any compliance flavor at all.
This is the 11th post in the long, long series (part 1, part 2, part 3, all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs. And so we continue with our Complete PCI DSS Log Review Procedures (please read in order; at this point we are pretty deep in the details and this piece might look out of context).
External Information Sources Investigation
Here is the procedure to follow in this case: [image: procedure flowchart] This procedure can be expanded to cover other sources of information available at the organization. The main idea of this procedure is to identify and then query information sources (such as IdM, change management, integrity checking, network flow analysis, etc.), based on the type of the exception log entry, and then to identify its impact and the required actions (if any). The procedure works to roughly identify the type of a log entry and then to query the relevant information sources. In some cases, when the log entry is deemed to be an indication of a serious issue, the incident response process is triggered. However, it sometimes happens that neither the preliminary analysis nor the query of external systems yields results, and the "exception" log entry is truly exceptional. In this case, the collaborative workflow is triggered. See the next section for details.
Escalation to Others Procedure - Collaborative Workflow
The investigation and escalation process is shown below: [image: investigation and escalation process flowchart] This process allows tapping into the knowledge of other people at the organization who might know what this "anomaly" is about. The main idea of this procedure is to identify and then interview the correct people who might have knowledge about the events taking place on the application, and then to identify its impact and the required actions (if any). The very last resort is to query the application vendor; such an info request is typically time-consuming or even expensive (depending on the support contract available), so it should be used sparingly. To be continued. Follow PCI_Log_Review to see all posts.
Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review.
About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/273345.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/273345.shtml</guid></item>
<item><title>Security Reflections and Musings on the Year 2010</title><description>Secuobs.com : 2010-12-20 14:27:44 - Anton Chuvakin Blog (Security Warrior) - Here is my new annual post (on top of my annual top post chart and annual predictions): Security Reflections and Musings on a Passing Year. Totally informal. Subjective. No science has been harmed while making it. So, what security events, things, happenings do I remember from 2010 (in no particular order)?
- 86% of breached companies had intrusion evidence in their logs (and other super-juicy bits from the Verizon breach report).
- Wikileaks: Your data will be stolen and, if you are lucky, leaked. If you are not lucky, sold and then used against you. Boom! That was your business going down.
- PCI DSS 2.0 is here, but the fight goes on. Now you merchants finally have to do it (or outsource card processing).
- APT: Please forget APT (most people, NOT all); while you are reading in the media about APT, your barely-there security is being owned by Backwards Non-persistent Whaaa-you-call-that-a-threat (BNW). Boom!
- TSA JunkGrabGate: please don't laugh, but "S" in TSA actually (OK, stop laughing NOW!) stands for (yeah, I know, I know) "security". So, it counts as a part of security reflections for the year. It is definitely stuck in my head, and probably will be stuck in my head for more than a year.
- RSA 2010 conference: this was my first show where I was an independent consultant (no vendor hat in hand) and I loved it. I am sooo looking forward to this year, and my press pass is already confirmed.
Maybe I can tag others to reflect on the year? Hey, others (Smile), want to do it? Stand by for my review of 2010 predictions and, yes, 2011 predictions.
About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/273070.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/273070.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 10</title><description>Secuobs.com : 2010-12-17 15:53:07 - Anton Chuvakin Blog "Security Warrior" - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody and with any regulation or without any compliance flavor at all. This is the tenth post in the long, long series (part 1, part 2, part 3, all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs. And so we continue with our Complete PCI DSS Log Review Procedures.
Exception Investigation and Analysis
A message not fitting the profile of normal operation is flagged as an "exception". It is important to note that an exception is not the same as a security incident, but it might be an early indication that one is taking place. At this stage we have an individual log message that is outside of routine normal operation. How do we figure out whether it is significant, and determine its impact on security and PCI compliance status?
Initial Investigation
The following high-level investigative process ("Initial Investigation") is used on each "exception" entry (more details are added further in the document): [diagram: Initial Investigation process] Specifically, the above process makes use of a log investigative checklist, which is explained below in more detail.
1. Look at log entries at the same time: this technique involves looking at an increasing range of time periods around the log message that is being investigated. Most log management products allow you to review logs or to search for all logs within a specific time frame. For example:
   a. First, look at other log messages triggered 1 minute before and 1 minute after the "suspicious" log.
   b. Second, look at other log messages triggered 10 minutes before and 10 minutes after the "suspicious" log.
   c. Third, look at other log messages triggered 1 hour before and 1 hour after the "suspicious" log.
2. Look at other entries from the same user: this technique includes looking for other log entries produced by the activities of the same user. It often happens that a particular logged event of a user activity can only be interpreted in the context of other activities of the same user. Most log management products allow you to "drill down into" or search for a specific user within a specific time frame.
3. Look at the same type of entry on other systems: this method covers looking for other log messages of the same type, but on different systems, in order to determine its impact. Learning when the same message was produced on other systems may hold clues to understanding the impact of this log message.
4. Look at entries from the same source (if applicable): this method involves reviewing all other log messages from the network source address (where relevant).
5. Look at entries from the same app module (if applicable): this method involves reviewing all other log messages from the same application module or components. While other messages in the same time frame (see item 1 above) may be significant, reviewing all recent logs from the same components typically helps to reveal what is going on.
In some cases, the above checklist will not render a result. Namely, the exception log entry will remain of unknown impact to security and PCI DSS compliance. In this case, we need to acquire information from other systems, such as File Integrity Monitoring, Vulnerability Management, Anti-malware, Patch Management, Identity Management, Network Management and others.
To be continued. Follow PCI_Log_Review to see all posts. Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/272595.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/272595.shtml</guid></item>
<item><title>Links for 2010-12-15 (delicious)</title><description>Secuobs.com : 2010-12-16 10:52:26 - Anton Chuvakin Blog "Security Warrior" -
- Marcus Ranum on 2011 Security Outlook
- Security predictions for 2011 (Symantec)</description><link>http://www.secuobs.com/revue/news/272192.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/272192.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 9</title><description>Secuobs.com : 2010-12-15 16:31:08 - Anton Chuvakin Blog "Security Warrior" - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody and with any regulation or without any compliance flavor at all. This is the ninth post in the long, long series (part 1, part 2, part 3, all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs. Today's section covers one of the most critical parts of any log review process: the main daily workflow. Pay attention, please! And so we continue with our Complete PCI DSS Log Review Procedures.
Main Workflow: Daily Log Review
This is the very central piece of the log review: comparing the logs produced over the last day (in case of a daily review) with an accumulated baseline. Daily workflow follows this model: [diagram: daily log review workflow] This diagram summarizes the actions of the log analyst who performs daily log review. Before we proceed, the issue of frequency of the log review needs to be addressed.
Frequency of Periodic Log Review
PCI DSS requirement 10.6 explicitly states: "Review logs for all system components at least daily". It is assumed that daily log review procedures will be followed every day. Only your QSA may approve less frequent log reviews, based on the same principle that QSAs use for compensating controls. What are some of the reasons when less frequent log reviews may be approved? The list below contains some of the reasons why daily log review may be performed less frequently than every day:
- Application or system does not produce logs every day. If log records are not added every day, then daily log review is unlikely to be needed.
- Log review is performed using a log management system that collects logs in batch mode, and batches of logs arrive less frequently than once a day [1].
- Application does not handle or store credit card data; it is only in scope since it is directly connected to
Remember that only your QSA's opinion on this is binding and nobody else's.
How does one actually compare today's batch of logs to a baseline? Two methods are possible (both are widely used for log review; the selection can be made based on the available resources and tools used). Specifically: [table: the two comparison methods] Out of the two methods, the first method only considers log types not observed before and can be done manually as well as with tools. Despite its simplicity, it is extremely effective with many types of logs: simply noticing that a new log message type is produced is typically very insightful for security, compliance and operations. For example, if log messages with IDs 1, 2, 3, 4, 5, 6 and 7 are produced every day in large numbers, but a log message with ID 8 is never seen, each occurrence of such a log message is reason for an investigation. If it is confirmed that the message is benign and no action is triggered, it can later be added to the baseline. So, the summary of comparison methods for daily log review is:
- Basic method:
  o Log type not seen before ("NEW log message type")
- Advanced methods:
  o Log type not seen before ("NEW log message type")
  o Log type seen more frequently than in baseline
  o Log type seen less frequently than in baseline
  o Log type not seen before for a particular user
  o Log type not seen before for a particular application module
  o Log type not seen before on the weekend
  o Log type not seen before during a work day
  o New user activity noted (any log from a user not seen before on the system)
While following the advanced method, other comparison algorithms can be used by the log management tools as well. After the message is flagged as an exception, we move to a different stage in our daily workflow: from daily review to investigation and analysis.
---------------------------------------------------------------------
[1] While such rare collection is not recommended, it is not entirely uncommon either.
To be continued. Follow PCI_Log_Review to see all posts. Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/271956.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/271956.shtml</guid></item>
<item><title>Links for 2010-12-14 (delicious)</title><description>Secuobs.com : 2010-12-15 10:48:09 - Anton Chuvakin Blog "Security Warrior" -
- CoreTrace 2011 security predictions: More blended malware threats across new platforms
- Top 5 Security Predictions for 2011 (Fortinet Security Blog)
- Technicalinfo.net Blog: Threat Landscape in 2011
- 10 Privacy Trends and Predictions for 2011 (Information Security News, IT Security News &amp; Expert Insights: SecurityWeek.com)
- 7 Trends to Watch for in 2011 (Optimal Security: The Lumension Blog)</description><link>http://www.secuobs.com/revue/news/271884.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/271884.shtml</guid></item>
<item><title>Some Recent and Upcoming Speaking Ops</title><description>Secuobs.com : 2010-12-14 14:39:57 - Anton Chuvakin Blog "Security Warrior" - Recent: "You Got That SIEM. Now What Do You Do?" at BayThreat 2010 in San Jose, CA. Presentation is embedded below and available here: "You Got That SIEM. Now What Do You Do?" by Dr. Anton Chuvakin. View more presentations from Anton Chuvakin. Upcoming: Webinar with Intel and NRF on Tokenization, "Address Network Security: Dramatically Reduce PCI DSS Scope with Gateway Tokenization" (Basic PCI DSS), on 12/14/2010 at 10AM PST. Focus.com webinar with Tripwire, "Achieve PCI Compliance and Ensure Security in a Data Deluge" (Basic PCI DSS), on 12/15/2010 at 10AM PST. Enjoy! About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/271528.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/271528.shtml</guid></item>
<item><title>LogChat Podcast #4: Anton Chuvakin and Andrew Hay Talk Logs</title><description>Secuobs.com : 2010-12-14 02:43:52 - Anton Chuvakin Blog "Security Warrior" - LogChat Podcast is back again - and now on iTunes as well! Everybody knows that all this world needs is a podcast devoted to logs, logging and log management (as well as SIEM, incident response and other fun related subjects). And now you have it AGAIN with edition #4 - through the sheer combined genius of Andrew Hay and myself, Anton Chuvakin. Our topic today is log management IN the cloud (in the cloud, not for the cloud), NIST cloud definitions and hosted log management, log management AND SIEM in the cloud, real-time correlation in the cloud (is it possible?), hybrid solutions, sensitivity of log data, barriers to market entry, log collection for the cloud, etc. All that, and how not to anger Chris Hoff with your cloud log management tool. Some administrative items: 1. No, we are still not ready with transcribing and, yes, we still want it. I did try Amazon Mechanical Turk, but it didn't turn out to be as inexpensive as people claimed. If you have ideas for a good AND cheap transcribing service, we are all ears. 2. We plan for this to happen every three weeks - recorded on Wednesday, posted on Thursday. However, due to our work schedules, irregularities will occur all the time. 3. Please suggest topics to cover as well - even though we are not likely to run out of ideas for a few years. 4. Any other feedback is HUGELY useful. Is it too long? Too loud? Too rant-y? Too technical? Not enough jokes? Too few mentions of the "cloud"? Feedback please! And now, in all its glory - the podcast: link to the #4 MP3 is here (MP3), RSS feed is here - it is also on iTunes now. Enjoy THE LogChat! Possibly related posts: LogChat Podcast #1: Anton Chuvakin and Andrew Hay Talk Logs; LogChat Podcast #2: Anton Chuvakin and Andrew Hay Talk Logs; LogChat Podcast #3: Anton Chuvakin and Raffy Marty Talk Logs. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/271440.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/271440.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 8</title><description>Secuobs.com : 2010-12-11 22:36:37 - Anton Chuvakin Blog "Security Warrior" - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. As I am preparing to handle more of such engagements (including ones not focused on PCI DSS, but covering other compliance or purely security log reviews), I decided to publish a heavily sanitized version of that log review guidance as a long blog post series, tagged "PCI_Log_Review". It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody and with any regulation or without any compliance flavor at all. This is the eighth post in the long, long series (part 1, part 2, part 3, all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs. And so we continue with our Complete PCI DSS Log Review Procedures.
Building an Initial Baseline Manually
Building a baseline without using a log management tool has to be done when logs are not compatible with an available tool or the available tool has a poor understanding of log data (e.g. a text indexing tool). To do it, perform the following:
1. Make sure that relevant logs from a PCI application are saved in one location.
2. Select a time period for an initial baseline: 90 days (or "all time" if logs have been collected for less than 90 days; check the timestamp on the earliest logs to determine that).
3. Review log entries starting from the oldest to the newest, attempting to identify their types.
4. Manually create a summary of all observed types; if realistic, collect the counts of times each message was seen (not likely in case of high log data volume).
5. Assuming that no breaches of card data have been discovered in that time period, we can accept the above report as a baseline for "routine operation".
6. An additional step should be performed while creating a baseline: even though we assume that no compromise of card data has taken place, there is a chance that some of the log messages recorded over the 90 day period triggered some kind of action or remediation. Such messages are referred to as "known bad" and should be marked as such.
Example: Building an Initial Baseline Manually
Here is an example process of the above, performed on a Windows system in scope for PCI DSS that also contains a PCI DSS application called "SecureFAIL".
1. Make sure that relevant logs from a PCI application are saved in one location. First, verify Windows event logging is running:
   a. Go to "Control Panel", click on "Administrative Tools", click on "Event Viewer".
   b. Right-click on "Security Log", select "Properties". The result should match this: [screenshot: Security Log properties]
   c. Next, review audit policy.
   Second, verify SecureFAIL dedicated logging:
   a. Go to C:\Program Files\SecureFAIL\Logs
   b. Review the contents of the directory; it should show the following: [screenshot: SecureFAIL log directory listing]
2. Select a time period for an initial baseline: 90 days (or "all time" if logs have been collected for less than 90 days; check the timestamp on the earliest logs to determine that).
   a. Windows event logs: available for 30 days on the system, might be available for longer.
   b. SecureFAIL logs: available for 90 days on the system, might be available for longer.
   Baselining will be performed over the last 30 days since data is available for 30 days only.
3. Review log entries starting from the oldest to the newest, attempting to identify their types.
   a. Review all using the MS LogParser tool (can be obtained from http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&amp;displaylang=en). Run the tool as follows (the FROM clause must precede GROUP BY, and every non-aggregated column must be in the GROUP BY list):
   C:\Tools\LogParser.exe "SELECT SourceName, EventCategoryName, Message, COUNT(*) AS Count INTO event_log_summary.txt FROM Security GROUP BY SourceName, EventCategoryName, Message" -resolveSIDs:ON
   and review the resulting summary of event types.
   b. Open the file secureFAIL_log-082009.txt in Notepad and review the entries. The LogParser tool above may also be used to analyze logs in plain text files (detailed instructions on using the tool fall outside the scope of this document).
4. Manually create a summary of all observed types; if realistic, collect the counts of times each message was seen (not likely in case of high log data volume). This step is the same as when using the automated tools: the baseline is a table of all event types as shown below.
   Event ID | Event Description | Count | Average Count/day
   1517 | Registry failure | 212 | 2.3
   562 | Login failed | 200 | 2.2
   563 | Login succeeded | 24 | 0.3
   550 | User credentials updated | 12 | 0.1
   666 | Memory exhausted | 1 | 0.0
   Assuming that no breaches of card data have been discovered in that time period, we can accept the above report as a baseline for "routine operation". However, during the first review of the logs, it might be necessary to investigate some of the logged events before we accept them as normal (such as the last event in the table). The next step explains how this is done.
5. An additional step should be performed while creating a baseline: even though we assume that no compromise of card data has taken place, there is a chance that some of the log messages recorded over the 90 day period triggered some kind of action or remediation. Such messages are referred to as "known bad" and should be marked as such. Same as when using the automated log management tools, we notice the last line, the log record with event ID 666 and event name "Memory exhausted", which only occurred once during the 90 day period. Such rarity of the event is at least interesting; the message description "Memory exhausted" might also indicate a potentially serious issue and thus needs to be investigated as described below in the investigative procedures.
What are some of the messages that will be "known bad" for most applications?
Guidance for Identifying "Known Bad" Messages
The following are some rough guidelines for marking some messages as "known bad" during the process of creating the baseline. If generated, these messages will be looked at first during the daily review process. MANY site-specific messages might need to be added, but this provides a useful starting point.
1. Login and other "access granted" log messages occurring at an unusual hour [1]
2. Credential and access modification log messages occurring outside of a change window
3. Any log messages produced by expired user accounts
4. Reboot/restart messages outside of a maintenance window (if defined)
5. Backup/export of data outside of backup windows (if defined)
6. Log data deletion
7. Logging termination on system or application
8. Any change to logging configuration on the system or application
9. Any log message that has triggered any action in the past (system configuration, investigation, etc.)
10. Other logs clearly associated with security policy violations
As we can see, this list is also very useful for creating a "what to monitor in near-real-time" policy and not just for logging. Over time, this list should be expanded based on the knowledge of local application logs and past investigations. After we have built the initial baselines we can start the daily log review.
---------------------------------------------------------------------
[1] Technically, this also requires the creation of a baseline for better accuracy. However, logins occurring outside of business hours (for the correct time zone) are typically at least "interesting" to review.
To be continued. Follow PCI_Log_Review to see all posts. Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/271111.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/271111.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 7</title><description>Secuobs.com : 2010-12-10 15:58:08 - Anton Chuvakin Blog "Security Warrior" - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. As I am preparing to handle more of such engagements (including ones not focused on PCI DSS, but covering other compliance or purely security log reviews), I decided to publish a heavily sanitized version of that log review guidance as a long blog post series, tagged "PCI_Log_Review". It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody and with any regulation or without any compliance flavor at all. This is the seventh post in the long, long series (part 1, part 2, part 3, all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs. And so we continue with our Complete PCI DSS Log Review Procedures.
Building an Initial Baseline Using a Log Management Tool
To build a baseline using a log management tool, perform the following:
1. Make sure that relevant logs from a PCI application are aggregated by the log management tools.
2. Confirm that the tool can "understand" (parse, tokenize, etc.) the messages and identify the "event ID" or message type of each log. For pure indexing tools, see the manual procedures presented in the next section.
3. Select a time period for an initial baseline: 90 days (or "all time" if logs have been collected for less than 90 days). In some cases, 7-30 day periods can be used.
4. Run a report that shows counts for each message type. This report indicates all the log types that are encountered over the 90 day period of system operation.
5. Assuming that no breaches of card data have been discovered, we can accept the above report as a baseline for "routine operation".
6. An additional step should be performed while creating a baseline: even though we assume that no compromise of card data has taken place, there is a chance that some of the log messages recorded over the 90 day period triggered some kind of action or remediation. Such messages are referred to as "known bad" and should be marked as such.
Let's go through a complete example of the above strategy.
1. Make sure that relevant logs from a PCI DSS application are aggregated by the available log management tool. At this step, we look at the log management tools and verify that logs from PCI applications are aggregated. It can be accomplished by looking at a report with all logging devices:
   Timeframe: Jan 1, 2009 - Mar 31, 2009 (90 days)
   Device Type | Device Name | Log Messages
   Windows 2003 | Winserver1 | 215762
   Windows 2003 | Winserver2 | 215756
   SANITIZED1 | SANITIZED1 | 53445
   SANITIZED2 | SANITIZED2 | 566
   SANITIZED3 | SANITIZED3 | 3334444
   This would indicate that aggregation is performed as needed.
2. Confirm that the tool can "understand" (parse, tokenize, etc.) the messages and identify the "event ID" or message type of each log. This step is accomplished by comparing the counts of messages in the tool (such as the above report that shows log message counts) to the raw message counts in the original logs.
3. Select a time period for an initial baseline: 90 days (or "all time" if logs have been collected for less than 90 days). In this example, we are selecting 90 days since logs are available.
4. Run a report that shows counts for each message type. For example, the report might look something like this:
   Timeframe: Jan 1, 2009 - Mar 31, 2009 (90 days)
   Event ID | Event Description | Count | Average Count/day
   1517 | Registry failure | 212 | 2.3
   562 | Login failed | 200 | 2.2
   563 | Login succeeded | 24 | 0.3
   550 | User credentials updated | 12 | 0.1
   This report indicates all the log types that are encountered over the 90 day period of system operation.
5. Assuming that no breaches of card data have been discovered, we can accept the above report as a baseline for "routine operation". During the first review of the logs, it might be necessary to investigate some of the logged events before we accept them as normal. The next step explains how this is done.
6. An additional step should be performed while creating a baseline: even though we assume that no compromise of card data has taken place, there is a chance that some of the log messages recorded over the 90 day period triggered some kind of action or remediation. Such messages are referred to as "known bad" and should be marked as such. Some of the logs in our 90 day summary are actually indicative of problems and require an investigation:
   Event ID | Event Description | Count | Average Count/day | Routine or "bad"
   1517 | Registry failure | 212 | 2.3 |
   562 | Login failed | 200 | 2.2 |
   563 | Login succeeded | 24 | 0.3 |
   550 | User credentials updated | 12 | 0.1 |
   666 | Memory exhausted | 1 | N/A | Action: restart system
   In this report, we notice the last line, the log record with event ID 666 and event name "Memory exhausted", which only occurred once during the 90 day period. Such rarity of the event is at least interesting; the message description "Memory exhausted" might also indicate a potentially serious issue and thus needs to be investigated as described below in the investigative procedures.
Creating a baseline manually is possible, but more complicated.
To be continued. Follow PCI_Log_Review to see all posts. Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/270860.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/270860.shtml</guid></item>
<item><title>Links for 2010-12-09 (delicious)</title><description>Secuobs.com : 2010-12-10 09:56:05 - Anton Chuvakin Blog "Security Warrior" -
- Securosis Blog: My 2011 Security Predictions
- WikiLeaks: Moving Target - Renesys Blog
- Juniper Buys Virtual Security Vendor Altor Networks - Networking news from Channel Insider</description><link>http://www.secuobs.com/revue/news/270802.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/270802.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 6</title><description>Secuobs.com : 2010-12-08 17:07:30 - Anton Chuvakin Blog "Security Warrior" - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. As I am preparing to handle more of such engagements (including ones not focused on PCI DSS, but covering other compliance or purely security log reviews), I decided to publish a heavily sanitized version of that log review guidance as a long blog post series, tagged "PCI_Log_Review". It was written to be a complete and self-contained guidance document that can be provided to people NOT yet skilled in the sublime art of logging and log analysis in order to enable them to do the job and then grow their skills. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody and with any regulation or without any compliance flavor at all. This is the sixth post in the long, long series (part 1, part 2, part 3, all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs. And so we continue with our Complete PCI DSS Log Review Procedures.
Creating Log Message Types
It is important to note that explicit event types might not be available for some log types. For example, some Java application logs and some Unix logs don't have explicit log or event types recorded in logs. Thus, what is needed is to create an implicit event type. The procedure for this case is as follows:
1. Review the log message and identify what application or device produced it (if multiple logs are collected together).
2. Identify which part of the log message identifies what it is about.
3. Determine whether this part of the message is unique.
4. Create an event ID from this part of the message.
Even though log management tools perform the process automatically, it makes sense to go through an example of doing it manually in case a manual log review procedure is utilized. For example:
Example 1
1. Review the log message. The log message is: [Mon Jan 26 22:55:37 2010] [notice] Digest: generating secret for digest authentication
2. Identify which part of the log message identifies what it is about. It is very likely that the key part of the message is "generating secret for digest authentication" or even "generating secret".
3. Determine whether this part of the message is unique. A review of other messages in the log indicates that no other messages contain the same phrase, and thus this phrase can be used to classify a message as a particular type.
4. Create an event ID from this part of the message. We can create a message ID or message type as "generating_secret". Now we can update our baseline that this type of message was observed today.
Let's go through another example using Java-based payment application logs (AC: sorry, sanitized).
An initial baseline can be quickly built using the following process, presented below for two situations: with automated log management tools and without them.
In addition to this "event type", it makes sense to perform a quick assessment of the overall log entry volume for the past day (past 24 hr period). Significant differences in log volume should also be investigated using the procedures defined below. In particular, loss of logging (often recognized from a dramatic decrease in log entry volume) needs to be investigated and escalated as a security incident.
To be continued. Follow PCI_Log_Review to see all posts. Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/270251.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/270251.shtml</guid></item>
<item><title>Links for 2010-12-07 (delicious)</title><description>Secuobs.com : 2010-12-08 10:39:34 - Anton Chuvakin Blog "Security Warrior" -
- SANS Technology Institute: Stephen Northcutt's Security Predictions for 2011 and 2012</description><link>http://www.secuobs.com/revue/news/270195.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/270195.shtml</guid></item>
<item><title>Links for 2010-12-06 (delicious)</title><description>Secuobs.com : 2010-12-07 10:31:47 - Anton Chuvakin Blog "Security Warrior" -
- Top Security Predictions for 2011 - PCWorld Business Center</description><link>http://www.secuobs.com/revue/news/269899.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/269899.shtml</guid></item>
<item><title>Novell Bought: What Happens in SIEM?</title><description>Secuobs.com : 2010-12-07 00:31:17 - Anton Chuvakin Blog "Security Warrior" - After I came back from my vacation in Egypt, I started looking through all the noise related to the Novell acquisition by Attachmate. Everybody whines about Microsoft, Linux, VMware, patents, open-source, the unknown "IP bundle", etc., but what about SIEM? Novell has Sentinel SIEM, and NetIQ, the previous Attachmate victim purchase, has their own toy "SIEM": Security Manager. Now, we can all joke about how sad that NetIQ SIEM really is, how it doesn't scale and how nobody uses it, and culminate with quotes from Gartner's Mark Nicolett about it (see "Magic Quadrant for Security Information and Event Management, 2010"): "not very visible in competitive evaluations" and "not growing with the market". Seriously, if your product team fails to impress Mark with a few no-you-cannot-call-them-fake happy customer references and the final SIEM MQ report goes out with the above quotes, you should look into what seppuku really means to you. So, what can become the future "Attachmate SIEM"?
1. Is it NetIQ SM, coming back as a lumbering zombie to the SIEM playground to be slaughtered in competitive deals?
2. Is it Novell Sentinel, which is now improving both its technology and market position by leaps and bounds?
3. Is it both, but with some magic differentiation positioning, ahem, like the Tweedledum and Tweedledee of SIEM (IBM TCIM and IBM TSOM perhaps)?
4. Is it some future integrated version of both?
While I don't claim to possess any deep inside information on the deal, I think one can envision the last option actually working out OK over the long term for all involved (as well as for customers). For example, combine NetIQ SM strength on Windows (and servers/desktops in general) with Novell cross-platform correlation, UIs, new log manager, etc. Reuse their FDCC-focused pieces too, maybe. Also, integrate NetIQ system management tools with Sentinel. So, if I were them (and here is my unsolicited product strategy tip), I'd salvage NetIQ "SIEM" for parts and use them to bulk up Novell Sentinel where such parts can be plugged in with minimum effort. Salvage some useful Windows correlation rules they used to have and port them into Sentinel. At the same time, integrate more functional NetIQ products with Sentinel to improve the "IT and security management" story for Novell/Attachmate. In the short term, just make most NetIQ Security Manager customers happy by upgrading them to Novell Sentinel. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/269808.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/269808.shtml</guid></item>
<item><title>BayThreat</title><description>Secuobs.com : 2010-12-04 21:54:19 - Anton Chuvakin Blog (Security Warrior) - Just FYI, a new security conference in the Bay Area; see you all there next week. I will be doing a hilarious SIEM/log management talk there. It will be fun! What? There's a new information security conference in the South Bay at The Hacker Dojo, December 10th and 11th. Perfect for those of us with exhausted travel budgets. We're an active community with tons of the smartest folks in the biz. It just makes sense that we would get a regional con of our own. The theme for BayThreat is as simple as black and white: Building and Breaking Security. Two tracks, each tackling opposite sides of the security fence. As security professionals, it is up to us to take that dichotomy and mold it into the shades of gray we use to protect our environment. Shades of the Gray Area: we've invited speakers from all over the Bay Area and beyond to a two-day conference at the Hacker Dojo in Mountain View, CA. The Dojo is a familiar place for the security community, as it hosts the DC650 meetings every month. We're excited to host speakers with security expertise from both sides of the fence. Early-acceptance speakers include Anton Chuvakin, Neel Mehta, Ryan Smith, Gal Shpantzer, Jim McLeod, Allen Gittelson, and Dan Kaminsky. The Call For Abstracts is now closed. When? December 10-11, 2010. Where? Hacker Dojo, 140A South Whisman Rd, Mountain View, CA 94041 (map). How much? A nominal fee of $45. Schedule: TBA here.</description><link>http://www.secuobs.com/revue/news/269415.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/269415.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 5</title><description>Secuobs.com : 2010-12-04 15:55:44 - Anton Chuvakin Blog (Security Warrior) - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. As I am preparing to handle more such engagements (including ones not focused on PCI DSS, but covering other compliance or purely security log reviews), I decided to publish a heavily sanitized version of that log review guidance as a long blog post series, tagged PCI_Log_Review. It was written to be a complete and self-contained guidance document that can be provided to people NOT yet skilled in the sublime art of logging and log analysis, in order to enable them to do the job and then grow their skills. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody, with any regulation or without any compliance flavor at all. This is the fifth post in the long, long series (part 1, part 2, part 3; all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs. And so we continue with our Complete PCI DSS Log Review Procedures.

Logging and Log Review Policy. In light of the above, a PCI-derived logging policy must at least contain the following: adequate logging, covering both logged event types and details; log aggregation and retention (1 year); log protection; log review. Let's now focus on log review in depth, as defined in the project scope. PCI DSS states: "Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS)." It then adds that "Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6." PCI testing and validation procedures for log review mandate that a QSA should "obtain and examine security policies and procedures to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required." The QSA must also, "Through observation and interviews, verify that regular log reviews are performed for all system components." Below we document application Log Review Procedures and workflows that cover: 1. Log review practices, patterns and tasks; 2. Exception investigation and analysis; 3. Validation of these procedures and management reporting. The procedures will be provided both for using automated log management tools and for manual review when tools are not available or not compatible with the log formats produced by the application.

Review Procedures and Workflows. The overall connection between the three types of PCI-mandated procedures is shown in a flow chart in the original post (not reproduced here). In other words, "Periodic Log Review Practices" are performed every day (or less frequently, if daily review is impossible) and any discovered exceptions are escalated to "Exception Investigation and Analysis". Both are documented as prescribed in "Validation of Log Review" to create evidence of compliance. We will now provide details on all three types of tasks. [A.C.: and so the fun starts!] To be continued. Follow PCI_Log_Review to see all posts. Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review.</description><link>http://www.secuobs.com/revue/news/269367.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/269367.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 4</title><description>Secuobs.com : 2010-12-03 15:43:10 - Anton Chuvakin Blog (Security Warrior) - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. As I am preparing to handle more such engagements (including ones not focused on PCI DSS, but covering other compliance or purely security log reviews), I decided to publish a heavily sanitized version of that log review guidance as a long blog post series, tagged PCI_Log_Review. It was written to be a complete and self-contained guidance document that can be provided to people NOT yet skilled in the sublime art of logging and log analysis, in order to enable them to do the job and then grow their skills. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody, with any regulation or without any compliance flavor at all. This is the fourth post in the long, long series (part 1, part 2, part 3; all parts). A few tips on how you can use it in your organization can be found in Part 1. You can also retain me to customize or adapt it to your needs. And so we continue with our Complete PCI DSS Log Review Procedures (for now, we are still in the introductory section, BTW).

Other Requirements Related to Logging. Many claims that are made about PCI DSS controls, such as data encryption or anti-virus updates, can make effective use of log files to actually substantiate the claims. For example, Requirement 1, "Install and maintain a firewall configuration to protect cardholder data", mentions that organizations must have "a formal process for approving and testing all external network connections and changes to the firewall configuration". However, after such a process is established, one needs to validate that firewall configuration changes do happen with authorization and in accordance with documented change management procedures. That is where logging becomes extremely handy, since it shows you what actually happened and not just what was supposed to happen. The entire Requirement 1.3 contains guidance on firewall configuration, with specific statements about inbound and outbound connectivity. One must use firewall logs to verify this; even a review of the configuration would not be sufficient, since only logs show "how it really happened" and not just "how it was configured". Similarly, Requirement 2 talks about password management "best practices" as well as general security hardening, such as not running unneeded services. Logs can show when such previously disabled services are being started, either by misinformed system administrators or by attackers. Further, Requirement 3, which deals with data encryption, has direct and unambiguous links to logging. For example, the entire subsection 3.6 on key management (quoted in abbreviated form in the original post) implies having logs to verify that such activity actually takes place. Specifically, key generation, distribution, and revocation are logged by most encryption systems, and such logs are critical for satisfying this requirement. Requirement 4, which also deals with encryption, has logging implications for similar reasons. Requirement 5 refers to anti-virus defenses. Of course, in order to satisfy Section 5.2, which requires that you "Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs", one needs to see such logs. So even the requirement to "use and regularly update anti-virus software" will likely generate requests for log data during the assessment, since the information is present in anti-virus audit logs. It is also well known that failed anti-virus updates, also reflected in logs, expose the company to malware risks, since anti-virus without the latest signature updates only creates a false sense of security and undermines the compliance effort. Requirement 6 is in the same league: it calls for organizations to "Develop and maintain secure systems and applications", which is unthinkable without strong audit logging functions and application security monitoring. Requirement 7, which states that one needs to "Restrict access to cardholder data by business need-to-know", requires logs to validate who actually had access to said data. If users that should be prevented from seeing the data appear in the log files as accessing the data successfully, remediation is needed. Assigning a unique ID to each user accessing the system fits with other security "best practices". In PCI it is not just a "best practice", it is a requirement: Requirement 8, "Assign a unique ID to each person with computer access". Obviously, one needs to "Control addition, deletion, and modification of user IDs, credentials, and other identifier objects" (Section 8.5.1 of PCI DSS). Most systems log such activities. In addition, Section 8.5.9, "Change user passwords at least every 90 days", can also be verified by reviewing the log files from the server in order to assure that all accounts have had their password changed at least every 90 days. Requirement 9 presents a new realm of security: physical access control. Even Section 9.4, which covers maintaining a visitor log (likely in the form of a physical logbook), is connected to log management if such a visitor log is electronic. There are separate data retention requirements for such logs: "Use a visitor log to maintain a physical audit trail of visitor activity. Retain this log for a minimum of three months, unless otherwise restricted by law." Requirement 11 addresses the need to scan (or "test") the in-scope systems for vulnerabilities. However, it also calls for the use of IDS or IPS in Section 11.4: "Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date." Intrusion detection is only useful if logs and alerts are reviewed. Requirement 12 covers the issues on a higher level: security policy as well as security standards and daily operational procedures (e.g., the procedure for daily log review mandated by Requirement 10 should be reflected here). However, it also has logging implications, since audit logging should be a part of every security policy. In addition, incident response requirements are also tied to logging: "Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations" is unthinkable to satisfy without effective collection and timely review of log data. The next section deals with the PCI-derived logging policy. Thus, event logging and security monitoring in a PCI DSS program go well beyond Requirement 10. Only through careful data collection and analysis can companies meet the broad requirements of PCI DSS. To be continued. Follow PCI_Log_Review to see all posts. Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review.</description><link>http://www.secuobs.com/revue/news/269175.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/269175.shtml</guid></item>
<item><title>Monthly Blog Round-Up: November 2010</title><description>Secuobs.com : 2010-12-02 19:24:47 - Anton Chuvakin Blog (Security Warrior) - Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting blog content. If you are "too busy to read the blogs", at least read these. So, here is my next monthly "Security Warrior" blog round-up of the top 5 popular posts/topics this month. 1. Just as last month, the top position in November is again held by my repost of my free log management tool list, "On Free Log Management Tools", from my consulting site. The original version was written as a companion to our "Log Review Checklist", which also sits on the top list this month. 2. Another checklist, "Log Management Tool Selection Checklist Out", holds a close second spot; it can be used to compare log management tools during the tool selection process or even a formal RFP process. 3. As you know, I started posting the PCI DSS log review procedures that I created for a consulting client (sanitized, of course). The first post in what will be a REALLY long series, "Complete PCI DSS Log Review Procedures, Part 1", is next. Look for all posts under the PCI_Log_Review tag. 4. "Random Fun Highlights from PCI DSS 2.0" originated from my reading the new version of PCI DSS and taking some notes. Feel free to read it to quickly get "what's new" in PCI DSS 2.0. 5. "On Choosing SIEM", a companion to "How Do I Get The Best SIEM?", held the next top position, and so did "How to Write an OK SIEM RFP". If you are thinking of getting a SIEM or a log management tool, check them out and also look at the related resources at the end of these posts. "So, What Should I Want?" (or How NOT to Pick a SIEM, III), "The Myth of SIEM as 'An Analyst-in-the-box'" (or How NOT to Pick a SIEM, II) and "I Want to Buy Correlation" (or How NOT to Pick a SIEM) also stay at the top; it seems like smaller organizations are looking at deploying SIEM and log management and there is a lot of interest in simple guidance. 6. Our LogChat podcast release is next on the list; the third issue is coming next week. The podcast is now on iTunes as well, check it out. The next issue (#4) is coming next week. Also, below I am thanking my top referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog: 1. Mike Dahn; 2. Walt Conway; 3. Raffy Marty; 4. Martin McKeay; 5. Dancho Danchev. See you in December for the next monthly and also the annual top blog posts; also see my past annual "Top Posts": 2007, 2008, 2009. Possibly related posts (past monthly popular blog round-ups): Monthly Blog Round-Up for October 2010, September 2010, August 2010, July 2010, June 2010, May 2010, April 2010, March 2010, February 2010, January 2010, December 2009, November 2009, October 2009, September 2009, August 2009, July 2009, June 2009, May 2009, April 2009, March 2009, February 2009, January 2009, December 2008, November 2008, October 2008, September 2008, August 2008, July 2008, June 2008, May 2008, April 2008, March 2008, February 2008, January 2008, December 2007, November 2007, October 2007, September 2007, August 2007.</description><link>http://www.secuobs.com/revue/news/268917.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/268917.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 3</title><description>Secuobs.com : 2010-12-01 19:38:49 - Anton Chuvakin Blog (Security Warrior) - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. As I am preparing to handle more such engagements (including ones not focused on PCI DSS, but covering other compliance or purely security log reviews), I decided to publish a heavily sanitized version of that log review guidance as a long blog post series, tagged PCI_Log_Review. It was written to be a complete and self-contained guidance document that can be provided to people NOT yet skilled in the sublime art of logging and log analysis, in order to enable them to do the job and then grow their skills. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody, with any regulation or without any compliance flavor at all. This is the third post in the long, long series (part 1, part 2); prepare to see lots of process flow charts. BTW, I will stop posting this intro starting from the next post in the series. A few tips on how you can use it in your organization: If you need to establish log review practices to satisfy PCI DSS Requirement 10.6 ("Review logs for all system components at least daily"), feel free to steal from this document and adapt it to your environment (I can do that for you too). There is a slight bias towards application and OS logging in this document (as per client request), and you do need to review network and security device logs as well; the methods and practices apply to them too. This was created before the PCI DSS 2.0 release, but has been checked to "comply" with the most recent standard (and Requirement 10 has not changed much in 2.0). A QSA looked at it and liked it, but YMMV; your QSA is always the ultimate authority in regards to what will "make you compliant". Don't forget to buy me a beer if you find it useful. Better: contract me to create something similar for your organization. Are you doing a good job with log review today? And so we continue.

10.5. Next, one needs to address the confidentiality, integrity and availability (CIA) of logs. Section 10.5.1 of PCI DSS covers confidentiality: "Limit viewing of audit trails to those with a job-related need". This means that only those who need to see the logs to accomplish their jobs should be able to. For example, one of the reasons is that many logs that record authentication decisions (such as Unix and Windows) will always contain usernames. While not truly secret, username information provides 50% of the information needed for successful password guessing (the password being the other 50%). Moreover, due to users mistyping their credentials, it is not uncommon for passwords themselves to show up in logs. Also, poorly written payment applications might result in a password being logged together with the URL in web server logs. Next comes integrity. As per Section 10.5.2 of PCI DSS, one needs to "protect audit trail files from unauthorized modifications". This one is obvious, since if logs can be modified by unauthorized parties (or by anybody) they stop being an objective record of system and user activities. However, one needs to preserve the logs not only from malicious users, but also from system failures and the consequences of system configuration errors. This touches upon both the availability and the integrity of log data. Specifically, Section 10.5.3 of PCI DSS covers that one needs to "promptly back-up audit trail files to a centralized log server or media that is difficult to alter". Indeed, centralizing logs to a server or a set of servers that can be used for log analysis is essential both for log protection and for increasing log usefulness. Backing up logs to DVDs (or tapes, for that matter) is another consequence of this requirement. One should always keep in mind that logs on tape are not easily accessible and not searchable in case of an incident, and PCI DSS mandates immediate availability of 3 months of log data [A.C.: with a slight change in PCI DSS 2.0]. Many pieces of network infrastructure such as routers and switches are designed to log to an external server and only preserve a minimum (or none) of the logs on the device itself. Thus, for those systems, centralizing logs is most critical. Also, Requirement 10.5.4 of PCI DSS states the need to "copy logs for wireless networks onto a log server on the internal LAN". To further decrease the risk of log alteration as well as to enable proof that such alteration didn't take place, Requirement 10.5.5 calls for the "use of file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts". At the same time, adding new log data to a log file should not generate an alert, since log files tend to grow and not shrink on their own unless logs are rotated or archived to external storage. File integrity monitoring systems use cryptographic hashing algorithms to compare files to a known good copy. The issue with logs is that log files keep growing as new records are added, which defeats a whole-file comparison against a known good copy. To resolve this contradiction, one should note that integrity monitoring can only assure the integrity of logs that are not being actively written to by the logging components; some algorithms also exist to detect any change other than addition.

10.6. The next requirement is truly one of the most important as well as one of the most often overlooked. Many PCI DSS control implementers simply "forget" that PCI Requirement 10 does not just call for "having logs", but also for "having the logs AND looking at them". Specifically, Section 10.6 states that the PCI organization must, as per PCI DSS, "review logs for all system components at least daily. Log reviews must include those servers that perform security functions like IDSes and AAA servers (e.g., RADIUS)". The rest of this document covers the detailed log review procedures and practices. Thus the requirement covers the scope of log sources that need to be "reviewed daily", and not just configured to log and have their logs preserved or centralized. Given that a large IT environment might produce gigabytes of logs per day, it is humanly impossible to read all of the logs line by line. That is why a note is added to this requirement of PCI DSS that states that "Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6". This document will cover both manual and automated log review.

10.7. The final requirement (10.7) deals with another important logging question: log retention. It says: "retain audit trail history for at least one year, with a minimum of three months online availability" [A.C.: as per PCI DSS 1.2.1]. Thus, if you are not able to go back one year and look at the logs, you are in violation. So, let us summarize what we learned so far on logging in PCI: PCI Requirement 10 calls for logging specific events with a pre-defined level of detail from all in-scope systems; PCI calls for tying the actual users to all logged actions; all clocks and time on the in-scope systems should be synchronized; the C-I-A of all collected logs should be protected; logs should be regularly reviewed (specific logs should be reviewed at least daily); all in-scope logs should be retained for at least one year. Now we are ready to dig deeper to discover that logs and monitoring "live" not only within Requirement 10, but in all other PCI requirements. While many think that logs in PCI are represented only by Requirement 10, reality is more complicated: logs are in fact present, undercover, in all other sections. To be continued. Follow PCI_Log_Review to see all posts. Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review.
</description><link>http://www.secuobs.com/revue/news/268627.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/268627.shtml</guid></item>
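Added example (my own code, not from the post above or from any product it mentions): the 10.5.5 discussion says integrity monitoring on a live log file has to tolerate appends yet still catch edits and truncation. One way to get that is to checkpoint the file's byte length together with a SHA-256 over exactly that prefix, and on the next check re-hash only the prefix: new bytes past the checkpoint are normal growth, a changed prefix is tampering, a shorter file is truncation or an unannounced rotation. The sshd and sudo lines and the host name are constructed for the demo; in practice the checkpoint is stored on the central log server (10.5.3), not next to the file it protects, and it is refreshed after every review and every planned rotation.

```python
"""Append-tolerant integrity check for a growing log file (added example)."""
import hashlib
import os
import tempfile

CHUNK = 65536


def hash_prefix(path, length):
    """SHA-256 over the first `length` bytes of `path`; None if the file is shorter."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb") as fh:
        while remaining > 0:
            data = fh.read(min(CHUNK, remaining))
            if not data:
                return None
            digest.update(data)
            remaining -= len(data)
    return digest.hexdigest()


def checkpoint(path):
    """Record what the file looks like now; keep the result off the monitored host."""
    size = os.path.getsize(path)
    return {"path": path, "length": size, "sha256": hash_prefix(path, size)}


def verify(cp):
    """Classify the file's current state relative to a checkpoint.

    "ok"        - byte-for-byte identical to the checkpoint
    "appended"  - prefix intact, new records after it (normal growth, no alert)
    "truncated" - shorter than the checkpoint (rotated or wiped without re-checkpointing)
    "modified"  - bytes inside the checkpointed prefix changed (edited or removed records)
    """
    size = os.path.getsize(cp["path"])
    if cp["length"] > size:
        return "truncated"
    if hash_prefix(cp["path"], cp["length"]) != cp["sha256"]:
        return "modified"
    return "appended" if size > cp["length"] else "ok"


def demo():
    """Constructed scenario: an append passes, an in-place edit and a truncation are caught."""
    first = b"Nov 30 10:01:02 pay01 sshd[2210]: Accepted publickey for alice from 10.1.2.3 port 51022 ssh2\n"
    second = b"Nov 30 10:03:17 pay01 sudo:    alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/cat /var/log/auth.log\n"
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    outcome = {}
    try:
        with open(path, "wb") as fh:
            fh.write(first)
        cp = checkpoint(path)
        outcome["unchanged"] = verify(cp)
        with open(path, "ab") as fh:            # the daemon keeps writing
            fh.write(second)
        outcome["after_append"] = verify(cp)
        cp = checkpoint(path)                   # re-checkpoint after each review
        with open(path, "wb") as fh:            # attacker rewrites history in place
            fh.write(first.replace(b"alice", b"mallory") + second)
        outcome["after_edit"] = verify(cp)
        with open(path, "wb") as fh:            # attacker (or silent rotation) drops the first record
            fh.write(second)
        outcome["after_truncate"] = verify(cp)
    finally:
        os.unlink(path)
    return outcome


if __name__ == "__main__":
    print(demo())
```

Rotation is the one legitimate cause of "truncated", so the rotation job should itself re-checkpoint (and the rotated-out file, now static, can be hashed whole and shipped). Note what this does not catch: a record removed from the tail before the next checkpoint is taken, which is why the checkpoint interval should be no longer than the review interval.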
<item><title>Links for 2010-11-30 (delicious)</title><description>Secuobs.com : 2010-12-01 10:56:15 - Anton Chuvakin Blog (Security Warrior) - Trend Micro Systems To Purchase Mobile Armor (ITProPortal.com)</description><link>http://www.secuobs.com/revue/news/268512.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/268512.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 2</title><description>Secuobs.com : 2010-11-30 15:19:01 - Anton Chuvakin Blog    Security Warrior  -    Once upon a time, I was retained to create a comprehensive PCI DSS-focused log review policies, procedures and practices for a large company As I am preparing to handle more of such engagements  including ones not focused on PCI DSS, but covering other compliance or purely security log reviews , I decided to publish a heavily sanitized version of that log review guidance as a long blog post series, tagged  PCI_Log_Review  It was written to be a complete and self-contained guidance document that can be provided to people NOT yet skilled in the sublime art of logging and log analysis in order to enable them to do the job and then grow their skills It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody and with any regulation or without any compliance flavor at all This is the second post in the long, long series  part 1 is here  prepare to see lots of process flow charts A few tips on how you can use it in your organization    If you need to establish log review practices to satisfy PCI DSS Requirement 106  Review logs for all system components at least daily , feel free to steal from this document and adapt it tor your environment I can do that for you too   There is a slight bias towards application and OS logging in this document  as per client request    an you do need to review network and security device logs as well The methods and practices apply to them as well   This was created before PCI DSS 20 release, but has been checked to  comply  with the most recent standard  and Requirement 10 has not changed much in 20    A QSA looked at it and liked it  but YMMV Your QSA is always the ultimate authority in regards to what will  make you compliant    Don t forget to buy me a beer if you find it useful Better   contract me to create something similar 
for your organization Are you doing a good job with log review today  And so we continue  Role and Responsibilities The following roles are mentioned in the document and are involved in Log Review process Role Responsibility Example Involvement in Log Review Application administrator Administers the application Configured application logging settings, may perform daily log review for operational reasons System or network administrator Administers the underlying operating system or network Configured logging settings, may perform daily log review for operational reasons Application business owner Business manager who is responsible for the application Approves the changes to application configuration required for logging and log review Security administrator Administers security controls on one or more systems or applications Configured security and logging settings, performs daily log review  not of his own activities  Security analyst Deals with operational security processes Accesses security systems and analyzes logs and other data, performs daily log review Security director or manager Oversees security policy, process and operation Owns Log Review Procedures, updates the procedures as needed Incident responder Gets involved in security incident response Deal with security incidents, reviews logs during the response process These roles and responsibilities are covered in depth throughout the document Introduction  PCI and Logging Basics This background section covers the basics of PCI DSS logging and what is required by PCI DSS It should be noted that logging and monitoring are not constrained to Requirement 10, but, in fact, pervades all 12 of the PCI DSS requirement The key focus areas for this project are Requirement 10 and sections of Requirement 11 Key Requirement 10 We will go through it line by line and then go into details, examples, and implementation guidance  AC   this references PCI DSS 121   I will mention where PCI DSS 20 differs for your 
convenience. 10.1 Specifically, Requirement 10.1 covers "establish[ing] a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user." PCI DSS doesn't just mandate that logs be there or that a logging process be set up; it requires that logs be tied to individual persons, not to the computers or devices where they are produced. It is this requirement that often creates problems for PCI implementers, since many think of logs as "records of people's actions," while in reality they will only have "records of computer actions." By the way, PCI DSS Requirement 8.1, which mandates that an organization "assigns all users a unique ID before allowing them to access system components or cardholder data," helps make the logs more useful here.

10.2 Next, Section 10.2 defines a minimum list of system events to be logged (or, to allow "the events to be reconstructed"). Such requirements are motivated by the need to assess and monitor user actions as well as other events that can affect credit card data (such as system failures). Following is the list of events that must be logged, from PCI DSS v1.2.1:

10.2.1 All individual user accesses to cardholder data
10.2.2 All actions taken by any individual with root or administrative privileges
10.2.3 Access to all audit trails
10.2.4 Invalid logical access attempts
10.2.5 Use of identification and authentication mechanisms
10.2.6 Initialization of the audit logs
10.2.7 Creation and deletion of system-level objects

As can be seen, this covers data access, privileged user actions, log access and initialization, failed and invalid access attempts, authentication and authorization decisions, and system object changes. It is important to note that such a list has its roots in IT governance "best practices," which prescribe monitoring access, authentication, authorization, change management, system availability, and suspicious activity.

10.3 Moreover, PCI DSS Requirement 10 goes into an even deeper level of detail and covers the specific data fields or values that need to be logged for each event. They provide a healthy minimum requirement, which is commonly exceeded by the logging mechanisms of various IT platforms. Such fields are (quoted from PCI DSS):

10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource

As can be seen, this minimum list contains all of the basic attributes needed for incident analysis and for answering the questions "when, who, where, what, and where from." For example, when trying to discover who modified a credit card database to copy all of the transactions, with all their details, into a hidden file (a typical insider privilege abuse), having all of the above recorded is useful.

10.4 The next requirement, 10.4, addresses a commonly overlooked but critical need: accurate and consistent time in all of the logs. It seems fairly straightforward that time and security event monitoring would go hand in hand. Yet system time is frequently found to be arbitrary in a home or small office network: it is whatever time your server was set to, or, if you designed your network for some level of reliability, your systems are configured to obtain time synchronization from a reliable source, such as an NTP service. (A.C.: this section 10.4 is slightly different in PCI DSS 2.0, but the key point, that you must have reliable time, is the same.)

To be continued. Follow PCI_Log_Review to see all posts.

Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review

About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/268287.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/268287.shtml</guid></item>
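The 10.1, 10.3 and 10.4 points in the post above amount to a per-record check that a log reviewer can automate: does each audit record carry the six 10.3 attributes, is its timestamp unambiguous (it carries a UTC offset, so records from hosts in different zones can be ordered during review, the 10.4 concern), and is the actor an individual rather than a shared account such as root (the 10.1 concern)? The Python script below is an added example written for this page; it is not code from the original post or from PCI DSS. It assumes a constructed audit format of one JSON object per line, an assumed mapping from the 10.3 attributes to field names, and a constructed list of shared accounts; the sample records are constructed as well.

```python
"""Review audit-log records against the PCI DSS Requirement 10 minimums.

Added example for this page, not code from the original post. Assumptions:
the audit trail is one JSON object per line (constructed format), and the
six 10.3 attributes map to the constructed field names in REQUIRED_FIELDS.
"""
import json
from datetime import datetime

# PCI DSS 10.3 attribute, mapped to an assumed JSON field name.
REQUIRED_FIELDS = {
    "10.3.1 user identification": "user",
    "10.3.2 type of event": "event",
    "10.3.3 date and time": "ts",
    "10.3.4 success or failure indication": "outcome",
    "10.3.5 origination of event": "src",
    "10.3.6 affected data, component or resource": "target",
}

# Shared or built-in accounts that 10.1 says must be tied back to a person.
# Constructed list; extend it with the service accounts of your own platforms.
GENERIC_ACCOUNTS = {"root", "administrator", "admin", "sa", "oracle", "system"}

# Constructed sample audit trail: one clean record, one root action on the
# audit log itself with a zone-less timestamp, one failed login with gaps,
# and one line that is not a record at all.
SAMPLE_LOG = """\
{"ts": "2010-11-24T19:12:05+00:00", "user": "jdoe", "event": "db_select", "outcome": "success", "src": "10.1.2.3", "target": "cardholder_db.transactions"}
{"ts": "2010-11-24T19:13:10", "user": "root", "event": "audit_log_clear", "outcome": "success", "src": "10.1.2.9", "target": "/var/log/audit/audit.log"}
{"ts": "2010-11-24T19:14:00+00:00", "user": "", "event": "login", "outcome": "failure", "src": "10.1.2.44"}
not a json record at all
"""


def check_record(line):
    """Return the list of problems found in one record; an empty list means OK."""
    problems = []
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["unparseable record"]
    if not isinstance(rec, dict):
        return ["record is not a JSON object"]

    # 10.3: every minimum attribute present and non-empty.
    for label, field in REQUIRED_FIELDS.items():
        if rec.get(field) in ("", None):
            problems.append(f"missing {label} ({field})")

    # 10.3.3 plus 10.4: the timestamp must parse and carry a UTC offset, or
    # records from hosts in different zones cannot be ordered during review.
    ts = rec.get("ts")
    if ts:
        try:
            parsed = datetime.fromisoformat(ts)
        except ValueError:
            problems.append("10.3.3 timestamp is not ISO 8601")
        else:
            if parsed.tzinfo is None:
                problems.append("10.3.3 timestamp has no UTC offset; zone unknown for 10.4 review")

    # 10.1: the actor must be an individual, not a shared or built-in account.
    user = str(rec.get("user") or "")
    if user.lower() in GENERIC_ACCOUNTS:
        problems.append(f"10.1 actor {user!r} is a shared account, not an individual user")

    return problems


def review(log_text):
    """Map 1-based line numbers to their problems, for records that have any."""
    findings = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        problems = check_record(line)
        if problems:
            findings[lineno] = problems
    return findings


if __name__ == "__main__":
    for lineno, problems in review(SAMPLE_LOG).items():
        print(f"line {lineno}:")
        for p in problems:
            print(f"  - {p}")
```

Run against the constructed sample, the first record passes, the root action is flagged twice (no zone on the timestamp, shared account as actor), the failed login is flagged for the empty user and the missing target, and the junk line is reported as unparseable. The script only judges record shape; whether "root" was really one known administrator is a question for the access-control process that 10.1 asks you to establish, not for the log reviewer.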
<item><title>My SANS Log Management Class Still Has Seats Left: Los Angeles on December 9-10</title><description>Secuobs.com : 2010-11-29 20:03:47 - Anton Chuvakin Blog (Security Warrior) - Just as a reminder, I am teaching my SANS Log Management Class (SEC434) in its 1.5-day version, and still at "beta prices" of 50% off, in Los Angeles next month, and it still has some seats left. Sign up now! Class title: Log Management In-Depth: Compliance, Security, Forensics, and Troubleshooting. Date: Thursday, December 9, 2010 - Friday, December 10, 2010. Time: Day 1: 9:00am - 5:00pm and Day 2: 9:00am - 12:00pm. Location: UCLA Extension Building, 10995 Le Conte Avenue, Los Angeles, CA 90024. Official SANS SEC434 description: This first-ever dedicated log management class teaches system, network, and security logs, their analysis and management, and covers the complete lifecycle of dealing with logs: the whys, hows and whats. You will learn how to enable logging and then how to deal with the resulting data deluge by managing data retention, analyzing data using search, filtering and correlation, as well as how to apply what you learned to key business and security problems. The class also teaches applications of logging to forensics, incident response and regulatory compliance. In the beginning, you will learn what to do with various log types and get brief configuration guidance for common information systems. Next, you will learn a phased approach to implementing a company-wide log management program, and go into specific log-related tasks that need to be done on a daily, weekly, and monthly basis in regards to log review and monitoring. Everyone is looking for a path through the PCI DSS and other regulatory compliance maze, and that is what you will learn in the next section of the course. Logs are essential for resolving compliance challenges; this class will teach you what you need to concentrate on and how to make your log management compliance-friendly. And people who are already using log management for compliance will learn how to expand the benefits of their log management tools beyond compliance. You will learn to leverage logs for critical tasks related to incident response, forensics, and operational monitoring. Logs provide one of the key information sources while responding to an incident, and this class will teach you how to utilize various log types in the frenzy of an incident investigation. Finally, the class author, Dr. Anton Chuvakin, probably has more experience in the application of logs to IT and IT security than anyone else in the industry. This means he and the other instructors chosen to teach this course have made a lot of mistakes along the way. You can save yourself a lot of pain and your organization a lot of money by learning about the common mistakes people make working with logs. Sign up here (likely to be full in a couple of days, so please hurry!). About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/268023.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/268023.shtml</guid></item>
<item><title>Complete PCI DSS Log Review Procedures, Part 1</title><description>Secuobs.com : 2010-11-24 19:12:05 - Anton Chuvakin Blog (Security Warrior) - Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. As I am preparing to handle more such engagements (including ones not focused on PCI DSS, but covering other compliance or purely security log reviews), I decided to publish a heavily sanitized version of that log review guidance as a long blog post series, tagged "PCI_Log_Review". It was written to be a complete and self-contained guidance document that can be provided to people NOT yet skilled in the sublime art of logging and log analysis (a key requirement for this project: the guidance was to be useful to such people) in order to enable them to do the job and then grow their skills. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody and with any regulation (or without any compliance flavor, of course). This is the first post in the long, long series; prepare to see lots of process flow charts :)

A few tips on how you can use it in your organization:
- If you need to establish log review practices to satisfy PCI DSS Requirement 10.6 ("Review logs for all system components at least daily"), feel free to steal from this document and adapt it to your environment. I can do that for you too.
- There is a slight bias towards application and OS logging in this document (as per client request), but you do need to review network and security device logs as well. The methods and practices apply to them too.
- This was created before the PCI DSS 2.0 release, but has been checked to "comply" with the most recent standard (and Requirement 10 has not changed much in 2.0).
- A QSA looked at it and liked it, but YMMV. Your QSA is always the ultimate authority in regards to what will "make you compliant."
- Don't forget to buy me a beer if you find it useful. Better: contract me to create something similar for your organization. Are you doing a good job with log review today? Owning an expensive SIEM product but not using it well does not magically make you compliant or secure (it can make you poor though :) ), but then again, you already knew it.

And so we begin our journey.

Project Goals

The goal of this project is to create a comprehensive Log Review Procedures document for PCI DSS applications. Such a document needs to cover log review procedures, tasks and practices, incorporate other systems in the review workflow, and also document all stages of log review. If implemented in operational practice, this Log Review Procedures document should satisfy PCI DSS requirements in select sections of PCI DSS Requirements 10 and 12 and should be adequate to pass PCI compliance validation [1].

Project Assumptions, Requirements and Precautions

These critical items are essential for the success of a PCI logging, log management and log review project. It is assumed that the following requirements are satisfied before the Log Review Procedures are put into operational practice.

Requirements

A set of requirements needs to be in place before the operational procedures described in this document can be used effectively:
1. A logging policy is created to codify PCI DSS log-related requirements as well as other regulatory and operational logging requirements.
2. Logging is enabled on the in-scope systems.
3. Interruption or termination of logging is in itself logged and monitored.
4. Events mandated in PCI DSS documentation are logged.
5. Generated logs satisfy PCI DSS logging requirements (e.g. Req. 10.3).
6. Time is synchronized across the in-scope systems and with a reliable time server (NTP or other, as per PCI DSS Req. 10.4).
7. Time zones of all logging systems are known and recorded, and can be reviewed in conjunction with logs.

Precautions

These additional precautions need to be taken in order to make logs useful for PCI DSS compliance, other regulations, as well as security, forensics and operational requirements:
- Key precaution: the person whose actions are logged on a particular system cannot be the sole party responsible for log review on that same system.
- Key precaution: PCI DSS mandates log security measures (detailed below); all access to logs should be logged and monitored to identify attempts to terminate or otherwise affect the presence and quality of logging.

[1] No assurance or guarantee of PCI compliance or of passing PCI validation with one or more PCI DSS requirements can be given in this document. Only each organization's QSA can be the judge of compliant status, as per PCI Council guidelines.

Out-of-scope Items

The following items are not covered in the document despite the fact that they might be essential for becoming PCI DSS compliant (out-of-scope item: why out of scope):
- What events to log for each application: the scope of the project is defined to cover log review only. It is assumed that proper logging is already implemented as per corporate logging policy.
- What details to log for each logged event for each application: the scope of the project is defined to cover log review only. It is assumed that proper logging is already implemented as per corporate logging policy.
- High-level logging and monitoring policy: it is known that such a policy is already in place.
- Log aggregation, rotation and retention policies and procedures: even though PCI DSS prescribes log retention, such procedures are not covered in this document.
- Security incident response process: the scope of the project is defined to cover log review only. Log review procedures sometimes call for initiation of a security incident response process and investigation.
- Applications that are not in scope for PCI DSS: the scope of the project is defined to cover PCI DSS applications only.
- Network devices that are OR are not in scope for PCI DSS: the scope of the project is defined to cover PCI DSS applications only. (A.C. note when posting: make sure you DO include network devices in your PCI logging project!)
- Access control to stored logs, protecting the confidentiality and integrity of log data: even though PCI DSS prescribes access control guidelines for aggregated logs, such procedures are not covered in this document, as per project definition.
- Compensating controls when logging is not possible: the scope of the project is defined to cover log review only. Log review is always possible whenever logging is possible; however, the situation where logging is not possible is not covered in this document.
- Real-time monitoring of central logging health, performance, etc.: the scope of the project is defined to cover periodic log review only.
- Any and all logging requirements in PCI DSS outside of Requirements 10 and 12: the scope of the project is defined to cover log review procedures in PCI Requirements 10 and 12 only. A brief overview of PCI logging requirements in other sections is provided, but no detailed operational guidance is given.
- Guarantee of passing PCI DSS assessment: only each organization's QSA can provide such assurance or guarantee after the assessment.
- Correlation rules for PCI monitoring: while correlation rules can be created to automate some of the items discussed in the document, the project is scoped to cover log review and not correlation.
- Log record preservation for forensic purposes: log record preservation should be a part of a security incident response workflow.

Note that some or all of the above items may be mandatory for passing PCI compliance validation.

To be continued. Follow PCI_Log_Review to see all posts.

PS This was posted by a scheduler; I am away from computers and responses to comments will be slow.

Possibly related posts: Incident Log Review Checklist; All posts tagged PCI_Log_Review

About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/267247.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/267247.shtml</guid></item>
<item><title>CEE Log Standard for Dummies</title><description>Secuobs.com : 2010-11-22 21:51:47 - Anton Chuvakin Blog (Security Warrior) - We wrote a very clear and concise note about the Common Event Expression (CEE) approach to log standards. Even marketing people can read it :) Quoted from here: "I'd like to make you aware that the CEE editorial board has published a short overview white paper describing the overall CEE effort, including the problems and approaches that CEE is taking. If you want a quick summary of what CEE is and how the different parts of the effort work, we'd encourage you to take a look at this paper. The document is available for download in PDF form on the CEE web site: http://cee.mitre.org/documents.html. And as always, we'd encourage your feedback; please feel free to post any comments to the CEE discussion mailing list at cee-discussion-list@lists.mitre.org." PS Posted by a scheduler; I am away from the computers, so responses to comments will be delayed. About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/266683.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/266683.shtml</guid></item>
<item><title>How to Write an OK SIEM RFP</title><description>Secuobs.com : 2010-11-16 06:03:33 - Anton Chuvakin Blog (Security Warrior) - OK, some people think consultants are supposed to make money off helping enterprises write RFPs, but I am busy enough, and so it goes. This is what happens if Anton is stuck in a metal tube for 5 hours in seat 1A :) Question: How do I go about writing a SIEM or log management RFP? Quick answer: don't. This "purchase method" is probably equally hated by vendors and end-users. As somebody who was "volunteered" to help sales folks with 1600-page (yes, really!) and smaller RFPs more than once during my "vendor years," I can tell you that (with a tongue firmly in cheek):
a) if you ask a vague question in your RFP, you will get either a "Yes" or a nice blurb taken from a random location in the vendor datasheet;
b) if you ask a question starting with "How," you will get a nice blurb taken from a vendor datasheet;
c) if you ask a silly question ("do you have an Albanian language interface?"), you will get either a "Yes" or a nice blurb taken from a random location in the vendor datasheet;
d) if you ask a question that is impossible to answer ("Can your product handle the high load?"), you will likely get a "Yes" (surprise!);
e) if you ask an honest question that might cast a product in a negative light ("will you ever lose log data?"), what do you think you will get?
See a theme emerge here? Note that I am not trying to imply that any particular vendor would lie in their RFP responses; the term here is "defensible creative exaggeration." BTW, what do you think happens when a standard enterprise RFP template collides with a standard vendor RFP "boilerplate" response? Boom! The explosion of high-grade concentrated idiocy. And if you think that I am a bit cynical about this whole thing, then maybe you are correct: making sausage for a long time does distort one's personality a wee bit :)

Despite the above, there are two exceptions to this rule of not doing RFPs:
1. You are obligated to do an RFP (government, etc.).
2. You'd like to use your RFP as a chance to distill and focus your SIEM/LM requirements.
Let's address them both at the same time. If you are case #1 above, you should really turn it into case #2. As you recall (if not, review these posts here), one of the most important things an organization should do before buying a SIEM is to set its own goals, requirements, use cases, etc. BTW, this recent SIEM presentation stresses the same point (esp. see slide 16 and around). This older presentation has some things to avoid at the product selection stage (see "worst practices" 1-4).

So, based on my experience on both sides of the RFP "interface," here are some of my SIEM RFP tips:
- Keep it short. If you cannot express what you need in under 10 pages, go back and rethink it. Every time an organization releases a 500+ page RFP, God kills an intern (yes, that very intern who is tasked with responding to that monster, of course).
- Start from your REAL main reason for getting a SIEM, your problem statement: monitor the PCI DSS CDE, perform IDS/IPS alert analysis, monitor servers for suspicious logins, protect web applications via log correlation, etc.
- Include your use cases, which simply means describing how you plan to use the system and what you expect the system to do for you. Some examples are shown here (more high level) and here (more detailed, inside the whitepaper).
- Based on your goals and use cases (and that is important!), describe the SIEM product functionality that is essential for your mission: agentless collection, bandwidth throttling, rule-based correlation, visual dashboards, trend reports, whatever.
- Include log sources: devices that you absolutely need supported, and what you mean by "supported" (e.g. parsed, normalized, categorized, suitable for correlation, covered by default correlation rules, updated promptly when the log source changes, etc.). This area is notorious for an extra-high volume of "creative exaggeration" ("of course we support VidgetMaster 7.2, via our generic LogMahgic 1.0 (TM) collector", which dumps log files right into storage without analysis, and then rotates them to oblivion within 7 days).
- Avoid or reduce the usage of vague terms: "scalable," "high," "flexible," "effective," "advanced," "automatic," "proper," etc. Why tempt the other side unnecessarily? :)
- Clarify most other terms, even those that look clear to you: "correlation," "reporting," "keyword search," "trend," "responsive," etc.
- Size the environment before writing an RFP, as we discuss in LogChat #2. Baseline your log sources for 2-4 weeks to get your average EPS rate, then include both the volume of data and the number of log sources that you absolutely need supported. Also, specify response time for reports and searches while you are at it.
- Make the phases of your SIEM project clear up front: don't say "400,000 devices and 4,000,000 EPS enterprise-wide." I've got news for you: you probably will never get there. Be very clear about your Phase 1-2 and simply keep later phases in mind for the coming years.
- Try hard to avoid idiotic statements (sorry!): "Vendor MUST specify their efforts and processes to guarantee that products and services provided will completely satisfy us or exceed our expectations" (quote from a real RFP).
And, hold on to your pants, despite the above effort you should be prepared to take the responses with a HUGE grain of salt. One of my contacts on the enterprise side put it simply: "of course we ignore all the specifics in RFP responses" :( With this approach to RFP writing, you WILL still benefit even if you don't read the responses!

Finally, a more useful question than "how do I write a SIEM RFP?" is "how do I buy the right SIEM for my organization?" Keep this in mind while tuning your RFP. Or just retain me to help: a $20k consulting project is known to sometimes save an organization from a $500k SIEM failure.

Possibly related posts: Log Management Tool Selection Checklist Out!; So, What Should I Want? or How NOT to Pick a SIEM-III; On Choosing SIEM; I Want to Buy Correlation, or How NOT to Pick a SIEM; The Myth of SIEM as "An Analyst-in-the-box", or How NOT to Pick a SIEM-II; Logging, Log Management and Log Review Maturity; Log Management + SIEM = ?; On SIEM Complexity; SIEM Bloggables; SIEM Use Cases; Whitepaper with detailed SIEM use cases (using a particular SIEM as an example); Log Management / SIEM Users: "Minimalist" vs "Analyst"; All posts labeled SIEM

About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/265084.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/265084.shtml</guid></item>
<item><title>SANS Log Management Class SEC434 in LA, December 9-10</title><description>Secuobs.com : 2010-11-10 15:49:41 - Anton Chuvakin Blog (Security Warrior) - Just FYI, I am teaching my SANS Log Management Class (SEC434) in its 1.5-day version in Los Angeles next month. SANS has some juicy discounts since the class is still in beta (this is hopefully the last one). Sign up now! Class title: Log Management In-Depth: Compliance, Security, Forensics, and Troubleshooting. Date: Thursday, December 9, 2010 - Friday, December 10, 2010. Time: Day 1: 9:00am - 5:00pm; Day 2: 9:00am - 12:00pm. Location: UCLA Extension Building, 10995 Le Conte Avenue, Los Angeles, CA 90024. Description: This first-ever dedicated log management class teaches system, network, and security logs, their analysis and management, and covers the complete lifecycle of dealing with logs: the whys, hows and whats. You will learn how to enable logging and then how to deal with the resulting data deluge by managing data retention, analyzing data using search, filtering and correlation, as well as how to apply what you learned to key business and security problems. The class also teaches applications of logging to forensics, incident response and regulatory compliance. In the beginning, you will learn what to do with various log types and get brief configuration guidance for common information systems. Next, you will learn a phased approach to implementing a company-wide log management program, and go into specific log-related tasks that need to be done on a daily, weekly, and monthly basis in regards to log review and monitoring. Everyone is looking for a path through the PCI DSS and other regulatory compliance maze, and that is what you will learn in the next section of the course. Logs are essential for resolving compliance challenges; this class will teach you what you need to concentrate on and how to make your log management compliance-friendly. And people who are already using log management for compliance will learn how to expand the benefits of their log management tools beyond compliance. You will learn to leverage logs for critical tasks related to incident response, forensics, and operational monitoring. Logs provide one of the key information sources while responding to an incident, and this class will teach you how to utilize various log types in the frenzy of an incident investigation. Finally, the class author, Dr. Anton Chuvakin, probably has more experience in the application of logs to IT and IT security than anyone else in the industry. This means he and the other instructors chosen to teach this course have made a lot of mistakes along the way. You can save yourself a lot of pain and your organization a lot of money by learning about the common mistakes people make working with logs. Sign up here (likely to be full in a couple of days, so please hurry!). About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/263876.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/263876.shtml</guid></item>
<item><title>Random Fun Highlights from PCI DSS 2.0</title><description>Secuobs.com : 2010-11-09 20:07:41 - Anton Chuvakin Blog (Security Warrior) - ...for people who'd never read the whole thing (yes, I mean you, marketing people):
- "Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide": this is useful for, ahem, reminding merchants about it.
- "Verify that no cardholder data exists outside of the currently defined cardholder data environment": scoping stuff became much better, and this also smells like DLP to me. In any case, I hear DLP vendors are partying over this already :)
- "Where virtualization technologies are in use, implement only one primary function per virtual system component": this is what got added to 2.2.1, and it is great. Virtualization is now officially in!
- "Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities": my guess is a lot of people read too much into this change of 6.2. It pretty much means the same: bad vuln, fix it. I don't believe it will lead to reduced patching and increased risk acceptance. But I am sure some vendors that mix up firewall rules with vulnerability data will be ecstatic over this one.
- "Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes": the lack of change here in 6.6, which led a lot of merchants to think that web app scanners need to be run ANNUALLY, is sad. My guess is that "after ANY change" will be conveniently missed.
- "Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time": the updates to 10.4 are interesting; there are no new requirements (you still need to sync time), but there are more details here now. There is definitely more importance placed on this one in PCI 2.0.
- "Methods that may be used in the process [of wireless scanning] include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS": this sure kicked some wireless IDS/IPS vendors in the balls (or so I've heard :) ), as this can be interpreted as "wireline AP detection is just fine."
- "Perform quarterly internal vulnerability scans": a new 11.2.1, which used to be rolled into 11.2, is a good idea; internal scanning was completely ignored by many merchants, sadly. And now this req got its own number. The same happened to scanning after changes (a new 11.2.3), which is good too. Finally, "rescan internal until fixed" is a useful reminder for merchants who sometimes just scan for scanning's sake.
- "Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30)": adding examples to 12.1.2, as well as a testing procedure, is handy. We don't need people creating their own idiotic "risk assessment" methods.
- "Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises": this made 11.4 more palatable to merchants, I am sure; adding "at critical points in CDE" is useful.
So, is it perfect now? Come on! But there are many small but useful changes that will help merchants protect the cardholder data. I can see how this version can survive for 3 years just fine. Enjoy!

About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/263586.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/263586.shtml</guid></item>
<item><title>LogChat Podcast 3: Anton Chuvakin and Raffy Marty Talk Logs</title><description>Secuobs.com : 2010-11-05 12:07:20 - Anton Chuvakin Blog (Security Warrior) - LogChat Podcast is back again, and now on iTunes as well! Everybody knows that all this world needs is a podcast devoted to logs, logging and log management (as well as SIEM, incident response and other fun related subjects). And now you have it AGAIN with edition #3, through the sheer combined genius of our "guest host" Raffael Marty (sorry, Andrew Hay; please get well soon, the world of logging needs you!) and myself, Anton Chuvakin. As usual, administrative items first:
1. So far, we are still not ready with transcribing. I did try Amazon Mechanical Turk, but it didn't turn out to be as inexpensive as people claimed. If you have ideas for a good inexpensive transcribing service, we are all ears.
2. We plan for this to happen every three weeks, recorded on Wednesday, posted on Thursday. However, due to our work schedules, irregularities will occur :-)
3. Please suggest topics to cover as well, even though we are not likely to run out of ideas for a few years. Our topic today is building a business case for log management: justifications for logging, log collection and log review, time/money savings, availability monitoring, logs for incident response AND system troubleshooting, "going beyond compliance," the business case for SIEM vs log management, etc.
4. Any other feedback is HUGELY useful. Is it too long? Too loud? Too rant-y? Too technical? Not enough jokes? Too few mentions of the "cloud"? Feedback please!
And now, in all its glory, the podcast: the link to the #3 MP3 is here (MP3), the RSS feed is here, and it is also on iTunes now. Enjoy THE LogChat!

Possibly related posts: LogChat Podcast 1: Anton Chuvakin and Andrew Hay Talk Logs; LogChat Podcast 2: Anton Chuvakin and Andrew Hay Talk Logs

About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/262681.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/262681.shtml</guid></item>
<item><title>Log Management Tool Selection Checklist Out!</title><description>Secuobs.com : 2010-11-03 15:00:17 - Anton Chuvakin Blog (Security Warrior) - Knowing how much people love checklists, here is one more: a checklist for comparing log management tools. It is being released at the new log management related site, Log Management Central (subscribe to RSS, follow on Twitter). The announcement and brief description is here. The printable PDF version is here. The spreadsheet XLS version with adjustable criteria scoring is here. Disclosure: creation of this checklist was funded by a vendor, but it did not affect my choice of criteria or any other content decision. It also does not reduce awesomeness in any way! In other words, it is up to you how to use it (and whether to use it) and what decision to make after evaluating the tools. Just don't make the decision of letting your logs rot :) Please feel free to make suggestions to make the checklist more useful. Is anything missing? Worded in a non-vendor-neutral way? Anything else?

Possibly related posts: Simple Log Review Checklist Released!; On Free Log Management Tools

About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/262098.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/262098.shtml</guid></item>
<item><title>CFP for RSA 2011 Metricon 5.5 Event: Be There!</title><description>Secuobs.com : 2010-11-01 20:00:57 - Anton Chuvakin Blog (Security Warrior) - Mini-MetriCon 5.5 (organized by securitymetrics.org, loosely defined :) ) is intended as a forum for lively discussion in the area of security metrics. It is a forum for quantifiable approaches and results to problems afflicting information security today, with a bias towards specific approaches that demonstrate the value of security metrics with respect to a security-related goal. Topics and presentations will be selected for their potential to stimulate discussion in the workshop. Mini-MetriCon will be a one-day event, Monday, February 14, 2010, co-located with the RSA Conference; the meeting room is a courtesy of RSA. Mini-Metricon begins at 8:30am, and lunch is taken in the meeting room. Attendance will be by invitation and limited in size. All participants are expected to be willing to address the group in some fashion. Potential Mini-Metricon participants are expected to submit a discussion topic. Abstracts of papers, research projects, or practitioner presentations are encouraged and may result in a session allocation devoted to the submission topic. We also welcome ideas for 5-to-10-minute lightning talks on topics such as security-related data sets or key problems and challenges in security metrics. Collections of these talks are expected to result in group discussion on the submitter's topic of interest. Submissions should be sent to metricon55@securitymetrics.org by November 12, 2010. Remember, the ONLY way to be there is to propose a discussion topic! There is no non-participating audience, as per the event charter :) PS Last year I had to pass on both a Cloud Security Alliance meet-up and some VC meetings in order to be at the Metricon, and I didn't regret it one bit. As you can guess, I can recognize deep awesomeness when I see it :)

Possibly related posts: Notes from RSA 2010 Metricon event

About me: http://www.chuvakin.org</description><link>http://www.secuobs.com/revue/news/261550.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/261550.shtml</guid></item>
<item><title>Monthly Blog Round-Up: October 2010</title><description>Secuobs.com : 2010-11-01 18:14:06 - Anton Chuvakin Blog (Security Warrior) - Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting blog content. If you are "too busy to read the blogs", at least read these. So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month: 1. By far, the top position in October is held by my repost of my free log management tool list, "On Free Log Management Tools", from my consulting site. The list was reposted and retweeted like crazy. The original version was written as a companion to our "Log Review Checklist" that also sits on the top list this month. 2. The notes from my reading of the Verizon PCI report, "Verizon PCI Report is Out", are next. The report is really, really good, so you should read it along with their data breach reports. 3. "On Choosing SIEM", a companion to "How Do I Get The Best SIEM?", held the next top position. If you are thinking of getting a SIEM or a log management tool, check them out and also look at related resources at the end of these posts. "The Myth of SIEM as An Analyst-in-the-box, or How NOT to Pick a SIEM-II" and "I Want to Buy Correlation, or How NOT to Pick a SIEM" also stay at the top; it seems like smaller organizations are looking at deploying SIEM and log management and there is a lot of interest in simple guidance. BTW, the newest post in this loose series is "So, What Should I Want?, or How NOT to Pick a SIEM-III". And you can always get me to help with the selection, of course. 4. Career posts are always super-popular somehow; the "Gartner-heads vs Packet-heads" post is no exception. The previous post in my security career series, "Skills for Work vs Skills for Getting Hired", still shows up in the Top 10, as well as their predecessor, "Myth of an Expert Generalist". 5. "Updated With Community Feedback: SANS Top 7 Essential Log Reports DRAFT2", "SANS Top 5 Essential Log Reports Update" and their predecessor "Top5 SANS Log Reports Update DRAFT" also show up close to the top. Now that I have a bit more time, I will finally finish the write-up and submit it to SANS for distribution. 6. Our LogChat podcast release is next on the list; the third issue is coming next week. The podcast is now on iTunes as well, check it out. Also, below I am thanking my top 3 referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog: 1. Walt Conway 2. Ben Tomhave 3. Michał Wiczyński. See you in October! (Also see my annual "Top Posts": 2007, 2008, 2009.) Possibly related posts (past monthly popular blog round-ups): Monthly Blog Round-Up for September 2010, August 2010, July 2010, June 2010, May 2010, April 2010, March 2010, February 2010, January 2010, December 2009, November 2009, October 2009, September 2009, August 2009, July 2009, June 2009, May 2009, April 2009, March 2009, February 2009, January 2009, December 2008, November 2008, October 2008, September 2008, August 2008, July 2008, June 2008, May 2008, April 2008, March 2008, February 2008, January 2008, December 2007, November 2007, October 2007, September 2007, August 2007.</description><link>http://www.secuobs.com/revue/news/261516.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/261516.shtml</guid></item>
<item><title>"So, What Should I Want?" or How NOT to Pick a SIEM-III</title><description>Secuobs.com : 2010-10-27 02:20:05 - Anton Chuvakin Blog (Security Warrior) - "So, what should I want?" The allure of asking that question is truly irresistible when dealing with somebody who (presumably) knows more than you do about a particular subject. Lately, I experienced its force first hand when dealing with various contractors on swimming pool, flooring, A/C, remodeling, all new to me due to the purchase of our first house. These insane words just roll off your tongue after a contractor explains 57 floor board options or 4 types of swimming pool heaters. In light of this, I am not shocked when a SIEM prospect asks that question of a vendor sales guy or (slightly better) a field engineer. Have you ever caught yourself asking questions like: "What log data should I collect first?" "What are the best reports I should run?" "Which correlation rules should I enable?" "What data should I search for?" "What is the best access control policy for my SIEM implementation?" That stuff happens out there every day. Despite all the evangelizing about "business requirements", "use cases", "focus on problems solved" and other words and phrases of wisdom, a lot of SIEM is purchased as described above: "Dear vendor, tell me what I should want." And you know what? If your organization is truly committed to the cause of furthering the world's idiocy, that may work. Asking the vendor is BETTER than just choosing at random (as I discovered with some of my house-related chores). Yes, on average, you'd get suggestions towards more expensive stuff (surprise!), but vendor research + vendor opinion (IMHO) are better than no research + random choice. And of course: the above point about that working (occasionally, somewhat) does NOT remove the simple fact that THE RIGHT WAY TO PROCURE A SIEM IS STILL: THINKING ABOUT YOUR REQUIREMENTS AND THEN YOUR USE CASES. And then choosing a product. Still, the evil allure of "please tell me what I want" is very hard to resist when looking for SIEM and log management tools. BTW, "On Choosing SIEM" has the "less wrong" way described in more detail. Possibly related posts: "On Choosing SIEM"; "I Want to Buy Correlation, or How NOT to Pick a SIEM"; "The Myth of SIEM as An Analyst-in-the-box, or How NOT to Pick a SIEM-II"; "Logging, Log Management and Log Review Maturity"; "Log Management + SIEM = ?"; "On SIEM Complexity"; "SIEM Bloggables"; "SIEM Use Cases"; whitepaper with detailed SIEM use cases (using a particular SIEM as an example); "Log Management / SIEM Users: Minimalist vs Analyst"; all posts labeled SIEM.</description><link>http://www.secuobs.com/revue/news/260111.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/260111.shtml</guid></item>
<item><title>Security Scoreboard Updated</title><description>Secuobs.com : 2010-10-20 16:34:47 - Anton Chuvakin Blog (Security Warrior) - FYI, Security Scoreboard (aka "Yelp for Security Products") comes up with an update which makes it even more useful. The following is reposted from their news blast: "Real-time Vendor News and Reviews - Vendor pages now feature real-time news and analysis pulled from select credible sources. Security Scoreboard filters and sorts these results to bring you the most relevant links for each company. User Link Submission - Users can now submit their own links to relevant online sources for inclusion in vendor listings. Listing Competitors - Security Scoreboard now lists select competitors on vendor pages. This helps CISOs and CIOs quickly find the main players in a specific market segment such as, for example, firewall management tools or phone-based 2-factor authentication solutions." (HOT feature! [A.C.]) "Comment Section - Visitors can now leave comments on any listing without filling out a review." Sadly, there are still a few mistakes. For example, check out their SIEM listings: which ONE company has absolutely nothing to do with SIEM there? I always recommend starting your security product research there, if you don't know where to start.</description><link>http://www.secuobs.com/revue/news/258586.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/258586.shtml</guid></item>
<item><title>Verizon PCI Report is Out</title><description>Secuobs.com : 2010-10-18 15:06:27 - Anton Chuvakin Blog (Security Warrior) - Taking notes as I am reading Verizon's awesome "Verizon 2010 Payment Card Industry Compliance Report" (PDF): "Organizations struggled most with requirements 10 (track and monitor access), 11 (regularly test systems and processes), and 3 (protect stored cardholder data)" - not surprising, given DAILY log review in 10.6. "Overall, organizations that suffered a data breach were 50% less likely to be compliant than a normal population of PCI clients" - one of THE KEY findings and a good measure of PCI DSS efficiency; the "PCI works" side of the argument gets a powerful weapon. "All of the top 10 threat actions leading to the compromise of payment card data are well within scope of the PCI DSS" - not at all surprising to me, but it might surprise some of the "attacks are soooooo dynamic" people :-) "An organization may be able to pass validation in order to 'achieve compliance' but then once the QSA leaves become lax about maintaining the degree of security the standard is designed to provide over time. As such, the goal of any organization should be to maintain its state of security in adherence with the minimum baseline compliance requirements set by the standard" - a very useful reminder to more than a few folks who forget that "QSAs do not manufacture compliance". "22% were validated compliant with the PCI DSS at the time of their IROC" - indeed a point worthy of discussion; 22% found compliant from the 1st shot is pretty darn good, IMHO. "These organizations had at least some expectation going into the validation process that they would be found compliant and yet over three quarters of them were not" - indeed, compliance is MUCH easier if it exists only in your mind :-) "Most organizations appear overconfident when assessing the state of their security practices" - Cap'n Obvious calling... calling... calling :-) "Regular testing (R11) and monitoring (R10) may be the most crucial but underrated and least appreciated aspects of security" - if a merchant has to work at it throughout the year, as opposed to simply buying (or checking) the box, compliance rates lag. "We have shown that the majority of organizations do not meet their goal of 100% compliance upon initial assessment" - BTW, do we realize that these guys were likely not compliant for most of the time since their last compliant FRoC? "Organizations tend to struggle in all of these areas, most notably with generating (10.1 and 10.2), protecting (10.5), reviewing (10.6), and, to a lesser extent, archiving (10.7) logs" - well, it is not only the hard stuff that is hard. The easy stuff is hard too, mmmm. "Breach victims are less compliant than a normal population of organizations... these results do suggest that an organization wishing to avoid breaches is better off pursuing PCI DSS than shunning it altogether" - this is (a part of) proof that PCI DSS works to improve security. Nice! "It cannot be said that the PCI DSS fails to address the most prevalent threats to cardholder data. None of the top threat actions listed above falls outside the scope of its 12 requirements. For most of them, in fact, multiple layers of relevant controls exist across the standard" - as obvious as it was to me, I suspect some people will be surprised. Today's threats don't seem as "dynamic" as some people think. "The requirements exhibiting the worst assessment scores (10, 11) are also those most broadly applicable to the threat actions shown in Table 4. It should not be terribly surprising, then, that organizations suffering known data breaches were not highly compliant with the PCI DSS" - oops! Fail to do the right things, suffer a breach (with or without PCI DSS). "Achieving and maintaining PCI Compliance should not be considered an annual project but a daily process" - please keep this in mind, darn it. What is so special about this line that we have to repeat it every freaking day (and still have some people act as if it is news to them)? Next I started quoting from the report conclusions and realized I'd be quoting most of their content. So, just read it! Finally, a good way to think about PCI DSS is shown on page 11 of the report (image not reproduced). Overall, a SUPERB piece of work (did I mention that I think it is awesome? :-)) and a must-read for any PCI DSS proponent OR skeptic. Possibly related articles: "Verizon Breach Report 2010 OUT".</description><link>http://www.secuobs.com/revue/news/257835.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/257835.shtml</guid></item>
<item><title>Links for 2010-10-15 (delicious)</title><description>Secuobs.com : 2010-10-16 11:03:06 - Anton Chuvakin Blog (Security Warrior) - Security services firm iSEC Partners acquired - Security Bytes</description><link>http://www.secuobs.com/revue/news/257528.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/257528.shtml</guid></item>
<item><title>LogChat Podcast #2: Anton Chuvakin and Andrew Hay Talk Logs</title><description>Secuobs.com : 2010-10-14 20:54:19 - Anton Chuvakin Blog (Security Warrior) - LogChat Podcast is back - and now on iTunes as well! Everybody knows that all this world needs is a podcast devoted to logs, logging and log management (as well as SIEM, incident response and other closely related subjects). And now you have it AGAIN with edition #2 - through the sheer combined genius of Andrew Hay and myself, Anton Chuvakin. Administrative items first: 1. It turns out, we don't need a new name. We are now entirely happy with "LogChat". The prize we offered will hereby be awarded to that one person who liked the original name :-) Marisa, please email me to claim your very own signed copy of the "PCI Compliance" book. 2. So far, we are still not ready with transcribing. I did try Amazon Mechanical Turk, but it didn't turn out to be as inexpensive as people claimed. If you have ideas for a good inexpensive transcribing service, we are all ears. 3. We plan for this to happen every four weeks - recorded on Wednesday, posted on Thursday. However, due to our work schedules, irregularities may occur :-) 4. Please suggest topics to cover as well - even though we are not likely to run out of ideas for a few years. Our topic today is log collection challenges and solutions: log sizing, EPS estimation, agents/agentless, high volume collection, Windows to syslog, etc. 5. Any other feedback is HUGELY useful. Is it too long? Too loud? Not enough jokes? Too few mentions of the "cloud"? Feedback please! And now, in all its glory - the podcast: the link to the #2 MP3 is here (MP3), the RSS feed is here - it is also on iTunes now. Enjoy THE LogChat! Possibly related posts: "LogChat Podcast #1: Anton Chuvakin and Andrew Hay Talk Logs".</description><link>http://www.secuobs.com/revue/news/257056.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/257056.shtml</guid></item>
<item><title>Reposted: On Scope Shrinkage in PCI DSS</title><description>Secuobs.com : 2010-10-10 21:36:15 - Anton Chuvakin Blog (Security Warrior) - Note: this was written as a guest post for Branden Williams' blog (my co-author for the "PCI Compliance" book); it is reposted here for posterity. People who came to PCI DSS assessments and related services (such as compliance gap analysis and even implementation of PCI controls) from doing pure information security often view PCI scope reduction as "a cheap trick" aimed at making PCI DSS compliance undeservedly easier. They only think of scope reduction as limiting the area where PCI DSS security controls apply - with negligence, supposedly, reigning supreme outside of that sacred area. However, PCI DSS scope shrink is not just a cop-out aimed at not protecting the data. It is not just a "PCI project cost reduction" measure. Some half-witted analysts propagate this view by saying things like "by reducing the scope, these enterprises can dramatically lower the cost and anxiety of PCI DSS compliance and significantly increase the chance of audit success" (eh, for starters, a PCI on-site assessment is not an audit, stop calling it that!). Well, you will get that, but it is not the point of scope reduction at all. In reality, efforts to reduce the area of PCI DSS applicability (scope reduction) are one of the most effective ways to reduce the risk of cardholder data theft. Like we say in our PCI book (Chapter 5, "Protecting Cardholder Data"): "Before we even start our discussion of data protection methods, we need to remind you that 'the only good data is dead data'. Humor aside, dropping, deleting, not storing and otherwise not touching the data is the best single trick to make your PCI DSS compliance easier as well as to make the transaction less risky, reduce your liability, chance of fines and breach notification losses." If you'd like, think of scope reduction as one of the manifestations of the "least privilege" principle, or the "least data needed to do business" principle. You stop the spread of card data and thus become a more compact, harder to hit target. Along the same line, tokenization, data vaults, virtual terminals, hashing, network segmentation, transient PAN storage all reduce scope and reduce risk at the same time. These are the things that make PCI compliance easier WHILE reducing the risk of damaging compromise. So, reduce scope by changing business process; it will bring more security benefits than THAT FIREWALL you deploy. And remember that fable about somebody asking a QSA firm that was planning to accept payment cards as payment for PCI assessments (oh, irony!) how they would do it? "What? Of course we'd outsource it! We won't touch that toxic 'card data' shit."</description><link>http://www.secuobs.com/revue/news/255693.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/255693.shtml</guid></item>
<item><title>Links for 2010-10-05 (delicious)</title><description>Secuobs.com : 2010-10-06 10:31:18 - Anton Chuvakin Blog (Security Warrior) - Qualys, Inc. acquired Nemean</description><link>http://www.secuobs.com/revue/news/254650.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/254650.shtml</guid></item>
<item><title>Monthly Blog Round-Up: September 2010</title><description>Secuobs.com : 2010-10-02 04:10:16 - Anton Chuvakin Blog (Security Warrior) - Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting blog content. If you are "too busy to read the blogs", at least read these. So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month: 1. Top position this month is held by my quick analysis of the ArcSight acquisition by HP, "End of an Era: ArcSight Goes to HP". Winners, losers, trends, the usual fun stuff. 2. Our LogChat podcast inaugural issue is next on the list; the second issue is coming next week. Stand by! 3. "On Free Log Management Tools" is a repost from my consulting site. The list of free log management tools is a companion resource to our "Log Review Checklist". An updated version has just been posted. 4. Making fun of stupidity in the security industry was always one of my favorite pastimes: the "Nobody Is That Dumb? Oh Wait!" series just got its 13th issue, courtesy of "Information Security" magazine. It is about how to win a SIEM contest without building a SIEM product, and then get good press on it. 5. Career posts are always super-popular somehow; the "Gartner-heads vs Packet-heads" post is no exception. The previous post in my security career series, "Skills for Work vs Skills for Getting Hired", still shows up in the Top 10, as well as their predecessor, "Myth of an Expert Generalist". 6. "Updated With Community Feedback: SANS Top 7 Essential Log Reports DRAFT2", "SANS Top 5 Essential Log Reports Update" and their predecessor "Top5 SANS Log Reports Update DRAFT" also show up close to the top. Now that I have a bit more time, I will finally finish the write-up and submit it to SANS for distribution. 7. "How Do I Get The Best SIEM?", a companion to "On Choosing SIEM", went to the top like lightning a few months ago and stayed there this month as well. If you are thinking of getting a SIEM or a log management tool, check them out and also look at related resources at the end of these posts. "The Myth of SIEM as An Analyst-in-the-box, or How NOT to Pick a SIEM-II" and "I Want to Buy Correlation, or How NOT to Pick a SIEM" also stay at the top; it seems like smaller organizations are looking at deploying SIEM and log management and there is a lot of interest in simple guidance on this. And you can always hire me to help with the selection, of course. Yeah, so my Top 5 has 7 entries this month. And your point is? :-) Also, below I am thanking my top 3 referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog: 1. Michał Wiczyński 2. Dancho Danchev 3. Raffael Marty. See you in October! (Also see my annual "Top Posts": 2007, 2008, 2009.) Possibly related posts (past monthly popular blog round-ups): Monthly Blog Round-Up for August 2010, July 2010, June 2010, May 2010, April 2010, March 2010, February 2010, January 2010, December 2009, November 2009, October 2009, September 2009, August 2009, July 2009, June 2009, May 2009, April 2009, March 2009, February 2009, January 2009, December 2008, November 2008, October 2008, September 2008, August 2008, July 2008, June 2008, May 2008, April 2008, March 2008, February 2008, January 2008, December 2007, November 2007, October 2007, September 2007, August 2007.</description><link>http://www.secuobs.com/revue/news/253701.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/253701.shtml</guid></item>
<item><title>On Free Log Management Tools</title><description>Secuobs.com : 2010-09-30 16:32:06 - Anton Chuvakin Blog (Security Warrior) - I completely forgot to repost my list of free log management tools to the blog from my consulting site. Here it is (the original is updated periodically). This page lists a few popular free open-source log management and log analysis tools. The page is a supplement to the "Critical Log Review Checklist for Security Incidents" that can be found here or as PDF or DOC (feel free to modify it for your own purposes or for internal distribution - but please keep the attribution to us authors). The log cheat sheet presents a checklist for reviewing critical system, network and security logs when responding to a security incident. It can also be used for routine periodic log review. It was authored by Dr. Anton Chuvakin and Lenny Zeltser. The open source log management tools are: 1. OSSEC (ossec.net), an open source tool for analysis of real-time log data from Unix systems, Windows servers and network devices. It includes a set of useful default alerting rules as well as a web-based graphical user interface. This is THE tool to use if you are starting up your log review program. It even has a book written about it. 2. Snare agent (intersectalliance.com/projects/index.html) and ProjectLasso remote collector (sourceforge.net/projects/lassolog) are used to convert Windows Event Logs into syslog, a key component of any log management infrastructure today (at least until Vista/W7 log aggregation tools become mainstream). 3. syslog-ng (balabit.com/network-security/syslog-ng) is a replacement and improvement of the classic syslog service - it also has a Windows version that can be used the same way as Snare. 4. Among the somewhat dated tools, Logwatch (logwatch.org), Lire (logreport.org) and LogSurfer (crypt.gen.nz/logsurfer) can all still be used to summarize logs into readable reports. 5. sec (simple-evcorr.sourceforge.net) can be used for correlating logs, even though most people will likely find OSSEC correlation a bit easier to use (or even use OSSIM, below). 6. LogHound (ristov.users.sourceforge.net/loghound) and slct (ristov.users.sourceforge.net/slct) are more "research-grade" tools that are still very useful for going thru a large pool of barely-structured log data. 7. Log2timeline (log2timeline.net) is a useful tool for investigative review of logs; it can create a timeline view out of raw log data. 8. LogZilla (aka php-syslog-ng; code.google.com/p/php-syslog-ng) is a simple PHP-based visual front-end for a syslog server to do searches, reports, etc. The next list is a list of "honorable mentions" which includes logging tools that don't quite fit the definition above: Splunk is neither free nor open source, but it has a free version usable for searching up to 500MB of log data per day - think of it as a smart search engine for logs. OSSIM is not just for logs and also includes OSSEC; it is an open source SIEM tool and can be used much the same way as commercial Security Information and Event Management tools are used (SIEM use cases). Microsoft Log Parser is a handy free tool to cut thru various Windows logs, not just Windows Event Logs. A somewhat similar tool for Windows Event log analysis is Mandiant Highlighter (mandiant.com/products/free_software/highlighter). Sguil is not a log analysis tool, but a network security monitoring (NSM) tool; it does use logs in its analysis. For a list of commercial log management tools go to the Security Scoreboard site. A few of the commercial tools offer free trials for up to 30 days. Feel free to suggest your favorite tools and I will update the list. Possibly related posts: "Simple Log Review Checklist"; "SANS Top 5 Essential Log Reports Update".</description><link>http://www.secuobs.com/revue/news/253116.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/253116.shtml</guid></item>
<item><title>Next Career Post: "Gartner-heads" vs "Packet-heads"</title><description>Secuobs.com : 2010-09-27 15:13:18 - Anton Chuvakin Blog (Security Warrior) - Who do you want to be when you grow up, "a Gartner-head" or "a packet-head"? Huh? Over the years, I realized that even in our mixed-up field of information security there are essentially two paths (that is, provided you do choose to follow a path as opposed to just "dabble in security" or be an "I just work here" kinda guy). Instead of starting from asking a question of "do you even need a path?" or "is security your career or your passion?", let's assume that it IS in fact your passion. It might vary in strength from an all-consuming mental affliction to a mild case of "securitis" (or "securosis", perchance :-)) - but it is a passion nonetheless. How do you plot your course through that passion without losing your mind and then switching to a real estate career (BTW, a real case I've heard of)? And how do you stay on your path without diffusing your efforts, losing focus and becoming "aware of everything and expert in nothing"? As I mentioned, there are two paths: 1. A path towards super-deep technical kung fu in one or very few related areas. It does not have to be exploitation (even though that is a popular choice), but can be about network packets, web app security, malware reversing or something even more fun (eh, logs?). This is what I humorously call "The Path of a Packet-head". 2. A path towards... well, let's call it "strategy", even though the word is heavily abused. This is where "CSOs-from-god" and good security product leaders come from. This is what I humorously call "The Path of a Gartner-head". It goes without saying that suffering through a few hex dumps or through a few policy rewrites does not put you on the path. And neither does reading an exciting piece from... well, Gartner. I am talking here about a commitment to become one of the best in the field (BTW, I hate the "be the best you can" theme; for many people it just means "you'd still suck", but I guess that'd be an un-American thing to say, so I won't say it :-)). But here is the trick: there is some MAGIC in carefully blending the two paths a bit. The trick is in NOT losing focus on your path WHILE blending in (but not dabbling in) something from the other path. A simple example: if you spend 12 hours a day looking at the smoking guts of malicious software, try reading what some analyst firm wrote about the anti-virus market, even if it sounds a bit boring at first. Does it make sense to you, or not? Does what they say match your experience? The opposite is even more true: if you spend 8 hours a day writing policies and connecting pieces together into "a big picture", why don't you pick one of said "pieces" and look what's inside? Does it have code? What does it do? Does it really work? And how do you know? Thinking about things like that has a potential of moving you forward on your path, however counterintuitive it might sound. It will also give you career advantages without falling into the "generalist expert" crap, eh, trap. At the risk of praising myself too much, only now I fully grasped the compliment somebody gave me a few years back: "you can switch from reading packets to reading Gartner in a second, and not even flinch" :-) Let's consider this an inspiration for this post, nothing more (no offense to esteemed folks from Forrester :-)). Possibly related posts: "Skills for Work vs Skills for Getting Hired"; "A Myth of An Expert Generalist"; all posts related to career.</description><link>http://www.secuobs.com/revue/news/251981.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/251981.shtml</guid></item>
<item><title>Nobody Is That Dumb? Oh, Wait! XIII</title><description>Secuobs.com : 2010-09-25 03:00:34 - Anton Chuvakin Blog "Security Warrior" - Perhaps surprisingly, but "Information Security" magazine allowed me to restart my long-forgotten "Nobody Is That Dumb? Oh, Wait!" series. The last post in the series was a long time ago, so thanks to them we now have the "13 Hurrah". So, their latest issue has this brilliant piece of sheer idiocy: [image] Do you really need me to comment? Just laugh: TrendMicro gets a Silver Prize in SIEM category WITHOUT EVEN HAVING A SIEM PRODUCT. And "reported dead a few times" Symantec SIM gets a Gold Prize, but that just gets filed under "insult to injury" category. So, even though my subscription has expired, I just updated my address with them so that they can send me some of the stuff they are smoking. Possibly related posts: Everything else labeled "stupidity".</description><link>http://www.secuobs.com/revue/news/251594.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/251594.shtml</guid></item>
<item><title>Two Fun Presentations Today</title><description>Secuobs.com : 2010-09-23 13:27:37 - Anton Chuvakin Blog "Security Warrior" - Just FYI, I am doing two fun PCI DSS presentations today: 1. LogLogic's "PCI 2.0 - What's Next?" (register): "The PCI DSS standard is evolving, with version 2.0 due some time very soon. The summary of changes has just been issued. Do you know how it affects you? Dr. Anton Chuvakin, author of the book "PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance", will talk us through what's expected, how you should respond, and how you should target your efforts. The focus of course will be on audit trails, tracking and forensics within a best-practice framework provided by LogLogic." and 2. BrightTalk's "What PCI DSS Taught Us About Security" (register): "This presentation will derive some useful lessons from our industry experience with PCI DSS. Organizations can use these lessons to improve their security programs and reduce risk as well." The first one is more useful and the second one is more... fun. Enjoy! Possibly related posts: All recent presentations; LogChat Podcast 1: Anton Chuvakin and Andrew Hay Talk Logs; Compliance Poll Analysis: PCI DSS Wins.</description><link>http://www.secuobs.com/revue/news/250994.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/250994.shtml</guid></item>
<item><title>Links for 2010-09-20 (delicious)</title><description>Secuobs.com : 2010-09-21 10:55:55 - Anton Chuvakin Blog "Security Warrior" - Ross Macdonald: SECURITY M&amp;A GONE A BIT CRAZY</description><link>http://www.secuobs.com/revue/news/250207.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/250207.shtml</guid></item>
<item><title>Links for 2010-09-17 (delicious)</title><description>Secuobs.com : 2010-09-18 10:07:01 - Anton Chuvakin Blog "Security Warrior" - Another week on the acquisition rollercoaster - SC Magazine UK; The Perils that PCI Brings to Security</description><link>http://www.secuobs.com/revue/news/249252.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/249252.shtml</guid></item>
<item><title>Monthly Blog Round-Up - July 2010</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog "Security Warrior" - Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting blog content. If you are "too busy to read the blogs," at least read these. So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.

1. "Top 5 SANS Log Reports Update DRAFT" finally beat the previous champion of a few months, "Simple Log Review Checklist Released". In a few days, I will post the results of a community effort to refine the new SANS Top 8 Log Reports; stand by.
2. Career posts somehow always get top scores automatically and "Skills for Work vs Skills for Getting Hired" is no exception. Just as its predecessor, "Myth of an Expert Generalist", it got on my monthly Top 5 posts immediately, was featured on Reddit.com, etc, etc.
3. "How Do I Get The Best SIEM?", a companion to "On Choosing SIEM", went to the top like lightning a few months ago and stayed there this month. If you are thinking of getting a SIEM or a log management tool, check them out and also look at related resources at the end of these posts. "The Myth of SIEM as An Analyst-in-the-box, or How NOT to Pick a SIEM-II" and "I Want to Buy Correlation, or How NOT to Pick a SIEM" also stay at the top; it seems like smaller organizations are looking at deploying SIEM and log management and there is a lot of interest in simple guidance on this.
4. Next up are my notes from University PCI DSS workshop where I delivered a keynote: "My Best PCI DSS Presentation EVER" (the infamous "compliance kitten" quotes come from here).
5. The report from HITB 2010 Amsterdam conference which I opened with a keynote "Security Chasm" is also on the monthly top list: "HITB 2010 Amsterdam Awesomeness".

Also, below I am thanking my top 5 referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog: 1. Michał Wiczyński 2. Raffael Marty 3. Dancho Danchev 4. Walt Conway 5. Cédric Blancher

See you in August; also see my annual "Top Posts" - 2007, 2008, 2009.

PS Watch for a fun post tomorrow, releasing a new SIEM whitepaper that I wrote for a client.

Possibly related posts (past monthly popular blog round-ups): Monthly Blog Round-Up - June 2010; Monthly Blog Round-Up - May 2010; Monthly Blog Round-Up - April 2010; Monthly Blog Round-Up - March 2010; Monthly Blog Round-Up - February 2010; Monthly Blog Round-Up - January 2010; Monthly Blog Round-Up - December 2009; Monthly Blog Round-Up - November 2009; Monthly Blog Round-Up - October 2009; Monthly Blog Round-Up - September 2009; Monthly Blog Round-Up - August 2009; Monthly Blog Round-Up - July 2009; Monthly Blog Round-Up - June 2009; Monthly Blog Round-Up - May 2009; Monthly Blog Round-Up - April 2009; Monthly Blog Round-Up - March 2009; Monthly Blog Round-Up - February 2009; Monthly Blog Round-Up - January 2009; Monthly Blog Round-Up - December 2008; Monthly Blog Round-Up - November 2008; Monthly Blog Round-Up - October 2008; Monthly Blog Round-Up - September 2008; Monthly Blog Round-Up - August 2008; Monthly Blog Round-Up - July 2008; Monthly Blog Round-Up - June 2008; Monthly Blog Round-Up - May 2008; Monthly Blog Round-Up - April 2008; Monthly Blog Round-Up - March 2008; Monthly Blog Round-Up - February 2008; Monthly Blog Round-Up - January 2008; Monthly Blog Round-Up - December 2007; Monthly Blog Round-Up - November 2007; Monthly Blog Round-Up - October 2007; Monthly Blog Round-Up - September 2007; Monthly Blog Round-Up - August 2007.</description><link>http://www.secuobs.com/revue/news/248904.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248904.shtml</guid></item>
<item><title>Verizon Breach Report 2010 OUT!</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog "Security Warrior" - Belated reading of Verizon DBIR 2010. My favorites: [image]

"79% of victims subject to PCI DSS had not achieved compliance" - close to what I suspect the reality is; a lot of organizations did try to "fake their way" to PCI compliance. Hopefully now Bob's point about "not compliant at the time of the breach" will make more sense. [AC]

"Because fraud alerts are the leading method of discovering breaches, it stands to reason that many breaches could occur without anyone being the wiser if the criminal decided it was in his best interest to be patient" and "We find it more than a little ironic that the most effective way of detecting data breaches is for the perpetrator to fraudulently use what was stolen" - every time I read "fraud is the leading method of breach discovery", I feel sad. To me this means either most organizations are negligent, or our security technology is crap. Or both :-)

I am not touching the whole insider vs outsider debate again; it just smells. Read the report and forget the "80/20 myth". Think about it though: every organization has 1-100,000 insiders (employees, partners, contractors, etc.), but there are possibly millions of criminal outsiders. Given how porous many networks are, who do you think will steal more?

"incredible 97% of the 140 million records were compromised through customized malware across the Verizon-USSS caseload" - toss the AV, finally! [AC]

"The use of stolen credentials was the number one hacking type in both the Verizon and USSS datasets, which is pretty amazing when you think about it" and "We've observed companies that were hell-bent on getting patch x deployed by week's end but hadn't even glanced at their log files in months" - given that password guessing (seen in logs) trumps vuln exploitation by such a wide margin, this should change. Will it? [AC]

"The security media hype machine would like us to believe that we're all Targets of Choice (which is "cool") and not Targets of Opportunity (which is silly) [AC] and there's nothing we can do to stop the new (insert whatever you like here) threat. This simply isn't true and is not a healthy line of reasoning for security management" - indeed, the "APT is for everyone" message is pretty stupid. If your passwords on external routers are something like "password", you have a long task list to go thru before "APT" shows up. [AC]

Breach discovery bar chart on the right is "The Saddest Picture Ever" (TM) :-) No comment really. [image]

"It cannot be a pleasant experience to learn that the six months of log data you've been collecting contained all the necessary indicators of a breach. It is, however, a common experience. We consistently find that nearly 90% of the time logs are available but discovery via log analysis remains under 5%."

"In the 2009 DBIR, we reported that event monitoring and log analysis, which should be the doyen of detection, successfully alerted only 6% of breach victims. This year that figure has dropped (yes, dropped) to 4%. Of that 4%, log analysis led to the discovery of a handful of breaches while intrusion detection systems identified only one" - Richard, IDS really is dead :-) (or The Second Saddest Fact in the report - AC)

"Change your approach to event monitoring and log analysis: A quick review of a few findings from this report will set the stage for this one. 1) In most attacks, the victim has several days or more before data are compromised. 2) Breaches take a long time to discover and 3) when that finally happens, it usually isn't the victim who finds it. 4) Finally, almost all victims have evidence of the breach in their logs" - this, BTW, reminds us that "detection within days" is darn right close to "real-time" for most organizations. [AC]

Get full report here. Enjoy!</description><link>http://www.secuobs.com/revue/news/248903.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248903.shtml</guid></item>
<item><title>Updated With Community Feedback: SANS Top 7 Essential Log Reports DRAFT2</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog "Security Warrior" - Thanks for overwhelming community response (here, here, here, and separate blog posts here and here, and I might have missed a few places too). The list has grown and is on the verge of becoming unwieldy and not "top" and "essential", so I am about to close the comment period, write up the doc and send it to SANS to update the legacy SANS Top 5 Log Reports (PDF). Any last second thoughts before I document this baby? Any smokin' hot log reports to add? Also, anything I should take OFF the list for not being "top" and "essential"?

1. Authentication and Authorization Reports
a. All login failures and successes by user, system, business unit (must have login success logs, not just failure)
b. Login attempts (successes, failures) to disabled/service/non-existing/default/suspended accounts
c. All logins after office hours / "off" hours
d. Users failing to authenticate by count of unique systems they tried
e. VPN authentication and other remote access logins (success, failure)
f. Privileged account access (logins, su use, Run As use, etc.) (success, failure)
g. Multiple login failures followed by success by same account (needs to have correlation for that)

2. Change Reports
a. Additions/changes/deletions to users, groups (even a trend on user additions across systems would be useful)
b. Additions of accounts to administrator / privileged groups
c. Password changes and resets, by users and by admins to users
d. Additions/changes/deletions to network services
e. Changes to system files (binaries, configurations); likely needs a list to run
g. Changes in file access permissions
h. Application installs and updates (success, failure) by system, application, user

3. Network Activity Reports
a. Log volume trend over days (watch for both drops and increases in logging levels on systems)
b. All outbound connections from internal and DMZ systems by system, connection count, user, bandwidth, count of unique destinations, hour of access (focus on "off hours")
c. Top largest file transfers (inbound, outbound) OR Top largest sessions by bytes transferred
d. Web file uploads to external sites - based on proxy logs
e. All file downloads by content type (exe, dll, scr, upx, etc.) and protocol (HTTP, IM, etc.)
f. Internal systems using many different protocols/ports
g. Top internal systems as sources of multiple types of NIDS, NIPS or WAF Alerts
h. VPN network activity by user name, total session bytes, count of sessions, usage of internal resources
i. P2P use by internal systems
j. Wireless network activity
   i. Rogue AP detection
   ii. Wireless network access by user
   iii. WIDS/WIPS alert activity

4. Resource Access Reports
a. General
   i. Access to resources on critical systems after office hours / "off" hours
b. Web
   i. Top internal users blocked by proxy from accessing prohibited sites (malware sources, pornography, etc.)
c. File
   i. File, network share or resource access (success, failure) - for specific audited resources
d. Database
   i. Top database users - excluding known application access
   ii. Summary of query types - excluding known application queries
   iii. All privileged user access
   iv. All users executing INSERT, DELETE commands - excluding known application queries
   v. All users executing CREATE, GRANT, schema changes, etc.
   vi. Database backups
e. Email
   i. Top internal email addresses by count of messages, byte volume
   ii. Top internal email addresses sending attachments to public hosted addresses
   iii. All emailed attachment content types, sizes
   iv. All internal systems sending mail, excluding known mail servers

5. Malware Activity Reports
a. All systems with AV events by user, system name, time trend
b. Detect-only events from anti-virus tools ("leave-alones")
c. All anti-virus protection failures (crashes, unloads, update failures, etc.)
d. Internal connections to known malware IP addresses (a public blacklist needed)

6. Failures and Critical Errors
a. Critical errors by system, application, business unit
b. System and application crashes, shutdowns, restarts
c. Backup failures
d. Capacity / limit exhaustion - memory, disk, CPU, etc.

7. Analytic Reports (Mostly Using "Never Before Seen" (NBS) aka "NEW Type/Object" Analysis; also add "rarely seen" (OSO), "bottom X by ...")
a. NEW (NBS) Log message types / event types
b. NEW (NBS) Users authenticating successfully
c. NEW (NBS) Sources that connected to systems using privileged accounts
d. NEW (NBS) Internal system connecting to external systems
e. NEW (NBS) External IPs connecting to NEW Entry Points (not sure how to collect this)
f. NEW (NBS) Ports accessed on internal systems
g. NEW (NBS) HTTP request types
h. NEW (NBS) Downloaded/uploaded content types
i. NEW (NBS) Query types on databases

More last-second comments? If not, I will be adding documentation for all report examples and submitting it to SANS for distribution. Also, if you commented, please let me know if you do NOT want your name in the credits. Default: you will be mentioned as valuable contributor as long as your contribution was, you know, valuable :-)

Possibly related posts: Simple Log Review Checklist; SANS Top 5 Essential Log Reports Update.</description><link>http://www.secuobs.com/revue/news/248902.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248902.shtml</guid></item>
<item><title>"How to Do Application Logging Right" Paper OUT!</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog "Security Warrior" - Just wanted to highlight another useful resource on logging: "How to Do Application Logging Right" by Gunnar Peterson and myself. Following on our previous IEEE paper (here, PDF), we explored application logging from a developer's perspective. As Gunnar already pointed out, "audit logs are one of the quick, dirty and cheap things that can improve enterprise security." Here is a fun excerpt: "Organizations have finally gotten network device logging and to some extent server logging under control. However, after getting used to neat Cisco Adaptive Security Appliance or other firewall logs and Linux "password accepted" messages, security incident investigators trying to respond to the next wave of attacks have been thrust into the horrific world of application logging" and "We can start by establishing criteria for good security audit logs (which we just call "logs" from now on). On the basis of the six Ws, the following list (see paper) provides a starting point for what to include in each application log message" and "Software architects and developers must "get" logging; there's no other way. This is because infrastructure logging from network devices and operating systems won't cut it for detecting and investigating application-level threats. Security teams will need to guide developers and architects through useful, effective logging." Grab the paper here (PDF) and enjoy! And, Raffy, you owe me another beer for "We thank Raffy Marty of Loggly for his thoughtful review of the draft article" :-) In fact, I think me using the word "thoughtful" here justifies "beer 2". Possibly related posts: IEEE.</description><link>http://www.secuobs.com/revue/news/248901.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248901.shtml</guid></item>
<item><title>Links for 2010-08-10 (delicious)</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog "Security Warrior" - Tektronix Communications to buy Arbor Networks - Daily Business Update - The Boston Globe</description><link>http://www.secuobs.com/revue/news/248900.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248900.shtml</guid></item>
<item><title>Pathetic Analytics Epiphany</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog "Security Warrior" - As some of you know, I have been doing SIEM and log management for more than 9 years already. Nine years of looking at them logs is a long time, lemme tell you :-) [image]

And that 86% of cases where intrusion evidence was present in logs (see Verizon 2010 Breach Report) just sent me down into cold rage. This is freakin' year twenty-ten! Why are people STILL not looking at their logs? Not even monthly, especially where daily is mandated (see PCI DSS)? Are they that mind-blowingly stupid? Do they love to live on the bloody edge, perhaps? Do they enjoy being violently penetrated and not even enjoy it, purely for masochistic purposes? I read some blog posts which basically expressed the same rage (example), and my rage just became The Epic Log Rage.

And while consumed by this rage, I had an epiphany: End-users are not really the ones to blame - not that much. Nobody can be blamed for not wanting to "grep" a 245GB log file (I think :-)). Our log analysis tools are simply too pathetic. Think about it - they are! Why do "empty search window" and "overly complicated correlation rule builder" represent the state of the art of log analysis after nearly 20 years of development in this field? Why do we have to dig for log insights like fucking truffle hunting pigs? [image]

Further, yesterday I was trying to explain the state of the art of log analysis to a client (who looks to use his cool new technology for log analysis and SIEM), and I felt embarrassed to admit that, yes, "search" and "rules" are indeed the state of the art. In other words, most of the analysis burden is on the tool USER BRAIN, not on the TOOL. They looked at me like I just wasted 10 years of my life, writing regexes and otherwise being a stupid monkey. Even things like profiling/baselining (example) or simple (and I mean SIMPLE) data mining (example, details) mostly stay on research drawing boards for ages. So, I can talk about unsupervised learning, associative rule discovery and natural language processing (the other NLP) for logs as well as the next guy (and maybe better), but the tools you can buy just don't have that shit. They have "compliance reports", "deep insight alert" (NOT :-)), "empty search window" and "learn what CustomInteger17 means and then you can write your very own correlation rule that will function, maybe" (while a simple Netflix movie selection triggers more brainpower on the backend than is available in all SIEM products combined).

To conclude, I have a suspicion that it is likely that in the near future all SIEM tools magically turn into electric typewriters.

PS My dear vendor friends and colleagues, don't take offense; I still love you. We all just need to work and think a little harder, that's all :-)

PPS My dear friends in academia, please DO take offense! Most log analysis research I've seen over the last 10 years is... mmm... not very practical. Get some real logs and get thinking.</description><link>http://www.secuobs.com/revue/news/248899.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248899.shtml</guid></item>
<item><title>Links for 2010-08-11 (delicious)</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog "Security Warrior" - Lack of attention invites cybersecurity breaches -- Government Computer News: "IT security guru Anton Chuvakin is creating a new 'Top 7 Essential Log Reports' for SANS Security Institute. Among his proposed candidates: network activity reports (called suspicious or unauthorized network traffic patterns in the current SANS list) and authentication and authorization, which includes login failures and successes, logins after office hours and attempts to gain unauthorized access through existing accounts."</description><link>http://www.secuobs.com/revue/news/248898.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248898.shtml</guid></item>
<item><title>CloudAudit Delivers: Cloud Compliance Maps</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog "Security Warrior" - CloudAudit delivers its first batch of cloud compliance specifications. Quoting from the announcement: "The CloudAudit initial distribution features five elements: 1) The CloudAudit normative specification in txt format (cloudaudit-specification_draft.txt) 2) The CloudAudit CompliancePacks archive of xls files which map controls/control objectives to namespaces based upon the Cloud Security Alliance Control Matrix (cloudaudit-compliancepacks.zip) 3) The CloudAudit namespaces archive which represents a complete CloudAudit directory tree representation of all CompliancePacks with placeholder index.html/manifest.xml created in each directory stub (cloudaudit-namespaces.zip) 4) The CloudAudit Python script pack which automates the creation of the CloudAudit namespaces above (cloudaudit-namespace_creator.zip) 5) A README.txt file (this content)" and "The CompliancePacks map control objectives to specific namespace entities which are contained below and feature NIST SP800-53, PCI DSS, HIPAA, ISO27002 and COBIT compliance frameworks. Ultimately these directories are where a Cloud Provider will store and secure the assertions and supporting materials related to each compliance framework or assertion" (the bold part is kinda the whole point :-) - AC). Grab the mammoth itself here (ZIP). Enjoy!</description><link>http://www.secuobs.com/revue/news/248897.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248897.shtml</guid></item>
<item><title>New SIEM Whitepaper on Use Cases In-Depth OUT!</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog "Security Warrior" - A lot of people talk about "SIEM use cases" (example), but few describe them in depth, complete with instructions on how to actually solve the problems and actually do each use case, using a particular SIEM tool. Here at Security Warrior Consulting, we are all about DOING, not just TALKING :-)

With this introduction, I am presenting a new detailed SIEM whitepaper that I wrote for the RSA enVision team: "This paper will help jumpstart SIEM use process and highlight common SIEM usage scenarios for organizations of all sizes. It will also explain how to operationalize the SIEM tool and utilize it for many security use cases and scenarios, from Web site threats to security incident response. Specific examples from RSA's enVision platform are used to illustrate the concepts in the paper."

Here is an excerpt from one use case from the paper: "Comprehensive firewall monitoring (security / network). Since the early days of SIEM technology, firewall log data has been considered as one of the most useful and commonly collected information sources. Apart from allowing and denying connections to and from the network, firewalls allow recording or logging of every single connection denied or allowed by the firewall. An example would be connections from the outside world to the DMZ Web server, or connections by users inside the company to their favorite social media Web site. Analysis of such logs is extremely useful for security, compliance and even operational purposes such as network management, bandwidth management, etc. For example, on the compliance side, PCI DSS, HIPAA, NERC/FERC all have firewall logging implications. Firewall logs are also extremely useful for incident response and forensics since they can help identify the connectivity pattern and serve as "poor man's netflow". On top of this, firewall logs can be used to assess the health of the firewall itself and to optimize the rule set performance. Collection: comprehensive firewall log collection is mandatory for this use case, and it is important to remember that firewalls can record both failed and successful connections through the firewall; both types are essential for SIEM."

Grab the paper here (PDF). Another fun long whitepaper is coming soon, and it will be just as fun. Possibly related posts: Two New Logging Resources Published; How Do I Get The Best SIEM?; On Choosing SIEM; One More Time on SIEM vs Log Management.</description><link>http://www.secuobs.com/revue/news/248896.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248896.shtml</guid></item>
<item><title>SIEM-related Job: Principal SIEM Consultant</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog "Security Warrior" - As a favor to yet another friend, I am posting yet another SIEM-related job.

Job Description: A Principal Security Consultant at Vigilant is expected to leverage his/her extensive technical abilities to provide innovative, pragmatic and business-focused security solutions for our customers. Principal Security Consultants report to the Director of Services Delivery, and are expected to work in the capacity of Vigilant Project Managers on multiple, concurrent engagements to architect and deliver a variety of solutions, in such functional areas as Security Information and Event Management (SIEM), Security Architecture and Design, and general Security Assessments. It is expected that the Principal Security Consultant will be a mentor within the Professional Services team, and will provide expert advice and guidance to partners and newer Vigilant consultants. Applicants who reside in the NY Metro area and Washington DC area are encouraged to apply.

Skills (Analytical / Technical Skills):
- Expert knowledge of SIEM products (ArcSight, Novell Sentinel, RSA enVision, etc.)
- Ability to design complex, enterprise-scale network security architectures
- Extensive knowledge in the use and configuration of relational databases, including Oracle and SQL Server
- Expert knowledge in the use of Unix (Solaris/Linux) and Windows Server Family (NT/2000)
- Extensive experience with Intrusion Detection Systems, Firewalls, Proxy Servers, Antivirus, NAC, or other network security infrastructure
- Familiarity with the integration of 3rd-party applications (ETL tools, data mining, business intelligence products)
- Ability to analyze complex issues for impact and alternative solutions, making logical decisions based on overall product objectives
- Ability to prioritize tasks and manage time efficiently
- High level of self-initiative and self-motivation

Full info and how to apply is here. More SIEM jobs from Vigilant in the NYC area are here. Possibly related posts: All posts tagged "jobs" (mostly SIEM and log management related).</description><link>http://www.secuobs.com/revue/news/248895.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248895.shtml</guid></item>
<item><title>Brief PCI Council Interview in Regards to PCI DSS 2.0</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog "Security Warrior" - Everybody knows that PCI DSS 2.0 is coming! The Council released a summary of changes for version 2.0 (PDF), to be released in October 2010. Council folks have granted this brief interview to Security Warrior Blog; it is provided below in its entirety.

Q1: As promised, the changes to PCI DSS are minor. Are you worried that since the next edition will come in 2013, both technology and threat landscape will change way too much and DSS will lose its relevance over time?

PCI Council Answer 1: The Standard is maturing and is increasingly being adopted globally, that's part of the reason why there are no new requirements in DSS 2.0. Nonetheless, we always have in place an errata process that allows us to add elements or requirements to the standards as necessary. It is important to note that in the years that the standards have been in effect, there has never been a specific threat that has required this (emphasis by AC).

AC: I am sure the highlighted bit will rile a lot of noisy security folks with minimum knowledge of the payment industry, but, upon some thinking, I actually tend to agree with it - mostly. The issue is not with "requirements are stale", but with merchants not doing this stuff. Daily log reviews are MANDATORY for PCI DSS compliance (see Req. 10.6). Are they ALL doing it? Ha! And people still fall victim to password guessing en masse, like it's 1983. Even future "PCI in the cloud" is fairly well addressed by Req. 12.8. So please can this "threats are dynamic" snivel.

Q2: Does Council plan to launch any studies on the effectiveness of "the new PCI DSS" vs today's cyber attacks against payment card data?

PCI Council Answer 2: While we have no plans for an official study, we do receive feedback and public forensic reports, like the recent Verizon Data Breach report, that allow us to review forensic data gathered globally (link added by AC).

Q3: Will there be any changes to Prioritized Approach to PCI DSS document in light of PCI DSS changes?

PCI Council Answer 3: Not at this point, but the new DSS does allow, on a merchant by merchant basis, a certain degree of a risk-based approach during their assessments.

AC: this means that "implementation first, policy last" thinking will stay in. Intuitively, I get it (policies on their own don't stop loss, while removal of PAN storage does), but I expect a lot of whining over this one as well.

Q4: Does Council plan any additional implementation guidance along the lines of wireless guidelines to help merchants comply with PCI 2.0?

PCI Council Answer 4: At some point, we will be releasing a similar set of guidelines on Bluetooth deployments, similar to the Wireless Guidelines.

There you have it. And we wouldn't even have to update our PCI book much :-) Go PCI 2.0!</description><link>http://www.secuobs.com/revue/news/248894.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248894.shtml</guid></item>
<item><title>Log Math</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog (Security Warrior) - 100,000 log messages / second x 300 bytes / log message = 28.6 MB / second x 3600 seconds = 100.6 GB / hour x 24 hours = 2.35 TB / day x 365 days = 860.5 TB / year x 3 years = 2.52 PB. Oops! Now you know what a petabyte is. And, BTW, you also now know what a trillion (of log messages) is.</description><link>http://www.secuobs.com/revue/news/248893.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248893.shtml</guid></item>
<item><title>CEE Update - Aug 2010</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog (Security Warrior) - Reposted from here for those who don't monitor the public Common Event Expression (CEE) log standard effort. First of all, let me answer the question that is in all of your heads: No, CEE is not dead. After a slow start, the work pace has picked up over the past couple of months. I apologize for the extremely long delay in posting any details regarding the state of CEE. The CEE Board (that's us - AC) has been working on bringing the CEE Dictionary, Taxonomy, and Syntax requirements together. We have drafted specification documents detailing the CEE Architecture as well as the initial Dictionary and Taxonomy specifications. These documents are the first of the CEE v0.5 (previous versions were internal) document series and have already been shared with some of you for your feedback. We are waiting for the final authorization before they are posted to the CEE website for your review. This authorization is expected to be granted next week. A follow-up e-mail will be sent to this discussion list as well as the CEE Announce list notifying you that the documents were posted, along with the URL where said documents may be obtained. It is important to note that these are only the first iterations of many. We need your help in improving CEE. In addition to helping critique and improve the CEE documents, we are also requesting your help in building and improving the CEE Use Cases. Within the next week or two, you will also receive the beginnings of a list of CEE Use Cases for review. Sign up for the public CEE list to see more. Meanwhile, the effort for log standardization makes another step!</description><link>http://www.secuobs.com/revue/news/248892.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248892.shtml</guid></item>
<item><title>Silly Compliance Poll</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog (Security Warrior) - OK, some of you would say that I have weird hobbies, like writing books about PCI DSS :-) In any case, just for fun I am running this poll on compliance here. Please respond (violently is OK, if compliance brings this up in you :-) ). Enjoy! Possibly related posts: Old posts with fun polls and their analysis.</description><link>http://www.secuobs.com/revue/news/248891.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248891.shtml</guid></item>
<item><title>To Those Escaping from Sinking SIEM / Log Management Vendors</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog (Security Warrior) - As I am hearing rumors about some sinking (and some sunk) SIEM / log management ships, here is a special "public service" announcement to those affected by the disasters. Don't despair! Quality vendors in this space are hiring like crazy, especially if you are a good Field Engineer (example) or Professional Services (example). Check out other SIEM and log management vendor sites as well; a lot of field hiring and some HQ hiring is going on as we speak. And, if you happen to be a customer of one of those unfortunate vendors, well... pick better next time :-) Oh, one more tip: security vendors are not a reliable source of information on "security vendor longevity". You will get wildly-crazy over-estimates (about self) and mind-blowingly-insane under-estimates (about competitors). Possibly related posts: All posts tagged jobs; SIEM-related Job: Principal SIEM Consultant; SIEM-related Field Job (Western US); SIEM-related Product Management Job (Atlanta, GA).</description><link>http://www.secuobs.com/revue/news/248890.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248890.shtml</guid></item>
<item><title>CEE Architecture Overview FINALLY Out!</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog (Security Warrior) - The future of logging is finally here! The Common Event Expression (CEE) team releases the CEE Architecture Overview (PDF) for public comments. HUGE thanks to the MITRE side of the team for finally clearing all the hurdles and releasing "our baby". The Common Event Expression (CEE) Architecture Overview document defines the structure and components that comprise the CEE event log standard. This architecture was developed by MITRE, in collaboration with industry and government, and builds upon the Common Event Expression Whitepaper. This document defines the CEE Architecture for an open, practical, and industry-accepted event log standard. It provides a high-level overview of CEE along with details on the overall architecture and introduces each of the CEE components, including the data dictionary, event taxonomies, syntax encodings, and profiles. The CEE Architecture is the first in a collection of documents and specifications whose combination provides the necessary pieces to create the complete CEE event log standard. We encourage community members to offer feedback on this document on the CEE Email Discussion list. You may also contact us directly at cee@mitre.org. Again, the document is at http://cee.mitre.org/docs/CEE_Architecture_Overview-v0.5.pdf. The day we were working towards for nearly five years has finally come and more of CEE is revealed to the world! Of course, detailed specifications are still in development and we will release them when they are ready for public review. Possibly related posts: All posts tagged CEE; My first post on CEE in April 2007.</description><link>http://www.secuobs.com/revue/news/248889.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248889.shtml</guid></item>
<item><title>Links for 2010-08-30 (delicious)</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog (Security Warrior) - 10 Tips to Thwart Skimming</description><link>http://www.secuobs.com/revue/news/248888.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248888.shtml</guid></item>
<item><title>Another Fun SIEM Whitepaper</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog (Security Warrior) - As promised, here is another detailed SIEM whitepaper called "A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security" that I wrote for a great team at Tripwire earlier this year. While recent economic troubles might have something to do with it, many organizations today seek to only do a bare minimum of security. To be more precise, they try to do what they think is the bare necessary minimum. Their perception that security "due diligence" can be reduced all the way down to the level prescribed by regulations, such as PCI DSS, is more common than ever today. An all too common result of this thinking is security breaches and other damaging events. This trend has affected many security safeguards, and SIEM and log management are hard hit by this as well. It is very common to deploy these technologies in order to satisfy the compliance check box. In this paper we will analyze this trend and provide useful guidance for getting value out of SIEM and log management tools while focusing on protecting systems and data, and not simply on checking the box. Get the paper here. Possible related posts: New SIEM Whitepaper on Use Cases In-Depth OUT; Two New Logging Resources Published.</description><link>http://www.secuobs.com/revue/news/248887.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248887.shtml</guid></item>
<item><title>Fun Project Honeynet Log Challenge: Log Mysteries</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog (Security Warrior) - Project Honeynet just released its latest Forensic Challenge 5 - Log Mysteries. It is based on logs from a compromised virtual server and requires quite a bit of digging through messy log data. The Challenge: Analyze the attached sanitized_log.zip (AC: get the logs here) and answer the following questions:
1. Was the system compromised and when? How do you know that for sure? (5pts)
2. If the system was compromised, what was the method used? (5pts)
3. Can you locate how many attackers failed? If some succeeded, how many were they? How many stopped attacking after the first success? (5pts)
4. What happened after the brute force attack? (5pts)
5. Locate the authentication logs; was a bruteforce attack performed? If yes, how many? (5pts)
6. What is the timeline of significant events? How certain are you of the timing? (5pts)
7. Anything else that looks suspicious in the logs? Any misconfigurations? Other issues? (5pts)
8. Was an automatic tool used to perform the attack? If yes, which one? (5pts)
9. What can you say about the attacker's goals and methods? (5pts)
Bonus: What would you have done to avoid this attack? (5pts)
Go get the challenge here and get to solving it; you have about a month. And, yes, there will be prizes too! Finally, if you really want to make me happy (hehe... who'd want that? :-) ), please invent a new approach while solving the challenge. Possibly related posts: Everything tagged Project Honeynet.</description><link>http://www.secuobs.com/revue/news/248886.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248886.shtml</guid></item>
<item><title>LogChat Podcast 1: Anton Chuvakin and Andrew Hay Talk Logs</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog (Security Warrior) - LogChat Podcast is born! Everybody knows that all this world needs is a podcast devoted to logs, logging and log management (as well as SIEM, incident response and other closely related subjects). And now you have it - through the sheer combined genius of Andrew Hay and myself, Anton Chuvakin. Administrative items first:
1. We need a new name! We are not entirely happy with "LogChat" and, sadly, "LogTalk" is taken. Please suggest a name - if we pick yours, you get a free signed copy of my "PCI Compliance" book.
2. We will post the transcript, not just the MP3 file - in a few days. If you have ideas for a good inexpensive transcribing service, we are all ears. I will try Amazon Mechanical Turk first, but it might not be good enough for a technical podcast.
3. Please also suggest topics to cover as well - even though we are not likely to run out of ideas for a few years. Our first topic today is new log source integration - if it sounds boring... well... listen first, judge second :-)
4. We plan for this to be a monthly podcast. So, the next one will happen sometime early October.
5. Any other feedback is HUGELY useful. Is it too long? Too loud? Not enough jokes? Too few mentions of the "cloud"? Feedback please! Who knows... maybe there are more PCI books left in my secret stash and you too will earn that glorious prize for the most useful piece of feedback :-)
And now, in all its glory - the podcast: the link to the MP3 is here (MP3). UPDATE: RSS feed is here. Enjoy the log chat!</description><link>http://www.secuobs.com/revue/news/248885.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248885.shtml</guid></item>
<item><title>Monthly Blog Round-Up - August 2010</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog (Security Warrior) - Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting blog content. If you are "too busy to read the blogs", at least read these. So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month.
1. My super-rant about log analysis, "Pathetic Analytics Epiphany", has shot to the top like a pig kicked up in the ass by an irate giant. It is about how, after looking at logs for so many years, we still use primitive approaches and primitive tools.
2. Not surprisingly, my belated reading of the Verizon Breach Report 2010, "Verizon Breach Report 2010 OUT", is in my Top 5. VzDBIR is pure awesomeness, as always!
3. "Updated With Community Feedback: SANS Top 7 Essential Log Reports DRAFT2", "SANS Top 5 Essential Log Reports Update" and their predecessor "Top5 SANS Log Reports Update DRAFT" finally beat the previous champion of a few months, "Simple Log Review Checklist Released". Now I just need to document all the chosen favorite reports and submit it for community release.
4. Career posts always get top scores automatically and "Skills for Work vs Skills for Getting Hired" is no exception. Just as its predecessor, "Myth of an Expert Generalist", it got on my monthly Top 5 posts immediately, was featured on Reddit.com, etc, etc. The next career post is coming soon; don't despair :-)
5. News of sinking SIEM and log management vendors alluded to in "To Those Escaping from Sinking SIEM / Log Management Vendors" somehow made it to the top. Maybe links to SIEM jobs did it?
6. "How Do I Get The Best SIEM?", a companion to "On Choosing SIEM", went to the top like lightning a few months ago and stayed there this month as well. If you are thinking of getting a SIEM or a log management tool, check them out and also look at related resources at the end of these posts. 'The Myth of SIEM as "An Analyst-in-the-box" or How NOT to Pick a SIEM-II' and '"I Want to Buy Correlation" or How NOT to Pick a SIEM' also stay at the top; it seems like smaller organizations are looking at deploying SIEM and log management and there is a lot of interest in simple guidance on this.
Also, below I am thanking my top 5 referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog: 1. Michał Wiczyński 2. Raffael Marty 3. Dancho Danchev 4. Cédric Blancher 5. JP Bourget. See you in September! (Also see my annual "Top Posts" - 2007, 2008, 2009.)
Possibly related posts (past monthly popular blog round-ups): Monthly Blog Round-Up - July 2010; Monthly Blog Round-Up - June 2010; Monthly Blog Round-Up - May 2010; Monthly Blog Round-Up - April 2010; Monthly Blog Round-Up - March 2010; Monthly Blog Round-Up - February 2010; Monthly Blog Round-Up - January 2010; Monthly Blog Round-Up - December 2009; Monthly Blog Round-Up - November 2009; Monthly Blog Round-Up - October 2009; Monthly Blog Round-Up - September 2009; Monthly Blog Round-Up - August 2009; Monthly Blog Round-Up - July 2009; Monthly Blog Round-Up - June 2009; Monthly Blog Round-Up - May 2009; Monthly Blog Round-Up - April 2009; Monthly Blog Round-Up - March 2009; Monthly Blog Round-Up - February 2009; Monthly Blog Round-Up - January 2009; Monthly Blog Round-Up - December 2008; Monthly Blog Round-Up - November 2008; Monthly Blog Round-Up - October 2008; Monthly Blog Round-Up - September 2008; Monthly Blog Round-Up - August 2008; Monthly Blog Round-Up - July 2008; Monthly Blog Round-Up - June 2008; Monthly Blog Round-Up - May 2008; Monthly Blog Round-Up - April 2008; Monthly Blog Round-Up - March 2008; Monthly Blog Round-Up - February 2008; Monthly Blog Round-Up - January 2008; Monthly Blog Round-Up - December 2007; Monthly Blog Round-Up - November 2007; Monthly Blog Round-Up - October 2007; Monthly Blog Round-Up - September 2007; Monthly Blog Round-Up - August 2007.</description><link>http://www.secuobs.com/revue/news/248884.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248884.shtml</guid></item>
<item><title>Log Standards and Future Trends</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog (Security Warrior) - As some of you know, I've done this BrightTalk Log Management web conference the other week. My presentation was about "Log Standards and Future Trends". Here is an embed of my presentation with voice. If you just want the slides, go check the Slideshare version. Enjoy! Possibly related posts: Log Awesomeness - On August 19; CEE Architecture Overview FINALLY Out; CEE Update - Aug 2010.</description><link>http://www.secuobs.com/revue/news/248883.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248883.shtml</guid></item>
<item><title>Speaking at SANS in San Francisco on November 9</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog (Security Warrior) - Just FYI, I will be speaking at SANS San Francisco about SIEM. Come see me there! Topic: Got SIEM? Now what? Making SIEM work for you. Date: Tuesday, November 9. Time: 7:00pm - 8:00pm. Location: Hilton San Francisco Union Square. Abstract: Security Information and Event Management (SIEM) as well as log management tools have become more common across large organizations in recent years. SIEM and log management have also been a topic of hot debates. In fact, your organization might have purchased these tools already. However, many who acquired SIEM tools have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use". So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before a SIEM purchase becomes successful? Attend this session to learn from the experience of those who did not have the benefit of learning from others' mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made. More details and how to sign up here. Possibly related posts: Another Fun SIEM Whitepaper; How Do I Get The Best SIEM?; LogChat Podcast 1: Anton Chuvakin and Andrew Hay Talk Logs (my new podcast on logs and SIEM).</description><link>http://www.secuobs.com/revue/news/248882.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248882.shtml</guid></item>
<item><title>The End of An Era: ArcSight Goes to HP</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog (Security Warrior) - The era has ended: the last independent software SIEM "worth buying" is bought. The biggest SIEM game "winner", ArcSight, is acquired by HP for about $1.5b. As people are already calling me en masse to comment, here is the post with a random sampling of conclusions, predictions and "lessons learned":
- Do something better than everybody else and you can win big, even if you start late like ARST did (this comes direct from the Cap'n Obvious, of course :-) ). For example, focus on a good UI usable by your target audience as early as possible.
- The appliance SIEM battle was - until now - a sideshow to the SIEM "classic" battle (IMHO). Yes, despite the volume of appliance sales, distributed software SIEM was still seen by many as "the real thing" and appliance SIEM was seen as "maybe for SMBs". And now appliance SIEM guys get to fight the main war.
- Will HP screw it up? Hmmmm... with their record in security... oh, wait, do they have a record in security? :-) No further comment.
- It is official: the SIEM market again has no leader (at least until HP figures out what to do with ARST). Will anybody else stand up and take the reins while HP is "sorting things out"?
- What is the fate of the appliance SIEM (Express) and log management appliances (Logger)? Well, the answer lies deep inside HP, but my guess is that they will not fare better than they fare now. HP (the home of OpenView) will probably like big messy software more than the boxes.
- Q: Can I please say something related to the news with the word "cloud"? A: Sooooorry, nothing cloudy about it whatsoever.
Winners:
- ArcSight, of course. Big congrats to the crew (I competed with you a few times, but that does not mean you are not awesome :-) ).
- Kleiner Perkins with about 20x on the investment (even the CIA made some money, via In-Q-Tel, I guess).
- SIEM players close to the top of the totem pole. All will now claim "ah, we are the leader now".
Losers:
- Whoever was on the shortlist with ArcSight to be acquired by HP. Oops!
- The current HP "SIEM" partner - this vendor now gets to add their own name to the list of failed SIEM vendors :-) Bummer.
- Whoever else wanted to buy ArcSight. Oracle?
- SIEM players close to the bottom of the totem pole. Even fewer people will buy your wares now, especially if HP discounts Express aggressively.
More would be added as I think about it and talk to people. Other fun coverage of the matter would be added below as well.</description><link>http://www.secuobs.com/revue/news/248881.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248881.shtml</guid></item>
<item><title>Compliance Poll Analysis</title><description>Secuobs.com : 2010-09-17 15:49:50 - Anton Chuvakin Blog (Security Warrior) - A while ago, I did this quick poll on regulatory compliance, and here is the result analysis. The "winners" are:
1. "No brainer" winner: PCI DSS with 59%; it is indeed "forevah".
2. ISO2700x is a surprising silver medalist with 36% (more than half of PCI).
3. ITIL holds an even-more-surprising 3rd spot with 19%, at nearly 1/2 of ISO again.
4. A bunch of supposedly "cool" regs share the #4 spot with 12%-15%: FISMA, HIPAA, SOX.
5. ...and the same percentage (15%) is held by "I don't care about that compliance sh*t".
Notable write-ins were: NIST (in general, I guess beyond just FISMA); Red Flag (financial); CFATS; PHIPA, MFIPPA; EU Data Privacy laws.
What does it tell us? What can we hypothesize based on our totally unscientific compliance poll?
- All this talk about PCI DSS impacting security at large is very real, now and likely in the near future. I might argue with Josh about whether the impact is positive or negative, but it is HUGE. It definitely goes way beyond retail and ecommerce.
- ISO27001 came back to life somehow. That's probably a good thing.
- Not sure what the lesson from ITIL being #3 is; that folks from the UK read my blog? :-)
- Finally, I think the people who don't care about compliance split into two opposite camps: people who don't EVEN CARE ABOUT COMPLIANCE (much less security) and people who care about security and operational excellence, which gives them compliance (not for free, mind you). So, 19% covers both of these camps.
Any other thoughts? Possible related posts: All posts on polls and their analysis.</description><link>http://www.secuobs.com/revue/news/248880.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248880.shtml</guid></item>
</channel>
</rss>
 
