Dr Anton Chuvakin Blog PERSONAL Blog

Monthly Blog Round-Up – April 2013

anton@chuvakin.org (Anton Chuvakin) — Wed, 01 May 2013 07:07:00 PDT

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
“On Choosing SIEM” is another old classic (from 2010) that often shows up on my top list; it covers some tips on choosing SIEM tools.
“SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.
My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current network forensics research:

Current security data sharing research:

Miscellaneous fun posts:

(see my published Gartner research here)
Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.
Previous post in this endless series:

Monthly Blog Round-Up – March 2013
All posts tagged monthly

Monthly Blog Round-Up – March 2013

anton@chuvakin.org (Anton Chuvakin) — Mon, 01 Apr 2013 09:35:45 PDT

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update)
My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
“On Choosing SIEM” is another old classic (from 2010) that often shows up on my top list; it covers some tips on choosing SIEM tools.
“SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current network forensics research:

Current security data sharing research:

Consumption of Shared Security Data
On Trust in Security Data Sharing
On Security Data Sharing Research
On Security Data Sharing
Our Log Standards Paper Publishes (mentions select data sharing standards)
More on DoS and Shared Security

Miscellaneous fun posts:

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Monthly Blog Round-Up – February 2013
All posts tagged monthly

Monthly Blog Round-Up – February 2013

anton@chuvakin.org (Anton Chuvakin) — Mon, 04 Mar 2013 07:21:50 PST

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update)
My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
“On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
“SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current network forensics research:

Current security data sharing research:

On Trust in Security Data Sharing
On Security Data Sharing Research
On Security Data Sharing
Our Log Standards Paper Publishes (mentions select data sharing standards)
More on DoS and Shared Security

Previous DLP research:

Previous post in this endless series:

Monthly Blog Round-Up – January 2013
All posts tagged monthly

Monthly Blog Round-Up – January 2013

anton@chuvakin.org (Anton Chuvakin) — Fri, 01 Feb 2013 08:47:05 PST

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update)
My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.
“On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
“SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:
Current network forensics research:

Network Forensics Defined?

Previous SIEM research:

My SIEM Papers Are Out

Previous DLP research:

Monthly Blog Round-Up – December 2012
All posts tagged monthly

Annual Blog Round-Up – 2012

anton@chuvakin.org (Anton Chuvakin) — Fri, 01 Feb 2013 08:47:31 PST

Here is my annual "Security Warrior" blog round-up of top 10 popular posts/topics in 2012.

“Simple Log Review Checklist Released!” was again the most popular this year. The checklist, a list of critical things to look for while reviewing system, network and security logs when responding to a security incident
PCI DSS Log Review series of posts take the #2 spot; they are about planning and executing PCI DSS-driven log review at an organization
“On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
“On Free Log Management Tools” is another perma-popular post, presenting a companion resource to the log checklist above
“Top 10 Criteria for a SIEM?” is an EXAMPLE criteria list for choosing a SIEM.
“Log Management at $0 and 1hr/week?” is pretty much what it is. How to do log management under extreme budget AND time constraints?
“Updated With Community Feedback SANS Top 7 Essential Log Reports” and an older “SANS Top 5 Essential Log Reports Update!”
“SIEM Bloggables” has one possible view on higher-level SIEM use cases and basic functionality, and a quick discussion of SIEM user types.
“How Do I Get The Best SIEM?” is a discussion (circa 2010) about approaches to choosing SIEM tools and matching functionality to requirements.
2009 post called “Log Management + SIEM = ?” gives some quick architecture advice on combining SIEM and log management

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.
Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Monthly Blog Round-Up – December 2012

anton@chuvakin.org (Anton Chuvakin) — Fri, 01 Feb 2013 08:47:54 PST

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update)
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
“On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
My classic PCI DSS Log Review series is popular as well. The approach is useful for building other types of log review processes and procedures, whether regulatory or not.
“SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:
Current DLP research:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.
Previous post in this endless series:

Monthly Blog Round-Up – November 2012
All posts tagged monthly

Links for 2013-01-10 [del.icio.us]

Fri, 11 Jan 2013 00:00:00 PST

Links for 2013-01-07 [del.icio.us]

Tue, 08 Jan 2013 00:00:00 PST

Links for 2013-01-06 [del.icio.us]

Mon, 07 Jan 2013 00:00:00 PST

2013 Prediction – It’s a Mad, Mad, Mobile World

Links for 2013-01-03 [del.icio.us]

Fri, 04 Jan 2013 00:00:00 PST

2013 Open Group Predictions, Vol. 1 | The Open Group Blog

Links for 2012-12-27 [del.icio.us]

Fri, 28 Dec 2012 00:00:00 PST

Browsing Security Predictions for 2013 « Hackmageddon.com

Links for 2012-12-26 [del.icio.us]

Thu, 27 Dec 2012 00:00:00 PST

Links for 2012-12-22 [del.icio.us]

Sun, 23 Dec 2012 00:00:00 PST

PCI Compliance Book Giveaway #2

anton@chuvakin.org (Anton Chuvakin) — Thu, 13 Dec 2012 16:09:40 PST

OK folks, our PCI Compliance book has been out for a few months now, and Branden & I thought it would be fun to give away a copy with another contest! We have assembled a group of three independent judges who will look at the submissions and pick winners for each competition. The winner will receive a free, signed copy of the book! In fact, it would be one of those rare “dual-signed” copies with both of our signatures (and the book will have to travel from TX to CA – or from CA to TX – for this )

So, on to the second contest (first one).

Our book attempts to draw a middle line between the black & white “audit” style of looking at PCI DSS and the loosey-goosey “anything goes” view. We want to take a compliance-friendly and security-friendly, practitioners line. However, sometimes even a compliance guy has to be CREATIVE!

So our second challenge to you, in the comments below, please tell us about your MOST CREATIVE PCI DSS CONTROL you implemented, assessed or even witnessed.

HOWEVER, it will help your submission if such control was also ACCEPTED by a QSA. We will absolutely reject the creative control submissions that have no chance of making your environment PCI DSS compliant…

You’ve got about a week (until the end of December 21st), and we will announce the winners after the holidays!

It doesn’t matter if you comment here or on Branden’s blog, we will capture all of them.

Related posts:

PCI Compliance Book Giveaway–Results

anton@chuvakin.org (Anton Chuvakin) — Tue, 04 Dec 2012 14:32:59 PST

Our PCI Compliance Book Giveaway has ended – with a bang! The winning entry (submitted here) is below:

"Hilarious in a sad way, the worst PCI fail I ever had was getting
solicited by a Wedding / Bridal catalog company to assist them in
improving their online ordering and bridal catalog subscription
service. I had no contract with them, this was just a preliminary
"Let's see what we can do for you." They sent us their website, and
also e-mailed me a copy of their site's source code.
In the source code was an SQL dump of over 7 years of brides personal
information including names, addresses, birthdays, and FULL credit
card numbers, expiration dates, CCVs, card type, phone numbers, email
addresses, and unencrypted passwords.
In shock of seeing this, I called the potential client, said we
couldn't help them and deleted the data as completely as I could.
Eek!"

The winner, “James P”, please mail your address to authors@pcicompliancebook.info and we will mail you your signed copy of The PCI Book, 3rd edition. And, no, we won’t charge your credit card for that

The runner-up entries were:

“A very large retailer decides to reorganize their IT department to be more responsive and reactive. As part of that reorganization, they create a group titled 'Enterprise Monitoring' that is responsible for the care/feeding of the log management and analysis solutions. Centralized personnel that actually do the monitoring are pushed out to the business units where, according to IT management, the actual monitoring belongs. Everyone at the meeting announcing this decision says that the name. Enterprise Monitoring, needs to be changed because it gives the impression that the group does the monitoring, but they are over ruled.
Spin ahead almost a year later to their PCI assessment. The monitoring personnel that were pushed out to the business units were, surprise/surprise, were seen as new bodies that could be used for everything BUT monitoring. So, we have great log management and analysis solutions running, but no one has been monitoring anything for almost a year! When asked, the business units point to the Enterprise Monitoring group and say that it is their responsibility because they are 'Enterprise Monitoring'. DUH!” (source)

and

“I work with a stadium and arena concessions operation that once told me they were compliant because they put their card swipe readers on the counter and turned them around to face the customer. They no longer touched the cards so this made them compliant. True story.” (source)

and

“It’s a not a fail, but I certainly found humor in this. When enrolling in training with the PCI Security Standards Council, if you would like pay by credit card they ask that you write your CC#, CVV, Expiration, etc on the invoice and fax it or mail it to them. They note, it is a secure and password protected fax. I expected something a little more from the people who create the standards, but hey that’s one way to reduce your scope. Upon receiving the invoice, it was an LOL moment. ” (source)

MORE PCI Book CONTESTS ARE COMING!! Stand by….

Monthly Blog Round-Up – November 2012

anton@chuvakin.org (Anton Chuvakin) — Mon, 03 Dec 2012 07:43:12 PST

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update)
“PCI Compliance Book Giveaway!” announces our new contest and its prize – The PCI Compliance book. We will announce the winner any day now.
My classic PCI DSS Log Review series is popular as well. The approach is useful for building other types of log review processes and procedures, whether regulatory or not.
“On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current DLP research:

Previous post in this endless series:

Monthly Blog Round-Up – October 2012
All posts tagged monthly

PCI Compliance Book Giveaway!

anton@chuvakin.org (Anton Chuvakin) — Thu, 15 Nov 2012 15:51:35 PST

OK folks, our PCI Compliance book has been out for a couple of months now, and Branden & I thought it would be fun to give a way a couple of copies with a contest! We have assembled a group of three independent judges that will take a whittled down list and pick winners for each competition. The winner will receive a free, signed copy of the book!

So, on to the first contest.

Our book attempts to draw a middle line between the black & white “audit” style of looking at PCI DSS and the loosey-goosey anything goes view. We want to take a compliance-friendly, practitioners line. But we’ve all been in those meetings when you look at a particular defense of a control (or lack thereof) and you can’t help but laugh a little bit on the ridiculous nature of what was presented.

So our first challenge to you, in the comments below, please tell us about your MOST HILARIOUS PCI FAIL.

You’ve got a week (until the end of Wednesday, November 21st), and we will announce the winners after the US Thanksgiving holiday!

It doesn’t matter if you comment here or on Branden’s blog, we will capture all of them.

Monthly Blog Round-Up – October 2012

anton@chuvakin.org (Anton Chuvakin) — Thu, 01 Nov 2012 10:48:20 PDT

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it needs another update)
“On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
My PCI DSS Log Review series is popular as well. It actually needs no introduction.
SIEM use cases (however they are defined) seem to be on a lot of minds and so “SIEM Bloggables” post (and this one too) is on my top list.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current DLP research:

Recent SIEM research:

Previous post in this endless series:

Monthly Blog Round-Up – September 2012
All posts tagged monthly

Monthly Blog Round-Up – September 2012

anton@chuvakin.org (Anton Chuvakin) — Mon, 01 Oct 2012 09:14:09 PDT

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it needs another update…)
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
“On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
My PCI DSS Log Review series is popular as well. It actually needs no introduction
“The Myth of SIEM as “An Analyst-in-the-box” or How NOT to Pick a SIEM-II?” is about how some organizations want to buy a SIEM and pretend they now have security monitoring

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current SIEM research:

Other fun Gartner blog posts:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Monthly Blog Round-Up – August 2012
All posts tagged monthly

Monthly Blog Round-Up – August 2012

anton@chuvakin.org (Anton Chuvakin) — Mon, 10 Sep 2012 07:46:57 PDT

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it needs another update…)
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
My PCI DSS Log Review series is popular as well.
“On Choosing SIEM” is another old classic (from 2010) that shows up on my top list.
Next is “SIEM Resourcing or How Much the Friggin’ Thing Would REALLY Cost Me?” While reading this, also check this presentation.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current SIEM research:

Other fun posts:

Previous post in this endless series:

Monthly Blog Round-Up – July 2012
All posts tagged monthly

One Year at Gartner!

anton@chuvakin.org (Anton Chuvakin) — Thu, 02 Aug 2012 10:28:52 PDT

Believe it or not, but I've been at Gartner for a year. One whole year has passed since that infamous blog post. I don't feel like diving into deep reflections and long contemplations about it, but I wanted to share how it was. During this year, I …

learned a lot, and expanded my security knowledge into new areas such as denial of service defense
found out that being an analyst is a lot of fun
realized that there are many levels of writing excellence beyond the level that I thought I had …
interacted with a lot of smart people both within and outside Gartner
helped dozens of our clients – both security vendors and large enterprises - with their security challenges, some simple and some pretty esoteric
discovered that a lot of companies are not where our industry pundits and "thought leaders" say they are (“what is more common today at large organizations, cloud or Windows 2000?”)

That's about it - I am really looking forward to my second year!

Monthly Blog Round-Up – July 2012

anton@chuvakin.org (Anton Chuvakin) — Wed, 01 Aug 2012 08:05:23 PDT

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
Next is “SIEM Resourcing or How Much the Friggin’ Thing Would REALLY Cost Me?” While reading this, also check this presentation.
“On SIEM Services” appearance on this list reminds me that the Internet has a mind of its own as this post is closely related to what I am working on right now
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
Finally, “Book Review: “UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A complete guide to analyst influence” by Richard Stiennon” made it to the top 5 as well.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current SIEM research:

Other fun posts:

How Are We Doing Compared To Peers?

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Monthly Blog Round-Up – June 2012
All posts tagged monthly

Metricon 7 Workshop Reminder

anton@chuvakin.org (Anton Chuvakin) — Thu, 19 Jul 2012 17:20:39 PDT

Just a quick reminder about the Metricon 7 workshop on security metrics.

Date: August 7, 2012

Location: Bellevue, WA (co-located with USENIX 12)

Registration:https://www.usenix.org/conference/usenixsecurity12/registration-information (pick just the metrics workshop or the entire event)

Agenda:

1. Introduction to Metricon, security metrics and workshop goals by Anton Chuvakin (9:00-9:30)

2. “Even Giant Metrics Programs Start Small” by David Severski (9:30-10:30)

3. Break (10:30-10:45)

4. PANEL: “Rules of the Road for Useful Security Metrics” (10:45-11:30)

5. Mini-talk 1 and 2 – TBD (11:30-12:00)

6. Lunch break (12:00-1:00)

7. “What We Want to See in Security Metrics” by Christopher Carlson (1:00-2:00)

8. PANEL: “What We Know to Work in Security Metrics” (2:00-2:30)

9. “Application Security Metrics We Use” Steve Mckinney (2:30-3:00)

10. Break (3:00 – 3:15)

11. "Threat Genomics and Threat Modeling” by Jon Espenschied (3:15-4:15)

12. Discussion time, everybody shares lessons, highlights, etc (4:15-5:00)

13. Conclusions, results and action items by Anton Chuvakin (5:00-5:15)

Additional details: here

See you there!

Book Review: “UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A complete guide to analyst influence” by Richard Stiennon

anton@chuvakin.org (Anton Chuvakin) — Tue, 17 Jul 2012 10:09:01 PDT

This is not a book for everybody (and your grandmother probably does not need to read it; neither does an average IT professional). However, I think that this book is pure gold for those tasked with interacting with analyst firms.

I am an analyst, and I wish every vendor client read this book and followed some of the advice given there. It would reduce pain on both sides of the conversation, as well as make the interactions more valuable for – again! - both sides.

Obviously, this is not a book to guarantee your IT product a favorable placement in analyst research. It is also not a book on how to bamboozle the analysts, despite its focus on analyst influence. However, it is definitely a book to make sure that well deserving products, developed and marketed by good teams of people, don't get sidelined.

Some of the specifics that I liked include the influence pyramid concept, social media techniques, a careful approach to managing corporate Wikipedia entries, specific approaches to various analyst activities (such as calls, reports, advisory days and conferences), etc. My favorite sections (both fun to read as well as insightful!) are the one on “guerrilla tactics” and the obligatory “what not to do” chapter (the latter has a few sad case studies of IT vendors who screwed themselves up). Another great chapter covers the role of a vendor sales team in both helping the interaction with the analyst firm and avoiding some embarrassing mistakes.

In fact, this book makes me proud to be an analyst. Then again, maybe it is my ego talking as the book seems to project an impression that “an analyst is the most important person in the world“, at least as far as IT vendors are concerned.

Finally, if you are a IT vendor marketer, remember: when you say “holistic," some analysts think “imaginary.” Richard suggests to scrub your presentations of silly meaningless words like “synergy” and “holistic.”

All book reviews.

Monthly Blog Round-Up – June 2012

anton@chuvakin.org (Anton Chuvakin) — Mon, 09 Jul 2012 15:10:25 PDT

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
My PCI DSS Log Review series is popular as well.
“On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm.
“Log Management at $0 and 1hr/week?” is where a lot of companies still are, thus this post became popular again.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Denial of Service research:

Other fun posts:

Monthly Blog Round-Up – May 2012

"PCI Compliance", 3rd edition - Out On August 6, 2012

anton@chuvakin.org (Anton Chuvakin) — Tue, 12 Jun 2012 23:05:07 PDT

A new edition (3rd) of our book "PCI Compliance" is coming out on August 6, 2012.
It covers PCI DSS 2.0, as requested by many of our readers. Other new materials include Emerging Technology and Alternative Payment Schemes, PCI for the Small Business, etc. A full ToC for this new edition is here.

Get the book in print or for Kindle!

Monthly Blog Round-Up – May 2012

anton@chuvakin.org (Anton Chuvakin) — Fri, 01 Jun 2012 08:37:24 PDT

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Log Management at $0 and 1hr/week?” is where a lot of companies still are, thus this post became popular again.
“Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
“Why No Open Source SIEM, EVER?” (and this) is next – for some weird reason. I suspect a lot of people still crave a free open source SIEM tool.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm.
“On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Denial of Service research:

Monthly Blog Round-Up – April 2012

Book Review: “Security De-Engineering: Solving the Problems in Information Risk Management” by Ian Tibble

anton@chuvakin.org (Anton Chuvakin) — Fri, 18 May 2012 15:44:56 PDT

This book is probably the most thought-provoking book on security I read in the last 5-7 years! While I'm somewhat known from my proclivity to exaggerate, I assure you this is not an exaggeration. As I was reading it, I felt like I connected to deep layers of the subconsciousness of security industry.
In fact, the influence this book already had on me is palpable: I found myself using some of the terms (such as author’s favorites, “intellectual capital” and “CASE”) and concepts on the next day after I started reading it.

As a brief summary, the book investigates the evolution of the way we do information security from the “hacker-lead” late 1990s to “compliance-heavy” late 2000s and today. The author also highlights dramatic problems with today's approach to security and suggests some of the solutions in the way people think and operate around security.

In fact, it might be one of the most influential books ever written in history of security industry - the one that appeared at the best possible time when it’s most needed. Along the same line, I have grown worried about the ranks of security professionals who are not hands-on with technology and who have never secured production systems. Just as the author, I've been grown frustrated with the ranks of idiots who equate compliance and security. Even author’s rant about ethics is something I've been thinking for years.

The author slaughters a few of the sacred cows of security industry: one that “executives are clueless” and the one that we “must have reliable actuarial data on incidents to stay relevant.” He also highlights a few categories of security products, which are notorious for not delivering value and explains the reasons for that. Most of his points are backed up by specific cases from his experience, going back to the end of 1990s when the security industry was born.

And, of course, as with any thought-provoking writing, I cannot say I agree with every word I read. For example, I am much less negative on the vulnerability assessment technology than the author (I don't think they give you 50% “false negatives” on common platforms today). Furthermore, I abhor the use (misuse, really) of “ROI” for justifying security spending. Style-wise, the author is a little too fond of repetitions to my taste. However, having a summary after each chapter is a great idea.

Finally, despite the unreasonably high price, I feel that every member of the security community MUST read this book. Literally every chapter will have insights that will make you a better security professional today.
All book reviews.

Monthly Blog Round-Up – April 2012

anton@chuvakin.org (Anton Chuvakin) — Tue, 01 May 2012 20:11:27 PDT

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
“Why No Open Source SIEM, EVER?” (and this) is next – for some weird reason. I suspect a lot of people still crave a free open source SIEM tool.
“On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
“Log Management at $0 and 1hr/week?” is where a lot of companies still are, thus this post became popular again.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Denial of Service research:

Availability, Security and Why is DoS Fun?

Cloud security monitoring research:

Future SIEM analytics research:

Monthly Blog Round-Up – March 2012

Metricon 7 Call for Papers

anton@chuvakin.org (Anton Chuvakin) — Mon, 30 Apr 2012 09:54:30 PDT

This is a Call for Papers (CFP) for Metricon 7.

Key stats first:

Conference date: August 7, 2012
CFP deadline: May 31, 2012
Conference location: Bellevue, WA
Cost to attend: free (but you’d need to add value to discussions).

CFP follows below and can be found at SecurityMetrics site.

Metricon 7 - Security Metrics: Useful or Bust!!

How to define, generate, and communicate security metrics you can use TODAY!

This year, Metricon 7.0 is excited to issue a call for participation to the information security community. The event will occur August 7th 2012 collocated with USENIX in Bellevue, WA.

Given that this is the 7th event, we think it is time to finally say it: security metrics MUST be useful NOW! Thus, the focus this year is on useful and usable metrics – not conceptual and theoretical stuff that sounds great, but cannot and will not be used in today’s organizations. Also, presentations and panels that talk about “How?” and “What?” will be strongly prioritized over “Why?”(and “whine”). Enterprises and tool vendors are both welcome to present! Academic researchers tacking the real-world problems are welcome as well.

We want to see:
• How you achieved “quick wins” with security metrics?
• How you define useful metrics, whether risk or operational?
• What metrics you track are the most useful?
• How did you solve a particular challenge in security metrics area?
• How your tool helps (not “can help”!) with collecting and analyzing security metric data?
• Who gets the metrics you create? How do they use them?
• What metrics you use to determine that security controls are effective?
• How organization generate actionable advice from security metrics?
• How to track that your security is improving using metrics?

We do not want:
• Uncollectable and unusable metrics
• Metrics philosophy
• Uncooked metrics that sound vaguely “interesting”

Send submissions and your ideas for panels and presentations to metricon7@securitymetrics.org

Deadline for presentation and talk submissions is May 31st, 2012. Submissions should be sent to Metricon7@securitymetrics.org.

Monthly Blog Round-Up – March 2012

anton@chuvakin.org (Anton Chuvakin) — Mon, 02 Apr 2012 10:17:08 PDT

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people
“Updated With Community Feedback SANS Top 7 Essential Log Reports DRAFT2”, “SANS Top 5 Essential Log Reports Update!” and their predecessor “Top5 SANS Log Reports Update DRAFT” also show up close to the top. IF YOU WANT TO VOLUNTEER TO FINISH THIS DOCUMENT- PLEASE EMAIL ME!
My classic PCI DSS log review series is still on my Top 5: “Complete PCI DSS Log Review Procedures”; they are also useful for other compliance or security log review and log monitoring.
“On Free Log Management Tools” is a companion to the checklist below (updated version)
“On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Monthly Blog Round-Up – February 2012

The Log Book Needs YOUR Help!

anton@chuvakin.org (Anton Chuvakin) — Fri, 09 Mar 2012 08:10:04 PST

As most of you know, I’ve been working on a book about logs, logging and log management for some number of years. At this point, the book is almost done, but the author team is having some minor time commitment issues (aka “less time to write than originally estimated”) ).

So, do any of my esteemed blog readers (those adept in the dark arts of log analysis) care to help and write a few chapters here and there, in exchange for (lots of) immortal fame and (admittedly small amount of) cash?

Table of contents is here – if you see any chapters you’d like to help with, please let us know. I will post a list of chapters that really need help soon.

At this point, we have PLENTY of reviewing help, but we sure can use some writing help!