Supporting Hackers For Charity

Something in the back of my head told me to check out Johnny Long's Hackers for Charity website today to get an update on what's been happening with him and his family.   I hate to say it, but I let this go "out of site, out of mind" for me.  As I looked at the donor cloud and I noticed it was empty. Really?!?! Empty?!?!(technical issue maybe? I just donated to test it) I can't imagine that hasn't been any sponsorships in a month.

I realize there are multiple ways we all contribute to HFC (General Donations, Equipment, Software, Time/energy, Books, etc), but the donor cloud being empty worries me that maybe others have also let this go "out of site, out of mind" for them as well.  So consider this message a small reminder!

Get Involved with Hackers For Charity!

Whatever you can do, buy shirts, donate via Paypal, donate equipment, join Informer - every little bit helps a great deal over there.

In case you didn't know Johnny Long and his family through HFC support a couple of incredible missions in East Africa

1. Food Program in Kenya (You can help via the Donor Cloud on his website).

2. Classroom Initiative where with AOET they have built three classrooms already to help empower the Ugandans to learn and do for themselves!

Since his first trip, Johnny has inspired me to be better and to do more wherever I can.  His story is amazing.  He gets energized by our (community) support!  Personally, I've done what I can over the years to help and will continue to do the best I can, but it's never enough.  I'm suggesting we all join in - with whatever you can. $20/Month - $25 one time donation, whatever you can do.   To kick things off anew in 2010 - my family and I are planning on giving at least 50% of my first paycheck with whomever my new employer winds up being to HFC in March.  How will you help with this effort?

Let's see how we can support his incredible mission!

You can follow Johnny Long on Facebook You can also find him on Twitter

Getting More "Connected" in 2010

One of my goals in 2010 is to be more timely in my responses to everyone that takes the time to reach out to me.  It seems that I'm pretty much the worst person on earth when it comes to responding to phone messages or emails older than 24 hours.  I have a very small memory ring-buffer in my head. 

As part of me working on fixing this issue -  I'm opening up my entire "virtual" life to you all - If you want to reach out and talk (or collaborate on a project) about Security Operations, SIEM, Log Management, Security Monitoring and Analysis, Incident Response, etc - I've provided about every reasonable way I can think of to reach me and I'm committing to being as responsive as I can. 

In addition to my blog - here are some of the best ways to reach me - or learn what I'm up to in 2010:


Twitter "@RockyD"  DM me or at least "@rockyd" me and I'll probably see the message within a few minutes one my phone or desktop.  I'm addicted to Twitter (seriously I think I might need to go to Twitter Rehab). 


I'm almost always online via Skype either on my phone or at my desk. I'm willing to Video/Voice and Chat as necessary.





Linkedin Profile I use the Linkedin Groups feature to answer questions, though less so over the last few months. I do post there every few days and I use Linkedin in advance of every single professional conversation I have to help have an understanding of who I am talking with.



Google Wave "SecurityProfessional" I'm committing to trying this out for some projects I'm collaborating on and it is working great so far!




Google Buzz: Security Professional. My Information Security related "Buzz". Not committing 100% to Buzz yet, but I will try it out for a while and see how it goes. If you follow me on Buzz it does open up gmail and google chat as another communication opportunity.

Of course there is good old-fashioned email as well.  If you can't figure out my gmail with everything else I've provided above, please get off the internet.  If I don't respond to you within 24 hours - please feel free to ping me again.


Conferences:  I will be attending RSA and B-SidesSF in March and perhaps BH/DC in July.  Always happy to talk in person!  My schedule fills up pretty quick, but I always leave evenings open!

If you can't reach me with any of the above methods I'm either in-person meeting with someone (I don't usually answer to machines if I'm face-to-face with someone - it just seems rude) on an airplane, or I'm dead and if I can I'll either get back with you or haunt you whichever is appropriate. 

In all seriousness, I look forward to talking/collaborating with you in 2010 and beyond. 

Much Ado About Correlation

Mike Rothman at Securosis posted Network Security Fundamentals: Correlation yesterday and did a good job explaining some common issues SIEM and "Correlation". If you're in the market for SIEM you should read it and not just because it refers to some of my previous blogs :) (SIEM 101 and SIEM 201) but because is very accurate. You have to do the real work PRIOR to deploying the SIEM. It's all in the requirements. If you can't define how you will use the output of the SIEM - stick with Log Management until your organization can mature into using SIEM properly.

I really enjoyed Adrian's follow up Post Where he describes in detail why SIEM is not the end-all be-all of Security Monitoring. It's a good tool designed to do the best it can with what it is given. Simply put there is only so much you can do with crappy logs. Additional context is always required. For more on my thoughts about what works for Security Monitoring see Security Operations: Collection Post.

A week in and 2010 already has been a year of significant changes

Personally, I'll count 2009 as the year of lessons learned. I'm happy to start 2010 and begin anew. Many of you have reached out to me in twitter (@rockyd) or email, FB, etc and asked about my status, personally and professionally - for which I'm very thankful. It is awesome to see some many people and organizations genuinely care about me - I'm humbled. We did make some changes late in 2009 that for all intents and purposes brought an end to Decurity as it was known. The full plan never quite panned out the way we all hoped it would. I joined EMC/RSA for a while and worked alongside some fantastic people over there, but in the end it just wasn't the right place for me. I resigned my position at RSA and took some time off to focus on my family, my health and to renew myself so that I could focus fully in 2010 and beyond.

Personally: I had let myself get way out of shape (mentally, spiritually and physically) and let my blood sugar reach levels that truly frightened everyone. I thought I was just more sweet, but when doctors start wondering why you're not in a coma it's time to pay attention. I joke about it a lot but I've learned to pay much closer attention now. Eventually, I hope to make it to P90X type workouts but for now I'm happy to be able to walk a few miles, a few times a week. It sucks when there is no one else to blame but yourself, but then again I know I can change my habits easier than trying to make many orgs think clearly about how to handle security risks.

Professionally: I'm currently in the midst of considering some fantastic opportunities from various organizations that have reached out to me. I can't tell you how lucky I feel to have so many believe in me. I'm delaying making a final decision until I'm a little healthier (should only be a few days). I want to ensure that whichever route I take it makes sense for me, the company, their user-base and the segment of the security industry I can influence. I'll let everyone know where I wind up once things settle down.

Another Note: I'm moving my personal blogging efforts over to securityoperations.blogspot.com. I'll probably dual post for a while as Decurity's blog has much more critical mass, but I'd imagine I'll keep up with securityoperations.blogspot.com more often from now on.

FUDSEC Guest Post

I was asked to provide a guest post for the FUDSEC Blog. After reading so many of the other guest posts I felt a little overwhelmed to put my ramblings alongside those gems. I'm thrilled Craig allowed me the opportunity and look forward to hearing your input. Please enjoy ripping my thoughts into pieces, chewing on them and then letting me know how you really feel!
FUDSEC: Liberate Yourself: Change The Game To Suit Your Needs

Comments are encouraged directly on FUDSEC or you can reach me on Twitter (@rockyd) or reach me on this Blog any way you chose to reach out I'd love to hear your input.



ORIGINAL TEXT FROM FUDSEC.COM POST FOLLOWS:


December 4, 2009
Liberate Yourself: Change The Game To Suit Your Needs

I'm very pleased to have Rocky as this weeks "Fudsec Friday" guest. I've had the pleasure of meeting Rocky in a business context. I quickly came to appreciate he is one of the minority: an information security professional providing true insight and solutions based on real world experience of what works. To put it simply, Rocky "gets it". If you read just one blog post today, read this one. Thanks Rocky!

By Rocky DeStefano

Recently, I was fortunate enough to have the opportunity to listen in on a speech from General Hayden (former Director of the NSA and CIA, in addition to his service as a four star general in the US Air Force). This man has executed at a level most of use only see through fiction writers and movies and he has done so for 30 + years. I provide that backdrop only to say that when General Hayden speaks, I not only listen, I listen intently and replay his words and overall sentiment in my head very carefully. What he said at this event was encapsulated very well by Richard Bejtlich in this blog post so I won’t go into all the areas described in this post. In short, General Hayden’s speech sparked some long-dormant thought in my feeble brain. His thoughts energized me to refocus my thoughts and actions to go beyond the day-to-day struggles we constantly fight. I was stuck in a rut and didn’t even realize it.

In order to navigate our world and interact with it and one another, we as humans had to learn to fly, we had to learn to navigate the oceans, and we had to learn to overcome distances and difficult terrain, by creating solutions to work with the landscape. We’ve done something quite unique though, we created a new terrain and new domain. The domain we’ve created is fundamentally different while at the same time it is every bit as tangible as the natural domains we exist in. The difference is that this information domain is of human ingenuity and therefore in addition to building tools to work within the landscape, we can actually alter the landscape as we see it. This information domain also exists separately as its own entity and as such evolves at a rate much different than the physical domains. Perhaps most importantly this information domain evolves, dies or otherwise is influenced based on our human interactions. It is moldable. Sure I can agree that humans might affect the temperature of the planet every few thousand years by a fraction of a degree, but we can fundamentally change our information domain on a daily basis if we chose to. Think about it, we all know that, it isn’t new, but at the same time it’s quite liberating to think about the fact that we can change the entire game to suit our needs, versus playing by rules we can’t change or worse yet play in an environment that highlights the strengths of our adversary.

As this domain has evolved we have set in motion a series of evolutionary steps based on tactical requirements without really having a strategic plan for where it should be headed. We made decisions along the way that were necessary to get us past a hurdle, but without much rational thought about the impact. To put it simply there is no city planning going on. We’re continually developing “solutions” to meet short term needs. Granted these are real needs, no question, but who is providing the strategic vision of how our decisions will affect how we interact in the future? For far too long we have applied “fixes” that fit the bounds of the information domain as it exists today. It is time to start looking at how we can transform the domain itself to more appropriately suit our needs moving forward. I’m convinced we are in the very earliest of stages in the evolution (perhaps on the doorstep of revolution) with regard to this domain, but unlike evolution on the natural plain this domain can’t and won’t change itself, we must act to influence it to better meet our needs.

Much to my own amusement I see this domain much like a scene from a kids movie - when Jafar turns is transformed into genie in Disney’s Aladdin and he boasts something like “The Power, The absolute Power, The universe is mine to command, to control, to create” and we get it without the constraint of living in a bottle. The constraints that apply only exist in our minds and actions. We need to get out of the mindset of applying protection techniques based on physical realms and focus on evolving the entire environment to better suit our needs moving forward.

I’m certain as we start this dialogue that more fundamental aspects will arise – which is exactly what I hope to elicit from this dialogue but here his where my current thought process has lead me to consider with regards to how to step out of our box and move our eyes towards the horizon. I’ve bundled my thoughts into a few categories, leadership, research and information sharing. I’m sure your thoughts will help us all to refine this into much more!

Leadership: I’ve come to realize that there is no one coming to save us from ourselves here. No government czar, compliance initiative, nor vendor product suite is going to pave the way. Homeland Security, NSA, Military, Congress, The White House – they’ll all continue to play their part, but let’s be honest here they have not and should not drive the overall thought process here. We must all define how we chose to exist in this domain.

Certainly we should encourage government and legal involvement along the way so that they can contribute as appropriate. In the end the government should be involved to enable us to succeed in this domain, not to define how it should be crafted – at least not without our agreement. Yet we wait the announcement of the all mighty czar… it’s crazy. I believe that we can lead from right here, wherever here happens to be. There are dozens of examples, but I chose just a few to highlight some of the decisions we’ve made and how we can start making better ones moving forward.

1. Information Security Leadership. We need to start pushing back at all levels here. It’s my opinion that business’s need to care much less about being compliant and more about being fundamentally secure – or if you prefer having better visibility into real risk. Risk to the mission, risk to the business not the risk to an asset. We continue to create irrelevant measurements – irrelevant because they are point in time, against a less-than secure model and on a playing field that is skewed towards the success of our adversary.

As information security professionals how on earth did we let the primary financial driver for security spending be compliance initiatives? We sold our souls because we lacked the knowledge of the business and how to apply what we do in a meaningful way to the business. We let compliance initiatives that promised “measurable” results have their way because we thought we could tag along for the ride and implement best possible solutions given the situation. As I see it we are no better off for this and now our teams have either competing agendas or more work to drive us away from protecting our organizations. Sure we’ve created some “building codes” but do “point in time” snapshots matter anymore when the attacker can mold his approach on a whim?

Partners, Vendors play a critical role in helping us reach our goals; they should also play a role in the thought leadership moving forward. Product and solution vendors have done a great job in developing solutions to meet our defined needs along the way as we’ve evolved in our usage of information systems. We’ve all witnessed some seriously cool steps forward over the last 15-20 years, but recently many of those solutions have been evolutionary in nature, not necessarily innovative, but more and more they are band-aid fixes for problems we’ve encountered or realized.

Don’t get me wrong it is a very necessary evolution, but we’ve hit a point that we need to start thinking about long-term health and welfare of how we interact as humans. We need to find ways to encourage that vendor thought leadership onto a larger more strategic problem-set. I would encourage those customer facing people with consulting and/or vendor organizations to take a very basic consultative approach on a daily basis: listen to your customer’s actual needs, not always what they state as a need (PCI Compliance, etc) but to the goals they are really trying to solve and communicate those findings inwardly to your organization (and in general terms externally to the community). The more inputs for this information stream the more refined the thought process can be. You can’t imagine the amount of information that some of these folks have in their heads they just haven’t been heard appropriately.

To those that manage consultants - please encourage your staff to listen and enable meaningful communications, in fact I would challenge you to incentive your staff to provide this input. Give them the opportunity to buy in to more than just a single technology, but into solving a much greater problem. This may mean some major internal change in thought about how to approach management of teams, customer engagements, support, product development, etc – that’s exactly the point – we need to learn to listen better to the larger picture and not the point in time snapshot.

Those were two very basic examples of how we can lead from wherever we sit in the organization there are literally thousands of other examples out there. I hope you can see that I’m suggesting leadership by example – you can still enable business using these techniques, you just have to get past “the way its been done”.

2. A key component in moving forward has to be a dedicated focus on Research and Development. I mean significant investment in R&D on a national and international scale, information sharing about current and proposed strategies across industries, etc. We need to be pushing our employers, VC’s, governments into broader research initiatives. We need an innovation revolution at this point, not just evolutionary point solutions.

There are some very recent initiatives that show promise, like the announcements by Northrop Grumman that NG is sponsoring information research in conjunction with Carnegie Mellon, The Massachusetts Institute of Technology and Purdue University.

If you will, think of these research opportunities as form of health care for our future, I don’t care how it’s justified but we need to act in support of efforts like this in every way we can, perhaps by offering state or federal tax credits? Certainly I can agree that we need to watch spending and as such we should have to pay for performance, but we need to encourage strategic innovation versus tactical evolution (band-aids). The investment in long-term strategy has been anemic at the federal level. We’ll spend millions on watching the effect of gnat bites on mouse nuts, but we haven’t found the necessary stomach to pay for the ability to effectively comprehend where we’re headed as a species as it relates to communications, business and everyday life.

3. Perhaps the most immediate thing we can influence is better Information Sharing. We need to start thinking about how we can change the IT Domain into something that allows for a level playing field. The old adage “The enemy of my enemy is my friend” applies very well here. It’s ridiculous to think that our teams are better off not talking with industry competition about defensive strategies. The other side is free to share, adapt and overcome as they see fit, yet we tie our own hands and ask for beatings – and hope they don’t hurt too much. I’m really not into S&M. I’d rather retake control – how about you?

A few good examples to learn from already exist, the Defense Industrial Base (DIB) has an information sharing related to APT (Advanced Persistent Threat) detection profiles, and workshops like SANS “What Works” or IANS Summits are a great beginning to this conversation, but in reality they are very limited in reach and only relevant at a point in time. We need to develop more daily interaction at a deeper level.

Summary: I’m in no way suggesting I’m intelligent enough to have all the answers, or to have even fully described the problems, I’m simply stating that we need to elevate our thinking and we must invest in the thought process and commit to the information sharing required to make the decisions necessary so that we may shape our own destiny. As I see it we must all act on the relevant fronts (Leadership, Research, Information Sharing, others?) to better comprehend the changes and position ourselves to be able to make the changes necessary in the future. That’s my starting point, how will you enhance the conversation?

Disclaimer:
The opinions expressed here are my personal opinions. My views and opinions are subject to change based on the input I consume and the analysis I apply to those inputs. Content published here is neither read nor approved in advance by my employer and does not necessarily reflect the views and opinions of my employer.

More SIEM Vendor Leap Frog

Network World's recent article provides additional evidence that Log Management and SIEM Vendors are still trying to evolve.

Dominique Levin (EVP of Strategy/Marketing at Log Logic writes in this Network World article posted last night (03/19/2009) about the development and convergence of SIEM and Log Management. I'm glad that Log Logic finally understands the model and is trying to address a broader market opportunity by incorporating SIEM into their offering. If you didn't already know, last month Log Logic partnered with ExaProtect to be able to provide a more native (to Log Logic) SIEM solution. As a side note, it has been my experience that you can make other SIEM's work in conjunction with Log Logic (at least in an unidirectional manner) by forwarding events to a SIEM from the Log Management platform. I hope that Log Logic (and other vendors) continue to read my SIEM Vendor Leap Frog post and take some of the challenges in current technologies to heart. Bi-directional search between Log Management and SIEM, shared user authorization and authentication techniques, more robust shared management options - all of which really need to evolve from these types of offerings. I hope they and the other vendors look at this as an opportunity to truly merge the products into a solution versus the current "bolt-on" approach some in the market have taken. It is not enough to just have the technology available, the vendors must understand how the customers will use this in the field and make it more simple to deploy, manage and ultimately actually use these products. ArcSight, RSA and other key players are working on this very diligently and have made great strides to making this vision a reality. It's still nowhere near perfect but I think it will get much more emphasis over the next 12-18 months or so as more people demand better integrated solutions during their acquisition or renewal cycles.

Another side note: At the recent IANS DC forum and again at SOURCE Boston Peter Kuper noted that security vendors are going to have to make more of an effort to partner with their customers to really thrive in this market. Peter also made the point that customers have to demand more value from their vendors in order to show value to their own management. I think everyone should take that message to heart!

The information presented in the Network World article further validates some of the positions I presented in my SIEM Vendor Leap Frog post earlier this week. For that matter so does a recent "tweet" from NitroSecurity (Twitter: @nitrosecurity) as well as, a "tweet" from RSA's SIEM Solutions Evangelist Paul Stamp (Twitter: @tknsecurityguy) and a recent post Paul Stamp in his personal blog.

The idea of combining Log Management and SIEM isn't novel (in fact it is several years old) but only recently has it become the "standard" for gaining "Enterprise Visibility" and then moving towards making security operations work more fluidly through the use of a SIEM. The combining of Log Management and SIEM is not trivial to accomplish but can be done quite well and adds huge value, if architected correctly.

The article explains the evolution of SIEM through the years, beginning with Perimeter Security "Use-Cases", moving through certain "Internal Monitoring" Use-cases and then describes how SIEM gained critical mass through "Compliance" Use-Cases. I will not debate the relevance of SIEM in each of these situations other than to say - Both the Log Management and SIEM's product sets are nothing more than tools. They can be a powerful resource in the right hands and have a great many potential applications, but the team wielding that power has to know how to apply it and when (and when not to). While it is true that some SIEM platforms are flexible enough to move beyond simple network security based use-cases, the complexity involved in making those transitions requires expert touch. Let's get these systems working correctly in security first then we can think about expansion into other areas (business intelligence, etc). There is no magic fairy dust here. It is hard work at each and every step, but there is a payoff. You can automate many labor intensive tasks including identification and escalation of alerts, which should free up some analytical cycles to find new and more complex activities that they can turn into "events of interest" for future correlation. BTW I didn't mean to dismiss the value of Log Management and SIEM outside the context of Security - it is possible (it requires great flexibility in the vendor solution but I know many organizations that have made interesting solutions work in very unique ways) I'm simply saying there is a lot more work we can do to get the actual security focused portion of these solutions to work better before we try and show value (and over exert our reach/resources) in other areas.

Let's keep working together to encourage the right partnership and evolution from our vendors! They are doing the best they can, but it is up to the community at large to focus them in the right direction.

SIEM Vendor Leapfrog

Recently, Log Management and SIEM vendors have spent a lot of time updating/fixing their products. Over the past few months some vendors have quietly passed over other solutions in terms of market relevance and certainly the door has been opened to a whole bunch of upstarts trying to make a name for themselves. While the majority of Log Management and SIEM business (and therefore product direction) is driven by compliance activities, I appreciate the forward movement towards enterprise security that many in the field are trying to make. The initial execution on that product vision I'm seeing from many of the vendors this year is very welcome. IMHO the entire space had gotten very stale with the big guys mainly focusing on compliance appliances or playing feature catch-up with one another. Here's my summary of what's going on in SIEM and Log Management so far in 2009.


My observations about recent SIEM and Log Management Vendor announcements and my thoughts about what is still needed to make it more effective for most customers.

1. Log Management appliance based solutions continue to rule the land. See ArcSight's last quarterly results announcement and extract from that the fact that something like 46% of product revenue was based on their appliances or talk with Intellitactics about their recent growth in SAFE Logging Appliance sales if you don't believe me. Splunk may be exception to that appliance rule as they continue to gain ground on everyone but the fact remains if you don't have a solid Log Management offering you're toast in 2009. Conversely, pure Log Management solutions have seen the importance of having a SIEM offering available to be able to effectively compete on larger accounts (see the link below about Log Logic partnership with ExaProtect as one example).

2. Some vendors are still playing feature catch-up adding things like Trouble Ticket Integration of Vulnerability Assessment Tool Integration. It is amazing to me that these are "new feature sets" in several products, but progress is progress and I'll take it. I'm still not thrilled with most vendors idea of integration being unidirectional SMTP based updates but it's a start. The idea of Vulnerability Management and then furthering that by full CMDB integration is awesome in theory but in many cases it is very hard to scale. This has made significant stride forward but in my mind much more is left to be accomplished.

3. Database Activity Monitoring seems to be catching on. Interesting given how difficult this really is to accomplish in an enterprise - Admin level monitoring is easy enough but field level and/or transaction level auditing like Oracle FGA is a non-trivial task to accomplish. Most vendors have approached this solution set through 3rd party product support (Imperva, Guardium, etc) but at least a couple have tackled this directly through development or acquisition.

4. Enterprise Visibility is a growing trend. I've previously stated my appreciation for having proper visibility across the enterprise. When NetWitness announced their free version of Investigator I posted my comments and review of the technology. Last year in my "Best Practices in Security Operations: Collection" post I expressed my thoughts on what it takes to really do Enterprise Security Operations correctly and that the foundation of the entire process is Collection. Part of that collection is filling in the gaps missed by other products and Full Packet Capture is an awfully powerful tool to have in your arsenal. Several vendors have announces partnerships with 3rd party providers and/or announced network capture/replay as an internal capability through development or acquisition (see NitroSecurity).

5. Hard stuff is still hard - Windows Event Logs, Custom Applications, CMDB Integration, Database Monitoring are all hard problems to tackle. No vendor has this perfect (how could we expect them to) but several have started to think about ways to make this easier, rather than just saying "start with critical systems" they are developing more reliable/scalable/flexible solutions. I'm interested to see how far the vendors get with the more complex logs and more meaningful IT operations integrations in 2009.

6. Relevant content is king. The default content (Correlation, Reports, etc) from most of the vendors is not going to work in your enterprise. Sure some of it works at least some of the time but seriously on average how could 1500+ reports ever apply to your environment. Content Tuning is the #1 area vendors can make these solutions more relevant and easier for customers. I believe this so much that Decurity has re-focused much of its energy to address this issue head on hey, it's my blog and I'll pimp if I want to.

7. Consolidation/Contraction. I do expect to see more industry consolidation. High Tower won't be the last failure and some of the big boys need to revamp their overall integrated solutions. The Log Management side may be commodity ready but SIEM is not (yet). I expect at least 2 more acquisitions/failures to occur in the space in the coming months and not necessarily because of bad technology. A great technology in the wrong hands or begin put against the wrong goals is no better than a crappy technology.

Additional Thoughts:
SIEM: The Fortune 100 seems to be saturated with products/solutions (a lot have failed and some are actually working) and they have plenty of war stories that hey are more than willing to share. The overall take-away is simple - you need to be ready to invest in success if you jump into SIEM, product flexibility, product expertise, documented internal requirements and perhaps most importantly internal processes/procedures for making it work.
Fortune 200-2000: I'm happy to see that many organizations are now starting to push-back on vendors (and their own management) after learning from the mistakes of others. I think they will take a more reasonable approach of making Log Management work first before moving to SIEM and when they get to SIEM I'm encouraged by the increasing trend of documenting actual use-cases and requirements.
Channel: Nearly all the of vendors are trying enabling better global channel programs and at least in Log Management these are very successful programs helping them gain foreign market share and SMB market in the US.

SIEM: Some idea's for improvement:
1. Most of the SIEM products require significant expertise to deploy, manage and maintain effectively. There is a good business there for the right partnerships and companies should leverage that expertise. Today the number of VAR's and Consulting organizations that really can be considered "expert" in this area can be counted on one hand. I still think the vendors are going to have to do better to make their SIEM products more user-friendly and that will require a true partnership with their customers.
2. If your SIEM can't correlate events (Raw or Meta events) between engines you should be pushing your Vendor towards making that work in 2009. Linear scalability is irrelevant you are going to need flexibility in the future. Even if your organization is not mature enough to use that functionality today, you will eventually get there, make sure your vendors are partnered with you to help you achieve your long-term goals.

LOG MANAGEMENT: Log Management will continue to grow across all market segments, no question. The overall channel effectiveness seems to be growing as the acceptance of appliance based solutions grows. Compliance is an easy driver for sales in Log MGMT but at some point the big customers will have to step up and require better and more scalable solutions from the vendors.

Log Management: Some idea's for improvement:
1.) Log Management solutions that attach to an in-house SAN is a great idea - but only if the SAN carve out is unlimited or at least sufficient enough that they aren't required to purchase additional appliances to scale to the enterprise.
2.) Better bi-directional support between Log Management and SIEM solutions is absolutely required. You have to be able to search one/both from a single location for these to gain better traction as combined offerings.
3.) Flexibility is going to be key moving forward. Splunk is gaining ground for a reason (and it is more than marketing). Integration of new event sources will continue to be a key issue.
4.) Content is also an issue on the Log Management end. Some vendors do a fantastic job and others need better partnerships or a renewed internal focus on relevant security content.


Recent Log Management and SIEM Product Update News and Links:
March 2009
Nitro Security Acquires Chronicle Solutions .
EMC RSA RSA releases enVision v4.0 And now Paul Stamp is over there helping them move the product further along!
NetForensics NetForensics releases NFX v4.1 .

Feb 2009
TenableTenable releases Database Auditing Capability
Q1Labs QRadar 6.2 was released. .
LogLogic partners with exaprotect
NetForensics HighTower was gobbled up by NetForensics. I'm reserving judgment for now.

Jan 2009
Nitro Security integrates Database Activity Monitoring (DAM) into SIEM.
eIQnetworks announces a new round of funding and management additions A lot of "buzz" around eIQ right now but I have yet to have the opportunity to see them in action in a global enterprise. I hear good things about their approach, but I'm always cautious.

Late 2008 News:
Symantec SIM v4.6 released" .
Trigeo seeks HighTower's customers Trigeo offered a competitive upgrade to former HighTower customers.
LogRhythm Version 4.1 Released
Sensage version 4.0 Released
Splunk v3.4.6 released I hear rumors of Splunk 4.0 coming this summer!
ArcSight Announces ESM 4.0 SP2 and ArcSight Logger 3.0 ArcSight Logger 3.0 was a VAST improvement over previous versions in terms of speed and capability.
Q1 Labs QRadar product was OEM'ed into Juniper STRM Products. An interesting play, very similar to what Protego did a few years ago (now Cisco MARS).

Combined Log Management and SIEM Architecture Benefits

The following notional diagram provides some basic recommendations to consider when deploying and managing Log Management and SIEM systems together.

A well-maintained Log Management and SIEM deployment can significantly reduce the time to Incident Identification and really enhance your overall information security capability. The diagram attempts to illustrate that all information from the Event Sources are processed through the appropriate Log Collection Mechanism and then forwarded to the Log Management System.

The Log Management system eats, stores and can regurgitate everything put into it. The Log Management Solution also can further refine the data set and forward only applicable events for analysis to the correlation engine (SIEM) through the use of intelligent “tagging” of events.

Overall data reduction is only part of the end goal, more importantly we want to ensure the right data is forwarded and evaluated so that we can gain from the overall efficiencies offered by the SIEM. In short we’re ensuring the system has the correct information available to it so that it can respond to the questions you want to ask of it and reduce the garbage as much as possible.



This post is a mirror of my post at http://blog.decurity.com
SIEM Best Practices: Combined Log Management and SIEM Architecture Benefits

SIEM Best Practices: Evaluation Criteria

SIEM Best Practices: Evaluation Criteria


Decurity often has the opportunity to our customers find the right Log Management and/or SIEM solution. We are honored that our customers trust us with that very important question so we wanted to take a moment and explain our requirements gathering/documentation process for vendor selection and hope that our explanation helps a few of more folks out there! We also get asked by Vendors on how they can improve their products, but that’s a entirely different blog post.

In March of 2008 I authored a couple of posts related to SIEM pre-requisites:

SIEM Best Practices: Very Basic SIEM Implementation Success Criteria and
SIEM Best Practices: Before you buy.

In those posts I tried to create a baseline of information customers looking to purchase and implement a SIEM solution should have before engaging the vendors. The point of those posts really boiled down to this idea: You must have a strong set requirements defined up front for the vendors to indicate how they meet that requirement. Allowing the vendors to "work their magic" and define your problems is roughly equivalent to handing them a blank check. Along those lines I wanted to highlight a strategy we employ when helping company’s to define their SIEM requirements by presenting a sample of the categories of questions we ask of the customer and the vendors during evaluation process.



A couple of quick notes before we begin with the listings:
1.) All of this assumes you’ve answered the initial “Key Problems we are trying to solve” question and the answer is something more tangible than to meet PCI,SOX, Audit requirements.
1a.) If events per second (EPS) is your key measurement you are looking at the wrong product set - seek out Log Management Tools first.
2.) It is also important to note that when we perform the evaluation each of these stated technical requirement categories breaks down into a dozen or more actual testing criteria that is prioritized according to your requirements The "Sample Questions" presented are only a very quick overview of the types of questions that fall into that category.
3.) This post is simply highlighting the fact that significant thought should be given to this decision. Don’t worry if you need help – we’re here.


Sample Categories of Requirements to consider:
Common Requirement Categories
Category (Sample Questions)
Access Control (Application, User, flexibility, inherited controls, etc)
Authentication (LDAP, SSO, AD, Internal, other)
Architecture (Reliable and Scalable)
Event Sources (Supported Technologies and versions, Connection Methods for each, Data Parsing Errors, Normalization Data Loss, Categorization Correctness, Structured/Unstructured Data Handling)
Log Management (Is the Integration Bi-Directional, easy to implement, etc)
Event Forwarding (Security, Methods, Low-Bandwidth options, etc)
Overall Security (System and the data)
External Integrations: (Tool Integration, Ticketing System Integrations, etc)
Storage Requirements (Compression, Costs, Management)
Storage Flexibility (NAS, SAN, Internal, Offline/Online, Tiered Storage)
Data Processing (Internally how does the system handle new event sources with uncommon field requirements "unstructured data")
Installation (Does the solution match our standards?)
Patching and Upgrade (Level of effort required for Minor and Major Versions)
Overall User Experience (Can I see what is important quickly and easily? Can I drill down quickly and intuitively?)
Standard Reporting (Easy, Flexible, Exportable)


Advanced Usage Requirement Categories
Category (Sample Questions)
Basic Alerting Criteria (Pattern Matching or Aggregation/Counting)
Basic Correlation (IF ,THEN, ELSE, AND, NOT, OR type Statements)
Advanced Correlation (Meta Analysis of enriched and/or raw data across technologies, time and result sets in real time.)
Statistical Analysis (Flexible event statistics that can be used in alerting or to enrich data sets for correlation)
Custom Reporting (Can I create my favorite report or extend it)
Data Mining (Can I easily look for patterns across the entire DB?)
Data Visualization (Can data viz be integrated and does it matter for me?)
Vulnerability Integration (Is the correlation useful for our environment and is the reporting useful?)
Network Modeling (How hard is to model our environment and what value is lost/gained?)
Asset Modeling (Can I easily assign systems to relevant categories and assign priorities, can I update them easily, etc)
User/Activity Modeling (Can we realistically “profile” users or activities and alert on deviations?)
External Threat Feeds (Does the vendor or a partner provide daily updates for Hotlists?)
Built in Mgmt Tools (Does the vendor provide a way of measuring the health of the system?)


Other Important Criterion
Category (Sample Questions)
Company Performance (This is becoming more and more a key decision factor.)
Support (What can I escalate, response times, expertise, RMA)
Thought Leadership (What is the vision for the technology?)
Training (Do I need 4 weeks of training to use the product? If so how many types of training opportunities are available?)
Services Support (Do I need 12 weeks of Services? How can I guarantee I don’t get the new guy? Is the team compensated on billability or Customer Success?)
Content Updates (How often can I receive content updates? Do I need constant "workshops" to move forward, Are there external providers that can help?)
Licensing Model (Price can be greatly affected by various pricing models, make sure you understand the total cost of all phases of your deployment before you begin).

This post is a mirror of my personal post on http://blog.decurity.com
http://blog.decurity.com/index.php/dec_template/more/siem_best_practices_evaluation_criteria/