
Monthly Blog Round-Up – August 2010

Saturday, September 4th, 2010

Blogs are “stateless” and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting blog content. If you are “too busy to read the blogs,” at least read these.
So, here is my next monthly “Security Warrior” blog round-up of top 5 popular posts/topics this month.

  1. My super-rant about log analysis “Pathetic Analytics Epiphany!” has shot to the top like a pig kicked up in the ass by an irate giant. It is about how after looking at logs for so many years, we still use primitive approaches and primitive tools.
  2. Not surprisingly, my belated reading of the Verizon Breach Reports 2010 (“Verizon Breach Report 2010 OUT!”) is in my Top5. VzDBIR is pure awesomeness, as always!
  3. “Updated With Community Feedback SANS Top 7 Essential Log Reports DRAFT2”, “SANS Top 5 Essential Log Reports Update!” and their predecessor “Top5 SANS Log Reports Update DRAFT” finally beat the previous champion of a few months, “Simple Log Review Checklist Released!” Now I just need to document all the chosen favorite reports and submit them for community release.
  4. Career posts always get top scores automatically and “Skills for Work vs Skills for Getting Hired” is no exception. Just like its predecessor, “Myth of an Expert Generalist”, it got on my monthly Top 5 posts immediately, was featured on Reddit.com, etc, etc. The next career post is coming soon…don’t despair :-)
  5. News of sinking SIEM and log management vendors alluded to in “To Those Escaping from Sinking SIEM/Log Management Vendors” somehow made it to the top. Maybe links to SIEM jobs did it?
  6. “How Do I Get The Best SIEM?”, a companion to “On Choosing SIEM“, went to the top like lightning a few months ago and stayed there this month as well. If you are thinking of getting a SIEM or a log management tool, check them out and also look at related resources at the end of these posts. “The Myth of SIEM as “An Analyst-in-the-box” or How NOT to Pick a SIEM-II?” and ““I Want to Buy Correlation” or How NOT to Pick a SIEM?” also stay at the top – it seems like smaller organizations are looking at deploying SIEM and log management and there is a lot of interest in simple guidance on this.

Also, below I am thanking my top 5 referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog:

  1. Michał Wiczyński
  2. Raffael Marty
  3. Dancho Danchev
  4. Cédric Blancher
  5. JP Bourget

See you in September; also see my annual “Top Posts” - 2007, 2008, 2009!


Source:Monthly Blog Round-Up – August 2010

More : AntiVirus Premium

Fun Project Honeynet Log Challenge: Log Mysteries

Friday, September 3rd, 2010

Project Honeynet just released its latest Forensic Challenge 5 - Log Mysteries. It is based on logs from a compromised virtual server and requires quite a bit of digging through messy log data.

The Challenge:
Analyze the attached sanitized_log.zip [A.C. – get the logs here] and answer the following questions:

  1. Was the system compromised and when? How do you know that for sure? (5pts)
  2. If the system was compromised, what was the method used? (5pts)
  3. Can you locate how many attackers failed? If some succeeded, how many were they? How many stopped attacking after the first success? (5pts)
  4. What happened after the brute force attack? (5pts)
  5. Locate the authentication logs. Was a brute-force attack performed? If yes, how many? (5pts)
  6. What is the timeline of significant events? How certain are you of the timing? (5pts)
  7. Anything else that looks suspicious in the logs? Any misconfigurations? Other issues? (5pts)
  8. Was an automatic tool used to perform the attack? If yes, which one? (5pts)
  9. What can you say about the attacker’s goals and methods? (5pts)

Bonus. What would you have done to avoid this attack? (5pts)
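One way to start on questions 3 to 6 above, as an added example that is not part of the challenge or of the original post: a small Python script that tallies sshd authentication outcomes per source address over constructed syslog lines. The host name, user names, addresses and the threshold of three failures are all assumptions; the script only flags what the log shows and does not replace reading the raw lines.

```python
import re
from collections import defaultdict

# Constructed sshd lines in syslog format (not taken from sanitized_log.zip);
# the host, users and addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Apr 19 05:41:44 app-1 sshd[3491]: Failed password for invalid user admin from 10.0.1.2 port 51234 ssh2
Apr 19 05:41:46 app-1 sshd[3491]: Failed password for invalid user oracle from 10.0.1.2 port 51235 ssh2
Apr 19 05:41:49 app-1 sshd[3491]: Failed password for root from 10.0.1.2 port 51236 ssh2
Apr 19 05:41:52 app-1 sshd[3491]: Accepted password for root from 10.0.1.2 port 51237 ssh2
Apr 19 05:42:10 app-1 sshd[3501]: Failed password for root from 10.0.1.2 port 51238 ssh2
Apr 19 06:10:01 app-1 sshd[3600]: Failed password for invalid user test from 192.0.2.7 port 40000 ssh2
Apr 19 06:10:02 app-1 sshd[3600]: Failed password for invalid user guest from 192.0.2.7 port 40001 ssh2
Apr 19 06:10:03 app-1 sshd[3600]: Failed password for invalid user user from 192.0.2.7 port 40002 ssh2
Apr 19 07:00:15 app-1 sshd[3700]: Accepted publickey for alice from 198.51.100.5 port 50000 ssh2
"""

# Matches the timestamp, outcome, user and source address of an sshd auth line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def analyze_auth_log(text, threshold=3):
    """Per source IP: failures before the first success, successes, and failures after it.
    Lines are assumed to be in chronological order, as syslog normally writes them."""
    stats = defaultdict(lambda: {"fail_before": 0, "success": 0, "fail_after": 0, "first_success": None})
    timeline = []  # (timestamp, event, ip, user) for the significant events
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth outcome line; keep going
        s = stats[m["ip"]]
        if m["result"] == "Accepted":
            s["success"] += 1
            if s["first_success"] is None:
                s["first_success"] = m["ts"]
                timeline.append((m["ts"], "first successful login", m["ip"], m["user"]))
        elif s["first_success"] is None:
            s["fail_before"] += 1
        else:
            s["fail_after"] += 1  # attacker kept guessing even after getting in
    report = {}
    for ip, s in stats.items():
        if s["fail_before"] + s["fail_after"] >= threshold:  # assumed brute-force cutoff
            report[ip] = {"brute_force": True, "succeeded": s["success"] > 0,
                          "kept_going_after_success": s["fail_after"] > 0,
                          "first_success": s["first_success"]}
    return report, timeline
```

On the sample above, 10.0.1.2 is flagged as a brute-force source that succeeded and kept guessing afterwards, 192.0.2.7 as one that failed, and the key-based login from 198.51.100.5 is not flagged at all.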

Go get the challenge here and get to solving it – you have about a month. And, yes, there will be prizes too!

Finally, if you really want to make me happy (hehe…who’d want that? :-)), please invent a new approach while solving the challenge.


Links for 2010-08-30 [del.icio.us]

Friday, September 3rd, 2010


Another Fun SIEM Whitepaper

Friday, September 3rd, 2010

As promised, here is another detailed SIEM whitepaper called “A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security” that I wrote for a great team at Tripwire earlier this year.


“While recent economic troubles might have something to do with it, many organizations today seek to do only a bare minimum of security. To be more precise, they try to do what they think is the bare necessary minimum. Their perception that security “due diligence” can be reduced all the way down to the level prescribed by regulations, such as PCI DSS, is more common than ever today. An all too common result of this thinking is security breaches and other damaging events.

This trend has affected many security safeguards, and SIEM and log management are hard hit by this as well. It is very common to deploy these technologies in order to satisfy the compliance check box. In this paper we will analyze this trend and provide useful guidance for getting value out of SIEM and log management tools while focusing on protecting systems and data – and not simply on checking the box.”

Get the paper here.


LogChat Podcast 1: Anton Chuvakin and Andrew Hay Talk Logs

Friday, September 3rd, 2010

“LogChat” Podcast is born! Everybody knows that all this world needs is a podcast devoted to logs, logging and log management (as well as SIEM, incident response and other closely related subjects).

And now you have it - through the sheer combined genius of Andrew Hay and myself, Anton Chuvakin.

Administrative items first:

  1. We need a new name! We are not entirely happy with “LogChat” and, sadly, “LogTalk” is taken. Please suggest a name - if we pick yours, you get a free signed copy of my “PCI Compliance” book.
  2. We will post the transcript, not just the MP3 file - in a few days. If you have ideas for a good/inexpensive transcribing service, we are all ears. I will try Amazon Mechanical Turk first, but it might not be good enough for a technical podcast.
  3. Please also suggest topics to cover - even though we are not likely to run out of ideas for a few years. Our first topic today is new log source integration - if it sounds boring…well…listen first/judge second :-)
  4. We plan for this to be a monthly podcast. So, the next one will happen sometime early October.
  5. Any other feedback is HUGELY useful. Is it too long? Too loud? Not enough jokes? Too few mentions of the “cloud”? Feedback please! Who knows…maybe there are more PCI books left in my secret stash and you too will earn that glorious prize for the most useful piece of feedback :-)

And now, in all its glory - the podcast: the link to the MP3 is here [MP3].

Enjoy the log chat!



CEE Architecture Overview FINALLY Out!

Saturday, August 28th, 2010


To Those Escaping from Sinking SIEM/Log Management Vendors

Wednesday, August 25th, 2010


Silly Compliance Poll

Tuesday, August 24th, 2010


CEE Update – Aug 2010

Monday, August 23rd, 2010


Log Math

Sunday, August 22nd, 2010
