Ok I can’t resist. I tried but I can’t. Let’s just get it out of the way that I’m a big ArcSight fanboi. Does it have it’s faults, bugs, and places that could use some TLC work/rework?; you bet. What software doesn’t though? Is it a powerful platform that can act as a force multiplier when it comes to your InfoSec program?; absolutely! Does it do stuff natively that other products haven’t even thought of?; only in ways I didn’t fully realize until using other products that leave me scratching my head in wonderment. Would I like to work at ArcSight if the right position came up that didn’t require a ton of travel?; yup. Might this post kill that chance?; doh – maybe.
So I’m reading the July/August Information Security magazine (pdf link) and I come across a full page ArcSight ad with a line that reads “Finely tuned to combat cybertheft and cyberfraud, the ArcSight ETRM (Enterprise Threat and Risk Management Platform) gives you better visibility of real-time events and better context for risk assessment, resulting in reduced response time and costs.”
Wednesday, December 7, 2011
Tuesday, October 25, 2011
Playing Sudoku in your metrics
This has been percolating in my head for a bit so figured I might as well get it out =). One of the best apps for the iPhone is Sudoku2 by fingerarts. If you aren’t familiar with the Sudoku here is a screenshot.
Each of the smaller boxes needs to have just one of the numbers 1 – 9 while each line vertical and horizontal line can also only have just one of the numbers 1 – 9. It really becomes a process of elimination based on the number you are trying to solve for and where it can go. For example, when I took the screenshot I was solving for 1s. Take a look at the bottom left box. Based on the intersection of other 1s, the 1s in this box have to be in the first vertical column although it isn’t known which of the two it might be (yellow cirlce). Because the ones are in that column though if you look at the top left box there is only one open box where the 1 could go (black 1). By filling that in there is only one open square in the top right square (red 1). And on you go through all the numbers.There was always a tickle in the back of my mind that there was a security analogy with Sudoku but it didn’t really hit me until a few months ago when I was trying to figure out a way to create a metric-y type view of some virus and incident data.
Wednesday, October 19, 2011
What's the value of chasing alerts and other musings
I don’t know what your thoughts on this are but I’m trying to work out an illustration on how the churn related to the hamster wheel of your run of the mill incident detection and response doesn’t really lead to a whole lot of increased security posture or reduced risk – at least not directly or by itself. Don’t get me wrong, that work needs to be done and isn’t a trivial component of your overall program. At the same time I think this is one of those things where activity doesn’t necessarily indicate/translate/equal accomplishment. Great – you cleaned X machines with Y malware. Next week it will be N machines with Z malware. Soooo….does that mean you are more or less secure than the month before?
I’m of the general opinion that an improved security posture/reduced risk/reduced exposure is a by-product of doing analysis on the information gathered from your incidents and using that to drive change in either various configuration settings or policies (or both). Not rocket science or an original thought really. Hopefully that makes some sense.
I’m of the general opinion that an improved security posture/reduced risk/reduced exposure is a by-product of doing analysis on the information gathered from your incidents and using that to drive change in either various configuration settings or policies (or both). Not rocket science or an original thought really. Hopefully that makes some sense.
Monday, October 17, 2011
Do you need a visionary or remodeler?
While watching Holmes on Homes this evening with the wife I was reminded of a comment Rich Mogull made after Steve Jobs passed; that we don’t have a Steve Jobs of security. The intersection of the two things is which does the security industry need? For those that aren’t familiar with the show it is basically about a general contractor, Mike Holmes, and his team who goes into houses and fixes what others have jacked up; either the initial builder or other contractors who have come in after the fact to do remodeling, expansion projects, whatever. This usually involves peeling back successive layers around the problem spots until the issues are found, remediated (in our vernacular), and the area brought back to a pristine state.
Part of the problem in my mind is our networks aren’t very tangible. No doubt we can touch routing gear, systems, etc. However, it is one thing to point out where the flow of water from the roof can pool around your foundation leading to issues and somewhat of another to point at where elements of your defense in depth implementation/points of possible exposure are weaker than others. Especially to non technical folks whose eyes glaze over quickly.
In the end I guess the answer to my original question is it isn’t an either/or. The industry could use folks better at both roles – visionaries and folks that can spot the issues and correct them. The more appropriate question is probably what does your company need and what role are you playing about either end of that need spectrum?
Part of the problem in my mind is our networks aren’t very tangible. No doubt we can touch routing gear, systems, etc. However, it is one thing to point out where the flow of water from the roof can pool around your foundation leading to issues and somewhat of another to point at where elements of your defense in depth implementation/points of possible exposure are weaker than others. Especially to non technical folks whose eyes glaze over quickly.
In the end I guess the answer to my original question is it isn’t an either/or. The industry could use folks better at both roles – visionaries and folks that can spot the issues and correct them. The more appropriate question is probably what does your company need and what role are you playing about either end of that need spectrum?
Saturday, September 17, 2011
SIEM is dead?
My life has been a wreck since Wednesday. That is when, according to John Linkous’ article, I found out SIEM is dead. Only now am I able to pull myself together enough to write this. It certainly isn’t because I have been busy extracting value out of what we are currently using in that technology space and am now chillin in a Chick-fil-A while a few things get looked at on my car.
Oyie – how to write this. My reaction to his article swung between humor and WTH is your expectation of what value a SIEM provides? I will try to summarize and talk a little to each of this three points.
Oyie – how to write this. My reaction to his article swung between humor and WTH is your expectation of what value a SIEM provides? I will try to summarize and talk a little to each of this three points.
Friday, September 9, 2011
A few thoughts on Symantec's MSS
Looking back I’m sort of surprised I haven’t really written anything about Symantec’s MSS yet. On some level I’m guessing the ArcSight folks might have thought I was beating them up a little in some of my posts but for whatever reason I’m not as inclined to do that with this. I think maybe it has something to do with making my momma proud and listening to the old adage of ‘if you don’t have anything nice to say….’ Don’t get me wrong, Symantec’s MSS has some great people and has been good as a service that detects and alerts on bad stuffs.
Saturday, September 3, 2011
Monitoring business segments
I think we have all heard the ‘best practice’ that speaks to monitoring portions of your network. The question is how do you do that even from a strictly network traffic view given the volume of traffic you are likely to see. I mean we can all talk ethereally about taking things piecemeal/not trying to boil the ocean, establishing baselines, monitor for anomalies because AV as a whole isn’t as trustworthy as we would like it to be from a detection standpoint. My question is how are people doing this?
In my old job I used ArcSight to create an approach that while worked and addressed a number of areas I’m not sure it was the best. Perhaps sharing this will spark some discussion or if nothing else help someone else get a step farther down the road if they are trying to do the same thing.
In my old job I used ArcSight to create an approach that while worked and addressed a number of areas I’m not sure it was the best. Perhaps sharing this will spark some discussion or if nothing else help someone else get a step farther down the road if they are trying to do the same thing.
Saturday, August 20, 2011
Where do you sit in the boat?
 |
| pic found on Google images |
I once took a sailing trip with my dad and 2 family friends across Pamlico Sound to the Outer Banks in NC. The sound is relatively shallow and on this particular day we had some pretty good sized rolling waves going on. I tried to find a picture to help convey the scene and this was the closest I could find. We were heeling the boat over pretty good though not quite to the extreme shown in the picture. At one point I was sitting about where the guy in the red pants has his left foot. I’m inches from the water, the edge of the boat is underwater similar to the picture, and the rest of my view is blocked by the sail – basically a 1 foot square view with water RIGHT there. With my limited view and position every time a wave came along from the other side of the boat it felt like we were going to capsize. After a couple of minutes of sitting there staring into the water it started to become hypnotically depressing. I finally stood up and by doing just that it totally changed my perspective. Nothing about how we were sailing the boat had changed but now I could see the sky, the horizon, and the waves before they hit the boat.
Saturday, August 6, 2011
Where do you fit on the chart?
It’s been too long since I have written. The problem, as it were, is I have had some ideas to write about but they are either incomplete or they are still percolating in mah head. I guess that isn’t too far from being the same thing. At any rate, the other day….actually the other week now that I think about it…I was working on some visualization and metric stuffs and had the thought to create the following tongue in cheek quadrant chart.
Wednesday, June 29, 2011
Are you using the tools you have?
I was going to write a quick blog entry comparing ArcSight as a SIEM to Symantec’s MSSP services which my current company is using. While there are pros and cons there is a bigger thought that keeps bubbling to the surface. For as much as our industry whines talks about the need for more innovation from vendors – no one is looking at the tools they have!
Saturday, June 4, 2011
Low hanging fruit vs sour grapes
While on a drive today I got to thinking about low hanging fruit and came up with a Runalism. Will have to vet this over time.
Generally speaking, the difference between low hanging fruit and sour grapes is perspective.
Generally speaking, the difference between low hanging fruit and sour grapes is perspective.
Friday, June 3, 2011
Incremental changes and long term benefits
For those that don’t know, my wife and I have lead several groups though Dave Ramsey‘s Financial Peace University (FPU). Very cool stuff; YOU should look into it. That something like 70% of Americans, regardless of income level, live paycheck to paycheck is horrible. The group that we just finished up with had two folks in the medical field. At one point we got to talking about the long term cumulative effects incremental changes and small efforts can have (positive or negative) in your life from both a health and financial perspective.
That got me to thinking about InfoSec and if the line of thought and other FPUisms translated over. I came up with a couple ideas.
That got me to thinking about InfoSec and if the line of thought and other FPUisms translated over. I came up with a couple ideas.
Thursday, June 2, 2011
SIEM alerts and an analogy to help people 'get it'
It may just be me but does anyone else struggle with people in general and over-arching 'management' not really getting it that when you get or see a security based event from your LM or SIEM; that this is just the beginning of a process and not the end? I mean they say they get it but you just have this feeling that they really don’t get it? Now I’m not saying my statement reflects my current management, it is more a generalized observation as you start to bring people into the conversation who might not have been exposed to this sort of technology or the exposure is limited to a conversation about needing to monitor something. And there is a level of irony as some of these folks are in the actual vendor space.
I’m sort of an analogy guy and this has been one of those things that has plagued me for some years now – what is a good equivalence that helps people get it? I thought of one today that might work but still feels sort of rough. Figured I would use this as a sounding board and hopefully get some feedback. Who knows, maybe just putting it down on paper will help refine it.
While driving around in your car you generally are vaguely aware of, but may or may not pay a whole lot of attention to, your gas gauge. Some probably have more of an alert mentality and wait for the gas to get to the last X% when you get the audible chime indicating you are low. You now are more focused on the situation and ‘remediate’ the issue by stopping off at a gas station and filing up. I think this is somewhat analogous what ‘management’ thinks of when they hear things along the line of monitoring alerts. That the process is generall closed and ends when you get the alert. Alert > gas station > fixed. The problem is that isn't what we are talking about. SIEM/LM alerts, I think, are more akin to all of the gauges in your car that don’t even show until there is an issue. Things like low oil pressure, over heating, your engine service light. Any of those things coming on means something isn’t right somewhere but unless you pop the hood and/or break out some diagnostic equipment you don't know the severity. Could be a complex, multi-component breakdown or just something a little out of whack that takes a simple fix. Oh and don't forget the number of things that can happen to your car that you don't have a gauge for: breaks, suspension, tire alignment, etc. Multiply that picture by the number of end point systems you have in your environment and I think we are getting a little closer to a decent analogy. The point is the alert often isn't actionable other than letting you know you need to start an investigative process.
What do you think - does it work? Do you have suggestions, tweaks, or better analogies that have worked for you as you try to convey to people that monitoring alerts is more than just sitting around waiting for them to pop in your inbox?
I’m sort of an analogy guy and this has been one of those things that has plagued me for some years now – what is a good equivalence that helps people get it? I thought of one today that might work but still feels sort of rough. Figured I would use this as a sounding board and hopefully get some feedback. Who knows, maybe just putting it down on paper will help refine it.
While driving around in your car you generally are vaguely aware of, but may or may not pay a whole lot of attention to, your gas gauge. Some probably have more of an alert mentality and wait for the gas to get to the last X% when you get the audible chime indicating you are low. You now are more focused on the situation and ‘remediate’ the issue by stopping off at a gas station and filing up. I think this is somewhat analogous what ‘management’ thinks of when they hear things along the line of monitoring alerts. That the process is generall closed and ends when you get the alert. Alert > gas station > fixed. The problem is that isn't what we are talking about. SIEM/LM alerts, I think, are more akin to all of the gauges in your car that don’t even show until there is an issue. Things like low oil pressure, over heating, your engine service light. Any of those things coming on means something isn’t right somewhere but unless you pop the hood and/or break out some diagnostic equipment you don't know the severity. Could be a complex, multi-component breakdown or just something a little out of whack that takes a simple fix. Oh and don't forget the number of things that can happen to your car that you don't have a gauge for: breaks, suspension, tire alignment, etc. Multiply that picture by the number of end point systems you have in your environment and I think we are getting a little closer to a decent analogy. The point is the alert often isn't actionable other than letting you know you need to start an investigative process.
What do you think - does it work? Do you have suggestions, tweaks, or better analogies that have worked for you as you try to convey to people that monitoring alerts is more than just sitting around waiting for them to pop in your inbox?
Tuesday, May 24, 2011
What influences your day to day decision making?
Does your strategic vision drive your tactical focus or do your tactical decisions turn into your strategic vision?
Will you have the same answer when you look back in six months?
Will you have the same answer when you look back in six months?
Friday, May 6, 2011
The mortar between your defenses
The other day I read a bit by Andreas M. Antonopoulos on Networkworld about how to be an effective security buyer. Of course when it came to finding the article again when I wanted to write this….I couldn’t find it. +1 to the Interwebs though because Mike Rothman over at Securosis mentioned it in Wednesday's Incite 4 U. Andreas’ advice seems to be when you are buying security tools to not buy something designed to fulfill a singular function. Instead go for multi-purpose tools that can cover down on multiple areas. I think the idea somewhat boils down to knocking out two birds with one stone + it sucks to have to look at one dashboard for each tool you have. Enterprise resource scaling aside though I tend to agree with Mike’s take. What really stood out to me was an analogy Andreas used:
Tuesday, May 3, 2011
SIEM/LM Analyst Training part 2
The conversation in a meeting the other morning led to a thought…well more of an analogy really. It struck me that in some respects a SIEM/LM analyst or content creator is similar to an auditor. What I mean is you have groups of people devoted to keeping lights blinking be that AV, endpoint management, FW, etc. And then you have groups of people outside of care and feeding group(s) that try to distill value out of either those systems’ configuration or logs to some ends leveraging some other toolset be that specific or multiple compliance requirements or SIEM/LM tools. Auditors and SIEM/LM analysts (at least the tools they use) are sort of a force multiplier in a very loose algebraic sense:
Wednesday, April 27, 2011
How do you address training for SIEM/LM analysts?
I struggled a bit with the title but bear with me.
The question arises from time to time and especially now that I am at my new job where we are being asked to submit training requests for next year’s budget cycle – what training would you like to get/attend? Good question. The challenge in the SIEM-esque/LM space (IMHO) is you are getting events from any number of disparate systems which you may or may not have familiarity. My experience is generally there is a team of folks devoted to the care and feeding of a particular piece of technology but they usually don’t actually look at the (log) data coming out of it with an eye towards taking action – they are focused on making sure the blinking lights stay blinking. You come in at the critical juncture point of marrying up conceptual detection use cases to the technical exercise of extracting value out of the logs the blinking lights produce. So how do you bridge that knowledge gap or do you even approach the subject of getting training with an eye towards this gap or leverage the "training" opportunity to dive into other areas?
I sure would be interested in how people have tackled this issue. A “Just in Time” 3rd party SME type education model appeals to me but would guess most shops don’t have enough people (or able to free up enough people) to justify the expense of hosting custom training on-site. No doubt shop maturity factors into the discussion. The SANS Intrusion Detection In-Depth class looks pretty good and looks like it covers a decent swath of topics. Have folks found any other good general type courses or do you tend to focus in on specific items/threat types of training with an eye towards “reverse engineering” your knowledge relative to the specific data streams you have coming into your solutions?
The question arises from time to time and especially now that I am at my new job where we are being asked to submit training requests for next year’s budget cycle – what training would you like to get/attend? Good question. The challenge in the SIEM-esque/LM space (IMHO) is you are getting events from any number of disparate systems which you may or may not have familiarity. My experience is generally there is a team of folks devoted to the care and feeding of a particular piece of technology but they usually don’t actually look at the (log) data coming out of it with an eye towards taking action – they are focused on making sure the blinking lights stay blinking. You come in at the critical juncture point of marrying up conceptual detection use cases to the technical exercise of extracting value out of the logs the blinking lights produce. So how do you bridge that knowledge gap or do you even approach the subject of getting training with an eye towards this gap or leverage the "training" opportunity to dive into other areas?
I sure would be interested in how people have tackled this issue. A “Just in Time” 3rd party SME type education model appeals to me but would guess most shops don’t have enough people (or able to free up enough people) to justify the expense of hosting custom training on-site. No doubt shop maturity factors into the discussion. The SANS Intrusion Detection In-Depth class looks pretty good and looks like it covers a decent swath of topics. Have folks found any other good general type courses or do you tend to focus in on specific items/threat types of training with an eye towards “reverse engineering” your knowledge relative to the specific data streams you have coming into your solutions?
Thursday, March 31, 2011
Is ArcSight harder to use?
Interestingly enough (if I read Google Analytics correctly) the post I created back at the beginning of November related to the question of is ArcSight hard to use was the most visited page over the last month. In fact I think it has been on or towards the top of the list since I posted it. Since I have some time on my hands I figured I would write a sort of follow up to that post. Once again I will state that my only SIEM experience is with ArcSight so maybe someone will speak up for the other SIEM engines out there and/or tell me if I’m way off base.
I still maintain asking if something is “hard”, generally speaking, often only gets you only so far. Having some context implied in your question might get you an answer closer to what you really are looking for. Is calculus hard? Depends on who you are talking to. Is calculus harder than basic algebra? Yup. Is “ArcSight” hard to use? Depends on who you are talking to. Is ArcSight harder to use than some other SIEM? Ahh now we are getting somewhere. I did have sort of an interesting thought while reading the SIEM implementation book I wrote a review of back in January (at least it was interesting to me).
I still maintain asking if something is “hard”, generally speaking, often only gets you only so far. Having some context implied in your question might get you an answer closer to what you really are looking for. Is calculus hard? Depends on who you are talking to. Is calculus harder than basic algebra? Yup. Is “ArcSight” hard to use? Depends on who you are talking to. Is ArcSight harder to use than some other SIEM? Ahh now we are getting somewhere. I did have sort of an interesting thought while reading the SIEM implementation book I wrote a review of back in January (at least it was interesting to me).
Monday, March 28, 2011
How to boil the ocean
I did a very (non)scientific experiment this morning with the idea of trying to see the best way to boil the ocean….well ocean by proxy anyway. I took a liter of water and slowly added it a bit at a time to a pan and timed how long it would take to come to a decent boil; was a little over 6 minutes. Cooled the pan down, filled it with another litter of water, set the heat at the same place, and timed it. This time it took just over 8 minutes to get to about the same state.
What’s the point other than having too much time on my hands? Am guessing you might have heard the cliché “don’t try to boil the ocean.” Relative to SIEM stuffs I take a few things away from my little experiment that are all interrelated:
What’s the point other than having too much time on my hands? Am guessing you might have heard the cliché “don’t try to boil the ocean.” Relative to SIEM stuffs I take a few things away from my little experiment that are all interrelated:
Friday, March 11, 2011
SIEM Maintenance Support Costs and Returns
Anton Chuvakin recently wrote up a great blog article discussing SIEM associated costs. While it is my attention to write a longer post here to go a little more in depth on a comment I made in his article I wanted to post something quickly about a line item that probably doesn’t get a whole lot of attention after the bean counters and upper management have done their thing and papers are signed…until something breaks or there is a technical issue of one flavor or another.
Sunday, January 30, 2011
Book Review - Security Information and Event Management (SIEM) Implementation
In short – if you have been “doing” SIEM for any length of time you probably won’t get a whole lot out of this book. Conversely if you are starting to venture down the SIEM path you might want to pick it up.
I first read about this book on Dr. Anton Chuvakin’s blog. Even though his review was less than stellar, he did give it 4 stars (I'd give it 2.5). Similarly although the book’s title includes “implementation” and I have been using ArcSight for a little over two years now so I figured I would give it a shot. I was hopeful…and ended up sort of disappointed. Don’t get me wrong; I appreciate the time and effort the authors put into the book. There really isn’t a whole lot of SIEM type information “out there” which is one of the main reasons I started my own SIEM-esque blog. I think this book has the most value if you haven’t bought a SIEM through 3 or 4 months into your SIEM deployment as a way to level set the conversation (though the first part of the book is very basic).
Saturday, January 8, 2011
ArcSight - The SIEM Lego Set. Take 2
I wanted to post something a little more positive when it comes to the ArcSight Lego concept. Several months ago a group at work was charged with justifying a particular line item of their budget relating to the use of online resources and subscription fees. What they didn’t have was a way to link users to particular site browsing. The issue was bounced around just a bit until it hit my plate and with ArcSight’s feeds the solution was fairly easy to craft (though the devil is in the details). Everyone’s environment is different and different vendors/solutions generate different logs. Again, I don’t have access to other SIEM solutions so not sure how easy or hard coming up with a similar solution would be. While this isn’t specifically a security use case, the concepts or individual elements could be useful for one down the road. I have reused the login tracker a number of times.
Subscribe to:
Posts (Atom)