Little late posting this one today…better late than never!
Here’s the list for today:
Note to Universities: Web Sites Providing A Security Breach Playground – Remember when Universities were only breeding grounds for STDs?
While I was compiling the Educational Security Incidents (ESI) Year in Review – 2006, I noticed something interesting. Of the 83 information security incidents in 2006 reported by colleges and universities, 20 such incidents were due to Unauthorized Disclosure. Unauthorized Disclosure on ESI is defined as incidents involving the release of information to unknown and/or unauthorized individuals. In other words, Unauthorized Disclosure tends to involve employee or organizational mistakes at some level.
Management and security: Still separate but equal? – Should they really be separate?
I’ve said it before and I’ll say it again: It makes sense to use certain technologies to both manage and secure your network. Yet while vendors continue to provide integration between, say, configuration management software and endpoint security products, most companies are keeping the tools separate — for now.
Liability of reverse engineering – I’m not sure where I stand on this…
Christopher Hoff asks an admittedly naïve question: “If I … engage in reverse engineering of a product that is covered by patent/IP protection and/or EULAs that expressly forbid reverse engineering, how would I deflect liability for violating these tenets …”.
This reflects that while such issues are frequently discussed in our industry, few know what the words actually mean. For example, reverse-engineering a patent is a contradiction in terms, because you can just read the patent rather than reversing the code that implements a patent.
Automated Security Scanning Considerations – Good article.
I noticed a question on a listserv that I monitor. The person asked for an opinion on how an auditor might look at an automated vulnerability scanner that logs into the target host and performs local checks. Many vendors have been doing this for a while now. It is a great feature that really allows these tools to help companies ensure that their systems are maintaining compliance with company policies and procedures. It also assists with change management and security validation.
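To make the "logs in and performs local checks" idea concrete, here is an added example (my own code, not from the quoted post or any vendor's scanner) of the check logic such a scanner runs once it has a shell on the host: policy rules are evaluated against the text of a configuration file, and every finding carries the exact line that was checked, or a note that the directive is absent and the daemon default applies, which is what an auditor will ask to see. The sshd_config sample, the policy values and the daemon defaults it assumes are mine.

```python
"""
Added example: a minimal 'local check' engine of the kind an
authenticated vulnerability scanner runs on a host it has logged into.
Rules are evaluated against config text and each finding keeps its
evidence line.  The policy, the daemon defaults and the sample config
are assumptions made for the demo, not any product's rule set.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    key: str        # config directive (matched case-insensitively)
    expected: str   # value the policy requires
    default: str    # value assumed when the directive is absent (assumed default)
    rationale: str  # shown in the report so the auditor sees the 'why'


@dataclass
class Finding:
    rule: Rule
    observed: str
    evidence: str   # raw line checked, or a note that none exists
    compliant: bool


# Assumed organisational policy for sshd_config.  The 'default' column
# is what this demo assumes the daemon does when the line is missing.
POLICY = [
    Rule("PermitRootLogin", "no", "yes", "root must come in via sudo, not directly"),
    Rule("PasswordAuthentication", "no", "yes", "keys only on servers"),
    Rule("PermitEmptyPasswords", "no", "no", "never accept blank passwords"),
    Rule("X11Forwarding", "no", "no", "no GUI forwarding on servers"),
]


def parse_sshd_config(text):
    """Return {directive_lower: (value, raw_line)}, keeping the FIRST
    occurrence of a directive, which is the one sshd honours."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if not m:
            continue
        key = m.group(1).lower()
        if key not in seen:
            seen[key] = (m.group(2).strip(), raw.rstrip())
    return seen


def run_local_checks(text, policy=POLICY):
    """Evaluate every rule and return one Finding per rule."""
    cfg = parse_sshd_config(text)
    findings = []
    for rule in policy:
        if rule.key.lower() in cfg:
            observed, evidence = cfg[rule.key.lower()]
        else:
            observed = rule.default
            evidence = "(directive absent; daemon default applies)"
        findings.append(Finding(rule, observed, evidence,
                                observed.lower() == rule.expected.lower()))
    return findings


def report(findings):
    """Audit-style text: PASS/FAIL, expected vs observed, and evidence."""
    out = []
    for f in findings:
        status = "PASS" if f.compliant else "FAIL"
        out.append(f"{status} {f.rule.key}: expected {f.rule.expected!r}, "
                   f"observed {f.observed!r} | {f.evidence} | {f.rule.rationale}")
    return "\n".join(out)


# Constructed sample config for the demo (not from a real host).
SAMPLE = """\
# sshd_config (constructed sample)
PermitRootLogin yes
PermitRootLogin no          # ignored: sshd uses the first occurrence
#PasswordAuthentication no  # commented out, so the default (yes) applies
"""

if __name__ == "__main__":
    print(report(run_local_checks(SAMPLE)))
```

The first-occurrence rule in the parser matters: a host with `PermitRootLogin no` appended at the bottom of the file still permits root logins, and a check that took the last match would report it as compliant.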
Is Snort 3.0 going to be open sourced? – I think it would be a mistake to close the source on this now. It would only look bad on Marty.
This is a question which has come up recently and I understand was a recent topic on a Snort IRC channel. It seems recent comments by me and on our podcast have raised some questions about what the future course of licensing for new versions of Snort is going to be. I also spoke about this with Thomas Ptacek of Matasano a while back and we never finished our conversation. Obviously, I am not the final word on this topic and you should look at Sourcefire for the definitive answer. However, that being said, my understanding is that Snort 3.0 will have some license changes. My belief is it will still be open sourced and released under a GPL license as Marty Roesch has said many times. However, the licensing change, again from what I understand, will deal with people who embed Snort into their applications and under the current license do not fall under the derivative clauses of the GPL. So under Snort 3.0 there will be changes to the base GPL as to what constitutes a derivative work. My opinion is that in essence what is happening here is Sourcefire is going to move Snort to more of a dual-licensed system.
The five phases of recovering digital evidence – Part 2 in the series…
This is the second post in a series about the five phases of recovering data structures from a stream of bytes (a form of digital evidence recovery). In the last post we discussed what data structures were, how they related to digital forensics, and a high level overview of the five phases of recovery. In this post we’ll examine each of the five phases in finer grained detail.
Another educational institution, another SIEM eval – Most people, just like Michael Farnum, complain about the cost of a SEM/SIM/SEIM solution without taking the time to think about the people power required to do the same task. Think of the sick days, vacation, salary, and compensation package money saved on a product of this nature. Michael also complains that the correlation doesn’t work. Sure, out of the box it may not be able to handle all security events properly but that is where tuning comes into play. Just like any piece of hardware on your network you can’t expect it to work for every environment out of the box…it has to be customized to your environment and policies.
I went to another client of ours from an educational institution (this time in Dallas), and they were similar to the client I spoke of in my last post. However, this site seemed to be a bit more proactive when it came to security, and he didn’t seem nearly as stressed as the other client.
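The "correlation needs tuning" point above is easier to see in code. The following is an added example (mine, not taken from the post, from Michael's post, or from any SIEM product): one correlation rule, brute-force followed by a successful login, run over constructed syslog lines. Untuned it fires on everything that matches; the two small tables at the top, which hosts matter and which sources are expected to hammer logins, are the environment-specific tuning. Host names, addresses, thresholds and criticality scores are all assumptions.

```python
"""
Added example: a single SIEM-style correlation rule over constructed
sshd syslog lines, showing what 'tuning to the environment' changes.
Hosts, addresses, thresholds and the criticality table are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# The tuning.  Out of the box a rule knows neither of these.
ASSET_CRITICALITY = {"db01": 10, "ldap01": 9, "web03": 4, "lab-pc7": 1}
TRUSTED_SCANNERS = {"10.0.5.9"}   # e.g. the authenticated vuln scanner

FAIL_THRESHOLD = 4     # failures from one source against one host ...
WINDOW_SECONDS = 120   # ... inside this window, then a success => alert

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+)"
)


def parse(line, year=2007):
    """Parse one sshd auth line; return None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def correlate(lines, criticality=ASSET_CRITICALITY, allowlist=TRUSTED_SCANNERS):
    """Alert when a source has >= FAIL_THRESHOLD failures against a host
    within WINDOW_SECONDS and then logs in successfully.
    severity = failures * asset criticality; allowlisted sources are dropped."""
    failures = defaultdict(deque)    # (src, host) -> failure timestamps
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["src"] in allowlist:
            continue
        q = failures[(ev["src"], ev["host"])]
        while q and (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()              # expire failures outside the window
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= FAIL_THRESHOLD:
            weight = criticality.get(ev["host"], 2)   # unknown host: low default
            alerts.append({"src": ev["src"], "host": ev["host"], "user": ev["user"],
                           "failures": len(q), "severity": len(q) * weight})
            q.clear()
    return sorted(alerts, key=lambda a: -a["severity"])


# Constructed sample log (not a real capture).  Four stories:
#   db01    <- 203.0.113.7   one stale failure, then 5 in-window, then success
#   web03   <- 10.0.5.9      the scanner: 4 failures then success
#   lab-pc7 <- 198.51.100.4  4 failures then success on a throwaway box
#   web03   <- 198.51.100.4  2 typos then success (below threshold)
SAMPLE_LOGS = """\
Jan 15 03:10:00 db01 sshd[2200]: Failed password for root from 203.0.113.7 port 4400 ssh2
Jan 15 03:14:01 db01 sshd[2211]: Failed password for root from 203.0.113.7 port 4410 ssh2
Jan 15 03:14:03 db01 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2
Jan 15 03:14:05 db01 sshd[2213]: Failed password for root from 203.0.113.7 port 4412 ssh2
Jan 15 03:14:08 db01 sshd[2214]: Failed password for root from 203.0.113.7 port 4413 ssh2
Jan 15 03:14:10 db01 sshd[2215]: Failed password for backup from 203.0.113.7 port 4414 ssh2
Jan 15 03:14:20 db01 sshd[2216]: Accepted password for backup from 203.0.113.7 port 4415 ssh2
Jan 15 03:14:21 db01 sshd[2216]: Connection closed by 203.0.113.7
Jan 15 03:20:00 web03 sshd[901]: Failed password for root from 10.0.5.9 port 5000 ssh2
Jan 15 03:20:01 web03 sshd[902]: Failed password for root from 10.0.5.9 port 5001 ssh2
Jan 15 03:20:02 web03 sshd[903]: Failed password for root from 10.0.5.9 port 5002 ssh2
Jan 15 03:20:03 web03 sshd[904]: Failed password for root from 10.0.5.9 port 5003 ssh2
Jan 15 03:20:05 web03 sshd[905]: Accepted publickey for scanner from 10.0.5.9 port 5004 ssh2
Jan 15 04:00:00 lab-pc7 sshd[77]: Failed password for student from 198.51.100.4 port 6000 ssh2
Jan 15 04:00:10 lab-pc7 sshd[78]: Failed password for student from 198.51.100.4 port 6001 ssh2
Jan 15 04:00:20 lab-pc7 sshd[79]: Failed password for student from 198.51.100.4 port 6002 ssh2
Jan 15 04:00:30 lab-pc7 sshd[80]: Failed password for student from 198.51.100.4 port 6003 ssh2
Jan 15 04:00:40 lab-pc7 sshd[81]: Accepted password for student from 198.51.100.4 port 6004 ssh2
Jan 15 04:05:00 web03 sshd[910]: Failed password for deploy from 198.51.100.4 port 6100 ssh2
Jan 15 04:05:01 web03 sshd[911]: Failed password for deploy from 198.51.100.4 port 6101 ssh2
Jan 15 04:05:02 web03 sshd[912]: Accepted password for deploy from 198.51.100.4 port 6102 ssh2
"""

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS.splitlines()):
        print(a)
```

Run it untuned (`correlate(lines, criticality={}, allowlist=set())`) and the scanner's own login sweep is reported at the same weight as the attack on the database server; with the two tables filled in, the scanner disappears and the database alert sorts to the top while the lab machine sits at the bottom. That is the gap between "the correlation doesn't work" and "it was never told what this network looks like".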
Report available for WASC’s Distributed Open Proxy Honeypot Project – It’s quite a good report. Lots of detail.
Ryan C. Barnett, WASC’s Distributed Open Proxy Honeypot Project Lead, released his first Threat Report! This is wicked cool stuff.
That’s all for today…I’m busy 🙂
Andrew,
I never complained about the cost of SIEM, and I fully understand the load it can possibly take from having a dedicated resource watching logs. I am speaking from the standpoint of a reseller, and I am referring to what I hear from clients. Heck, I used to be a client, and I complained about it then as well.
A fact is that many companies do not have a dedicated resource to check logs now, so when they buy a SIEM, they are looking at pure dollars of the project, not a comparison to what it would cost to hire someone to do it. Most companies I work with never even consider that cost savings because they know it is not possible for a human to watch all of that and have a meaningful result.
And honestly, if they do have a resource looking at logs, do you think most companies go into a SIEM deal thinking about laying off a bunch of people when they implement it? Not the companies I deal with. Maybe the gargantuan enterprises do, but most reassign those people to other security and network tasks. So there is no tangible savings other than they have resources to put in other projects.
And when it comes to correlation, yes the brains are there if you set up the rules correctly. What I didn't quantify (and I should have – sorry) is that people want the intelligence more built in, with a way of discovering and mapping out the network and having more intelligence on knowing what devices "should" be considered important. Kind of a suggested model and then let you cut it back and change it how you see fit, rather than a complete blank slate. That's what I meant when I said we will always have that gap.
BTW, I work for Accuvant, and we are a Q1 partner (and you probably already knew that). I saw your stuff at that same client. I didn't get a close enough look at it, but the dashboard is very nice, and it seemed to do a good job at auto-recognizing logs coming from different devices being fed from a Syslog NG server.
Michael