
Using a SIEM to *properly* identify the *really* important stuff

I found this article, written by Paul Stamp, that talks about using your Security Incident and Event Management (SIEM, sometimes written SEIM) system to identify the really important stuff. In his post he states that:

A good SIEM system should be able to analyze all the event data and contextual information it has at its disposal to alert only on that really important event – when a critical vulnerable server is being attacked.

This is, of course, true. You purchase a SIEM solution to assist in the identification of events of interest (EOI) but, contrary to what vendors will tell you, it’s not as simple as plugging their solution into your network and turning on all of the canned rules. Although vendors try their best to create blanket rules that apply to the different types of environments, such as University vs. Enterprise, PCI vs. SCADA, and so on, the truth is that the vendor cannot take all possible scenarios into account when defining their rules. What traffic looks like in one PCI-enforced environment might not be the same as another, or any other for that matter.

No matter what your vendor tells you before you plunk their solution into your network, you need to account for a rigorous tuning exercise as part of your implementation plan. You must also plan for tuning updates at regular intervals throughout the life of the solution to account for change, updates, etc.

As with any solution, take what the vendor says with a grain of salt.

Security Catalyst Post – Do as I Say, Not as I Do

Here is a snippet of my latest Security Catalyst post entitled Do as I Say, Not as I Do:

Security professionals have a duty to promote security in the enterprise. In fact, most professionals take on the role of a “security herald” for their organization or customer quite seriously. At the end of the day, however, many practitioners pack up their things, make their way home, and completely throw all of their beliefs out the window.

The sad and unfortunate truth is that security professionals do not always practice what they preach.

You can read the entire article here. I hope you enjoy it.

Using Common Sense With Social Media

Twitter, like a hammer, is a tool. Many wouldn’t think to bring a hammer to a wedding, board meeting, or maybe even to a super secret trip. One House Intelligence Committee member however, who would probably have been better off bringing a hammer instead of his Twitter-enabled device with him, let slip a secret Iraq trip on Twitter last Tuesday.

Rep. Peter Hoekstra, R-Mich., announced on his Twitter feed a congressional trip to Iraq that he had been told to keep secret before leaving Washington D.C. The first tweet, sent on Tuesday, announced:

“Heading to Iraq and Afghanistan weds night. I’ll update on twitter and web pg as links are available. I’ll be back in touch mid next week,”

The second, sent just after he landed in Baghdad, stated:

“Just landed in Baghdad. I believe it may be first time I’ve had bb service in Iraq. 11 th trip here.”

Common sense would dictate that if you were told to keep something secret, you probably shouldn’t talk to people about the aforementioned secret. Common sense would also dictate that if you were assigned to the House Intelligence Committee, you should be fairly adept at keeping secrets.

The ironic part of this whole debacle is that in a January 13th, 2009 opinion piece, entitled Our Broken CIA and the Death of Innocents, he stated:

I have been long concerned that some within the agency have intentionally undermined the Bush administration and its policies over the last few years. This argument is supported by the Valerie Plame case, and the long string of unauthorized disclosures to the news media from an organization that prides itself on being able to keep secrets.

I guess that opinion piece excluded his personal use of Twitter.

Social media technologies, like Twitter, need to be treated with care and respect. They can be a fun tool to keep in touch with friends and family or, when improperly used, just as dangerous as leaving a manila envelope of state secrets on a public bench.

Congressman Hoekstra kept posting his every move on Twitter and has not yet had his BlackBerry taken away from him. I suspect that this issue won’t be addressed until he gets back home but the Congressman may want to start thinking about no longer using Twitter at work.
