Archive for February, 2005
Interesting papers on statistical analysis
Saturday, February 26th, 2005
OsAudit v0.1 (log gathering, monitoring and analysis) available.
Friday, February 18th, 2005
OsAudit version 0.1 is available for download.
OsAudit is a complete system for log gathering,
monitoring and analysis. It has two different running
modes: server and client.
For more information, go to:
http://www.ossec.net/osaudit/
http://osaudit.sourceforge.net
http://sourceforge.net/projects/osaudit/
For comments, suggestions or questions:
daniel.cid @ (at) gmail.com
Kewl ppl and projs
Thursday, February 17th, 2005
Met some really kewl ppl at the RSA show the last couple of days. Saw many of my old colleagues from Addamark, Cable & Wireless, and Exodus. Everyone’s walking the floor and chatting away.
Met Raffy Marty from ArcSight. He’s an SE over there. Seems like a really kewl guy. He’s started a mailing list on incident handling and stuff. When I get more info I’ll post it here.
Met a friend of Raffy’s (sorry, forgot the name) from OVAL.Mitre.org. He’s working on this new standard on describing how to check for vulnerabilities on hosts. Currently they have many of the host-based vulnerabilities described in OVAL. Definitely worth checking out.
This year’s show seems to be much busier than the last couple of years. From what I hear, the show was sold out quite a while back, unlike a couple of years ago when you could make a deal w/ RSA even a week before the show started. Hopefully that will indicate a great rooster year ahead.
RSA is a Biz Dev show
Thursday, February 17th, 2005
I manned the LogLogic booth for two days and I must have had a dozen people come by to try to sell us stuff or partner w/ us. Dell, Precise Terms, EventGnosis, etc etc etc. A long list of them.
Just thought it was interesting.
Interesting ArcSight Comments
Wednesday, February 16th, 2005
So I was at RSA today talking to the various SEM/SIM vendors. I talked to one of the ladies at the ArcSight booth and I asked her whether ArcSight is a good solution for a company that’s got a bunch of Windows and UNIX servers and getting about 500 messages per second. The lady said several interesting things.
First, “we don’t play the numbers game.” I was actually told by High Tower to ask ArcSight this question coz High Tower kept saying ArcSight can’t handle the volume. I am not sure how to take it. Not sure if ArcSight can’t handle the volume or they just don’t want to measure their software that way.
Second, “we are not just a SIM vendor, we are in ESM. SIM’s just a component.” ESM being Enterprise Security Management. It’s ArcSight’s new marketing campaign but I am not sure what it exactly entails.
Third, she asked me “does the company have $1 BILLION in revenue?” I was like, what?! NO! She then said, “well, we really focus on LARGE enterprise customers with revenue over $1 BILLION. That company really should look at someone like LogLogic. They focus on the Global 2000 companies.”
I just thought these were interesting comments. Draw your own conclusions obviously.
SHA-1 broken?
Tuesday, February 15th, 2005
From Schneier’s blog:
SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing.
The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper announcing their results
Definitely watch Schneier’s site for more information if you are interested.
More News during RSA
Tuesday, February 15th, 2005
More news…who’s reading news when they can be at RSA?!
ARCSIGHT Closes Record-Breaking Year, Welcomes 100th Customer
PR Newswire (press release) - USA
15 /PRNewswire/ — ArcSight, Inc., the global leader in Enterprise Security
Management (ESM), today announced that it has surpassed 100 customers,
driving …
GUARDEDNET(R) First to Enable Automated, Proactive Policy …
PR Newswire (press release) - USA
15 /PRNewswire/ — Today, during the 2005 RSA Conference & Expo, GuardedNet
announced automated, real-time policy monitoring and enforcement capabilities
in …
BMC Software and Consul Announce Global Adoption of Their Audit …
PR Newswire (press release) - USA
15 /PRNewswire-FirstCall/ — BMC Software, Inc. (NYSE: BMC), a leading
provider of enterprise management solutions, and Consul risk management,
Inc., a …
RSA News Day
Monday, February 14th, 2005
Seems like everyone’s trying to come out w/ some big news this RSA week.
LOGLOGIC’S VP of Product Management to Present at RSA Security …
Business Wire (press release) - San Francisco,CA,USA
This presentation will address one of the fastest growing issues in IT:
“log analysis.” During the session, the panel will discuss relevant topics
surrounding …
GUARDEDNET(R) Launches Latest Innovation in Security Information …
Yahoo News (press release) - USA
14 /PRNewswire/ — Today GuardedNet announced neuSECURE 3.0, the first
Security Information Management (SIM) solution to provide tailored views
of security …
INTELLITACTICS Nominated to Receive Coveted Reader Trust Award …
New Age Media Concepts - USA
… Intellitactics (www.intellitactics.com), provider the premier Security
Information Management solution for the largest, most challenging environments
in the …
TRIGEO Announces the Only SIM Product With Automated Remediation …
Market Wire (press release) - USA
… network attacks. Unlike traditional, passive security information management
products, TriGeo actively defends the network. TriGeo …
MANAGING the security deluge
Techworld.com - London,UK
… To achieve this, companies are turning to security information management
(SIM) software, which is designed to do for security what products such
as Tivoli …
SECURITY tops RSA agenda
iT News - Australia
… threat and vulnerability management. Also, eIQnetworks will launch
a security event management solution. The Network security Analyzer …
CONSUL Selected to Exhibit at RSA Conference 2005 Innovation …
Market Wire (press release) - USA
HERNDON, VA — (MARKET WIRE) — 02/14/2005 — Consul risk management, Inc.,
the worldwide provider of security event audit and compliance solutions
for the …
Test Run: GuardedNet neuSecure 3.0
Friday, February 11th, 2005
Greg Shipley has done a review for GuardedNet’s neuSecure product.
Security information management offerings are in mid evolution. One such work in progress, GuardedNet’s neuSecure, is a SIM platform worth watching. I tested an early beta of neuSecure 3.0 and found that, though it’s rough around the edges, it’s a clear step up from version 2.0.
What’s your experience with neuSecure?
Mail Readings
Thursday, February 10th, 2005
Logreport.org has some really good information on email log formats. Check it out.
Why IT Projects Fail
Monday, February 7th, 2005
A modified version of Five Business Mistakes of Log Analysis has been published in Computerworld’s Feb 7, 2005 issue.
Check Point tool to keep an eye on networks
Friday, February 4th, 2005
Check Point tool to keep an eye on networks
Check Point getting into the SIM space? Why?
Eventia Analyzer software licenses are expected to cost $1,000 per device.
Holy cow! I don’t know about you but that’s pretty damn expensive! On top of all that, you still need to get all the hardware to run it.
I don’t get it, why do they want to get into the crowded SIM market?
Update: seems like the article has been changed.
Eventia Analyzer software licenses will cost $18,000 per device, but just $1,000 on average per device when purchased in high volume.
HOLY COW!!
Common customer observations
Wednesday, February 2nd, 2005
Recently I have been traveling around to talk to our customers. I wanted to find out from them how they are using our products and what else they would like to see.
Some common themes:
- Give me performance, performance, performance. How many messages/sec you can parse is important, but how fast you can give me my report results is even MORE important.
- Don’t add anything extra that will slow down the reports or searches. When I troubleshoot, I need the report or search results in seconds, not minutes, not hours, and definitely NOT days like some products.
- Give me quick access (quick links) to reports from the dashboard. I don’t want to navigate a tree to find the report I use all the time.
- Integrate w/ my enterprise infrastructure. Integrate w/ my ticketing system, w/ my authentication system, w/ my ESM system.
- Don’t give me 10 different ways of doing things. Give me 1 way, the fast way, and make it consistent across the board.
- Give me the enterprise features. Give me true failover capability. Give me virtualization capability.
I guess some of these interesting observations tell me that users don’t generally have time to play w/ the flashy features. Instead, they want the fastest way to get to the most relevant and accurate data. They use that data to solve whatever problem is at hand and move on. This is especially true when it comes to operations people whose day-to-day tasks are to solve problems and fight immediate fires.
The old saying is also true: 80% of the users use 20% of the features, but a different 20% for every user.