Archive for the 'Articles' Category
Data retention bill expected next week
Thursday, September 21st, 2006
According to this CNET news,
A Democratic member of the U.S. House of Representatives said Thursday that she plans to introduce legislation next week that would force Internet providers to record customer information for one year.
Personally I think it’s stupid for the gov’t to create such mandate, especially for the reasons they are citing.
because members of Congress have “learned that Internet service providers and social networking sites have information that law enforcement needs when investigating pedophiles online, and that is the IP address on a particular date and time that will help identify those involved,”
It’s one thing that ISPs retain logs as best practices, e.g., for forensic analysis and troubleshooting, it’s totally another for the gov’t to make it a mandate.
I certainly don’t want anyone to nose around in my stuff. Total violation of privacy if you ask me.
EMC and Network Intelligence
Thursday, September 21st, 2006
Earlier we mentioned that EMC is buying Network Intelligence; there is now a bunch of analyst/editor comments out.
EMC and Network Intelligence: What it Means.
In the last few months, Novell bought e-Security and IBM got GuardedNet through its acquisition of Micromuse. Cisco grabbed Protego about a year ago and rumor has it that Oracle is about to buy either NetForensics or Intellitactics. It’s likely that HP, McAfee, and BMC are looking at other leaders like LogLogics as well as network behavior specialists like Mazu and Q1.
Building The New EMC, One Acquisition At A Time
Interesting comments from Dennis Hoffman, vice president of information security at EMC
Network Intelligence plays in three areas of the security industry, he said. The first is log management, a space where the leader is another company, LogLogic, San Jose, Calif., Hoffman said.
The second is event management, or the real-time processing of data for security purposes. “ArcSight is the leader,” Hoffman said. “There are lots of others in this space, too. Names you’ve never heard of.”
The third is security information management, which includes the reporting and forensic analysis of where security problems occur. Network Intelligence is the leader here, Hoffman said.
On a side note, here’s an article about ArcSight.
Ray Lane buys dinner - Who buys ArcSight?
One of ArcSight’s board members told me the company is hitting close to the $75m revenue number; that’s getting close to the magic $80m to $100m level that could initiate an IPO, except that the IPO market is in the doldrums.
SLA 104: Choosing the service hardware
Thursday, May 4th, 2006
Another article from my SLA series…
In this installment of a series on understanding service-level agreements, I’ll look at what you need to consider when choosing the hardware used to provide the services.
Service providers offer various hardware options depending on the nature of the security service for which users sign up. Some services will require the installation of dedicated hardware at the customer’s site or, if the service provider will be providing hosting services, in their cage. Some service providers host their own hardware in their own network operations center. Some provide the security service through hardware that is shared with many other customers.
Which option is better for your business depends on many factors, including your security policies, budget, trust in the service provider and the actual products used. In many cases, dedicated hardware may be more expensive than shared hardware.
SLA 103: Security Reviews
Thursday, April 13th, 2006
My third article on the SLA series, SLA 103: Security Reviews, is out.
Some service providers, as part of your security-services installation, include a free design review when you buy their managed security service. If your SLA doesn’t include such a review, try negotiating with your service provider to get it.
Some service providers require the customer to initiate the review process. If it’s not initiated within a stated time frame, the customer loses the opportunity to have the service performed. Be sure to understand the process by which you will obtain your security review and in what time frame your initial request needs to be made.
SLA 102: The Service Summary
Wednesday, March 29th, 2006
My second article on the SLA series, SLA 102: The Service Summary, is out.
In this article, I’ll focus on the service summary. In most SLAs, this section describes the service you will be receiving in general terms. Here are some of the areas you should keep in mind as you negotiate your contract with your service provider.
SLA 101: What to look for in a service-level agreement
Wednesday, March 15th, 2006
Computerworld is starting to publish a series of SLA 101 articles, written by yours truly: SLA 101: What to look for in a service-level agreement
Many IT administrators aren’t comfortable handing over control of the most critical security components of their infrastructure. But in recent years, security outsourcing has become a popular and viable means of lowering the cost of perimeter security management. More and more companies are outsourcing parts of their security infrastructure, including firewalls, intrusion-detection systems and virtual private networks, to managed security service providers (MSSPs).
Anyone thinking about outsourcing such a mission-critical aspect of their network should understand in detail the potential implications for their IT security infrastructure and their company as a whole. One of the biggest differences among providers of security services is the service-level agreement (SLA). In this five-part series of articles, we will dive deep into the various aspects of the SLA and attempt to explain in detail what the SLA should contain and why each of the items is necessary.
In general, an MSSP SLA should cover the following areas:
Opinion: Making the case for an audit standard
Wednesday, March 15th, 2006
Opinion: Making the case for an audit standard
Interesting article by Oracle’s CSO Mary Ann Davidson
Interpreting the Data: Parallel Analysis with Sawzall
Monday, February 20th, 2006
Someone on the loganalysis mailing list posted a link to a Google Labs paper: Interpreting the Data: Parallel Analysis with Sawzall.
It talks about a distributed aggregation and filtering method using Google’s Sawzall interpreted language. Very interesting paper, although the concept of applying distributed computing resources to do work in parallel is not new. LogLogic has implemented this concept to achieve massive parallelism and performance on log analysis for quite some time now.
The interesting part of the paper relates to its new language, Sawzall. It’s a new language designed specifically for simplicity and parallelism.
First, I don’t understand why they couldn’t have created Sawzall as a library for one of the existing languages such as Perl or Python. After some discussion with a Googler, I am somewhat convinced that there might be a good reason for a new language. The main reason is parallelism: most languages aren’t designed from the ground up to be programmed and executed in parallel.
However, I have to nitpick the performance example they gave in the paper. The benchmark test cases are all CPU-bound. Yet earlier in the paper, the authors said the applications for this language are mostly IO-bound. It would make more sense if they gave some IO-bound examples and still showed the performance advantage of Sawzall.
Another question I have is how much Sawzall relies on GFS. I am assuming that the parallel execution of Sawzall depends on many of the GFS features, but I have no basis for that.
Eight steps for integrating security into application development
Friday, December 9th, 2005
As a security professional and a developer, I have always been very frustrated by the carelessness of some developers when it comes to conforming to simple security practices. The most common problem I see is passing unchecked user input to system calls or database queries.
Ruby Qurashi’s article on Eight steps for integrating security into application development is a good summary of a process one should take to ensure security’s built into the applications from the start.
1. Initial review
2. Definition phase: Threat modeling
3. Design phase: Design review
4. Development phase: Code review
5. Deployment phase: Risk assessment
6. Risk mitigation
7. Benchmark
8. Maintenance phase: Maintain
The threat modeling step is, I believe, one of the most critical steps in this whole process. This is mainly because many application developers are not familiar with the various attacks that could be carried out against their software. This step would serve as great training for these developers.
If this step is performed correctly, the following steps will be much easier for everyone.
Good summary, worth reading.
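To illustrate the unchecked-input problem named above (input passed straight into a database query or a system command) beside the hardened form, here is an added example that is not from the post or the article it discusses. It uses an in-memory SQLite table and constructed sample inputs; the user names and the `users` table are assumptions.

```python
import re
import sqlite3

# Constructed sample inputs, the kind of thing a web form would submit.
SAMPLE_GOOD = "alice"
SAMPLE_BAD = "alice' OR '1'='1"   # breaks out of the string literal in string-built SQL
SAMPLE_SHELL = "alice; id"        # would be two commands if handed to a shell

# Allow-list for a username: what the value legitimately needs, nothing more.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def is_valid_username(value: str) -> bool:
    """Reject anything outside the allow-list before it reaches SQL or a command."""
    return USERNAME_RE.fullmatch(value) is not None


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # String-built SQL: the input becomes part of the query grammar.
    return conn.execute(f"SELECT id FROM users WHERE name = '{username}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Validate first, then bind the value as a parameter so the driver
    # never lets it alter the query text.
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()


def lookup_command_safe(username: str) -> list:
    # Build an argument list for subprocess.run(..., shell=False): each element is
    # one argv entry, so shell metacharacters in the value are never interpreted.
    # (The string-built equivalent, "id " + username with shell=True, is the unsafe form.)
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return ["id", username]


def demo() -> tuple:
    """Return (rows matched by the unsafe query, rows matched by the safe query)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    unsafe_rows = find_user_unsafe(conn, SAMPLE_BAD)   # the OR clause matches every row
    safe_rows = find_user_safe(conn, SAMPLE_GOOD)      # exactly the one intended row
    return len(unsafe_rows), len(safe_rows)
```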
The Top Five I.T. Control Weaknesses
Wednesday, November 30th, 2005
I am surprised I didn’t post this one. In any case, here it is.
The Top Five I.T. Control Weaknesses by Ben Worthen.
- Failure to segregate duties within applications, and failure to set up new accounts and terminate old ones in a timely manner.
- Lack of proper oversight for making application changes.
- Inadequate review of audit logs.
- Failure to identify abnormal transactions in a timely manner.
- Lack of understanding of key system configurations.
This is the sidebar for the article How To Dig Out From Under Sarbanes-Oxley.
Another sidebar for the same article, Sarbanes-Oxley Compliance and the CIO: Year Two.
Steps for managing risk
Wednesday, November 23rd, 2005
Good article on risk management on Computerworld by Samir Kapuria.
In this article, Samir describes a three-step process that a security assurance team should take for risk management. The only thing I would recommend changing is to separate the incident response step from the Application step. Right now Samir has both mixed into one.
The risk management process is continuous; it should never be considered a point-in-time solution.
Drilling Down on Security Data
Monday, November 21st, 2005
Q1 Labs’ entry into the SEM market. Seems like they are competing with the Cisco MARS product.
How to Fund a Startup
Monday, November 21st, 2005
A friend pointed me to this article on How to Fund a Startup by Paul Graham. Very good summary of the different funding options.
Evaluating Security Startups
Monday, November 21st, 2005
Richard Stiennon recently wrote an article on Evaluating Security Startups. In this article, Richard listed six rules that he uses to evaluate products from security startups.
Even though the article’s got some points, I can’t say I agree with everything he says. As an example, in the article, Richard said, “Security is all about countering threats.” Well, that’s not always true.
Security is really about risk mitigation. It’s about mitigating the risk of
As described in many of the CISSP materials, a risk is the possibility that something may happen and a threat is the specific use or attempted use of a risk.
Richard also said that, “many organizations mistake a need for data management, reporting, and records keeping as a security requirement.”
Well, again, if you are purely looking from a countering-threats perspective, this may be true, but that’s because Richard got it wrong in the first place. From a risk mitigation perspective, this is absolutely critical to do. In order to identify the risks inherent in any organization, you have to manage the data and be able to identify the risks that occur when users are using the systems. Users may not realize that they are violating any security policies, but the fact that they were able to do something outside of the access list should indicate a risk.
In the middle of the article, Richard said,
Do not make the mistake venture capitalists made in backing almost a dozen security event management (SEM) companies. Instead, ask yourself why you have so many security events to manage? Shouldn’t you be talking to companies that reduce your exposure and block attacks rather than those that help you manage your exposure?
Ok, I am speechless. I mean, that seems like a pretty narrow view of security. If all you are looking to do is reduce external exposure and block attacks, sure (even then, how do you guarantee that all attacks are blocked successfully?). But coming from Gartner, he should know that the majority of abuses are internal and they don’t come in the form of attacks.
Managing the infrastructure data is absolutely critical in mitigating risks (full disclosure, in case you didn’t see it on the right-hand side: I work for LogLogic, the log management company). Not only does it allow you to go back and figure out what happened when something goes wrong, the infrastructure data also lets you review history and identify possible risk areas, whether the risk is security or operational related.
In any case, the article raises good questions. I am not sure the answers are sufficient though.
Logs need attention, too!
Saturday, November 19th, 2005
Douglas Schweitzer had this to say regarding my article on Steps for preserving the integrity of log data.
He’s absolutely right. He has also previously written an article, Don’t Ignore Lowly Log Analysis.