Archive for the 'Reports' Category

2006 CSI/FBI Computer Crime and Security Survey

Friday, September 1st, 2006

Finally got a chance to read the 2006 CSI/FBI Computer Crime and Security Survey.

It’s definitely worth scanning through. There are some interesting findings:

  • Regulatory compliance related to information security is among the most critical security issues customers face.
  • Virus attacks continue to be the source of the greatest financial losses. ($15.7 mil)
  • Unauthorized access continues to be the second-greatest source of financial losses. (10.6 mil)

It’s also interesting that e-mail and web activity are used by over 50% of the organizations as effective security techniques. (page 17)

Not surprisingly, data protection is cited as the most critical security issue for the companies for the next two years. (page 24)

Report Quality NOT Quantity

Monday, November 29th, 2004

If you look at any of the SEM/SIM products these days, they all tout how many pre-built reports they have prepared for you. Most of them have a hundred or more, some even have a couple hundred!!

How are you ever going to have time to go through that many reports and find out if they are useful?!

If you look at the report names, they generally go like:

  • Connections by Source Address
  • Connections by Destination Address
  • Connections by Destination Port

That should be ONE report, not THREE!!! It’s a report that shows you the connections aggregated by a certain column!

Vendors should be building more flexible reports that allow users to configure the output. In the example above, the vendor can simply provide one report that has a configurable parameter for which column to aggregate on (GROUP BY in SQL terms). That way, users can configure the report however they like and then save all the parameters (aggregates, filters, sort order) as a custom report.

Be wary of vendors touting the quantity of reports as a competitive advantage. The two hundred or so reports may really only be 50 or so.
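
The single configurable report described above, sketched as an added example (not code from any SEM/SIM product): the table name `connections`, its columns, the function `connection_report` and the sample rows are all assumptions made up for illustration. Because a column name cannot be passed as a bound SQL parameter, the user-chosen GROUP BY column is checked against an allowlist, while filter values are bound normally.

```python
import sqlite3

# Columns a user may aggregate or filter on. Identifiers cannot be bound as
# SQL parameters, so the report only accepts names from this allowlist.
COLUMNS = ("src_addr", "dst_addr", "dst_port")

# Constructed sample connection records (documentation addresses, not real data).
SAMPLE = [
    ("10.0.0.5", "192.0.2.10", 443),
    ("10.0.0.5", "192.0.2.10", 80),
    ("10.0.0.7", "192.0.2.10", 443),
    ("10.0.0.7", "198.51.100.3", 22),
    ("10.0.0.5", "198.51.100.3", 443),
]

def load_sample():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE connections (src_addr TEXT, dst_addr TEXT, dst_port INTEGER)")
    db.executemany("INSERT INTO connections VALUES (?, ?, ?)", SAMPLE)
    return db

def connection_report(db, group_by, filters=None, descending=True):
    """One report: connection counts aggregated by a user-chosen column."""
    filters = filters or {}
    for name in (group_by, *filters):
        if name not in COLUMNS:
            raise ValueError(f"unknown column: {name!r}")
    where = " AND ".join(f"{col} = ?" for col in filters)  # values are bound
    sql = (
        f"SELECT {group_by}, COUNT(*) AS n FROM connections "
        + (f"WHERE {where} " if where else "")
        + f"GROUP BY {group_by} "
        + f"ORDER BY n {'DESC' if descending else 'ASC'}, {group_by}"
    )
    return db.execute(sql, list(filters.values())).fetchall()

# A saved "custom report" is just a stored parameter set for the one report.
SAVED_REPORTS = {
    "Connections by Source Address": {"group_by": "src_addr"},
    "Connections by Destination Address": {"group_by": "dst_addr"},
    "Connections by Destination Port": {"group_by": "dst_port"},
    "HTTPS Clients": {"group_by": "src_addr", "filters": {"dst_port": 443}},
}

if __name__ == "__main__":
    db = load_sample()
    for title, params in SAVED_REPORTS.items():
        print(title, connection_report(db, **params))
```

The three "pre-built" reports from the list collapse into three entries of `SAVED_REPORTS`, and a filtered variant costs one more dictionary entry rather than another report.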

Most Popular Log Analysis Reports

Sunday, November 7th, 2004

A while back on the loganalysis mailing list there was a long thread of discussion on the “most popular reports”.

Adrian Grigorof from EventID was nice enough to compile the list of reports from the discussion thread.