A Way of Thinking about Big Data and Security
I often get asked questions like, “I like Splunk, but how much data should I be collecting for security purposes? Is there such a thing as too much data? How do I know what matters in my data?”
These are good questions, but unfortunately the answer really can be, “it depends.” I still believe there’s no such thing as too much data for security purposes if you are using Splunk. For me there are only two types of data: the data you are using for security, and the data you’ll need later that you didn’t think you needed at the time. There will come a time when security folk will be looking at the fidelity of the data as an…
Cognitive Splunking
Big data, Creativity and What I Learned On My Summer Vacation…
Vacations are good for you. You get a chance to decompress, experience new things and sometimes look at things in a new way or make a connection between things that at first glance may not seem connected at all. When I go on vacation I try to let my mind wander. Usually, I get rewarded with an epiphany or two that I take back to work when the vacation is done.
This vacation I read Imagine: How Creativity Works, by Jonah Lehrer, 2011, published by Canongate, London. At 253 pages, it wasn’t a very long read, but as a former security practitioner it got me thinking a lot about the role of imagination and creativity in a security practice.…
APAC Partners “Splunk Apps of the Year” Competition
Use Cases, Use Cases and more Use Cases. During the APAC Partner Kick Off, we crowned a few apps and named them the “Splunk Apps of the Year”. Before that, we had put out a Call for Submissions back in December 2011 and invited all our APAC partners to participate in this competition. The response was overwhelming: we received 15 best-of-breed apps that showcase just how Splunk can be used across industries.
Bound by a set of Judging Criteria, we began the arduous task of scoring the apps. There weren’t any firm conclusions, as each and every one of the apps was stellar, and we had to go through 23 rounds of debates and discussions…
Splunk and the Cybersecurity Act of 2012
“The United States confronts a dangerous combination of known and unknown vulnerabilities in the cyber domain, strong and rapidly expanding adversary capabilities, and limited threat and vulnerability awareness.”[1]
I recently listened to the final set of hearings on The Cyber Security Act of 2012. The bill was developed, “…in response to the ever-increasing number of cyber attacks on both private companies and the United States government.” The bill is really about critical infrastructure protection as may be managed, owned or operated by either the government or the private sector. It’s a bi-partisan bill and combines efforts from past sessions from the Senate Committees on Commerce, Homeland Security and Governmental Affairs, and Intelligence Committees. The bill would empower the Department…
Three Splunk 4.3 features security pros should start using today
There is a lot to like in Splunk 4.3 for security use cases, but three items should be of particular interest to security professionals.
Sparklines – Adding Time to Tables for Reporting
I use tables of information in several of the security reports I create. Usually I’ll want to track a particular type of event and include the number of times it happens along with an average over a period of time. This allows me to benchmark a particular threshold and use that as the impetus for an investigation. For example:
I want to track the number of successful accesses against assets where critical data is stored over a twenty-four hour period by user. My table will contain the name…
Big-data for Security: A new strategy against hackers
The recent article, “China Hackers Hit U.S. Chamber,” in the Wednesday, December 21, 2011, online version of the Wall Street Journal highlights yet another in a growing list of cyber attacks against US companies.
According to the article, the attack apparently started with a spear phishing scheme and social engineering tactics targeting a single employee in 2009. The attack followed a typical path of spreading to other systems, hiding behind credentialed activity, creating backdoors for access, reporting back to the attacker weekly, and granting the attacker remote access to Chamber member information and business policy documentation. The bad guys even gained access to an HVAC system at a housing unit owned by the Chamber.
There are some notable takeaways…
The sale of Q1 Labs and Nitro Security: An inflection point for SIEM
Several people have asked for my feelings about the sale of Q1 Labs to IBM and Nitro Security to Intel/McAfee. In general, I can understand why Nitro and Q1 may have concluded that this is a good time to sell their businesses.
Personally, I classify these two companies as very good at what they do—watching for what I’d call ‘known threats’ as reported from other signature- and rule-based systems. At the same time, traditional SIEM vendors such as Q1 and Nitro face many stresses. I believe that both Nitro and Q1 are challenged by ongoing support for specific data types, scalability, and new threats—namely Advanced Persistent Threat (APT) style malware deposited on systems using social engineering that can…
The effective security buyer
Sometimes I’m glad I keep around the mounds of free trade publications that tend to pile up on my desk. About once a month I start going through the stack, but I never quite finish. I got through placing 4 or 5 publications into the recycling bin before I read How to be an effective security buyer by Andreas M. Antonopoulos in the May 2011 on-line edition of Network World. This article (more than others I’ve read) takes a basic and practical approach to the hard buying decisions (and trade-offs) we all have to make. The buying decision criteria are crisp and fresh and discourage simply relying on vendors that would…
Monitoring the Effectiveness of a Security Awareness Program
I was at a CISO summit in Atlanta, and one of the CISOs gave a presentation on creating a security awareness program. He was able to get good support throughout the organization, eliciting the help of the marketing department, legal department and other groups. His team created videos about laptop theft and password sharing that featured a character called the Data Thief. Yet they were challenged on how to measure its effectiveness. They ended up creating a number of surveys that they used to get some sense of the effectiveness of the program. According to the survey, overall security awareness rose throughout the organization. In a conversation with him afterward I asked him if they’d thought about using log data…