Friday, August 27, 2010

New Role

This blog has been quite silent lately, as I haven't been finding anything interesting to write about. Even the Verizon report: there's certainly interesting stuff there, but so many people have talked about it that I don't even feel compelled to. Anyway, there's at least one thing to mention. I've just changed to a new role at my job. This week I've started as a "Security Architect". I believe it will be a very interesting job, as I was getting a little tired of having to deal with project implementation details. I really like to work on roadmaps and long-term planning for security services, and that's exactly what I'll be doing now. I hope my day job can now bring me new ideas about things to write here. Let's see :-)

Thursday, August 12, 2010

The big FAIL of log analysis

I was trying to find words to add to this post from Anton Chuvakin about the current state of log analysis, prompted by the numbers in the last Verizon report. I simply can't find anything to add. He's dead right about everything. If you are interested in log analysis / log management, that's something to read and think (AND DO SOMETHING) about.

Thursday, August 5, 2010

Razorback and IF-MAP?

I was reading about the new framework from SourceFire, Razorback, and I realized it has a lot of similarities with TCG's IF-MAP. There are a lot of vendors mentioning things that go beyond the simple correlation so common in SIEM tools. It is a move from CORRELATION to COOPERATION between security tools. That's awesome. Instead of having several tools each waiting to receive data from different places, we need a security metadata bus that can be used by other tools. That way, a lot of the things that make security hard to do will become far easier. Firewall rules won't be " to using TCP4567" anymore, but "users from Finance going to the Finance App". We can build blocking and response rules using definitions such as "users infected with malware", "servers containing sensitive information", and far more interesting stuff. What's most important is to have those things following standards, so that the infrastructure becomes less important, making it easier to apply security regardless of whether things are running in your data center or in the cloud. But, again, only if initiatives like Razorback start working with standards like IF-MAP...