Wednesday, Jun 02 2010

Thought Incubator

Yesterday on Twitter I was thinking out loud and mentioned that I have a need for something more than blog drafts to help me get out my blog posts.  I tend to get stuck halfway through dozens of ideas, follow one rabbit hole and post very few of my thoughts, and so many others languish in wait until I have the time/inclination or get a “spark”.  On the other hand I REALLY enjoy the collaboration on thoughts/ideas I get when I interact with the community at conferences, on Skype or on Twitter to help refine my thought process, and I always get a “spark” out of those conversations.

So why not combine those ideas into a thought incubator: a place to put ideas so that they can grow!

Think of it as a conversation using bits and pieces of blog posts as the kindling and the community’s collective wisdom as the oxygen to feed the fire.  This entire post is an example of how it could work - this idea was further corroborated by Paul Melson and Ben Tomhave and others on Twitter.

(extract of the Twitter lead-in follows in reverse time order)


Ben (@falconsview) suggested SBN as a place to host the “incubator”.  I haven’t talked to Alan Shimel (@ashimmy) yet but I don’t disagree with that idea at all.  As long as it is a community resource and I can be involved I’m open to it.  But before we get there I thought it prudent to at least start the requirements part of the discussion and see where it goes before we jump into a solution.


When I mentioned this topic yesterday @Grecs suggested some great resources to consider - a wiki, a Google Docs solution or using the blog drafts feature - all three ideas have merit and they do have pieces of what I’m looking for, but none of them is really perfect for what I’m looking for.  I spent yesterday looking at potential solutions, but I think it makes sense to talk about how and why I would use something like this and then we can all figure out what tools might make it work.


Requirement 1: Passionate Community

Twitter is the perfect starting place.  A passionate community of professionals, the beginnings of conversations (sometimes even using #hashtags to help identify the conversation thread).

Twitter isn’t perfect as a delivery mechanism because of text limitations and the inability to thread and easily sort/find.  I certainly think Twitter is a key element of the overall solution though; in fact I can’t see this project moving forward at all without figuring out the right way to use Twitter!


Requirement 2: Collaborative Environment

The entire concept is predicated on active participation.  People must be willing to share “ugly baby” ideas, ask questions and share their knowledge in a positive but honest environment.  A certain amount of ownership and moderation would have to apply given the world we live in, but that might be mitigated by registration/invitation for a while.  It has to be perfectly acceptable to have incomplete ideas posted and differing opinions.  We’re all learning and growing.  There are some that won’t see the benefit of reading half-baked ideas and that’s fine; no one is forcing participation at gunpoint.

As for a tool to help fill these needs, something like Google Wave or a wiki helps thread the conversations and encourages feedback both “live” and perpetual.


Requirement 3: Attribution/Sourcing/Mentoring

So many people influence my thought process on a daily basis that I’d love to be able to sort and give them all credit for the pieces that are floating around in my head.  It may not always be a new idea, it may simply add more confidence in a certain area, but usually it is a refinement or new perspective that fills out the picture.  I’d like to have a way to “tag” people to “thoughts” and show my appreciation for their contribution.  At another level, if the conversation expands via the tool in the text, video or voice (we shouldn’t limit it to text) attached to the object, then I think everyone involved in that discussion should have partial ownership of the ideas and be allowed to move the conversation to their blog/podcast outlet and reference the origins of the thought.

The opportunity to help incubate ideas or refine thought on a continuous basis has at least some of its roots in watching the Great PCI Debate move from conference to conference.  Such great perspectives, and many have gained tolerance and understanding over time.  This has the potential to do the same for hundreds of ideas across so many more participants.


Requirement 4: Data Extract

We are all using different blogging platforms and I would hope that one of the goals of the incubator is one or more blog posts by everyone involved in “raising the baby”.  That means the data (with or without formatting) should be easily exportable.


Requirement 5: Ease of Use

We’re asking for yet another way to interact and share ideas, which means we need to leverage the tools people are already using (as input and/or output).  Tools like Jive or any of the products that vendors / conferences use to interact with their user communities are good examples of the overall framework I’d like to see long term, but they are way too expensive and cumbersome to set up/manage at first.  But a wiki or forum alone isn’t enough to kick it off either.


This post is intentionally premature - I need your help to incubate this baby.  How would you add to the requirements and use-cases?

Friday, May 28 2010

Pushing Conversations

Last week there was talk about the lack of recent in-depth conversation occurring in blogs.  This was attributed at least partially to Twitter dumbing down the conversation into bite-size increments, and that overall the larger stories may not be getting explored in depth.  I certainly found myself in that cycle.  For me sometimes it is easier to have a quick conversation and reset my thermostat by releasing steam on Twitter than it is to create a post for the blog.  The downside to that has been a lack of in-depth public conversation because Twitter is more of a “live” communications mechanism.  So this last week I focused on blogging and engaging in conversation and “wow” - what a series of conversations I was able to be involved with.  Here is a sample of the public conversations that occurred.


Topic 1: LogLogic

LogLogic announced last week that it is slashing prices on SIEM (well, actually SEM); I posted my thoughts about their move here.  Who knew the response I’d get.  Here’s a sample of how the conversation exploded via blogs over the last week.

The Response (so far):

LogLogic was nice enough to email and call me to help me understand their thinking; they also crafted 3 blog posts on the subject (Part 1, Part 2 and Part 3).

Paul Melson enhanced the conversation (“Twitter Killed the Blog Star” and “SIEM Market Conversation Continues”) and now Q1Labs jumps into the fray with their perspective.  There were plenty of private conversations from other vendors, analysts and end-users that occurred off-line - I’m hoping more of those will see the light of day soon!

Count: 1 post (6 Blog Responses + comments)

Topic 2: Tetragon

Then the real fun started.  Gartner released their Magic Quadrant for SIEM and I had a little fun with it and then I had an absolute blast with my Tetragon post.

The Response (so far):

Chris Blask on the new AlienVault Blog responded to my First MQ post with his insightful perspective.

Rich Mogull and Mike Rothman of Securosis had some fun with my Tetragon post and did a great job adding even more perspective to how and why these “tetragons” get so much attention.

Anton Chuvakin made reference to the posts here.

Q1Labs talks about the MQ and my post here.

Count: 2 Posts (4 Blog Responses + Comments and more coming)


I’d like to thank everyone that participated in the conversations (public and private) and everyone who publicized the conversation via blog, re-tweeting or email.  Analysts, vendors and end-users: everyone was involved over the last week!

As numerous and insightful as the public blog and Twitter conversations were, the private DMs, Skype calls, emails and phone calls were also insightful and at times absolutely hilarious.  I wish I could share some of them, but I’m hoping some of those conversations will take the form of a blog post or 12 soon.  There are a lot of great ideas waiting to push these conversations even further.  All in all it was an amazing experience to jump in, start a conversation or two and see where passionate people take it.

Now that I know more people are paying attention and willing to join the conversation I think I’ll do this more often :) 

-Rocky


Thursday, May 20 2010

Tetragon of Prestidigitation

I present to you the latest in analytical innovation.  The industry’s first completely transparent vendor evaluation system. The Visible Risk “Tetragon of Prestidigitation” (tm). Bask in its glory and simplistic brilliance.

Why worry about defining requirements? Don’t stress about how to consider the impact of this technology when in specific use within your environment. The Tetragon knows the answer, it IS the answer.

Obviously no analyst group wants their work misread or misinterpreted.  They put a ton of work into these offerings. We’re human and as such, no matter what someone may want us to comprehend, we’re all going to read things from our own perspectives.  Sometimes our understanding and follow-up discussion enhances the conversation; sometimes we can be completely off the mark and are provided with an opportunity to learn. In the end, as long as the conversation continues, everyone wins.

Since I wrote the blog post about this year’s SIEM review(s) and the marketplace in general there have been a few dozen conversations that I’ve had the pleasure of participating in.  One in particular rekindled a thought process in my head about maintaining perspective and context when reading or reviewing publications of this sort, and I thought I’d share the humor and story with you.

I’d like to present to you three hypothetical perspectives, each reviewing the new “Tetragon of Prestidigitation” report.  The views are from The Veteran Information Security Professional, A Vendor and The Executive.  Certainly these do not represent all of the potential views, but it is a broad enough sample to get the point across.  The point being that we need to seek to understand all of the perspectives better and then push our thoughts on how to better collect and analyze the data.

Case 1: The Veteran Information Security Professional:

This realist wants to believe that products are getting better and that analysts get their “hands dirty” when providing information that will define which products they’re going to get stuck with over the next few years.   From years of experience they know that if the product isn’t in the upper right or leaders area of the review they’ll face a nearly impossible battle for project justification and funding.  These professionals are passionate, battle hardened and look at any publication with a deeply technical purview about what will work in the environments they support.  Many in this group don’t necessarily find enough “meat” in the report to make any specific determination about the technologies presented, so they have a tendency to discount the report in general.  It becomes a necessary evil.  For those that fall into that camp (I did for a long time and still revert to that tendency at times) I suggest a reading of this post to put into perspective the effort that goes into these types of reviews.  It isn’t trivial and there is a method to the madness.

That said, the security professional’s interpretation of these types of reviews isn’t likely to change; perhaps it is time to add a few more dimensions than a 2D table can represent? My question to anyone that falls into this camp (or a similar one) -  What are the questions and context that should be included in these reports moving forward?  How would you contribute to the conversation?  Provide input, Press buttons, Express yourself - I think you’ll be amazed at the response.

How a Jaded InfoSec Professional might see the Tetragon of Prestidigitation:


Case 2: The Vendor

The Vendor’s perspective is perhaps the strangest of all involved.  Based on how certain elements of the community interpret these reports, they have the most to lose and, unless they are put into the “right” place, very little to gain.  Of course, as much as the vendors complain about their relative ranking (assuming #2 or lower), they will all use these reviews as justification for market positioning in competitive situations.  Funny how you’ll see 20 vendors representing their positions in press releases following these reports, each claiming a victory of sorts.  Either “we’re the best”, “we’re the future”, “we scale down”.  Propaganda is powerful marketing.

Now what control do the vendors have in this situation?  In truth, very little.  Vendors get beat up by analysts, customers and of course other vendors.  Do I feel sorry for them? Nope, not even a little bit.  Do I respect them for putting everything on the line to try and provide a solution? Yes.  Personally, I think if some of these teams spent more of that mindshare that is dedicated to “spinning” the results on influencing a better process to begin with, we’d all be better for the effort.


Let’s look at how our example Vendor might see the Tetragon of Prestidigitation:


Case 3: The Executive:

The overwhelmed corporate executive is the target consumer of these reports.  Well, at least, the infographic portion of the report.  A very select few will understand every detail, spend time looking at collateral documents, comparing them against known information and dissecting the body looking for nuggets that help differentiate the products as it might apply to the environment.  Instead they will rightfully leave that effort to their technical staff.  On the other hand the executive team needs to make decisions that are going to allow the project to be successful, and if they can find a way to reduce the time and pain associated with the product selection and purchase process then they’ve done a good thing for the business.

From the executive’s perspective, having hundreds of peer experiences aggregated into a single report or table seems like a gift from above.  It allows for focus and, being the standard across the industry, it also allows some level of protection.

Every rational person knows that it isn’t wise to rely on any single piece of evidence in the decision making process, but yet it happens hundreds of times per year because the business has limited resources and a mandate to become compliant.  Management works with the best set of information available and makes the best possible decision based on what they have in front of them.  They have a sometimes defined mission, numerous competing priorities and a very limited set of resources.  The “Tetragon” provides them a shortcut in the conversation with the procurement team.


How an executive (or procurement team) might view the “Tetragon of Prestidigitation”:


Summary:

Industry analysts put significant effort into the report and just as many disclaimers and qualifiers about how to use the reports.  We are still inclined to extract only what is relevant to our situation, and that makes our lives easier (Technical, Vendor or Management).  In order to use the information presented in the “tetragon” report it needs to be analysed by your team in the context of your overall requirements, processes, your team and numerous other criteria.

We all have our perspective, and some balance of time / motivation guiding us when we read these reports, but it’s time to step back and put their value into perspective.  The “Tetragon” is a macro statement and your situation requires micro level details to be successful.  Certainly there are trends to consider, but in no way should these reports be the determining or even scope defining factor(s).


Call for Action:

Throughout this post I started to highlight some simple ways to help push for better quality and more meaningful analysis across the industry.  In short we need to speak up from each and every level (Tech, Management, Vendor, Executive and Analyst) and articulate clearly the information that would best enhance our perspective about the technologies, the use-cases and the market in general.  What else would you like to see in the Tetragon or similar reports?

The “Tetragon of Prestidigitation” is just my little way of reminding you to not settle for what there is today - always seek more!


Following-up:

I don’t believe in defining a problem and not at least attempting to present the beginnings of a solution.  Soon, I’ll be posting Chapter 2, the follow-up to SIEM Evolution Chapter 1, which will help me articulate what I see as major trends or innovations in the SIEM industry.   Additionally, as soon as I can find the right mechanism for sharing the information I intend to post my SIEM evaluation checklist so that at a minimum my thoughts on the subject are provided to the world as a starting point, and then you can help by re-defining the “right” questions to be asking (and expected responses) moving forward.

Yes, I now own the URL: www.tetragonofprestiditation.com or for the shirt see http://www.visiblerisk.com/tetragon

Thank you,

-Rocky

Monday, May 17 2010

LogLogic discounts SIEM

Today LogLogic announced it is attempting to push the market towards a more cost effective solution for SEM/SIEM.  On one hand I get “it” and applaud the attempt to push price downward, but on the other hand the overall strategy seems to me, albeit without the benefit of the larger picture, ill-conceived, ill-timed and in my opinion it may devalue the company’s effort in that space, especially when you consider the quote at the end of the press release (more on that later).


Positive Reflections on this announcement:

LogLogic is an almost exclusively channel driven sales entity and the “channel play” with a move like this makes perfect sense.  It allows even more flexibility for the channel to sell downmarket, but I would have expected an announcement like this to coincide with a major channel or partner strategy announcement.  A refreshed service offering being made available through partners, or a partnership with several managed services to deliver more value, etc.  Something that would show a larger strategy is in play.  Maybe I missed it?


Help me maybe I’m missing something:

If the focus of the pricing strategy was log management, storage or just about any product outside of SIEM that might be considered a commodity within the IT world I’d understand the pricing movement.  To me SIEM is much more complex and as such requires continuous effort and is not ready for this pressure.  Right strategy, wrong product.  In my opinion they should have lowered price on the commodity (Log Management / IT Search).

Very often I’ve heard of Symantec, RSA (via EMC), Q1 (through Juniper/Enterasys), SenSage (through HP) and of course MARS (via Cisco) basically giving SIEM away for free as a bundle with other products or services, yet companies like Q1 and ArcSight continue to knock the ball out of the park at a “premium” rate (via direct or indirect sales).

If the leaders in the space can compete at that level with the huge machines in this environment how does LogLogic affect the market at all with this announcement?  Without the context of a larger product strategy or channel/partner offering this new pricing effort seems like a missed opportunity at best and a last ditch effort at worst.  (I hope it is not the latter).

As a company LogLogic seems to be doing well (43% year over year growth) but I think this SIEM pricing strategy confirms that the growth is relative to the strengths of their Log Management product.


Another Possibility:

OK, so there is another thread running through my head about this subject, which is that this pricing move simply reflects the reality of their effective price book.  Depending on the spin doctor this might be taken a few different ways:

1. SIEM has a ton of features that most users can’t quite implement because the vendors haven’t made it easy enough - so why charge a premium?

- or -

2. We don’t have the ability to do “x” or “y” so we can’t charge a premium and compete in that space.

Given what I know about the LogLogic team, it actually makes sense that this was the thought process.  They are sharp and motivated to do the right thing.  Even so, it doesn’t detract from some of the things I presented above as potential missed opportunities.  If this is true then does it also mean when (if) those advanced features are developed the pricing model gets complicated?


Misguided Quote:

The quote at the end of the press release is even more haphazard than the announcement itself.  (Paraphrasing the quote by Mike Davis: “We see 80+% of the needs of the SIEM space being satisfied by log management. SEM fulfills a further 10+% of those needs.”)  To me that quote is dangerously misguided on two fronts:

  1. This quote signifies a lack of market understanding, a lack of appreciation of SIEM or maybe just an overestimation of Log Management. Perhaps the quote is relative to only the qualities of a SEM (versus SIEM), but that doesn’t reflect the reality of the market today (Log Management and SIEM) and serves no real purpose other than to discount the value of SIEM/SEM.
  2. The quote also serves to invalidate a product that LogLogic invested in with the purchase of ExaProtect and continues to attempt to sell as a competitive offering in the space.  It seems odd to invest in a technology that only meets 10% of a market need (still leaving 10% unfulfilled).  It is my opinion that the quote does more damage than service to LogLogic.


Summary:

I don’t disagree that there should be pricing rationalization that occurs across the market, but I’m not convinced LogLogic took the best approach (or perhaps I simply don’t understand the strategy well enough at this point).  I’m hoping they’ll take the time to enlighten me!

Reference:  http://loglogic.com/news/news-releases/2010/05/loglogic-slashes-sem-prices/

Note: I apologize I wasn’t able to get input from LogLogic in time for this initial post, but I will update the comments of this post with any lessons learned from LogLogic.   I really do want to understand and not just seem like I’m beating them (or anybody) down.

Saturday, May 15 2010

2010 Gartner MQ for SIEM

The 2010 Gartner Magic Quadrant for Security Information and Event Management.

I took some liberties with the MQ in order to segment out the information in the report for my own analysis.  Simple geographical/mathematical groupings were applied and a few notes added.

The cluster of providers in the middle was not unexpected, as I have a similar group in my head as I think about this.  Having an outlier like RSA to me means that RSA’s vision resonated very well with Gartner.  As it should; however, I’d expect that to be meaningful once they get to the execution.  I can’t find the rationale for them escaping the “Clump”.  I did use RSA’s relative position as a measuring stick to divide the clump and segment out a couple of “Maybes”.

The “Clump”: Symantec, IBM, CA, LogLogic, Novell, SenSage, LogRhythm, Trustwave, NetIQ, TriGeo, NetForensics, eIQnetworks

The “Maybes”: Nitro and Q1 Labs

The “Others”: Quest, Prism, Tenable, LogMatrix

Next Year:  AlienVault and several others might add more to the middle of the page.  Splunk was left off of SIEM this year for a reason and I applaud Gartner for doing so!

Note: I do believe that the Strengths and Cautions tell a little better story this year than in previous years.

Trends and Subplots:


1. The re-emergence of NetIQ & SenSage as a SIEM (and SenSage’s continued relationship with HP) is interesting.

2. The “Clump” is a great way to illustrate that there are way too many products that are virtually indistinguishable to the market.

3. I had expected more from Q1 via the Enterasys and Juniper OEM deals.  I also expected Tenable to fare a little better, but Security Center 4 was just released so I understand its standing based on a review of the older technology.

4. Enterprise Players (RSA, IBM, CA, Symantec) separating out functionality into various products instead of having it all within the SIEM.  I think these guys are ranked a bit too high and right.  RSA with Archer will be a great improvement, someday.  Even more importantly RSA has a chance with EMC to really do well in virtualization if they focus on it.  We’ll see what happens.

5. There exists a vast ocean between ArcSight and the rest of the field.  Out of the “Clump” or “Maybes” I’d expect 1 or 2 to rise over the next year and begin to challenge more directly for #2 in the space.  This will require innovation on either User Anomaly/Behavior (beyond IAM), System Config (FIM?), Network Content (beyond netflow), and of course ease of use for Security Use-Cases such as Threat Monitoring and Dynamic Updates!

6. The inability to execute in a viable manner with applications, host attributes, vulnerability information or even get data out of the system still plagues many vendors in this space - whether or not they admit to it.  Read between the lines of the report to figure out who this affects.

You should read the report.  Each of the vendors will have copies linked off their webpages and with minimal registration you should have it in a matter of seconds.  Enjoy!


Wednesday, May 12 2010

SIEM Evolution: Chapter 1

Preamble

Having the time and inclination to look at the entire SIEM market is something I’ve been afforded over the last few years.  While certainly I’ve had more exposure to some vendors than others, I’ve been very lucky to have had very in-depth discussions with most, if not all, of them over the last few years.  Nothing I’m saying will violate NDA or even simple common sense, but there are some interesting general threads happening across the SIEM market (and by proxy Log Management) and perhaps the entire Security Industry.

For the most part I’ve found that vendors will create exactly what they think users require of them to the best of their abilities (financially and technically).   A thought that is both empowering and terrifying at the same time given both the vendor’s ability to listen and the user’s ability to articulate requirements. The result is at least in my mind a market that should be 3 years further along than it currently is both in terms of industry consolidation and functionality.

In short, everyone approached the “problem” from their initial perspective.  Andrew Hay of The 451 Group has a recent post that describes this pretty well.  You have Network, Host, Operations, Logging and Analytical limbs of the SIEM tree you can point to as a heritage for most of the products in the space today.  As a result you have varying levels of expertise and limitations based on where in the tree your product hails from.  The environmental dimension of their evolution was the customers they were listening to as they started development and refined features.  Those driven by SMB may have done well with ease of use, but probably lacked scalability and flexibility.  Those that were scalable and flexible probably had to contend with usability.  To this day, there is no perfect solution; there are a few good ones, some others with potential and a lot of dead limbs waiting to be pruned.


Genesis

In the beginning there were “Speeds and Feeds”.  You know the claims of “x” EPS and “y” devices supported.  What did it mean?  In reality, not a whole lot.  Why do vendors still push this in their marketing?  In reality so that they can claim relevance alongside their big brothers. It’s a marketing game, currently the high water mark is at 200K EPS and 500+ devices supported.  How much do you need to be successful in your organization?  Good question, please answer it before you contact the vendors. 

Initially, the only real requirement we related to the vendors was having a place to store the logs and search them, some offered a lot more than that, some not so much but there was an entire market (or two) around Eating, Storing and Regurgitating.


Tainted Apple (misguided passion)

The requirements were comprehended by vendors as “make my life easier, automate the analysis, identify everything bad”.  So the vendors initially asked about “Use-Cases” and developed features to accommodate those use-cases.  The problem was the influencers were the top 1% of the field and as a result the solutions developed were so complex that only a handful of people could effectively utilize them. The features were in reality solutions that might actually have been years ahead of the mainstream consumer so figuring out how to apply them caused confusion.  In general this led to two things:

1. Adding features that were so complex that they hurt performance/reliability and

2. An opening for even more competition because of complexity, performance, reliability, and other assumed badness.

Competition is good for a market to a certain extent, how many players do you need to validate a market? Certainly the answer to that question can be the current answer (over 20).


Healing (Bulletproofing)

So now we come to the phase in each Vendor’s lifecycle where they get to address reliability and stability, commonly known as bulletproofing.  Some hit this in 2004, some in 2010.  The fact remains that every solution hits a phase in its evolution where they need to stop new features and make their current solution more stable and robust to accommodate current needs and future vision.  Sometimes, if the vendor is lucky enough to survive long enough, it happens multiple times.  Sometimes it happens at a point in the market where other providers can capitalize on it and make a name for themselves.  It’s an important step that takes anywhere from 12-24 months to complete.  Ideally, it would happen prior to or immediately after an acquisition.  No such luck so far.


Plagues: Blood, Frogs and Locusts

Then came Compliance (specifically SOX, PCI and HIPAA) and all security innovation ceased.  Well, maybe that is a bit harsh, but it did derail certain elements of where functionality was headed; on the other hand compliance kept everyone in business.  Even many who really should not be in business today.  So the market made a decision - we want to believe in SIEM (and security in general) and Compliance provided us money to invest in it.  The thought was “We’ll find a way to make the investment work for us later.”  We can use Compliance to make “ROI” (I’m shuddering inside) possible.

So the requirement was mandated as “Make me Compliant”  and as it was said so it was done… Vendors put together reports and other content, packaged it up and sold it back at a premium and the world was saved.  Birds sang, people stopped dying and there was no longer evil occurring anywhere.

Ok so back in reality we soon found out that it was unreasonable to expect check box security to do anything meaningful (we are at that point, aren’t we?!?!) and we may have sacrificed actual security in the name of creating a nearly meaningless lowest common denominator.  But hey everyone is still in business and we all have jobs.


Current State:

SIEM functionality is all over the map, though if you look at analyst rankings everyone is a leader.  I took a fun poke at this in my “Olympics Preview” post back in Jan.  It was meant to be tongue-in-cheek, I had no idea it would be taken as seriously as it was by anyone. 

A simple fact remains true: each of the vendors addresses a subset of the problem from their perspective, and that perspective has been broadened and lengthened by their customers over time.  Your requirements will probably not match exactly with anyone else’s, but there are at least some criteria you will need to define prior to heading to vendor selection.  When I do an evaluation of a product I have 150+ specific items I look at, not as a positive or negative, but I seek to understand how they solve that problem.  Then I try and make it relevant to the specific customer’s situation over the next 12 months.  Sometimes it’s as easy as log management (eat, store, regurgitate); other times it is very complex.  The worst thing is settling for a solution without knowing your requirements first.  No product can solve that problem.

Utopia

In the next post I’ll describe where I think SIEM is headed based on the gaps I see today, the innovation that IS being driven across the industry and the requirements that I think should exist, such as:

 

  • Adding perspectives: Context such as User, Network, Host, Application, Virtualization, and Cloud Services.
  • Integrating Platforms (SIEM, Log Management and others)
  • and of course meaningful and timely Content. 

 

 - Rocky

Friday
May072010

IANS NYC Summary: Visibility, Threat Management and Periscopes

 

I just finished up facilitating the Security Operations Track at the New York Metro Information Security Forum and some related IANS projects for customers in the area. The conversations on Security Operations, SIEM, Log Management, Incident Response and Detection Techniques are always fantastic because they come from real-world practitioners.

Insights:

Participants in the track that Marcus and I led provided some wonderful details about really scary incidents and outlined some fascinating detection techniques. At least in my mind, two facts were clear about the disparity in organizations’ ability to detect and respond to incidents: (1) the skill set of the team is the key to success, and (2) so is having complete enterprise visibility. It is obvious but worth mentioning: the tools used ranged from custom-built systems to top-of-the-line commercial products, but in the end, the more information available and the better the capabilities of the team, the more likely they were to focus on the detection of meaningful incidents.

The trend of focusing on threat management rather than solely on vulnerability management also seems to be experiencing a very welcome uptick. If a company understands the difference, it seems that they have almost always started a project to focus on threat management. Not that the percentage who understand the difference is very high across the board, but at least from my perspective there seems to be a noticeable increase from a year ago.

The interest in APT seemed amazing to me, both in terms of the number of people listening in and in the number of offline conversations I was involved in directly. Let me explain a bit further: the interest I noticed was not in assigning attribution or focusing on a single actor, but in seeking to understand how their current security program lacked the ability to detect or respond to a threat of that nature. There was great interest in sharing information, both in terms of tools and tactics; we’ll see where that heads…

Further, it seemed to me that there is a growing realization that we need to “unbind” our thought process on security from specific activities (compliance?!?!) and focus on solving the problems we face by creating flexible and comprehensive solutions that fit our specific situations.

The analogy I’ve used recently goes like this: we’re in the middle of the Pacific Ocean on a submarine (the size and stealth of our sub is relative to our company), and as the security team we’ve been asked to build visibility into risk for our business. In response to the box we’ve been placed in, we’ve built a periscope. The periscope we’ve built does offer some visibility: if we’re near the surface and the threat is within our line of sight, then hopefully we’ll be able to convince the team to steer around it. The periscope obviously does not offer nearly enough visibility for the environment we’re in, certainly offers no real defensive capabilities, and cannot be used to provide a holistic sense of the risks we face. Don’t get me wrong, I’m not suggesting we build torpedoes, but perhaps it is time to remove the blinders from our security teams and help them build night vision, sonar and radar, perhaps incorporate some stealth technology, and add some additional maneuverability to the sub so that we can expand both our visibility and our flexibility in dealing with the threats we face.

 

Finally, I have just confirmed that I’ll be participating in at least two more IANS events later in the year - I hope to see you there!

IANS Lonestar Information Security Forum Dallas: June 23-24
IANS New England Information Security Forum Boston: September 28-29

-Rocky

Tuesday
Apr272010

2010 IANS NY Metro Information Security Forum

I will be at the IANS New York Metro Information Security Forum May 4th and 5th. Marcus Ranum and I will be facilitating the Security Operations Track of the Forum. These forums are amazing for everyone involved. These are not presentations; they are active discussions with everyone in the room. In the Security Operations track Marcus and I will have sessions on Threat Management, SIEM Use Cases and Best Practices for Incident Response. There will also be a focus topic during the forum on APT. Looks like Nick Selby, Josh Corman and Aaron Turner, among others, will also be facilitating during the week!

If you’re in the area you should stop by…. You do have a relationship with IANS, don’t you?

- Rocky

Monday
Apr192010

Verizon Business - Incident Sharing Framework 

While researching some ideas I have related to a “Board” or “Peer” Incident Review process, I came across the Verizon Business Incident Sharing Framework. I’m thrilled that Verizon Business took the time and effort to put together this framework and publish it, and I’m even happier that they are willing to consider comments and extend it over time! I’ve got a lot of respect for that team and always enjoy the Data Breach Investigations Report, and while this framework has obvious implications for future versions of that report, its usefulness extends well beyond that single publication.

The VerIS Framework sets a baseline of metrics for risk management along four intersecting “landscapes,” Impact, Control, Asset and Threat, and further asserts that you need all of those perspectives to understand and manage risk within your enterprise. The data collected would not be survey-based or skewed by sensors with a limited view; it is real-world, broad-spectrum incident analysis and therefore has incredible value as a tool to inform consistently and accurately.

Moving Forward:
This sort of framework would serve us all better if we could agree on it, standardize it and use it consistently across our industry. FIRST, US-CERT, SANS, CERT, etc. getting behind it, enhancing it and creating tools for data input and information sharing around this framework would be the ideal situation. Well, actually, the ideal situation might also include a “peer” or “board” review process for incidents to create even more robust findings, recommendations and information sharing. I know it’ll never actually happen, but I can dream.

Just imagine if Incident Response teams could submit incidents to a panel of experts for formal consideration, and the result was feedback from that board indicating areas for improvement or highlighting areas of considerable expertise. Your CISO would have independent validation of the incident, the IR team and the practices in place, and the industry could learn from sanitized examples. We could then create or extend our body of “common knowledge.” A framework like the one Verizon is starting is a solid starting point!

Some Initial Comments on VerIS:

  • Section 1.2: Primary Industry of the company, and perhaps more specifically of the affected business unit(s).
  • Section 1.6, Other: a ton of great points in there that should be expanded on, uniquely identified and measured. Too much value to be left as “considerations” which might get ignored.
  • Incident Classification: the “Who did What to Whom with what result,” based on Agent, Action, Asset and Attribute. While I’m sure many will contribute over time to adding even more specific detail options to make this section “perfect,” it is pretty damn good at this point. Mandiant’s Indicators of Compromise might be a way to enhance it further.
  • Incident Timeline: perhaps one of the few existing “meaningful” metrics in our industry (at least to me) is time to detection and time to response, and VZ does a great job with these. Your IR team should consider this carefully and look at it as a justification for better enterprise visibility, better processes or additional personnel in their Incident Detection and Response capabilities.
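
As an added example, not code from this post or from Verizon Business, here is a small Python module that models an incident record the way the two bullets above describe it: the A4 classification (Agent, Action, Asset, Attribute, i.e. who did what to whom with what result) and a timeline from which time to detection and time to containment fall out as the measurable metrics. The field names, the allowed value lists and the three sample records are simplified assumptions constructed for the example; they are not the VerIS schema and not real incidents.

```python
"""Added example (not from the post or from Verizon Business): a minimal
VerIS-style incident record using the A4 classification (Agent, Action,
Asset, Attribute) plus a timeline from which time-to-discovery and
time-to-containment are derived. Field names, value lists and sample data
are simplified assumptions for illustration, not the official schema."""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional

# Simplified value lists (assumed for this example; VerIS defines its own).
AGENTS = {"external", "internal", "partner"}
ACTIONS = {"malware", "hacking", "social", "misuse", "physical", "error", "environmental"}
ASSETS = {"server", "user device", "network", "media", "people"}
ATTRIBUTES = {"confidentiality", "integrity", "availability"}


@dataclass(frozen=True)
class Incident:
    incident_id: str
    agent: str              # who
    action: str             # did what
    asset: str              # to whom / to what
    attribute: str          # with what result (which security property was lost)
    compromise: datetime    # first unauthorized action
    discovery: datetime     # when the victim learned of the incident
    containment: Optional[datetime] = None   # None while the incident is still open

    def __post_init__(self) -> None:
        # Reject records that would silently poison aggregate metrics.
        for value, allowed, name in (
            (self.agent, AGENTS, "agent"),
            (self.action, ACTIONS, "action"),
            (self.asset, ASSETS, "asset"),
            (self.attribute, ATTRIBUTES, "attribute"),
        ):
            if value not in allowed:
                raise ValueError(f"{self.incident_id}: unknown {name} {value!r}")
        if self.discovery < self.compromise:
            raise ValueError(f"{self.incident_id}: discovered before compromise")
        if self.containment is not None and self.containment < self.discovery:
            raise ValueError(f"{self.incident_id}: contained before discovery")

    def a4(self) -> str:
        """The 'who did what to whom with what result' key used for grouping."""
        return f"{self.agent}:{self.action}:{self.asset}:{self.attribute}"

    def days_to_discovery(self) -> int:
        """Time to detection: how long the attacker was in before anyone noticed."""
        return (self.discovery - self.compromise).days

    def days_to_containment(self) -> Optional[int]:
        """Time to response: how long from noticing to containing; None if still open."""
        if self.containment is None:
            return None
        return (self.containment - self.discovery).days


def parse_incident(record: Dict[str, str]) -> Incident:
    """Build an Incident from a flat record with ISO-8601 dates, as a submission form might emit."""
    return Incident(
        incident_id=record["id"],
        agent=record["agent"], action=record["action"],
        asset=record["asset"], attribute=record["attribute"],
        compromise=datetime.fromisoformat(record["compromise"]),
        discovery=datetime.fromisoformat(record["discovery"]),
        containment=datetime.fromisoformat(record["containment"]) if record.get("containment") else None,
    )


def summarize(incidents: List[Incident]) -> Dict[str, object]:
    """Aggregate the figures a review board or an industry report would want to see."""
    by_a4: Dict[str, int] = {}
    for inc in incidents:
        by_a4[inc.a4()] = by_a4.get(inc.a4(), 0) + 1
    contained = [inc.days_to_containment() for inc in incidents if inc.containment is not None]
    return {
        "incidents": len(incidents),
        "open": sum(1 for inc in incidents if inc.containment is None),
        "median_days_to_discovery": median([inc.days_to_discovery() for inc in incidents]),
        "median_days_to_containment": median(contained) if contained else None,
        "by_a4": by_a4,
    }


# Constructed sample submissions for the example (not real incidents).
SAMPLE_RECORDS = [
    {"id": "INC-001", "agent": "external", "action": "hacking", "asset": "server",
     "attribute": "confidentiality", "compromise": "2010-01-10", "discovery": "2010-03-01",
     "containment": "2010-03-03"},
    {"id": "INC-002", "agent": "internal", "action": "misuse", "asset": "media",
     "attribute": "confidentiality", "compromise": "2010-02-01", "discovery": "2010-02-02",
     "containment": "2010-02-02"},
    {"id": "INC-003", "agent": "external", "action": "malware", "asset": "user device",
     "attribute": "integrity", "compromise": "2010-03-15", "discovery": "2010-04-14"},
]

if __name__ == "__main__":
    incidents = [parse_incident(r) for r in SAMPLE_RECORDS]
    for inc in incidents:
        print(inc.incident_id, inc.a4(), inc.days_to_discovery(), inc.days_to_containment())
    print(summarize(incidents))
```

Run it directly to print each incident’s A4 key with its two timeline metrics and the aggregate. The validation in `__post_init__` is the part worth keeping in any real intake tool: a record whose discovery precedes its compromise, or whose agent is a free-text value nobody else uses, is exactly what would otherwise skew a median time-to-detection figure without anyone noticing.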


Some other points to consider:

  • Assigning attribution from a single incident may be difficult given the limited information available, but it is still worth the effort to identify as much as you can from what you know, at least from the perspective of stating facts about the incident.
  • Assessment of motive is an interesting consideration and really should be considered by every incident responder: “why” this incident occurred from a threat/motivation perspective, and not only from a technical, “vulnerability”-based perspective.
  • Assessment of actual impact from the incident should be highlighted more easily. Not just the technical impact or the recovery costs, but the impact to the organization from the perspective of the involved business functions.
  • Employment change: VZ might consider adding layoffs (right-sizing) as a trend indicator.
  • Impact Classification: this is the most difficult thing to assess, especially if the only input is the security team. How would you quantify the losses for an incident where unknown actors were inside your R&D network for years undetected? Proving that competitor “x” beat you to market with your own resources is going to be nearly impossible. Verizon provides a good method of collecting the “right” information, but it means your security team needs to understand the business and communicate with the right people to understand the impact from all appropriate perspectives.

This sort of framework, once agreed upon, should be welcomed not only by practicing professionals but also by vendors looking for a way to consistently report and classify incidents. I would encourage Verizon to bring a couple of leading vendors into future discussions, or perhaps more appropriately, I would encourage all security vendors to look at how their products might support this sort of reporting framework.


Additional VerIS resources:
http://discussions.zoho.com/veris-metrics
http://securityblog.verizonbusiness.com

Edit 1 - Add Mindmap link: http://www.mindmeister.com/44961919/veris-incident-classification

Monday
Apr122010

Visible Risk Episode 001 - A Discussion on Advanced Persistent Threat

Visible Risk is proud to present an “opening” discussion on Advanced Persistent Threat with four of the top professionals in our field (Richard Bejtlich, Mike Cloppert, Shawn Carpenter and Rob Lee - Moderated by Rocky DeStefano).

Some RSS readers may have to go to www.visiblerisk.com directly to view the video.