May 21

I’ll be presenting a SANS Tool Talk Webcast entitled “Log Management: No Longer Optional” on Tuesday, June 2nd at 1pm EST.

About the session:
Both network and security professionals agree – a log management solution is no longer optional. It’s now a required tool in their arsenal.

Unfortunately, many of their log management projects have failed because the solution they chose was unable to support the size and scope of the deployment and/or effectively deliver useful results.

During this webcast Andrew Hay will discuss important considerations when selecting and deploying a log management solution for your organization and how to avoid some of the pitfalls.

Join this webcast and learn about:

  • Drivers of log management, including security best practices and regulatory mandates
  • Architectural considerations for supporting large distributed enterprise networks
  • Deployment considerations for supporting a multi-vendor network
  • Correlation considerations to effectively make sense of enterprise-wide network & security events
  • Advanced security management considerations to improve an organization’s ability to detect more complex integrated network threats
  • Reporting, auditing and forensics considerations that support compliance initiatives

Sign up for the webcast here.

May 21

The following post has nothing to do with security but should serve as a reminder if you’re traveling to a security conference or meeting in the near future:

1) Thou shalt not plan to go to the bathroom (especially Number 2) on the plane instead of taking the time to go at the airport prior to boarding.

Come on people…it’s really not that nice a place to go to the bathroom. It’s small, it’s cramped, and it smells funny. They have bathrooms at the terminal for a reason. There is nothing worse than having to sit across from the toilet after someone dropped a dingo before takeoff.

2) If thou art too old, weak, or short to sit in the exit row thou shalt give up your seat to the 6’4″ gentleman that can’t sit comfortably in the regular seats.

Let’s review…most planes were built in the 1950s-1970s. Apparently, during this period in history, our entire civilization was made up of 5’0″ / 100lb humans that could easily travel in “spacious airline accommodations”. Guess what…there are people who are taller than 5’0″ and heavier than 100lbs. How about we accommodate them for a change?

3) Thou shalt not talk the ear off of the person who is trying VERY HARD to ignore you.

You know who you are. You’re the person who didn’t bring a book to read, doesn’t have an iPod, or just likes to talk the entire flight. If the person beside you inserts their headphones into their ears that means that the conversation is over.

4) Thou shalt not unbuckle your seatbelt and start to get your luggage from the overhead compartment before the pilot tells you to.

Are you that important that waiting 30 seconds is going to kill you? I didn’t think so.

5) Thou shalt not try to recline your seat if you notice that the 6’4″ gentleman behind you has his knees flush with the back of your seat.

I think I’m actually getting a headache from the blinding rage I feel when I think about how many people have done this to me. I can remember one older gentleman telling me that I should really find another seat so that he could recline his seat in front of me. He then proceeded to ask the flight attendant where I could be moved to. Grrrrrr…..

And with that last one I’ll stop my post and continue with Part 2 next week. I have another flight out to Seattle (12hrs of flights, layovers, etc.) so I’m sure I’ll have more commandments to share.

May 21

This is a term that I’ve been throwing around for a while now so I thought I’d take the time to define it for everyone.

Virtualized Network Security Management (vNSM)
The extension of existing Network Security Management (NSM) policies and procedures to include “virtualized” deployments. This includes, but is not limited to, the collection, correlation, and normalization of:

  • logs (e.g. authentication, authorization, status, etc.) generated by “virtualized” hosts (e.g. servers, workstations, etc.)
  • logs generated by non-security related applications (e.g. mail server, web server, etc.) installed on “virtualized” hosts
  • logs generated by security related applications (e.g. firewall messages, anti-virus alerts, rootkit installation prevented, etc.) installed on “virtualized” hosts
  • logs (e.g. authentication, authorization, status, etc.) generated by “virtualized” network components (e.g. virtual switches, virtual hubs, etc.)
  • network flows (e.g. NetFlow) generated by “virtualized” network components
  • expected, anomalous, or malicious network communications to/from/between “virtualized” hosts (e.g. web server communicating with “virtualized” database, “virtualized” workstation retrieving file from “virtualized” FTP server, etc.)
  • logs generated from the operation of the host virtualization platform

I may expand on, or refine, this definition in the future but I wanted to make sure I had my ideas down on “paper” before I lost them.
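As an added example, not part of the original post, here is a small Python normalizer and correlator over three of the sources listed in the definition: a guest host’s authentication log, a virtual switch, and the host virtualization platform. The log line formats, host names, and IP addresses are constructed assumptions for illustration, not the output of any real product; the point is the common event schema (which “virtualized” host an event is about, regardless of which component reported it) and a correlation that attaches switch and platform context to a guest-side finding.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (assumed formats, not real product output).
# Reporter is the second field; the "vm" a line is about is not always the reporter.
SAMPLE_LINES = [
    "2008-05-21T13:00:01 vm-web01 sshd[2311]: Failed password for root from 10.0.5.23 port 51022 ssh2",
    "2008-05-21T13:00:03 vswitch0 vswitchd: port vnet3 (vm-web01) link state changed to up",
    "2008-05-21T13:00:04 vm-web01 sshd[2311]: Failed password for root from 10.0.5.23 port 51023 ssh2",
    "2008-05-21T13:00:05 vm-web01 sshd[2311]: Failed password for root from 10.0.5.23 port 51024 ssh2",
    "2008-05-21T13:00:06 hyp01 vmm: vm-web01 snapshot created by admin",
]

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# One parser per constructed source format.
AUTH_RE = re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src_ip>\S+)")
VSWITCH_RE = re.compile(r"vswitchd: port (?P<port>\S+) \((?P<vm>[^)]+)\) link state changed to (?P<state>\w+)")
VMM_RE = re.compile(r"vmm: (?P<vm>\S+) (?P<action>.+)")


def normalize(line):
    """Map one raw line into a common event schema (a dict), or None if unrecognized."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    ts_str, reporter, rest = parts
    event = {
        "ts": datetime.strptime(ts_str, TS_FMT),
        "reporter": reporter,   # component that wrote the line
        "vm": None,             # virtualized host the event concerns
        "source_type": None,
        "category": None,
        "raw": line,
    }
    m = AUTH_RE.search(rest)
    if m:
        event.update(vm=reporter, source_type="guest_host", category="auth_failure",
                     user=m["user"], src_ip=m["src_ip"])
        return event
    m = VSWITCH_RE.search(rest)
    if m:
        event.update(vm=m["vm"], source_type="virtual_switch", category="link_state",
                     port=m["port"], state=m["state"])
        return event
    m = VMM_RE.search(rest)
    if m:
        event.update(vm=m["vm"], source_type="virtualization_platform",
                     category="vm_lifecycle", action=m["action"])
        return event
    return None  # unknown format: leave for a new parser rather than guessing


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Flag a VM with >= threshold auth failures inside `window`, and attach every
    other event about that VM from the surrounding window (virtual switch and
    platform activity) so the analyst sees the full virtualized context."""
    findings = []
    by_vm = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["vm"]:
            by_vm.setdefault(ev["vm"], []).append(ev)
    for vm, evs in by_vm.items():
        failures = [e for e in evs if e["category"] == "auth_failure"]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                start, end = burst[0]["ts"], burst[-1]["ts"]
                context = [e for e in evs if e["category"] != "auth_failure"
                           and start - window <= e["ts"] <= end + window]
                findings.append({
                    "vm": vm,
                    "failures": len(burst),
                    "src_ips": sorted({f["src_ip"] for f in burst}),
                    "context": [e["category"] for e in context],
                })
                break  # one finding per VM is enough for this illustration
    return findings


def run(lines):
    """Normalize every line, drop unparsed ones, and return the correlation findings."""
    events = [e for e in (normalize(l) for l in lines) if e]
    return correlate(events)


if __name__ == "__main__":
    for finding in run(SAMPLE_LINES):
        print(finding)
```

Running it on the constructed lines yields one finding for vm-web01: three failed logins from 10.0.5.23 with a virtual switch link-state change and a platform snapshot event attached as context. The design choice worth noting is that the schema keys on the virtualized host an event is *about*, not on who reported it, which is what lets guest, virtual switch, and hypervisor records line up in one correlation.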

May 13

Stephen Northcutt, of SANS Institute fame, recently recognized me as a Thought Leader in the area of log management. I’m quite humbled to be included with the likes of Dr. Anton Chuvakin, Jeremiah Grossman, and Ron Gula (among others).

The interview has been posted on the SANS Technology Institute site here. This has certainly made my week :)

May 12
SANS Toronto 2008 Keynote Roundup
Andrew Hay | News | May 12th, 2008

As most of you already know, yesterday I was involved in the SANS Toronto 2008 keynote along with Rob Lee, Bryce Galbraith, Peter Giannoulis, Dave Shackleford, Dr. Johannes Ullrich, Stephen Sims, and Guy Bruneau. This was the first keynote that I had the pleasure to be involved with but I hope it won’t be the last.

We had a full room with a mix of local and out of town students, all of whom were having a blast. “How do you know they were having a blast” you might ask? Even though we were talking about serious topics pertaining to security, my fellow panelists and I had the entire room laughing like crazy. In fact, I think I saw a few people wiping away tears from laughing too hard.

I think everyone had a good time, myself included, and the thing that set this keynote apart from previous keynotes that I’ve seen is how laid back and fun the talk was. There were questions about social media and the validation of identities, acceptance and rate of deployment for mainstream wireless infrastructure, the shaping of traffic to prevent P2P transmissions, and several others. All of the panelists were able to add their insight into the posed questions and I think the crowd appreciated how frank we were in our responses.

I think they also enjoyed the running joke about including www.theacademy.ca, in one way or another, in almost all of our responses. It was one of those “you had to be there” jokes but, trust me, it was hilarious. I didn’t get a chance to see the reviews filled out by the students but I hope they enjoyed the session as much as we all enjoyed presenting it.

Maybe SANS will let us do it again some time.
