- Great post by Anton on picking the best SIEM, even though I disagree with some of his statements.
- I read this and immediately thought "Wow, every ESIM vendor needs to read this post and think about how to tackle the problem".
- Another good write-up on APT by Eric Cole.
- Excellent write-up about how to define APT campaigns.
- Ever curious about what the acronym EPS was referring to in everyone's ESIM marketing documentation?
- Wow, this is a very interesting method for collaborative packet analysis.
When you say you’re good at something, people usually don’t jump all over you. When you say that you’re “The World’s Number 1” something, however, you’re just asking to draw criticism from your peers. LIGATT Security International CEO Gregory Evans, arguably one of the best self-pitchmen since Muhammad Ali, claims to be “The World’s No. 1 Hacker” and has written a book telling others how to get to his level. Entitled “How To Become The World’s No. 1 Hacker” (I’m not linking to it), the book has drawn vociferous criticism from the security industry, which has labeled it self-serving propaganda and plagiarism. I have not personally read the book, but I trust the research skills and opinions of my peers in the industry who have splattered the big “DO NOT BUY” label across its cover.
While some would simply shrug off this attack, Evans has chosen to go on the offensive. Using videos, podcasts, and social media, Evans has attacked his critics and attempted to reinforce his label by denying everything and attacking his attackers like a brawler. The problem with fighting like a brawler is that you typically wear yourself out fairly quickly in the hope of knocking your opponent out as fast as possible. Their slowness and predictable punching patterns (single punches with obvious leads) often leave them open for counterpunching, as noted by Wikipedia. The industry is certainly counterpunching and, based on the score cards thus far, is winning.
If Evans is going to trash talk like Ali, he should be fighting like Ali and leveraging a rope-a-dope strategy. From Wikipedia, the rope-a-dope is performed by a boxer assuming a protected stance, in Ali’s classic pose, lying against the ropes, and allowing his opponent to hit him, in the hope that the opponent will become tired and make mistakes which the boxer can exploit in a counterattack. If Evans were smart, he’d simply take the criticism, move on for now, and look for a future opportunity to prove himself. Instead he’s trying to knock out everyone he sees, which will inevitably hurt him. Professional boxers have to fight one person at a time and would likely fare poorly against a thousand or so opponents at once.
Sometimes it’s just better to ignore the noise permanently and take a more humble stance. Don’t say you’re the best…just prove to people that you’re good at something through your work and commitment to solving problems. I would never be so arrogant to say that I’m “the best” at anything. Hell, my friends and colleagues wouldn’t let me. Keeping your ego in check is something that responsible adults are supposed to be able to do.
Finally, always remember that you can’t win every fight. Even Ali got knocked out by Holmes in 1980. Sometimes you need to see the writing on the wall that it’s time to move on.
Well we finally decided on Friday, November 12th & Saturday, November 13th, 2010 for the first Security BSides Ottawa conference. We’re still finalizing the venue but we’re quite close to locking it down.
Information about BSides Ottawa can be found here.
The Call For Papers (CFP) can be found here and is open to all.
Remember, this is a free event and we expect numerous speakers and attendees from Government, Education, Defence, Healthcare, Financial Services, and Technology sectors. It’s win-win.
Invite your friends by posting this on Twitter: “#BSidesOttawa Friday, November 12th & Saturday, November 13th 2010: Discover the next big thing! http://bit.ly/BSidesOttawa”
I’ve been thinking about the best location to host a Security BSides event in Canada and, after speaking with Justin Foster, I think I’ve decided on Ottawa.
I guess what I need to know is:
a) Who would be interested in attending such an event?
b) Who would be interested in presenting at such an event?
c) Who would be willing to attend/present in November (thinking Friday, November 12th and Saturday, November 13th)?
Please take the following survey to help me measure the level of interest in this event.
Here are some fun facts about Ottawa:
Ottawa is Canada’s capital and the country’s fourth largest city with a population of approximately 900,000 people living within the city limits.
Ottawa is located in the Ottawa Valley in eastern Ontario. It lies on the banks of the Ottawa River, which divides the provinces of Ontario and Quebec in the area. The mouths of the Rideau River and the Rideau Canal are both located here and have played a major part in the history of Ottawa.
Diversity characterises so much of Ottawa. While English and French are the predominant languages, you will hear many others spoken on the streets. About 25 percent of the city’s residents were born in other countries, and more than 20 percent of residents are visible minorities. You can enjoy this multicultural diversity in the shops, restaurants and neighbourhoods throughout the city.
Ottawa’s natural environment is a very large part of its identity. The Rideau Canal is the world’s largest skating rink and is used by Ottawa residents and visitors alike. The city has 850 parks that contribute to Ottawa’s green character.
Ottawa honours a long tradition of Canadian culture and history in the many world-class institutions in the city: the National Arts Centre, the Canadian Museum of Civilization, and the National Gallery of Canada, to name just a few. Ottawa is well known as a festival city, boasting over 45 major festivals taking place each year.
From its beginnings as a lumber town with a rough and boisterous reputation to becoming Canada’s Capital in 1857, and from its fascinating and secret Cold War history to its modern multiculturalism, Ottawa has a fascinating and unexpected story.
With special thanks to Rob Lee, I will be presenting at the 2010 SANS Digital Forensics and Incident Response Summit in Washington, D.C.
Here are the two sessions that I’m involved with:
Friday, July 9th, 2010 – 9:30am – 10:30am
Bringing a Knife to a Gun Fight: The Arsenal Required for Modern Forensic Combat!
One of the most time-consuming yet important aspects of any forensic investigation is the analysis of forensic information not located on the compromised machine. For example, logs from compromised systems and ancillary devices, such as routers, firewalls, and intrusion detection systems, combined with network-level flow and packet analysis, help paint a picture of the compromise from start to finish. Reviewing that data by hand, however, could take days, weeks, or even months to stitch together a timeline of events.
This talk serves to highlight the current forensic capabilities of Enterprise Security Information Management (ESIM) products, such as Security Information and Event Management (SIEM) and Log Management systems, and how you can best leverage the collected data to aid in forensic exercises. The speaker will also highlight how ESIM products need to evolve to best serve the forensic and incident response community in the future.
Speaker:
- Andrew Hay – Senior Security Analyst, The 451 Group.
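The abstract above describes the core problem: evidence from firewalls, IDS sensors and flow collectors arrives in different formats with different timestamp conventions, and has to be normalised into one ordered timeline before an analyst can pivot on an address. The following is an added illustration of that normalisation step, written for this page; it is not code from the talk or from any ESIM product. It assumes three constructed log shapes (a netfilter-style syslog line, a Snort-style fast alert, and a simple CSV flow record), a fixed year for the year-less syslog and Snort timestamps, and that all sources already share one timezone; every sample line is constructed and uses documentation IP ranges.

```python
"""Stitch log lines from several sources into a single ordered timeline.

Added example (not from the talk or any ESIM product); all log lines below are
constructed and use documentation IP ranges.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

# Syslog and Snort-style timestamps carry no year and no timezone. This example
# assumes one year and that every source is already in the same timezone; in a
# real investigation, clock skew and timezone mismatch are the first thing to verify.
ASSUMED_YEAR = 2010


@dataclass(order=True)
class Event:
    ts: datetime          # first field, so sorting orders events by time
    source: str
    src_ip: str
    dst_ip: str
    summary: str


FW_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ kernel: (\w+) .*?"
    r"SRC=(\S+) DST=(\S+) PROTO=(\w+) DPT=(\d+)"
)
IDS_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[[\d:]+\] (.+?) \[\*\*\] "
    r"\{(\w+)\} (\S+):\d+ -> (\S+):(\d+)$"
)


def parse_firewall(line: str) -> Optional[Event]:
    """Netfilter-style syslog line: 'Jul  9 09:31:02 fw01 kernel: DROP ... SRC= DST= PROTO= DPT='."""
    m = FW_RE.match(line)
    if not m:
        return None
    mon, day, clock, action, src, dst, proto, dport = m.groups()
    ts = datetime.strptime(f"{ASSUMED_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return Event(ts, "firewall", src, dst, f"{action} {proto}/{dport}")


def parse_ids(line: str) -> Optional[Event]:
    """Snort fast-alert style line: 'MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] {proto} src:port -> dst:port'."""
    m = IDS_RE.match(line)
    if not m:
        return None
    month, day, clock, msg, proto, src, dst, dport = m.groups()
    ts = datetime.strptime(f"{ASSUMED_YEAR}-{month}-{day} {clock}", "%Y-%m-%d %H:%M:%S")
    return Event(ts, "ids", src, dst, f"{msg} ({proto}/{dport})")


def parse_flow(line: str) -> Optional[Event]:
    """CSV flow record (constructed format): ISO-timestamp,src,dst,dport,proto,bytes."""
    fields = line.split(",")
    if len(fields) != 6:
        return None
    stamp, src, dst, dport, proto, nbytes = fields
    try:
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return Event(ts, "flow", src, dst, f"flow {proto}/{dport} {nbytes} bytes")


PARSERS: Dict[str, Callable[[str], Optional[Event]]] = {
    "firewall": parse_firewall,
    "ids": parse_ids,
    "flow": parse_flow,
}

# Constructed sample input: three sources, three timestamp formats, one bad line.
SAMPLE_LOGS: Dict[str, List[str]] = {
    "firewall": [
        "Jul  9 09:31:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=445",
        "Jul  9 09:32:15 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80",
        "this line is deliberately malformed and must be counted, not silently dropped",
    ],
    "ids": [
        "07/09-09:32:16.112233 [**] [1:1000001:1] WEB-MISC suspicious request [**] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80",
    ],
    "flow": [
        "2010-07-09T09:32:20Z,192.0.2.10,198.51.100.7,443,TCP,8421",
    ],
}


def build_timeline(logs: Dict[str, List[str]]) -> Tuple[List[Event], int]:
    """Parse every line with its source's parser; return (time-sorted events, unparsed count)."""
    events: List[Event] = []
    unparsed = 0
    for source, lines in logs.items():
        for line in lines:
            ev = PARSERS[source](line)
            if ev is None:
                unparsed += 1   # the analyst must know what the timeline is missing
            else:
                events.append(ev)
    return sorted(events), unparsed


def events_touching(timeline: List[Event], ip: str) -> List[Event]:
    """Pivot: every event in which the address appears as source or destination."""
    return [e for e in timeline if ip in (e.src_ip, e.dst_ip)]


if __name__ == "__main__":
    timeline, skipped = build_timeline(SAMPLE_LOGS)
    for e in timeline:
        print(f"{e.ts:%Y-%m-%d %H:%M:%S} {e.source:<8} {e.src_ip} -> {e.dst_ip}  {e.summary}")
    print(f"{skipped} line(s) could not be parsed")
```

Run as-is, the script prints the four parsed events in time order (firewall drop, firewall accept, IDS alert, outbound flow) and reports the one malformed line. Counting unparsed lines rather than dropping them quietly is the design point: a timeline with silent gaps is worse than one that tells the analyst where coverage failed.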
Friday, July 9th, 2010 – 10:50am – 11:50pm
Network Forensics Panel
Panelists will tell you the challenges faced in properly collecting and analyzing network-based evidence. It is critical in investigations. Data collected from intrusion detection systems, firewalls, routers, proxies, and access points all end up telling unique stories that could be critical to solving your case. Learn the latest techniques that are utilized in reacting to real attacks that these experts have responded to. This panel includes some of the best minds for the future of Network Forensics. Listen to what they have to say. Network Forensics: No Hard Drive? No Problem.
Panelists:
- Moderator: Jonathan Ham – SANS Institute and Lake Missoula Group
- George Bakos – Senior Engineer, Northrop Grumman
- Andrew Hay – Senior Security Analyst, The 451 Group’s Enterprise Security
- Charles Smutz – Software Engineer, Lockheed Martin-CIRT
Hopefully I’ll see you there. Sign up today!
Andrew Hay is a Canadian security professional, author, and speaker living in Lethbridge, Alberta, Canada.
For more information please see the 