July 29, 2007

Chief Security Strategist @ Splunk

Category: Log Analysis — Raffael Marty @ 8:12 pm

Effective immediately, I have a new employer! I am leaving ArcSight to start working for Splunk, an IT search company in San Francisco. As their Chief Security Strategist, I will be working in product management, with responsibility for all of the UI and solutions.

The work I have been doing in my past with log management and especially visualization is going to directly apply to my new job. I will be spending quite some time to help further the visual interfaces and define use-cases for log management. Exactly what I’ve been doing for the last four years already 😉

Please don’t send me any emails to my arcsight email anymore. My new address:
raffy at splunk . c o m

I found out that a lot of the Splunk developers hang out on IRC (#splunk). I’ve been hanging out in there for the last couple of days. Maybe you can catch me there too 😉

These Splunk guys are funny. One of the first things they did is giving me a Mac book. Darn. I have never used a Mac before. This is crazy. All the little things I had developed and installed on my Linux boxen I now have to translate to OS X. I am slowly getting used to this beast, but there are still things I wasn’t able to figure out. Maybe some of you want to help me out?

  • The first thing that I did was looking for something to cover the built-in camera. I don’t trust this thing. Who knows who’s watching 😉 I finally found the iPatch. Unfortunately they are out of stock. Well, I just built my own …
  • Then I discovered that the plugs I have for the microphone and headphone jacks are not working either. They are slightly too big. Well, I will have to talk to Josh about that during DefCon 😉
  • Then the other thing that I am struggling with is logging and auditing. I used tcpspy before to log all the connections that are opened to and from my machine. I downloaded the source and started compiling. No luck. Here is the error during compilation. Anyone know how to fix this?
    tcpspy.c: In function 'ct_read':
    tcpspy.c:236: error: 'TCP_ESTABLISHED' undeclared (first use in this function)
  • Maybe there is another tool that I can use to record all the connections? The nice thing about tcpyspy is that it also logs the application that opened or accepted the connection and the user associated with that.
  • What do I do about auditing? Are there instructions somewhere on how to enable either BSM auditing for Mac OSX or is there something else? I would like to mainly audit access to critical files on my box.
  • There are all kinds of other little odd things, but these are the items bugging me right now 😉

See ya all at BlackHat! Hit me up so we can meet up!


  1. Raffy,

    Congrats! Splunk is a company I really admire. Just one request about the UI – don’t change anything unless you have to! It’s one of the best in the industry.

    About the Mac – my first recommendation for all new Mac Users is Quicksilver. It’s the best.

    There’s shareware for monitoring TCP – is it little spy? little sneak? There’s something out there with a GUI – I’m sure you can figure the CLI functionality with enough time.

    I’m also assuming you’ve got Fink running.

    Good Luck,


    Comment by Alex — July 29, 2007 @ 8:27 pm

  2. Grats on the new gig!!

    Comment by LonerVamp — July 30, 2007 @ 4:59 pm

  3. Hey Raffy, congratulations on the new job!

    And you are complaining that they gave you a Mac! I’ll exchange you my Thinkpad if you want it 😉 But seriously, MacOSX is essentially BSD (Darwin is a derivative of FreeBSD), so indeed many Linux-specific things won’t compile, but anything that compiles in BSD should work fine.

    I don’t know about logging network connections (snort?). For auditing, I think this may be what you want:
    (found through http://lists.apple.com/archives/fed-talk/2005/Jul/msg00012.html). It seems Apple’s audit subsystem even uses BSM format!

    Feel free to drop me an email if I can help with your transition to Mac 🙂

    Comment by Diego — July 31, 2007 @ 1:38 am

  4. Congrats on the new role but I thought Arcsight was going IPO? With all the hard work you put in, why leave before cashing out?

    Comment by Dave — July 31, 2007 @ 8:22 am

  5. Congrats Raffy on the new job! Good luck.

    Comment by Kris Krishnan — July 31, 2007 @ 9:13 am

  6. I am the paranoid type too, so I looked around for a solution:


    You can also just rename QuickTimeUSBVDCDigitizer.component and this will disable the camera (you probably already figured this one out):

    Comment by Alex Raitz — September 24, 2007 @ 4:14 pm

RSS feed for comments on this post. | TrackBack URI

Leave a comment

XHTML ( You can use these tags): <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> .