October 18, 2007

CSI Conference 2007 – Free Pass

Category: Uncategorized — Raffael Marty @ 7:15 pm

How often is it that you get something in return for reading someone’s blog? Well, today is your lucky day. Are you interested in going to the CSI Conference in Arlington, VA from November 3-9? The first person to send me an email will get a registration code.

Unfortunately, I won’t be able to attend as I am going to be presenting in Jakarta at BCS.

October 15, 2007

Database Query Analysis

Category: Log Analysis,UNIX Scripting,Visualization — Raffael Marty @ 6:54 pm

I was playing with database audit logs for a bit to try and visualize some aspects of them. While doing so, I came across a pretty interesting problem. The audit logs contain entries that indicate what exact SQL query was executed. Now, I am not interested in the entire query, but I need to know which tables were touched. I was trying to build some regular expressions to extract that information from the query, but I gave up pretty quickly. It's just too complicated for a regex. I was wondering whether there is a way to take a SQL query, for example:

select * from a.table1 a, b.table2 b join c.table3 on b.id1=c.id2 where a.foo='bar'

and extract all the table names: a.table1, b.table2, c.table3. Are there tools to do that? Remember, I don’t have the database with these tables. I only have a log from some database. The script should support all the SQL perks like joins, nested selects, etc. Anyone have a good way to do this?
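One way to do this without a schema is to stop thinking in terms of a single regex and instead tokenize the statement, then walk the tokens: the identifier after FROM, JOIN, INTO or UPDATE names a table, a comma inside a FROM list introduces another one, and a parenthesis opens a new scope so nested selects and function calls cannot confuse the outer list. The Python below is an added example, not code from the original post; the audit-log format it parses (a `stmt=` field after a `user=` field) is a constructed one, since real audit logs differ per database. Comments and string literals are tokenized away first, so a value such as `'drop table users'` stored by a user never shows up as a table reference. Known limitations: CTE names and table-valued functions are reported as tables, and vendor-specific keywords may need to be added to the sets.

```python
import re

# Keywords after which the next identifier names a table.
TABLE_INTRODUCERS = {"FROM", "JOIN", "INTO", "UPDATE"}

# Keywords that end a FROM list (no more table names until the next introducer).
LIST_TERMINATORS = {
    "WHERE", "ON", "USING", "SET", "VALUES", "SELECT", "GROUP", "ORDER",
    "HAVING", "LIMIT", "OFFSET", "UNION", "EXCEPT", "INTERSECT",
    "RETURNING", "FOR", "WITH", "DELETE", "INSERT",
}

# Keywords that may sit between table references but never name a table.
OTHER_KEYWORDS = {
    "AS", "LEFT", "RIGHT", "INNER", "OUTER", "FULL", "CROSS", "NATURAL",
    "DISTINCT", "ALL", "AND", "OR", "NOT", "IN", "EXISTS", "IS", "NULL",
    "LIKE", "BETWEEN", "CASE", "WHEN", "THEN", "ELSE", "END",
}

_TOKEN = re.compile(r"""
      --[^\n]*                                       # line comment
    | /\*.*?\*/                                      # block comment
    | '(?:[^']|'')*'                                 # string literal ('' escapes a quote)
    | (?P<ident>
        (?:[A-Za-z_][\w$]*|"[^"]*"|`[^`]*`)          # bare, "quoted" or `quoted` name
        (?:\.(?:[A-Za-z_][\w$]*|"[^"]*"|`[^`]*`))*   # optional schema.table[.column]
      )
    | \d+(?:\.\d+)?                                  # number
    | \S                                             # any other single character
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Split a statement into (token, is_identifier) pairs, dropping comments."""
    tokens = []
    for m in _TOKEN.finditer(sql):
        text = m.group(0)
        if text.startswith(("--", "/*")):
            continue  # comments carry no table references
        tokens.append((text, m.group("ident") is not None))
    return tokens


def extract_tables(sql):
    """Return the table names referenced by `sql`, in order of first appearance."""
    found = {}                 # dict used as an insertion-ordered set
    stack = [[False, False]]   # one [expect_table, in_from_list] frame per paren depth
    for tok, is_ident in tokenize(sql):
        frame = stack[-1]
        if tok == "(":
            frame[0] = False   # "name (" is a column list or a function call, not a table
            stack.append([False, False])
            continue
        if tok == ")":
            if len(stack) > 1:
                stack.pop()
            continue
        if tok == ",":
            frame[0] = frame[1]  # a comma introduces another table only inside a FROM list
            continue
        if is_ident and tok[0] not in "\"`":
            word = tok.upper()
            if word in TABLE_INTRODUCERS:
                frame[0], frame[1] = True, word == "FROM"
                continue
            if word in LIST_TERMINATORS:
                frame[0] = frame[1] = False
                continue
            if word in OTHER_KEYWORDS:
                frame[0] = False
                continue
        if is_ident and frame[0]:
            found.setdefault(tok, None)
            frame[0] = False   # whatever follows (alias, ON, WHERE) is not a table
    return list(found)


# Constructed audit-log lines in a hypothetical format; the statement is the text after "stmt=".
SAMPLE_AUDIT_LOG = [
    "2007-10-15 18:54:02 user=alice db=sales stmt=select * from a.table1 a, b.table2 b join c.table3 on b.id1=c.id2 where a.foo='bar'",
    "2007-10-15 18:54:07 user=bob db=sales stmt=INSERT INTO audit.log (actor, action) VALUES ('bob', 'drop table users')",
    "2007-10-15 18:54:11 user=mallory db=sales stmt=SELECT u.name FROM users u WHERE u.id IN (SELECT uid FROM blacklist) -- from nowhere",
]


def tables_touched(log_lines):
    """Return (user, tables) per log line, for the constructed format above."""
    result = []
    for line in log_lines:
        user = re.search(r"\buser=(\S+)", line).group(1)
        stmt = line.split("stmt=", 1)[1]
        result.append((user, extract_tables(stmt)))
    return result


if __name__ == "__main__":
    for user, tables in tables_touched(SAMPLE_AUDIT_LOG):
        print(f"{user:8s} -> {', '.join(tables)}")
```

The `(user, tables)` pairs are exactly the edge list a link graph of "who touched which table" needs, which is the visualization use the post is after.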

October 11, 2007

Security Data Visualization Book

Category: Visualization — Raffael Marty @ 8:32 am

Greg Conti wrote a book on security data visualization. It’s all in color. A really nice book. The best parts about the book are the chapters on IDS signature tuning and firewall log analysis. I am just saying that because I wrote those two chapters 😉

He beat me to the punch with publishing a book on security data visualization. That's all I can say. I hope that I am done with my book soon. Fortunately, I knew about this book early on so I could make sure that we are not writing about the same topics. My book is going to be fairly different. I am diving quite a bit deeper into some visualization topics around security. I am focusing on use-cases: how do you use visualization for compliance, insider threat, and perimeter threat? What are some of the tools out there, what are the data sources, and what are the different types of graphs you should know and understand when you are visualizing security data?

Thanks to Greg for letting me write part of his book!

October 4, 2007

Visualization PodCast – A “Bar Talk”

Category: Log Analysis,Visualization — Raffael Marty @ 5:27 pm

During the FIRST conference in Seville earlier this year, I was talking to Ben Chai at about 12.30am. We were sitting in the bar area when he suddenly took out his microphone and started interviewing me. The talk is pretty funny. The podcast shows that I don't have a very good sense of humor 😉 Oh, and by the way, reading tea leaves is probably going to be the topic of one of my next talks!

I don't think this was my best night, when Ben recorded this. I spent about 1.5 hours trying to pick a TSA lock with a paper clip. Okay, Adam couldn't do it anymore either, but still. In the meantime, I learned how it is done for real – the lock picking 😉

Listen to the podcast here.