I just saw the first Amazon review for my book. I just don’t understand why the person only gave it four stars, instead of five 😉 Just kidding. Thanks for the review! Keep them coming!

The Applied Security Visualization book is DONE and available in your favorite store!

Last Tuesday when I arrived at BlackHat, I walked straight up to the book store. And there it was! I held it in my hands for the first time. I have to say, it was a really emotional moment. Seeing the product of 1.5 years of work was just amazing. I am really happy with how the book turned out. The color insert in the middle is a real eye-catcher for people flipping through the book and it greatly helps making some of the graphs better interpretable.

I had a few copies to give away during BlackHat and DefCon. I am glad I was able to give copies to some people that have contributed by inspiring me, challenging me, or even giving me very specific use-cases that I collected in the book. Thanks everyone again! I really appreciate all your help.

People keep asking me what the next project is now that the book is out. Well, I am still busy. secviz.org is one of my projects. I am trying to get more people involved in the discussions and get more people to contribute graphs. Another project I am starting is to build out a training around the book, which I want to teach at security conferences. I have a few leads already for that. Drop me a note if you would be interested in taking such a training. Maybe I will also get some time to work on AfterGlow some more. I have a lot of ideas on that end…

During DefCon, I recorded a PodCast with Martin McKeay where I talk a little bit about the book.

I just finished reading the NIST 800-41 draft about “Guidelines on Firewalls and Firewall Policy“. The guideline does a great job of outlining the different types of firewalls that exist and how to correctly setup a firewall architecture.

The topic that falls fairly short is logging:

• Section 5.2.3 (Configuring Logging and Alerts) mentions logging very briefly.
• I am positively surprised that it mentions the logging of rule changes on the firewall, which is inherently hard in, for example, IPTables.
• NIST asks for storing the logs locally on the firewall. I don’t agree with that at all. I don’t care whether the logs are kept locally. What I really care about is that the logs are centrally collected. Or in a very small environment, that there are logs at all.
• I was really hoping that this was finally the document which would outline what to log exactly. What traffic should I be logging on the firewall? All the traffic? Just denied packets? Do you log on the incoming interface? And so on. None of these questions is addressed. Not even whether passed traffic should be logged at all. There should at least be some discussion around that.
• Log analysis is not mentioned either. I was hoping that aside from just logging recommendations, the guideline would quickly mention what to do with the log files. How do you use them? Are they meant mainly for forensic purposes or are they used for proactive analysis? This would help justify the storage cost of the logs and push some implementations to actually implement logging.

I sent this blog post to the authors of the guidelines. Hopefully they are going to address some of this. And again, the general structure and contents of NIST 800-41 are great!

I am presenting at the FIRST 2008 conference in Vancouver next week. I am speaking on my birthday, June 25th, from 9.50 until 12.50. The topic is “Applied Security Visualization” – the same as my book title. I am going through some of the material from the book and show how visualization can be used to analyze log files.

Some of the highlights:

• I am going to show how you can use Splunk to manage not just single-line logs, but also analyze multi-line data, such as data from top, ps, etc.
• I am showing how you can use AfterGlow with Splunk.
• I am probably going to show a sneak peak of DAVIX. The Data Visualization and Analysis Linux (DAVIX) is a live CD that will be released at BlackHat this year.

The Applied Security Visualization book is slowly coming together. I finished implementing all the reviews from my reviewers yesterday. This means I am almost done. The only thing left is the introduction.

By the way, my reviewers were absolutely amazing. I couldn’t have wished for a better team. Thanks guys!

The rought-cuts version of “Applied Security Visualization” is now also available. It’s an electronic version of, I think, 4 of the chapters. You can also pre-order the book on Amazon. This is all really exciting. Finally, after 1.5 years, the book is close to be done. Let’s hope for a launch in August, at BlackHat!

I just joined the program committee for this year’s WASL conference. I am really curious what papers will be submitted for this. Talking about papers, I have been busy lately reviewing papers for RAID and soon the papers for VizSec are due as well. While I enjoy reading these papers, it’s been too busy lately with finishing my book and looking these papers. But at least the book is getting close!

Here is the description for WASL:

Join us in San Diego, CA, December 7, 2008, for the First USENIX Workshop on the Analysis of System Logs. System logs represent a rich source of information for the analysis and diagnosis of system problems and prediction of future system events. However, their lack of organization and the general lack of semantic consistency among the information from various software and hardware vendors means that most of this information content is wasted. WASL ’08 will focus on novel techniques for extracting more information from existing logs and on methods to improve the information content of future logs.

This week, the RSA Security conference is taking place in San Francisco. Just a few things I want to capture:

• I will be speaking on Thursday morning 8am! Topic of the presentation: “A Journey Through Security Visualization“. I am co-presenting with Alain Mayer from RedSeal.
• I am announcing the rough-cuts version of my Applied Security Visualization book. This is an online version of three chapters of the book. You can get an electronic version and give me feedback on them. Not that I didn’t have enough to do with the comments from my reviewers already 😉
• I am going to be hanging out at various events and parties during the week. My schedule during the day is really full at this point, but I would love to meet you during the evening activities. Hit me up or check my Twitter feed for where I am at: @zrlram.
• I am most likely going to be at the Blogger Meetup on Wednesday. [If Splunk is not going to drag me into the Analyst dinner.]

So, given all this, it’s going to be both a busy and a fun week. Hope to see ya all there!

Technorati Tags: visualization, rsa security, visualization

Thanks to the design department at Addison Wesley, I have a proposal for a cover page of my upcoming book:

This is really exciting. I have been working on the book for over a year now and finally it seems that the end is in sight. I have three chapters completely done and they should appear in a rough-cuts program, as an electronic pre-version, very soon (next three weeks). Another three chapters I got back from my awesome review committee and then there are three chapters I still have to finish writing.

Applied Security Visualization should be available by Black Hat at the beginning of August. I will do anything I can to get it out by then.

Technorati Tags: applied security visualization, security visualization, visualization, security, applied

I will be at Source Boston next week, which is going to be probably one of the coolest conferences this year. The speaker lineup is absolutely fantastic. And I am not saying that because I am going to be speaking there. You can keep up with the conference on the Source Boston Blog or on the Twitter @SourceBoston feed.

My presentation carries the title: All the data that’s fit to visualize. Recognize this? It’s the New York Time’s headline. I am going to talk about what security visualization can learn from the NYT. I am very excited about the talk. I am going to try out some new presentation methods. Come and see it!

[ tags]security visualization, source boston, applied security visualization[/tags]

A bunch of log analysis professionals started blogging on a new blog, located at: http://www.loganalysispros.com . Let’s see how much people actually are going to contribute there. I did my first post today about the new CEE Field List that was just posted on the CEE mailinglist. Here is where you can get more information about CEE and the newly posted field list.