September 6, 2008

The Process of Writing the Applied Security Visualization Book

Category: Uncategorized — Raffael Marty @ 12:55 pm

img_0365.jpgA little bit more than two years ago, I approached Jessica Goldstein from Addison Wesley to write a book about security visualization. We sat down during BlackHat 2006 and discussed my idea. It didn’t take much to convince her that they should get me on board. I went home after the conference and started putting together a table of contents. Here is the very first TOC that I submitted:

  1. Introduction
  2. Data Sources
  3. Visualization
  4. From Data To Visuals
  5. Visual Security Analysis
  6. Situational Awareness
  7. Perimeter Threat
  8. Compliance
  9. Insider Threat
  10. Data Visualization Tools

If you read the book, you will notice that this is pretty much what I ended up with. More or less. An interesting fact is that at the time of submitting the TOC, I had no idea what to exactly write about in the compliance and insider threat chapters. The even more interesting fact is that a lot of people told me that their favorite chapter is the insider threat chapter.

img_0336.jpgAfter submitting the TOC to Jessica, she had me fill out some more marketing questions about the book. Things like target audience, competitive books, etc. After handing that in, it went silent for a bit. Jessica was selling the book internally. And then things started to look not so good. Jessica went on maternity leave. Kristin took over and got the proposal review process lined up. I asked some people in the industry to have a look over my proposal and provide feedback to the publisher. Questions like: “Why is Raffy the right person to write this book?” “Is there a market for this book?”  etc. were being asked. I received the six really great reviews (thanks guys!) mid December 2006. On December 19th, I received an email with the contract to write the book. I sent the contract off to a friend of mine who is a lawyer, just because I was a bit worried about intellectual property rights. After a few emails also with Addison, I felt much better. They are not at all interested in any IP. They just want the copyright, which was totally fine with me. Then, finally, on January 17th, I signed and was under contract to write about 300 pages about security visualization.

After a few days, I received an ISBN number for the book and a ton of material about style guides and how to go about writing the book. All very exciting. I decided to not write my book in TeX, unlike my masters thesis. That was definitely a smart decision. It turned out that using Word wasn’t that bad. The template from Addision made it really easy to format the text correctly. I actually ended up using VI to write the original text without any formatting. Once it was all done, I copied the raw text into Word and started formatting. The reason for doing this is that I am so much quicker in VI than I am in Word. (And hitting the ESC key in Word is not something you want to be doing too much.)

cimg2403.jpgOne of the next steps was to put together a timeline. Well, it was sort of aggressive. The version of the schedule I could find in my archives shows that I was planning on being done mid September 2007. Well, I missed that by only a year 😉 I attribute a lot to the fact that I didn’ really know how to write (seriously) and to the chatpers for which I had to do a lot of research.

I definitely enjoyed the process of writing the book. The folks at Addison Wesley were awesome. They kept motivating me along the way and provided great insights into the writing process. What I am still very impressed with is the PR aspects. Early on, they hooked me up to film a video cast about the book. After publishing the book, I get about an email a week for some press opportunity. Keep them coming 😉

Here is a fun fact: In ~/Data/projects/vis_addision, where I have all the material for the book, I accumulated 1.1GB of data. Pretty crazy.

img_0260.JPGcimg2019.jpgAre you thinking about writing a book? Do it, but make sure you have time! I spent a LOT of time in the local coffee shop (picture on the left). I always had printouts with me to work on corrections. The picture on the right I took at 6.30am in Taipei. Yes, it’s a full-time job! I learned a lot! I made amazing connections. And I had fun! One piece of advice: make sure you have a good publisher!

I haven’t seen the book in my local Barnes and Nobles yet. Well, I checked two weeks ago. But a friend (@jjx) sent me this picture. So, apparently some book stores have it in stock:

478019.jpg

April 12, 2008

RSA Security Conference 2008 – What a Week

Category: Uncategorized — Raffael Marty @ 6:41 pm

Last week the RSA security conference was held in San Francisco. It’s hard to put all the impressions I gathered during the week into words. Let me just highlight some things that I thought were interesting:

img_0292.jpgimg_0292.jpgRSA is a business development conference. It’s been that way for years and this year was definitely not different. At all! Don’t believe me? If even I, who is not in business development can collect this many cards, it has to be a biz dev con.

img_0292.jpgThe Security Blogger meetup was great. Unfortunately I had to bounce very early. Sorry guys! I would have loved to stick around. The caliber of people hanging out in that room was crazy. Everyone that has a name, and more importantly a voice in the security industry, was there. Thanks to Jennifer for organizing it. Love the t-shirt!

.
img_0292.jpgTalking about everybody being at RSA: I met the CISO of the Vatican 😉

.

.

.

.

cimg2666.jpgWe had the first in-person common event expression (CEE) meeting. Some people from XDAS
showed up and we had some fairly good discussions around what to do with both the standards, how they can be aligned and how we can move forward.

.

cimg2678.jpgWalking around on the floor, I found some interesting security visualizations. This one is from DeepSight. Very visually appealing. I haven’t spent much time to understand what’s on the displays, but it looks interesting.

.

.

January 24, 2008

Bridging Security and Visualization

Category: Log Analysis,Uncategorized,Visualization — Tags: , , – Raffael Marty @ 5:56 pm

picture-8.png

OnSecrity just released another video of the conversation we recorded last year during RSA. I am talking about security visualization in light of the book I am working on. This video cast is the sequel to the first one that I posted a few days ago.

picture-5.pngOne of the topics I am discussing in the video is the “false dichotomy” between security and visualization. This is a topic that I talked about during a talk at the MIT Lincoln Labs at the beginning of December. The presentation showed how there are really two disciplines that come together in security visualization: Security and Visualization. The problem with this is that visualization people don’t know much about security and the other way around. It’s a very interesting topic to explore and it explains some of the mistakes that are being made with visualization tools and is also reflected in visualization research.

Technorati Tags: , ,

January 22, 2008

500 Linkedin Connections

Category: Uncategorized — Raffael Marty @ 2:24 pm

picture-7.pngI have been using Linkedin for quite a while now. Today marks the day where I actually have 500 connections. I wonder whether I would be able to go through all of them and remember who each and everyone is. I would probably get a 95% hit rate. I don’t think I am actually making complete use of my network on Linkedin network, but one of my New Year’s resolutions is to get a bit better with my networking.

Connect to me if I know you and you are not in my network yet!

December 3, 2007

My Splunk Blog

Category: Uncategorized — Raffael Marty @ 4:02 pm

logo_splunk.gifI wanted to mention this a long time ago, I am really behind with blogging …

I started another blog. I hope this is not going to be too confusing.

Here is what goes where:

November 25, 2007

SOURCE: Boston

Category: Uncategorized — Raffael Marty @ 9:18 pm

clear_06.jpgThere are a number of security conferences out there. Deciding which ones to attend is no easy task. As part of the advisory committee for SOURCE: Boston, I might be a bit biased, but this is going to be a one of a kind security conference. We don’t want to organize yet another security conference. We realize that security has become more and more of a business concern. The security conference of the future needs to bridge the business and the technology. Therefore, three tracks are offered: business, technology, and application security. With the keynote speakers of Dan Geer and Steven Levy, you can be sure to get some interesting perspectives on security!

See you March 12th to 14th, 2008 in Boston!

October 18, 2007

CSI Conference 2007 – Free Pass

Category: Uncategorized — Raffael Marty @ 7:15 pm

How often is it that you get something in return for reading someone’s blog? Well, today is your lucky day. Are you interested in going to the CSI Conference in Arlington, VA from November 3-9? The first person to send me an email will get a registration code.

Unfortunately, I won’t be able to attend as I am going to be presenting in Jakarta at BCS.

September 12, 2007

BaySec – September 17th

Category: Uncategorized — Raffael Marty @ 5:16 pm

Yet another BaySec meeting. Come and mingle.

Where: O’Neills

When: September 17th, 7pm

Who: People interested in computer security / geeks / …

Want to be informed of future events? Subscribe to the mailinglist: baysec-subscribe at sockpuppet.org

September 4, 2007

Application Security Log Output Standards – Gartner’s View

Category: Uncategorized — Raffael Marty @ 12:01 am

While I am on a roll, talking about normalization and log standards, let me have a look at a publication from Gartner. It is a bit dated already (May 2006), but people are probably still referring to it. There are a couple of things that I want to make sure people understand.
While I like the fact that someone like Gartner is trying to dive into a technical topic, I am not too certain that this is very productive. The Gartner publication I am looking at is “Define Application Security Log Output Standards” by Amrit Williams. I must say, the publication is not horribly wrong or bad, however, there are some interesting problems that I want to address:

  • The publication outlines what fields should be contained in an “account access event”. Most of the fields make sense. However, there are two fields: “login success” and “login failure”. These fields should be normalized. There shouldn’t be two fields, one for success and one for failure. Just have one that indicates success or failure. That way you can correlate those two events against each other. Otherwise you can’t because you have two different fields. Well, you can, but it’s much more difficult.
  • Another field in the account access event is “access rights”. If you include this field in an event, you need a system which can deal with sets or lists of values. This is not simple and I don’t think any of the SIMs really take care of that. Not that they shouldn’t, but it’s really really expensive to build that into a correlation engine. Now, in this specific instance, for access rights, they should not be in an event anyways. This is static information that should be read into the correlation engine asynchronously or looked up on a need to know bases.
  • The publication further indicates that the access events have additional variables, called “Variable 1”, “Variable 2”, etc. I have no idea what these fields would be used for. But that’s not even important. The important part is that having generic variables without a fixed meaning is not very useful for later consumption in reports or correlation rules. You need a semantic associated with every field. That’s exactly why there is a common event language to start with!
  • The same mistake with splitting out the same type of events into multiple event fields is done in the “account /role management events”. Make one field tat talks about “creation”, “modification”, etc. One of the things to mention in this context is an event taxonomy. I am working on a generic taxonomy right now for CEE, the common event exchange format. CEE is an effort that I pushed Mitre to address a long time ago. Finally, there is a small working group and we should soon have the <A href=”http://cee.mitre.org”>Web presence</A> up and running.
  • I don’t agree with the “Log Output Formats” discussion at all. Sorry. Gartner (or Amrit?) recommends syslog as output format. While I am quite a fan of syslog, it’s definitely not my transport of choice. Read that again: TRANSPORT! Syslog is not a log format. It’s a transport. I am not going to roll-up my rant about formats and transports again. Read my older blog entry about the <a href=”http://raffy.ch/blog/2007/04/19/standard-logging-format-common-event-exchange-cee/”>format vs. transport</A> issue.
  • It seems really interesting to me that syslog is pushed as the “log format” (again, it’s a transport, but whatever). The publication even mentions all the RFCs associated with syslog, but not a single sentence about the draw backs. Unstructured, reliability (okay TCP is mentioned), poor timestamp, etc.

Again, I think it’s great that Gartner picked this topic up. It’s incredibly important, but it takes a fair amount of work and experience to get a decent log standard put together. Stay tuned and check back for more information about <a href=”http://raffy.ch/blog/2007/04/23/common-event-expression-cee/>CEE</A>.

Technorati Tags: , , ,

August 16, 2007

BaySec – Next Meeting August 20th

Category: Uncategorized — Raffael Marty @ 8:35 pm

We have another BaySec meeting scheduled for the coming Monday. 7pm at O’Neills, at 3rd and King Street. Right around the corner from my work 😉