June 17, 2008

FIRST 2008 Log Analysis and Visualization Workshop

Category: Log Analysis,Visualization — Raffael Marty @ 9:56 pm

I am presenting at the FIRST 2008 conference in Vancouver next week. I am speaking on my birthday, June 25th, from 9.50 until 12.50. The topic is “Applied Security Visualization” – the same as my book title. I am going through some of the material from the book and showing how visualization can be used to analyze log files.

Some of the highlights:

  • I am going to show how you can use Splunk to manage not just single-line logs, but also analyze multi-line data, such as data from top, ps, etc.
  • I am showing how you can use AfterGlow with Splunk.
  • I am probably going to show a sneak peek of DAVIX. The Data Visualization and Analysis Linux (DAVIX) is a live CD that will be released at BlackHat this year.

May 30, 2008

Update on the Book – Amazon – RoughCuts – Writing done?

Category: Log Analysis,Visualization — Raffael Marty @ 5:49 pm

The Applied Security Visualization book is slowly coming together. I finished implementing all the reviews from my reviewers yesterday. This means I am almost done. The only thing left is the introduction.

By the way, my reviewers were absolutely amazing. I couldn’t have wished for a better team. Thanks guys!

The rough-cuts version of “Applied Security Visualization” is now also available. It’s an electronic version of, I think, 4 of the chapters. You can also pre-order the book on Amazon. This is all really exciting. Finally, after 1.5 years, the book is close to being done. Let’s hope for a launch in August, at BlackHat!

May 14, 2008

First USENIX Workshop on the Analysis of System Logs

Category: Log Analysis — Raffael Marty @ 4:00 pm

I just joined the program committee for this year’s WASL conference. I am really curious what papers will be submitted for this. Talking about papers, I have been busy lately reviewing papers for RAID and soon the papers for VizSec are due as well. While I enjoy reading these papers, it’s been too busy lately with finishing my book and looking at these papers. But at least the book is getting close!

Here is the description for WASL:

Join us in San Diego, CA, December 7, 2008, for the First USENIX Workshop on the Analysis of System Logs. System logs represent a rich source of information for the analysis and diagnosis of system problems and prediction of future system events. However, their lack of organization and the general lack of semantic consistency among the information from various software and hardware vendors means that most of this information content is wasted. WASL ’08 will focus on novel techniques for extracting more information from existing logs and on methods to improve the information content of future logs.

April 12, 2008

RSA Security Conference 2008 – What a Week

Category: Uncategorized — Raffael Marty @ 6:41 pm

Last week the RSA security conference was held in San Francisco. It’s hard to put all the impressions I gathered during the week into words. Let me just highlight some things that I thought were interesting:

RSA is a business development conference. It’s been that way for years and this year was definitely not different. At all! Don’t believe me? If even I, who is not in business development, can collect this many cards, it has to be a biz dev con.

The Security Blogger meetup was great. Unfortunately I had to bounce very early. Sorry guys! I would have loved to stick around. The caliber of people hanging out in that room was crazy. Everyone that has a name, and more importantly a voice in the security industry, was there. Thanks to Jennifer for organizing it. Love the t-shirt!

Talking about everybody being at RSA: I met the CISO of the Vatican 😉

We had the first in-person common event expression (CEE) meeting. Some people from XDAS showed up and we had some fairly good discussions around what to do with both the standards, how they can be aligned and how we can move forward.

Walking around on the floor, I found some interesting security visualizations. This one is from DeepSight. Very visually appealing. I haven’t spent much time to understand what’s on the displays, but it looks interesting.

April 7, 2008

A Journey Through Security Visualization – RSA 2008

Category: Log Analysis,Visualization — Raffael Marty @ 3:02 pm

This week, the RSA Security conference is taking place in San Francisco. Just a few things I want to capture:

  • I will be speaking on Thursday morning 8am! Topic of the presentation: “A Journey Through Security Visualization”. I am co-presenting with Alain Mayer from RedSeal.
  • I am announcing the rough-cuts version of my Applied Security Visualization book. This is an online version of three chapters of the book. You can get an electronic version and give me feedback on them. Not that I didn’t have enough to do with the comments from my reviewers already 😉
  • I am going to be hanging out at various events and parties during the week. My schedule during the day is really full at this point, but I would love to meet you during the evening activities. Hit me up or check my Twitter feed for where I am at: @zrlram.
  • I am most likely going to be at the Blogger Meetup on Wednesday. [If Splunk is not going to drag me into the Analyst dinner.]

So, given all this, it’s going to be both a busy and a fun week. Hope to see ya all there!

April 1, 2008

Applied Security Visualization – I Have a Book Cover!

Thanks to the design department at Addison Wesley, I have a proposal for a cover page of my upcoming book:

Applied Security Visualization

This is really exciting. I have been working on the book for over a year now and finally it seems that the end is in sight. I have three chapters completely done and they should appear in a rough-cuts program, as an electronic pre-version, very soon (next three weeks). Another three chapters I got back from my awesome review committee and then there are three chapters I still have to finish writing.

Applied Security Visualization should be available by Black Hat at the beginning of August. I will do anything I can to get it out by then.

March 21, 2008

Follow me on Twitter: @zrlram

Category: Security Article Reviews — Raffael Marty @ 9:02 am

I was quite surprised when I heard that Twitter was around for about a couple of years already. I jumped on the bandwagon about 2 weeks ago, just before SOURCEBoston. What’s Twitter? It’s a micro-blog. It’s IM that can be read by everybody that you authorize. It’s broadcast. You subscribe to people’s feeds and they subscribe to yours. It’s fairly interesting. There is an entire following of security twits who twitter all day long about more or less interesting things.

What I find very interesting are the RSS-like twitter feeds from, for example, conferences. We had a feed for @SOURCEBoston. There is also one for the RSA Blogger Meetup. I hope to see you there!

Follow me: @zrlram

March 13, 2008

2nd Keynote at SOURCEBoston – Dan Geer

Category: Security Article Reviews — Raffael Marty @ 9:13 am

Dan Geer just gave his keynote at SOURCEBoston. Have you heard Dan Geer speak? If not, I highly encourage you to watch the video of his talk as soon as it is online. I will have to go back and listen to his talk a few more times to absorb some more of it. Dan throws out so many thoughts and concepts that it is hard to follow him, without knowing some of this stuff already. I am sure those of you who have been following Dan were able to retain much more of his talk. I mostly know about Dan’s work from his postings on the security metrics list.

Risk management is a topic that is often discussed by Dan. “Risk management is about affecting the future, not explaining the past,” says Dan. To do effective risk management we need to measure things as best as we can. We need security metrics. We can’t make much progress in security if we don’t have good metrics. We’ve exhausted what we can do with firefighting. Dan has an entire slide-deck of over 400 slides about the topic of security metrics that is incredibly interesting for reading up on security metrics and risk management.

Do you need security analogies from other fields? Read the transcript of Dan’s talk as soon as it is up on the SOURCEBoston site. It’s really worth it.

March 12, 2008

AirForce Recruiting For Cyber Offense

Category: Security Article Reviews — Raffael Marty @ 10:47 am

Richard Clarke, during his keynote at SOURCEBoston, talked about the 2007, non-public Presidential cybersecurity directive. One part of the directive is rumored to talk about building an offensive cyber capability (see also Jennifer’s post). Is the fact that the AirForce has changed their recruiting commercial to contain cybersecurity aspects already a first sign that they are looking for talent that can execute on those objectives?
– Live from SOURCEBoston!

March 11, 2008

SOURCE Boston – Be There!

Category: Security Article Reviews — Raffael Marty @ 3:10 pm

We are frantically preparing for the SOURCE Boston conference which starts tomorrow morning.

You can keep track of the happenings via Twitter. It’s pretty interesting how this Twitter thing is taking off. I will try to update my feed (@zrlram) regularly over the next days so you can keep track of what’s going on.

There are a lot of other Security Twits here who hopefully keep their feeds up to date. I am sure @mediaphyter (Jennifer Leggio) is keeping her feed current with the latest gossip. Careful though, she is not always telling the truth 😉