December 10, 2007
Today I found myself researching “moving average analysis” techniques. Using moving average analysis can be fairly useful in trending risk. Plot the moving average over your risk and compare it with the actual risk numbers, much like you would analyze a stock chart. I will write more extensively about this in my book in the “Visual Security Analysis” chapter.
What I just learned, and what really prompted me to write this blog post, is that Excel has a data analysis add-in that lets you compute moving averages. In my Excel instance, I had to first enable the “Data Analysis” add-in by going to Tools|Add-Ins… Once enabled, I got a new menu item under Tools, which is Data Analysis… There you can choose from a variety of data analysis tools, among them a moving average calculator. This blog post shows exactly how to apply the add-in.
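As an added example (not code from the original post), here is the same computation done without Excel: a simple moving average over a constructed series of daily risk scores, plus the chart-reading step of flagging days where the actual score runs well above the smoothed trend. The five-day window and the 1.5 ratio are arbitrary assumptions chosen for the illustration.

```python
from collections import deque

# Constructed daily risk scores for one asset (e.g. a weighted count of critical findings);
# made up for this example, not real data.
RISK_SCORES = [12, 14, 13, 15, 30, 16, 14, 15, 17, 40, 45, 50, 18, 16]

def moving_average(values, window):
    """Simple moving average over the last `window` points.

    Entries before the first full window are None, matching the empty (#N/A) cells
    Excel's Moving Average tool leaves at the top of its output column."""
    out, buf, total = [], deque(), 0.0
    for v in values:
        buf.append(v)
        total += v
        if len(buf) > window:
            total -= buf.popleft()              # slide the window forward
        out.append(total / window if len(buf) == window else None)
    return out

def spikes(values, window, ratio=1.5):
    """Indices where the actual score sits more than `ratio` above its moving average.

    This is the chart-reading step: a point well above the smoothed trend line is a
    candidate incident, while a rise the average has already absorbed is the new baseline."""
    ma = moving_average(values, window)
    return [i for i, (v, m) in enumerate(zip(values, ma)) if m is not None and v > ratio * m]

if __name__ == "__main__":
    for day, (v, m) in enumerate(zip(RISK_SCORES, moving_average(RISK_SCORES, 5))):
        ma_text = "    -" if m is None else f"{m:5.1f}"
        print(f"day {day:2d}  risk {v:3d}  ma5 {ma_text}")
    print("spike days:", spikes(RISK_SCORES, 5))   # [4, 9, 10]; day 11 is absorbed by the trend
```

Note that day 11 (score 50) is not flagged: by then the average has risen with the sustained spike, which is exactly the lag you have to keep in mind when reading a moving-average line.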
December 7, 2007
Finally, Common Event Expression (CEE) has its Web site up!
We are working on a few initiatives right now. If you want to contribute to the discussion, join the mailing list. Send an email to cee@mitre.org to subscribe.
December 3, 2007
I wanted to mention this a long time ago; I am really behind with blogging …
I started another blog. I hope this is not going to be too confusing.
Here is what goes where:
November 25, 2007
There are a number of security conferences out there. Deciding which ones to attend is no easy task. As part of the advisory committee for SOURCE: Boston, I might be a bit biased, but this is going to be a one of a kind security conference. We don’t want to organize yet another security conference. We realize that security has become more and more of a business concern. The security conference of the future needs to bridge the business and the technology. Therefore, three tracks are offered: business, technology, and application security. With the keynote speakers of Dan Geer and Steven Levy, you can be sure to get some interesting perspectives on security!
See you March 12th to 14th, 2008 in Boston!
November 14, 2007
No news anymore, but still worth a blog entry. Michael Rash wrote a new book on firewalls. His approach is not the traditional one where he looks into firewalls themselves. He explores all kinds of additional tools that can be used alongside firewalls to tune them and make them more efficient. I read part of his book before he published it and I really liked what he was up to. I think the final copy should be on my desk by now. Can’t wait to read it. Here is a link to his Web page:
http://www.cipherdyne.org/blog/2007/09/online-site-for-linux-firewalls-attack-detection-and-response.html
October 18, 2007
How often is it that you get something in return for reading someone’s blog? Well, today is your lucky day. Are you interested in going to the CSI Conference in Arlington, VA from November 3-9? The first person to send me an email will get a registration code.
Unfortunately, I won’t be able to attend as I am going to be presenting in Jakarta at BCS.
October 15, 2007
I was playing with database audit logs for a bit to try and visualize some aspects of them. While doing so, I came across a pretty interesting problem. The audit logs contain entries that indicate what exact SQL query was executed. Now, I am not interested in the entire query, but I need to know which tables were touched. I was trying to build some regular expressions to extract that information from the query, but I gave up pretty quickly. It’s just too complicated for a regex. I was wondering whether there is a way to take a SQL query, for example:
select * from a.table1 a, b.table2 b join c.table3 on b.id1=c.id2 where a.foo='bar'
and extract all the table names: a.table1, b.table2, c.table3. Are there tools to do that? Remember, I don’t have the database with these tables. I only have a log from some database. The script should support all the SQL perks like joins, nested selects, etc. Anyone have a good way to do this?
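As an added example (not part of the original post, and not a tool mentioned in it), here is a small tokenizer-based extractor that pulls table names out of FROM, JOIN, INTO and UPDATE clauses, including tables inside nested selects, without needing access to the database. The keyword list and the alias handling are assumptions about a generic SQL dialect; a real audit log from a specific database will need its dialect's keywords added.

```python
import re

# Tokens: quoted strings, quoted identifiers, dotted identifiers, numbers, single symbols.
TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'|\"[^\"]*\"|[A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)*|\d+(?:\.\d+)?|\S"
)
IDENT_RE = re.compile(r"[A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)*")
# Keywords that may follow a table reference (assumed subset of ANSI SQL plus common extras);
# they keep us from mistaking a keyword for a table alias.
KEYWORDS = {"select", "from", "where", "join", "on", "using", "inner", "left", "right", "full",
            "outer", "cross", "natural", "as", "group", "order", "by", "having", "limit",
            "union", "set", "values", "and", "or", "not", "in", "exists", "returning"}
TABLE_INTRODUCERS = {"from", "join", "into", "update"}

def extract_tables(sql):
    """Return the distinct table names referenced by an SQL statement, in order of appearance."""
    tokens = TOKEN_RE.findall(sql)
    tables, i = [], 0
    while i < len(tokens):
        if tokens[i].lower() not in TABLE_INTRODUCERS:
            i += 1
            continue
        i += 1                                   # step past FROM / JOIN / INTO / UPDATE
        while i < len(tokens):
            tok = tokens[i]
            # "(" means a derived table / nested SELECT: the outer loop will reach the
            # subquery's own FROM, so stop reading this table list here.
            if tok in ("(", ")", ";", ",") or tok.lower() in KEYWORDS:
                break
            tables.append(tok)                   # the table reference itself
            i += 1
            if i < len(tokens) and tokens[i].lower() == "as":
                i += 1                           # explicit alias keyword
            if i < len(tokens) and tokens[i].lower() not in KEYWORDS and IDENT_RE.fullmatch(tokens[i]):
                i += 1                           # bare alias such as "a.table1 a"
            if i < len(tokens) and tokens[i] == ",":
                i += 1                           # comma-separated FROM list continues
            else:
                break
    return list(dict.fromkeys(tables))           # de-duplicate, keep first-seen order

if __name__ == "__main__":
    # The example query from the post.
    print(extract_tables("select * from a.table1 a, b.table2 b join c.table3 on b.id1=c.id2 where a.foo='bar'"))
```

Because strings are tokenized whole, a literal such as 'from nowhere' in a WHERE clause is never mistaken for a FROM keyword, which is the usual failure of a plain regular expression over the query text.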
October 11, 2007
Greg Conti wrote a book on security data visualization. It’s all in color. A really nice book. The best parts about the book are the chapters on IDS signature tuning and firewall log analysis. I am just saying that because I wrote those two chapters 😉
He beat me to the punch with publishing a book on security data visualization. That’s all I can say. I hope that I am done with my book soon. Fortunately, I knew about this book early on, so I could make sure that we are not writing about the same topics. My book is going to be fairly different. I am diving quite a bit deeper into some visualization topics around security. I am focusing on use-cases: How do you use visualization for compliance, insider threat, and perimeter threat? What are some of the tools out there, what are the data sources, and what are the different types of graphs you should know and understand when you are visualizing security data?
Thanks to Greg for letting me write part of his book!
October 4, 2007
During the FIRST conference in Seville earlier this year, I was talking to Ben Chai at about 12.30am. We were sitting in the bar area when he suddenly took out his microphone and started interviewing me. The talk is pretty funny. The podcast shows that I don’t have a very good sense of humor 😉 Oh, and by the way, reading tea leaves is probably going to be the topic of one of my next talks!
I don’t think this was my best night, when Ben recorded this. I spent about 1.5 hours trying to pick a TSA lock with a paper clip. Okay, Adam couldn’t do it anymore either, but still. In the meantime, I learned how it is done for real – the lock picking 😉
Listen to the podcast here.
September 24, 2007

I spent the first week of September in Kuala Lumpur, Malaysia, where I was speaking about insider crime visualization at Hack In The Box. The conference is held annually and I was surprised at how big it was. There were a lot of attendees from the region, but also from other parts of the world, Germany for example. In general I was fairly impressed with the caliber of the people who presented.

What I enjoyed a lot as well was the lock-picking village … The guys running it were real experts on the topic and had excellent tools to teach you the art of lock picking.
For those interested, I have the presentation available here. The download is fairly big. Sorry about that. The conference also made the rest of the presentations available.
On to the next conference. See you in Jakarta end of October.