Security is a Holistic Proposition

Gorka Sadowski


Top Stories by Gorka Sadowski

Performance Tolls - Why you cannot correlate 100% of your logs...? Compounding the combinatorial explosion in the number of static rule-based correlation rules, it is impossible to correlate 100% of all your logs: it is simply too expensive and not practical. Read on... A correlation engine works really hard, even when dealing with a limited set of scenarios. Each scenario requires many rules and exceptions, and most of these rules must be broken down further into dozens, if not hundreds, of simple checks and tests. For example, you may want to flag loops with a simple rule such as "IP Origin" = "IP Destination". If you have 1,000 logs, this means that for each log you need to perform 1,000 tests. Now imagine a million logs, or a trillion logs, which is not uncommon on a medium-sized infrastructure over a couple of days. Each scenario also requires state information to be kept and managed ... (more)
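To make the cost argument concrete, here is a toy rule-based correlation engine written for this page; it is an added example, not the author's code or any SIEM product's. It runs a stateless rule (the loop check above) and a stateful rule (repeated failed logins from one source inside a sliding time window) over a handful of constructed log records, and counts every check it performs. The field names, window size, and threshold are assumptions chosen for the illustration.

```python
"""Toy stateful rule-based correlation engine (added example, constructed data).

Two rules are applied to each record:
  * rule_loop       - stateless: one comparison per record (src == dst);
  * rule_bruteforce - stateful: must remember recent failures per source and
                      expire old ones from a sliding window, which is where the
                      state management and extra checks come from.
The engine counts every check so the cost of each rule can be compared.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: int          # seconds since epoch (constructed sample data)
    src: str         # "IP Origin"
    dst: str         # "IP Destination"
    action: str      # e.g. "login_fail", "login_ok", "connect"


@dataclass
class Engine:
    window: int = 60          # seconds of history kept per source (assumed)
    threshold: int = 3        # failures inside the window that raise an alert (assumed)
    evaluations: int = 0      # number of per-record checks performed so far
    state: dict = field(default_factory=lambda: defaultdict(deque))
    alerts: list = field(default_factory=list)

    def rule_loop(self, ev: Event) -> None:
        """Stateless rule: flag a record whose origin equals its destination."""
        self.evaluations += 1
        if ev.src == ev.dst:
            self.alerts.append(("loop", ev.ts, ev.src))

    def rule_bruteforce(self, ev: Event) -> None:
        """Stateful rule: `threshold` failed logins from one source inside `window`."""
        self.evaluations += 1
        if ev.action != "login_fail":
            return
        recent = self.state[ev.src]
        recent.append(ev.ts)
        # Expire timestamps that fell out of the window; each expiry is one more check.
        while recent and ev.ts - recent[0] > self.window:
            recent.popleft()
            self.evaluations += 1
        if len(recent) >= self.threshold:
            self.alerts.append(("bruteforce", ev.ts, ev.src))
            recent.clear()   # one burst should raise one alert, not one per extra failure

    def process(self, events) -> list:
        for ev in events:
            self.rule_loop(ev)
            self.rule_bruteforce(ev)
        return self.alerts


def sample_events() -> list:
    """Constructed sample: one loop, one burst of failures, and a slow trickle
    of failures too far apart to ever accumulate inside the window."""
    return [
        Event(0,   "10.0.0.5", "10.0.0.5", "connect"),
        Event(10,  "10.0.0.7", "10.0.0.1", "login_fail"),
        Event(20,  "10.0.0.7", "10.0.0.1", "login_fail"),
        Event(30,  "10.0.0.7", "10.0.0.1", "login_fail"),
        Event(100, "10.0.0.9", "10.0.0.1", "login_fail"),
        Event(200, "10.0.0.9", "10.0.0.1", "login_fail"),
        Event(300, "10.0.0.9", "10.0.0.1", "login_fail"),
    ]


def run_sample() -> tuple:
    """Run both rules over the sample; returns (alerts, total checks performed)."""
    engine = Engine()
    alerts = engine.process(sample_events())
    return alerts, engine.evaluations


if __name__ == "__main__":
    found, checks = run_sample()
    print(f"{len(found)} alert(s) after {checks} checks: {found}")
```

Even with seven records and two rules the engine performs sixteen checks, and the stateful rule keeps a queue per source that never shrinks on its own: the trickle from 10.0.0.9 is evaluated, stored, expired, and re-stored without ever producing an alert. Multiply that by hundreds of rules, many of them with their own windows and counters, and the per-log cost the post describes follows directly.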

From Data to Information to Knowledge to Intelligence

The debate between data and information has been going on for quite some time. When people say "knowledge is power", are they referring to data or information? Is knowledge different still? And how about "intelligence" where does that fit? How can we go from data to information to knowledge to intelligence? The answer is simple. By understanding the animated nature of data evolution and transformation, and acting upon this understanding. And this is brought to light by logs from your Information Systems. Understand this and unleash the Power of Logs. Figure 1 - Data to Informatio... (more)

Preventive Security Through Behavior Modification - Part 3

This week let's review why logs are such a popular and powerful tool when performing forensics, and how to ensure that investigators are working from a clean stream of data. Logs used in forensics have several distinct advantages. First, logs can be used not only to solve the IT crime, but also as evidence in a court of law, provided that they have been properly managed. Second, logs are widely available. Logs have been around for the past 25 years, and today all electronic equipment is capable of generating logs. Third, best practices for log management are mature, all system adm... (more)

Why Rule-Based Log Correlation Is Almost a Good Idea: The Future of SIEM

These past few weeks, I published several blog posts pointing out problems with static rule-based correlation: its current limitations, its high TCO, etc. Because these solutions have been sold for many years as the be-all and end-all of security problems, they have created false expectations in the industry and among clients. But SIEM as a general discipline holds plenty of promise, so let's not throw the baby out with the bathwater. Let's think of static rule-based correlation as the engine for the first generation of Security Information and Event Management (SIEM). Looking in my c... (more)

Why Rule-Based Log Correlation Is Almost a Good Idea (Part 8)

You have bought a static rule-based correlation engine and want to get the most out of it, or you are planning to get and deploy one? There are some simple steps you can take to maximize its efficiency. Ask Yourself If You Can Really Afford In-house Real-Time Incident Management. The main use case for correlation is real-time incident management, so you need a 24x7x365 team of forensics experts to validate and follow up on alerts - in real time. There is no need for real-time correlation if you only run a 9-to-5 operation... If an alarm goes off at 3 a.m., do you have the skilled staff to act... (more)