Friday, December 04, 2009
I was asked to provide a guest post for the FUDSEC Blog. After reading so many of the other guest posts I felt a little overwhelmed to put my ramblings alongside those gems. I’m thrilled Craig allowed me the opportunity and look forward to hearing your input. Please enjoy ripping my thoughts into pieces, chewing on them and then letting me know how you really feel!

FUDSEC: Liberate Yourself: Change The Game To Suit Your Needs

Comments are encouraged directly on FUDSEC, or you can reach me on Twitter (@rockyd) or on the Decurity Blog. Any way you choose to reach out, I’d love to hear your input.

Sunday, June 07, 2009
So if you follow me on Facebook or Twitter you may have heard our family had a bit of excitement over the weekend. My wife and two youngest children (2 and 7) got stuck at the top of a ride at Busch Gardens due to a “technical malfunction”. I know that mechanical and/or technical failures happen all the time at theme parks, but when it’s your family up there and you’re on the ground, it sucks.

Busch Gardens did everything right: they quickly informed everyone on the ride of the malfunction, asked them to stay calm and at the same time sent emergency responders up to the top of the ride to help get everyone off safely. No running around crazy, no unnecessary escalations, no waiting on approvals, no idle hands… Everyone played their role.

It got me thinking about the obvious parallels in incident response (well, parts of it at least). The ride was designed with safety mechanisms including emergency exit and communication mechanisms. The “owners” had procedures that were extremely well tested, communicated and executed by the “administrators”. Everyone had their role, understood it and was authorized to just “do it”, and it worked out. Once completed, they accomplished the repair, tested the ride, re-tested it from another perspective and then, once approved by management, they put the ride back into production for the park visitors (“users”). Sure, the visitors had to wait a few minutes, but everyone was understanding once they had the right information made available to them.

Certainly, I’d prefer this sort of thing to never happen, but that’s unrealistic given all variables in place at a theme park in Florida with millions of visitors. I’m just happy everyone was safe and we were able to enjoy the rest of the day.

And then, just when you think it’s over… Not more than 20 minutes later we saw another ride fail. The sky-ride (gondola) got stuck mid-ride for over 10 minutes. Luckily, we were not on that ride.
I’d have gotten a bit suspicious at that point. Actually, at that time we were on a train ride enjoying a peaceful ride through the park, pointing out animals to my two-year-old, when a grumpy rhino tried to prove to the train that he was in control and decided to give it a little shove to encourage the train to keep moving along. I’m not sure if it was a full moon, an everyday occurrence for the park or Murphy’s Law that caused all the excitement.

It just goes to show you that you can’t predict what’s going to go wrong, just that something will go wrong - it always does. We must prepare for as many types of incidents as we can and enable our teams to react effectively, and expect that they will. Obviously, a lot of pre-planning, risk assessment, exercise activities, documentation and training goes into the equation. Everyone has to become involved; if a barely-over-minimum-wage theme park worker can be trained to play a role during an emergency, certainly we can figure out how to more effectively involve our “owners”, “administrators”, and management in our incident response activities.

OK, enough excitement for one evening. I’m off to bed; I can’t wait for next week’s cruise and the lessons that will bring.

Tuesday, October 28, 2008
I recently attended a security conference as a member of a team presenting on log management and SIMs and during one of the sessions a very interesting trend was introduced. A couple of companies have actually moved their network engineering team into the security group.

Thursday, July 31, 2008
Like many things in the IT world, many executives are led to believe that just implementing a SIEM will be a reason for great rejoicing as all their security problems go away. Unfortunately, this is not the case.

Wednesday, July 02, 2008
ArcSight recently announced a new product, called IdentityView, which links a user’s identity and role to his or her IT activity. This is an important move and reflects a growing trend in Security Event Correlation systems that, I think, will move the security-monitoring model into the next phase of evolution. The SIM vendors out there are starting to move up the ISO stack.

Monday, May 19, 2008
Virtualization in all of its forms (whether you are thinking of data centers or Windows 2008 or in the future with virtualized desktops) looks like it is going to be a success. However, there appear to be different deployment visions for leveraging the power of virtualization. Many people jump at the idea of dynamic environments where server resources are leveraged for different applications, on the fly, instantaneously being deployed to meet a jump in demand. Unfortunately, for the moment, this idyllic vision cannot really be leveraged for most situations. Yes, there will be examples where companies dynamically bring online and reconfigure their IT infrastructure to reflect seasonal or event-driven demand where planning the actual demands is difficult. But for the moment, I am going to focus on the security operations aspects of a planned virtualization scenario for this series of articles.

Monday, March 31, 2008
Last week I attended the Boston SecureWorld Expo (http://www.secureworldexpo.com/). I found it to be a worthwhile event with some good sessions and a chance to meet up with some of my colleagues of the IT Security Profession. One of the sessions I attended was a panel discussion with various IPS and NAC vendors such as Tipping Point, ForeScout and TopLayer. At the beginning, it was fairly embarrassing as each of the vendors introduced themselves, each one espousing why their product was better. After the initial boasts, the questions got down to the nitty-gritty of the subject area of where an enterprise should leverage IPS and/or NAC. All of this discussion got my mind going and a question formulated itself in my mind.