Wednesday, July 10, 2013

Information Security Operations - I wrote a book.

Hello there fellow infosec people,
I have put virtual pen to paper and crafted an ebook called "Information Security Operations". It outlines a process model for a security operations centre (or security operations center if you are American) and then walks through each of the processes, sharing my thoughts on key activities and considerations for each. The information contained in it is based on research, experience and more than a year of thought. I put it together and put it out there because of a real gap in the knowledge available in the market. The only book with similar content is "Visible Ops Security" by Love, Kim and Spafford. I think it is "all killer, no filler" and delightfully free of pro-SIEM vendor propaganda. Also there isn't too much CMM gumf in there, as I have written the book in the order in which you should implement the processes.

It has been interesting using Kindle Direct Publishing to distribute this book. It seems easier to get started with, and is supported on more platforms, than the Apple alternative. I envisioned publishing frequent new editions with free upgrades to previous purchasers. This may not be possible, as the upgrade process seems to have some

The approach I took was to put $10 worth of content into the ebook. I hope this can fund more writing and perhaps even the development of a textbook. My time is limited at the moment, and in later editions I would like to include stock "swim lane" process diagrams for the key processes, numbered Standard Operating Procedures, a sample enterprise zone model, sample approved network communications principles, etc. I could probably do a better job of explaining to the layman why I selected the processes I did.

Some of the key principles driving the processes were:

Incident response needs to be implemented first, because as soon as you start looking you will find suspicious activity to investigate.

SIEM alone does not solve security operations. The SOC's key role is responding to broken technology and processes that have resulted in security vulnerabilities or incidents. Hence "threat management" processes are required to maintain (patch, upgrade, tune) effective protective security controls (e.g. IPS).
Vulnerability management is required to act preventatively with "threat intelligence" and detectively, as a quality assurance function, to identify when secure configuration has not occurred.
Data needs to be secured first, then access management can be implemented.
Change management oversight is required before security operations monitoring can be effective, as approved administrative activities otherwise can't be distinguished from malicious ones.
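As an added illustration of the last principle, here is a small Python example that is not from the book or this post. It compares constructed privileged-activity log lines against constructed approved-change records and flags only the actions that no approved change explains; every hostname, account, ticket ID and log format in it is made up for the example.

```python
"""
Added example (not from the book or the original post): why change-management
oversight has to exist before SOC monitoring is useful.

Without a record of approved changes, every privileged administrative action
looks the same to a monitor. With one, the SOC can suppress actions that fall
inside an approved change window on the matching host and account, and
escalate only what is left. All hosts, accounts, tickets and the log format
below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed approved-change records, as a change advisory board might export them:
# (ticket, host, account, window start, window end)
APPROVED_CHANGES = [
    ("CHG-1001", "fw-edge-01", "svc_netops", "2013-07-09T22:00:00", "2013-07-09T23:30:00"),
    ("CHG-1002", "db-prod-02", "svc_dba",    "2013-07-10T01:00:00", "2013-07-10T03:00:00"),
]

# Constructed privileged-activity events in a simple pipe-delimited format:
# timestamp|host|account|action|detail
ADMIN_LOG = """\
2013-07-09T22:14:05|fw-edge-01|svc_netops|POLICY_CHANGE|rule 17 modified
2013-07-09T22:16:40|fw-edge-01|svc_netops|POLICY_COMMIT|policy pushed
2013-07-10T02:05:11|db-prod-02|svc_dba|SCHEMA_CHANGE|ALTER TABLE accounts
2013-07-10T02:40:00|db-prod-02|jsmith|ACCOUNT_CREATE|new login 'svc_backup2'
2013-07-10T04:12:33|fw-edge-01|svc_netops|POLICY_CHANGE|rule 3 disabled
"""


@dataclass
class Finding:
    ts: datetime
    host: str
    account: str
    action: str
    detail: str
    ticket: Optional[str]  # None means no approved change explains this action


def parse_iso(s: str) -> datetime:
    return datetime.fromisoformat(s)


def approving_ticket(ts: datetime, host: str, account: str, changes=APPROVED_CHANGES) -> Optional[str]:
    """Return the ticket whose window, host and account all cover this event, else None."""
    for ticket, c_host, c_acct, start, end in changes:
        if host == c_host and account == c_acct and parse_iso(start) <= ts <= parse_iso(end):
            return ticket
    return None


def triage(log: str = ADMIN_LOG, changes=APPROVED_CHANGES) -> List[Finding]:
    """Parse each admin event and attach the approved change that explains it, if any."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, account, action, detail = line.split("|", 4)
        t = parse_iso(ts)
        findings.append(Finding(t, host, account, action, detail, approving_ticket(t, host, account, changes)))
    return findings


def unexplained(findings: List[Finding]) -> List[Finding]:
    """The residue the SOC actually has to investigate."""
    return [f for f in findings if f.ticket is None]


if __name__ == "__main__":
    for f in triage():
        status = f"approved under {f.ticket}" if f.ticket else "NOT covered by an approved change"
        print(f"{f.ts.isoformat()} {f.host} {f.account} {f.action}: {status}")
```

Of the five constructed events, two are left for an analyst: the account creation by a user who is not the approved account for that change, and a firewall rule change hours after the approved window closed. Run the same log with an empty change list and all five come back unexplained, which is the position a SOC is in when monitoring starts before change management exists.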

Well it isn't perfect but I think it is a good start.

It would be nice to have some feedback and suggestions for additional content.

If anyone buys the new version, let me know if the tables are gone and the new appendices are in :)

Matthew Hackling B.Sc. (Security) CISSP
Ronin Security Consulting Pty Ltd
ACN 138 311 681
"At Your Service"

Monday, December 10, 2012

A little update

Well, since I started regularly blogging for CSO Australia magazine,
my personal blog hasn't had many updates!

Well a little update:

- I started writing a book on security operations that I hope to
electronically publish via amazon and or apple.

- working as a security architect full time at an institution

- my start ups and are parked pending
some breakthroughs in time management

- doing a little work with Enex TestLab when I should be sleeping,
eating mostly with state and federal government

Wednesday, February 15, 2012

Infosec bucket list

Just once I'd like to hear with my own ears or see with my own eyes the
following, and then I'll die a happy "security purist":

-A CISO who is more than a sacrificial lamb. To qualify their tenure
must be of a serious duration and have survived a major security
incident or made quantifiable material risk reduction.

-An executive who thinks strategically about IT risk and doesn't "knee
jerk" after an incident or do the minimum to "cover their proverbial"

- a security solution that is well maintained and configured in line
with its documented and approved configuration

- a project manager who will delay a milestone to ensure that a
security governance requirement is adequately met.

What things would you like to tick off on your infosec bucket list?

Wednesday, February 8, 2012

Dear Telstra your mobile data performance is rubbish

Hi Telstra,

Since you won't accept an email I have created this blog post to submit this link via your web form on your website.

The mobile data tower in the Melbourne CBD is intermittent in its performance, I sometimes experience garbled voice calls and often have no mobile data coverage.

Please find attached evidence of GPS location and network performance. I get exponentially better performance at my home, results not included below for privacy purposes.

Date             ConnType  Lat         Lon         Download  Upload  Latency  ServerName
8/02/2012 15:03  Cell      -37.816157  144.957394  402       884     180      Melbourne
8/02/2012 14:44  Cell      -37.815999  144.952952  1608      957     82       Melbourne
8/02/2012 14:31  Cell      -37.816224  144.958403  583       801     228      Melbourne
13/12/2011 13:02 Cell      -37.816224  144.961198  4797      237     207      Melbourne
25/11/2011 13:56 Cell      -37.81611   144.959405  844       999     105      Melbourne
24/11/2011 11:16 Cell      -37.816381  144.958401  407       106     118      Melbourne
22/11/2011 14:11 Cell      -37.816366  144.959105  170       54      163      Melbourne
1/08/2011 12:55  Cell      -37.817752  144.957122  235       2       187      Melbourne

(The InternalIp and ExternalIp columns from the export are not included.)

Wednesday, November 30, 2011

AISA Revolution!

Well it's been a couple of weeks since the AISA annual conference in Sydney and I've just about caught up from the day off!

I just really wanted to post an account of the conference as it truly was a red letter day for the Australian Information Security Association.

I've been to a few annual seminar days held in Sydney, usually hosted at one of the banks, and spoken at one in Melbourne (as one of my last duties as outgoing branch executive), and this was the best!

Let's just go through some key points why it was so awesome:

- Sydney conference center

- delegates from Melbourne, Sydney and Brisbane.

- 650 plus people registered (and it looked like they all turned up)

- 30 plus exhibitors

- two international speakers (Bruce Schneier and Marcus Ranum)

- CIO of one of the largest banks in Australia speaking

- CSO of Cisco speaking

- FREE yes FREE to AISA Members (membership is $55 per year)

I put a few faces to names at the coffee cart by suggesting a tweet up. I quickly realised how tall @caseyjohnellis is in real life and what a cool accent @VS_ has.

I ran into Marcus Ranum at the coffee cart line and Bruce Schneier on the floor. I have to admit to being a little star struck!

I really enjoyed the presentation from John N Stewart, Cisco's CSO. I really thought it was a useful presentation with lessons learnt. I was really dreading this one, as I thought it would be very "producty", where it was actually the most pragmatic of the day!

Marcus Ranum's presentation went right off on a tangent! The less free-thinking in the audience were probably all like "What is this guy on about? Is he trying to encourage us to start a revolution and commit criminal damage and computer crime?". I really took his presentation as a challenge to us security professionals to think like a "misguided hacktivist" and consider how our organisations could be "pranked" and subjected to "economic denial of service" by protestors motivated by an organisational policy they disagree with.

AISA really is kicking a few goals at the moment, in my humble opinion. Some examples below:

-new website (finally)

-ongoing focus group meetings so you can talk to other security professionals in your area of expertise

- 1600 members

- AISA is providing submissions to the Australian Government on their "Cyber Whitepaper" on behalf of Australian information security professionals

- AISA is policing members for non-compliance with the code of conduct.

Monday, October 3, 2011

It's been a while

Well here's a little update from me:

- I have written a product review which was printed and a few online
articles for IDG's publication CSO magazine. I'm now a regular blogger
on that site too. Do I qualify for a press pass? Hmm all readers
please report in on events I can "cover" especially those with
delicious snacks :) CSO seems to be taking off, much more so than my
little venture

- I've been thinking a bit about creating an open source security
operations maturity framework project inspired by OWASP OPENSAMM
project. Just need to find an organisation to help me champion it.
Something like this would really help to illustrate where on the
security journey an organisation is and where they would like to go. I
have thought of ISC2, AISA and the ISF but maybe it is SANS?

- my little business is developing, I've delivered a few successful
engagements and now I even have a glossy brochure.

Friday, September 2, 2011

There's nothing new under the sun....some nostalgia from matt

Back in the day my mother was a sysop of a CDC PLATO system. In 1973 it had all of the following, on an old-school green screen/orange plasma display:

touch screen
instant messaging
chat room
screen sharing
bulletin board/news groups
flight simulator
3D multi-player games

and..... wait for it...


I used to dial up to it at the university on a 300 baud modem and play games with uni students. They would make jokes that would go way over my head; I must have been about eight years of age or so!

  • Plasma display, circa 1964, by Donald Bitzer for PLATO IV
  • Touchscreen, circa 1964, by Donald Bitzer for PLATO IV
  • Answer Judging Machinery, ?date?, a set of about 25 commands in TUTOR that made it easy to test a student's understanding of a complex concept.
  • Show Display Mode, 1975, a graphics application generator for TUTOR software, precursor to Apple's QuickDraw picture language editor.
  • Charset Editor, an early precursor to MacPaint for drawing bitmapped pictures stored in downloadable fonts.
  • Monitor Mode on PLATO, 1974, used by instructors to help students, precursor of Timbuktu screen-sharing software.
  • Pad and a few months later, system-defined Notesfiles, 1973, the first general-purpose computer message board, and precursor to Unix Newsgroups, Digital DECnotes and Lotus Notes.
  • Talkomatic, 1974, a 6-person real-time chat room (text-based), precursor to Instant Messaging Conferences.
  • Term-Talk, 1973, precursor to instant messaging.
  • Gooch Synthetic Woodwind, circa 1972, A music device for the terminal, precursor to sound cards and MIDI.
  • Airfight, 1974, a 3-D flight simulator written for PLATO by Brand Fortner; this probably inspired UIUC student Bruce Artwick to start subLOGIC which was acquired and later became Microsoft Flight Simulator.
  • Empire, circa 1974, a 30 person multi-player inter-terminal 2-D real-time space simulation.
  • Spasim, circa 1974, a 32-player first-person 3D space battle game
  • Pedit5, circa 1974, likely the first graphical dungeon computer game.
  • dnd, 1974–1975, a dungeon crawl game that included the first video game boss.
  • Panther, circa 1975 by John Haefeli, a 3-D tank simulation and forerunner of Atari's Battlezone game.
  • Build-Up, 1975 by Bruce Wallace, based on a story by J. G. Ballard, the first PLATO 3-D walkthru maze game. The maze itself was also 3-D, having holes in the floor and ceiling.
  • Think15, circa 1977, 2-D outdoor wilderness quest simulation, like Trek with monsters, trees, treasures.
  • Avatar, circa 1978, a 2.5-D graphical Multi-User Dungeon (MUD), a precursor to EverQuest.
  • Freecell, 1979 by Paul Alfille, which probably spawned the Windows version.
  • Mahjong solitaire, 1981 by Brodie Lockard, popularised in 1986 by Activision as Shanghai.
  • Emoticons, by 1973
