You are currently browsing the monthly archive for November 2009.

In a bit of fun and interesting timing it turns out I’ll be going to flocon in New Orleans this January.

Since I’ve spent the past 2-3 years doing business risk and security architecture, national sector level strategy, policy, etc….but now find myself getting into the technical details of building a CERT (ICS-CERT, specifically)…it’s suddenly time to get more up to speed on flows and how people are using them these days (Especially since I’d previously spent most of my time with firewalls and IDS data and not netflow / SiLK stuff).

My work on and release of pkviz this past weekend has helped a bit to get me re-focused on data analysis and playing with correlation tools and methodologies, but I’m still finding it odd going back to my earlier technology-centric security role  – which I’d thought I’d given up.  My head space has to be completely different than it was and I have to work around what some have called my fatalistic belief that technical security measures and analysis are doomed to fail in the face of our complete lack of interest in doing business risk architectures.

What scares me a little, though, is when I’ve been talking to people and doing research lately, it seems the state of the art of IDS, Flows, SEMS, SIEMS, network data analysis, etc. hasn’t changed all that much in the past few years. More vendors have sold more products, but they still do the same (questionable) things it seems. What gives? Am I off base?

Still, I’m pretty excited to get back into this type of thing and about the con. Who’s going to be there?


Whew. I can relax.

For the past 2-3 months, I’ve been working on my first real Objective-C project (my iphone app is still going, it just took a back seat to this): An application that will read tcpdump output and animate the packets over time using their inherent byte / packet structure

And now…it’s up and in beta-ish quality. (Meaning it works, though some error checking and minor features arent quite where I want them.)

You can download it here for free:

See it in motion here:

This project was important to me and has been a long time coming. I’ve wanted to write a packet visualizer since I first started working with data viz 5 or so years ago at NetSec and was using Advizor. That tool cost thousands of dollars per seat, didnt really animate (at least the way I needed), and only parsed CSV or databases. The free tools – like GnuPlot, just weren’t up to the task at all.

I also wanted something that could plot out data in interesting, pretty ways for some art projects I have in mind.

So, I originally started this time around on a quest to write a short python parser for tcpdump ascii hex output to put into <some generic viz tool> just to get started…but somehow I ended up writing a full-fledged visualizer (my first GUI project ever, I might add!). The learning process was a blast – I feel like I’m a much better coder for it – and I’ll be able to extend/expand on this to use for other art and security projects that are on my plate or are coming up.

I’m pretty excited about it. To see this finished through after years of whining to myself about it, procrastinating, and genuinely not having enough time, is pretty awesome. I’ve even already created a couple of cool shots that I’m happy to call “art” (granted, there is some photoshop processing here, but they’re both true to their originals!):

Anyway, Mac Users, check out the tool and let me know what you think!

So I was sitting in a critical infrastructure cyber security talk earlier this week and had a small revelation.  The talk itself wasn’t all that interesting – it was another attempt to collect and identify consensus best practices for critical infrastructure security from a governance point of view – but it still led me down a path that surprised me.

The authors of the paper being presented had done interviews and other research and derived a number of principles required for critical infrastructure cyber security governance based on what they commonly heard over and over. At the talk, we had break-out sessions where they were pinging us for our thoughts on their findings.  During the session, I realized that I’d heard it all before (obviously, right? It’s a consensus paper) and was wondering why we couldn’t get past the stale “wisdom” repeated ad nauseam without effect…when it hit me: the use of their paper might be directly opposite of what they might think it is, but it’s still useful!

The thought process is as follows:

  1. Assumption: We all “agree” that cybersecurity for critical infrastructure is insufficient and we’re missing something.
  2. Assumption: The paper represented the community opinion, to date, on what needs to happen for good cyber security
  3. People are trying to improve security, but despite sporadic improvements, we haven’t made nearly as much progress as we think we should. Something is missing.

Conclusion: Whatever it is we need to do …..isn’t in that paper.  If we collect a series of best practices and community consensus on a topic where we generally consider ourselves to have failed, collecting that consensus should be used – instead of as a driver of activity – a hint at what won’t, by itself, get us where we need to be. The lists should be considered things to exclude as solutions to our unidentified sticking points, but the solutions themselves.

Follow me on Twitter

My Art / Misc. Photo Stream