DK 'Log

Just a short post in order to wish everybody a happy 2010. 2009 has been an awesome year for OSSIM and 2010 promises to be even better; hope it's been as this for all of you too. Will be updating on that after holidays.

As said, happy new year! :-)

School year is starting again and so were I feeling too after coming back from the beach :-). Relax time is over tho and there's a lot of exciting stuff going on around AlienVault/OSSIM.

First of all I'd like to mention our new look&feel. After releasing 2.1 we decided the web should be undergoing a long-needed revamp, so here it is. As you may have noticed too, we unified the looks of the original ossim.net site and integrated it into the community section, very much like MySQL does (was inspired on them actually).

Another important addition is the new Roadmap. Now that we're becoming a serious project with a serious company behind, we've got to take care of things like these which we might have neglected in the past.
You'll see that the next major release, 2.2, is scheduled for the 15th of February 2010. We're already working on the items planned for that, and I wanted to share a quick screenshot of what will be the unified report for hosts and networks. Basically you'll be able to right click on any host anywhere on the system and get out a quick overview of anything that the system knows about it. Here are two quick screenshots (work in progress ofc):

Anyway, this is just one of the many improvements there will be, so stay tuned...

Now comes the shameless plug. As part of the website redesign we also started to launch the online courses and training at elearning.alienvault.com. Right now there are only two courses available, the "OSSIM Essentials" and "Build your own plugin" ones. If this initiative succeeds we'll continue to invest into it and prepare all the others, which in the end should cover all the material covered by the presential courses.
Prices are really cheap for promotion, 50 euro for around 3 or 4 hours worth of training, and although I'm biased I think they really do a good job in introducing OSSIM to those who're new to it, even if they're lacking deep computer or security skills.
So, if yuou're interested or know someone who could be, please give it a try. It's worth the money, we put a ton of work into it and it will help support your favourite SIM *grin*.

And here ends the plug and the post. I'm working right now on a plugin wizard which I'll be talking about soon. Once finished it will raise the amount of plugins available for OSSIM by around 2000 ;-)

Hello all,

we're looking for somebody to assist us in the elaboration of documentation around OSSIM, it's components and Open Source Security in general. We require strong knowledge both in English written skills as well as experience on OSSIM. We are willing to pay on a per-work basis up to 3000 or 4000 . a month, with an option to get a permanent contract if the initial work is satisfying.

I don't want to sound harsh, but the two aforementioned requirements are a must and a strong filter. The english has to be perfect (much better than mine of course :-) ) and knowledge of OSSIM has to be deep, based on interest and/or experience already present before reading this job offering. I mean, even if your english is perfect don't try to download OSSIM, check out a couple of things and apply, or if you know lots and lots about OSSIM don't start with an intensive english course.

If you're interested we'd like you to send in a sample of your work along with a curriculum vitae. We don't care about your nationality or where you are located. the payment will remain the same of course. The sample we're asking for would be to document the current alarm section (Incidents->Alarms). Think about a user that's new to OSSIM, clicks on the help in order to see what that alarm panel means and gets to that document you've written. The desired document format would be pdf, although when documentation gets live some sort of wiki is going to be used. Remember, there are three things that should excel in this sample:

• We should raise our eyebrows in awe at your english written skills.
• We should be impressed by the deep knowledge of OSSIM that we can see in those words.
• On the other hand, this is no technical document, it should be clear for a new OSSIM user with little or no previous SIEM experience.

Please send this sample to "jcasal" and "dk", both at the alienvault.com domain. If you include "OSSIM Documentation Writer" in the subject you'll ensure it will reach us asap :-).

Good luck!

If you haven't played Little BiG Planet before I must say it's an incredible fun, original and refreshing game to play. A bit short tho but it's supposed to benefit from community content, which I haven't tested.
Warning: don't read any further if you're under 18 (or was it 21?) and/or don't have much of a sense of humour.

This morning while walking back to my seat I had a look at how our poor Elmo ended after the whole financial crisis staff, and he resembled a bit of the sackman in LBP. Here's a pic of him:

There's a whole bunch of addons we've unlocked for him, ranging from the AntiSwineFluMask to the beach sandals, his flags denoting various political and sexual orientations, his lupanar flyer or his RJ45 directly into the brain.

See you at the webinar this thursady ;-)

Just before vacation we're going to do another webinar in order to introduce our recently released version 2.1. It's very similar to the previous two we've done, so if you've already attended I'd suggest skipping this one (we're going to vary the content often) but for those who've missed it: meet you the 30th :-)

The story starts as following. A couple of years ago Dr. Anton Chuvakin (for those who might not know him a well renowned security professional and speaker) made a prediction for 2006: that a Credible Open-Source SIM would not arrive.

A year later he said this goal hasn't been reached (as predicted). I remember being quite pissed off and upset at that time, but his point was right. Development had been slow, we didn't have resources and everything was a bit stalled. But that has changed and AlienVault is about two years old now, we made a huge step forward and I think OSSIM is nowadays more than S/MB as well as Enteprise ready. (And sadly our resources are still very limited compared of those which Arcsight, Symantec or others might have).

Yesterday I followed a couple of quick twitter exchanges where I'd like to quote the most significant ones:

• I agree but S/M of SMB probably won't have the capabilities to run something like OSSIM and it's not robust enough for Ent.
• @anton_chuvakin mind you, I simply asked if OSSIM had the potential, not that it was there yet... as always, I wonder, isn't there a better way?
• @falconsview Re: opn src #SIEM Well, show me a sizable deployment (and not one hand-built by its creators) and I will believe you.
• @anton_chuvakin Will you change your mind about opensource SIEM if I get you access to a sizable deployment not created by it's authors ? :P
• @dkarg Re: open src #SIEM Yes, I probably will.

So, there it is, Andrew Hay (another renowned security expert) and Anton say that:

1. OSSIM is not a SIEM.
2. OSSIM is too difficult for S/MB and not reliable enough for the Enterprise

So what do I need? I for myself have received news/feedback of pretty big OSSIM installations and have had my hands on another bunch of them. Ranging from 100 person Real Estate companies to >40000pc governmnet environments with distributed deployments and thousands of events per second (this last one using the COSS version of course). But, the point as mentioned by Anton is that we don't have our hands in it, the testimonial has to come from someone who's got a deployment running not managed by us. Both S/MB as well as large enterprise deployments are valid since there are two points to prove. I'd really like to hear from a large company which is supposedly using Splunk+OSSIM, can't say the name but that would be a good example :-).

So, if any of you reading this is in that situation please let Mr. Chuvakin and Mr. Hay know about it so they hopefully can change their minds on the subject. There's contact information on their respective homepages. Otherwise I'll have to eat my words and admit that OSSIM is no Open Source SIEM (like in The Matrix, "there's no spoon").

Thanks in advance for any help :-)

PS: BTW, we did a first run of the webinar yesterday, thanks everybody for assisting and apologies for the, well, mishappenings. I got quite nervous, next demo will be better.

Edit 2009/06/20: Fixed a misunderstanding on who predicted what, see the comments.

I got talked into speaking at a webinar next week (well, we've got another one this week but it's already crowded so I'm only posting next weeks link. And since this week's is my first webinar ever the second one should be better anyway), namely about Open Source Information Security: Reduce Costs while Improving Security Profile & Compliance. That's it, nice and short name as I like and love them.

I don't know how it work out, guess it shouldn't be very boring and registration is free so if you want to join in you're more than welcome. Additionally you get something called CPE credits for attending (sounds like experience points ;-)).
Here is an excerpt from the description:

A friend of mine is preparing a speech at a security conference this summer around OSSIM. He asked if I could get some feedback, case-studies or anything that could backup and enrichen his speech, this is what this post is for :-).

So please, should you have anything (wether it's good or bad, happy or sad) to say around OSSIM (or should you know about anybody how does) which you would like to share write to feedback@ (created the alias so I wouldn't miss anything, feedback is very important to us).

Anything from "I use OSSIM" to complete papers is welcome, tho in order to avoid confusions I'd please ask to include these couple of lines at the beginning of the mail:

Name (leave empty for anonymous):
Company (leave empty for anonymous or substitute for "english university" or "canadian oil platform" or similar):
Is it ok to tell/foward this?: yes/no (if the answer is 'no' then no one but me will know about this :P)
Is it ok to publish this on ossim.net/alienvault.com?: yes/no

Here again for copy & paste:

Name:
Company:
Ok to tell/forward?:
Ok to publish on ossim.net/alienvault.com?:

I'm happy to announce the availability of the next beta, AV Installer beta6. (md5: 21204ecf2949a1d9ac9838b3c694b72d.

Again, thanks a ton to everybody testing the betas and reporting bugs / improvements, with your help this is already the best release that's been published ever for OSSIM.

The betatesting process is reaching the point where we're going to freeze code and just fix bugs. OpenVAS is now fully integrated and running like a charm, the compliance framework runs out of te box for ISO27001 (install beta6, "apt-get install ossim-compliance" and go to reports->reporting server), many new directives have been added and old ones fixed. A quick warning: OpenVAS takes ages to start the first time, if it looks like it hangs during init don't worry, after maybe 5 or 10 minutes it will get through.

Next steps will be to ensure everything is working, get a new dashboard for PCI and ISO2700[12] compliance, integrate the SEM part (without signing) into the public server, put the new policy interface in place and double check distributed architecture scripts. After this release the final version, throw a party and get a couple of weeks off ;-)

I hope you enjoy this beta.

I wanted to share this news entry with everybody visiting this site. This has very little to do with OSSIM or AlienVault and of course this is my own opinion, not necessarily shared by them.

A week ago I had read a sad sentence convicting those who're running the Pirate Bay torrent tracking site. Now I'm pleased to see that not everybody has sold their soul to what's "supposed to be politcally correct": Telenor, the norwegian ISP hosting the pirate bay have told the copyright lawyers to shove their demands where Long John Silver couldn't see 'em even with his good eye and a very long spyglass.

My sincere admiration (both to TPB admins and Telenor), I'm pre-ordering my support t-shirt right now :-)

More information here.