Monday, December 18, 2006

Practicing What I Preach

Imagine for a moment that you worked for an employer who didn't do regular backups of their important data. As a security pro, the idea of regular backups is a central part of a good information protection strategy. If you're like me, you'd probably never agree that a lack of backups was a good long-term strategy for a business. That's just obvious.

Now stop imagining, and ask yourself whether or not you're following your own advice: are you backing up your personal data just as diligently as you protect your employer's?

I asked myself that same question last week, and the answer was, "no." I'm sure most of my readers are in the same boat, so consider this my Christmas present to you: a recommendation for a cheap, easy way to back up your personal data. (Sorry, it's Windows only, since that's most of what I run at home.)

It turns out that there are a lot of players in this area, many of which are targeted at the individual home user as well as at the small business. This is a pretty good roundup of several services. After doing a bit of reading, I decided to give one of them a try.

I chose Mozy, partly for its price ($4.95/month for unlimited storage), partly for its ease of use (set it and forget it), but mainly because it is the only one I saw that would allow me both to encrypt my backups and to set my own encryption key that is not stored by the company itself. The key is only available on my own PC, and as their warning dialog says, I'm "hosed" if I ever forget it. Still, it means that it's very unlikely that anyone but myself will ever be able to recover my files from the company's backup servers.

My initial experiences so far have been quite positive. Setup was dead simple, and although it's going to take quite a while to upload that first massive 52GB bolus, block-level incremental backups should help keep the volume down after that. I've tried some sample restores from the Web, and they've worked out well. For an additional fee, Mozy will even FedEx me a set of restore DVDs if I need to do a full recovery and don't want to wait for a giant download. About the only thing I don't like is that Mozy won't back up the simple NAS box I just bought, but I guess I can live with that.
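As an added illustration (not Mozy's code, and not from the original post) of the two properties described above, a user-held key the provider never stores and block-level incremental upload, here is a small client-side simulation. It assumes a 4 KiB block size and uses an HMAC-SHA256 counter-mode keystream purely to show the idea; the real client's cipher and block size are not stated on this page.

```python
import hashlib
import hmac
import os

BLOCK = 4096  # assumed block size for this example; not a documented Mozy value


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # The key is derived on the client from the user's passphrase and never
    # uploaded; lose the passphrase and nothing on the server is recoverable.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)


def crypt_block(key: bytes, index: int, data: bytes) -> bytes:
    # Illustrative XOR keystream (HMAC-SHA256 in counter mode, unique per block
    # index). Encrypt and decrypt are the same operation.
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        nonce = index.to_bytes(8, "big") + ctr.to_bytes(8, "big")
        ks = hmac.new(key, nonce, "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[ctr * 32:(ctr + 1) * 32], ks))
    return bytes(out)


def incremental_backup(key: bytes, data: bytes, manifest: dict) -> tuple:
    """Return (blocks_to_upload, new_manifest).

    Only blocks whose keyed hash differs from the previous manifest are
    re-encrypted and sent, which is what keeps later backups small."""
    uploads, new_manifest = {}, {}
    for n, i in enumerate(range(0, len(data), BLOCK)):
        blk = data[i:i + BLOCK]
        new_manifest[n] = hmac.new(key, blk, "sha256").hexdigest()
        if manifest.get(n) != new_manifest[n]:
            uploads[n] = crypt_block(key, n, blk)
    return uploads, new_manifest


def demo() -> tuple:
    salt = os.urandom(16)
    key = derive_key("correct horse battery staple", salt)
    data = bytes(range(256)) * 80                      # constructed 20 KiB file = 5 blocks
    first, manifest = incremental_backup(key, data, {})  # initial full upload
    edited = data[:BLOCK * 2] + b"X" + data[BLOCK * 2 + 1:]  # touch one byte in block 2
    second, _ = incremental_backup(key, edited, manifest)    # incremental upload
    restored_ok = crypt_block(key, 2, second[2]) == edited[BLOCK * 2:BLOCK * 3]
    wrong_key = derive_key("wrong passphrase", salt)
    wrong_ok = crypt_block(wrong_key, 2, second[2]) == edited[BLOCK * 2:BLOCK * 3]
    return len(first), len(second), restored_ok, wrong_ok
```

The first run ships all five blocks, the second ships only the one changed block, and only the original passphrase restores it.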

New Year's Day is fast approaching, and setting up a good personal backup system would make a great resolution. You can try many of these systems for free (including Mozy) and choose which you like best. Then you can party all night, secure in the knowledge that all those boozy, embarrassing digital photos from the office party will be safe from "accidental" deletion.

PS. If you do decide to try Mozy, you'll get 2GB of storage for free. For an extra bonus, you can click through this link and get an extra 256MB. I've already paid for the full Mozy subscription, so I'm not getting any referral bonus, but I thought I'd post it anyway. Who couldn't use an extra 256MB of space?

Update 2007-01-02 08:43: Just for your reference, it took me about 12 days to complete the first full backup. It actually came out to about 62GB, as I added some more files to be backed up even before the initial set finished. I also installed Mozy on my wife's computer, so I was doing two backups over a single connection for about 5 days.

All in all, everything has worked well so far. The biggest problem I've had was that the servers tend to disconnect the backup session during large (multi-gigabyte) transfers. This isn't a serious problem, because the clients will simply restart the backup again in a little while, but I'm sure it slowed things down a lot. I don't see this much now that I've completed my initial backup, though. Things seem to be going quite smoothly, and I'm still very pleased with the service.

Thursday, December 14, 2006

Sguil vs. BASE

This afternoon, someone asked me how I would categorize the differences between Sguil and BASE. I started with the standard response: "BASE is an alert browser, but Sguil encourages a more structured approach."

By the end of my reply, though, I found myself thinking about how to express this in a different way, something that emphasized the functionality of the two systems.

Here's what I came up with, excerpted from my own private email reply:

You can think of the process of intrusion analysis as formulating and then trying to answer a series of questions. For example, one series might be:

  1. Was this an actual attack?
  2. If so, was the attack successful?
  3. What other systems may also have been attacked?
  4. What activities did the intruder try to carry out?
  5. What other resources were they able to gain access to?
  6. How should we contain, eradicate and recover from the intrusion?

In this sequence, BASE does a great job of answering question #1. It may also have certain information about #3, but it probably wouldn't supply enough information to give good answers to questions #2, #4 or #5. By correlating the additional information sources, Sguil is often able to come up with very good answers to each of the first five questions. Of course, the more information you have at your disposal, the easier it will be to answer the most important question, #6.


Of course, I'd be very interested to hear from any BASE users who would like to either confirm or dispute my analysis. If that's you, leave a comment!