Incite 1/23/2013: Sustainability
You know those overnight successes who toiled in the background for 10 years before they finally broke through? How did they get there? How did they work through the Dip to reach the other side? I am fascinated by organizations which have success year after year. They seem to take the long view, set up the foundation, and stay committed to the plan. Even when other folks push for (and get) faster results, opting for short-term fixes. These band-aids may provide a short-term pop, but rarely result in longer-term results. Sure that’s part of my rationalization for why the Falcons lost at the precipice of the Super Bowl. That they have built the organization the right way over the past 5 years, and will be back. You see those attributes in all the NFL organizations that seem to be competitive year after year. They work the plan. They build through the draft. They don’t react to a bad season or two. It’s unlikely Pittsburgh or the NY Giants will blow up their environment because they missed the playoffs this year. They have stability. And that stability leads to sustained success. By the way, it’s not just my football obsession that cause me to fixate on this. As Rich said, we had a good 2012. But my paranoid self (I am a security guy, after all) continues to look for our Achilles heel. One good year – hell, even two good years – doesn’t mean the foundation for sustainable success is there. And as you see with all our new linky posts, even when things are going well, we need to adapt and change based on market realities. As Deming so famously said, “It is not necessary to change. Survival is not mandatory.” So I spent a good deal of time over the holidays digging into our good year. Partly because I was curious, but mostly trying to determine whether our results are sustainable. The honest answer is that I don’t know. I know what we did from an activity standpoint and we are still doing that. But past success is no guarantee of future results. So I will keep looking for holes in the story. We all keep looking for holes. We’ll keep trying new things to see what works, and more importantly what doesn’t. But most of all, we will continue to grind. We may not achieve sustained success, but it won’t be due to lack of effort. That I can guarantee. –Mike Photo credits: Sustainable Food Poster originally uploaded by Steven-L-Johnson Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Understanding Identity Management for Cloud Services Integration The Solution Space Introduction Newly Published Papers Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments Pragmatic WAF Management: Giving Web Apps a Fighting Chance Incite 4 U The Hunt for Red October: Not that you had any doubts as to the sophistication of today’s attackers, but Kaspersky’s description of the Red October attack drives it home loudly and clearly. This is a multi-faceted effort undertaken over the past 5 years using sophisticated malware and tactics to infiltrate lots of places where information can be stolen and monetized. AlienVault worked with the Kaspersky folks to isolate the indicators of compromise (IoC) shown by Red October, and this is an example of Early Warning, but not early enough. You can now use the IoC information to see if you have devices already compromised. We will also see lots of hand wringing about who was behind the attacks. The stolen data is sensitive nation-state stuff, but that doesn’t mean nation-states are actually behind the attacks. Kaspersky says it’s Russian crime syndicates, adding a lot of news value to the research, but RSA says there isn’t enough information to draw a conclusion one way or the other. And at the end of the day, I’m not sure identifying the actor really makes a difference. It’s not like you can send them a cease and desist letter. – MR PCI drops pants, doesn’t care: Oh, PCI Standards Council, there you go again. The same people who claim, “no PCI compliant organization has ever been breached” apparently can’t even decide what their own standards are. Approved Scanning Vendors (ASVs) are the companies authorized to perform scans on Internet-facing applications. If you run so much as the smallest doggie donut web store, and you take credit cards, you need to be scanned. There’s an annual review process for ASVs, which costs $10K a shot, and according to Brett Hardin not only does everyone fail the first time, but the same report submitted twice under different letterhead gets graded differently. In the words of the grader, “Well, security and PCI-DSS aren’t exact sciences.” Uh huh, then how about some free passes? – RM Eyes on the prize: Every large retail firm I have spoken with has a VP or Director of Data Analytics. Macy’s foray into big data in the cloud is one example, and Target’s recent ‘success’ has been highlighted as well. Many other verticals have similar positions within marketing or IT. These people are popping up everywhere as data analysis becomes a core function of business. Make no mistake – big data is a huge trend and it is changing the way companies market and sell products. And assess risk. And evaluate investments. But every firm also has Identity and Access management, both for customers and employees. Ever hear about a VP of access and identity? Director? Me either. Every employee uses IAM every day, and it gates access to every electronic service. Think about that the next time you wonder where security ranks