Incite 10/23/2013: What goes up…

Every so often I realize how spoiled I am. Sure, I am more aware of my good fortune than many, but I definitely take way too much stuff for granted. My health is good. I do what I like (most days). My family still seems to like me. I provide enough to live a pretty good lifestyle. It’s all good. I don’t have much to complain about.

The fact that one of my biggest problems is that my favorite NFL teams are a combined 3-10 is a good thing, right? You get spoiled when your favorite teams are competitive at the end of the season and usually make the playoffs. New England fans know what I mean. So do Pittsburgh and Baltimore fans. When the team doesn’t perform up to expectations (like this year’s Falcons), it’s jarring. You dream of Super Bowl fairies in August, then lose half your starting team to injuries, and by October you are making alternative plans for Divisional weekend.

So when the NY football Giants got their first win on Monday night, I heaved a major sigh of relief. Having watched a bunch of their games, I had legitimate concerns that they wouldn’t win a game all season. Seeing them beat up hapless Minnesota didn’t really allay my fears too much. The G-men aren’t a very good football team right now, and face a significant rebuild over the next few years.

Oh well, that’s the way it goes in the NFL. In baseball and basketball, the soft salary cap just means owners have to pay a tax to buy a competitive team. And that’s what some owners do year in and year out. But that’s not an option in the NFL. The cap is the cap, and that means tough decisions are made. Great players are let go. And what goes up for a little while (usually on the shoulders of a franchise QB) inevitably comes down. Parity is great, until your team is on the wrong side. It will be interesting to see how teams with younger QBs – like the 49ers, Seahawks, Redskins, and Colts – manage their salary caps once their QBs start getting $20MM a year and eating up 15-20% of the cap. These teams can stock up now on expensive players while their QBs are cheap, but won’t be able to in 2-3 years. They will need to make tough decisions. What goes up, eventually comes down. At least in the NFL.

Then there are teams that don’t seem to ever come up. Jacksonville hasn’t been competitive for a decade. Detroit has been to the playoffs once in like 20 years. St. Louis is in the same boat. And I won’t even mention Cleveland. These long-suffering fans should be applauded for showing up and being passionate, even where there isn’t much to cheer about.

So I’ll keep the faith. I know all NFL teams have off years, and my teams do things the right way to produce winning seasons more often than losing ones. I’ll let go of the Super Bowl fairy this year, and I’ll be able to enjoy the rest of the season with reasonable expectations. Which is probably how I should be treating each new season anyway. Nah, forget that. Without chasing the Super Bowl fairy, what fun is it?

–Mike

Photo credit: “IZ NOT AKKCIDENT” originally uploaded by Aaron Muszalski

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

  • Security Awareness Training Evolution
      • Quick Wins
      • Focus on Great Content
      • Why Bother?
  • Defending Against Application Denial of Service
      • Introduction

Newly Published Papers

  • Firewall Management Essentials
  • Continuous Security Monitoring
  • API Gateways
  • Threat Intelligence for Ecosystem Risk Management
  • Dealing with Database Denial of Service
  • Identity and Access Management for Cloud Services
  • The 2014 Endpoint Security Buyer’s Guide
  • The CISO’s Guide to Advanced Attackers

Incite 4 U

  • If business users don’t care… We are screwed as an industry. Daniel Miessler works through a thought experiment, wondering what would happen if business users realized that getting hacked doesn’t necessarily affect company value. Wouldn’t it be logical from a shareholder perspective to minimize security spend and maximize profit? To be clear, lots of organizations already do this, but I doubt it is a conscious decision not to be secure. Daniel evaluates Apple, Adobe, and the granddaddy of high-profile breaches, TJX – and finds no negative impact from those breaches. Awesome, but we already knew that in a recession people choose cheap underwear over security. It is an interesting concept, and over the long term I believe the impact of breaches is far overblown. But what about in the short term? I’m not sure market value is the best determinant of short-term value – it’s a long-term metric. Instead I would rather try to understand the impact on short-term revenue. Do customers defer deals or reduce spending in the immediate aftermath of a breach? That would be a much more interesting analysis. And I guess we should say a few thank-yous to China and compliance, which are still the engines driving security. – MR
  • Techno two-fer: I have taken to calling big data the new normal for databases. One architectural theme I see over and over again for security analysis is the two-headed cluster: Hadoop for analytics and Cassandra/Splunk/Mongo for fast references or lookup. Consider this today’s take on normalization and correlation. Rajat Jain has a very good illustration of this concept with Lambda Architecture for batch data, which balances fast lookup against historic views of data. A batch layer – often Hadoop – computes views on your data as it comes in, and a second parallel high-speed processing layer – in this case Storm – constantly processes the most recent data in near-real-time. This enables the system to

Read Post
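The batch/speed split from the "Techno two-fer" item, reduced to an in-memory sketch that counts failed logins per source. This is an added example, not code from the post or from Rajat Jain's illustration: plain Python lists and Counters stand in for the Hadoop batch layer and the Storm speed layer, and the events and IP addresses are constructed sample data. The point it shows is the serving-layer merge and why a batch recompute lets the speed view be discarded without double counting.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthEvent:
    ts: int        # constructed epoch seconds
    src_ip: str
    success: bool


@dataclass
class LambdaStore:
    master: list = field(default_factory=list)            # append-only master dataset
    batch_view: Counter = field(default_factory=Counter)  # historic failures (Hadoop role)
    speed_view: Counter = field(default_factory=Counter)  # recent failures (Storm role)
    watermark: int = 0                                    # last ts the batch view covers

    def ingest(self, ev: AuthEvent) -> None:
        # Every event lands in the master dataset and is folded into the speed view
        # at once, so it is queryable before the next batch run.
        self.master.append(ev)
        if not ev.success:
            self.speed_view[ev.src_ip] += 1

    def run_batch(self, up_to: int) -> None:
        # Periodic recompute from scratch over the master dataset. Once the batch view
        # covers an event, the speed view drops it, so nothing is counted twice.
        failed = [e for e in self.master if not e.success]
        self.batch_view = Counter(e.src_ip for e in failed if e.ts <= up_to)
        self.speed_view = Counter(e.src_ip for e in failed if e.ts > up_to)
        self.watermark = up_to

    def failed_logins(self, src_ip: str) -> int:
        # Serving layer: historic batch answer plus the real-time increment.
        return self.batch_view[src_ip] + self.speed_view[src_ip]


EVENTS = [  # constructed sample: repeated failures from one source
    AuthEvent(100, "10.0.0.5", False), AuthEvent(101, "10.0.0.5", False),
    AuthEvent(102, "10.0.0.9", True), AuthEvent(103, "10.0.0.5", False),
]


def demo() -> tuple:
    store = LambdaStore()
    for ev in EVENTS[:2]:
        store.ingest(ev)
    before = store.failed_logins("10.0.0.5")   # served from the speed view only
    store.run_batch(up_to=101)                  # batch catches up; speed view drained
    for ev in EVENTS[2:]:
        store.ingest(ev)
    return before, store.failed_logins("10.0.0.5"), store.speed_view["10.0.0.5"]
```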

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.