Incite 12/9/2015: Looking Backwards
As a guy who pretty much always looks forward, I still find it useful at the end of each calendar year to look backwards and evaluate where I am in life and what (if anything) I want to focus on in the coming year. 2015 has been a very interesting year, both personally and professionally. I’m at an age where transformation happens, and that has been a real focus for me. I’ve spent a long time evaluating every aspect of my life and making changes, some small and some very significant. Trying to navigate those changes gracefully requires focus and effort. From a business perspective, it’s a pretty good time to be in the security industry. You have seen a slowdown in our blog activity over the past couple months because our business continues to evolve and we’ve been doing a lot more work out of the public eye. We’ve been called in to do a lot more strategic advisory, and we’re even starting to do security architecture work for some enterprise organizations, typically around cloud initiatives. We’re also increasingly being called into diligence efforts for companies considering acquisitions, and investors considering putting large sums of money to work in this space. These are pretty intense gigs and that usually means more external projects lag a bit. We also aren’t sure how long the good times will continue to roll, so we usually jump on diligence projects. Personally, suffice it to say things are substantially different for me, though I’m not going to go into detail at this point. Different is scary for most people, but I’ve always embraced change, so my challenge is more about having the patience to let the world around me adapt. My kids continue to amaze me with how they are growing into fantastic people, and this past year they’ve navigated new schools and additional workload with minimum drama and angst. You can’t entirely avoid drama and angst (not as a teenager anyway), but their Mom and I are proactive about making them aware of the drama. Physically I’m still working my program, running two half marathons and continuing my yoga practice. I’m making many new friends who provide different perspectives on life, and I’ve been able to fulfill a need for social activity I didn’t even know I had. As I look back at 2015, I realize that the signs of significant disruption were there both personally and professionally. It has been a long road, and I finally feel that my world is opening up and I’m moving toward my potential, away from my self-imposed limitations. I’m really excited for what’s next. All is see ahead is blue sky. As I wrap up the Incite next week, I’ll ruminate a little into what the path ahead looks like. –Mike Photo credit: “Emu (Dromaius novaehollandiae) looking backwards at Auckland Zoo” from Wikimedia Commons The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Dec 8 – 2015 Wrap Up and 2016 Non-Predictions Nov 16 – The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Building Security into DevOps The Role of Security in DevOps Tools and Testing in Detail Security Integration Points The Emergence of DevOps Introduction Building a Threat Intelligence Program Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security Securing Enterprise Applications Secure Agile Development The Future of Security Incite 4 U R marks the spot: NetworkWorld ran a great article examining how the Verizon Data Breach report folks use R to do the analysis and generate the charts in their widely read report. I personally haven’t played with statistical programs since I was in college, but there is an increasing need for math people (although we call them data scientists now) to perform the analysis to mine through all of that security data and figure out what’s going on. I tell many younger folks, who ask what they should focus on, to dust off their programming/scripting skills – security automation is coming. The other thing I now suggest is for the math-inclined to study a lot more statistics and get to know these kinds of tools. The future is here and it seems to require math (so says the writer). – MR Pre-owned: If you’re wondering how the credit card you just got two weeks ago already got popped, here is on possible answer. Samy Kamkar demonstrated that AmEx-based new card numbers are predictably generated from the previous numbers allowing crackers to guess the number of the next card they issue you. If you’re an application developer, this is why you need to be careful with sequence generators – they tend