Tuesday, April 21, 2015

RSA Conference Guide 2015 Deep Dives: Network Security

By Mike Rothman

We had a little trouble coming up with a novel and pithy backdrop for what you will see in the Network Security space at RSAC 2015. We wonder if this year we will see the first IoT firewall, because hacking thermostats and refrigerators has made threat models go bonkers. The truth is that most customers are trying to figure out what to do with the new next-generation devices they already bought. We shouldn’t wonder why the new emperor looks a lot like the old emperor, when we dress our new ruler (NGFW) up in clothes (rules) that look so similar to our old-school port- and protocol-based rulesets.

But the fact is there will be some shiny stuff at this year’s conference, largely focused on detection. This is a very productive and positive trend—for years we have been calling for a budget shift away from ineffective prevention technologies to detecting and investigating attacks. We see organizations with mature security programs making this shift, but far too many others continue to buy the marketing hyperbole, “of course you can block it.” Given that no one really knows what ‘it’ is, we have a hard time understanding how we can make real progress in blocking more stuff in the coming year.

Which means you need to respond faster and better. Huh, where have we heard that before?

Giving up on Prevention…

Talking to many practitioners over the past year I felt like I was seeing a capitulation of sorts. There is finally widespread acknowledgement that it is hard to reliably prevent attacks. And we are not just talking about space alien attacks coming from a hacking UFO. It’s hard enough for most organizations to deal with Metasploit.

Of course we are not going all Jericho on you, advocating giving up on prevention on the network. Can you hear the sigh of relief from all the QSAs? Especially the ones feeling pressure to push full isolation of protected data (as opposed to segmentation) during assessments. Most of those organizations cannot even manage one network, so let’s have them manage multiple isolated environments. That will work out just great.

There will still be a lot of the same old same old—you still need a firewall and IPS to enforce both positive (access control) and negative (attack) policies on your perimeter. You just need to be realistic about what they can block—even shiny NGFW models. Remember that network security devices are not just for blocking attacks. We still believe segmentation is your friend—you will continue to deploy those boxes, both to keep the QSAs happy and to make sure that critical data is separated from not-so-critical data.

And you will also hear all about malware sandboxes at the RSAC this year. Again. Everyone has a sandbox—just ask them. Except some don’t call them sandboxes. I guess they are discriminating against kids who like sand in today’s distinctly un-politically-correct world. They might be called malware detonation devices or services. That sounds shinier, no? But if you want to troll the reps on the show floor (and who doesn’t?), get them to debate an on-premise approach versus a cloud-based approach to detonation. It doesn’t really matter what side of the fence they are on, but it’s fun seeing them get all red in the face when you challenge them.

Finally, you may hear some lips flapping about data center firewalls. Basically just really fast segmentation devices. If they try to convince you they can detect attacks on a 40gbps data center network, and flash their hot-off-the-presses NSS Lab results, ask what happens when they turn on more than 5 rules at a time. If they bother you, say you plan to run SSL on your internal networks and the device needs to inspect all traffic. But make sure an EMT is close by, as that strategy has been known to cause aneurysms in sales reps.

To Focus on Detection…

So if many organizations have given up trying to block all attacks, what the hell are they supposed to do? Spend tons of money on more appliances to detect attacks they missed at the perimeter, of course. And the security industrial complex keeps chugging along. You will see a lot of focus on network-based threat detection at the show. We ourselves are guilty of fanning the flames a bit with our new research on that topic.

The fact is, the technology is moving forward. Analyzing network traffic patterns, profiling and baselining normal communications, and then looking for stuff that’s not normal gives you a much better chance of finding compromised devices on your networks. Before your new product schematics wind up in some nondescript building in Shanghai, Chechnya, Moscow, or Tel Aviv. What’s new is the base of analysis possible with today’s better analytics. Booth personnel will bandy about terms like “big data” and “machine learning” like they understand what they even mean. But honestly baselines aren’t based only on NetFlow records or DNS queries any more—they can now incorporate very granular metadata from network traffic including identity, content, frequency of communication, and various other attributes that get math folks all hot and bothered.

The real issue is making sure these detection devices can work with your existing gear and aren’t just a flash in the pan, about to be integrated as features in your perimeter security gateway. Okay, we would be pulling your leg if we said any aspect of detection won’t eventually become an integrated feature of other network security gear. That’s just the way it goes. But if you really need to figure out what’s happening on your network, visit these vendors on the floor.

While Consolidating Functions…

What hasn’t changed is that big organizations think they need separate devices for all their key functions. Or has it? Is best of breed (finally) dead? Well, not exactly, but it has more to do with politics than technology. Pretty much all the network security players have technologies that allow authorized traffic and block attacks. Back when category names mattered, those functions were called firewalls and IPS respectively. But wait—now everything is a next-generation firewall, right? But it does a lot more than a firewall. It also detonates malware (or integrates with a cloud service that does). And it looks for command-and-control traffic patterns. All within one or many boxes, leveraging a single policy, right?

But that’s a firewall. Just ask Gartner. Sigh. And no, we won’t troll you any more by calling it an Enterprise UTM, for old time’s sake.

Product categories aside, regardless of whether a network security vendor started as a firewall player or with IPS (or both, thanks to the magic of acquisitions), they are all attacking the same real estate: what we call the network security gateway. The real question is: how can you get there? So on the show floor focus on migration. You know you want to enforce both access control and attack policies on the device. You probably want to look for malware on ingress, and C&C indicators on egress. And you don’t want to wrestle with 10 different management interfaces. Challenge the SEs in the booths (you know, the folks who know what they are doing) to sketch out how they’d solve your problem on a piece of paper. Of course they’ll be wrong, but it should be fun to see what they come up with on the fly.

And Looking for Automation…

Another hot topic in network security will be automation. Because managing hundreds of firewalls is a pain in the ass. Actually, managing hundreds of any kind of complicated technology causes ulcers. So a bunch of new startups will be in the Innovation Sandbox detonating malware. No, not that kind of sandbox. ISB is RSAC’s showcase for new companies and technologies, where they will happily show you how to use an alert from your SIEM or a bad IP address from your threat intelligence provider to make changes automagically on your firewalls. They have spent a bunch of time making sure they support vintage 2007 edge routers and lots of other devices to make sure they have you covered.

But all the same, you have been flummoxed by spending 60 percent of your time opening ports for those pesky developers who cannot seem to understand that port 443 is a legitimate port, and they don’t need a special port. Automating some of those rote functions can free you up to do more important and strategic things. As long as the sales rep in the booth isn’t named John Connor, everything should be fine.

[Image: automate the network]

In the Cloud…

Even though you focus on network security, don’t think you can escape the cloud hype monster at RSAC. No chance. All the vendors will be talking about how their fancy 7-layer inspection technology is now available as a virtual machine. Of course unless they are old (like us), they won’t remember that network security appliances happened because granular inspection and policy enforcement in software did not scale. Details, we know. You are allowed to laugh when they position software-based network security as new and innovative.

They also don’t understand that inserting inspection points and bottlenecks in a cloud environment (public, private, or hybrid) breaks the whole cloud computing model. And they won’t even be paying lip service to SDN (Software Defined Networks) for the most part. SDN is currently a bit like voodoo for security people. So we guess avoidance is the best strategy at this point. Sigh, again.

The booth staff will faithfully stick to the talking points marketing gave them about how it’s the same, but just in the cloud… Smile politely and then come to our Pragmatic SecDevOps lab session, where we will tell you how to really automate and protect those cloud-based thingies that are popping up everywhere like Tribbles.

—Mike Rothman

Monday, April 20, 2015

RSA Conference Guide 2015 Deep Dives: Application Security

By Mike Rothman

Coming Soon to an Application Near You: DevOps

For several years you have been hearing the wonders of Agile development, and how it has done wondrous things for software development companies. Agile development isn’t a product – it is a process change, a new way for developers to communicate and work together. It’s effective enough to attract almost every firm we speak with away from traditional waterfall development. Now there is another major change on the horizon, called DevOps. Like Agile it is mostly a process change. Unlike Agile it is more operationally focused, relying heavily on tools and automation for success. That means not just your developers will be Agile – your IT and security teams will be, too!

The reason DevOps is important at RSA Conference – the reason you will hear a lot about it – is that it offers a very clear and positive effect on security. Perhaps for the first time, we can automate many security requirements – embedding them into the daily development, QA, and operational tasks we already perform. DevOps typically goes hand in hand with continuous integration and continuous deployment. For software development teams this means code changes go from idea to development to live production in hours rather than months. Sure, users are annoyed the customer portal never works the same way twice, but IT can deliver new code faster than sales and marketing wanted it, which is itself something of a miracle. Deployment speed makes a leap in the right direction, but the new pipeline provides an even more important foundation for embedding security automation into processes. It’s still early, but you will see the first security tools which have been reworked for DevOps at this year’s RSA conference.

I Can Hardly Contain Myself

Containers. They’re cool. They’re hot. They… wait, what are they exactly? The new developer buzzword is Docker – the name of both the company and the product – which provides a tidy container for applications and all the associated stuff an application needs to do its job. The beauty of this approach comes from hiding much of the complexity around configuration, supporting libraries, OS support, and the like – all nicely abstracted away from users within the container. In the same way we use abstract concepts like ‘compute’ and ‘storage’ as simple quantities with cloud service providers, a Docker container is an abstract run-anywhere unit of ‘application’. Plug it in wherever you want and run it. Most of the promise of virtualization, without most of the overhead or cost.

Sure, some old-school developers think it’s the same “write once, crash anywhere” concept Java did so well with 20 years ago, and of course security pros fear containers as the 21st-century Trojan Horse. But containers do offer some security advantages: they wrap accepted versions of software up with secure configuration settings, and narrowly define how to interact with the container – all of which reduces the dreaded application “threat surface”. You are even likely to find a couple vendors who now deploy a version of their security appliance as a Docker container for virtualized or cloud environments.

[Image: docker makes me look fat]

All Your Code-base Belong to Us

As cloud services continue to advance, outsourced security services are getting better, faster, and cheaper than your existing on-premise solution. Last year we saw this at the RSA Conference with anti-malware and security analytics. This year we will see it again with application development. We have already seen general adoption of the cloud for quality assurance testing; now we see services which validate open source bundles, API-driven patching, cloud-based source code scanning, and more dynamic application scanning services. For many the idea of letting anyone outside your company look at your code – much less upload it to a multi-tenant cloud server – is insane. But lower costs have a way of changing opinions, and the automated, API-driven cloud model fits very well with the direction development teams are pulling.

—Mike Rothman

RSA Conference Guide 2015 Deep Dives: Data Security

By Mike Rothman

Data security is the toughest coverage area to write up this year. It reminds us of those bad apocalypse films, where everyone runs around building DIY tanks and improvising explosives to “save the children,” before driving off to battle the undead hordes—leaving the kids with a couple spoons, some dirt, and a can of corned beef hash.

We have long argued for information-centric security—protecting data needs to be an equal or higher priority than defending infrastructure itself. Thanks to a succession of major breaches and a country or two treating our corporate intellectual property like a Metallica song during Napster’s heyday, CEOs and Directors now get it: data security matters. It not only matters—it permeates everything we do across the practice of security (except for DDoS).

But that also means data security appears in every section in this year’s RSAC Guide. But it doesn’t mean anyone has the slightest clue of how to stop the hemorrhaging.

Anyone Have a Bigger Hammer?

From secret-stealing APTs, to credit-card-munching cybercrime syndicates, our most immediate response is… more network and endpoint security.

That’s right—the biggest trends in data security are network and endpoint security. Better firewalls, sandboxes, endpoint whitelisting, and all the other stuff in those two buckets. When a company gets breached the first step (after hiring an incident response firm to quote in the press release, saying this was a “sophisticated attack”) is to double down on new anti-malware and analytics.

It makes sense. That’s how the bad guys most frequently get in. But it also misses the point.

Years ago we wrote up something called the “Data Breach Triangle.” A breach requires three things: an exploit (a way in), something to steal (data), and an egress (a way out). Take away any side of that triangle, and no breach. But stopping the exploit is probably the hardest, most expensive side to crack—especially because we have spent the last thirty years working on it… unsuccessfully.

The vast majority of data security you’ll see at this conference, from presentations to the show floor, will be more of the same stuff we have always seen, but newer and shinier. As if throwing more money at the same failed solutions will really solve the problem. Look—you need network and endpoint security, but doubling down doesn’t seem to be changing the odds. Perhaps a little diversification is in order.

The Cloud Ate My Babies

Data security is still one of the top two concerns we run into when working with clients on cloud projects—the other is compliance. Vendors are listening, so you will see no shortage of banners and barkers offering to protect your data in the cloud.

Which is weird, because if you pick a decent cloud provider the odds are that your data is far safer with them than in your self-managed data center. Why? Economics. Cloud providers know they can easily lose vast numbers of customers if they are breached. The startups aren’t always there, but the established providers really don’t mess around—they devote far more budget and effort to protecting customer data than nearly any enterprise we have worked with.

Really, how many of you require dual authorization to access any data? Exclusively through a monitored portal, with all activity completely audited and two-factor authentication enforced? That’s table stakes for these guys.

Before investing in extra data security for the cloud, ask yourself what you are protecting it from. If the data is regulated you may need extra assurance and logging for compliance. Maybe you aren’t using a major provider. But for most data, in most situations, we bet you don’t need anything too extreme. If a cloud data protection solution mostly protects you from an administrator at your provider, you might want to just give them a fake number.

[Image: who else is going to protect the data]

BYOD NABD

One area trending down is the concern over data loss from portable devices. It is hard to justify spending money here when we can find almost no cases of material losses or public disclosures from someone using a properly-secured phone or tablet. Especially on iOS, which is so secure the FBI is begging Congress to force Apple to add a back door (we won’t make a joke here—we don’t want to get our editor fired).

You will still see it on the show floor, and maybe a few sessions (probably panels) where there’s a lot of FUD, but we mostly see this being wrapped up into Mobile Device Management and Cloud Security Gateways, and by the providers themselves. It’s still on the list—just not a priority.

Encrypt, Tokenize, or Die (well, look for another job)

Many organizations are beginning to realize they don’t need to encrypt every piece of data in data centers and at cloud providers, but there are still a couple massive categories where you’d better encrypt or you can kiss your job goodbye. Payment data, some PII, and some medical data demand belt and suspenders.

What’s fascinating is that we see encryption of this data being pushed up the stack into applications. Whether in the cloud or on-premise, there is increasing recognition that merely encrypting some hard drives won’t cut it. Organizations are increasingly encrypting or tokenizing at the point of collection. Tokenization is generally preferred for existing apps, and encryption for new ones.

Unless you are looking at payment networks, which use both.

You might actually see this more in sessions than on the show floor. While there are some new encryption and tokenization vendors, it is mostly the same names we have been working with for nearly 10 years. Because encryption is hard.

Don’t get hung up on different tokenization methods; the security and performance of the token vault itself matters more. Walk in with a list of your programming languages and architectural requirements, because each of these products has very different levels of support for integrating with your projects. The lack of a good SDK in the language you need, or a REST API, can set you back months.

Cloud Encryption Gets Funky

Want to use a cloud provider but still control your own encryption keys? Want your cloud provider to offer a complete encryption and key management service? Want to NSA-proof your cloud?

Done. Done. And sort of doable.

The biggest encryption news this year comes from the cloud providers themselves, and you will start seeing it all over the place. Box now lets you manage the encryption keys used by the platform. Amazon has two different customer-managed encryption options, one of them slowly being baked into every one of their services, and the other configurable in a way you can use to prevent government snooping. Even Microsoft is getting into the game with customer-managed keys for Azure (we hear).

None of this makes the independent encryption vendors happy. Especially the startups.

But it is good news for customers, and we expect to see this trend increase every year. It really doesn’t always make sense to try bolting encryption onto the outside of your cloud. Performance and fundamental application functionality become issues. If your provider can offer it while you retain control? Then you are golden.

—Mike Rothman

Sunday, April 19, 2015

RSA Conference Guide 2015 Deep Dives: Cloud Security

By Mike Rothman

Before delving into the world of cloud security we’d like to remind you of a little basic physics. Today’s lesson is on velocity vs. acceleration. Velocity is how fast you are going, and acceleration is how fast velocity increases. They affect our perceptions differently. No one thinks much of driving at 60mph. Ride a motorcycle at 60mph, or plunge down a ski slope at 50mph (not that uncommon), and you get a thrill.

But accelerate from 0mph to 60mph in 2.7 seconds in a sports car (yep, they do that), and you might need new underwear. That’s pretty much the cloud security situation right now.

Cloud computing is, still, the most disruptive force hitting all corners of IT, including security. It has pretty well become a force of nature at this point, and we still haven’t hit the peak. Don’t believe us? That’s cool—not believing in that truck barreling towards you is always a good way to ensure you make it into work tomorrow morning.

(Please don’t try that—we don’t want your family to sue us).

Clouds Everywhere

The most surprising cloud security phenomena are how far cloud computing has spread, and the increasing involvement of security teams… sort of. Last year we mentioned seeing ever more large organizations dipping their toes into cloud computing, and this year it’s hard to find any large organization without some active cloud projects. Including some with regulated data.

Companies that told us they wouldn’t use public cloud computing a year or two ago are now running multiple active projects. Not unapproved shadow IT, but honest-to-goodness sanctioned projects. Every one of these cloud consumers also tells us they are planning to move more and more to the cloud over time.

Typically these start as well-defined projects rather than move-everything initiatives. A bunch we are seeing involve either data analysis (where the cloud is perfect for bursty workloads) or new consumer-facing web projects. We call these “cloud native” projects because once the customer digs in, they design the architectures with the cloud in mind.

We also see some demand to move existing systems to the cloud, but frequently those are projects where the architecture isn’t going to change, so the customer won’t gain the full agility, resiliency, and economic benefits of cloud computing. We call these “cloud tourists” and consider these projects ripe for failure because all they typically end up doing is virtualizing already paid-for hardware, adding the complexity of remote management, and increasing operational costs to manage the cloud environment on top of still managing just as many servers and apps.

Not that we don’t like tourists. They spend a lot of money.

One big surprise is that we are seeing security teams engaging more deeply, quickly, and positively than in past years, when they sat still and watched the cloud rush past. There is definitely a skills gap, but we meet many more security pros who are quickly coming up to speed on cloud computing. The profession is moving past denial and anger, through bargaining (for budget, of course), deep into acceptance and…DevOps.

Perhaps we pushed that analogy. But the upshot is that this year we feel comfortable saying cloud security is becoming part of mainstream security. It’s the early edge, but the age of denial and willful ignorance is coming to a close.

Wherever You Go, There You Aren’t

Okay, you get it, the cloud is happening, security is engaging, and now it’s time for some good standards and checklists for us to keep the auditors happy and get those controls in place.

Wait, containers, what? Where did everybody go?

Not only is cloud adoption accelerating, but so is cloud technology. Encryption in the cloud too complex? That’s okay—Amazon just launched a simple and cheap key management service, fully integrated through their services. Nailed down your virtual server controls for VMWare? How well do those work with Docker? Okay, but with which networking stack? The one you picked for your Docker on AWS deployment uses a different management structure than your Docker on VMWare deployment.

Your security vendor finally offers their product as a virtual appliance? Great! How does it work in Microsoft Azure, now that you have moved to a PaaS model where you don’t control network flow? You finally got CloudTrail data into your SIEM? Nice job, but your primary competitor now offers live alerts on streaming API data via Lambda. Got those Chef and Puppet security templates set? Darn, the dev team switched everything to custom images and rollouts via autoscaling groups.

None of that makes sense? Too bad—those are all real issues from real organizations.

Everything is changing so quickly that even vendors trying to keep up are constantly dancing to fit new deployment and operations models. We are past the worst cloudwashing days, but we will still see companies on the floor struggling to talk about new technologies (especially containers); how they offer value over capabilities Amazon, Microsoft, and other major providers have added to their services, and why their products are still necessary with new architectural models.

The good news is that not everything lives on the bleeding edge. The bad news is that this rate of change won’t let up any time soon, and the bleeding edge seems to become early mainstream more quickly than it used to.

This theme is more about what you won’t see than what you will. SIEM vendors won’t be talking much about how they compete with a cloud-based ELK stack, encryption vendors will struggle to differentiate from Amazon’s Key Management Service, AV vendors sure won’t be talking about immutable servers, and network security vendors won’t really talk about the security value of their product in a properly designed cloud architecture.

On the upside not everyone lives on the leading edge. But if you attend the cloud security sessions, or talk to people actively engaged in cloud projects, you will likely see some really interesting, practical ways of managing security for cloud computing that don’t rely on ‘traditional’ approaches.

Bump in the Cloud

Last year we included a section on emerging SaaS security tools, and boy has that market taken off. We call them Cloud Security Gateways and Gartner calls them Cloud Access and Security Brokers (hint, you only get to have 3-letter acronyms for product categories, even if you’re Gartner, or a kitten dies).

There are at least a dozen vendors on the market now, and on the surface most of them look exactly the same. That’s because the market has a reasonably clear set of requirements, and there are only so many ways to message that target. You want products to find out what cloud stuff you are using, monitor the stuff you approve, block the stuff you don’t, and add security when your cloud provider doesn’t meet your needs.

There actually is a fair amount of differentiation between these products, but it is hard to see from the surface. Most if not all of these folks will be on the show floor, and if you manage security for a mid-size or large organization, they are worth a look. But, as always, have an idea of what you need before you go in. Discovery is table stakes for this market, but there are many possible directions to take after that. From DLP, to security analysis and alerts (such as detecting account takeovers), all the way up to encryption and tokenization (often a messy approach, but also likely your only option if you do not trust your cloud provider).

[Image: blue horseshoe loves the cloud]

One key question to ask is whether they integrate with cloud provider APIs (when available), and which. The alternative is to proxy all your traffic to the cloud, which is a really crappy way to solve the problem—but often the only option. Fortunately some cloud providers offer robust APIs that reduce or eliminate the need for a CSG (see what I did there?) to sniff the connection. If they say ‘yes’ then ask for specific examples.

You might see some other vendors pushing their abilities to kinda-sorta do the same thing as a CSG. Odds are you won’t be happy with their kludges, so if this is on your list, stick with folks whose houses are on the line if the product doesn’t actually work.

Calling Mr. Tufte

One thing you won’t see any shortage of is the same damn charts from every damn SIEM and analytics vendor. Seriously—we have been briefed by pretty much all of them, and they all look the same. Down to the color palette.

The upside is that they now include cloud data. Mostly just Amazon CloudTrail, because no other IaaS platform offers management plane data yet (rumor has it Microsoft is coming soon).

We understand there are only so many ways to visualize this data, but the vendors also seem to be struggling to explain how their cloud data and analytics are superior to competitors’. Pretty charts are great, but you look at these things to find actionable information—probably not because you enjoy staring at traffic graphs. Especially now that Amazon allows you to directly set security alerts and review activity in their own consoles.

Cloud Taylor Swift

You have probably noticed that we tend to focus on Amazon Web Services. That isn’t bias—simply a reflection of Amazon’s significant market dominance. After AWS we see a lot of Microsoft Azure, and then a steep drop-off after that.

The interesting trend is that we see much less demand for information on other providers. Demand has declined from previous years.

So don’t be surprised if vendors and sessions skew the same. Amazon really does have a big lead on everyone else, and only Microsoft (and maybe Google) is in the ballpark. That will show through in sessions and on the show floor.

DevOps, Automation, Blah, Blah, Blah

We hate to dump our favorite topics into a side note at the bottom of this section, but we already went long, and are covering those topics… in pretty much every other section of this Guide. DevOps and automation are as disruptive to process as cloud is to infrastructure and architecture.

It’s the future of our profession, folks—there is no shortage of things to talk about. Which you probably figured out 500 words ago, about when you stopped reading this drivel.

—Mike Rothman

RSA Conference Guide 2015 Deep Dives: Overview

By Mike Rothman

With lots of folks (including us) at the RSA Conference this week, we figured we’d post the deep dives we wrote for the RSAC Guide and give those of you not attending a taste of what you’re missing. Though we haven’t figured out how to relay the feel of the meat market at the W bar after 10 PM, the ear-deafening bass at any number of conference parties, or the sharp pain you feel in your gut after a night of being way too festive. We’re working on that for next year’s guide.

Overview

While everyone likes to talk about the “security market” or the “security industry,” in practice security is more a collection of markets, tools, and practices all competing for our time, attention, and dollars. Here at Securosis we have a massive coverage map (just for fun, which doesn’t say much now that you’ve experienced some of our sense of humor), which includes seven major focus areas (like network, endpoint, and data security), and dozens of different practice and product segments.

It’s always fun to whip out the picture when vendors are pitching us on why CISOs should spend money on their single-point defense widget instead of the hundreds of other things on the list, many of them mandated by auditors using standards that get updated once every decade or so.

In our next sections we dig into the seven major coverage areas and detail what you can expect to see, based in large part on what users and vendors have been talking to us about for the past year. You’ll notice there can be a bunch of overlap. Cloud and DevOps, for example, affect multiple coverage areas in different ways, and cloud is a coverage area all on its own.

When you walk into the conference, you are likely there for a reason. You already have some burning issues you want to figure out, or specific project needs. These sections will let you know what to expect, and what to look for.

The information is based in many cases on dozens of vendor briefings and discussions with security practitioners. We try to help illuminate what questions to ask, where to watch for snake oil, and what key criteria to focus on, based on successes and failures from your peers who tried it first.

—Mike Rothman

Friday, April 17, 2015

LAST CHANCE! Register for the Disaster Recovery Breakfast

By Mike Rothman

Holy crap! The RSA Conference starts on Monday. Which means… you don’t have much time left to register for the 7th annual Disaster Recovery Breakfast.*

Once again we have to provide a big shout out to our DRB partners, MSLGROUP, Kulesa Faul, and LEWIS PR. We’re expecting a crapton of folks to show up at the breakfast this year, and without their support there would be no breakfast for you.

As always, the breakfast will be Thursday morning 8-11 at Jillian’s in the Metreon. It’s an open door – come and leave as you want. We will have food, beverages, and assorted recovery items (non-prescription only) to ease your day.

See you there.

To help us estimate numbers, please RSVP to rsvp (at) securosis (dot) com.

*But don’t get nuts if you forget to RSVP – the bouncers will let you in… Right, there are no bouncers.

—Mike Rothman

Thursday, April 16, 2015

Presenting the 2015 RSA Conference Guide

By Mike Rothman

As you’ve seen over the past week, we’ve been reposting our RSAC Guide here. That’s because the RSA Conference folks allowed us to post it on their blog first. Yes, they are nuts, but we aren’t going to complain.

We also take all that raw content and format it into a snazzy PDF with a ton of meme goodness. So you can pop the guide onto your device and refer to it during the show. Without further ado, we are excited to present the entire RSA Conference Guide 2015 (PDF).

Just so you can get a taste of the memish awesomeness of the published RSAC Guide, check out this image. Plenty of folks are first finding out about Securosis through the RSAC blog. So we figured it would be good to provide some perspective on what we do and how we do it.

Pontification FTW.

And in case you want to check out the coverage area deep dives (which will go up on the Securosis blog next week), check out the RSAC blog posts:

—Mike Rothman

Wednesday, April 15, 2015

Incite 4/15/2015: Boom

By Mike Rothman

I’ve been on the road a bit lately, and noticed discussions keep working around to the general health of our industry. I’m not sure whether we’re good or just lucky, but we security folk find ourselves in the middle of a maelstrom of activity. And that will only accelerate over the next week, as many of us saddle up and head to San Francisco for the annual RSA Conference. We’ve been posting our RSA Conference Guide on the RSA Conference blog (are they nuts?) and tomorrow we’ll post our complete guide with all sorts of meme goodness.

The theme of this year’s Disaster Recovery Breakfast is be careful what you wish for. For years we have wanted more internal visibility for security efforts. We wanted to engage with senior management about why security is important. We wanted to get more funding and resources to deal with security issues. But now it’s happening. CISO types are being called into audit committee meetings and to address the full board (relatively) frequently. Budget is being freed up, shaken loose by the incessant drone of the breach of the day. We wanted the spotlight and now we have it. Oh crap.

And investors of all shapes and sizes want a piece of cybersecurity. We’ve been engaged in various due diligence efforts on behalf of investors looking at putting money to work in the sector. You see $100MM funding rounds for start-ups. WTF is that about? A friend told me his successful friends call him weekly asking to invest in security companies. It’s like when you get stock tips from a cabbie (or Uber driver), it’s probably time to sell. That’s what this feels like.

But security will remain a high-profile issue. There will be more breaches. There will be additional innovative attacks, probably hitting the wires next week, when there is a lot of focus on security. Just like at Black Hat last year. Things are great, right? The security juggernaut has left the dock and it’s steaming full speed ahead. So why does it feel weird? You know, unreal?

Part of it is the inevitable paranoia of doing security for a long time. When you are constantly trying to find the things that will kill you, it’s hard to step back and just appreciate good times. Another part is that I’ve lived through boom and bust cycles before. When you see low-revenue early-stage start-ups acquired for $200MM+ and raising $50MM+ funding rounds, you can’t help but think we are close to the top of the boom. The place to go from there is down. Been there, done that. I’m still writing off my investment tax losses from the Internet bubble (today is Tax Day in the US).

But you know what? What’s the use in worrying? I’m going to let it play out and do a distinctly atypical thing and actually enjoy the boom. I was too young and naive to realize how much fun the Internet boom was on the way up. I actually believed that was the new normal. Shame on me if I can’t enjoy it this time around.

I’ll be in SF next week with a huge smile on my face. I will see a lot of friends at RSAC. Rich, Adrian, and I will offer a cloud security automation learning lab and JJ and I will run a peer-to-peer session on mindfulness. I’ll have great conversations with clients and I’m sure I’ll fill the pipeline for the next couple months with interesting projects to work on. I’ll also do some damage to my liver. Because that’s what I do.

These halcyon days of security will end at some point. There is no beanstalk that grows to the sky. But I’m not going to worry about that now. I’ll ride through the bust, whenever it comes. We all will. Because we’re security people. We’ll be here when the carpetbaggers have moved on to the next hot sector promising untold riches and easy jobs. We’ll be here after the investors doing stupid deals wash out and wonder why they couldn’t make money on the 12th company entering the security analytics business. We’ll be here when the next compliance mandate comes and goes, just like every other mandate.

We’ll be here because security isn’t just a job. It’s a calling. And those who have been called ride through the booms and the busts. Today is just another day of being attacked by folks who want to steal your stuff.

–Mike

Photo credit: “Explosion de ballon Polyptyque” originally uploaded by Mickael


Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for? Check out the invite and then RSVP to rsvp (at) securosis.com, so we know how much food to get…


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Slap in the face: Part of the cellphone security model is locking and/or remotely wiping stolen cellphones. Allowing owners to control transfer of ownership makes stolen phones almost worthless, and should discourage phone theft. But a giant case of insider fraud at AT&T barely made news last week, because it was positioned in the press as just another data breach. The real story is that a handful of employees in foreign markets accessed customer accounts to allow the transfer and activation of stolen phones. What makes the story so painful is that the criminal organization which got its mules into AT&T profited, the US government got the cost of its investigation covered by the $25M fine, and AT&T enjoyed 500k or so new subscribers on stolen phones and a tax write-down on the fine. The slap is that people who had phones stolen get worthless “credit monitoring”, while FCC chair Tom Wheeler sprays perfume onto this steaming pile by claiming this is a victory for privacy – which implies the insiders actually stole personal information, rather than just transferring phone ownership. – AL

  2. Lay off my forensicators: In what appears to be another example of a company with too many lawyers, one company is sore another company hired a bunch of their people. MasterCard is suing Nike over former MC employees allegedly taking ‘proprietary’ network configurations to their new employer. But the hook in the suit is that some service providers were now working with Nike instead of MC. So apparently we are not in a free-market economy and service providers have become indentured servants to their clients. Bah. Too many damn lawyers. There has to be a better way to handle this. If they wanted to cut down employee churn, perhaps they could make it more interesting and attractive for employees to stick around. And there isn’t much you can do if an employee leaves, taking their multi-decade relationships with service providers. But when you have lawyers, evidently you need to lawyer up. – MR

  3. You’re the product: It’s not a question of whether your emails are tracked – Wired Magazine explains a browser tool to detect common email tracking elements, nicely illustrating that the only question is by whom and how many firms track each email you receive or send. It’s not uncommon to receive email with several trackers embedded – I get some with a half dozen. In some cases the trackers are added unbeknownst to the sender, instead tacked on by service providers. Most email providers earn money by tracking you, and every marketing manager running a ‘campaign’ demands to know not just who – but how – people are reading their precious content, so pretty much every email is tracked. Be it a browser or a dedicated mail tool, these email viewers don’t offer any insight into what’s being requested, by whom, or how much data they pull out. Of course not, because that might interfere with the ability to monetize you. The web pages you visit are far worse: even the Wired web page for that article serves fourteen trackers from sites you didn’t visit and which don’t serve the content you requested. They are solely to track what you do and how you do it, and that data is likely shared and resold yet again. The tools listed in this Wired article – such as UglyMail – lift just one veil obscuring the horrors underneath. If you really want to see – and control – what your email client and browsers transmit, get an outbound firewall to detect and filter. Remember, if you’re not paying, you’re the product. – AL

  4. Minority Security Report: One of the hot hot hot areas of security for 2015 is insider threat detection. These new security analytics tools look at a bunch of data and have means to determine when an employee is doing something that puts corporate data at risk. It turns out these technologies have been under development for a while for other use cases as well. For instance JP Morgan has a system that looks for signs that a trader is going to go rogue. Evidently they’ve profiled and found patterns that indicate an employee is going to do bad stuff. So they can then put the employee under watch. Is this a slippery slope? Yes and no. There is nothing wrong with monitoring an employee’s behavior if they show indicators of doing something bad for the organization. But how do you deal with false positives? And could the tools be used to curry favor for political purposes within the organization? I guess we should expect the equivalent of the Salem Witch Trials at some point. – MR

  5. Any time now: In 1999 I saw my first television ad proclaiming the amazing benefits of chip-based credit cards, and how they would protect customers and banks from fraud. It was the “Internet Age”, these cards looked Star Trek cool, and I wanted one. Too bad: My bank didn’t carry them. And even if they did, none of the merchants used the chip-based capabilities to counter card cloning. Fast forward to today, 16 frigging years later, and it’s still the same. My bank, sadly, still does not issue EMV-based credit cards. They do have a plan to roll them out, oh, sometime in 2016. So while I think it’s beyond pathetic that food retailers have asked for an extension on the EMV deadline – which shifts card fraud liability onto merchants who do not comply – I get it. It’s not just that they have been dragging their feet, but banks have been dragging as well. But honestly, the only way these cards can supplant magstripes in the US is for the card brands to not extend the deadline and to shift liability. When the financial incentive hits, we’ll see action. 16 years is enough warning. – AL

  6. Not a bad thing: Andreas Gal, Mozilla CTO, offers an interesting rant on limited access to Google search data available to other search engines. Over the last decade search engines have used user query data, more than crawling the Internet, to refine their own search results. Other search engines, ISPs, and telcos used to – ahem – collect user search data entered into Google and leverage that information. The crux of Andreas’ rant is that Google started encrypting its search strings, so only Google has access to user queries. But this is exactly what I want as a user – that the information I entrust to Google not be shared. I want them to encrypt it and keep it to themselves. Further, this is part of Google’s moat, born from early technical advantages and the “network effect” of providing a service people really like, which is a good thing which Google earned. It requires other firms to innovate to attract users – and to do something unique or better before they can assail Google’s moat. Plus, I think Andreas missed that the embedded search bars in browsers like Firefox offer users a feature they do take advantage of: easy switching between search engines when they don’t like the results from their default option. Only vendors see this as a turf war; users see the value in both privacy and different results from different search tools. – AL

—Mike Rothman

Friday, April 10, 2015

RSAC Guide 2015: P.Compliance.90X

By Adrian Lane

Compliance. It’s a principal driver for security spending, and vendors know this. That’s why each year compliance plays a major role in vendor messaging on the RSA show floor. A plethora of companies claiming to be “the leader in enterprise compliance products” all market the same basic message: “We protect you at all levels with a single, easy-to-use platform” and “Our enterprise-class capabilities ensure complete data security and compliance.” Right.

The single topic that best exemplifies our fitness meme is compliance. Most companies treat compliance as the end goal: you hold meetings, buy software, and generate reports, so you’re over the finish line, right? Not so much. The problem is that compliance is supposed to be like a motivational poster on the wall in the break room, encouraging you to do better – not the point itself. Buying compliance software is a little like that time you bought a Chuck Norris Total Gym for Christmas. You were psyched for fitness and harbored subconscious dreams it would turn you into a Chuck Norris badass. I mean, c’mon, it’s endorsed by Chuck Friggin’ Norris! But it sat in your bedroom unused, right next to the NordicTrack you bought a few years earlier. By March you hadn’t lost any weight, and come October the only thing it was good for was hanging your laundry on, so your significant other posted it on Craigslist.

The other side of the compliance game is the substitution of certifications and policy development for the real work of reducing risk. PCI-DSS certification suggests you care about security but does not mean you are secure – the same way chugging down 1,000-calorie fruit smoothies makes you look like you care about fitness but won’t get you healthy. Fitness requires a balance of diet and exercise over a long period; compliance requires hard work and consistent management towards the end goal over years. Your compliance requirements may hinge on security, privacy, fraud reduction or something else entirely, but success demands a huge amount of hard work.

So we chide vendors on their yearly claims about compliance-made-easy, and that the fastest way to get compliant is to buy this vendor’s class-leading product. But this year we think it will be a little more difficult for vendors, because there is a new sheriff in town. No, it’s not Chuck Norris, but a new set of buyers. As with every period of disruptive innovation, developers start to play a key role in deciding which facilities are appropriate for newer technology stacks. Big Data, Cloud, Mobile, and Analytics are owned by the fitness freaks who build these systems. Think of them as the leaner, meaner P90X fitness crowd, working their asses off and seeing the results of new technologies. They don’t invest in fancy stuff that cannot immediately show its worth: anything that cannot both help productivity and improve reliability isn’t worth their time. Most of the value statements generated by the vendor hype machine look like Olivia Newton-John’s workout gear to this crowd – sorely out of date and totally inappropriate. Still, we look forward to watching these two worlds collide on the show floor.

—Adrian Lane

Thursday, April 09, 2015

RSAC Guide 2015: IOWTF

By James Arlen

Have you heard a vendor tell you about their old product, which now protects the Internet of Things? No, it isn’t a pull-up bar, it’s an Iron Bar Crossfit (TM) Dominator!

You should be mentally prepared for the Official RSA Conference IoT Onslaught (TM). But when a vendor asks how you are protecting IoT, there’s really only one appropriate response:

“I do not think that means what you think it means.”

Not that there aren’t risks for Internet-connected devices. But we warned you this would hit the hype bandwagon, way back in 2013’s Securosis Guide to RSAC:

We are only at the earliest edge of the Internet of Things, a term applied to all the myriad of devices that infuse our lives with oft-unnoticed Internet connectivity. This won’t be a big deal this year, nor for a few years, but from a security standpoint we are talking about a collection of wireless, Internet-enabled devices that employees won’t even think about bringing everywhere. Most of these won’t have any material security concerns for enterprise IT. Seriously, who cares if someone can sniff out how many steps your employees take in a day (maybe your insurance underwriter). But some of these things, especially the ones with web servers or access to data, are likely to become a much bigger problem.

We’ve reached the point where IoT is the most under- or mis-defined term in common usage – among not just the media, but also IT people and random members of the public. Just as “cloud” spent a few years as “the Internet”, IoT will spend a few years as “anything you connect to the Internet”.

If we dig into the definitional deformation you will see on the show floor, IoT seems to be falling into two distinct classes of product: (a) commercial/industrial things that used to be part of the Industrial Control world like PLCs, HVAC controls, access management systems, building controls, occupancy sensors, etc.; and (b) products for the consumer market – either from established players (D-Link, Belkin, etc.) or complete unknowns who got their start on Kickstarter or Indiegogo.

There are real issues here, especially in areas like process control systems that predate “IoT” by about 50 years, but little evidence that most of these products are actually ready to address the issues, except for the ones which have long targeted those segments. As for the consumer side, like fitness bands? Security is risk management, and that is so low on their priority list that it is about as valuable as a detoxifying foot pad. We aren’t dismissing all consumer product risks, but worry about your web apps before your light bulbs.

At RSAC this year we will see ‘IoT-washing’ in the same way that we have seen ‘cloud-washing’ over the last few years – lots of mature technology being rebranded as IoT. What we won’t see is any meaningful response to consumer IoT infiltration in the business. This lack of meaningful response nicely illustrates the other kinds of change we still need in the field: security people who can think about and understand IPv6, LoPAN, BLE, non-standard ISM radios, and proprietary protocols. Sci-Fi writers have told us what IoT is going to look like – everything connected, all the time – so now we’d better get the learning done so we can be ready for the change that is already underway, and make meaningful risk decisions, not based on fear-mongering.

—James Arlen

Wednesday, April 08, 2015

RSAC Guide 2015: DevOpsX Games

By Rich

DevOps is one of the hottest trends in all of IT – sailing over every barrier in front of it like a boardercross racer catching big air on the last roller before the drop to the finish. (We’d translate that, but don’t want to make you feel too old and out of touch).

We here at Securosis are major fans of DevOps. We think it provides opportunities for security and resiliency our profession has long dreamed of. DevOps has been a major focus of our research, and even driven some of us back to writing code, because that’s really the only way to fully understand the implications.

But just because we like something doesn’t mean it won’t get distorted. Part of the problem comes from DevOps itself: there is no single definition (as with the closely related Agile development methodology), and it is as much a cultural approach as a collection of technical tools and techniques. The name alone conveys a sense of de-segregation of duties – the sort of thing that rings security alarm bells. We now see DevOps discussed and used in nearly every major enterprise and startup we talk with, to varying degrees.

DevOps is a bit like extreme sports. It pushes the envelope, creating incredible outcomes that seem nearly magical from the outside. But when it crashes and burns it happens faster than that ski jumper suffering the agony of defeat (for those who remember NBC’s Wide World of Sports… it’s on YouTube now – look it up, young’ns).

Extreme sports (if that term even applies anymore) are all about your ability to execute, just like DevOps. It’s about getting the job done better and faster to improve agility, resiliency, and economics. You can’t really fake your way through building a continuous deployment pipeline, any more than you can backflip a snowmobile (really, we can’t make this stuff up – YouTube, people). We believe DevOps isn’t merely trendy, it’s our future – but that doesn’t mean people who don’t fully understand it won’t try to ride the wave.

This year expect to see a lot more DevOps. Some will be good, like the DevOps.com pre-RSA day the Monday before the conference starts. And vendors updating products to integrate security assessment into that continuous deployment pipeline. But expect plenty of bad too, especially presentations on the ‘risks’ of DevOps that show the presenter doesn’t understand that DevOps doesn’t actually let developers modify production environments in violation of policy. As for the expo floor? We look forward to seeing that ourselves… and as with anything new, we expect to see plenty of banners proclaiming their antivirus is “DevOps ready”.

Posers.

—Rich

RSA Guide 2015: Get Bigger (Data) Now!!!

By Dave Lewis

This year at RSA we will no doubt see the return of Big Data to the show floor. This comes along with all the muscle confusion that it generates – not unlike Crossfit. Before you hoist me to the scaffolding or pummel me with your running shoes, let’s think about this. Other than the acolytes of this exercise regimen, who truly understands it? Say “Big Data” out loud. Does that hold any meaning for you, other than a shiny marketing buzzword and marketing imagery? It does? Excellent. If you say it three times out loud a project manager will appear, but sadly you will still need to fight for your budget.

Last year we leveraged the tired (nay, exhausted) analogy of sex in high school. Everyone talks about it but… yeah. You get the idea. Every large company out there today has a treasure trove of data available, but they have yet to truly gain any aerobic benefit from it. Certainly they are leveraging this information but who is approaching it in a coherent fashion? Surprisingly, quite a few folks. Projects such as the Centers for Disease Control’s data visualizations, Twitter’s “Topography of Tweets”, SETI’s search for aliens, and even Yelp’s hipster tracking map. They all leverage Big Data in new and interesting ways. Hmm, SETI and Yelp should probably compare notes on their data sets.

These are projects happening, often despite the best intentions of organizational IT security departments. Big Data is here, and security teams need to get their collective heads around the situation rather than hanging about doing kipping pull-ups. As security practitioners we need to find sane ways to tackle the security aspects of these projects, to help guard against inadvertent data leakage as they thrust forward with their walking lunges. One thing we recommend is a hike out on the show floor to visit some vendors you’ve never heard of. There will be a handful of vendors developing tools specifically to protect Big Data clusters, and some delivering tools to keep sensitive data out of Big Data pools. And your Garmin will record a couple thousand more steps in the process. Second, just as many Big Data platforms and features are built by the open source community, so are security tools. These will be under-represented at the show, but a quick Google search for Apache security tools will find more options.

Your internal security teams need to be aware of the issues with big data projects while striking a balance supporting business units. That will truly lead to muscle confusion for some. If you’re looking for the Big Data security purveyors, they will most likely be the ones on the show floor quietly licking wounds from their workout while pounding back energy drinks.

—Dave Lewis

Tuesday, April 07, 2015

RSAC Guide 2015: Key Theme: Security Bonk

By Mike Rothman

The Security Bonk

For better or worse, a bunch of the Securosis team have become endurance athletes. Probably more an indication of age impacting our explosiveness, and constant travel impacting our respective waistlines, than anything else. So we’re all too familiar with the concept of ‘bonking’: hitting the wall and capitulating. You may not give up, but you are just going through the motions.

Sound familiar to you security folks? It should. You get bonked over the head with hundreds or thousands of alerts every day. You can maybe deal with 5, and that’s a good day. So choosing the right 5 is the difference between being hacked today and tomorrow. This alert fatigue will be a key theme at RSA Conference 2015. You’ll see a lot of companies and sessions (wait, there are sessions at RSA?) talking about more actionable alerts. Or increasing the signal to noise ratio. Or some similarly trite and annoying terminology for prioritization.

These vendors come at the problem of prioritization from different perspectives. Some will highlight shiny new analytical techniques (time for the Big Data drinking game!) to help you figure out which attack represents the greatest risk. Others will talk about profiling your users and looking for anomalous behavior. Yet another group will focus on understanding the adversary and sharing information about them. All with the same goal: to help you optimize limited resources before you reach the point of security bonk.

To carry the sports analogy to the next step, you are like the general manager of a football team. You’ve got holes all over your roster (attack surface) and you need to stay within your salary cap (budget). You spend a bunch of money on tools and analytics to figure out how to allocate your resources, but success depends more on people and consistent process implementation. Unfortunately people are a major constraint, given the limited number of skilled resources available. You can get staffers through free agency (expensive experienced folks who generally want long-term deals) or draft and develop talent, which takes a long time.

And in two years, if your draft picks don’t pan out or your high-priced free agents decide to join a consulting firm, you get fired. Who said security wasn’t like life? Or the football life, anyway!

—Mike Rothman

RSAC Guide 2015: Key Theme: Change

By Jennifer Minella, Rich

Every year we like to start the RSA Guide with a review of major themes you will most likely see woven through presentations and marketing materials on the show floor. These themes are a bit like channel-surfing late-night TV – the words and images themselves illustrate our collective psychology more than any particular needs. It is easy to get excited about the latest diet supplement or workout DVD, and all too easy to be pulled along by the constant onslaught of finely-crafted messaging, but in the end what matters to you? What is the reality behind the theme? Which works? Is it low-carb, slow-carb, or all carb? Is it all nonsense designed to extract your limited financial resources? How can you extract the useful nuggets from the noise?

This year we went a little nutty, and decided to theme our coverage with a sports and fitness flavor. It seemed fitting, considering the growth of security – and the massive muscle behind the sports, diet, and fitness markets. This year Jennifer Minella leads off with our meta theme, which is also the conference theme: change.

–Rich

This year at RSA the vendors are 18% more engaged, solutions are 22% more secure, and a whopping 73% of products and solutions are new. Or are they? To the untrained eye the conference floor is filled with new and sensational technologies, ripe for consumption – cutting-edge alongside bleeding-edge – where the world comes to talk security. While those percentages may be fabricated horse puckey, the underlying message here is about our perception of – and influence over – real change.

“It’s like deja-vu, all over again,” as Yogi Berra once mused. Flipping through the conference guide, that will be the reaction of observers who have made their way by watching the ebbs and flows of our industry for years. The immediate recognition of companies acquired, products rebranded, and solutions washed in marketing to make them 84% shinier feeds a skeptical doubt that we are actually making progress through this growth we call ‘change’. So here is our Public Service Announcement: change is not necessarily improvement.

Change can be good, bad, or neutral, but for some reason our human brains crave it when we are at an impasse. When we hit a wall or bonk – when we are frustrated, confused, or just pissed off – we seek change. Not only seek, but force and abuse it. We wield change in unusual and unnatural ways because something that’s crappy in a new and different way is better than the current crappy we already have. At least with change there’s a chance for improvement, right? And there is something to be said for that. Coach John Wooden said “Failure is not fatal, but failure to change might be.” If we keep changing – if we keep taking more shots on goal – eventually we’ll score.

But are we changing the right things? Does reorganizing, rebranding, or reinventing the cloud or the IoT help in a meaningful way? Perhaps, but you are not simply at the mercy of change around you. You, too, can influence change. This year as you walk around the sessions, workshops, and booths at RSA, look for opportunities to change other things. Change your perspective, change your circle of influence, change your approach, or change your habits. Ask questions, meet new people, and consider the unimaginable. We guarantee at least 19% change with a 12% effort, 99% of the time.

by Jennifer Minella, Contributing Analyst

This article first appeared on the RSA Conference blog at http://www.rsaconference.com/blogs

Friday, April 03, 2015

Friday Summary: April 3, 2013: Getting back in

By Adrian Lane

Running. I started running when I was 9. I used to tag along to exercise class at the local community college with my mom, and they always finished the evening with a couple laps around the track. High school was track and cross country. College too. When my friends and I started to get really fast, there would be the occasional taunting of rent-a-cops, and much hilarity during the chase, usually ending in the pursuers crashing into a fence we had neatly hopped over. Through my work career, running was a staple, with fantastic benefits for both staying healthy and washing away workday stresses.

Various injuries and illness stopped that over the last few years, but recently I have been back at it. And it was … frigging awful and painful. Unused muscles and tendons screamed at me. But after a few weeks that went away. And then I started to enjoy the runs again. Now I find myself more buoyant during the day – better energy and just moving better. It’s a subtle thing, but being fit just makes you feel better in several ways, all throughout the day.

This has been true for several other activities of late — stuff I love to do, but for various reasons dropped. Target shooting is something I enjoy, but the restart was awful. You forget how critical it is to control your breathing. You forget the benefit of a quality load. You forget how the trigger pull feels and how to time the break. I grew up taking two or three fishing trips a year, but had pretty much stopped fishing for the last 10 years – lack of time, good local places to go, and people you wanted to go with. You forget how much fun you can have sitting around doing basically nothing. And you forget how much skill and patience good fishermen bring to the craft.

In this year of restarts, I think the one activity that surprised me most was coding. Our research has swung more and more into the security aspects of cloud, big data, and DevOps. But I can’t expect to fully understand them without going waist-deep to really use them. Like running, this restart was painful, but this was more like being punched in the mouth. I was terrible. I am good at learning new tools and languages and environments, and I expected a learning curve there. The really bad part is that much of what I used to do is now wrong. My old coding methods – setting up servers to be super-resilient, code re-use, aspects of object-oriented design, and just about everything having to do with old-school relational database design – need to get chucked out the window. I was not only developing slowly, but I found myself throwing code out and reworking to take advantage of new technologies. It would have been faster to learn Hadoop and Dynamo without my relational database background – I needed to start by unlearning decades of training. But after the painful initial foray, when I got a handle on ways to use these new tools, I began to feel more comfortable. I got productive. I started seeing the potential of the new technologies, and how I should really apply security. Then I got happy!

I’ve always been someone who just feels good when I produce something. But over and above that is something about the process of mastering new stuff and, despite taking some lumps, gaining confidence through understanding. Getting back in was painful but now it feels good, and is benefitting both my psyche and my research.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • In case you missed it, Dave Lewis, JJ, James Arlen, Rich, Mike, and Adrian posted some of our yearly RSA Conference preview on the RSAC Blog. We will post them and the remaining sections on the Securosis blog next week.
  • Mike on Endpoint Defense.

—Adrian Lane