Login  |  Register  |  Contact
Wednesday, August 26, 2015

Incite 8/26/2015: Epic Weekend

By Mike Rothman

Sometimes I have a weekend when I am just amazed. Amazed at the fun I had. Amazed at the connections I developed. And I’m aware enough to be overcome with gratitude for how fortunate I am. A few weekends ago I had one of those experiences. It was awesome.

It started on a Thursday. After a whirlwind trip to the West Coast to help a client out with a short-term situation (I was out there for 18 hours), I grabbed a drink with a friend of a friend. We ended up talking for 5 hours and closing down the bar/restaurant. At one point we had to order some food because they were about to close the kitchen. It’s so cool to make new friends and learn about interesting people with diverse experiences.

The following day I got a ton of work done and then took XX1 to the first Falcons pre-season game. Even though it was only a pre-season game it was great to be back in the Georgia Dome. But it was even better to get a few hours with my big girl. She’s almost 15 now and she’ll be driving soon enough (Crap!), so I know she’ll prioritize spending time with her friends in the near term, and then she’ll be off to chase her own windmills. So I make sure to savor every minute I get with her.

On Saturday I took the twins to Six Flags. We rode roller coasters. All. Day. 7 rides on 6 different coasters (we did the Superman ride twice). XX2 has always been fearless and willing to ride any coaster at any time. I don’t think I’ve seen her happier than when she was tall enough to ride a big coaster for the first time. What’s new is the Boy. In April I forced him onto a big coaster up in New Jersey. He wasn’t a fan. But something shifted over the summer, and now he’s the first one to run up and get in line. Nothing makes me happier than to hear him screaming out F-bombs as we careen down the first drop. That’s truly my happy place.

If that wasn’t enough, I had to be on the West Coast (again) Tuesday of the following week, so I burned some miles and hotel points for a little detour to Denver to catch both Foo Fighters shows. I had a lot of work to do, so the only socializing I did was in the pit at the shows (sorry Denver peeps). But the concerts were incredible, I had good seats, and it was a great experience.

in the pit

So my epic weekend was epic. And best of all, I was very conscious that not a lot of people get to do these kinds of things. I was so appreciative of where I am in life. That I have my health, my kids want spend time with me, and they enjoy doing the same things I do. The fact that I have a job that affords me the ability to travel and see very cool parts of the world is not lost on me either. I guess when I bust out a favorite saying of mine, “Abundance begins with gratitude,” I’m trying to live that every day.

I realize how lucky I am. And I do not take it for granted. Not for one second.

–Mike

Photo credit: In the pit picture by MSR, taken 8/17/2015


Thanks to everyone who contributed to my Team in Training run to support the battle against blood cancers. We’ve raised almost $6000 so far, which is incredible. I am overwhelmed with gratitude. You can read my story in a recent Incite, and then hopefully contribute (tax-deductible) whatever you can afford. Thank you.

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building a Threat Intelligence Program

EMV and the Changing Payment Space

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Can ‘em: If you want better software quality, fire your QA team – that’s what one of Forrester’s clients told Mike Gualtieri. That tracks to what we have been seeing from other firms, specifically when the QA team is mired in an old way of doing things and won’t work with developers to write test scripts and integrate them into the build process. This is one of the key points we learned earlier this year on the failure of documentation, where firms moving to Agile were failing as their QA teams insisted on hundreds of pages of specifications for how and what to test. That’s the opposite of Agile and no bueno! Steven Maguire hit on this topic back in January when he discussed documentation and communication making QA a major impediment in moving to more Agile – and more automated – testing processes. Software development is undergoing a radical transformation, with restful APIs, DevOps principles, and cloud & virtualization technologies enabling far greater agility and efficiency than ever before. And if you’re in IT or Operations, take note, because these disruptive changes will hit you as well. Upside the head. – AL

  2. Security technologies never really die… Sometimes you read an article and can’t tell if the writer is just trolling you. I got that distinct feeling reading Roger Grimes’ 10 security technologies destined for the dustbin. Some are pretty predictable (SSL being displaced by TLS, IPSec), which is to be expected. And obvious, like calling for AV scanners to go away, although claiming they will die in the wake of a whitelisting revolution is curious. Others are just wrong. He predicts the demise of firewalls because of an increasing amount of encrypted traffic. Uh, no. You’ll have to deal with the encrypted traffic, but access control on the network (which is what a firewall does) are here to stay. He says anti-spam will go away because high-assurance identities will allow us to blacklist spammers. Uh huh. Another good one is that you’ll no longer collect huge event logs. I don’t think his point is that you won’t collect any logs, but that vendors will make them more useful. What about compliance? And forensics? Those require more granular data collection. It’s interesting to read these thoughts, but if he bats .400 I’ll be surprised. – MR

  3. Don’t cross the streams In a recent post on Where do PCI-DSS and PII Intersect?, Infosec Institute makes a case for dealing with PII under the same set of controls used for PCI-DSS V3. We take a bit of a different approach: Decide whether you need the data, and if not use a surrogate like masking or tokenization – maybe even get rid of the data entirely. It’s hard to steal what you don’t have. Just because you’ve tokenized PAN data (CCs) does not mean you can do the same with PII – it depends on how the data is used. Including PII in PAN data reports is likely to confuse auditors and make things more complicated. And if you’re using encryption or dynamic masking, it will take work to apply it to different data sets. The good news is that if you are required to comply with PCI-DSS, you have likely already invested in security products and staff with experience in dealing with sensitive data. You need to figure out how to handle data security, understanding that what you do for PII will likely differ from what you do in-scope PCI data because the use cases are different. – AL

  4. Applying DevOps to Security Our pal Andrew Storms offers a good selection of ideas on how to take lessons learned in DevOps and apply them to security on the ITProPortal. His points about getting everyone on board and working in iterations hit home. Those are prominent topics as we work with clients to secure their newfangled continuous deployment environments. He also has a good list of principles we should be following anyway, such as encrypting everything (where feasible), planning for failure, and automating everything. These new development and operational models are going to take root sooner rather than later. If you want a head start on where your career is going, start reading stuff like this now. – MR

—Mike Rothman

Wednesday, August 12, 2015

Incite 8/12/2015: Transitions

By Mike Rothman

The depths of summer heat in Atlanta can only mean one thing: the start of the school year. The first day of school is always the second Monday in August, so after a week of frenetic activity to get the kids ready, and a day’s diversion for some Six Flags roller coaster goodness, the kids started the next leg of their educational journey.

XX1 started high school, which is pretty surreal for me. I remember her birth like it was yesterday, but her world has got quite a bit bigger. She spent the summer exploring the Western US and is now in a much bigger school. Of course her world will continue to get bigger with each new step. It will expand like a galaxy if she lets it.

The twins also had a big change of scene, starting middle school. So they were all fired up about getting lockers for the first time. A big part of preparing them was to make sure XX2’s locker was decorated and that the Boy had an appropriately boyish locker shelf. The pink one we had left over from XX1 was no bueno. Dark purple shelves did the trick.

Ever expanding

Their first day started a bit bumpy for the twins, with some confusion about the bus schedule – much to our chagrin, when we headed out to meet the bus, it was driving right past. So we loaded them into the car and drove them on the first day. But all’s well that ends well, and after a couple days they are settling in.

As they transition from one environment to the next, the critical thing is to move forward understanding that there will be discomfort. It’s not like they have a choice about going to the next school. Georgia kind of mandates that. But as they leave the nest to build their own lives they’ll have choices – lots of them. Stay where they are, or move forward into a new situation, likely with considerable uncertainty.

A quote I love is: “In any given moment we have two options: to step forward into growth or to step back into safety.” If you have been reading the Incite for any length of time you know I am always moving foward. It’s natural for me, but might not be for my kids or anyone else. So I will continue ensuring they are aware that during each transition that they can decide what to do. There are no absolutes; sometimes they will need to pause, and other times they should jump in. And if they take Dad’s lead they will keep jumping into an ever-expanding reality.

–Mike

Photo credit: “Flickrverse, Expanding Ever with New Galaxies Forming” originally uploaded by cobalt123


Thanks to everyone who contributed to my Team in Training run to support the battle against blood cancers. We have raised over $5,000 so far, which is incredible. I am overwhelmed with gratitude. You can read my story in a recent Incite, and then hopefully contribute (tax-deductible) whatever you can afford. Thank you.

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building a Threat Intelligence Program

EMV and the Changing Payment Space

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Business relevance is still important: Forrester’s Peter Cerrato offers an interesting analogy at ZDNet about not being a CISO dinosaur, and avoiding extinction. Instead try to be an eagle, whose ancestors survived the age of the dinosaurs. How do you do that? By doing a lot of the things I’ve been talking about for, um, 9 years at this point. Be relevant to business? Yup. Get face time with executives and interface with the rank and file? Yup. Plan for failure? Duh. I don’t want to minimize the helpfulness or relevance of this guidance. But I do want make clear that the only thing new here is the analogy. – MR

  2. The Dark Tangent is right: What did I learn at Black Hat? That people can hack cars. Wait, I am pretty sure I already knew this was possible. Maybe it was the new Adobe Flash bugs? Or IoT vulnerabilities? Mobile hacks or browser vulnerabilities? Yeah, same old parade of vulnerable crap. What I really learned is that Jeff Moss is right: Software liability is coming. Few vendors – Microsoft being the notable exception – have really put in the effort to address vulnerable software. Mary Ann Davidson’s insulting rant reinforces that vendors really don’t want to fix vulnerabilities – to the extent they will threaten and sue their customers to retain the status quo. We have seen it in the past with automotive Lemon Laws and in meat packing industry of the early 1900s – when vendors won’t address their $#!?, legislators will. – AL

  3. Hygiene separates those who know what they are doing… As security becomes a more common topic of discussion with the masses (thank the daily breach-o-rama for that), it’s interesting to see how experienced folks think differently than inexperienced people. Google did some research to get a feel for what separates ‘experts’ from ‘non-experts’ in terms of how they attempt to stay safe. The biggest difference? If you had patching, you win the pool. Both groups are aware of strong passwords. The experts like MFA (as they should) and the n00bs change passwords frequently (which doesn’t help). But it’s keeping devices up to date and configured correctly that makes the difference. Who knew? You did, because this is what you do for a living. – MR

  4. Double Trouble: Encryption is an amazingly effective security control – when properly implemented and deployed. Both are hard to do, and it is shocking how often big companies get this wrong. It turns out that SAP Hana is storing the same encryption key in the same memory location for all servers. Security researchers found the weakness after the discovery of a SQL injection bug that allowed them to remotely execute code on the Hana cluster. The good news is that customers can – and should – change the key after the software is installed, so there is a workaround. But given the complexity of the process and the fear of encrypting data and losing keys, many don’t. And even if you do, until you patch the known attack vectors, the new key can also be obtained by hackers, who can then decrypt at will. Given SAP’s prevalence at large firms, attackers and security researchers have turned their attention to SAP products in the last couple years. So if you’re an SAP Hana customer patch and change your keys now! – AL

  5. Control? Ha! As always, Godin puts everything in perspective. This time he tackles the illusion of control. So many folks get pissed when things don’t go their way. They don’t get a project funded. Their prodigy leaves for a high-paying consulting job. You get owned because an employee clicked the wrong thing. You can let this result in disappointment, or not. Your choice. Control is a myth. The post ends with a truism we all should keep front and center in our daily activities: “You’re responsible for what you do, but you don’t have authority and control over the outcome. We can hide from that, or we can embrace it.” – MR

—Mike Rothman

Wednesday, July 29, 2015

Incite 7/29/2015: Finding My Cause

By Mike Rothman

When you have resources you are supposed to give back. That’s what they teach you as a kid, right? There are folks less fortunate than you, so you help them out. I learned those lessons. I dutifully gave to a variety of charities through the years. But I was never passionate about any cause. Not enough to get involved beyond writing a check.

I would see friends of mine passionate about whatever cause they were pushing. I figured if they were passionate about it I should give, so I did. Seemed pretty simple to me, but I always had a hard time asking friends and associates to donate to something I wasn’t passionate about. It seemed disingenuous to me. So I didn’t.

I guess I’ve always been looking for a cause. But you can’t really look. The cause has to find you. It needs to be something that tugs at the fabric of who you are. It has to be something that elicits an emotional response, which you need to be an effective fundraiser and advocate. It turns out I’ve had my cause for over 10 years – I just didn’t know it until recently.

Cancer runs in my family. Mostly on my mother’s side or so I thought. Almost 15 years ago Dad was diagnosed with Stage 0 colon cancer. They were able to handle it with a (relatively) minor surgery because they caught it so early. That was a wake-up call, but soon I got caught up with life, and never got around to getting involved with cancer causes. A few years later Dad was diagnosed with Chronic Lymphocytic Leukemia (CLL). For treatment he’s shied away from western medicine, and gone down his own path of mostly holistic techniques. The leukemia has just been part of our lives ever since, and we accommodate. With a compromised immune system he can’t fly. So we go to him. For big events in the South, he drives down. And I was not exempt myself, having had a close call back in 2007. Thankfully due to family history I had a colonoscopy before I was 40 and the doctor found (and removed) a pre-cancerous polyp that would not have ended well for me if I hadn’t had the test.

Yet I still didn’t make the connection. All these clues, and I was still spreading my charity among a number of different causes, none of which I really cared about. Then earlier this year another close friend was diagnosed with lymphoma. They caught it early and the prognosis is good. With all the work I’ve done over the past few years on being aware and mindful in my life, I finally got it. I found my cause – blood cancers. I’ll raise money and focus my efforts on finding a cure.

It turns out the Leukemia and Lymphoma Society has a great program called Team in Training to raise money for blood cancer research by supporting athletes in endurance races. I’ve been running for about 18 months now and already have two half marathons under my belt. This is perfect. Running and raising money! I signed up to run the Savannah Half Marathon in November as part of the TNT team. I started my training plan this week, so now is as good a time as any to gear up my fundraising efforts. I am shooting to run under 2:20, which would be a personal record.

Team in Training

Given that this is my cause, I have no issue asking you to help out. It doesn’t matter how much you contribute, but if you’ve been fortunate (as I have) please give a little bit to help make sure this important research can be funded and this terrible disease can be eradicated in our lifetime. Dad follows the research very closely as you can imagine, and he’s convinced they are on the cusp of a major breakthrough.

Here is the link to help me raise money to defeat blood cancers: Mike Rothman’s TNT Fund Raising Page.

I keep talking about my cause, but this isn’t about me. This is about all the people suffering from cancer and specifically blood cancers. I’m raising money for all the people who lost loved ones or had to put their lives on hold as people they care about fight. Again, if you can spare a few bucks, please click the link above and contribute.

–Mike


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building a Threat Intelligence Program

EMV and the Changing Payment Space

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Zombie software: Every few years a bit of software pops up that advocates claim will identify users through analysis of typing patterns. Inevitably these things die because nobody wants or uses them. That old technology looking for a problem problem. Over the years it has been positioned as a way to keep administrative terminals safe, or for use by banks to ensure only legitimate customers access their accounts. And so here we go again, for the 8th time in my memory, a keyboard-based user profiler, only now it’s positioned as a way to detect users behind a Tor session. What we are looking at is a bit of code installed on a computer which maps the timing intervals between characters and words a user types. I first got my hands on a production version of this type of software in 2004, and lo and behold it could tell me from my co-workers with 90% certainty. Until I had a beer, and then it failed. Or when I was in a particularly foul mood and my emphatic slamming of keys changed my typing pattern. Or until I allowed another user on the machine and screwed up its behavioral pattern matching because it was retraining the baseline. There are lots of people in the world with a strong desire to know who is behind a keyboard – law enforcement and marketers, to name a few – so there will always be a desire for this tech to work. And it does, under ideal conditions, but blows up in the real world. – AL

  2. Endpoint protection is hard. Duh! With all the advanced attacks and adversaries out there, it’s hard to protect endpoints. And in other news, grass is green, the sky is blue, and vendors love FUD. This wrapup in Network World is really just a laundry list of all the activity happening to protect endpoints. We have big vendors and start-ups and a bunch of companies in between, who look at a $5B market where success is not expected and figure it’s ripe for disruption. Which is true, but who cares? Inertia is strong on the endpoint, so what’s different now? It’s actually the last topic in the article, which mentions that compliance regimes are likely to expand the definition of anti-malware to include these new capabilities. That’s the shoe that needs to drop to create some kind of disruption. And once that happens it will be a mass exodus off old-school AV and onto something shinier. That will work better, until it doesn’t… – MR

  3. Hippies and hackers: According to emptywheel, only hippies and hackers argue against back doors in software. Until now, that is. Apparently at the Aspen Security Forum this week, none other than Michael Chertoff made a surprise statement: “I think that it’s a mistake to require companies that are making hardware and software to build a duplicate key or a back door … ” All kidding aside, the emptywheel blog nailed the sentiment, saying “Chertoff’s answer is notable both because it is so succinct and because of who he is: a long-time prosecutor, judge, and both Criminal Division Chief at DOJ and Secretary of Homeland Security. Through much of that career, Chertoff has been the close colleague of FBI Director Jim Comey, the guy pushing back doors now.” This is the first time I’ve heard someone out of the intelligence/DHS community make such a statement. Back doors are synonymous with compromised security, and we know hackers and law enforcement are equally capable of using them. So it’s encouraging to hear from someone who has the ear of both government and the tech sector. – AL

  4. Survival of the fittest: Dark Reading offered a good case study of how a business deals with a DDoS attack. The victim, HotSchedules, was targeted for no apparent reason – with no ransom or other demands. So what do you do? Job #1 is to make sure customers have the information they need, and all employees had to work old-school (like, via email and phones) to make sure customers could still operate. Next try to get the system up and running again. They tried a few options, but ultimately ended up moving their systems behind a network scrubbing service to restore operations. My takeaways are pretty simple. You are a target. Even if you don’t think you are. Also you need a plan to deal with a volumetric attack. Maybe it’s using a Content Delivery Network or contracting with a scrubbing service. Regardless of the solution, you need to respond quickly. – MR

—Mike Rothman

Wednesday, July 15, 2015

Incite 7/15/15 — On Top of the Worlds

By Mike Rothman

I discussed my love of exploring in the last Incite, and I have been fortunate to have time this summer to actually explore a bit. The first exploration was a family vacation to NYC. Well, kind of NYC. My Dad has a place on the Jersey shore, so we headed up there for a couple days and took day trips to New York City to do the tourist thing.

For a guy who grew up in the NY metro area, it’s a bit weird that I had never been to the Statue of Liberty. The twins studied the history of the Statue and Ellis Island this year in school, so I figured it was time. That was the first day trip, and we were fortunate to be accompanied by Dad and his wife, who spent a bunch of time in the archives trying to find our relatives who came to the US in the early 1900s. We got to tour the base of Lady Liberty’s pedestal, but I wasn’t on the ball enough to get tickets to climb up to the crown. There is always next time.

WTC

A few days later we went to the new World Trade Center. I hadn’t been to the new building yet and hadn’t seen the 9/11 memorial. The memorial was very well done, a powerful reminder of the resilience of NYC and its people. I made it a point to find the name of a fraternity brother who passed away in the attacks, and it gave me an opportunity to personalize the story for the kids. Then we headed up to the WTC observation deck. That really did put us on top of the world. It was a clear day and we could see for miles and miles and miles. The elevators were awesome, showing the skyline from 1850 to the present day as we rose 104 stories. It was an incredible effect, and the rest of the observation deck was well done. I highly recommend it for visitors to NY (and locals playing hooky for a day).

Then the kids went off to camp and I hit the road again. Rich was kind enough to invite me to spend the July 4th weekend in Boulder, where he was spending a few weeks over the summer with family. We ran a 4K race on July 4th, and drank what seemed to be our weight in beer (Avery Brewing FTW) afterwards. It was hot and I burned a lot of calories running, so the beer was OK for my waistline. That’s my story and I’m sticking to it.

The next day Rich took me on a ‘hike’. I had no idea what he meant until it was too late to turn back. We did a 2,600’ elevation change (or something like that) and summited Bear Peak. We ended up hiking about 8.5 miles in a bit over 5 hours. At one point I told Rich I was good, about 150’ from the summit (facing a challenging climb). He let me know I wasn’t good, and I needed to keep going. I’m glad he did because it was both awesome and inspiring to get to the top.

Mike on Bear Peak

I’ve never really been the outdoorsy type, so this was way outside my comfort zone. But I pushed through. I got to the top, and as Rich told me would happen before the hike, everything became crystal clear. It was so peaceful. The climb made me appreciate how far I’ve come. I had a similar feeling when I crossed the starting line during my last half marathon. I reflected on how unlikely it was that I would be right there, right then. Unlikely according to both who I thought I was and what I thought I could achieve.

It turns out those limitations were in my own mind. Of my own making. And not real. So now I have been to the top of two different worlds, exploring and getting there via totally different paths. Those experiences provided totally different perspectives. All I know right now is that I don’t know. I don’t know what the future holds. I don’t know how many more hills I’ll climb or races I’ll run or businesses I’ll start or places I’ll live, or anything for that matter. But I do know it’s going to be very exciting and cool to find out.

–Mike

Photo credit: “One World Trade Center Observatory (5)” originally uploaded by Kai Brinker and Mike Selfie on top of Bear Peak.


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Threat Detection Evolution

Network-based Threat Detection

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. It takes a data scientist to know one: Data science is hot, hot, hot. Especially in security, where the new hotness is analytics to detect space alien attackers. And the data scientists have the keys to find them. Of course, then you actually have to hire these folks. And it’s not like when I ran marketing teams, and knew the jobs of my team as well as they did. So if you’re not a math person, how do you hire a math person? The good news is that one of my favorite math people, Jay Jacobs (now of BitSight) has listed 5 things to think about when hiring a data scientist. His first suggestion is to give them data and let them do their stuff. Which makes a huge amount of sense. That’s what I did for every job I interviewed for. I either prepared a research report or presentation, or built a marketing plan. You also need to ask questions (even if you think they are dumb questions), understand what they’ve done, and see if they can communicate the value of their efforts in business terms. Jay’s last point is the most critical. Data scientists are kind of like unicorns. If you hold out for the perfect one, you will be looking for a long time. As in every emerging field, you need to balance substance and experience with intelligence and drive, because the function will change and you will need your hires to grow along with it. – MR

  2. Tortoise and Hare: Our own Dave Lewis’ recent post on Forbes – The Opportunity Presented By Shadow IT – mirrors a trend I am seeing with CISOs. Several CISOs I heard from during a recent panel said much the same thing. They had come to view rogue IT as an opportunity to learn. It showed them their users’ (their real customers’) pain points, and where resources should be allocated to address these issues. It showed the delta between IT-governed rollouts and rogue IT, and made very clear the cost differential between the two. Shadow IT showed where security controls went unnoticed, and which users fought or ignored/avoided ‘real’ IT altogether. Dave’s point that the rogue project put the company at risk is on the mark, but it should be clear that a lack of agility within IT – across all industries – is an issue which IT and operations teams need to work on. The status quo is not working. But that’s not news – the status quo has been broken for a long time. – AL

  3. Sucking less at security operations: When I’m doing a talk, I usually get big laughs when I state the obvious: most organizations suck at security ops. Of course the laughs are a bit forced: “Is he talking about me?” Odds are I am, because security ops, like consistent patch and configuration management, is hard. Hygiene is not sexy, but neither is flossing your teeth. Until you lose all your teeth, as my dentist constantly reminds me. SecurityWeek ran a good reminder of the challenges of patching consistently a while ago. But it’s worth revisiting, especially given that almost every major software company has some kind of patching process for their stuff. Of course, as we enter cloud-based reality, patching and ops take on different connotations (and we have a lot to say about that), but for now you need to continue paying attention to the security ops side of the house. Which is a reminder that never gets old, mostly because we as an industry still can’t seem to figure it out. – MR

  4. Bit Split Reduce: Homomorphic encryption is essentially encrypted data that you can still do real work with, including sorting and summing values. A recent Wired article, MIT’s Bitcoin-Inspired ‘Enigma’ Lets Computers Mine Encrypted Data discusses a new take. We have seen many of these claims in the past, including many variants which force cryptographic compromises to enable computation. And we’ve seen the real thing too, but only in laboratory experiments – the processing overhead is about 100k times higher than normal data processing, so not feasible for normal usage. The MIT team’s approach sounds like a combination of the ‘bitsplitting’ storage strategies used by some cloud providers to obfuscate customer data, and big data style distributed processing. With a big data MapReduce function, they use the reduce part to arrange or filter data, protecting its integrity by assigning each node tiny data elements that – on their own – are meaningless. In the aggregate they can produce real results. But the real question is “Is this secure?” Unfortunately I have no clue from the white paper, because security issues are more likely to pop up in practical application, rather than in general concepts. That said, statements like “Thanks to some mathematical tricks the Enigma creators implemented” make me very nervous… so the jury is still out, and will remain so until we have something we can test. – AL

  5. It’s bad. Trust me. Ever the contrarian, Shack goes after the valuation in the wake of a breach bogeyman. A key message in most security vendor pitches is that breaches are bad for market cap. But what if that’s not really the case? What if the data shows that over time a breach can actually be good for business, if only to shine a spotlight on broken processes and force the business to be much more strategic and effective about how they do things? Like most transformation catalysts, it really sucks at the time. Anyone who has lived through a breach response and the associated public black eye knows it sucks. But if that results in positive change and a stronger company at the end of the process, maybe it’s not the worst thing. Nah, never mind. That’s crazy talk. What would all the vendors talk about if they couldn’t scare you with FUD? They’d actually have to address the fact their products don’t help (for the most part). Oh, did I actually write that down? Oops. – MR

—Mike Rothman

Wednesday, July 01, 2015

Incite 7/1/2015: Explorers

By Mike Rothman

When I take a step back I see I am pretty lucky. I’ve seen a lot of very cool places. And experienced a lot of different cultures through my business travels. And now I’m at a point in life where I want to explore more. Not just do business hotels and see the sights from the front seat of a colleague’s car or taxi. I want to explore and see all the cool things this big world has to offer.

It hasn’t always been this way. For the first two decades of my career, I was so focused on getting to the next rung on the career ladder that I forgot to take in the sights. And forget about smelling the roses. That would take time away from my plans for world domination. In hindsight that was ridiculous. I’m certainly not going to judge others who still strive for world domination, but that does not interest me any more.

I’m also at a point in life where my kids are growing up, and I only have a few more years to show them what I’ve learned is important to me. They’ll need to figure out what’s important to them, but in the meantime I have a chance to instill a love of exploration. An appreciation of cultures. And a yearning to see and experience the world. Not from the perspective of their smartphone screen, but by getting out there and experiencing life.

Dora is an explorer

XX1 left for a teen tour last Saturday. Over the next month she’ll see a huge number of very cool things in the Western part of the US. The itinerary is fantastic, and made me wonder if I could take a month off to tag along. It’s not cheap and I’m very fortunate to be able to provide her with that opportunity. All I can do is hope that she becomes an explorer, and explores throughout her life. I have a cousin who just graduated high school. He’s going to do two years of undergrad in Europe to learn international relations – not in a classroom on a sheltered US campus (though there will be some of that), but out in the world. He’s also fortunate and has already seen some parts of the world, and he’s going to see a lot more over the next four years. It’s very exciting.

You can bet I’ll be making at least two trips over there so we can explore Europe together. And no, we aren’t going to do backpacks and hostels. This boy likes hotels and nice meals.

Of course global exploring isn’t for everyone. But it’s important to me, and I’m going to try my damnedest to impart that to my kids. But I have multiple goals. First, I think individuals who see different cultures and different ways of thinking are less likely to judge people with different views. Every day we sees the hazards of judgmental people who can’t understand other points of view and think the answer is violence and negativity.

But it’s also clear that we move in a global business environment. Which means to prosper they will need to understand different cultures and appreciate different ways of doing things. It turns out the only way to really gain those skills is to get out there and explore.

Coolest of all is the fact that we all need travel buddies. I can’t wait for the days when I explore with my kids – not as a parent/child thing, but as friends going to check out cool places.

–Mike

Photo credit: “Dora the Explorer” originally uploaded by Hakan Dahlstroem


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Threat Detection Evolution

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Polishing the crystal ball: Justin Somaini offers an interesting perspective on The Future of Security Solutions. He highlights a lot of disruptive forces poised to fundamentally change how security happens over the next couple of. To make the changes somewhat tangible and less overwhelming, Justin breaks the security world into a few buckets: Network Controls Management, Monitoring and Threat Response, Software Development, Application Management, Device Management, and Risk Management/GRC. Those buckets are as good as any others. We could quibble a bit about where the computing stack resides, which is really about the data. But he highlights a lot of concepts we published in our own Future of Security research. Suffice it to say, it really makes no difference whose version of the future world you believe, because we will all be wrong somehow. Just understand that things are changing for security folks, and you’ll either go headlong into the change or get run over. – MR

  2. Less bad: Bruce Schneier offered a personal look into his selection of full disk encryption options for Windows machines. Surprised he didn’t write his own? Don’t be. Design principles and implementation details make this a hard problem to simplify, and that’s what most users need. He calls his selection “the least bad option”, but honestly it’s noteworthy that the industry has (mostly) progressed past some kid fresh out of school forming a new company based on an algorithm he cobbled together during his graduate studies. Historically you couldn’t audit this superduper new encryption code, because it was someone’s intellectual property and might compromise security if anyone else could see it. The good news is that most of you will be fine with any of Bruce’s options, because you just need to make sure the contents of your drive can’t be copied by whoever steals your laptop. As long as you’re not worried about governments breaking into your stuff, you’re good. If you are worried about governments, then you understand how hard it is to defend against an adversary with vast resources, and why “the least bad option” is really the only option for you. – AL

  3. Due care and the profit motive: Given the breach du jour we seem to read about every day, Trey Ford on the Rapid7 blog reiterates a reasonable question he heard at a recent convention from a government employee: “How do you build a standard of due care?” The Feds think putting Mudge in charge of a CyberUL initiative is a good place to start. I can’t disagree – yet. But I still believe we (as an industry) cannot legislate our way out of the issues of crap security and data protection. Trey mentions the need for information sharing (a NTSB of sorts for breaches) and cyberinsurance underwriting based on data instead of voodoo. I agree on both counts, but add that we need a profit driver to focus the innovation on options that make sense for enterprises, large and small. NIST puts out a bunch of great stuff, but it’s not always relevant to everyone. But if they had to pay their own way, Mr. Market says they’d figure out something that works for a large swath of businesses. Or they’d go away. We have threat intel as a business, and have always talked about the need for metrics/benchmarking businesses to help organizations know how they compare to others, and to optimize their limited resources accordingly. Needing to generate money to keep the lights on tends to help organizations narrow their efforts down to what matters, which legislation doesn’t. – MR

  4. The failure of documentation: I had a peer to peer (P2P) session at the RSA Conference this year on moving security into the Agile development process. But that is not what happened – instead security played a small part, and general process failures a much larger one. In fact it was a room filled mostly with people who had recently tried to move to Agile, and were failing miserably. The number one complaint? “How do we handle documentation?” QA, design, and all the other groups demand their specifications. I stepped on my instinct to say “You’re doing it wrong” – documentation is one of the things you are striving to get rid of, but a lack of agility across the rest of the company trips up many Agile efforts. A handful of people in the room had adopted continuous integration and continuous deployment, which offer one or more solutions to the group’s problems. I am not saying all problems are solved by DevOps – just that the failure common modes in that P2P discussion can be traced back to the silos we created in the days of waterfall, and need to be broken up for Agile processes to thrive. Darknet’s discussion on Agile Security raises the same concerns, and reached a similar conclusion. Security – and the rest of the team for that matter – needs to be better integrated with development. Which we have known for a long time. – AL

  5. Bootstrapping the IR report: Too many incident response reports are pretty short. Slide 1: We got owned. Slide 2: Please don’t fire me. Ugh. Okay, maybe not quite that short, but it’s not like the typical practitioner has models and guides to help document an incident – and, more importantly, to learn from what happened. So thank Lenny Zeltser, who posted a template which combines a bunch of threat, intrusion, and response models into a somewhat coherent whole. It is obviously valuable to have a template for documentation, and you can refine the pieces that work for you after a response or ten. Additionally you can use his template to guide your response if you don’t have an established incident response process. Which is really the first thing you should create. But failing that, Lenny’s template can help you understand the information you should be gathering and its context. – MR

—Mike Rothman

Thursday, June 11, 2015

Incite 6/10/2015: Twenty Five

By Mike Rothman

This past weekend I was at my college reunion. It’s been twenty five years since I graduated. TWENTY FIVE. It’s kind of stunning when you think about it. I joked after the last reunion in 2010 that the seniors then were in diapers when I was graduating. The parents of a lot of this year’s seniors hadn’t even met. Even scarier, I’m old enough to be their parent. It turns out a couple friends who I graduated with actually have kids in college now. Yeah, that’s disturbing.

It was great to be on campus. Life is busy, so I only see some of my college friends every five years. But it seems like no time has passed. We catch up about life and things, show some pictures of our kids, and fall right back into the friendships we’ve maintained for almost thirty years. Facebook helps people feel like they are still in touch, but we aren’t. Facebook isn’t real life – it’s what you want to show the world. Fact is, everything changes, and most of that you don’t see. Some folks have been through hard times. Others are prospering.

Dunbar's Ithaca NY

Even the campus has evolved significantly over the past five years. The off-campus area is significantly different. Some of the buildings, restaurants, & bars have the same names; but they aren’t the same. One of our favorite bars, called Rulloff’s, shut down a few years back. It was recently re-opened and pretty much looked the same. But it wasn’t. They didn’t have Bloody Marys on Thursday afternoon. The old Rulloff’s would have had galloons of Bloody Mix preparing for reunion, because that’s what many of us drank back in the day. The new regime had no idea. Everything changes.

Thankfully a bar called Dunbar’s was alive and well. They had a drink called the Combat, which was the root cause of many a crazy night during college. It was great to go into D-bars and have it be pretty much the same as we remembered. It was a dump then, and it’s a dump now. We’re trying to get one of our fraternity brothers to buy it, just to make sure it remains a dump. And to keep the Combats flowing.

It was also interesting to view my college experience from my new perspective. Not to overdramatize, but I am a significantly different person than I was at the last reunion. I view the world differently. I have no expectations for my interactions with people, and am far more accepting of everyone and appreciative of their path. Every conversation is an opportunity to learn, which I need. I guess the older I get, the more I realize I don’t know anything.

That made my weekend experience all the more gratifying. The stuff that used to annoy me about some of my college friends was no longer a problem. I realized it has always been my issue, not theirs. Some folks could tell something was different when talking to me, and that provided an opportunity to engage at a different level. Others couldn’t, and that was fine by me; it was fun to hear about their lives.

In 5 years more stuff will have changed. XX1 will be in college herself. All of us will undergo more life changes. Some will grow, others won’t. There will be new buildings and new restaurants. And I’ll still have an awesome time hanging out in the dorms until the wee hours drinking cocktails and enjoying time with some of my oldest friends. And drinking Combats, because that’s what we do.

–Mike

Photo credit: “D-bars” taken by Mike in Ithaca NY


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Threat Detection Evolution

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Vulnerabilities are not intrusions: Richard Bejtlich is a busy guy. As CSO of FireEye, I’m sure his day job keeps him pretty busy, as well as all his external responsibilities to gladhand big customers. So when he writes something on his personal blog you know he’s pissed off. And he’s really pissed that it seems parties within the US federal government doesn’t understand the different between vulnerabilities and intrusions. In the wake of the big breach at the Office of Personnel Management (yeah, the Fed HR department), people are saying that the issue was the lack of implementation of CDM (continuous diagnostic monitoring). But that just tells you what’s vulnerable, and we all know that’s not a defense against advanced adversaries. Even the lagging Einstein system would have had limited success, but at least it’s focusing on the right stuff: who is in your network. Richard has been one of the most fervent evangelicals of hunting for adversaries, and his guidance is pretty straightforward: “find the intruders in the network, remove them, and then conduct counter-intrusion campaigns to stop them from accomplishing their mission when they inevitably return.” Easier said than done, of course. But you never will get there if your answer is a vulnerability management program. – MR

  2. De-Googled: The Internet is a means for people to easily find information, but many large firms use the Internet to investigate you, and leverage it to monitor pretty much everything users do online. Every search, every email, every purchase, every blog comment, all the time – from here to eternity. I know a lot of privacy advocates who read the blog. Heck, I talk to many of them at security conferences, and read their comments on the stuff we post. If that’s you, a recent post from ExpressVPN on How to delete everything Google knows about you should be at the top of your reading list. It walks you through a process to collect and then delete your past Google history. I can’t vouch for the accuracy of the steps – frankly I am too busy to try it out – but it’s novel that Google provided the means, and someone has documented the obfuscated steps to delete your history. Bravo! Of course if you continue to use the embedded Google search bar, or Google+, or Gmail, or any of the other stuff Google offers, you will still be tracked. – AL

  3. What point are you trying to make? There have always been disagreements over the true cost of a lost data record. Ponemon has been publishing numbers in the hundreds of dollars per record for years (this year’s number was $350), and Verizon Business recently published a $0.58 number in the 2015 DBIR. So CSO asks if it’s $350 or $0.58? The answer is neither. There is no standard cost. There is only what it costs you, and how much you want to bury in that number to create FUD internally. Ponemon includes pretty much everything (indirect costs) and then some. Verizon includes pretty much nothing and bases their numbers off insurance claims, which can be supported by objective data. Security vendors love Ponemon’s numbers. Realists think Verizon’s are closer. Again, what are you trying to achieve? If it’s to scare the crap out of the boardroom, Ponemon is your friend. If it’s to figure out what you’ll get from your cyber-insurance policy, you need the DBIR. As we have always said, you can make numbers dance and tell whatever story you want them to. Choose wisely. – MR

  4. Barn door left open: Apache ZooKeeper is a configuration management and synchronization tool commonly used in Hadoop clusters. It’s a handy tool to help you manage dynamic databases, but it moves critical data between nodes, so the privacy and integrity of its data are critical to safe and secure operations. Evan Gilman of PagerDuty posted a detailed write-up of a ZooKeeper session encryption bug found in an Intel extension to Linux kernel modules and XEN hypervisors which essentially disables checksums. In a nutshell, the Intel support for AES within encryption module aesni-intel, which is used for VPNs and SSL traffic, will – under certain circumstances – disable checksums on the TCP headers. That’s no bueno. The bug should be simple to fix, but at this time there is no patch from Intel. Thanks to the guys at PagerDuty for taking the time to find and document this bug for the rest of us! – AL

  5. Cyber all the VC things…: Mary Meeker survived the Internet bubble as the Internet’s highest profile stock analyst, and then moved west to work with VC big shots Kleiner Perkins. She still writes the annual Internet Trends report and this year security has a pretty prominent place. Wait, what? So, in case you were wondering whether security is high-profile enough, it is. We should have been more careful about what we wished for. She devoted two pages to security in the report. Of course her thoughts are simplistic (Mobile devices are used to harvest data and insiders cause breaches. Duh.) and possibly even wrong. (Claiming MDM is critical for preventing breaches. Uh, no.) But she pinpoints the key issue: the lack of security skills. She is right on the money with that one. Overall, we should be pleased with the visibility security is getting. And it’s not going to stop any time soon. – MR

—Mike Rothman

Wednesday, May 20, 2015

Incite 5/20/2015: Slow down [to speed up]

By Mike Rothman

When things get very busy it’s hard to stay focused. There is so much flying at you, and so many things stacking up. Sometimes you just do the easy things because they are easy. You send the email, you put together the proposal, you provide feedback on the document. It can be done in 15 minutes, so you do it. Leaving the bigger stuff for later. At least I do.

Then later becomes the evening, and the big stuff is still lagging. I pop open the laptop and try to dig into the big stuff, but that’s very hard to do at the end of the day. For me, at least. In the meantime a bunch more stuff showed up in the inbox. A couple more things need to get done. Some easy, some hard. So you run faster, get up earlier, rearrange the list, get something done. Wash, rinse, repeat. Sure, things get done. But I need to ask whether it’s the right stuff. Not always.

Slow down. You're going too fast!

I know this is a solved problem. For others. They’ll tell me about their awesome Kanban workflow to control unplanned work. How they use a Pomodoro timer to make sure they give themselves enough time to get something done. Someone inevitably busts out some GTD goodness or possibly some Seven Habits wisdom. Sigh. Here’s the thing. I have a system. It works. When I use it.

The lack of a system isn’t my problem. It’s that I’m running too fast. I need to slow down. When I slow down things come into focus. Sure, more stuff may pile up. But not all that stuff will need to get done. The emails will still be there. The proposal will get written, when I have a slot open to actually do the work. And when I say slow down, that doesn’t mean work less. It means give myself time to mentally explore and wander. With nowhere to be. With nothing to achieve.

I do that through meditation, which I haven’t done consistently over the last few months. I prioritized my physical practices (running and yoga) for the past few months, at the expense of my mental practice. I figured if I just follow my breath when running I can address both my mental and physical practice at the same time. Efficiency, right? Nope. Running and yoga are great. But I get something different from meditation.

I’m most effective when I have time to think. To explore. To indulge my need to go down paths that may not seem obvious at first. I do that when meditating. I see the thought and sometimes I follow it down a rathole. I don’t know where it will go or what I’ll learn. I follow it anyway. Sometimes I just let the thought pass and return my awareness to the breath. But one thing is for sure – my life flows a lot easier when I’m meditating every day. Which is all that matters.

So forgive me if I don’t respond to your email within the hour. I’ll forgive myself for letting things pile up on my to do list. The emails and tasks will be there when I’m done meditating. It turns out I will be able to work through lists much more efficiently once I give myself space to slow down. Strangely enough, that allows me to speed up.

–Mike

Photo credit: “Slow Down” originally uploaded by Tristan Schmurr


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Don’t believe everything you read: The good news about Securosis’ business is that we don’t have to chase news. Sure, if there is something timely and we have room on our calendar, we’ll comment on current events. But if you look at our blog lately it’s clear we’re pretty busy. So we didn’t get around to commenting on this plane hacking stuff. But if we wait around long enough, one of our friends will say pretty much what I’m thinking. So thanks to Wendy who summed up the situation nicely. And that reminds me of something I have to tell my kids almost every day. Don’t believe everything you read on the Internet. You aren’t getting the full story. Media outlets, bloggers, and other folks with websites have agendas and biases. Consider what you read with a skeptical eye and confirm/validate to ensure you have the full story. Or fall in line with the rest of the lemmings who believe what they read, and react emotionally to what usually amounts to a pile of rubbish. – MR

  2. Super-Fish-er: Dennis Fisher over at ThreatPost wrote a great article highlighting ad injector networks and how attackers are hijacking SSL connections to collect ad revenue for bogus ‘clicks’ from bogus sites. It’s a sobering look at how your computer can be leveraged – with a couple simple alterations – to behave just like another person. So much of browsers’ behavior is hidden from users precisely to hide the avalanche of ads and tracking that it’s fairly easy for attackers to hide within that environment. We will see lots more hacking of ad networks while this remains so profitable. – AL

  3. The monster in the closet: I really like Scott Roberts’ discussion of Imposter Syndrome – basically the fear that you will be found out as a fraud. He looks at it from the perspective of DFIR. We all struggle with it. Our brains, in a misplaced attempt to protect us, make us feel unworthy. It turns out that feeling can shut you down, or motivate you to continue growing and learning. Scott’s recommendations include being aware of the feelings and searching out experts who can help you learn and grow. Every time I question my skills I remember that I do different things differently than most everyone else. I’m not trying to be anyone else so I can’t really be an imposter. And if someone doesn’t appreciate what I do or how I do it, that’s fine by me. You can’t make everyone happy all the time, and that includes your internal imposter. Acknowledge it, and then let it go. – MR

  4. Financial aid: In news that surprised no one, the University of California, Los Angeles (UCLA) announced 800k records were accessed by hackers – far bigger than the 2009 UC Berkeley breach. Some of you with mad crazy math skilz may be saying, “Hey, wait, even at 50k students a year, that’s 16 years of student data!” but the stolen records included application data, including all that financial aid related stuff students provide universities. It’s normally at this point where we ask, “What the frack are you doing keeping all those records?!” and recommend deletion or crypto-shredding to dispose of data, but in this case that does not matter as much – the attackers gained access in 2005. Yeah, ten years, so we’ll just say your odds of detecting a compromise without monitoring are pretty much zero. – AL

  5. Maturity is a thing… A while back (I’m a bit behind in my reading) Brian Krebs posted about security maturity. He presented a couple models to describe how a security program changes based on the maturity of the function. We use this concept a lot because it makes sense, especially to those stepping into a very unsophisticated who and need to advance it quickly. First you have to acknowledge where you are today – honestly. Deceiving yourself is not going to help. But even more importantly, you need to figure out where you want to be. What is your goal? And then you can figure out how much that will cost. Not every organization needs a world-class security program. Ultimately this is a convenient metaphor to manage expectations because it forces everyone to think about the end goal, and we all know how critical that is. – MR

—Mike Rothman

Wednesday, May 06, 2015

Incite 5/6/2015: Just Be

By Mike Rothman

I’m spent after the RSAC. By Friday I have been on for close to a week. It’s nonstop, from the break of dawn until the wee hours of the morning. But don’t feel too bad – it’s one of my favorite weeks of the year. I get to see my friends. I do a bunch of business. And I get a feel for how close our research is to reflecting the larger trends in the industry.

But it’s exhausting. When the kids were smaller I would fly back early Friday morning and jump back into the fray of the Daddy thing. I had very little downtime and virtually no opportunity to recover. Shockingly enough, I got sick or cranky or both. So this year I decided to do it differently. I stayed in SF through the weekend to unplug a bit.

be

I made no plans. I was just going to flow. There was a little bit of structure. Maybe I would meet up with a friend and get out of town to see some trees (yes, Muir Woods was on the agenda). I wanted to catch up with a college buddy who isn’t in the security business, at some point. Beyond that, I’d do what I felt like doing, when I felt like doing it. I wasn’t going to work (much) and I wasn’t going to talk to people. I was just going to be.

Turns out my friend wasn’t feeling great, so I was solo on Friday after the closing keynote. I jumped in a Zipcar and drove down to Pacifica. Muir Woods would take too long to reach, and I wanted to be by the water. Twenty minutes later I was sitting by the ocean. Listening to the waves. The water calms me and I needed that. Then I headed back to the city and saw an awesome comedian was playing at the Punchline. Yup, that’s what I did. He was funny as hell, and I sat in the back with my beer and laughed. I needed that too.

Then on Saturday I did a long run on the Embarcadero. Turns out a cool farmer’s market is there Saturdays. So I got some fruit to recover from the run, went back to the hotel to clean up, and then headed back to the market. I sat in a cafe and watched people. I read a bit. I wrote some poetry. I did a ZenTangle. I didn’t speak to anyone (besides a quick check-in with the family) for 36 hours after RSA ended. It was glorious. Not that I don’t like connecting with folks. But I needed a break.

Then I had an awesome dinner with my buddy and his wife, and flew back home the next day in good spirits, ready to jump back in. I’m always running from place to place. Always with another meeting to get to, another thing to write, or another call to make. I rarely just leave myself empty space with no plans to fill it. It was awesome. It was liberating. And I need to do it more often.

This is one of the poems I wrote, watching people rushing around the city.

Rush
You feel them before you see
They have somewhere to be
It’s very important
Going around you as quickly as they can.
They are going places.

Then another
And another
And another
Constantly rushing
But never catching up.

They are going places.
Until they see
that right here
is the only place they need to be.
– MSR, 2015

–Mike

Photo credit: “65/365: be. [explored]“_ originally uploaded by It’s Holly


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Threat intel still smells like poop? I like colorful analogies. I’m sad that my RSAC schedule doesn’t allow me to see some of the more interesting sessions by my smart friends. But this blow-by-blow of Rick Holland’s Threat Intelligence is Like Three-Day Potty Training makes me feel like I was there. I like the maturity model, and know many large organization invest a boatload of cash in threat intel, and as long as they take a process-centric view (as Rick advises) they can get great value from that investment. But I’m fixated on the not Fortune 500. You know, organizations with a couple folks on the security team (if that) and a budget of a few Starbucks cards for threat intel. What do those folks do? Nothing right now, but over time they will expect and get threat intel built into their controls. Why should they have to spend time and money they don’t have, to integrate data their products should just use. Oh, does that sound like the way security products have worked for decades? Driven by dynamic updates from the vendor who produces the device? Right, back to the future. But a better future with better data, and possibly even better results. – MR

  2. Backwards: In the current round of vulnerability disclosure lunacy, the FBI detained security researcher Chris Roberts – who recently disclosed major vulnerabilities in airline in-flight WiFi systems – for questioning after exiting a recent flight. What makes this story suspect is that Robert was cooperating with airlines and the FBI prior to this. He met with both to discuss the issues, so they were fully aware of his findings. From statements it looks like the FBI performed a forensic analysis of the plane’s systems, and given their desire to examine Roberts’ laptop, it looks like this was an attempt to entrap determine whether Roberts stupidly hacked the plane he was on. The disclosure was a month prior, so the FBI could have pulled Roberts prior to boarding, or gone to his office, or even called and asked him to come in – but that’s not what they did. So far as we know, none of the executives who produce the vulnerable WiFi systems has been pulled from their flights; and more troubling, none of those systems were disabled pending investigation prior to Roberts’ flight. If the threat was serious, quietly disabling in-flight entertainment would be the correct action – not a grandstanding public arrest of a guy openly trying to get vulnerabilities fixed. – AL

  3. Even a mindset shift won’t solve the problem: Working through the round-ups of the RSAC 2015, I found some coverage of RSA President Amit Yoran’s keynote. His main contention was that security issues come down to having a change mindset, as opposed to expecting some new widget to solve all problems. I like that message, because I agree that chasing shiny new products and services, seeking a silver bullet, has moved us backwards. Clearly a mindset shift to focus on the people side is necessary, but it’s not sufficient. I think the goal of stopping attackers is a bit misguided, so that’s what we need to shift. It’s about managing loss, not blocking attacks. Some loss is actually necessary, because loss would be too expensive to completely avoid. But how can you find the right balance? That’s the art of doing security. Balancing the value of what’s at risk with the cost to protect it. Feel better now? – MR

  4. Busting the confusion: When the cloud was new some experts told us it was nothing more than outsourced mainframe computing. Lots of rubbish like that gets thrown out there when people don’t fully comprehend innovative or disruptive technology. Such is also the case with DevOps, and Gene Kim’s recent myth-busting article for DevOps makes some great points to address some of the big misconceptions I hear frequently. For me his first point is the biggest: DevOps does not replace Agile. DevOps helps make the rest of the organization more Agile. Additionally, the Agile with Scrum development methodology continues to work as before, but with less friction and impediments from outside groups. Sure, automation of many IT and QA tasks into a development pipeline is a big part of that, but focusing on that aspect diminishes the importance of addressing Work in Progress, a bigger source of friction. Gene’s comments are right on the mark and required reading – at least for those of you who don’t take the time to read The Phoenix Project. And yes, you should make that time. – AL

  5. Cheaters. Shocking! It seems a bevy of Chinese anti-virus vendors keep getting caught cheating on effectiveness tests, according to Graham Cluley. I find this pretty entertaining, mostly because anyone who buys an AV product based on the results of an effectiveness test is a joke. Additionally, it seems people forget that China plays business by different rules. They have no issue with taking your intellectual property, because they view it differently. So why would anyone be surprised that they think differently about AV comparison tests? It comes back to something we learned early on: you can’t expect other folks to act like you. Just because you won’t cheat doesn’t mean other folks are bound by the same ethics. You need to understand how to buy these products, and if you’re relying on third-party testing you will get what you deserve. – MR

—Mike Rothman

Wednesday, April 15, 2015

Incite 4/15/2015: Boom

By Mike Rothman

I’ve been on the road a bit lately, and noticed discussions keep working around to the general health of our industry. I’m not sure whether we’re good or just lucky, but we security folk find ourselves in the middle of a maelstrom of activity. And that will only accelerate over the next week, as many of us saddle up and head to San Francisco for the annual RSA Conference. We’ve been posting our RSA Conference Guide on the RSA Conference blog (are they nuts?) and tomorrow we’ll post our complete guide with all sorts of meme goodness.

The theme of this year’s Disaster Recovery Breakfast is be careful what you wish for. For years we have wanted more internal visibility for security efforts. We wanted to engage with senior management about why security is important. We wanted to get more funding and resources to deal with security issues. But now it’s happening. CISO types are being called into audit committee meetings and to address the full board (relatively) frequently. Budget is being freed up, shaken loose by the incessant drone of the breach of the day. We wanted the spotlight and now we have it. Oh crap.

balloon go boom

And investors of all shapes and sizes want a piece of cybersecurity. We’ve been engaged in various due diligence efforts on behalf of investors looking at putting money to work in the sector. You see $100MM funding rounds for start-ups. WTF is that about? A friend told me his successful friends call him weekly asking to invest in security companies. It’s like when you get stock tips from a cabbie (or Uber driver), it’s probably time to sell. That’s what this feels like.

But security will remain a high-profile issue. There will be more breaches. There will be additional innovative attacks, probably hitting the wires next week, when there is a lot of focus on security. Just like at Black Hat last year. Things are great, right? The security juggernaut has left the dock and it’s steaming full speed ahead. So why does it feel weird? You know, unreal?

Part of it is the inevitable paranoia of doing security for a long time. When you are constantly trying to find the things that will kill you, it’s hard to step back and just appreciate good times. Another part is that I’ve lived through boom and bust cycles before. When you see low-revenue early-stage start-ups acquired in $200MM+ and $50MM+ funding rounds for, you can’t help but think we are close to the top of the boom. The place to go from there is down. Been there, done that. I’m still writing off my investment tax losses from the Internet bubble (today is Tax Day in the US).

But you know what? What’s the use in worrying? I’m going to let it play out and do a distinctly atypical thing and actually enjoy the boom. I was too young and naive to realize how much fun the Internet boom was on the way up. I actually believed that was the new normal. Shame on me if I can’t enjoy it this time around.

I’ll be in SF next week with a huge smile on my face. I will see a lot of friends at RSAC. Rich, Adrian, and I will offer a cloud security automation learning lab and JJ and I will run a peer-to-peer session on mindfulness. I’ll have great conversations with clients and I’m sure I’ll fill the pipeline for the next couple months with interesting projects to work on. I’ll also do some damage to my liver. Because that’s what I do.

These halcyon days of security will end at some point. There is no beanstalk that grows to the sky. But I’m not going to worry about that now. I’ll ride through the bust, whenever it comes. We all will. Because we’re security people. We’ll be here when the carpetbaggers have moved on to the next hot sector promising untold riches and easy jobs. We’ll be here after the investors doing stupid deals wash out and wonder why they couldn’t make money on the 12th company entering the security analytics business. We’ll be here when the next compliance mandate comes and goes, just like every other mandate.

We’ll be here because security isn’t just a job. It’s a calling. And those who have been called ride through the booms and the busts. Today is just another day of being attacked by folks who want to steal your stuff.

–Mike

Photo credit: “Explosion de ballon Polyptyque“_ originally uploaded by Mickael


Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for. Check out the invite and then RSVP to rsvp (at) securosis.com, so we know how much food to get…


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Slap in the face: Part of the cellphone security model is locking and/or remotely wiping stolen cellphones. Allowing owners to control transfer of ownership makes stolen phones are almost worthless, and should discourage phone theft. But a giant case of insider fraud at AT&T barely made news last week, because it was positioned in the press as just another data breach. The real story is that a handful of employees in foreign markets accessed customer accounts to allow the transfer and activation of stolen phones. What makes the story so painful is that the criminal organization which got its mules into AT&T profited, the US government got the cost of its investigation covered by the $25M fine, and AT&T enjoyed 500k or so new subscribers on stolen phones and a tax write-down on the fine. The slap is to that people who had phones stolen get worthless “credit monitoring”, while FCC chair Tom Wheeler sprays perfume onto this steaming pile by claiming this is a victory for privacy – which implies the insiders actually stole personal information, rather than just transferring phone ownership. – AL

  2. Lay off my forensicators: In what appears to be another example of a company with too many lawyers, one company is sore another company hired a bunch of their people. MasterCard is suing Nike over former MC employees allegedly taking ‘proprietary’ network configurations to their new employer. But the hook in the suit is that some service providers were now working with Nike instead of MC. So apparently we are not in a free-market economy and service providers have become indentured servants to their clients. Bah. Too many damn lawyers. There has to be a better way to handle this. If they wanted to cut down employee churn, perhaps they could make it more interesting and attractive for employees to stick around. And there isn’t much you can do if an employee leaves, taking their multi-decade relationships with service providers. But when you have lawyers, evidently you need to lawyer up. – MR

  3. You’re the product: It’s not a question of whether your emails are tracked – Wired Magazine explains a browser tool to detect common email tracking elements, nicely illustrating that the only question is by whom and how many firms track each email you receive or send. It’s not uncommon to receive email with several trackers embedded – I get some with a half dozen. In some cases the trackers are added unbeknownst to the sender, instead tacked on by service providers. Most email providers earn money by tracking you, and every marketing manager running a ‘campaign’ demands to know not just who – but how – people are reading their precious content, so pretty much every email is tracked. Be it a browser or a dedicated mail tool, these email viewers don’t offer any insight into what’s being requested, by who, or how much data they pull out. Of course not, because that might interfere with their the ability to monetize you. The web pages you visit are far worse: even the Wired web page for that article serves fourteen trackers from sites you didn’t visit and which don’t serve the content you requested. They are solely to track what you do and how you do it, and that data is likely shared and resold yet again. The tools listed in this Wired article – such as UglyMail – lift just one veil obscuring the horrors underneath. If you really want to see – and control – what your email client and browsers transmit, get an outbound firewall to detect and filter. Remember, if you’re not paying, you’re the product. – AL

  4. Minority Security Report: One of the hot hot hot areas of security for 2015 is insider threat detection. These new security analytics tools look at a bunch of data and have means to determine when an employee is doing something that puts corporate data at risk. It turns out these technologies have been under development for a while for other use cases as well. For instance JP Morgan has a system that looks for signs that a trader is going to go rogue. Evidently they’ve profiled and found patterns that indicate an employee is going to do bad stuff. So they can then put the employee under watch. Is this a slippery slope? Yes and no. There is nothing wrong with monitoring an employee’s behavior if they show indicators of doing something bad for the organization. But how do you deal with false positives? And could the tools be used to curry favor for political purposes within the organization? I guess we should expect the equivalent of the Salem Witch Trials at some point. – MR

  5. Any time now: In 1999 I saw my first television ad proclaiming the amazing benefits of chip-based credit cards, and how they would protect customers and banks from fraud. It was the “Internet Age”, these cards looked Star Trek cool, and I wanted one. Too bad: My bank didn’t carry them. And even if they did, none of the merchants used the chip-based capabilities to counter card cloning. Fast forward to today, 16 frigging years later, and it’s still the same. My bank, sadly, still does not issue EMV-based credit cards. They do have a plan to roll them out, oh, sometime in 2016. So while I think it’s beyond pathetic that food retailers have asked for an extension on the EMV deadline – which shifts card fraud liability onto merchants who do not comply – I get it. It’s not just that they have been dragging their feet, but banks have been dragging as well. But honestly, the only way these cards can supplant magstripes in the US is for the card brands to not extend the deadline and to shift liability. When the financial incentive hits, we’ll see action. 16 years is enough warning. – AL

  6. Not a bad thing: Andreas Gal, Mozilla CTO, offers an interesting rant on limited access to Google search data available to other search engines. Over the last decade search engines have used user query data, more than crawling the Internet, to refine their own search results. Other search engines, ISPs, and telcos used to – ahem – collect user search data entered into Google and leverage that information. The crux of Andreas’ rant is that Google started encrypting its search strings, so only Google has access to user queries. But this is exactly what I want as a user – that the information I entrust ti Google not be shared. I want them to encrypt it and keep it to themselves. Further, this is part of Google’s moat, born from early technical advantages and the “network effect” of providing a service people really like, which is a good thing which Google earned. It requires other firms to innovate to attract users – and to do something unique or better before they can assail Google’s moat. Plus, I think Andreas missed that the embedded search bars in browsers like Firefox offer users a feature they do take advantage of: easy switching between search engines when they don’t like the results from their default option. Only vendors see this as a turf war; users see the value in both privacy and different results from different search tools. – AL

—Mike Rothman

Wednesday, April 01, 2015

Incite 4/1/2015: Fooling Time

By Mike Rothman

As we started recording the Firestarter Monday Rich announced the date. When he said “March 30”, it was kind of jarring. It’s March 30? How did that happen? Wasn’t it just yesterday we rang in the new year? I guess it was almost 90 yesterdays. Thankfully Rich cut me off as I went down the rabbit hole of wondering where the time went.

Hourglass

Every year is getting shorter, never seem to find the time
Plans that either come to naught or half a page of scribbled lines
Hanging on in quiet desperation is the English way
The time is gone, the song is over, thought I’d something more to say
– Pink Floyd, “Time”

Yup, I’m in one of those moods. You know, the mood where you are digging up Pink Floyd lyrics. Though it’s true – every year does seem to get shorter. It’s hard to find the time to do everything you want to. Everything you plan to. You can’t fool time, even on April Fool’s day. Time just keeps moving forward, which is what we all need to do.

I have become painfully aware of the value of time this year. It seems I have been in a cycle of work, run, yoga, travel, car pools, LAX games, and maybe a little sleep now and again. But when I pick my head up every so often, I see things changing. Right before my eyes. XX1 is no longer a little girl. She’s almost as tall as the Boss and is talking to me about getting her driver’s permit in 6 months. What? My little muncha driving? How can that be?

And people you know unexpectedly pass on. Many of us in the security community knew Michael Hamelin (@hackerjoe), and then over the holidays he was gone. Taken in a freak car accident. It makes you think about how you are using the short amount of time you have. I had a wave of inspiration and posted a few things on Twitter that day.

Tweets

I’m fortunate to be a mentor, advisor, and friend to lots of folks who come to me for advice and perspective. I talk about courage a lot with these people. The courage to be who you want to be, regardless of who you ‘should’ be. The courage to make changes, if changes are necessary. The courage to get beyond your comfort zone and grow. It’s not easy to be courageous.

Ticking away the moments that make up a dull day
Fritter and waste the hours in an off-hand way
Kicking around on a piece of ground in your home town
Waiting for someone or something to show you the way
– Pink Floyd, “Time”

Many people choose to just march through life, even if they aren’t happy or fulfilled, and that’s okay. But time will move on, regardless of what you decide to do, or not do. If you think things will change without you changing them, you aren’t fooling time. You are only fooling yourself.

–Mike

Photo credit: “hourglass_cropped“_ originally uploaded by openDemocracy


Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for. Check out the invite and then RSVP to rsvp (at) securosis.com so we know how much food to get…


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Better breach disclosure: I hate it when stuff I use gets breached. I have to change passwords and the like. It’s just a hassle. But it does provide a learning opportunity, if the pwned company will talk about what happened. The latest disclosure darling seems to be Slack. You know, the chat app everyone seems to use. Evidently they had an attacker in their user database and some private information was accessible. Things like email addresses and password hashes. Theor payment and financial information was apparently not accessible (segmentation FTW). Now they don’t know whether user data was actually accessed (but we need to assume it was). Nor do they have any proof passwords were decrypted. But at least they are candid about what they don’t know. And even better, they took action to address the issue. Like turning on two-factor authentication before it was quite ready. And providing a tool for an administrator to log everyone out of the system and force a password reset. As they learn more, we can only hope Slack shares more of the details of this attack. – MR

  2. The wisdom of retailers: Over the last decade I have been involved in two research projects to show how data breaches impacted firm’s brand value and stock prices. And yes, I worked for a security vendor at the time, who had a financial incentive to link them. What did I find? Nothing. The data was inconsistent, bu if anything it suggested breaches and company value were unrelated. Our own Gunnar Peterson has been tracking this topic for as long as I’ve known him, and based solely on stock price, finds that breached companies outperform the market. The Harvard Business Review has done many great case studies on firms that have been breached, going back at least to 2007, but I believe this is the first time the HBR has come out with reasons why data breaches don’t hurt stock prices. But does that mean those retailers with a laissez-faire approach to security were right all along? If breaches are “… an inevitability of doing business …”, does that mean firms should only invest in “cyber insurance” to help pay the costs of cleanup? – AL

  3. Darwin and the WAF: Brian McHenry of F5 calls for the death of WAF as we know it and even references some of Adrian’s and my research. And who says flattery gets you nowhere? Brian’s point is that WAF needs to evolve with the advent of DevOps and more agile development processes, because you can’t tune the WAF to keep up with every application change. He’s right, but it’s a bigger issue than just WAF. Though given Brian is in the WAF business, that is his focus. DevOps and cloud and mobility disrupt the game. You need to rethink security and data protection… or not. As Deming said, “It is not necessary to change. Survival is not mandatory.” It applies to pretty much everything. Technologies, but also processes. If those don’t evolve (and drag technology with it), you’ll be on the endangered species list. But don’t fret – you won’t be lonely. A lot of technologies, vendors and practitioners won’t be able to make the jump. Maybe there is a gig available for a front-end processor engineer. (Old school) – MR

  4. Grab the popcorn: Now that vendors have reassessed their approaches to mobile payments, subsequent to Apple Pay shaking things up, we see new payment products from every corner. Square announced the acquisition of Kili, giving them NFC capabilities. Now merchants using Square can support either card-swipe or NFC transactions. Vodafone will also standardize on NFC communication, but will deliver a SIM card that embeds a secure element to hold the encryption keys needed for secure payment on mobile devices. These secure elements are the preferred choice for carriers, because anyone who wants access must pay the carrier. Unsurprisingly, Visa and Mastercard recently announced they are backing the more open Host Card Emulation approach – effectively a virtual secure hardware element – but now Microsoft has also announced use of HCE for their new Tap To Pay offering on Windows phones. We went from a snail’s pace to hair-on-fire product delivery, which means we can expect implementation flaws and notable hacks during this vendor stampede for market share. – AL

  5. It’s a mobile app – what could possibly go wrong? You all know what a big fan of surveys I am, but sometimes the data makes a point worth making. Without less-than-rigorous math, that is. The Ponemonsters did a survey for IBM which analyzed mobile app security. Basically there isn’t much, which I’m sure is a shock to most of you. In another surprising turn, the rush to get mobile apps out there and to meet customer needs is forcing organizations to take security shortcuts. Really! I know you are shocked. Yes, I took my sarcasm pills today. If there is an upside it is that mobile OSes are inherently better protected than PCs. I did not say fully protected – just better protected. But this is a systemic issue. Why would mobile apps be much different than anything else? Companies feel pressure to ship, they take shortcuts, security suffers. Breach happens, company gets religion. Until next time they have to take a shortcut. Wash, rinse, repeat. And we needed a survey to tell us that? – MR

—Mike Rothman

Wednesday, March 25, 2015

Incite 3/25/2015: Playing it safe

By Mike Rothman

A few weeks back at BSidesATL, I sent out a Tweet that kind of summed up my view of things. It was prompted by an email from a fitness company with the subject line “Embrace Discomfort.” Of course they were talking about the pain of whatever fitness regimen you follow. Not me. To me, comfort is uncomfortable.

Comfort is uncomfortable

I guess I have always been this way. Taking risks isn’t risky from where I sit. In fact playing it safe feels dangerous. Of course I don’t take stupid risks and put myself in harm’s way. At least I don’t any more – now I have a family who depends on me. But people ask me how I have the courage to start new businesses and try things. I don’t know – I just do. I couldn’t really play it safe it I tried.

Not that playing it safe is bad. To the contrary, it’s a yin-yang thing. Society needs risk-takers and non-risk-takers. However you see yourself, make sure you understand and accept it, or it will not end well.

For instance some folks dream of being a swashbuckling entrepreneur, jumping into the great unknown with an idea and a credit card to float some expenses. If you are risk-averse that path will be brutal and disappointing. Even if the venture is successful it won’t feel that way because the roller coaster of building a business will be agonizing for someone who craves stability.

Risk Takers

Similarly if you put an entrepreneur into a big stable company, they will get into trouble. A lot of trouble. Been there, done that. That’s why it is rare to see true entrepreneurs stay with the huge companies that acquire them, after the retention bonuses are paid and the stock is vested. It’s just soul-crushing for swashbucklers to work in place with subsidized cafeterias and large HR departments.

I joked that it was time to leave META Group back in the mid-90s, when we got big enough that there were people specifically tasked with making my job harder. They called it process and financial controls. I called it bureaucracy and stupid paperwork. It didn’t work for me so I started my own company. With neither a subsidized cafeteria nor an HR department. Just the way I like it.

–Mike

Photo credit: “2012_05_050006 Road to Risk Takers Select Committees” originally uploaded by Gwydion M. Williams


Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for. Check out the invite and then RSVP to rsvp (at) securosis.com, so we know how much food to get…


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Endpoint Defense Essential Practices

Applied Threat Intelligence

Network Security Gateway Evolution

Newly Published Papers


Incite 4 U

  1. We’re hacking your stuff too, eh! All my Canadian friends are exceedingly nice. I’m sure many of you know our contributors from up North, Dave Lewis and James Arlen, and there aren’t any nicer people. They are cranky security people like the rest of us, but they somehow never seem cranky. It’s a Canadian thing. So when you hear about the Canadians doing what pretty much every other government is doing and hacking the crap out of all sorts of things, you say, “Eh? The Canadians? Really?” Even better, the Canadians are collaborating with the NSA to use social engineering and targeted attacks to “garner foreign intelligence or inflict network damage.” The spinmeisters were spinning hard about the documents being old, blah blah blah. Maybe they need a little Rob Ford action in the cyber department to give us the real low-down. But you know what? I’m sure they were very polite guests and left everything exactly as they found it. – MR

  2. He had me at Manifesto: I love a good manifesto. Nothing gets the blood moving like a call to arms, to rally the troops to do something. My friend Marc Solomon of Cisco advocates for CISOs to write their own manifestoes to get the entire organization thinking about security. I’m not sure how you make security “a growth engine for the business”, but a lot of his other aspirations are good. Things like security must be usable, transparent, and informative. Yup. And security must be viewed as a “people problem,” which really means that if you didn’t have all these pesky employees you would have far fewer security problems. Really it’s a sales document. You (as CISO) are selling the security mindset to your organization, and that is a manifesto worth writing. – MR

  3. E-DDoS coming to a cloud near you: One of the newer attack vectors I highlighted in our denial of service research a couple years ago was an economic denial of service. An adversary can hammer a cloud-based system, driving costs up to the victim’s credit limit. No more credit, no more cloud services. I guess that’s the cloud analogue to “No shoes, no shirt, no dice.” [Dude)…] It seems someone in China doesn’t like that some website allows connectivity to censored websites, so they are blasting them with traffic, costing $30,000/day in cloud server costs. These folks evidently have a lot of credit with Amazon and haven’t been forced to shut down. Yet. Aside from the political reality an attack like this represents, it is a clear example of another more diabolical type of attack. A DDoS that knocks your stuff down may impact sales, but not costs. This kind of attack hits you below the belt: right in the wallet. – MR

—Mike Rothman

Wednesday, March 18, 2015

Incite 3/18/2015: Pause

By Mike Rothman

It’s been over a month since I wrote an Incite. It’ is the longest period of downtime since I joined Securosis. I could talk about my workload, which is bonkers right now. But over the years I’ve written the Incite regardless of workload. I could talk about excessive travel, but I haven’t been traveling nearly as much as last year. I could come up with lots of excuses, but as I tell my kids all the time, “I’m not in the excuses business.”

Here’s the reality: I needed a break. I have plenty to write about, but I found reasons not to write. There is a ton of stuff going on in security, so there were many interesting snippets I let fly right on by. But I didn’t write it, and I didn’t really question it. What I needed was what my Tao teacher calls a pause.

Hit the pause button

You could need a pause for lots of reasons. Sometimes you have been running too hard for too long. Sometimes you need to change things up a bit because the status quo makes you unhappy. Sometimes you need some space to recalibrate and figure out what you want to do and where you want to go. Of course, this could be for very little things, like writing the Incite every week. Or very big things. But without taking a pause, you don’t have the space to make objective decisions.

You are reading this, so obviously I am writing the Incite. So during my pause, it became clear that the Incite is an important part of what I do. But it’s bigger than that. It’s an important part of who I am. I have shared the good and the not so good through the years. I have met people who tell me they have experienced what I write about, and it’s helpful for them to commiserate – even if it’s virtual. Some tell me they learn through my Incites, and there is nothing more flattering. But it’s not why I write the Incite.

I write the Incite for me. I always have. It’s a journal of sorts representing my life, my views, and my situation at any given time. Every so often I go back a couple years and read my old stuff. It reminds me of what things were like back then. It’s useful because I don’t spend much time looking backwards. It’s interesting to see how different I am now. Some people journal in private. I do that too. But I have found my public journal is important to me.

The pause is over. I’m pushing Play. In the coming months there will be really cool stuff to share and some stuff that will be hard to communicate. But that’s life. You take the good and the bad without judgement. You move forward. At least I do. So stay tuned. The next few months are going to be very interesting, for so many reasons.

–Mike

Photo credit: “Pause? 272/265” originally uploaded by Dennis Skley


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Cracking the Confusion

Applied Threat Intelligence

Network Security Gateway Evolution

Newly Published Papers


Incite 4 U

(Note: Don’t blame Rich or Adrian for the older Incite… They got me stuff on time – it just took me a month to post it. You know, that pause I talked about above.)

  1. There are no perfect candidates… There is no such thing as perfect security, so why would there be perfect security candidates? Our friend Andy Ellis, CISO of Akamai, offers a refreshing perspective on recruiting security professionals. Andy focuses on passion over immediate competence. If a person loves what they do they can learn the rest. I think that’s great, especially given the competition for those with the right certifications and keywords on their CVs. Andy also chooses to pay staffers fairly instead of pushing them to find other jobs as their skills increase. Again, very smart given the competition for security staff. The #1 issue we hear from CISO types, over and over, is the lack of staff / recruiting challenge. So you need to find folks in places others aren’t looking, and invest in them – knowing a few will leave for greener pastures at some point. That’s all part of the game. – MR

  2. No love: Another encryption vendor got rolled up recently, with Voltage security acquired by HP. But before you lose your train of thought, with jokes about how HP is where tech companies go to die – yeah, we heard a lot of that in the last 24 hours – note this is occurring with encryption firms of all sizes. In case you missed it, Porticor was acquired by Intuit the week before the HP/Voltage deal. And before that, Safenet to Gemalto, Entrust to Datacard, and Gazzang went to Cloudera. You would think selling data encryption in the age of data breaches would be like giving ice cream to kids on a hot day, but the truth is selling is hard because implementing it is hard. Customers view encryption as a commodity, with one AES variant the same as every other, and complain bitterly about cost and key management headaches. Encryption platforms have matured steadily over the last 10 years, and continually evolved to include format preserving encryption, tokenization, transparent encryption, dynamic masking, key storage, and management, all while integrating with storage systems, apps, applications, cloud services and ‘big data’. The trend is clearly to bake data encryption in, but innovation and growing demand for data security mean this market is far from settled. – AL

  3. Bring Your Own Key: I’m a big fan of the cloud, and of encryption, which is why I’m excited to see Box announce their new Enterprise Key Management product. First a little full disclosure: I have known about this for a while and I done some work with Box (which was not a secret). That said, it isn’t like I get paid more if anyone buys the service from them. I’ve been on record for a few years as not a fan of proxy-based encryption for cloud computing. Shoving an appliance (or service) between your users and the cloud platform so you can encrypt a few fields seems like a kludge prone to breaking application functionality. But almost no providers allow customers to manage their own encryption in a way that can protect against misuse by the provider (or snoops, criminal or government). Box’s EKM enables customers to control their own encryption keys, but all the actual work happens within Box. This reduces the likelihood the application will break. It isn’t necessarily completely subpoena proof, but there is no way for anyone besides you to see your data unless you release the key. Amazon is one of the only other cloud providers supporting customer managed keys, and I really hope this trend grows. But as Mike says, “Hope is not a strategy”, so vote with your dollars if you want more customer-controlled cloud key management. – RM

  4. Vulnerability management, still kicking…: I have voiced my disappointment with the fact that modern product reviews are consistently cursory, and rarely useful for procurement decisions. That doesn’t stop folks like SC Mag from continuing to review products, like their recent Vulnerability Management review. Yes, vulnerability management is still a thing – even if Gartner doesn’t think so anymore. That being said, the major players in the market are changing direction, and they all seem to be going in different directions. One is climbing the stack, another focused on identity, a third morphing into a services driven shop, and yet another preoccupied with executive level dashboards. And yes, they all still scan your stuff and generate long reports of stuff you’ll never get to. Same old, same old. Although as you are looking to renew your product and/or service, it makes sense to actually learn about the longer term strategy of your chosen vendor to ensure it still aligns with what you need. If not, make a change since it’s not like all of the vendors can’t scan your stuff. – MR

  5. Smart cards, disrupted: It’s happening again; the threat of EMV cards. The Smart Card Alliance position is the liability shift for not using EMV will push adoption within mass merchants, while Visa representatives claim 525 million cards will be in the ‘ecosystem’ by the end of 2015. Bull$#!*. For the sake of round numbers say there are about 300 million US citizens – minus those under 18 – which would require each US adult to get two Chip and PIN cards over the next 10 months. Even if the US government issues an ID for every citizen, that milestone is not going to happen. Nor will merchants move fast enough with new terminals to support the cards. I understand the smart card industry’s angst – EMV needs to move or be get over in the US. Apple Pay basically virtualized Chip and PIN for payments, simultaneously showing consumers a model for health and ID cards pushed into mobile devices with less cost and pain. It’s not a new idea by any stretch, but Apple upended a bunch of firms who were positioning for the future. As Apple does from time to time. – AL

  6. Eye of Sauron: Big breaches happen, and no matter what anyone tells you they aren’t going way… ever. The goal of your security program is to minimize the potential damage because it can’t be eliminated. Even with all the high-profile breaches, there’s a lack of motivation for companies, even in regulated industries, to protect their data. Everyone ignored the HIPAA security requirements for years and years, until HITECH put baby teeth in place. But heck, with entirely too many friends still in healthcare, even that threat isn’t enough to be a true catalyst for action. So I’m always interested in events that change the economics of security. Like one of the biggest insurance markets taking a close look at insurer cybersecurity. Nothing may happen here – it isn’t like Elliot Spitzer is back in charge, kicking ass and (er… spanking… no… not going to say it) taking names (no mention of black books either…), but it only takes a couple state regulators in the right markets to move the needle and drive change. – RM

—Mike Rothman

Wednesday, February 04, 2015

Incite 2/4/2015: 30x32

By Mike Rothman

It was a pretty typical day. I was settled into my seat at Starbucks writing something or other. Then I saw the AmEx notification pop up on my phone. $240.45, Ben Sherman, on the card I use for Securosis expenses. Huh? Who’s Ben Sherman? Pretty sure my bookie’s name isn’t Ben. So using my trusty Google fu I saw they are a highbrow mens clothier (nice stuff, BTW). But I didn’t buy anything from that store.

My well-worn, “Crap. My card number got pwned again.” process kicked in. Though I was far ahead of the game this time. I found the support number for Ben Sherman and left a message with the magic words, “blah blah blah fraudulent transaction blah blah,” and amazingly, I got a call back within 10 minutes. They kindly canceled the order (which saved them money) and gave me some details on the transaction.

AmEx on my phone

The merchandise was evidently ordered by a “Scott Rothman,” and it was to be shipped to my address. That’s why the transaction didn’t trigger any fraud alerts – the name was close enough and the billing and shipping addresses were legit. So was I getting punked? Then I asked what was ordered.

She said a pair of jeans and a shirt. For $250? Damn, highbrow indeed. When I inquired about the size that was was the kicker. 30 waist and 32 length on the jeans. 30x32. Now I’ve dropped some weight, but I think the last time I was in size 30 pants was third grade or so. And the shirt was a Small. I think I outgrew small shirts in second grade. Clearly the clothes weren’t for me. The IP address of the order was Cumming, GA – about 10 miles north of where I live, and they provided a bogus email address.

I am still a bit perplexed by the transaction – it’s not like the perpetrator would benefit from the fraud. Unless they were going to swing by my house to pick up the package when it was delivered by UPS. But they’ll never get the chance, thanks to AmEx, whose notification allowed me to cancel the order before it shipped. So I called up AmEx and asked for a replacement card. No problem – my new card will be in my hands by the time you read this.

The kicker was an email I got yesterday morning from AmEx. Turns out they already updated my card number in Apple Pay, even though I didn’t have the new card yet. So I could use my new card on my fancy phone and get a notification when I used it.

And maybe I will even buy some pants from Ben Sherman to celebrate my new card. On second thought, probably not – I’m not really a highbrow type…

–Mike


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Applied Threat Intelligence

Network Security Gateway Evolution

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. It’s about applying the threat intel: This post on the ThreatConnect blog highlights an important aspect that may get lost in the rush to bring shiny threat intelligence data to market. As lots of folks, notably Rick Holland and yours truly, have been saying for a while. It’s not about having the data. It’s about using it. The post points out that data is data. Without understanding how it can be applied to your security program, it’s just bits. That’s why my current series focuses on using threat intel within security monitoring, incident response, and preventative controls. Rick’s written a bunch of stuff making similar points, including this classic about how vendors always try to one-up each other. I’m not saying you need (yet another) ‘platform’ to aggregate threat intel, but you definitely need a strategy to make the best use of data within your key use cases. – MR

  2. Good enough: I enjoyed Gilad Parann-Nissany’s post on 10 Things You Need To Know about HIPAA Compliance in the Cloud as generic guidance for PHI security in the cloud. But his 10th point really hits the mark: HIPAA is not feared at all. The vast majority of HIPAA fines have been for physical disclosure of PHI, not electronic. While a handful of firms go out of their way to ensure their cloud infrastructure is secure (which we applaud), they aren’t doing security because of HIPAA. Few cloud providers go beyond encrypting data stores (whatever that means) and securing public network connections, because that’s good enough to avoid major fines. Sometimes “good enough” is just that. – AL

  3. 20 Questions: Over the years I have been management or, at Gartner, part of a hiring committee at various times. I have not, however, had to really interview for most of my jobs (at least not normal interviews). The most interesting situation was the hiring process at the FBI. That interview was so structured that the agents had to go through special training just to give it. They tested me not only on answering the questions, but answering them in the proper way, as instructed at the beginning, in the proper time window. (I passed, but was cut later either due to budget reductions at the time, or some weirdness in my background. Even though I eliminated all witnesses, I swear!). But I have always struggled a bit a getting technical hires right, especially in security. The best security pros I know have broad knowledge and an ability to assimilate and correlate multiple kinds of information. I really like Richard Bejtlich’s hiring suggestion. Show them a con video, and have them explain the ins and outs and interpret it. That sure beats the programming tests I used when running dev shops because it gives you great insight into their thought process and what they think is important. – RM

  4. Mixed results: IBM is touting a technology called Identity Mixer as a way for users to both conceal sensitive attributes of their identity, and as a secure content delivery mechanism. But this approach is really Digital Rights Management – which essentially means encryption. This approach has been tried many times for both content delivery and user data protection. The issue is that when allowing a third party to decrypt or access any protected data, the data must be decrypted and removed from its protection. If you use this technology to deliver videos or music it is only as secure as the users who access the data. This approach works well enough for DirecTV because they control the hardware and software ecosystem, but falls apart in conventional cases where the user controls the endpoint. Similarly, sharing encrypted data and keys with a third party defeats the point. – AL

  5. Follow the money: I thought about calling this one “Protection racket”, but even the CryptoLocker guys actually unlock your stuff when you pay them, as promised. It turns out the AdBlock Plus folks take money from Microsoft, Google, and Amazon to allow their ads through. The company’s business model is built on whitelisting ‘good’ ads that comply with their policies (which often includes payment to the AdBlock Plus developers). And they do acknowledge this on their site. That change was made around the end of January 2014 (thank you, Internet Archive). I get it, everyone needs to make money, and not all ads are bad. Many good sites rely on them, although that’s a rough business. I would actually stop blocking most ads if they would stop tracking me even when I don’t click on them. But a business model like this is dangerous. A company becomes beholden to financial interests which don’t necessarily align with its users’. That’s one reason I have been so excited by Apple seeing privacy of customer data as a competitive advantage – as much as companies commit to grand ideals (such as “Don’t be evil.”), it sure is easier to stick to them when they help you make piles of money. – RM

  6. Hack your apps (before the other guys do): This has been out there for a while, but it’s disturbing nonetheless. Marriott collected lots of private information about customers, which isn’t a problem. Unless that information is accessible via a porous mobile app – as it was. I know many organizations take their mobile apps seriously, treating them just like other Internet-facing assets in terms of security. It may be a generalization but that last statement cuts both ways. Organizations that take security seriously do so on any customer-facing technology – with security assessments and penetration tests. And those that don’t… probably don’t. Just understand that mobile apps are a different attack vector, and we will see different ways to steal information. So hack your own apps – otherwise an adversary will. – MR

—Mike Rothman

Wednesday, January 28, 2015

Incite 1/28/2015: Shedding Your Skin

By Mike Rothman

You are constantly changing. We all are. You live, you learn, you adapt, you change. It seems that if you pay attention, every 7-9 years or so you realize you hardly recognize the person looking back at you from the mirror. Sometimes the changes are very positive. Other times a cycle is not as favorable. That’s part of the experience. Yet many people don’t think anything changes. They expect the same person year after year.

I am a case in point. I have owned my anger issues from growing up and my early adulthood. They resulted in a number of failed jobs and relationships. It wasn’t until I had to face the reality that my kids would grow up in fear of me that I decided to change. It wasn’t easy, but I have been working at it diligently for the past 8 years, and at this point I really don’t get angry very often.

Done with this skin says the snake

But lots of folks still see my grumpy persona, even though I’m not grumpy. For example I was briefing a new company a few weeks ago. We went through their pitch, and I provided some feedback. Some of it was hard for them to hear because their story needed a lot of work. At some point during the discussion, the CEO said, “You’re not so mean.” Uh, what? It turns out the PR handlers had prepared them for some kind of troll under the bridge waiting to chew their heads off.

At one point I probably was that troll. I would say inflammatory things and be disagreeable because I didn’t understand my own anger. Belittling others made me feel better. I was not about helping the other person, I was about my own issues. I convinced myself that being a douche was a better way to get my message across. That approach was definitely more memorable, but not in a positive way. So as I changed my approach to business changed as well. Most folks appreciate the kinder Incite I provide. Others miss crankypants, but that’s probably because they are pretty cranky themselves and they wanted someone to commiserate over their miserable existence.

What’s funny is that when I meet new people, they have no idea about my old curmudgeon persona. So they are very surprised when someone tells a story about me being a prick back in the day. That kind of story is inconsistent with what they see. Some folks would get offended by hearing those stories, but I like them. It just underscores how years of work have yielded results.

Some folks have a hard time letting go of who they thought you were, even as you change. You shed your skin and took a different shape, but all they can see is the old persona. But when you don’t want to wear that persona anymore, those folks tend to move out of your life. They need to go because don’t support your growth. They hold on to the old.

But don’t fret. New people come in. Ones who aren’t bound by who you used to be – who can appreciate who you are now. And those are the kinds of folks you should be spending time with.

–Mike

Photo credit: “Snake Skin” originally uploaded by James Lee


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Applied Threat Intelligence

Network Security Gateway Evolution

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. Click. Click. Boom! I did an interview last week where I said the greatest security risk of the Internet of Things is letting it distract you from all of the other more immediate security risks you face. But the only reason that is even remotely accurate is because I don’t include industrial control systems, multifunction printers, or other more traditional ‘things’ in the IoT. But if you do count everything connected to the Internet, some real problems pop up. Take the fuel gauge vulnerability just released by H D Moore/Rapid 7. Scan the Internet, find hundreds of vulnerable gas stations, all of which could cause real-world kinetic-style problems. The answer always comes back to security basics: know the risk, compartmentalize, update devices, etc. Some manufacturers are responsible, others not so much, and as a security pro it is worth factoring this reality into your risk profile. You know, like, “lightbulb risk: low… tank with tons of explosive liquid: high”. – RM

  2. How fast is a fast enough response? Richard Bejtlich asks a age-old question. How quickly should incidents be responded to? When he ran a response team the mandate was detection and mitigation in less than an hour. And this was a huge company, staffed to meet that service level. They had processes and tools to provide that kind of response. The fact is you want to be able to respond as quickly as you are staffed. If you have 2 people and a lot of attack surface, it may not be realistic to respond in an hour. If senior management is okay with that, who are you to argue? But that’s not my pet peeve. It’s the folks who think they need to buy real-time alerts when they aren’t staffed to investigate and remediate. If you have a queue of stuff to validate from your security monitors, then getting more alerts faster doesn’t solve any problems. It only exacerbates them. So make sure your tools are aligned with your processes, which are aligned with your staffing level and expertise. Or see your alerts fall on the floor, whether you are a target or not. – MR

  3. Positive reviews: What do you do if you think the software you’re using might have been compromised by hostile third parties? You could review the source code to see if it’s clean. It’s openness that encouraged enterprises to trust non-commercial products, right? But what if it’s a huge commercial distribution, and not open source? If you are talking about Microsoft’s or Apple’s OS code, not only is it extremely tough (like, impossible) to get access, but any effort to review the code would be monstrous and not feasible. In what I believe is unprecedented access, China has gotten the okay to search Apple’s software for back doors to give them confidence that no foreign power has manipulated the code. But this won’t be limited to code – it includes an investigation of build and delivery processes as well, to ensure that substitutions don’t occur along the way. A likely – and very good – outcome for Apple (given the amount of business they do in China), and the resulting decreased pressure from various governments to insert backdoors into the software. – AL

  4. Sec your aaS: One weird part of our business that has cropped up in the past year is working more with SaaS companies who actually care about security. Some big names, many smaller ones, all realizing they are a giant target for every attacker. But I’d have to say these SaaS providers are the minority. Most just don’t have money in the early stages (when it’s most important to build in security) to drop the cash for someone like me to walk in the door. So I enjoyed seeing Bessemer Venture Partners publish a startup security guide. More VCs and funds should provide this kind of support, because their investment goes poof if their companies suffer a major data loss. Or, you know, hire us to do it. – RM

  5. You fix it: It’s shocking that Chip and PIN cards, a technology proven to drastically reduce fraud rates in dozens of other countries, have not been widely adopted in the US. But it’s really sad when the US government beats the banks to market: The US is rolling out Chip and PIN cards for all federal employees this year to promote EMV compliant cards and usage in the US. Chips alleviate card cloning attacks and PINs thwart use of stolen cards. In the EU adoption of Chip and PIN has virtually eliminated card-present fraud. But the people who would benefit the most – banks – don’t bear the costs of deploying and servicing Chip and PIN; issuers and merchants do. So each party acts in its own best interest. Leading by example is great, but if the US government wanted to really promote Chip and PIN, they would help broker (or mandate) a deal among these stakeholders to fix the systemic problem. – AL

  6. Same problem. Different technology… During his day job as a Gartner analyst, Anton gets the same questions over and over again. Both Rich and I know that situation very well. He posted about folks now asking for security analytics, but really wonders whether they just want a SIEM that works. That is actually the wrong question. What customers want are security alerts that help them do their jobs. If their SIEM provided it they wouldn’t be looking at shiny new technologies like big data security analytics and other buzzword-friendly new products. Customers don’t care what you call it, they care about outcomes – which is that they have no idea which alerts matter. But that’s Vendor 101: if the existing technology doesn’t solve the problem, rename the category and sell hope to customers all over again. And the beat goes on. Now back on my anti-cynicism meds. – MR

—Mike Rothman

Wednesday, January 21, 2015

Incite 1/21/2015: Making the Habit

By Mike Rothman

Over halfway through January (already!), how are those New Year’s resolutions going? Did you want to lose some weight? Maybe exercise a bit more? Maybe drink less, or is that just me? Or have some more fun? Whatever you wanted to do, how is that going?

If you are like most the resolutions won’t make it out of January. It’s not for lack of desire, as folks that make resolutions really want to achieve the outcomes. In many cases the effort is there initially. You get up and run or hit the gym. You decline dessert. You sit with the calendar and plan some cool activities.

Good habits are hard to break too...

Then life. That’s right, things are busy and getting busier. You have more to do and less to do it with. The family demands time (as they should) and the deadlines keep piling up. Travel kicks back in and the cycle starts over again. So you sleep through the alarm a few days. Then every day. The chocolate lava cake looks so good, so you have one. You’ll get back on the wagon tomorrow, right?

And then it’s December and you start the cycle over. That doesn’t work very well. So how can you change it? What is the secret to making a habit? There is no secret. Not for me, anyway. It’s about routine. Pure and simple. I need to get into a routine and then the habits just happen.

For instance I started running last summer. So 3 days a week I got up early and ran. No pomp. No circumstance. Just get up and run. Now I get up and freeze my ass off some mornings, but I still run. It’s a habit. Same process was used when I started my meditation practice a few years back. I chose not to make the time during the day because I got mired in work stuff. So I got up early. Like really early. I’m up at 5am to get my meditation done, then I get the kids ready for school, then I run or do yoga. I have gotten a lot done by 8am.

That’s what I do. It has become a routine. And a routine enables you to form a habit. Am I perfect? Of course not, and I don’t fret when I decide to sleep in. Or when I don’t meditate. Or if I’m a bit sore and skip my run. I don’t judge myself. I let it go.

What I don’t do is skip two days. Just as it was very hard to form my habits of both physical and mental practice, it is all too easy to form new less productive habits. Like not running or not meditating. That’s why I don’t miss two days in a row. If I don’t break the routine I don’t break the habit.

And these are habits I don’t want to break.

–Mike

Photo credit: “Good, Bad Habits” originally uploaded by Celestine Chua


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. Doing attribution right… Marcus kills it in this post on why attribution is hard. You need to have enough evidence, come up with a feasible motive, corroborate the data with other external data, and build a timeline to understand the attack. But the post gets interesting when Marcus discusses how identifying an attacker based upon TTPs might not work very well. Attackers can fairly easily copy another group’s TTPs to blame them. I think attribution (at least an attempt) can be productive, especially as part of adversary analysis. But understand it is likely unreliable; if you make life and death decisions on this data, I don’t expect it to end well. – MR

  2. The crypto wars rise again: Many of you have seen this coming, but in case you haven’t we are hitting the first bump on a rocky road that could dead end in a massive canyon of pain. Encryption has become a cornerstone of information security, used for everything from secure payments to secure communications. The problem is that the same tools used to keep bad guys out also keep the government out. Well, that’s only a problem because politicians seem to gain most of their technical knowledge from watching CSI: Cyber. In the past couple weeks both Prime Minister Cameron in the UK and President Obama have made public statements that law enforcement should have access to encrypted content. The problem is that there is no technically feasible way to provide ‘authorized’ access without leave encryption technology open to compromise. And since citizens in less… open… countries use the same tech this could surrender any pretense of free speech in those areas as well. The next few years will be messy, and could very well have consequences even for average security Joes. There isn’t much we can do, but we sure need to pay attention, especially those of you on the vendor side. I know, not the funnest Incite of the week, but… sigh. – RM

  3. Nobody cares: If my credit card number is stolen I don’t bear the costs of the fraud and I am usually issued a new card within days to replace the old one. Lord knows I need to keep making card purchases, and nothing will stand in the way of commerce! So other than having to update the dozen web sites that require autopay why would I care about my card being stolen? The only answer I can discern is neurosis. Though apparently I am not alone – Brian Krebs’ How Was Your Credit Card Stolen? discusses the most common ways these numbers are harvested. My Boy Scout sense of fair play has prompted me in the past to put in the work to understand the fraud chain – twice – only to face subsequent frustration when neither local law enforcement nor the card brands cared. So, holiday shoppers, checking your credit statements is about all you can do to help. – AL

  4. More CISO perspective: I have been hammering on CISO-level topics for the past few weeks because folks still want to climb the ladder to get the big title (and paycheck). That’s fine, so I’ll keep linking to tips from folks in the field about how to sit in the top security seat. And then I’ll pimp the PragmaticCSO. Gary Hayslip provides some decent perspective on his 5-step process for the CISO job. It starts with “walk about” and then goes through inventory/assessment, planning, and communication. Seems pretty pragmatic to me. I like the specific goal of walking around for a certain amount of time every day. That’s how you keep the pulse of the troops. The requirements of the CISO job are pretty straightforward. Executing on them successfully? That’s a totally different ballgame. – MR

  5. Soft core payments: Google is reportedly looking to buy Softcard, presumably in an effort to kickstart their stalled mobile payment efforts. Google found that “If you build it they will come” only applies to bad Hollywood scripts – anyone can write a mobile ‘digital wallet’ app, but without cooperation from the rest of the ecosystem you won’t get far. The banks, payment processors, and (just as important) mobile carriers all have a stake in mobile payments, and will get their pound of flesh. For years the carriers have been unwilling to allow others to use the embedded “secure element” on phones for payments unless they got a transaction fee, which meant either pay the carrier tax or go home. Details are slim but Softcard is a carrier-owned business so apparently Google would get a carrier-approved interface to devices and the business relationships needed to make their payment app relevant again. – AL

  6. Bait bike: I’m a cyclist. Bicycle theft is a pretty big business, especially in cities and college towns. In the past few years some police departments have started planting GPS-enabled bait bikes in areas to catch the bad guys. They have done the same thing with cars, but it’s probably easier to plant a bike. That’s why I’m amused by the hackers for hire site. Need someone to break into your ex’s Facebook account? Steal that customer list? Just come on down to Billy Bob’s Trusted Hackers! Send us what’s left of your Bitcoin and we’ll hook you up with the most professional script kiddie in our network! Look, this probably isn’t a bait site, but now that it’s in the New York Times, what are the odds the FBI or Interpol isn’t already scanning the database, tracking clients, and prepping cases? We all know how this story is going to end: with jail time. – MR

—Mike Rothman