Bacon as a yardstick: This year will see the 6th annual Securosis Disaster Recovery Breakfast, and I am measuring attendance in required bacon reserves. Jillian’s at the Metreon has been a more than gracious host each year for the event. But when we order food we (now) do it in increments of 50 people. At the moment we are ordering bacon for 250, and we might need to bump that up! We have come a long way since 2009, when we had about 35 close friends show up, but we are overjoyed that so many friends and associates will turn out. Regardless, we expect a quiet, low-key affair. It has always been our favorite event of the week because of that. Bring your tired, your hungry, your hungover, or just plain conference-weary self over and say ‘Howdy’. There will be bacon, good company, and various OTC pharmaceuticals to cure what ails you.

Note from Rich: Actually we had a solid 100 or so that first year. I know – I had to pay the bill solo.


Big Spin: More and more firms are spinning their visions of big data, which in turn makes most IT folks’ heads spin. These visions look fine within a constrained field of view, but the problem is what is left unsaid: essentially the technologies and services you will need but which are not offered – and which vendors don’t talk about. Worse, you have to filter through non-standard terminology deployed to support vendor spin – so it’s extremely difficult to compare apples against apples. You cannot take vendor big data solutions at face value – at this early stage you need to dig in a bit. But to ask the right questions, you need to know what you probably don’t yet understand. So the vendor product demystification process begins with translating their materials out of vendor-speak. Then you can determine whether what they offer does what you need, and finally – and most importantly – identify the areas they are not discussing, so you can discover their deficiencies. Is this a pain in the ass? You betcha! It’s tough for us – and we do this all day, for a living. So if you are just learning about big data, I urge you to look at the essential characteristics defined in the introduction to our Securing Big Data Clusters paper – it is a handy tool to differentiate big data from big iron, or just big BS.


Lying in wait: I have stated before that we will soon stop calling it “big data”, and instead just call these platforms “modular databases”. Most new application development projects do not start with a relational repository – instead people now use some form of NoSQL. That should be very troubling to any company that derives a large portion of its revenue from database sales. Is it odd that none of the big three database vendors has developed a big data platform (a real one – not a make-believe version)? Not at all. Why jump in this early when developers are still trying to decide whether Couch or Riak or Hadoop or Cassandra or something else entirely is best for their projects? So do the big three database vendors endorse big data? Absolutely. To varying degrees they encourage customer adoption, with tools to support integration with big data – usually Hadoop. It is only smart to play it slow, lying in wait like a giant python, and later swallow the providers that win out in the big data space. Until then you will see integration and management tools, but very tepid development of NoSQL platforms from the big relational players. Yes, I expect hate mail on this from vendors, so feel free to chime in.


Hunter or hunted? On the Securosis internal chat board we were talking about open security job positions around the industry. Some are very high-profile meat grinders that we wouldn’t touch with asbestos gloves and a 20’ pole. Some we recommend to friends with substantial warnings about mental health and marital status. Others not at all. Invariably our discussion turned to the best job you never took: jobs that sounded great until you got there – firms often do a great job of hiding dirty laundry until after you come on board. Certain positions provide a learning curve for a company: whoever takes the job, no matter how good, fails miserably. Only after the post-mortem can the company figure out what it needs and how to structure the role so it works out. Our advice: be careful and do your homework. Security roles are much more difficult than, say, programmer or generic IT staffer. Consult your network of friends, seek out former employees, and look at the firm’s overall financial health for some obvious indicators. Who held the job before you, and what happened? And if you get a chance to see Mike Rothman present “A day in the life of a CISO”, check it out – he captures the common pitfalls in a way that will make you laugh – or cry, depending on where you work.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

  • Dave Lewis: When hacking isn’t.
  • David Mortman: Tesla Hires Hacker Kristin Paget to, Well, Secure Some Things.
  • Mike Rothman: Your relationship with the future. Philosopher king Seth Godin says you need to make a choice. Focus efforts on folks who hope for a better tomorrow, or those who pine for the “good old days”. I tend to look to the future, but I am working on that right now. It’s hard but worth it…
  • Mike Rothman (apparently has two favorites this week): 6 Pieces of Advice from Successful Writers. You are a writer. Whether you get paid to write (like us) or not, you have to document something. There are some good tips for breaking through blocks and writing to make your points.
  • Adrian Lane: DRM in the real world. Cory Doctorow’s very good discussion of the “copy protection” side of Digital Rights Management (DRM) issues, and some very astute observations on how they relate to security. Keep in mind that DRM is much more than just copy protection. And Bruce Lehman’s regulatory framework may have been bonkers, but its roots went back to the Xanadu project many years before – people wanted huge compensation to go along with wide distribution.
  • Gunnar: BlackBerry laughs at Samsung’s Knox security struggles. The fact that Knox does not run on the majority of Samsung devices – much less all Android devices – is a major problem. And it is sad if your leading feature is supposed to be security, but you don’t have enough to sell your product.
  • Rich: American businesses are holding credit card security back. You will hear more from us on this soon. Pathetic.

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

This week’s best comment goes to Dwayne Melancon, in response to Firestarter: Mass Media Abuse.

One note that is odd: I get a “you don’t have javascript enabled” warning when I “Submit” from this page (and it is enabled on this browser), but it works if I go to Preview, then Submit. Just FYI.

I get that too – have not figured it out yet. Especially considering we don’t use JavaScript on the site so it must be something with the video player. Thanks, and we are working on it!

Note from Rich: That’s part of our anti-spam attempts. Not that it seems to stop much spam.
