The Friday summary is our chance to talk about whatever, and this week I am going to do just that. This week’s introduction has nothing to do with security, so skip it if you are offended by such things.
I am a fan of basketball – despite being too slow, too short, and too encumbered by gravity to play well. Occasionally I still follow my ‘local’ Golden State Warriors despite their playoff-less futility for something like 19 of the last 20 years. Not like I know much about how to play the game, but I like watching it when I can. Since moving to Phoenix over 8 years ago it’s tough to follow, but friends were talking last summer about the amazing rookie season performance of Stephen Curry and I was intrigued. I Googled him to find out what was going on and found all the normal Bay Area sports blogs plus a few independents – little more than random guys talking basketball-related nonsense. But one of them – feltbot.com – was different. After following the blog for a while an amazing thing happened: I noticed I could not stomach most of the mainstream media coverage of Warriors basketball. It not only changed my opinion on sports blogs, but cemented in my mind what I like about blogs in general – to the point that it’s making me rethink my own posts.
The SF Bay Area has some great journalists, but it also has a number of people with great stature who lack talent, or the impetus to use their talent. These Bay Area personalities offer snapshots of local sports teams and lots of opinions, but very little analysis. They get lots of air but little substance. Feltbot – whoever he is – offers plenty of opinions, just like every other Bay Area sports blogger. And he has lots of biases, but they are in the open, such as being a Don Nelson fanboi. But his opinions are totally contrary to what I was reading and hearing on the radio. And he calls out everyone, from announcers to journalists, when he thinks they are off the mark. What got me hooked was him going into great detail on why – including lots of analysis and many specific examples to back up his assertions. You read one mainstream sports blog that says one thing, and another guy who says exactly the opposite, and then goes into great detail as to why. And over the course of a basketball season, what seemed like outlandish statements in week one were dead on target by season’s end.
This blog is embarrassing many of the local media folk, and downright eviscerating a few of them – making them look like clueless hacks. I started to realize how bad most of the other Bay Area sports blogs were (are); they provide minimal coverage and really poor analysis. Over time I have come to recognize the formulaic approach of the other major media personalities. You realize that most writers are not looking to analyze players, the coach, or the game – they are just looking for an inflammatory angle. Feltbot’s stuff is so much better than the other blogs I have run across that it makes me feel cheated. It’s like reading those late-career James Patterson novels where he is only looking for an emotional hook rather than trying to tell a decent story.
For me, feltbot put into focus what I like to see in blogs – good analysis. Examples that illustrate the ideas. It helps a basketball noob like me understand the game. And a little drama is a good thing to stir up debate, but in excess it’s just clumsy shtick. Sometimes it takes getting outside security to remind me what’s important, so I’ll try to keep that in mind when I blog here.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian’s Dark Reading post: DAM Market Observation.
- Mort cited for talking about cloud security at Bsides.
- Rich and Mike covered on the Tripwire blog.
- Rich quoted on SearchSecurity.
Favorite Securosis Posts
- Rich: Always Assume. This is a post I did a while back on how I think about threat/risk modeling. In a post HBGary world, I think it’s worth a re-read.
- Mike Rothman: What No One Is Saying about That Big HIPAA Fine. Sometimes you just need to scratch your head.
- Adrian Lane: FireStarter: Risk Metrics Are Crap. Yeah, it was vague in places and intentionally incendiary, but it got the debate going. And the comments rock!
Other Securosis Posts
- On Science Projects.
- Random Thoughts on Securing Applications in the Cloud.
- Network Security in the Age of Any Computing: the Risks.
- Incite 3/2/2011: Agent Provocateur.
- React Faster and Better: Index.
- React Faster and Better: Piecing It Together.
Favorite Outside Posts
- Rich: Numbers Good. Jeremiah’s been doing some awesome work on web stats for a while now, and this continues the trend.
- Mike Rothman: Post-theft/loss Response & Recovery With Evernote. We need an IR plan for home as well. Bob does a good job of describing one way to make filing claims a lot easier.
- Adrian Lane: Network Security Management-A Snapshot. Really nice overview by Shimmy!
Project Quant Posts
- NSO Quant: Index of Posts.
- NSO Quant: Health Metrics–Device Health.
- NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
- NSO Quant: Manage Metrics–Deploy and Audit/Validate.
- NSO Quant: Manage Metrics–Process Change Request and Test/Approve.
Research Reports and Presentations
- The Securosis 2010 Data Security Survey.
- Monitoring up the Stack: Adding Value to SIEM.
- Network Security Operations Quant Metrics Model.
- Network Security Operations Quant Report.
- Understanding and Selecting a DLP Solution.
- White Paper: Understanding and Selecting an Enterprise Firewall.
- Understanding and Selecting a Tokenization Solution.
- Security + Agile = FAIL Presentation.
Top News and Posts
- Alleged WikiLeaker could face death penalty.
- SMS trojan author pleads guilty.
- NIST SHA-3 Status Report.
- Robert Graham Predicts Thunderbolt’s an Open Gateway.
- Malware infects more than 50 Android apps.
- Thoughts on Quitting Security.
- Gh0stMarket operators sentenced.
Blog Comment of the Week
Fine, Mike, I won’t disappoint.
“BTW, I’m not taking a dump on all aspects of quantification. I’ve always been a big fan of security (as opposed to risk) metrics.”
In the end, the only difference between a “risk” metric and a “security” metric is the fact that there are loss distributions involved. And those loss distributions are actually the EASIEST ones to develop in terms of meaning.
So ultimately, I guess your head is so far up there that you might actually be seeing daylight.