Gunnar Peterson posted a presentation a while back on how being an investor makes him better at security, and conversely how being in security makes him better at investing. It’s a great concept, and my recent research on different investment techniques has made me realize how amazing his concept is. Gunnar’s presentation gets a handful of the big ideas (including defensive mindset, using data rather than anecdotes to make decisions, and understanding the difference between what is and what should be) right, but actually under-serves his concept – there are many other comparisons that make his point. That crossed my mind when reading An Investor’s Guide to Famous Last Words.
Black Swan author Nassim Taleb: “People focus on role models; it is more effective to find antimodels – people you don’t want to resemble when you grow up.”
The point in the Fool article is to learn from others’ mistakes. With investing mistakes are often very public, and we share them as examples of what not to do. In security, not so much. Marcus Ranum does a great presentation called the Anatomy of The Security Disaster, pointing out that problem identification is ignored during the pursuit of great ideas, and blame-casting past the point of no return is the norm. I have lived through this sequence of events myself. And I am not arrogant enough to think I always get things right – I know I had to screw things up more than once just to have a decent chance of not screwing up security again in the future. And that’s because I know many things that don’t work, which – theoretically anyway – gives me better odds at success. This is exactly the case with investing, and it took a tech collapse in 2001 to teach me what not to do. We teach famous investment failures but we don’t share security failures. Nobody wants the shame of the blame in security.
There is another way investing makes me better at security and it has to do with investment styles, such as meta-trending, day trading, efficient market theory, cyclic investing, hedging, shorting, value investing, and so on. When you employ a specific style you need to collect specific types of data to fuel your model, which in turn helps you make investment choices. You might look at different aspects of a company’s financials, industry trends, market trends, political trends, social trends, cyclic patterns, the management team, or even disasters and social upheaval as information catalysts. Your model defines which data is needed. You quickly realize that mainstream media only caters to certain styles of investing – data for other styles is only a tiny fraction of what the media covers. Under some investment styles all mainstream investment news is misleading BS. The data you don’t want is sprayed at you like a fire hose because those stories interest many people. We hear about simple and sexy investment styles endlessly – boring, safe, and effective investment is ignored.
Security practitioners, do you see where I am going with this?
It is very hard to filter out the noise. Worse, when noise is all you hear, it’s really easy to fall into the “crap trap”. Getting good data to base decisions on is hard, but bad data is free and easy. The result is to track outside of your model, your style, and your decision process. You react to the BS and slide toward popular or sexy security models or products – that don’t work. It’s frightfully easy to do when all anyone talks about are red herrings.
Back to Gunnar’s quote… Know what you don’t want your security model to be. This is a great way to sanity check the controls and processes you put into place to ensure you are not going down the wrong path, or worrying about the wrong threats.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian’s Dark Reading post: What’s the threat?
- Rich’s Dark Reading post: Security Losses Remain Within Range of Acceptable
- Adrian’s research paper: Securing Small Databases.
- Mike’s upcoming webcast: I just got my WAF, Now What?
Favorite Securosis Posts
- Mike Rothman: Securing Big Data: Operational Security Issues. This stuff looks a lot like the issues you face on pretty much everything else. But a little different. That’s the point I take away from this post and the series. Yes it’s a bit different, and a lot of the fundamentals and other disciplines used through the years may not map exactly, but they are still useful.
- Adrian Lane: Incite: Cash is King. How many startups have I been at that hung on the fax machine at the end of every quarter? How many sales teams have I been with where “the Bell” only rang the last three days of a quarter? Good stuff.
- Rich I’m picking my Dark Reading post this week. It stirred up a bit of a Twitter debate, and I think I need to write more on this topic because I couldn’t get enough nuance into the initial piece.
Other Securosis Posts
- New Series: Understanding and Selecting Identity Management for Cloud Services.
- Endpoint Security Management Buyer’s Guide Published (with the Index of Posts).
- Securing Big Data: Operational Security Issues.
Favorite Outside Posts
- Mike Rothman: DDoS hitmen for hire. You can get anything as a service nowadays. Even a distributed denial of service (DDoS). I guess this is DDoSaaS, eh?
- Adrian Lane: Think differently about database hacking. Lazlo Toth and Ferenc Spala’s DerbyCon presentation shows how to grab encryption keys and passwords from OCI clients. A bit long, but a look at hacking Oracle databases without SQL injection. Yes, there are non-SQL injection attacks, in case you forgot. Will we see this in the wild? I don’t know.
- Rich: Antibiotic Resistant security by Valsmith. What he’s really driving at is an expansion of monoculture and our reliance on signature-based AV, combined with a few other factors. It’s a very worthwhile read. The TL;DR version is that we have created an environment where the only things that get in are the ones we can neither detect nor stop, at least using our current toolset and mindset.
Project Quant Posts
- Malware Analysis Quant: Index of Posts.
- Malware Analysis Quant: Metrics – Monitor for Reinfection.
- Malware Analysis Quant: Metrics – Remediate.
- Malware Analysis Quant: Metrics – Find Infected Devices.
- Malware Analysis Quant: Metrics – Define Rules and Search Queries.
Research Reports and Presentations
- The Endpoint Security Management Buyer’s Guide.
- Pragmatic WAF Management: Giving Web Apps a Fighting Chance.
- Understanding and Selecting Data Masking Solutions.
- Evolving Endpoint Malware Detection: Dealing with Advanced and Targeted Attacks.
- Implementing and Managing a Data Loss Prevention Solution.
Top News and Posts
- Google, publishers settle book-scanning dispute. Not security, but a Digital Rights Management squabble resolved.
- FTC Takes On Scareware Marketers, Court Imposes $163M Judgment.
- DDoS attacks on major US banks are no Stuxnet–here’s why.
- Sandia builds massive Android network to study security, more.
- HBR on Big Data.
- Information, not Hope, is the Key to Surviving DDoS attacks.
- Reported White House Hack Attack.
- DHS Issued False ‘Water Pump Hack’ Report; Called It a ‘Success’.
- In a Zero-Day World, It’s Active Attacks that Matter.
Blog Comment of the Week
Hi Mike, one small correction for you:
“Likewise the RefRef attack leverages SQL injection to inject a rogue .js file on a server, which then hammers a backend database into submission with seemingly legitimate traffic originating from an application server.” That’s what RefRef was supposed to do and was hyped to the press as “giving a beast a carrot then watching it choke to death on that carrot” (paraphrased). In the end, there was no RefRef and security researchers now figure it was all a hoax to get R&D donation money.
The only code that was released was refref.pl which uses the MySQL benchmark function to execute a particular query numerous times. It’s similar to SQL Injection attack but the goal is to create a large workload on the database server instead of extracting information out of the database.