The last time I took 2 weeks off was probably 20 years ago. As I write that down, it makes me sad. I’ve been running pretty hard for a long time. Even when I had some forced vacations (okay, when I got fired), I took maybe a couple days off before I started focusing on the next thing. Whether it was a new business or a job, I got consumed by what was next almost immediately. I didn’t give myself any time to recharge and heal from the road rash that accumulated from one crappy job after another.

Even when things are great, like the past 6 years working with Rich and Adrian, I didn’t take a block of time off. I was engaged and focused and I couldn’t wait to jump into the next thing. So I would. I spent day after day during the winter holidays as the only person banging away at their laptop at the coffee shop while everyone else was enjoying catching up with friends over Peppermint Mocha lattes.


I rationalized that I could be more productive because my phone wasn’t ringing off the hook and I wasn’t getting my normal flow of email. There wasn’t much news being announced and my buddies weren’t blogging at all. So I could just bang away at the projects I didn’t have time for during the year. Turns out that was nonsense. I was largely unproductive during winter break. I read a lot, spent time thinking, and it was fine. But it didn’t give me a chance to recharge because there was no separation.

The truth is I didn’t know how to relax. Maybe I was worried I wouldn’t be able to start back up again if I took that much time away. It turns out the projects that didn’t get done during the year didn’t get done over break because I didn’t want to do them. So they predictably dragged on through winter break and then into the next year.

That changed this year. I’m just back from two weeks pretty much off the grid. I took a week away with my kids. We went to Florida and checked out a Falcons game in Jacksonville, the Kennedy Space Center in Cape Canaveral, and Universal Studios in Orlando. We were able to work in some family time in South Florida for Xmas before heading back to Atlanta. I stayed on top of email, but only to respond to the most urgent requests. All two of them. I didn’t bring my laptop, so if I couldn’t take care of it on my iPad, it wasn’t getting done.

Then I took a week of adult R&R on the beach in Belize. I’m too cheap to pay for international cellular roaming, so my connectivity was restricted to when I could connect to crappy WiFi service. It was hard to check email or hang out in our Slack room during a snorkeling trip or an excursion down the Monkey River. So I didn’t. And the world didn’t end. The projects that dragged through the year didn’t get done. But they weren’t going to get done anyway and it was a hell of a lot more fun to be in Belize than a crappy coffee shop pretending to work.

I came back from the time off recharged and ready to dive into 2016. We’ve got a lot of strategic decisions to make as the technology business evolves towards cloud-everything and we have to adapt with it. I don’t spend a lot of time looking backwards and refuse to judge myself for not unplugging for all those years. But I’ll tell you, there will be more than one period of time where I’ll be totally unplugged in 2016. And I’ll be a hell of a lot more focused and productive when I return.


Photo credit: “Recharging Danbo Power” from Takashi Hososhima

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.

Securosis Firestarter
Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Dec 8 – 2015 Wrap Up and 2016 Non-Predictions
Nov 16 – The Blame Game
Nov 3 – Get Your Marshmallows
Oct 19 – re:Invent Yourself (or else)
Aug 12 – Karma
July 13 – Living with the OPM Hack
May 26 – We Don’t Know Sh–. You Don’t Know Sh–
May 4 – RSAC wrap-up. Same as it ever was.
March 31 – Using RSA
March 16 – Cyber Cash Cow
March 2 – Cyber vs. Terror (yeah, we went there)
February 16 – Cyber!!!
February 9 – It’s Not My Fault!
January 26 – 2015 Trends
January 15 – Toddler
Heavy Research
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building a Threat Intelligence Program
Success and Sharing
Using TI
Gathering TI
Network Security Gateway Evolution
Recently Published Papers
Threat Detection Evolution
Building Security into DevOps
Pragmatic Security for Cloud and Hybrid Networks
EMV Migration and the Changing Payments Landscape
Applied Threat Intelligence
Endpoint Defense: Essential Practices
Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications
Security and Privacy on the Encrypted Network
Monitoring the Hybrid Cloud
Best Practices for AWS Security
The Future of Security
Incite 4 U
Cloud vs. on-prem. Idiotic discussions continue: Do me a favor and don’t read this article trying to get to the bottom of whether the public cloud or on-prem is more secure. It’s an idiotic comparison because it depends on way too many factors to make a crass generalization. Period. You can architect a public cloud environment that is more secure than an environment built on-prem. But for a different use case you could make a case for the converse. It’s not about the environment an application and technology stack is built and run in, it’s about how it’s architected and how it takes advantage of the native capabilities of each option. We believe (and are making pretty significant corporate bets) that a public-cloud environment can be more secure than something built on-prem. But it depends, and we cannot wait until everyone is doing their innovative work in the cloud, so we can discuss how to make the public cloud as secure as possible, instead of whether it’s more secure than something else. – MR

In front of our eyes: Volkswagen was discovered to have modified diesel vehicles’ engine management software to reduce emissions temporarily, during the emissions testing process. Think about it for a minute: millions of vehicles were tested each year, by trained techs with tools and software designed to audit vehicle emissions, and yet software designed to circumvent the audits went undetected for years. While that story has nothing to do with security per se, the ‘attack’ used to bypass the test (and therefore the certification process), and the third-party discovery, is a story we see played out over and over with IT breaches. When you have a sophisticated and motivated adversary, they will be aware of (and work around) your defenses and assessment techniques. A single static test with an unquestioned binary response does not cut it. Think about that the next time you are looking to catch fraud or look for compromised systems in a complicated environment. – AL

The invisible malware: With all of the innovation happening around malware detection, it’s getting easier to detect attacks, right? Yeah, not so much. Turns out it’s getting harder. As Dark Reading described, the newly discovered Latentbot uses so much obfuscation it’s largely invisible to current-generation detection tools. It’s a good thing China isn’t hacking so much (according to FireEye’s last earnings call anyway) because that gives researchers plenty of time to find cool botnets. And it’s interesting to learn how this new malware injects code multiple times, never stays installed for too long, and exploits devices at multiple levels to ensure persistent access and control over them. Yeah, it is clear you can’t stop attacks like this, so focusing on detecting lateral movement and exfiltration is your best option for finding pwned devices. – MR

Banking on irrelevance: SSL and (to a lesser extent) TLS 1.0 have a handful of known vulnerabilities and weaknesses, depending on how they are deployed. The PCI Council previously required firms to update before the end of 2015, but recently the Council pushed its mandatory migration date from SSL to TLS out to June 2018. Because, well, the big retailers pulling the PCI-DSS strings couldn’t get there in time. Attackers have bags full of tricks for attacking these older protocols and accessing the network sessions they were designed to protect. It’s not clear how the Council decided pushing back the date two and a half years made any sense, but since they don’t mandate end-to-end encryption and pass card data in clear text, you are probably thinking “What is the point?” And from a PCI assessment perspective, if Apple Pay, Samsung Pay, and the like continue to gain acceptance, in three years payment tokens will likely make most of current PCI compliance irrelevant. But sometimes compliance drives needed change, and migrating to TLS 1.2 will be beneficial to data security. At some point, if it ever happens. – AL
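Before a migration deadline like the one above, the practical question is how much of your traffic still negotiates SSL or pre-1.2 TLS. This is an added example (not from the Securosis post) that answers that from per-session TLS logs; the log format and the sample lines are constructed, modeled on what a web server emits when you log the negotiated protocol and cipher, and the field names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, not real traffic: one line per TLS session, in the
# assumed form "<timestamp> <client ip> <protocol> <cipher> <path>".
SAMPLE_LOG = """\
2015-12-28T10:01:02Z 203.0.113.5 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 /checkout
2015-12-28T10:01:07Z 203.0.113.9 TLSv1 ECDHE-RSA-AES128-SHA /checkout
2015-12-28T10:02:11Z 198.51.100.4 SSLv3 RC4-SHA /checkout
2015-12-28T10:02:15Z 203.0.113.9 TLSv1 ECDHE-RSA-AES128-SHA /api/pay
2015-12-28T10:03:40Z 203.0.113.5 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 /api/pay
2015-12-28T10:04:01Z 192.0.2.77 TLSv1.1 AES256-SHA /checkout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<proto>\S+) (?P<cipher>\S+) (?P<path>\S+)$"
)

# Everything below the TLS 1.2 migration target discussed in the post.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_sessions(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def legacy_report(log_text):
    """Summarise dependence on pre-TLS1.2 protocols.

    Returns (sessions per protocol, {client: set of legacy protocols used},
    fraction of sessions that used a legacy protocol).
    """
    by_proto = Counter()
    legacy_clients = defaultdict(set)
    total = 0
    for s in parse_sessions(log_text):
        total += 1
        by_proto[s["proto"]] += 1
        if s["proto"] in LEGACY_PROTOCOLS:
            legacy_clients[s["client"]].add(s["proto"])
    legacy = sum(n for p, n in by_proto.items() if p in LEGACY_PROTOCOLS)
    share = legacy / total if total else 0.0
    return by_proto, dict(legacy_clients), share


if __name__ == "__main__":
    counts, clients, share = legacy_report(SAMPLE_LOG)
    print(dict(counts), clients, f"{share:.0%} legacy sessions")
```

Run it against a real export of your own session logs (after adjusting `LINE_RE`) to get the per-client list that tells you who breaks when you disable the old protocols.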

The few, the proud, the cyber: It’s good to see the military continuing to invest in cyber capabilities. The Army National Guard is standing up new cyber units to help do surveillance and recon of the nation’s adversaries. Ho hum, right? Actually it’s interesting because the National Guard may be able to get access to security professionals otherwise gainfully employed by commercial entities. It’s a big sacrifice to do security for military pay, when commercial organizations have totally different pay scales. But being able to help out (via the National Guard) could be a good alternative for patriotic folks who want commercial jobs. – MR