Since I’m on the East Coast of the US, when the ball drops in Times Square that’s it. The old year is done. The new year begins. With some of Dublin’s finest coursing through my veins, I get a little nostalgic. I don’t think about years in terms of “good” or “bad” anymore – instead I realize that 2013 is now merely a memory that will inevitably fade away.

The new year brings a time of renewal. A time to thoughtfully consider the possibilities of the coming 12 months because 2014 is a blank slate. Not exactly blank because my responsibilities didn’t disappear as the ball descended – nor have yours. But we have the power to make 2014 whatever we want. That’s exciting to me. I don’t fear change, I embrace change. Which is a good thing because change always comes every year without fail. You grow. You evolve. You change.

I can’t wait to try new stuff. As Rich said in Thank You, we will do new things in 2014. Some of the will work, and some won’t. I don’t have the foggiest idea which will fall into each category. Uncertainty makes some folks uncomfortable. Not me. The idea of a certain future is not interesting at all. That would mean not getting an unexpected call to work on something that could be very very cool. But I also might not get any calls at all. You just don’t know. And that’s what makes it exciting.

I can’t wait to learn new things. About technology,because security continues to evolve quickly, which means that if you sit still you are actually falling behind. I am also learning a lot about myself, which is kind of strange for a guy in his mid-40s, but it’s true. In researching the Neuro-Hacking talk I’m doing with JJ at RSA, I am adding to my current practices to improve as a person.

Like everyone else, I find that being reminded of my ideals helps keep them at the forefront of my mind. So over the holiday, I treated myself to a few Hugh McLeod prints to hang in my office. The first is called Abundance and the quote on the picture is: “Abundance begins with gratitude.” It’s true. I need to remain thankful for what I have. That appreciation and a dedication to helping others will keep me on a path to achieve bigger things.

The other is One Day is Dead, which is a reminder to make the most of every day and focus on living right now. This has been a frequently theme in my writing lately and will remain. I write the weekly Incite for me as much as for anyone else. It is a public journal of my thoughts and ideas each week. I also spent some time looking back through some of the archives, and it’s fascinating to see how I have changed over the past few years.

But not half as fascinating as imagining how much I’ll change over the next few. So I jump into 2014 with both feet. Happy ReNew Year.


Photo credit: “Renewing shoe” originally uploaded by Adam Fagen

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Security Management 2.5: You Buy a New SIEM Yet?

Advanced Endpoint and Server Protection

What CISOs Need to Know about Cloud Computing

Newly Published Papers

Incite 4 U

  1. FireEye’s Incident Response Play: Of course the one day I decide to take vacation over the holidays, the FireEye folks buy Mandiant for a cool billion-ish. Lots of folks have weighed in on the deal already so I won’t repeat their analysis. Clearly FireEye realizes they need to become more than just a malware detection box/service, because only a broad network security platform player could provide the revenue to support their current valuation. Obviously this won’t be their last deal. Were there other things they could have bought for less money that would have fit better? Probably. But Mandiant brings a ton of expertise and a security brand juggernaut to FireEye. Was it worth $1 BILLION? That depends on whether you think FireEye was worth $5 billion before the deal, because the price was mostly in FireEye stock, which is, uh, generously valued. The question is whether forensics (both services and products) has become a sustainable mega-growth segment of security. That will depend on whether the technology becomes simple enough for companies without a dedicated forensics staff to use. It ain’t there yet. – MR
  2. Me Too: It’s Tuesday as I write this, right after Mike harassed me to get my Incites in. I open up Pocket to check out what stories I have collected over the past couple weeks. Number four on my list is a post by Luke Chadwick on how his Amazon Web Services account was hacked when he accidentally left his Access Keys in some code he published online. That seems strangely familiar. It seems bad guys are indeed scraping online code repositories to find cloud service keys and then use them for mining Litecoins. It also seems even security-aware developers and analysts like myself, despite our best efforts, can mess up and accidentally make life easy for attackers. I encapsulated my lessons in my post, but the thing I learned all of two minutes ago is that I should read my saved stories on a more timely basis. Facepalm. Again. (Oh, and you had darn well better make sure you find out what your developers are up to. Luke and I can’t be the only ones making this error, and this attack is clearly automated). – RM
  3. Statute of Limitations: It seems Martin McKeay will still be going to the RSA Conference. I will be there too. Though it seems that an increasing number of echo chamber inhabitants (Security Twitterati) are pulling out of their speeches. As I said rather strongly in our video Firestarter on Monday, good riddance! Whether these folks are making an ethical stand or grandstanding for PR to address self-esteem issues, it’s all the same to me. If these folks think they know the truth, I posit they are wrong. It appears nobody has actually seen the RSA/NSA contract. But those are just pesky details, right? There is a statute of limitations in the US for everything besides murder and crimes against a court, of between 1 and 7 years. This stuff happened maybe 10+ years ago. But those with RSA speaking slots are welcome exercise their brand of armchair justice and choose not to speak at the conference. Although how many of those folks will show up in SF that week anyway? Business stops for no one, not even the NSA… – MR
  4. The Blind Leading the Uninterested: Darren Platt makes a great observation in his post The Long Tail of appears thatSSO. SaaS providers are slow to enable SAML and other standards-based tools for identity federation. But SaaS providers don’t care about Single Sign-On – what they care about is that their customers can access their services. Their customers drive the market, and all their customers want to make it easy for their users, and it’s users who ask for Single Sign-On. SAML and standards-based identity solutions are not how they think about solving the problem – that is just technical jargon to them. Worse, it’s new technology, which carries its own stigma for IT professionals. No, IT is not looking for something new – they want what they already have to work with SaaS, so they ask their current IAM provider, “Can you get me to the cloud?” And their vendor gets them there, with what they sell today, which means replicating LDAP to the SaaS provider. There are very good reasons we want to take a fresh approach to identity for cloud services, and the standards-based approaches solve a lot of problems. But we have not yet reached a tipping point for demand yet – customers will have to fail with replication before they consider something new. – AL
  5. McAfee’s Last Stand: At first it was beneficial to keep the McAfee brand when Intel acquired McAfee a few years back. Intel had no security credibility so they relied on McAfee’s longstanding brand to gain a foothold in security. Well the eponymous John McAfee’s continuing branding exercise has become just too painful for Intel. So they are rebranding everything to Intel Security. Of course John McAfee wouldn’t fade quietly into the night, so he bombed Intel with one last slight for good measure. He was quoted on the BBC: “I am now everlastingly grateful to Intel for freeing me from this terrible association with the worst software on the planet. These are not my words, but the words of millions of irate users.” You have to hand it to the guy, – he is pretty funny. – MR
  6. A Matter of Perspective: Voltage’s blog carried an interesting discussion of The State of the Art in Key Cracking, looking at the economics of setting up systems to ‘brute-force’ encryption keys. There are a couple missing points I want to raise. First, we don’t always do brute force analysis of keys, which is what is being done here with DES keys. There are techniques to accelerate cracking keys and the software only gets better with time. Second, not all implementations of Triple DES use the more secure scheme with three distinct keys – most only use two, and some terminals use a single for all three phases, which is no more secure than plain old DES. Finally, criminals are not going to pay for a machine like this. They will use stolen credit cards to spin up cloud instances, or swipe AWS credentials from guys like us – this approach may not be as fast as dedicated hardware, but there are more resources at their fingertips, and someone else pays the bill! I think the point of the post is that despite the hype about the NSA and RSA, keys are pretty secure. Which is true, if you are an ordinary individual, for now. Enterprises probably shouldn’t make the same assumption. Just understand that if an organization with significant resources puts the crosshairs on you, they can and will break your stuff (including your encryption keys). So draw conclusions based on context, as always. – AL
  7. Side-channel Consumerization: I don’t use Snapchat so I wasn’t personally affected when hackers exposed data on 4.6 million accounts using a vulnerability that was reported and ignored. That one doesn’t worry me too much compared to services like Mailbox or Sunrise that link into your mail, calendar, and other services to provide enhanced calendars. You know, the sort of thing that is very appealing to worker types juggling way too much data without proper context – including me. But if you read the privacy and security policies of these services, they come down to “trust us, we use SSL.” And it’s not like these companies have access to a huge amount of your organization data. Wait, oops, they do. What is not well understood is that sending data to these services (consumer focused or not) present a far bigger risk than someone using an iPhone. These companies need to grow up, and I sure hope you have policies to govern and technology to monitor their use. – RM