Every so often I realize how spoiled I am. Sure, I am more aware of my good fortune than many, but I definitely take way too much stuff for granted. My health is good. I do what I like (most days). My family still seems to like me. I provide enough to live a pretty good lifestyle. It’s all good. I don’t have much to complain about.
The fact that one of my biggest problems is that my favorite NFL teams are a combined 3-10 is a good thing, right? You get spoiled when your favorite teams are competitive at the end of the season and usually make the playoffs. New England fans know what I mean. So do Pittsburgh and Baltimore fans. When the team doesn’t perform up to expectations (like this year’s Falcons), it’s jarring. You dream of Super Bowl fairies in August, then lose half your starting team to injuries, and by October you are making alternative plans for Divisional weekend.
So when the NY football Giants got their first win on Monday night, I heaved a major sigh of relief. Having watched a bunch of their games, I had legitimate concerns that they wouldn’t win a game all season. Seeing them beat up hapless Minnesota didn’t really allay my fears too much. The G-men aren’t a very good football team right now, and face a significant rebuild over the next few years.
Oh well, that’s the way it goes in the NFL. In baseball and basketball, the soft salary cap just means owners have to pay a tax to buy a competitive team. And that’s what some owners do year in and year out. But that’s not an option in the NFL. The cap is the cap, and that means tough decisions are made. Great players are let go. And what goes up for a little while (usually on the shoulders of a franchise QB) inevitably comes down. Parity is great, until your team is on the wrong side.
It will be interesting to see how teams with younger QBs – like the 49ers, Seahawks, Redskins, and Colts – manage their salary caps once their QBs start getting $20MM a year and eating up 15-20% of the cap. These teams can stock up now on expensive players while their QBs are cheap, but won’t be able to in 2-3 years. They will need to make tough decisions. What goes up, eventually comes down. At least in the NFL.
Then there are teams that don’t seem to ever come up. Jacksonville hasn’t been competitive for a decade. Detroit has been to the playoffs once in like 20 years. St. Louis is in the same boat. And I won’t even mention Cleveland. These long-suffering fans should be applauded for showing up and being passionate, even where there isn’t much to cheer about.
So I’ll keep the faith. I know all NFL teams have off years, and my teams do things the right way to produce winning seasons more often than losing ones. I’ll let go of the Super Bowl fairy this year, and I’ll be able to enjoy the rest of the season with reasonable expectations. Which is probably how I should be treating each new season anyway. Nah, forget that. Without chasing the Super Bowl fairy, what fun is it?
–Mike
Photo credit: “IZ NOT AKKCIDENT” originally uploaded by Aaron Muszalski
Heavy Research
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.
Security Awareness Training Evolution
Defending Against Application Denial of Service
Newly Published Papers
- Firewall Management Essentials
- Continuous Security Monitoring
- API Gateways
- Threat Intelligence for Ecosystem Risk Management
- Dealing with Database Denial of Service
- Identity and Access Management for Cloud Services
- The 2014 Endpoint Security Buyer’s Guide
- The CISO’s Guide to Advanced Attackers
Incite 4 U
- If business users don’t care… We are screwed as an industry. Daniel Miessler works through a thought experiment, wondering what would happen if business users realized that getting hacked doesn’t necessarily affect company value. Wouldn’t it be logical from a shareholder perspective to minimize security spend and maximize profit? To be clear, lots of organizations already do this, but I doubt it as a conscious decision not to be secure. Daniel evaluates Apple, Adobe, and the granddaddy of high-profile breaches, TJX – and finds no negative impact from those breaches. Awesome, but we already knew that in a recession people choose cheap underwear over security. It is an interesting concept, and over the long term I believe the impact of breaches is far overblown. But what about in the short term? I’m not sure market value is the best determinant of short-term value – it’s a long-term metric. Instead I would rather try to understand the impact on short-term revenue. Do customers defer deals or reduce spending in the immediate aftermath of a breach? That would be a much more interesting analysis. And I guess we should say a few thank-yous to China and compliance, which are still the engines driving security. – MR
- Techno two-fer: I have taken to calling big data the new normal for databases. One architectural theme I see over and over again for security analysis is the two-headed cluster: Hadoop for analytics and Cassandra/Splunk/Mongo for fast references or lookup. Consider this today’s take on normalization and correlation. Rajat Jain has a very good illustration of this concept with Lambda Architecture for batch data, which balances fast lookup against historic views of data. A batch layer – often Hadoop – computes views on your data as it comes in, and a second parallel high-speed processing layer – in this case Storm – constantly processes the most recent data in near-real-time. This enables the system to accommodate two distinct use cases, with each underlying cluster optimized for its specific task. But this is the first time I have seen such disparate query engines merge results, which will be helpful from a security standpoint. They make it possible to retrieve suspicious event data and all the temporal drill-down data with a single query. Spiffy. – AL
- Malware on higher ed networks? Thanks, Captain Obvious! To push their secure DNS services in the education market, the folks at OpenDNS did an analysis that showed higher education networks are 300% more likely to contain malware. Can you hear the collective grunt from all the folks in those institutions tasked with protecting those networks? Talk about a job you can’t win. The customers are students, and you can’t tell them no. They are BYOD, by definition. Research is performed in an open and collaborative fashion, so there is no perimeter. Oh, and even if you train everybody to be smart, in 4 years most of them will be gone and you will have a brand-new set of teenagers to deal with. You can only hope to catch the infection before it spreads too far. Will blocking malware at the network layer help? I’d say yes, but discussing higher ed networks as if they should be expected to be clean is, well… uneducated. – MR
- An art of work: This trend toward infographics as a means to spin security news into picture format so you don’t need to think too much, needs to stop. But what is even worse than an infographic? An animated infographic! Google released just such a thing with their Digital Attack Map with which I believe they are trying to paint a picture of where digital attacks come from and where their targets reside. If you stand back and don’t read the fine print it almost looks like useful data! Alas, if you do read the text you learn that more than half the time we only know half the picture, and some of the time we know none of the picture. The rest is a rounding error. I think Slate has it right: the only reason you spend time and money on a tool like this is that you have an agenda to push. Well, that and a latent desire to turn data into abstract impressionism. – AL
- Put on your White Hat for safer browsing: Kudos to our friends at WhiteHat Security, who introduced the Aviator browser this week. It is initially available for OS X (when was the last time you heard of a general purpose web app available for Macs before Windows?), but they will have Windows and Linux versions if the beta checks out. Basically they turned on the security that most current browsers have off by default. They aren’t beholden to ad networks (like some other browsers, ahem, Chrome), so they can block tracking and the like. And some of the savviest web security folks we know use it religiously. I am just glad they finally put it out there so we can use it too. I have already downloaded it, and will be checking it out for the rest of the week. – MR
Reader interactions
2 Replies to “Incite 10/23/2013: What goes up…”
Dear Sir:
Good morning and hope all is well within your respective zone….
Please Note: The view point that little business value is lost when hacked is a valid point….as the business pick themselves up and push on…..yet there is one gentle aside, what happens ten years down the road when the regulators come calling asking questions….about the poor behavior and/or lack of regulatory due diligence in protecting truth, justice and the American creed, (aka: share holders money/value)….? Well for some folks, making bad decisions may take awhile to become an expensive part of doing business in America….re: the PCAOB’s recent disciplinary action, yesterday, Oct. 22nd, 2013….it makes for interesting reading, when you can’t get to sleep at night….
Respectfully yours,
Pw
Re: If business users don’t care…
We’ve known for years (or should have known if we read the research) that security breaches don’t impact stock value. This is a trap many security folks find themselves in because they don’t understand their business, or business at all, so they use the most obvious and coarse metric of business impact.
I’d say “so what?”
HP wrote off $3.3B a few years ago from their WebOS debacle. And yes, their stock took a hit from this and other bad decisions, but it is recovering and in all likelyhood in 5 years this will be a blip on a stead upward trend (unless markets tank generally). If they do recover their value, does that mean they shouldn’t be dilligent in their investments?
The impact from a breach is complex and cannot be measured by one factor. There are fines and penalties. There are negative perceptions which can be leveraged against you (I can’t say how many sales calls I got from RSA competitors after their breach), there is lost productivity from having to divert resources to deal with customer complaints, there is lost focus on strategy while execs try to deal with the press requests and client enquires.
RSA’s breach cost around 100M if you believe the press. This is 100M not spent on developing new products or landing new customers, but instead spent preserving their base and protecting SecureID. This is not 100M well spent.
If you don’t understand the breadth of breach impacts in business terms, you’ll never be able to defend the value security has. Daniel Miessler’s blog is just FUD used against us rather than for us. An overly simple analysis with little value.