Incite 10/5/2011: Time waits for no one
By Mike Rothman
Time is a funny thing. You don’t really think about it until it’s running out. Deadlines. Mortality. It’s all the same. Time just sneaks up on you, and then it’s gone. Yeah, I’m a little nostalgic this week because my birthday is Friday. And yes, there is some fodder for you social engineers out there. The kids get more excited about my birthday than I do. They want to know about cakes, parties, and the like. Personally, I’d take a day to sleep in, but who has time for that? There are things to do and places to be.
We at Securosis hit a milestone this week, unveiling the Securosis Nexus on Monday night. Honestly, I’m both exhilarated and terrified. We (especially Rich) have spent many hours conceiving, building, and populating our new online research ‘product’. I joke that building the Nexus took twice as long and cost 3 times as much as we expected. I’m probably understating it. But all of us have built software before, so we knew what to expect. What’s a little different this time is that we funded the project out of cash flow. So every check we wrote to our developers and designers could have been used to pay my mortgage. That really makes the investment real.
Rich, Adrian, and I aren’t really gamblers. We all go to Vegas a few times a year for conferences, and you’ll find us hanging out at a bar – not the tables. We live conservative lifestyles (even if Adrian drives a Corvette). On the other hand, we’re making a huge bet folks who don’t have the word Security in their titles will pay for impactful, actionable security research. And that even some folks who do have Security in their titles will find enough value to make a modest investment.
But what if we are wrong? It’s not like anyone has ever successfully delivered a research product to this market segment. Are we nuts? Compound that with the fact that we have built a pretty good business. We’re very busy writing blog series, pontificating, and doing strategy work, all of which I love. So why take the risk? Why make the investment? Why not just sit on our hands, keep pontificating, and enjoy the lifestyle?
I’ll tell you why. Because time waits for no one. Rich and I decided back in 2006 that this market opportunity was real, and we believe it. Just because no one has tried it before doesn’t mean we are wrong. We want to build leverage into our business and be bigger than just Rich, Mike, and Adrian showing up and waving our hands. Ultimately we want to make a difference and believe the Nexus provides a great opportunity to help folks who can’t afford Big IT research. But we aren’t kidding ourselves – it’s scary.
Fear is no excuse. It won’t hold us back. The train has left the station and now we will see where it takes us. The only thing we can’t get is more time, so we plan to make the most of it. Check out the Nexus. Sign up for the beta. Help us make it great.
Photo credits: “Time” originally uploaded by Jari Schroderus
Incite 4 U
Die or piss off users? Not an easy decision… I do love Gunnar’s > 140 Conversations on his blog. This time he banters with Marcus Ranum, and there is a lot of good stuff in there. I’ll zoom in on what Marcus calls enumerating goodness, which I call a positive security model. He’s absolutely right that most organizations overstate the challenge of looking at a positive model and underestimate the equally important cultural impediments. The difference comes into play when you haven’t seen something before. In a negative model, you don’t know to block it and it could kill you. In a positive model you block it, but it might not be bad. Users don’t understand the former, and get really pissed off by the latter. So most security folks accept the low-probability event of getting killed rather than the high-probability event of pissing off users. – MR
Privacy dies. Again: I think we all know the problem with privacy in the Internet age. Anything you do is tracked. It’s kept forever. Privacy policies change without warning. Those drunken Facebook posts from high school? Yep, permanently on your timeline (and Facebook keeps them even if they are ‘deleted’). I don’t think Facebook, Google, and friends are deliberately evil, but it isn’t like you have any control over that stuff once it’s released. So it should come as no surprise that governments are strip mining the data like a Texan in heat. (I’m not sure that metaphor makes sense, but it rolled off the keyboard so nicely). Me? I don’t think I have anything really to hide (not that I’d want everything I ever wrote public). But the whole idea still creeps me out. – RM
Photo recon: In my first IT job, circa 1987, the division manager was ex-USAF. On his desk was a photo of a Russian factory worker looking at his watch, taken over the man’s shoulder, so you could faintly see what time it was. The interesting thing was the photo had been taken from an SR-71 Blackbird, 10-15 years earlier, from the very edge of space. I can only imagine what is available now, but that photo came to mind when I saw the panoramic photos of Vancouver Canuck fans just before the riot. This is not your typical crappy security camera stuff – you can clearly make out faces four blocks away, all from a series of photos stitched together. Fans, tourists, law enforcement – they are all captured. Combine this with facial recognition software, and you have a powerful identity tool. And those Facebook photos provide a public – and legal – way for anyone to get basic identity and photos for comparison. It’s an interesting mixture of physical and electronic data harvesting. How this will be used is anyone’s guess, but it certainly will (is?). – AL
SIEM + Packet Capture = More APT hype: Oy. Another holy grail answer to the APT problem is discussed in this Dark Reading post. Basically it’s a vendor circle jerk about how great it is when you attach your SIEM to your full packet capture engine to really be able to investigate something bad. Here’s the rub. You need to know that something is bad, which means having an APT-type attack enumerated in your SIEM. Since you can just buy the APT playbook on eBay that should be easy, right? When will everyone finally realize the APT is an attacker, not an attack, and it’s not simple to just run a tool to find it? To be fair, the second part of the article is closer: define normal, then look for not normal as a possible indicator of an attack, and then use the full packet stream to do the investigation. That’s closer to the answer, but in reality no SIEM is going to find an APT unless you know how they are going to attack in advance, in which case you might not even need SIEM. – MR
Who to trust? There is no doubt that Amazon will have tighter control over the Kindle Fire user experience than other tablet providers, but I don’t see why eWeek thinks this is a major privacy issue. Compared to what? How is this different from existing mobile phones, or something like an iPad? You still leak identity, geolocation, device, and browsing information – just to a smaller audience. You can’t customize the Silk browser to use protections like NoScript, Ghostery, or Flashblock – it’s the same as other mobile browsers that way. But you could potentially be more secure if Amazon allows you to encrypt your session under an EC2 certificate for your Kindle account. That way all your content would be delivered over a secure channel, and your web requests would be proxied generically from Amazon to the Internet. Amazon has the capability to track you, and probably will – it’s technically correct to say Silk won’t do this, but there will be a different mechanism on the backend that does. The data is too valuable for them not to collect and analyze it. This provides a significant advantage for them: targeted retail. And even better (for Amazon), it denies Google the data. For device users, Amazon can market the ability to cache popular sites for performance – something like Akamai does. Is this a privacy issue? Yes, but no worse than any other device – unless you’re Google. – AL
DLP goes small: I keep thinking I’m done talking about DLP, but interest remains high. I spent an hour today talking to a financial institution about it, and next month will spend an entire day helping a different enterprise-class company develop their DLP strategy. Dealing with mobile devices is one of the big questions that inevitably pops up – partially due to the devices’ processing constraints, but mostly because Apple won’t let anyone install any persistent background tasks – which would break their entire security model – to implement proper security monitoring. Today Symantec announced their new DLP for tablets, and a few others (like Websense) are taking different approaches. We finally have an interesting continuum of approaches for organizations looking for different levels of content control on devices. Enough that I will try to write this up as a full post. – RM
More proof that security is a feature: Yesterday we saw deals in the SIEM/Log Management space where (certainly in the case of IBM/Q1) security management will become part of a bigger IT stack. Another deal hit last week which isn’t getting much discussion: IronKey is selling off their secure USB hardware business to … wait for it … a storage company. I know, it’s a shock that a company like Imation would find value in selling secure USB drives, while IronKey can focus on their porn surfing network technology – I mean their secure browsing network. This one didn’t make news, but continues to demonstrate that security must add value somehow to be sustainable. You don’t just protect something for protection’s sake. – MR