A couple years ago, when I decided to lose weight and change my eating habits, I did it with a view to living until I was at least 90. That was the number I envisioned, and given my family history, it should be achievable. So as I celebrated my 45th birthday this week, it was strange to realize that I’m close to halfway done. WTF? How did that happen?

It seems just like yesterday I was loading up the U-Haul for the trek to relocate to DC after college to start my adult life. That yesterday was 24 years ago. I drove that speed limited truck (it wouldn’t go faster than 60) with all my worldly possessions down the 95 with all these expectations. I was going to do this, and do that, and achieve this, and basically become the master of all I survey. No plan survives contact with the enemy, and mine was no exception.

I certainly had the energy and the drive, but I didn’t understand the game. I was too young to have any perspective. All I wanted to be was an adult, and have my own money and buy my own stuff and be responsible for myself. It took 24+ years of screwing things up to finally appreciate that the old saying “Youth is wasted on the young” is absolutely correct. The young don’t know how to harness their capabilities. They don’t know what they don’t know.

Which is obvious every time I chat with kids just entering the job markets. I love their energy and idealism, but I shake my head at their sense of entitlement. Mostly I’m excited for them to learn stuff the way I learned it – the hard way. That’s really the only way to learn, and these kids will do great things in the few instances when they aren’t screwing up. But 24+ years later, I can appreciate that process and understand that I had to go through the good, the bad, and the ugly to end up where I am today. Which is right where I should be.

So as I enter the second half of my life, I am thankful for the first half. It gave me an opportunity to figure some things out, especially about myself and what’s important to me. I don’t worry so much any more about fitting in or living up to others’ expectations. I’m young enough to still do a lot of stuff, but old enough to kind of know what I’m doing. And that’s a good place to be.


Photo credit: Youth on the Move in Volos 12, originally uploaded by EU Social

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Defending Against Application Denial of Service

Firewall Management Essentials

Newly Published Papers

Incite 4 U

  1. Keep it simple, get it right: I am often highly critical of Ponemon Institute reports because their methodology is often flawed, especially using surveys to estimate losses for intellectual assets that can’t really be quantified. But their latest Cost of Cybercrime report moves in the right direction. This time it only counts direct costs related to incident response, not some wild-ass guess at the value of stolen files. I do believe these costs can be quantified, although the odds are many organizations lack the maturity and tracking to really be consistent about what it really costs to clean up a mess. But Ponemon kept a tight scope, with clear definitions, and noted that costs rose 18% (total, not per incident). One reason cited may be the increasing numbers and sophistication of attacks, but I suspect better detection of incidents is a larger factor. – RM
  2. Down the river of payments: The card brands very publicly announced a global tokenization proposal to make shopping “simpler and safer”, which they promise to release real soon now. But, with significantly less press coverage, on-line retailer Amazon went one step better – by extending Amazon’s existing payment infrastructure to other retail sites. Amazon customers will leverage their Amazon account, including payment and shipping preferences, when they buy from participating retailers. That is Payment as a Service (PAYaaS), people! Participating merchants will no longer need to manage and secure the payment process, or user accounts and passwords, so they will not need to slog through PCI requirements. Amazon makes money on each transaction. Users benefit from a single account and password, and only need to trust Amazon (who already provides a very good user experience) with their account & payment information. – AL
  3. 3 Keys to security survival: Great overview in Dark Reading of how the core imperatives of a CISO continue to change given the Inevitability of Attacks. The article covers an Interop presentation by Blackstone’s CISO, Jay Leek, and describes three mindset and strategic shifts. The first is to get better visibility into threats and attacks. You also need better intelligence about attacks and attackers. And finally you need a planned response rather than just reacting to the latest attack du jour. It is right on the money, so check out the article when you can. And keep in mind that this doesn’t mean you need to dump all your preventative controls. It just means you need to do a better job of being prepared to respond. – MR
  4. Assume the worst: We have been saying for years that you should assume your environment has been breached, or will be, and define your defensive controls around that. As Troy Hunt highlights, this is especially true of internal web applications. While the article dips a bit into hyperbole, the core precept is sound. Internal web applications are often highly customized, lightly secured, and assume only internal people will have access. That’s fine for low-priority items, but can be a real problem for anything important. And you also need to assume those low-priority systems will be compromised and used to attack the juicier stuff. Lateral movement FTW. How do I know? Because that’s what all the breach reports tell us happens. – RM
  5. Barracuda files for IPO: Yup, given the crazy performance of the FireEYE-PO, it is not surprising to see other companies moving toward the public markets. The latest is Barracuda Networks, which filed their S-1 last week. I have yet to really tear through it, but suffice it to say they move a lot of boxes to a lot of customers. The fact is security is a hot market and companies like Barracuda have shown solid growth, and that is highly valued on Wall Street. But going public is only the beginning of the journey – now they need to deal with quarterly reporting cycles and public scrutiny of everything they do. That works well for a lot of companies, but at some point most of the public market security players will be subsumed by bigger IT shops, like Sourcefire, which is now officially part of Cisco. – MR
  6. Getting what you pay for: Katie Moussouris announced on the BlueHat Blog that the Microsoft bug bounty program just paid out to six security researchers, with one of the recipients earning the maximum $100k payout. While Microsoft is not releasing the details, you can be sure that issue was serious. My reason for bringing up bug bounties in the Incite every single freaking time Google or Microsoft announces them is to underscore that these programs work. Lots of organizations still look at this technique as just another way to hire expensive external consultants, but it is actually only paying for success, and a very effective way to leverage creative people who don’t work for you. Better still, Microsoft found the flaws pre-production, reducing their impact on customers. We talked a lot about this trend of leveraging external communities in our API gateway research – if your firm produces software where security is essential, you need to consider ways to incentivize people to examine your code – and share their findings with you. – AL