Pretty much every year, I spend the winter holidays up north visiting the Boss’s family. I usually take that week and try to catch up on all the stuff I didn’t get done, working frantically on whatever will launch right when everyone returns from their December hangover. But as I have described here, I’m trying to evolve. I’m trying to take some time to smell the proverbial roses, and appreciate things a bit. I know, quite novel.

Is resolving to not have a resolution, a resolution after all?

I have to say, this has been a great year on pretty much all fronts. There was a bit of uncertainty this time last year, as I had left my previous job and we were rushing headlong into announcing the new Securosis. There were a lot of moving pieces and it was pretty stressful, with legal documents relating to the new company floating around, web sites to update, and pipelines to build.

A year later, I can say things are great. I’ve told them each collectively, but I have to thank Rich and Adrian for letting me join their band of merry men. Also a big thanks to our contributors (Mort, Gunnar, Dave, and Jamie) who keep us on our toes and teach me something every time we talk. I won’t forget our editor Chris either, who actually helps to make my ramblings somewhat Strunk & White ready. I also want to thank all of you, for reading my stuff and not throwing anything at me during speaking gigs. I do appreciate that.

Mentally, I’m in a good place. Sure I still have some demons, but who doesn’t? I keep looking to exorcise each one in its turn. Physically, I’m in pretty good shape. Probably the best shape I’ve been in since I graduated college. Yes, I had dark hair back then. The family is healthy and they seem to still like me. I have nothing to complain about on that front. Yes, I’m very lucky.

I’m also very excited for 2011. Rich alluded to our super sekret plans for world domination, and things are coming together on that front. No, it’s not fast enough, but when we get there it will be great. I’m looking forward to fleshing out my research agenda and continuing to work with our clients.

Since this is the last Incite of 2010, I guess I’ll divulge my 2011 resolution: Don’t screw it up. No, I’m not kidding. There will be ups and there will be downs. I expect that. But if I can look back 12 months from now and feel the way I do today, it will have been a fantastic year. I hope you have a safe and happy holiday season, and there will be plenty of Incite in 2011. Until then…


Photo credits: “Resolution” originally uploaded by sneeu

Incite 4 U

  1. Gawking at Security 101: Oh how the PR top spins. After spending last week washing egg off their faces due to the massive pwnage Gawker suffered, now they are out talking about all the cool stuff they’ll do to make sure it doesn’t happen again. Like requiring employees to log into Google Apps with SSL. And telling them not to discuss sensitive stuff in chat rooms. Yeah, that’s the answer. Just be thankful that sites like Gawker don’t collect much information. Though we should commend folks like LinkedIn and Yahoo, who used the list of suckers, I mean commenters, and reset their passwords automagically. I’ve had issues with LinkedIn’s security processes before, but in this case they were on the ball. – MR
  2. Fear the PM: Do project managers need to “lighten up” and give away some control over development projects? Maybe. Are they being forced to provide transparency into their projects because SaaS management tools allow access to outsiders? Mike Vizard and LiquidPlanner CEO Charles Seybold seem to think so. Personally I think it’s total BS. With Agile becoming a standard development methodology, the trend is exactly the opposite. Agile with Scrum, by design, shields development efforts from outside influencers, leaving product managers more in control of feature sets than ever before. They are the gatekeepers. And when you manage tasks by 3×5 card and prioritize with Post-It notes, you don’t exactly provide transparency. Collaboration and persuasion are interpersonal skills, not an app. I recommend that project managers leverage software for task tracking over and above task cards, but don’t think some cloud-based nag-ware is going to subjugate a skilled PM. – AL
  3. Not your daddy’s DDoS: I’ve spent a heck of a lot of time explaining denial of service attacks to the media over the past few weeks for some odd reason. While explaining straightforward flooding attacks is easy enough, I found it a bit tougher to talk about more complex DDoS. To be honest I don’t know why I tried, because for the general press it doesn’t really matter. But one area I never really covered too much is application level DDoS, where you dig in and attack resource-intensive tasks rather than the platform. Craig Labovitz of Arbor Networks does a great job of explaining it in this SearchSecurity article (near the bottom). Definitely worth a read. – RM
  4. No slimming the AV pig: Ed over at Security Curve makes the point (again) that the issues around AV, especially performance, aren’t going to get better. Sure the vendors are working hard to streamline things and for the most part they are making progress. Symantec went from a warthog to a guinea pig, but it’s still a pig. And they can’t change the math. No matter how much you put into the cloud, traditional AV engines cannot keep up. Reputation and threat intelligence helps, but ultimately this model runs out of gas. Positivity, anyone? Yes, I’m looking for white listing to make slow and steady inroads in 2011. – MR
  5. Live with it: This Incite isn’t a link, but a note on a call I had with a vendor recently (not a client) that highlighted 2 issues. First up was an obsession with having a three letter acronym to describe their market… preferably not one of the ones that really described their market, because none of their growth rates were vertical enough. Second was an obsession to get onto some sort of Magic Quadrant, even though there isn’t one even close to what they do. I understand these instincts, but more often than not I see them fail. Trying to redefine an existing market takes massive resources and time – I’ve only seen it done successfully a couple times over the past 10 years, but I have seen it crash and burn many many times. Especially if something else already uses your pet TLA. As for the Magic Quadrant, I realize it does help boost sales when there’s one for your market, but getting onto the wrong one rarely works out as well as you’d hope. When I worked at G I almost never found a user willing to look at anything in the lower left… which is exactly where non-core companies tend to end up. – RM
  6. What? Big company M&A integration FTW: Of course, before I have to put a pin in my big companies suck at M&A balloon, there may be hope. Maybe security technologies don’t go to IBM and HP to die. In the UK, it seems HP has integrated a bunch of operations into a (wait for it) HP Security Group, anchored by a group called ViStorm, which had been acquired by EDS. OMG. One group where you could get ArcSight, Fortify Software, TippingPoint, and some related HP technology? Really? Of course it’s only in the UK (for now), but this is clearly a move in the right direction. And yes, I think I just saw a pig fly by, or maybe that was just the AV engine of the guy sitting next to me. – MR
  7. Two things go great together: Jeremiah Grossman has an excellent editorial on ZDNet regarding the use of sandboxing technologies to help guard against code injection. Code injection is a far more insidious compromise than, say, CSRF or clickjacking, as damage is not limited to browser sessions, but potentially affects the entire OS. Sandboxing is quite literally putting the application in a safe place and not letting it out where it can harm itself or others. And it’s more than a “security speed-bump”, not just slowing attackers down but genuinely preventing most memory attacks, making it very difficult for a compromised browser to wreak mayhem on the underlying system. It really provides at least a single layer of defense when running code from vendors who pay absolutely no attention to security whatsoever. And a good second layer of defense when good code goes bad as (to Jeremiah’s principal point) you now need two successful attacks to exploit the machine. Hopefully every web service application will be sandboxed as a simple safety precaution, because code injection is completely beyond a normal user’s ability to detect or guard against. For the uber-paranoid, you can even put the sandboxed web service on a virtual server and cycle the instance when you are done browsing. – AL