Incite 2/19/2014: Outwit, Outlast, OutRSABy Mike Rothman
No, we aren’t talking about Survivor, which evidently is still on the air. Who knew? This week the band of merry Securosis men are frantically preparing for next week’s RSA Conference. We’ll all descend on San Francisco Sunday afternoon to get ready for a week of, well, work and play.
I saw Stiennon tweet about his 50 meetings/briefings, etc. – claiming that’s a new personal record. That’s not #winning. That’s #losing – at least to me. I have way too many meetings scheduled – and that even doesn’t count all the parties I have committed to attending. Pretty much every minute of every day is spoken for.
My liver hurts already. RSA is a war of attrition. By Friday when I fly home I am always a mess. A few years ago I ran into Andy Jaquith on the BART train back to the airport afterwards. He tried his best to make conversation, but I had nothing. I could hardly string three words together. I grunted a bit and scrawled a note that I’d call him the following week. I sleep well on Friday night when I get home. And most of Saturday too. I pray to a variety of deities to fend off the con flu. Usually to no avail – the RSA Conference grinds even the hardiest of souls into dust.
But I really can’t complain much. As much as I whine about the crazy schedule, the lack of sleep, and the destruction of billions of brain cells, I love the RSA Conference. I get to see so many friends I have made over the past 20 years in this business. I get to see what’s new and exciting in the business, validate some of my research, and pick the brains of many smart folks. We are lucky to meet up with many of our clients and provide our view of the security world. I also find out about many new opportunities do work with those clients, and based on early indications March and April should be very busy indeed.
So it’s all good. Based on early RSVPs we expect record numbers at our Disaster Recovery Breakfast Thursday morning. A ton of folks are interested in the talk on mindfulness JJ and I are doing at the show. And the 2014 Security Bloggers Meetup will be bigger and better than ever.
Yes, if you can’t tell, I’m really looking forward to the Conference. And I look forward to seeing many of you there.
PS: I learned yesterday that a pillar of the Atlanta security community passed away recently. So I’ll have a drink or ten in honor of Dan Combs. He was a good man. A good security guy. And he will be missed. RIP Dan. It’s just another reminder that our time here is short, so enjoy it, have fun, maximize each day, and live as large as you can. You never know which RSA Conference will be your last…
Photo credit: “Survivor Finale” originally uploaded by Kristin Dos Santos
Have you checked out our new video podcast? Basically Rich, Adrian, and Mike get into a Google Hangout and, well, hang out. We talk a bit about security as well. We try to keep to less than 15 minutes and usually fail.
- Feb 17 – Payment Madness
- Feb 10 – Mass Media Abuse
- Feb 03 – Inevitable Doom
- Jan 27 – Government Influence
- Jan 20 – Target and Antivirus
- Jan 13 – Crisis Communications
2014 RSA Conference Guide
We’re at it again. For the fifth year we are putting together a comprehensive guide to want you need to know if you will be in San Francisco for the RSA Conference at the end of February. The full guide (with tons of memes and other humor that doesn’t translate to the blog) will be available later today.
We will also be recording a special Firestarter video on Thursday, since you obviously can’t get enough of our mugs. Look for that on Friday…
- Watch List: DevOps
- Key Theme: Cloud Everything
- Key Theme: Crypto and Data Protection
- Key Theme: Retailer Breaches
- Key Theme: Big Data Security
- Key Theme: APT0
- Data Security
- Cloud Security
- Endpoint Security
- Identity and Access Management
- Security Management and Compliance
- Application Security
- Network Security
And don’t forget to register for the Disaster Recovery Breakfast, 8-11am Thursday, at Jillian’s.
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.
The Future of Information Security
- Implications for Cloud Providers
- Implications for Security Vendors
- What it means (Part 3)
- Six Trends Changing the Face of Security
- A Disruptive Collision
Leveraging Threat Intelligence in Security Monitoring
- Quick Wins with TISM
- The Threat Intelligence + Security Monitoring Process
- Revisiting Security Monitoring
- Benefiting from the Misfortune of Others
Advanced Endpoint and Server Protection
Newly Published Papers
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7
- Eliminating Surprises with Security Assurance and Testing
- What CISOs Need to Know about Cloud Computing
- Defending Against Application Denial of Service
- Security Awareness Training Evolution
- Firewall Management Essentials
Incite 4 U
Call it the Llama Clause: Just to get you in the RSA Conference state of mind, check out this great post from the Denim Group folks who are just learning about the nuances of exhibiting at RSA. Yup, there is a “no animals” restriction. Turns out not only can’t you bring a llama, you can’t bring a rhino either. Which is a bummer because a live rhino would be second only to Nir Zuk as booth catnip. You also can’t have loud noises or bad odors. Neither of which seems to be restricted at DEFCON. Apparently they also have a booth babe clause, or at least the right to ban folks unprofessionally or objectionably dressed. By the way, that would seem to be a bit of a subjective measure, no? For those attendees who don’t get out much, seeing a greeter from the Gold Club would probably make their day. And no robots either. It seems like the organizers are bent on taking all the fun out of RSA. Though I guess you need to get caught first – so do it and then ask for forgiveness later. It’s the trade show credo. – MR
TK-421 – why are you not at your post? 2-Factor authentication has gone mainstream – it is now an option for most cloud services and several payment services using SMS validation. Google has been using 2FA for a while now, and their recent acquisition of SlickLogin provides a peek at where the market is heading: proximity detection. Think of those physical cards you use to get into work, only embedded in your phone and used for more than just physical access. These credentials would log you into your laptop, server, or whatever, automatically as you approach. Freaky, right? Sure, the security hype machine will say your account(s) can be compromised if one of your devices is stolen, or by Android malware, or that Bluetooth (or NFC) opens up another attack vector. The reality is that none of this is absolute security – nothing is. But it is better than what we have today. 2FA and proximity verification with devices will be reality going forward, whether you like them or not. Security is learning what every retailer and credit card brand knows: if something makes your life easier, you’ll use it. – AL
Internet of Pwn: The Internet of Things is all the rage. From fitness trackers to Internet-powered Crock Pots, you can’t swing a dead cat without triggering a motion-controlled ceiling fan. And sure, security is important, but this is just more esoteric garbage nobody needs to worry about yet, right? Well perhaps not – our friends at IOActive have cracked the security of the popular WeMo automation products. You know, devices you can buy down the street at some hardware stores. What fascinates me is that these flaws came down to an encryption implementation flaw. Maybe most people don’t care that someone can monitor movement in your house and turn off your lights, but I know for a fact some of these flaws in other systems can disable alarms, open doors, and trash your HVAC. – RM
You had me at Terry Tate: Rick Holland’s post about his definition of actionable intelligence had me cracking up. Not because threat intelligence (TI) is sure to jump the shark at this year’s show – but instead because he dusted off Terry Tate to deal with vendors misusing the term ‘actionable’. Rick has a pretty good list of characteristics you should be looking for in the intelligence. Things like accuracy, integration, and relevance. We have been doing a bunch of research into threat intelligence over the past year, and Rick’s requirements ring true. Though as with every other hot market, you will see a lot of snake oil as well. So RSA attendees beware. By the end of the week you are likely to be confused about what TI even is. – MR
Swamp cloud loggers: Logging in the cloud historically has been a mess. Netflix even had to build its own proxy for its developers so they could log and control management plane access. In response Amazon released CloudTrail a few months ago, which logs all API calls – even internal ones from their tools to any of your AWS (Amazon Web Services) services. Well, sort of. It only works in two regions (data centers) for a few AWS services, and has a 15-20 minute lag. Fortunately multiple little birdies tell me this is just the start, and that the services should improve quite a bit over the next couple years. Kind of like everything else cloudy. Amazon published a white paper on the best way to use its logging capabilities, and if you mostly use one of the supported regions I highly recommend turning it on. I’m not going to criticize a good start, but there’s nothing wrong with being demanding and having massive expectations, right? – RM
Bad software is not mysterious: The appearance of strange software may be alarming, but it’s not a surprise. In the same way seeing advertisements unexpectedly pop up in your browser should not be a surprise. The fundamental problem is that Windows machines and most browsers are designed to be portals to you. The intent was to make it easy to push crap your way, often when you are unaware. Worse – the crap is very difficult to remove. Put in a CD-ROM, click a link, or update software, and you have no idea what gets installed. The result is that once you install software on your machine, you inherently trust everyone who built it, the third-party libraries they used, and everyone they partner with. It is simply a byproduct of poor software design, but a sad reality for deeply entrenched software. We see this problem on every software platform, OS, or browser designed for advertisers rather than users – all of them. The problem is that users would rather take free stuff and cede control of their machines to advertisers. And that is not going to change. – AL