It’s hard to believe, but my family and I have been in Atlanta almost 9 years. The twins were babies; now they are people. Well, kind of. I grew up in the Northeast and spent many days shoveling our driveway during big snowstorms. Our 15 years in Northern Virginia provided a bit less shoveling time, but not much.
But the ATL is a different animal. It snows maybe once a year, and the dusting is usually gone within a few hours. I can recall one time, over the past 8 winters, when we got enough snow to actually make a snowman. We are usually pummeled by one good ice storm a year, which wreaks havoc because no one in the South knows how to drive in bad weather, and I think there are a total of 3 snow plows in the entire state. Now that it’s starting to warm up a bit I look forward to breaking out my flipflops and summer work attire, which consists of shorts and T-shirts. Unless I have a meeting – then I wear a polo shirt.
But that’s still probably 6 weeks away for me. Having grown up with the cold, I hate it now. I just don’t like to be cold. I get my Paul Bunyan on with a heavy lumberjacket (one of those flannel Thinsulate coats) to take the kids out to the bus in the AM. Even if it’s in the 40s. I have been known to wear my hat and gloves until May. Whatever it takes for me to feel toasty warm, regardless of how ridiculous I look.
The Boy has a different opinion. It’s like he’s an Eskimo or something. Every morning (without fail) we have an argument about whether he can wear shorts. Around freezing? No problem, shorts work for him. Homey just doesn’t care. He’ll wear shorts at any time, literally. There was one morning earlier this year where I called his bluff. I said “fine, wear your shorts.” It was about 35 degrees. He did, and he didn’t complain at all about being cold. I even made him walk the two blocks to the bus and stand outside (while I sat in the warm car). He didn’t bat an eyelash. But the Boss did. I took a pounding when he came off the bus in shorts that afternoon. I tried to prove a point, but he took my point and fed it back to me, reverse alimentary style. No matter the temperature, a hoody sweatshirt and shorts are good for him.
His behavior reminds me of returning to NYC after a college spring break in Acapulco many moons ago. Most of us were bundled up, but one of my buddies decided to leave his Jose Cuervo shorts on, while wearing his winter jacket. It was about 20 degrees, and after a week of chips and guacamole and Corona and 4am Devil Dogs (and the associated Montezuma’s revenge), we just absolutely positively needed White Castle. Don’t judge me, I was young. My friend proceeded to get abused by everyone in the restaurant. They asked if he was going to the beach or skiing. It was totally hilarious, even 25 years later. I can totally see the Boy being that guy wearing shorts in the dead of winter.
But part of being a parent is saving the kids from making poor decisions. The Boss is exceptional at that. She proclaimed the Boy cannot wear shorts if it will be below 50 degrees at any time during the day. There were no negotiations. It was written on a stone tablet and the Boy had no choice but to accept the dictum. Now he dutifully checks the weather every night and morning, hoping to get the high sign so he can wear his beloved shorts. Who knows, maybe he’ll become a meteorologist or something. Unless they tell him he can’t wear shorts on air – then he’ll need to find something else to do.
–Mike
Photo credits: Taking a jog in shorts after Winter Storm Nemo originally uploaded by Andrew Dallos
Upcoming Cloud Security Training
Interested in Cloud Security? Are you in EMEA (or do you have a ton of frequent flyer miles)? Mike will be teaching the CCSK Training in Reading, UK April 8-10. Sign up now.
Heavy Research
We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.
Email-based Threat Intelligence
Understanding Identity Management for Cloud Services
Newly Published Papers
- Network-based Threat Intelligence: Searching for the Smoking Gun
- Understanding and Selecting a Key Management Solution
- Building an Early Warning System
- Implementing and Managing Patch and Configuration Management
- Defending Against Denial of Service Attacks
Incite 4 U
- Everything increases risk if firewall management sucks: In this week’s mastery of the obvious piece, we hear that Segmentation Can Increase Risks If Firewalls Aren’t Managed Well. The article provides a bully pulpit the firewall management vendors to tell us how important their stuff is. Normally I’d lampoon this kind of piece, but operating a large number of firewalls really is hard. Optimizing their use is even harder. Do it wrong, and you create a hole big enough to drive a truck through. So after years of maturing, these tools are finally usable for large environments, which means we will be doing a series within the next month or so. Stay tuned… – MR
- Preparation: I loved the idea of Netflix’s Chaos Monkey when I heard of it. An application that looks for inefficient deployments and deliberately causes them to fail. Very much in the Big Data design philosophy, where you assume failure occurs regularly – which both makes Netflix service better and continually verifies system resiliency. So when I read Threatpost’s How Facebook Prepared to Be Hacked I thought it would be awesome if these red-team/blue-team scenarios were automated to mimic legitimate attacks – a security Chaos Monkey, if you will. It dawned on me that in some ways APT is a real-world Chaos Monkey. Yes, a free mostly-automated program to attack your network would make a huge difference for pointing out the kinks in your defenses, but most companies aren’t quite on board with the concept. Certainly paid employees offer an additional benefit: telling you that you got hacked, so you can either clean things up before it gets real, or mitigate damages when attacks do occur. Outside freelancers … not so much. – AL
- First crack or lip service? In 2010 I wrote that China won’t stop hacking until there are consequences. I then suggested that those consequences are starting. Thanks to the coordinated release of the Mandiant APT1 report and additional moves by the US federal government, China just might be feeling a little pressure. The AP now reports that Beijing is willing to “talk’ about cybersecurity. Usually this involves saying hacking is illegal and claiming they are the victims, but I won’t be surprised if this is the start of a long process that gradually pushes state-sanctioned (and probably sponsored) hacking deeper underground. You didn’t think it would completely stop, did you? – RM
- But crypto is HAAAAAAARD: Yep, I’m sick of those guys, always complaining that it is impossible to include crypto in a solution because it’s too expensive or too incomprehensible for the developers. Just use what we’ve got – it’s better than nothing. And no, it doesn’t consume 50% of a modern processor to require HTTPS connections on websites. I am constantly fighting the vendors who bring in “proprietary encryption” as a solution to an information management problem. Implementation is always where crypto breaks. Or is it? DJB claims (backed by a majillion graphs and math that I just cannot understand) that what we really need is to focus on both the algorithm and implementation, and we really need to start doing a better job. He’s absolutely right. But I’m still skeptical that we’ll ever reach a point where it’s possible to send a piece of email that is properly encrypted from sender to receiver. – JA
- Skills to climb the CISO ladder: NetworkWorld has a article talking about Hot security skills of 2013 and they lead off with the need to understand information and physical security? Uh, no. There have been calls for this kind of functional integration for years, but it just doesn’t happen. Not that physical security isn’t important (it’s part of PCI-DSS, after all), but to think it needs to reside under a single CSO? Not so much. Then some nonsense about the ability to anticipate needs. What the hell does that mean? A crystal ball. Here, I have one. My crystal ball says you’ll be hacked. Only on the second page do they discuss “business and financial acumen.” Now they’re talking, and they follow up with “good communication skills”. Bingo. The senior security job is all about influence, which means you need to understand your business and be able to communicate the value of security. Whether you can manage the proximity access cards or the former football players who guard the front door is beside the point. – MR
- Painful learning (is there any other kind?) Public root cause analysis of a major failure is never fun, but it’s the only way to rebuild customer trust, and as a side benefit it helps educate the rest of the community. So I highly recommend Microsoft’s post-mortem of their Azure Storage outage. TL;DR: some SSL certificates expired, and although they prepared new certificates for deployment, “the team failed to flag the storage service release as a release that included certificate updates.” As we move toward more cloud and better automation (and we all will), this is the kind of error that even someone with their sht together can easily make. Learn from it. Or prep your own *mea culpa post. – RM
- Asking questions they don’t understand: In recapping the RSA Conference buzz around Big Data, NetworkWorld looks to confuse their readership with a recap asking is Big Data the security answer?. While the author asks some of the right questions – “So, if we can’t get small data right with SIEM, why do we think we can get big security data right?” – and then mixes them in with the absurd: “Do we need fancy new Big Data tools based on technologies like Hadoop … you can use tools like Splunk to correlate it”. WTF? The later point, attributed to David Hannigan, might have been relevant if Splunk was based upon a relational database and not a proprietary NoSQL-like repository. Let’s be clear: Big Data for security analytics is very early, and it’s right to be talking about it because it’s uncertain how well it will work. Whether or not big data can deal with the performance, scalability and data velocities SIEM needs to contend with is a question Google answered in 2004 – absolutely! – AL
Reader interactions
2 Replies to “Incite 3/13/13: Get Shorty”
@Nate – Yes! Exactly. But that’s the main reason why comment on ‘fancy new big data tools’ is ludicrous. And for the record I don’t recommend security pro’s ‘rolling their own Hadoop’ deployments, but I do think a) all of the SIEM/LM vendors _not_ on big data have now found religion, and b) security pro’s _should_ read some books on MR and big data so they understand how to get value from the data and data management systems in/coming to their companies.
-Adrian
I certainly make no claims to be a “Big Data” expert, but doesn’t the fact that Splunk is built on a MapReduce architecture make it a big data tool? Heck every relational database rooted SIEM vendor is pitching their wares as “Big Data” because it’s the fuzzy buzzy word of the moment. Splunk to me at least has some semblance of right to the moniker. Now a better question might be should security teams be rolling their own Hadoop deployments and building their own analytic capabilities. Like most any new cool complicated technology if your the biggest of the big and have the resources or are smaller but (by nature of your vertical/company model) rich in technical talent you could probably create some value. For the rest of us Joe Schmoes we need someone to productize the tech and make it usable for us aka Splunk…