After I got off the plane Friday night, picked my bag up off the carousel, took the train up to the northern Atlanta suburbs, got picked up by the Boss, said hello to the kids, and then finally took a breath – my first thought was that RSA isn’t real. But it is quite real, just not sustainable. That makes reentry into my day to day existence a challenge for a few days.


It’s not that I was upset to be home. It’s not that I didn’t want to see my family and learn about what they have been up to. My 5 minute calls two or three times a day, while running between meetings, didn’t give me much information. So I wanted to hear all about things. But first I needed some quiet. I needed to decompress – if I rose to the surface too quickly I would have gotten the bends.

For me the RSA Conference is a nonstop whirlwind of activity. From breakfast to the wee hours closing down the bar at the W or the Thirsty Bear, I am going at all times. I’m socializing. I’m doing business. I’m connecting with old friends and making new ones. What I’m not doing is thinking. Or recharging. Or anything besides looking at my calendar to figure out the next place I need to be. For an introvert, it’s hard. The RSA Conference is not the place to be introverted – not if you work for yourself and need to keep it that way.

I mean where else is it normal that dinner is a protein bar and shot of 5-hour energy, topped off with countless pints of Guinness? Last week that was not the exception, it was the norm. I was thankful we were able to afford a much better spread at the Security Blogger’s Meetup (due to the generosity of our sponsors), so I had a decent meal at least one night.

As I mentioned last week, I am not about to complain about the craziness, and I’m thankful the Boss understands my need to wind down on reentry. I make it a point to not travel the week after RSA, both to recharge, get my quiet time, and reconnect with the family.

The conference was great. Security is booming and I am not about to take that for granted. There are many new companies, a ton of investment coming into the sector, really cool innovative stuff hitting the market, and a general awareness that the status quo is no good. Folks are confused and that’s good for our business. The leading edge of practitioners are rethinking security and have been very receptive to research we have been doing to flesh out what that means in a clear, pragmatic fashion.

This is a great time to be in security. I don’t know how long it will last, but the macro trends seem to be moving in our direction. So I’ll file another RSA Conference into the memory banks and be grateful for the close friends I got to see, the fantastic clients who want to keep working with us, and the new companies I look forward to working with over the next year (even if you don’t know you’ll be working with us yet).

Even better, next year’s RSA Conference has been moved back to April 2015. So that gives me another two months for my liver to recover and my brain cells to regenerate.


PS: This year we once again owe huge thanks to MSLGROUP and Kulesa Faul, who made our annual Disaster Recovery Breakfast possible. We had over 300 people there and it was really great. Until we got the bill, that is…

Photo credit: “Reentry” originally uploaded by Evan Leeson

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and, well, hang out. We talk a bit about security as well. We try to keep these less than 15 minutes, and usually fail.

2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Leveraging Threat Intelligence In Security Monitoring

Advanced Endpoint and Server Protection

Newly Published Papers

Incite 4 U

  1. TI is whatever you want it to mean: Interesting experiment from FireEye/Mandiant’s David Bianco, who went around the RSA show floor and asked vendors what threat intelligence (TI) meant to vendors who used the term prominently in their booths. Most folks just use the buzzword, and mean some of the less sophisticated data sources. I definitely understand David’s perspective, but he is applying the wrong filter. It’s like of like having a Ph.D. candidate go into a third grade classroom and wonder why the students don’t understand differential equations. Security is a big problem, and the kinds of things David is comfortable with at the top of his Pyramid of Pain would be lost on 98% of the world. If even 40% of the broad market would use IP blacklists more effectively, that would have a huge impact on security posture. The TTPs he discusses are so far beyond the capabilities of most companies that he is talking a different language. But that’s okay. As the TI market matures we will see better and more sophisticated use of information to improve defenses. Until then TI will largely be a marketing bandwagon everyone needs to jump on. – MR
  2. Pandering from within: Rod Trent’s statement that use of cloud computing means corporate data that resides outside of control of IT puts the entire business at risk is an irresponsible assertion and a disservice to IT professionals. You don’t lose control of data by moving it to the cloud. How you deploy security in the cloud differs from what you need to do within your own data centers, and which capabilities are offered varies from vendor to vendor, but cloud services are no more or less inherently secure than your own hardware. As Chris Hoff said in his RSA presentation this year, “Security is more a function of your operational model than cloud vs. on-prem deployments; if your on-prem security sucks today, it’s likely your cloud security deployment will also suck.” Go figure. Cloud services imply engagement with a third party, so you will by definition need some level of trust in the provider, but you get to choose a provider and service delivery model you are comfortable with. Sweeping generalizations like “I’m not sold on the statement that the Cloud is ‘secure enough to use’” are simply ignorant assertions to prop up the author’s thinly veiled security appliance agenda. – AL
  3. People? Process? Bah! Bejtlich gets pretty fired up as he pulls apart Dave Aitel’s post on the pros and cons of certain defensive technologies. Richard’s point is that “Network defense is more than tools and tactics. It’s more often about people and processes.” Amen to that, but we do need to use the tools out there because no human (or team of humans) can scale to the extent of the problem any more. So you need to be very clear about the capabilities – and more importantly limitations – of the tools you will use to defend yourself. Richard’s real point is the need for a programmatic approach to security. Even people and processes must be brought to bear in the same manner as tools and technologies: as part of an integrated security program. – MR
  4. When bad security is not an option: This week we saw about 12.3% of the BTC on Poloniex was stolen, which is shortly after Mt. Gox was shuttered indefinitely. It’s early days for Bitcoin, and this instability has little to do with the viability of Bitcoin as a currency – more sloppy execution by exchanges and services, and failure to protect their systems. These are new companies with shiny new applications, and they will continue to lose bitcoins until they shake out bugs and learn lessons that banks and traditional financial houses have learned over centuries. In the case of Poloniex, it was an attack on application business logic. Hopefully most of these exchanges will take note and hire professionals to come in for threat modeling and penetration testing, to find flaws before attackers. It’s not like they don’t have genuine financial incentive to be secure. If not money will continue to disappear. – AL
  5. Where the humans at? I have never been a fan of highly probabilistic models of risk or vulnerability. They typically involve assumptions on top of assumptions, and that usually leads to faulty decision making. My quant friends argue constantly that I’m being obtuse, and analysis in the right context can assist in decision making. They are probably right. Russell Thomas has been putting forth models for a while to help provide this context. Lately he has gotten into a little discussion (and yes, I’m being kind) about the role of probability in making security decisions. The reality is that at some point someone has to make a decisions about what to do. You want to feel good about that decision. That could involve prayer, it could involve a hard-core model, or it could involve experience – or more likely all of the above. If you can believe the math, I have no issue with models. Given the amount of data we are all dealing with, you need some way to reduce it and make sense of it, and that will involve probabilities in some way, shape, or form. But security is not high-velocity trading. The models have limitations, and I am not about to trade a 20-year security analyst for a risk model any time soon. And I don’t think Russell is either. – MR