Life is a series of ebbs and flows. Highs and lows. Crests and troughs. It’s a yin/yang thing, and unfortunately most folks can’t appreciate that. Especially when they can’t see their way out of a down period. For a lot of security folks, the last two weeks have been such a contrast between those highs and lows that many are probably feeling whiplash.

A lot of folks went to the RSA Conference last week and saw an industry thriving again after 3 years in the doldrums. We all felt good. Those who read blog posts and tweets from folks at the conference felt good. It was one of those highs, and I returned to ATL exhausted but in good spirits. Not necessarily feeling like the tide had turned, but that swimming upstream wouldn’t be as hard for a while – however brief.

Then the discussions about whether we are losing started early this week. Ben’s post on LiquidMatrix verbalized a lot of what we all feel from time to time. And the burnout, building brick by brick which Rich described so eloquently is a clear explanation of the phenomenon. Rich’s point is that we will always have bad days, just as we have good days. And those who can survive in security for a long time don’t take things personally – especially the bad days. They know (and appreciate) the futility of the game, and enjoy the battles. The learning. The teamwork. They don’t get bitter and angry about the stupidity or the politics or the apathy. Or they hit the wall. Hard.

Which is really the point. It’s not about winning or losing. It’s about enjoying the journey. You will lose some battles, just as you will win some. You may lose more than you win, but that’s because the game is rigged. Like Vegas. In the long run, math wins. It’s always been that way, and yet we (amazingly enough) still function. As Ranum says, the Internet will be as secure as it needs to be.

In the wake of the shocking news that Sabu was an informer (sound familiar? Gonzalez the Sequel?) and he provided the smoking guns to take down LulzSec, some folks started gloating. That good wins over evil crap. But now is not the time to gloat. Nor is every compromise or incident the time to let despondency or depression creep in. If you get too high or too low you’ll burn out. Been there. Done that. To remain on even keel requires perspective. Perspective that is hard to appreciate when you are in the trenches and on the front lines.

On the flight back from RSA we flew into a pretty nasty storm. The last 30 minutes of the flight was turbulent. Regardless of my understanding of statistics, which dictates that I’m as safe in the air during heavy turbulence as I am now – sitting in a coffee shop writing this missive – it’s still a bit unsettling. So I closed my eyes and visualized riding a roller coaster, which I love to do. The exhilaration, the perception of danger, the adrenaline rush – you get off a coaster feeling alive. Maybe a bit scared, but alive. And you want to do it again.

That flight was a microcosm of life. Smooth and comfortable for a while, then not so much. Highs, lows, and everything in between. I enjoyed the flight because the bumpy air is part of the deal. You can’t avoid it – not entirely. So I chose to have perspective and enjoy the coaster. I just wish more folks in security could appreciate the journey…


Photo credits: “Learning Perspective” originally uploaded by Yelnoc

Lazy Deal Analysis: Trustwave buys another laggard

We don’t care enough about the Trustwave/M86 merger to do a stand-alone post, but it does warrant a least a little snark… erm… analysis.

  • 86-it: Trustwave announced today that they will be putting M86 out of its misery, acquiring the mixed bag of stuff web and email security vendor for an undisclosed sum. For those with long memories, M86 was formed as the merger of creaky web security appliance vendor 8e6 with the seriously outdated Marshall mail security software. The resultant M86 company tried to acquire themselves into relevance, making sage investments in Finjan’s secure web gateway software and Avinti’s behavior-based malware detection software. Yeah, 10 pounds of crap in a 5-pound bag. While those products were great additions, the core capabilities were several years behind the competition – and worse, never fully integrated. Details, details. While their Firefox secure browsing plugin was a fun toy, their ability to protect cloud data was suspect and the product development roadmap seemed driven by the trend du jour, rather than some holistic vision of web user security. Trustwave’s acquisition strategy has been reminiscent of the island of lost toys: buying laggards like Vericept, Mirage Networks, Breach Security, BitArmor, ControlPath, and Intellitactics. From that perspective M86 is a good fit with little overlap, but without really integrating the offerings, this is just more integration on the PO. More likely they will continue to target customers too lazy to perform a head-to-head comparisons with class-leading products and those trying to make audit deficiencies (found by Trustwave themselves, in an unholy alliance of audit and security product) go away. – AL & MR

Incite 4 U

  1. Don’t be Lulzed into a false sense of security: By the time I submit this to Mike I’m sure someone else will slip in a link to the story about LulzSec getting nailed by the FBI with some good old-fashioned police work. You know, attempting to scare the crap out of the perp and turn him against his friends. Uh, like they did to Sabu. To be honest, the headlines don’t really matter that much to those of us in operational security (including me – someone has to keep Mike and Adrian safe) as we are pretty pragmatic about the media’s incentive to work everyone into a frenzy. Rafal Los does a great job pointing out how to handle headline hysteria. Raf’s point is to ignore the headlines, focus on yourself, and don’t assume hype equals risk. One of the best reads of this year. – RM
  2. When tools attack: As the universe attempts to regain its karmic balance after all this Anonymous nonsense (as Rich mentioned above), it turns out someone (Could it be the FBI? Go nuts, conspiracy theorists!) integrated ZeuS into the Slowloris tool used by a bunch of Anon hackers. Does Anon have an App Store where they stock up on Guy Fawkes masks and attack tools? No one thought to check the tool for funny behavior. But sometimes reality follows fiction – I just finished reading Daniel Suarez’s Daemon and Freedom – and without giving away much (you should read them) a big part of the series is both sides planting Trojans in the network. So basically, the Anon folks forgot the first rule: Trust No One. – MR
  3. Touched: Commtouch released a report titled Compromised Websites: An Owners Perspective last week. They surveyed 600 independent site owners who had been compromised and asked some basic questions about what happened and how they resolved the issues. The good news is that 46% of the respondents said they fixed the issue(s) themselves without assistance, and 44% had 3rd party help. More telling is that in half the cases, the owner’s browser threw up a warning that the site had been compromised, with another substantial percentage notified by users browsing the site. What bothers me is that 63% said they did not know how the site was compromised – which makes any remedies suspect, as they small chance of detecting or stopping a repeat attack. Ironically, the report indicates that your front line for detection will be the browser, rather than the sponsor’s security products (email and web security). AV and email security are additional layers to improve detection rates, but their relatively low yields mean you need to invest wisely and patch regularly. That’s still all reactive speed-bumps, so in the end the critical factors are: a) the site owner’s preparation, and b) how well they are equipped to react to a compromise. – AL
  4. Supporting Budget Efforts: Between the public turf war between the NSA and DHS, and the FBI claiming Cyberattacks will surpass terrorism as the #1 threat, I can only guess it’s federal budget allocation week. There’s a lot of FUD coming out of Washington. The tough part is that we know APT threats are real, and that it’s entirely plausible foreign countries would attack our SCADA systems if we went to war against a capable adversary. On the other hand, you’d think we were all going to die from overdosing on ‘male enhancements’, given the way these criminal threats are portrayed. Most security pros worry that the result will be another type of TSA for SCADA, resulting in billions of wasted dollars with little or no real benefit, besides perhaps a Freedom Frisk every time you change a light bulb. If the Feds really wanted to help curb threats, sharing threat data and prosecuting the people behind the attacks would be a big help. You can use FedFUD to secure your security budget, but otherwise don’t expect federal focus to help you get your job done. – AL
  5. The Ops coup of cloud security: Lately I’ve been paying much more attention to the operations side of the cloud. Partially that’s due to needing to understand how it works to maintain our own stuff. But mostly it’s because I suspect the operations side is undercutting much of the applicable security market, without most security vendors or practitioners noticing. EnStratus partnering with Joyent is a great example. How many of you knew you could manage your cloud encryption with an ops tool? Let me rephrase – how many of you in security realized it? Full disclosure: our very own Contributing Analyst David Mortman manages security at EnStratus, but RightScale and others are taking over more than merely patch and configuration management for the cloud. We have always maintained that security is an operational function, and it looks like we are starting to see that in practice, with this awesome example of disruptive innovation. Yeah, I need to write more on this. – RM
  6. Comas, Lameness, and FUD: Before the scars of this year’s RSA Conference fade too much, you should check out Gal Shpantzer’s Coma Scale of Vendor Lameness and FUD to see how your favorite company, competitor, or employer measures up. Lots of APT references, which are clear Indicators of Lameness (IoL). And some ways to gain points by actually having a scalable solution and pricing flexibility. All that kind of stuff is hard to validate on a trade show floor, but Gal’s point is solid. Unfortunately the issue isn’t calling out FUD and/or lameness – it’s getting all the suckers out there to understand they shouldn’t believe everything they read on the Internet or hear from sales reps. And for that we’ll need heavier artillery than a lameness scale. – MR