As we started recording the Firestarter Monday Rich announced the date. When he said “March 30”, it was kind of jarring. It’s March 30? How did that happen? Wasn’t it just yesterday we rang in the new year? I guess it was almost 90 yesterdays. Thankfully Rich cut me off as I went down the rabbit hole of wondering where the time went.


Every year is getting shorter, never seem to find the time
Plans that either come to naught or half a page of scribbled lines
Hanging on in quiet desperation is the English way
The time is gone, the song is over, thought I’d something more to say
– Pink Floyd, “Time”

Yup, I’m in one of those moods. You know, the mood where you are digging up Pink Floyd lyrics. Though it’s true – every year does seem to get shorter. It’s hard to find the time to do everything you want to. Everything you plan to. You can’t fool time, even on April Fool’s day. Time just keeps moving forward, which is what we all need to do.

I have become painfully aware of the value of time this year. It seems I have been in a cycle of work, run, yoga, travel, car pools, LAX games, and maybe a little sleep now and again. But when I pick my head up every so often, I see things changing. Right before my eyes. XX1 is no longer a little girl. She’s almost as tall as the Boss and is talking to me about getting her driver’s permit in 6 months. What? My little muncha driving? How can that be?

And people you know unexpectedly pass on. Many of us in the security community knew Michael Hamelin (@hackerjoe), and then over the holidays he was gone. Taken in a freak car accident. It makes you think about how you are using the short amount of time you have. I had a wave of inspiration and posted a few things on Twitter that day.


I’m fortunate to be a mentor, advisor, and friend to lots of folks who come to me for advice and perspective. I talk about courage a lot with these people. The courage to be who you want to be, regardless of who you ‘should’ be. The courage to make changes, if changes are necessary. The courage to get beyond your comfort zone and grow. It’s not easy to be courageous.

Ticking away the moments that make up a dull day
Fritter and waste the hours in an off-hand way
Kicking around on a piece of ground in your home town
Waiting for someone or something to show you the way
– Pink Floyd, “Time”

Many people choose to just march through life, even if they aren’t happy or fulfilled, and that’s okay. But time will move on, regardless of what you decide to do, or not do. If you think things will change without you changing them, you aren’t fooling time. You are only fooling yourself.


Photo credit: “hourglass_cropped“_ originally uploaded by openDemocracy

Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for. Check out the invite and then RSVP to rsvp (at) so we know how much food to get…

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers

Incite 4 U

  1. Better breach disclosure: I hate it when stuff I use gets breached. I have to change passwords and the like. It’s just a hassle. But it does provide a learning opportunity, if the pwned company will talk about what happened. The latest disclosure darling seems to be Slack. You know, the chat app everyone seems to use. Evidently they had an attacker in their user database and some private information was accessible. Things like email addresses and password hashes. Theor payment and financial information was apparently not accessible (segmentation FTW). Now they don’t know whether user data was actually accessed (but we need to assume it was). Nor do they have any proof passwords were decrypted. But at least they are candid about what they don’t know. And even better, they took action to address the issue. Like turning on two-factor authentication before it was quite ready. And providing a tool for an administrator to log everyone out of the system and force a password reset. As they learn more, we can only hope Slack shares more of the details of this attack. – MR
  2. The wisdom of retailers: Over the last decade I have been involved in two research projects to show how data breaches impacted firm’s brand value and stock prices. And yes, I worked for a security vendor at the time, who had a financial incentive to link them. What did I find? Nothing. The data was inconsistent, bu if anything it suggested breaches and company value were unrelated. Our own Gunnar Peterson has been tracking this topic for as long as I’ve known him, and based solely on stock price, finds that breached companies outperform the market. The Harvard Business Review has done many great case studies on firms that have been breached, going back at least to 2007, but I believe this is the first time the HBR has come out with reasons why data breaches don’t hurt stock prices. But does that mean those retailers with a laissez-faire approach to security were right all along? If breaches are “… an inevitability of doing business …”, does that mean firms should only invest in “cyber insurance” to help pay the costs of cleanup? – AL
  3. Darwin and the WAF: Brian McHenry of F5 calls for the death of WAF as we know it and even references some of Adrian’s and my research. And who says flattery gets you nowhere? Brian’s point is that WAF needs to evolve with the advent of DevOps and more agile development processes, because you can’t tune the WAF to keep up with every application change. He’s right, but it’s a bigger issue than just WAF. Though given Brian is in the WAF business, that is his focus. DevOps and cloud and mobility disrupt the game. You need to rethink security and data protection… or not. As Deming said, “It is not necessary to change. Survival is not mandatory.” It applies to pretty much everything. Technologies, but also processes. If those don’t evolve (and drag technology with it), you’ll be on the endangered species list. But don’t fret – you won’t be lonely. A lot of technologies, vendors and practitioners won’t be able to make the jump. Maybe there is a gig available for a front-end processor engineer. (Old school) – MR
  4. Grab the popcorn: Now that vendors have reassessed their approaches to mobile payments, subsequent to Apple Pay shaking things up, we see new payment products from every corner. Square announced the acquisition of Kili, giving them NFC capabilities. Now merchants using Square can support either card-swipe or NFC transactions. Vodafone will also standardize on NFC communication, but will deliver a SIM card that embeds a secure element to hold the encryption keys needed for secure payment on mobile devices. These secure elements are the preferred choice for carriers, because anyone who wants access must pay the carrier. Unsurprisingly, Visa and Mastercard recently announced they are backing the more open Host Card Emulation approach – effectively a virtual secure hardware element – but now Microsoft has also announced use of HCE for their new Tap To Pay offering on Windows phones. We went from a snail’s pace to hair-on-fire product delivery, which means we can expect implementation flaws and notable hacks during this vendor stampede for market share. – AL
  5. It’s a mobile app – what could possibly go wrong? You all know what a big fan of surveys I am, but sometimes the data makes a point worth making. Without less-than-rigorous math, that is. The Ponemonsters did a survey for IBM which analyzed mobile app security. Basically there isn’t much, which I’m sure is a shock to most of you. In another surprising turn, the rush to get mobile apps out there and to meet customer needs is forcing organizations to take security shortcuts. Really! I know you are shocked. Yes, I took my sarcasm pills today. If there is an upside it is that mobile OSes are inherently better protected than PCs. I did not say fully protected – just better protected. But this is a systemic issue. Why would mobile apps be much different than anything else? Companies feel pressure to ship, they take shortcuts, security suffers. Breach happens, company gets religion. Until next time they have to take a shortcut. Wash, rinse, repeat. And we needed a survey to tell us that? – MR