My paternal grandmother passed away last week at 103. No, that is not a typo. One hundred and three. Ciento tres for you Spanish speakers out there. She would have been 104 in June. That’s a long time. To give you some perspective, per the infoplease site, William Taft was president in 1909. Robert Peary and Matthew Henson reached the North Pole that year. And the big news in the medical community was finding a cure for syphilis. I’m sure that caused much rejoicing around the world. I guess before 1909 you could actually have gone blind, though my folks somehow forgot to tell me about the cure…

My Grandma Hilda was interesting, although I didn’t know her very well. She moved with my grandfather to Florida when I was 5. I’d see them for the occasional winter break trip to North Miami Beach, and they’d come north for some holidays. But they weren’t phone people and long distance calls were pretty expensive back then, so it wasn’t like we’d just chat on the phone. Our kids have it better – they can text, FaceTime, and email their grandparents and cousins. I didn’t have that option.

She grew up in Baltimore and the way she met my grandfather was a great story. She was actually on a date with his brother Sam, but my grandfather had a car, so he drove Sam to Baltimore for the date. Evidently my grandfather liked her because when his brother went to get a pack of smokes, my grandfather took off and stood in on the date. I doubt they called it a ‘CB’ like my buddies would today, but they were married for almost 65 years, so it worked out.

She couldn’t have been more different from my grandfather. The cantor who presided over the the memorial service called the two of them Ying and Yang. But it was really more like the tortoise and the hare. My Grandpa Harry was fast and explosive. He’s been gone for 16 years but we still talk about his tantrums. He talked fast. He walked fast. He did everything fast and had little tolerance for folks who didn’t keep up. Whereas my grandmother was slow and calm. In the face of a Mt. Vesuvius explosion from Harry, she just wouldn’t be bothered. No matter what happened she was calm. She’d make some snide comment and get back to whatever she was doing. She was the only one who could put him in his place. And she did. It was amazing to see.

And when I say slow, I mean sloooooow. She wasn’t in a rush to do anything, not that I can remember anyway. She got there when she got there. She didn’t drive, so if she couldn’t get a ride or didn’t want to take the bus she wouldn’t go. One winter my grandparents took my brother and me to Walt Disney World when we were young. They had just opened EPCOT (yes, I’m dating myself) and I distinctly remember following my grandfather and visiting each ‘country’ in the park. We probably made 4 or 5 loops around the park, and every hour or so we’d pass by my grandmother strolling along at her own pace taking in the sites, not a care in the world.

He got to the finish line first, and she took her time to get there. 103 years to be exact. On an interesting side note, my paternal great-grandfather (Hilda’s Dad) also lasted 103 years. Seriously. So we’re running a pool on my father’s side of the family on who of each generation will go for 103. I’m tempted to make a run for it. Why not? I’ve always said I want to stick around long enough to have my kids change my diapers, just to return the favor. And evidently I have the genetics to do it.

Though if I do want to stick around that long I’ll need to learn to slow down and be calm, like my grandmother. Living until 103 isn’t for folks in a rush.

–Mike

Photo credits: 168/365 – President Taft Faces the Future originally uploaded by davidd

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Understanding Identity Management for Cloud Services

• Buyers Guide
• Architecture and Design
• Integration

Newly Published Papers

• Email-based Threat Intelligence: To Catch a Phish
• Network-based Threat Intelligence: Searching for the Smoking Gun
• Understanding and Selecting a Key Management Solution
• Building an Early Warning System
• Implementing and Managing Patch and Configuration Management
• Defending Against Denial of Service Attacks

Incite 4 U

1. What’s $300K between friends? Very interesting research by our friend Wendy Nather of 451 Group (highlighted by Shimmy at NetworkWorld) on what to buy if you start a security program in a green field. Yeah, I know there are no green fields, but Wendy determined that a 1000 person company would need to spend $300,000-$400,000 for a bare bones security capability. If they wanted a little more they would at least double the cost. She tends to see 1 security person for 500 employees. This isn’t a low-cost scenario, is it? And it doesn’t really help a company sell more stuff, does it? Sure you can spin your wheels talking about enabling this or that, but security remains a significant cost center. But at least the stuff you buy stops the attackers, right? (No, not really.) So there’s that… – MR
2. Two of these are nothing alike: You know big data is a threat to traditional big iron when entrenched providers start marketing off its coattails, as Alex Gorbachev attempts to do by comparing required IT management skills for Hadoop and Exadata. One of the many problems with this article is that the basic premise is not true: big data is not “a pre-integrated, engineered system with built-in management and automation software”, but instead a set of open source tools. The management issue is not moving from IT silos to a unified team – it’s that much of the responsibility moved away from IT and is now defined and implemented by an application development team. NoSQL platforms focus responsibility onto the data system architect for areas such as performance, how the system manages data, and how users access the system. NoSQL stacks must orchestrate data management and processing across a loosely-synchronized cluster of commodity hardware; it’s design work, not run-time configuration. The downside is that there are no radio buttons on an admin console for identity management, data security, vulnerability assessment, or administrative separation of duties. Then again, you don’t need to write a $3M check to get started either. – AL
3. Encrypt all the things: I’m getting (really) tired of some of the ‘blanket fixes’ proposed in various IT circles for perceived security issues. The latest is from Das Kamhout as tweeted by our own Dave Mortman coming from the DEPLOYCON keynote: “Encrypt all the things.” The only problem I have with this statement is that the central issue that reduces the feasibility of large-scale encryption has yet to be solved: How do you manage the keys? Rich is doing a great job untangling IaaS Encryption and wrote a brilliant white paper Understanding and Selecting a Key Management Solution (PDF) on this topic. I am still waiting to see if anyone has implemented his suggested course of action. Actually, I’m still waiting for a lot of good ideas to get from paper to reality. (Note from Mike: No one has told Jamie yet that flattery gets him nowhere. 😉 – JA
4. Kickass threat intelligence: Evidently today is provide some link love to other analysts day here in the Incite. Let me point to a great post by Forrester’s Rick Holland called My Threat Intelligence Can Beat Up Your Threat Intelligence. He basically lampoons the constant and accelerating hyperbole about threat intelligence coming from the vendor community. It is another case of my thingy is bigger than your thingy. Rick highlights a number of questions you should challenge vendors with to figure out what is real. But my favorite is “How have you specifically leveraged threat intelligence in your offerings?” You would be surprised how much some of these companies invest in ‘research’ which they don’t really use in products. Additionally, I expect a wave of standalone threat intelligence to emerge over the next year or so, as it becomes more palatable to spend real money on data/intelligence to benefit from the misfortune of others. Yes, that means seeing how the person next to you got pwned and trying not to get pwned by the same attack vector. Now I can get back to bashing other analysts. 😉 – MR
5. I’ve got big bytes: Wendy Nather pretty much calls BS on all traditional security adjectives in Is There Any Real Measurement In Monitoring. She has the gall to imply traditional security metrics are all nonsense numbers! Size? Speed? Intelligence? Let me tell you, these numbers are real, and we get consistent results in the lab each and every time we measure them across the outlet of the flux capacitor. Don’t you know we need data to identify the “bad guy”, or that naughtiest of naughty people – the malicious insider – so we must compare all sorts of data, meta-data, and attributes, and mash ‘em up with sooper-quantum non-linear homomorphic regression analysis in a big data cluster, and filter it through a governance and compliance framework. Wendy would have you believe that none of this is meaningful. Let me put your doubts to rest: These measurements are real, and they are very meaningful to the vendors who use them. But their success metrics are a bit different than yours. The vendors are all about increasing total dollars generated by making it sound like their trumped-up data will fix your problems. Just ask and I’ll show you a study about security woodchucks that proves it. – AL