I’m spent after the RSAC. By Friday I had been on for close to a week. It’s nonstop, from the break of dawn until the wee hours of the morning. But don’t feel too bad – it’s one of my favorite weeks of the year. I get to see my friends. I do a bunch of business. And I get a feel for how close our research is to reflecting the larger trends in the industry.

But it’s exhausting. When the kids were smaller I would fly back early Friday morning and jump back into the fray of the Daddy thing. I had very little downtime and virtually no opportunity to recover. Shockingly enough, I got sick or cranky or both. So this year I decided to do it differently. I stayed in SF through the weekend to unplug a bit.

I made no plans. I was just going to flow. There was a little bit of structure. Maybe I would meet up with a friend and get out of town to see some trees (yes, Muir Woods was on the agenda). I wanted to catch up with a college buddy who isn’t in the security business, at some point. Beyond that, I’d do what I felt like doing, when I felt like doing it. I wasn’t going to work (much) and I wasn’t going to talk to people. I was just going to be.

Turns out my friend wasn’t feeling great, so I was solo on Friday after the closing keynote. I jumped in a Zipcar and drove down to Pacifica. Muir Woods would take too long to reach, and I wanted to be by the water. Twenty minutes later I was sitting by the ocean. Listening to the waves. The water calms me and I needed that. Then I headed back to the city and saw an awesome comedian was playing at the Punchline. Yup, that’s what I did. He was funny as hell, and I sat in the back with my beer and laughed. I needed that too.

Then on Saturday I did a long run on the Embarcadero. Turns out a cool farmer’s market is there Saturdays. So I got some fruit to recover from the run, went back to the hotel to clean up, and then headed back to the market. I sat in a cafe and watched people. I read a bit. I wrote some poetry. I did a ZenTangle. I didn’t speak to anyone (besides a quick check-in with the family) for 36 hours after RSA ended. It was glorious. Not that I don’t like connecting with folks. But I needed a break.

Then I had an awesome dinner with my buddy and his wife, and flew back home the next day in good spirits, ready to jump back in. I’m always running from place to place. Always with another meeting to get to, another thing to write, or another call to make. I rarely just leave myself empty space with no plans to fill it. It was awesome. It was liberating. And I need to do it more often.

This is one of the poems I wrote, watching people rushing around the city.

You feel them before you see
They have somewhere to be
It’s very important
Going around you as quickly as they can.
They are going places.

Then another
And another
And another
Constantly rushing
But never catching up.

They are going places.
Until they see
that right here
is the only place they need to be.
– MSR, 2015

Photo credit: “65/365: be. [explored]” originally uploaded by It’s Holly

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and watch it. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and... hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers

Incite 4 U

  1. Threat intel still smells like poop? I like colorful analogies. I’m sad that my RSAC schedule doesn’t allow me to see some of the more interesting sessions by my smart friends. But this blow-by-blow of Rick Holland’s Threat Intelligence is Like Three-Day Potty Training makes me feel like I was there. I like the maturity model, and know many large organizations invest a boatload of cash in threat intel, and as long as they take a process-centric view (as Rick advises) they can get great value from that investment. But I’m fixated on the not Fortune 500. You know, organizations with a couple folks on the security team (if that) and a budget of a few Starbucks cards for threat intel. What do those folks do? Nothing right now, but over time they will expect and get threat intel built into their controls. Why should they have to spend time and money they don’t have to integrate data their products should just use? Oh, does that sound like the way security products have worked for decades? Driven by dynamic updates from the vendor who produces the device? Right, back to the future. But a better future with better data, and possibly even better results. – MR
  2. Backwards: In the current round of vulnerability disclosure lunacy, the FBI detained security researcher Chris Roberts – who recently disclosed major vulnerabilities in airline in-flight WiFi systems – for questioning after exiting a recent flight. What makes this story suspect is that Roberts was cooperating with airlines and the FBI prior to this. He met with both to discuss the issues, so they were fully aware of his findings. From statements it looks like the FBI performed a forensic analysis of the plane’s systems, and given their desire to examine Roberts’ laptop, it looks like this was an attempt to determine whether Roberts stupidly hacked the plane he was on. The disclosure was a month prior, so the FBI could have pulled Roberts prior to boarding, or gone to his office, or even called and asked him to come in – but that’s not what they did. So far as we know, none of the executives who produce the vulnerable WiFi systems have been pulled from their flights; and more troubling, none of those systems were disabled pending investigation prior to Roberts’ flight. If the threat was serious, quietly disabling in-flight entertainment would be the correct action – not a grandstanding public arrest of a guy openly trying to get vulnerabilities fixed. – AL
  3. Even a mindset shift won’t solve the problem: Working through the round-ups of the RSAC 2015, I found some coverage of RSA President Amit Yoran’s keynote. His main contention was that security issues come down to having a change mindset, as opposed to expecting some new widget to solve all problems. I like that message, because I agree that chasing shiny new products and services, seeking a silver bullet, has moved us backwards. Clearly a mindset shift to focus on the people side is necessary, but it’s not sufficient. I think the goal of stopping attackers is a bit misguided, so that’s what we need to shift. It’s about managing loss, not blocking attacks. Some loss is actually necessary, because loss would be too expensive to completely avoid. But how can you find the right balance? That’s the art of doing security. Balancing the value of what’s at risk with the cost to protect it. Feel better now? – MR
  4. Busting the confusion: When the cloud was new some experts told us it was nothing more than outsourced mainframe computing. Lots of rubbish like that gets thrown out there when people don’t fully comprehend innovative or disruptive technology. Such is also the case with DevOps, and Gene Kim’s recent myth-busting article on DevOps makes some great points addressing the big misconceptions I hear frequently. For me his first point is the biggest: DevOps does not replace Agile. DevOps helps make the rest of the organization more Agile. Additionally, the Agile with Scrum development methodology continues to work as before, but with less friction and fewer impediments from outside groups. Sure, automation of many IT and QA tasks into a development pipeline is a big part of that, but focusing on that aspect diminishes the importance of addressing Work in Progress, a bigger source of friction. Gene’s comments are right on the mark and required reading – at least for those of you who don’t take the time to read The Phoenix Project. And yes, you should make that time. – AL
  5. Cheaters. Shocking! It seems a bevy of Chinese anti-virus vendors keep getting caught cheating on effectiveness tests, according to Graham Cluley. I find this pretty entertaining, mostly because anyone who buys an AV product based on the results of an effectiveness test is a joke. Additionally, it seems people forget that China plays business by different rules. They have no issue with taking your intellectual property, because they view it differently. So why would anyone be surprised that they think differently about AV comparison tests? It comes back to something we learned early on: you can’t expect other folks to act like you. Just because you won’t cheat doesn’t mean other folks are bound by the same ethics. You need to understand how to buy these products, and if you’re relying on third-party testing you will get what you deserve. – MR