Like many of you, I spend a lot of time sitting on my butt banging away at my keyboard. I’m lucky that the nature of my work allows me to switch locations frequently, and I can choose to have a decent view of the world at any given time. Whether it’s looking at a wide assortment of people in the various Starbucks I frequent, my home office overlooking the courtyard, or pretty much any place I can open my computer on my frequent business travels. Others get to spend all day in their comfy (or not so comfy) cubicles, and maybe stroll to the cafeteria once a day.

I have long thought that spending the day behind a desk isn’t the most effective way to do things. Especially for security folks, who need to be building relationships with other groups in the organization and proselytizing the security mindset. But if you are reading this, your job likely involves a large dose of office work. Even if you are running from meeting to meeting, experiencing the best conference rooms, we spend our days inside breathing recycled air under the glare of fluorescent lights.

Panther Falls, GA

Every time I have the opportunity to explore nature a bit, I remember how cool it is. Over the long Memorial Day weekend, we took a short trip up to North Georgia for some short hikes, and checked out some cool waterfalls. The rustic hotel where we stayed didn’t have cell service (thanks AT&T), but that turned out to be great. Except when Mom got concerned because she got a message that my number was out of service. But through the magic of messaging over WiFi, I was able to assure her everything was OK. I had to exercise my rusty map skills, because evidently the navigation app doesn’t work when you have no cell service. Who knew?

It was really cool to feel the stress of my day-to-day activities and responsibilities just fade away once we got into the mountains. We wondered where the water comes from to make the streams and waterfalls. We took some time to speculate about how long it took the water to cut through the rocks, and we were astounded by the beauty of it all. We explored cute towns where things just run at a different pace. It really put a lot of stuff into context for me. I (like most of you) want it done yesterday, whatever we are talking about.

Being back in nature for a while reminded me there is no rush. The waterfalls and rivers were there long before I got here. And they’ll be there long after I’m gone. In the meantime I can certainly make a much greater effort to take some time during the day and get outside. Even though I live in a suburban area, I can find some green space. I can consciously remember that I’m just a small cog in a very large ecosystem. And I need to remember that the waterfall doesn’t care whether I get through everything on my To Do list. It just flows, as should I.


Photo credit: _”Panther Falls – Chattahoochee National Forest”_ – Mike Rothman, May 28, 2016


Security is changing. So is Securosis. Check out Rich’s post on how [we are evolving our business](

We’ve published this year’s _Securosis Guide to the RSA Conference_. It’s our take on the key themes of this year’s conference (which is really a proxy for the industry), as well as deep dives on cloud security, threat protection, and data security. And there is a ton of meme goodness… Check out the [blog post]( or download [the guide directly (PDF)](

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. [You can check it out on YouTube.]( Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


## Securosis Firestarter

Have you checked out our video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

* May 31 — [Where to Start?](
* May 2 — [What the hell is a cloud anyway?](
* Mar 16 — [The Rugged vs. SecDevOps Smackdown](
* Feb 17 — [RSA Conference — The Good, Bad and Ugly](
* Dec 8 — [2015 Wrap Up and 2016 Non-Predictions](
* Nov 16 — [The Blame Game](
* Nov 3 — [Get Your Marshmallows](
* Oct 19 — [re:Invent Yourself (or else)](
* Aug 12 — [Karma](
* July 13 — [Living with the OPM Hack](
* May 26 — [We Don’t Know Sh–. You Don’t Know Sh–](
* May 4 — [RSAC wrap-up. Same as it ever was.](


## Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our [Heavy Feed via RSS](, with our content in all its unabridged glory. And you can get [all our research papers]( too.

### Evolving Encryption Key Management Best Practices

* [Part 2](
* [Introduction](

### Incident Response in the Cloud Age

* [In Action](
* [Addressing the Skills Gap](
* [More Data, No Data, or Both?](
* [Shifting Foundations](

### Understanding and Selecting RASP

* [Integration](
* [Use Cases](
* [Technology Overview](
* [Introduction](

### Maximizing WAF Value

* [Management](
* [Deployment](
* [Introduction](

### Shadow Devices

* [Seeing into the Shadows](
* [Attacks](
* [The Exponentially Expanding Attack Surface](

### Recently Published Papers

* [Building a Vendor (IT) Risk Management Program](
* [SIEM Kung Fu](
* [Securing Hadoop](
* [Threat Detection Evolution](
* [Building Security into DevOps](
* [Pragmatic Security for Cloud and Hybrid Networks](
* [EMV Migration and the Changing Payments Landscape](
* [Applied Threat Intelligence](
* [Endpoint Defense: Essential Practices](
* [Monitoring the Hybrid Cloud](
* [Best Practices for AWS Security](
* [The Future of Security](


## Incite 4 U

1. **Healthcare endpoints are sick:** Not that we didn’t already know, given all the recent breach notifications from healthcare organizations, but they are having a tough time securing their endpoints. [The folks at Duo provide some perspective on why.]( It seems those endpoints log into twice as many apps, and a large proportion are based on leaky technology like Flash and Java. Even better, over 20% use unsupported (meaning unpatched) versions of Internet Explorer. LOL. What could possibly go wrong? I know it’s hard, and I don’t mean to beat up on our fine healthcare readers. We know there are funding issues, the endpoints are used by multiple people, and they are in open environments where almost anyone can go up and mess around with them. And don’t get me started on the lack of product security in too many medical systems and products. But all the same, it’s not like they have access to important information or anything. Wait… Oh, they do. Sigh. — MR

1. **Insecure by default:** Scott Schober does a nice job outlining [Google’s current thinking on data encryption]( and the security of users’ personal data. Essentially, for the new class of Google’s products, the default is to disable end-to-end encryption. You do have the option of turning it on, but Google still manages the encryption keys (unlike Apple). Their current advertising business model, and the application of machine learning to aid users beyond what’s provided today, pretty much dictate Google’s need to collect and track personally identifiable information. Whether that is good or bad is in the eye of the beholder, but realize that when you plunk a Google Home device into your home, it’s always listening and will capture and analyze everything. We now understand that at the very least the [NSA siphons off all content sent to the Google cloud](, so we recommend enabling end-to-end encryption, which forces intelligence and law enforcement to crack the encryption or get a warrant to view personal information, even though this removes useful capabilities. — AL

1. **Moby CEO:** It looks like attackers are far better at catching whales than old Ahab. In what could be this year’s CEO cautionary tale (after the Target incident a few years back), an [Austrian CEO got the ax because he got whaled to the tune of $56MM]( Yes, million (US dollars, apparently). Of course if a finance staffer is requested to transfer millions in [$CURRENCY], there should be some means of verifying the request. It is not clear where the internal controls failed in this case. All the same, you have to figure that CEO will have “confirm internal financial controls” at the top of his list at his next gig. If there is one. — MR

1. **Tagged and tracked:** It’s fascinating to watch the number of ways users’ online activity can be tracked, with just about every conceivable browser plug-in and feature minable for user identity and activity. A recent study from Princeton University called [The Long Tail of Online Tracking]( outlines the who, what, and how of tracking software. It’s no surprise that Google, Facebook, and Twitter are tracking users on most sites. What is surprising is that many sites won’t load under the HTTPS protocol, and degenerate to HTTP to ensure content sharing with third parties. Also surprising is the extent to which tracking firms go to identify your devices — using AudioContext, browser configuration, browser extensions, and just about everything else they can access to build a number of digital fingerprints to identify people. If you’re interested in the science behind this, the post links to a variety of research, as well as the [Technical Analysis of client identification mechanisms]( from the Google Chromium Security team. And they should know how to identify users (doh!). — AL

1. **Why build it once when you can build it 6 times?** I still love that quote from the movie Contact. “Why build it once, when you can build it twice for twice the price?” Good thing they did when the first machine was bombed. It seems DARPA takes the same approach — they are evidently [underwriting 6 different research shops to design a next generation DDoS defense]( It’s not clear (from that article, anyway) whether the groups were tasked with different aspects of a larger solution. DDoS is a problem. But given the other serious problems facing IT organizations, is it the most serious? It doesn’t seem like it to me. But all the same, if these research shops make some progress, that’s a good thing and it’s your tax dollars at work (if you pay taxes in the US, anyway). — MR