A couple weeks ago we went to see the kids at camp on visiting day. They have so much fun, learn new skills, and grow as individuals at camp – despite being away from the watchful eyes of their parental units. Go figure – let your kids spread their wings, and they do. One of the new skills both XX2 and the Boy tried out was waterskiing. So during visiting day they get to show off for the folks.

So we walk down to the lake, and have a few minutes before the kids get into the water. I sit down in a nice white gazebo next to the lake. Up flies a butterfly to perch on the rail right next to me. It’s basically just staring at me. No fear. No need to go anywhere else. Just hanging out. I bust out my camera and take a few pictures. The butterfly doesn’t move. My dad comes over and takes a few pictures – butterfly still doesn’t move. I don’t think much of it, and then we go see the kids ski. XX2 even gives us a wave as she motors on by. The Boy does get up on the skis. For about 4-5 seconds. Guess he can work on that some more next summer.

Then I was at Black Hat last week, and it was crazy how much the conference has changed over the past 5 years. The hallway booths are now an exhibit hall. The audience is much larger, and now a bunch of senior security folks show up as well. It reflects the crazy growth of the security business. Though it seems many hands-on practitioners still attend, which is the key to maintaining the show’s value.

During my meetings at Black Hat I was constantly talking about the change that is coming to security. We have been thinking a lot about what the future of security looks like, and we have some ideas. We will be right on some things, and wrong on others. But things will change. That much I can guarantee.

On Monday we put the kids back on the bus for another year of school. Lots of change happening at school as well. The twins are now broken up into 4 groups this year, with different teachers to specialize by subject. And there is a new principal in the elementary school, so no telling what else will change.

Then I can reflect on my own physical and mental evolution over the past few years. Lots of change there too. You seeing a theme here? The only constant is change.

Then the butterfly from visiting day flew back into my consciousness. Butterflies represent change. Starting life as a caterpillar, molting, and then emerging as a butterfly: a perfect representation of everything. Constantly changing and growing into something new.

You cannot stop change. Just like you cannot force a caterpillar to remain a caterpillar. You can resist but that will not end well. Change always wins. So embrace it. Lean into it. Don’t fear it. Treat every change as an opportunity to grow. Because that’s what it is…

–Mike

Photo credit: “Butterfly eye – canon 550d” originally uploaded by @Doug88888

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

• July 22 – Hacker Summer Camp
• July 14 – China and Career Advancement
• June 30 – G Who Shall Not Be Named
• June 17 – Apple and Privacy
• May 19 – Wanted Posters and SleepyCon
• May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling
• May 5 – There Is No SecDevOps
• April 28 – The Verizon DBIR
• April 14 – Three for Five
• March 24 – The End of Full Disclosure

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

The Security Pro’s Guide to Cloud File Storage and Collaboration

• Additional Security Features
• Core Security Features
• Overview and Baseline Security
• Introduction

Leveraging Threat Intelligence in Incident Response/Management

• Quick Wins
• The (New) Incident Response & Management Process Model
• Threat Intelligence + Data Collect = Responding Better
• Really Responding Faster
• Introduction

Trends in Data Centric Security

• Deployment Models
• Tools
• Introduction
• Use Cases

Understanding Role-based Access Control

• Advanced Concepts
• Introduction

NoSQL Security 2.0

• Understanding NoSQL Platforms
• Introduction

Newly Published Papers

• The 2015 Endpoint and Mobile Security Buyer’s Guide
• Open Source Development and Application Security Analysis
• Advanced Endpoint and Server Protection
• Defending Against Network-based DDoS Attacks
• Reducing Attack Surface with Application Control
• Leveraging Threat Intelligence in Security Monitoring
• The Future of Security
• Security Management 2.5: Replacing Your SIEM Yet?
• Defending Data on iOS 7

Incite 4 U

1. If I ran the zoo: Dan Geer provided keen insight on several critical computer-related public policy debates during his keynote at BlackHat last week, and posted his full full talk. On net neutrality he provided the simplest – and sanest – solution I have heard to date. Dan suggests making network carriers choose to be either just a telco passing bits, or an ISP working at the content layer. If they are inspecting content, then they can decide what to throttle (such as Netflix), but that requires accepting liability for content as a “content carrier”. On the other hand, bit pushers neither throttle nor inspect – they just let the content flow. Dan put his considerable intellect to good use, offering a very clear distillation of several policy discussions that will affect our lives for decades, so it is well worth the read. – AL
2. Introducing Fred Uri Dickson: Yes, this guy’s initials are FUD – evidently Fear, Uncertainty, and Doubt continue to sell. At least in tech media. Some cool research surfaced at Black Hat last week, so how did NetworkWorld handle it? The 10 most terrifying security nightmares revealed at the Black Hat and Def Con hacker conferences. Sigh. Double sigh. I mean, really? I don’t know why I expect better from the trade press. It is idiotic on my part at this point. I talk about not having expectations, but as you can see I am still human. I am disappointed that page view whores actually whore for page views. Yeah, I just need to let it go. – MR
3. Boogie Man: When I read articles like someone frying a hairdryer through radio wave interference, my first thought is that people are hacking to learn about the world around them and better understand all the devices they use. That’s cool and liberating. Empowering. Fun. Every kid should know how. To bad the press doesn’t see it that way. They seem to think that hackers are going to kill your children by reprogramming Elmo dolls to act like Chucky, and if we don’t fix security for The Internet of Things, then digital devices will eradicate mankind. Scary. Panic. Fear! But they figured it out: Panic and fear drive page views. Yes they do! A note to those in the security press: before you write your next “Car Hacking could kill millions” story, spend a week reading Hackaday, buy a Raspberry Pi, and build something! It will lend some balance to your story, and you might actually understand how some of this stuff works. – AL
4. Job monogamy? Shack offered an interesting thought balloon on Infosec Monogamy, where he talks about the pros and cons of job hopping in security. Some folks (like me) haven’t had a choice. I am usually asked to go find somewhere else to play. But if you can stay in one job, should you? IMO it comes back to learning and growing. If you want to climb the ladder and be CISO one day, you need to understand the company and the business, so there are advantages to staying in one spot. If you want to be a tech wizard, then see and experience as many sites and skills as you can. There is no single answer, and once you climb the ladder it becomes much easier to move between companies (especially because CISO tenures tend to be short). So I guess my net is that you shouldn’t be scared of jumping to a new gig. And read Shack’s post – he brings up a bunch of good points. – MR
5. Who you calling a paranoid skeptic? I am usually not a huge fan of classifying people and characterizing them into arbitrary boxes. But sometimes you just have to accept reality. WatchGuard’s Corey Nachreiner goes into the general personality of the security professional and comes up with Paranoia + Skepticism. To do security (and get any kind of job satisfaction from it) you need to think about how someone could take advantage of every situation. Is that paranoia? I guess. I view it more as curiosity. It’s there, so how can I break it? And when you job is to protect things (not just in security) you need to be skeptical, so I buy that. Perhaps I would prefer “curious skeptic”. At the end of the day security is not for everyone, and as the industry grows, the more closely we can profile the kinds of folks who are more likely to be successful, the better we will do overall. That doesn’t mean people who don’t neatly fit our box cannot do the job. But folks with certain personality characteristics are more likely to be successful. And there I bust out the old software engineering parable: “If you can’t fix it, you might was well feature it…” – MR