I remember back in my 20s, when I though my success and wealth were assured. I was a high-flying analyst during the Internet bubble and made a bunch of coin. Then I lost a bunch of coin as the bubble deflated. Then I started a software company, which was sold off for the cash on our balance sheet. Then I chased a few hot startups that got less hot once I got there. None had a happy ending.

Maybe my timing just sucks. Maybe I wasn’t very good at those specific jobs. Probably some combination of the two. But at the end of the day it doesn’t matter. I have reached the conclusion, 15 years later, that success rarely happens quickly. Some outliers get lucky, know a guy at Instagram, and walk away with big bucks in 18 months, but that is rare. You have a slightly better chance of quick startup riches than winning the lottery, and slightly worse odds than getting run over by a semi walking to the corner store.

For every two steps forward, you are likely to take a step and a half back. Sometimes you have a bad day and take 3 steps back. Overnight success is usually 20 years in the making. Conversely, the express train to the mountaintop usually ends with a fall from grace and a mess at the bottom of the hill. Just check out the horror stories of all those folks who won the lottery… and were broke or dead 5 years later. It comes back to sustainability. If the change happens too fast it may not be sustainable, and sooner or later you will be right back where you started. Probably sooner.

Small changes that add up over a long period of time become very substantial. Yes, you learned that in elementary school, or perhaps back when you discovered the magic of compound interest. It seems silly but it does work. Let’s take my weight as an example. I have been in good shape. I have been in bad shape as well. It has been a challenge since I was a kid. When I finally make up my mind to drop some pounds, it’s never a straight line. I lose some. I backslide a bit. I try to have more good days than bad. But if I can stay consistent with small changes the trend continues in the right direction.

It’s all about tracking those trends. At some point I will get my weight to the point where it’s both comfortable and sustainable. The same goes for the size of the business. I’m looking for higher highs and higher lows, which we have been able to achieve over the past four years. If you’re trying to grow at 15% quarter over quarter, that’s probably not sustainable… not for an extended period of time. But having bigger quarters year over year? Achievable. Definitely.

In other words, remember to take the scenic route. If it happens too fast don’t believe it – it’s probably not sustainable. If the trend starts to go against you think differently – what you’re doing may not be working. But don’t be surprised when an instant change vaporizes into thin air. It was never real to begin with…


Photo credit: “November 7 2007 day 27 – Graphs, trends, averages, numbers…” originally uploaded by sriram bala

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Continuous Security Monitoring

Database Denial of Service

API Gateways

Newly Published Papers

Incite 4 U

  1. It’s you: The slippery use of terminology by the NSA, claiming that they only use metadata and don’t search people’s email content, is ludicrous. In the field of behavioral monitoring we use attributes and metadata (e.g., time of day, location, IP addresses of senders and recipients, type of request, etc.) to detect anomalous behavior – not content! All that’s needed is metadata grouped by or linked to a specific attribute, and then scan for behavioral patterns you deem suspicious. Terrorist detected, right? Keep in mind that an attribute – something like your cellphone number, email address, SIM chip ID, or a random ID token – is used as a reference for you. The NSA neither needs nor wants to read your content, or even know your individual identity, until after they have picked a target, because metadata is all you need for behavioral tracking. This word game is complete BS: saying they are not “reading your email” is a red herring. The fact is you, and your actions, are being monitored. McNealy was right all those years ago. You have no privacy. – AL
  2. Pointing the finger at the mirror: Man, Paul Proctor tells the hard truth in No One Cares About Your Security Metrics and You are to Blame. His main point is that senior management asks you for metrics because they have to – not because they want to, or even care. To change this you need to give them information that helps them make better decisions. He then goes through a bunch of metrics that are completely worthless to senior management, including number of attacks and number of unpatched vulnerabilities. Of course Paul doesn’t put any meat into the post because he wants you to become a client, which is fine. There is no free lunch. But I will reiterate a point he makes as well: it’s not that those typical metrics are totally useless. They are quite useful, but only in an operations context. Not to senior management or as success criteria. – MR
  3. Engineers, meet people: I have been harping on security user experience for a while now. For perspective, this is something that goes back to my Gartner days – not inspired by anything recent. Just ask any vendor who has ever done a demo for me. Thanks to Google, we have another great example. Chrome doesn’t even require a master password to access stored passwords. Google is right that a master password is often trivial to circumvent if you have physical access to a system. But as Kevin Poulson reminds them in the article, in the real world casual snooping when you hand someone your laptop for a few minutes is a far more serious security risk, and prevented by even a weak master password. Google’s security engineers went right to the worst case option, rather than adding practical controls for everyday occurrences. That is a bad habit we often have in security. – RM
  4. Does anyone still care about security awareness? If you want to get a room fired up, start talking about security awareness. The grizzled veterans will poop on your head and tell stories about how their folks still click on nasty links, no matter how many times they get trained. Other folks will talk about how their employees threatened a lawsuit after they fell for an internal phishing exercise. But few will talk about success stories because it’s very hard to quantify whether an educated user is less frequently compromised. We are starting to see partnerships between awareness shops and network security companies, and I think that’s a good thing, because I still believe in the benefits of awareness training. But it’s not that the network security guys really care about awareness. They are worried that customers won’t continue to buy boxes because their devices keep getting pwned, even with those fancy sandbox devices sitting on the edge of the network. So they tell customers things will be rosy if they just keep buying hardware and layer on some awareness training. Follow the money, folks. Always follow the money. – MR
  5. RSA’s cyber espionage blueprint: It certainly isn’t getting as much attention as Mandiant’ APT1 report or the VZ DBIR, but there is some good stuff in RSA’s Blueprint (PDF) released July 31. RSA’s FirstWatch team, headed by @WGragido, created this report after a year of effort, comprising “approximately 2400 samples that span 60 different families of Trojans (including first-stage Remote Access Tool (RAT) and second stage backdoors) used in Cyber Espionage campaigns.” This short report (12 pages) breaks out the attack sequence (usually starting with watering hole attacks or spear-phishing, then proceeding to initial foothold and updated malware), which is fairly well-known by now. The rest of the report has some tidbits that may help defenders, split between host changes and network artifacts. Under host changes we see, for example, that 54% of the 2400 samples RSA analyzed had random filenames, while the rest had ‘trojan’ names that mimic popular processes such as Adobe Acrobat (“AcroRd32.exe, adobe_sl.exe, AdobeRe.exe…”). Another metric they reported is that two-thirds of malware was found in a user profile directory (likely due to the level of privilege of the targeted user account), rather than in an administrative directory. RSA says to look for “atypical location” installs in this directory as a way to even the odds for the defense, because “a large percentage of the malware analyzed ran directly out of the user-profile temp directory. Additionally, in some cases malware would run out of the user profile start directory, which would also provide malware survivability after reboot.” The rest of the report focuses on network artifacts, which we will discuss in a future Incite. – GS (Gal Shpantzer)
  6. Microsoft helps responders: For years now Microsoft has had a program to provide early vulnerability information to security vendors so they could prepare detection and prevention tools before Patch Tuesday releases the details. The Microsoft Active Protections Program started off as something of a secret but is now well known (and may have contributed to at least one 0-day exploit, but we won’t go there today). It recently leaked that the US government gets access to these materials, leading some to speculate that the NSA is using it to steal your porn (no, it was about defensive security). Microsoft is now expanding the program and allowing vetted incident responders to sign up. But instead of getting exploit details and proof of concept code, they will get indicators of compromise to help determine whether vulnerabilities are being used. It is threat intelligence rather than vulnerability details, and a great idea. Bravo, Microsoft! – RM
  7. Waiting for biometrics (again): The use of biometrics seems to be misunderstood, and while they are an important piece of a complex ecosystem, you should know that biometrics is not a technology that Can Revolutionize Mobile Payment Security. Biometrics help authenticate a user to a device or an app. They do not do the dozens of other things you need to worry about with mobile payments – including data security, app validation, device validation, NFC security, pricing modifiers such as promo codes, mapping users to online identities and personae, secure communications, and so on. Biometrics are important for their potential to offer a better user experience (no passwords), while helping merchant sites reduce liability (no stored passwords), while at the same time offering greater certainty that the user is who they claim to be – particularly for mobile apps. This revolution will come, but only when users embrace it as a better means of authentication. Don’t hold your breath. – AL