It’s nice that my kids are still at a stage where they don’t want to disappoint me or the Boss. They need our approval and can be crushed if we show even the slightest measure of dissatisfaction in what they do. My ego-centric self likes that, but the rest of me wants them to learn to stop worrying about what everyone thinks and do what they think is right. Of course, that involves having enough life experience to understand the difference between right and wrong.

I know that a 12 (soon to be 13) year old is not there yet. She still has much to learn. I’m happy to share my experiences so she can learn from them. I told the stories about when I was bullied. About how I learned that hard work creates results (with a bunch of luck). I have tried to impress upon her how important it is to surround yourself with people who appreciate the uniqueness we all possess in different ways. And for all I do, the Boss does 10x. All to give the kids a chance to be productive citizens and good people.

If I could teach her even a portion of my experiences over the past (almost) 45 years, she wouldn’t need to go through my angst, suffer my disappointment, or learn the lessons I’ve learned… the hard way. But I can’t. Because kids don’t listen. Maybe they listen or pretend to, but they certainly don’t understand.

How could they understand? Some things you just have to learn for yourself. But hopefully there aren’t tens of millions of people watching as those hard lessons are learned. And hopefully the lesson isn’t documented in video and photos, and doesn’t go viral via more Tweets per second than the Super Bowl.

Yes, I am talking about the fiasco that Miley Cyrus has become. To be honest, I haven’t watched the performance on the MTV VMAs. I can’t bring myself to do it. I’ve seen that movie before. Child star gets too famous too fast, makes too much money, surrounds themselves with too many vultures and predators, gets very very lost, and becomes tabloid fodder. I’ve got November 10 in the Miley rehab pool. And where are her parents to tell her she’s being an idiot? I mean, what do you think Billy Ray was thinking as he watched her performance?

Actually, I don’t care what he was thinking. What would you be thinking if that was your child? It brings front and center Chris Rock’s famous line: “If you can keep your son off the pipe and your daughter off the pole, you’re ahead of the game.” But you still can’t teach kids everything. Sometimes they have to learn hard lessons themselves. And it’s gonna hurt.

Your job is to pick them up. Dust them off. Then help them get back on the horse. But most of all, they need to know that you love them. During the good times and bad. Especially during the bad times…

–Mike

Photo credit: “Bad Teacher” originally uploaded by Sonya Cheney

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Ecosystem Threat Intelligence

• Use Cases and Selection Criteria
• Assessing Ecosystem Risk
• The Risk of the Extended Enterprise

Continuous Security Monitoring

• Migrating to CSM
• The Compliance Use Case
• The Change Control Use Case
• The Attack Use Case
• Classification
• Defining CSM
• Why. Continuous. Security. Monitoring?

Database Denial of Service

• Countermeasures
• Attacks
• Introduction

API Gateways

• Implementation
• Key Management
• Developer Tools

Newly Published Papers

• The 2014 Endpoint Security Buyer’s Guide
• The CISO’s Guide to Advanced Attackers
• Defending Cloud Data with Infrastructure Encryption
• Network-based Malware Detection 2.0: Assessing Scale, Accuracy, and Deployment
• Quick Wins with Website Protection Services

Incite 4 U

1. I get AV’s cufflinks: Great thought-provoking post by Wendy Nather about the marketing-driven evolution of anti-malware technology. Succinctly stated: “what comes after advanced?” Her points are well-stated: no AV vendor merely uses signatures, and it’s all about detection – not necessarily prevention – now. I guess this React Faster stuff might have some legs. Though the best line in the post is “Nobody wants to say antivirus is dead, but let’s just say they’re planning ahead for the wake and eyeing the stereo.” That kind of prevention is obsolete, but as evidenced by the IBM/Trusteer deal, clearly there is a great future (at least from a valuation standpoint) for companies with new-age prevention technology. But what happens when that advanced stuff isn’t differentiated anymore? I guess the marketeers will need to come up with a new term to describe the next shiny object. – MR
2. Tick tock: Dealing with a breach is never a lot of fun. First you need to detect it in the first place, then you need to figure out whether it’s real, what exactly is going on, what was affected, and how. All while containing the incident, keeping as many important things running as possible, and figuring out a recovery strategy. For anything resulting in lost data, it is an unenviable process to work through. Then, if regulated data is lost, there is the eventual breach notification, which senior executives love. Okay, now imagine that you have 24 hours to notify authorities of any breach and get all the details to them within 72 hours. Because if you operate in the EU, that is your new time limit. I’m all for breach notification laws, but that one might be a tad unrealistic. Keep in mind that we still need to see how it is going to be enforced, but you had better get your lawyers cracking on it now. You know, just in case. – RM
3. Growth business: The latest Nilson Report on global card fraud rates is out, and fraud now accounts for 5.22% of all card transactions. In fact, even with card usage up 11.4% YoY, fraud is up 14.6% over the same period. And when you’re talking over $21 trillion dollars in card payments, that 5% is a huge number! It’s good to be a cyber-gangsta. A report like this, showing that EMV (chip and pin cards) is steadily pushing fraudsters to Card Not Present (CNP) and mag-stripe transaction abuse, makes a strong case for EMV in the US. In fact, it looks like EMV has done more to combat fraud than PCI compliance. Go figure. I wonder if the card brands will ever sponsor merchant EMV terminals – like phone companies subsidize smart phones – exchanging some $7 billion in fraud savings every year in order to buy merchants new card swipe terminals? Combined with the PCI exception clause to incentivize merchants, there is a strong financial argument. – AL
4. Action Jackson reaction: Last week, I talked about how malware is not just automatically cracking passwords, but that isn’t the only arms race that attackers and defenders engage in. Current DDoS kits actively look for and work around DDoS mitigations. Action & Reaction. The cycle goes on and on and on and on. Although at some point there will be so much evasive logic in downloaded malware that it will be as bloated and useless as Word and PowerPoint today. Either that or the malware will need to basically include a blacklist of all defenses. And we all know how that worked out for the AV vendors… But there is some sweet irony in a 300mb malware downloader that is out of date before the download even completes. – MR
5. Look busy: The preview of the upcoming changes to PCI DSS guidance (version 3, for those keeping score at home) came out last week, and it has a decidedly less prescriptive feel that previous versions. In terms of line items there is not much surprising or new. They want you to evaluate malware threats because malware is bad. You should also use secure authentication methods because passwords are bad too… mm’kay. The real change appears to be their attempt to get organizations out of the check-box mentality, and promote managing to security objectives (think Six Sigma). That’s great and the right thing to do, but it will be a lot harder for PCI assessors to measure than it is for companies to ‘operationalize’ PCI. PCI-DSS is the low bar for security. Companies that care already do this. Companies that just want PCI-DSS to go away don’t – they will just get and check off a list. Perhaps it’s time to grade PCI on a curve, from 1 to 100, and share those results publicly. Have the PCI Council cover your audit fees if you attain 100% compliance. You want people to strive to be better – incentives are how you do that. But we can’t forget, as Mike says: Security isn’t very good at incentives… – AL
6. Roll your own integration: Taking another crack at a piece Mike covered last week, at the Forrester Blog, Rick Holland has a post calling for more security integration. The post is really close, but a slight miss. Most of it focuses on canned integrations, but in the end he opens up a far more important discussion of APIs. Most vendor integrations kind of suck. Some work well, but it is hard enough to get one product working the way you want – never mind two together. Out-of-the-box integrations are typically very limited due to parity constraints. What I see more of, especially in some larger and more advanced shops, is custom scripts to provided the needed integration. Open APIs – and these days they should be RESTful with a couple SDKs for major languages – open up incredible opportunities for customers to make products do exactly what they need. As a vendor they enable your customers to do it themselves with your API, so you don’t get dragged down a rathole of customization for each client – which they don’t want to pay for and you don’t want to support. – RM