Tonight at sundown the holiday of Rosh Hashanah starts, and Jewish folks all over the world will celebrate the coming of the year 5772. Or so the story goes. But I know better than to discuss politics or religion on the blog. You believe what you believe and I believe what I believe, and it’s all good. But the coming of a new year is a time for reflection and renewal. At least for me.

All in all, it's just another (renewable) brick in the wall...As most of you know from my weekly rants, I have a lot of balls in the air. Starting a business, managing a family, and all the other things that make life in the 21st century pretty complicated. I also have specifically stopped setting goals and I’m working on trying to enjoy the journey without worrying too much about where it leads. I am working on not being limited by what my peer group considers success. And I can say I’m much happier for it.

Notice I didn’t say happy – I said happier. One of my other challenges is actually celebrating accomplishment. I’m trying to rewire my cranium, but it’s hard. I still don’t celebrate enough. So over the next few days, as opposed to focusing on what I’m going to get done over the next 12 months with my head in the future, and then building a list of all the things I want to accomplish, I’m going to spend some quiet time remembering what I got done over the last year. Yes, it takes me a conscious effort to look in the rearview mirror.

But I need to take some time to smell the roses, or something like that. I hate to say it (for fear of some weird karmic jinx), but it’s been a good year. The kids are doing great, the Boss is in a good place, and so am I. The business is growing nicely (thank you very much), our side projects look very promising (yes, we’ll be unveiling our research product next week), and I can’t speak for Rich and Adrian, but I really enjoy being part of Securosis.

I’m excited about the coming year. Mostly because I’m not sure what will happen. I’ve got a bunch of pretty cool research projects lined up. Stuff I’m looking forward to learning about and documenting. I’ll be getting my fitness regimen back on track and my eating plan has me feeling pretty good. What’s not to be excited about?

I’ll spend Thursday and Friday getting my fill of dogma (that goes with the territory), spending time with friends and family, and taking a step back to enjoy what I’ve done the past 12 months. Then I’ll be back at it on Monday, renewed and focused. There is a lot to do, and some of it will actually get done. As one of my mentors always said, “It’s not a sprint, it’s a marathon.” He was right, but he missed an important nuance of that idea. If you don’t stop and check out the scenery every couple of miles, you miss out on most of the fun.


Photo credits: “Renewal” originally uploaded by Auntie P

Incite 4 U

  1. It’s all about expectations: Failure to manage expectations leads to unhappiness and angst. I’ve probably only written that about a zillion times. Augusto hits this point again, and reminds us that if your control set depends on a perfect scenario, there is a giant FAIL in your future. We can’t depend on executives to be rational (not from a security perspective, anyway), nor can we depend on projects to actually get to the finish line. These are bad assumptions. His points are right on the money. “It’s not just “design for failure”. It’s design around failure. Your network is a mess and it will always be like that, deal with it.” Yup. I’m looking forward to part 2, where he deflates policy and standards stupidity. – MR
  2. Selling security is doing it wrong: I’ve been on a couple vendor calls already this week where I had to explain that if you sell security to security, you can only grow so far, so fast. The real customer is never security, but development, operations, and plain old employees and executives. Cloudflare is an example of a company doing this right. Do they have security? Sure… but they also have analytics and, heck, now they have wiped some of your IPv6 problems off the table. They don’t care if something is security or not, so long as it brings value to their customers and fits their message. It’s a heck of a story and I think we’ll see a lot more of this approach: security as a byproduct – especially in SMB. – RM
  3. Trust at your own risk: I have gotten a couple email requests in the last couple days with dodgy looking PDF files attached. Given the recent OS X trojan, sending me a PDF file makes you suspect. Which is kind of funny, if you think about it, what with it being a universal document format. Supposedly the threat is considered low risk, but it’s really hard to tell what else it leaves behind that might open avenues for future attacks. What has really been worrying me is the Trojan Flash Player. You need to be careful where you get upgrades, and hope the big trusted site you get software from has not been hacked. Supposedly OS X will only install trusted and signed objects, but I don’t think there is any protection from having a pop-up ask for your administrator credentials – all with a nifty flash logo. Be careful what you click on, and be even more careful when you enter administrator credentials. – AL
  4. Wait. What? Security folks are pessimists? Shimmy tries to get us to think a bit more positively about security. He thinks because we have reasonably assured employment and challenging jobs, we should be happy. You know, more half full, less half empty. What if your glass is half full of piss? I guess it’s still half full, right? He’s not wrong. But he’s forgetting that the type of person who can get smacked upside the head all day, every day, probably isn’t the eternal optimist. Folks that get very little positive feedback (congrats, our customer DB didn’t end up in Chechnya today!), and come front and center when the house is burning, may not be able to “take our small wins and build on them.” I’m pleased that Alan has found his inner optimist, and I do think security folks should become less attached to specific outcomes because they are usually bad. But what do you expect abused security pros to do when they get together? Do a River Dance because things are going swimmingly? – MR
  5. Segmentation 101: Database view: With database security everything comes down to compartmentalization. That’s the thrust of Ericka Chickowski’s Dark Reading article Sound Database Security Starts With Segmentation. I am not sure if I should say “Well, duh!”, or reinforce that this is the second concept they teach database students. Honestly, every database security facility is about segmentation, be it views, groups, roles, labels, queries, or schemas. For example, I segment database users from non-database users. I segment database users into specific groups and roles that define what they can do, what they can access/update, and what they get to view. I segment IT administrators from database administrators, and segment DBA job functions into sub-categories as well. I segment schemas to specific applications, and then again with tables and columns only being available to subsets of users of those applications. The freakin’ WHERE clause is an example of segmentation. Yes, of course, database security planning is about segmentation, because database security models are based on segmentation. All database security is based on this principle! Databases serve content. Their first mission is to provide an accurate representation of data. Security is nothing more than deciding who gets to what, and that’s a binary decision process with varying degrees of granularity. But notice that every security decision is based on identity – segmentation only works in combination with identity. – AL
  6. Great minds think alike: Remember when I proposed an SSL early warning system? Well, the EFF went out and built the darn thing. They were clearly working on this before I ever put my post up (or maybe their time machine is operational), and I think it’s awesome to see someone execute some public altruism. I know this won’t solve the SSL problem, but it can surely help us gain a much better understanding of how bad the problem might be. At least if we use the tool, so please go install the HTTPS Everywhere plugin, if you want to participate. – RM
  7. Nothing ever dies, including bush league marketing: Ever since Stiennon gained infamy by pointing out that IDS was dead (even though it wasn’t), every so often you get some half-cocked dimwit trying to say this is dead or that is dead. The latest guilty party is my former employer eIQ, who says 65% of security professionals think SIEM is dead, proven by inviting 10,000 people to fill out a survey. How many responded? Who knows. 5? 10? Does it matter? You can make a spreadsheet say almost everything, so let’s get back to facts. SIEM is not dead, not based on the number of calls I get on it. That’s like saying AV is dead. I guess maybe the relational DB based SIEM of 10 years ago is dying, as every vendor either already has rebuilt or is in the process of rebuilding their back end to deal with more than logs/events. And plenty of folks are frustrated with SIEM, but dead? No shot. But, discouragingly, the echo chamber actually debated this crap. Check out Bill Brenner’s good overview questioning eIQ’s motivations. He’s right on the money. SIEM is changing but it’s not dead and it’s certainly not changing into Unified Situational Awareness. What the hell is that anyway? Guess the buzzword generator has been working overtime… – MR