Research

A while back I got the weird idea that Database Activity Monitoring is useful enough that it would make sense to do the same thing for file repositories. I’m not talking about full DLP – but about granular tracking of user access to major file servers and document management solutions. I added “File Activity Monitoring” to the Data Security Lifecycle and figured someone would develop it eventually. And that day is finally here, and the tech is way cooler than I expected – tying in tightly (in most cases) to entitlement management for some nifty real-time security scenarios. This is pretty practical stuff, with uses such as detecting a user snagging an entire directory and catching service accounts poking around inappropriate files. I am excited to launch our white paper on the topic, Understanding and Selecting a File Activity Monitoring Solution. That’s the landing page, or you can download the PDF directly. Special thanks to Imperva for licensing the report, and I hope you like it. Share:

Queue up the Alice Cooper and get ready. Last Friday was the last day of school for the kids. That means school’s out for summer, and it’s time to get ready for the heat in all its glory. Rich and Adrian live in the desert (literally), so I’m not going to complain about temperatures in the 90s, but thankfully there is no lack of air conditioning and pools to dissipate this global warming thing. There are plenty of things about summer I enjoy, but probably best of all is being able to let my kids be kids. During the school year there is always a homework assignment to finish, skills to drill, and activities to get to. We are always in a rush to get somewhere to do something. But over the summer they can just enjoy the time without the pressure of deadlines. They spend days at camp, then head to the pool, and finish up with a cook-out and/or sleep-over. Wash, rinse, repeat. It’s not a bad gig, especially when you factor in the various trips we take over the summer. Not a bad gig at all. But enough about them – one of my favorite aspects of summer is the fruit. I know that sounds strange, but there is nothing like a fresh, cheap melon to nosh on. Or my favorite desert, cherries. Most of the year, the cherries are crap. Not only are they expensive (they need to fly them in from Chile or somewhere like that) – they just don’t taste great. Over the 3-4 months of summer, I can get cherries cheap and tasty. There is nothing like sinking my teeth into a bowl of cherries at the end of a long, sweaty day. Nom. It’s been said that life is like a bowl of cherries. I’ve certainly found that to be the case, and not because some days are the pits. It’s also that some folks always chase the easy path. You know, getting pre-pitted cherries. Or buying one of those pitting devices to remove the pits. In my opinion that basically defeats the purpose. Over the summer I enjoy moving a little more slowly (though not too slowly, Rich, settle down). And that means I like to enjoy my dessert. It’s not like grabbing a handful of M&Ms and inhaling them as quickly as possible to get to the next thing. It’s about taking my time, without anywhere specific to go. Really just taking a step back and enjoying my cherries. Hmmm. If I think a little broader, that’s a pretty good metaphor for everything. We spend most of our lives snacking on M&Ms. Yes, they are sweet and tasty, but ultimately unsatisfying. Unless you are very disciplined, you eat a whole bag quickly with nothing to show for it. Except a few more pounds on your ass. But I’d rather my life be more like a bowl of cherries. I have to work a little harder to get it done and I’ve learned to enjoy each pit for making me slow down. Although in the summer, my dessert takes a bit longer, in the end I can savor each moment. Not a bad gig at all. There is some food for thought. – Mike Photo credits: “Cherry Abduction” originally uploaded by The Rocketeer Incite 4 U Thinking about what “cyberwar” really means: Professor Gene Spafford wrote a pretty compelling and intriguing thought piece over the weekend about cyber war, whatever that means. One of his main points is that our definition is very fuzzy, and we are looking at it from the rear view mirror rather than through the windshield. Many folks joke about the security industry “solving yesterday’s problems tomorrow,” but Gene makes a pretty compelling point that these issues can impact the global standing of the US within a generation. One of Gene’s answers is to start sharing data about every intrusion right now, and I know that would make lots of us data monkeys very happy. There is a lot in this piece to chew on. I suggest you belly up to the table and start chewing. We all have a lot to think about. – MR Battle for the cloud: So you’ve heard of OpenStack, right? That amazing open source cloud alternative that’s going to kick VMware’s ass and finally bring us some portability and interoperability? Well I’ve spent a few weeks working with it, and have to say it’s a loooonnnnng way from being enterprise ready (long in Internet years, which might be a couple weeks for all I know). It’s rough around the edges, relies too much on VLANs for my taste, and the documentation is crap. On the other hand… it’s insanely cool once you get it working, and the base architecture looks solid. And heck, Citrix is going to use it for their cloud offering, and has already contributed code to support VMware’s hypervisor. Kyle Hilgendorf has a good post over on his Gartner blog about the battle for enterprise cloud dominance. Like Kyle, I’m “optimistically skeptical”, but I do think Citrix has way too much at stake to not offer a viable and compatible alternative to VMWare. – RM Payment pirates: A popular refrain from CEOs I have worked for was they did not want to spend money on training because employees would just leave and take new knowledge with them. They know they don’t own what’s in their employee’s brains, so they view educational investment as risky. Gunnar Peterson pointed out last week that it could be worse – you could not train employees, and have them stay! There is no loyalty between businesses and their employees. Companies replace employees like they were changing a car’s oil filter, paying for new skill sets because they prefer to or because they can’t retain good people. Employees are always looking for a better opportunity, taking their skills to another firm when they feel they can do better. That’s the modern reality. Last time

We get lots of questions about tokenization – particularly about substituting tokens for sensitive data. Many questions from would-be customers are based on misunderstandings about the technology, or the way the technology should be applied. Even more troublesome is the misleading way the technology is marketed as a replacement for data encryption. In most cases it’s not an either/or proposition. If you have sensitive information you will be using encryption somewhere in your organization. If you want to use tokenization, the question becomes how much to supplant encrypted data with tokens, and how to go about it. A few months back I posted a rebuttal to Larry Ponemon’s comments about the Ponemon survey “What auditors think about Crypto”. To me, the survey focused on the wrong question. Auditor opinions on encryption are basically irrelevant. For securing data at rest and motion, encryption is the backbone technology in the IT arsenal and an essential data security control for compliance. It’s not like you could avoid using encryption even if you and your auditor both suddenly decided this would be a great thing. The real question they should have asked is, “What do auditors think of tokenization and when is it appropriate to substitute for encryption?” That’s a subjective debate where auditor opinions are important. Tokenization technology is getting a ton of press lately, and it’s fair to ask why – particularly as its value is not always clear. After all, tokenization is not specified by any data privacy regulations as a way to comply with state or federal laws. Tokenization is not officially endorsed in the PCI Data Security Standard, but it’s most often used to secure credit card data. Actually, tokenization is just now being discussed by the task forces under the purview of the PCI Security Standards Council, while PCI assessors are accepting it as a viable solution. Vendors are even saying it helps with HIPAA; but practical considerations raise real concerns about whether it’s an appropriate solution at all. It’s time to examine the practical questions about how tokenization is being used for compliance. With this post I am launching a short series on the tradeoffs between encryption and tokenization for compliance initiatives. About a year ago we performed an extensive research project on Understanding and Selecting Tokenization, focusing on the nuts and bolts of how token systems are constructed, with common use cases and buying criteria. If you want detailed technical information, use that paper. If you are looking to understand how tokenization fits within different compliance scenarios, this research will provide a less technical examination of how to solve data security problems with tokenization. I will focus less on describing the technology and buying criteria, and more on contrasting the application of encryption against tokenization. Before we delve into the specifics, it’s worth revisiting a couple of key definitions to frame our discussion: Tokenization is a method of replacing sensitive data with non-sensitive placeholders called tokens. These tokens are swapped with data stored in relational databases and files. The tokens are commonly random numbers that take the form of the original data but have no intrinsic value. A tokenized credit card number cannot be used (for example) as a credit card for financial transactions. Its only value is as a reference to the original value stored in the token server that created and issued the token. Note that we are not talking about identity tokens such as the SecurID tokens involved in RSA’s recent data breach. Encryption is a method of protecting data by scrambling it into an unreadable form. It’s a systematic encoding process which is only reversible if you have the right key. Correctly implemented, encryption is nearly impossible to break, and the original data cannot be recovered without the key. The problem is that attackers are smart enough to go after the encryption keys, which is much easier than breaking good encryption. Anyone with access to the key and the encrypted data can recreate the original data. Tokens, in contrast, are not reversible. There is a common misconception that tokenization and format preserving tokens – or more correctly Format Preserving Encryption – are the same thing, but they are not. The easiest way to understand the differences is to consider the differences between the two. Format Preserving Encryption is a method of creating tokens out from sensitive data. But format preserving encryption is still encryption – not tokenization. Format preserving encryption is a way to avoid re-coding applications or re-structuring databases to accommodate encrypted (binary) data. Both tokenization and FPE offer this advantage. But encryption obfuscates sensitive information, while tokenization removes it entirely (to another location). And you can’t steal data that’s not there. You don’t worry about encryption keys when there is no encrypted data. In followup posts I will discuss the how to employ the two technologies – specifically for payment, privacy, and health related information. I’ll cover the high-profile compliance mandates most commonly cited as reference examples for both, and look at tradeoffs between them. My goal is to provide enough information to determine if one or both of these technologies is a good fit to address your compliance requirements. Share:

In the 4 years since I started Securosis, this is absolutely the most bat-sh** crazy time I have experienced. Between cramming for the cloud security training class, managing a software development project, keeping our infrastructure up and running, hitting writing deadlines, and keeping up with prospects and clients, I barely have time to breathe. Add in a couple young kids who have done their best to ensure I don’t get a good night’s sleep at home for the past 6 months… and it’s no wonder I finished last week alternating between passing out and participating in commode-based religion. But I’m loving it. Right now I have the exact same feeling as when I hit the last couple miles in a triathlon. It’s painful. Oh so painful. But the endorphins kick in and you start thinking about life after the race. But now isn’t the time to lose focus. So time to bang this out and move on to the next item on the list. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich contributed Mac Defender: Pay attention but don’t panic to Macworld. Oracle 11G Available On Amazon AWS: Adrian’s Dark Reading post. Favorite Securosis Posts Mike Rothman: Cloud Security Training: June 8-9 in San Jose. If you need to know about cloud security, we’ll teach you. A few spots remain. The curriculum kicks ass. Adrian Lane: Planning vs. Acting. Rich: Sowing the Seeds of Token Panic. Other Securosis Posts End Users, Fill out Our Security Marketing Content Survey. Incite 5/25/2011: Rapturing the Middle Ground. Favorite Outside Posts Mike Rothman: Mac Defender: Pay attention but don’t panic. Love it when a post Rich writes is highlighted on Techmeme and Daring Fireball. Especially when it’s posted on MacWorld. 🙁 But the traffic is well deserved – great perspectives on the next wave of Mac attacks. Adrian Lane: Siemens Downplaying Serious SCADA Holes. Thought they would have taken a lesson from Oracle and Microsoft – I guess not. Chris Pepper: Dilbert deals with [firewall] managment. “Keep me informed.” Research Reports and Presentations React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DBQuant). Network Security in the Age of Any Computing. The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Network Security Operations Quant Metrics Model. Network Security Operations Quant Report. Understanding and Selecting a DLP Solution. Top News and Posts New version of Mac malware doesn’t require password. Siemens Working On Fix For ‘Security Gaps’ In Logic Controllers. Keys to the cloud castle. The rise of the chaotic actor: Understanding Anonymous and ourselves. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Shack, in response to Planning vs. Acting. Except that i’m not. I’ve been there, and appreciate the whole “water cooler” thing. However, i see way too many security managers who wrap themselves in “governance” and rhetoric. C’mon. I’m not ignorant to understanding the risk and threat landscape. But all talk, and reciting the latest incedible “news story” does … What? Ours is a discipline technical in nature, and relies on technical acumen to fully understand and articulate risk. If your career is built on “water cooler” topics, i’ll likely be reading about your organization in the news in the future. I for one have had enough of the “strategists” with no tactical knowledge or understanding. Share:

It was just a matter of time. After the EMC/RSA breach in March, the clock started ticking relative to the seeds being used to gain access to something important. According to Bob Cringely, that has now happened with a very large US defense contractor having their remote access network compromised. Since it had been a pretty slow news week (how long can we talk about the LinkedIn IPO?), now every beat reporter will write 10 articles on the impact of this new attack. It’s just a matter of time before we see picketing at RSA HQ, demanding new tokens for all. We’ll see the old timers talk about the good old days to time sharing. Security folks will be called before the executive team to discuss the exposure and whether the tokens are still worth a damn. Wash, rinse, repeat. We’ve seen this movie before. Now I don’t have any inside information about this new attack. But the reality of two factor authentication means you need both something you have and something you know. If 2FA is based on an RSA token (and the seeds were stolen), then the attackers have the token. But they don’t have the code (something you have) required to gain access. Unless the device was compromised separately using a different attack, mostly likely a key logger to capture the passcode. The loss of the seed does not compromise your network. But the loss of the seed and the passcode will. That’s an important distinction. Is the inevitable panic justified? Of course not. We are presumably dealing with APT, which means they will get into a network by whatever means necessary. Advanced or not. They got the seeds, and then compromised a device with remote access. Game over. They are in. Let’s just say a company tossed all their RSA tokens and brought in someone else. Guess what? Then the attackers would compromise a device already on the network, taking the 2FA out of play. And that’s really the point. Remember the words by any means necessary. Sure, RSA will likely have to stamp out millions of new tokens. Customers will demand no less. Yes, it will cost them money, but it’s a drop in the bucket for a company like EMC. Yes, issuing new tokens will stop this specific attack vector. But it will not stop this specific attacker. So panic all you want. They are still going to get in. Which underlines the key point in Cringely’s article. “The good news here is that the contractor was able to detect an intrusion then did the right things to deal with it.” We’ve been talking about reacting faster and better for years. Significant network and system monitoring, and if you are specifically a targeted organization, network full packet captures are not options anymore. What should you do? Use the panic to your advantage. These are some pretty good data points to push through the funding for that full packet capture gear or a new network/systems monitoring service, eh? Or maybe the application white listing technology for those devices with access to critical stuff. Whatever the specific controls you need to add, strike while panic is cresting. Now that’s what I call making lemonade out of a bunch of lemons. Photo credits: “Panic!” originally uploaded by Memphis CVB Share:

The sun rose today. As it has every day for a couple billion years. Though plenty of people thought they would not be around on Sunday for the sunrise. Yes, I’m talking about the Rapture. Either it didn’t happen or we all got left behind, which is fine by me – I still have stuff to do. You may think the whole concept is wacky, but I’m the last guy to criticize someone else’s beliefs. What you believe is your business. I’m certainly not going to try to convince you I’m right. Especially about matters of faith. But the Rapture preacher didn’t consider that he could be wrong. He dug in and didn’t leave any wiggle room. That didn’t work out very well. His followers awoke Sunday, confused and flabbergasted. Some haven’t paid their bills. Others took fancy vacations with money they didn’t have, figuring it would be the bank’s problem and they’d be laughing from heaven. These folks didn’t have a contingency plan. But you have to hand it to the preacher. He’s a true believer with a flexible and robust calendar. Some may snicker about the lunacy of the whole thing, but that misses the point. The real lesson is that even if you are a true believer you need to leave your options open. Even if you know you are right, it’s probably a good idea to think through the unfathomable scenario that you could be wrong. I know, it’s hard. None of us want to believe we are wrong, especially folks of conviction and passion. But in the face of overwhelming evidence (like waking up on Sunday) that you are indeed wrong, you need to be able to move forward. This remains a challenge for me too, by the way. I think in a pretty binary fashion. Right and wrong. Good and evil. Black and white, with very little gray. Though the gray area is increasing, which is kind of predictable. When you are young, you haven’t screwed up enough things to believe you could be wrong. Over time, you gradually realize not only your own limitations, but also that right/wrong is an interpretation. Now do a little homework to start using this lesson in practice. Look back to your last 2-3 arguments. Did you leave yourself an out? Did you respond poorly because you had no choice but to defend your position to the bitter end? Did you need to fall on your sword to save face? I’m all for taking a position and defending it passionately, but 20+ years in the salt mines have taught me to find the middle ground. Because most likely the sun will rise tomorrow, and you need to move forward. – Mike Photo credits: “Caught up in the rapture” originally uploaded by Analogick Incite 4 U Target Practice: Life is about relationships. Pretty deep but true. Whether you are talking about family, friends, colleagues, even people you don’t like, your reality is based upon the relationships you have with these folks. That’s true in security as well, as Chris Hayes points out. There is a good quote here: “IT and business executives are craving value-add from information risk management functions.” Which is true, so how can you add this value? By defining success and then delivering it. It’s not your definition of success – you need to agree with other folks on what security can do to further business objectives. Find the target. Hit the target. Then tell folks you hit the target. Easy as pie. – MR Hostage Situation: A Venafi study finds admins could hold data hostage from their employers if they chose to withhold encryption keys and passwords. To which I have to say “Well, duh!” Not everyone in an organization will have control over pieces of critical infrastructure, but you have to trust someone, so place control in the hands of a select few. This variety of insider threat rarely materializes, but is especially damaging when companies over-leverage key management solutions (so, for example, every key in the organization is stored in a single key server) or fail to implement separations of duties for key management. If you are worried about this type of scenario there are several things you can do: keep a master key stored off-premises so you can regenerate and rotate the working keys if an admin goes rogue. Think about separating duties for key management, so no single admin can take control of the key manager functions. Use different key servers for different applications or functions, minimizing the scope of potential damage. Do better background checks on your admins prior to employment, and have better employee departure processes to make sure all credentials and access points are changed as part of the termination process. Or maybe treat your employees better so they don’t get too pissed off – yeah, that last one’s probably not going to happen. – AL There is no control for stupid: A fact that is mostly glossed over by security folks is that all the technical controls in the world can’t protect a stupid user with access. That’s the point of George Hulme’s story, and it’s a good one. Yes, we have to make it hard for user stupidity to bring down valuable systems – hat’s what technical controls are for. But we also need to anticipate some number of self-inflicted wounds, and be able to quickly respond and recover. That’s what Reacting Faster and Better is all about. So whether it’s a human FAIL, technical FAIL, or an attacker that kicks your butt, it’s all the same in the end. You need to handle the issue. – MR Unless you are the lead dog, the scenery never changes: I love that concept. Most folks spend their life looking at someone else’s backside. Which is fine – not everyone can lead. But what does it mean? We all have our own ideas, but Bejtlich’s post defining Five Qualities of Real Leadership clarified a lot of the stuff

We got great response to our Categorizing FUD post. Obviously many of you are as frustrated with marketing idiocy as we are. So let’s band together to prove to the vendor community that some of their security marketing tactics hurt them more than they help. We put together a little survey to get your opinions on the value of a number of different kinds of marketing content, to help understand how you use these tools and whether these tactics negatively impact your perception of the vendors using them. With this analysis, we can go back to the vendors and poke them in the eye about the stupid stuff they do. If you want your opinion heard, and are an end user, please head over the survey and fill it out. It should take less than 10 minutes. Although we have no way to enforce this, we’d prefer only folks directly involved in buying security products for end user organizations respond to the survey. The questions are structured to help understand how these different content types impact perception of vendors, which is why the survey is more appropriate for end users. Direct link: http://www.surveymonkey.com/s/SecurityMarketingContent Thanks for your help. Share:

You might have noticed I haven’t been blogging much for a couple months. That’s because I’m spending nearly every waking hour on our training class for the Cloud Security Alliance. This is a pretty big deal for us and I’m psyched it’s almost finished. The class is the Cloud Computing Security Knowledge course, tied to the CCSK certification. I just checked, and we have about 10 slots left for the first full class we’ll be giving June 8-9 at the eBay North campus. You can sign up online. This version is evolved and seriously revised from our February test class at RSA. Actually, it is now three classes: CCSK Basic: A one-day lecture to cover the core material and prepare you for the CCSK exam. This is close to what we delivered at RSA, a firehose of material on all things cloud security – from defining the cloud, to encryption models, to IAM. CCSK Plus: This includes the first day, then adds a day of additional lecture and hands-on activities. This is what’s killing my time, and where we get into the meat of cloud security. We start with threat models, move into creating and securing EC2 instances (and understanding the EC2 security model), encrypting EBS volumes, building an application infrastructure with availability and security zones, building an OpenStack cloud, IAM, and so on. It’s designed so you don’t need to be a tech god, but there’s room to explore for those of you with stronger skills who don’t want to get bored. And be honest: how many of you have installed MySQL in an encrypted EBS volume? Train the Trainer: Yes, you can get certified to teach the class yourself (note that you’ll need to sign an agreement with the CSA). This is a third day to go into more depth, including walking through all the scripts and tech used in the class, how to set up your instructor system, and deeper Q&A on the material. The class is pretty broad, but we do get as in-depth as we can in the limited time. And not to worry, we’ll be hitting the road with it soon, and we know a bunch of training organizations will also be picking it up. Share:

I’m all for thought leadership. Folks driving our security thinking and activities forward benefit from it. Josh Corman is one of those leaders. He’s a big thinker – he can suspend disbelief and reality long enough to envision a different outcome, and make his points with passion. I’m also all for action. As a CEO I worked for once told me, “Nothing gets done until someone sells something to someone.” In security that means at some point the controls have to be implemented, the flanks monitored, and the attacks defended. Dave Shackleford gets things done. Quickly. He thinks fast. He talks fast. He’s always moving. He’s like the Tasmanian Devil. These two got into a Tweet ‘fight’ (whatever that means) last week over Josh’s CSO article The Rise of the Chaotic Actor, Understanding Anonymous and Ourselves. Dave sat down long enough to bang out a response, Less Talk, More Action. I had nothing better to do on a flight home, so why don’t we investigate the gray area between them. Some aspects of both their positions make sense to me. And some don’t – depending on agenda and perspective. Josh is an analyst. He’s not hands-on anymore. If he hacks anything, it’s in his spare time, which I know is limited. We analysts cannot spend 60% of our time fixing things like Dave. There is too much pontificating to do. We have to influence behavior by writing thought provoking pieces to shake folks out of their day-to-day misery, into thinking a bit more strategically and broadly. That’s what Josh’s piece was about. He makes the case that, once again, our adversaries’ motives are changing – to defend against them we need to understand the new reality. But Dave has a good point too. Time spent obsessing about how to defend against a collective like Anonymous is time not spent on more active work, such as patching systems, training users, and implementing new controls. Shack points out that if we could spend 10% more time doing things, we probably wouldn’t be quite so screwed. And we are screwed, as the fine folks at Verizon Business point out every year in their DBIR. As usual, the truth is somewhere in the middle, depending on who you are and what you are responsible for. You don’t always think strategically, and you can’t always be doing things. Dave did toss that into his post. Security architects need to understand the current threats and how to evolve defenses. Those folks need to pay attention to Josh. For them, the chaotic actor is important. But there are many more practitioners doing poor jobs on fundamentals. A lot more. No matter the size of their company, these folks suck at security. They can’t even walk, so asking them to ponder the dynamics of running a world class 200m race is stupid. That’s Dave’s point. These folks need to fix the steaming piles of their security programs before they worry about Anonymous, or anyone else for that matter. A script kiddie can take them down, so a nation state is off the radar. As usual, when you push a targeted message like Josh’s widely – such as through CSO Magazine – you are bound to annoy people. When Dave gets annoyed he tends to fire with both barrels, which I certainly appreciate. I know someone like that. To be clear, most folks working on security should spend more time letting Dave teach them the fundamentals, rather than having Josh expand their viewpoints. I think that was Dave’s point. My point is that it’s up to you to understand whether you should be thinking strategically or tactically at any given moment. There are times and places for both. Fail to recognize your situation and choose the right response, and you will become just another statistic on Kushner and Murray’s survey. You know, the one tracking the average tenure of security folks. Share:

I stumbled on my last employer’s shutdown plans while rummaging around my old email archives. Those messages were from today’s date 3 years ago – not coincidentally the day Rich and I began to discuss me joining Securosis. At milestones like this I tend to get all philosophical and look back at the change, and what I like and dislike about the move. How do I feel about this change in my career? Where are we as a company, and is it anywhere near what we planned? I had no idea what an analyst really did – I just wanted to help people understand security technologies and be involved much more broadly than just database security. I kinda thought I was getting out of the startup game, but Securosis has the feel of a startup – the freedom to follow our vision, the pressure to focus on what’s most important, the agility in decision making and long hours. But it also feels like people appreciate our take on what analysts can be, which makes me think we have a shot at making this little shop a success. Personally, leaving 20+ years of pure technology roles was a big leap. Actually I had no single role – any day it may include architecture, product strategy, development, design, evangelism, and team management. But being able to cover a dozen areas in security – and the independence to say whatever I think – gives me a lot of satisfaction. And I love doing research. Unfortunately the single biggest detriment of the job – and it’s a big one – is writing. It’s what I spend the majority of my day doing, and it’s quite possibly my worst skill. I find writing to be a slow and painful process. It’s common to go two days without writing anything substantive, followed by a single day where I get crank out 15 pages. That’s nerve-racking when you have deadlines – pretty much every day. I never had this problem coding – why the English language causes me problems that neither C nor Java ever did remains a mystery. Learning how to write better is one of the more painful processes I have been through. And for those of you who sent me hate mail early on – one of you called me ‘Hitler’ for atrocities against the English language – you are totally correct. A-holes, but still right. From a business standpoint, if there is one singularly important difference you learn when moving from technology to an analyst role, it is perspective. A vendor’s view of what a customer needs is usually off the mark. Vendors do a lot of searching for the ‘secret sauce’, and constructing very logical arguments for why their particular product is needed – even a ‘must have’. But logical vendor arguments are usually wrong and don’t resonate with customers because they fails to account for the limitations faced by businesses. Customers each work within a set of existing constraints – some mixture of perfectly logical and perfectly absurd – which binds them to a specific perspective and approach to problem solving. I constantly hear vendors say, “Everyone should do X because it makes sense,” to which customers say nothing at all. This is even harder for startups with innovative technologies. How do you know the difference between “Customers just don’t get it yet” and “This innovative product will never be adopted”? The evangelism to educate the market is tough, and it’s easy as a vendor to close your ears to negativity and bad press because they are just part of the evolutionary process. The ability to shine a light on these messaging and strategy issues, and realign companies with customer requirements, is a big part of the value we provide. Vendors are so busy spinning – and get so used hearing to ‘No’ for both good and bad reasons – that they lose perspective. I’ve been there. Several times, in fact. For whatever reason customers tell analysts stuff they would never tell a vendor. I get to see a lot of the inner workings of IT organizations, which has been very educational – and unexpected. Three years later I find I have two great business partners, I get to interact with extraordinary people, and I work on cool projects. I do really love this job. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted on Database Security. LonerVamp expands on Adrian’s SIEM: Out with the Old. Adrian quoted on BeyondTrust acquisition of Lumigent. Adrian’s Dark Reading Post on Secure Access to Relational Data. Favorite Securosis Posts Mike Rothman: BeyondTrust Acquires Lumigent Assets. Hindsight is 20/20, and there are lots of lessons in the failure of Lumigent. Adrian Lane: VMware Buys Shavlik: One Stop Shop for Virtual Infrastructure? Especially the bit on patch consistency with VMs in storage. David Mortman: Defining Failure. Rich: SIEM: Out with the Old. Other Securosis Posts Incite 5/18/2011: Trophies. Defining Failure. Cybersecurity’s RICO Suave: Assessing the Proposed Legislation. Favorite Outside Posts Mike Rothman: What I Wish Someone Had Told Me 4 Years Ago. Great post on being an entrepreneur. Ultimately a large part of success is just doing something. This lesson applies to almost everything. Adrian Lane: Marcus Ranum and Gary McGraw talk about software security issues. Gary has deep experience so his perspective is interesting. David Mortman: Attacking webservers via .htaccess. Pure awesomeness Project Quant Posts DB Quant: Index. NSO Quant: Index of Posts. NSO Quant: Health Metrics–Device Health. NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS. NSO Quant: Manage Metrics–Deploy and Audit/Validate. NSO Quant: Manage Metrics–Process Change Request and Test/Approve. Research Reports and Presentations React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DB Quant). Network Security in the Age of Any Computing. The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Top News and Posts More from Krebs on Point of Sale Skimmers Dropbox Fires Back. And I think they are