Research

Every year Mike, Adrian, and I get together for a couple days to review our goals and financials, and to make plans for the next year. This year we scheduled it in Denver, and by an amazing coincidence Jimmy Buffett was in town playing. Really. I promise. Total coincidence. I have been to more than my fair share of shows (and have to write this Summary on Wednesday because I will be at another show Thursday in Phoenix), but it was Mike’s first and Adrian’s second. Needless to say, a good time was had by everyone except Mike’s stomach. I warned him about the rum-infused gummy bears. 2013 was kind of a strange year for us. It looks like we grew, again, but a lot of it was shoveled into Q4. All three of us are running all over the place and cramming on projects and papers, hoping our children and pets don’t forget what we look like. I even thought about skipping our planning, but setting the corporate strategy is even more important than our other projects. I went into this trip with an open mind. I knew I wanted to change things up a bit next year, but not exactly how. In part to do more direct end-user engagement, but also to allow me to continue my more in-depth and technical cloud and Software Defined Security work, which isn’t necessarily easily dropped into licensed papers and webcasts. We actually came up with some killer ideas that are pretty exciting. I don’t know if they will work, but I think they hit a sweet spot in the market, and fit our skills and focus. It’s definitely too early to talk about them, and they aren’t as insane as building a new software platform, so launching won’t be a problem at all. We are going to hold back until January to start releasing because we need to finish the current workload and do the prep for the new shiny endeavors before we can talk about them. And this is a great situation to be in. I just spent two days hanging with two of my closest friends and my business partners, catching a Buffett show and planning out new tricks for our collective future. I’m tired, and my brain is fried, but as I go back to the grindstone of the road and writing, I not only get to finish my year with some cool research, but I get to start planning some even more exciting things for next year. Not bad. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich presenting on changes in the crypto landscape, October 30th. Favorite Securosis Posts Mike Rothman: The Great Securosis GitHub Experiment. That Mogull guy. Always pushing the envelope on openness and transparency. Interesting idea to use Github to manage feedback on our papers. Will be interesting to see if it works… Rich: Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust. I spent last week in crypto training and this paper is darn interesting. Adrian: Incite 10/23/2013: What goes up…. David Mortman: Don’t Cry Over Spilt Metrics Other Securosis Posts Security Awareness Training Evolution: Quick Wins. Favorite Outside Posts Mike Rothman: Dan Geer’s Tradeoffs in Cyber Security talk. Dan Geer spoke. Dan Geer is awesome. Read. It. Now. And that’s all I have to say about that. Adrian Lane: iMessage Privacy. Regardless of whether you agree with Apple’s strategy, the post is a very educational look at security and how attackers approach interception. David Mortman: How to lose $172,222 a second for 45 minutes. Gal Shpantzer: Why the Sistrunk ICS/SCADA vulns are a big deal. Research Reports and Presentations Firewall Management Essentials. A Practical Example of Software Defined Security. Continuous Security Monitoring. API Gateways: Where Security Enables Innovation. Identity and Access Management for Cloud Services. Dealing with Database Denial of Service. The 2014 Endpoint Security Buyer’s Guide. The CISO’s Guide to Advanced Attackers. Defending Cloud Data with Infrastructure Encryption. Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment. Top News and Posts Apple and Adobe sandbox Flash in Safari on OS X 10.9. Google%20launches%20new%20anti-DDoS%20service%20called%20’Project%20Shield’ Apple iMessage Open to Man in the Middle, Spoofing Attacks. Yes and no, and I wish I wasn’t traveling so much and could clarify how this appears to be overstated. Technically Apple could man in the middle, but it isn’t something random employees can do, nor do I think Apple would do it without a massive legal threat from the NSA or equivalent, which they would probably fight. Not that it couldn’t happen… Blog Comment of the Week This week’s best comment goes to DS, in response to Incite 10/23/2013: What goes up…. We’ve known for years (or should have known if we read the research) that security breaches don’t impact stock value. This is a trap many security folks find themselves in because they don’t understand their business, or business at all, so they use the most obvious and coarse metric of business impact. … The impact from a breach is complex and cannot be measured by one factor. There are fines and penalties. There are negative perceptions which can be leveraged against you (I can’t say how many sales calls I got from RSA competitors after their breach), there is lost productivity from having to divert resources to deal with customer complaints, there is lost focus on strategy while execs try to deal with the press requests and client enquires. RSA’s breach cost around 100M if you believe the press. This is 100M not spent on developing new products or landing new customers, but instead spent preserving their base and protecting SecureID. This is not 100M well spent. Share:

Our man Gunnar starts a recent post with: Security Metrics crying need is for metrics that serve others, outside of info sec. Then he proceeds to talk about the need to develop appropriate metrics for constituencies outside of security – including developers, DBAs, Q/A folks, and Operations. Given his application-centric view of the world, those folks clearly need to understand security and have metrics to evaluate effectiveness, posture, etc. I have lots of conversation with senior security folks who are similarly perplexed about how to communicate value via metrics to another reasonably important set of influencers: Senior Management. It’s not an easy problem to solve, and there are no generic answers. I can’t just give you a list of metrics and send you on your way, because the metrics need to be meaningful to your business. Not another person’s business, but yours. And that means you need to understand your business and its critical success factors, and communicate your value through the PRISM (no pun intended…) of that view. Photo credit: “don’t cry over spilled milk” originally uploaded by Joel Montes Share:

  Every so often I realize how spoiled I am. Sure, I am more aware of my good fortune than many, but I definitely take way too much stuff for granted. My health is good. I do what I like (most days). My family still seems to like me. I provide enough to live a pretty good lifestyle. It’s all good. I don’t have much to complain about. The fact that one of my biggest problems is that my favorite NFL teams are a combined 3-10 is a good thing, right? You get spoiled when your favorite teams are competitive at the end of the season and usually make the playoffs. New England fans know what I mean. So do Pittsburgh and Baltimore fans. When the team doesn’t perform up to expectations (like this year’s Falcons), it’s jarring. You dream of Super Bowl fairies in August, then lose half your starting team to injuries, and by October you are making alternative plans for Divisional weekend. So when the NY football Giants got their first win on Monday night, I heaved a major sigh of relief. Having watched a bunch of their games, I had legitimate concerns that they wouldn’t win a game all season. Seeing them beat up hapless Minnesota didn’t really allay my fears too much. The G-men aren’t a very good football team right now, and face a significant rebuild over the next few years. Oh well, that’s the way it goes in the NFL. In baseball and basketball, the soft salary cap just means owners have to pay a tax to buy a competitive team. And that’s what some owners do year in and year out. But that’s not an option in the NFL. The cap is the cap, and that means tough decisions are made. Great players are let go. And what goes up for a little while (usually on the shoulders of a franchise QB) inevitably comes down. Parity is great, until your team is on the wrong side. It will be interesting to see how teams with younger QBs – like the 49ers, Seahawks, Redskins, and Colts – manage their salary caps once their QBs start getting $20MM a year and eating up 15-20% of the cap. These teams can stock up now on expensive players while their QBs are cheap, but won’t be able to in 2-3 years. They will need to make tough decisions. What goes up, eventually comes down. At least in the NFL. Then there are teams that don’t seem to ever come up. Jacksonville hasn’t been competitive for a decade. Detroit has been to the playoffs once in like 20 years. St. Louis is in the same boat. And I won’t even mention Cleveland. These long-suffering fans should be applauded for showing up and being passionate, even where there isn’t much to cheer about. So I’ll keep the faith. I know all NFL teams have off years, and my teams do things the right way to produce winning seasons more often than losing ones. I’ll let go of the Super Bowl fairy this year, and I’ll be able to enjoy the rest of the season with reasonable expectations. Which is probably how I should be treating each new season anyway. Nah, forget that. Without chasing the Super Bowl fairy, what fun is it? –Mike Photo credit: “IZ NOT AKKCIDENT” originally uploaded by Aaron Muszalski Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Security Awareness Training Evolution Quick Wins Focus on Great Content Why Bother? Defending Against Application Denial of Service Introduction Newly Published Papers Firewall Management Essentials Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U If business users don’t care… We are screwed as an industry. Daniel Miessler works through a thought experiment, wondering what would happen if business users realized that getting hacked doesn’t necessarily affect company value. Wouldn’t it be logical from a shareholder perspective to minimize security spend and maximize profit? To be clear, lots of organizations already do this, but I doubt it as a conscious decision not to be secure. Daniel evaluates Apple, Adobe, and the granddaddy of high-profile breaches, TJX – and finds no negative impact from those breaches. Awesome, but we already knew that in a recession people choose cheap underwear over security. It is an interesting concept, and over the long term I believe the impact of breaches is far overblown. But what about in the short term? I’m not sure market value is the best determinant of short-term value – it’s a long-term metric. Instead I would rather try to understand the impact on short-term revenue. Do customers defer deals or reduce spending in the immediate aftermath of a breach? That would be a much more interesting analysis. And I guess we should say a few thank-yous to China and compliance, which are still the engines driving security. – MR Techno two-fer: I have taken to calling big data the new normal for databases. One architectural theme I see over and over again for security analysis is the two-headed cluster: Hadoop for analytics and Cassandra/Splunk/Mongo for fast references or lookup. Consider this today’s take on normalization and correlation. Rajat Jain has a very good illustration of this concept with Lambda Architecture for batch data, which balances fast lookup against historic views of data. A batch layer – often Hadoop – computes views on your data as it comes in, and a second parallel high-speed processing layer – in this case Storm – constantly processes the most recent data in near-real-time. This enables the system to

In the first two posts of this series we suggested that any security awareness training program needs to be focused on the proper outcomes and driven by great content. Let’s not forget the unassailable truth that the success of any security initiative is based on building momentum and making demonstrable progress early in the deployment cycle. This is not only the case for projects that involve implementing shiny boxes to block things. With a program as visible as security awareness training, with success criteria not necessarily directly attributed to training efforts, the need for a Quick Win is more acute. Especially given the likely pushback from employees duped by attack simulations. But let’s not put the cart before the horse. Buy in You don’t get to roll out new and updated content without getting the organization to buy into the need to revamp any security awareness training initiatives. Selling the training program internally involves making a case for the payback of the investment in training curriculum, services, and employee time. The best way we have found to make this case involves leveraging attack and breach data that is reasonably plentiful. Start with data on the types of attacks that result in compromised devices (available from the myriad of breach reports hitting the wires weekly), and position the value of the training around the reality that the majority of delivery methods for weaponized exploits involve social engineering. From there you can look at the potential economic impact of those attacks – in terms of lost data, compliance fines, and direct incident response and/or disclosure costs. Compare to the costs of improving training, and the case for investing in training should come clear. Don’t stop justifying with direct cost savings from reducing successful attacks – point to operational benefits as well. These include an improved malware detection as well as accelerated incident response from having employees versed in security and attack vernacular. Security-savvy employees can tell you what they clicked on, which websites they visited, and why they believe they have been compromised – facilitating triage and root cause analysis. And don’t be bashful about using information from your own organization. If any of your employees have been compromised due to tactics directly taught in the awareness training (such as phishing messages), you can make the case that the impact of attacks (including clean-up costs) could be reduced by more effectively training employees. Baseline Once the organization is on board you should be able to demonstrate the ongoing value of the program. So you need to figure out where you are right now. You should run a relevant sample of your employees through the qualification tests and/or simulations to gauge where they are before the training starts. This will provide a baseline for comparing future results and tracking metrics against. Of course there is always the fortuitous happenstance that your sample of employees could perform exceptionally well in the baseline tests, reducing the urgency for better security awareness training content. This would be a good problem to have. But we have been doing this a long time, and we cannot pinpoint many (or any) examples of being pleasantly surprised by employee security knowledge, but there is always a first time, right? More likely you will see the seriousness of your situation, and get a renewed understanding of the importance of moving the training program forward decisively and quickly. Low Hanging Fruit The good news is that in the absence of a formal (or effective) security awareness training program, initial improvement is likely to be obvious and significant. You can pretty much count on employees starting with very little security knowledge, so a little training normally makes a big difference. Getting the quick win is about making sure you take the baseline and improve upon it right away. That’s not a particularly high bar, by the way. But it builds momentum and gives you some leeway to expand the program and try new techniques. Be careful not to squander that momentum, or leave ongoing improvement up to chance. You know the old adage: failing to plan means you are planning to fail. So you should think about a broader and more strategic program to deliver on your security awareness training program. The Virtuous Cycle of Training Success Your program needs to acknowledge and address the fact that most students (of anything) rarely understand and retain key concepts during initial training. Don’t simply assume that security awareness will be any different. So let’s consider a logical process which provides a number of opportunities to expose employees to the material, to increase the likelihood of retention. Initial Training: As we described in the last post on content you are looking for great content that will be current, compelling, comprehensive and fun, while providing a catalyst for behavior modification. Competition: A good way to get the most value from the initial training and ongoing efforts is to establish contests and other means to get your employees’ competitive juices flowing. Awarding prizes, using incentives to reward employees for doing the right thing and competing effectively, gives them a reason to practice their new security skills and awareness. Reinforcement: Whether it is a matter of additional training based on the results of a periodic simulation or test, re-qualification required every quarter or bi-annually forcing re-engagement with the content, a monthly newsletter, or all of the above, you want security to be top-of-mind (at least not out-of-mind), which requires a number of opportunities to reinforce the training content with employees. Updates: The dynamic nature of security, with its constantly changing attack vectors, isn’t normally viewed as a positive, but when looking for opportunities to reinforce the messages of security training that dynamism provides an important opportunity. You need to retrain employees on new attack vectors as they develop. This provides another opportunity to go back to the fundamentals and hammer again on security basics. Lather, rinse, repeat: We pointed out in the Introduction that the only way to fail

Hey everyone, As you know, we try to make our research process as open and transparent as possible. We know any research that ends up with a vendor logo on it somewhere is viewed with justified skepticism, so our goal is to combat that perception of bias with radical transparency. For the past 6 years or so, since I started the company, we have handled that with blog comments, and by requiring even vendors who license the content to submit feedback via the site. That has worked well but the world keeps evolving beyond blogs. As an experiment I just posted my latest draft paper on GitHub. You can view the Executive Guide to Pragmatic Network Security Management on GitHub. It helps that we write all our papers in Markdown, and GitHub is very Markdown friendly. I will try to use this to both collect comments and keep everyone up to date as we edit the paper. This is also a much better mechanism than blog comments for people to suggest exact changes, although that does require becoming a bit familiar with GitHub. This is truly an experiment and I could definitely use your feedback. I will still post the paper in pieces as we normally do, but if you are up for checking it out, please give GitHub a shot. Share:

I have been taking a lot of end-user calls on compliance lately. PCI, GLBA, Sarbanes-Oxley, state privacy laws, and the like. Today I was struck by how consistently these calls are more challenging than security discussions. With security users want to address a fairly well-defined problem. For example “How do we stop our IP from leaving the organization?” or “How can we protect users from phishing?” or “How do we verify administrator activity?” These discussions are far easier because of their much narrower scope, both in terms of technical approach and user perception of how they want to deal with the problem. With compliance I often feel like someone dropped a dead cow at my feet. I don’t even know where to start the conversation – it is not clear what the customer even wants. What can or should I do with this giant steaming pile of stuff that just landed on me? What matters to you? Which compliance mandates are in play, what are your internal policies, and what security do you have that actually work for you and what do not. I always ask whether the customer just wants to get compliant, or whether they are actually looking to improve security – because it matters, and you cannot assume either way. Even then, there are dozens of avenues of discussion – such as data-at-rest protection, data-in-motion, application security, user issues, and network security issues. There are many possible approaches such as prevention vs. detection, monitoring vs. blocking, and so on. How much staff and budget can you dedicate to the problem? Even if the focus is on something specific like GLBA, often the customer has not even decided what GLBA compliance means, because they are not sure whether the auditor who flagged them for a violation is even asking for the right controls. It is a soupy mess, and very difficult to have constructive conversations until you set ground rules – which usually involves focusing on a few critical tasks and then setting the strategy. So I guess what I learned this week is to approach these conversations more like threat modeling in the future. Break down the problem down to specific areas, identify the threats and/or requirements, and then discuss two or three relevant approaches. Walk them through one scenario and then repeat. After a few iterations a clear trend of what is right for the specific firm emerges. Perhaps start with how to secure archives, then move on to how to secure disk files, how to secure database files, how to secure document server/sharepoint archives, and so on. In many cases the best solution is suddenly apparent, and provides a consistent approach across the enterprise which works in 90% or better of cases. It becomes much easier when you examine the task in smaller pieces, looking at threats, and providing the customer with the proper threat responses. Trying to “eat the elephant” is not just a bad idea during execution – it can be fatal during planning too. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich presents changes in the crypto landscape October 30th. Mike quoted by George Hulme in CIO on security spending. Mortman on a podcast about security and privacy, and the Internet of Things. Mike’s presentation on Vulnerability Management. Rich quoted on hacking car computers. Adrian’s recorded Cloud IAM webcast series. Adrian Quoted on Big Data Security Analytics, liking it. Adrian Quoted on Big Data Security Analytics, not liking it. Favorite Securosis Posts Mike Rothman: The Week in Webcasts. We have been a bit of the suck on blogging lately. But it’s because a bunch of work is going on which you don’t necessarily see. Like webcasts and working with our retainer clients. So I pulled a copout to highlight a fraction of our recent speaking activity. You missed these events, but check out the recordings. We pontificate well. Rich: Mike’s post on millennial in security.. I hate that term, and this isn’t about that particular generation, it’s about anyone younger than you. Those damn kids. Adrian Lane: Building Strengths. Fan of this methodology, and no surprise mine are similar to Mike’s: Relator, Activator, Maximizer, Strategic, Analytical. David Mortman: Reality Check for Millennials Looking at Security. Other Securosis Posts Security Awareness Training Evolution: Focus on Great Content. Why a vBulletin Exploit Matters to Enterprise Security. Summary: Age is wasted on the… middle aged. Firewall Management Essentials [New Paper]. Friday Summary: October 4, 2013. Favorite Outside Posts Mike Rothman: Spy-shy: Mugger thwarted by ‘NSA intern’ on Capitol Hill. Talk about quick thinking and having a security mindset. A lady in the process of being mugged told the assailant she worked for the NSA and her phone is bugged and tracked. That was enough to get the perpetrator to make haste away from her. Who thinks of that? Totally awesome. Rich: Wade Baker on the kind of data we need in breach disclosures. Yup. Adrian Lane: Adrian Cockcroft on High Availability. It is the opposite of normal – each time I read a blog post by or interview with Adrian Cockcroft, I learn something new. David Mortman: Making Systems Operable. Research Reports and Presentations Firewall Management Essentials. A Practical Example of Software Defined Security. Continuous Security Monitoring. API Gateways: Where Security Enables Innovation. Identity and Access Management for Cloud Services. Dealing with Database Denial of Service. The 2014 Endpoint Security Buyer’s Guide. The CISO’s Guide to Advanced Attackers. Defending Cloud Data with Infrastructure Encryption. Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment. Top News and Posts NSA Director Alexander Admits He Lied about Phone Surveillance Stopping 54 Terror Plots. If secrecy, misdirection and counter-intelligence is part of your job description, isn’t lying a given? Attackers in Asia compromise data for nearly 150k in California. Software Firm Breached, 60k records stolen. Freedom Of The Press SecureDrop. Could also be an interesting NSA honeypot. How To Defend Against Backdoor Access. Schneier’s history lesson is interesting. Oracle Releases Critical Java Patches Breach at PR

  As we come back to the Security Awareness Training Evolution series after our two-week hiatus, let’s revisit some of the key issues described in the introduction. We made the case that for liability, compliance, and even security reasons you can’t really decide not to train your users about security. Of course you could, but it would be counterproductive – you need to be realistic, and accept that you cannot reach every employee and employees do stupid things. But you can reach some, if not most, and reaching those folks will minimize the number of issues you have to clean up. Of course balancing how much to time and effort to spend on security awareness training is a company-specific decision which depends on the sophistication of your employee base, the kinds of adversaries you face, and your organizational culture. Regardless of how much time and effort you spend and which techniques you use, if your security awareness training content is poor it will be wasted effort. This post will tackle the issues around developing (or buying) great content – as they say, “Content is king!” Let’s start by defining great content. Here is a list of some key requirements: Behavioral modification: The training content needs to work. You should be managing to outcomes, and your desired outcome for training is that employees learn what not to do (and subsequently don’t do it), so if behavior doesn’t change for a reasonable percentage of employees, the content is ineffective. Current: Security is a dynamic environment, so the training materials need to be kept up to date. Yes, you still need to tell the employees about vintage 2009 attacks because you will still see those. But you also need to train them to defend against the latest and greatest attacks, because those are what they are most likely to see. Comprehensive: Captain Cliche reminds you that security is only as strong as the weakest link. Employees need to be prepared for most everything that will be thrown at them. It is neither realistic nor feasible to turn normal employees into security professionals, but they can understand the major attack vectors and develop a ‘Spider-Sense’ so they are aware of attacks as they happen. They won’t be able to defend against attacks you don’t train them on. Compelling: Most employees don’t really know what’s at stake, so they don’t take the training seriously. We are not fans of trying to scare employees or playing Chicken Little, but they need to understand the consequences of data breaches. It’s really just a matter of integrating a few stories and anecdotes into the training materials to make the attacks a bit more real, humanizing attacks and taking them from theory to reality. Fun: Boring content is boring. If employees don’t enjoy the training materials they will shut down and do just enough to pass whatever meaningless test you put them through. They will forget what they learned as soon as they leave the room. As corny as it may seem, no fun usually means no (or little) learning. Most folks have short attention spans. Optimize your content in small chunks, typically 3-5 minutes for some kind of lecture, or an exercise that can be completed in that kind of timeframe. The gluttons for punishment in your employee base may want to blast through 5-10 chunks at a time, but give folks the option to get through a lesson during a quick break. That way they don’t have to totally disrupt the flow of their day to get training. Weigh the effectiveness of video compared to a presentation deck with a talking head. Stories are more effectively told through video, and your training materials need to tell a story about the importance of security and how to defend against attacks. Gamification Two of the key requirements for better content are compelling and fun, so the shiny new concept of ‘gamification’ should come into play. Maybe it’s not actually new – many of your younger employees were probably taught to type by Mavis Beacon. Now academia is catching on, and a number of studies show that adding competition and gaming concepts to learning dramatically increases retention and value. One organization we have worked with pits its business units against each other for the fewest infections per quarter. The BU with the lowest number each quarter gets possession of a $100 trophy, and the company takes the contest very seriously. It turns out business leaders want to win, whatever the game is. To be clear, this isn’t really an educational ‘game,’ but it is competition to get the right outcome for the organization, thus minimizing infections. And nothing gets everyone on board faster than senior management making it clear they want to win. In terms of structuring content within the context of a game, here are a couple ideas to ponder: Levels: Humans love to achieve things and to feel that sense of accomplishment. If your training involves multiple levels of content within the materials, and employees need to qualify to proceed to the more advanced lessons, they will be pushed to advance their skills to attain the next level. Points: Depending on the nature of the training you can award points for better or faster results/performance. Again, human nature is to collect an increasing amount of things for that sense of accomplishment. Scoreboard: If you will award points for proper outcomes, you might as well highlight the best performers to recognize employees doing exceptionally well, and to drive others to compete. Penalties: No one likes to lose what they have gained, so you could take points away from an employee if they don’t complete the next level (or at least go through the next lesson) within a certain amount of time. Knowledge erodes over time, so you want to have the employees complete the materials as quickly as possible and then reinforce the material soon after. And that’s just the tip of the iceberg. You could design (or license)

Evidently security as an industry does a crappy job at generating interest within kids today. How are we going to fill the massive skills gap we face, if we can’t get students interested in security from an early age. Right? RIGHT? No. Wrong. Incorrect. False. And every other negative word I can think of to describe how bad an idea it is to try to get kids excited about security early on. Not that we don’t have a massive skills gap. We do. Not that we shouldn’t be doing more to educate kids about security. We need to do that too. But I have seen far too many young people flock to security because of the sheer number of job opportunities. They aren’t with us long. In fact they hate it. They get seduced by the siren call of good vs. bad. Of fighting attackers and outsmarting adversaries. And then they learn what security is really about. How most of the time the bad guys are long gone by the time you find out and this happened. About the joys of making firewall changes and patching systems in the middle of the night. As they advance, maybe they learn the fandango you need to dance with senior management and the auditors. Selling young people an idealized vision of security doesn’t do anyone any good. It sets a false expectation and creates disappointment. That doesn’t mean I think we can just hope young people of the right personality type and talent magically end up in security. Hope is not a strategy. We should be espousing the cool things young people can do in technology. Especially young girls – the gender gap is obvious and needs to be addressed. In order to do security effectively, you need a deep understanding of technology anyway. Let them start there. And then, if they have the competence and personality to do security, grab them. I was facilitating a roundtable of CISOs earlier this week, and one of them talked about how much success he has had with interns. We all wondered where he found them and which program produced the most capable candidates. He said he doesn’t deal with the interns initially. He gets to know them once they start their internship. He spends time with the high potential folks and tells them the real deal about security. And a portion of them are interested and he hires them when he can. It works. But glamorizing an unglamorous job will not help us. It just puts you in a position where you have to train a bunch of folks, only to have them later realize security isn’t for them. Photo credit: “I hate my job” originally uploaded by Mike Monteiro Share:

Back when I managed people (and yes, it seems like a lifetime ago), I subscribed to the Gallup management concepts. Productivity is based on employee engagement, and employees are much more engaged when they are doing things they are good at. The book First, Break All the Rules was eye-opening – I have spent my entire career to date trying to make my weaknesses less weak, and not trying to improve my strengths. So I took Gallup’s original StrengthsFinder test and discovered back in 2002 that my top 5 strengths were Strategic, Input, Achiever, Command, and Focus. So my attempts to start a technology company at that point made a lot of sense. Those are the skills you’d like an early stage CEO to be strong int. But looking back at my subsequent experiences as VP Marketing for a number of companies, it is not surprising I wasn’t happy or particularly successful, given the different skills required for that position. The initial data gathering/learning phase of my VP Marketing jobs played to my ‘input’ strength. And building communications and product plans were great for my ‘strategic’ capabilities. But everything else about the job, including the day to day grind, the whac-a-mole of managing PR and lead generation programs, and the challenge of keeping high-strung sales folks happy, didn’t play to my strengths. Not at all. As I mentioned last week, recently hitting the likely halfway point of my life got me thinking. I believe I am a different person than I was back in 2002. Life and the inevitable road rash you acquire do that to you. I wondered how much my strengths had changed. So I took the new version of StrengthsFinder – and lo and behold, 3 out the 5 were different. Now my top 5 strengths are Strategic, Relator, Achiever, Activator, and Ideation. Keeping strategic and achiever weren’t surprising – I have always been like that. Nor was being an activator, which is someone who starts projects and gets things moving. Likewise ideation goes hand in hand with my strategic bent and allows me to come up with a number of different ideas for how to solve problems. All these fit well with my chosen occupation as an independent analyst. Without a firm grasp of strategy and a bunch of creative ideas, my value is limited. My activator and achiever talents make sure things get done, especially powered by a lot of coffee. But the relator talent surprised me. The description of this talent is: “People who are especially talented in the Relator theme enjoy close relationships with others. They find deep satisfaction in working hard with friends to achieve a goal.” Huh. Close relationships? Really? My internal perception of myself has always been as a standoffish introvert who doesn’t really care about people. In fact, I tell stories about how I shouldn’t be working with people, which is why having partners on the other side of the country is perfect. But now that I think about it, I enjoy nothing more than rolling up my sleeves and getting to work with people I respect and like. One of the key criteria for anyone wanting to become a Securosis contributor is whether we like to drink beer with them. These folks aren’t just my colleagues – they are my friends. I can see why this makes sense (for me) now, and how it makes me better at what I do. Best of all, I have a gig which allows me to play to my strengths. It’s not like I had an evil plan to find a career that highlights my talents. I stumbled into research when I was in my early 20’s. But 20+ years later, I can appreciate my good fortune. –Mike Photo credit: “Lifting heavy weight, I am the power man. originally uploaded by snow Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Security Awareness Training Evolution Why Bother? Defending Against Application Denial of Service Introduction Newly Published Papers Firewall Management Essentials Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U The limo job: If you can’t get in through the front door, you might as well come in through the limo service. At least that’s the tactic taken by the APT to get into Kevin Mandia’s stuff. It turns out they probably used real intelligence officers to discover Kevin’s preferred limo company, broke in, then sent him a fake receipt with a malicious payload. That’s some ingenious hacking and requires some boots on the ground. Obviously a guy as well-trained as Kevin will smell something fishy when he gets a receipt for a trip he didn’t take. But you have to wonder what else are they looking at? He knew becoming the public face of exposing Chinese hacking activity would have repercussions, and now I guess we are seeing them. – MR Not all leaks sink the boat: A while ago we did some work with a client who was worried about an impending source code leak (no, you don’t know about it – it’s not that one in the news). They were trying to figure out the best way to handle it from both a PR and IR standpoint. These guys had their stuff together, and went through an intense process to protect both customers and their brand. (No, it wasn’t Symantec – they flubbed it). Adobe is living that nightmare right now, and boy did the Wall Street Journal miss the mark in their trolling for clicks. Losing source code doesn’t necessarily correlate to increased customer risk. To

On Tuesday – that’s tomorrow for you working this Columbus day – Gunnar Peterson and I will be taking about API gateways with Intel’s Travis Broughton. We will run this webcast as an open discussion, and focus on the practical questions and issues of using API gateways. Our goal is to focus on end-user questions we have been getting, so bring your questions too – we plan to be very interactive. You can sign up here: API Gateways: Where Security Enables Innovation. On Wednesday at 9am Pacific, I will also be finishing up the series on Identity and Access Management for Cloud services. This segment will guide you on how to put the implementation strategy together with some vendor evaluation tips, helping you put together a process to help get what you need during selection. You can get the full research paper and the first two recorded webcasts on the Symplified site. And at 10am Pacific Wednesday, Mike Rothman will present on Taking a Hard Look at Your Vulnerability Management Program. In this webcast, Mike will revisit our “Vulnerability Management Evolution” research and discuss how to take a hard look at your VM environment. He will also touch on scenarios where you should consider moving to a new platform. As always, pragmatic and Incite-ful. Share: