It is 6:44pm as I write this.
Adrian just left after we recorded our first extended Firestarter/Happy Hour.
The idea was that he would drive down, we would dial Mike in from Atlanta, talk about RSA stuff, Adrian would leave, and I would finish off work.
It was a pretty sweet plan. Right up until some semi rolled over at a major intersection near my house, shutting down both a highway and an arterial surface street. Adrian’s ride was delayed, but the beer wasn’t. My wife was also delayed because she handles daycare pickups (I do dropoffs), but the beer wasn’t.
You see where this is headed?
I had some wonderful pre-RSA things to talk about today. Mostly how I’m finding that in my hands-on research I am pushing beyond the capabilities of some products I am working with. I am asking for API calls that don’t exist and features that aren’t exposed.
And yet. So far I have been mostly able to work around these issues. Oh, your API can’t identify XYZ in AWS? No worries, I can code that up pretty quickly.
To be honest, this is really new territory for me as an analyst and as a developer. In my dev days I mostly stuck to one platform and one database, and learned the lines pretty quickly. As analysts we mostly talk to users and vendors to understand how things work – we don’t really have the resources to get hands-on with products, and even if we did, that wouldn’t reflect operational realities (which is why most magazine/whatever writeups are garbage).
But now with cloud and DevOps I can dig in and explore tools and technologies to an unprecedented degree. I am learning that some of what I’m trying is pushing the limits, and I get to figure out alternative ways of solving the random problem I picked. I won’t lie – this is a blast. Sure, it’s frustrating to hit a technical issue beyond my capabilities, but it is incredibly satisfying when I learn a significant percentage of them aren’t due to personal failures, but instead limitations of what I am working with.
As an analyst that is awesome. There is no better validation that I am on the right track than breaking things, at a fundamental level. And to be honest this is the kind of intellectual curiosity I think defines a security professional. My advantage is that I figured out how to make a living out of writing about stuff, and producing crappy code that could never withstand a production environment. No accountability? Sign me up, baby!
At this pint I should probably mention that I am 5 craft brews in, so… er…. I am not responsible for this Summary. That is all.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Adrian Lane: Deep Dive on Data Security.
- Mike Rothman: Deep Dive on Cloud Security. Rich kills it in his RSA Conference Guide piece on Cloud Security. He understands how all the pieces fit together. Read it – it will be pretty pertinent over the next couple years.
- Dave Lewis: After-School Special: It’s Time We Talked – about Big Data Security.
- David Mortman: RSA Conference Guide 2014 Watch List: DevOps.
- Rich: The (Full) 2014 Securosis RSA Conference Guide. Sure, we write the pieces, but for the past couple years Mike has pulled it together and added some serious awesome with his mad meme skills. He is really the driver who adds the awesome. Even if you already read the posts, you need to check out the PDF. Especially the IDM section – that’s all I will say.
Other Securosis Posts
- Security Analytics with Big Data Research Paper.
- Incite 2/19/2014: Outwit, Outlast, OutRSA.
- Join the Securosis Firestarter Happy Hour: RSA Edition.
- Firestarter: Payment Madness.
- RSA Conference Guide 2014 Deep Dive: Endpoint Security.
- RSA Conference Guide 2014 Deep Dive: Identity and Access Management.
- RSA Conference Guide 2014 Deep Dive: Security Management and Compliance.
- RSA Conference Guide 2014 Deep Dive: Application Security.
Favorite Outside Posts
- Mike Rothman: Wealth Logic founder shares his insights. Pretty much everyone has money pressures one way or another. I really liked this guy’s perspective. This is the money quote: “In other words, the portfolio’s purpose isn’t to produce income, but to be consumed to fuel your life. The goal isn’t to be the richest guy in the graveyard.” Man, that’s good advice.
- Rich: Target hack cost banks and credit unions more than $200 million. These are the kinds of numbers that move the meter.
- Gal: Swiss fighters grounded during hijacking as outside office hours. One of those stories that defies commentary.
- Rich (yup, another one): My hope for the new Cosmos. The original had a profound affect on how I see the world. My kids are probably too young but I will try to force this on them anyway.
Research Reports and Presentations
- Security Analytics with Big Data.
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7.
- Eliminate Surprises with Security Assurance and Testing.
- What CISOs Need to Know about Cloud Computing.
- Defending Against Application Denial of Service Attacks.
- Executive Guide to Pragmatic Network Security Management.
- Security Awareness Training Evolution.
- Firewall Management Essentials.
- A Practical Example of Software Defined Security.
Top News and Posts
- Fix it tool available to block Internet Explorer attacks leveraging CVE-2014-0322
- Shostack’s got a new book on Threat Modeling
- Forbes, Kickstarter breached
- New Whitepaper: Security at Scale: Logging in AWS.
- Iranian hack of US Navy network was more extensive and invasive than previously reported.
- RSA Exhibitor Guidelines that Make You Think…. Behind every line item, there is a story.
- Emergency Adobe Flash Update Handles Zero Day Under Attack.