I’ve had one conversation about 8 times this week:
“Ready for RSA?”
“Not even close.”
“Yeah, figured it would be better since they pushed it out an extra month, but not so much.”
For those who don’t know, the RSA conference is the biggest event in our industry. Usually it’s in February or March, but this year it’s in April. A full extra month to prep presentations, or marketing material for vendors (my end-user friends who aren’t presenting don’t worry about any of this). Plus there are all the community things, like the Security Blogger’s Meetup, our Disaster Recovery Breakfast, and so on.
Seems like we all just pushed everything back a month, and if anything are even further behind than usual. Or maybe that’s just me, a pathological procrastinator.
So I don’t have time for the usual Summary this week. Especially because we have a ton of projects going on concurrently, and I’m about to start bouncing around the country again for client projects. The travel itself isn’t exciting but the projects themselves are. Most of my trips are to help end-user orgs build out their cloud security strategy and tactics. It’s a big change from Gartner, when I never got to roll up my sleeves and dig in deep. The fascinating bit is the kinds of organizations who are moving to cloud (mostly AWS, because that’s where I’m deepest technically). Instead of being startups these are established companies, some quite large, and a few heavily regulated. I knew we’d get here someday, but I didn’t expect cloud adoption to hit these segments so soon.
Mike and Adrian are just as busy as I am, which is why the blog is so slow, but some new projects are about to hit. We’ve also been working on our annual RSA Guide, which you will start seeing pieces of soon. This year our Contributing Analysts wrote a lot of the content.
But hey, we’ve been around 8+ years and still put up multiple blog posts a week, even when things are ugly. So we have that going for us.
Which is nice.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Mike: Disaster Recovery Breakfast 2015 – It’s that time of the year. The best breakfast at RSA. RSVP (please) to rsvp (at) securosis (dot) com.
Other Securosis Posts
- Incite 3/18/2015: Pause.
- Firestarter: Cyber Cash Cow.
- Take Control of Security for Mac Users.
- Be Careful What You Wish For, It’s the SEVENTH Annual Disaster Recovery Breakfast.
- SecDevOps Learning Lab at RSA.
Favorite Outside Posts
- Mortman: Conway’s law revisited – Architectures for an effective IT
- Mike: NCAA Men’s Tournament Forecast: The Parity Is Over. It’s March Madness time. Check out Nate Silver’s thoughts. Because math.
- Mike: Richard Branson shares his 10 favorite quotes about embracing change. Change is constant, which is uncomfortable for many. There are some good tips here to help deal with it.
- Rich: Panda Antivirus Flags Itself As Malware. The title says it all. Can’t make this stuff up.
Research Reports and Presentations
- Security and Privacy on the Encrypted Network.
- Monitoring the Hybrid Cloud: Evolving to the CloudSOC.
- Security Best Practices for Amazon Web Services.
- Securing Enterprise Applications.
- Secure Agile Development.
- Trends in Data Centric Security White Paper.
- Leveraging Threat Intelligence in Incident Response/Management.
- Pragmatic WAF Management: Giving Web Apps a Fighting Chance.
- The Security Pro’s Guide to Cloud File Storage and Collaboration.
- The 2015 Endpoint and Mobile Security Buyer’s Guide.
Top News and Posts
- To prevent another Heartbleed, severe OpenSSL flaw to be patched
- Stealthy, Persistent DLL Hijacking Works Against OS X
- Android apps are now reviewed by Google before you can download them
- Yahoo Previews End-To-End Email Encryption Plug-In
- Responding to Sony Hack, Senate Advances Major Cybersecurity Bill
- Some notes on DRAM (#rowhammer)
Blog Comment of the Week
This week’s best comment goes to Tom, in response to My $500 Cloud Security Screwup–UPDATED.
Great writeup – being able to admit you made a mistake is very hard for some, but we all do, bravo for being up front about it.
AWS (Amazon, in general) has always been really super super reasonable about charges with me – I too have had them reverse a charge (in my case, for Amazon prime that I didn’t really use) that was totally on my own shoulders, without me asking – good on them, it makes me feel very, very comfortable with trusting them to do the right thing. I like to think a big part of it was you posting about this and owning the issue – this is an awesome example of how to handle this sort of situation with integrity and competence.
I suggest the VERY first thing you do with a new AWS account is turn on MFA, make an IAM account, and put the master credentials on a thumb drive in a desk drawer (locked, ideally). Then, use that IAM account to make less-privileged ones, and use those in practice. It is a pain, to be sure, but it is important to lay a good foundation. (I actually have gone further and worked out federated access for our team at work, and ALL credentials that could reasonably be exposed have a very short lifespan – accidentally checked-in creds in code are to our internal auth server, unusable to the real world. It was a pain, but it lets me sleep better.)
You inspire me; I should clean up the federation server and put it out there for others to use.