Summary: Heads upBy Rich
Last week I talked about learning to grind it out. Whether it’s a new race distance, or plowing through a paper or code that isn’t really flowing, sometimes you need to just put your head down, set a pace, and keep moving.
And sometimes that’s the absolute worst thing to do.
I have always been a natural sprinter; attracted both to sports and other achievements I could rocket through with sheer speed and power. I was horrible at endurance endeavors (physical and mental) as a kid and into my early 20’s. I mean, not “pretending to be humble horrible” but “never got the Presidential Physical Fitness thing because I couldn’t run a mile worth a crap” horrible.
And procrastinating? Oh my. I had, I shit you not, a note in my file at the University of Colorado not to “cut him any breaks” because I so thoroughly manipulated the system for so long. (8 years of continuous undergrad… you make a few enemies on the way). It was handwritten on a Post-It, right on my official folder.
It was in my mid-20’s that I gained the mental capacity for endurance. Mountain rescue was the biggest motivator because only a small percentage of patients fell near roads. I learned to carry extremely heavy loads over long distances, and then take care of a patient at the end. You can’t rely on endurance – we used to joke that our patients were stable or dead, since it isn’t like we could just scoop them off the road (mostly).
Grinding is essential, but can be incredibly unproductive if you don’t pop your head up every now and then. Like the time we were on a physically grueling rescue, at about 11,000’, at night, in freezing rain, over rough terrain. Those of us hauling the patient out were turning into zombies, but someone realized we were hitting the kind of zone where mistakes are made, people get hurt, and it was time to stop.
Like I said before: “stable or dead”, and this guy was relatively stable. So we stopped, a couple team members bunkered in with him for the night, and we managed to get a military helicopter for him in the morning. (It may have almost crashed, but we won’t talk about that.)
It hadn’t occurred to me to stop; I was too deep in my inner grind, but it was the right decision. Just like the problem I was having with some code last year. It wouldn’t work, no matter what I did, and I kept trying variation after variation. I hit help forums, chat rooms, you name it.
Then I realized it wasn’t me, it was a bug (this time) in the SDK I was using. Only when I tried to solve the problem from an entirely new angle, instead of trying to fix the syntax, did I figure it out. The cloud, especially, is funny that way. Function diverges from documentation (if there is any) much more than you’d think. Just ask Adrian about AWS SNS and undocumented, mandatory, account IDs.
In security we can be particularly prone to grinding it out. Force those logs into the SIEM, update all the vulnerable servers before the auditor comes back, clear all the IDS alerts.
But I think we are at the early edge of a massive transition, where popping our heads up to look for alternatives might be the best approach. ArcSight doesn’t have an AWS CloudTrail connector? Check out a hybrid ELK stack or cloud-native SIEM. Tired of crash patching for the next insert pseudo-cool name here vulnerability? Talk to your developers about autoscaling and continuous deployment.
Every year I try to block out a week, or at least a few half-days, to sit back, focus on research, and see which of my current assumptions and work patterns are wrong or no longer productive. Call it “active resting”. I think I have come up with some cool stuff for this year, both in my work habits and security controls. Now I just need time to play with the code and configurations, to see if any of it actually works.
But unlike my old patients, my code and writing seem to be both unstable and dead, so I won’t get my hopes too high.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich gave a webcast on the SaaS security lifecycle for SkyHigh Networks.
- Rich quoted on IoT security. Mostly about the hype.
- Dave Lewis on DDoS Attacks Continue To Rise in Forbes.
Favorite Securosis Posts
- Rich: There’s a lot of hype on threat intel. Mike is doing a great job showing how to actually use the stuff, as in Applied Threat Intelligence: Use Case #2, Incident Response/Management.
- Mike: New Paper: Monitoring the Hybrid Cloud. Adrian and I are ahead of the general market, but if you aren’t thinking about how you will monitor cloud stuff you will be behind the curve (and the 8-ball) before long.
Other Securosis Posts
- Incite 1/28/2015: Shedding Your Skin.
- Applied Threat Intelligence: Use Case #1, Security Monitoring.
- Firestarter: 2015 Trends.
- New Paper: Monitoring the Hybrid Cloud.
- Applied Threat Intelligence: Defining TI.
Favorite Outside Posts
- Mortman: A complete guide to Puppy Bowl XI. Editor’s note: we need to pay more attention to how Mort spends his free time.
- Rich: Glenn Fleishman on the risk and problems posed by Internet connected devices. Yep, major DDoS attacks now rely on thousands of home routers. It’s an interesting (and real) scenario.
- Mike: Security Should Be the Top Driver for DevOps – Stormy makes a great point here: if security is going to be relevant moving forward, we had better grok and integrate these DevOps principles. Period.
Research Reports and Presentations
- Monitoring the Hybrid Cloud: Evolving to the CloudSOC.
- Security Best Practices for Amazon Web Services.
- Securing Enterprise Applications.
- Secure Agile Development.
- Trends in Data Centric Security White Paper.
- Leveraging Threat Intelligence in Incident Response/Management.
- Pragmatic WAF Management: Giving Web Apps a Fighting Chance.
- The Security Pro’s Guide to Cloud File Storage and Collaboration.
- The 2015 Endpoint and Mobile Security Buyer’s Guide.
- Analysis of the 2014 Open Source Development and Application Security Survey.
Top News and Posts
- Matasano overview of the GHOST Glib vulnerability.
- Is The Internet of Things IPv6 Ready?
- What’s In Your Security Logging Solution?
- Sutter Health California Pacific Medical Center audit uncovers data breach.
- Firms may face new $16,500 privacy fines under White House bill.
- iTunes Connect bug logs developers in to other developers’ accounts at random. Off by one errors + cloud services = bad.
- Gitrob – Scan Github For Sensitive Files. The bad guys are – you might as well too.
- Bughunter cracks “absolute privacy” Blackphone – by sending it a text message.