I have always been pretty transparent about my life in the Incite. I figured maybe readers could learn something that helps them in life through my trials and tribulations, and if not perhaps they’d be entertained a bit. I also write Incites as a journal of sorts for myself. A couple times a year I search through some old Incites and remember where I was at that point in my life. There really wasn’t much I wouldn’t share, but I wondered if at some point I’d find a line I wouldn’t cross in writing about my life publicly.

It turns out I did find that line. I have alluded to significant changes in my life a few times over the past two years, but I never really got into specifics. I just couldn’t. It was too painful. Too raw. But time heals, and over the past weekend I realized it was time to tell more of the story. Mostly because I could see that my kids had gone through the transition along with me, and we are all doing great.

So in a nutshell, my marriage ended. There aren’t a lot of decisions that are harder to make, especially for someone like me. I lived through a pretty contentious divorce as a child and I didn’t want that for me, my former wife, or our kids. So I focused for the past three years on treating her with dignity and kindness, being present for my kids, and keeping the long-term future of those I care about most at the forefront of every action I took.

I’m happy to say my children are thriving. The first few months after we told them of the imminent split were tough. There were lots of tears and many questions I couldn’t or wouldn’t answer. But they came to outward acceptance quickly. They helped me pick out my new home, and embraced the time they had with me. They didn’t act out with me, their Mom, or their friends, didn’t get into trouble, and did very well in school. They have ridden through a difficult situation well and they still love me. Which was all I could have hoped for.

Holidays are hard. They were with their Mom for Memorial Day and Thanksgiving last year, which was weird for me. Thankfully I have some very special people in my life who welcomed me and let me celebrate those holidays with them, so I wasn’t alone. We’ve adapted and are starting to form new rituals in our new life. We took a great trip to Florida for winter break last December, and last summer we started a new tradition, an annual summer beach trip to the Jersey Shore to spend Father’s Day with my Dad.

To be clear, this isn’t what they wanted. But it’s what happened, and they have made the best of it. They accepted my decision and accept me as I am right now. I’ve found a new love, who has helped me be the best version of myself, and brought happiness and fulfillment to my life that I didn’t know was possible. My kids have welcomed her and her children into our lives. They say kids adapt to their situation, and I’m happy to say mine have. I believe you see what people are made of during difficult times. A lot of those times happen to be inevitable transitions in life. Based on how they have handled this transition, my kids are incredible, and I couldn’t be more proud of them.

And I’m proud of myself for navigating the last couple years the best I could. With kindness and grace.

–Mike

Photo credit: “Transitions from Arjan Almekinders

Security is changing. So is Securosis. Check out Rich’s post on how we are evolving our business.

We’ve published this year’s Securosis Guide to the RSA Conference. It’s our take on the key themes of this year’s conference (which is really a proxy for the industry), as well as deep dives on cloud security, threat protection, and data security. And there is a ton of meme goodness… Check out the blog post or download the guide directly (PDF).

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

• May 2 – What the hell is a cloud anyway?
• Mar 16 – The Rugged vs. SecDevOps Smackdown
• Feb 17 – RSA Conference – The Good, Bad and Ugly
• Dec 8 – 2015 Wrap Up and 2016 Non-Predictions
• Nov 16 – The Blame Game
• Nov 3 – Get Your Marshmallows
• Oct 19 – re:Invent Yourself (or else)
• Aug 12 – Karma
• July 13 – Living with the OPM Hack
• May 26 – We Don’t Know Sh–. You Don’t Know Sh–
• May 4 – RSAC wrap-up. Same as it ever was.
• March 31 – Using RSA
• March 16 – Cyber Cash Cow
• March 2 – Cyber vs. Terror (yeah, we went there)
• February 16 – Cyber!!!
• February 9 – It’s Not My Fault!

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Evolving Encryption Key Management Best Practices

• Introduction

Incident Response in the Cloud Age

• Shifting Foundations

Understanding and Selecting RASP

• Technology Overview
• Introduction

Maximizing WAF Value

• Management
• Deployment
• Introduction

Resilient Cloud Network Architectures

• Design Patterns
• Fundamentals

Shadow Devices

• Seeing into the Shadows
• Attacks
• The Exponentially Expanding Attack Surface

Building a Vendor IT Risk Management Program

• Ongoing Management and Communication
• Evaluating Vendor Risk
• Program Structure
• Understanding Vendor IT Risk

Recently Published Papers

• SIEM Kung Fu
• Securing Hadoop
• Threat Detection Evolution
• Building Security into DevOps
• Pragmatic Security for Cloud and Hybrid Networks
• EMV Migration and the Changing Payments Landscape
• Applied Threat Intelligence
• Endpoint Defense: Essential Practices
• Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications
• Monitoring the Hybrid Cloud
• Best Practices for AWS Security
• The Future of Security

Incite 4 U

1. Embrace and Extend: AWS is this generation’s version of Windows. Sure, there are other cloud providers like Microsoft Azure and Google, but right now AWS is king of the hill. And there are some similarities to how Microsoft behaved in the early 90s. Do you remember when Microsoft would roll new functions into Windows, and a handful of third-party utility vendors would go away? Yeah, that’s AWS today. but faster. Amazon rolls out new features and services monthly, and inevitably those new capabilities step on third parties. How did folks compete with Microsoft back in the day? Rich reminded me a few months about that these vendors needed their own version of embrace and extend. They have to understand that the gorilla is going to do what they do, so to survive smaller vendors must continually push functionality forward and extend their offerings. Ben Kepes at NetworkWorld asked whether a third-party vendor was really necessary, and then that vendor approached him to tell him their plans to stay relevant. Maybe the small fry makes it. Maybe they don’t. But that dynamic is driving the public cloud. Innovation happens within third parties, and at some point, if it’s a universal requirement, cloud providers will either buy the technology or build it themselves. That’s the way it has always been, and it won’t be different this time. – MR
2. Signatures, exposed: Dan Guido offers a scathing review of the 2016 Verizon Data Breach Report (DBIR here). It’s a bit long but worth the read, as he walks through flaws in the report. In a nutshell, it’s a classic case in overweighting the data you have: signatures. And ignoring data you don’t have: actual exploit vectors! Worse, some of the vulnerability data is based on false positives, which further skew the results. As in years past, we think the DBIR does provide some valuable insights, and we still encourage you to look through the data and come to your own conclusions. In the meantime, the security PR hype machine will be taking sound bites and trumpeting them as the reason you must hurry up and buy their product, because the DBIR says so! – AL
3. Jacking up your vendors… You realize that buying security products, and any products for that matter, is a game, right? Those who play the game can get better pricing or additional services or both. Vendors don’t like you to know about the game, but experienced procurement people do. Those who have been on the other side of a slick salesperson learned the game the hard way. Back in my Security Incite days I wrote a companion piece to the Pragmatic CSO about 10 years ago, focused on how to buy security products. Jeremiah Grossman, now that he doesn’t work for a vendor any more, has given you his perspective on how to play the game. His tips are on the money, although I look at multi-year deals as the absolute last tactic to use for price concessions. With the rate of change in security, the last thing I want to do is lock into a multi-year deal on technology that is certain to change. The other issue is being a customer reference. You can dangle that, and maybe the vendor will believe you. But ultimately your general counsel makes that decision. – MR
4. Of dinosaurs and elephants: Peter Bailis over at Stanford had a wonderful post on How To Make Fossils Productive Again. With cheap compute resources and virtually free big data systems available to anyone with an Internet connection, we are seeing a huge uptake in data analytics. Left behind are the folks who cling tightly to relational databases, doing their best mainframe hugger impersonations. With such a dearth of big data managers (also known as data scientists) available, it’s silly that many people from the relational camp have been unwilling to embrace the new technologies. They seem to forget that these new technologies create new benchmarks for architectural ideals and propel us into the future. Peter’s advice to those relational folks? Don’t be afraid to rethink your definition of what a database is, and embrace the fact that these new platforms are designed to solve whole classes of problems outside the design scope of the relational model. You are likely to have fun doing so. – AL
5. You can fool some of them, but not Rob: The good thing about the Internet and security in general is that there are very smart people out there who both test your contentions and call you out when you are full of crap. Some are trolls, but many are conscientious individuals focused on getting to the truth. Rob Graham is one of the good ones. He test things people say, and calls them out when they are not true. If you don’t read his blog, Errata Security, you are missing out. One of his latest missives is a pretty brutal takedown of the guy claiming to have started BitCoin. Rob actually proves, with code and all, that the guy isn’t who he says he is. Or maybe he is, but he hasn’t adequately proven it. Anyhow, without getting into arcane technology, read that post to see a master at work. – MR
6. When I say it’s you, I really mean me: The folks who work on MongoDB, under fire in the press for some hacked databases, implied that MongoDB is secure, but some users are idiots. Maybe I missed the section in my business management class on the logic and long-term value of calling your customers idiots – they might be right, but that does not mean this will end well. In the big data and NoSQL market, I give the MongoDB team a lot of credit for going from zero security to a halfway decent mix of identity and platform security measures. That said, they have a ways to go. MongoDB is well behind the commercial Hadoop variants like Cloudera, Hortonworks, and MapR, and they lack the steady stream of security contributions the open source community is building for Hadoop. If the Mongo team would like to protect their idiots users in the future, they could write a vulnerability scanner to show users where they have misconfigured the database! It would be easy, and show people (including any idiots) their simple configuration errors. – AL