<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://securityincite.com" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Mike Rothman&#039;s blog</title>
 <link>http://securityincite.com/blog/mike-rothman</link>
 <description></description>
 <language>en</language>
<item>
 <title>The Pope Visits Security Incite + Securosis</title>
 <link>http://securityincite.com/blog/mike-rothman/the-pope-visits-security-incite-securosis</link>
 <description>&lt;p class=&quot;MsoNormal&quot;&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/finger-pope.jpg&quot; align=&quot;left&quot; height=&quot;180&quot; hspace=&quot;10&quot; vspace=&quot;10&quot; width=&quot;240&quot; /&gt;When I joined eIQ, I did a &lt;a href=&quot;http://securityincite.com/blog/mike-rothman/career-advice-from-the-pope&quot; target=&quot;_blank&quot;&gt;&amp;quot;POPE&amp;quot; analysis&lt;/a&gt;
on the opportunity, to provide a detailed perspective on why I made the move.
The structure of that analysis was pretty well received, so as I make another
huge move, I may as well dust off the POPE and use that metaphor to explain why
I&#039;m &lt;a href=&quot;/blog/mike-rothman/security-incite-contracts-a-case-of-securosis&quot; target=&quot;_blank&quot;&gt;merging Security Incite with Securosis&lt;/a&gt;.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
&lt;b&gt;People&lt;/b&gt;
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
Analyzing every “job” starts with the people. I liked the
freedom of working solo, but ultimately I knew that model was inherently
limiting. So thinking about the kind of folks I&#039;d want to work with, a couple
of attributes bubbled to the top. First, they need to be smart. Smart enough to
know when I&#039;m full of crap. They also need to be credible. Meaning I respect
their positions and their ability to defend them, so when they tell me I&#039;m full
of crap - I&#039;m likely to believe them. Any productive research environment must
be built on mutual respect. 
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
Most importantly, they need to stay on an even keel. I&#039;m a
pretty excitable type (really!), and when I&#039;m around other excitable types the worst
part of my personality surfaces. Yet, when I&#039;m around guys that go with the
flow, I&#039;m able to regulate my emotions more effectively. As I&#039;ve been working
long and hard on personal development, I didn&#039;t want to set myself back by
working with the wrong folks.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
For those of you who know Rich and Adrian, you know they
are smart and credible. They build things and they break them. They’ve both
forgotten more about security than most folks have ever known. Both have been
around the block, screwed up a bunch of stuff and lived to tell the story.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
And best of all, they are great guys. Guys you can sit
around and drink beer with. Guys you look forward to rolling your sleeves up
with and getting some stuff done. Exactly the kind of guys I wanted to work
with.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
&lt;b&gt;Opportunity&lt;/b&gt;
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
Securosis
will be rolling out a set of information products targeted at accelerating the
success of mid-market security and IT professionals. Let&#039;s just say that being the
security guy/gal in a mid-market company may be the worst job in IT. They have
many of the same problems as larger enterprises, but no resources or budget.
Yeah, this presents a huge opportunity.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
We also plan to give a lot back to the community. Securosis
publishes all its primary research for free on the blog. We&#039;ll continue to do
that. So we have an opportunity to make a difference in the industry as well.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
To be clear, the objective isn&#039;t to displace Gartner or
Forrester. We aren&#039;t going to build a huge sales force. We will focus on adding
value and helping to make our clients better at their jobs. If we can do that,
everything else works itself out.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
&lt;b&gt;Product&lt;/b&gt;
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
To date, no one has really successfully introduced a
syndicated research product targeted to the mid-market, certainly not in
security. That fact would scare some folks, but for me it&#039;s a huge challenge. I
know hundreds of thousands of companies struggle on a daily basis and need our
help. So I&#039;m excited to start figuring out how to get the products to them.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
In terms of research capabilities, all you have to do is
check out the &lt;a href=&quot;http://securosis.com/research&quot; target=&quot;_blank&quot;&gt;Securosis Research Library&lt;/a&gt; to see the unbelievable
productivity of Rich and Adrian. The library holds a tremendous amount of content
and it&#039;s top notch. As with every business trying something new, we&#039;ll run into
our share of difficulties - but generating useful content won&#039;t be one of them.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
&lt;b&gt;Exit&lt;/b&gt;
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
Honestly, I don&#039;t care about an exit. I&#039;ve proven I can
provide a very nice lifestyle for my family as an independent. That&#039;s
liberating, especially in this kind of economic environment. That doesn&#039;t mean
I question the size of the opportunity. Clearly we have a great opportunity to
knock the cover off the ball and build a substantial company. But I&#039;m not
worried about that. I want to have fun, work with great guys and help our
clients do their jobs better. If we do this correctly, there is no lack of
research and media companies that will come knocking.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
&lt;b&gt;Final thoughts&lt;/b&gt;
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
On the first working day of a new decade, I&#039;m putting the
experiences (and road rash) gained over the last 10 years to use. Whether starting
a business, screwing up all sorts of things, embracing my skills as an analyst
or understanding the importance of balance in my life, this is the next logical
step for me.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
Looking back, the past 10 years have been very humbling. It
started with me losing a fortune during the Internet bubble. I&#039;ve sold the
company I founded for the cash on our balance sheet because we couldn&#039;t find
enough customers. I tried to start two other companies - to no avail. I&#039;ve
gotten fired (or laid off) three times. Quite a decade, eh?
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
Yet, I persevere. I lived through that and had lots of
successes as well. Each of those experiences helped me get to this place and
become ready to do this. And I&#039;m ready. So hold on, it&#039;s going to be a great
ride. 
&lt;/p&gt;
&lt;p&gt;
Note: I&#039;ll be writing over
at Securosis moving forward. The blog is &lt;a href=&quot;http://securosis.com/blog&quot; target=&quot;_blank&quot;&gt;http://securosis.com/blog&lt;/a&gt;, and
you can sign up to get our writing via email; the link is on the blog page.
See you there.
&lt;/p&gt;
&lt;p&gt;
&lt;small&gt;
Photo credit: &amp;quot;Pope&amp;quot; originally uploaded by &lt;a href=&quot;http://www.pragmaticcso.com/Images/finger-pope.jpg&quot; target=&quot;_blank&quot;&gt;bayat &lt;/a&gt;
&lt;/small&gt;
&lt;/p&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-pope-visits-security-incite-securosis#comments</comments>
 <category domain="http://securityincite.com/news/si-announcements">SI Announcements</category>
 <pubDate>Mon, 04 Jan 2010 09:17:13 -0600</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1104 at http://securityincite.com</guid>
</item>
<item>
 <title>Security Incite Contracts a Case of Securosis</title>
 <link>http://securityincite.com/blog/mike-rothman/security-incite-contracts-a-case-of-securosis</link>
 <description>&lt;p&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/logo_securosis_150wide.jpg&quot; align=&quot;right&quot; height=&quot;75&quot; hspace=&quot;15&quot; vspace=&quot;15&quot; width=&quot;300&quot; /&gt;In what is a surprise to probably no one, as of today I&#039;m
joining &lt;a href=&quot;http://securosis.com&quot; target=&quot;_blank&quot;&gt;Securosis&lt;/a&gt; as Analyst/President. For all intents and purposes, Security
Incite and Securosis are merging operations.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
The old adage goes that when one door closes, another opens.
In this case, it&#039;s absolutely true, though not necessarily in that order. Some back-story
will clarify why this makes sense. During the summer of 2008, Rich and I had
decided to start a new research company. We were moving towards launching
around Labor Day 2008.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
Then I got the call, from the only guy I would consider
working for, about joining eIQ. It was a truly agonizing decision for me. I
thought I had something left to prove on the vendor side, and this was an
opportunity that &lt;a href=&quot;http://securityincite.com/blog/mike-rothman/career-advice-from-the-pope&quot; target=&quot;_blank&quot;&gt;I thought had all the pieces for success&lt;/a&gt;. I told Rich this just delayed our plans, but I knew he needed to
keep moving forward, and that he would.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
Over the past 18 months, Rich and Adrian have done a really
great job building the brand of Securosis and establishing a very real and
credible voice on security topics. Best of all, their research philosophy of
&lt;a href=&quot;http://securosis.com/about/totally-transparent-research&quot; target=&quot;_blank&quot;&gt;Totally Transparent Research&lt;/a&gt; totally aligns with my own research philosophy. Truth be told, I have to admit to being jealous when they launched the new Securosis
site because it was everything I thought IT research should be.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
For me, &lt;a href=&quot;http://securityincite.com/blog/mike-rothman/incite-rides-again&quot; target=&quot;_blank&quot;&gt;eIQ didn&#039;t work as I had hoped&lt;/a&gt;. So when I got laid off, the second call I made was to Rich. Yes, I
called the Boss first. Rich, Adrian and I decided to move forward as one
entity. We plan to build the next great IT research firm.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
Yes, I could have stayed solo. In just the few weeks I&#039;ve
been back on the research side, I have lots of activity in the works. But that
limits my ability to deliver pragmatic and actionable information to the grossly
underserved market of mid-market IT and security professionals. This strategy will
become clear in the coming weeks as we unveil our research products strategy
and our individual research agendas.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
Equally important, I’m surrounding myself with guys I
respect enough to push me, but also guys that I really enjoy hanging out with.
In retrospect, I really missed the collegial and challenging environment I
experienced as a META Group analyst. Working by myself was great, but I know I
want to really make a difference in this space. That means I&#039;ve got to partner
with like-minded individuals who will hold me accountable and tell me when my
stuff sucks. 
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
Rest assured, one of the reasons I am following this path is
because Rich, Adrian and I have similar philosophies on pretty much everything.
We&#039;ve decided to keep the Securosis &amp;quot;brand&amp;quot; as the company name, but
many aspects of Security Incite will integrate with the Securosis offerings. So
you&#039;ll see a &amp;quot;Securosis Incite&amp;quot; blog post every week and all of our
research will be &amp;quot;Pragmatic&amp;quot; in nature.
&lt;/p&gt;
&lt;p class=&quot;MsoNormal&quot;&gt;
I&#039;m really excited for the next stage in my personal journey
as part of Securosis. Later today I&#039;ll be doing a &lt;a href=&quot;http://securityincite.com/securosis-pope&quot; target=&quot;_blank&quot;&gt;POPE analysis of the move&lt;/a&gt; and
we&#039;ve posted a &lt;a href=&quot;http://securosis.com/blog/securosis-incite-merger-faq&quot; target=&quot;_blank&quot;&gt;FAQ up on the Securosis blog&lt;/a&gt;. If you haven’t already,
you&#039;ll want to add the Securosis blog (&lt;a href=&quot;http://securosis.com/feeds/blog&quot; target=&quot;_blank&quot;&gt;http://securosis.com/feeds/blog&lt;/a&gt;)
to your RSS reader or get our stuff via email to keep current. The links for
email newsletter signup are on the blog page. 
&lt;/p&gt;
&lt;p&gt;
Though this ends Security
Incite as a stand-alone research entity, it&#039;s really the beginning of something
with far more potential. Thanks for supporting me over the past few years.
Really truly thanks.
&lt;/p&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/security-incite-contracts-a-case-of-securosis#comments</comments>
 <category domain="http://securityincite.com/news/si-announcements">SI Announcements</category>
 <pubDate>Mon, 04 Jan 2010 08:59:57 -0600</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1103 at http://securityincite.com</guid>
</item>
<item>
 <title>The Daily Incite - 12/28/09 - Meyer&#039;s Choice</title>
 <link>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-28-09-meyers-choice</link>
 <description>&lt;div style=&quot;text-align: center&quot; id=&quot;topcontent&quot;&gt;
&lt;img src=&quot;http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg&quot; style=&quot;width: 448px; height: 107px&quot; alt=&quot;Today&#039;s Daily Incite&quot; /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: 10pt; font-family: Arial&quot; id=&quot;leftcontent&quot;&gt;
&lt;h2&gt;December 27, 2009 - Volume 4, #42 &lt;/h2&gt;
Good Morning:
&lt;p&gt;
What would you do if a Doctor told you that your job may kill
you? And I&#039;m not talking about those brave souls that paint suspension
bridges. Or wash skyscraper windows. Or jump over Snake River Canyon in
a rocket ship. Or are Siegfried and Roy. But if you had a great job
like being a big time college football coach, and your doctor told you
the job could kill you, what to do?
&lt;/p&gt;
&lt;p&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/meyer_alone.jpg&quot; style=&quot;border: 0px solid ; width: 240px; height: 160px; float: right&quot; alt=&quot;Taking the lonely walk into the sunset...&quot; hspace=&quot;10&quot; vspace=&quot;10&quot; /&gt;That&#039;s the choice faced by
Urban Meyer, the coach of the University of Florida, whose doctors
advised him that the stress of his job caused him tightness in his
chest and other problematic health issues. He&#039;s reached the pinnacle of
success. He&#039;s won two national championships over the past 3 years. He
makes $4 million a year. He&#039;s also 45 years old and a husband and
parent of three children.
&lt;/p&gt;
&lt;p&gt;
Do you just walk away? Or do you try to change your stressful
ways? That&#039;s the choice. Can you just walk away? What about the
expectations of the recruits? Of the boosters? Of yourself? Could you
take the risk, knowing that the stress could cause an express ride to a
casket?
&lt;/p&gt;
&lt;p&gt;
Meyer almost did the right thing. He had decided to walk away.
And then the sharks and other folks that &amp;quot;care&amp;quot; about him convinced him
to back off on retirement. He&#039;s taking an &amp;quot;indefinite leave of absence&amp;quot;
from coaching. Initially he said he wouldn&#039;t coach again. Now he&#039;s
saying he plans to return, presumably after he works through his stress
issues. Basically, he says he&#039;s choosing to live or at least give
himself the best chance to not drop dead from stress. But we&#039;ll see how
it works out. 
&lt;/p&gt;
&lt;p&gt;
The one thing I can&#039;t stand is inconsistency. This must have
been an agonizing decision. Meyer really loves what he does and he
cares about the kids. But really, the decision shouldn&#039;t have been that
hard. This is a guy who has nothing left to prove. He never needs to
work again. Not for money anyway. The only fact that matters is that
you can&#039;t walk your daughter down the aisle if you are dead. That&#039;s the
first and only thought I&#039;d have.
&lt;/p&gt;
&lt;p&gt;
I guess it&#039;s easy for me to say, but I truly believe this
would be an easy decision for me. Maybe that&#039;s why I&#039;m not a big time
football coach or a captain of industry. I&#039;m not willing to sacrifice
my life or my health anymore for another digit on my net worth or
another ostentatious ring that I wouldn&#039;t wear anyway. I&#039;ve made it a
point to work really hard to reduce my stress. I find I get stressed
out over stupid stuff now. Which is progress. With a lot more work, I
hope to not get stressed over stupid stuff either. That&#039;s the goal. And
I plan to get there.&lt;br /&gt;
&lt;/p&gt;
&lt;p&gt;
This will be my last Incite of the year. Have a
great holiday. 
&lt;/p&gt;
&lt;p&gt;
PS: In my first draft of this post, I called it &amp;quot;Choose Life,&amp;quot; which
honestly I thought was a much better title (and would have resulted in
much better open rates). But obviously that term has connotations I&#039;m
not going to touch. Not in the Incite, not in a one on one conversation
either. As a general practice, I don&#039;t engage in conversation about
religion, politics, or abortion. I have my opinions on all of those
matters, and you probably do too. You may agree with mine or you may
not. But I&#039;m not going to change your mind, so I don&#039;t even try.
&lt;/p&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;Urban&lt;/span&gt;&amp;quot;
originally uploaded
by &lt;a href=&quot;http://www.flickr.com/photos/killmylandlord/2826039970/&quot; target=&quot;_blank&quot;&gt;killmylandlord&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Technorati: &lt;a href=&quot;http://technorati.com/tag/information%20security&quot; target=&quot;_blank&quot; rel=&quot;tag&quot;&gt;Information
Security&lt;/a&gt;, &lt;a href=&quot;http://technorati.com/tag/CSO&quot; rel=&quot;tag&quot;&gt;CSO&lt;/a&gt;&lt;/small&gt;,&lt;small&gt;&lt;a href=&quot;http://www.technorati.com/tag/Security%20Mike&quot; target=&quot;_blank&quot; rel=&quot;tag&quot;&gt;Security
Mike&lt;/a&gt;, &lt;a href=&quot;http://www.technorati.com/tag/Internet%20Security&quot; target=&quot;_blank&quot; rel=&quot;tag&quot;&gt;Internet
Security&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;table style=&quot;width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto&quot; border=&quot;0&quot; cellpadding=&quot;5&quot; cellspacing=&quot;2&quot;&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td style=&quot;text-align: center; width: 208px&quot;&gt;&lt;a href=&quot;http://www.pragmaticcso.com&quot;&gt;&lt;img src=&quot;http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg&quot; alt=&quot;The Pragmatic CSO&quot; style=&quot;border: 0px solid ; width: 170px; height: 259px&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;The
			Pragmatic CSO: &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;Available Now! &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;Read the Intro and
			Get &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;&amp;quot;5 Tips to be a
			Better CSO&amp;quot;&lt;/span&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;a href=&quot;http://www.pragmaticcso.com/&quot; target=&quot;_blank&quot; style=&quot;font-weight: bold&quot;&gt;www.pragmaticcso.com&lt;/a&gt;&lt;br /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;&lt;/span&gt;&lt;br /&gt;
			&lt;span style=&quot;font-family: Arial&quot;&gt;&lt;/span&gt;&lt;/td&gt;
			&lt;td style=&quot;text-align: center&quot;&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;&lt;big&gt;&lt;big&gt;&lt;big&gt;Follow
			me on Twitter:&lt;span style=&quot;text-decoration: underline&quot;&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;/span&gt;&lt;a href=&quot;http://www.twitter.com/securityincite&quot; target=&quot;_blank&quot;&gt;@securityincite&lt;/a&gt;&lt;/big&gt;&lt;/big&gt;&lt;/big&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;img src=&quot;http://www.pragmaticcso.com/Images/twitter-logo.jpg&quot; style=&quot;width: 225px; height: 82px&quot; alt=&quot;Twitter&quot; /&gt;&lt;br /&gt;
			&lt;br /&gt;
			I&#039;m not sure where I&#039;m going, but I&#039;ll get there in 140 characters - or
			less...&lt;span style=&quot;text-decoration: underline&quot;&gt;&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Make a
	difference in 2010&lt;/span&gt; - As I railed a few weeks ago, the end
	of the year is always predictions season. And yes, Shimmy, I&#039;ve made my
	share of useless prognostications, some of which have been decent,
	others have sucked pretty bad. Leave it to the Hoff to shake things up
	a bit and decide that getting back into BayWatch shape is critical to
	be well positioned for yet another Knight Rider sequel. &lt;a href=&quot;http://www.rationalsurvivability.com/blog/?p=1639&quot; target=&quot;_blank&quot;&gt;Chris has an interesting list of resolutions&lt;/a&gt;
	and most focus on a single theme and that is to make a difference. Man,
	that is insightful. We spend a lot of time (me included) in the echo
	chamber focused on what is fs*cked and not on taking action to make it
	better. I&#039;ve got a bunch of resolutions on my end as well (now that
	I&#039;ve been given another chance to contribute with no agenda). So take a
	few minutes, take Chris&#039; lead and think to yourself how you can make a
	difference in 2010.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;We&#039;re taking
	advice from this guy? &lt;/span&gt;- I have to constantly remind
	myself how big the world is &amp;quot;out there.&amp;quot; That the list of security
	movers and shakers that I hang with is really a self-selecting bunch
	and that it doesn&#039;t really represent what is happening in the broader
	market. So I always check out the business press coverage of security,
	like this &lt;a href=&quot;http://www.forbes.com/2009/12/20/cloud-computing-rsa-technology-cio-network-coviello.html&quot; target=&quot;_blank&quot;&gt;Forbes interview with EMC/RSA&#039;s Art Coviello&lt;/a&gt;
	about cloud security. There is nothing outright offensive in the
	interview, since it&#039;s the same standard party line. But that&#039;s not the
	point, it&#039;s that we need to make a concerted effort to think more
	broadly and empathize with the IT manager who doesn&#039;t eat, sleep and
	breathe this stuff. Basically, &lt;a href=&quot;http://layer8.itsecuritygeek.com/layer8/dont-ask-me-ask-that-guy-over-there&quot; target=&quot;_blank&quot;&gt;what Shrdlu said&lt;/a&gt;. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Lessons from
	the &amp;quot;Great Recession&amp;quot; &lt;/span&gt;- What have you learned over the
	past 18 months? About doing more with less, or maybe doing something
	with nothing? &lt;a href=&quot;http://searchcio-midmarket.techtarget.com/news/article/0,289142,sid183_gci1377004,00.html&quot; target=&quot;_blank&quot;&gt;This piece on SearchCIO-midmarket&lt;/a&gt;
	isolates a few tips that two end users learned. My takeaways from the
	piece are that automation is great, but of course doesn&#039;t create new
	jobs (duh!). And that it always gets back to talking business to
	business people. Trying to talk tech isn&#039;t going to go over very well.
	Finally, I like the idea of someone to watch the watchers. One of the
	users in the piece contracts with a 3rd party to oversee their service
	providers. Given the complexity of a lot of environments, it seems like
	a good idea.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Revisiting
	your backup strategy for 2010 &lt;/span&gt;- Yes, at the end of the
	year you should be doing some housecleaning, but more importantly
	making sure that your processes are buttoned up and you&#039;ve got the
	critical Plan B for everything. &lt;a href=&quot;http://www.networkworld.com/news/2009/121709-is-backing-up-online.html&quot; target=&quot;_blank&quot;&gt;This post on NetworkWorld asks a legitimate
	question about whether online backup is safe.&lt;/a&gt; I use it and a
	lot of my security focused pals use a service as well. Is there risk in
	having your data out there? Yes. Is it manageable? I think so. But more
	importantly, the online backup is really the contingency plan. I
	replicate all my critical data between three separate machines via
	Windows Live Sync, both to make sure I keep everything in sync, but
	also that in the event I lose a drive I&#039;m protected. If I have to rely
	on my online backup, a number of things have gone terribly wrong.
	What&#039;s your disaster recovery (or hardware failure) plan? Is it
	Tailgate Tested? Tailgate Approved!&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Response
	rates drive fraud&lt;/span&gt; - Sometimes (though not too often) it&#039;s
	helpful to have some experience in marketing and to understand the
	underlying math on response rates. &lt;a href=&quot;http://www.eweek.com/c/a/Security/Phishing-Attacks-Cost-Millions-Despite-Low-Success-Rate-879602&quot; target=&quot;_blank&quot;&gt;This piece on eWeek points to some Trusteer
	research&lt;/a&gt; that says although phishing is a very low response
	rate effort, the successes are so lucrative the bad guys are still
	making a good living. And that&#039;s really the point. The incremental cost
	of sending phishing emails is close to zero, so if anyone responds -
	that is profit. And as long as these guys make a profit, they are going
	to keep doing it - A LOT.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Just test the
	web apps&lt;/span&gt; - Some security folks still are clinging to this
	idea of having to do all the work themselves. Yes, that mentality is
	going away, but you still have resistance to some security services and
	especially security testing for systems and applications. I&#039;ve always
	said that you can&#039;t outsource thinking, which means the strategy and
	oversight of the security program, but everything else should be fair
	game. And now there are &lt;a href=&quot;http://searchcio-midmarket.techtarget.com/tip/0,289483,sid183_gci1377140,00.html&quot; target=&quot;_blank&quot;&gt;lots of options for external parties to test
	web apps&lt;/a&gt;. In a perfect world, we&#039;d have all the staffing we
	need to test everything that is at risk. This ain&#039;t Kansas, Dorothy, so
	get help where you can. Not only do these folks bring resources, they
	also bring expertise you may not have on your internal team. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Do you want
	to know what your DLP system tells you? &lt;/span&gt;- The Mogull has
	been all over this for years, but a lot of folks don&#039;t realize the
	impact and issues of trying to get on top of leak prevention. First
	off, it&#039;s a process, which means if you think you&#039;ll write a check and
	make the problem go away - forget it. You need to understand what you
	need to protect and where it is - BEFORE you install a product. More to
	the point, you need to be willing to deal with what you find. This
	piece on &lt;a href=&quot;http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=222002843&quot; target=&quot;_blank&quot;&gt;Dark Reading summarizes the process to think
	about DLP&lt;/a&gt; and then &lt;a href=&quot;http://www.terminal23.net/2009/12/coming_to_terms_with_data_loss.html&quot; target=&quot;_blank&quot;&gt;LonerVamp comes to terms&lt;/a&gt; with the
	fact that DLP is not necessarily a security thing - it&#039;s a way to
	identify faulty business processes (that put sensitive data at risk)
	and to keep employees from inadvertently compromising data. &lt;/li&gt;
&lt;/ol&gt;
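&lt;p&gt;
As an added example (not code from the Dark Reading or LonerVamp pieces linked above, and not a Securosis tool), here is the kind of discovery pass that answers the &amp;quot;what do we need to protect and where is it?&amp;quot; question before any DLP product gets bought. It scans a small corpus for card numbers and SSNs, uses a Luhn check and the SSA&#039;s never-issued ranges to throw out look-alike digit strings, and reports masked hits by file and line so the owner of that share or queue can be asked why the data lives there. The file names and contents are constructed for the example; the validation rules are my choice of false-positive filter, not anything the linked articles prescribe.
&lt;/p&gt;

```python
"""Sensitive-data discovery pass: find WHERE regulated data lives before
buying a DLP product. Added example; the sample files below are
constructed inline and are not taken from any real system."""
import re
from collections import defaultdict

# Candidate patterns. A bare regex over-matches (order IDs, phone
# numbers), so each hit goes through a validator before it counts.
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random 13 to 16 digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(value: str) -> bool:
    """Reject SSN-shaped values the SSA never issues (area 000, 666, 9xx;
    group 00; serial 0000)."""
    area, group, serial = value.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan_text(name: str, text: str) -> list:
    """Return (file, line_no, kind, masked_value) for every validated hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                raw = m.group(0)
                digits = re.sub(r"\D", "", raw)
                if kind == "credit_card" and not luhn_ok(digits):
                    continue
                if kind == "ssn" and not ssn_ok(raw):
                    continue
                # Never write the full value into a report: mask all but the last four.
                masked = "*" * (len(digits) - 4) + digits[-4:]
                hits.append((name, line_no, kind, masked))
    return hits


def inventory(files: dict) -> dict:
    """Count validated hits per location; this is the list of conversations
    to have with business owners before a product is even evaluated."""
    summary = defaultdict(lambda: defaultdict(int))
    for name, text in files.items():
        for _, _, kind, _ in scan_text(name, text):
            summary[name][kind] += 1
    return {k: dict(v) for k, v in summary.items()}


# Constructed sample corpus (no real data): a finance share export, a
# helpdesk ticket, and a web log with digit strings that look like cards
# but fail the checksum. Card numbers are the standard Visa test values.
SAMPLE_FILES = {
    "shares/finance/refunds_q4.csv": (
        "customer,card,amount\n"
        "A. Smith,4111 1111 1111 1111,42.00\n"
        "B. Jones,4012-8888-8888-1881,19.99\n"
    ),
    "helpdesk/ticket-3391.txt": (
        "User asked us to update payroll record, SSN 219-09-9999.\n"
        "Invalid example they typed first: 666-12-3456\n"
    ),
    "logs/web.log": (
        "order_id=1234567890123456 status=ok\n"
        "phone=+1 404 555 0100 8867\n"
    ),
}

if __name__ == "__main__":
    for fname, body in SAMPLE_FILES.items():
        for hit in scan_text(fname, body):
            print(hit)
    print(inventory(SAMPLE_FILES))
```

Running it reports the two card numbers in the finance share and the one valid SSN in the helpdesk ticket, and nothing from the web log, because the 16-digit order ID and the phone number fail the Luhn check. The point is the inventory, not the regex: each hit is a conversation with the owner of that share or queue about the process that put the data there, which is exactly the work that has to happen before a product can enforce anything.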
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-28-09-meyers-choice#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Mon, 28 Dec 2009 09:15:18 -0600</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1102 at http://securityincite.com</guid>
</item>
<item>
 <title>The Daily Incite - 12/22/09 - Are we there Yeti?</title>
 <link>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-22-09-are-we-there-yeti</link>
 <description>&lt;div id=&quot;topcontent&quot; style=&quot;text-align: center&quot;&gt;
&lt;img src=&quot;http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg&quot; alt=&quot;Today&#039;s Daily Incite&quot; style=&quot;width: 448px; height: 107px&quot; /&gt;
&lt;/div&gt;
&lt;div id=&quot;leftcontent&quot; style=&quot;font-size: 10pt; font-family: Arial&quot;&gt;
&lt;h2&gt;December 22, 2009 - Volume 4, #41 &lt;/h2&gt;
Good Morning:
&lt;p&gt;
Another of my holiday rituals is the annual pilgrimage up
North to spend the winter break with my in-laws. This involves first
packing up the family truckster, which includes the optional roof rack
just to ensure we can fill the car to the gills with crap we don&#039;t need
for a 10 day journey. But I gave up trying to get the Boss to pack the
stuff we actually &amp;quot;need,&amp;quot; so I just dutifully load up the car and get
ready to go.
&lt;/p&gt;
&lt;p&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/fun_yeti.jpg&quot; alt=&quot;Hope your chimney is really big....&quot; style=&quot;border: 0px solid ; width: 240px; height: 180px; float: right&quot; hspace=&quot;10&quot; vspace=&quot;10&quot; /&gt;The drive takes between
10 and 11 hours depending on traffic. Most of my friends send their
condolences a day or two ahead of the trip, knowing what it would be
like to spend 11 hours in a car with their kids. But I have to give
thanks to Moore&#039;s Law, which has enabled us modern conveniences like
the portable DVD player and the car stereo with the AUX jack, so my
kids can watch movies for 10 hours, while I drive.
&lt;/p&gt;
&lt;p&gt;
Truth be told, the trip is a lot harder on the Boss than it is
on me. She&#039;s actually got to deal with them for 10 hours. Between the
elbowing (it&#039;s amazing how even in a 7 person van, the kids have to
poke and prod each other for a majority of the trip), the constant
hunger pangs, the &amp;quot;are we there yet?&amp;quot; questions and the arguments about
who gets to pick the next movie, I&#039;m just glad to be the designated
driver.
&lt;/p&gt;
&lt;p&gt;
After 6 years of making this drive, everyone knows my process
already. I get pretty grumpy when packing the car, since I know we
don&#039;t need half the stuff we are taking. I get even grumpier when we
are trying to get out of the house, since it takes an hour to do the
last 5% of stuff to finally get on the road. And about 2 hours in, I
get into the zone. I&#039;ve got my iPod cranking music, the kids have
settled in, and I just drive.
&lt;/p&gt;
&lt;p&gt;
This year the Boss got a lot smarter about movie selection.
Part of her agony was having to watch the kids&#039; movies/shows for 10
hours. I mean, who wouldn&#039;t be homicidal after listening to 4 hours of
the Wiggles, and have another 6 hours to go? But this year, she hit the
bargain basement DVD bin and came back with gems like &lt;a href=&quot;http://www.imdb.com/title/tt0107048/&quot; target=&quot;_blank&quot;&gt;Groundhog
Day&lt;/a&gt; and &lt;a href=&quot;http://www.imdb.com/title/tt0088763/&quot; target=&quot;_blank&quot;&gt;Back to the Future&lt;/a&gt;. Amazingly
enough, the kids enjoyed those classics and my wife was reasonably sane.
&lt;/p&gt;
&lt;p&gt;
But this trip was a bit different in that we were trying to
beat a pretty severe winter storm. The original plan was to leave
around noon, but we called an audible at the line and decided to take
off around 9 AM, and a good thing we did. We were literally on the
front end of the storm that dumped almost 2 feet of snow on the
Mid-Atlantic region. There were times we got ahead of the storm and
were able to motor, but during the next potty or gas stop, the weather
seemed to catch up and drop snow on us. If we hadn&#039;t left early, we might
still be on the road.
&lt;/p&gt;
&lt;p&gt;
On the last gas stop as the snow was really starting to fall, I could
have sworn I saw the Yeti saunter in and buy a case of Bud. He was
about 8 feet tall, had white hair all over, and was wearing a Lynyrd
Skynyrd shirt. Who knew that the abominable snowman loved Southern
Rock? I asked if he needed a lift further North, but he politely said a
couple of feet of snow and a case of Bud was all he needed. Now that is
a guy that understands his definition of happiness.&lt;br /&gt;
&lt;/p&gt;
&lt;p&gt;
Have a
great day. &lt;br /&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;Happy
Fun Yeti!&lt;/span&gt;&amp;quot; originally uploaded
by &lt;a href=&quot;http://www.flickr.com/photos/spitecho/4156094659/&quot; target=&quot;_blank&quot;&gt;spitecho&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Technorati: &lt;a href=&quot;http://technorati.com/tag/information%20security&quot; rel=&quot;tag&quot; target=&quot;_blank&quot;&gt;Information
Security&lt;/a&gt;, &lt;a href=&quot;http://technorati.com/tag/CSO&quot; rel=&quot;tag&quot;&gt;CSO&lt;/a&gt;&lt;/small&gt;,&lt;small&gt;&lt;a href=&quot;http://www.technorati.com/tag/Security%20Mike&quot; rel=&quot;tag&quot; target=&quot;_blank&quot;&gt;Security
Mike&lt;/a&gt;, &lt;a href=&quot;http://www.technorati.com/tag/Internet%20Security&quot; rel=&quot;tag&quot; target=&quot;_blank&quot;&gt;Internet
Security&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;table style=&quot;width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto&quot; border=&quot;0&quot; cellpadding=&quot;5&quot; cellspacing=&quot;2&quot;&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td style=&quot;text-align: center; width: 208px&quot;&gt;&lt;a href=&quot;http://www.pragmaticcso.com&quot;&gt;&lt;img src=&quot;http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg&quot; style=&quot;border: 0px solid ; width: 170px; height: 259px&quot; alt=&quot;The Pragmatic CSO&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;The
			Pragmatic CSO: &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;Available Now! &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;Read the Intro and
			Get &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;&amp;quot;5 Tips to be a
			Better CSO&amp;quot;&lt;/span&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;a href=&quot;http://www.pragmaticcso.com/&quot; style=&quot;font-weight: bold&quot; target=&quot;_blank&quot;&gt;www.pragmaticcso.com&lt;/a&gt;&lt;br /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;&lt;/span&gt;&lt;br /&gt;
			&lt;span style=&quot;font-family: Arial&quot;&gt;&lt;/span&gt;&lt;/td&gt;
			&lt;td style=&quot;text-align: center&quot;&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;&lt;big&gt;&lt;big&gt;&lt;big&gt;Follow
			me on Twitter:&lt;span style=&quot;text-decoration: underline&quot;&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;/span&gt;&lt;a href=&quot;http://www.twitter.com/securityincite&quot; target=&quot;_blank&quot;&gt;@securityincite&lt;/a&gt;&lt;/big&gt;&lt;/big&gt;&lt;/big&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;img src=&quot;http://www.pragmaticcso.com/Images/twitter-logo.jpg&quot; alt=&quot;Twitter&quot; style=&quot;width: 225px; height: 82px&quot; /&gt;&lt;br /&gt;
			&lt;br /&gt;
			I&#039;m not sure where I&#039;m going, but I&#039;ll get there in 140 characters - or
			less...&lt;span style=&quot;text-decoration: underline&quot;&gt;&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;All hail Czar
	Howard&lt;/span&gt; - Just as many of the pundits didn&#039;t think there
	would be a US Cyber Czar appointed, it looks like &lt;a href=&quot;http://www.nytimes.com/2009/12/22/technology/internet/22cyber.html?_r=1&quot; target=&quot;_blank&quot;&gt;Howard Schmidt will be under the White House
	Xmas tree&lt;/a&gt; this year. And all I can do is shake my head a bit
	and wish him good luck. Howard knows the folks that need to be
	known both in industry and within the Beltway, but part of me just
	figures this is moving more deck chairs around the Titanic. Will he be
	empowered? What is his metric of success? Maybe the public announcement
	will clarify these things, but most likely not. I suspect the best gift
	you can get Howard is a Redskins helmet. He&#039;ll need it as he bangs his
	head against the wall in DC for the next couple of years. &lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Playing both
	sides of the cyber-ball &lt;/span&gt;- Given that a new Cyber-Czar has
	been named, it&#039;s interesting to check out &lt;a href=&quot;http://blogs.gartner.com/john_pescatore/2009/12/04/trying-to-mix-cyberoffense-and-cyberdefense-is-a-bad-idea/&quot; target=&quot;_blank&quot;&gt;John Pescatore&#039;s post here about playing
	cyber-offense and defense&lt;/a&gt;, and his point that the guys that
	play offense (hackers, et al) are not the right guys to be protecting
	the flanks. He speaks the truth because any senior security position is
	more political than technical now. It&#039;s about persuasion and
	operations, not about IPS Kung Fu. To be clear, John makes the point
	that the flow of information from the offensive minded is important (to
	know what you are defending against), but the skill sets are different.
	Yes, pragmatic fellow that Pescatore. &lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;FIRE burning
	on the dance floor &lt;/span&gt;- It&#039;s always interesting to see how
	other constituencies view security companies. This piece on &lt;a href=&quot;http://seekingalpha.com/article/179249-sourcefire-is-in-a-bright-spot-but-don-t-get-burned&quot; target=&quot;_blank&quot;&gt;Seeking Alpha about an investor&#039;s analysis
	of SourceFire&lt;/a&gt; is interesting. The guy makes interesting
	points about the seasonality of the business, and also has valuation
	concerns (what&#039;s the issue with a 60x earnings multiple?). But
	ultimately the stock right now is a mo-mo play. High valuation, but
	good growth and the Street pays a premium for that. But it also means
	that what the Street giveth, it will taketh away - at the first
	indication of slowing growth.&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Who&#039;s that
	router talking to? &lt;/span&gt;- A lot of us have spent years in the
	trenches and take a lot of good security practice for granted, which is
	always a dangerous thing. This piece by &lt;a href=&quot;http://searchmidmarketsecurity.techtarget.com/tip/0,289483,sid198_gci1374061,00.html&quot; target=&quot;_blank&quot;&gt;Joel Snyder on SearchSecurity is a good
	reminder that we need to be well aware of who our edge devices are
	talking to and what they are doing&lt;/a&gt;. Joel&#039;s point here is to make sure outside access
	on promiscuous protocols like SNMP is turned off, which is good advice.
	It gets back to my opinion of Network Security 101. Lock down the
	traffic that is allowed to enter (yes, default deny), make sure you
	understand the traffic flows on your networks and look for what is
	different. Given we are dealing with an infinite attack surface,
	looking for anomalies is one of the only ways to keep pace.&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Amen to Risk
	Adjectives&lt;/span&gt; - &lt;a href=&quot;http://1raindrop.typepad.com/1_raindrop/2009/12/2010-goal-1-no-more-general-risk.html&quot; target=&quot;_blank&quot;&gt;Great post and point by Gunnar&lt;/a&gt;
	about the need to lose the generic &amp;quot;risk&amp;quot; term from our vernacular.
	Without some means to describe what risk we are talking about (the
	aforementioned adjective), the term is meaningless. And that&#039;s always
	been my big problem with anything risk-centric. The term can mean
	something different to everyone, and therefore it means nothing. So if
	you hear the &amp;quot;R&amp;quot; word come out of your mouth, make sure it&#039;s qualified
	so there is no uncertainty about what kind of risk you are talking
	about.&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Cisco&#039;s
	non-existent Security Strategy&lt;/span&gt; - Kudos to Jon Oltsik for
	beating me to the punch in &lt;a href=&quot;http://www.networkworld.com/community/node/49121&quot; target=&quot;_blank&quot;&gt;questioning what Cisco is doing in security
	nowadays&lt;/a&gt;. My sentiments exactly. Since Jayshree Ullal left,
	it seems there is no one driving Cisco&#039;s security strategy. The STBU is
	really IronPort with new business cards. I mean, how old is the frackin
	Self-Defending Network? Cisco is making announcements around the fringe
	and not really evolving their strategy to deal with the evolution of
	the attack surface. As Oltsik points out, Cisco is still moving a lot
	of equipment, but that&#039;s because they are Cisco - not because the
	products are reflecting the market reality. You don&#039;t think of Cisco as
	a follower, but in security that&#039;s exactly what they&#039;ve become. &lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Facing your
	own demons &lt;/span&gt;- Many of us know Bill Brenner of CSO. You&#039;ve
	probably spoken to him or at a minimum read his stuff at TechTarget or
	his current gig. But you didn&#039;t really &amp;quot;know&amp;quot; Bill. I certainly didn&#039;t.
	But through his new personal blog, &lt;a href=&quot;http://billbrenner1970.wordpress.com/&quot; target=&quot;_blank&quot;&gt;The
	OCD Diaries&lt;/a&gt;, I am getting to know Bill a lot better. I knew
	he was funny and a bit quirky (who in security isn&#039;t?), but in reading
	about his battles to address his mental health issues and deal with
	loss, you gain a real appreciation for the man and for his courageous
	journey. Not many have the stones to bare their soul in a public forum,
	but those that do can teach all of us a lot. Keep up the good work
	Bill, both on the blog and on yourself.&lt;br /&gt;
	&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-22-09-are-we-there-yeti#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Tue, 22 Dec 2009 09:21:16 -0600</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1101 at http://securityincite.com</guid>
</item>
<item>
 <title>The Daily Incite - 12/17/09 - Changing my Xmas Tune</title>
 <link>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-17-09-changing-my-xmas-tune</link>
 <description>&lt;div style=&quot;text-align: center&quot; id=&quot;topcontent&quot;&gt;
&lt;img src=&quot;http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg&quot; style=&quot;width: 448px; height: 107px&quot; alt=&quot;Today&#039;s Daily Incite&quot; /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: 10pt; font-family: Arial&quot; id=&quot;leftcontent&quot;&gt;
&lt;h2&gt;December 17, 2009 - Volume 4, #40 &lt;/h2&gt;
Good Morning: &lt;br /&gt;
&lt;p&gt;I tend to be fairly grumpy, but no time more than during the holidays.
I&#039;m not a fan of the cold weather. And I&#039;ve been a Xmas hater. That&#039;s
right, I was Scrooge personified. Bah humbug was a mantra of mine from
the time the lights go up in my neighborhood Thanksgiving weekend to the
day after New Year&#039;s when (thankfully) most folks pull them down.
&lt;/p&gt;
&lt;p&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/santa-on-phone.jpg&quot; style=&quot;border: 0px solid ; width: 180px; height: 240px; float: right&quot; alt=&quot;What did you think happened on the day after Xmas....&quot; vspace=&quot;10&quot; hspace=&quot;10&quot; /&gt;You know, this &lt;a href=&quot;http://www.youtube.com/watch?v=6drWVCJHYqg&quot; target=&quot;_blank&quot;&gt;classic South Park song&lt;/a&gt; says it
all. But this year is different. I&#039;m not sure whether it&#039;s the fact
that the stress of my old job is now gone. Or whether I&#039;ve just
mellowed out, but all the same - I&#039;m not as grumpy. And I can
appreciate the lights and even some of the pomp and circumstance of
the holiday season. I didn&#039;t instantly hush one of the kids that
spontaneously broke into a Xmas song.
&lt;/p&gt;
&lt;p&gt;
Yet, I&#039;m still human and there are the little annoyances. Like the guy
whose lights burn up more power than an Eastern European village
(hackers and all). I&#039;m still not digging the constant sound of the Xmas
Muzak pretty much wherever I am. A week ago I was having sushi with the
Boss and the joint was playing Xmas tunes. Just can&#039;t see Santa digging
on a Spicy Tuna roll, but maybe he does. Right after the big pull off
the hookah.
&lt;/p&gt;
&lt;p&gt;
And what&#039;s the deal with the emergence of Rudolph as a pitch
reindeer? Come on now, if Santa uses AT&amp;amp;T&#039;s wireless network
everyone is screwed. I can just imagine it: the dude is traipsing
around the world at almost light speed, he calls Mrs. Claus to make
sure she&#039;s got the hot cocoa ready when he gets home, and the call drops.
Maybe Steve Jobs can get Santa one of those new iPhones that runs on
the Verizon network...
&lt;/p&gt;
&lt;p&gt;
I&#039;m even kind of looking forward to Xmas day this year. I&#039;ll
spend it as most of my ilk do every year. I&#039;ll go see a movie (maybe Up
in the Air) and eat a Chinese food feast with my family. And I&#039;ll get
to do some of those tasks that always get lost in the haze that is my
to-do list. Like updating my web site.
&lt;/p&gt;
&lt;p&gt;
So it&#039;s all good. I don&#039;t think I&#039;ll go caroling this year,
but you never know about next year. But before you get any big ideas,
don&#039;t be sending me any of those fruitcakes. You have to draw the line
somewhere.&lt;br /&gt;
&lt;br /&gt;
Have a
great weekend. &lt;br /&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;Santa
has a side job&lt;/span&gt;&amp;quot; originally uploaded
by &lt;a href=&quot;http://www.flickr.com/photos/ktylerconk/3092187449/&quot; target=&quot;_blank&quot;&gt;ktylerconk&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;More
	&amp;quot;shortcuts&amp;quot; to PCI compliance&lt;/span&gt; - Arghhh. Just as I was in a
	happy mood, I see yet another &amp;quot;shortcut&amp;quot; story for compliance. &lt;a href=&quot;http://www.networkworld.com/community/node/48908&quot; target=&quot;_blank&quot;&gt;NetworkWorld&#039;s Cisco blogger&lt;/a&gt; has a
	nugget of wisdom &amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;By now
	we all know that the key to becoming PCI compliant is all about how
	well you can control the number of in-scope devices.&lt;/span&gt;&amp;quot; Ah,
	not so much. A merchant with only 10 in-scope devices that gets pwned
	because they read this kind of crap is still pwned, right? What we all
	better know by now is that PCI compliance is NOT the goal. It&#039;s
	protecting the private data, right? So then there are 5 tips in the
	post about things like segmentation and tunneling and other stuff. Not
	sure I get the one about client certificates vs. tokens, but all the
	same. I kind of shut down when the first sentence shows this guy got
	hit with the security no-clue bat. &lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Great, now we
	are all accountants &lt;/span&gt;- Santa takes a bit of time away from
	getting &lt;a href=&quot;http://www.securitycatalyst.com/join-the-journey-launching-catalyst-ontour-and-coming-to-your-house/&quot; target=&quot;_blank&quot;&gt;his house on wheels ready for the adventure&lt;/a&gt;
	(good luck man, I tend to like to know my house is in the same place
	every day, but whatever floats your boat) to try to draw the parallel
	between IT folks and finance folks. You see, evidently finance folks
	understand that all of their actions will be audited and therefore they
	act accordingly. We IT yahoos have no idea, so we do crazy stuff. He
	suggests &lt;a href=&quot;http://www.securitycatalyst.com/getting-behind-the-wheel-driving-audit-and-compliance&quot; target=&quot;_blank&quot;&gt;we build a &amp;quot;culture of compliance&amp;quot;&lt;/a&gt;,
	so everyone knows their actions will be audited and they&#039;ll do the
	right thing. How about building a CULTURE OF SECURITY? You know, where
	we protect data first and fill out reports second. I hope that&#039;s what
	Santa means, but the idea of a culture of compliance irks me. It&#039;s bad
	enough compliance funds everything we do, now everyone wants to make
	that the end goal. Which is just wrong. &lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Attack of the
	Prediction Stories 1 &lt;/span&gt;- Now I&#039;m starting to remember why I
	hated the holidays. All these freakin&#039; 2010 prediction stories that say
	the same damn thing. More hackers. More breaches. We&#039;re screwed. Enjoy
	the Yule log and maybe OD on egg nog. It&#039;ll make the pain go away. &lt;a href=&quot;http://blog.imperva.com/2009/12/industrialized-hacking-heads-top-five-data-security-trends-for-2010.html&quot; target=&quot;_blank&quot;&gt;Imperva is calling for &amp;quot;industrialized
	hacking,&amp;quot;&lt;/a&gt; as if that hasn&#039;t been the case for years. We all
	know there are warehouses full of folks in 3rd world nations banging
	away on netbooks hacking your stuff. And a move from &amp;quot;reactive to
	pro-active security.&amp;quot; Man, the bile that just rose from my gut didn&#039;t
	taste too good. Come on guys. Mediocre attempt here.&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Attack of the
	Prediction Stories 2 &lt;/span&gt;- Next up on the prediction hit list
	is &lt;a href=&quot;http://securityblog.verizonbusiness.com/2009/12/15/2010-security-predictions&quot; target=&quot;_blank&quot;&gt;Russ Cooper from Verizon Business&lt;/a&gt;.
	He&#039;s got some gems in there like the social network sites will protect
	themselves. Ah, do you think Facebook wants to be a cesspool of
	malware? Miraculously they&#039;ll figure it out in 2010? Looks like Russ
	bypassed the egg nog and went right for the heroin. How about consumers
	getting smarter? Evidently he hasn&#039;t left his lake house in rural
	Canada in YEARS. If what I see in coffee shops or hear at holiday
	parties is any indication, consumers are on the express train to
	Dumbville. But he does pinpoint two predictions I&#039;m digging. The first
	being China will be blamed for everything (shouldn&#039;t they be) and the
	other is that nothing of note happens to &amp;quot;non-PCs.&amp;quot; &lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Attack of the
	Prediction Stories 3&lt;/span&gt; - Finally, let me call out a &lt;a href=&quot;http://www.csoonline.com/article/510776/10_Predictions_for_2010_Kaminsky_and_Weatherford&quot; target=&quot;_blank&quot;&gt;piece in CSOOnline getting predictions from
	security luminaries&lt;/a&gt;, including Mark Weatherford (CISO of CA)
	and Dan Kaminsky. There is stuff here from Weatherford on hiring and
	maintaining talent (good call) and moving some security functions into
	the cloud (ho hum). Kaminsky talks about how prosecution for
	cyber-crime will accelerate (that would be great) and some ineffective
	security techniques will be called out (much to the chagrin of Big AV).
	This one isn&#039;t bad as far as prediction stories, but the only
	prediction I have is that the electricity required to power Kaminsky&#039;s
	ego causes a Xmas brownout in Seattle. Put that in your stocking. Yeah,
	I couldn&#039;t help it. It was right there calling to me. Like Russ
	Cooper&#039;s heroin.&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;NSS kicks
	some IPS vendors in the nuggets&lt;/span&gt; - I tend to disregard most
	reviews and &amp;quot;certification&amp;quot; programs because well, folks have this
	nasty habit of not biting the hand that feeds them. Except me maybe
	(remember the &lt;a href=&quot;http://securityincite.com/blog/mike-rothman/networkworld-bids-me-adieu&quot; target=&quot;_blank&quot;&gt;NetworkWorld debacle&lt;/a&gt;?) So kudos to
	the &lt;a href=&quot;http://www.prweb.com/releases/2009/12/prweb3320364.htm&quot; target=&quot;_blank&quot;&gt;NSS folks that call some crappy IPS products
	to the carpet&lt;/a&gt; and actually print effectiveness results. Of
	course, in the press release they don&#039;t say which vendor got 17%
	effectiveness (&lt;a href=&quot;http://www.networkworld.com/news/2009/120709-ips-tests.html&quot; target=&quot;_blank&quot;&gt;it was Juniper&lt;/a&gt;) and which was 89%
	(yay for SourceFire), but I&#039;m sure the happy vendors plunked down their
	$1800 to buy the report and will be happy to share it with you. The sad
	vendors are well, sad and trying to figure out how to poke holes in the
	methodology. Here&#039;s a hint: Kevin Tolly is waiting by the phone for
	your call. For $50K, he&#039;ll run a test that shows 100% catch rate and
	make the problem go away. &lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Hi, I&#039;m Mike
	and I&#039;m a... &lt;/span&gt;- In today&#039;s personal development selection,
	let&#039;s look at a post on the 37Signals blog called &amp;quot;&lt;a href=&quot;http://37signals.com/svn/posts/2051-step-one-is-admitting-you-have-a-problem&quot; target=&quot;_blank&quot;&gt;Step one is admitting you have a problem.&lt;/a&gt;&amp;quot;
	The point here is about work addiction and that the start-up world
	tends to breed many work addicts. They ask the right questions about
	time vs. effectiveness and the impact of that on your health. Is that
	work done between 10 PM and 2 AM productive? Is it good work? I guess
	during the holiday season the message is that we should be questioning
	everything and potentially acknowledging our problems and building 2010
	plans to address them. And maybe relaxing a bit for the slog that is
	2010. &lt;br /&gt;
	&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-17-09-changing-my-xmas-tune#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Thu, 17 Dec 2009 08:01:51 -0600</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1100 at http://securityincite.com</guid>
</item>
<item>
 <title>The Daily Incite - 12/15/09 - Finding the Path</title>
 <link>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-15-09-finding-the-path</link>
 <description>&lt;div id=&quot;topcontent&quot; style=&quot;text-align: center&quot;&gt;
&lt;img src=&quot;http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg&quot; alt=&quot;Today&#039;s Daily Incite&quot; style=&quot;width: 448px; height: 107px&quot; /&gt;
&lt;/div&gt;
&lt;div id=&quot;leftcontent&quot; style=&quot;font-size: 10pt; font-family: Arial&quot;&gt;
&lt;h2&gt;December 15, 2009 - Volume 4, #39 &lt;/h2&gt;
Good Morning: &lt;br /&gt;
When I announced that I was &lt;a href=&quot;http://securityincite.com/blog/mike-rothman/incite-rides-again&quot; target=&quot;_blank&quot;&gt;getting back into the analyst game&lt;/a&gt;,
the post was surprisingly well received. There were a number of aspects
that seemed to resonate with you folks (at least that&#039;s how it seemed
from all the well wishes and emails I received). But no statement got
as much feedback as this one:&lt;br /&gt;
&lt;br /&gt;
&lt;div style=&quot;margin-left: 40px; font-style: italic&quot;&gt;
You
see, life is a journey and I&#039;m finally starting to realize that there
is no right path or wrong path. There is only the path.&lt;br /&gt;
&lt;/div&gt;
&lt;p&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/yellow-brick-road.jpg&quot; alt=&quot;You are programmed to follow this path...&quot; style=&quot;border: 0px solid ; width: 240px; height: 213px; float: right&quot; vspace=&quot;10&quot; hspace=&quot;10&quot; /&gt; &lt;br /&gt;
Lots of folks are trying
to find that path. Maybe they are not happy in their current gig. Maybe
they think they should be doing more. Maybe they just went through a
job transition and it&#039;s not everything they thought it would be. It
could be anything, but the only thing everyone seemed to have in common
was that they thought they were on the wrong path and wanted to know
how to get onto the right path.&lt;br /&gt;
&lt;br /&gt;
The short answer is that I have NO idea. Zero, zilch, not a clue. The
direction I&#039;m going feels right. I think it&#039;s right. Remember
that I&#039;m an analyst, so I&#039;m trained to look critically at every plan and
poke holes in it. I can certainly find holes in my current plans, but
I&#039;m comfortable with those holes and the risks they entail.
&lt;/p&gt;
&lt;p&gt;
But at the end of the day, I don&#039;t know if this is the right
move for me. Truth be told, I don&#039;t think it matters. That&#039;s the entire
point of the statement above. Regardless of the outcome, it&#039;s really
the process that matters. To use a trite self-help moniker: It really
is about the journey.
&lt;/p&gt;
&lt;p&gt;
The Boss got me a shirt from Life is Good for my birthday. It
says &amp;quot;The Journey IS the Destination.&amp;quot; And I think that&#039;s right. We are
all very focused on achieving something. From the time we were little,
we&#039;ve been focused on following that yellow brick road to get to
Emerald City. It&#039;s a programmed response. Yet when we get there,
inevitably you wonder if it was worth the blood, the sweat, the tears.
And if you don&#039;t get there, you wonder what&#039;s the matter with you? Why
can&#039;t you get there?&lt;br /&gt;
&lt;br /&gt;
Gosh, just writing the post is making me tired. Tired of trying to live
up to my unrealistic expectations. Tired of being dissatisfied with all
I&#039;ve accomplished. Tired of applying someone else&#039;s definition of
success to my situation. So I&#039;m doing my best to stop that. And I&#039;m
also doing my best to counsel other folks about the dangers of that
mentality. I spent most of my 30&#039;s fat and angry. All the stress took a
real physical toll on me, and if you identify with my sentiments, then
it&#039;s taking a toll on you too. 
&lt;/p&gt;
&lt;p&gt;
It&#039;s not easy to turn off a lifetime of programming,
especially when your management, mentors, family, and most everyone
else expects you to do something. To achieve something. To make them
proud. That&#039;s why blazing my own trail makes the most sense right now.
I&#039;m only gated by my own expectations, not everyone else&#039;s. I know that&#039;s
not an option for everyone, but marching to your own drum certainly is.&lt;br /&gt;
&lt;br /&gt;
And to be honest, I like the sound of my own drum. Have a
great day. &lt;br /&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;follow
the yellow brick road&lt;/span&gt;&amp;quot; originally uploaded
by &lt;a href=&quot;http://www.flickr.com/photos/ittybittiesforyou/3397370852/&quot; target=&quot;_blank&quot;&gt;ittybittiesforyou&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Technorati: &lt;a href=&quot;http://technorati.com/tag/information%20security&quot; rel=&quot;tag&quot; target=&quot;_blank&quot;&gt;Information
Security&lt;/a&gt;, &lt;a href=&quot;http://technorati.com/tag/CSO&quot; rel=&quot;tag&quot;&gt;CSO&lt;/a&gt;&lt;/small&gt;,&lt;small&gt;&lt;a href=&quot;http://www.technorati.com/tag/Security%20Mike&quot; rel=&quot;tag&quot; target=&quot;_blank&quot;&gt;Security
Mike&lt;/a&gt;, &lt;a href=&quot;http://www.technorati.com/tag/Internet%20Security&quot; rel=&quot;tag&quot; target=&quot;_blank&quot;&gt;Internet
Security&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;table style=&quot;width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto&quot; border=&quot;0&quot; cellpadding=&quot;5&quot; cellspacing=&quot;2&quot;&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td style=&quot;text-align: center; width: 208px&quot;&gt;&lt;a href=&quot;http://www.pragmaticcso.com&quot;&gt;&lt;img src=&quot;http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg&quot; style=&quot;border: 0px solid ; width: 170px; height: 259px&quot; alt=&quot;The Pragmatic CSO&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;The
			Pragmatic CSO: &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;Available Now! &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;Read the Intro and
			Get &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;&amp;quot;5 Tips to be a
			Better CSO&amp;quot;&lt;/span&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;a href=&quot;http://www.pragmaticcso.com/&quot; style=&quot;font-weight: bold&quot; target=&quot;_blank&quot;&gt;www.pragmaticcso.com&lt;/a&gt;&lt;br /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;&lt;/span&gt;&lt;br /&gt;
			&lt;span style=&quot;font-family: Arial&quot;&gt;&lt;/span&gt;&lt;/td&gt;
			&lt;td style=&quot;text-align: center&quot;&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;&lt;big&gt;&lt;big&gt;&lt;big&gt;Follow
			me on Twitter:&lt;span style=&quot;text-decoration: underline&quot;&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;/span&gt;&lt;a href=&quot;http://www.twitter.com/securityincite&quot; target=&quot;_blank&quot;&gt;@securityincite&lt;/a&gt;&lt;/big&gt;&lt;/big&gt;&lt;/big&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;img src=&quot;http://www.pragmaticcso.com/Images/twitter-logo.jpg&quot; alt=&quot;Twitter&quot; style=&quot;width: 225px; height: 82px&quot; /&gt;&lt;br /&gt;
			&lt;br /&gt;
			I&#039;m not sure where I&#039;m going, but I&#039;ll get there in 140 characters - or
			less...&lt;span style=&quot;text-decoration: underline&quot;&gt;&lt;/span&gt;&lt;/span&gt;&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;WAF hits the
	clouds&lt;/span&gt; - Akamai introduced the first of the &lt;a href=&quot;http://www.akamai.com/html/about/press/releases/2009/press_121409.html&quot; target=&quot;_blank&quot;&gt;&amp;quot;cloud-based&amp;quot; WAF offerings&lt;/a&gt;
	yesterday. OK, maybe the first. Basically it&#039;s a managed web
	application firewall (WAF) service. I suspect there are other service
	providers that will provision and manage a WAF for customers. But this
	is the first that is pushing the &amp;quot;cloud&amp;quot; halo and thus will get the
	press benefits of announcing a shiny object. The service is based on
	ModSecurity and it&#039;s interesting how Akamai is talking about
	&amp;quot;instantaneous scaling of defenses,&amp;quot; which is good for whatever
	hardware vendor they are using to build out the service.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;FISMA
	metrics, vendors start your engines &lt;/span&gt;- Looks like the Feds
	are getting more serious about cyber-security. That is, if you think
	spending a bunch of money on a bunch of products that likely will have
	little impact on true security is getting more serious. There is &lt;a href=&quot;http://www.federalnewsradio.com/?nid=35&amp;amp;sid=1837795/&quot; target=&quot;_blank&quot;&gt;a set of &amp;quot;FISMA metrics&amp;quot; in process&lt;/a&gt;
	that include mostly yes/no answers and then some level of detail on things
	like asset management, connection management, incident management, etc.
	Most interesting is the need to provide &amp;quot;real time security status and
	management,&amp;quot; which is basically SIEM. But here&#039;s the rub: There is a
	difference between having data and USING DATA. I guess you can&#039;t really
	use data until you have it, but I just worry a lot of agencies will
	spend a lot of money and be in exactly the same spot 3 years from now.
	But at least a bunch of security vendors will make a lot of money. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Know what
	you&#039;re looking for... &lt;/span&gt;- David Mortman has an interesting
	post on the New School site pushing us to realize that &lt;a href=&quot;http://newschoolsecurity.com/2009/11/less-is-more/&quot; target=&quot;_blank&quot;&gt;Less is More&lt;/a&gt;. In this case, he&#039;s
	talking about IPS signatures, in that if you have a good understanding
	of your network, then you should be able to put rules in place to focus
	on abnormal activity (as opposed to checking for everything). I&#039;ve
	always been a big fan of anomaly-based security techniques and positive
	security models (like default deny on perimeter defenses) because it
	forces you to really understand how the network and technology assets
	are being used. Not just letting everything happen and hoping that you
	figure it out before the card brands inform you of the breach. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Learning from
	someone else&#039;s pain &lt;/span&gt;- The folks that screwed up the FAA
	network a few weeks ago are in a world of hurt. Yeah, when you knock
	down the network that controls flights for half the country, that is a
	bad day. But what can we learn to make sure this kind of thing doesn&#039;t
	happen to you? That&#039;s what the &lt;a href=&quot;http://searchcio.techtarget.com/tip/0,289483,sid182_gci1375561,00.html&quot; target=&quot;_blank&quot;&gt;SearchSecurity folks did in this post&lt;/a&gt;
	and the tips are useful. Remember, usually it&#039;s the physical layer, but
	a lot goes back to change management as well. Ultimately, things are
	going to happen (Murphy&#039;s Law guarantees that), so you need to have
	better fault isolation and response mechanisms in place. If the system
	goes down for 15 minutes, that is bad. When it goes down for 5 hours,
	heads roll. Make sure it&#039;s not your head.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Monitoring
	the cloud is not up to us&lt;/span&gt; - Get ready for a lot of folks
	talking about how they will provide &amp;quot;visibility in the cloud.&amp;quot; &lt;a href=&quot;http://blog.loglogic.com/2009/12/post.php&quot; target=&quot;_blank&quot;&gt;The
	folks at LogLogic are talking about this&lt;/a&gt;, but I&#039;m not
	specifically picking on them since they aren&#039;t the only one. Here&#039;s the
	issue, the cloud provider doesn&#039;t want you to know what is going on.
	They don&#039;t want you monitoring networks or systems and will make it
	hard, if not impossible for you to do that. So the idea of visibility
	at the lower levels of the cloud-resident stack is a load of crap. It&#039;s
	really about understanding and monitoring the stuff you DO control, and
	that&#039;s the application stack. So we are going to need to see some
	instrumentation and interesting correlation happening with application
	information (logs, performance, etc.) to have any chance of seeing into
	the cloud.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Network
	Security getting smarter?&lt;/span&gt; - McAfee just made a series of
	announcements &lt;a href=&quot;http://finance.yahoo.com/news/McAfee-Inc-First-to-Deliver-bw-1375422278.html&quot; target=&quot;_blank&quot;&gt;upgrading their network security devices&lt;/a&gt;
	with the underlying theme being increased intelligence. The idea is
	that Little Red sees a lot of stuff at the endpoint, device and network
	layer and can make sense of it to make each of their products
	&amp;quot;smarter.&amp;quot; In concept it&#039;s interesting, but realistically my jury is
	still out until there are demonstrable results that show protection is
	enhanced. More tactically, they&#039;ve finally rebranded the Securify stuff
	as &lt;a href=&quot;http://www.networkworld.com/news/2009/120809-mcafee-security-appliance.html&quot; target=&quot;_blank&quot;&gt;the T-series&lt;/a&gt; to provide some level
	of flow-based analysis and security. To be clear, folks like Sourcefire
	have had these pieces for quite a while. But the trend is the trend,
	intelligence is definitely making its way into all parts of the
	security stack. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Life
	Management, Drucker-style &lt;/span&gt;- As you may have noticed, I&#039;ve
	tried to find one interesting personal development post to add to each
	Incite. Today&#039;s comes courtesy of WebWorkerDaily, who highlight a &lt;a href=&quot;http://webworkerdaily.com/2009/12/14/get-a-total-life-in-2010&quot; target=&quot;_blank&quot;&gt;new book that delves into the great Peter
	Drucker&#039;s thoughts on life management&lt;/a&gt;. We all knew he was a
	corporate management guru, but evidently he has some good stuff to say
	about managing your life as well. In a nutshell, it&#039;s about finding
	balance. That balance involves understanding your strengths, but also
	diversifying a bit. So the idea of having a parallel &amp;quot;career&amp;quot; or
	serious hobby is a good one. All work and no play makes Mikey a dull
	boy. I also like the idea of giving back and teaching/mentoring. If you
	are anything like me, you&#039;ve screwed up a whole bunch of stuff through
	the years and others can benefit from that &amp;quot;experience.&amp;quot; &lt;/li&gt;
&lt;/ol&gt;
&lt;/div&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-15-09-finding-the-path#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Tue, 15 Dec 2009 08:18:01 -0600</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1099 at http://securityincite.com</guid>
</item>
<item>
 <title>The Daily Incite - 12/11/09 - Starbucks Seat Lottery</title>
 <link>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-11-09-starbucks-seat-lottery</link>
 <description>&lt;div style=&quot;text-align: center&quot; id=&quot;topcontent&quot;&gt;
&lt;img src=&quot;http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg&quot; style=&quot;width: 448px; height: 107px&quot; alt=&quot;Today&#039;s Daily Incite&quot; /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: 10pt; font-family: Arial&quot; id=&quot;leftcontent&quot;&gt;
&lt;h2&gt;December 11, 2009 - Volume 4, #38 &lt;/h2&gt;
Good Morning: &lt;br /&gt;
Nowadays I face very tough decisions on a daily basis. You know, when
should I work out? Do I get the Veggie Patty at Subway or is it the one
day a week I indulge with a burrito? Should I shave? You know I shave
once a week, whether I need to or not. These are serious, tough
decisions. And I&#039;m the kind of guy that can face these decisions.&lt;br /&gt;
&lt;p&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/coffee-shop-office.jpg&quot; style=&quot;border: 0px solid ; width: 180px; height: 240px; float: right&quot; alt=&quot;Another day in the life of an office vagabond...&quot; vspace=&quot;10&quot; hspace=&quot;10&quot; /&gt;But no decision is more
important than where I work in the afternoon. You see, being a work at
home vagabond, I need to get out of the house. Every day. Personal
hygiene is an issue to begin with, so without the excuse that I have to
primp up to get my Venti Pike - it wouldn&#039;t be pretty.&lt;br /&gt;
&lt;br /&gt;
So around my house I have the choice of maybe 4-6 different coffee
shops. To minimize my impact on the environment, I try to select a shop
in proximity to my lunch spot. I&#039;m thinking of buying some carbon
offsets to make up for those indecisive days when I drive the extra 10
minutes to a different coffee shop.
&lt;/p&gt;
&lt;p&gt;
I also go to different coffee shops in no set pattern. I
wouldn&#039;t want the folks tailing me to be able to profile my habits. You
know, when the assassins come, I want to make it at least challenging
to find me. 
&lt;/p&gt;
&lt;p&gt;
Yet lately I&#039;ve been choosing wrong. I liken the coffee shop
decision to playing the lottery. It&#039;s the Starbuck&#039;s seating lottery.
If you don&#039;t get a good seat, you may as well just write off the entire
day. Have you ever tried writing snark from one of those cushy purple
chairs? This ain&#039;t Passover folks, I can&#039;t be inciteful when I&#039;m
reclining. I need to be focused. I need to have a hard wooden chair.&lt;br /&gt;
&lt;br /&gt;
Yesterday I got to my selected shop and there were no seats. Crap. It
was like 40 degrees outside, so it&#039;s not like I could sit on the patio
and pound away at my trusty MBP and snark. The nerve of these folks.
First of all, don&#039;t they know it&#039;s my friggin&#039; office. I pay rent. At
the rate of about $2.25 per day. Of course it&#039;s a good deal, and some
folks pay more rent than me (they splurge on the $4.50 pumpkin latte),
but all the same, these folks have to go. 
&lt;/p&gt;
&lt;p&gt;
So what to do? I guess I could ask someone if I could share
the table, but man that&#039;s weird. I saw some guy do that a few weeks
ago. He just plops down and then starts some inane conversation about
what he does, and where he lives and all sorts of other things.
Surprisingly enough, the kind woman who let this interloper sit down
actually engaged him in conversation. I guess maybe that is what humans
do. I wouldn&#039;t know much about that.&lt;br /&gt;
&lt;br /&gt;
So basically I did what most other vagabonds do. I went to the
struggling cafe down the street, and hoped they hadn&#039;t gone out of
business already.
&lt;/p&gt;
Have a
great weekend. &lt;br /&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;Second
(office) Cup&lt;/span&gt;&amp;quot; originally uploaded
by &lt;a href=&quot;http://www.flickr.com/photos/sylvaincarle/2291459041/&quot; target=&quot;_blank&quot;&gt;sylvaincarle&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Data is cool,
	analysis is better&lt;/span&gt; - The folks at &lt;a href=&quot;http://securityblog.verizonbusiness.com/2009/12/09/2009-dbir-supplemental/&quot; target=&quot;_blank&quot;&gt;Verizon Business released their DBIR
	supplemental report&lt;/a&gt; this week and it&#039;s got some good stuff in
	there. Read. It. Now. I like the report because it&#039;s not just a listing
	of data designed to generate PR clips. Most of the data out there is
	used to ensure that lazy tech writers always have something they can
	crank out on deadline. Survey this, survey that. 85% of hackers take
	cream in their coffee. 42% use a pwned netbook in a crowded coffee
	shop to social engineer 17% of the grandmothers in a local old age
	community. You know, data. But what the VZ guys do with the data is
	very cool. &lt;a href=&quot;http://securosis.com/blog/verizon-2009-dbir-supplement&quot; target=&quot;_blank&quot;&gt;Mort highlights a few things&lt;/a&gt;, but
	I think we are getting to the point where this data is not only
	statistically reliable, but it&#039;s also representative of the broader
	market. And that means we are pretty much screwed, but at least we can
	quantify the screw.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Redefining
	security success &lt;/span&gt;- Bejtlich does an interesting thought
	experiment in his &amp;quot;&lt;a href=&quot;http://taosecurity.blogspot.com/2009/12/let-hundred-flowers-blossom.html&quot; target=&quot;_blank&quot;&gt;Let a Hundred Flowers Blossom&lt;/a&gt;&amp;quot;
	post. Basically, the idea is to stop worrying about controls and start
	focusing on outcomes. Meaning, an organization can do as much or as
	little security as they want; as long as it takes longer than X for an
	attack team to successfully penetrate the defenses, it&#039;s all good. It&#039;s
	an interesting idea, but is counter to the childish way we do security
	today. Basically it&#039;s like nursery school. You get a check list and you
	do the checklist. No one cares about success or even outcomes, as long
	as the check list is filled out. This will create issues of documenting
	compliance, but from a philosophy standpoint I think this could work in
	a company. But probably not for every company. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Budget time,
	yay! &lt;/span&gt;- It&#039;s that time of year, budget time. This is when
	we all fight for our share of a declining pie and then grumble about
	what an ass the CFO is and how does he/she expect us to be able to do
	anything with that amount of money. And then you get calls from
	analysts that want to know how big your budget is. And &lt;a href=&quot;http://news.yahoo.com/s/ibd/20091202/bs_ibd_ibd/20091202tech&quot; target=&quot;_blank&quot;&gt;we get surveys that say 70% of companies
	will boost tech spending and security is a priority&lt;/a&gt;. Maybe
	it&#039;s &lt;a href=&quot;http://www.eweek.com/c/a/IT-Management/Security-Virtualization-Top-2010-IT-Budget-Wish-List-419142&quot; target=&quot;_blank&quot;&gt;1 or 2 on the wish lists&lt;/a&gt; of people
	buying things. But to be clear, no one has any idea how budgets will
	shake out. You see, there is a pot of money and through 2010 that pot
	may be smaller or it may get bigger. It may be used for Project A or
	maybe reallocated to Project B. The folks that answer these surveys
	have no idea. Overall it feels like things are getting a bit better,
	but who knows. I&#039;m still saving for a rainy day because there is a good
	likelihood it&#039;ll keep raining in 2010. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Actually
	buying something with that budget &lt;/span&gt;- Pretty entertaining
	post on Cassandra Security about &lt;a href=&quot;http://cassandrasecurity.com/?p=932&quot; target=&quot;_blank&quot;&gt;the
	real process of buying and selling security stuff&lt;/a&gt;. Part of
	this is the black magic that you never learn until you work for a
	vendor. Things like the unnatural acts to get a deal closed in a
	quarter (as opposed to when the customer needs to buy). But also from
	the customer&#039;s perspective, how to play the game, not only to squeeze
	the vendor, but to make sure the deal gets done. There are checklists
	for sales folks and also for the end users. As Brian says, a lot of
	this is common sense, but we all know that common sense is in short
	supply.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Are there any
	security &amp;quot;software&amp;quot; companies left?&lt;/span&gt; - Yes, that title was
	a bit of a red herring, but it underscores the realization that
	customers tend to be right, and the vendors need to adapt to meet the
	needs of the customer. So the idea of a pure-play security software
	company probably doesn&#039;t make a lot of sense moving forward. Maybe not
	today, but by 2011 I&#039;d say any security company of size will have to
	have a hybrid model. Where their software is PACKAGED as something a
	customer can implement, can run in someone&#039;s data center or probably
	can run in a private or public cloud. If you look at &lt;a href=&quot;http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=222001304&quot; target=&quot;_blank&quot;&gt;a company like Fortify, they are moving in
	this direction by rolling their own services capability&lt;/a&gt;, but
	also by partnering with a services shop like White Hat to fill the
	gaps. Of course, the underlying life blood of any of these companies is
	still software, but it won&#039;t necessarily be sold as software.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Microsoft,
	the silent but deadly security competitor&lt;/span&gt; - Given I talked
	about plungers last time, I had to throw some flatulence references
	into today&#039;s piece. But that&#039;s the thing about Microsoft. They don&#039;t
	really talk too much about their security products, since most of the
	PR effort is spent spinning the issues around Patch Tuesday and their
	SDL efforts. But to be clear, Microsoft keeps clicking along, targeting
	their markets and rolling products. Like their recent announcements of &lt;a href=&quot;http://www.eweek.com/c/a/Windows/Microsoft-Releases-Two-New-Enterprise-Security-Platforms-263887&quot; target=&quot;_blank&quot;&gt;enhanced security gateway functionality&lt;/a&gt;.
	Sure looks like a UTM type thing to me, which is perfect for their
	sweet spot in the mid-market. And &lt;a href=&quot;http://www.sentillion.com/media/press/091210.html&quot; target=&quot;_blank&quot;&gt;they also acquired Sentillion&lt;/a&gt;,
	which does IAM and single-sign on for healthcare companies. So although
	most of the big security companies don&#039;t say Microsoft is a competitor,
	it&#039;s always dangerous to disregard them. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;The Happiness
	Genie &lt;/span&gt;- Very interesting &lt;a href=&quot;http://dilbert.com/blog/entry/the_happiness_genie/&quot; target=&quot;_blank&quot;&gt;thought experiment&lt;/a&gt; from Scott
	Adams on the Dilbert blog. Man, it must be a good gig to write comics
	because he seems to have plenty of time to think of weird scenarios and
	post them to his blog. The general idea is whether you would be happier
	if a happiness genie gave you $10 million, but a lot of folks you know
	would get $20 million. Or if you get (only) $5 million, but no one else
	gets anything. Hmmm. I&#039;d like to think $10 big is enough for me, even
	if my friends get double that. But if I&#039;m being honest, who knows? And
	that&#039;s really the key, be honest. The answer is OK, even if you are a
	greedy bastard that would be happier keeping their friends in a life of
	squalor. &lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-11-09-starbucks-seat-lottery#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Fri, 11 Dec 2009 10:19:56 -0600</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1098 at http://securityincite.com</guid>
</item>
<item>
 <title>The Daily Incite - 12/09/09 - Plunger Tales</title>
 <link>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-09-09-plunger-tales</link>
 <description>&lt;div style=&quot;font-size: 10pt; font-family: Arial&quot; id=&quot;leftcontent&quot;&gt;
&lt;h2&gt;December 9, 2009 - Volume 4, #37 &lt;/h2&gt;
Good Morning: &lt;br /&gt;
Like many of you, I&#039;ve got some friends that are pretty hardcore geeks.
They measure not just the aggregate number of computers in their house, but
also the ratio of computers to people. Some are in the 1.5-2 range, and
others have embraced personal virtualization, so their ratio is off the
charts.&lt;br /&gt;
&lt;br /&gt;
But that isn&#039;t a relevant measure for me. I&#039;ve got my share of devices
and I&#039;ll be building a lab over the next few months, so my ratio will
dramatically &amp;quot;improve,&amp;quot; in the eyes of my geeky friends anyway. But I
was reading an interview with Tom Petty in Rolling Stone last night,
and he made a statement like &amp;quot;it really was better back then.&amp;quot; &lt;br /&gt;
&lt;p&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/poopy-the-plunger.jpg&quot; style=&quot;border: 0px solid ; width: 168px; height: 240px; float: right&quot; alt=&quot;You thought your job was bad...&quot; vspace=&quot;10&quot; hspace=&quot;10&quot; /&gt;Now, to be clear, lots of
things are better today than they were. Connectivity, computing power,
and content have all improved. One place where we&#039;ve taken a huge step back
is in flushing power. That&#039;s right, I&#039;ve got angst this morning about the
current state of toilets. Don&#039;t laugh, this is a serious problem.&lt;br /&gt;
&lt;br /&gt;
You see, I eat a lot of roughage. Being a vegetarian, there isn&#039;t much
else for me to eat, but it&#039;s also good for my digestive system and
helps keep my mass in control. But there is a downside to all that
roughage. I don&#039;t just drop the kids off at the pool, I drop a
village. &lt;br /&gt;
&lt;br /&gt;
Today&#039;s low flow toilets are not built for guys like me, who are not
small and eat a mostly green diet. The clog rate hovers around
75-80%, which means I need to have plungers. EVERYWHERE. I basically
have close to a 1.5x plunger to bathroom ratio in my house. Well, for
most clogs the mini-plunger will do and each bathroom is outfitted with
one as standard equipment. But sometimes you need specialized tools,
like the plunger with flanges. Or maybe the orange plastic one that
looks like an accordion. I&#039;ve also got 2 different snakes when plunging
doesn&#039;t get it done.&lt;br /&gt;
&lt;br /&gt;
Yet, sometimes even a toilet snake doesn&#039;t work. About once a year
(usually corresponding to one of the kids trying to &amp;quot;hide&amp;quot; an entire
roll of toilet paper in the toilet) I have to get out the heavy
artillery. I have a device that uses compressed air to pretty much blow
anything stuck in my toilet clear to the treatment plant. Now that is
cool, but I have to remember to wear my Intel bunny suit to keep
clean. 
&lt;/p&gt;
&lt;p&gt;
Thankfully my kids haven&#039;t figured out the meanest thing they
can do to me is to hide the plungers. And I&#039;m counting on all of you to
keep my secret. I guess that&#039;s kind of like my Kryptonite.&lt;br /&gt;
&lt;br /&gt;
I think maybe the Europeans have this one right. They don&#039;t worry about
low or high flow. They just figure if it can be solved with a toilet
brush, it&#039;s not really a problem.
&lt;/p&gt;
Have a
great day, and may the force be with your alimentary canal. &lt;br /&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;Poopy
the Plunger&lt;/span&gt;&amp;quot; originally uploaded
by &lt;a href=&quot;http://www.flickr.com/photos/zoomar/2930603272/&quot; target=&quot;_blank&quot;&gt;zoomar&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Cloud
	security is overblown&lt;/span&gt; - Sometimes I just have to laugh at
	some of the stuff I see in the trade rags. I dug this InformationWeek
	blog post from Alexander Wolfe out of the archives because after baring
	my soul about my plunger issues, I figured I needed to take someone
	else to task for a good dose of idiocy. This guy&#039;s position is that &lt;a href=&quot;http://www.informationweek.com/blog/main/archives/2009/11/encryption_is_c.html&quot; target=&quot;_blank&quot;&gt;cloud security may be overblown because we
	already have an answer - encryption&lt;/a&gt;. That&#039;s the answer to
	everything. We&#039;ve already got the architecture, and if we&#039;d just
	encrypt everything it doesn&#039;t matter where it resides, right? Uh huh. I
	guess Hoff needs to find something else to do now, since all the
	thinking he&#039;s been doing about cloud security isn&#039;t relevant. Having
	barely survived the PKI wars in the late &#039;90s, I can&#039;t say much besides
	that encryption isn&#039;t a panacea to anything.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Next year&#039;s
	PCI emerges &lt;/span&gt;- Many in the security industry are looking
	for what&#039;s next. What&#039;s going to be the next attack, regulation,
	widget, etc. to spur sales of products that no one needs. I think I
	found it, it&#039;s the HiTrust CSF. &lt;a href=&quot;http://searchsecuritychannel.techtarget.com/news/article/0,289142,sid97_gci1376195,00.html&quot; target=&quot;_blank&quot;&gt;Neil Roiter does a bit of work to describe
	the opportunity to security resellers&lt;/a&gt;. Now to be clear, the
	concept of a framework to protect healthcare information is valuable.
	I&#039;ve got no issue with that, but I&#039;m already playing out the fiesta
	driven by the industry parasites to make whatever widget they are
	selling today a &amp;quot;key&amp;quot; part of the HiTrust CSF. Of course, healthcare
	organizations will be able to be &amp;quot;certified&amp;quot; through a HiTrust
	certification program. Which will likely mean as much as PCI compliance
	or a SAS70 audit. But I guess I shouldn&#039;t complain, I&#039;m just another
	one of those parasites, feeding off the fat of the land, calling
	everyone else a parasite. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Time to start
	looking for the BBD? &lt;/span&gt;- Over the past 18 months, many
	security folks have basically kept their head low and tried to make
	sure they weren&#039;t on the list to be downsized. But now with the economy
	(seemingly) improving, does that mean it&#039;s time to start looking for
	the bigger, better deal (BBD)? It depends. In this CSO article, Jack
	Phillips from IANS voices &lt;a href=&quot;http://www.csoonline.com/article/510013/Economic_Recovery_Will_Your_IT_Security_Department_Jump_Ship_&quot; target=&quot;_blank&quot;&gt;the concerns of large company CISOs that are
	worried their employees might look for greener pastures elsewhere&lt;/a&gt;.
	If you are staff level, I think how your company treated you during the
	downturn is instructive. If you felt abused and like a piece of meat, I
	suspect it won&#039;t get better during the upturn because that is a
	cultural issue. The words may change, but the behaviors likely won&#039;t.
	For managers, unfortunately now is the wrong time to try to make it
	right for team members. If you treated (or were forced to treat) your
	people like crap, blaming the economy and just letting it happen, you
	will reap what you have sown. When those employees find something
	better, don&#039;t wonder what happened. And build a culture where people
	want to work there, regardless of the economy.  &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Quant comes
	to the database&lt;/span&gt; - I&#039;m a fan of the work Rich and Adrian do
	in their &amp;quot;Project Quant&amp;quot; initiatives. Every security person struggles
	with understanding the relevant metrics to track both security and
	operational efficiency. So spending time to decompose the actual
	process behind a function and look to quantify those functions (by
	having folks in the community share their own data) is valuable. The
	Securosis guys started with &lt;a href=&quot;http://securosis.com/projectquant&quot; target=&quot;_blank&quot;&gt;the
	patch management&lt;/a&gt; front and are now focusing on database
	security. This post represents early work on &lt;a href=&quot;http://securosis.com/blog/project-quant-database-security-process-framework/&quot; target=&quot;_blank&quot;&gt;establishing the process model for database
	security&lt;/a&gt;. I suspect the goal is to build Quant models for all
	the major aspects of security, which will be a great thing for all of
	us that still can&#039;t answer the questions about whether we suck at
	security or not. At least from an operational perspective.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;How deep is
	the moat?&lt;/span&gt; - Many of us security talking heads spend a lot
	of time focusing on what&#039;s next. So things like application security
	and database security are big issues. Unfortunately most of the world
	is still trying to figure out how an IPS works. Far too many may have
	spent some time building a moat (in terms of a perimeter security
	strategy), but really have no idea whether it works and if they are
	protected from the badness &amp;quot;out there.&amp;quot; This piece by &lt;a href=&quot;http://searchmidmarketsecurity.techtarget.com/tip/0,289483,sid198_gci1373980,00.html&quot; target=&quot;_blank&quot;&gt;Joel Snyder on SearchSecurity reminds us
	about how and why to validate those perimeter defenses&lt;/a&gt;. Now
	to be clear, the cutting edge stuff represents real attack vectors and
	I&#039;m not minimizing the importance of those aspects. I&#039;m just reminding
	myself (and maybe all of you) that most organizations have no idea how
	to test their defenses, and they really need to learn.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Security and
	Business Strategy, huh?&lt;/span&gt; - I&#039;m constantly reminded that
	most security professionals still think it&#039;s about the bad guys. They
	are our foils and provide us with innovative attacks to keep us on our
	toes, but we always need to remember security is a means to an end, in
	that ultimately we have to contribute to helping the company either
	make money or save money. Here is a link to &lt;a href=&quot;http://www.networkworld.com/newsletters/sec/2009/112309sec1.html&quot; target=&quot;_blank&quot;&gt;Part 1 of an interview with SANS&#039; Stephen
	Northcutt talking about some of these issues&lt;/a&gt;. I also like to
	ask security folks whether they know their company&#039;s mission statement
	and how often they get face time with business leaders. For those that
	don&#039;t understand their business, they&#039;ve got a very small shot at being
	successful. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Finding the
	impact of what we do &lt;/span&gt;- The always entertaining Shrdlu
	goes on a bit of a tirade here about the &lt;a href=&quot;http://layer8.itsecuritygeek.com/layer8/the-meaning-of-metrics/&quot; target=&quot;_blank&quot;&gt;&amp;quot;meaning of metrics&amp;quot;&lt;/a&gt; and before
	Thanksgiving did a far better job than I have to isolate the issues
	with how we count things. The reality is we tend to focus on things we
	do, not the IMPACT of what we do. I&#039;ve long held the belief that
	security folks have to really manage two sets of &amp;quot;metrics.&amp;quot; There are
	operational metrics that indicate how well we do security. And there
	are other metrics that need to quantify the real business impact
	(either positive or negative) of what we do. Business folks don&#039;t care
	about operational metrics, but they sure do care if they can&#039;t take
	orders because some hacker group has poked huge holes in the e-commerce
	application. Operational metrics should be reasonably consistent
	regardless of what business or size of company you are in. Impact
	metrics will be very specific to your company and depending on culture
	may or may not be consistent even within your vertical. For better or
	worse, the success of most CISOs is directly correlated to how well
	they understand the impact metrics. &lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-09-09-plunger-tales#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Wed, 09 Dec 2009 10:27:27 -0600</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1097 at http://securityincite.com</guid>
</item>
<item>
 <title>The Daily Incite - 12/07/09 - Happy, Sad, Repeat</title>
 <link>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-07-09-happy-sad-repeat</link>
 <description>&lt;div id=&quot;topcontent&quot; style=&quot;text-align: center&quot;&gt;
&lt;img src=&quot;http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg&quot; alt=&quot;Today&#039;s Daily Incite&quot; style=&quot;width: 448px; height: 107px&quot; /&gt;
&lt;/div&gt;
&lt;div id=&quot;leftcontent&quot; style=&quot;font-size: 10pt; font-family: Arial&quot;&gt;
&lt;h2&gt;December 7, 2009 - Volume 4, #36 &lt;/h2&gt;
Good Morning: &lt;br /&gt;
Life is a roller coaster. Pure and simple. During a particularly
difficult time about 15 years ago, my Dad sent me &lt;a href=&quot;http://www.amazon.com/Seinlanguage-Jerry-Seinfeld/dp/0553569155&quot; target=&quot;_blank&quot;&gt;Seinfeld&#039;s book&lt;/a&gt;, with this
specific passage highlighted:&lt;br /&gt;
&lt;br /&gt;
&lt;div style=&quot;margin-left: 40px&quot;&gt;
&amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;Life is truly a ride. We&#039;re all
strapped in and no one can stop it. When the doctor slaps your behind,
he&#039;s ripping your ticket and away you go. As you make each passage from
youth to adulthood to maturity, sometimes you put your arms up and
scream, sometimes you just hang on to that bar in front of you. But the
ride is the thing. I think the most you can hope for at the end of life
is that your hair&#039;s messed, you&#039;re out of breath, and you didn&#039;t throw
up.&lt;/span&gt;&amp;quot;
&lt;/div&gt;
&lt;br /&gt;
It&#039;s hard to keep that in context during the day to day grind. One
minute you are up and
then in what seems like the next second you are down. It&#039;s also a bit
more challenging for security folks, because in general we tend to be
somewhat cynical (OK, very cynical) and borderline paranoid. It&#039;s taken
me a long time to get in tune with my own peaks and troughs, and some
days that presents a pretty significant battle. &lt;br /&gt;
&lt;p&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/happy-sad.jpg&quot; alt=&quot;Happy? Sad? Yes, just wait a few minutes.&quot; style=&quot;border: 0px solid ; width: 240px; height: 152px; float: right&quot; hspace=&quot;10&quot; vspace=&quot;10&quot; /&gt;Take
yesterday, for example. I was excited to go see the hometown Falcons
play the Eagles. Yeah, I hate the Eagles. Growing up in NY and being a
Giants fan means you pretty much hate the Eagles. I know hate is a
strong word, but actually it may not be strong enough. I hate^2 the
Eagles, so I was hoping the dirty birds would put a hurting on visitors.&lt;br /&gt;
&lt;br /&gt;
Of course, my optimism lasted about 10 minutes and the reality of the
impact of having 40% of the offense inactive set in. It was ugly, and
totally compounded by the number of Eagles fans there to gloat. OK,
they didn&#039;t gloat, they were pretty cool (especially for Eagles fans),
but still. It hurt, and I was grumpy.&lt;br /&gt;
&lt;br /&gt;
So I get back to Chez Incite and settle in to watch the Giants play the
hated^2 Cowboys. Things started slowly for the G-men, and my mood was
descending into dark places. The Boss was going to vacate the premises,
but then at the end of the first half the Giants got going and held on
for the victory. Elation personified. I&#039;m not sure why football gets me
so fired up, but it does. And given how the Giants have played over the
past two months, getting a big win was awesome. &lt;br /&gt;
&lt;br /&gt;
But then I need to take a step back. There were pretty low lows and
pretty high highs all in the course of about 6 hours. And this was
about football, not anything really important. I think part of finding
balance and happiness is to acknowledge that there are some things that
you CHOOSE to get excited about. That means you also need to accept
that those very things will make you miserable at times. &lt;br /&gt;
&lt;br /&gt;
Then the misery will pass. Just as the happiness will pass. This is the
cycle we call life. Some can&#039;t deal with it and think there is
something wrong with them because they get whiplash swinging back and
forth between pessimism and optimism. There is nothing wrong with that.
There is nothing wrong with them. It&#039;s called being human.
&lt;/p&gt;
Have a
great day. &lt;br /&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;Ms.
Happy, meet Mr. Sad 111/365&lt;/span&gt;&amp;quot; originally uploaded
by &lt;a href=&quot;http://www.flickr.com/photos/sashawolff/3388736912/&quot; target=&quot;_blank&quot;&gt;SashaW&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Technorati: &lt;a href=&quot;http://technorati.com/tag/information%20security&quot; rel=&quot;tag&quot; target=&quot;_blank&quot;&gt;Information
Security&lt;/a&gt;, &lt;a href=&quot;http://technorati.com/tag/CSO&quot; rel=&quot;tag&quot;&gt;CSO&lt;/a&gt;&lt;/small&gt;,&lt;small&gt;&lt;a href=&quot;http://www.technorati.com/tag/Security%20Mike&quot; rel=&quot;tag&quot; target=&quot;_blank&quot;&gt;Security
Mike&lt;/a&gt;, &lt;a href=&quot;http://www.technorati.com/tag/Internet%20Security&quot; rel=&quot;tag&quot; target=&quot;_blank&quot;&gt;Internet
Security&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Liberation
	and Thought Leadership&lt;/span&gt; - RockyD rocks the house on FUDSEC
	last week with &lt;a href=&quot;http://fudsec.com/liberate-yourself-change-the-game-to-suit-you&quot; target=&quot;_blank&quot;&gt;a
	post about getting out of the rut many of us are in&lt;/a&gt;.
	There is a lot of good stuff in here (especially about focusing on
	R&amp;amp;D and better information sharing) and like most of the FUDSEC
	posts, it&#039;s about spurring discussion. &lt;a href=&quot;http://securosis.com/blog/changing-the-game&quot; target=&quot;_blank&quot;&gt;Mort
	takes issue with some of the stuff on the Securosis blog&lt;/a&gt;,
	and I agree with his positions, so I&#039;m not going to rehash. What I&#039;m
	going to pick on is the part where Rocky advocates a &amp;quot;vendor thought
	leadership&amp;quot; approach to the more strategic problem set. Sorry dude,
	it&#039;s not going to happen. Unless you count having every vendor (or
	consultant) apply what&#039;s in their bag and position it as a &amp;quot;strategic&amp;quot;
	solution. The profit motive ensures that the job of the vendor (and in
	many cases, consultant) is to convince the customer the strategic
	problem-set is addressed by the products. I know you are advocating the
	exact opposite approach, but I can&#039;t see it happening because a
	quarterly mind-set ensures short cuts are taken at every opportunity.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Noise level
	at an all-time high &lt;/span&gt;- The results of the annual CSI
	survey are out. &lt;a href=&quot;http://www.net-security.org/secworld.php?id=8568&quot; target=&quot;_blank&quot;&gt;The
	Help-Net Security folks did a nice job summarizing the findings&lt;/a&gt;.
	Basically we are dealing with a lot more incidents, but the average
	loss per incident is coming down. Hmmm. That wouldn&#039;t have to do with
	the fact that losses are not growing as fast as the number of
	incidents, eh? But the point is this is all noise. These surveys are
	interesting to look at in five year cycles to see where we&#039;ve been, but
	not very instructive to understand where we are going. Fact is, we need
	to focus on blocking and tackling - STILL. And given that cyber-crime
	is a growth market, I don&#039;t expect these surveys to show anything
	remarkably different for years to come. The point is for you to not end
	up as one of the statistics. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;More noise
	about data breaches &lt;/span&gt;- The folks at Imperva were also kind
	enough to point out the fact that &lt;a href=&quot;http://blog.imperva.com/2009/11/2009-the-year-of-the-mega-security-breach.html&quot; target=&quot;_blank&quot;&gt;even
	though the number of reported data breaches is going down, the number
	of records compromised has exponentially increased&lt;/a&gt;.
	Which again is predictable. With some exceptions, the amount of work to
	steal a million identities is similar to stealing 50 million. So why
	wouldn&#039;t the bad guys go after bigger targets? And they have -
	successfully. Good for them. The point is the noise can be used for FUD
	purposes (yes, there is a time and place for fear, uncertainty, and
	doubt in every security practitioner&#039;s bag), but it shouldn&#039;t be
	impacting our plans, strategies or processes AT ALL. Incidents and
	breaches happen, we know that. Blocking and tackling will help make
	sure you aren&#039;t low hanging fruit - but you will still likely be pwned.
	Then it&#039;s about making sure your incident response plan is where it
	needs to be. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Santa in camo
	comes early for ARST&lt;/span&gt; - ArcSight announced their fiscal 2Q
	results last week, and the numbers were good. Here is &lt;a href=&quot;http://www.arcsight.com/press/release/earningsreport-Q2FY2010/&quot; target=&quot;_blank&quot;&gt;the
	release&lt;/a&gt; and &lt;a href=&quot;http://seekingalpha.com/article/176485-arcsight-inc-f2q10-qtr-end-31-10-09-earnings-call-transcript&quot; target=&quot;_blank&quot;&gt;the
	earnings call transcript&lt;/a&gt;.
	39% year-over-year growth and another quarter of strong cash flow. Lots
	of activity in the federal space, which is expected - given the focus
	on cyber-X that most of the defense and civilian agencies have. In
	fact, government revenues accounted for 49% of their quarter. As the
	federal markets figure out which end is up for FY 2010, it&#039;ll be
	interesting to see if/how the commercial markets continue to adopt
	security management technology. Given compliance mandates, everyone
	needs it - but there are cheap ways to check the box and there are
	expensive ways to overhaul operations. Which path commercial
	organizations take is still an open question (in my mind anyway).&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Rebranding
	SIEM&lt;/span&gt; - Speaking of SIEM, Independent Anton (did you check
	out his &lt;a href=&quot;http://www.securitywarriorconsulting.com/&quot; target=&quot;_blank&quot;&gt;new consulting site&lt;/a&gt;?) has &lt;a href=&quot;http://chuvakin.blogspot.com/2009/11/on-siem-complexity.html&quot; target=&quot;_blank&quot;&gt;an interesting analysis of the SIEM market&lt;/a&gt;,
	bringing in some Ries marketing mojo and really trying to tackle the
	issue of perception vs. reality. Given that I know a thing or two about
	how to (or more likely, how NOT to) market a SIEM platform, the reality
	is that SIEM is not a must-have. I know about 10 vendors that will be
	jumping up and down telling me I&#039;m wrong. But they are missing the
	point. Compliance is a must have, and that means some of the aspects of
	most modern SIEMs (like log management) must be highlighted because
	that&#039;s where the funding is. Once the funding is found, then it&#039;s about
	highlighting difference - such as with capabilities like SIEM or NBA or
	configuration audit. Anton is right that the focus must be on solving
	problems, not on flashing lights or even scalability. Until a customer
	is convinced a SIEM can solve a problem, how fast it is (or how many
	other capabilities it has) is really beside the point.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Andreas&#039; love
	note to 2009&lt;/span&gt; - The analyst I now dub &amp;quot;Double A&amp;quot; for
	Andreas Antonopoulos does a little &lt;a href=&quot;http://www.networkworld.com/columnists/2009/120109antonopoulos.html&quot; target=&quot;_blank&quot;&gt;revisiting of his 2009 predictions in one of
	his last NetworkWorld columns for 2009&lt;/a&gt;. As you can see, there
	wasn&#039;t anything too controversial here and for the most part he was
	right. It turns out that if you keep your head off the chopping block,
	it usually is still attached at the end of the year. I&#039;d take some
	issue with his &amp;quot;correct&amp;quot; prediction about mobile security, given the
	iPhone worm was only applicable to those with jail broken phones, but
	it&#039;s good to see someone holding themselves accountable for the things
	said. Perhaps Big Research will get into the act as well (0%
	probability).&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Cloud-based
	security services unite &lt;/span&gt;- I loved the &lt;a href=&quot;http://en.wikipedia.org/wiki/Wonder_Twins&quot; target=&quot;_blank&quot;&gt;Wonder
	Twins&lt;/a&gt; cartoon when I was growing up. And when I saw
	this announcement about &lt;a href=&quot;http://www.channelinsider.com/c/a/Security/RSA-Leverages-TrendMicro-Technology-in-New-Deal-421511/&quot; target=&quot;_blank&quot;&gt;RSA leveraging some of Trend Micro&#039;s threat
	intelligence in their own fraud detection services&lt;/a&gt;, the
	Wonder Twins popped into my head. The reality is this kind of
	information sharing is a good thing. Will it make a difference? Who
	knows, but it makes for good marketing since when trying to
	differentiate &amp;quot;cloud intelligence&amp;quot; it&#039;s all about how much data you
	have. What you use, on the other hand, is very likely a different
	story. Obviously Art (playing the role of Zan) transforms into a cloud.
	But what about Eva (playing Jayna)? What animal form makes the most
	sense for her? Leave your thoughts in the comments... &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Pretty good
	rules to live by&lt;/span&gt; - It&#039;s great to see other folks sharing
	their own life philosophies, and I&#039;ll point the interesting ones out
	as appropriate. I want to give Michael Dahn some props on &lt;a href=&quot;http://chaordicmind.com/blog/2009/11/23/3-rules-to-live-by/&quot; target=&quot;_blank&quot;&gt;a set of three &amp;quot;rules&amp;quot; that he lives by&lt;/a&gt;,
	that I think are applicable to most of us. The first is &amp;quot;nothing is
	impossible, the impossible just takes longer.&amp;quot; Perseverance is a key to
	success, check. &amp;quot;Learn the good, avoid the bad&amp;quot; seems obvious, but is
	VERY hard to actually do. I&#039;ve found that most folks have to learn the
	hard way what is good and what is bad. It&#039;s a rare bird that can
	actually learn from someone else&#039;s pain. And finally &amp;quot;never stop
	improving&amp;quot; which is actually a double-edged sword. One of my problems
	is that I am never satisfied and that creates some real issues in
	knowing how good you need to be in any aspect of anything.&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-07-09-happy-sad-repeat#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Mon, 07 Dec 2009 10:44:44 -0600</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1096 at http://securityincite.com</guid>
</item>
<item>
 <title>The Daily Incite - 12/03/09 - Not so GRRRRREEEEAAAAATTTTT!!!!</title>
 <link>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-03-09-not-so-grrrrreeeeaaaaattttt</link>
 <description>&lt;div style=&quot;text-align: center&quot; id=&quot;topcontent&quot;&gt;
&lt;img src=&quot;http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg&quot; style=&quot;width: 448px; height: 107px&quot; alt=&quot;Today&#039;s Daily Incite&quot; /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: 10pt; font-family: Arial&quot; id=&quot;leftcontent&quot;&gt;
&lt;h2&gt;December 3, 2009 - Volume 4, #35 &lt;/h2&gt;
Good Morning: &lt;br /&gt;
With the holiday season coming up, I know it&#039;s hard to get presents for
me. I want for nothing and if I do want something, more often than not
I just go and buy it. Within reason, of course. So I know it&#039;s a
challenge for folks in my family to get me anything. But I can only
imagine how hard it is to buy a present for a guy like Tiger Woods. &lt;br /&gt;
&lt;p&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/sad-tiger.jpg&quot; alt=&quot;Yeah I&#039;m sad, the model is taking half my stuff...&quot; style=&quot;border: 0px solid ; width: 240px; height: 180px; float: right&quot; hspace=&quot;10&quot; vspace=&quot;10&quot; /&gt;Yes, that Tiger Woods. The
one who makes over a hundred million a year. And who married the
Swedish model. If you were to ask almost everyone, if they could pick a
perfect life - I&#039;d say most would say Tiger&#039;s got it pretty good.&lt;br /&gt;
&lt;br /&gt;
Evidently not. I was pretty disturbed when the news of his
&amp;quot;transgressions&amp;quot; hit the major media yesterday. First of all, this
story has outweighed little issues like sending 30,000 more troops to
Afghanistan over the past week. But I shouldn&#039;t be surprised. Our
celebrity-centric US media engine means they&#039;ll sell a lot more page
views by talking about Tiger&#039;s dick than the tens of thousands now in
harm&#039;s way. Got to let that one go.&lt;br /&gt;
&lt;br /&gt;
At least Tiger didn&#039;t pull a &lt;a href=&quot;http://deadspin.com/5389689/steve-phillips-fired-by-espn-updated&quot; target=&quot;_blank&quot;&gt;Steve Phillips&lt;/a&gt;. The stripper or
whatever is pretty decent looking. But still, he married a SWEDISH
MODEL. Really seriously I just don&#039;t get it. Is this guy&#039;s life so good
that he has to go and screw it up because he can? Because a dream for
99.999999% of the population has just become commonplace. Please, help
me understand it.&lt;br /&gt;
&lt;br /&gt;
Is it the need to exercise power? Is it the feeling of being
invincible? I guess all the psychologists out there are having a field
day trying to figure it out. I guess now that I&#039;m writing, I&#039;m just
sad. Sad that what seems like the perfect life I guess isn&#039;t so
perfect. Sad that this guy has to face his failings in such a public
way. But ultimately sad that once again, human nature has trumped any
sense of logic. &lt;br /&gt;
&lt;br /&gt;
That old adage about money doesn&#039;t buy happiness, I guess is true. It
seems a Swedish model doesn&#039;t make you happy either. I guess for Tiger
being the best golfer ever is not enough. Having untold riches is not
enough. Having a beautiful family isn&#039;t enough either. After all, in
Tiger-land I guess things aren&#039;t really that
GRRRRREEEEEAAAATTTTT!!!!
&lt;/p&gt;
Have a
great weekend. &lt;br /&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;The
world&#039;s saddest tiger, part deux&lt;/span&gt;&amp;quot; originally uploaded
by &lt;a href=&quot;http://www.flickr.com/photos/sin_agua/469180512/&quot; target=&quot;_blank&quot;&gt;peppergrasss&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Technorati: &lt;a href=&quot;http://technorati.com/tag/information%20security&quot; target=&quot;_blank&quot; rel=&quot;tag&quot;&gt;Information
Security&lt;/a&gt;, &lt;a href=&quot;http://technorati.com/tag/CSO&quot; rel=&quot;tag&quot;&gt;CSO&lt;/a&gt;&lt;/small&gt;,
&lt;small&gt;&lt;a href=&quot;http://www.technorati.com/tag/Security%20Mike&quot; target=&quot;_blank&quot; rel=&quot;tag&quot;&gt;Security
Mike&lt;/a&gt;, &lt;a href=&quot;http://www.technorati.com/tag/Internet%20Security&quot; target=&quot;_blank&quot; rel=&quot;tag&quot;&gt;Internet
Security&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;table style=&quot;width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto&quot; border=&quot;0&quot; cellpadding=&quot;5&quot; cellspacing=&quot;2&quot;&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td style=&quot;text-align: center; width: 208px&quot;&gt;&lt;a href=&quot;http://www.pragmaticcso.com&quot;&gt;&lt;img src=&quot;http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg&quot; alt=&quot;The Pragmatic CSO&quot; style=&quot;border: 0px solid ; width: 170px; height: 259px&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;The
			Pragmatic CSO: &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;Available Now! &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;Read the Intro and
			Get &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;&amp;quot;5 Tips to be a
			Better CSO&amp;quot;&lt;/span&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;a href=&quot;http://www.pragmaticcso.com/&quot; target=&quot;_blank&quot; style=&quot;font-weight: bold&quot;&gt;www.pragmaticcso.com&lt;/a&gt;&lt;br /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;&lt;/span&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;&lt;/span&gt;&lt;br /&gt;
			&lt;span style=&quot;font-family: Arial&quot;&gt;&lt;/span&gt;&lt;/td&gt;
			&lt;td style=&quot;text-align: center&quot;&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;&lt;big&gt;&lt;big&gt;&lt;big&gt;Follow
			me on Twitter:&lt;span style=&quot;text-decoration: underline&quot;&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;/span&gt;&lt;a href=&quot;http://www.twitter.com/securityincite&quot; target=&quot;_blank&quot;&gt;@securityincite&lt;/a&gt;&lt;/big&gt;&lt;/big&gt;&lt;/big&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;img src=&quot;http://www.pragmaticcso.com/Images/twitter-logo.jpg&quot; style=&quot;width: 225px; height: 82px&quot; alt=&quot;Twitter&quot; /&gt;&lt;br /&gt;
			&lt;br /&gt;
			I&#039;m not sure where I&#039;m going, but I&#039;ll get there in 140 characters - or
			less...&lt;span style=&quot;text-decoration: underline&quot;&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href=&quot;http://www.pragmaticcso.com/&quot; target=&quot;_blank&quot; style=&quot;font-weight: bold&quot;&gt;&lt;/a&gt;&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
It&#039;s nice to be flexing the analytical muscles again. I can say I&#039;ve
gotten a bit soft over the past 15 months. But like all muscle memory,
the cynicism, skepticism, and general venom will be back before you
know it. &lt;a href=&quot;http://www.ashimmy.com/2009/12/the-alan-and-mitchell-podcast-who-is-that-masked-man-mike-rothman.html&quot; target=&quot;_blank&quot;&gt;Alan and Mitchell invited me to participate
in their podcast yesterday&lt;/a&gt;, which was great fun. We laughed,
we cried, we made fun of people, but mostly we laughed. Enjoy.&lt;br /&gt;
&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;It&#039;s not just
	a job, it&#039;s an adventure&lt;/span&gt; - Happiness is a fleeting
	concept. It&#039;s here for a few minutes, then it&#039;s gone, then it&#039;s back.
	Hopefully it&#039;s not gone for too long. I wanted to send a shout out to &lt;a href=&quot;http://www.andyitguy.com/blog/?p=819&quot; target=&quot;_blank&quot;&gt;AndyITGuy
	for doing some good analysis of where his head was at&lt;/a&gt; after
	he got laid off recently. It was a heartfelt and candid post. We all
	have days where we feel like that. The reality is security is a hard
	job - on a good day. And if we are going to find any measure of
	happiness, you have to be able to understand you can do only what you
	can do. Sometimes you just need to move on, especially if the
	organization isn&#039;t going to give you the opportunity to be successful.
	But many of us thrive on challenge and don&#039;t believe anything is
	impossible. That&#039;s why you do security.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;If you aren&#039;t
	breaking your stuff... &lt;/span&gt;- Someone else is. That&#039;s right,
	it seems driven by the recent &lt;a href=&quot;http://www.rapid7.com/news-events/press-releases/2009/2009-rapid7-acquire-metasploit.jsp&quot; target=&quot;_blank&quot;&gt;Rapid7/Metasploit deal&lt;/a&gt;, pen
	testing software is back in the spotlight. The folks over at &lt;a href=&quot;http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221900215&amp;amp;cid=ref-true&quot; target=&quot;_blank&quot;&gt;Dark Reading did an analysis of the market&lt;/a&gt;,
	and &lt;a href=&quot;http://threatpost.com/en_us/blogs/penetration-testing-marketplace-2010-120109&quot; target=&quot;_blank&quot;&gt;Nick Selby also weighed in on what he
	expects in that market&lt;/a&gt; over the next year. I&#039;m glad folks are
	starting to see the importance of what I call &amp;quot;security assurance.&amp;quot; If
	you are a company of size, you should have someone on your staff
	breaking things every day. And they should be using live ammo. Vuln
	scanners are important too (if only to see the depth of your issues), but
	you really need to take it to the next level and see what can really be
	exploited. It&#039;s also good to see higher level application attacks
	starting to show up in the app scanners as well. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Ramping up
	the &amp;quot;cyberwar&amp;quot; hype cycle &lt;/span&gt;- Here is the reality:
	technology is an intrinsic part of everything today. Why do I need to
	state such an obvious truism? Because folks continue to want to
	convince us that there is something new here. Take &lt;a href=&quot;http://siblog.mcafee.com/?p=1494&quot; target=&quot;_blank&quot;&gt;McAfee,
	for instance - they recently did a report on &amp;quot;cyberwar,&amp;quot;&lt;/a&gt;
	making the point that an increasing number of attacks seem politically
	motivated. And what&#039;s new about that? If you want to sabotage a
	competitor, why not break into their systems? Or rob a bank? Or bring
	down critical infrastructure? Or get intel on an enemy&#039;s defenses? Of
	course, a technology attack is the first, best path. You only bring in
	the Black Ops guys when you really need to. I&#039;m not challenging the
	findings, I&#039;m just wondering why this is news? &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;SMBs like SaaS&lt;/span&gt;
	- Directly from the Duh! files, the folks at &lt;a href=&quot;http://www.darkreading.com/securityservices/security/perimeter/showArticle.jhtml?articleID=221600951&quot; target=&quot;_blank&quot;&gt;Dark Reading are hyping a report they wrote
	about how SMB organizations should be protecting their stuff&lt;/a&gt;.
	One of the conclusions is that Security as a Service (SaaS) is an
	attractive alternative. Really? And then they start throwing the
	numbers out. $38K for a web gateway software vs. $15K for a managed
	service. If you know how to use Excel, you can make the numbers say
	anything you want. But the reality is not really about cost savings,
	it&#039;s about expertise and leverage. A lot of these security devices need
	daily tuning, care and feeding and that just doesn&#039;t work for an
	overworked IT guy in a smaller company. So to me the interesting part
	of SaaS isn&#039;t how much money you can save, which may or may not
	materialize. It&#039;s the leverage that can be gained by having someone
	else manage the crap you don&#039;t have time to manage.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;If Big J says
	I&#039;m doing it wrong...&lt;/span&gt; - We are still very early in the
	evolution of application security, and that means we are still
	subjected to religious battles like white box vs. black box testing.
	Thankfully &lt;a href=&quot;http://www.darkreading.com/securityservices/security/perimeter/showArticle.jhtml?articleID=221600951&quot; target=&quot;_blank&quot;&gt;Jeremiah Grossman provides some much needed
	perspective here&lt;/a&gt;, in terms of making the point that BOTH is
	the right answer. There are some things that code review is better at
	finding, and you cannot minimize the need to automate using scanners
	and other tools. As with everything else in security, there is no one
	silver bullet for application security. It&#039;s about minimizing the risk
	that you&#039;ve missed something and using every tool, technique and
	process at your disposal is just the right thing to do.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Whitelisting
	good&lt;/span&gt; - Normally reviews don&#039;t interest me that much,
	unless it&#039;s really indicative of a changing market. So this piece by
	Roger Grimes for XWorld (all the IDG properties seem to share
	content now) &lt;a href=&quot;http://www.networkworld.com/reviews/2009/110409-infoworld-review-whitelisting-security-comes.html&quot; target=&quot;_blank&quot;&gt;testing a bunch of white listing products&lt;/a&gt;
	is really indicative of a market that is mature enough to disappear. Huh?
	That&#039;s right, once a large set of products actually work and solve the
	problem, then the capabilities can and should be subsumed into a bigger
	category and that&#039;s exactly what is happening. First of all, I&#039;m a big
	believer in white listing. The old way to find malware (checking
	against signatures) isn&#039;t getting it done. And over time, we&#039;ll see all
	of the big AV vendors move to a hybrid &amp;quot;cloud&amp;quot; (meaning the extended
	sig database is in the cloud) and white list driven approach. And it
	still won&#039;t work, but that&#039;s another story for another day.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Think dummy,
	think&lt;/span&gt;
	- &lt;a href=&quot;http://newschoolsecurity.com/2009/10/new-best-practice-think/&quot; target=&quot;_blank&quot;&gt;Adam says it all&lt;/a&gt;. We don&#039;t do
	enough of this. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Damage
	control, the 30,000 foot view&lt;/span&gt; - Sometimes I like to check
	out &amp;quot;security tips&amp;quot; targeted towards a mass market audience to see how
	closely some of this stuff maps to reality. The good news from this
	post on &lt;a href=&quot;http://entrepreneur.venturebeat.com/2009/11/25/youve-been-hacked-now-what/&quot; target=&quot;_blank&quot;&gt;how to respond to an incident from
	VentureBeat&lt;/a&gt; is pretty good. To be clear, it&#039;s VERY high
	level, but for this audience that&#039;s fine. They don&#039;t want to hear about
	chain of custody, EnCase or BackTrack. They need to understand the
	general process, not the details. The very high priced forensic guys
	can worry about the details. But as I&#039;ve said countless times, it&#039;s not
	about being perfect (you can&#039;t), it&#039;s about making sure an incident
	doesn&#039;t become a catastrophe.&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-12-03-09-not-so-grrrrreeeeaaaaattttt#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Thu, 03 Dec 2009 08:30:04 -0600</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1095 at http://securityincite.com</guid>
</item>
<item>
 <title>The Daily Incite - 11/30/09 - Giving Thanks</title>
 <link>http://securityincite.com/blog/mike-rothman/the-daily-incite-11-30-09-giving-thanks</link>
 <description>&lt;div id=&quot;topcontent&quot; style=&quot;text-align: center&quot;&gt;
&lt;img src=&quot;http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg&quot; alt=&quot;Today&#039;s Daily Incite&quot; style=&quot;width: 448px; height: 107px&quot; /&gt;
&lt;/div&gt;
&lt;div id=&quot;leftcontent&quot; style=&quot;font-size: 10pt; font-family: Arial&quot;&gt;
&lt;h2&gt;November 30, 2009 - Volume 4, #34 &lt;/h2&gt;
Good Morning: &lt;br /&gt;
Oh yeah. I&#039;m back and it feels great. Just getting done with the long
holiday weekend here in the States got me thinking about how thankful I
am. So I&#039;m going to go through the list in an &amp;quot;Inciteful&amp;quot; way. Then
it&#039;s back to some pithy and totally subjective opinion of some recent
security stuff. IN MY VOICE. The past 15 months I&#039;ve had to speak
(again) in someone else&#039;s voice and well... that ain&#039;t me. So it&#039;s nice
to exercise the sonorous baritone a bit and though I&#039;m no Barry White,
the voice is definitely mine. &lt;br /&gt;
&lt;p&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/Give-Thanks.jpg&quot; style=&quot;border: 0px solid ; width: 240px; height: 180px; float: right&quot; alt=&quot;I&#039;m thankful the aliens didn&#039;t obliterate me this weekend.&quot; vspace=&quot;10&quot; hspace=&quot;10&quot; /&gt;First and foremost, I&#039;m
thankful for The Boss. Yes, she is still my boss and no one provides
more support for what I do than my wife. She was the first one to
suggest that I really needed to get back to Incite and that it&#039;s the
thing that makes me happiest. She&#039;s ridden shotgun through the highs
and lows and back again. And hardly puked on my shoes through the
turbulence.&lt;br /&gt;
&lt;br /&gt;
Next up are my kids and family. The kids provide a ton of entertainment
on a daily basis. When I&#039;m not gnashing my teeth that is. But I need to
continue working on my patience and there is no better way to do that
than to have 3 kids running around. My family is well...my family. Yes,
I love them. Yes, at times they make me crazy. And yes, I need to
accept them and their idiosyncrasies. Just as they accept me and my
nuttiness.&lt;br /&gt;
&lt;br /&gt;
I&#039;m thankful for all of the friends I&#039;ve made in the industry. Many of
whom wrote to tell me how sorry they were I got laid off. It&#039;s great
to have so many folks that &amp;quot;have my back,&amp;quot; and are supportive of what I
do. Of course, I&#039;m not sorry about the way things worked out and I
couldn&#039;t be more excited to be blazing my own trail again. But for
every one of you that Tweeted or emailed or called, thank you. Really
really thank you.&lt;br /&gt;
&lt;br /&gt;
I&#039;m thankful for the folks that have better things to do than secure
their stuff. For one, a small percentage of them will be statistics
which allow the vendors to keep spewing FUD at an unbelievable pace.
That FUD keeps guys like me busy. I&#039;m also thankful that these folks
need a much more Pragmatic way to think about securing their stuff.
They don&#039;t care about being &amp;quot;secure,&amp;quot; they want to make the auditor go
away and they don&#039;t want to get pwned. Of course, we all know those
objectives are at odds with each other, but that evangelization process
is what I love, so I don&#039;t want to change a thing. &lt;br /&gt;
&lt;br /&gt;
I&#039;m thankful for Big Research. They continue to, well, be Big, and that
means pretty much lumbering around in their fat, dumb and lazy way.
Using the same presentations year in and year out, and being a great
backwards looking indicator. There are some great analysts in Big
Research land, and I&#039;m happy to call many of them my friends. There are
also a whole lot of not so great analysts, and that creates opportunity
for guys like me. But ultimately these are the folks that invented the
IT research industry and I continue to ride their coat tails on a daily
basis. 
&lt;/p&gt;
&lt;p&gt;
I&#039;m thankful for every single one of you that clicks on an
email or opens up their RSS reader or even visits my web site to read
what I write. Like everyone who gets a second (or third or fourth)
chance, you appreciate it much more after it&#039;s been taken for a while.&lt;br /&gt;
&lt;/p&gt;
Finally, I&#039;m thankful for my time at eIQ. Every so often, a guy like me
needs to be reminded that the grass is not greener on the other side.
Statistically, you are probably as likely to win the lottery as you are
to pick the right hot start-up and make a bunch of money. Ultimately
the material spoils don&#039;t matter if you don&#039;t enjoy what you are doing.
Especially when you can make a decent living doing what you like. So my
latest trip back into corporate America reminded me of what I seem to
have forgotten. That I need to be thankful for doing what I like, and
that I should just do it. Which is what I plan to do.&lt;br /&gt;
&lt;br /&gt;
Have a
great day. &lt;br /&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;Give
Thanks&lt;/span&gt;&amp;quot; originally uploaded by &lt;a href=&quot;http://www.flickr.com/photos/subcess/3181373271/&quot; target=&quot;_blank&quot;&gt;Markus Rodder&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
As you can imagine, quite a bunch of stuff has accumulated since the
summer. So I&#039;ll pick some timely topics to cover, as well as some
important stuff from my archives. The plan is to publish on Monday,
Wednesday and Friday for a while and get back to a consistent drumbeat
of Incite to make you laugh, cry, maybe learn something, but most
importantly long for the days when I wasn&#039;t writing so frequently.&lt;br /&gt;
&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;IBM (maybe)
	takes out Guardium&lt;/span&gt; - We all knew it was just a matter of
	time before someone acquired the bigger Database Activity Monitoring
	start-ups. Looks like Guardium is the first to take the money and run.
	And with &lt;a href=&quot;http://news.yahoo.com/s/nm/20091129/bs_nm/us_guardium_ibm&quot; target=&quot;_blank&quot;&gt;a reported $225 million of IBM&#039;s cash&lt;/a&gt;,
	they can run for a while. Clearly protecting the database is a key part
	of any security program and the DAM folks have shown it can be done at
	enterprise scale. IBM likely paid a very healthy
	multiple (probably in the 7-8x bookings range) because Guardium was the
	first to cleanly support DAM for databases on the big iron. That is
	something IBM had to control. &lt;a href=&quot;http://securosis.com/blog/guardium-acquired-by-ibm&quot; target=&quot;_blank&quot;&gt;Adrian from Securosis provides his take on
	the deal&lt;/a&gt; as well.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Security
	success? Remember the Credibility Bank &lt;/span&gt;- I wrote the &lt;a href=&quot;http://www.pragmaticcso.com&quot; target=&quot;_blank&quot;&gt;Pragmatic
	CSO&lt;/a&gt; in the latter part of 2006. It&#039;s hard to believe it&#039;s
	been 3 years, but I have to say the message continues to resonate and
	appear in places that I never expected. Not directly, but from a
	philosophy standpoint. Take this article in &lt;a href=&quot;http://www.scmagazineus.com/seizing-management-power/article/157235/&quot; target=&quot;_blank&quot;&gt;SC Mag about Seizing Management Power&lt;/a&gt;.
	You don&#039;t really &amp;quot;seize&amp;quot; power, rather you earn it. It&#039;s really about
	the need for security folks to talk business and persuade their peers
	that protecting information is good for their business. It all gets
	back to credibility. If you don&#039;t have it, you can&#039;t execute on any
	kind of security program. Pure and simple.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Maybe the CIO
	is your friend, but not mine... &lt;/span&gt;- Following up on the
	previous snippet about talking the language of business is &lt;a href=&quot;http://securosis.com/blog/the-cio-is-your-friend/&quot; target=&quot;_blank&quot;&gt;a post from Mortman on the Securosis blog&lt;/a&gt;
	relative to the reality that most CIO level folks don&#039;t have a clue
	about how to be relevant to the business. The reality is, YOU as the
	security professional cannot be hindered by that. If your CIO gets it,
	all the better. If not, you still have to build relationships with the
	business folks and still position security as good for the business.
	Mort&#039;s ideas on having someone to work with on messaging and making
	sure your stuff is professionally done is absolutely critical to
	building the credibility you know you need. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Valuing
	Assets, using Lindstrom&#039;s Razor&lt;/span&gt; - For a guy who shaves
	once a week, whether I need to or not, the idea of a Razor being
	wielded by Grumpy Pete is outright terrifying. Kind of like a slasher
	movie set in a data center. I can just see Pete hacking away at
	Jaquith&#039;s stilts (oh, I think those are his legs) or Hoff&#039;s halo (he is
	the almighty, isn&#039;t he?). But seriously, &lt;a href=&quot;http://blogs.forrester.com/srm/2009/10/information-asset-value-some-coldhearted-calculations-.html&quot; target=&quot;_blank&quot;&gt;Andy does pose an interesting thought
	experiment&lt;/a&gt; based on Grumpy Pete&#039;s ideas on valuing assets
	using a floor value based on the amount of money you are willing to pay
	to secure it. Hmmm. &lt;a href=&quot;http://1raindrop.typepad.com/1_raindrop/2009/10/lindstroms-razor.html&quot; target=&quot;_blank&quot;&gt;Gunnar expands on this a bit as well.&lt;/a&gt;
	The reality is most folks have NO IDEA what they are paying to secure
	much of anything. They have a security rock and they hit pretty much
	anything they can with it. Very few organizations actually decide on an
	asset (or even a business system) basis what they are willing to spend
	to protect it. They should, but they don&#039;t. But it&#039;s a good thought
	experiment anyway.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Profiling
	application traffic on a blade&lt;/span&gt; - Amazingly enough, the
	news that &lt;a href=&quot;http://finance.yahoo.com/news/Check-Point-to-Add-Security-iw-3798963261.html?x=0&amp;amp;.v=1&quot; target=&quot;_blank&quot;&gt;Check Point acquired FaceTime&#039;s application
	database&lt;/a&gt; didn&#039;t make the 11 o&#039;clock news. They probably paid
	FaceTime in Starbucks cards. But the concept is interesting, in being
	able to deploy application profiling on a software blade on the gateway
	does open up a number of cool policies you can deploy, especially
	relative to egress filtering. This was clearly a cheaper way to get
	better application visibility than buying Palo Alto (which they should
	do anyway). Yes, the perimeter gateway is getting smarter, no the
	&amp;quot;secure network fabric&amp;quot; is nowhere close, and the reality is the action
	is what&#039;s happening inside the protocols and we security folks need to
	get a lot smarter on application attacks - stat!&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Security
	&amp;quot;scorecards&amp;quot; - love and mostly hate&lt;/span&gt; - I&#039;ve had a love/hate
	relationship with the concept of metrics for a long time. On one hand
	(love), I realize the importance of measurement and counting and all
	that other good stuff that creates pie charts for the CFO. But my
	pragmatic gene kicks in (hate) and I realize the effort required to
	really quantify the impact of security doesn&#039;t leave a lot of time or
	resources to actually secure much. I look at &lt;a href=&quot;http://newschoolsecurity.com/2009/09/12-tips-for-designing-an-infosec-risk-scorecard-its-harder-than-it-looks/&quot; target=&quot;_blank&quot;&gt;a post like Russell&#039;s diatribe on building
	an InfoSec Risk Scorecard&lt;/a&gt;, with a sort of numb bemusement.
	The post is great and the tips are right on. But it&#039;s just hard for me
	to see most security folks going through the effort. One of the tips
	really hits home: &amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;If
	your bosses really need a good InfoSec Risk Scorecard, then they should
	be prepared to pay for it.&lt;/span&gt;&amp;quot; Therein lies the rub, most
	bosses don&#039;t care about a security scorecard (they just want to be
	secure) and they are certainly not going to pay a lot for it. Thus,
	the ongoing futility of security metrics.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Tao votes for
	Leadership&lt;/span&gt; - It&#039;s funny, but the political hype machine is
	already talking about the mid-term elections happening next November.
	Solving the &amp;quot;cyber-security&amp;quot; problem continues to be a hot topic in the
	Fed space. Lots of folks think more efficient buying is an answer, or
	throwing a few more products at the problem. &lt;a href=&quot;http://taosecurity.blogspot.com/2009/10/partnerships-and-procurement-are-not.html&quot; target=&quot;_blank&quot;&gt;Richard is clearly voting here for leadership&lt;/a&gt;,
	not any of these other shiny objects (many espoused by the
	self-proclaimed cyber-war research czar Stiennon). And he&#039;s exactly
	right. We have to get sick of losing and then we&#039;ll devote the
	resources necessary to win. As an aside, is anyone else starting to
	puke every time they see the term &amp;quot;cyber-X&amp;quot;? I know the Feds are spending
	money on security products, but a horrifying number of vendors are
	repositioning their stuff to address the &amp;quot;cyber&amp;quot; issue and in reality
	it&#039;s just another marketing shiny object and too many dim-wits can&#039;t
	tell the ruse for what it is. &lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Writing the
	LRD&lt;/span&gt; - This isn&#039;t really security-oriented, but I wanted to
	point to &lt;a href=&quot;http://www.pragmaticmarketing.com/publications/topics/09/before-the-market-requirements-document&quot; target=&quot;_blank&quot;&gt;a great post on the Pragmatic Marketing site
	about writing a &amp;quot;life requirements document.&amp;quot;&lt;/a&gt; Some of you call
	them goals, others a set of guiding principles, but all the same - you
	can&#039;t be good at your job or particularly happy unless you&#039;ve given
	some thought to what makes you happy and what you like to do. Too many
	of us just meander through our lives getting through each day and
	looking forward to watching a football game, drinking a brew with
	buddies, or playing catch with the kids. So that is an awful lot of
	time spent waiting for something else. So read the post and give the
	approach some thought. Personally, I set goals, but an LRD structure
	may work for some of you.&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-11-30-09-giving-thanks#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Mon, 30 Nov 2009 10:10:36 -0600</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1094 at http://securityincite.com</guid>
</item>
<item>
 <title>Incite Rides Again</title>
 <link>http://securityincite.com/blog/mike-rothman/incite-rides-again</link>
 <description>&lt;p&gt;
I was laid off from eIQ yesterday. I know it was a tough decision for the folks up there. Business decisions can be that way. I feel for them that they feel bad. They shouldn&#039;t. &lt;br /&gt;
&lt;br /&gt;
Am I disappointed? Yes. But not for the reasons you&#039;d think. I really enjoyed working with some members of the team, and I&#039;ll miss that. Some parts of the job were fun and interesting. I&#039;ll miss that too.&lt;br /&gt;
&lt;br /&gt;
But most of the stuff I won&#039;t miss. At all. &lt;br /&gt;
&lt;br /&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/hi-yo_silver.jpg&quot; align=&quot;left&quot; height=&quot;240&quot; hspace=&quot;10&quot; vspace=&quot;10&quot; width=&quot;156&quot; /&gt;As I was thinking back, it turns out the tenure of my last 3 vendor jobs has been exactly 15 months. I know, kind of strange, eh? Don&#039;t think they have an actuarial table to predict that. Yet this last experience has finally brought me to the realization that working for a vendor isn&#039;t the best use of my skills. Sometimes I&#039;m a little slow on the uptake. &lt;br /&gt;
&lt;br /&gt;
There are lots of reasons a vendor job isn&#039;t the best fit, but three really stick out like a sore thumb. The first is competition. I used to be very very competitive growing up. Life was a zero sum game and I wanted to win - everything. I used to joke that I wanted to be king of all I survey. As I&#039;ve gotten older, my need to win is much less acute. So the hand to hand combat of working for a vendor in a competitive market space is not only tiring, it&#039;s soul crushing. &lt;br /&gt;
&lt;br /&gt;
After my experience at CipherTrust, I figured that I didn&#039;t like the competition because I was on the losing team. But that&#039;s not it. I&#039;m not interested in tracking the time it takes the competition to copy my messaging anymore. Win or lose, I&#039;m tired of the competition. And if you don&#039;t want to compete every day for every deal, you shouldn&#039;t be working for a vendor in a competitive space.&lt;br /&gt;
&lt;br /&gt;
I also don&#039;t like breaking things that aren&#039;t broken. So the first 6 months with a vendor are fine. Things are broken and I fix them. The positioning. The web site. The product marketing and sales toolkits. The product strategy. But after about 12 months, everyone thinks things are broken again. Shiny objects start flashing that &amp;quot;need&amp;quot; attention. And that takes focus away from what is really important. You are forced to go through this dance of trying to figure out what is broken and what isn&#039;t. And the answer &amp;quot;I did it right the first time&amp;quot; doesn&#039;t really fly (I tried that the first time, it didn&#039;t go very well). These gyrations are so much fun, I&#039;d rather give myself an enema with a branding iron than reposition the company around the latest hot buzzword. &lt;br /&gt;
&lt;br /&gt;
But neither of these is the real kicker; there are parts of every job you don&#039;t like. For me, it&#039;s all about the passion. The best performers I know are really passionate about what they are doing. They just love what they do and would do it whether they were getting paid or not. I can tell you I was not passionate about my last 3 vendor gigs. &lt;br /&gt;
&lt;br /&gt;
And to do something all day, every day that you are not passionate about is tiring and soul crushing. So I did my best each day and would anxiously await the day when they would pay me to not do marketing, which happens to be about 15 months after I start. &lt;br /&gt;
&lt;br /&gt;
But ultimately this gets back to me. When I left TruSecure, it was them. At least that&#039;s what I convinced myself. 17 months later (2 months to get the CipherTrust job and then 15 months there) I left CipherTrust and it was still them, but I was tired of working for someone else. So I started Security Incite.&lt;br /&gt;
&lt;br /&gt;
I joined eIQ because it seemed the stars were aligning and it was going to be different this time. 15 months later, it&#039;s not different. And it&#039;s not them. It&#039;s me. And I&#039;m OK with that. Really, truly OK.&lt;br /&gt;
&lt;br /&gt;
You see, life is a journey and I&#039;m finally starting to realize that there is no right path or wrong path. There is only the path. eIQ and my other vendor experiences were part of that path. But as I look ahead, my path doesn&#039;t involve working for a vendor.&lt;br /&gt;
&lt;br /&gt;
Given that Thanksgiving is next week, I&#039;m going to lay low for the next few weeks. Get back into a routine of taking care of myself first. Writing the manifesto that accompanies my new Happyness content (&lt;a href=&quot;http://www.csoonline.com/article/506576/7_Ways_to_Stay_Happy_in_a_Miserable_Profession&quot; target=&quot;_blank&quot;&gt;Bill Brenner of CSO did a piece on the talk&lt;/a&gt;). Talking to old friends and plotting my next move.&lt;br /&gt;
&lt;br /&gt;
So that was a long winded way of saying: INCITE RIDES AGAIN on November 30.&lt;br /&gt;
&lt;br /&gt;
It&#039;s good to be home.
&lt;/p&gt;
&lt;p&gt;
&lt;small&gt;Photo credit: &amp;quot;Hi-Yo, Silver!&amp;quot; originally uploaded by &lt;a href=&quot;http://www.flickr.com/photos/roscoe/399355515/&quot; target=&quot;_blank&quot;&gt;arellis49&lt;/a&gt; &lt;/small&gt;
&lt;/p&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/incite-rides-again#comments</comments>
 <category domain="http://securityincite.com/news/si-announcements">SI Announcements</category>
 <pubDate>Tue, 17 Nov 2009 07:14:05 -0600</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1093 at http://securityincite.com</guid>
</item>
<item>
 <title>Pragmatic CSO Bootcamp #2 (and book discount offer)</title>
 <link>http://securityincite.com/blog/mike-rothman/pragmatic-cso-bootcamp-2-and-book-discount-offer</link>
 <description>&lt;p&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/P-CSO-Weekly-banner.jpg&quot; style=&quot;width: 400px; height: 69px&quot; alt=&quot;Pragmatic CSO Weekly&quot; /&gt;
&lt;/p&gt;
&lt;div id=&quot;leftcontent&quot;&gt;
&lt;h1&gt;October 7, 2009 - Bootcamp #2 &lt;/h1&gt;
&lt;p&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/MSR-black-HS-small.jpg&quot; style=&quot;width: 104px; height: 137px; float: left&quot; alt=&quot;Mike Rothman&quot; hspace=&quot;10&quot; /&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Mike&#039;s
Pep Talk:&lt;/span&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;p&gt;
&amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;It would be
better if you begin to teach others only after you yourself have
learned something.&lt;/span&gt;&amp;quot;&lt;br /&gt;
-- Albert Einstein
&lt;/p&gt;
&lt;p&gt;
I am a fortunate guy. The journey I&#039;m on continues to amaze
and astound me. I viewed The Pragmatic CSO as my opportunity to give a
little back based on all of the great people that have taught me the
ropes through the years. Though I&#039;ve been pretty much silent over the past year on P-CSO activities, I still like to give back and when the opportunity presents itself to
give folks that haven&#039;t been exposed another chance to get
Pragmatic.
&lt;/p&gt;
&lt;p&gt;
Once again, I&#039;m happy to partner with the folks at the &lt;a href=&quot;http://www.businessofsecurity.com/index.htm&quot; target=&quot;_blank&quot;&gt;Business of Security site&lt;/a&gt; to run a
series of webcasts and virtual&lt;img src=&quot;http://www.pragmaticcso.com/Images/army-bootcamp.jpg&quot; style=&quot;border: 0px solid ; width: 240px; height: 139px; float: right&quot; alt=&quot;You&#039;re in the army now...&quot; vspace=&quot;15&quot; hspace=&quot;15&quot; /&gt; peer group sessions to run
folks through the boot camp I put together a few years ago. In this kind of
economic environment, it&#039;s all the more critical that every security
professional be focused on adding value and selling the benefits of
security. Being Pragmatic is certainly a time-proven method of doing
that.
&lt;/p&gt;
&lt;p&gt;
The first session doesn&#039;t cost anything and will be held this Tuesday via webcast. I&#039;ll run through the P-CSO process and then dive into the first section of the P-CSO - &amp;quot;Plan to be
Pragmatic.&amp;quot;&lt;span style=&quot;font-family: verdana&quot;&gt; I&#039;ll also go into the beginning of Section 2 - &amp;quot;Building Your Pragmatic Security Environment.&amp;quot;&lt;br /&gt;
&lt;/span&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;span style=&quot;font-family: verdana&quot;&gt;Even better,
through the generosity of the Business of Security folks (and my
employer, &lt;a href=&quot;http://www.eiqnetworks.com&quot; target=&quot;_blank&quot;&gt;eIQ&lt;/a&gt;) I&#039;m able to offer attendees
to the session a &lt;span style=&quot;font-weight: bold&quot;&gt;50%
discount&lt;/span&gt; on the book and/or PDF. But to get the discount,
you&#039;ll need a special discount code that will be provided during the session. &lt;/span&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;span style=&quot;font-family: verdana&quot;&gt;SO, if you&#039;ve
been waiting for the price of the P-CSO to come down - this is your
chance.&lt;/span&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;span style=&quot;font-family: verdana&quot;&gt;There will
also be a special discount for folks that want to participate in the
follow-on sessions when I present the rest of the boot camp. More details will be available during the session.
&lt;/span&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;span style=&quot;font-family: verdana&quot;&gt;Here is the
link to the &lt;a href=&quot;http://www.businessofsecurity.com/ThePragmaticCSO.htm&quot; target=&quot;_blank&quot;&gt;registration page&lt;/a&gt;. I hope to see
you on Tuesday.&lt;/span&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;small&gt;&lt;span style=&quot;font-family: verdana&quot;&gt;Photo
credit: &lt;a href=&quot;http://www.flickr.com/photos/soldiersmediacenter/1542160137/&quot; target=&quot;_blank&quot;&gt;Army.mil&lt;/a&gt;&lt;/span&gt;&lt;/small&gt;
&lt;/p&gt;
&lt;/div&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/pragmatic-cso-bootcamp-2-and-book-discount-offer#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/p-cso-weekly">P-CSO Weekly</category>
 <category domain="http://securityincite.com/news/si-announcements">SI Announcements</category>
 <pubDate>Wed, 07 Oct 2009 15:34:11 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1092 at http://securityincite.com</guid>
</item>
<item>
 <title>The Daily Incite - 8/24/09 - Difficult People</title>
 <link>http://securityincite.com/blog/mike-rothman/the-daily-incite-8-24-09-difficult-people</link>
 <description>&lt;div style=&quot;text-align: center&quot; id=&quot;topcontent&quot;&gt;
&lt;img src=&quot;http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg&quot; style=&quot;width: 448px; height: 107px&quot; alt=&quot;Today&#039;s Daily Incite&quot; /&gt;
&lt;/div&gt;
&lt;div style=&quot;font-size: 10pt; font-family: Arial&quot; id=&quot;leftcontent&quot;&gt;
&lt;h2&gt;August 24, 2009 - Volume 4, #33 &lt;/h2&gt;
Good Morning: &lt;br /&gt;
We start school pretty early in the South. Today is the beginning of
the third week of school for the rats. They are getting into the
schedule a bit, though getting up at 6:30 AM is probably something
they&#039;ll never get used to. By Thursday, the boy is complaining about
wanting to get back in bed. After telling him about 20 times that it&#039;s
not an option, he&#039;ll begrudgingly put on his clothes and sulk through
the rest of the morning ritual. Thank the heavens for GoGurt, since
that seems to be something the kids like in the AM. We freeze them, and
it keeps them occupied and not bitching. &lt;br /&gt;
&lt;p&gt;
&lt;a href=&quot;http://www.iphonesavior.com/images/2008/07/18/iphone_app_store_addiction.jpg&quot;&gt;&lt;img src=&quot;http://www.pragmaticcso.com/Images/difficult_people.jpg&quot; alt=&quot;How about using a bat? That works great....&quot; style=&quot;border: 0px solid ; width: 180px; height: 240px; float: right&quot; vspace=&quot;10&quot; hspace=&quot;10&quot; /&gt;&lt;/a&gt;But as with
everything else, life would be a lot easier if we didn&#039;t have to deal
with people. That&#039;s a big part of the reason I work remotely, and how
in a perfect world, I wouldn&#039;t have to deal with people much at all.
Between ATMs and Pay at the Pump, I don&#039;t really have to interact with
anyone. Which is a good thing for all involved. Yet, for the kids,
being as anti-social as their old man is not an option. Nor should it
be.&lt;br /&gt;
&lt;br /&gt;
The big lesson this year is how to deal with difficult people. We all
know them, we all try to avoid them, but sometimes that isn&#039;t an option
and it creates angst. Especially for a high-strung Dad, who doesn&#039;t
like anyone giving his kids a hard time. It&#039;s a teaching
opportunity, but the real question is what to teach.&lt;br /&gt;
&lt;br /&gt;
Of course, my first instinct is to teach them how to wield a bat most
effectively to create the most pain, while leaving the fewest marks.
That is a time-tested means in dealing with difficult people, and they
usually cause very few problems after a date with Mr. Easton. But
that&#039;s probably not the best approach for kids today, especially given
the litigious nature of most folks. So I guess we need to scratch that
approach off the list.&lt;br /&gt;
&lt;br /&gt;
Next is what I&#039;ll call the &amp;quot;biting sarcasm&amp;quot; approach. Basically, slice
the difficult person into little pieces verbally and make them question
their value in society. Yep, I&#039;ve used that one before pretty
effectively, but it does require some verbal sparring skill, a quick
wit and an adversary that understands you are calling them an idiot.
Again, this may not be the best approach for my young kids. As they get
older, we&#039;ll have more success with this method, but not quite yet. &lt;br /&gt;
&lt;br /&gt;
Of course, neither of these will win me a Parent of the Year award. The
point is really to teach the kids to be better than that. To face down
the difficulty and handle it with elegance and grace. To call out the
person, make it clear to them they are not being nice, and then ignore
them. And do that time and time again because difficult people rarely
stop until they get a rise out of you. So we have to constantly
reinforce and coach the kids to not take the bait. Don&#039;t let them see
their words bother you. Don&#039;t give them the satisfaction. 
&lt;/p&gt;
&lt;p&gt;
Though I still have a lot of work to do in my own right, this
is what we work on with the kids almost daily. Not only with external
folks, but this skill is important for inter-family dynamics. At any
given time, one of the kids is being difficult. So these are skills
they need and trying to raise kids better than myself is certainly a
goal.&lt;br /&gt;
&lt;/p&gt;
Of course, I still maintain my &amp;quot;people to kill today&amp;quot; list and am sure
to put these difficult kids on it. I guess old habits are hard to
break. Have a
great day. &lt;br /&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;How
to Cope with DIFFICULT PEOPLE&lt;/span&gt;&amp;quot; originally uploaded
by &lt;a href=&quot;http://www.flickr.com/photos/benterrett/3127971140/&quot; target=&quot;_blank&quot;&gt;benterrett&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Technorati: &lt;a href=&quot;http://technorati.com/tag/information%20security&quot; target=&quot;_blank&quot; rel=&quot;tag&quot;&gt;Information
Security&lt;/a&gt;, &lt;a href=&quot;http://technorati.com/tag/CSO&quot; rel=&quot;tag&quot;&gt;CSO&lt;/a&gt;&lt;/small&gt;,
&lt;small&gt;&lt;a href=&quot;http://www.technorati.com/tag/Security%20Mike&quot; target=&quot;_blank&quot; rel=&quot;tag&quot;&gt;Security
Mike&lt;/a&gt;, &lt;a href=&quot;http://www.technorati.com/tag/Internet%20Security&quot; target=&quot;_blank&quot; rel=&quot;tag&quot;&gt;Internet
Security&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;table style=&quot;width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto&quot; border=&quot;0&quot; cellpadding=&quot;5&quot; cellspacing=&quot;2&quot;&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td style=&quot;text-align: center; width: 208px&quot;&gt;&lt;a href=&quot;http://www.pragmaticcso.com&quot;&gt;&lt;img src=&quot;http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg&quot; alt=&quot;The Pragmatic CSO&quot; style=&quot;border: 0px solid ; width: 170px; height: 259px&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;The
			Pragmatic CSO: &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;Available Now! &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;Read the Intro and
			Get &lt;/span&gt;&lt;br style=&quot;font-weight: bold&quot; /&gt;
			&lt;span style=&quot;font-weight: bold&quot;&gt;&amp;quot;5 Tips to be a
			Better CSO&amp;quot;&lt;/span&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;a href=&quot;http://www.pragmaticcso.com/&quot; target=&quot;_blank&quot; style=&quot;font-weight: bold&quot;&gt;www.pragmaticcso.com&lt;/a&gt;&lt;br /&gt;
			&lt;/td&gt;
			&lt;td style=&quot;text-align: center&quot;&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;&lt;big&gt;&lt;big&gt;&lt;big&gt;Follow
			me on Twitter:&lt;span style=&quot;text-decoration: underline&quot;&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;/span&gt;&lt;a href=&quot;http://www.twitter.com/securityincite&quot; target=&quot;_blank&quot;&gt;@securityincite&lt;/a&gt;&lt;/big&gt;&lt;/big&gt;&lt;/big&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;img src=&quot;http://www.pragmaticcso.com/Images/twitter-logo.jpg&quot; style=&quot;width: 225px; height: 82px&quot; alt=&quot;Twitter&quot; /&gt;&lt;br /&gt;
			&lt;br /&gt;
			I&#039;m not sure where I&#039;m going, but I&#039;ll get there in 140 characters - or
			less...&lt;/span&gt;&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
Candidly, it&#039;s been a slow summer for security news. I guess it usually
is, but this summer seems even slower. There is a lot of activity on
Twitter, at least in terms of good productive dialog, but I can&#039;t get
confused between discussions on Twitter and what is happening in the
real world. Sometimes we get myopic and think that because you have a
good discussion with some smart people, the rest of the world is
following along. They are not.&lt;br /&gt;
&lt;br /&gt;
So we&#039;ve seen some news about the retailer breaches, and per usual, it
was an unsophisticated attack executed well. Fortinet filed papers for
an IPO, so there is hope a number of companies can gain exit velocity
and show security is a thriving industry. Yet, the conversations I&#039;m
having with most folks are still about relevance. Everyone knows they
are being attacked and breaches are happening. But we are still
fighting to overcome the reality that senior management wants to spend
the least amount possible on security.&lt;br /&gt;
&lt;br /&gt;
Right, just like insurance. I&#039;ve mentioned this before, but in reality
we&#039;ve got to sell security like we sell insurance. A candid assessment
of what can kill you, and then a set of options for how much an
organization will pay to mitigate those risks. All the while,
understanding that there is no panacea and you can still get hit by a
truck (or a SQL injection attack) regardless of how much you spend. OK,
off soapbox and onto what (little) I&#039;m seeing out there.&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Living with
	Awareness&lt;/span&gt; - No I&#039;m not going on a Buddha-tinged rampage
	(irony intentional), I&#039;m pointing to a post from &lt;a href=&quot;http://taosecurity.blogspot.com/2009/06/digital-situational-awareness-methods.html&quot; target=&quot;_blank&quot;&gt;Bejtlich regarding Digital Situational
	Awareness&lt;/a&gt;. At my day job, there are a lot of cycles focused
	on protecting against cyber-attacks and of course, the term du jour for
	that is &amp;quot;situational awareness,&amp;quot; which my pea brain interprets as
	security posture. Anyhow, Richard describes a number of levels of how
	aware you are of your security posture - ranging from waiting until
	your credit brand informs you of a breach to proactive intelligence
	gathering to determine who is targeting you and how. Most are within
	the first three buckets (external notification, vulnerability
	assessment, penetration testing) and that may be OK, depending on what
	you are protecting. But knowing where you&#039;re not is always an important
	thing to realize.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;The User
	Frustration Metric &lt;/span&gt;- Security is a trade-off, it&#039;s as
	simple as that. We all know that, but we forget because we are mired in
	the day to day battles and the politics and the futility. The safest
	device is one not connected to anything. Alex, whose rural existence is
	giving him lots of time to think, comes up with something that is
	pretty interesting. &lt;a href=&quot;http://newschoolsecurity.com/2009/08/quantitative-analysis-of-web-application-usefulness-or-why-your-rosi-is-wrong/&quot; target=&quot;_blank&quot;&gt;The user frustration metric.&lt;/a&gt; Yup,
	a lot of folks go around security controls because it frustrates them,
	so if we measure that frustration and then use it as an input into our
	cost-benefit analysis, we&#039;d get some interesting results, no? Of
	course, really measuring this is hard (and probably not worth the
	effort), BUT it is a good line of thinking to understand if any new
	security controls we&#039;re implementing are worth the effort or whether they
	will cause more misery and suffering.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;ConSentry buh
	bye &lt;/span&gt;- Yup, another start-up goes down. Actually I&#039;m
	surprised we don&#039;t see more investors pulling the plug on companies
	going nowhere fast. Of course, knowing folks at ConSentry, it&#039;s always
	sad. But all the same, statistics are statistics. Not all companies
	work. Here is &lt;a href=&quot;http://www.networkworld.com/news/2009/082009-consentry-folds.html&quot; target=&quot;_blank&quot;&gt;the NWW coverage of ConSentry&#039;s demise&lt;/a&gt;.
	But more interestingly &lt;a href=&quot;http://www.stillsecureafteralltheseyears.com/ashimmy/2009/08/one-up-one-down-are-reports-of-consentrys-demise-premature.html&quot; target=&quot;_blank&quot;&gt;Shimmy does a good obit for Inline NAC&lt;/a&gt;,
	and also &lt;a href=&quot;http://www.stillsecureafteralltheseyears.com/ashimmy/2009/08/knock-nac-knack-for-nac-who-gives-a-nac.html&quot; target=&quot;_blank&quot;&gt;a bit more analysis of NAC&lt;/a&gt;
	pointing to a piece from &lt;a href=&quot;http://blogs.gartner.com/john_pescatore/2009/08/21/nac-is-a-knack/&quot; target=&quot;_blank&quot;&gt;John Pescatore on some of the more
	compelling use cases for the technology&lt;/a&gt;. As I&#039;ve long said,
	NAC is a feature and really should be embedded within the network.
	That&#039;s happening slowly and provides a short term opportunity for the
	out-of-band flavor of NAC, until switches go through another
	generational update.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Fighting the
	AppSec fight&lt;/span&gt; - Big J continues to try to help security
	folks understand how to position an application security program within
	their own organizations. Of course, many of us know why it&#039;s important
	to write code securely, but when you have compliance mandates and years
	of conditioning that putting a widget in front of whatever you want to
	protect will work - there is precious little incentive to do the hard
	work of secure coding. &lt;a href=&quot;http://jeremiahgrossman.blogspot.com/2009/08/overcoming-objections-to-application.html&quot; target=&quot;_blank&quot;&gt;Jeremiah does a nice role play in surfacing
	and then discussing many of the objections&lt;/a&gt; developers bring
	forward, mostly around not my problem, it&#039;s the security guy&#039;s issue.
	Which it is, but selling the benefits of doing it right the first time
	is still way too hard.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;MSS hits the
	tipping point&lt;/span&gt; - Andreas from Nemertes uses &lt;a href=&quot;http://www.networkworld.com/columnists/2009/081909antonopoulos.html&quot; target=&quot;_blank&quot;&gt;his NetworkWorld column to highlight some
	research showing security services gaining adoption&lt;/a&gt;. I can
	say &lt;a href=&quot;http://www.eiqnetworks.com&quot; target=&quot;_blank&quot;&gt;my
	overlords&lt;/a&gt; are seeing a similar trend. As the economy has
	tightened, a lot more folks are suspending their disbelief about who
	should be monitoring what and looking to outsource things not core to
	their operations. To be clear, managed security services are not always
	cheaper (especially in the long run), but there is a cost to staffing
	and buying the tools for a SOC, so it&#039;s certainly something every
	organization should consider. A real concern is that 40% of the
	benchmark claim their outsourcing engagement is NOT a success. The key
	is to scope effectively and manage the crap out of the service provider.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Your
	auditor hates you too&lt;/span&gt; - One of my favorite posts is from &lt;a href=&quot;http://www.securitycatalyst.com/the-auditors-prerogative/&quot; target=&quot;_blank&quot;&gt;Jeff Kirsch, who unabashedly lets you know
	that auditors are onto your game&lt;/a&gt;, know you are lying to them,
	and don&#039;t like you too much either. Seriously, part of the P-CSO
	process is to treat an auditor like a peer. Lying to them and making
	things hard for them to do their job is not the path to success. Read
	the post, laugh a bit and then take the message to heart: &amp;quot;&lt;span style=&quot;font-style: italic&quot;&gt;Having a good relationship with
	your auditor does not mean you have to be friends, but it does mean you
	need to find common ground to share trust.&lt;/span&gt;&amp;quot; Amen to that.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;The impact of
	the social networked generation&lt;/span&gt; - Pescatore, who&#039;s been
	busy blogging, brings up a good point that we in the protection game
	need to stay focused on. Namely, &lt;a href=&quot;http://blogs.gartner.com/john_pescatore/2009/08/19/what-does-the-college-class-of-2013-think-about-security/&quot; target=&quot;_blank&quot;&gt;the impact of this new generation of
	socially networked kids&lt;/a&gt; that will be entering the workforce
	over the next 4 years or so. These are kids that don&#039;t think twice
	about posting pictures of them (or their friends) hurling into a bucket
	or passed out by the porcelain god or doing other similar stuff that is
	funny at the time, but doesn&#039;t bode well for your security clearance.
	These folks think differently than us old timers, and that means our
	protection strategies need to evolve. Just like trying to gain the
	&amp;quot;attacker&#039;s mindset,&amp;quot; we also need to understand the mindset of the
	next generation to understand how they are going to undermine our
	security best laid plans.&lt;/li&gt;
	&lt;li&gt;&lt;span style=&quot;font-weight: bold&quot;&gt;Measurement
	gets back to managing expectations&lt;/span&gt; - I guess we&#039;ll always
	be doing this push and pull between doing things, measuring them, and
	then telling someone else what we are up to. &lt;a href=&quot;http://www.andyitguy.com/blog/?p=791&quot; target=&quot;_blank&quot;&gt;AndyITGuy
	riffs off a Grumpy Pete concept of whether we can even measure security&lt;/a&gt;.
	Andy believes we can, but it gets back to communicating not just what
	the senior folks want to see (you know, the things that impact their
	bonus) rather all the stuff we do. In concept, that is nice, but in
	reality they don&#039;t care. So WE measure operational stuff, not because
	the senior folks care, but because we need that data to improve our own
	house. The things they care about (incident response, loss numbers,
	attack trends) are about THEM (and their bonus), so we have to
	understand (and not take personally) the reality that they don&#039;t care
	about our metrics. &lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-8-24-09-difficult-people#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Mon, 24 Aug 2009 08:36:15 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1091 at http://securityincite.com</guid>
</item>
<item>
 <title>Appearance on the Ranting Roundtable, PCI Edition</title>
 <link>http://securityincite.com/blog/mike-rothman/appearance-on-the-ranting-roundtable-pci-edition</link>
 <description>&lt;p&gt;
&lt;img src=&quot;http://www.pragmaticcso.com/Images/big-mouth.jpg&quot; align=&quot;left&quot; height=&quot;160&quot; hspace=&quot;10&quot; vspace=&quot;10&quot; width=&quot;240&quot; /&gt;I was flattered to be invited by Rich Mogull of Securosis for the maiden voyage of the Ranting Roundtable. Basically this is a bunch of loudmouths, who need to yell and now we finally have an outlet. We didn&#039;t yell at each other (too much), use profanity (too much), abuse goats (too much) or delve into various circle jerks about the futility of our chosen profession (too much). OK, we did do the latter quite a bit, but that goes with the territory. 
&lt;/p&gt;
&lt;p&gt;
Amazingly enough, we kept the pace moving for 50 minutes or so and actually were more constructive than I hoped, since I figured with the topic of PCI, we&#039;d just descend into useless chatter, Heartland hating, and get mired in a cesspool of futility.
&lt;/p&gt;
&lt;p&gt;
But we didn&#039;t, so enjoy. Here is &lt;a href=&quot;http://securosis.com/blog/the-ranting-roundtable-pci-edition/&quot; target=&quot;_blank&quot;&gt;Rich&#039;s write-up&lt;/a&gt; and the link.
&lt;/p&gt;
&lt;blockquote&gt;
	&lt;div class=&quot;entry&quot;&gt;
	&lt;div class=&quot;entry-title&quot;&gt;
	&lt;h1&gt;The Ranting Roundtable, PCI Edition&lt;/h1&gt;
	&lt;/div&gt;
	&lt;p&gt;
	Sometimes you just need to let it all out.
	&lt;/p&gt;
	&lt;p&gt;
	With all the recent events around breaches and PCI, I thought it
	might be cathartic to pull together a few of our favorite loudmouths
	and spend a little time in a no-rules roundtable. There&#039;s a little bad
	language, a bit of ranting, and a little more productive discussion
	than I intended.
	&lt;/p&gt;
	&lt;p&gt;
	Joining me were Mike Rothman, Alex Hutton, Nick Selby, and Josh Corman. It runs about 50 minutes, and we mostly focus on PCI.
	&lt;/p&gt;
	&lt;p&gt;
	&lt;a href=&quot;http://media.libsyn.com/media/mckeay/RantingRoundtable-08202009.mp3&quot; target=&quot;_blank&quot;&gt;The Ranting Roundtable, PCI&lt;/a&gt;.
	&lt;/p&gt;
	&lt;p&gt;
	Odds are we&#039;ll do more of these in the future. Even if you don&#039;t like them, they&#039;re fun for us.
	&lt;/p&gt;
	&lt;p&gt;
	&lt;i&gt;No goats were harmed in the making of this podcast.&lt;/i&gt;
	&lt;/p&gt;
	&lt;p&gt;
	—Rich
	&lt;/p&gt;
	&lt;/div&gt;
&lt;/blockquote&gt;
&lt;div class=&quot;entry&quot;&gt;
&lt;p&gt;
&lt;small&gt;Photo credit: &amp;quot;Big Mouth&amp;quot; originally uploaded by &lt;a href=&quot;http://www.flickr.com/photos/upchuck_norris/3359968510/&quot; target=&quot;_blank&quot;&gt;upchuck_Norris&lt;/a&gt;. &lt;br /&gt;
Any likeness of the picture to anyone on the panel is purely coincidental. OK, not really. 
&lt;/small&gt;
&lt;/p&gt;
&lt;/div&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/appearance-on-the-ranting-roundtable-pci-edition#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/pci">PCI</category>
 <category domain="http://securityincite.com/security-incite-rants/podcasts">Podcasts</category>
 <category domain="http://securityincite.com/security-incite-rants/securosis">Securosis</category>
 <pubDate>Fri, 21 Aug 2009 09:37:04 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1090 at http://securityincite.com</guid>
</item>
</channel>
</rss>
