I discussed my love of exploring in the last Incite, and I have been fortunate to have time this summer to actually explore a bit. The first exploration was a family vacation to NYC. Well, kind of NYC. My Dad has a place on the Jersey shore, so we headed up there for a couple days and took day trips to New York City to do the tourist thing.
For a guy who grew up in the NY metro area, it’s a bit weird that I had never been to the Statue of Liberty. The twins studied the history of the Statue and Ellis Island this year in school, so I figured it was time. That was the first day trip, and we were fortunate to be accompanied by Dad and his wife, who spent a bunch of time in the archives trying to find our relatives who came to the US in the early 1900s. We got to tour the base of Lady Liberty’s pedestal, but I wasn’t on the ball enough to get tickets to climb up to the crown. There is always next time.
A few days later we went to the new World Trade Center. I hadn’t been to the new building yet and hadn’t seen the 9/11 memorial. The memorial was very well done, a powerful reminder of the resilience of NYC and its people. I made it a point to find the name of a fraternity brother who passed away in the attacks, and it gave me an opportunity to personalize the story for the kids. Then we headed up to the WTC observation deck. That really did put us on top of the world. It was a clear day and we could see for miles and miles and miles. The elevators were awesome, showing the skyline from 1850 to the present day as we rose 104 stories. It was an incredible effect, and the rest of the observation deck was well done. I highly recommend it for visitors to NY (and locals playing hooky for a day).
Then the kids went off to camp and I hit the road again. Rich was kind enough to invite me to spend the July 4th weekend in Boulder, where he was spending a few weeks over the summer with family. We ran a 4K race on July 4th, and drank what seemed to be our weight in beer (Avery Brewing FTW) afterwards. It was hot and I burned a lot of calories running, so the beer was OK for my waistline. That’s my story and I’m sticking to it.
The next day Rich took me on a ‘hike’. I had no idea what he meant until it was too late to turn back. We did a 2,600’ elevation change (or something like that) and summited Bear Peak. We ended up hiking about 8.5 miles in a bit over 5 hours. At one point I told Rich I was good, about 150’ from the summit (facing a challenging climb). He let me know I wasn’t good, and I needed to keep going. I’m glad he did because it was both awesome and inspiring to get to the top.
I’ve never really been the outdoorsy type, so this was way outside my comfort zone. But I pushed through. I got to the top, and as Rich told me would happen before the hike, everything became crystal clear. It was so peaceful. The climb made me appreciate how far I’ve come. I had a similar feeling when I crossed the starting line during my last half marathon. I reflected on how unlikely it was that I would be right there, right then. Unlikely according to both who I thought I was and what I thought I could achieve.
It turns out those limitations were in my own mind. Of my own making. And not real. So now I have been to the top of two different worlds, exploring and getting there via totally different paths. Those experiences provided totally different perspectives. All I know right now is that I don’t know. I don’t know what the future holds. I don’t know how many more hills I’ll climb or races I’ll run or businesses I’ll start or places I’ll live, or anything for that matter. But I do know it’s going to be very exciting and cool to find out.
Photo credits: “One World Trade Center Observatory (5)”, originally uploaded by Kai Brinker; and “Mike Selfie on top of Bear Peak”.
The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. It’s on YouTube. Take an hour and check it out. Your emails, alerts, and Twitter timeline will be there when you get back.
Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.
- July 13 – 
- May 26 – We Don’t Know Sh–. You Don’t Know Sh–
- May 4 – RSAC wrap-up. Same as it ever was.
- March 31 – Using RSA
- March 16 – Cyber Cash Cow
- March 2 – Cyber vs. Terror (yeah, we went there)
- February 16 – Cyber!!!
- February 9 – It’s Not My Fault!
- January 26 – 2015 Trends
- January 15 – Toddler
- December 18 – Predicting the Past
- November 25 – Numbness
- October 27 – It’s All in the Cloud
- October 6 – Hulk Bash
- September 16 – Apple Pay
- August 18 – You Can’t Handle the Gartner
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.
Threat Detection Evolution
Network-based Threat Detection
- Operationalizing Detection
- Prioritizing with Context
- Looking for Indicators
- Overcoming the Limits of Prevention
Network Security Gateway Evolution
Recently Published Papers
- Endpoint Defense: Essential Practices
- Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications
- Security and Privacy on the Encrypted Network
- Monitoring the Hybrid Cloud
- Best Practices for AWS Security
- Securing Enterprise Applications
- Secure Agile Development
- Trends in Data Centric Security
- Leveraging Threat Intelligence in Incident Response/Management
- The Future of Security
Incite 4 U
It takes a data scientist to know one: Data science is hot, hot, hot. Especially in security, where the new hotness is analytics to detect space alien attackers. And the data scientists have the keys to find them. Of course, then you actually have to hire these folks. And it’s not like when I ran marketing teams, and knew the jobs of my team as well as they did. So if you’re not a math person, how do you hire a math person? The good news is that one of my favorite math people, Jay Jacobs (now of BitSight) has listed 5 things to think about when hiring a data scientist. His first suggestion is to give them data and let them do their stuff. Which makes a huge amount of sense. That’s what I did for every job I interviewed for. I either prepared a research report or presentation, or built a marketing plan. You also need to ask questions (even if you think they are dumb questions), understand what they’ve done, and see if they can communicate the value of their efforts in business terms. Jay’s last point is the most critical. Data scientists are kind of like unicorns. If you hold out for the perfect one, you will be looking for a long time. As in every emerging field, you need to balance substance and experience with intelligence and drive, because the function will change and you will need your hires to grow along with it. – MR
Tortoise and Hare: Our own Dave Lewis’ recent post on Forbes – The Opportunity Presented By Shadow IT – mirrors a trend I am seeing with CISOs. Several CISOs I heard from during a recent panel said much the same thing. They had come to view rogue IT as an opportunity to learn. It showed them their users’ (their real customers’) pain points, and where resources should be allocated to address these issues. It showed the delta between IT-governed rollouts and rogue IT, and made very clear the cost differential between the two. Shadow IT showed where security controls went unnoticed, and which users fought or ignored/avoided ‘real’ IT altogether. Dave’s point that the rogue project put the company at risk is on the mark, but it should be clear that a lack of agility within IT – across all industries – is an issue which IT and operations teams need to work on. The status quo is not working. But that’s not news – the status quo has been broken for a long time. – AL
Sucking less at security operations: When I’m doing a talk, I usually get big laughs when I state the obvious: most organizations suck at security ops. Of course the laughs are a bit forced: “Is he talking about me?” Odds are I am, because security ops, like consistent patch and configuration management, is hard. Hygiene is not sexy, but neither is flossing your teeth. Until you lose all your teeth, as my dentist constantly reminds me. SecurityWeek ran a good reminder of the challenges of patching consistently a while ago. But it’s worth revisiting, especially given that almost every major software company has some kind of patching process for their stuff. Of course, as we enter cloud-based reality, patching and ops take on different connotations (and we have a lot to say about that), but for now you need to continue paying attention to the security ops side of the house. Which is a reminder that never gets old, mostly because we as an industry still can’t seem to figure it out. – MR
Bit Split Reduce: Homomorphic encryption is essentially encrypted data that you can still do real work with, including sorting and summing values. A recent Wired article, MIT’s Bitcoin-Inspired ‘Enigma’ Lets Computers Mine Encrypted Data discusses a new take. We have seen many of these claims in the past, including many variants which force cryptographic compromises to enable computation. And we’ve seen the real thing too, but only in laboratory experiments – the processing overhead is about 100k times higher than normal data processing, so not feasible for normal usage. The MIT team’s approach sounds like a combination of the ‘bitsplitting’ storage strategies used by some cloud providers to obfuscate customer data, and big data style distributed processing. With a big data MapReduce function, they use the reduce part to arrange or filter data, protecting its integrity by assigning each node tiny data elements that – on their own – are meaningless. In the aggregate they can produce real results. But the real question is “Is this secure?” Unfortunately I have no clue from the white paper, because security issues are more likely to pop up in practical application, rather than in general concepts. That said, statements like “Thanks to some mathematical tricks the Enigma creators implemented” make me very nervous… so the jury is still out, and will remain so until we have something we can test. – AL
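To make the two ideas in that item concrete, here is an added example (not code from the article, and not a reconstruction of the MIT team’s Enigma protocol). The first half is a toy Paillier scheme, the classic additively homomorphic cipher: multiplying two ciphertexts yields a ciphertext of the sum, which is exactly the “summing values while encrypted” property mentioned above. The second half is plain additive secret sharing, the general idea behind giving each node fragments that are uniformly random on their own but sum to the real answer in aggregate. The fixed Mersenne primes and the sample salary list are constructed for the demo; real Paillier keys use two random primes of at least 1024 bits each.

```python
"""Computing on protected data, two ways (illustrative only):
1) Paillier additive homomorphic encryption: Enc(a) * Enc(b) mod n^2 decrypts to a + b.
2) Additive secret sharing: each node holds shares that are uniformly random on
   their own; summing the nodes' partial sums recovers the total.
Toy parameters, no padding, no authentication; not a reference implementation
of any product or paper.
"""
import math
import secrets

# Toy Paillier key: two Mersenne primes fixed for the demo (assumption, not a
# real key). gcd(n, (p-1)(q-1)) == 1 holds for this pair.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # lcm(p-1, q-1)
G = N + 1                                              # standard generator choice
MU = pow(LAMBDA, -1, N)                                # with g = n+1, mu = lambda^-1 mod n


def paillier_encrypt(m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r, so equal plaintexts differ."""
    assert 0 <= m < N
    while True:
        r = secrets.randbelow(N)
        if r > 0 and math.gcd(r, N) == 1:
            break
    return (pow(G, m, N2) * pow(r, N, N2)) % N2


def paillier_decrypt(c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    x = pow(c, LAMBDA, N2)
    return ((x - 1) // N * MU) % N


def add_encrypted(c1: int, c2: int) -> int:
    """Homomorphic addition: Enc(a) * Enc(b) mod n^2 == Enc(a + b)."""
    return (c1 * c2) % N2


def scale_encrypted(c: int, k: int) -> int:
    """Homomorphic scalar multiply: Enc(a)^k mod n^2 == Enc(k * a)."""
    return pow(c, k, N2)


def encrypted_sum(values) -> int:
    """Sum plaintexts so the party doing the summing only ever sees ciphertexts."""
    total = paillier_encrypt(0)
    for v in values:
        total = add_encrypted(total, paillier_encrypt(v))
    return paillier_decrypt(total)


# --- Additive secret sharing across compute nodes ---------------------------
SHARE_MOD = 2**127 - 1  # prime field for the shares (Mersenne prime, demo choice)


def split_into_shares(value: int, nodes: int) -> list:
    """Split value into `nodes` shares summing to value mod SHARE_MOD.
    Any proper subset of the shares is uniformly random and reveals nothing."""
    shares = [secrets.randbelow(SHARE_MOD) for _ in range(nodes - 1)]
    shares.append((value - sum(shares)) % SHARE_MOD)
    return shares


def distributed_sum(values, nodes: int = 3) -> int:
    """Each node gets one share of every value, sums only what it holds, and
    publishes its partial sum. Combining the partials yields the true total
    (as long as the true total is below SHARE_MOD)."""
    per_node = [[] for _ in range(nodes)]
    for v in values:
        for i, share in enumerate(split_into_shares(v, nodes)):
            per_node[i].append(share)
    partials = [sum(held) % SHARE_MOD for held in per_node]  # local to each node
    return sum(partials) % SHARE_MOD


if __name__ == "__main__":
    salaries = [52_000, 61_500, 48_250, 70_000]  # constructed sample data
    print("Paillier sum:", encrypted_sum(salaries))
    print("Secret-shared sum:", distributed_sum(salaries))
```

Both primitives give you addition (and, for Paillier, multiplication by a known constant) and nothing more; the “sorting” case needs comparisons, which neither provides directly and which is where the heavy machinery, and the heavy overhead, of fuller schemes comes in. That gap between “sums work” and “general queries work” is a reasonable place to start when evaluating claims like the ones in the article.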
It’s bad. Trust me. Ever the contrarian, Shack goes after the ‘valuation in the wake of a breach’ bogeyman. A key message in most security vendor pitches is that breaches are bad for market cap. But what if that’s not really the case? What if the data shows that over time a breach can actually be good for business, if only to shine a spotlight on broken processes and force the business to be much more strategic and effective about how they do things? Like most transformation catalysts, it really sucks at the time. Anyone who has lived through a breach response and the associated public black eye knows it sucks. But if that results in positive change and a stronger company at the end of the process, maybe it’s not the worst thing. Nah, never mind. That’s crazy talk. What would all the vendors talk about if they couldn’t scare you with FUD? They’d actually have to address the fact that their products don’t help (for the most part). Oh, did I actually write that down? Oops. – MR