The Daily Incite – 12/15/09 – Finding the Path
December 15, 2009 – Volume 4, #39
Good Morning:
When I announced that I was getting back into the analyst game,
the post was surprisingly well received. There were a number of aspects
that seemed to resonate with you folks (at least that’s how it seemed
from all the well wishes and emails I received). But no statement got
as much feedback as this one:
see, life is a journey and I’m finally starting to realize that there
is no right path or wrong path. There is only the path.
Lots of folks are trying
to find that path. Maybe they are not happy in their current gig. Maybe
they think they should be doing more. Maybe they just went through a
job transition and it’s not everything they thought it would be. It
could be anything, but the only thing everyone seemed to have in common
was that they thought they were on the wrong path and wanted to know
how to get onto the right path.
The short answer is that I have NO idea. Zero, zilch, not a clue. The
direction I’m going feels right. I think it’s right. Remember
that I’m an analyst, so I’m trained to critically look at every plan and
poke holes in it. I can certainly find holes in my current plans, but
I’m comfortable with those holes and the risks they entail.
But at the end of the day, I don’t know if this is the right
move for me. Truth be told, I don’t think it matters. That’s the entire
point of the statement above. Regardless of the outcome, it’s really
the process that matters. To use a trite self-help moniker: It really
is about the journey.
The Boss got me a shirt from Life is Good for my birthday. It
says "The Journey IS the Destination." And I think that’s right. We are
all very focused on achieving something. From the time we were little,
we’ve been focused on following that yellow brick road to get to
Emerald City. It’s a programmed response. Yet when we get there,
inevitably you wonder if it was worth the blood, the sweat, the tears.
And if you don’t get there, you wonder what’s the matter with you? Why
can’t you get there?
Gosh, just writing the post is making me tired. Tired of trying to live
up to my unrealistic expectations. Tired of being dissatisfied with all
I’ve accomplished. Tired of applying someone else’s definition of
success to my situation. So I’m doing my best to stop that. And I’m
also doing my best to counsel other folks of the dangers of that
mentality. I spent most of my 30’s fat and angry. All the stress took a
real physical toll on me, and if you identify with my sentiments, then
it’s taking a toll on you too.
It’s not easy to turn off a lifetime of programming,
especially when your management, mentors, family, and most everyone
else expects you to do something. To achieve something. To make them
proud. That’s why blazing my own trail makes the most sense right now.
I’m only gated by my own expectations, not everyone else’s. I know that’s
not an option for everyone, but beating to your own drum certainly is.
And to be honest, I like the sound of my own drum. Have a
great day.
Photo: "follow the yellow brick road" originally uploaded by ittybittiesforyou
Incite 4 U
- WAF hits the clouds – Akamai introduced the first of the "cloud-based" WAF offerings yesterday. OK, maybe the first. Basically it’s a managed web application firewall (WAF) service. I suspect there are other service providers that will provision and manage a WAF for customers. But this is the first that is pushing the "cloud" halo and thus will get the press benefits of announcing a shiny object. The service is based on ModSecurity and it’s interesting how Akamai is talking about "instantaneous scaling of defenses," which is good for whatever hardware vendor they are using to build out the service.

- FISMA metrics, vendors start your engines – Looks like the Feds are getting more serious about cyber-security. That is, if you think spending a bunch of money on a bunch of products that likely will have little impact on true security is getting more serious. There is a set of "FISMA metrics" in process that include mostly yes/no answers and then some level of detail on things like asset management, connection management, incident management, etc. Most interesting is the need to provide "real time security status and management," which is basically SIEM. But here’s the rub: There is a difference between having data and USING DATA. I guess you can’t really use data until you have it, but I just worry a lot of agencies will spend a lot of money and be in exactly the same spot 3 years from now. But at least a bunch of security vendors will make a lot of money.

- Know what you’re looking for… – David Mortman has an interesting post on the New School site pushing us to realize that Less is More. In this case, he’s talking about IPS signatures, in that if you have a good understanding of your network, then you should be able to put rules in place to focus on abnormal activity (as opposed to checking for everything). I’ve always been a big fan of anomaly-based security techniques and positive security models (like default deny on perimeter defenses) because it forces you to really understand how the network and technology assets are being used. Not just letting everything happen and hoping that you figure it out before the card brands inform you of the breach.

- Learning from someone else’s pain – The folks that screwed up the FAA network a few weeks ago are in a world of hurt. Yeah, when you knock down the network that controls flights for half the country, that is a bad day. But what can we learn to make sure this kind of thing doesn’t happen to you? That’s what the SearchSecurity folks did in this post, and the tips are useful. Remember, usually it’s the physical layer, but a lot goes back to change management as well. Ultimately, things are going to happen (Murphy’s Law guarantees that), so you need to have better fault isolation and response mechanisms in place. If the system goes down for 15 minutes, that is bad. When it goes down for 5 hours, heads roll. Make sure it’s not your head.

- Monitoring the cloud is not up to us – Get ready for a lot of folks talking about how they will provide "visibility in the cloud." The folks at LogLogic are talking about this, but I’m not specifically picking on them since they aren’t the only one. Here’s the issue: the cloud provider doesn’t want you to know what is going on. They don’t want you monitoring networks or systems and will make it hard, if not impossible, for you to do that. So the idea of visibility at the lower levels of the cloud-resident stack is a load of crap. It’s really about understanding and monitoring the stuff you DO control, and that’s the application stack. So we are going to need to see some instrumentation and interesting correlation happening with application information (logs, performance, etc.) to have any chance of seeing into the cloud.

- Network Security getting smarter? – McAfee just made a series of announcements upgrading their network security devices with the underlying theme being increased intelligence. The idea is that Little Red sees a lot of stuff at the endpoint, device and network layer and can make sense of it to make each of their products "smarter." In concept it’s interesting, but realistically my jury is still out until there are demonstrable results that show protection is enhanced. More tactically, they’ve finally rebranded the Securify stuff as the T-series to provide some level of flow-based analysis and security. To be clear, folks like Sourcefire have had these pieces for quite a while. But the trend is the trend; intelligence is definitely making its way into all parts of the security stack.

- Life Management, Drucker-style – As you may have noticed, I’ve tried to find one interesting personal development post to add to each Incite. Today’s comes courtesy of WebWorkerDaily, which highlights a new book that delves into the great Peter Drucker’s thoughts on life management. We all knew he was a corporate management guru, but evidently he has some good stuff to say about managing your life as well. In a nutshell it’s about finding balance. That balance involves understanding your strengths, but also diversifying a bit. So the idea of having a parallel "career" or serious hobby is a good one. All work and no play makes Mikey a dull boy. I also like the idea of giving back and teaching/mentoring. If you are anything like me, you’ve screwed up a whole bunch of stuff through the years and others can benefit from that "experience."
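The "Know what you’re looking for" item above argues for a positive security model: describe what the network is supposed to do and treat everything else as abnormal, instead of matching every flow against a library of signatures. The following is an added illustration, not code from the original post or from David Mortman; the asset inventory, the allowed-flow policy and the flow log lines are all constructed sample data.

```python
"""Positive security model (default deny) over network flow records.

Added example, not from the original post. The ALLOWED policy and the
SAMPLE_FLOWS log lines below are constructed for illustration; in practice
the policy comes from your own asset inventory and traffic baseline.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# Constructed policy: (source network, destination network, dest port, proto).
# Anything that does not match a rule is abnormal by definition (default deny).
ALLOWED = [
    ("10.1.0.0/16", "10.2.0.10/32", 443, "tcp"),    # user LAN -> intranet web
    ("10.2.0.10/32", "10.2.0.20/32", 5432, "tcp"),  # web tier -> database
    ("10.0.0.0/8", "10.2.0.53/32", 53, "udp"),      # all internal hosts -> DNS
]


def allowed(flow: Flow) -> bool:
    """Return True only if some rule explicitly permits this flow."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for src_net, dst_net, port, proto in ALLOWED:
        if (src in ip_network(src_net) and dst in ip_network(dst_net)
                and flow.dport == port and flow.proto == proto):
            return True
    return False


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<src> <dst> <dport> <proto>'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def find_anomalies(lines):
    """Return every flow that no rule in ALLOWED accounts for."""
    return [f for f in map(parse_flow, lines) if not allowed(f)]


SAMPLE_FLOWS = [  # constructed flow log
    "10.1.4.7 10.2.0.10 443 tcp",     # expected: user to web
    "10.2.0.10 10.2.0.20 5432 tcp",   # expected: web to database
    "10.1.4.7 10.2.0.20 5432 tcp",    # abnormal: user straight to database
    "10.2.0.20 203.0.113.9 443 tcp",  # abnormal: database talking to the internet
    "10.1.9.3 10.2.0.53 53 udp",      # expected: DNS lookup
]

if __name__ == "__main__":
    for flow in find_anomalies(SAMPLE_FLOWS):
        print("ABNORMAL", flow)
```

The rule set is deliberately short; the point is that two out of five flows surface without any signature describing the attack, purely because nobody ever said those paths were supposed to exist.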
*** This is a Security Bloggers Network syndicated blog from Mike Rothman's blog authored by Mike Rothman. Read the original post at: http://securityincite.com/blog/mike-rothman/the-daily-incite-12-15-09-finding-the-path