The Daily Incite – 12/15/09 – Finding the Path

Today's Daily Incite

December 15, 2009 – Volume 4, #39

Good Morning:
When I announced that I was getting back into the analyst game,
the post was surprisingly well received. There were a number of aspects
that seemed to resonate with you folks (at least that’s how it seemed
from all the well wishes and emails I received). But no statement got
as much feedback as this one:

see, life is a journey and I’m finally starting to realize that there
is no right path or wrong path. There is only the path.

You are programmed to follow this path...
Lots of folks are trying
to find that path. Maybe they are not happy in their current gig. Maybe
they think they should be doing more. Maybe they just went through a
job transition and it’s not everything they thought it would be. It
could be anything, but the only thing everyone seemed to have in common
was that they thought they were on the wrong path and wanted to know
how to get onto the right path.

The short answer is that I have NO idea. Zero, zilch, not a clue. The
direction I’m going feels right. I think it’s right. Remember
that I’m an analyst, so I’m trained to critically look at every plan and
poke holes in it. I can certainly find holes in my current plans, but
I’m comfortable with those holes and the risks they entail.

But at the end of the day, I don’t know if this is the right
move for me. Truth be told, I don’t think it matters. That’s the entire
point of the statement above. Regardless of the outcome, it’s really
the process that matters. To use a trite self-help moniker: It really
is about the journey.

The Boss got me a shirt from Life is Good for my birthday. It
says "The Journey IS the Destination." And I think that’s right. We are
all very focused on achieving something. From the time we were little,
we’ve been focused on following that yellow brick road to get to
Emerald City. It’s a programmed response. Yet when we get there,
inevitably you wonder if it was worth the blood, the sweat, the tears.
And if you don’t get there, you wonder what’s the matter with you? Why
can’t you get there?

Gosh, just writing the post is making me tired. Tired of trying to live
up to my unrealistic expectations. Tired of being dissatisfied with all
I’ve accomplished. Tired of applying someone else’s definition of
success to my situation. So I’m doing my best to stop that. And I’m
also doing my best to counsel other folks of the dangers of that
mentality. I spent most of my 30’s fat and angry. All the stress took a
real physical toll on me, and if you identify with my sentiments, then
it’s taking a toll on you too. 

It’s not easy to turn off a lifetime of programming,
especially when your management, mentors, family, and most everyone
else expects you to do something. To achieve something. To make them
proud. That’s why blazing my own trail makes the most sense right now.
I’m only gated by my own expectations, not everyone else’s. I know that’s
not an option for everyone, but beating to your own drum certainly is.

And to be honest, I like the sound of my own drum. Have a
great day.

Photo: "follow the yellow brick road" originally uploaded by ittybittiesforyou


Incite 4 U

  1. WAF hits the
    – Akamai introduced the first of the "cloud-based" WAF offerings
    yesterday. OK, maybe the first. Basically it’s a managed web
    application firewall (WAF) service. I suspect there are other service
    providers that will provision and manage a WAF for customers. But this
    is the first that is pushing the "cloud" halo and thus will get the
    press benefits of announcing a shiny object. The service is based on
    ModSecurity and it’s interesting how Akamai is talking about
    "instantaneous scaling of defenses," which is good for whatever
    hardware vendor they are using to build out the service.
  2. FISMA
    metrics, vendors start your engines
    – Looks like the Feds
    are getting more serious about cyber-security. That is, if you think
    spending a bunch of money on a bunch of products that likely will have
    little impact on true security is getting more serious. There is a set of "FISMA metrics" in process
    that includes mostly yes/no answers and then some level of detail on things
    like asset management, connection management, incident management, etc.
    Most interesting is the need to provide "real time security status and
    management," which is basically SIEM. But here’s the rub: There is a
    difference between having data and USING DATA. I guess you can’t really
    use data until you have it, but I just worry a lot of agencies will
    spend a lot of money and be in exactly the same spot 3 years from now.
    But at least a bunch of security vendors will make a lot of money.
  3. Know what
    you’re looking for…
    – David Mortman has an interesting
    post on the New School site pushing us to realize that Less is More. In this case, he’s
    talking about IPS signatures, in that if you have a good understanding
    of your network, then you should be able to put rules in place to focus
    on abnormal activity (as opposed to checking for everything). I’ve
    always been a big fan of anomaly-based security techniques and positive
    security models (like default deny on perimeter defenses) because it
    forces you to really understand how the network and technology assets
    are being used. Not just letting everything happen and hoping that you
    figure it out before the card brands inform you of the breach.
  4. Learning from
    someone else’s pain
    – The folks that screwed up the FAA
    network a few weeks ago are in a world of hurt. Yeah, when you knock
    down the network that controls flights for half the country, that is a
    bad day. But what can we learn to make sure this kind of thing doesn’t
    happen to you? That’s what the SearchSecurity folks did in this post
    and the tips are useful. Remember, usually it’s the physical layer, but
    a lot goes back to change management as well. Ultimately, things are
    going to happen (Murphy’s Law guarantees that), so you need to have
    better fault isolation and response mechanisms in place. If the system
    goes down for 15 minutes, that is bad. When it goes down for 5 hours,
    heads roll. Make sure it’s not your head.
  5. Monitoring
    the cloud is not up to us
    – Get ready for a lot of folks
    talking about how they will provide "visibility in the cloud." The
    folks at LogLogic are talking about this, but I’m not
    specifically picking on them since they aren’t the only one. Here’s the
    issue, the cloud provider doesn’t want you to know what is going on.
    They don’t want you monitoring networks or systems and will make it
    hard, if not impossible, for you to do that. So the idea of visibility
    at the lower levels of the cloud-resident stack is a load of crap. It’s
    really about understanding and monitoring the stuff you DO control, and
    that’s the application stack. So we are going to need to see some
    instrumentation and interesting correlation happening with application
    information (logs, performance, etc.) to have any chance of seeing into
    the cloud.
  6. Network
    Security getting smarter?
    – McAfee just made a series of
    announcements upgrading their network security devices
    with the underlying theme being increased intelligence. The idea is
    that Little Red sees a lot of stuff at the endpoint, device and network
    layer and can make sense of it to make each of their products
    "smarter." In concept it’s interesting, but realistically my jury is
    still out until there are demonstrable results that show protection is
    enhanced. More tactically, they’ve finally rebranded the Securify stuff
    as the T-series to provide some level
    of flow-based analysis and security. To be clear, folks like Sourcefire
    have had these pieces for quite a while. But the trend is the trend,
    intelligence is definitely making its way into all parts of the
    security stack.
  7. Life
    Management, Drucker-style
    – As you may have noticed, I’ve
    tried to find one interesting personal development post to add to each
    Incite. Today’s comes courtesy of WebWorkerDaily, who highlight a new book that delves into the great Peter
    Drucker’s thoughts on life management. We all knew he was a
    corporate management guru, but evidently he has some good stuff to say
    about managing your life as well. In a nutshell it’s about finding
    balance. That balance involves understanding your strengths, but also
    diversifying a bit. So the idea of having a parallel "career" or
    serious hobby is a good one. All work and no play makes Mikey a dull
    boy. I also like the idea of giving back and teaching/mentoring. If you
    are anything like me, you’ve screwed up a whole bunch of stuff through
    the years and others can benefit from that "experience."

*** This is a Security Bloggers Network syndicated blog from Mike Rothman's blog authored by Mike Rothman. Read the original post at:

Mike Rothman

Mike is a 25+-year security veteran, specializing in the sexy aspects of security, such as protecting networks and endpoints, security management, compliance and helping clients navigate a secure evolution to the cloud.