The Daily Incite - 12/15/09 - Finding the Path
December 15, 2009 - Volume 4, #39Good Morning:
When I announced that I was getting back into the analyst game, the post was surprisingly well received. There were a number of aspects that seemed to resonate with you folks (at least that's how it seemed from all the well wishes and emails I received). But no statement got as much feedback as this one:
Lots of folks are trying to find that path. Maybe they are not happy in their current gig. Maybe they think they should be doing more. Maybe they just went through a job transition and it's not everything they thought it would be. It could be anything, but the only thing everyone seemed to have in common was that they thought they were on the wrong path and wanted to know how to get onto the right path.
The short answer is that I have NO idea. Zero, zilch, not a clue. The direction I'm going feels right. I think it's right. Remember that I'm an analyst, so I'm trained to critical look at every plan and poke holes in it. I can certainly find holes in my current plans, but I'm comfortable with those holes and the risks they entail.
But at the end of the day, I don't know if this is the right move for me. Truth be told, I don't think it matters. That's the entire point of the statement above. Regardless of the outcome, it's really the process that matters. To use a trite self-help moniker: It really is about the journey.
The Boss got me a shirt from Life is Good for my birthday. It
says "The Journey IS the Destination." And I think that's right. We are
all very focused on achieving something. From the time we were little,
we've been focused on following that yellow brick road to get to
Emerald City. It's a programmed response. Yet when we get there,
inevitably you wonder if it was worth the blood, the sweat, the tears.
And if you don't get there, you wonder what's the matter with you? Why
can't you get there?
Gosh, just writing the post is making me tired. Tired of trying to live up to my unrealistic expectations. Tired of being dissatisfied with all I've accomplished. Tired of applying some one else's definition of success to my situation. So I'm doing my best to stop that. And I'm also doing my best to counsel other folks of the dangers of that mentality. I spent most of my 30's fat and angry. All the stress took a real physical toll on me, and if you identify with my sentiments, then it's taking a toll on you too.
It's not easy to turn off a lifetime of programming,
especially when your management, mentors, family, and most everyone
else expects you to do something. To achieve something. To make them
proud. That's why blazing my own trail makes the most sense right now.
I'm only gated by my own expectations, not everyone else's. I know that
not an option for everyone, but beating to your own drum certainly is.
And to be honest, I like the sound of my own drum. Have a great day.
The Pragmatic CSO:
Read the Intro and Get
"5 Tips to be a Better CSO"
me on Twitter:
I'm not sure where I'm going, but I'll get there in 140 characters - or less...
Incite 4 U
- WAF hits the clouds - Akamai introduced the first of the "cloud-based" WAF offerings yesterday. OK, maybe the first. Basically it's a managed web application firewall (WAF) service. I suspect there are other service providers that will provision and manage a WAF for customers. But this is the first that is pushing the "cloud" halo and thus will get the press benefits of announcing a shiny object. The service is based on ModSecurity and it's interesting how Akamai is talking about "instantaneous scaling of defenses," which is good for whatever hardware vendor they are using to build out the service.
- FISMA metrics, vendors start your engines - Looks like the Feds are getting more serious about cyber-security. That is, if you think spending a bunch of money on a bunch of products that likely will have little impact on true security is getting more serious. There is a set of "FISMA metrics" in process include mostly yes/no answers and then some level of detail on things like asset management, connection management, incident management, etc. Most interesting is the need to provide "real time security status and management," which is basically SIEM. But here's the rub: There is a difference between having data and USING DATA. I guess you can't really use data until you have it, but I just worry a lot of agencies will spend a lot of money and be in exactly the same spot 3 years from now. But at least a bunch of security vendors will make a lot of money.
- Know what you're looking for... - David Mortman has an interesting post on the New School site pushing us to realize that Less is More. In this case, he's talking about IPS signatures, in that if you have a good understanding of your network, then you should be able to put rules in place to focus on abnormal activity (as opposed to checking for everything). I've always been a big fan of anomaly-based security techniques and positive security models (like default deny on perimeter defenses) because it forces you to really understand how the network and technology assets are being used. Not just letting everything happen and hoping that you figure it out before the card brands inform you of the breach.
- Learning from someone else's pain - The folks that screwed up the FAA network a few weeks ago are in a world of hurt. Yeah, when you knock down the network that controls flights for half the country, that is a bad day. But what can we learn to make sure this kind of thing doesn't happen to you. That's what the SearchSecurity folks did in this post and the tips are useful. Remember, usually it's the physical layer, but a lot goes back to change management as well. Ultimately, things are going to happen (Murphy's Law guarantees that), so you need to have better fault isolation and response mechanisms in place. If the system goes down for 15 minutes, that is bad. When it goes down for 5 hours, heads roll. Make sure it's not your head.
- Monitoring the cloud is not up to us - Get ready for a lot of folks talking about how they will provide "visibility in the cloud." The folks at LogLogic are talking about this, but I'm not specifically picking on them since they aren't the only one. Here's the issue, the cloud provider doesn't want you to know what is going on. They don't want you monitoring networks or systems and will make it hard, if not impossible for you to do that. So the idea of visibility at the lower levels of the cloud-resident stack is a load of crap. It's really about understanding and monitoring the stuff you DO control, and that's the application stack. So we are going to need to see some instrumentation and interesting correlation happening with application information (logs, performance, etc.) to have any chance of seeing into the cloud.
- Network Security getting smarter? - McAfee just made a series of announcements upgrading their network security devices with the underlying theme being increased intelligence. The idea is that Little Red sees a lot of stuff at the endpoint, device and network layer and can make sense of it to make each of their products "smarter." In concept it's interesting, but realistically my jury is still out until there are demonstrable results that show protection is enhanced. More tactically, they've finally rebranded the Securify stuff as the T-series to provide some level of flow-based analysis and security. To be clear, folks like Sourcefire have had these pieces for quite a while. But the trend is the trend, intelligence is definitely making it's way into all parts of the security stack.
- Life Management, Drucker-style - As you may have noticed, I've tried to find one interesting personal development post to add to each Incite. Today's comes courtesy of WebWorkerDaily, who highlight a new book that delves into the great Peter Drucker's thoughts on life management. We all knew he was a corporate management guru, but evidently has some good stuff to say about managing your live as well. In a nutshell it's about finding balance. That balance involves understanding your strengths, but also diversifying a bit. So the idea of having a parallel "career" or serious hobby is a good one. All work and no play makes Mikey a dull boy. I also like the idea of giving back and teaching/mentoring. If you are anything like me, you've screwed up a whole bunch of stuff through the years and other can benefit from that "experience."