The Daily Incite - 7/29/09 - Hobbling Old Man

Submitted by Mike Rothman on Wed, 2009-07-29 08:46.
Today's Daily Incite

July 29, 2009 - Volume 4, #32

Good Morning:
It sucks getting old. I know, I'm not that old, but things that I used to be able to do now cause bruises, strains and other maladies. This year I decided to start playing softball. It's pretty much an old guys' league, but I haven't played any kind of team sport for many, many years, and I figured it was time.
It sux getting old...
Yet someone should have told my legs that there isn't much of a difference between an hour on the treadmill and sprinting around the bases. Last Sunday's hammy pull was just the latest in a series of leg injuries. I've strained both quads multiple times. I'll be the one at Black Hat hobbling around like an 80-year-old guy.

Clearly I've got to rethink my off-season training regimen. Cardio is good, but I also need to add some leg strength training. I need to do sprints outside on the dirt, since sprinting on my front lawn doesn't approximate the texture of the field, and I think that has contributed a bit to my strains.

This kind of training will be as fun as a root canal. I've been lifting weights for over 20 years now and I've always hated legs. Squats make me puke (literally) and I'd rather have a pencil jammed into my ear repeatedly than do leg extensions and curls. But it's embarrassing to have guys bigger, older and in far worse shape getting around the bases with no problems.

I guess I could just stop playing. That's always an option. I could go back to my comfy old man workouts alternating elliptical, stationary bike and stair machine. I'd still be in decent shape and hopefully I'll never have to chase anyone or sprint to do anything. That is certainly an option.

Then I think about the example I'd be setting for my kids. If I gave up, they'd see that if something is hard, you can opt out. If it takes a bit of work, especially work you don't like to do, then move on to the next thing. As you can see, this isn't really an option - especially since my kids are the age where they are going to want to give up on their activities because it's getting harder.

Nope, their old man is going to man up, train the right way, and get back on the field next season. And leg out a few triples and maybe even homers for good measure.

Have a great day.


Photo: "tendinitis sucks ice - yo & dude" originally uploaded by erichews


Incite 4 U

I'm actually writing this week's Incite on my way to Vegas for Black Hat. This show is fun for me. I don't have to present or even take any vendor meetings, so I can go to the sessions that interest me. I'll also show up for the hallway track to catch up with friends and colleagues. My overlords are cool about letting me go to shows to expand my brain, and for anyone in a strategy role, you've got to get out into the world and see what's happening.

At Black Hat, I'll see a lot of cutting-edge stuff, and a lot of it will be irrelevant to what my customers are focused on right now. This year. But next year and the year after that, a lot of these emerging attacks will be commonplace and defensive strategies must evolve. And if guys like me (and everyone else attending the show) don't spend some time thinking about that, we don't have much of a chance to keep pace.

Of course, most could debate (rather successfully) that we don't have much of a chance to keep pace regardless of what we do, and they may be right. But I'm not willing to give in to defeatism. That's not productive for anyone, which brings me to the first snippet of the week...
  1. We are a bunch of grumpy bastards - You need to have a slightly different outlook to be able to do security. When the success criterion is that nothing happens, it's a bit of a bizarro reality. Many of the best security folks are borderline paranoid (OK, maybe not so borderline), cynical and angst-ridden. It seems those traits extend to the broad masses as well. Lee Kushner and Mike Murray did a survey and the numbers bear that out. 50% are unhappy, and we security folks make a pretty good living. I think we all need a time out. We've got to re-evaluate what success means and be much more realistic about what will make us happy. Yes, I have some ideas on that, and it seems it's time to write some of them down.
  2. Why do we even bother? - I've been sitting on a post from Ounce Labs' Jack Danahy about how we as a practice are perhaps setting the bar too low. Of course, Jack's shop announced they are being acquired by IBM yesterday, so he's probably dusting off his Big Blue suit right about now. Jack's point is that even though it's hard and we may not be successful, we have to keep trying. We have to demand better from our vendors, partners, and ourselves. He's right, to a point. You see we have to strike that delicate balance between wanting to do better and accepting better is not always possible. Maybe because of politics. Maybe because of stupid decisions. Maybe because we suck. Whatever the reason, I do think we have to keep fighting, but more importantly we have to accept that sometimes we will lose.
  3. When you are down, think different - In everything that we find very funny, there is usually more than a nugget of truth. So when I read Shrdlu's latest rant espousing a more "Zen"-like approach to security, I was howling. I know she was joking about a lot of this stuff, but I actually think this is the path to the answer. It's about accepting the ambiguity that dominates our profession. Are you compliant? What is compliance? Who is assessing you? Are you secure? What is secure? Does senior management even know what that means? Ambiguity everywhere we look. I can only tell you it's impermanent. One minute you are, the next minute you aren't. But ultimately the end of the post is most telling. The intern becomes secure when they have no servers, no users and no network. Brilliant.
  4. Diary of an investigator - pickin' up the pieces - I'm digging into the archives now because I missed a lot of great stuff over the past few months. One of the things that continues to fascinate me is how investigators figure out what the hell happened. Look at a great, detailed post from Cutaway on how he found an executable and a database IN the registry [link] to get a feel for the creativity required to pick up the pieces under tremendous pressure and tight timelines. The CSO Online folks posted this "diary" a few months ago. It may be a real scenario, it may not, but it highlights the kind of analysis that is required and the deadlines, especially when dealing with a data breach that will require disclosure. As I mention in the P-CSO, you need to be friends with a number of investigators and buy them chocolates and stuff. Because when the stuff hits the fan, you need them to answer the phone when you call.
  5. Delusion is not an option - My ATL neighbor Martin Fisher posts a good, thought-provoking piece on the Catalyst web site about understanding the truth of incident response. Martin knows his stuff, since he does IR for a Fortune-class enterprise, and suffice it to say he's a busy guy. His "truths" are pretty straightforward, but we need to continually discuss them to ensure we aren't deluding ourselves. First we need to accept that we are compromised. Any organization of scale has problems; you just may not know it yet. Then you need to have a plan and practice it (yes, very Pragmatic, I must say). Most importantly, you need to make sure senior management gets these realities. Because if they expect a different outcome, you cannot be successful. Good words to live by.
  6. Tuning the BS detector - The inimitable Shack has some fine words about deciphering vendor bull, which is a key skill for anyone buying anything. Technology, security or anything else. Understand the business motivations of both parties. Right, though most folks only look at the deal through their own prism of needs, wants and desires (which usually involve making the pain stop). Then, getting down to brass tacks on third parties and service providers, it's really about asking the right questions relative to how they will adhere to your security policies and protect your data. By the way, you can never really know whether the provider will get it done, but you can certainly ask enough questions to make sure they've done a lot of thinking about the lies they are telling you.
  7. The fleeting nature of compliance - Another day, another data breach. Captain Privacy himself does a little piece on the Network Solutions hack and makes the point that once ANYTHING changes in the environment, compliance is pretty much out the window. Yes, Network Solutions was compliant last October. But what does that even mean? Audits are a point in time, but changes and attacks are continuous. So maybe we need to stop thinking of compliance as the "answer" or the end goal and focus on the reality that something like PCI provides structure to an unstructured environment. To be clear, that structure doesn't mean your building will stand up when the Big Bad Wolf comes and tries to blow down your house. But if it's made of proverbial straw, you don't have a chance.
  8. Yes, the SIEM even grows tomatoes - Another good one that passed me by was this post from Andrew Hay making the analogy between selecting a SIEM and planting a garden. I'm not a big gardener, so I don't know much about soil content or the amount of sun required for much of anything, but I do know a bit about implementing and deploying security management technology, and Andy makes a number of good points. And a lot of it gets back to understanding what problem you are trying to solve. It's horrifying how many folks start a project saying, "I need log management/SIEM/compliance reporting." Ah, OK, but for what? And they don't really know. So don't make that mistake. Know what you need, and then go out and find it. It's not that hard, unless you want to be lazy and just talk to folks in a certain quadrant or something.
  9. Maybe we should call it SharePwnie - As much as we love to hate Microsoft (and we all love to hate them), their stuff is everywhere. Take SharePoint, for example. They have millions of customers using it. Maybe even zillions. And a hell of a lot of very sensitive information is stored there. And it's probably not all that secure, especially since SharePoint tends to be departmental and frequently deployed outside of IT's purview. Right, a recipe for disaster. The Gartner folks are doing a lot of research about how to secure SharePoint and make sure your data isn't pwned. As with everything else, it's striking a balance between being Dr. NO (hell no, you can't put that stuff in SharePoint) and supporting more collaborative business processes with a bit of security. Unfortunately, most of the good stuff is behind the wall, but they have a billion dollar revenue stream to protect.