Securosis Blog

How cool would it be if LMFAO (or a reasonable proximity – Beaker, anyone?) did a security version of “Sorry for Party Rocking,” because evidently the security job market is rocking. But it offers a great perspective on the mind of the security professional. Check out the following quotes to get a feel for how things seem, which I can anecdotally validate based on the number of calls I get from CISO types looking to grow and retain their teams.

Every year there seems to be a new shiny object that works security marketeers into a frenzy. The Advanced Persistent Threat hype continues to run amok 3 years in, and doesn’t seem to be abating at all. Of course there is still lot of confusion about what the APT is, and Rich’s post from early 2010 does a good job explaining our view.

Security groups are the basic firewall rules associated with instances in various compute clouds. Different platforms may use different names but security group is the most common so that’s the term we will use. Basically, it is a way of defining hypervisor firewall rules. Of course this is a gross simplification – different cloud platforms enforce groups at other layers of the virtual or physical network, but you get the point. You assign instances to a security group and they inherit that…

Sometimes seeing what you have known for years in print is helpful, even comforting. So Gartner’s Paul Proctor writing about killing compliance in cold blood is good. Paul has a bigger megaphone than the rest of us, so maybe folks will start getting on board with doing security (or risk, depending on your vernacular) and stop worrying so much about the checklists.

Ever start a simple project – or perhaps ask for something simple to be done on your behalf – and get far more than you bargained for? Sometimes the seemingly simple things reach up and bite you. I was thinking about this two weeks ago, in the middle of some weekend gardening, expecting to tackle a small irrigation leak that popped up during the winter.

The hype cycle for Threat Intelligence is just getting going. It will soon join advanced malware, BYOD, and Big Data as terms that mean nothing because they have been poked, prodded, manipulated, and otherwise killed by vendor hyperbole. We have done a bunch of research into how to use threat intelligence (Early Warning, Network-based Threat Intelligence, and Email-based Threat Intelligence), so we get the value of benefiting from other folks’ misfortune and learning from how they were…

We have each probably worked for a CEO who we’d just as soon meet in a dark alley (without video surveillance), while carrying a nightstick and a taser. So when I saw Ed Moyle’s blog about Narcissistic CEOs, I was hoping it would end with “You’d better bring a mop. And a body bag.” Unfortunately Ed highlighted some research that these narcissistic douches adopt technology more aggressively (mostly due to their oversized egos) and are more likely to be successful. Humbug.

My paternal grandmother passed away last week at 103. No, that is not a typo. One hundred and three. Ciento tres for you Spanish speakers out there. She would have been 104 in June. That’s a long time. To give you some perspective, per the infoplease site, William Taft was president in 1909. Robert Peary and Matthew Henson reached the North Pole that year. And the big news in the medical community was finding a cure for syphilis. I’m sure that caused much rejoicing around the world. I guess…

I like to see stuff that challenges common wisdom. The inimitable professor Gene Spafford of Purdue goes far against the grain in calling out the excitement of hacking competitions and red teams as counterproductive to training the next generation of security folks.

We ve talked a bit about the need to “be careful what we wish for,” in terms of making security a higher profile issue with senior management. Well, it’s no longer just vendors throwing FUD balloons that can splat at any time. I was perusing the Seeking Alpha investor site over the weekend when I found an article called Pandemic Cyber Security Failures Open An Historic Opportunity For Investors. Yes, I threw up a bit in my mouth when I read that headline.