I’m pretty lucky – my most recent memories of a long commute were back in 1988, when I worked in NYC during my engineering co-op in college. It was miserable. Car to bus to train, and then walk a couple blocks through midtown to the office. It made me old when I was young. I only did it for 6 months, and I can’t imagine the toll it takes on folks who do it every day for decades.
One of our esteemed colleagues to the North, Dave Lewis, summed up a danger in almost everything in his recent CSO post, We need to be uncomfortable. Dave talks about realizing he could check out of a job and no one would notice, and how he knew it was time to find the next challenge. He’s right.
My friend Shimmy must have taken his nostalgia pills over the long weekend – on Monday he tweeted:
Doesn’t it suck getting older I didn’t realize how truly carefree life was All is good here thinking about some new stuff
The methods by which applications and supporting infrastructure are developed and deployed are undergoing fundamental change. Avoiding the predictable hyperbole, new methods including DevOps and Cloud Computing promise to disrupt most of IT over the next 5-10 years. But embedded infrastructure and legacy applications are not going away. IT professionals need to walk a fine line between delivering critical services at the lowest price for acceptable performance, and doing it quickly and reliably.
They say it is better to be lucky than good. I seem to test that theory on a daily basis. Just yesterday I ranted about the need for multi-layer DoS defenses, mostly by poking at a Prolexic white paper advocating the opposite. I alluded to the reality that most customers wouldn’t run all their traffic through a scrubbing center, so they need on-premise defenses as well (so a multi-layer system).
I guess I shouldn’t be surprised by highly biased marketing campaigns providing bad advice to customers. Normally I let it go (yes, Zen Mike is usually in the house), but not today. I saw Prolexic’s Why a Multi-Layered Security Strategy is Not Ideal for DDoS Mitigation campaign and was a bit perplexed, especially by one statement:
Actually, things mostly don’t change. We talk a lot about the dynamic threatscape, advanced attacks, and all sorts of other things that make us feel special. But most of the same tactics that have been owning people and technology for decades are still in play. The mass market doesn’t learn, so they repeat history – over and over and over again.
This should be no surprise because I just pounded through all the posts and put the paper up on GitHub for open review.
Dell SecureWorks CTU published a cool research report today. Joe Stewart and David Shear dug into the marketplace of attackers and found that the market for attack products, tools, and services is thriving. Here are a couple of their more interesting findings:
Ah, the holidays. That wonderful time of year when I struggle to attempt to explain to my children why the Christmas decorations are up before Thanksgiving. They are very adamant that Thanksgiving is first, and there really shouldn’t be Xmas decorations yet. Because I agree, and struggle to keep “Burn their houses down!” in my head rather than out loud when I drive past certain neighbors, I really can’t explain.