While this is most certainly a time to enjoy family and be together, I want to take a brief moment to express gratitude for the good things that have befallen our company in the past year.

Harkening back to a weekly sports column I wrote in 2008, I offer you MeThinks. The official definition of the word is “it occurred to me”, so today MeThinks I am thankful for:

1. Every single one of the 500+ customers who have bought Network Emulators and Net Tool Optimizers from Anue Systems in our seven years of existence.
2. Our outstanding group of channel partners who are out there in the field spreading the word about Monitoring Optimization and Pre-Deployment Testing
3. Erin Jacobs, Mike Pennacchi, and Branden Williams, the three thought leaders in packet analysis, security, and PCI compliance who are presenting their outstanding knowledge at the Eye on Security webinar series.
4. Every out of band monitoring tool vendor, without whom Monitoring Optimization would be merely words on a page.
5. Our competitors, for pushing us to make our Monitoring Optimization solution better and better with each passing month.
6. The good folks who offer outstanding and free social media tools such as Twitter, LinkedIn, Facebook, PitchEngine, and WordPress. Social media is here to stay, and we are glad to have the opportunity to take part in the community itself.
7. The City of Austin for providing us such a beautiful city and highly educated population with whom we can interact, work, and thrive. We can’t say how important it is to operate in such a progressive, innovative, and open-minded culture.
8. All of our hard-working employees who have helped poise us for continued growth heading into next year.

And finally, we are thankful for you, the readers of this blog. Without you, these words are just words, but with your gracious attention and feedback, we can enjoy a continuous and rewarding conversation.

MeThinks 2010 will be a great year to know Anue Systems. Join with us for this exciting ride.

Couldn't have said it better myself!

Earlier this week I came across a very intriguing commentary on this very topic, Lifestyle Hackers, which appears on CSO Online. This insightful article talked about what is being referred to as the “Net Generation“, the younger subset of our population that has never known life without the Internet and other communication technologies (as opposed to Baby Boomers who were raised with television as the primary technology/communications breakthrough early in life).

Connectivity: A threat or a productivity tool?

Technology exposure has upsides and downsides, and we won’t go into all of the social implications of being connected and interacting virtually rather than face-to-face. However, twenty-somethings, the first true group of working adults among the Net Generation, seem to have a knack for finding their way around security measures. The ever-present Insider Threat is no longer solely a problem of user ignorance or malicious intent; it is now a problem of technical competence and motivation. How can that be you ask?

You see, the Net Generation views life, business, and productivity through different glasses than previous generations. While your security team is blocking access to social media, instant messaging, and other “high risk” applications, NetGeners (as we’ll refer to them from here forward) find those media to be crucial to their productivity. But your leadership team likely sees these tools as hindrances to productivity, hence the desire to block access. In the end, we’re all chasing the same goal – to get more done and to do it as efficiently as possible.

How do YOU define productivity?

Basically, the problem all comes down to perspective. Baby Boomers are more likely to focus on a specific task, much like watching a show or channel on TV. NetGeners, on the other hand, prefer the connectivity of the internet and have come to embrace multitasking as a fact of daily life. The article elaborates on this point, “As Internet-facing technology became ubiquitous and leaped from the home to the mobile device, the Net Generation adapted by incorporating new technology into its very social fabric.” Heck, NetGeners even have their own slang these days.

So who is right? Everyone is in some way. NetGeners see Facebook as a tool for collaboration to more quickly solve problems. They use Text Messaging (SMS) much like Baby Boomers have come to embrace email, but NetGeners prefer the instant gratification of knowing the message delivers now and the answer will come quickly, rather than a day or two later. For these reasons, many NetGeners actually refer to themselves as “Generation Now”. [Editor's Note: It's curious that most NetGeners somehow fail to grasp the value of Twitter, but that's another discussion altogether.]

The bottom line is this – media changes and evolves, as does technology. Different generations work in different ways. This has been true for hundreds of years now, through the Industrial revolution, which first made the term “economies of scale” relevant, to today, where micro-anything and real-time is deemed superior to the old way of doing things. First there was snail mail, then the telephone, then the facsimile (“fax” to all you NetGeners), then the Internet, then email, and then finally, widespread acceptance of cell phones. Cell phones naturally forced the whole equation to evolve again, and now, real-time is key.

So what’s a security professional to do? As a technologist, the smart approach is to embrace and enable safe usage of these new technologies. Revisit your Security Policy. If it’s too restrictive, expect problems if/when you hire twenty-somethings. They will find a way around it, and your policy won’t work. Ultimately, you risk failing to enforce the very security that you aim to establish.

Security is here to ensure safe operation of the network, but not here to handcuff workers from being able to be productive. We’re not there yet, but a balance must be struck, and it’s up to CSOs and Security Management to determine the optimal approach.

Have you managed to figure out the balance? Please share your thoughts, tips, or even any criticisms of this viewpoint. This is a topic that must be discussed, and we’re happy to take the lead on drumming up the discussion.

ALIST: Jay Botelho of WildPackets

We hope you greatly enjoyed the first ALIST posting last week focused on Rob Andrews of Sonicwall. This week, we turn to a Product Management professional at WildPackets, Mr. Jay Botelho.  Enjoy!

Name: Jay Botelho
Title/Role: Director of Product Management
Company: WildPackets, Inc.
Product Focus:
Distributed network monitoring
Analysis and troubleshooting
Twitter Handle: @wildpackets

1. What is your company’s flagship product, and why is it important for security purposes?
WildPackets flagship product is the OmniPeek Distributed Analysis Suite, a combination of network probes and visualization software that provides real-time visibility into every part of the network simultaneously from a single console. OmniPeek provides the capability of capturing, analyzing and storing every packet on the network, providing both real-time monitoring for a broad range of security issues as well as providing the record of every network event, providing the very best data for true root cause analysis of security issues.You never have to “reproduce” a problem, or wait for it to happen again – all the proof you need is in the captured packets.

2. What areas of security are most important to you professionally, and which do you enjoy working with most?
Network forensics, using stored packet data to drill down and determine the root cause of a security issue, is what we enjoy speaking about the most. Personally I also enjoy and have a background in wireless security.

3. What is the most common security challenge you are brought in on to help fix on behalf of customers?
It isn’t so much a specific security challenge as it is the overall challenge of identifying exactly how a security breach or attack happened in the first place.  That’s what we’re most often called in to do.

4. How do you see Cloud Computing, virtualization, and Social Media affecting security in the coming months?
Both Cloud Computing and Virtualization can be thought of as enterprise security issues, and as such, I believe both are fairly well understood as to their security implications. Cloud computing will likely make tunneling protocols ever more popular, driving the need for better support for tunneling protocols in security solutions. Virtualization is already driving a new niche market for security products, like virtual firewalls, and this trend will continue for the next several years. Social media scares me far more than the other two, not because of the underlying network technology itself, but because of the way it is used. I already see a trend where corporate data is being shared by users of these systems, mostly with good intentions, but sometimes with bad. I see tremendous difficulty staying on top of such communication. It’s analogous to the market that sprung up in the last 2-to-3 years for monitoring corporate content through firewalls, like email content, email attachments, etc. to ensure the sensitive corporate data is adequately protected and contained. Now extend that to personal devices that are typically off the corporate network, and to communications that are often transmitted during non-work hours. Though sensitive corporate documents may not be as much at risk, musings about corporate strategy, trends, acquistions, layoffs, product plans, etc. make for interesting Twitter and Facebook posts. I’m not sure that enterprises have yet realized the risk, and once they do, they will be hard-pressed to find solutions in the short-term to address this type of security “breach”.

5. Tell me what your most pressing security concern is over the next 1-2 years.
I see increased network speed as being a real security concern, especially since the move to 10Gig seems to be in full swing now. Increased network speeds will not in and of themselves create security issues, but the increased data on 10Gig networks will significantly tax existing security solutions in terms of analyzing, reporting and addressing security issues. 10Gig networks will most likely cause a realignment of what is currently addressed in “real-time” analysis.

6. How do you stay abreast of the latest market developments in your space? Shows, social media, RSS, etc.
Web seminars (a.k.a. webinars) currently seem to be the best way to stay on top of market developments. Every company and every analyst seems quite willing to share their knowledge and insights on an extremely broad range of topics via web seminars. They are easy to attend and also make it very easy to multitask.

One outstanding golden egg could make them all turn to gold

7. In closing, give us one idea you have about security that everyone should consider. Your “Golden Egg”, so to say.
Most of the industry seems satisfied with security solutions that identify problems and alert administrators of their existence. The proliferation of IDS/IPS solutions seems to support this, but security solutions need to provide much more, including the discovery of the source of attacks, identification of ways to prevent similar attacks, and even the identification of the specific perpetrators. Network forensics based on packet capture, analysis, and storage provides the information needed to address all of these issues.

ALIST: Rob Andrews of Sonicwall

So let’s get this ALIST party started…

Name: Rob Andrews
Title/Role: System Engineer
Company: Sonicwall
Product Focus:
UTM Firewall
SSL VPN appliances
Email Security
Secure wireless

1. What is your company’s flagship product, and why is it important for security purposes?
The Sonicwall NSA E7500 is our enterprise class UTM (Unified Threat Management) Firewall.  It combines firewall, routing, IPS/IDS, gateway anti-virus, gateway anti-spyware, content filtering, IPSEC, and SSL VPN capabilities into one slim 1u chassis.  It’s the only appliance on the market that can deliver nearly 2 Gbps of UTM scanning at its price point.

2. What areas of security are most important to you professionally, and which do you enjoy working with most?
I suppose I am a bit biased, but I really enjoy working with my company’s products, but more specifically the Sonicwall NSA firewalls and SSL-VPN.  Building a secure network requires the basic building blocks – firewall and secure remote access.  Essentially, these devices are the gateway to your “kingdom,” and the network admin holds the “key”.

I find it gratifying in knowing that I control and safeguard access to my resources including where, when, and how; and I think a lot of other IT admins do as well.  Keeping undesirables off my network, whether it is due to access controls or threat prevention mechanisms (i.e. IPS), helps me sleep at night.  Sonicwall’s browser based management of the NSA line makes it super simple to configure firewall rules, intrusion prevention/detection policies, content filtering, and routing.  I find anyone that used to have to manage a PIX  falls in love with the simplicity and power of our GUI.

3. What is the most common security challenge you are brought in on to help fix on behalf of customers?

I have two common scenarios I’m engaged with.  Almost everyone knows they need a firewall to build a secure network, but how to decide on correct model, features, capacity, and functionality is where I assist.  There are a lot of 5+ year old firewalls installed out there that don’t meet the demands of today’s requirements, i.e. throughput, IPS, etc.

The other is when customers need to deploy a VPN solution.  Many folks are using an IPSEC solution for VPN access, and they’ve discovered that it doesn’t meet their evolving business needs for things like granular access control, end point interrogation, and browser-based access.  I find many customers have an idea of what they’d like for VPN access but aren’t entirely sure how to meet their requirements.

4. How do you see Cloud Computing, virtualization, and Social Media affecting security in the coming months?
I just had this debate internally with some colleagues.  Some are on the side that cloud infrastructures have more sophisticated individuals maintaining and looking at the security stack, while companies that house data internally have limited IT staff, so the “cloud” is therefore it is more secure.  On the other side of the fence, some argue that you are entrusting your data to a third party who may promise the world in security, but in the end, you have no real way of auditing what they are doing.  For most folks, it’s a balancing act.  If you have no idea what you are doing or how to properly secure your data (and possibly want someone else to blame when things go wrong), using cloud services is something you should consider.  If you’re on the opposite end of the spectrum…you have the tools and skill set…my recommendation is to approach cloud services with caution.

When it comes to virtualization, I’ve seen some folks take an interest in virtual firewalling.  I’d have to say this market is still relatively young and fits a certain niche of customers.  The issue with running a VM firewall is its overall performance.  If you are only using the VM firewall to do stateful inspection, it may not be such a big deal for you.  However, we know that most attacks are buried in the payload of allowed traffic. To do DPI (deep packet inspection) effectively, you need a dedicated UTM appliance so you can see reasonable levels of network performance.  We discovered long ago that x86 processors don’t scale well for UTM scanning.

With regard to Social Media, it is and will continue to be a source of malicious attacks and other threats.  I’m seeing more and more organizations restrict access to Web 2.0 sites with highly positive results, such as reclaiming network bandwidth and employee productivity.  We’ve already seen numerous issues with threats being propagated through Facebook, Myspace, and Twitter.  Anytime you have a place where you get a lot of traffic and information is easily and quickly distributed, there is room for the unscrupulous to take advantage.  This is part of the reason I limit my social networking consumption.  There are others, but that’s another story for another day.

5. Tell me what your most pressing security concern is over the next 1-2 years.
I have two concerns for your consideration.

The first how to get customers off old insecure technology.  I find far too many customers relying on antiquated, insecure, or (even worse) technologies that they believe are secure which, in fact, are not.  Unfortunately a lot of organizations are resistant to change, whether that be due to lack of expertise, laziness, budget, etc.  In the end, technology and threats evolve. You either keep pace, or you find yourself a victim or a target of attack.  For example, I recently worked with an organization that insisted on using WEP to secure their wireless infrastructure for hundreds of users.  Never mind the fact that WEP can be cracked in seconds by almost anyone.

Fallacy: Linux and Mac OS are inherently more secure than Windows

The other is what I would consider the “head buried in the sand” syndrome.  Too many individuals believe Linux and Mac operating systems are secure by default and don’t require any safeguarding.  Unfortunately, this myth is also further perpetuated by the media i.e. the Mac/PC commercials on TV. The worst part about this is the false sense of security it brings. Attacks and vulnerabilities have already been demonstrated against these systems.  While these platforms may not have as many vulnerabilities as Windows, they still have their own issues. As Mac continues to gain popularity, I’m confident we will be seeing more and more security issues for it.

6. How do you stay abreast of the latest market developments in your space? Shows, social media, RSS, etc.
For more “mainstream” type news, I use iGoogle and have about a dozen different gadgets that provide news feeds.  I also visit slashdot.org and hackaday.com on a daily basis, and  Sonicwall has an internal daily news bulletin with information from various sources that goes out to all employees. The folks over at insecure.org have a few different RSS feeds I subscribe to as well.

It’s almost alarming to see the rate at which vulnerabilities are discovered. If I want to read something on the plane, I’ll pick up a copy of Hakin9 or 2600.  Finally, I occasionally frequent sites like securitytube.net or the forums at remote-exploit.org.

7. In closing, give us one idea you have about security that everyone should consider. Your “Golden Egg”, so to say.
UTM should be on everyone’s checklist when it comes to firewall security.  There are far too many threats that are being propagated out there, because regular stateful firewalls are letting them through.  Securing your network is much more than closing ports, it’s also inspecting the allowed traffic through.  The best analogy I can use is a trip to the airport.  Would you let everyone that holds a boarding pass through security?  Or would you want to scan the payload of the passengers to ensure nothing malicious was brought on board?  Of course, we all know the answer there. This same approach needs to be taken for your network.

___________________________________________________________________

The Anue Systems Team wants to thank Mr. Andrews for jumping in as the first ALIST-er. We are still accepting requests to take part in this program from qualified technical sales / SE professionals at leading security tool vendors. If you wish to be considered for inclusion, please contact Tommy Landry at tlandry (at) anuesystems (dot) com.

SPoT: David Mortman / @mortman

Today we focus on a gentleman who we have followed since our very early days on Twitter: David Mortman. According to his bio, Mr. Mortman is a CSO who is currently seeking his new adventure, so if you like what you read here, perhaps you can explore working together.

Together with Alex Hutton and other leading security experts, David is one of the masterminds behind The New School of Information Security. Take a look at David’s most recent post titled Meta-Data? for a good read about the appropriate level of information that is required to have important strategic discussions about security. The post has already spawned a conversation within it’s comments.

Real Name: David Mortman
Twitter Handle: @mortman
Top 3 Social Media/Networking Sites:
Twitter is the main one I use, although I have accounts on Facebook and LinkedIn as well

1. In which area(s) of security are you most involved?
These days I’m largely involved in management, risk, privacy and compliance, although I still do some technical security work as well.

2. What security topics will be the most important in the next 18 months? Why?
Compliance by a long shot, there are lots of new regulations on the horizon, plus PCI and the new changes to HIPAA, all of which will keep lots of folks busy.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
One of my personal long term goals is for business stakeholders to better understand what security can and can’t do for them.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
Twitter started out as just an convenient way for me to keep in touch with peers in a more interactive way than  email. It quickly became a great medium to launch discussions about security and privacy issues.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name 2 if you can’t decide on only one)
Jeremiah Grossman (@JeremiahG), Alex Hutton (@AlexHutton), and Shrdlu (@shrdlu) [EDITOR'S NOTE: Does anyone actually know @shrdlu's real name?].

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
I think that having security concerns with social media and cloud services is important, but that they are often over-hyped in the media. My biggest concerns are around reliability with regards to uptime / data recovery and compliance. Largely going to the cloud isn’t significantly different than other forms of outsourcing, provided you can get the appropriate protections for your business. This does mean that you can’t just use any cloud service “willy-nilly”, but that’s not any different then any other outsourcing agreement. As for social media, this is largely an education issue, similar to what companies have had to deal with in  public IM services that have been around for over a decade now. We just need to remind employees what is and is not appropriate to discuss, and remind them that social media is, in fact, a public forum.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
RSA, Blackhat/Defcon and any conference I am at .

Seriously though, I hear great things about Shmoocon, Toorcon, and SecTor.

Security Pros on Twitter (SPoT) Series Wrap Up

We have greatly enjoyed networking with all of these impressive SPoTs, and we hope you have also found the content enjoyable and informative.  Our next series will profile some key technical sales personnel at security tool companies, and we hope you are looking forward to it as much as we are.

As always, we want your feedback. Got a hot topic you want to see discussed on here? Want to contribute a guest post? Have an idea for an interesting additional series on any topic in network monitoring or security? Bring ‘em on; we’re all ears.

SPoT: Michael R. Farnum / @m1a1vet

Welcome to today’s entry in the ongoing SPoT series. Today, we are covering someone who serves a different role in security, Michael R. Farnum, who is a Pre-Sales Security Engineer for a VAR / Consulting company. Most of our SPoTs to date have been client-side practitioners, but that is most certainly not a requirement to be considered a “Security Pro”. Mr. Farnum is also known for his role in An Information Security Place, a blog which offers insightful security podcasts a minimum of once each month. The podcast discusses a range of topics, including hacking, security breaches, PCI, vulnerabilities, security/compliance audits, and cybersecurity.

Real Name: Michael Farnum
Twitter Handle: @m1a1vet
Top 3 Social Media/Networking Sites:
Twitter, LinkedIn, YouTube

1. In which area(s) of security are you most involved?
Because I am a pre-sales security engineer for a security consultant / VAR, I tend to have my fingers in a lot of pies.  I talk to clients about risk, compliance, and security assessments.  I also talk to them about security technologies to fill the gaps found when doing a gap analysis or assessment.  I have to keep pretty current in those areas as best I can [to] find opportunities to help my clients.  I also podcast about security quite a bit (since Twitter and work has pushed down my blogging volume).

2. What security topics will be the most important in the next 18 months? Why?
I think more and more disillusionment with PCI will really begin to cause the PCI Security Standards Council headaches.  I believe you are going to see some big push back on PCI DSS by companies of all sizes, as more and more money has to be spent on keeping “compliant”.  Though I have had major issues with Robert Carr, CEO of Heartland Payment Systems, in his recent interviews, I believe the auditing process has really come under fire lately and will continue to do so.  It is a broken model.

Of course, cloud computing will continue to move up and up in everyone’s mind, in both infrastructure and, necessarily, security.  Even if the economy improves, I believe this is a train [on which] more and more companies will jump, to varying degrees.  And specific to compliance, if cloud providers can start showing that compliance headaches can at least be eased by the Cloud, then it will grow even more.  I know that is a huge question, but if they can at least make CEOs and CIOs believe it, the Cloud will grow.  I don’t like it, but there it is.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
Let me change the focus of this question.  I think the failure to secure one’s business infrastructure is a failure of basic responsibility.  This is not just a business stakeholder issue, because security is not just about the ability of the business to turn a profit.  Of course, security is a driver for profit if done right and applied correctly.  But if the economy as a whole has major issues, then that business and every other business will begin to feel pain.

Here is what I mean.  Good security measures contribute to the whole economy.  Just like businesses often become a part of their neighborhood or the community as a whole by contributing money and resources for good causes, those businesses should also contribute resources to the security of the Internet as good Internet citizens.  They must look at how their security posture affects the whole of the Internet.  The Internet is, obviously, a huge part of the economy.  When a company becomes a cesspool of malware, they become a hindrance and a detriment to that economy.  Business over the Internet is not going to stop, but I wonder how much better it could be if even one third of businesses would clean themselves up.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
Twitter started out simply an outlet for my way of thinking.  I am a “snippet” thinker.  I am a quipper, if that is a word.  I used to blog a lot, and I felt that I always needed to expand on my thoughts when I blogged.  But I often simply wanted to kick out a thought and just forget about it, or at least save it for later.  Twitter gave me a way to do that without feeling “guilty” for not expounding.  I sometimes get into trouble via Twitter, but that is because I sometimes quip without thinking first.  There are a lot of people doing research on various subjects and products via Twitter, so I have to be careful.

That same dimension of Twitter is what makes it so valuable.  So many people are giving their “two-cent’s worth,” that I can literally come up with ideas on security which would never have naturally occurred to me without the inspiration from some Infosec Twit.  It gives me options to take to clients.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name two if you can’t decide on only one)
Without a doubt, Chris Hoff (@beaker) is on of the top on my list.  His insights into security continue to astound me.  He is always on the forefront of security ideas, and his spectacular imagination makes his method of dispersal of those ideas entertaining.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.

The Cloud: A Modern-day Jabba the Hut?

As stated above, cloud services make me nervous.  I used to trust that “blob” out there where all my lines seem to terminate in the Visio drawing.  But now that cloud providers want to get all my data floating out there, that trust has diminished quite a bit.  I just don’t see the same enterprise that is buying DLP letting all their data go into this mass that looks more and more like Jabba the Hutt everyday.

Social media is going to grow and grow and grow.  I can’t go a day without hearing about another social network.  I don’t think it is a fad.  But it will continue to cause great security fears for me.  I no longer have a Facebook account, because I just got sucked into it so quickly that I was not guarding my content very well.  Yes, I only allowed certain people to see my page,  but the temptation to let more and more people see it was getting out of control.  That is why it never ceases to amaze me how so many security folks have Facebook pages and are on other social media sites.  I don’t fault them.  if they weigh the risk and deem it appropriate, then more power to ‘em.  But I know my propensities, so I had to stop myself.  If you are an infosec professional, then you have to look very closely to see if those types of sites are good for you [or not].

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?

• I am more and more into local user groups and conferences.  I have attended TRISC here in Texas, and I attend local ISSA meetings.  I am also looking to start up a local Houston NAISG chapter.  That kind of event appeals to me.
• The RSA Conference is something I attend more for the socializing aspect (security bloggers gathering).
• BlackHat/Defcon are a must if you want to rub elbows with the geekier group.

SPoT: Alex Hutton / @AlexHutton

Welcome to our ninth installment of Security Pros on Twitter.  This week, we are featuring Alex Hutton, who “works in Risk Intelligence for a Fortune-something company”, according to his profile on The New School of Information Security blog, where Alex is one of the main contributors of content. The blog shares its name with a 2008 book authored by blog founders Adam Shostack and Andrew Stewart, and they are joined by some savvy security pros including Alex, David Mortman, and Brooke Paul. Mr. Hutton has been involved in security since the early ’90s, and we are very glad to profile him as a SPoT.

Real Name: Alex Hutton
Twitter Handle: @alexhutton
Top 3 Social Media/Networking Sites:
Twitter, Facebook, LinkedIn

1. In which area(s) of security are you most involved?
I love Risk, Management Science, & Security Metrics.

2. What security topics will be the most important in the next 18 months? Why?
Regulatory pressures & Business Intelligence.

I think we’re going to see Regulatory pressures (both government and private pressures) increase, because I believe that our industry will continue to see people outside our profession try to “solve” our problems for us.  The danger being that their good intentions will lead us towards an undesirable destination.

Business Intelligence for InfoSec, done right, could be a major catalyst towards solving significant problems in security.  If we’re lucky, it’ll destroy GRC as we know it.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
Wow, if you’ll forgive me for saying so, I think that question is backwards.  If you think about it, it’s rather egotistical to think that “they” need to “get” us.  Nope, my perspective is that they sign the paychecks, so “we” need to “get” them.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
I became active when I was developing Risk Analytical software using Ruby On Rails.  Twitter was just kind of experimental then, a neat RoR app to play with.  I was also very interested in how my application would provide security practitioners with a feeling of “Miryokuteki Hinshitsu“, and thought maybe Twitter (or rather twitter-like functionality) might be a piece of that.  The idea being rather than long, arduous web forms in Archer-like software for project management, security analysts could just “tweet” their processes and outcomes back to a central server using an IM-like interface (yeah, this was back when you could still use Jabber for Twitter).

The value I get is twofold.  First, I get to meet good people.  That’s important, as everyone has perspective that contributes to your world view, and I believe that your world view is only as good as it is broad.  Second, and related to that, I get to watch really smart people talk.  For example, I used to despise PCI-DSS, and now I don’t.  That’s largely because of conversations I’ve had with @sfoak and others on Twitter who desire that we stop whining and start solving problems.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name two if you can’t decide on only one)
Only two?!  Ed Bellis (@ebellis) and Dave Lewis (@gattaca) – both Security Management, both with massive amounts of “get it”ness.  Apologies to dozens of others I would have liked to have mentioned.  And everybody mentions @shrdlu, so he goes without saying.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
IMHO, social media represents more of a time-wasting threat than new attack vector threat.  With regards to the cloud, it’s going to be a mess. And I like that.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
I would break down real world events into two categories – local and non-local.  Pick any of the large non-local events to try to get travel budget for.  Networking with peers is super-important for your career on so many levels.  That said, I’d spend a ton of time getting to know the local environment, even if that means creating your own informal events (especially  if your ISSA/ISACA/Infraguard meetings are “Death by Powerpoint”, with little time for socialization).  The most successful professional events I’ve ever gone to was our Security MBA (Masters of Beer Appreciation) events in Columbus organized by Dan Houser.  We can put our professional guard down, not be over-exposed to some “speaker”, and really have meaningful conversations about our professional and personal lives.

SPoT: Andy Willingham / @andywillingham

Real Name: Andy Willingham
Twitter Handle: @andywillingham
Top 3 Social Media/Networking Sites:
Linkedin, Twitter, Facebook

1. In which area(s) of security are you most involved?
I started out in Network Security but have focused mostly on program development, regulatory compliance, and architecture for the last few years.

2. What security topics will be the most important in the next 18 months? Why?
I think we really need to focus on user education, reclaiming the desktop, social media and “The Cloud”. The first two will give us the biggest bang for our buck, and the last two have to be tamed before they get too far out of hand. They are coming fast and furious, and we can’t stop them, so we’d better learn how to secure them.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
We have got to start involving security in the beginning stages of projects. I can’t tell you how many times I have found out about something in a Change Control meeting when the business was trying to get approval to go live with something. They had been working on it for months, and no one ever said “Hey, I wonder if Security would have any concerns about what we’re doing?”. It only hurts them in the long run, because they end up getting delayed on launch, or if someone with enough clout “insists” that it still go live, they end up spending lots of time and money fixing things that could have been prevented. It looks bad to their customers because of all the down time and bad features.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
I’ve spent much of my career in smaller companies with limited tech staff, and there have been lots of times when I needed someone to bounce an idea or question off of, but the only option that I had was an online forum. Not that there is anything wrong with that, but you are taking a chance that 1) someone will know the answer and 2) that person will actually check the forums and see your question, which can often take several days. With Twitter and other social media sites, I’ve got experts in all fields right there willing to help out. It also keeps me informed on up to the minute happenings in security, and it is lots of fun to banter with and trade ideas with others in near real-time.

5. Name one security peer whom everyone with an interest in Network Security should follow. (Okay to name two if you can’t decide on only one)
Michael Santarcangello, The Security Catalyst, @catalyst on Twitter. Santa thinks like no other security pro that I know. He is on to something that has the potential to set the security industry, and by default the companies we protect, on it’s ear. He not only realizes that we need a shift in how we think and how we practice security, but he has a plan and is actively getting the word out.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
First off, as I said earlier, they are here to stay, and we had better do something about it. We can’t just sit back and wait until our company adopts them, and then try to figure out how to secure them. Chances are there are people in your company who are already using them, and you just don’t know about it yet. As security pros, we have to know the issues, concerns, and threats to fix them before they become problems.  My first concern is that [this movement] is happening too fast and the industry is not keeping up. Businesses are adopting them without taking proper measures to ensure that they are being used in a secure manner. As for overstated issues, there are a few, but what makes them overstated is that lots of “experts” are talking about them and complaining about them withoutt offering any real solutions. It’s okay to talk about problems so that others become aware of them, but then you need to either quit talking or start offering something of value.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
Picking a specific three is hard because what you choose (especially if it costs money) needs to be based on what your area of focus is. RSA is a safe bet for most any aspect of security, but beyond that, it gets foggy. If you have the budget, I’d say do something like this: Go to RSA and one conference that is specific to your area of expertise. Then I’d say find local chapters such as NAISG, ISSA, InfraGard, DC 404, etc., and attend their meetings and events. If you can do those three things, then you will be able to build a network that will serve you well in solving problems, answering questions, and finding new positions when the time comes to move on.

SPoT: Jack Daniel / @Jack_Daniel

Welcome to this week’s installment of Security Pros on Twitter. Today’s SP is a very well known security expert, and one who brings an intriguing dose of personality to the table, Jack Daniel. Self-described on Twitter as “Sporadic blogger, Tech Community Activist, InfoSec Curmudgeon, Reluctant CISSP, Amateur Blacksmith, and stuff”, Mr Daniel is truly a man of many “hats.” In addition to serving as the Director of the National Information Security Group (NAISG), Jack shares his musings on Twitter and his blog, Uncommon Sense Security.

Real Name: Jack Daniel
Twitter Handle: @jack_daniel
Top 3 Social Media/Networking Sites:
Twitter, Linkedin, and Facebook as a distant third

1. In which area(s) of security are you most involved?
I live and work in the UTM space, covering all the fundamentals of network security, firewall/content filtering/proxies/VPNs, etc.

2. What security topics will be the most important in the next 18 months? Why?
It kills me to admit it, but “cloud” computing (whatever that means) will be very important.  Not because of the hype, but because, like virtualization, it will let us make old mistakes in new and creative ways while also offering exciting and original ways to get security wrong.

I also think that “antivirus” is of renewed importance.  Microsoft’s venture into free antivirus and the impact that will have on the AV industry, combined with the increasing irrelevance of traditional AV in defending against many modern attacks, means that it is time to step back and challenge what works, what doesn’t, and what to do about it.  We may not have many conversations about this, but we should.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
A failure to grasp and act on the fundamentals.  In network security, this often manifests itself as an unhealthy push for needless complexity, which dramatically increases the likelihood of misconfiguration and failure.  (I’m not blaming anyone, but if I did, I would look toward San Jose, CA)  All the blinky-light boxes in the world will not overcome basic misconfiguration issues.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
My adoption of Twitter was pretty slow, and has grown gradually over time.  It started as a way to stay in touch with friends and has expanded into a powerful (and still wonderfully inane) way to communicate.  I have gotten more out of Twitter than I can list in a short space, from friendships and information to Twitter being the starting point for the Security B-Sides events.

5. Name one security peer whom everyone with an interest in Network Security should follow. (OK to name 2 if you can’t decide on only one)
That’s hard; I follow too many people for too many different reasons to pick one or two.  I’ll cop out and recommend following @SecurityTwits, that is a good way to find out who is saying or asking what, which leads to finding good people to follow.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
The fundamental insecurity of social media is also why people use it.  Platforms designed for openness and sharing of content are perfect for exploitation, but if you lock them down, you lose their value.  User education is the only solution, and that will only reach a limited number of people (and they don’t have to listen).  I have more hope for the security of cloud services in general; I think it will eventually be possible to do an acceptable job of securing the infrastructure, but as with everything else, the client implementation is where I see ongoing insecurity.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
RSA and BlackHat are giant events with many opportunities for socializing and networking.  SOURCE Boston is a much smaller event – you could almost call it intimate – and it really encourages the feel of community.  I’ll cheat and add a fourth – Shmoocon is a great and affordable event.

SPoT: Branden Williams / @BrandenWilliams

Welcome to this week’s installment of Security Pros on Twitter. Today we turn our attention to an expert in a very important area of compliance, PCI DSS – the Payment Card Industry Data Security Standard – in addition to his other areas of security expertise. Branden Williams is the Director of the PCI Practice for Verisign, a global security consulting firm. He also maintains a Verisign blog focused on a range of security topics: Branden Williams’ Security Convergence.

Real Name: Branden Williams
Twitter Handle: @BrandenWilliams
Top 3 Social Media/Networking Sites:
Linkedin, Twitter, Facebook

1. In which area(s) of security are you most involved?
My primary focus is payment security, however, my background is fairly technical and includes application development.

2. What security topics will be the most important in the next 18 months? Why?
Application Security, Data Discovery and Loss Prevention, and Wireless.  The first two are inter-related as we continue to amass more data on more individuals, and need more ways to crunch the data.  Today, we have a myopic view of where our data lives, which unfortunately becomes focused when we lose it.  The latter is a catch-all.  More applications are going mobile, thanks to improvements in networks and devices like the iPhone.  Watch for attackers to flock to those platforms.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
I’m not sure I have one particular one, but the future of security lies in the hands of those individuals that can speak to the business about quantitative risk in a way they can understand.  Security is a business issue, and they need to be on-board with it.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
I became active on Twitter to keep up with colleagues in the industry and to stay on top of the deluge of information available to netizens.  I’m getting a ton of value as it helps me promote my blog and allows me to learn more about emerging trends.

5. Name one security peer whom everyone with an interest in Network Security should follow. (OK to name 2 if you can’t decide on only one)
@DavidNavetta – Legal professionals need to have an open dialogue with Security pros.  This guy gets it, bigtime.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
The top concerns around this type of media really should be the content, not the method.  PR departments have to embrace this more real-time method of information dissemination, but moreover, employees have to realize that what they post leaves a permanent record.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
RSA Conference, a long staple even though its attendance in recent years seems to have dwindled a bit.  Blackhat, the best of the best are here.  Information Security Forum, the global community is well represented here.