Andrew Hay

the man, the myth, the blog

April 22, 2013
by Andrew Hay
0 comments

Facilitating Fluffy Forensics – Part 1

I’ve always known that CloudPassage Halo could help facilitate forensic acquisition in cloud environments, but we’ve been missing the ability to acquire disk images from target servers in a reliable, repeatable, and free manner.

After reading Ken Pryor’s excellent NBDServer blog post on Wednesday, April 10th, and while preparing for my SOURCE Boston 2013 talk entitled Facilitating Fluffy Forensics, I found myself wondering if the tool might help with investigations in public cloud environments.


March 28, 2013
by Andrew Hay
1 Comment

Guest Post: Why Get Out of the Cavern?

InfoSec, like many professions, has a known echo chamber. The same people that joke about it are the same people that contribute to it the most.

The repetition appears in tweets, blog posts, podcasts, and at conferences.

  • How many panel discussions held at conferences actually have led to known change?
  • How many presentations and panels at conferences are identical or repeated at different conferences and every year?
  • How many times has someone posted/tweeted something only to be told that someone else spoke/wrote about the same thing months or even years ago?
  • How often are new speakers and actual new topics accepted and presented at conferences?

While the InfoSec space has a fairly large echo chamber, it is also a rather harsh space in which to work. Someone makes a mistake – tweets go out, blogs are written, podcasts analyze it, and a TV reporter might conduct interviews about it. How often do people in the InfoSec space praise each other? While it might be difficult to recognize successes in InfoSec, there are far more companies that don’t make the news for negative reasons. I would like to think that the people securing the companies are doing something right or well. People that read this are probably thinking that any company not exposed for a compromise must be hiding or not sharing information. If a company is compromised and immediately takes the necessary steps to fix the problem without the company making headlines or killing a Twitter feed, is that a bad thing?

The echo chamber makes me laugh at least once a day with the overuse of acronyms and the repeated “this doesn’t work, we need to change” mentality. As I watch my Twitter feed roll by with a fair amount of negativity, I wonder where the leaders are with ideas on how to change and improve the InfoSec space. I believe that many of them are working quietly and implementing controls to keep their company or business safe. I would love to hear from them, but suspect they feel safer keeping quiet.

The preceding blog post was originally posted by my lovely wife Keli Hay on her shiny new blog. Though new to blogging, she’s not new to critical opinions. You can read more of her posts at OutsideLookInfoSec and follow her on Twitter using twitter.com/kelihay.

March 4, 2013
by Andrew Hay
1 Comment

Andrew Dreams of Security

Yesterday, I watched a pretty incredible documentary, which you’ve undoubtedly heard of, called Jiro Dreams of Sushi. To sum it up, the documentary is about an 85-year-old sushi master, Jiro Ono, his business in the basement of a Tokyo office building, and his relationship with his son and eventual heir, Yoshikazu.

In the movie, the concept of shokunin is introduced to the viewer. I couldn’t remember how the term was defined in the documentary, so I took to the Internet. The best definition of shokunin I was able to find was by Toshio Odate:

“The Japanese word shokunin is defined by both Japanese and Japanese-English dictionaries as ‘craftsman’ or ‘artisan,’ but such a literal description does not fully express the deeper meaning. The Japanese apprentice is taught that shokunin means not only having technical skills, but also implies an attitude and social consciousness. … The shokunin has a social obligation to work his/her best for the general welfare of the people. This obligation is both spiritual and material, in that no matter what it is, the shokunin’s responsibility is to fulfill the requirement.” – Toshio Odate

Now how does this relate to security? Well, think about this: how many of us can say that we’ve become ‘craftsmen’, ‘artisans’, or ‘shokunin’ in a single aspect of information security? I cannot think of a single friend, colleague, or acquaintance that I would consider shokunin. Please, don’t be offended by the previous statement. I know quite a few people who I consider very good at what they do, but none of them have the dedication to be shokunin.

I argue that the information security field does not have shokunin, nor will we ever if we keep flip-flopping between requiring individuals to be specialized one minute and have a wide breadth of skill the next. In the documentary, Jiro (or maybe it was Yoshikazu) mentions that an apprenticeship lasts for a minimum of 10 years. I, for one, have not worked a single job for more than 3.5 years, let alone 10. The dedication to become shokunin simply does not exist in our field.

When I posed the question to Twitter this morning, Andrew (@azwilsong) suggested that our field was simply not as mature as that of sushi. Kevin Johnson (@secureideas) agreed, but wondered what we could do to change it:
(Screenshots of the Twitter exchange, taken March 4, 2013 at 9:43, 9:47, and 9:49 PM.)

So which is it? Serious passion to perfect a single skill or a wide variety of knowledge across various disciplines? Do we even need security shokunin? I’d be curious to hear what you think.

While you ponder your response, I’ll leave you with this. The documentary includes quite a bit of commentary from Japanese food critic Yamamoto, who lists “the five attributes of a great chef” – all of which, he asserts, Jiro possesses in spades. These attributes are:

  1. Take your work seriously.
  2. Aspire to improve.
  3. Maintain cleanliness.
  4. Be a better leader than a collaborator.
  5. Be passionate about your work.

How many of us strive to live by the above attributes… ALL of the above attributes? Time to look inward, methinks :)

January 23, 2013
by Andrew Hay
2 Comments

If you do not have anything intelligent to say…

My mother always told me that if I “didn’t have anything nice to say” that it was better to say nothing at all. The same can be said about outlandish and unintelligent claims.

Case in point, Kim Schmitz (whom I refuse to refer to as Kim Dotcom because, frankly, it’s stupid) on his launch of “Mega”:

“Mega doesn’t use any existing technology. The servers were built from the ground up so there is no way that they can be exploited because it’s our own technology.” Additionally, Kim said that “everyone involved in building the site has a background in information security” which meant a lot of care had gone into building security in from the start.

Really? It doesn’t use “existing technology”? There is “no way that they can be exploited”?

Sorry mom, I couldn’t help myself.

January 6, 2013
by Andrew Hay
0 comments

Book Review: The Phoenix Project

I was sent an advance review copy of The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win by co-author Gene Kim, and I can honestly say that it was one of the most enjoyable books I’ve read in a long time. The novel, written by Gene Kim, Kevin Behr, and George Spafford, not only combines an interesting story with sound business practices, it also teaches the reader about risk evaluation, critical thinking, and how manufacturing processes can translate to IT operations, development, and, of course, DevOps.

The characters in the book were easy to relate to, and I suspect that if you have not yet worked for or with an individual depicted in the book in your career, you likely will at some point. Both the heroes and the antagonists were easy to spot, and I found myself genuinely rooting for the heroes throughout the course of the book.

If I have one criticism about the combined work, it’s that throughout the book the characters had very negative views towards developers and the historic disconnect between IT ops, security, developers, and the senior decision makers. This was something that I had hoped would evolve into, at the very least, a sense of mutual respect and appreciation for their skills, talents, and issues by the end of the novel. Part of me would like to see a parallel sequel written that depicts the same story from the view of the software people.

I recommend that anyone involved in any line of business read this book. Similarly, any person working within an organization will be able to learn something new about how their business operates. It shows the inner workings of how business decisions are prioritized and will help people relate to the decisions made in their own company.

Business leaders will almost certainly find a gem or two to help them optimize their existing business practices and perhaps even streamline their IT operations and product deliverables. I wouldn’t be surprised to see this book as the basis for future MBA or executive education tracks, as I think that, though the individual concepts may already be presented elsewhere, the combined work presents itself as a seminal case study in optimizing business by automating IT.

December 19, 2012
by Andrew Hay
1 Comment

Blackhatonomics: An Inside Look at the Economics of Cybercrime – NOW AVAILABLE!

After quite a bit of work by Will Gragido, Daniel Molina, John Pirc, and Nick Selby, the Blackhatonomics book is finally out. I was asked to serve as technical editor for this book, though, I admit, the work required little editing.

About the book:

Blackhatonomics explains the basic economic truths of the underworld of hacking, and why people around the world devote hours to developing malware. The root cause analysis of the monetization of cybersecurity in the inner circle of cybercrime is analyzed from the impact of multiple. Written by an exceptional author team, they take practical academic principles and back them up with use cases and extensive interviews, placing you right into the mindset of the cyber criminal.

Congrats to the authors and buy it here.

November 30, 2012
by Andrew Hay
1 Comment

Infographic: Security and the Cloud 2012

After spending days and weeks poring over the results of the CloudPassage 2012 Security and the Cloud survey, we have finally released the most interesting findings in an easy to reference infographic. With over 200 respondents across 50 unique industries, this was our most successful and engaging survey to date.

It should be of no surprise to anyone involved in IT or security operations and architecture that companies have big plans for public cloud. What may surprise you, however, is how quickly organizations plan to embrace public cloud for critical application deployment by this time next year. Based on the results of our survey, 4 out of 5 respondents claim to be using public cloud servers within their organization for a variety of critical business functions such as temporary workloads, big data, hosting of e-commerce applications, media, internal development and testing, and the deployment of both internal and external applications.

We also noticed that some concerns about public cloud security are beginning to fade. The multi-tenancy of infrastructure or applications, provider access to guest servers, and the lack of perimeter defenses or network controls have all significantly decreased since our 2011 survey.

Though concerns about security and compliance (or the perceived lack thereof) in addition to the loss of control remain high, concerns about technology maturity, deployment complexity, cost, and expertise required fall on the low side of the concern spectrum.

Perhaps the most reassuring result from the survey is that nearly 80% of respondents understand where the demarcation between end user and service provider security responsibility lies.

Without any further ado, please enjoy the infographic below, which communicates the highlights of our findings. If you would like to talk to us about our methodology or findings, please reach out to Jennefer Traeger at press@cloudpassage.com to schedule a briefing.

Security and the Cloud 2012 Infographic

October 6, 2012
by Andrew Hay
0 comments

Some interesting blog posts this week

Well, not all this week but at least some blog posts that I’ve had in my hopper to read.

  • FedEx CIO Sees Analytics Driving a World of Enterprise Change – A pressing need to leverage massive amounts of Big Data in the name of business agility has put shipping giant Federal Express on the path toward re-engineering most of its enterprise applications.
  • A Buyer’s Guide to Cloud Apps Infographic – Cloud applications are becoming more popular and prominent than ever and they aren’t going anywhere. Working in the cloud makes sense as it allows for greater efficiency and easier collaboration. But before you make any purchases it certainly pays to do some research. Take the time to clearly understand how much you’re paying, what you’re paying for, and pay close attention to what each service guarantees; they might make a bigger difference than you think. We created this infographic to help guide you through the process, enjoy!
  • PHP State of the Stack: A New Benchmarking Report – A sample of approximately 1,800 [New Relic] PHP customers to see what versions they are using, what frameworks they are on and what Drupal modules they’ve plugged in.
  • Thales: Sensitive data is now moving to the cloud – Eighty-two percent of firms would transfer sensitive data into the cloud, despite security fears, research suggests.

August 20, 2012
by Andrew Hay
1 Comment

Incomplete Thought: Cloud Forensics and IR?

Taking a page from Chris Hoff’s method of posting incomplete thoughts, I found myself wondering why there is so little talk in security circles about performing forensics and incident response in public cloud environments. Do people just not care? Is it just easier to kill the image and spin up a new ‘clean’ image? Is it just too hard? Is there not enough guidance?

What’s up with that?

July 8, 2012
by Andrew Hay
3 Comments

Hire My Wife

My lovely wife, Keli Hay, is now a free agent and is available for all of your instructional design, training and technical writing needs. You can read all about her on her about.me page but here are some highlights:

  • More than a decade of experience developing and delivering learning and written content
  • Experience in software, financial services, energy, life sciences, retail, defense, healthcare, and government verticals
  • Has designed, developed and led learning deliverables for various clients
  • Helped develop technical documentation and courseware for internal, customer and partner training at Q1 Labs, an IBM company
  • Provided introductory and intermediate-level training on various Microsoft software packages
  • Provided technical editing expertise to the authors of the OSSEC Host-based Intrusion Detection Guide (Syngress, ISBN 9781597492409, March 2008)
  • Co-authored the Nokia Firewall, VPN, and IPSO Configuration Guide (Syngress, 9781597492867, November 2008)
  • Is a Certified Technical Trainer and has attended instructional techniques workshops offered by Friesen, Kaye and Associates
  • Has a diploma in Business Administration (Information Systems Major) from Algonquin College in Ottawa, Ontario, Canada
  • Served in various roles and responsibilities at Pulse Learning, Q1 Labs, Magma Communications, Nortel Networks, Computer Sciences Corporation and the Royal Canadian Mounted Police (RCMP)

Feel free to reach out to her directly via her about.me page, Twitter (@klhay) or LinkedIn.