Author: Perry Payne

Sept 10

39,000 feet over the Russian/Mongolian border

“A good traveler has no fixed plans and is not intent on arriving.” – Lao Tzu

Cruising on a tailwind at just over 600 mph and near the end of my 10-hour flight from Rome to Beijing, I’ve had ample time to reflect on my journey thus far. In between moments of reflection and not being able to sleep much, I watched one of my favorite movies, Moneyball about Billy Beane and 2002 Oakland A’s – more on that later.

I also finally got a chance to catch up on emails. Most were typical read-and-delete but one was from a cyber security buddy who gave me a little good-natured ribbing as my recent posts have been light on that topic. He was in fact correct, but I have learned when one is on safari there are more important things than re-tweeting and heaping shame on the latest breach victims or how this vendor or that could have prevented it. That said, in my conversations with security experts along the way, a few classic woes continue to frame our discussions around the current state of enterprise cyber security:

1. People – The shortage of skilled personnel at all levels in our profession
2. Process – The continuing lack of basic security hygiene (vendors as well as practitioners)
3. Technology – The emergence of artificial intelligence (AI) as a critical arrow in our cyber-quiver

Security Resources

As my UK friend and RAF veteran Simon Wilkinson put it, “It’s first about people – there are simply not enough security resources to go around.” A recent ISC2 report states that in Europe alone, the skills shortfall forecast is estimated to be over 350K by 2022. A Cisco report from 2016 put the figure of unfilled cybersecurity jobs at one million worldwide. This problem has created a significant gap between the haves and have-nots – organizations that are able to outbid for those scarce resources and those who simply cannot afford to. Companies struggling to fill jobs are turning to managed services to fill the gap. In the past, I’ve been a big proponent of managed security services where they make sense but I’m also acutely aware Cyber is not a one-size-fits-all problem. There are tangible benefits beyond staffing, such as reducing security infrastructure and software maintenance and avoiding vendor lock-in. But in turning over that function to a partner you also may trade off agility to respond to the speed of business changes, acquisitions, new systems, etc. Regardless, the skills shortfall problem is not something that can be fixed in the near term and will likely be solved through a combination of more people, better processes and advances in technology.

Security Hygiene

A recent report in Computer Business Review states 90% of business are vulnerable to hacks due to unpatched vulnerabilities dating back three years or more. Lack of basic security hygiene has been a problem for quite some time and regardless of how much technology or policy we throw at it, vulnerabilities exploited via code, architecture or lack of awareness continue to be the number one way adversaries gain access to systems. In the CBR article, Phil Quade, Fortinet CISO says, “Cybercriminals aren’t breaking into systems using new zero-day attacks; they are primarily exploiting already discovered vulnerabilities. The technology innovation that powers our digital economy creates opportunity for good and bad in cyber security. Yet, something we don’t talk about often enough is the opportunity everyone has to limit bad consequences by employing consistent and effective cyber security hygiene.” Enterprises can’t keep pace with patches and the hackers know it.

Unpatched vulnerabilities are still the “Easy Button” into our systems.

Emergence of AI

Just as artificial intelligence, specialized algorithms and the rise of Quants disrupted the trading markets, many start-ups are looking to leverage machine learning and AI to identify trends and anomalous patterns to help practitioners detect and stop unauthorized access to systems before damage is done. In addition to faster time to detection and remediation, there is promise that this approach could reduce the number of “eyes on screens” needed to appropriately staff a Security Operations Center (SOC) and thereby alleviate some pressure created by the shortage of qualified personnel. Unfortunately, the same AI technology is also being weaponized by the bad guys (namely, nation-states) in the cyber arms race.

The first two problems I think we all agree on – Mom & apple pie, right? We simply can’t mint enough qualified security experts to fill the current need any time soon. And with 2016 being a record breaking year for the number of vulnerabilities reported, this isn’t a problem that’s going away quickly either. So what about the adoption of AI and other new, cutting-edge technologies?

As I walked the floor at RSA conferences in years past, I’ve talked to plenty of security vendors hawking the next “shiny new object”. Perhaps some could actually help if we could get them fully implemented. In a 2016 survey conducted by the ISSA and the Enterprise Security Group, respondents were asked about the implications of the global cybersecurity skills shortage on their organizations. Not surprisingly, 35 percent said the skills shortage has created a situation where the staff doesn’t have time to learn the nuances of the security products they purchase, meaning these technologies are never used to their full potential. Hmm…not enough people to make our security technology work effectively…is it the chicken or the egg?

If what we’ve been doing isn’t working, do we need to start thinking about this in a different way? Is predictive analytics coupled with automated response the baby step toward autonomous, self-healing security? Can AI algorithms that mimic the human immune system be the next evolution in defending enterprise networks? Rather than bolting on more software and hardware to already vulnerable systems, should capability of this type be built into the very fabric of our networks and computing platforms? Is blockchain technology possibly the answer for finally securing transactions, especially in the IoT and even more critically, the IIoT world?

To quote my former HP colleague and friend Art Gilliland, now CEO at Skyport Systems, “There is not enough time, skill or capability for organizations to protect themselves from focused attackers. Security needs to be built in by design, not bolted on after.”

So the answer to thinking about this in a different way is certainly “yes” – and many of us already are. We may come to different conclusions on how to close our specific organizational gaps, but we know can’t continue to do the “same old thing”. Perhaps the bigger challenge for security leaders today will be getting the rest of our executive team up-to-speed and on board as well.

As I was watching Moneyball after dinner, it got me thinking about these issues. In 2002, Billy Beane was the GM of the Oakland A’s baseball team. Defying conventional wisdom, he led a completely low budget, under-staffed squad that year to the AL West Division title relying on a new, cutting-edge analytical scouting system called sabermetrics. Prior to the start of that season, he and his head scout argued over how Beane’s new approach disregarded the experience and intuition of his lifelong “baseball men” and how he would ultimately fail. Billy, given the circumstances and understanding the need to think about the problem in an entirely different way resisted, and famously responded “Adapt or die”. He then fired the scout and ultimately went on to win the division. Today, sabermetrics is the foundational scouting tool for all MLB teams.

Like Billy Beane and the A’s organization in 2002, our game is changing, as well. In order to survive in this climate of rapid business transformation coupled with the evolving nature of cyber-attacks, our collective thinking on security must mature and adapt – and quickly.

I prefer to call it “Adapt and win”.

---

So despite the whirlwind of planes and trains, I have managed to keep up somewhat with recent news in the security space. More importantly, I’ve been following the stories about the very devastating earthquakes in Mexico and the parade of hurricanes moving across the Caribbean and US – life changing events that will have an impact for years to come.

When it comes to security news and breaches, every-day folks I’ve talked to throughout Europe don’t seem to pay much attention. For example, most Italians I’ve met are fully aware of the earthquakes and hurricanes half a world away with many concerned enough to ask if my home or family were affected. However those not in the security profession, when asked what they knew about the Equifax breach or even recent local cyber-events, just shrugged. My observation is it’s not lack of intellectual curiosity but rather a different set of priorities that guide their day-to-day lives. Rather than being relentless slaves to the 24-hour news cycle, the people here tend to focus more on what they call the good life or “il Buona Vita”.

To paraphrase my chatty but savvy cabdriver on the way to Leonardo da Vinci airport, “I am happy you’re on a good, long holiday. Most Americans, all they do is work, work, work. Here in Italy, a person works to provide the life – family, food, a day at the beach, maybe a dance on Friday night. The life we lead, family and friends – it’s what defines us, not our job or how much money we make…”

As my Alitalia Airbus 330 slowly descends into a hazy Beijing, I am curious if I’ll encounter a similar attitude. And for my security friends, fear not – I’ll continue to share what I learn along the way but I’ll also ask for a little indulgence. Considering my next stint of “work, work, work” is likely just over the horizon, I’ve decided to heed the cabbie’s words for now and focus a little more on il Buona Vita. Cheers! -p

Next up – A Tale of Two Walls

If you’re joining in progress and curious about my trip, start here.

 

September 8, 2017

Isle di Ponza – 21 miles off the coast in the Tyrrhenian Sea

Even the most intrepid Safari master needs a day off and today was the day. Don’t get me wrong – the museums, the antiquities, the history – I love it. But even too much of a good thing can be exhausting so before my 10 hour plane ride scheduled the following day, I decided Friday was the perfect day to escape the city and crowds. So it was off to Ponza.

It wasn’t a typical “day off” as I had to be up and out before dawn. A journey to Isle di Ponza requires a 90-minute bus trip from Rome to the western Italian port of Anzio, then a little over an hour ferry ride to Ponza, the largest of the Pontine island chain.

Bus and ferry made on time, my early start was rewarded as the boat throttled back and the Porto di Ponza came into view. I was treated to a picturesque seaside village bathed in the early morning sun, cheerily painted houses and shops in faded raspberry, pink and lemon rising steeply from the waterfront. Just down the hill curling around the harbor was a small promenade dotted with restaurants, cafes and boutiques facing the Tyrrhenian Sea.

But I didn’t come to shop or wile the day away in a seaside cafe. I came to see the rest of the island, too – to visit the Pilato caves and swim and snorkel in the coves and through grottos which can only be reached by boat.

Once off the ferry and onto a smaller excursion boat we were treated to the history and beauty of the island by our local Ponzan captain. As we passed by the Pilato caves he explained how they were excavated by hand in the 1st century BC to connect Roman villas to the rest of the island. Many of the grottos were Roman-made as well for eel farming. Occasionally to this day, statues and household objects dating back 2000 years are found by local fishermen and scuba divers around these caves and grottos.

As we motored at a leisurely pace around the island we made brief stops to swim and snorkel in water that was refreshingly cool and surprisingly salty. On two stops, the more adventurous in our small band of fellow travelers was given the opportunity to swim through grottos carved through the cliffs. We dove off the boat and swam together through these long narrow grottos as the boat made its way around to the other side of the rocky point to collect us. One of the grottos was well over 50 meters long! The scenery inside the water-caves was otherworldly and breathtaking as sunlight poked through holes under the water and turned the rocky passage into a mélange of greens, blues and turquois.

We dropped anchor around noon and enjoyed a simple, traditional Ponzan fisherman lunch of pasta with a red fish sauce cooked onboard and washed down with plenty of vino and espresso. We were even graced by a visit from the Ice Cream Boat after lunch!

As we neared the end of our circuit around the island we dropped anchor once more, this time at Moon Rock beach next to the Arco Naturale (Natural Arch). There is a tradition that suggests if you swim through the arch and make a wish, it will be granted by Neptune, Roman god of the sea. And so we did.

Ancient mythology is deeply entrenched in Ponzan culture and traditions. It is believed Homer sung of the seductive power of supernatural women who inhabited these sacred atolls. I learned Ponza is where Greek hero Odysseus, on his way back home from burning Troy, was bewitched by the sorceress Circe where she made him her slave. A silhouette of a black heart ingrained on white cliffs of the “Grotto della Maga Circe” is the prima facia evidence the islanders point to as they retell the story. Also from the Homer’s epic we know that when Odysseus passed through the Pontine islands at Ventotene, he had to plug his ears against the Sirens’ songs. Local fishermen still talk of strange fish found in their nets and drowning sailors rescued by beautiful women. Regardless of what you believe, Ponza is a mythical place, indeed!

After the return ferry (where I made another new friend named Anthony)

and then the 90-minute bus trip back into the city, a merry band of two other solo travelers and I headed to my favorite casual dinner spot a few blocks from the Colosseum to enjoy one more fine Italian meal and recount our amazing shared experience that day.

During dessert, I mentioned to Andrea (from Australia) and Vern (from Canada) that I had yet to visit the Fontana di Trevi, or Trevi Fountain and make my wish. Travel-weary after an 18-hour day but fortified by a bit of homemade limoncello we made our way through the quiet streets of Rome at midnight to the 5^th century landmark modernly made famous by the film La Dolce Vita. When we turned onto the square we found a lively little crowd much like us – not quite ready for the night to end. We counted to three, made one more wish and tossed our one-euro coins in unison.

Eighteen hours prior we were three strangers from different countries, continents and hemispheres. Yet by midnight we had become friends, laughing, sharing and creating memories in a very special place in the heart of ancient Rome.

A perfect ending to a perfect day (off)! -p

Next up: Somewhere over China

September 8, 2017

Rome. The Vatican, Forum, Colosseum and Palantine Hill.

My first full day in Rome was a marathon. I showed up 7:30 am at the Vatican to ensure I could see all the amazing art, sculpture and architecture before it was packed with humanity. A little thinking ahead armed me with a pass that permits just a limited number of people in one hour before the public opening. During the early quiet moments in the Sistine Chapel the small number of us looking up and around in awe created a very unique spiritual vibe. There was a priest who said a quick prayer and offered blessings. This was in sharp contrast to the Disney-like grumpiness I witnessed as I made my way out around noon and was stunned at the entrance line wrapped all the way around Saint Peter’s Square. On a Thursday. In September.

Back to the Chapel. Once inside, I was truly amazed. Don’t get me wrong as I’m a big fan of God but when I saw up close the paintings, sculptures and architecture of Michelangelo, merely a mortal, it’s hard not to walk away with a different sense of awe and wonder.

At age 24, he finished the Pietà. He has been quoted saying “Every block of stone has a statue inside it and it is the task of the sculptor to discover it”. At age 33 he painted the ceiling of the Sistine Chapel, in four years – by himself. Then he came back at age 61 and painted the The Last Judgment on the alter wall, again in exactly 4 years. At age 74 he designed the dome for the Basilica. What’s amazing about his art in the Sistine Chapel is it’s not just painting, but fresco paining which requires that you first apply fresh plaster, then paint on that before it dries. Imagine for over 5000 square feet looking up from a scaffolding:

Step 1: Trowel on some plaster

Step 2: Paint a masterpiece

Rinse & repeat for four straight years.

As Michelangelo was already quite busy designing a tomb for a former Pope and really didn’t have time (and as a sculptor, he truly detested painting) he struck a bargain with Pope Julius – pay me the equivalent of 1.2 million dollars (in today’s money) and give me complete artistic freedom, or in his own words, “to do as I liked”. The Pope conceded.

So as humble as he was about his sculptures, he also understood the Art of the Deal 😊

It should also be noted for the record no one has painted more naked bodies in a church before or since and there have been critics including Popes. But back in the day if you happened to be a vocal critic of Michelangelo’s work, he made sure to capture your likeness in the face of a demon of other unsavory character for all to see for hundreds of years. And we think today’s media is tough?

After the Chapel, the Vatican Museum and Saint Peter’s Basilica & Square, I was off for a traditional Roman lunch

and then on to the true Roman antiquities – the Colosseum, Palantine Hill and the Forum. As I mentioned in a previous post, the Romans were phenomenal architects, engineers and builders. But you have to see the immense size and scale of their buildings in person to truly appreciate their accomplishments. Can you see the little people under the massive free-standing arches top right? This was no McDonald’s!

I marvel how many of these structures have survived plundering, earthquakes, wars and the simple ravages of time. And again, I wonder about the course of human history if the Romans could have avoided The Fall?

Here’s the funny thing, actually on the way back from the Forum. While pondering all of this over dinner I was fortunate enough to meet a very fine barkeep/manager/energetic do-all at Le Bar in the old Colosseo district. Over conversation about our respective days, mine filled with museums, churches and antiquities, she suggested if I had the time I should get out of Rome for a day to do something different  – a true Roman holiday. I’m pretty sure she took note of my Hawaiian shirt and deftly recommended Isola di Ponza, a tiny volcanic island just off the coast in the Tyrrhenian Sea.

Good barkeeps can make a good drink. Great barkeeps, like great sales people know their customers. I would bet within a year or so she could make a million dollars selling software in Silicon Valley. But perhaps she’s already enjoying il Buona Vita, the Good Life in Rome.

Enjoy a few snaps of my day out in Rome!

 

Next up: A fine day out

If you’re joining in progress and curious about my trip, start here.

7 September, 2017 (1600 years after the Fall)

Rome, Italy

It seems Romans knew a thing or two about how to build a modern civilization and government over two thousand years ago. On the rare occasion my friends and I are having hi-brow Jeffersonian type conversation, I’ve been known to postulate the Romans would have made it to the moon before the year 1000 AD if not for a couple of circumstances:

1. They consolidated all knowledge of the Western World and most of Persia in the Library of Alexandria, Egypt. Science, medicine, literature, mathematics. Most of it was captured on papyrus. It burned to the ground in 48 BC, collateral damage of the Caesar’s siege of the city.
2. They underestimated their key adversaries – the loose confederation to the North primarily consisting of Goths, Visigoths, Vandals and other Germanic tribes – which played a key role in the fall of the empire.

Granted the Romans were some of the greatest engineers of their time and the aforementioned buildings still standing bear witness their genius and prowess. And apologies to my scholarly friends for my over simplification but what I’m suggesting is a couple of strategic mistakes put Neil Armstrong into the history books rather than someone named Claudius.

A couple of check boxes should have been part of the Caesar’s runbook:

#1 – Is our strategy sound? Do we have realistic business/government continuity plan? Have we done a proper risk assessment? What if the Library burns? Can we recover? Have we tested our plan?

#2 – Are our defenses enough to hold off adversaries? Do we understand them – is our intelligence up-to-date, accurate and actionable or do we need to think in a different way? Have we become complacent?

As I sat in the Colosseum and watched the sun set I pondered: What would Caesar think of our modern software design methodologies where mission critical programs are forced into service before they’re ready and then within a year or two they become obsolete?

My IT friends – what do you think?

Next up: A funny thing happened on the way to the Forum…

If you’re joining in progress and curious about my trip, start here.

September 6, 2017

Somewhere over the Swiss Alps

On the way from France to Rome I was introduced to a very fascinating historical tidbit regarding the French origin of the toast by Bridgette, our superb Air France flight attendant.

It seems in the 1600’s during the reign of Louis XIV, The Sun King, the toast was not just a way of celebrating but also insurance you were not getting poisoned! Apparently, you looked each other in the eye and clinked your glasses together in such a way that a little bit of wine sloshed into the goblets of your fellow celebrants thereby ensuring that if someone was trying to poison another, they would all suffer the same fate. So next time you raise a glass, remember it wasn’t just a toast at one time but also a clever life-or-death risk mitigation technique!

À Votre Santé! (and for my close friends, Tchin Tchin!)

A few pics from my last night in Paris including views from the top and bottom (and my political view, as well…) Enjoy!

 

Zero Kilometer – The center of Paris and all things in France (and the world) measured from this point

View from the top of the Eiffel Tower

Back to the Future in Paris

View of the Seine from the Tower

He went to Paris, too!

Next up: First Roman on the Moon?

If you’re joining in progress and curious about my trip, start here.

My first afternoon in Paris was spent wandering about looking for a barkeep that could give me the ins and outs of my new neighborhood. Having no luck with that idea I headed back to my flat to regroup and plan my next move. It would have been far easier to find that proverbial lost shaker of salt!

I was still hungry and went out for a bite around 7 when I came upon a sign on Rive Gauche subtly hawking a 3 hour tour on the River Seine including a three-course French meal and a bottle of Bordeaux. What’s not to like? After slogging through airports and train stations over the past few days, the hook was set and it seemed like a grand way to spend my first evening in Paris. I’ll let the pictures tell the rest of the story. Enjoy!

Next up: View from the top

If you’re joining in progress and curious about my trip, start here.

“I have never met Napoleon, but I plan to find the time.” -Steely Dan, Pretzel Logic

It’s amazing that one can hop on a train and get from London to Paris in little over two hours. It would be like going from Philadelphia to Boston or LA to Monterrey in two hours. The Eurostar is quiet, electric, comfortable and goes 200 mph. We could use a few of these in the States.

I’m staying for the next couple of days in a small flat in the 15^th arrondissment that boasts a view of the Eiffel Tower. I can now confirm with a bit of Parisienne-inspired sarcasm that everywhere in Paris is within sight of the famous landmark. As expected my windows face some direction other than Gustave Eiffel’s famous landmark. However, what I discovered upon arrival is if I walk about a block, this is the view.

I don’t know anyone in Paris (yet) but hope to do my usual bit and find a local barkeep whose English is better than my French (which I’ve been warned will be a challenge) and can give me some good advice.

Next up: Boat Drinks, part deux!

If you’re joining in progress and curious about my trip, start here.

Those of you who know me well can expect a few Jimmy Buffet song lyrics, Mark Twain-ish observations and maybe even an Oscar Wilde quote or two. It’s been a few days since I’ve had a chance to post something and maybe Twain knew a thing or two about blogging:

“If you wish to inflict a heartless and malignant punishment upon a young man, pledge him to keep a journal…” – The Innocents Abroad

For me, I just have to learn to squeeze it into my Safari-packed days!

Over the long weekend I attended two wedding parties in two different countries with both grooms named Tim – one I came to see and one I met along the way. What are the chances?

I escorted Tim (my friend in the UK) to his traditional Zambian ceremony just north of London on Saturday. One of my responsibilities was to show up in a navy-blue suit jacket – check. Well sort of…once I arrived at the ceremony I realized I left my jacket hanging on the back of a door where I was staying in Twickenham. The trip back to retrieve it was over an hour away so I had to come up with a suitable replacement quickly. I found a local TK Maxx (no misprint) found a jacket near my size and just out of my budget and the wedding was on! First stop was the men’s reception prior to the ceremony which consisted of fine drink and catering provided by Papa John’s (no misprint!)

I was deeply honored to escort him to the nuptials and there was a grand reception afterward in the traditional Zambian style.

My plan for Sunday was to go flying with my friend Wing Commander Wilkinson in his private plane (the cool part is it has a whole plane parachute if there’s a big “Houston we have a problem” problem – and it’s a single use deal at that). However, London weather was not in a cooperative mood and no parachutes were tested. Fortunately, Simon is an expert on cyber in the UK and we got time for an excellent chat with him and Tim about our shared interests with some great insights and I promise to take those notes and appropriately distill them in an upcoming post dedicated to cyber.

To round out the weekend I got to spend time with my good mate Michael in Twickenham on Sunday where he, I and his friend Martin (proud owner of a new navy blue suit jacket) shared pints, laughed and proceeded to solve the worlds problems into the wee hours of the morning.

With my weekend in Amsterdam and London concluded, rather than flying I opted for a more civilized mode of travel via the Eurostar train, under the English Channel and onto the City of Lights – Paris.

Next up – He went to Paris!

If you’re joining in progress and curious about my trip, start here.

No Safari is complete unless you do the Planes, Trains, Automobiles…and Boats!

One of the must-dos in Amsterdam is take a tour of the canals by boat. Most people don’t realize Amsterdam (meaning “Dam on the River Amstel”) is essentially a collection of 90 islands created by 165 man-made canals and linked by over 1500 bridges.

The city itself is lower than sea level and uses a system of locks to keep the water level consistent within the canal system. Viewed from the water it is one of the most scenic capital cities in all of Europe.

I got some great advice and booked a trip with Those Damn Boat Guys. These guys use small open electric powered boats holding no more than 10 passengers and encourage passengers to bring food, drink and enough to share on a 90-minute cruise through Amsterdam.

It was the highlight of my time in the city for a couple of reasons. First, I met new friends who invited me to hang out with them the rest of the evening. These guys converged in Amsterdam from points as close as a few blocks away to as far away as San Diego for their good friend Tim’s wedding in Belgium next week (Congrats, Tim!)

Oh, yeah…and I got to drive the boat!

Next up: Buffett, Twain & Wilde

If you’re joining in progress and curious about my trip, start here.

Before I forget, a few words about WOW airlines.

I was more than a little skeptical of a carrier that wanted to take me from DC to Amsterdam for $320. Long story short I was pleasantly surprised and pleased with the ride on their all purple jet. This Icelandic carrier flies brand new Airbuses sporting a cheerful, efficient crew

and got us to Reykevik for the requisite 1 hour layover and then on to Amsterdam on time. All are coach seats without much room (I couldn’t really open my laptop screen all the way) but it was a bargain all things considered and got the job done. United wanted $2400 for the same flight and would have burnt up a bunch of my FF miles in the process. I highly recommend WOW to cross the Atlantic. Just don’t plan to sleep much!

If you’re joining in progress and curious about my trip, start here.