• It’s not about the technology

    Excluding phones or tablets, I have four video cameras in total. A flip cam, a DSLR, a mirrorless camera and an action camera, the Drift HD Ghost.

    Surprisingly, despite having a ton of really cool features in my other cameras, particularly the DSLR, I most frequently find myself reaching for my Drift.

    It’s a rugged, but basic camera, has a fish-eye lens and that’s pretty much it. Aperture, shutter speed, ISO… none of that matters.

    For all intents and purposes, one could say it’s a useless camera for making any video of significance. Unless you’re one of those crazy kids who likes to strap a camera to your forehead and then illegally climb cranes to hang from them with no safety harness. In which case it makes a pretty good case study on the reckless arrogance of youth.

    In this short video I highlight a few of the memories I’ve been able to capture with this little camera, ranging from cycling, driving, days out with the family, holidays, conferences and a bunch of other activities.

    The long-winded point that I’m trying to make is that the camera itself means very little when it comes to making a short video or telling a story. That’s all done by making sure you capture the shots to begin with and then stitching a narrative together in the edit.

    You could give the best camera in the market to someone, but if they don’t have the mindset of capturing the right shots to edit later, then they’ll give you something that may as well have been shot on a potato.

    The same holds true in information security. There is an almost blind race to go and buy the latest and greatest bit of security kit, with little or no thought given to how it will be used or whether it is indeed appropriate for the organisation’s needs.

    The ugly underbelly of this is that there are lots of people who are very good at using, or even creating, tools and technologies, but who mistakenly believe the tool itself will solve all problems.

    For example, there are certain tools that will keep you private or anonymous on the internet. Encryption, Tor, Tails, etc. all come up when speaking of maintaining online security. However, these tools are just that – tools. Users themselves need to be educated in how to think and act in a more secure manner: what information is actually fine to share, and what should never be shared even with the protection of tools.

    Many enterprises experience buyer’s remorse for this very reason. It’s not that enterprises shouldn’t invest in tools. But why invest in a SIEM when all you really need is a log management system?

    Before investing in any tool or equipment, it makes sense to evaluate whether the lack of desired results really is down to the lack of tools, or whether it lies elsewhere. I know that if I had spent some time attending a video editing course, I would have probably avoided making some software purchases. Or bought fewer cameras.

    This checklist of questions to ask yourself before investing in a tool may help:

    1. Why
    Are you clear on the reason why a particular product is being purchased? Does it align with your business needs? Is it actually a technology problem, or can it be solved by simply changing some internal processes?

    2. Stakeholder support
    Stakeholders should be engaged early and often. C-level acceptance should be as wide as possible and there should be a mutual acknowledgement of the security value that the product will provide.

    3. Deployment plan
    Do you have a detailed deployment plan prior to acquiring the product? Better results are often achieved via a phased approach that enables only a subset of features to begin with. Once it’s tested and proven, the scope and capabilities can be extended.

    4. Out with the old
    If you’re buying something to replace older or ageing technology, you should have a plan to retire the old technology and its associated business processes.

    5. Verify product capabilities
    Undertake a proof of concept or trial within your own environment to evaluate product capabilities outside of a test lab. Only then will you truly understand whether the product is an appropriate fit.

    6. Negotiate
    Do negotiate with your provider, not only on cost but also with regard to the training or support provided. Jeremiah Grossman recently wrote a good post on getting good deals from your security vendor.

    7. Do your homework
    This is a point that cannot be stated enough. Don’t just listen to one point of view to form your opinion. There are many hidden costs and challenges associated with acquiring, deploying and using any security product. Additional staffing requirements or training, among other things, are often overlooked.

    Network with peers at conferences or online forums. Read independently written reports, reviews and blogs. Make sure you’re fully aware of what you’re committing to.

    There you have it: what started out as a nostalgic look at my 3-year-old Drift HD Ghost has turned into 7 questions to ask yourself before buying a security tool.

  • How to have an epic RMISC experience

    I made a short video on how to make the most of your time if you ever find yourself in Denver, CO for the Rocky Mountain Information Security Conference.

    Of course, any conference experience is a lot more fun if you have some friends.

    Which reminds me of a simple tip my friend Scot Thomas gave me at Defcon about 3 years ago.

    I was walking down the corridor and saw Scott sitting on a bench, so I stopped to say hello and sat down next to him. I asked how things were going and he let out a slight sigh and motioned to the people walking past. He said that a lot of people seemed to be in a competition to quickly say hello to as many people as possible. Literally a quick handshake and exchange of pleasantries before going off to repeat the 30-second ritual with someone else.

    Those Jerry Maguire words stuck with me, and I’ve found that simply stopping to have a 10-15 minute conversation with one person, or grabbing coffee with 2 or 3 people, can lead to a far better interaction. You get to understand what others work on, their experience, knowledge, etc.

    Ultimately, it boils down to what your objective is when attending a conference. For some people, attending talks or workshops is all they require. Myself, I value the networking opportunities and getting to meet and know other people. Others just want to attend the parties and collect swag… I guess there’s something for everyone.