Starting Up Security
Guides for the growing security team
Managing a quarterly security review
Managing a quarterly security review
I like an approach that combines my favorite quarterly review practices I’ve been exposed to. Here’s the general meeting structure:
Lessons from the SEC’s Lawsuit against SolarWinds and Tim Brown
Lessons from the SEC’s Lawsuit against SolarWinds and Tim Brown
A few days ago, the SEC filed a lawsuit against SolarWinds and their CISO that shares some similarities with the blameless post-mortem of…
Vulnerability Management: You should know about EPSS
Vulnerability Management: You should know about EPSS
The Exploit Prediction Scoring system (EPSS) is great. You might like it, too, if you deal with large amounts of vulnerabilities.
Talking about risk with thresholds 🔥
Talking about risk with thresholds 🔥
Imagine you encounter a fire in the woods. You’d instinctively decide to do one of two things:
A blameless post-mortem of USA v. Joseph Sullivan
A blameless post-mortem of USA v. Joseph Sullivan
Our industry deserves a complete retrospective into the incidents behind the criminal case against Uber’s former Chief Security Officer.
Endpoint Security: Intuition around the Mudge Disclosures
Endpoint Security: Intuition around the Mudge Disclosures
The Mudge disclosures bring up specific pain points around how endpoint security is measured and communicated and what baselines are…
Classifying types of “Security Work”
Classifying types of “Security Work”
Applying the types of work from The Phoenix Project to security
A key performance indicator for infosec organizations
A key performance indicator for infosec organizations
Using probabilistic risk KPIs to direct complex risk engineering efforts.
Measuring “In the Wild” Exploitation
Measuring “In the Wild” Exploitation
Exploring our security expectations across browsers.
Forecasting NPM Advisories
Forecasting NPM Advisories
This forecasting essay describes the likelihood of a malicious NPM package being introduced into a javascript development environment.
Forecasting a headline risk: NetSpectre
Forecasting a headline risk: NetSpectre
Understanding short term likelihood of an in-the-wild attack.
How to measure risk with a better OKR.
How to measure risk with a better OKR.
I’ve become a big fan of the Objective and Key Result (OKR) at companies that take them seriously. I’ll describe an opinionated method that…
On Attribution: Avoiding “We Got ‘Em”
On Attribution: Avoiding “We Got ‘Em”
Consensus and quantitative rigor for complex intelligence efforts.
Measuring a red team or penetration test.
Measuring a red team or penetration test.
Quantifying “success” after an “unsuccessful” red team.
Learning from California’s Data Breaches
Learning from California’s Data Breaches
Trends found within every CA breach notification in 2017.
Learning From Security Breaches in 2017
Learning From Security Breaches in 2017
Read last year’s summary here for 2016.
Killing “Chicken Little”: Measure and eliminate risk through forecasting.
Killing “Chicken Little”: Measure and eliminate risk through forecasting.
View the “Risk Forecasting” presentation on GitHub.
The “five factors” used to secure systems.
The “five factors” used to secure systems.
Common patterns that security teams use to mitigate risk.
Communicating risk across complex teams
Communicating risk across complex teams
Using threat modeling techniques for organizational risk planning.
An Infrastructure Guide for Founders
An Infrastructure Guide for Founders
How to avoid security debt with early AWS design patterns.
Understanding the Security Questionnaire
Understanding the Security Questionnaire
A customer wants to know about your startup’s security practices