Published inStarting Up SecurityPrioritizing Detection EngineeringDetection Engineering is a concept that has emerged in the detection space. It acknowledges the complexity of a detection stack and the…Sep 101Sep 101
Published inStarting Up SecurityManaging a quarterly security reviewI like an approach that combines my favorite quarterly review practices I’ve been exposed to. Here’s the general meeting structure:Aug 14Aug 14
Published inStarting Up SecurityFollow-Up: SolarWinds Response to SEC LawsuitSolarWinds has responded on their blog regarding the SEC’s lawsuit against them following their breach. Here is some analysis:Nov 9, 2023Nov 9, 2023
Published inStarting Up SecurityLessons from the SEC’s Lawsuit against SolarWinds and Tim BrownA few days ago, the SEC filed a lawsuit against SolarWinds and their CISO that shares some similarities with the blameless post-mortem of…Nov 6, 2023Nov 6, 2023
Published inStarting Up SecurityVulnerability Management: You should know about EPSSThe Exploit Prediction Scoring system (EPSS) is great. You might like it, too, if you deal with large amounts of vulnerabilities.Oct 9, 20231Oct 9, 20231
Beyond Controls: The Power of Risk ScenariosScenarios are an underappreciated way to model infosec risk. A scenario is simply a future, consequential event you write to express a risk…Aug 24, 20231Aug 24, 20231
Published inStarting Up SecurityTalking about risk with thresholds 🔥Imagine you encounter a fire in the woods. You’d instinctively decide to do one of two things:Mar 20, 20231Mar 20, 20231
Published inStarting Up SecurityA blameless post-mortem of USA v. Joseph SullivanOur industry deserves a complete retrospective into the incidents behind the criminal case against Uber’s former Chief Security Officer.Dec 8, 20221Dec 8, 20221
Published inStarting Up SecurityEndpoint Security: Intuition around the Mudge DisclosuresThe Mudge disclosures bring up specific pain points around how endpoint security is measured and communicated and what baselines are…Aug 24, 2022Aug 24, 2022
How to estimate legal costs from a data breach.We need budget and headcount to mitigate risks. Larger risks should encourage more resources towards mitigation efforts.Nov 15, 2021Nov 15, 2021