Ryan McGeehan

2.7K Followers

Home

About

Published in

Starting Up Security

·Nov 9

Follow-Up: SolarWinds Response to SEC Lawsuit

SolarWinds has responded on their blog regarding the SEC’s lawsuit against them following their breach. Here is some analysis: I wrote about lessons drawn from the SEC’s complaint a few days ago, and this essay discusses SolarWinds’ response. 1. The blog post makes no mention of SDL, which is an…

SEC

2 min read



Published in

Starting Up Security

·Nov 6

Lessons from the SEC’s Lawsuit against SolarWinds and Tim Brown

A few days ago, the SEC filed a lawsuit against SolarWinds and their CISO that shares some similarities with the blameless post-mortem of the case against Joe Sullivan I wrote around this time last year. I took the time to give the complaint a thorough read. As usual, I am…

Security

10 min read



Published in

Starting Up Security

·Oct 9

Vulnerability Management: You should know about EPSS

The Exploit Prediction Scoring System (EPSS) is great. You might like it, too, if you deal with large amounts of vulnerabilities. The Hand-Wavy Explanation The EPSS model spits out a probability of a CVE being exploited in the wild within 30 days. Give the model a CVE, and we return the probability of…

Risk Management

7 min read



Aug 24

Beyond Controls: The Power of Risk Scenarios

Scenarios are an underappreciated way to model infosec risk. A scenario is simply a future, consequential event you write to express a risk you’re concerned about. I’ve found that scenarios are flexible, creative, powerful, and rich with neat features. …

Security

6 min read



Published in

Starting Up Security

·Mar 20

Talking about risk with thresholds 🔥

Imagine you encounter a fire in the woods. You’d instinctively decide to do one of two things: Kick dirt on the fire. or… Call for help! Of course, this depends on the size of the fire. What size threshold changes how you’ll act? This essay is about openly acknowledging these…

Security

3 min read



Published in

Starting Up Security

·Dec 8, 2022

A blameless post-mortem of USA v. Joseph Sullivan

Our industry deserves a complete retrospective into the incidents behind the criminal case against Uber’s former Chief Security Officer. We need more than opinions about an individual’s guilt. Those who have been around long enough know that positive change is most efficient with a clear and blameless retrospective (1, 2)…

Security

32 min read



Published in

Starting Up Security

·Aug 24, 2022

Endpoint Security: Intuition around the Mudge Disclosures

The Mudge disclosures bring up specific pain points around how endpoint security is measured and communicated and what baselines are acceptable. This is a valuable launching point for discussing the intuition behind endpoint security overall for those of us growing security programs. The first is endpoint coverage. At issue for…

Mudge

7 min read



Nov 15, 2021

How to estimate legal costs from a data breach.

We need budget and headcount to mitigate risks. Larger risks should encourage more resources towards mitigation efforts. Legal costs are a wild area of costs… along with costs to the business and regulatory risks. A better understanding of legal uncertainties will help encourage mitigations that avoid them. The legal costs following…

Security

10 min read



May 31, 2021

Troubles with quantified risk

Risk quantification can be confusing and derailing to groups and decision makers. The following points are areas of pain when working with quantitative models with others. These areas of friction cause bad experiences, and bad experiences change our approaches in the future. We’ll talk about the following topics: Security return-on-investment…

Risk

10 min read



Nov 20, 2020

A risk decomposition walkthrough

This is a method I’ve used to help frame and model cybersecurity risks over the past few years. It helps organize a lot of complexity when dealing with a large organization. This method uses forecasts, scenarios, multiplication and addition. As all risk modeling goes, this has more to do with…

7 min read



Writing about risk, security, and startups at scrty.io
