Lies, Fables and Security Metrics

•

0 likes•96 views

This talk is meant to highlight some of the important things security professionals need to know, when creating security metrics.

Technology

Connect | Protect | Optimize
Lies
Fables
and Security Metrics

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
Biography
Vice President, Security Strategy
• 23 years in cyber security
• Expertise in program development, strategy,
measurement
• Podcaster: Down the Security Rabbithole Podcast
• Writer and public speaker

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
The Services Platform
Core
Remote
Virtual
Connect people,
business-critical
processes, and
assets to data and
customers
Protect what
matters to your
business, decrease
cyber risk and
meet compliance
requirements
Optimize your strategy
and operations to
continually evolve

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
Data Needs Meaning
Why your metrics presentations fail to deliver your point

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
cybersecurity is not absolute

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
there is always some risk

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
but…so what?

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
critical | high | medium | low

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
“arbitrary critical statistics”

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
consider the statement:

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
“we have 25mi range left”

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
what’s the rest of the story?

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
urgency without context

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
without context it’s arbitrary

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
examples of this…

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
200 new critical vulns
(a) (b) (c)

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
50% decrease in malware
(b)
(a)

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
without context – audience
makes up their own narrative

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
the lesson:

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
the board cares

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
you’re failing to communicate

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
you’re missing the
denominator

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
my 2 main types of metrics

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
trend (better/worse)

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
how is risk trending and why

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
impact (a -> b)

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
result of one or more actions

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
both are composite metrics

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
start with a goal

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
what do you want to show?

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
you may be missing data

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
don’t draw conclusions your
data doesn’t support

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
Storytelling
How to build impactful metrics that deliver the point

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
develop a narrative

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
pre-set the conclusion

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
be ready to be wrong

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
identify the denominator

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
pick the right tool
trend or impact metric

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
define your strategy

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
understand key influencers

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
identify data sources

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
collect data

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
rationalize narrative

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
is your narrative supported?

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
present your outcome

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
maintain your data set

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
refine your approach

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
Painting Masterpieces
Impactful metrics that deliver outcomes

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
tips to impactful metrics

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
reasonable

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
call to action

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
rational and explainable

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
repeatable

Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved.
stay away from BSNs

Complexity Averted.
Possibilities Realized.
www.lightstream.tech

The DoD is adopting cloud computing to improve mission effectiveness and reduce costs by consolidating duplicative IT infrastructure. The strategy establishes a phased approach to transition to a DoD Enterprise Cloud Environment including optimizing data center consolidation, establishing a cloud infrastructure, and delivering cloud services both within and outside the Department. Challenges include security, operations, and overcoming limitations for disconnected users.

Lew Short emergency response & recovery conference

Blackash Bushfire Consulting

This document discusses using information sharing and social media to build community resilience during emergencies. It notes that communities now expect immediate information and previous responses have created expectations of immediacy. Building resilience involves engaging communities through stakeholder participation, new ideas, informed decisions, empowerment, connectedness and showing how contributions make a difference. Data from surveys on bushfire responses show people rely on information from authorities to decide whether to stay or leave. The document discusses using tools like social media, mobile apps, maps and weather data to improve situational awareness and interoperability between emergency response agencies. It argues for providing information through open standards and being part of online conversations to share safety messages where communities access information.

The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf

Rafal Los

Cybersecurity Strategies for Effective Attack Surface Reduction

SecPod

An attack surface comprises of numerous vulnerable points through which an unauthorized user can gain access to the whole IT infrastructure. Minimizing the attack surface is the fundamental security strategy essential for preventing cyber attacks. To identify and remediate the potentials risks present in the organization IT assets, crucial attack surface reduction processes like vulnerability assessment, risk assessment, and risk priorization must be continuously implemented in the network. Automating these processes and managing them all from a centralized console will further reduce delays and speed up the risk mitigation process. In this webinar, you will learn - - About Attack surfaces and risks - Strategies to minimize the attack surface - Methods to speed up risk mitigation

Cybersecurity Strategies for Effective Attack Surface Reduction

SecPod

SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)

Rafal Los

The document discusses the history and evolution of vulnerability management over the decades from the 1990s to present. It outlines some unfortunate trends like overreliance on spreadsheets and a focus only on missing patches. The talk recommends taking a lifecycle approach to vulnerability management including identifying vulnerabilities across the entire attack surface, triaging findings, advising on mitigation or deferral, tracking to resolution, and reporting on progress and accountability. Prioritizing this lifecycle approach and moving beyond only patching is key to effectively managing increasing IT complexity.

Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework

Outpost24

MITRE ATT&CKcon Power Hour - November

MITRE - ATT&CKcon

1. MITRE ATT&CK provides a taxonomy of techniques used by cyber adversaries to help organizations understand the threats they face, improve detection, and increase response capabilities. 2. The presenters demonstrated how ATT&CK can be used to focus logging efforts, build a balanced security monitoring program, and evaluate new security tools based on their coverage of real-world attack techniques. 3. Tracking security program maturity against the ATT&CK framework over time can help reduce gaps, ensure priorities remain risk-based, and demonstrate progress to stakeholders.

The document discusses Ivanti's integrated IT management solutions for the "Everywhere Workplace". It introduces key Ivanti executives and solutions architects. It outlines challenges of IT complexity, security vulnerabilities, and the need for visibility, experience, responsiveness. Ivanti's approach is presented as providing discovery, management, security and service capabilities on endpoints and networks through its Neurons platform to enable these. Specific Ivanti products are also listed that address challenges across endpoint management, security, service management and more.

Software Principles and Project Deadlines Don't have to be Polar Opposites.pdf

Craig Saunders

As Software Engineers we pride ourselves to build high-quality software using the best industry practices and principles. But what happens when you’re asked to deliver a project with impossible timescales where a quick hacky solution is all that time allows. This presentation talks about such a scenario where and how we managed to achieve the right solution but also met the business deadline. In addition, it talks briefly about the key principles we followed to achieve this feat.

CHAPTER 1Risk Management FundamentalsCopyright © 202

EstelaJeffery653

CHAPTER 1 Risk Management Fundamentals Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com. Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Learning Objective(s) and Key Concepts Describe the components of and approaches to effective risk management in an organization. Risk and its relationship to threat, vulnerability, and asset loss Classifying business risk in relation to the seven domains of a typical IT infrastructure Risk identification techniques Risk management process Strategies for handling risk Learning Objective(s) Key Concepts Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com What Is Risk? Risk: The likelihood that a loss will occur; losses occur when a threat exposes a vulnerability that could harm an asset Threat: Any activity that represents a possible danger Vulnerability: A weakness Asset: A thing of value worth protecting Loss: A loss results in a compromise to business functions or assets. Tangible Intangible Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Risk-Related Concerns for Business Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Compromise of business functions Compromise of business assets Driver of business costs Profitability versus survivability Threats, Vulnerabilities, Assets, and Impact Threats can be thought of as attempts to exploit vulnerabilities that result in the loss of confidentiality, integrity, or availability of a business asset: Confidentiality: Preventing unauthorized disclosure of information Integrity: Ensuring data or an IT system is not modified or destroyed Availability: Ensuring data and services are available when needed Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Vulnerabilities Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com A vulnerability is a weakness A loss to an asset occurs only when an attacker is able to exploit the vulnerability Vulnerabilities may exist because they’ve never been corrected Vulnerabilities can also exist if security is weakened either intentionally or unintentionally Assets Tangible value is the actual cost of the asset: Computer systems—Servers, desktop PCs, and mobile computers Network components—Routers, switches, firewalls, and any other components necessary to keep the network running Software applications—Any application that can be installed on a computer system Data—Includes large-scale databases and the data used and manipulated by each employee or customer The intangible value cannot be measured by cost, such as client confidence or company reputation: Future lost revenue—Any purchases customers make with another company are a loss to the company Cost of gaining th ...

How Adopting the Cloud Can Improve Your Security.

martin_lee1969

The document discusses how adopting cloud computing can improve security for organizations. Some key security benefits of the cloud include providers having greater expertise and resources dedicated to security, the ability to automatically scale security capabilities with demand, and incentives for providers to maintain strong security given their business model relies on customers trusting the security of their systems. However, security concerns remain a top adoption barrier, though targeted attacks are still relatively rare. The document provides guidance on how to evaluate cloud providers and ensure they can meet an organization's security requirements.

Optimizing Security Velocity in Your DevSecOps Pipeline at Scale

Denim Group

Businesses are driving development teams to build, test and deliver app innovations faster and faster, while attackers continue to grow in sophistication and complexity. To protect the business, dev and security teams are deploying multiple app/network/OSS security testing tools, internal & 3rd party manual assessments, and other processes which in turn drives an exponential spike in volume of issues to analyze, correlate, triage, route and repair. Facing this data deluge, DevSecOps teams are turning to automation of mobile app security testing and orchestration of vulnerability management for speed and scale. Join Brian Reed, Chief Mobility Officer of NowSecure and Dan Cornell, Co-Founder and CTO of Denim Group in this best practices session to learn how to drive efficiencies in team and pipeline performance at scale.

Edgescan 2022 Vulnerability Statistics Report

Eoin Keary

2022 Vulnerability Statistics Report.pdf

ssuserc3d7ec1

This document provides statistics on vulnerabilities from assessments performed in 2021 using the Edgescan platform. It finds that 20.4% of full stack vulnerabilities were high or critical risk. Web applications had more critical vulnerabilities but also more low risk issues than the network layer. The average time to remediate vulnerabilities across the full stack was 57.5 days, with critical issues taking longer to fix on the web application/API layer (47.6 days) than the device/host layer (61.4 days). Industries like healthcare had shorter remediation times than public administration and manufacturing. The report aims to demonstrate the state of security based on Edgescan's vulnerability assessments and identify trends.

Digital Cyber Risk Security Malaysia.pptx

Philip Irode; CISA,CRISC,CISM, CBCI & ITIL v3.

This document discusses cybersecurity initiatives in Malaysia. It outlines Malaysia's strategy to enhance cybersecurity through five pillars: effective governance; strengthening legal frameworks; catalyzing innovation; capacity and capability building; and global collaboration. It also summarizes the vision and mission of CyberSecurity Malaysia and the Digital Forensics Research and Services center to develop a safer cyber ecosystem through research, education, and public awareness programs. Finally, it stresses the need for innovative, adaptive cybersecurity approaches and public-private partnerships to address evolving cyber threats.

CyberDen 2020

Fahad Al-Hasan

One afternoon. Nine pitches. Who will get your 'investment'? Enter the CyberDen and take your place in the dragon's seat. We're sending in eight leading cyber security vendors who will pitch their solutions to try and pique your interest. We've rounded up some of the biggest names in the industry and exciting new players to provide you with an informative and relaxed afternoon. The RSA Vaults act as the perfect setting to make you feel like you're stepping in the den. You can then vote to 'invest' in the pitches that impress you or excite your interest.

One login enemy at the gates

Eoin Keary

This document discusses the failure of traditional vulnerability management and proposes a more effective approach. It argues that vulnerability management needs to be continuous, accurate, integrated across the full technology stack, and augmented with human expertise. Traditional approaches relying solely on automated scans are not keeping pace with rapid technology changes and the sophisticated techniques used by attackers. An effective vulnerability management program requires continuous visibility, automated patching of known issues, secure development practices, and vigilance in detecting new vulnerabilities through a combination of tools and human review.

Edgescan vulnerability stats report 2020

Eoin Keary

neXt Curve reThink: What Meltdown & Spectre Mean for IoT Past, Present & Future?

Leonard Lee

Journey to the Perfect Application: Digital Transformation During a Crisis

Aggregage

In most cases, the COVID-19 crisis has sped up the desire to engage in digital transformation for medium-to-large scale enterprises. Roadmaps are rarely implemented without challenges. During this session, MK Palmore, the Field CSO (Americas) for Palo Alto Networks and a former public-sector executive, will walk through the difficulties of crisis planning execution in the midst of an organization's digital changes. He will use a combination of industry insights through statistical observations and direct customer feedback to emphasize the importance of adopting new technologies to battle an ever changing threat landscape.

Bhagvan Kommadi [Value Momentum] | TeleHealth Platform: DevOps-Based Progress...

InfluxData

TeleHealth Platform: DevOps-Based Progressive Delivery The talk covers a real-life experience related to building a DevOps Delivery-powered AI platform for doctors’ community and telehealth support for patients during COVID-19 lockdown. The doctors’ community interacts related to cases and triage for different patient cases. They can extend telehealth support using medical practice management solutions. Patients can order medicines online through integrated pharmacies on the platform. AI Platform has digital, voice, and knowledge assistants to provide information to the doctor. DevOps is enabled using Jenkins on AWS which helps in continuous integration and progressive delivery of features to Mobile and web apps (Apple & Google app stores). Historical data is used for predictive analytics by the machine learning platform. The platform helps healthcare enterprises: 1. Deploy voice tech to facilitate clinical documentation 2. Reduce physicians’ administrative burden 3. Increase patient volume and billable revenue 4. Eliminate transcription costs 5. Use voice to increase touchpoints and increase patient engagement.

The 2018 Threatscape

Peter Wood

Cyber Security at CTX15, London

John Palfreyman

The document discusses cyber security, cyber crime, and the rise of smartphones and social media. It covers topics such as the changing technology and business landscape including cloud, mobile, big data/analytics, and social business. It also discusses the challenges posed by smartphones, social media, and the "bring your own device" trend in enterprises. The document advocates for a smarter approach to cyber security that balances technical and people mitigations and emphasizes risk management. It also discusses the future of contextual, adaptive security.

Energy Industry Organizational Strategies to Increase Cyber Resiliency

EnergySec

Presented by: Julie Soutuyo, Tennessee Valley Authority Abstract: Over the past 40 years, the energy industry has evolved to a position of dependence upon information technology to accomplish its mission. Cyber attacks have become a “way of life”; as the Nation, industry, organizations, and individuals strive to operate safely and securely in cyberspace. Most rely on a compliance-based “whack-a-mole”; approach to cyber defense which presents multiple barriers to hackers, based on the last attack, with efforts to “hit” any that get inside the organization’s defenses. While still valid, this compliance-based approach has significant challenges: stopping intruders, mitigating the problems they create, and positioning an organization to achieve its mission under a cyber attack. Cyber experts across the Nation are increasingly turning to resiliency as a means for fighting through these attacks with the objective of meeting operational and mission requirements in spite of the attacks. This shift is driving organizations to rethink their organizational structures to achieve unity of effort and streamlined decision-making in the face of a fast paced set of operational demands. This presentation will highlight the strategies to promote a cyber resilient organization.

cyberready-solutions

Noah Kline

Booz Allen has developed a comprehensive approach to help clients address the challenge of increasingly sophisticated cyber threats from a variety of actors. Their approach provides real-time, actionable insight about threats to clients' enterprises internally, externally, globally, and socially so they can take action to manage risks and protect assets. Booz Allen's integrated intelligence to operations lifecycle combines anticipatory threat intelligence with security resources and risk mitigation to proactively protect clients inside and outside the firewall across their enterprises.

edgescan vulnerability stats report (2019)

Eoin Keary

w-cyber-risk-modeling Owasp cyber risk quantification 2018

Open Security Summit

This document describes Focal Point's cyber risk quantification services for insurance underwriting. It outlines a four-step roadmap for measuring an organization's cyber risk profile to inform insurance strategies. The first step leverages an organization's existing NIST Cybersecurity Framework assessment. The second step involves further evaluating cyber risks through an online self-assessment or deeper evaluation. The third step uses Monte Carlo modeling to measure potential cyber loss scenarios. The fourth step provides insights to define an appropriate risk strategy and optimize insurance coverage, limits, and deductibles. The document argues this approach helps organizations better understand cyber risks, prioritize mitigation options, and make informed decisions about cyber insurance.

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Irrational But Effective - Applying Parenthood Lessons to Cyber Security

Rafal Los

Similar to Lies, Fables and Security Metrics

Noi siamo Ivanti: più forti insieme!

Ivanti

Software Principles and Project Deadlines Don't have to be Polar Opposites.pdf

Craig Saunders

EstelaJeffery653

How Adopting the Cloud Can Improve Your Security.

martin_lee1969

Optimizing Security Velocity in Your DevSecOps Pipeline at Scale

Denim Group

Edgescan 2022 Vulnerability Statistics Report

Eoin Keary

2022 Vulnerability Statistics Report.pdf

ssuserc3d7ec1

Digital Cyber Risk Security Malaysia.pptx

Philip Irode; CISA,CRISC,CISM, CBCI & ITIL v3.

CyberDen 2020

Fahad Al-Hasan

One login enemy at the gates

Eoin Keary

Edgescan vulnerability stats report 2020

Eoin Keary

neXt Curve reThink: What Meltdown & Spectre Mean for IoT Past, Present & Future?

Leonard Lee

Journey to the Perfect Application: Digital Transformation During a Crisis

Aggregage

Bhagvan Kommadi [Value Momentum] | TeleHealth Platform: DevOps-Based Progress...

InfluxData

The 2018 Threatscape

Peter Wood

Cyber Security at CTX15, London

John Palfreyman

Energy Industry Organizational Strategies to Increase Cyber Resiliency

EnergySec

cyberready-solutions

Noah Kline

edgescan vulnerability stats report (2019)

Eoin Keary

w-cyber-risk-modeling Owasp cyber risk quantification 2018

Open Security Summit

Similar to Lies, Fables and Security Metrics (20)

Noi siamo Ivanti: più forti insieme!

Software Principles and Project Deadlines Don't have to be Polar Opposites.pdf

How Adopting the Cloud Can Improve Your Security.

Optimizing Security Velocity in Your DevSecOps Pipeline at Scale

Edgescan 2022 Vulnerability Statistics Report

2022 Vulnerability Statistics Report.pdf

Digital Cyber Risk Security Malaysia.pptx

CyberDen 2020

One login enemy at the gates

Edgescan vulnerability stats report 2020

neXt Curve reThink: What Meltdown & Spectre Mean for IoT Past, Present & Future?

Journey to the Perfect Application: Digital Transformation During a Crisis

Bhagvan Kommadi [Value Momentum] | TeleHealth Platform: DevOps-Based Progress...

The 2018 Threatscape

Cyber Security at CTX15, London

Energy Industry Organizational Strategies to Increase Cyber Resiliency

cyberready-solutions

edgescan vulnerability stats report (2019)

w-cyber-risk-modeling Owasp cyber risk quantification 2018

More from Rafal Los

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Irrational But Effective - Applying Parenthood Lessons to Cyber Security

Rafal Los

Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...

Rafal Los

Losing battles, winning wars

Rafal Los

When it comes to intrusions and breaches, most security teams take a short-game view. This means that they look at events as discrete and individual and focus efforts on short-term goals. While not universally detrimental, this view does harm the overall security of an organization in the "long game”. Additionally, “active defense” has been hopelessly confused by marketing hype even though its meaning is powerful to security’s operational goals. This talk focuses on how enterprise security defenders can adjust their mindset, refocus, and beat adversaries by leveraging active defense over the long game. The basis of this talk is the extensive research done in support of the threat intelligence solution blueprint, a comprehensive guide to understanding, architecting, operationalizing and maturing a threat intelligence program.

5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013

Rafal Los

Operationalizing Security Intelligence [ InfoSec World 2014 ]

Rafal Los

Operationalizing security intelligence for the mid market - Rafal Los - RSA C...

Rafal Los

The document discusses operationalizing security intelligence for mid-market companies. It defines security intelligence as the collective activities and artifacts that enable intelligence-driven security decisions. It outlines the key requirements for security intelligence as high-quality internal and external data, well-defined internal processes, qualified personnel, and integrated technology solutions. The goal is to help mid-market companies develop the capabilities to more effectively detect, respond to, and resolve security incidents.

Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...

Rafal Los

Cloud Security Alliance- Challanges of an elastic environment v8a [public]

Rafal Los

This document discusses cloud security from the perspectives of both cloud service consumers and providers. For consumers, it examines questions around the security of the cloud provider, assurances and transparency, resilience of services, and compliance. For providers, it considers how to deliver security across infrastructure, platform and software as a service models, provide assurance to customers, determine appropriate security measures, manage liabilities and risks, and address compliance needs. The document also notes challenges that are keeping some enterprises from fully adopting cloud services such as immature security models, migration difficulties, lack of transparency, absence of compliance mechanisms, and fear of vendor lock-in.

Threat modeling the security of the enterprise

Rafal Los

Making Measurable Gains - Contextualizing 'Secure' in Business

Rafal Los

What does ‘secure’ mean? Many security professionals work in information security for a large portion of their careers without ever being able to contextualize what they contribute to the businesses they work for - a crying shame. Being able to make sense of all the security-related process changes, widgets, technology and testing is critical to not only being successful at changing the mindset and culture of your business - but to actually making a lasting long-term impression. The only way to do this is to find ways to add business-context to security metrics - creating pseudo-business/security KPIs. This talk focuses not on how to ‘hack’ but how to effectively protect… and to make it relevant to your business so that it matters.

Security BSides Atlanta - "The Business Doesn't Care..."

Rafal Los

Software Security Assurance - Program Building (You're going to need a bigger...

Rafal Los

This document outlines a 5-step approach to establishing a Software Security Assurance program: 1) Conduct an assessment of capabilities, resources, assets, and organization. 2) Develop a resource strategy and plan based on assessment. 3) Build intelligent processes that leverage existing processes and accommodate business needs. 4) Implement processes strategically and augment with automation technologies. 5) Continuously measure business impact and reassess goals as business priorities change.

The Future of Software Security Assurance

Rafal Los

Defying Logic - Business Logic Testing with Automation

Rafal Los

It proposes a 3-phase framework: 1) Model valid business processes by monitoring normal user behavior. 2) Manipulate workflows by modifying states and transactions. 3) Analyze results to detect deviations from expected behavior, indicating potential logic defects. The goal is to overcome challenges of testing application logic, which is hard to define, domain-specific, and lacks consistent patterns. A demo is provided as a proof of concept for how such a framework could work. Contributions to further the research are welcomed.

Ultimate Hack! Layers 8 & 9 of the OSI Model

Rafal Los

Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)

Rafal Los

Oh No They Didn't! 7 Web App Security Stories (v1.0)

Rafal Los

The QA Analyst's Hacker's Landmark Tour v3.0

Rafal Los

Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2

Rafal Los

More from Rafal Los (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Irrational But Effective - Applying Parenthood Lessons to Cyber Security

Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...

Losing battles, winning wars

5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013

Operationalizing Security Intelligence [ InfoSec World 2014 ]

Operationalizing security intelligence for the mid market - Rafal Los - RSA C...

Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...

Cloud Security Alliance- Challanges of an elastic environment v8a [public]

Threat modeling the security of the enterprise

Making Measurable Gains - Contextualizing 'Secure' in Business

Security BSides Atlanta - "The Business Doesn't Care..."

Software Security Assurance - Program Building (You're going to need a bigger...

The Future of Software Security Assurance

Defying Logic - Business Logic Testing with Automation

Ultimate Hack! Layers 8 & 9 of the OSI Model

Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)

Oh No They Didn't! 7 Web App Security Stories (v1.0)

The QA Analyst's Hacker's Landmark Tour v3.0

Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2

Recently uploaded

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Uni Systems S.M.S.A.

Columbus Data & Analytics Wednesdays - June 2024

Jason Packer

Serial Arm Control in Real Time Presentation

tolgahangng

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Safe Software

Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency. During the hour, we’ll take you through: Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board. Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes. Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI. We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI. This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!

National Security Agency - NSA mobile device best practices

Quotidiano Piemontese

UI5 Controls simplified - UI5con2024 presentation

Wouter Lemaire

Presentation of the OECD Artificial Intelligence Review of Germany

innovationoecd

Fueling AI with Great Data with Airbyte Webinar

Zilliz

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

akankshawande

June Patch Tuesday

Ivanti

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

“I’m still / I’m still / Chaining from the Block”

Claudio Di Ciccio

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Speck&Tech

ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune. Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile. BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).

Mind map of terminologies used in context of Generative AI

Kumud Singh

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/ DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen! Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell. Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten. Diese Themen werden behandelt - Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten - Wie funktionieren CCB- und CCX-Lizenzen wirklich? - Verstehen des DLAU-Tools und wie man es am besten nutzt - Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw. - Praxisbeispiele und Best Practices zum sofortigen Umsetzen

Building Production Ready Search Pipelines with Spark and Milvus

Zilliz

UiPath Test Automation using UiPath Test Suite series, part 6

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI. UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities. Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes. What will you get from this session? 1. Insights into integrating generative AI. 2. Understanding how this integration enhances test automation within the UiPath platform 3. Practical demonstrations 4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath Topics covered: What is generative AI Test Automation with generative AI and Open AI. UiPath integration with generative AI Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Best 20 SEO Techniques To Improve Website Visibility In SERP

Pixlogix Infotech

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

名前です男

Recently uploaded (20)

20240607 QFM018 Elixir Reading List May 2024

Artificial Intelligence for XMLDevelopment

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Columbus Data & Analytics Wednesdays - June 2024

Serial Arm Control in Real Time Presentation

Driving Business Innovation: Latest Generative AI Advancements & Success Story

National Security Agency - NSA mobile device best practices

UI5 Controls simplified - UI5con2024 presentation

Presentation of the OECD Artificial Intelligence Review of Germany

Fueling AI with Great Data with Airbyte Webinar

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

June Patch Tuesday

“I’m still / I’m still / Chaining from the Block”

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Mind map of terminologies used in context of Generative AI

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

Building Production Ready Search Pipelines with Spark and Milvus

UiPath Test Automation using UiPath Test Suite series, part 6

Best 20 SEO Techniques To Improve Website Visibility In SERP

Lies, Fables and Security Metrics

1. Connect | Protect | Optimize Lies Fables and Security Metrics

2. Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved. Biography Vice President, Security Strategy • 23 years in cyber security • Expertise in program development, strategy, measurement • Podcaster: Down the Security Rabbithole Podcast • Writer and public speaker

3. Complexity Averted. Possibilities Realized. © 2021 Lightstream Communications. All rights reserved. The Services Platform Core Remote Virtual Connect people, business-critical processes, and assets to data and customers Protect what matters to your business, decrease cyber risk and meet compliance requirements Optimize your strategy and operations to continually evolve

49.

57. Complexity Averted. Possibilities Realized. www.lightstream.tech

Lies, Fables and Security Metrics

Recommended

Recommended

More Related Content

Similar to Lies, Fables and Security Metrics

Similar to Lies, Fables and Security Metrics (20)

More from Rafal Los

More from Rafal Los (20)

Recently uploaded

Recently uploaded (20)

Lies, Fables and Security Metrics