Very nice, James. An additional obstacle may be regulatory in nature. As well as an opportunity, of course, if flows can be made to satisfy regulatory barriers and requirements. I'm thinking in terms of 'boundary' crossing when it comes to certain kinds of data in certain industries.

Photo by Satwinder Singh on Unsplash

Along with many, I’ve found David Bianco’s Pyramid of Pain to be a really useful rubric to understand breaches. It’s held up really well over the years (circa 2013!) and across a myriad of incidents. This is partially due to its simplicity: at a glance, defenders have an understanding of how their tooling and indicators align with the pyramid’s tranches, which correspond to the components of an attacker’s stack.

More importantly, it communicates how defenders can alter the calculus for attackers targeting their environment. By optimizing for detection of signatures and patterns at the top of the pyramid…

Time appreciation, asking the right questions, undigitize, scoping… a partial recipe for success

A Hackathon, maybe? :) Photo by Alex Kotliarskyi on Unsplash

I’ve had the chance to attend a few hackathons over the past few years either as a mentor, volunteer, or sponsor. This past weekend I was at UCLA for LAHACKS, a huge hackathon focused on social innovation held every year. Hackathons are gatherings of people who spend a short time solving problems in teams and are sometimes competitive. Typically, it means building something (hardware, software, anything really) that addresses a need. Hacks can be pretty broad with little guidance provided other than the assessment criteria organizers establish to determine the winning teams (if any, they aren’t always competitive and don’t…

This month’s House Oversight & Government Committee report about the Equifax data breach is worthwhile reading for cybersecurity practitioners. The ~100 page document is instructional with implications across the gamut of security functions: compliance and governance, crypto, DFIR, vulnerability management and remediation, and so on. While some of the shortcomings that led to the breach are highly contextual and specific to Equifax, one can still derive lessons that apply more broadly to organizations in any industry. To that end, I’ve made a few observations with red teaming, governance, and general sound practice in mind.

For Red Teamers

No one can say for certain…

I recently delivered a presentation to members of ISACA’s Toronto Chapter. I’ve taken the research and feedback from the talk to draft an article about the implementation and management of a risk register. Thank you to those who attended, and I look forward to readers’ views in the comments!


Risk has taken on new meaning in recent years. Additional sources of risk, threats, and changes in the regulatory landscape impact businesses (and their consumers) in a myriad of ways not thought possible just five years ago. For example, many businesses now recognize the significance of their digital and physical…

A recent GAO report examines the maturity of 24 US Government departments’ security regimes. While subject to different standards and regimes, enterprises face similar challenges as the agencies mentioned in the report. For example, “Twenty-three of the 24 agencies did not have effective processes for remediating information security weaknesses.”*

Remediation is hugely challenging as it tends to involve a cross-section of teams and multiple stakeholders. Remediation projects can have significant budgetary implications. It’s critical to maintain an integrated risk registry with ownership within the governance team to drive remediation in a deliberate manner. Remediation can be linked explicitly to personnel metrics of success to elevate its importance.

I’m drafting a longer article to provide guidance for risk registry implementation for an upcoming ISACA Toronto Chapter talk.

*The GAO full report is here.

Further reading from BankInfoSecurity.

Who are you, and what do you want?

A system is only as secure as the weakest security control deployed to protect it; typically, that starts with an identity and access management (IAM) system as the highest priority control: who can access a given object or resource, and how? The number of objects that require access and authorization policies has increased with the growth in the volume of sensitive data stored digitally. Our users work remotely, on different devices, with external parties, and have a variety of means to identify themselves. The same goes for non-human users, AKA entities. …

The Federal Risk and Authorization Management Program (FedRAMP) is a compliance regime to which cloud vendors (i.e. Cloud Service Providers) selling to government agencies are subject. Compliance with FedRAMP is a mandatory step for vendors with cloud-based SaaS/IaaS/PaaS/etc offerings to work with and support agencies. Once complete, a FedRAMP assessment can be referenced by other departments as long as it remains valid, shortening the timeline for procurement and enhancing the visibility of providers across a vast market. …

2017 marks the 10-year anniversary of Cisco’s declaration that “botnets are the primary security threat on the Internet today.” At the time, it was consumers’ access to broadband connections that gave botnets the ability to launch distributed denial of service (DDoS) attacks; today, unsecured Internet of Things (IoT) devices on even higher speed networks are (for now) the culprit. Despite advances in preventive and detective controls, bots remain a formidable and ever-increasing threat to the integrity of business applications and information.

As 2016 came to a close, we learned from WhiteOps of the financial losses suffered by advertising agencies…

The business case for establishing a Cyber threat intelligence (CTI) capability is getting stronger in some sectors and verticals, and is becoming a focal point for corporate information security teams. In this brief article, I’d like to summarize some considerations and issues related to building capacity in this area.

CTI work stratifies a range of activities intended to deliver practical outputs — from the minutia of blocking a malicious host to assessing the impact of ransomware in the IOT space in 5 years. These activities are components of a methodology that is documented, practiced continuously, and refined as needed. …

Nick Deshpande