Many moons ago, before I was hired into a particularly challenging social engineering job (aka cold calling Heads of Security to convince them to part with training budget), I interviewed at a large media org.
May 5, 2020 • 50 tweets • 7 min read
There are a lot of layoffs happening at the moment.
Sometimes when stuff hits the fan like this, you can't control what door you have to walk through next. But you may be able to control what you know about the challenges behind it, and who you'll be facing them with.
Here are some questions that I've found helpful to ask / think about, which are broadly in the following categories:
It's 100% true that you need technical expertise in a security team. There are also other things that need to come together for a team to improve how well protected their business is. One of those can be winning the opportunity to do the technical stuff that's needed.
There are different scenarios for exec comms:
- Cyclical (e.g. annual reporting where format doesn't change)
- Periodic (e.g. on an issue that will last a few committee meetings)
- Ad hoc (e.g. random requests on key things)
- Crisis (new, short cycle)
@xaprb For each there are different formulas you can use. E.g. cyclical reporting may be
- what's our status on something pre-defined as important?
- is status good or bad?
- if bad do we have enough information to act or do we need more?
- if we act, what is the best cost decision?
Nov 7, 2018 • 13 tweets • 6 min read
@sachafaust One of the things that I find helpful is to use product management frameworks to look at effort and impact over time. Lots of things you 'should have' can take a lot of time to roll out and then don't give you the agility you want (e.g. in detection over custom data sets)...
@sachafaust ... which means the team needs to think about what will move the needle quickly in the short term while also laying the foundation to go from 1.0 to 2.0 of capability (vs waiting for 5.0 and never getting there).
Nov 2, 2018 • 18 tweets • 4 min read
A SOC that deals in Alerts is doomed. If it deals in 'high fidelity detection analytics' + can show ... 1) what's possible to detect that your tech teams + business MDs care about 2) by implication what gaps exist with existing tech (coverage / config)
... then it's in with a chance.
In practice what that means is defining 5 things that are highly interesting from a blue/red perspective, and where you would tolerate high false positives because if you see 'an activity' it's worth some precious analyst time to investigate ... for 2 reasons ...
Aug 8, 2018 • 13 tweets • 5 min read
Great talk by @ram_ssk: most talks are only about what worked in machine learning, but what about the experiments that failed?
Problem 1: on lateral movement, once the lateral movement goal is attained, it is hard to identify attackers as they are under the radar. Lots of data to start with...