'You've been making the wrong mistakes' - Thelonious Monk
May 23, 2020 27 tweets 5 min read
Prior to this tweet, @nickdothutton makes the excellent point that working exercises are a great way to hire and establish team dynamic.

Of course, it depends how those are set up. Ahh the memories... Many moons ago, before I was hired into a particularly challenging social engineering job (aka cold calling Heads of Security to convince them to part with training budget), I interviewed at a large media org.
May 5, 2020 50 tweets 7 min read
There are a lot of layoffs happening at the moment.

Sometimes when stuff hits the fan like this, you can't control what door you have to walk through next. But you may be able to control what you know about the challenges behind it, and who you'll be facing them with.

Thread... Here are some questions that I've found helpful to ask / think about, which are broadly in the following categories:

- The role

- Leadership

- Current resources

- Culture
Feb 25, 2020 10 tweets 5 min read
Great talk from @rmogull on Cloud Kill Chains happening now at #RSAC2020
Dec 21, 2018 11 tweets 3 min read
It's 100% true that you need technical expertise in a security team. There are also other things that need to come together for a team to improve how well protected their business is. One of those can be winning the opportunity to do the technical stuff that's needed. In fact I think there are 8 key applied abilities that are vital in security

1. Systems thinking
2. Politic
3. Architecture / engineering mindset
4. Team creation and evolution
5. Product management
6. Project management
7. Data science
8. Coding
Nov 12, 2018 9 tweets 5 min read
@xaprb Some quick thoughts...

There are different scenarios for exec comms:
- Cyclical (e.g. annual reporting where format doesn't change)
- Periodic (e.g. on an issue that will last a few committee meetings)
- Ad hoc (e.g. random requests on key things)
- Crisis (new, short cycle)

@xaprb For each there are different formulas you can use. E.g. cyclical reporting may be:
- what's our status on something pre-defined as important?
- is status good or bad?
- if bad do we have enough information to act or do we need more?
- if we act what is best cost decision?
Nov 7, 2018 13 tweets 6 min read
@sachafaust One of the things that I find helpful is to use product management frameworks to look at effort and impact over time. Lots of things you 'should have' can take a lot of time to roll out and then don't give you the agility you want (e.g. in detection over custom data sets)...

@sachafaust ... which means the team needs to think about what will move the needle quickly in the short term while also laying the foundation to go from 1.0 to 2.0 of capability (vs waiting for 5.0 and never getting there).
Nov 2, 2018 18 tweets 4 min read
A SOC that deals in Alerts is doomed. If it deals in 'high fidelity detection analytics' + can show ...
1) what's possible to detect that your tech teams + business MDs care about
2) by implication what gaps exist with existing tech (coverage / config)
... then it's in with a chance. In practice what that means is defining 5 things that are highly interesting from a blue/red perspective, and where you would tolerate high false positives because if you see 'an activity' it's worth some precious analyst time to investigate ... for 2 reasons ...
Aug 8, 2018 13 tweets 5 min read
Great talk by @ram_ssk: most talks are only about what worked in machine learning, but what about the experiments that failed? Problem 1: on lateral movement, once the lateral movement goal is attained, it's hard to identify attackers as they are under the radar. Lots of data to start with...