Posts by Category


Search or subscribe to SEC 8-K Material Cybersecurity Incident filings

1 minute read

In 2023, the Securities and Exchange Commission (SEC) published rule 33-11216 Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, where the operative requirement is that companies disclose material cybersecurity incidents. The summary disclosure requirement is as follows:

Improving CISA KEV data integrity

3 minute read

tl;dr - Sometimes CISA removes Known Exploited Vulnerabilities catalog records. It would be awesome if they marked them as withdrawn and/or superseded instead.

When your product becomes a feature

3 minute read

Having spent a few years using, maintaining, and building security products of every conceivable shape and size, it’s become apparent how uniquely risky it is to invest in building cloud[1] security products.

Not all attack surface is created equal: Why protecting security controls is critical

less than 1 minute read

Any exposed attack surface can be used by an adversary to gain or maintain access to your environment. Security controls are a uniquely high-risk part of your attack surface, because compromising a security control often provides an adversary with privileged and/or uniquely positioned access to the environment. And evidence shows that adversaries are capitalizing on exposed, vulnerable attack surface.

CISA Known Exploited Vulnerabilities (KEV) affecting security controls

3 minute read

Since its inception, I’ve been bullish on the value of the CISA Known Exploited Vulnerabilities (KEV) catalog, along with their periodic analysis of the top exploited vulnerabilities based on the same. The KEV catalog contains a concrete set of trailing indicators that tell you which vulnerabilities should be prioritized for patching or other forms of remediation.

Breaking down exposure management

2 minute read

While participating in some industry analyst research, I was asked how I’d walk someone through and connect these concepts. This is a paraphrased version of the talk track (with some visuals based on prior work).

Incidents as a measure of cybersecurity progress

3 minute read

Phil Venables published a helpful collection of ways that risk and cybersecurity leaders can share their successes, ideally on an ongoing basis. His working theory, which I believe is correct, is that we’re not great at this. And as a result, many of our peers only hear from us when things go sideways, which leads to a variety of problems.

Roundup of security conference and CFP trackers

less than 1 minute read

A collection of websites and projects that I’ve used in an attempt to track upcoming information security (infosec) or cybersecurity conferences, including call for papers (CFP) deadlines.

Threat modeling templates

less than 1 minute read

In the course of reviewing a number of published threat models, it became apparent that there is not (nor does there need to be) any standard output format, even given the same methodology (e.g., STRIDE).

Roundup of threat modeling resources

5 minute read

I don’t know much about threat modeling, except that as long as I’ve been working in cybersecurity, we’ve been asking people about their threat model, telling them to do threat modeling, and in the worst cases using greedy threat models to convince folks that they should prioritize things that they probably should not.

The top initial access vectors in 2022, mapped to ATT&CK

1 minute read

In reviewing security firms’ 2022 threat data, a subset of these include insight into the initial access vectors leveraged most frequently in successful intrusions. This is a summarization of findings based on their reporting.

Observability as a function of your threat model

2 minute read

This model attempts to explain the relationship between visibility, observability, detection, and mitigation, which are closely related and important to understand when implementing any information security or cybersecurity program.

The future of cybersecurity might be insurance

3 minute read

For some time now, I’ve been considering a hypothesis that the future of cybersecurity is some form of vertically integrated set of products, services, and insurance. This won’t represent emerging or niche cybersecurity products and services, but will bring actuarial rigor to identification and measurement of the outcomes that cybersecurity vendors claim to provide, and so it will represent the subset of offerings that provide consistent, provable value (i.e., things that reliably mitigate high impact threats). The primary consumer benefit will be a faster path to implementation of a plenty good enough cybersecurity portfolio for a large percentage of organizations.

Incidents: An organizational Swiss Army knife

2 minute read

Incidents may be one of the best measures of maturity, effectiveness, and progress in any highly operational environment, including but not limited to security operations and technology operations (including site reliability engineering, or SRE). However, incident management done right can be an invaluable tool that you can point at virtually any problem- or failure-prone system to make it better.

Visibility, observability, detection, and mitigation in cybersecurity

2 minute read

The concepts of visibility, observability, detection, and mitigation are foundational to cybersecurity–security architecture and detection engineering in particular–and technology operations in general. They’re useful for communicating at almost every level, within technical teams but also to organizational peers and leadership.

Back to Top ↑