Category Archives: RSA

The basic technique of cybercrime statistics—measuring the incidence of a given phenomenon (DDoS, trojan, APT) as a percentage of overall population size—had entered the mainstream of cybersecurity thought only in the previous decade. Cybersecurity as a science was still in its infancy, as many of its basic principles had yet to be established.

At the same time, the scientific method rarely intersected with the development and testing of new detection & prevention regimens. When you read through that endless stream of quack cybercures published daily on the Internet and at conferences like RSA, what strikes you most is not that they are all, almost without exception, based on anecdotal or woefully inadequate evidence. What’s striking is that they never apologize for the shortcoming. They never pause to say, “Of course, this is all based on anecdotal evidence, but hear me out.” There’s no shame in these claims, no awareness of the imperfection of the methods, precisely because it seems so eminently reasonable that the local observation of a handful of minuscule cases might serve as the silver bullet for cybercrime, if you look hard enough.

But, cybercrime couldn’t be studied in isolation. It was as much a product of the internet expansion as news and social media, where it was so uselessly anatomized. To understand the beast, you needed to think on the scale of the enterprise, from the hacker’s-eye view. You needed to look at the problem from the perspective of Henry Mayhew’s balloon. And you needed a way to persuade others to join you there.

Sadly, that’s not a modern story. It’s an adapted quote from chapter 4 (pp. 97-98, paperback) of The Ghost Map, by Steven Johnson, a book on the cholera epidemic of 1854.

I won’t ruin the book nor continue my attempt at analogy any further. Suffice it to say, you should read the book—if you haven’t already—and join me in calling out for the need for the John Snow of our cyber-time to arrive.

Come join us for a PhöCon good time at 18:30 (6:30PM) Thursday! The neighborhood is…interesting…but it’s close to Moscone and has had good food for the past couple years. I’ll be heading up there from the Expo area at ~1815. Hit me up on Twitter if you want to head out together.

[Miss Saigon](http://misssaigonsf.com) @ 100 6th Street


Just joining in the fray of “where I’m speaking/where I’ll be the week of @RSAConference” posts…

SEM-003 – Information Security Leadership Development: Surviving as a Security Leader (Half Day – Delegates only)

WHEN: Monday : 0830-1130

I’m very pleased to be able to join:

– Derek Brink, Vice President & Research Fellow for IT Security & IT GRC, Aberdeen Group, a Harte-Hanks Company
– Justin Peavey, SVP Information Services & Security, CISO, Omgeo
– Dave Notch, President, Intensity Analytics
– Evan Wheeler, Director, Information Security, Omgeo
– James Burrell, Deputy Assistant Director, Federal Bureau of Investigation
– John Iatonna, SVP, Information Security, Edelman, Inc.

In this session, I’ll be covering “Are you fighting the wrong battles?” and participating in a panel discussion.

GRC-T18 – Data Analysis and Visualization for Security Professionals

WHEN: Tuesday : 1430-1530

@JayJacobs & I will be delving into the dark arts & science of conducting & communicating data analyses through data visualization with a plethora of background material and two case studies.

SPO1-R33 – Achievement Unlocked: Designing a Compelling Security Awareness Program

WHEN: Thursday : 1040-1140

@csoandy & I will be entertaining and educating folks on how to kick your security awareness program up a notch. Should be great fun, and animated interaction is greatly encouraged.

☛ PhöCon

WHEN: Thursday : 1800+

Third year in a row where a bunch of us go out for Vietnamese food. Ping me on Twitter (@hrbrmstr) for more details.

Metricon 8

WHEN: Friday : All Day!

A day of facilitated working sessions designed to radically transform critical areas of security metrics across the industry.

When not speaking, I’ll be attending many sessions, will have the “shield” on most of the time and would love to meet as many folks as possible during my time in SFO.

Earlier this week, @jayjacobs & I both received our acceptance notice for the talk we submitted to the RSA CFP! [W00t!] Now the hard part: crank out a compelling presentation in the next six weeks! If you’re interested at all in doing more with your security data, this talk is for you. Full track/number & details below:

Session Track: Governance, Risk & Compliance
Session Code: GRC-T18
Scheduled Date: 02/26/2013
Scheduled Time: 2:30 PM – 3:30 PM
Session Length: 1 hr
Session Title: Data Analysis and Visualization for Security Professionals
Session Classification: Intermediate
Session Keywords: metrics, visualization, risk management, research
Short Abstract: You have a deluge of security-related data coming from all directions and may even have a fancy dashboard full of pretty charts. However, unless you know the right questions to ask and how to ask them, all you really have are compliance artifacts. Move beyond the checkbox and learn techniques for collecting, exploring and visualizing the stories within our security data.