this is why u shld have been at Metricon and not at yet-another cloud preso<\/em><\/p>\n“why group servers with apps instead of network devices?” – natural grouping since apps run on servers; often folks use “app” when it was really “server” – i.e. “my app got attacked” is more likely your “server got hacked”.<\/p>\n
[side-talk: scenarios impacting assets; discussion about nuances between avail & util]<\/p>\n
Can use this detailed analysis to map back to controls that would be relevant to this scenario (and potentially which ones failed or were missing completely)<\/p>\n
Enables mapping of action types to identified vulnerabilities which can help prioritize actions to mitigate<\/p>\n
[side-talk: how VZ constructs event chains for each attack]<\/p>\n
\u00a0<\/p>\n
A vision of EBRM Metrics<\/strong><\/p>\n@alexhutton – baseball metrics view for exec dashboard. sample: frequency of incidents; peer comparison & gauge of impact :: can learn much from Jack Jones’ threat descriptions (\/me: and I would argue the impact $ banding)<\/p>\n
at the very least this will give us the ability to mature how we estimate loss value;<\/p>\n
awesome point how this is really not like baseball: we don’t have comprehensive data like batter stats.<\/p>\n","protected":false},"excerpt":{"rendered":"
Better management through better measurementSpeakers: Wade Baker and Alex Hutton and Chris Porter State of the industry: are we a science or pseudoscience? random fact gathering morass of interesting, trivial, irrelevant obs variety of theories that provide little guidance to data gathering \u00a0 Sources of knowledge under “risk” aggregate: asset landscape impact landscape threat landscape […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[3,47,4],"tags":[200,202,201,204,203],"class_list":["post-123","post","type-post","status-publish","format-standard","hentry","category-information-security","category-metrics","category-risk","tag-alex-hutton","tag-chris-porter","tag-jack-jones","tag-player","tag-wade-baker"],"yoast_head":"\n
Metricon: Evidence Based Risk Management - rud.is<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Metricon: Evidence Based Risk Management - rud.is\" \/>\n<meta property=\"og:description\" content=\"Better management through better measurementSpeakers: Wade Baker and Alex Hutton and Chris Porter State of the industry: are we a science or pseudoscience? random fact gathering morass of interesting, trivial, irrelevant obs variety of theories that provide little guidance to data gathering \u00a0 Sources of knowledge under “risk” aggregate: asset landscape impact landscape threat landscape […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/\" \/>\n<meta property=\"og:site_name\" content=\"rud.is\" \/>\n<meta property=\"article:published_time\" content=\"2011-02-14T17:51:21+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2011-02-14T17:51:47+00:00\" \/>\n<meta name=\"author\" content=\"hrbrmstr\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hrbrmstr\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/\"},\"author\":{\"name\":\"hrbrmstr\",\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"headline\":\"Metricon: Evidence Based Risk Management\",\"datePublished\":\"2011-02-14T17:51:21+00:00\",\"dateModified\":\"2011-02-14T17:51:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/\"},\"wordCount\":446,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"keywords\":[\"Alex Hutton\",\"Chris Porter\",\"Jack Jones\",\"player\",\"Wade Baker\"],\"articleSection\":[\"Information Security\",\"Metrics\",\"Risk\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/\",\"url\":\"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/\",\"name\":\"Metricon: Evidence Based Risk Management - rud.is\",\"isPartOf\":{\"@id\":\"https:\/\/rud.is\/b\/#website\"},\"datePublished\":\"2011-02-14T17:51:21+00:00\",\"dateModified\":\"2011-02-14T17:51:47+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/rud.is\/b\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Metricon: Evidence Based Risk Management\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/rud.is\/b\/#website\",\"url\":\"https:\/\/rud.is\/b\/\",\"name\":\"rud.is\",\"description\":\""In God we trust. All others must bring data"\",\"publisher\":{\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/rud.is\/b\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\",\"name\":\"hrbrmstr\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"url\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"contentUrl\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"width\":460,\"height\":460,\"caption\":\"hrbrmstr\"},\"logo\":{\"@id\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\"},\"description\":\"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7\",\"sameAs\":[\"http:\/\/rud.is\"],\"url\":\"https:\/\/rud.is\/b\/author\/hrbrmstr\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Metricon: Evidence Based Risk Management - rud.is","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/","og_locale":"en_US","og_type":"article","og_title":"Metricon: Evidence Based Risk Management - rud.is","og_description":"Better management through better measurementSpeakers: Wade Baker and Alex Hutton and Chris Porter State of the industry: are we a science or pseudoscience? random fact gathering morass of interesting, trivial, irrelevant obs variety of theories that provide little guidance to data gathering \u00a0 Sources of knowledge under “risk” aggregate: asset landscape impact landscape threat landscape […]","og_url":"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/","og_site_name":"rud.is","article_published_time":"2011-02-14T17:51:21+00:00","article_modified_time":"2011-02-14T17:51:47+00:00","author":"hrbrmstr","twitter_card":"summary_large_image","twitter_misc":{"Written by":"hrbrmstr","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/#article","isPartOf":{"@id":"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/"},"author":{"name":"hrbrmstr","@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"headline":"Metricon: Evidence Based Risk Management","datePublished":"2011-02-14T17:51:21+00:00","dateModified":"2011-02-14T17:51:47+00:00","mainEntityOfPage":{"@id":"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/"},"wordCount":446,"commentCount":2,"publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"keywords":["Alex Hutton","Chris Porter","Jack Jones","player","Wade Baker"],"articleSection":["Information Security","Metrics","Risk"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/","url":"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/","name":"Metricon: Evidence Based Risk Management - rud.is","isPartOf":{"@id":"https:\/\/rud.is\/b\/#website"},"datePublished":"2011-02-14T17:51:21+00:00","dateModified":"2011-02-14T17:51:47+00:00","breadcrumb":{"@id":"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-evidence-based-risk-management\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/rud.is\/b\/"},{"@type":"ListItem","position":2,"name":"Metricon: Evidence Based Risk Management"}]},{"@type":"WebSite","@id":"https:\/\/rud.is\/b\/#website","url":"https:\/\/rud.is\/b\/","name":"rud.is","description":""In God we trust. All others must bring data"","publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/rud.is\/b\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886","name":"hrbrmstr","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","width":460,"height":460,"caption":"hrbrmstr"},"logo":{"@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1"},"description":"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7","sameAs":["http:\/\/rud.is"],"url":"https:\/\/rud.is\/b\/author\/hrbrmstr\/"}]}},"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p23idr-1Z","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":391,"url":"https:\/\/rud.is\/b\/2011\/03\/19\/crossroad-of-erm-and-the-parallels-to-irm\/","url_meta":{"origin":123,"position":0},"title":"Crossroad of ERM and the Parallels to IRM","author":"hrbrmstr","date":"2011-03-19","format":false,"excerpt":"Had to modify the latimes URL in the post due to a notice from Wordfence\/Google I was reviewing the - er - highlights? - from the ninth ERM Symposium in Chicago over at Riskviews this morning and was intrigued by some of the parallels to the current situation in enterprise\u2026","rel":"","context":"In "Compliance"","block_context":{"text":"Compliance","link":"https:\/\/rud.is\/b\/category\/compliance\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2986,"url":"https:\/\/rud.is\/b\/2014\/05\/17\/new-gig\/","url_meta":{"origin":123,"position":1},"title":"New Gig!","author":"hrbrmstr","date":"2014-05-17","format":false,"excerpt":"Well, the proverbial cat is definitely out of the bag now. I'm moving on from the current gig to take a security data scientist position at Verizon Enterprise. The esteemed Wade Baker will be my new benevolent overlord and it probably isn't a shocker that I went to the place\u2026","rel":"","context":"In "Personal"","block_context":{"text":"Personal","link":"https:\/\/rud.is\/b\/category\/personal\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1018,"url":"https:\/\/rud.is\/b\/2012\/05\/08\/is-your-organization-ready-for-a-risk-management-program\/","url_meta":{"origin":123,"position":2},"title":"Is Your Organization Ready For a Risk Management Program?","author":"hrbrmstr","date":"2012-05-08","format":false,"excerpt":"While the slides will be officially available from SIRA web site in the not-too-distant future\u2014complete with video (for all the talks)\u2014I figured it wouldn't hurt to put them up here as well. Keynote version PDF version My sincere thanks, again, to @jayjacobs and the SIRA board for allowing me to\u2026","rel":"","context":"In "Information Security"","block_context":{"text":"Information Security","link":"https:\/\/rud.is\/b\/category\/information-security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":125,"url":"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-critical-consumption-of-infosec-statistics\/","url_meta":{"origin":123,"position":3},"title":"Metricon: Critical Consumption Of Infosec Statistics","author":"hrbrmstr","date":"2011-02-14","format":false,"excerpt":"Speaker: Chris Eng \/ Veracode Every major infosec company publishes quarterly\/yearly summary reports. Some based on survey, some based on real captured data. Recognizing the Narrative Every fancy looking infosec metrics report is a marketing vehicle; each has different perspectives; no consistency, but you can figure out the framing by\u2026","rel":"","context":"In "Information Security"","block_context":{"text":"Information Security","link":"https:\/\/rud.is\/b\/category\/information-security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":131,"url":"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-software-securitys-futures-plural\/","url_meta":{"origin":123,"position":4},"title":"Metricon: Software Security’s Futures Plural","author":"hrbrmstr","date":"2011-02-14","format":false,"excerpt":"UPDATE - 2011-02-26: Alphonso has posted his slides and BeeWise is open! Speaker: Alfonso\u00a0De Gregorio How do we build a future in software security? \u00a0 \/me: the slides that will be posted have a ton of detail that Alfonso sped through. you'll get a very good feel from them \u00a0\u2026","rel":"","context":"In "Information Security"","block_context":{"text":"Information Security","link":"https:\/\/rud.is\/b\/category\/information-security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1786,"url":"https:\/\/rud.is\/b\/2012\/11\/18\/speaking-at-rsa-conference-2013\/","url_meta":{"origin":123,"position":5},"title":"Speaking At RSA Conference 2013!","author":"hrbrmstr","date":"2012-11-18","format":false,"excerpt":"Earlier this week, @jayjacobs & I both received our acceptance notice for the talk we submitted to the RSA CFP! [W00t!] Now the hard part: crank out a compelling presentation in the next six weeks! If you're interested at all in doing more with your security data, this talk is\u2026","rel":"","context":"In "Charts & Graphs"","block_context":{"text":"Charts & Graphs","link":"https:\/\/rud.is\/b\/category\/charts-graphs\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/comments?post=123"}],"version-history":[{"count":0,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/123\/revisions"}],"wp:attachment":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/media?parent=123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/categories?post=123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/tags?post=123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}