METRICON 9 - Storified

By Bob Rudis (@hrbrmstr)
Sun 02 March 2014 | tags: metricon, storify, -- (permalink)

Jay & I will be doing a podcast on RSA + METRICON 9 soon, but over the weekend I managed to make a “Storify-ed” recap of it from tweets that went throughout the day. While I already posted a direct link to Storify on Twitter, here’s a re-post of it on DDS.

Our sponsors – Risk I/O, Tripwire & CXOWare (+ RSA) - and our #spiffy speakers truly made the day something to remember.

METRICON 9 Recap

This past Friday (Feb 28, 2014) over 60 infosec/risk management practitioners came together for the 9th "maxi" METRICON, the official gathering of the securitymetrics.org mailing list. The proceedings will be up soon but there was much live-tweeting going on during the event.

  1. Even the torrential downpours of the early morning couldn't keep folks away #dedication.
  2. BART delays, heavy rain and a long line at Starbucks can’t keep me away from Metricon. #m9
  3. We also had more than a few folks going against the tendency of vendor dashboards to to mean red == bad.
  4. Pete Lindstrom & Bob Rudis opened with a recap of #M8, a challenge to think differently and a "speed-networking" session to give folks a chance to meet new faces and possibly find collaborators for projects they are working on.
  5. Kymberlee Price officially kicked things off with an outstanding deep-dive into data-driven resource planning and some truly #spiffy insights into vulnerability data. (@spiresec & @hrbrmstr were lightweights…well at least their introductory talks were :-)
  6. RT #m9 “the data is a mess” (way too true) at METRICON pic.twitter.com/Qzgza5Q7RQ < @Kym_Possible is brilliant at getting results w/ metrics
  7. Loving this talk by kimberlee price, very data-driven! #m9
  8. @Kym_Possible “When you have 300 vulns, and everything is a priority, then nothing is a priority” #m9
  9. Hey @quine you were called out (in a good way) by @Kym_Possible in her presentation at Metricon #M9
  10. The data is ALWAYS a mess. “@MrMeritology: RT #m9 “the data is a mess” (way too true) at METRICON pic.twitter.com/M8imzOy1t8 < @Kym_Possible
  11. @Kym_Possible Thanks for a great presentation - really learned a lot. We do need a anti-malware ecosystem but who’s going to start it? #m9
  12. Great discussion around @Kym_Possible‘s #metricon #m9 Expecting the Unexpected talk. Now, let me go calculate my security debt!
  13. I *knew* it. @Kym_Possible is a Magician. Explains a lot. Need to add “Metrics Magic 101” to the LMS. #m9
  14. @mroytman burst the big data bubble dreams of the vendors on the #RSAC floor in his talk about what it takes to make Risk I/O work behind the scenes (hint: a smart diverse team and modern, critical-thinking analytics).
  15. At Metricon listening to @mroytman of @RiskIO talk about less being more. Less [tools|data scientists|data|model complexity]. #m9
  16. Great example of ‘MacGyver security,’ more people need to think this way MT@Kym_Possible: @mroytman #m9 pic.twitter.com/UgP2J6fnwC
  17. At noon, CXOWare delved into the inner-working of FAIR and Bob & Jay lightened up lunch a bit with a tour of visualizations of the activity on the securitymetrics.org mailing list.
  18. (some of the rest is a bit out of order here since Storify editing on a 13" screen is not exactly optimal).

    Unlike Michael, Christophe Huygens' team does delve into big data as they analyze vulnerabilities across the entire internet. Will link to their research soon (they showed embargoed research results during #M9 that I can't put up here just yet).
  19. #m9 Christophe Huygens sharing analyses of attacks against file sharing svcs & lg scale inet vuln analyses @ METRICON pic.twitter.com/Cn7nhcJbC0
  20. “Misconfigurations are a much bigger problem on the web than vulnerabilities.” -Christophe Huygens #m9
  21. #m9 “you are what you include” // attack surface dramatically > & confidentiality dramatically < w/each rsrc pic.twitter.com/5mmNwSb42W
  22. “You are what you include.” -Christophe Huygens <= On remote JavaScript includes, mixed content #m9
  23. Geoffrey Hill dove into the details of managing your appsec programs efficiently and securely with data.
  24. #m9 Geoffrey Hill from Artis-Secure talking how to use data to influence your appsec program pic.twitter.com/c0aE5BTho4
  25. Whereas Jay Jacobs and Wade Baker talked data cleaning, data organization, partner roundups and managing the message by managing marketing in their DBIR talk.
  26. #m9 @jayjacobs & the Godfather of the DBIR - @wadebaker - going behind the scenes of the DBIR at METRICON pic.twitter.com/S7YmefkI1z
  27. “The criteria for contributing to the DBIR is that you contribute to the DBIR”. 50+ partners and growing. @wadebaker & @jayjacobs #m9
  28. @ktneely: Fantastic behind-the-scenes of the DBIR talk at #m9 by @jayjacobs and @wadebaker. Some great stories for that epic report” <thx!
  29. Wade and Jay walked through covers for Verizon DBIR reports that didn’t make the cut. This was my favorite. #m9 pic.twitter.com/CISoz9bftx
  30. Stephen Boyer cranked up Terminal.app to literally (heh) dig into analyzing public company weakenesses via DNS & SPF records (plus a WHOLE lot more on what they do behind the scenes at bitsight). Great, interactive talk with solid takeaways you can implement at home (but you should just subscribe to their service :-)
  31. #m9 Stephen Boyer, CTO of @BitSight, delving into the data & methodology of how to measure 3rd party risk at METRICON pic.twitter.com/ZcCEVIjQmC
  32. Stephen Boyer of @BitSight : Third party risk “We think execs suffer from ‘optimism bias’” <— NO ONE EXPECTS THE SPANISH INQUISITION! #m9
  33. Because no one thinks they will be the next TJX, or RSA, or Sony, or Target, or… @BitSight #m9
  34. Lots and lots of questions for Stephen Boyer, CTO of @BitSight at #m9. Good stuff!
  35. Katherine Brocklehurst from Tripwire showed how the sausage is made iterating over old visualizations and giving folks a peek at how the give-and-take vis process works.
  36. #m9 Katherine Brocklehurst from @TripwireInc talking and showing security visualisation at METRICON pic.twitter.com/aoY78nWlHf
  37. Finally, Russ & Patrick closed out the day giving us all a peek at their current research.
  38. @jack_daniel @attritionorg @alexhutton yup, I’m further convinced that the best choice was to attend only #bsidessf and #m9
  39. HUGE #ty to our #m9 METRICON sponsors @RiskIO @cxoware & @TripwireInc. You truly helped make today AWESOME!
  40. Sincere thanks to @jayjacobs @hrbrmstr for coordinating a great Metricon #m9 in SFO!
  41. RT @hrbrmstr: HUGE #ty to our #m9 METRICON sponsors @RiskIO @cxoware & @TripwireInc. You truly helped make today AWESOME! < Yes!
  42. RT @hrbrmstr: HUGE #ty to our #m9 METRICON sponsors @RiskIO @cxoware & @TripwireInc. You truly helped make today AWESOME! < Yes!
  43. No Optimism Bias here. Metricon #m9 A bright spot in an otherwise chaotic space.  http://campl.us/qZKg 
  44. Nice job @Kym_Possible at #m9 - using vulnerability metrics to plan dev impact and security debt.
  45. I am admittedly biased, but the speakers and interaction has been awesome at METRICON #m9
  46. Thanks again to the sponsors (Risk I/O, Tripwire & CXOWare, + RSA), the speakers and the attendees for a great, interactive day. It has me looking forward to METRICON 10 already!

comments powered by Disqus