By Bob Rudis (@hrbrmstr)
Sun 02 March 2014
tags: metricon, storify
Jay & I will be doing a podcast on RSA + METRICON 9 soon, but over the weekend I managed to make a “Storify-ed” recap of it from tweets that went throughout the day. While I already posted a direct link to Storify on Twitter, here’s a re-post of it on DDS.
Our sponsors – Risk I/O, Tripwire & CXOWare (+ RSA) – and our #spiffy speakers truly made the day something to remember.
METRICON 9 Recap
This past Friday (Feb 28, 2014) over 60 infosec/risk management practitioners came together for the 9th "maxi" METRICON, the official gathering of the securitymetrics.org mailing list. The proceedings will be up soon but there was much live-tweeting going on during the event.
- Even the torrential downpours of the early morning couldn't keep folks away #dedication.
- @falconsview @mortman @JonesFAIRiq @alexhutton Meanwhile, ~60 folks doing deep dive into metrics & risk at Metricon 9 #m9 #RealChangeLeaders
- We also had more than a few folks going against the tendency of vendor dashboards to mean red == bad.
- @Kym_Possible noted earlier that half the women at #m9 are red heads. Who knew #MetricsAttractRedheads
- Pete Lindstrom & Bob Rudis opened with a recap of #M8, a challenge to think differently and a "speed-networking" session to give folks a chance to meet new faces and possibly find collaborators for projects they are working on.
- Loving this talk by kimberlee price, very data-driven! #m9
- @Kym_Possible “When you have 300 vulns, and everything is a priority, then nothing is a priority” #m9
- I *knew* it. @Kym_Possible is a Magician. Explains a lot. Need to add “Metrics Magic 101” to the LMS. #m9
- Enjoyed @mroytman’s #m9 talk? Check out his article w/ Dan Geer ( https://www.usenix.org/system/files/login/articles/14_geer-online_0.pdf …) & Risk I/O research paper ( https://www.risk.io/data-driven-security …)
- At noon, CXOWare delved into the inner workings of FAIR and Bob & Jay lightened up lunch a bit with a tour of visualizations of the activity on the securitymetrics.org mailing list.
- (some of the rest is a bit out of order here since Storify editing on a 13" screen is not exactly optimal). Unlike Michael, Christophe Huygens' team does delve into big data as they analyze vulnerabilities across the entire internet. Will link to their research soon (they showed embargoed research results during #M9 that I can't put up here just yet).
- “Misconfigurations are a much bigger problem on the web than vulnerabilities.” -Christophe Huygens #m9
- Geoffrey Hill dove into the details of managing your appsec programs efficiently and securely with data.
- Content rich talk today by @GHill_security covering topics ranging from #SDL to CAPEC https://bit.ly/1hx3uTb at #m9 #RSAC
- Must read for InfoSec metrics/risk folks who are “Big Data-curious” #m9 https://markhuberty.github.io/files/huberty_etla_big_data.pdf …
- Whereas Jay Jacobs and Wade Baker talked data cleaning, data organization, partner roundups and managing the message by managing marketing in their DBIR talk.
- “The criteria for contributing to the DBIR is that you contribute to the DBIR”. 50+ partners and growing. @wadebaker & @jayjacobs #m9
- “@ktneely: Fantastic behind-the-scenes of the DBIR talk at #m9 by @jayjacobs and @wadebaker. Some great stories for that epic report” <thx!
- Stephen Boyer cranked up Terminal.app to literally (heh) dig into analyzing public company weaknesses via DNS & SPF records (plus a WHOLE lot more on what they do behind the scenes at bitsight). Great, interactive talk with solid takeaways you can implement at home (but you should just subscribe to their service :-)
- Katherine Brocklehurst from Tripwire showed how the sausage is made iterating over old visualizations and giving folks a peek at how the give-and-take vis process works.
- Finally, Russ & Patrick closed out the day giving us all a peek at their current research.
- @jack_daniel @attritionorg @alexhutton yup, I’m further convinced that the best choice was to attend only #bsidessf and #m9
- HUGE #ty to our #m9 METRICON sponsors @RiskIO @cxoware & @TripwireInc. You truly helped make today AWESOME!
- No Optimism Bias here. Metricon #m9 A bright spot in an otherwise chaotic space. https://campl.us/qZKg
- Thanks again to the sponsors (Risk I/O, Tripwire & CXOWare, + RSA), the speakers and the attendees for a great, interactive day. It has me looking forward to METRICON 10 already!