First, the nature of evolution discards noise. Much like the concept in biology, only fit, useful facts survive the evolution process. When exposed to more complex systems, noise goes the way of the dodo bird. A “possible SQL injection attack on MySQL” event becomes irrelevant when vulnerability reports show the targeted server isn’t running MySQL. As data becomes a more mature, evolved object the irrelevant events fall away.

When I was leading the Network Security Group at the US Naval Postgraduate School, I was overwhelmed with the degree of failure we experienced. The amount of events, complexity of investigations and immature security infrastructure created an environment of perpetual failure. After gathering the basic business metrics I discussed in Metering Incident Response 101 I decided it was time to push the problem up the chain of command.

A core tenet to success in any endeavor is defining, collecting and analyzing core metrics. Incident Response teams can only develop plans that lead to success when it can be defined and metered. Understanding and collecting two key metrics can aid in defining, metering and reporting on success.

In 1995, I started my Navy training as an Aviation Electronics Technician. I spent more than a year learning electrical theory, how to use sophisticated tools (like time domain reflectors)  and the logic associated with troubleshooting avionics. I was ready to go to mano a mano against any aircraft that was daft enough to challenge my acumen.

My deck and resources from my Process talk at GrrCON 2015 can be found here.

My Secure360 2015 deck and Visio template can be found here.

While I don't like "vendor dogpiles" every time there is a mainstream cybersecurity breach, they do serve as good opportunities to change InfoSec paradigms. In this article discusses the value of monitoring with enforcement as well as repairing or creating response processes.

Deck and video of my GrrCON talk.

YouTube video recording of my "Looking for the Weird: Detecting Bad Traffic and Abnormal Network Behavior" webinar for Lancope. This was given on 9/24/2014.

My presentation deck from Converge Conference can be downloaded here.

Summary of the features in StealthWatch 6.5 that protect sensitive data from theft by insider threat or advanced attack.

Some organizations have chosen to adopt a "plausible deniability" strategy to InfoSec. This article outlines some methods of helping these organizations move to a safer security practice.

The final installment of the NBAD series covering relationship anomaly detection.

3 dangerous "lessons" that have come from Target Breach discussions that we need to quickly unlearn.

Part 4 of the NBAD series on  host anomaly detection.

Hospitals are under attack from cyber criminals and state sponsored attackers. This article reviews the cause and some remedies to the poor state of InfoSec in healthcare.

Third part of the network behavioral anomaly detection (NBAD) series on the role of behavioral detection.

In the second part of the NBAD series, signature detection methodologies are examined.

The first part in this series covers the history of Network Behavioral Anomaly Detection (NBAD.)

Vendors like to create an ocean of alarms in their products so they can dogpile after an event and claim that "they caught it." This article goes through the dangers of false positives in incident response and how to address them.

The most dangerous and difficult risk to detect to an organization is insider threat. When a trusted asset decides to betray the trust of his benefactor for the sake of ideology, greed or extortion the organization can suffer long lasting damage. This article outlines the nature and strategies of handling insider threat.

Threat data contained in Indicators of Compromise (IOC) can be applied against the data stored in StealthWatch to look for markers of historical breach. This entry outlines the steps in performing this analysis.

With Microsoft discontinuing support of Windows XP, organizations need guidance on how to protect the legacy machines they can't replace.

How to parse the claims vendors make in APT detection.