Security Analytics Beyond Cyber

I presented at 44con 2014 on moving security analytics on from network defence and rapid response towards supporting data-driven and evidence-driven security management. My presentation is on SlideShare below:


Security Analysis for Humans

Following a highly enjoyable and usefully challenging conversation with Eric Leandri from I was inspired to consider some guiding principles for conducting security analysis.

With an obvious hat tip to the Zen of Python, the following is what I am aspiring to meet in the increasingly data-driven security consulting work I am engaged in:

If it’s hard to explain, it’s probably bad analysis.

If you’re not making a decision easier, what’s the point?

Hypotheses without goals are pointless.

Measurement without hypothesis is not analysis.

Explicit and transparent analysis matters.

Beautifully designed output matters.

Readability matters.

I’d love feedback from anyone else working in the field.

Protecting Information About Networks, The Organisation and Its Systems

I recently wrote a report with a number of colleagues for the Centre for the Protection of National Infrastructure (CPNI) on the Network Reconnaissance phase of a targeted attack, the phase that follows initial exploitation. The report covers what is targeted, how the attackers operate and which controls help. Below is a summary infographic, and below the cut are the briefing presentation I delivered and the full report.



Big Data Security Analytics Paper

I wrote this paper with a colleague recently. It is a practical guide to getting started in Big Data Security Analytics, and should be the first of a series of posts on the application of big data technologies and data science approaches to cyber security.

I understand the impact of pervasive mobile, I get the risks of ‘consumerisation’ and I can see the challenges of cloud, but it’s the opportunities of big data that have me excited about the future of security, both cyber security and traditional information security.

Cross-Domain Gateway Functions

Cross-Domain Gateways are a concept from multi-level government and military networks that is increasingly being deployed into traditionally flat commercial networks. I’ve spoken before about ‘trust zones’; the concept of choke-points between trust zones, combined with a view of the threat exposure for each trust zone, underlies the need for cross-domain gateways. (Domain is the historical term commonly used in government and military settings for a zone of trust.)

Cross-domain gateways can be applied to a wide variety of applications, and there is a wide variety of gateway patterns and designs. However, there is a common set of possible gateway functions that such patterns and designs can call upon.
