RSA APJ Video: Security Outgunned - Measuring Software Defined Attack Surface

Posted by Rich Seiersen on July 27, 2020

A few weeks ago, I presented at RSA APJ. This year it was a free, virtual event. Thanks to all who attended, and to those who also came to the Q&A session afterward. For those of you who couldn't make it, click below to see my talk, and read on to learn more about it.

Security Outgunned: Measuring Software Defined Attack Surface

Security is outgunned! The typical engineer-to-security ratio is 100:1 in many enterprises. Add cloud native development to the mix and security is left in the dust. It's the emerging reality, and that reality is not waiting for security to play catch-up.

This colossal mismatch is similar to the one between the New York Yankees and the Oakland A's described in the book and movie Moneyball. The A's had a budget in the low tens of millions of dollars, while the Yankees' budget was several hundred million. The A's were totally outgunned. What did they do? They optimized to win using data science: a type of modeling that used uncertain data to predict the best return on investment (ROI) on ball players in relation to winning games.

This talk takes a simplified approach to optimizing security. In this case, we consider technology investments one of the best and most efficient ways to control software defined attack surface. But there is a twist: we view inefficient technology as a waste-creating process that hinders security success. We look to optimize for winning by building a model that pits security products against one another, with the goal of seeing which product produces the least error (missed findings and false alarms) at the least cost over time. We look to do all that as quickly and as efficiently as possible.
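To make the "least error at the least cost over time" idea concrete, here is an added example (my own illustration, not the talk's code or the accompanying blog's model). It scores two hypothetical products by simulating their total cost over a year: licence cost plus the cost of the errors they make. The miss rate is treated as uncertain, drawn from a Beta posterior built from constructed evaluation counts, in the Moneyball spirit of modeling with uncertain data. Every figure below (product names, costs, detection counts, cost per miss and per false alarm) is a constructed assumption for the demonstration.

```python
import random
from dataclasses import dataclass


# Constructed, hypothetical product profiles: the numbers are illustrative only.
@dataclass
class Product:
    name: str
    cost_per_period: float           # licence + operating cost per period (assumed)
    detected: int                    # true findings the tool caught in a past evaluation
    missed: int                      # true findings it did not catch in that evaluation
    false_alarms_per_period: float   # findings per period that turned out not to be real


# Assumed cost of each kind of error (hypothetical figures, not from the page).
COST_PER_MISS = 10_000.0         # remediation once a missed finding surfaces elsewhere
COST_PER_FALSE_ALARM = 200.0     # analyst time to triage and close a non-issue


def simulate_total_cost(product, findings_per_period, periods, trials=2000, seed=1):
    """Monte Carlo estimate of a product's total cost over `periods` periods.

    The miss rate is not known exactly, so each trial samples it from
    Beta(missed + 1, detected + 1): the posterior from the evaluation counts under
    a uniform prior. A tool with little evidence behind it therefore gets a wider
    spread of outcomes, which the p90 figure exposes.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        miss_rate = rng.betavariate(product.missed + 1, product.detected + 1)
        total = 0.0
        for _ in range(periods):
            total += product.cost_per_period
            # Each real finding in the period is missed with probability miss_rate.
            missed = sum(1 for _ in range(findings_per_period) if rng.random() < miss_rate)
            total += missed * COST_PER_MISS
            total += product.false_alarms_per_period * COST_PER_FALSE_ALARM
        totals.append(total)
    totals.sort()
    mean = sum(totals) / len(totals)
    p90 = totals[int(0.9 * (len(totals) - 1))]   # 90th percentile: the "bad year" view
    return {"name": product.name, "mean": mean, "p90": p90}


def rank_products(products, findings_per_period=20, periods=12, trials=2000, seed=1):
    """Rank products by expected total cost (licence + error cost), cheapest first."""
    results = [
        simulate_total_cost(p, findings_per_period, periods, trials, seed)
        for p in products
    ]
    return sorted(results, key=lambda r: r["mean"])


# Constructed candidates: an expensive, accurate scanner versus a cheap, noisy one.
CANDIDATES = [
    Product("Scanner A", cost_per_period=50_000.0, detected=190, missed=10,
            false_alarms_per_period=30),
    Product("Scanner B", cost_per_period=20_000.0, detected=120, missed=80,
            false_alarms_per_period=5),
]

if __name__ == "__main__":
    for r in rank_products(CANDIDATES):
        print(f"{r['name']}: mean total cost {r['mean']:,.0f}, p90 {r['p90']:,.0f}")
```

The point the ranking makes is the one the talk makes: the cheaper licence is not the cheaper product once the cost of its errors over time is counted. Swapping the constructed counts for a real evaluation of candidate tools against the same set of known findings turns the same function into a decision aid.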

We have included a lengthy blog post and code to go with this video. Both can be found here:

Topics: Kubernetes, Cloud Native, DevSecOps, Security Metrics, RSAC, Risk Metrics

Written by Rich Seiersen

Rich is Cofounder and President of Soluble. Prior to Soluble, Rich spent 20 years deep in the salt mines of security operations and development. Along the way, he became a serial CISO with stints at LendingClub, Twilio and GE. But he got his start in security startups, building vulnerability management products for companies like Qualys and Tripwire. He's also the co-author of "How To Measure Anything In Cybersecurity Risk" and the forthcoming "The Metrics Manifesto: Confronting Security With Data."