business model, business model canvas, mission model, mission model canvas, customer development, hacking for defense, H4D, lean launchpad, lean startup, stanford, startup, steve blank, pete newell, bmnt, entrepreneurship, I-Corps, Security, NSIN, NSA, cybersecurity, Joe Felter
business model, business model canvas, mission model, mission model canvas, customer development, hacking for defense, H4D, lean launchpad, lean startup, stanford, startup, steve blank, pete newell, bmnt, entrepreneurship, I-Corps, Security, NSIN, NSA, disposable infrastructure, cyber, Joe Felter, DOD
business model, business model canvas, mission model, mission model canvas, customer development, lean launchpad, lean startup, stanford, startup, steve blank, entrepreneurship, I-Corps, Stanford
business model, business model canvas, mission model, mission model canvas, customer development, hacking for defense, H4D, lean launchpad, lean startup, stanford, startup, steve blank, pete newell, bmnt, entrepreneurship, I-Corps, Security, NSIN, NSA, cybersecurity, Joe Felter, ATO, DOD
Team Climate Change - 2022 Technology, Innovation & Great Power Competition - Stanford University
Technology Innovation and Great Power Competition,TIGPC, Gordian knot Center, DIME-FIL, department of defense, dod, intlpol 340, joe felter, ms&e296, raj shah, stanford, Steve blank, AI, ML, AI/ML, china, climate
Team Quantum - 2022 Technology, Innovation & Great Power Competition - Stanford University
Technology Innovation and Great Power Competition,TIGPC, Gordian knot Center, DIME-FIL, department of defense, dod, intlpol 340, joe felter, ms&e296, raj shah, stanford, Steve blank, AI, ML, AI/ML, china, Quantum
This document summarizes a webinar on mitigating insider threats. The webinar discussed research findings that malicious insiders often exhibit concerning behaviors and personal issues prior to attacks. It emphasized establishing capable guardianship, protecting critical assets, and reducing motivations for malicious acts. The webinar also covered different types of insider crimes, profiles of attackers, mitigation strategies like access controls and monitoring, and building a formal insider threat program with cross-functional participation.
Lecture 7 - Technology, Innovation and Great Power Competition - Space - Stanford University
Technology, Innovation and Great Power Competition,TIGPC, Gordian knot Center, DIME-FIL, department of defense, dod, hacking for defense, intlpol 340, joe felter, ms&e296, raj shah, stanford, Steve blank, AI, ML, AI/ML, china, unmanned, autonomy, space, space force, general Raymond, space command
Case Study: How The Home Depot Built Quality Into Software Development - CA Technologies
This session will cover how The Home Depot built quality into its software development as it migrated from waterfall to agile delivery.
For more information on DevOps: Continuous Delivery, please visit: http://cainc.to/CAW17-CD
Stream-based mobile and web event tracking backed by AWS Kinesis - Sebastian Schleicher
In these slides I introduce our open source ETL framework for stream-based mobile and web event tracking "Alchemist". You'll also learn how to easily and with little cost in-house all your event tracking thanks to some AWS tools.
A short history of Agile software development - Kane Mar
My 'Short History of Agile Software Development' presentation at the Innovation Campus, University of Wollongong.
I only had 20 minutes to speak, so I did an overview of the origins of 'Software Engineering' ('68 NATO conference) through to some new and different approaches to software. Along the way I talked about the 'New New Product Development Game', Scrum, Extreme Programming, the Agile Manifesto and some thoughts about what the future holds.
One Poll survey of 250 IT professionals on the state of application programming interface (API) security, which highlights growing concern for cybersecurity risk related to API use.
Scaling Agile with JIRA Software and Portfolio for JIRA - Atlassian
ABN AMRO transitioned from traditional waterfall projects to agile working over two years, growing from 1 to 400 agile teams. They implemented JIRA to manage issues but initially struggled with scaling. They restructured teams into grids and blocks, created portfolio levels in JIRA, and implemented portfolio management in JIRA to improve alignment across teams and gain insights. Key learnings included making an agile transition, creating a vision for JIRA configuration, providing training, and using portfolio features for cross-team work.
To help organizations charged with providing the nation's financial, energy, health care and other critical systems better protect their information and physical assets from cyber attack, the Commerce Department's National Institute of Standards and Technology (NIST) today released a Framework for Improving Critical Infrastructure Cybersecurity. The framework provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.
Henrik Kniberg: Lean from the Trenches keynote @ AgileEE - Agileee
This document summarizes a presentation about applying lean and agile principles to a large government project in Sweden called PUST. It describes how the project team used techniques like slicing work into small customer-focused stories, daily stand-ups, iterative planning and releases, continuous improvement retrospectives, and tracking metrics to successfully deliver the project on time and on budget while continuously improving their process.
Building a Cyber Threat Intelligence Knowledge Graph - Vaticle
Knowledge of cyber threats is a key focus in cyber security. In this talk, we present TypeDB CTI, an open source threat intelligence platform to store and manage such knowledge. It enables Cyber Threat Intelligence (CTI) professionals to bring their disparate CTI information together into one platform, making such data easier to manage and helping them discover new insights about cyber threats.
We will describe how we use TypeDB to represent STIX 2.1, the most widely used language and serialization format used to exchange cyber threat intelligence. We cover how we leverage TypeDB's modelling constructs such as type hierarchies, nested relations, hyper relations, unique attributes, and logical inference to build this threat intelligence platform.
Speaker: Tomás Sabat
Tomás is the Chief Operating Officer at Vaticle. He works closely with TypeDB's open source and enterprise users who use TypeDB to build applications in a wide number of industries including financial services, life sciences, cyber security and supply chain management. A graduate of the University of Cambridge, Tomás has spent the last seven years founding and building businesses in the technology industry.
Battery Ventures State of the OpenCloud Report 2022 - Battery Ventures
Battery Ventures' 2022 State of the OpenCloud report, compiled by General Partner Dharmesh Thakker and his team Danel Dayan, Jason Mendel and Patrick Hsu. The report analyzes the macro technology and economic trends impacting the cloud market, and provides advice for cloud-native entrepreneurs who are navigating these trends to build large, enduring businesses.
This document provides an overview of building an MVP (minimum viable product). It defines MVPs as the smallest product that can be built to test assumptions and quickly learn through the build-measure-learn process. The document discusses types of MVPs and why they are useful for starting the learning process quickly without investing a lot of time and money. It poses questions to help identify the core customer segment, their main problem, and essential product features to include in an MVP. Finally, it provides exercises for workshopping ways to test and validate an MVP.
Garyvee's content model involves taking a single "pillar" piece of content, like a keynote speech, and repurposing it into over 30 other pieces of short-form "micro content" targeted to different social media platforms. This includes extracting quotes, short video clips, and images from the pillar content and distributing them on platforms like Facebook, Instagram, Twitter, and Snapchat. The content is analyzed and community feedback is gathered to identify popular moments to create additional micro content from. This allows one piece of original content to be optimized for many platforms and drive continued engagement.
ANI | Agile Kolkata | PI Planning in Action | Anand Pandey | 19th Oct 2019 - AgileNetwork
Abstract
The primary purpose of PI planning in SAFe is to gain alignment between business owners and program teams on a common, committed set of Program Objectives and Team Objectives for the next release (PI) time-box. This workshop is to experience PI planning in action.
Key Takeaways
1. Understanding of the importance of PI planning
2. Good practices for an effective PI planning
3. Preparatory work required for a PI planning
COVID-19 Fact Base and Potential Implications for Brazil - Completo - Bain & Company Brasil
A new version of the study being published by our local Task Force on #Covid19 confirms the plateau scenario for Brazil and shows the Brazilian states continuing to concentrate in the "controlled risk" zone, with ICU occupancy around ~70% and more stable contamination levels.
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi... - apidays
Apidays Paris 2023 - Software and APIs for Smart, Sustainable and Sovereign Societies
December 6, 7 & 8, 2023
7 Mistakes When Putting In Place An API Program
Francois Lasne, Senior API Manager at Murex
The document provides an overview of the GovTech sector including key facts and figures about investment trends, notable companies, and subsectors. It summarizes that GovTech focuses on digital solutions for government and includes $4.6B in total funding for 1,050 companies. The US, Europe, and Israel are top regions for investment, while public safety management, emergency management, and open data publishing are leading subsectors. Notable companies mentioned include Palantir, Esri, LexisNexis, Tyler Tech, Everbridge, and ShotSpotter.
Organizational culture includes values, norms, systems, symbols, language, assumptions, beliefs, and habits that influence employee behaviors and how people interpret those behaviors. It is important because culture can help or hinder a company's success. Some key aspects of Netflix's culture that help it achieve results include hiring smartly so every position has stars, focusing on attitude over just aptitude, and having a strict policy against peacocks, whiners, and jerks.
Team LiOn Batteries - 2022 Technology, Innovation & Great Power Competition - Stanford University
Technology Innovation and Great Power Competition,TIGPC, Gordian knot Center, DIME-FIL, department of defense, dod, intlpol 340, joe felter, ms&e296, raj shah, stanford, Steve blank, AI, ML, AI/ML, china, LiOn Batteries
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering" - Aaron Rinehart
This document provides an overview of a presentation on chaos engineering and security chaos engineering. The presentation covers United Health Group's journey to rugged DevOps, combating complexity in software, and approaches to chaos engineering and security chaos engineering. Specific topics discussed include automated security configuration and validation using Chef and Inspec, using Gauntlt for automated vulnerability scanning, lessons learned from DevOps transformations, and examples of chaos engineering experiments and game days.
How to Monitor Digital Dependencies Across Your Modern IT Stack - ThousandEyes
The document discusses how to monitor digital dependencies across a modern IT stack. It notes the challenges of enabling digital services across hybrid work locations, networks, cloud infrastructure and more. When issues arise, outages can significantly impact organizations through lost revenue, customer churn and productivity losses. The presentation recommends taking a modern operations approach by collecting data across all infrastructure to identify problems, correlating alerts to prioritize issues, and defining workflows to quickly resolve problems. It demonstrates Cisco's ThousandEyes solution for enhancing operations through expanded visibility across networks and applications.
DevSecOps: Security at the Speed of DevOps - VMware Tanzu
This document discusses adopting a DevSecOps culture and practices through a 3-part framework. The framework involves: 1) Winning developers' trust by emphasizing building security in from the start rather than adding it on later, 2) Making security practices easy for developers to understand and implement through a self-assessment tool, and 3) Providing transparency to management on rollout progress through visualization of an organization's DevSecOps maturity. The overall aim is to achieve collaboration between development, operations, and security teams through a culture of shared responsibility for security.
HealthConDX Virtual Summit 2021 - How Security Chaos Engineering is Changing ... - Aaron Rinehart
The complex ordeal of delivering secure and reliable software in Healthcare will continue to become exponentially more difficult unless we begin approaching the craft differently.
Enter Chaos Engineering, but now also for security. Instead of a focus on resilience against service disruptions, the focus is to identify the truth behind our current state security and determine what “normal” operations actually look like when it's put to the test.
The speed, scale, and complex operations of modern systems make their behavior tremendously difficult for humans to model mentally. Security Chaos Engineering is an emerging practice that helps engineers and security professionals realign their understanding with the actual state of operational security and build confidence that it works the way it was intended to.
Join Aaron Rinehart to learn how he implemented Security Chaos Engineering as a practice at the world's largest healthcare company to proactively discover system weaknesses before they were taken advantage of by malicious adversaries. In this session Aaron will share his experience of applying Security Chaos Engineering to create highly secure, performant, and resilient distributed systems.
This document provides 12 steps to get started with AWS cloud. It begins with establishing principles for the cloud migration such as choosing AWS as the primary cloud partner and agreeing on security objectives. It recommends forming small "2 pizza" engineering teams and establishing a questions parking lot. It emphasizes establishing clear objectives for costs, security, availability and compliance. It outlines that AWS is responsible for security of the cloud while customers are responsible for security in the cloud. The document provides an overview of AWS security services.
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf - JustinBrown267905
The document provides an overview of cybersecurity frameworks, fundamentals, and foundations. It discusses common cybersecurity terms like frameworks, controls, and standards. It also examines drivers for cybersecurity like laws, compliance, audits and data privacy. Key areas covered include asset inventory, risk assessment, threat modeling, security controls, frameworks like NIST CSF, and the importance of people and human factors. The document aims to help organizations strengthen their cybersecurity posture and navigate the complex landscape of improving security.
Executive Perspective Building an OT Security Program from the Top Down - accenture
Designed for executives, this non-technical track addresses key components of a successful OT security program. The discussions are intended to spark conversation and this guide highlights key takeaways on what works, what doesn’t and what’s next. https://accntu.re/3N7KmiZ
Estimation is critical to IT demand management as today's senior IT executives deal with a familiar challenge - how to balance the size of the development team with the company's software wish list. Modern estimation techniques offer critical insight into this challenge. In this presentation, you will learn the ins and outs of estimation and how to effectively utilize estimation to ensure project success.
The document discusses the importance of demand estimation for balancing IT capacity and planning. It outlines challenges in demand management and capacity planning, including unrealistic demand estimation and ineffective resource optimization. The key points are:
1) Accurate demand estimation and matching capacity to demand is difficult due to changing business needs, technologies and unpredictable project pipelines.
2) Top-down scope-based estimation is considered a best practice for identifying unrealistic stakeholder expectations early and providing alternative estimates.
3) Early estimates will necessarily have more uncertainty but can still help identify unreasonable cost and schedule proposals.
End-to-End OT SecOps Transforming from Good to Great - accenture
Building and growing an OT SecOps program takes vision, buy-in and budget. This track explores how to take your program to the next level. The discussions are intended to spark conversation and this guide highlights key takeaways on what works, what doesn’t and what’s next. https://accntu.re/3tz7wGY
This talk will demo one threat modeling methodology and how an engineering team is appending it to their Secure Software Development Life Cycle. The goal is to create a single platform for communicating architectural risk and planning mitigations within sprints. This will not only address security concerns sooner in a product's lifecycle but establish a trusting relationship between engineering and security teams. As an ever-evolving space, to reduce risk and deploy products to market, this is one additional step any software-focused team can quickly adapt to their practices.
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx - lior mazor
Our technology, work processes, and activities all depend on whether we trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security into the development process, apply advanced DevSecOps methods, implement secure coding analysis, and manage software security risks.
PLAY TO WIN
In Business, As In Chess, Forethought Wins
Showcasing exemplary stories of success where channel partners have gone to great lengths to implement innovative solutions. Acclaiming those partners who have risen to the challenges of the digital era and transformed their business to a solutions offering. Inspiring channel businesses to become value-added providers and trusted allies to their customers. Stories that made a Difference.
Cyber Risk Management in 2017: Challenges & Recommendations (Ulf Mattsson)
Ulf Mattsson presented on cyber risk management challenges and recommendations in 2017. He discussed trends like the increasing involvement of boards in cybersecurity oversight. Mattsson also covered topics such as talking to boards about cyber risk, data security blind spots within organizations, and how the Payment Card Industry Data Security Standard is evolving to incorporate concepts like data discovery and integrating security into the development process. He emphasized the importance of generating security metrics and adopting a DevSecOps approach to strengthen an organization's security posture and compliance.
MGT3342BUS - Architecting Data Protection with Rubrik - VMworld 2017 (Andrew Miller)
This document provides an overview of architecting data protection with Rubrik presented by Andrew Miller and Rebecca Fitzhugh. It discusses key considerations for disaster recovery planning like business impact analyses, service level agreements, recovery point and recovery time objectives. It introduces Rubrik's approach to data management which aims to simplify architectures using a software-defined fabric. The presentation demonstrates Rubrik's capabilities for rapid data ingestion, intelligent SLA policies, instant recovery of VMs and files, and integration with public clouds.
SecDevOps is a set of business methodologies, operational procedures, & cultural practices proven to increase security, improve software quality, improve release frequency, & provide immediate insight into organizational exposures.
This presentation was accepted to the ASIA 2018 conference, authored by Thomas Cappetta.
Adaptive & Unified Approach to Risk Management & Compliance via CCF (awish11)
This document provides an overview of Vishal Kalro's presentation on an adaptive and unified approach to risk management and compliance via a Common Controls Framework (CCF). The presentation discusses how the risk landscape has changed with technology shifts like cloud, IoT, and third parties. It argues that compliance should enable and motivate security practices. The presentation then outlines a roadmap for implementing a CCF, including scoping, gap assessments, remediation, audits and certification. Continuous monitoring is identified as key to making CCF an ongoing journey. Potential benefits of a mature CCF program include a secure environment, risk management and reasonable assurance, and cost savings.
Customer Story: Scaling Security With Detections-as-Code (Panther Labs)
Learn how Cedar is leveraging Detections-as-Code with Panther to build high-signal alerts to gain visibility into user activity, suspicious behaviors, and unauthorized data sharing.
AppSphere 15 - Smoke Jumping with AppDynamics (AppDynamics)
IHS experienced the raw power of AppDynamics upon their first installation by immediately gaining insight into their applications' problems in production. With the help of AppDynamics, IHS was able to increase collaboration between the operations and development teams in an effort to fix performance issues. The various IHS teams were able to benefit from having tangible evidence and metrics to pinpoint the exact root cause, enabling clearer communication on performance problems.
In this talk, you'll learn how IHS:
- Built a bridge between the operations and development workflows
- Used custom dashboards for multiple teams throughout their organization
- Reduced confusion across teams on performance root cause
- Monitors multiple environments to filter potential problems early
This deck was originally presented at AppSphere 2015.
Team Networks - 2022 Technology, Innovation & Great Power Competition (Stanford University)
Team Disinformation - 2022 Technology, Innovation & Great Power Competition (Stanford University)
Team Wargames - 2022 Technology, Innovation & Great Power Competition (Stanford University)
Team Acquisition - 2022 Technology, Innovation & Great Power Competition (Stanford University)
The document describes a team's efforts to commercialize a new protein quantification technology called PLA-Seq. After initially thinking the technology's value propositions of lower cost, faster throughput, and lower sample volume would appeal to pharmaceutical and personalized health companies, the team conducted customer interviews and learned accuracy was more important than cost to most customers. They also found their target markets should be preclinical biotech and academia rather than personalized health or CROs. The team incorporated their business and pivoted their marketing strategy and funding plans accordingly based on learnings outside of the building.
The document summarizes the development of Invisa Bio over 10 weeks as they pivoted between different medical applications and solutions for their self-assembling medical device technology. They initially focused on manufacturing and delivery but shifted to leveraging drug delivery mechanisms. They considered applications in cardiology, neurology, and orthopedics before focusing on brain aneurysms based on feedback from physicians. The company incorporated, raised funding, and began shadowing doctors to further develop their technology to address unmet needs in difficult to reach areas.
(1) The document describes the journey of a team developing a saffron supplement product to address mental health issues like anxiety and depression.
(2) It started with the goal of targeting adults aged 18-40, but through customer interviews and testing, they learned that teenagers were more interested in an anti-anxiety gummy product.
(3) Key lessons included the challenges of building the right team, navigating advice, knowing when enough customer feedback has been received, and setting individual and project milestones. The team is now continuing work over the summer to further develop the product.
Team Army venture capital - 2021 Technology, Innovation & Great Power Competition (Stanford University)
Team Catena - 2021 Technology, Innovation & Great Power Competition (Stanford University)
Team Apollo - 2021 Technology, Innovation & Great Power Competition (Stanford University)
Team Drone - 2021 Technology, Innovation & Great Power Competition (Stanford University)
Team Short Circuit - 2021 Technology, Innovation & Great Power Competition (Stanford University)
Team Aurora - 2021 Technology, Innovation & Great Power Competition (Stanford University)
Team Conflicted Capital Team - 2021 Technology, Innovation & Great Power Competition (Stanford University)
Lecture 8 - Technology, Innovation and Great Power Competition - Cyber (Stanford University)
Lecture 6 - Technology, Innovation and Great Power Competition - Autonomy and Unmanned Systems (Stanford University)
Lecture 6 - Technology, Innovation and Great Power Competition - Unmanned Systems (Stanford University)
This document provides an agenda and speaker information for a lecture on unmanned platforms and autonomy. The lecture includes presentations from senior leaders in the Navy, Defense Innovation Unit, Boeing, and Anduril Industries. It discusses logistics for the class including a rescheduled date and assignment due dates. Student group projects are reviewed to provide feedback on problem statements. Questions from students are taken at the end.
Walmart Business+ and Spark Good for Nonprofits.pdf (TechSoup)
Learn about all the ways Walmart supports nonprofit organizations.
You will hear from Liz Willett, the Head of Nonprofits, and hear about what Walmart is doing to help nonprofits, including Walmart Business and Spark Good. Walmart Business+ is a new offer for nonprofits that offers discounts and also streamlines nonprofits' order and expense tracking, saving time and money.
The webinar may also give some examples on how nonprofits can best leverage Walmart Business+.
The event will cover the following:
Walmart Business+ (https://business.walmart.com/plus) is a new shopping experience for nonprofits, schools, and local business customers that connects an exclusive online shopping experience to stores. Benefits include free delivery and shipping, a 'Spend Analytics' feature, special discounts, deals and tax-exempt shopping.
Special TechSoup offer for a free 180-day membership, and up to $150 in discounts on eligible orders.
Spark Good (walmart.com/sparkgood) is a charitable platform that enables nonprofits to receive donations directly from customers and associates.
Answers about how you can do more with Walmart!
Strategies for Effective Upskilling is a presentation by Chinwendu Peace in a Your Skill Boost Masterclass organised by the Excellence Foundation for South Sudan on 8th and 9th June 2024 from 1 PM to 3 PM on each day.
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP (RAHUL)
This Dissertation explores the particular circumstances of Mirzapur, a region located in the core of India. Mirzapur, with its varied terrains and abundant biodiversity, offers an optimal environment for investigating the changes in vegetation cover dynamics. Our study utilizes advanced technologies such as GIS (Geographic Information Systems) and Remote Sensing to analyze the transformations that have taken place over the course of a decade.
The complex relationship between human activities and the environment has been the focus of extensive research and worry. As the global community grapples with swift urbanization, population expansion, and economic progress, the effects on natural ecosystems are becoming more evident. A crucial element of this impact is the alteration of vegetation cover, which plays a significant role in maintaining the ecological equilibrium of our planet.
Land serves as the foundation for all human activities and provides the necessary materials for these activities. As the most crucial natural resource, its utilization by humans results in different 'land uses,' which are determined by both human activities and the physical characteristics of the land.
The utilization of land is impacted by human needs and environmental factors. In countries like India, rapid population growth and the emphasis on extensive resource exploitation can lead to significant land degradation, adversely affecting the region's land cover.
Therefore, human intervention has significantly influenced land use patterns over many centuries, evolving its structure over time and space. In the present era, these changes have accelerated due to factors such as agriculture and urbanization. Information regarding land use and cover is essential for various planning and management tasks related to the Earth's surface, providing crucial environmental data for scientific, resource management, policy purposes, and diverse human activities.
Accurate understanding of land use and cover is imperative for the development planning of any area. Consequently, a wide range of professionals, including earth system scientists, land and water managers, and urban planners, are interested in obtaining data on land use and cover changes, conversion trends, and other related patterns. The spatial dimensions of land use and cover support policymakers and scientists in making well-informed decisions, as alterations in these patterns indicate shifts in economic and social conditions. Monitoring such changes with the help of advanced technologies like Remote Sensing and Geographic Information Systems is crucial for coordinated efforts across different administrative levels.
Changes in vegetation cover refer to variations in the distribution, composition, and overall structure of plant communities across different temporal and spatial scales. These changes can occur naturally.
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx (EduSkills OECD)
Iván Bornacelly, Policy Analyst at the OECD Centre for Skills, OECD, presents at the webinar 'Tackling job market gaps with a skills-first approach' on 12 June 2024
This slide is special for master students (MIBS & MIFB) in UUM. Also useful for readers who are interested in the topic of contemporary Islamic banking.
Bangladesh Economic Review 2024 [Bangladesh Economic Review 2024 Bangla.pdf]: the complete Bangla e-book or PDF, with computer, tablet and smartphone versions, "Table of contents ... with a bookmark menu 🔖 and hyperlink menu 📝👆 added."
A very important book for all of us: it is a very important subject for the BCS, bank and university admission exams and any competitive exam. Besides, you will find any recent data or information about Bangladesh in this book.
So, as a citizen, you need to know this information.
For the BCS and bank written exams; it will also be very useful for secondary and higher-secondary students.
1. Current Problem Scope:
Sub-optimal maintenance window scheduling delays the remediation of vulnerabilities at the DLA, weakening the agency’s cybersecurity. The tradeoff between operational uptime requirements and the security benefits of frequent patching isn’t quantitatively understood.
Original Problem Scope:
Cybersecurity analysts need a tool to more quickly remediate vulnerabilities in DLA systems in order to keep their network secure.
Team Salus
Support Team:
● Sponsor: Shane Williams, DLA Information System Security Manager
● Business Mentor: Richard Tippitt, Defense Innovation Unit (DIU), Product Specialist
● Defense Mentor: LTC Jim Wiese, Hoover Institution, National Security Affairs Fellow
94 Total Interviews
Team:
● Noah Frick (MBA, Strategy/Product)
● Shreyas Parab (BS Biocomputation, Product)
● Kyla Guru (BS Compsci/IR, Cyber Expert)
● Henry Person (MS MS&E, Industry Expert)
● Michael Wornow (PhD Compsci, AI Expert)
Sponsor Organization: Defense Logistics Agency (DLA)
2. The Problem
The DLA provides critical logistics to the Department of Defense and across the federal government. Cyber attacks present an existential risk to a critical node that helps maintain readiness.
Example Vulnerability Breakdown:
● Critical 27,000
● High 22,000
● Medium 87,000
● Low 17,00
19 critical business applications running on thousands of servers across several different hosted environments.
4. At first, we thought it was all about detecting...
DLA Sponsor: “We need an AI-powered malware detector based on cutting-edge research.”
Team Salus: “Taking a step back, a tool that simply scanned and ranked vulnerabilities might be super helpful!”
5. “Vulnerability scanning actually does a pretty good job at detecting known vulnerabilities, but we have to know what assets to scan.”
Enterprise Vulnerability Scanner
6. Then, we thought it was asset management!
Team Salus: “Wait, the DLA doesn’t even know what computers are on their network; let’s fix that!”
7. Then, we thought it was asset management!
DLA Cyber Tools Team: “Hold on, we already built an internal tool that solves that problem.”
8. So, we focused on learning about process
Scanning → Patch Testing → Patch Deployment → Patch Validation
9. And we learned...
Requires an initial coordination process to test the patch... and then an additional coordination process to deploy the patch into production!
11. We realized we needed to update our Beneficiaries
Information Technology Division (J6):
● J61, Vulnerability Managers and Information System Security Managers: audit vulnerabilities, track patching progress
● J62, Application Programs: own the software and hardware which are affected by patches...
● J64, Infrastructure Programs: coordinate and implement patches!
12. We realized we needed to update our Beneficiaries
Information Technology Division (J6):
● J61, Vulnerability Managers and Information System Security Managers: “All I can do is ask nicely”
● J62, Application Programs: “I care about patching, but it’s hard to coordinate with [infrastructure programs]”
● J64, Infrastructure Programs and System Administrators: “We don’t want to annoy the applications, all they care about is uptime”
13. We found more validation in alternative sources...
“The problem pretty much always boils down to a lack of understanding across all involved parties regarding what will happen when we install this patch.” - @VA_Network_Nerd
“Imagine Stanford grad students coming to reddit for help...” - @geezer1492
14. And challenged common sense...
J62 Application Program Manager: “We only schedule our maintenance windows in the middle of the payroll period”
Team Salus: “That makes sense. Do you look at any usage data that validates that belief?”
J62 Application Program Manager: “Nope! We just rely on common sense”
15. How is scheduling currently conducted? (J62, J64)
● Change Management Meetings
● Ticketing System or Emails
● Static Calendars
“We want to be patching more on our terms. Our frustration is we have no say in the matter” - J62 Application Program Manager
“I need to be a little gun-shy with updates, because I’ve gotten blowback from applications” - J64 Windows Patch Technician
16. Smart Maintenance Window Scheduler
Application/patch matrix (columns Patch 1, Patch 2, Patch 3; the x positions did not survive extraction):
Application 1: x x
Application 2: x x
Application 3: x
Patch table:
Patch    Severity   CCRI Exposure   Time Unremediated
Patch 3  CRITICAL   2               5
Patch 2  MEDIUM     1               30
Patch 1  MEDIUM     2               10
Recommended maintenance windows:
1. Application 2: Patch 3 & 1 (Patch 3 is CRITICAL; optimal time for Patch 1)
2. Application 1 & 2: Patch 2 (Reason: Patch 2 has longer un-remediated time)
3. Application 3: Patch 3 (Reason: optimal time for Patch 3)
[Click Here To Schedule w/ CM]
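The slide shows only the scheduler's output. As an added example, not Team Salus's tool, the planner below turns the reasons the slide gives (critical first, then the longest-unremediated patch, then an application's low-usage slot) into working code; the ordering rules, the application-to-patch mapping read from the slide's recommendations, the "days" reading of Time Unremediated and the low-usage slots are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Severity ranks; higher sorts first. Labels match the slide's vocabulary.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass(frozen=True)
class Patch:
    name: str
    severity: str
    ccri_exposure: int       # CCRI exposure score, as tabulated on the slide
    days_unremediated: int   # "Time Unremediated" column, taken as days (assumption)


def patch_priority(patch: Patch) -> Tuple[int, int, int]:
    """Sort key: severity first, then how long the patch has sat unapplied,
    then CCRI exposure as the final tie-breaker. Larger means more urgent."""
    return (SEVERITY_RANK[patch.severity], patch.days_unremediated, patch.ccri_exposure)


def deferral_cost(patches: List[Patch]) -> int:
    """Crude risk-of-waiting measure for a bundle: severity-weighted age."""
    return sum(SEVERITY_RANK[p.severity] * p.days_unremediated for p in patches)


def plan_windows(
    patches: List[Patch],
    app_patches: Dict[str, List[str]],
    low_usage_slots: Dict[str, List[str]],
) -> List[dict]:
    """Build an ordered maintenance plan.

    app_patches:     application -> names of patches pending for it
    low_usage_slots: application -> candidate slots, earliest first, e.g. derived
                     from the usage data the team asked J62 about (assumed input)

    Every pending patch for an application is bundled into one window so the
    application goes down once. Applications are scheduled in order of their most
    urgent patch; each takes its earliest low-usage slot not already claimed by a
    more urgent window, so change management runs one window at a time.
    """
    catalogue = {p.name: p for p in patches}
    bundles: Dict[str, List[Patch]] = {}
    for app, names in app_patches.items():
        pending = sorted((catalogue[n] for n in names), key=patch_priority, reverse=True)
        if pending:
            bundles[app] = pending

    ordered_apps = sorted(
        bundles,
        key=lambda a: (patch_priority(bundles[a][0]), deferral_cost(bundles[a])),
        reverse=True,
    )

    taken = set()
    plan = []
    for window_no, app in enumerate(ordered_apps, start=1):
        slot = next((s for s in low_usage_slots.get(app, []) if s not in taken), None)
        if slot is None:
            slot = "UNSCHEDULED"   # no free low-usage slot: flag for manual coordination
        else:
            taken.add(slot)
        top = bundles[app][0]
        plan.append({
            "window": window_no,
            "app": app,
            "slot": slot,
            "patches": [p.name for p in bundles[app]],
            "reason": f"{top.name} is {top.severity}, {top.days_unremediated} days unremediated",
        })
    return plan


# Constructed sample input mirroring the slide's patch table. The application-to-patch
# mapping is read from the slide's recommendations; the slots are invented.
PATCHES = [
    Patch("Patch 3", "CRITICAL", ccri_exposure=2, days_unremediated=5),
    Patch("Patch 2", "MEDIUM", ccri_exposure=1, days_unremediated=30),
    Patch("Patch 1", "MEDIUM", ccri_exposure=2, days_unremediated=10),
]
APP_PATCHES = {
    "Application 1": ["Patch 2"],
    "Application 2": ["Patch 1", "Patch 2", "Patch 3"],
    "Application 3": ["Patch 3"],
}
LOW_USAGE_SLOTS = {
    "Application 1": ["Sat 02:00", "Sun 02:00"],
    "Application 2": ["Sat 02:00", "Sun 02:00"],
    "Application 3": ["Sat 02:00", "Sun 02:00", "Mon 03:00"],
}

if __name__ == "__main__":
    for w in plan_windows(PATCHES, APP_PATCHES, LOW_USAGE_SLOTS):
        print(f"Window {w['window']}: {w['app']} @ {w['slot']} -> {w['patches']} ({w['reason']})")
```

With this input Application 1 ends up UNSCHEDULED because its only pending patch is MEDIUM and both of its low-usage slots are claimed by more urgent windows, which is exactly the kind of conflict the slide's change-management hand-off has to surface.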
17. And found validation presenting our ideas
“I really like how you’re thinking about this from a logistics point of view...right now, we’re [patching] blindly” - DARPA Cyber Researcher
“Determining when maintenance windows should be, now THAT sounds helpful” - Industry Cybersecurity Professional
21-27. We continued testing our MVP and received mixed feedback...
Refuting:
● “I’m not sure if it is possible.” - DLA Enterprise Infrastructure Director
● “It needs to be optimized for the customer.” - DLA Enterprise Infrastructure Director
● “This is too simplified.” - CSO, Cybersecurity Vendor
● “We don’t have enough changes for backlogs.” - Stanford ISO
Validating:
● “Scheduling is definitely something that needs to be considered.” - DLA Enterprise Infrastructure Director
● “Maybe we need to be willing to accept impacts to customers and business to improve our security.” - DLA Enterprise Infrastructure Director
● “I like your ideas of algorithm recommendations, and patching more frequently is the right mindset.” - CSO, Cybersecurity Vendor
● “We sometimes have large patch backlogs that are from patches not being implemented in previous months.” - Stanford VM
28. And struggled to find a champion...
DLA Chief of Application Support: “I like your ideas, they seem very interesting!”
Team Salus: “Great! Would you be interested in writing a requirement for us?”
DLA Chief of Application Support: “It sounds interesting, and I’d love to help you in your research.”
...in other words… No...
29. A key learning!
“I think there’s an opportunity in the space you’re looking at, but it has to do with how you’re pitching it. It’s a really tough sell to ask decision makers to invest in security, which is a cost-sucker and not a value-driver” - University of San Diego Cyber Researcher
Decision-makers need to be convinced that patching more frequently will BOTH minimally impact business AND tangibly improve security TO more efficiently allocate limited resources.
30. So we made an information sheet...
Salus monitors the vulnerability state of your organization’s cyber assets and recommends more dynamic, smarter, and less disruptive maintenance windows:
1) Decrease your risk exposure
2) Minimize impact to business operations
3) Allow for better allocation of limited IT resources.
31. “This sounds great, if you could prove to me that it’s feasible.” - DLA Deputy Director of Strategic Business Operations
32. How can we do this?
[Ten-week timeline, Week 1 through Week 10: Focus on Key Activities, Partners, Deployment Options]
34. We searched for commercial proxies
● Multinational Non-Tech Companies
● Large, Decentralized Universities
● Agile companies who have a modern tech stack, low technical debt and mostly built cybersecurity features within the past 5 years
35. And weighed several possible routes to deployment...
● Department of Defense: ITCR with DLA; SBIR / AFWERX grant; DoD Integrator
● Stanford + National Labs: Proof-of-concept on Stanford network; CRADA for data; Research collab (LBNL, Sandia)
● Enterprise Customers: SaaS vendor (ServiceNow, SAP); Open market
36. But finally learned that ServiceNOW is taking over the world!
“Your optimized scheduling idea could likely be implemented on the ServiceNOW development engine!” - DLA Program Manager overseeing ServiceNOW implementation
37. What did we learn? What’s next?
[Ten-week timeline, Week 1 through Week 10: Reflection and Summer Plans]
40. Final Recommendations for DLA
● Implement ServiceNOW for Change Management with top-down emphasis
● Include ServiceNOW integration expectation in contracts with service providers
● Recognize that ServiceNOW does not provide insights into those tradeoffs with real data or risk analysis:
1) Develop a NOW platform business application internally
2) Team Salus
41. Looking back, we learned a lot...
Day 1: We broadly wanted to help analysts remediate cyber vulnerabilities.
Day 70: We aim to help program managers, infrastructure owners, and change managers better schedule their maintenance downtime for patching.
Main Lesson: We often mistook curiosity and interest as strong validation. We didn’t ask “Would you buy?” often enough.
Key Takeaway: Patch management is a surprisingly time-consuming, error-prone process, and we’re confident there is significant room for improvement in the space. Our understanding of business impact requires additional legwork.
42. Team Salus
● Noah Frick (MBA, Strategy/Product)
● Shreyas Parab (BS Biocomputation, Product)
● Kyla Guru (BS Compsci/IR, Cyber Expert)
● Henry Person (MS MS&E, Industry Expert)
● Michael Wornow (PhD Compsci, AI Expert)
Improving cyber security by optimizing the vulnerability patching process
Team Salus will continue to research and prove the feasibility of our optimization ideas and use of data and risk analysis in scheduling maintenance.
If you or anyone you know would be interested in improving their organization’s cyber security posture, reach out to us at teamsalus.h4d@gmail.com
Editor's notes
Hi everyone, my name is Noah, and I am happy to be presenting tonight on behalf of Team Salus. We were paired with the Defense Logistics Agency with a simple problem statement: to more quickly help cybersecurity analysts fix cyber vulnerabilities. Over the course of 10 weeks, we learned a lot, and I’m looking forward to walking you through our journey.
//
We are a mixed team of varying backgrounds and study focuses - prior military service, concurrent part-time work at Google, a computer science PhD, undergrads with startup and cybersecurity experience... but we came together early on because we were all interested in ACTUALLY DOING something to make a difference. Given some of our backgrounds in the space and the virtual environment constrained by COVID, we decided cybersecurity was a great problem area to pursue.
We were paired with the Defense Logistics Agency with a simple problem statement: to more quickly help cybersecurity analysts remediate vulnerabilities in DLA systems. Cyber security analysts refers to those responsible for reporting on the security readiness of the organization and recommending action plans.
We’ve interviewed over 90 experts: DLA practitioners, industry practitioners, business focused managers, academics, and many more, and in doing so, learned a LOT about what the vulnerability remediation process looks like and how we may be able to help.
Over the next few minutes, we’ll walk through our journey and our learnings and how we arrived at our current problem statement.
The DLA provides critical logistics to the DOD and across the federal government, and provides most of its services through online web applications.
Every day, cyber vulnerabilities in underlying software and applications are publicly identified. These vulnerabilities present malicious actors with opportunities to conduct cyber attacks against the DLA and disrupt the flow of logistics that keeps our military running.
At any given time, there are over 100k KNOWN vulnerabilities present on DLA assets... a figure that seemed to us absolutely mind-blowing, leaving critical systems exposed to attack.
We were excited to take on this problem, and so we began our journey.
In the first two weeks, we drank from the fire hose.
Our sponsor originally envisioned an AI-Powered solution, and we thought it sounded great!
However, we quickly learned that scanning actually does a pretty good job.
This was our first lesson in the complex process that is vulnerability management.
Many different stakeholders, most of them NOT "cybersecurity analysts", have a say in the matter, all with different perspectives and different understandings of the complex process outside their immediate bubble. As we would come to find out, parsing apart fact from perception would be a common theme of our discovery.
We continued to interview, and discovered a new, tangential problem: asset management. It turns out it's really hard for organizations, and especially the DLA with over 190K assets, to know what servers, laptops, tablets, and other IT equipment are on their networks and what belongs to whom.
However, we quickly learned that an internal DLA team was already working on a solution for this very problem.
We were excited that we had homed in on something important, but frankly a little disappointed that it was already being fixed; we felt late to the party! Still, we suspected there were other pain points where we could provide value, and we didn't want to end our journey, so we kept on digging.
So, we built out our understanding of the vulnerability management process and drew a process flowchart. This was a tool to help us, and most people we had interviewed had never seen the process laid out like this before. It was a useful tool to talk from to establish a common language. As we mapped out the key activities, we realized this was about patching! It seemed like there was A LOT of process friction and bottlenecks surrounding patching.
Patching, simply put, is upgrading software to fix vulnerabilities. Software upgrades on centralized servers can have unintended consequences and affect a wide range of people, so patches need to be applied at least twice: first in a "test" environment, and then deployed into what's called "production".
With a better understanding of the process, we began an important ideation phase.
The focus on patching brought to light a change in our beneficiaries, and we identified three primary beneficiary types within the J6 IT department:
The application program managers, who are responsible for the smooth running of the DLA's web applications;
The infrastructure owners, who host these applications;
And the vulnerability managers, who track and report vulnerabilities.
We homed in on something that seemed important: coordination issues and misaligned incentives.
To put it simply: there is a tradeoff between security and operational uptime, because patching requires server reboots. Different stakeholders have different ideas of what this tradeoff should look like because of their different incentives and focus areas.
We even found validation in alternative sources, with one of our more social-media-minded teammates crowdsourcing insight from Reddit.
Another thing we noticed in our interviews is that many ideas about uptime requirements were based on perception and not validated facts. Given that this H4D course was all about validating assumptions, we thought this was important!
As we focused on coordination in our interviews, we dug into how exactly patch scheduling was currently conducted. We learned that there was a constant back and forth between the application programs and the infrastructure owners.
The communication methods seemed antiquated, and as evidenced by the quotes on the right, communication breakdown was real. It didn't seem like it was working as well as it could!
With these two ideas in mind, we iterated and landed on our best MVP yet: a Smart Maintenance Window Scheduler. Our idea was simple: overlay different types of usage data, constraint data, and vulnerability state data, and recommend smarter maintenance windows that optimize security while minimizing the impact on normal business operations.
We quickly received 10+ validating interviews on the idea with DLA employees. We felt good!
We even received feedback from outside the DLA, demonstrating to us that this idea may have some broader applicability. We were riding high!
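An added illustration of the Smart Maintenance Window Scheduler idea (example code written for this page, not Team Salus's prototype; the weekly usage profile, the blackout constraints, the vulnerability list and the scoring rule are all constructed assumptions). It overlays the three inputs the idea names: per-hour usage, constraint windows in which reboots are forbidden, and the open vulnerabilities' CVSS scores and fix age, and recommends the window with the lowest combined score. The risk_weight parameter is the knob that encodes the uptime-versus-security tradeoff the stakeholders disagreed about: a high weight picks the earliest allowed window, a low weight waits for the quietest one.

```python
"""Smart maintenance window scoring.

Illustration added to this page; not Team Salus's tool. The weekly usage
profile, blackout constraints and vulnerability list are constructed.
Hour index: 0 = Monday 00:00 ... 167 = Sunday 23:00.
"""
from dataclasses import dataclass
from typing import List, Optional

HOURS_PER_WEEK = 7 * 24


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str      # constructed label, not a real CVE identifier
    cvss: float       # CVSS base score, 0-10
    age_days: int     # days since the fix became available


@dataclass(frozen=True)
class Constraint:
    """Hours [start_hour, end_hour) during which reboots are not allowed."""
    start_hour: int
    end_hour: int
    reason: str


@dataclass(frozen=True)
class WindowScore:
    start_hour: int
    impact_sessions: int   # user sessions interrupted by the reboot
    delay_cost: float      # risk carried while waiting for this window
    total: float


def weekly_usage_profile() -> List[int]:
    """Constructed sample: active sessions per hour for one web application."""
    profile = []
    for day in range(7):
        for hour in range(24):
            if day >= 5:                              # weekend
                sessions = 5 if 8 <= hour < 18 else 1
            elif 8 <= hour < 18:                      # weekday business hours
                sessions = 120
            elif 6 <= hour < 8 or 18 <= hour < 21:    # shoulder hours
                sessions = 30
            else:                                     # weeknight
                sessions = 3
            profile.append(sessions)
    return profile


def weekday_business_hours() -> List[Constraint]:
    """Constructed constraints: no reboots 08:00-18:00 Mon-Fri, nor during a Sunday batch job."""
    cons = [Constraint(d * 24 + 8, d * 24 + 18, "business hours") for d in range(5)]
    cons.append(Constraint(6 * 24 + 22, 7 * 24, "weekly batch job"))
    return cons


def hourly_risk(vulns: List[Vulnerability]) -> float:
    """Exposure carried per hour of delay: CVSS weighted, and fixes that have
    been available longer weigh more so the backlog does not sit indefinitely."""
    return sum(v.cvss * (1.0 + v.age_days / 30.0) for v in vulns)


def window_is_allowed(start: int, duration: int, constraints: List[Constraint]) -> bool:
    """True only if no hour of the window falls inside a blackout constraint."""
    for h in range(start, start + duration):
        hh = h % HOURS_PER_WEEK
        if any(c.start_hour <= hh < c.end_hour for c in constraints):
            return False
    return True


def score_windows(usage, vulns, constraints, duration_hours, now_hour=0, risk_weight=1.0) -> List[WindowScore]:
    """Score every allowed window starting within the next week.
    total = sessions interrupted + risk_weight * hours of delay * hourly risk."""
    risk = hourly_risk(vulns)
    scored = []
    for offset in range(HOURS_PER_WEEK):
        start = now_hour + offset
        if not window_is_allowed(start, duration_hours, constraints):
            continue
        impact = sum(usage[(start + i) % HOURS_PER_WEEK] for i in range(duration_hours))
        delay_cost = risk_weight * offset * risk
        scored.append(WindowScore(start % HOURS_PER_WEEK, impact, delay_cost, impact + delay_cost))
    return scored


def recommend_window(usage, vulns, constraints, duration_hours, now_hour=0, risk_weight=1.0) -> Optional[WindowScore]:
    """Lowest total score, earliest start breaking ties; None if constraints block every window."""
    scored = score_windows(usage, vulns, constraints, duration_hours, now_hour, risk_weight)
    if not scored:
        return None
    return min(scored, key=lambda w: (w.total, w.start_hour))


SAMPLE_VULNS = [
    Vulnerability("VULN-A", 9.8, 14),   # constructed: critical, fix available for two weeks
    Vulnerability("VULN-B", 7.5, 3),    # constructed: high, fix available for three days
]

if __name__ == "__main__":
    usage, cons = weekly_usage_profile(), weekday_business_hours()
    for w in (1.0, 0.1):   # how heavily each hour of continued exposure is weighted
        best = recommend_window(usage, SAMPLE_VULNS, cons, duration_hours=2, now_hour=9, risk_weight=w)
        print(f"risk_weight={w}: start hour {best.start_hour}, {best.impact_sessions} sessions, total {best.total:.1f}")
```

With the constructed profile and a patch request arriving Monday 09:00 (now_hour=9), risk_weight=1.0 recommends Monday 18:00, the first window after business hours, while risk_weight=0.1 waits for Monday 21:00 when only a handful of sessions are active. An all-week freeze constraint makes recommend_window return None rather than silently picking a blocked slot, which is the case a scheduler has to surface to a human.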
Just as we were getting excited, reality hit. After peaking early, we began what became a long bumpy road to the end.
As the FireEye CSO pointed out, we weren't appreciating the complexity of the process.
As we updated our ideas, we continued to receive mixed messages.
We heard questions about the feasibility of our ideas.
But then we also heard that scheduling could definitely be improved upon.
We heard that operational impact was the only factor that mattered.
But moments later, a questioning of that very statement, and the fact that in a post-SolarWinds world, leaders needed to be willing to accept operational impacts in light of security.
We heard it was too simplified.
But, despite the simplicity, our approach of doing it smarter resonated with people.
We heard that there may not be an issue at all.
But then those very same organizations contradicted themselves.
And while this was a little disheartening, we felt a little validation that the space was ripe for opportunity because there was SO MUCH misunderstanding and disagreement about the process: no one ACTUALLY KNEW what their uptime requirements were, or IF patching could be optimized, or WHAT the tradeoffs were, and no one could definitively say it didn't make sense.
Unfortunately, during this time, despite the positive feedback on our ideas, we weren't able to get the type of buy-in necessary to support us in initiating any sort of deployment process, which led to some of the lowest points in our discovery process.
But we had only been thinking about the bottom-up ground users that we envisioned (i.e., the application program managers and infrastructure owners).
This was more of an economic problem than anything: decision makers were the ones that needed to buy in, and we realized we might need to take a top-down approach.
So, we created an informational sheet that explained our ideas in terms that we thought would resonate with organizational leaders such as the Chief Information Officer.
As we tried to make our way up to a CIO interview, we received a challenge from the Deputy Director at DLA which set us on the next stage of our journey: we needed to prove it was possible, and unfortunately interviews weren't going to help us much in this regard.
So, we hit a stasis. Unfortunately, in the next few weeks, we struggled to find a way to prove this. DLA beneficiaries were hesitant to share information with us.
We initiated several tasks that we thought would propel us further along to prove feasibility.
We began developing a model that could demonstrate the security benefits of increasing patch frequency.
We dug into the literature on optimizing patching and valuing cyber risk, to translate the tradeoffs.
We solicited usage data from DLA applications, hoping to be able to test our hypothesis.
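An added illustration of the kind of patch-frequency model described above (example code written for this page, not Team Salus's model, and none of the numbers are DLA data; the disclosure rate, lead time, daily exploitation hazard and cost figures are constructed assumptions). It gives the closed-form expected time a disclosed vulnerability stays unpatched under a given cadence and the probability it is exploited before the patch lands, checks the closed form against a seeded Monte Carlo run, and then puts a constructed price on incidents and on reboot cycles so the cheapest cadence can be read off; changing the ratio of those two prices moves the optimum, which is the tradeoff the stakeholders could not agree on.

```python
"""Patch-cadence exposure model.

Illustration added to this page, not Team Salus's model. All parameters
(disclosure rate, lead time, daily exploitation hazard, costs) are constructed.
Model: a vulnerability is disclosed at a uniformly random point inside a patch
cycle of T days, then waits for the next cycle boundary plus a fixed lead time
(testing and approval) before the fix reaches production. An attacker finds and
exploits it with constant daily hazard h, so time-to-exploit is Exponential(h).
"""
import math
import random
from typing import Dict, Iterable


def expected_wait_days(cadence_days: float, lead_days: float) -> float:
    """Mean days unpatched: half a cycle on average, plus the fixed lead time."""
    return lead_days + cadence_days / 2.0


def p_exploited_before_patch(cadence_days: float, lead_days: float, daily_hazard: float) -> float:
    """P(exploit before patch) = E[1 - exp(-h * (lead + U))] with U ~ Uniform(0, T),
    which integrates to 1 - exp(-h*lead) * (1 - exp(-h*T)) / (h*T)."""
    if daily_hazard <= 0.0:
        return 0.0
    h, t = daily_hazard, cadence_days
    cycle_term = (1.0 - math.exp(-h * t)) / (h * t)
    return 1.0 - math.exp(-h * lead_days) * cycle_term


def simulate_p_exploited(cadence_days, lead_days, daily_hazard, trials=20000, seed=1) -> float:
    """Seeded Monte Carlo check of the closed form above."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        disclosed_at = rng.uniform(0.0, cadence_days)       # point in the cycle it became known
        patched_at = cadence_days + lead_days               # next boundary, then test -> production
        exploited_at = disclosed_at + rng.expovariate(daily_hazard)
        if exploited_at < patched_at:
            hits += 1
    return hits / trials


def annual_tradeoff(cadences: Iterable[int], lead_days: float, daily_hazard: float,
                    vulns_per_year: float, incident_cost: float, cycle_cost: float) -> Dict[int, Dict[str, float]]:
    """Expected yearly cost of each cadence: exploited vulnerabilities times the
    cost of an incident, plus reboot cycles per year times the cost of each outage."""
    table = {}
    for t in cadences:
        p = p_exploited_before_patch(t, lead_days, daily_hazard)
        incidents = vulns_per_year * p
        cycles = 365.0 / t
        table[t] = {
            "wait_days": expected_wait_days(t, lead_days),
            "p_exploited": p,
            "expected_incidents": incidents,
            "cycles_per_year": cycles,
            "expected_cost": incidents * incident_cost + cycles * cycle_cost,
        }
    return table


def cheapest_cadence(table: Dict[int, Dict[str, float]]) -> int:
    """Cadence with the lowest expected cost; shorter cadence wins ties."""
    return min(table, key=lambda t: (table[t]["expected_cost"], t))


# Constructed assumptions, not DLA figures.
CADENCES = (7, 14, 30, 90)
LEAD_DAYS = 7          # test deployment and approval before production
DAILY_HAZARD = 0.002   # about 0.2% chance per day that an unpatched flaw is exploited
VULNS_PER_YEAR = 200   # disclosed vulnerabilities affecting the estate

if __name__ == "__main__":
    for cycle_cost in (2_000, 20_000):   # cheap vs expensive reboot outages
        table = annual_tradeoff(CADENCES, LEAD_DAYS, DAILY_HAZARD, VULNS_PER_YEAR,
                                incident_cost=50_000, cycle_cost=cycle_cost)
        for t, row in table.items():
            print(f"every {t:>2}d: wait {row['wait_days']:5.1f}d  "
                  f"p(exploit) {row['p_exploited']:.3f}  cost {row['expected_cost']:>12,.0f}")
        print(f"cycle_cost={cycle_cost:,}: cheapest cadence is every {cheapest_cadence(table)} days\n")
    print(f"closed form {p_exploited_before_patch(30, 7, 0.002):.4f} vs "
          f"simulation {simulate_p_exploited(30, 7, 0.002):.4f}")
```

Under these constructed numbers a monthly cadence leaves a vulnerability unpatched for 22 days on average and gives roughly a 4.3% chance it is exploited first; when a reboot outage is cheap relative to an incident, weekly patching is the cheapest policy, and when the outage cost rises tenfold the optimum moves out to monthly. The point of a model like this is not the particular figures but that it forces both sides of the tradeoff into the same units, which is what the interviews showed nobody had done.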
While we learned a lot, looking back at this period, we didn't have enough time to further validate our ideas. Instead of continuing to focus on finding that "champion", we thought we needed to prove some degree of feasibility. We still have mixed feelings about this: if we had been able to pull this all together, would someone have jumped? It's a question we ask ourselves, and we're not sure.
During this time, we also ramped up our search for commercial proxies. We learned that newer, "tech-native" companies are already too sophisticated for our approach,
But that there is likely a sizeable number of older, decentralized organizations who would benefit from our value proposition.
It felt good that we may have identified a more niche market, and it felt even better when we had some interest from Rocket Mortgage (although still no "we'll buy" leaps) and were even granted access to some Stanford vulnerability management meetings.
And while we considered different routes to deployment, without a clear champion we never fully pursued any one path.
In our final week of discovery, we finally learned about an enterprise platform called ServiceNow. The DLA, their hosting provider the Defense Information Systems Agency (DISA), and Stanford are all transitioning to ServiceNow, and after a demo from Stanford, we saw that ServiceNow offers a feature that caters to the scheduling and coordination issue pretty well.
Just like Week 2, when we had learned about an area ripe for improvement only to learn of projects already being implemented, we were once again confronted with a similar scenario. However, this time, late in Week 9, we felt a little better. There was some validation in the fact that ServiceNow, a highly hyped platform, is catering to an area that is less well understood.
We also learned that we could scope our Value Proposition further: while ServiceNow addresses many of the areas we had identified that have to do with scheduling, it does NOT explain or recommend HOW to schedule more frequently using data and risk analysis. Therefore, we believe there is still potential to improve on the platform, perhaps on ServiceNow's development platform.
So, as we entered Week 10, we reflected on our journey.
And here's where we ended up. To highlight some of the most important learnings:
Under beneficiaries, we learned about the many different stakeholders across organizations.
We identified value propositions and impact factors, and homed in on the key tradeoff in security.
We identified possible partners and supporters: commercial integrators (ServiceNow and SAP), government research (DARPA), and institutional proxies at Stanford that could assist with further deployment.
So, what are we doing with our learnings?
In the end, we settled on a few recommendations that we will be presenting to the CIO tomorrow.
We will share our learnings and highlight the fact that ServiceNow is important, but does not provide insights to help make scheduling decisions. To address this, we offer two ideas: develop a tool internally, or, if interested, continue working with Team Salus as we develop a prototype to prove feasibility.
ServiceNow provides a scheduling tool that reduces friction and prompts thinking about the business-impact tradeoff, and we believe it will likely address coordination pain points between change managers, business owners, and infrastructure owners. However, it will likely need top-down emphasis, since we've learned there are many different processes that vary across teams, and just because a tool exists doesn't mean everyone will use it.
Additionally, it's unclear how well integrated ServiceNow will be with DISA and the contractors who manage the cloud hosting servers. We also recommend writing into contracting documents the need to integrate ServiceNow with the change managers on those sides.
However, ServiceNow does not provide insights into those tradeoffs.
To improve the DLA's understanding of these tradeoffs, there are two options:
Develop a business application internally in ServiceNow's low-code development environment. The Logistics Application team who provided us usage data, or the Accenture team who works with the Enterprise Business Center application, would likely be good teams to undertake this.
Team Salus plans to continue to develop our ideas to prove feasibility. If interested, our efforts could be accelerated with an SBIR.
ServiceNow provides a low-code development environment for customers and independent developers to create their own business applications.
Looking back, we learned a lot, both about vulnerability management and about the process of trying to innovate in the national security ecosystem, lessons we hope to take forward with us as part of Team Salus and in our other future endeavors
We plan on continuing our research to prove the feasibility of our ideas, and look forward to what the future holds. Thank you for your time