Posts by Trey Ford


Farewell and Thank You

Surrounding yourself with excellence is a key strategy for success in both one's personal and professional lives. As some may have heard, last week was my last at Rapid7. Leaving my team was a difficult decision to make. Over the last two years, I've had the privilege of serving as Global Security Strategist at a firm in hyper growth that executed a successful IPO in a very tough business & financial climate. I had the opportunity to play to my strengths and contribute in many ways: CISO advis

CISOs

CISO Guidance on Building the Team

If I had a nickel for every time I read about the “security skills shortage”…well, suffice to say that everyone seems to lament the lack of strong talent in this industry, and the low number of eager young graduates seeking to start a security career. So what better topic to explore by way of follow-up to the 2-part blog [/2015/11/12/security-budget-tips-part-2-from-cisos-for-cisos]: Security Budget Tips from CISOs, for CISOs? (To recap: I'm interviewing CISOs for their guidance on select infos

Vulnerability Disclosure

Trey's InfoSec SitRep [16 Nov 2015]

First, if you aren't listening to the Risky Business podcast, fix that. Patrick Gray is my go-to source for infosec news. In the News: The insight we get into breaches is sparse, so be armed with these stories. * JPMorgan's 2014 Hack Tied to Largest Cyber Breach Ever | Bloomberg * Arrests in JP Morgan, eTrade, Scottrade Hack

CISOs

Security Budget Tips [PART 2], from CISOs, for CISOs

CISO Series: Budgeting Part II Hopefully you've read (and maybe even benefitted from) Part I of my CISO Budgeting blog [/2015/11/02/security-budget-tips-from-cisos-for-cisos]. To recap, I interviewed a group of CISOs about how they use budgetary discussions for career growth, and what advice they'd give to others looking to set a budget plan. There were five key takeaways that came out of these interviews; here were the first three: 1. Whatever you do, don't under deliver. 2. Budgets are abou

Exploits

What is SQL Injection?

SQL Injection is one of the oldest and most embarrassing vulnerabilities that web-enabled code faces. It is so old that there really is no excuse for only a niche of people (namely web security professionals) to understand how it works. Every time I think we've beaten this topic to death, SQL Injection finds its way back into the news. This post is my attempt to help anyone and everyone understand how it works and why it's such a persist

Verizon DBIR

Getting Started with VERIS

We did a webcast with @hrbrmstr and @gdbassett from the Verizon team last week, discussing how to get started with VERIS, the Vocabulary for Event Recording and Incident Sharing. If you missed that webcast, check it out! If you joined us, thanks for coming out. We've attached an Excel spreadsheet with a couple of examples to help you get started at


Trey's InfoSec SitRep [09 Nov 2015]

In the News: Man Who Tried to Hire Hacker to Wipe Out Court Fines Sentenced to 2-4 Years in Prison | SoftPedia; Hackers Claim Million-Dollar Bounty for iOS Zero Day Attack | Wired (Just in case you missed this publicity stunt...); The cost of immaturity | The Economist [http://www.econ

CISOs

Security Budget Tips, from CISOs, for CISOs

CISO Series: Budgeting I have provided a brief overview of the genesis of the CISO series [/2015/10/27/introducing-the-ciso-blog-series], and now it is time to tackle our first topic: security budgets. Whether you're the CISO of a large public company or leading security at an early-stage startup, rich in headcount or forced to be tight with the purse strings, reporting into the CIO, COO, or elsewhere in the organization, the fact remains that budget conversations are among the most critical and

Verizon DBIR

What is VERIS?

Data driven security is all the rage, and laughably few of us encode and analyze our programs… and for good reason. It isn't easy. This post will talk about VERIS, a framework for describing security incidents in a precise way. We all have a plan, a security program, compliance regulations, and super busy calendars—but what is working? The answer is hidden in plain sight, it just needs to be analyzed. And this is why we all love the DBIR. If you aren't familiar with Verizon's DBIR (Data Breach

CISOs

Introducing the CISO Blog Series

Since joining Rapid7 [/2014/01/27/supporting-the-security-community-why-i-joined-rapid7] I've gotten to work on some pretty cool projects, the most recent of which is capturing a body of knowledge for the community… by CISOs, for CISOs. The evolution of the CISO role, of course, is nothing new, and there's plenty of analysis on it for anyone who's interested (for example, Forrester has a great report called Evolve To Become The CISO Of 2018 Or Face Extinction [


Trey's InfoSec SitRep [26 Oct 2015]

I keep getting asked about what's happening in the news. Because I'm so efficient—and that's hacker-speak for lazy—I go to a couple key sources for news. One of my absolute favorites is Patrick Gray's. Since I'm often sharing links of note and important news, I thought I'd share this information with a broader audience in case it helps you out, too. So for this week, here's a small selection of some recent news: Breaches you should know about: * Hack Brief: Hacker


Building an Effective Security Team

Concluding our National Cyber Security Awareness Month webcast series, next week I'll be joining a discussion around how to develop, nurture, and retain good security staff: Building an Effective Security Team, Wednesday, October 28th at 11am E

Events

The Black Hat Attendee Guide Part 5a - The Magic of People

Joining us for the first time? This post is part of a series that starts right here [/2015/07/13/the-black-hat-attendee-guide-part-1]. So this post is a bit of a bonus. I've asked my dear friend Quinton Jones to share some wisdom and inspiration on how he injects passion and energy into his introductions. He's simply unforgettable, one of the greatest customer champions and business development folks I know, thanks to his passion for people. Please enj

Events

The Black Hat Attendee Guide Part 8: Trip Reporting

This is the eighth and final post in our Black Hat Attendee Guide series—you can start from the beginning right here [/2015/07/13/the-black-hat-attendee-guide-part-1]. Big gulps, if you've made it this far in the guide—you've arrived, this is the last post. When you get back from Vegas, you'll probably have a couple of reports you're staring in the face. First is the expense report. (Pro-Tip: Take cell phone pictures of everything you spend a dime on!) Before you leave, double check the mini

Events

The Black Hat Attendee Guide Part 7: Your Survival Kit

Joining us for the first time? This post is part seven of a series that starts right here [/2015/07/13/the-black-hat-attendee-guide-part-1]. Hacker Summer Camp is no joke, and you've got to have a game plan when you head for Vegas. If you don't travel frequently, this is for you. Ignoring sartorial conundrums and basic hygiene, this post is focused on keeping your body operating at peak… or at least somewhat operational. Vegas: It's nothing like home for most of us. Desert allergens, low humi