
SEI Insights

Recent Posts

Situational Awareness for Cybersecurity: Assets and Risk

• SEI Blog
Angela Horneman

This post was co-written by Lauren Cooper. When key business assets are not adequately protected from cybersecurity breaches, organizations can experience dire consequences. Lumin PDF, a PDF editing tool, recently had confidential data for its base of 24.3 million users published in an online forum. The personal data of almost every citizen of Ecuador was also recently leaked online. Data breaches exposed 4.1 billion records in the first six months of 2019, and data breaches in the healthcare industry in 2019 have already doubled all of those last year. The purpose of situational awareness (SA) is to protect organizations from...

Don't Play Developer Testing Roulette: How to Use Test Coverage

• SEI Blog
Robert V. Binder

Suppose someone asked you to play Russian Roulette. Although your odds of surviving are 5 to 1 (83 percent), it is hard to imagine how anyone would take that risk. But taking comparable risk owing to incomplete software testing is a common practice. Releasing systems whose tests achieve only partial code coverage—the percentage of certain elements of a software item that have been exercised during its testing—is like spinning the barrel and hoping for the best, or worse, believing there is no risk. This post is partly a response to questions I'm frequently asked when working with development teams looking...

Managing the Risks of Ransomware

• Insider Threat Blog
David Tobar

This blog post was co-authored by Jason Fricke. Ransomware poses a growing threat to both businesses and government agencies. Though no strategy can fully eliminate these risks, this post provides recommendations, and links to additional best practices, on better managing ransomware risks....

Artificial Intelligence in Practice: Securing Your Code Using Natural Language Processing

• SEI Blog
Eliezer Kanal

Many techniques are available to help developers find bugs in their code, but none are perfect: an adversary needs only one to cause problems. In this post, I'll discuss how a branch of artificial intelligence called natural language processing, or NLP, is being applied to computer code and cybersecurity. NLP is how machines extract information from naturally occurring language, such as written prose or transcribed speech. Using NLP, we can gain insight into the code we generate, and can find bugs that aren't visible to existing techniques. While this field is still young, advances are coming rapidly, and I will...

Bolstering Security with Cyber Intelligence

• SEI Blog
Jared Ettinger

Stephen Beck coauthored this blog post. A maxim for intelligence operators and military and special operations communities is "get off the X." The expression, once reserved for combat situations in reference to getting out of "the kill zone, point of attack, minefield, sniper crosshairs or other danger zone" has been adopted by the intelligence communities to convey the danger of a static approach to organizational security. As Michele Rigby Assad, a former intelligence officer in the CIA, explains, "the X refers to the site of an attack. This is the location in which the attackers have the greatest advantage because...

Insider Threat Incident Analysis: Court Outcome Observations

• Insider Threat Blog
Nick Miller

In the United States, legal cases may be tried in criminal court or civil court. According to data in the CERT National Insider Threat Center (NITC) incident corpus, the type of court makes a big difference in the legal outcomes of insider attack cases. This blog post analyzes these differences, specifically sentencing and restitution in criminal cases and findings of liability in civil cases. This blog post does not, and is not intended to, constitute legal advice. Please consult legal counsel on any specific matter....

Helping the Federal Government Achieve the Cyber Advantage

• SEI Blog
Bobbie Stempfley

The world we live in is increasingly digital, synthetic, and fueled by data. The software it is built on is developed with such speed and automation that we must think about security in a new way. And in today's age of artificial intelligence (AI), cyber adversaries operate with speed and dexterity in a world of ever-changing attack surfaces. In light of this constantly evolving cyber landscape, our researchers work to secure our infrastructure and resources and gain a cyber advantage over our adversaries. As this blog post will detail, this challenge requires that we transcend the capabilities of our adversaries...

Impacts and Recommendations for Achieving Modular Open Systems Architectures - Fifth Post in a Series

• SEI Blog
Nickolas Guertin

This post was co-authored by Douglas Schmidt and William Scherlis. In this series of blog posts, adapted from a recently published paper, we sought to demonstrate how layered business and technical architectures can leverage modular component design practices to establish new approaches for capability acquisition that are more effective for the Department of Defense (DoD) than existing system of systems (SoS) strategies. The aim of these posts is to help the DoD establish an acquisition environment that is more efficient and capable of delivering higher quality, with far greater innovation, in a fraction of the time. Our first post proposed...

Improving Insider Threat Detection Methods Through Software Engineering Principles

• Insider Threat Blog
Daniel Costa

Tuning detective controls is a key component of implementing and operating an insider threat program, and one we have seen many organizations struggle with. Our work helping organizations with their insider threat programs has revealed common challenges with any tool that generates alerts of potential insider risk, such as user activity monitoring (UAM), security information event management (SIEM), or user and entity behavioral analytics (UEBA) tools. In this blog post, we will discuss some of the challenges and best practices for tuning detective controls....

7 Guidelines for Being a TRUSTED Penetration Tester

• Insider Threat Blog
Karen Miller

The best way to learn is by doing. But when it comes to penetration testing, learners risk legal implications and bad habits if they don't follow ethical, safe procedures. Those wishing to develop penetration testing skills are often unaware of the number of resources available for legally and safely testing penetration tools and techniques. In this blog post, I'll describe seven general practices, outlined in the acrostic "TRUSTED," that pen testing learners and professionals should follow to avoid legal consequences and earn trust. I'll also provide resources for learning how to pen test....

What Engineers Need to Know About Artificial Intelligence

• SEI Blog
Thomas Longstaff

Artificial intelligence (AI) systems by their nature are software-intensive. To create viable and trusted AI systems, engineers need technologies and standards, similar to those in software engineering. At the Software Engineering Institute (SEI)—a federally funded research and development center tasked with advancing the field of software engineering and cybersecurity—we are leading a movement to establish a professional AI Engineering discipline. As we begin a national conversation on AI Engineering, we have identified several key aspects and elements of AI that engineers must understand to work with emerging systems....

Update on the CERT Guide to Coordinated Vulnerability Disclosure

• CERT/CC Blog
Allen Householder

It's been two years since we originally published the CERT Guide to Coordinated Vulnerability Disclosure. In that time, it's influenced both the US Congress and EU Parliament in their approaches to vulnerability disclosure. I wanted to provide an update on how the Guide is evolving in response to all the feedback we received....

Situational Awareness for Cybersecurity: An Introduction

• SEI Blog
Angela Horneman

Situational awareness (SA) helps decision makers throughout an organization have the information and understanding available to make good decisions in the course of their work. It can be focused specifically on helping people and organizations protect their assets in the cyber realm or it can be more far reaching. SA makes it possible to get relevant information from across an organization, to integrate that information, and to disseminate it to help people make better decisions. This blog post is the first in a series that explores the concepts of cyber SA as they apply to the enterprise....

The Dangers of VHD and VHDX Files

• CERT/CC Blog
Will Dormann

Recently, I gave a presentation at BSidesPGH 2019 called Death By Thumb Drive: File System Fuzzing with CERT BFF. (The slides from my presentation are available in the SEI Digital Library.) Although my primary goal was to find bugs in kernel file-system-parsing code, a notable part of my research was investigating attack vectors. In particular, I focused on VHD and VHDX files on Windows systems. In this post, I describe some of the risks associated with these two file types....

September Is National Insider Threat Awareness Month

• Insider Threat Blog
Daniel Costa

September 2019 has been declared National Insider Threat Awareness Month by the National Insider Threat Task Force, the National Counterintelligence and Security Center, the Federal Bureau of Investigation, the Office of the Under Secretary of Defense (Intelligence), the Department of Homeland Security, and the Defense Counterintelligence and Security Agency. This blog post outlines the CERT National Insider Threat Center's activities in support of this effort....

The Latest Work from the SEI: AI, Deepfakes, Automated Alert Handling, and Cyber Intelligence

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, and presentations highlighting our work in artificial intelligence, STEM careers, deepfakes, automated alert handling (here and here), systems and software engineering, and cyber intelligence. These publications highlight the latest work of SEI technologists in these areas. The SEI also made available an online version of the 2018 Year in Review, which highlights the recent work of the institute. This post includes a listing of each publication, author(s), and links where they can be accessed on the...

Cybersecurity Engineering for Legacy Systems: 6 Recommendations

• SEI Blog
Susan Crozier Cox

Harry Levinson co-authored this blog post. Legacy systems continue to play a key role across many organizations. Engineering cybersecurity into these legacy systems presents some unique challenges. In many cases, the original design team is no longer available, leaving the current team with the challenge of changing poorly- and/or un-documented designs and software. Over the years, these systems can become so outdated that they are unable to keep up with new software patterns and development technologies, including the ability to patch known security or design flaws. This blog contains six recommendations to help keep legacy software secure....

Patterns and Trends in Insider Threats Across Industry Sectors (Part 9 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Daniel Costa

In previous posts of our series analyzing and summarizing insider incidents across multiple sectors, we presented up-to-date statistics from the CERT National Insider Threat Center (NITC) Incident Corpus and looked closely at which types of insider incidents are prevalent within certain types of organizations. From there, we presented statistics on what types of assets those insider attacks target, the time frames associated with those attacks, and the tactics, techniques, and procedures the insiders used to carry them out. In this final post of the series, we summarize what we have learned or reinforced in these recent explorations of insider incidents...

Mission Thread Analysis Using End-to-End Data Flows - Part 2

• SEI Blog
Donald Firesmith

The first blog post in this series provided an overview of the E2E Mission Thread Data Flow Analysis (EMDA) method, an approach that analyzes the flow of data as they traverse end-to-end mission threads through the architecture components of a system of systems. That post addressed relevant challenges that EMDA helps system and software architects face and outlined the work products produced by the method. This second blog post discusses the process used to create and verify the method's work products, the benefits of the method, the challenges that must be addressed while implementing the method, and lessons learned during the...

Why Software Architects Must Be Involved in the Earliest Systems Engineering Activities

• SEI Blog
Sarah Sheard

Suzanne Miller, Bill Nichols, Don Firesmith, and Mike Phillips contributed to this post. Today's major defense systems rely heavily on software-enabled capabilities. However, many defense programs acquiring new systems first determine the physical items to develop, assuming the contractors for those items will provide all needed software for the capability. But software by its nature spans physical items: it provides the inter-system communications that have a direct influence on most capabilities, and thus must be architected intelligently, especially when pieces are built by different contractors. If this architecture step is not done properly, a software-reliant project can be set up...

Mission Thread Analysis Using End-to-End Data Flows - Part 1

• SEI Blog
Donald Firesmith

Although the vast majority of military missions require the successful collaboration of multiple cyber-physical systems within an overall system of systems (SoS), almost all system and software architects work on programs developing or sustaining individual systems and subsystems. Often, they do not sufficiently understand the ramifications of how their system interoperates with these other systems to accomplish the overall mission. The lack of an end-to-end (E2E) mission thread analysis leads to numerous difficulties, such as integration problems that are not identifiable if one merely looks at one's own system and the specifications of its individual interfaces. This is the first...

Expectations of Windows RDP Session Locking Behavior

• CERT/CC Blog
Will Dormann

This post was co-written by Will Dormann and Joe Tammariello. Recently, CERT researchers published a vulnerability note (VU#576688 - Microsoft Windows RDP can bypass the Windows lock screen). In this blog post, we provide a little more insight into how the vulnerability was discovered and what it may mean to people who use Microsoft Windows RDP. The following steps reproduce VU#576688: Use a Microsoft Windows RDP client to connect to Windows Server 2019 or Windows 10 build 1803 or newer. Manually lock the remote Windows session. Disconnect the network on the RDP client system. Reconnect the network. After performing these...

The Promise of Deep Learning on Graphs

• SEI Blog
Oren Wright

A growing number of Department of Defense (DoD) data problems are graph problems: the data from sources such as sensor feeds, web traffic, and supply chains are full of irregular relationships that require graphs to represent explicitly and mathematically. For example, modern test and evaluation produces massive, heterogeneous datasets, and analysts can use graphs to reveal otherwise hidden patterns in these data, affording the DoD a far more complete understanding of a system's effectiveness, survivability, and safety. But such datasets are growing increasingly large and increasingly complex, demanding new approaches for proper analysis. Machine learning seems to recommend itself to...

Cybersecurity Governance, Part 1: 5 Fundamental Challenges

• Insider Threat Blog
Seth Swinton

This post was co-authored by Stephanie Hedges. Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. This blog post examines five fundamental challenges of cybersecurity governance that, while not exhaustive, are essential to establishing and maintaining an effective cybersecurity governance program....

An Application Programming Interface for Classifying and Prioritizing Static Analysis Alerts

• SEI Blog
Lori Flynn

This post was co-written by Ebonie McNeil and Aubrie Woods. In this post, we describe the Source Code Analysis Integrated Framework Environment (SCAIFE) application programming interface (API). SCAIFE is an architecture for classifying and prioritizing static analysis alerts. It is designed so that a wide variety of static analysis tools can integrate with the SCAIFE system using the API. The API is pertinent to organizations that develop or research static analysis alert auditing tools, aggregators, and frameworks....

Using OOAnalyzer to Reverse Engineer Object Oriented Code with Ghidra

• SEI Blog
Jeffrey Gennari

Object-oriented programs continue to pose many challenges for reverse engineers and malware analysts. C++ classes tend to result in complex arrangements of assembly instructions and sophisticated data structures that are hard to analyze at the machine code level. We've long sought to simplify the process of reverse engineering object-oriented code by creating tools, such as OOAnalyzer, which automatically recovers C++-style classes from executables. OOAnalyzer includes utilities to import OOAnalyzer results into other reverse engineering frameworks, such as the IDA Pro Disassembler. I'm pleased to announce that we've updated our Pharos Binary Analysis Framework in GitHub to include a new plugin...

Selecting Measurement Data for Software Assurance Practices

• SEI Blog
Carol Woody

Measuring the software assurance of a product as it is developed and delivered to function in a specific system context involves assembling carefully chosen metrics. These metrics should demonstrate a range of behaviors to confirm confidence that the product functions as intended and is free of vulnerabilities. The Software Assurance Framework (SAF) is a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain to promote the desired assurance behaviors. The SAF can be used to assess an acquisition program's current cybersecurity practices and chart a course for improvement, ultimately reducing the cybersecurity risk of...

Three Architecture Recommendations for Sustainment Organizations

• SEI Blog
Susan Crozier Cox

In a March 2019 report, the Defense Innovation Board (DIB)--a group of advisors focused on bringing the technical advantages employed by Silicon Valley to the Department of Defense (DoD)--noted that the United States faces threats that are evolving at an ever-increasing pace. The DIB also noted that the DoD's ability to adapt and respond to these threats is now determined by its ability to develop and deploy software to the field rapidly. As the DIB and other reports have noted, the DoD's current approach to software development is broken and a leading source of risk: "it takes too long, is...

Keeping an Eye Out for Positive Risk

• Insider Threat Blog
Mary Beth Chrissis

We commonly think about risks having negative consequences. With each month bringing new cybersecurity threats, breaches, and vulnerabilities, sound risk management practices are necessary to protect your organization. However, when performing risk management, do organizations unnecessarily limit themselves by only thinking about risks as negative effects and not looking at positive effects, too?...

Testing Concurrent Systems: Concurrency Defects, Testing Techniques, and Recommendations

• SEI Blog
Donald Firesmith

Concurrency, which exists whenever multiple entities execute simultaneously, is a ubiquitous and an unavoidable fact of life in systems and software engineering. It greatly increases system and software complexity, which directly impacts testing. Concurrency leads to nondeterministic behavior and numerous types of concurrency defects that require specialized approaches to uncover. At the SEI, we are often called upon to review development planning documents including Test and Evaluation Master Plans (TEMPs) and Software Test Plans (STPs). We are also frequently tasked to evaluate developmental testing including software and system integration laboratories (SILs) and other test environments. One common observation is that...

Model-Based Analysis of Agile Development Practices

• SEI Blog
Andrew Moore

Bill Nichols, Bill Novak, and David Zubrow helped to write this blog post. Applications of Agile development practices in government are providing experience that decision makers can use to improve policy, procedure, and practice. Behavioral modeling and simulation (BModSim) techniques (such as agent-based modeling, computational game theory, and System Dynamics) provide a way to construct valid, coherent, and executable characterizations of Agile software development. These techniques can help answer key questions about Agile concepts and Agile application. BModSim complements data-analytic approaches, such as machine learning, by describing the larger landscape of organizations' application of Agile, putting in context diverse results...

Comments on Voluntary Voting System Guidelines 2.0 Principles and Guidelines

• CERT/CC Blog
Allen Householder

The U.S. Election Assistance Commission recently held a public comment period on their Voluntary Voting System Guidelines 2.0 Principles and Guidelines. At the CERT/CC, we focus our attention on sectors that are new to (or perhaps slow to adopt) common vendor security practices like Coordinated Vulnerability Disclosure (CVD). To that end, Deana Shick, Jonathan Spring, Art Manion, and I collaborated to provide our feedback to the EAC. The remainder of this post contains the comments we submitted, lightly edited for blog publication....

The Vectors of Code: On Machine Learning for Software

• SEI Blog
Zachary Kurtz

This blog post provides a light technical introduction on machine learning (ML) for problems of computer code, such as detecting malicious executables or vulnerabilities in source code. Code vectors enable ML practitioners to tackle code problems that were previously approachable only with highly-specialized software engineering knowledge. Conversely, code vectors can help software analysts to leverage general, off-the-shelf ML tools without needing to become ML experts. In this post, I introduce some use cases for ML for code. I also explain why code vectors are necessary and how to construct them. Finally, I touch on current and future challenges in code...

After the Cyber Resilience Review: A Targeted Improvement Plan for Service Continuity

• SEI Blog
Robert Vrtis

Jeff Pinckard co-wrote this blog post. In 2011, the SEI's CERT Division developed and published the Cyber Resilience Review (CRR) on behalf of the Department of Homeland Security. Since then, hundreds of CRRs have been conducted across all critical-infrastructure sectors, including financial services, healthcare and public health, energy, and water and wastewater systems. Each CRR provides an organization with a comprehensive report that can provide a seemingly overwhelming number of options for improving the resilience of the organization. In this post, we describe steps that organizations can take to use the results of a CRR to develop an actionable improvement...

High-Level Technique for Insider Threat Program's Data Source Selection

• Insider Threat Blog
Robert M. Ditmore

This blog discusses an approach that the CERT Division's National Insider Threat Center developed to assist insider threat programs develop, validate, implement, and share potential insider threat risk indicators (PRIs). The motivation behind our approach is to provide a broad, tool-agnostic framework to promote sharing indicator details. You might share these details among your insider threat team personnel and other key stakeholders, such as Human Resources, Legal, and Information Technology, before the direct dive into implementation or tool acquisition....

The Latest Research from the SEI in DevSecOps, Threat Modeling, and Insider Threat

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, and presentations highlighting our work in DevSecOps, insider threat, cyber risk and resilience, software assurance, infrastructure as code, software architecture, and threat modeling. These publications highlight the latest work of SEI technologists in these areas. This blog post also presents the latest episode in our podcast series highlighting the work of women in software and cybersecurity. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website....

Windows Event Logging for Insider Threat Detection

• Insider Threat Blog
Derrick Spooner

In this post, I continue my discussion on potential low-cost solutions to mitigate insider threats for smaller organizations or new insider threat programs. I describe a few simple insider threat use cases that may have been detected using Windows Event logging, and I suggest a low-effort solution for collecting and aggregating logs from Windows hosts....

The AADL Error Library: 4 Families of System Errors

• SEI Blog
Sam Procter

Classifying the way that things can go wrong in a component-based system is a hard challenge since components--and the systems that rely on them--can fail in myriad, unpredictable ways. It is nonetheless a challenge that should be addressed because component-based, software-driven systems are increasingly used for safety-critical applications. Unfortunately, many well-established classifications and taxonomies of system errors are not what we would term operationalized (i.e., directly usable in modern, model-based system engineering efforts). Instead, they are specified and described in natural language instead of any formal or semiformal specification language. In this blog post, which is adapted from a recently...

Managing the Consequences of Technical Debt: 5 Stories from the Field

• SEI Blog
Ipek Ozkaya

Rod Nord coauthored this post. If you participate in the development of software, the chances are good that you have experienced the consequences of technical debt, which communicates additional cost and rework over the software lifecycle when a short-term, easy solution is chosen instead of a better solution. Understanding and managing technical debt is an important goal for many organizations. Proactively managing technical debt promises to give organizations the ability to control the cost of change in a way that integrates technical decision making and software economics seamlessly with software engineering delivery. In this post, we provide real-world examples that...

The Technical Architecture for Product Line Acquisition in the DoD - Fourth in a Series

• SEI Blog
Nickolas Guertin

This post is co-authored by Douglas C. Schmidt and William Scherlis. DoD technologies have traditionally relied on cyber-physical/software-intensive systems that are now widely available to all nations and non-state actors. The DoD's past practice of incorporating commercial-off-the-shelf (COTS) technologies on a system-by-system basis is insufficient to stay ahead of its adversaries and increase its pace of change for delivering innovation. The DoD thus needs new acquisition approaches that can achieve rapid delivery, flexibility, and capacity to provide continuous improvement to fielded capability. This series of blog posts, adapted from a recently published paper, addresses these issues by establishing a DoD...

The Organizational Impact of a Modular Product Line Architecture in DoD Acquisition - Third in a Series

• SEI Blog
Nickolas Guertin

This post was co-authored by Douglas Schmidt and William Scherlis. To maintain a strategic advantage over its adversaries, the Department of Defense (DoD) must field new technologies rapidly. "It is not about speed of discovery, it is about speed of delivery to the field," Michael D. Griffin, undersecretary of defense for research and engineering, told a Senate Armed Services subcommittee in April 2018. The architecture of Department of Defense (DoD) acquisition organizations is based on a big-bang/spiral development for systems of systems (SoS). This strategy has proved too slow and negates the opportunity to make small changes rapidly and deliver...

Read More
The CERT Division's National Insider Threat Center (NITC) Symposium

• Insider Threat Blog
Randy Trzeciak

Addressing the Challenges of Maturing an Insider Threat (Risk) Program. On May 10, 2019, the Software Engineering Institute's National Insider Threat Center (NITC) will host the 6th Annual Insider Threat Symposium, with this year's theme, "Maturing Your Insider Threat (Risk) Program." The purpose of the symposium is to bring together practitioners on the front lines of insider threat mitigation to discuss the challenges and successes of maturing their insider threat (risk) programs. You will have the opportunity to learn from others how to move beyond the initial operating capacity of your program....

Read More
A 5-Step Process for Release Planning

• SEI Blog
Robert Ferguson

Software products are often used for two decades or more. Several researchers have shown that the cost of maintenance and sustainment ranges between 40 and 80 percent of the total lifecycle cost, with a median estimate near 70 percent. Sometimes executives have asked, Why does software sustainment cost so much? This blog turns the question around to ask, Can we get better value from our continuing software investment? Of course, the answer is affirmative. We can examine changes in mission objectives, technology, and environment to see how to position our product for the best use and value, just as we do...

Read More
Six Free Tools for Creating a Cyber Simulator

• SEI Blog
Joseph Mayes

It can be hard for developers of cybersecurity training to create realistic simulations and training exercises when trainees are operating in closed (often classified) environments with no ability to connect to the Internet. To address this challenge, the CERT Workforce Development (CWD) Team recently released a suite of open-source and freely available tools for use in creating realistic Internet simulations for cybersecurity training and other purposes. The tools improve the realism, efficiency, and cost effectiveness of cybersecurity training. In this blog post, I will describe these tools and provide information about how to download, learn more about, and use them....

Read More
A New Scientifically Supported Best Practice That Can Enhance Every Insider Threat Program!

• Insider Threat Blog
Michael C. Theis

(Or..."How This One Weird Thing Can Take Your Program to the Next Level!") The CERT National Insider Threat Center (NITC) continues to transition its insider threat research to the public through its publications of the Common Sense Guide to Mitigating Insider Threats (CSG), blog posts, and other research papers. We recently released an updated version of the CSG: the Common Sense Guide to Mitigating Insider Threats, Sixth Edition. In this post, I'll highlight the new additions and updates: best-practice mappings to standards and more attention to workplace violence, monitoring, and privacy. I'll also walk you through the new best practice,...

Read More
Establishing the Pre-assessment DevOps Posture of an SDLC in a Highly Regulated Environment: Third in a Series

• DevOps Blog
Jose Morales

This third installment in our blog series on implementing DevOps in highly regulated environments (HREs), which is based upon a recently published paper, discusses the second step in a DevOps assessment: establishing the pre-assessment DevOps posture of an HRE. (Read the first and second post in the series.) The posture is the current DevOps implementation, if any, in an HRE's software development lifecycle (SDLC). Recall that the ultimate goal of the DevOps assessment is to improve an SDLC. In this case, the tool set being used to achieve that goal is DevOps. It is important to understand the maturity level...

Read More
Business Email Compromise: Operation Wire Wire and New Attack Vectors

• SEI Blog
Anne Connell

In June 2018, Federal authorities announced a significant coordinated effort to disrupt business email compromise (BEC) schemes that are designed to intercept and hijack wire transfers from businesses and individuals. Operation Wire Wire, a coordinated law enforcement effort by the U.S. Department of Justice, U.S. Department of Homeland Security, U.S. Department of the Treasury, and the U.S. Postal Inspection Service, was conducted over a six-month period and resulted in 74 arrests in the United States and overseas, including 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and...

Read More
How to Use Static Analysis to Enforce SEI CERT Coding Standards for IoT Applications

• SEI Blog
David Svoboda

The Jeep hack, methods to hack ATMs, and even hacks to a casino's fish tank provide stark evidence of the risks associated with the Internet of Things (IoT). High-end automobiles today have more than 100 million lines of code, and connectivity between cars and the outside world through, for example, infotainment systems and the Global Positioning System (GPS) expose a number of interfaces that can be attacked to communicate with an automobile in unintended and potentially dangerous ways. In Part 1 of this two-part blog post on the use of SEI CERT Coding Standards to improve the security of...

Read More
Securely Connecting Africa

• SEI Blog
Vijay Sarvepalli

While the Internet has enabled modernization in parts of the developing world, it has also introduced new cybersecurity challenges. Many developing countries are unprepared for large-scale cyber attacks and ongoing threats posed by hackers. A July 2017 New York Times article notes that developing countries have become an ideal testing ground for hackers. These attacks caught the attention of the Cote d'Ivoire (Ivory Coast) computer security incident response (CSIRT) team, who reached out to the SEI through the U.S. Department of State Office of the Coordinator for Cyber Issues (S/CCI) to request a collaborative workshop to help Cote d'Ivoire address...

Read More
API Hashing Tool, Imagine That

• CERT/CC Blog
Kyle O'Meara

In the fall of 2018, the CERT Coordination Center (CERT/CC) Reverse Engineering (RE) Team received a tip from a trusted source about a YARA rule that triggered an alert in VirusTotal. This YARA rule came from Department of Homeland Security (DHS) Alert TA17-293A, which describes nation-state threat activity attributed to Russian actors. I believed this information warranted further analysis....

Read More
Are You Providing Cybersecurity Awareness, Training, or Education?

• Insider Threat Blog
Mike Petock

When I attend trainings, conferences, or briefings, I usually end up listening to someone reading slides about a problem. Rarely am I provided with any solutions or actions to remediate the problem. As a cybersecurity trainer with 17+ years of experience and a degree in education, I understand that developing a good presentation is a challenge in any domain. Fortunately for cybersecurity professionals, the National Institute of Standards and Technology (NIST) can help you choose which kind of presentation to give. This blog post will review the three types of presentations defined by NIST: awareness, training, and education....

Read More
Enabling Shift-Left Testing from Small Teams to Large Systems

• SEI Blog
Nanette Brown

Shift left is a familiar exhortation to teams and organizations engaged in Agile and Lean software development. It most commonly refers to incorporating test practices and an overall test sensibility early in the software development process (although it may also be applied in a DevOps context to the need to pull forward operations practices). Shift left sounds reasonably straightforward: just take the tasks that are on the right-hand side of your timeline and pull them forward (i.e., shift them to the left). As this post describes, however, there are some subtleties and qualifications you should consider in order to realize...

Read More
Insider Threats in Entertainment (Part 8 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Mark Dandrea

This post was co-authored by Carrie Gardner. The Entertainment Industry is the next spotlight blog in the Industry Sector series. Movie and television producers have long entertained the public with insider threat dramas such as Jurassic Park, Office Space, or the more recent Mr. Robot. These dramas showcase the magnitude of damage that can occur from incidents involving our assumed good, trusted employees. Yet as we discuss in this post, movie producers and the entertainment industry are not immune from experiencing such incidents....

Read More
Towards a New Model of Acquisition: Product-Line Architectures for the DoD - Second in a Series

• SEI Blog
Nickolas Guertin

This post was co-authored by Douglas Schmidt and William Scherlis. It is widely recognized that the Department of Defense (DoD) needs to have a nimble response to nimble adversaries. However, the inflexibility of many DoD development and acquisition practices begets inflexible architectures that often slow progress and increase risk to operational forces. This rejection of modern development methods actually increases program risk and extends development timelines, effectively reducing the value of the DoD's acquisition portfolio. As a result, the current lack of capacity for breadth and pace of change impedes our ability to evolve capability quickly and robustly enough to...

Read More
Operation Cloud Hopper Case Study

• SEI Blog
Nathaniel Richmond

In December, a grand jury indicted members of the APT10 group for a tactical campaign known as Operation Cloud Hopper, a global series of sustained attacks against managed service providers and, subsequently, their clients. These attacks aimed to gain access to sensitive intellectual and customer data. US-CERT noted that a defining characteristic of Operation Cloud Hopper was that upon gaining access to a cloud service provider (CSP) the attackers used the cloud infrastructure to hop from one target to another, gaining access to sensitive data in a wide range of government and industrial entities in healthcare, manufacturing, finance, and biotech...

Read More
The Modern Software Factory and Independent V&V for Machine Learning: Two Key Recommendations for Improving Software in Defense Systems

• SEI Blog
Paul Nielsen

Software-enabled capabilities are essential for our nation's defense systems. I recently served on a Defense Science Board (DSB) Task Force whose purpose was to determine whether iterative development practices such as Agile are applicable to the development and sustainment of software for the Department of Defense (DoD). The resulting report, Design and Acquisition of Software for Defense Systems, made seven recommendations on how to improve software acquisition in defense systems: (1) A key evaluation criterion in the source selection process should be the efficacy of the offeror's software factory. (2) The DoD and its defense-industrial-base partners should adopt continuous iterative development best...

Read More
Insider Threats in Healthcare (Part 7 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Josh Vasko

This post was co-authored by Carrie Gardner. Next in the Insider Threats Across Industry Sectors series is Healthcare. As Healthcare-related information security conversations are predominantly driven by security and privacy concerns related to patient care and data, it's important to recognize the magnitude of security lapses in this sector. Patients can face severe, permanent consequences from medical record misuse, alteration, or destruction. And medical record fraud vis-a-vis identity theft, known simply as Fraud in our incident corpus, is one of the primary types of security incidents observed in this sector....

Read More
An Appraisal of the Systems Engineering Journal's Treatment of Software Over the Last Two Decades

• SEI Blog
Sarah Sheard

Systems engineers working today face many challenges, both in building the complex systems of systems of the future and in building the complex systems of which they are composed. Systems engineers need to be able to design around stable requirements when there are long-lead manufactured items required, and they also need to evolve the design along with changing requirements for larger systems. Software plays an integral role in helping systems engineers accomplish these goals. The importance of software engineering to systems engineering, and vice-versa, cannot be overstated. As I stated in an earlier blog post Systems engineers are responsible for...

Read More
Top 5 Incident Management Issues

• Insider Threat Blog
Mike Fritz

The CERT Division of the SEI has a history of helping organizations develop, improve, and assess their incident management functions. Frequently we discover that an organization's primary focus is on security incident response, rather than the broader effort of security incident management. Incident response is just one step in the incident management lifecycle. In this blog post, we look at five recurring issues we regularly encounter in organizations' Incident Management programs, along with recommended solutions. By discovering and resolving these issues, organizations can attain a better cybersecurity posture....

Read More
Using the SEI CERT Coding Standards to Improve Security of the Internet of Things

• SEI Blog
David Svoboda

The Internet of Things (IoT) is insecure. The Jeep hack received a lot of publicity, and there are various ways to hack ATMs, with incidents occurring with increasing regularity. Printers in secure facilities have been used to exfiltrate data from the systems to which they were connected, and even a thermometer in a casino's fish tank was used to gain access to the casino's infrastructure and extract data about customers, gamblers, etc. In this blog post, I describe how the SEI CERT Coding Standards work and how they can reduce risk in Internet-connected systems. This is the first installment in...

Read More
Expectations for Implementing DevOps in a Highly Regulated Environment: Second in a Series

• DevOps Blog
Jose Morales

This second installment in the blog post series on implementing DevOps in highly regulated environments (HREs), which is excerpted from a recently published paper, discusses the first step in a DevOps assessment: setting expectations with the organization. This step is a critical task in an assessment because it sets the boundaries of what will be performed and delivered....

Read More
Insider Threats in Information Technology (Part 6 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Michaela Webster

This blog post was co-authored by Carrie Gardner. As Carrie Gardner wrote in the second blog post in this series, which introduced the Industry Sector Taxonomy, information technology (IT) organizations fall in the NAICS Code category Professional, Scientific, and Technical Services. IT organizations develop products and perform services advancing the state of the art in technology applications. In many cases, these services directly impact the supply chain, since many organizations rely on products and services from other organizations to perform and carry out their own business goals. This post covers insider incidents in the IT sector and focuses mainly on malicious,...

Read More
SATURN Blog Merging with SEI Blog

• Insider Threat Blog
Tamara Marshall-Keim

Changes are coming in how we communicate with the SEI Architecture User Network (SATURN) beginning February 18. Technical content of interest to software architecture practitioners will be folded into the SEI Blog. No further announcements will be posted to this page. But this doesn't mean the SATURN Conference is changing. The SATURN Conference will continue to be held annually and will celebrate its 15th year in Pittsburgh from May 6 to 9. Registration is open. For updates on SATURN 2019 and future SATURN Conferences, follow @SATURN_News on Twitter and join SATURN - A Software Architecture Community on LinkedIn. You can...

Read More
Evaluating Threat-Modeling Methods for Cyber-Physical Systems

• SEI Blog
Nataliya Shevchenko

Addressing cybersecurity for a complex system, especially for a cyber-physical system of systems (CPSoS), requires a strategic approach during the entire lifecycle of the system. Examples of CPSoS include rail transport systems, power plants, and integrated air-defense capability. All these systems consist of large physical, cyber-physical, and cyber-only subsystems with complex dynamics. In the first blog post in this series, I summarized 12 available threat-modeling methods (TMMs). In this post, I will identify criteria for choosing and evaluating a threat-modeling method (TMM) for a CPSoS....

Read More
Challenges to Implementing DevOps in Highly Regulated Environments: First in a Series

• DevOps Blog
Jose Morales

In academia, government, and industry, DevOps has become a standard, straightforward option for streamlining efforts and increasing comprehensive participation by all stakeholders in the software development lifecycle (SDLC). In highly regulated environments (HREs) within these three sectors, however, applying DevOps can prove challenging. HREs are mandated by policies for various reasons, most often general security and protection of intellectual property, which makes the sharing and open-access principles of DevOps that much harder to apply. In this blog post series on DevOps and HREs, which is based on a published paper, we will discuss the process, challenges, approaches, and...

Read More
Deep Learning and Satellite Imagery: DIUx Xview Challenge

• SEI Blog
Ritwik Gupta

In 2017 and 2018, the United States witnessed milestone years of climate- and weather-related disasters, from droughts and wildfires to cyclones and hurricanes. Increasingly, satellites are playing an important role in helping emergency responders assess the damage of a weather event and find victims in its aftermath. Most recently, satellites have tracked the devastation wrought by the California wildfires from space. The United States military, which is often the first on the scene of a natural disaster, is increasingly interested in the use of deep learning to automate the identification of victims and structures in satellite imagery to assist...

Read More
Improving Assessments for Cybersecurity Training

• SEI Blog
April Galyardt

The CERT Cyber Workforce Development Directorate conducts training in cyber operations for the DoD and other government customers as part of its commitment to strengthen the nation's cybersecurity workforce. A part of this work is to develop capabilities that better enable DoD cyber forces to "train as you fight," such as setting up high-fidelity simulation environments for cyber forces to practice skills including network defense, incident response, digital forensics, etc. However, cybersecurity is a challenging domain in which to train, because it is a dynamic discipline that changes rapidly and requires those working in the field to regularly learn...

Read More
Governance of a Software Product Line: Complexities and Goals

• SEI Blog
Robert Ferguson

My prior blog post on product lines in DoD sustainment described the complexity of contractual relationships in a DoD software product line. Recall that a software product line is a collection of related products with shared software artifacts and engineering services that has been developed by a single organization in support of multiple programs serving multiple missions and different customers. A product line can reduce cost of development and support. In exchange, it can be a cause of conflicting priorities between customers, much like the similar problem in joint program management. This blog post describes a set of guidelines and...

Read More
Deep Learning, Agile-DevOps, and Cloud Security: The Top 10 Blog Posts of 2018

• SEI Blog
Douglas C. Schmidt

Every January on the SEI Blog, we present the 10 most-visited posts of the previous year. This year's top 10, which features posts published between January 1, 2018, and December 31, 2018, brought an ever-increasing number of visitors to the blog.
10. Why You Should Apply Agile-DevOps Earlier in the Lifecycle
9. Best Practices and Considerations in Egress Filtering
8. Deep Learning: Going Deeper toward Meaningful Patterns in Complex Data
7. Why Does Software Cost So Much?
6. Revealing True Emotions through Micro-Expressions: A Machine Learning Approach
5. Translating Between Statistics and Machine Learning
4. Best Practices for Cloud Security
3. Security Begins at the Home Router...

Read More
Call for Papers: International Conference on Technical Debt (TechDebt 2019)

• SEI Blog
Tamara Marshall-Keim

The Second International Conference on Technical Debt will be held in Montréal, QC, Canada, on May 26-27, 2019, collocated with ICSE 2019. The conference brings together leading software researchers, practitioners, and tool vendors to explore theoretical and practical approaches that manage technical debt. Technical debt describes a universal software development phenomenon: design or implementation constructs that are expedient in the short term, but set up a technical context that can make future change more costly or impossible. Developers and managers use the concept to communicate key tradeoffs related to release and quality issues. As the interest in technical debt from...

Read More
SCALe v. 3: Automated Classification and Advanced Prioritization of Static Analysis Alerts

• SEI Blog
Lori Flynn

This post was co-authored by Ebonie McNeil. Static analysis tools analyze code without executing it, to identify potential flaws in source code. These tools produce a large number of alerts with high false-positive rates that an engineer must painstakingly examine to find legitimate flaws. As described in Lori's first blog post on this topic, we in the SEI's CERT Division have developed the SCALe (Source Code Analysis Laboratory) tool since 2010 as part of our research on new ways to help analysts be more efficient and effective at auditing static analysis alerts....

Read More
Deploying the CERT Microcosm DevSecOps Pipeline using Docker-Compose and Kubernetes

• DevOps Blog
Shane Ficorilli

According to DevSecOps: Early, Everywhere, at Scale, a survey published by Sonatype, "Mature DevOps organizations are able to perform automated security analysis on each phase (design, develop, test) more often than non-DevOps organizations." Since DevOps enables strong collaboration and automation of the process and enforces traceability, mature DevOps organizations are more likely to perform automated security analysis than non DevOps organizations. My previous blog post, Microcosm: A Secure DevOps Pipeline as Code, helped address the problem that most organizations do not have a complete deployment pipeline in place (and are therefore not considered to be DevOps mature) by automating penetration...

Read More
Path Finding in Malicious Binaries: First in a Series

• SEI Blog
Jeffrey Gennari

In a previous post, I discussed the Pharos Binary Analysis Framework and tools to support reverse engineering of binaries with a focus on malicious code analysis. Recall that Pharos is a framework created by our CERT team that builds upon the ROSE compiler infrastructure developed by Lawrence Livermore National Laboratory. ROSE provides a number of facilities for binary analysis including disassembly, control flow analysis, instruction semantics, and more. Pharos uses these features to automate common reverse engineering tasks. Since our last post, we have developed new techniques and tools in the Pharos framework to solve a problem that may be...

Read More
DGA Domains with SSL Certificates? Why?

• CERT/CC Blog
Leigh Metcalf

CertStream is a free service for getting information from the Certificate Transparency Log Network. I decided to investigate the presence of domains generated by Domain Generation Algorithms (DGA) in this stream, and I found some interesting phenomena....
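One way to run such an investigation, as an added example that is not code from the original post or from the CertStream project: pull the leaf-certificate names out of CertStream-style records and score each registrable label with a simple DGA heuristic (character entropy plus an unpronounceability or digit-density check). The record shape (message_type / data / leaf_cert / all_domains), the sample records, and the thresholds are assumptions made for this example; the heuristic is a generic substitute, not the method the post used, and a production tool would use the Public Suffix List rather than the naive second-level split below.

```python
import math
from collections import Counter

# Constructed records in the shape this example assumes for CertStream
# "certificate_update" messages, reduced to the fields read below.
# Invented for illustration; these are not real certificate-transparency entries.
SAMPLE_RECORDS = [
    {"message_type": "certificate_update",
     "data": {"leaf_cert": {"all_domains": ["www.example.com", "example.com"]}}},
    {"message_type": "certificate_update",
     "data": {"leaf_cert": {"all_domains": ["xqzkvjtpwmrdln.net"]}}},
    {"message_type": "certificate_update",
     "data": {"leaf_cert": {"all_domains": ["www.longlegitimatebrandname.com"]}}},
    {"message_type": "certificate_update",
     "data": {"leaf_cert": {"all_domains": ["*.a8f3k2m9q7x1z4.com", "a8f3k2m9q7x1z4.com"]}}},
    {"message_type": "heartbeat", "data": {}},
]

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(domain):
    """Second-level label with any wildcard prefix and trailing dot removed.
    Assumes a one-label public suffix (no Public Suffix List lookup), so
    'host.example.co.uk' would wrongly yield 'co'; use the PSL in real tooling."""
    parts = domain.lower().rstrip(".").lstrip("*.").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(label):
    """Longest run of alphabetic non-vowel characters; digits and vowels break a run."""
    best = run = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_features(label):
    digits = sum(ch.isdigit() for ch in label)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": digits / len(label) if label else 0.0,
        "consonant_run": longest_consonant_run(label),
    }


def looks_like_dga(label, min_len=10, min_entropy=3.2,
                   min_consonant_run=5, min_digit_ratio=0.3):
    """Flag long, high-entropy labels that are also unpronounceable or digit-heavy.
    Entropy alone is not enough: a long legitimate brand name can exceed 3.2 bits.
    Thresholds are assumptions chosen for the sample, not calibrated values."""
    f = dga_features(label)
    if f["length"] < min_len or f["entropy"] < min_entropy:
        return False
    return f["consonant_run"] >= min_consonant_run or f["digit_ratio"] >= min_digit_ratio


def scan_stream(records):
    """Return {domain: features} for every leaf-cert name whose registrable label looks DGA-generated.
    Non-certificate messages (e.g. heartbeats) are skipped."""
    flagged = {}
    for rec in records:
        if rec.get("message_type") != "certificate_update":
            continue
        for name in rec["data"]["leaf_cert"]["all_domains"]:
            label = registrable_label(name)
            if looks_like_dga(label):
                flagged[name] = dga_features(label)
    return flagged


if __name__ == "__main__":
    for name, f in sorted(scan_stream(SAMPLE_RECORDS).items()):
        print(f"{name:28s} len={f['length']:2d} H={f['entropy']:.2f} "
              f"digits={f['digit_ratio']:.2f} consonant_run={f['consonant_run']}")
```

On the constructed sample, the two invented random-looking labels are flagged while the long but pronounceable brand name is not, which is the point of combining entropy with a second feature. To run this against the live feed you would replace SAMPLE_RECORDS with records delivered by a CertStream client and keep the flagged names for the follow-up questions the post raises (who issued the certificate, and why a throwaway domain has one at all).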

Read More
Towards Improving CVSS

• CERT/CC Blog
Deana Shick

If you are a software vendor, IT administrator, or CSIRT team, you are probably using the Common Vulnerability Scoring System (CVSS) in one way or another. The CERT/CC recently published a white paper entitled Towards Improving CVSS that outlines what we consider to be major challenges with the standard and discusses some ways forward. This post is a summary of that paper; if you are interested, please review the full paper for an elaboration of the concerns outlined below....

Read More
Insider Threats in Finance and Insurance (Part 4 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Sarah Miller

This post was co-authored by Jonathan Trotman. In the previous post of our series analyzing and summarizing insider incidents across multiple sectors, we discussed some of the mandates and requirements associated with federal government insider threat programs as well as documented insider threat incidents. In this post, we will discuss information security regulations and insider threat metrics based on Finance and Insurance incidents from our CERT National Insider Threat Center (NITC) Incident Corpus....

Read More
Submit Proposals for SATURN 2019!

• Insider Threat Blog
Michele Falce

The deadline for submitting presentation proposals for SATURN 2019 is approaching quickly! As you probably know already, SATURN is a great opportunity to share and discover new advances around software architecture in industry. If you are new to the conference, it provides a great opportunity to get exposure for your work. If you are a repeat attendee, it is an excellent opportunity to give updates and receive feedback on work that was presented previously or to present new contributions. This year, we have three primary tracks: (1) Data Analytics, Machine Learning, Big Data, and Artificial Intelligence (AI); (2) Microservice, Event-Driven, and Serverless...

Read More
Threat Modeling: 12 Available Methods

• SEI Blog
Nataliya Shevchenko

Almost all software systems today face a variety of threats, and the number of threats grows as technology changes. Malware that exploits software vulnerabilities grew 151 percent in the second quarter of 2018, and cyber-crime damage costs are estimated to reach $6 trillion annually by 2021. Threats can come from outside or within organizations, and they can have devastating consequences. Attacks can disable systems entirely or lead to the leaking of sensitive information, which would diminish consumer trust in the system provider. To prevent threats from taking advantage of system flaws, administrators can use threat-modeling methods to inform defensive measures....

Read More
Scoping IT & OT Together When Assessing an Organization's Resilience

• Insider Threat Blog
Alexander Petrilli

The SEI engages with many organizations of various sizes and industries about their resilience. Those responsible for their organization's cybersecurity often tell us that their information technology (IT) and operational technology (OT) are too different to be assessed together. However, not accounting for both technologies could have serious implications to an organization's resilience. In this post I'll say why, and I'll describe the technology-agnostic tools the SEI uses to scope both IT and OT in resilience assessments....

Read More