SEI Insights

Recent Posts

By Douglas Gray
Information Security Engineer
CERT Division

What differentiates cybersecurity from other domains in information technology (IT)? Cybersecurity must account for an adversary. It is the intentions, capabilities, and prevailing attack patterns of these adversaries that form the basis of risk management and the development of requirements for cybersecurity programs. In this blog post, the first in a series, I present strategies for enabling resilience practitioners to organize and articulate their intelligence needs, as well as relevant organizational information, establish a collaborative relationship with their intelligence providers, organize and assess intelligence, and act upon intelligence via frameworks such as the CERT® Resilience Management Model (CERT-RMM), the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro methodology, the NIST Risk Management Framework, Agile, and the Project Management Body of Knowledge (PMBOK). In subsequent postings in this blog series, we discuss how these common resilience, risk, and project-management frameworks can be leveraged to integrate threat intelligence into improving the operational resilience of organizations.

Applying DevOps Principles in Incident Response

By Todd Waits
Project Lead
CERT Division

DevOps principles focus on helping teams and organizations deliver business value as quickly and consistently as possible. While the principles advocate for improving the coordination between development and operational teams, they can be adapted for any number of domains. The key components of DevOps we want to emulate across other domains are:

  • collaboration between project team roles
  • infrastructure as code
  • automation of tasks, processes, and workflows
  • monitoring of applications and infrastructure

In this blog post, I explore how to apply DevOps to the incident response domain. In the same way that advances in methodologies surrounding software development were gleaned from Toyota's manufacturing processes, we can apply lessons learned from DevOps across domains.

CVSS and the Internet of Things

There has been a lot of press recently about security in Internet of Things (IoT) devices and other non-traditional computing environments. Many of the most talked about presentations at this year's Black Hat and DefCon events were about hacking IoT devices. At the CERT/CC, we coordinate information about and discover vulnerabilities in various devices, and the number of vulnerabilities keeps growing.

One thing that I've personally been researching is finding vulnerabilities in vehicles. In recent weeks, even non-technical friends and family have asked me about the Jeep vulnerability, the Mobile Devices C4, Rolljam, Tesla, and other recent car-related vulnerabilities. These attacks are novel not because of the technical details, but because of the attack vectors and impact, which differ dramatically from those in traditional IT resources.

Handling Threats from Disgruntled Employees

Disgruntled employees can be a significant risk to any organization because they can have administrative privileges and access to systems that are necessary for the daily operation of the organization. These disgruntled employees can be identified and monitored, but without knowing what types of outcomes disgruntled insiders might accomplish, monitoring can become strenuous and overbearing.

Hi, I'm Richard Bavis, Insider Threat Graduate Intern at the CERT Insider Threat Center. In this blog post, I will discuss the top three outcomes of an attack conducted by a disgruntled insider to provide you with better insight into situations that could lead to an attack. By looking at these situations and outcomes, you and your organization will be able to better handle the possible threats of a disgruntled employee.

New This Year at SATURN: DEV@SATURN Talks

A DEV (Design, Engineering, Vision)@SATURN talk is similar to a TED talk and concisely shares a single breakthrough technique, lesson, or experience in a passionate and inspiring way. We have a few slots available for these presentations at SATURN 2016.

DEV@SATURN talks will be particularly story based with lots of colorful images, simple charts, videos, and other visual props. They will be short: you have a maximum of 15 minutes, which will force you to focus on only what matters. Speaker delivery is critical; audiences will react equally to the message and the messenger. It will help to watch a couple of TED talks to get a sense of the style. Remember, there will be a select few of these sessions in the technical program, so submit a proposal for this session type only if you believe you have the right topic and delivery style to delight your SATURN community.

Your DEV@SATURN talk will really ignite your audience when you focus on using stories and pictures. The 4D outline is a great tool to help you think about your purpose for each point and how you want to convey that point. With this tool, you can create an exciting presentation that drives home what you want your audience to remember.

We look forward to seeing your proposals!

The 12th SEI Architecture Technology User Network (SATURN) Conference 2016 will be held at the Sheraton San Diego Hotel & Marina in San Diego, California, May 2-5, 2016.

The SATURN 2016 Call for Submissions is now open.
Timely insights about vulnerabilities, network situational awareness, and research in the security field offered by CERT Division researchers.


Technical guidelines and practical advice for DevOps. Posts cover issues relating to understanding and achieving successful DevOps, including cultural shifts, barriers to collaboration, continuous integration, continuous deployment, and automation.

Insider Threat

Advice and best practices for organizations wanting to help better deter, detect, and respond to evolving insider threats.


The SEI Architecture Technology User Network’s blog covers topics relating to software architecture and connects the professional network of software, systems, and enterprise architects from around the world, representing industry, academia, and government.

SEI Blog

Ongoing and exploratory research on topics that include secure coding, malware analysis, testing, organizational planning, agile software development, big data, quality assurance, cloud computing, and software sustainment across the lifecycle.