Charleston ISSA Chapter Forming

I know that I have several readers who are local to Charleston. I was recently thrilled to find out that a few people were getting together to form a Charleston chapter of the Information Systems Security Association (ISSA). If you aren’t familiar with the ISSA, it is an organization for information security professionals that is designed to provide both educational and networking opportunities. I was a member of the Kentucky chapter of the ISSA when I lived there, and I really enjoyed the opportunities it provided.

In addition, I was really excited to be asked to serve as the education director for the chapter. In this role I will be responsible for organizing presenters for our monthly meetings and setting up other learning opportunities. If you are local to Charleston or you want to come down and see what all the excitement is about (re: Shrimp and Grits), then drop me a line. If you might be interested in presenting or teaching a class, all the better!

You can read more at:

Raspberry Pi Donations for Public Schools

I’m donating 100 Raspberry Pis to public schools through my charitable foundation, the Rural Technology Fund. Better yet, I’ve set up a portal that allows you to donate Raspberry Pi devices to a school of your choice. While the RTF typically focuses on schools in rural areas, this initiative is not limited to those schools, and you can donate to any school of your choosing. If you want to learn about the Raspberry Pi device, why we need to get them into public schools, and how you can help, check out the project page here:

My Testimony

We didn’t have much growing up in rural western Kentucky. Not many people who lived in Mayfield did, really. Those who did have means, the few doctors we had in town or the occasional lawyer or pharmacist who had managed to do well for themselves, still lived their lives with modest sensibilities. It was a slower way of life than I suspect most are familiar with.


Looking back on the first fifteen years of my life, I can say that if there were a parent lottery, I was undoubtedly the winner. Although we didn’t have much, I never remember doing without. I always had presents under the tree at Christmas and I was never without supper on the table, although dessert after supper was a foreign concept to me until college. Most importantly, although my family was small, I always felt loved.


My Dad was a trucker who was known to take odd jobs around town. I can’t count the number of fence posts I helped him set or the number of pole barns I helped erect. He was a tough man, but he was also the kind of person who could start a conversation with anybody and make them feel like they had known him for years.


My Mom was no stranger to a hard day’s work either. She spent most of my young life working as a machine operator in a few different textile factories around town. Miss Judy, as my friends typically grew to call her, was one of the strongest-willed women you would ever meet. Most people would call her fiery or opinionated, and some who got on her bad side might have some other creative ways of expressing the same sentiment. Regardless, nobody could ever accuse Mom of being anything less than one of the most caring people you would ever meet. As a proper southern woman, it was typical for her to greet a visitor to our home by asking them if they’d eaten yet, and subsequently forcing a few bites of something down their throat regardless of their answer.


She was fiercely protective of those she loved, especially me. It was something that frustrated me to no end. My dim and narrow view on the world frequently led me to believe that she was holding me back, or that her protection was driven by something other than her simply wanting what was best for me. She had gone through a falling out with my much older sister Kim that had led Kim to leave town and become a very fleeting part of our lives. I suspected that Mom was simply trying to make sure that she didn’t repeat those same mistakes with me. I generally preferred to spend my time indoors reading or tinkering with anything that I could take apart and rebuild. I specifically remember how she would come into my room on weekends and demand that I go outside and find something constructive to do in the fresh air. “Go Play!” she would say as she shooed me out the back door, making sure I was wearing the appropriate shoes. I despised being forced to do it.


I figured out at an early age that my Mom wasn’t in the best of health. She smoked a couple of packs of cigarettes a day and had a regimen of pills prescribed for everything from high blood pressure to diabetes. Mom was prone to get sick enough to be stricken to the couch on a regular basis. While most people tend to relegate themselves to their bed when struck by illness, Mom preferred the couch. I think it was because she felt more accessible in the living room. She particularly liked it when I would sit with her when she wasn’t feeling well, even if it were just to watch TV.


It wasn’t until I approached my teens that things started getting more serious than I knew they were. Around this time Mom’s bouts with illness went from periodic stays on the couch to periodic stays in the hospital. These trips were never too long or too serious; an overnight stint for a really bad flu here, a three-day stay for pneumonia there.  I started to become more familiar with the local hospitals than I realized.


It’s important to explain at this point that religion in my family was a bit like that weird cousin everybody has, or an odd haircut: it was always there, but was not spoken about often. It was just something that we accepted. Dad was a traditional southern man who didn’t tend to talk a lot about things like religion or his emotions.  Mom, who had been a Sunday school teacher in her younger years, took her religion very seriously. Like Dad though, she didn’t talk about it too much. Both of my parents explained the bible to me when I was younger and made sure I had the resources to educate myself on topics of faith and religion, but they both lived their lives in such a way as to show faith rather than speak about it.


Although I believe my parents were well intentioned, it’s hard for a young person to read between the lines and derive faith by example. Because of the nature of my parents’ work, and the later state of Mom’s health, we didn’t attend church regularly. As a result, I lacked a lot of the core knowledge that helps in the understanding of faith and religion. Don’t get me wrong, there was a healthy amount of God fearing in our household, but I suppose faith was something that I was just expected to learn about on my own, rather than being taught.



This story really picks up when I was fifteen. This was in 2001, just after my birthday, which unfortunately, was the same day as the infamous 9/11 attacks. At this point in my life I was a typical high school sophomore who tended to get lost in the crowd. I didn’t really have any particular hobbies other than fiddling with the computer on occasion, and I wasn’t anything more than a B- student. I was a good kid, but simply put, I wasn’t living for anything. I was more or less floating through life.


Not long after my birthday, Mom was admitted to our local hospital for a bout of pneumonia. This wasn’t anything out of the ordinary. I remember visiting her on a Sunday night with my Dad. Although Mom wasn’t feeling great by any means, she was still herself, and we weren’t expecting anything different than the normal two to three day visit.


The Mayfield hospital was right across the highway from my high school. The spot where I would catch the bus home in the afternoon faced the west side of the hospital, which just happened to be where Mom’s room was this time. She had noticed this and made me promise to wave to her when I was getting on the bus the next afternoon. The distance between the school and the hospital was great enough that I couldn’t see whether or not she saw me waving, but I did just as I had promised her I would. There was no doubt that this action probably looked a bit strange to any of my peers who happened to witness it.


Dad had spent part of that Monday with Mom, but I didn’t go visit her that day. Even though the hospital was only a few miles away from my house, the routine nature of these hospital stays and the low severity of the pneumonia she had acquired warranted that Dad would only shuttle me to and from the hospital every other day or so as to not disrupt my routine too much. Nothing in particular stood out about that Monday, until later that night.


“Chris, wake up,” Dad said, as he grabbed my arm and gently shook me.


I tossed and turned, not showing too many signs of life.


“Chris, get up.” Dad’s grasp tightened, his shaking intensified. This was very unusual.


“Dad?” The only word I could muster in my only partially awakened state.


“Get your shoes on,” Dad said. “Something happened with Mom, we’ve got to go to the hospital.”


I don’t honestly remember a whole lot about the ride to the hospital. The combination of being awoken from my deep sleep at 3AM and the general shock of the situation left me in a state where I wasn’t sure if what was happening was real, or only a dream.


I do remember that Dad didn’t say a word on the short trip. By the time we had arrived at the hospital I knew nothing more than what he had told me when he woke me up a few short minutes earlier.


We were met in the ICU by our family practitioner, Dr. Jones. Being a small town, Dr. Jones had been our family doctor for my entire life. He was a friend to the family, and we had close ties to other members of his family. His son was one of the few town veterinarians, and cared for the variety of animals we kept over the years. His oldest daughter was a banker and helped provide the financing for my first home many years later. I went to high school with his youngest daughter, although I didn’t know her too well at this point in my life.


Dr. Jones explained to us that Mom had become unresponsive at some point during the night, and her vital stats had dropped dangerously low. They had no idea what happened, and at this point they were still working to stabilize her. My memory of this night is still very fuzzy. We remained at the hospital for several hours until they were eventually able to stabilize her condition, although she remained unconscious. Nobody was able to provide any insight into why she had crashed. Dad wouldn’t let me see her that night, no doubt attempting to shield me from seeing her in that state.


At the urging of Dr. Jones, Dad and I returned home to get a few hours of sleep. We got home just as the sun was rising. I don’t know if Dad actually went to sleep at this point. I’d guess not. I think that the only reason he agreed to go home was for my sake. I was tired and confused, and he knew that I needed to be well rested in order to be able to process the events that had occurred. I woke up a few hours later, realizing that I wouldn’t be going to school that day. We headed back to the hospital.


I distinctly remember the moment I walked into the ICU and laid eyes on Mom. I had seen her in the hospital dozens of times, but I had never seen her like this. She had several lines and tubes entering her body. A variety of machinery lined the walls of the very carefully designed room. The thing I remember most was the heart monitor. I had seen these on TV, but had never seen one in real life. It beeped with regularity just like I had seen on “ER”, a show Mom and I watched every Thursday night.




The beeps corresponded to the spikes on the machine’s display, coming at regular intervals. I didn’t know anything about medicine, but I knew that this machine measured the frequency of her heartbeat, and that it was of critical importance.


Mom remained in this state for several days, which were mostly uneventful. Dad thought that it was important that I not miss too much school, so I alternated my days between school and the hospital.  Although I was incredibly worried, I surprised myself in my ability to continue through the school day as though everything was normal. It was a strength whose source I didn’t know.


Towards the end of the first week, no news quickly turned into devastating news. Although Dad had tried to shield me from a lot of things throughout my life, when Dr. Jones came in with updates, Dad wanted me to hear it at the same time he did. Looking back, I think it helped him as much as it did me. I don’t have children, but I can’t imagine it’s easy to deliver bad news to them.


Dr. Jones had come to tell us that Mom’s organs were starting to shut down. Her lungs weren’t in the best shape as it was, and now her liver was showing signs of trouble and her kidneys were starting to fail to produce urine. It was clear that this discussion wasn’t easy for Dr. Jones. He was a lifelong friend of the family, and he was trying to tell a father and his fifteen-year-old son that their wife and mother was dying. I remember the steady sound of the heart monitor drowning out the doctor’s words.




A few more days passed and Mom’s condition worsened. It wasn’t long until word got out that things had gotten very serious, and visitors started to arrive. Although our family was small, those that existed showed up to see Mom and give Dad and me their support. This included my sister Kim, and my Aunt Sandy, who was also Mom’s best friend. Word had also gotten to my school as my absence became noticeable, and several of my teachers showed up to show their support as well. One of the best things about rural communities like Mayfield is how they rally around people in their time of need.


The number of people around us became a bit smothering. Within a couple of days however, Dr. Jones brought more news that made me forget that anyone else was around. The doctors treating Mom now believed that an infection in the fluid that surrounds her heart was to blame for her current condition. Her already frail state and the years of abuse her body had already taken continued to take a toll, and now her kidneys were barely functioning at all. She wasn’t able to breathe on her own, and she now required a feeding tube.


Dr. Jones chose his next words very carefully. It was clear he had given this speech before, and despite his best efforts to give it in the caring, understanding tone you would expect from a friend, his words came across as somewhat robotic. I can’t say I blame him. I’m not sure a normal human could get through it without detaching themselves from the words they were speaking to some extent.


He explained to us that he and the other treating doctors believed that Mom was dying, and that the machines that she was connected to were now the only things sustaining her life. Very carefully, but very clearly, I listened as Dr. Jones explained to my Dad that he had to make a decision on whether or not measures should be taken to prolong my Mom’s life. It was the very same speech I had seen doctors give to fictitious patients on “ER”. He insisted that Dad shouldn’t make the decision immediately, and that he should take some time to talk to the family about it.


The rest of that day I witnessed a range of emotions I had never seen from my Dad. A man that wasn’t used to showing emotion whatsoever was attempting to deal with what I can only imagine was sadness, confusion, and anger all at once.


At one point, I remember Dad speaking to me angrily as we sat next to Mom’s hospital bed. He wasn’t mad at me, but mad at the situation he found himself in. “Son” he said, “I don’t wish this on anybody. Not my worst enemy. If they ever try to hook me up to any of these machines, I want you to let me die right then and there. This isn’t right.”


It was hard to hear Dad talk like this. He had never been so candid with me about his own mortality. I wasn’t prepared to handle it. I had tried for so long to stay strong for Dad, but this was too much. I broke down crying as Dad tried to comfort me. The only thing louder than my sobbing was the rhythmic beeping of the heart monitor.




Several hours later, something truly remarkable happened. Dad, Kim, Sandy and I were staying in a nearby empty room the hospital staff had provided for us. Dr. Jones came into the room hastily without knocking. Mom was awake.


We wanted to rush to her side, but Dr. Jones stopped us before we could exit the room. He spoke quickly but concisely. This was another speech he had given before. He explained to us that although Mom was lucid and communicating, that this didn’t mean that she was getting better. In fact, these moments of lucidity were often an indicator that things were about to get much worse.


As Dad, Kim, Sandy and I went into her room, my eyes made contact with hers. Her eyes grew wider and the rhythm of the heart monitor increased. It was the first time its rhythm had changed since this whole event had started. She tried to talk, but the breathing tube in her throat prevented it. Not more than a moment later, a nurse came into the room with a special card that was used for situations like these. The card had all of the letters of the alphabet on it, as well as numbers, a few common conversational phrases, and thumbs up and down symbols.


Mom attempted to point at letters on the card, but to no avail. She didn’t have her glasses, and we weren’t able to find them immediately. She improvised quickly, and pulled my Dad close to her. She started writing letters with her finger on his chest.


Her first question was simple.


“What happened?”


Dad explained the gravity of the situation and the events that had taken place as best he could. Eventually, Dad began to explain to her the seriousness of her condition, and that the doctors believed she was dying. Mom reacted to Dad’s words as he delivered the news to her. She winced on a few occasions, and at one point tears began to roll from her eyes and down the side of her face.


Once Dad was finished, he asked her if she understood how serious the situation was.


She nodded.


Next, Dad explained to her that her new state of consciousness could be a sign that she was about to get much worse.


She nodded.


Finally, Dad told her that the doctors caring for her didn’t believe she was going to survive her current state. He explained, almost word for word, what Dr. Jones had told him regarding the use of extraordinary measures. Then, without wasting any words, my Dad asked his wife of thirty years if she wanted the life support machines to be turned off, and if she was ready to die.


Her gaze went around the room as she made eye contact with each one of us independently. She paused for a few seconds as she looked at each of us before moving on to the next. First Dad, then me, then Kim, then Sandy, and back at Dad again. It was as though she was trying to gauge our reactions. That she was trying to comfort us in some way, knowing that she couldn’t speak to us or reach out and hold us.


One more time, she nodded.


Seeing her awake helped me to hold back any tears that might have otherwise poured out of me. I felt like I needed to be strong for her and my Dad. As much pain as I was feeling, I knew Dad’s had to be exponentially worse.


A few minutes later, as the gravity of the situation set in further, Mom motioned for me to come closer to her and take her hand. She looked at me and then to my Dad, and began writing letters on his chest with her finger.


She wrote a capital G, followed by a small O. She paused briefly, and then wrote a capital P, and a straight line indicating a lowercase L. She paused once again, noticeably wincing. I wasn’t sure if the wince was a result of the physical pain she must have been in or an emotional response to the current situation. She began writing again, making the lowercase letters A and Y.


“Go Play.”


Mom didn’t want me to see her like this. It wasn’t fair that I had to see her die; that I had to watch her slowly dying for the majority of my childhood. Just as she and Dad had been so protective of me in all situations of life, she wanted to protect me from having to experience the pain that was growing inside me. She was literally dying in front of me, and her only concern was protecting me from that pain.


It was too much.


I left the room before my tears had the chance to overtake me and collapsed into a chair positioned just outside of the ICU room. I stayed in that chair for several minutes as the others continued to communicate with Mom. Although I could audibly hear their voices, I didn’t retain a single word of their conversation. I couldn’t take it. I had to escape. Once again I found myself focusing on the beeping heart monitor.




It wasn’t long after that before Mom drifted back into unconsciousness. Two more days passed and she continued to worsen. Honoring Mom’s wishes, Dad signed the paperwork to end life support on a Tuesday morning. It just so happened that day was their 30th wedding anniversary.


The doctors explained to us that once the life support was removed, it might take quite some time before anything happened. We remained vigilant throughout most of that day. Towards late afternoon, Mom became conscious once again.


In the hour or so that followed, we all spent some time with her individually. She was able to talk, although it was very laboring for her, so her words were kept to a minimum.


My dad went first. I’ve thought about what might have been said between them many times, but I’ve never asked, and I never will. I can’t imagine what words a husband tells his dying wife, or how a dying mother ensures her husband knows that he is capable of raising their son by himself. I truly hope that when my time comes, it happens quickly, and that I go before my wife. It must have been agony for both of them.


I honestly didn’t believe I would ever be able to talk to Mom again, so I wasn’t prepared when it became my turn to say goodbye. I won’t go into the details of everything that we discussed, but there were a couple of really important things. First of all, I felt that it was important that she knew that I would take care of Dad as much as he would take care of me. I told her that we would never be whole without her, but that we would make it because of her impact on our lives.


Mom lay there and patiently waited for me to say everything that I felt I needed to say. Then, she spoke to me. She made sure I knew how proud she was of me and that I knew how much she loved me. She told me how important education was, she herself not having graduated from high school. She obviously regretted that. She also told me that I should pursue my interest in computers, and that I was bound for great things if I did. These things didn’t catch me too much by surprise as they were recurring themes she continually reinforced to me when she had been in better health.


Then, she brought up something that caught me entirely off guard. Something that we had never really talked about in great detail, and that was her faith. Speaking with more clarity than I could have imagined was possible in her debilitated state, she spoke about God, religion, heaven, and hell. She wanted me to know that I knew where she was going when she died; that her soul transcended her physical being because of her relationship with Christ, and that there was no relationship more important than a person’s relationship with God.


She continued, and told me that she greatly regretted never discussing this with me, before now. She told me that she wasn’t afraid of dying, because she was going to walk with God in all of his glory, and that there would be no more pain where she was going. She spoke about heaven in the same way a young child speaks about Christmas or Disney World, with childlike wonder, and amazement. She made sure that I knew that I would see her again some day. She told me that God needed her more than I did now, and that this wasn’t goodbye, it was just merely “See you later.”


Finally, she told me that there was nothing more important to her than my establishing a relationship with Christ. She pronounced that if I was to put faith in Him that all things would be possible, and that alone I am nothing but flesh and bones, but through Him I would gain eternal life. Mom and I prayed together, and it was in that moment that I accepted Jesus Christ as my savior.


Not much longer after that, Mom drifted back to sleep. I was lying down in the extra room we were staying in several hours later. It was just past one in the morning and although my mind had been racing, I managed to fall asleep from pure exhaustion. Then, I was abruptly awoken by my sister’s voice.


“Chris, wake up. It’s happening.”


I rushed into Mom’s ICU room. Dad was at her side rubbing her forehead. I looked to the heart monitor. The beeping had slowed and the numbers displayed on the screen were dropping lower.




Sandy placed herself at the foot of the bed. Kim moved to the far side of the bed. I positioned myself next to Dad. He took my hand and placed it into my Mom’s left hand at her side. I grasped it tightly.




The numbers on the heart monitor continued to drop. Both Kim and Dad’s gaze were locked on Mom. Her last moments were growing nearer.




As the numbers inched lower, Mom’s eyes opened slightly. She looked intently into Dad’s eyes while he looked back at her. Then her eyes slowly moved to the right and made contact with mine.




Her hand squeezed mine ever so slightly. Her mouth moved very faintly. As it started to move we all leaned in closer as she said two words to me…“Go Play.” I managed to hold my tears back. I had to remain strong for everyone else.




She looked back at Dad. He spoke to her. “It’s happening,” he said. Then he asked her, “Are you ready?”


She nodded, and then she faintly said to Dad, “I love you.”


We all remained silent. Dad stared intently into Mom’s eyes as her eyelids closed for the last time. Kim held her right hand, as I grasped her left. Dad gently stroked her hair back from her forehead as she took her last breath.




The numbers on the heart monitor were no longer visible. The nurse who had been in the room turned and switched the machine off. We lingered for a few more moments, and then we left the room together.


Mom had gone to be with the Lord, and she was no longer in pain.



Losing my Mom was without a doubt the hardest thing I’ve ever been through in my life. It was difficult to see at the time, but those last few days with her changed my life. I entered that experience as an empty shell; a person who was living for nothing. I had no future in life or in death. I was simply going through the motions.


After Mom’s passing, something very unexpected happened. My family started looking to me for the same strength they used to rely upon her for. This was especially evident a couple of years later when we lost my Aunt Sandy and my sister Kim.


Romans 1:19-21 tells us that God makes himself apparent to everyone at some point. Further, in Romans 10 we learn that everyone has the chance to be saved by the grace of God; they must only be prepared to accept it.


Romans 10:9 says:


“Because, if you confess with your mouth that Jesus is Lord and believe in your heart that God raised him from the dead, you will be saved.”


Sitting next to my Mom, as I felt the life leaving her body, I had been saved. I had been transformed, and as time went on my life quickly gained clarity and focus. I began to find immense joy in the things and people around me, I turned my computer hobby into a career, and I began to study His word and live through it. I started loving others more than myself. I gained patience, kindness, and strength. These things had been inside me all along, but God had now provided me with the ability to recognize it. I had been reborn in Christ’s love. I was living for something bigger than myself. I was living for Him.


When tragedy occurs in our lives, it is very hard to see that it is all a part of His plan for us. There is no verse that states it more beautifully than Jeremiah 29:11-13:


“’For I know the plans I have for you,’ declares the Lord, ‘plans to prosper you and not to harm you, plans to give you hope and a future. Then you will call on me and come and pray to me, and I will listen to you.  You will seek me and find me when you seek me with all your heart.’”


Although she is no longer with me in body, I feel her spirit with me every day. Everything God does has a purpose. Everything He does is part of the plan he has for me. He took my Mom on that cold October day because He needed her more than I did.  He used my Mom to bring me into the body of Christ and to radically change my life. I don’t think Mom would have had it any other way. I can’t wait to talk to her about it some day, and I can’t wait to see what He has planned for me next.


Applied Network Security Monitoring, the book!

I’m thrilled to announce my newest project, Applied Network Security Monitoring, the book, along with my co-authors Liam Randall and Jason Smith.

Better yet, I’m excited to say that 100% of the royalties from this book will be going to support some great charities, including the Rural Technology Fund, Hackers for Charity, Hope for the Warriors, and Lighthouse Youth Services.

You can read more about the book, including a full table of contents at its companion site, here:

Information Security Incident Morbidity and Mortality (M&M)

It may be a bit cliché, but encouraging the team dynamic within an information security group ensures mutual success over individual success. There are a lot of ways to do this, including items I’ve discussed before such as fostering the development of infosec superstars or encouraging servant leadership. Beyond these things, there is no better way to ensure team success within your group than to create a culture of learning. Creating this type of culture goes well beyond sending analysts to formalized courses or paying for certifications. It relies upon adopting the mindset that in every action an analyst takes, they should either be teaching or learning, with no exceptions. Once every analyst begins seeing every part of their daily job as an opportunity to learn something new or teach something new to their peers, then a culture of learning is flourishing.

A part of this type of organizational culture is learning from both successes and failures. The practices of Network Security Monitoring (NSM) and Incident Response (IR) are centered on technical investigations and cases, and when something bad eventually happens, incidents. This is not unlike medicine, which is also focused on medical investigations and patient cases, and when something bad eventually happens, death.

Medical M&M

When death occurs in medicine, it can usually be classified as something that was either avoidable or inevitable from both a patient standpoint and also as it related to the medical care that was provided. Whenever a death is seen as something that may have been prevented or delayed with modifications to the medical care that was provided, the treating physician will often be asked to participate in something called a Morbidity and Mortality Conference, or M&M as they are often referred to casually. In an M&M, the treating physician will present the case from the initial visit, including the presenting symptoms and the patient’s initial history and physical assessment. This presentation will continue through the diagnostic and treatment steps that were taken all the way through the patient’s eventual death.

The M&M presentation is given to an audience of peers, to include any other physicians who may have participated in the care of the patient in question, as well as physicians who had nothing to do with the patient. The general premise is that these peers will question the treatment process in order to uncover any mistakes that may have been made or processes that could be improved upon.

The ultimate goal of the medical M&M as a team is to learn from any complications or errors, to modify behavior and judgment based upon experiences gained, and to prevent repetition of errors leading to complications. This is something that has occurred within medicine for over one hundred years and has proven to be wildly successful.

Information Security M&M

I’ve written about how information security can learn from the medical field on multiple occasions, including recently discussing the use of Differential Diagnosis for Network Security Monitoring. The concept of M&M is also something that I think transitions very well to information security.

As information security professionals, it is very easy to miss things. I’m a firm believer that prevention eventually fails, and as a result, we can’t be expected to live in a world free from compromise. Rather, we must be positioned so that when an incident does occur, it can be detected and responded to quickly. Once that is done, we can learn from whatever mistakes occurred that allowed the intrusion, and be better prepared the next time.

When an incident occurs, we want it to be because of something out of our hands, such as a very sophisticated attacker or an attacker who is using an unknown zero day. The truth of the matter is that not all incidents are that complex, and oftentimes there are ways in which detection, analysis, and response could occur faster. The information security M&M is a way to collect that information and put it to work. In order to understand how we can improve from mistakes, we have to understand why they are made. Uzi Arad summarizes this very well in the book “Managing Strategic Surprise”, a must-read for information security professionals. In this book, he cites three problems that lead to failures in intelligence management, which also apply to information security:

  • The problem of misperception of the material, which stems from the difficulty of understanding the objective reality, or the reality as it is perceived by the opponent.
  • The problems stemming from the prevalence of pre-existing mindsets among the analysts that do not allow an objective professional interpretation of the reality that emerges from the intelligence material.
  • Group pressures, groupthink, or social-political considerations that bias professional assessment and analysis.

The information security M&M aims to provide a forum for overcoming these problems through strategic questioning of incidents that have occurred.

When to Convene an M&M

In an Information Security M&M, the conference should be initiated after an incident has occurred and been remediated. Selecting which incidents are appropriate for M&M is a task that is usually handled by a team lead or member of management who has the ability to recognize when an investigation could have been handled better. This should occur reasonably soon after the incident so important details are fresh on the minds of those involved, but far enough out from the incident that those involved have time to analyze the incident as a whole, post-mortem. An acceptable time frame can usually be about a week after the incident has occurred.

M&M Presenter(s)

The presentation of the investigation will often involve multiple individuals. In medicine, this may include an initial treating emergency room physician, an operating surgeon, and a primary care physician. In information security, this could include an NSM analyst who detected the incident, the incident responder who contained and remediated the incident, the forensic investigator who performed an analysis of a compromised machine, or the malware analyst who reverse engineered the malware associated with the incident.

M&M Peers

The peers involved with the M&M should include at least one counterpart from each particular specialty, at minimum. This means that for every NSM analyst directly involved with the case, there should be at least one other NSM analyst who had nothing to do with it. This aims to get fresh outside views that aren’t tainted by feeling the need to support any actions that were taken in relation to the specific investigation. In larger organizations and more ideal situations, it is nice to have at least two counterparts from each specialty, with one being of lesser experience than the presenting individual and one being of more experience.

The Presentation

The presenting individual or group of individuals should be given at least a few days notice before their presentation. Although the M&M isn’t considered a formal affair, a reasonable presentation is expected to include a timeline overview of the incident, along with any supporting data. The presenter should go through the detection, investigation, and remediation of the incident chronologically and present new findings only as they were discovered during this progression. Once this chronological presentation is given, the incident can then be examined holistically.

During the presentation, participating peers should be expected to ask questions as they arise. Of course, this should be done respectfully by raising your hand as the presenter is speaking, but questions should NOT be saved for after the presentation. This is in order to frame the questions to the presenter as a peer would arrive at them during the investigation process.

Strategic Questioning

Questions should be asked to presenters in such a way as to determine why something was handled in a particular manner, or why it wasn’t handled in an alternative manner. As you may expect, it is very easy to offend someone when asking these types of questions. Therefore, it is critical that participants enter the M&M with an open mind and that both presenters and peers ask and respond to questions in a professional manner and with due respect.

Initially, it may be difficult for peers to develop questions that are entirely constructive and helpful in overcoming the three problems identified earlier. There are several methods that can be used to stimulate the appropriate type of questioning.

Devil’s Advocate

One method that Uzi Arad mentions in his contribution to “Managing Strategic Surprise” is the Devil’s Advocate method. In this method, peers attempt to oppose most every analytical conclusion made by the presenter. This is done by first determining which conclusions can be challenged, then collecting information from the incident that supports the alternative assertion. It is then up to the presenter to support their own conclusions and debunk competing thoughts.

Alternative Analysis (AA)

R.J. Heuer presents several of these methods in his paper, “The Limits of Intelligence Analysis”. These methods are part of a set of analytic tools called Alternative Analysis (AA).

Group A / Group B

This analysis involves two groups of experts analyzing the incident separately, based upon the same information. This requires that the presenters (Group A) provide supporting data related to the incident prior to the M&M so that the peers (Group B) can work collaboratively to come up with their own analysis to be compared and contrasted during the M&M. The goal is to establish two individual centers of thought. Whenever points arise where the two groups reach a different conclusion, additional discussion is required to find out why the conclusions differ.

Red Cell Analysis

This method focuses on the adversarial viewpoint, in which peers assume the role of the adversary involved with the particular incident. In doing this, they will question the presenter as to how their investigative steps were completed in reaction to the attacker’s actions. For instance, a typical defender may solely be focused on finding out how to stop malware from communicating back to the attacker, but the attacker may be more concerned with whether or not the defender was able to decipher the communication that was occurring. This could lead to a very positive line of questioning that results in new analytic methods that help to better assess the impact of the attacker to benefit containment.

What If Analysis

This method is focused on the potential causes and effects of events that may not have actually occurred. During detection, a peer may ask a question related to how the attack might have been detected if the mechanism that did detect it didn’t do so. In the response to the event, a peer might question what the presenter would have done had the attacker been caught during the data exfiltration process rather than after it had already occurred. These questions don’t always relate directly to the incident at hand, but provide incredibly valuable thought provoking discussion that will better prepare your team for future incidents.

Analysis of Competing Hypotheses

This method is similar to what occurs during a differential diagnosis, where peers create an exhaustive list of alternative assessments of symptoms that may have been presented. This is most effectively done by utilizing a whiteboard to list every potential diagnosis and then ruling those out based upon testing and review of additional data. You can review my article on differential diagnosis of NSM events for a more thorough discussion of this type of questioning.

Key Assumptions Check

Most all sciences tend to make assumptions based upon generally accepted facts. This method of questioning is designed to challenge key assumptions and how they affect the investigation of a scenario. This most often pairs with the What If analysis method. As an example, in the spread of malware, it’s been the assumption that when operating within a virtual machine, the malware doesn’t have the ability to escape to the host or other virtual machines residing on it. Given an incident being presented where a virtual machine has been infected with malware, a peer might pose the question of what action might be taken if this malware did indeed escape the virtual environment and infect other virtual machines on the host, or the host itself.


During the M&M, all participants should actively take notes. Once the M&M is completed, the presenting individuals should take their notes and combine them into a final report that accompanies their presentation materials and supporting data. This reporting should include a listing of any points which could have been handled differently, and any improvements that could be made to the organization as a whole, either technically or procedurally. This report should be attached to the case file associated with the investigation of the incident.

Additional Tips

Having organized and participated in several of these conferences and reviews of similar scope, I have a few other pointers that help in ensuring they provide value.

  • M&M conferences should be held only sporadically, with no more than one per week and no more than three per month.
  • It should be stressed that the purpose of the M&M isn’t to grade or judge an individual, but rather, to encourage the culture of learning.
  • M&M conferences should be moderated by someone at a team lead or lower management level to ensure that the conversation doesn’t get too heated and to steer questions in the right direction.
  • If you make the decision to institute M&M conferences, it should be a requirement that everybody participates at some point, either as a presenter or a peer.
  • The final report that is generated from the M&M should be shared with all technical staff, as well as management.
  • Information security professionals, not unlike doctors, tend to have big egos. The first several conferences might introduce some contention and heated debates. This is to be expected initially, but will work itself out over time with proper direction and moderation.
  • The M&M should be seen as a casual event. It is a great opportunity to provide food and coordinate other activities before and after the conference to take the edge off.
  • Be wary of inviting upper management into these conferences. Their presence will often inhibit open questioning and response and they often don’t have the appropriate technical mindset to gain or provide value to the presentation.

It is absolutely critical that when initiating these conferences, it is done with care. The medical M&M was actually started in the early 1900s by a surgeon named Dr. Ernest Codman at Massachusetts General Hospital in Boston. MGH was so appalled that Dr. Codman suggested that the competence of surgeons should be evaluated that he eventually lost his staff privileges. Now, M&M is a mainstay in modern medicine and something that is done in some of the best hospitals in the world. I’ve seen instances where similar types of shunning occur in information security when these types of peer review opportunities are suggested. As information security practitioners it is crucial that we are accepting of this type of peer review and that we encourage group learning and the refinement of our skills.


  • Campbell, W. (1988). “Surgical morbidity and mortality meetings”. Annals of the Royal College of Surgeons of England 70 (6): 363–365. PMC 2498614. PMID 3207327.
  • Arad, Uzi (2008). Intelligence Management as Risk Management. Paul Bracken, Ian Bremmer, David Gordon (Eds.), Managing Strategic Surprise (43-77). Cambridge: Cambridge University Press.
  • Heuer, Richards J., Jr. “Limits of Intelligence Analysis.” Orbis 49, no. 1 (2005).