Ask Security Leaders how secure their company is and many will tell you all about the tools, controls and runbooks they have in place. Now ask them if those things actually work and you may get a laugh and confirmation. Then ask if they have tested them against a third party that is determined to get in and has no rules of engagement, and you’ll likely get an uncomfortable look.

At Sigma Computing we hired hackers and gave them no rules of engagement.

Credit: Movie “Hackers”

We did a blind red team and social engineering engagement meaning the security team (and rest of the…


At Sigma Computing we love using our own product to visualize security and infrastructure data. If you haven’t checked out our other posts in this series please do so.

One of the issues that we struggle with is: how do you know what is happening across all the AWS services you consume in your account? There is no single pane of glass today that will tell you, so we started creating one around a few common AWS services. Visualized here (in order) we have AWS CloudTrail, GuardDuty, S3 Access Logs and CloudFront. …


For a lot of companies, especially startups, security isn’t the first role they hire for and their security program isn’t a focus in the beginning. That isn’t to say they aren’t secure or that the product they built isn’t secure but usually security programs and security hiring come later on in their journey.

I have been fortunate enough to work on a few security programs for large enterprises and have also built a few security programs from the ground up. I have also interviewed countless startups around their security as part of a vendor risk management program. …


If we look at the past 10 years, technology has been shifting pretty dramatically. Our development, ops and data teams have all made pretty drastic shifts in how they work to improve velocity, reduce friction and increase output of their product. Your development teams had to evolve to stay competitive in your industry or your team / product is at a disadvantage.

We have seen the CI/CD pipeline become the enabler where everything can integrate to form a seamless experience from development all the way to production. Developers can write code and push it into the pipeline, where automated tests…


Check out the previous posts in our security analytics journey: Adding Security Analytics to your Cloud Security Program with Sigma and Lacework and Building Devops / Secops Dashboards with Sigma Computing and Snowflake.

Passwords passwords passwords, there has been so much talk about passwords out there that I have password discussion fatigue. How long do they have to be, how complex, make sure they are alphanumeric, add special characters, uppercase / lowercase, can’t include your name, can’t have repeating or sequential characters. Then the ever fun discussion around password rotation. …


If you haven’t checked out the first part of this series please check it out where we show how to create Devops / Secops dashboards for your Cloudflare data.

Security organizations must become data-driven organizations. To accomplish that goal we need detailed data around our environments and from our security tools. Luckily our friends at Lacework share our cloud data with us via a Snowflake data share. You can request your Lacework data through the Snowflake Data Exchange; Omer Singer has a good article on it. …


Analyzing and visualizing security data has always been difficult for security teams. Oftentimes you are trying to do this in your SIEM, which may have limited capacity, so you can only look at data for the past 60 or 90 days. You need a specialist who knows how to build charts in your SIEM. You may not have all of the sources you want due to the cost of licensing and you have indexing limits. All in all it is an expensive and time-consuming process and you never really feel great about it. …


When I moved to Colorado I learned that there was an amazing concert venue on the outskirts of Denver. Red Rocks is an open air concert venue built into the side of the mountains; it is arguably the most beautiful and acoustically pleasing venue in the world. For my first concert I went there to see New Politics, Fall Out Boy and Paramore. What I saw that night has stuck with me for years.

Credit: denver.org — https://www.denver.org/things-to-do/music-nightlife/red-rocks/

That night during the song “Misery Business” the lead singer of the band Paramore, Hayley Williams, stopped singing and told everyone it…

Ross Hosman

Web Hosting Fanatic! Cloud Builder, Security Geek!
