I speak and write about information security topics, with an emphasis on cryptography and distributed denial-of-service (DDoS) attacks. I've written for DarkReading, SC Magazine, and Network World. But most people know me from my monthly column at SecurityWeek.
Click the selectors in the Content pane to filter the content.
Here's the second edition of the TLS Telemetry report. This is my ongoing research into worldwide cryptographic trends, covering such topics as protocol preference, forward secrecy adoption, SSL security headers and more. Really like the tasteful cover on this one. Beautiful!
I'd like to take credit for this one, I really would. We had a fascinating email discussion at work and our primary SSL/TLS engineer wrote this great email about the nuances of the asymmetric algorithm, RSA, and how it might be affected by computing advances in the future. I told him it would make a nice little article, and we tried to put his name on it but he didn't want the attention, and he asked me to put my name on it. So we did. Sometimes that happens.
After a conversation with a chip-maker, I did a bunch of research into Quantum Computing, and collected my notes into this pretty cool report.
Took me three years to compile the data for this report. It started out as a personal project that I wrote in a hotel room in Cologne Germany over a weekend. But hundreds of hours and millions of computer scans later... this report. It's all about global encryption trends over a three year period, with some analysis about why each trend is going the way it is. Warning: usual doses of Holmes humor contained within.
Here's an awesome whitepaper I wrote in the fall of 2016. I embedded eight references to Huey Lewis and the News. Can you find them all?
F5 commissioned the analyst firm IDC to survey hundreds of infosec professionals. The goal was to find out exactly how much enterprise traffic is encrypted. Their answers? Between 25-50% in 2016. That's a lot! Read the survey to find out how infosec is dealing with all the encrypted traffic, and the malware that hides within.
Cryptography has been a passion of mine since I was 9. NINE. I used to write code books to encrypt messages as a kid. So of course I gravitated to internet encryption, and spent a lot of time working with the Secure Sockets Library (SSL), which is now TLS. Here's a 50+ page magnum opus I wrote about the proper ways to use F5's SSL capabilities. Great stuff in here.
This may be the most significant document I've ever written. Customers used to ask me if we a a Best Practices document around DDoS and I got tired of telling them we didn't. So I wrote it. It took my close to 9 months to birth this baby. It documents every single kind of DDoS we've ever seen and how to combat them. My magnum opens for DDoS.
Here's a whitepaper I did on the expectation of SSL everywhere and what it means for business today. Topics covered include Forward Secrecy, Privacy, advanced key management and how to protect everything with an "always on" architecture.
Here is one of the most important papers I ever wrote. The description of a proper DDoS-resistant network architecture. The real meat of the knowledge lies with the recommended practices document, but this whitepaper outlines it pretty well and makes its case.
The reputation of IP addresses is can be used to create intelligent security controls. Here's a white paper for how to leverage that control.
Caught between high-profile security breaches, APTs, and “millennial” employees who expect 24/7 Internet access, forward-looking IT organizations can consolidate web access and security into a highperformance, strategic point of control: F5 Secure Web Gateway Services.
After many discussions with some of the most high profile brands in the world, I've consolidated their feedback into this single playbook. These are the ten steps you need to do when you get attacked with a distributed denial-of-service. It's basically vendor agnostic, with just the F5 logo on it.
Here's a great paper I wrote about how to categorize different DDoS attacks by type and by threat. Not a lot of discussion about mitigation, just classification and examination of the different attacks.
Written in 2012, this was a new way to think about Data Center Firewalls. Written with the amazing Lori MacVittie.