Guide your SOC Leaders to More Engineering Wisdom for Detection(Part 9)
Anton on Security
by Anton Chuvakin
2d ago
This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. In this blog (#9 in the series), we will cover a few higher level elements for moving to detection engineering approaches.
Detection Engineering is Painful — and It Shouldn’t Be (Part 1)
Detection Engineering and SOC Scalability Challenges (Part 2)
Build for Detection Engineering, and Alerting Will Improve (Part 3)
Focus Threat Intel Capabilities at Detection Engineering (Part 4)
Frameworks for DE-Friendly CTI (Part 5)
Cooking Intelligent Detections from ..read more
Learn Modern SOC and D&R Practices Using Autonomic Security Operations (ASO) Principles
Anton on Security
by Anton Chuvakin
2d ago
Learn Modern SOC and D&R practices for free from Google! Yes, really! That’s the message. Join *hundreds* of others who already signed up! Now, with full details… After some ungodly amount of work, the original ASO crew (but really Iman!) put together an epic Modern Security Operations training, now launched at Coursera at no cost. “Today, Google Cloud is excited to announce the launch of the Modern SecOps (MSO) course, a six-week, platform-agnostic education program designed to equip security professionals with the latest skills and knowledge to help modernize their security op ..read more
Google Cloud Security Threat Horizons Report #10 Is Out!
Anton on Security
by Anton Chuvakin
1w ago
This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our next Threat Horizons Report (full version) that we just released (the official blog for #1 report, my unofficial blogs for #2, #3, #4, #5, #6, #7, #8 and #9). My favorite quotes from the report follow below: “Weak or no credentials remained a key driver of initial access, accounting for the most frequent successful vector and the second most commonly seen trigger for detection rules. Misconfiguration, however, jumped to over 30%, largely due to the high volu ..read more
Anton’s Security Blog Quarterly Q2 2024
Anton on Security
by Anton Chuvakin
2w ago
Amazingly, Medium has fixed their stats (so not all is lost) so my blog quarterly is back to life. As before, this covers both Anton on Security and my posts from Google Cloud blog, and our Cloud Security Podcast (subscribe).
Top 7 posts with the most lifetime views (excluding paper announcement blogs):
Security Correlation Then and Now: A Sad Truth About SIEM
Can We Have “Detection as Code”?
Revisiting the Visibility Triad for 2020 (update for 2024 is coming soon BTW!)
Beware: Clown-grade SOCs Still Abound
Detection Engineering is Painful — and It Shouldn’t Be (Part  ..read more
We Love What’s Broken … Yes, This Of Course Means SIEM!
Anton on Security
by Anton Chuvakin
1M ago
SIEM challenges never stopped me from loving this technology, but I am very cognizant of YMMV. Anyhow, CardinalOps released their annual “state of SIEM” report, and here are some fun highlights. CardinalOps State of SIEM 2024 Report “Can potentially cover 87% of ATT&CK with existing data sources they’re already ingesting — but are currently only covering less than 19%.“ [A.C. — in my fairly informed opinion, the “security data lakers” are possibly making this particular one worse and definitely not better] ”Have m ..read more
No Snow, No Flakes: Pondering Cloud Security Shared Responsibility, Again!
Anton on Security
by Anton Chuvakin
1M ago
Disclaimer: this blog is very obviously inspired by current events, but it is absolutely not about those events. Meoooow! Lawyercats, stay away! No mice here. Dall-E via Copilot Lawyer Cat, Steampunk Vibe So, I hear there was some kinda incident and so Mandiant is investigating, as they tend to do. Mandiant blog has these fact-based quotes about the situation (sanitization is mine to emphasize the point above): Somebody “is systematically compromising $cloud_database customer instances using stolen customer credentials” Some “organization’s $cloud_database instance had been compromi ..read more
Back to Cooking: Detection Engineer vs Detection Consumer, Again?
Anton on Security
by Anton Chuvakin
2M ago
This is not a blog about the recent upheaval in the magical realm of SIEM. We have a perfectly good podcast / video about it (complete with hi-la-ri-ous XDR jokes, both human and AI created). This is about something that bothered me for a long time (since my Gartner days) and I finally figured out how to solve this complicated problem. Of course, the answer is … A TWITTER POLL! (source) On a more serious note, pay attention to the wording “if you look at your SIEM, how many detections have you written.” By combining my Twitter and LinkedIn poll data (that displayed a similar trend ..read more
RSA (“RSAI”) Conference 2024 Powered by AI with AI on Top — AI Edition (Hey AI, Is This Enough AI?)
Anton on Security
by Anton Chuvakin
2M ago
Where do we have “41,000 attendees, 650 speakers, 600 exhibitors and 400 members of the media” who all care about cyber security? Ha, an easy question: RSA Conference 2024, of course! I started my post-RSA blog tradition in 2006 — most of the blogs of course didn’t age well (“NAC is cool?!? What Year is This!?!” — “Eh… that’s 2007, Anton!”) RSA 2024 Booth Photo Here is my latest (and here is our RSA 2024 recap podcast …). First, remember my bias: SecOps, cloud security a ..read more
Reading the Mandiant M-Trends 2024
Anton on Security
by Anton Chuvakin
3M ago
This is my informal, unofficial, unapproved etc blog based on my reading of the just-released Mandiant M-Trends 2024 report (Happy 15th Birthday, M-Trends! May you live for many googley years…) Vaguely relevant AI visual with … cybernetic threats :-) “Shorter dwell times are likely driven by a larger proportion of ransomware incidents globally in 2023 (23%) versus 2022 (18%). The median dwell time for these ransomware cases dropped to 5 days compared to 9 days in the previous report.“ [A.C. — so your “detection” improved because .. the attacker helped a bit more] Att ..read more
Baby ASO: A Minimal Viable Transformation for Your SOC
Anton on Security
by Anton Chuvakin
3M ago
Vaguely relevant but very cyber image from Dall-E One pattern I spotted after looking at the evolution of IT and security organizations over the years, including my time at Gartner is: change is hard, but transformation is harder. Perhaps it is an IT Axiom of some sort, with a Theorem I that follows: many who say they want to transform, really don’t. And Theorem II: many wish for purported results of a transformed operation, but cannot bear many (any?) of the costs. So when I hear that a certain security team or a security operations center (SOC) wants to transform to a new ..read more