Assessing and prioritizing your SOC feeds can help reduce cost and ensure quality

Effective breach detection and threat hunting in the SOC depends on collecting logs and alerts from a wide variety of infrastructure and applications, including clients and servers, networks, email and cloud services, and the wide variety…


In recent weeks security professionals have been scouring their infrastructure, and the internet, for any HAFNIUM-related indicator of compromise, but this is reactive work, and it becomes far more tedious when the right detection framework is not already in place.

Let’s recap the sequence of…


SOC practitioners know that the threat landscape is as complex and fast-moving as it has ever been, and that attackers are better funded than ever; the best thing we, as defenders, have going for us is agility in our processes.

Specifically, what that means is…


The recent SolarWinds compromise showed how a determined adversary can abuse a trusted source to gain access to an organization. While there is still much to learn from SolarWinds, we should not ignore how other areas of trust could be used against an organization. …


Detecting the Exploitation of “Baron Samedit” (CVE-2021-3156)

A heap-based buffer overflow in sudo (CVE-2021-3156, CVSS 7.8), dubbed “Baron Samedit”, was recently disclosed. Successful exploitation lets any unprivileged local user escalate to root immediately, with no additional authentication, and the following sudo versions are affected:

  • Legacy versions of…
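Two checks a SOC engineer wants as soon as this bug lands, written here as an added example rather than code from the Anvilogic post: a screen of the installed sudo version against the affected ranges Qualys published (legacy 1.8.2 through 1.8.31p2, stable 1.9.0 through 1.9.5p1, fixed in 1.9.5p2), and a detection over process-execution records that flags the exploit's command-line shape, sudoedit (or sudo -e) invoked with -s or -i and an argument ending in an unescaped backslash. The record field names (`comm`, `argv`) and the sample records are constructed for the example and do not follow any specific vendor's schema.

```python
"""Added example for CVE-2021-3156 ("Baron Samedit"); not code from the original post.

1. is_vulnerable_sudo(): is the build inside the affected upstream version ranges?
2. find_exploit_attempts(): do process-execution records show the exploit's
   command-line shape (sudoedit mode + -s/-i + argument ending in a lone backslash)?

Field names (comm, argv) and the records below are constructed for this example.
"""
import re
from typing import Iterable

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Affected ranges, inclusive, as (major, minor, patch, p-level).
_VULN_RANGES = [((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1))]


def parse_sudo_version(text: str) -> tuple:
    """Turn '1.8.31p2', or the first line of `sudo --version`, into a sortable tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable_sudo(version_text: str) -> bool:
    """Upstream version screen only. Distributions backport the fix without bumping
    the upstream number, so confirm with the test from the Qualys advisory: as a
    non-root user run `sudoedit -s /`; an error starting with 'sudoedit:' means
    vulnerable, one starting with 'usage:' means patched."""
    v = parse_sudo_version(version_text)
    return any(lo <= v <= hi for lo, hi in _VULN_RANGES)


def _short_flags(argv: list) -> set:
    """Letters from clustered short options (-s, -is, ...), stopping at '--'."""
    flags = set()
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg.startswith("-") and not arg.startswith("--"):
            flags.update(arg[1:])
    return flags


def _trailing_backslashes(arg: str) -> int:
    return len(arg) - len(arg.rstrip("\\"))


def _is_sudoedit(comm: str, argv: list) -> bool:
    """sudoedit binary, or sudo run in edit mode (-e / --edit)."""
    if comm == "sudoedit" or (argv and argv[0].rsplit("/", 1)[-1] == "sudoedit"):
        return True
    return comm == "sudo" and ("e" in _short_flags(argv) or "--edit" in argv)


def find_exploit_attempts(records: Iterable[dict]) -> list:
    """Return records matching the exploit signature: sudoedit mode, plus -s/-i
    (shell or login), plus an argument ending in an odd number of backslashes.
    That trailing lone backslash is what makes the vulnerable escaping code in
    sudo overrun its heap buffer."""
    hits = []
    for rec in records:
        argv, comm = rec.get("argv", []), rec.get("comm", "")
        if not _is_sudoedit(comm, argv):
            continue
        shell_or_login = bool({"s", "i"} & _short_flags(argv)) or any(
            a in ("--shell", "--login") for a in argv
        )
        odd_backslash = any(_trailing_backslashes(a) % 2 == 1 for a in argv[1:])
        if shell_or_login and odd_backslash:
            hits.append(rec)
    return hits


# Constructed process-execution records (auditd/EDR style), not real telemetry.
SAMPLE_RECORDS = [
    {"id": 1, "uid": 1001, "comm": "sudoedit",
     "argv": ["sudoedit", "-s", "\\", "A" * 32]},                       # PoC shape
    {"id": 2, "uid": 1002, "comm": "sudo",
     "argv": ["sudo", "-e", "-i", "/etc/hosts\\"]},                      # same bug via sudo -e
    {"id": 3, "uid": 1001, "comm": "sudo", "argv": ["sudo", "-i"]},      # root shell, benign
    {"id": 4, "uid": 1003, "comm": "sudoedit",
     "argv": ["sudoedit", "/etc/hosts"]},                                # normal edit
    {"id": 5, "uid": 1003, "comm": "sudo", "argv": ["sudo", "ls", "C:\\\\"]},  # even backslashes
]

if __name__ == "__main__":
    print("vulnerable upstream build:", is_vulnerable_sudo("Sudo version 1.8.31p2"))
    for hit in find_exploit_attempts(SAMPLE_RECORDS):
        print(f"ALERT uid={hit['uid']} argv={hit['argv']}")
```

The version screen is deliberately only a first pass: it will flag a distribution package that carries the fix under an unchanged upstream number, so treat a match as "go verify" and use the `sudoedit -s /` behaviour test for the final answer. The detection side keys on the three conditions the exploit needs together (edit mode, a shell/login flag, a lone trailing backslash); a plain `sudo -i` or an ordinary `sudoedit /etc/hosts` does not fire, which keeps the rule usable on hosts where both are routine.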

The cybersecurity world has been abuzz with reports attributing to APT29, Russia's elite intelligence hacking unit, a successful infiltration of the software development lifecycle (SDLC) of SolarWinds, an IT management company, used to distribute a malicious backdoor to as many as 18,000 of its customers. Impacted organizations include both public…


Enterprise security operations centers (SOCs) exist for one purpose: detecting and responding to threats to the enterprise, whether external or insider. In cybersecurity the defenders have never been ahead of the adversaries; more often than not they have fallen significantly behind and have struggled to…


In most cases the traditional SOC is effectively controlled by its SIEM, e.g., Splunk. The query language and inner workings of the SIEM are of paramount importance to the SOC team, and hiring decisions are often made based on proficiency with the existing SIEM and other SOC tools. …


As a follow-up to Part 1 of this topic, and to the XDR post by our CTO, let's discuss how we must deal with the decentralization of security operations alongside the need for a unified view of the state of security and of the ways to secure the enterprise.


The lifecycle of threat detection content involves not only landscape knowledge, threat analysis, prioritization, gathering the right data sets, parsing logs, writing detection logic, conforming to the required data models, testing, tuning and deploying, but also continuously monitoring the deployed content for performance and health issues. Each…

Anvilogic

Anvilogic is a collaborative, no-code Automated Detection Engineering platform that helps SOC teams quickly deploy high-efficacy attack-pattern detection code.
