When something has happened, one of the first questions in the investigation is which account(s) are affected. But can you truly connect each account to a human being? With a well-organized, implemented, tested, and documented Identity and Access Management (IAM) program it should be a piece of cake. So why do most Security Operations Centers struggle to connect the dots?

Is Identity and Access Management really that difficult to implement?

One of the concerns for the Security Operations Center is that it needs to prove beyond doubt that the account named in a log entry really belongs to a user and that the log entry has not been tampered with (non-repudiation). The second part is a technical exercise and can be solved with known controls (signed logging, encrypted data transfer, and key verification during data ingestion and use). The trouble is the first part: connecting the username in the log entry to a human being.

Every time a person is starting to work for a company; an account is created, and the…


The primary role of the Security Operations Center is to defend the company against being compromised by an attacker. Similar to an army. And the comparison doesn't stop there. Behind every army there is an intelligence division, providing the generals with the right intelligence at the right time. A Security Operations Center likewise depends on high-value cyber threat intelligence (CTI) to protect the business. But what is high-value CTI?

If I continue the comparison with the army: army intelligence first reports on possible hostile activity close by, before widening the circle. An enemy close by is more likely to attack than an enemy far away.

In today's highly interconnected world it no longer matters where the digital attacker is. He or she can be in the same country, but just as well in Asia or Africa. The only differences are the IP address and perhaps the speed of the attack. Low network bandwidth is more of an issue for the attacker than for the environment that is being…


Corporate IT, OT, and (I)IoT networks are constantly evolving to support the ever-changing needs of the business. The architecture team plays a vital role in supporting this change. Depending on the size of the company, the architecture team is not a one-person team but a multi-person team, with the various architectural roles spread across it, for example application architecture, network architecture, and enterprise architecture. Frequently forgotten, but the security architect plays a vital role in keeping the company secure. And this may cause conflict with the other architects from time to time: not everything the other architects desire is secure.

Enterprise architecture plays a vital role in today’s modern IT-driven organizations.

First, let's clarify the various architectural roles. Then let's talk about education and career paths. I understand and recognize that the list of architectural roles is not complete; I only discuss those roles that I find the most significant.

The enterprise architect is busy with long-term architecture (strategy-minded). Therefore, it is necessary to stay up to date with the latest technology in both hardware and software. The enterprise architect is one of the first to know about the hardware and software lifecycle, and if required can initiate a lifecycle replacement or upgrade program, but the enterprise architect is…


Language is the means to deliver a story, influence a decision, or get things done. And despite all the language courses (there are more than 7,000 languages in the world), we still have communication issues. Jargon is translated as part of these languages, but how do we know the understanding is the same and nothing was lost in translation? The language of security is no exception. And this is actually hurting the business.

No matter how mature your Security Department is, if you cannot communicate you have an issue. Businesses have no problem understanding their core business processes. But as long as security is not their core business, the business will have trouble understanding the Security Department.

If you overhear the comment 'The security department is just a cost center.', you know you are in trouble. Notably when you are responsible for the Security Department. Absolutely, running a Security Department costs the company money. So do HR, Legal, and Finance. But those departments have already established and demonstrated their value…


Before diving into this question, let's introduce the Lockheed Martin Cyber Kill Chain framework, because based on this framework it is possible to build a strong security posture against a ransomware attack. A word of caution, however: this security posture may not defend you against all ransomware attacks. So stay vigilant.

By mapping a ransomware attack onto this framework, it is possible to follow an attack throughout its lifespan, all the way from Reconnaissance to Exfiltration/Actions on Objectives.

The Cyber Kill Chain®: A LOCKHEED MARTIN OVERVIEW
Cyber Kill Chain by © Lockheed Martin

I will examine each step of the Cyber Kill Chain and describe what you can do to establish a strong defensive security posture. However, just as important as creating a strong defensive posture is the ability to act when (bad) things do happen. I will come back to this after I have explained the Cyber Kill Chain.

We, humans, are lazy when it comes down to…


Most, if not all, Security Operations Centers are primarily focused on detection. Responding to a detection comes only second or third. 'The Security Operations Center Level 1 Analyst will pick up any generated alert.' is what most Security Operations Center managers think. But is this thinking still the best way forward given the sheer volume of alerts and the resulting analyst/alert fatigue? Or is there a more practical way?

Incident response is a vital service from the Security Operations Center

Let's rewind a little. If you have read this article, you know and/or realize that an incident starts with an event. The event is transmitted to the centralized detection environment (usually the SIEM). Once it has arrived there, the event is compared against all configured detection rules (detection rules are the result of implemented use cases). Once there is a complete match with a use case, the action part of the use case kicks in. By default, and still the case for most Security Operations Centers, this action is to generate an alert in the tool.
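As an added illustration (not code from the original article), here is a minimal version of that event, detection rule, alert pipeline in Python. The two use cases, the event field names and the logon events are constructed for the example; a real SIEM has its own rule language and normalized schema, so treat every name below as an assumption.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed authentication events (not real log data). The field names are an
# assumption for this example; a real SIEM normalizes vendor logs into its own schema.
EVENTS = [
    {"ts": 0,    "user": "alice", "src_ip": "10.0.0.5", "outcome": "failure"},
    {"ts": 12,   "user": "alice", "src_ip": "10.0.0.5", "outcome": "failure"},
    {"ts": 25,   "user": "alice", "src_ip": "10.0.0.5", "outcome": "failure"},
    {"ts": 38,   "user": "alice", "src_ip": "10.0.0.5", "outcome": "failure"},
    {"ts": 49,   "user": "alice", "src_ip": "10.0.0.5", "outcome": "failure"},
    {"ts": 55,   "user": "alice", "src_ip": "10.0.0.5", "outcome": "success"},
    {"ts": 100,  "user": "bob",   "src_ip": "10.0.0.9", "outcome": "failure"},
    {"ts": 900,  "user": "bob",   "src_ip": "10.0.0.9", "outcome": "failure"},
    {"ts": 1000, "user": "guest", "src_ip": "10.0.0.7", "outcome": "success"},
]


@dataclass(frozen=True)
class UseCase:
    """A detection rule as derived from a use case: what to match, how to
    correlate, when the threshold is reached, and what action follows."""
    name: str
    matches: Callable[[dict], bool]   # filter: which events this rule looks at
    group_by: Callable[[dict], str]   # correlation key (user, source IP, ...)
    threshold: int                    # matching events needed ...
    window: float                     # ... within this many seconds
    action: str = "alert"             # default SOC action: raise an alert in the tool


@dataclass(frozen=True)
class Alert:
    use_case: str
    key: str
    first_ts: float
    last_ts: float
    count: int
    action: str


# Two constructed use cases: a correlation rule and a single-event rule.
USE_CASES = [
    UseCase(
        name="Brute force: 5 failed logons for one user within 60s",
        matches=lambda e: e["outcome"] == "failure",
        group_by=lambda e: e["user"],
        threshold=5,
        window=60,
    ),
    UseCase(
        name="Successful logon with the guest account",
        matches=lambda e: e["user"] == "guest" and e["outcome"] == "success",
        group_by=lambda e: e["src_ip"],
        threshold=1,
        window=0,
    ),
]


def run_use_cases(events: List[dict], use_cases: List[UseCase]) -> List[Alert]:
    """Replay events in time order through every rule. Per rule and correlation
    key a sliding window of timestamps is kept; when the window holds
    `threshold` events the rule's action fires and the window resets, so one
    burst produces one alert instead of one alert per extra event."""
    alerts: List[Alert] = []
    state: Dict[str, Dict[str, deque]] = {uc.name: defaultdict(deque) for uc in use_cases}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for uc in use_cases:
            if not uc.matches(ev):
                continue
            key = uc.group_by(ev)
            window = state[uc.name][key]
            window.append(ev["ts"])
            # Drop timestamps that fell out of the correlation window.
            while window and ev["ts"] - window[0] > uc.window:
                window.popleft()
            if len(window) >= uc.threshold:
                alerts.append(Alert(uc.name, key, window[0], ev["ts"], len(window), uc.action))
                window.clear()
    return alerts


if __name__ == "__main__":
    for a in run_use_cases(EVENTS, USE_CASES):
        print(f"[{a.action}] {a.use_case}: key={a.key} count={a.count} "
              f"t={a.first_ts}..{a.last_ts}")
```

On the constructed events the brute-force rule fires once for alice (five failures inside 49 seconds) and the guest rule fires once; bob's two failures are 800 seconds apart and never reach the threshold. The `action` field is where a SOC that wants more than "generate an alert in the tool" would hang an automated response.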

Once the…


In an earlier article I wrote how you can detect a user/device/application heartbeat. Let's continue with threat hunting and dive deeper into one type of data: Zeek logging. Zeek (formerly Bro) is an open-source network security monitoring tool. Just never connect it directly to your SIEM environment unless you have an unlimited license: Zeek can generate an avalanche of data really, really fast. Valuable data, if you know how to read it. Send the output from Zeek to your data lake for analysis and only selectively forward Zeek data from the data lake to your SIEM environment when there is a specific need for certain data.

Zeek/BRO DNS log

In this article I will be focusing on the DNS traffic captured by Zeek. A screenshot of some of the captured data is shown above. The log entries generated by Zeek (shown below) are JSON formatted, one JSON object per line. And this is super convenient: you do not need to write special parsers. Python and R can read it directly.

{"ts":1625677200.711907,"uid":"C6p9Rh38eIHD9JZvFd","id.orig_h":"192.168.86.78","id.orig_p":5353,"id.resp_h":"224.0.0.251","id.resp_p":5353,"proto":"udp","trans_id":0,"rtt":0.006612062454223633,"query":"_googlecast._tcp.local","qclass":1,"qclass_name":"C_INTERNET","qtype":12,"qtype_name":"PTR","rcode":0,"rcode_name":"NOERROR","AA":true,"TC":false,"RD":false,"RA":false,"Z":0,"answers":["google-nest-mini-b46882ecc19c0462de9e1422d5f4402a._googlecast._tcp.local"],"TTLs":[120.0],"rejected":false}

I downloaded 24 hours of DNS data from a research environment and saved it as a Microsoft Excel file. I already did some data cleansing.
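As an added example (not from the original article and not the author's own analysis), the following Python reads Zeek dns.log entries in this JSON format straight from the raw lines, without an Excel detour, and applies three cheap hunting checks: per-host NXDOMAIN counts, long or high-entropy labels, and domains seen only once. The first record is the entry shown above; the other records are constructed in the same format to exercise the logic. The mDNS filter, the entropy and label-length thresholds, the "last two labels" domain approximation and the rare-domain cut-off are assumptions to be tuned against your own baseline.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed sample. The first line is the Zeek dns.log entry shown above; the
# other five are made-up records in the same JSON-per-line format (not real traffic).
SAMPLE_LOG = r'''
{"ts":1625677200.711907,"uid":"C6p9Rh38eIHD9JZvFd","id.orig_h":"192.168.86.78","id.orig_p":5353,"id.resp_h":"224.0.0.251","id.resp_p":5353,"proto":"udp","trans_id":0,"rtt":0.006612062454223633,"query":"_googlecast._tcp.local","qclass":1,"qclass_name":"C_INTERNET","qtype":12,"qtype_name":"PTR","rcode":0,"rcode_name":"NOERROR","AA":true,"TC":false,"RD":false,"RA":false,"Z":0,"answers":["google-nest-mini-b46882ecc19c0462de9e1422d5f4402a._googlecast._tcp.local"],"TTLs":[120.0],"rejected":false}
{"ts":1625677201.1,"uid":"Ca1","id.orig_h":"192.168.86.20","id.orig_p":51000,"id.resp_h":"192.168.86.1","id.resp_p":53,"proto":"udp","query":"www.example.com","qtype_name":"A","rcode_name":"NOERROR","rejected":false}
{"ts":1625677202.2,"uid":"Ca2","id.orig_h":"192.168.86.20","id.orig_p":51001,"id.resp_h":"192.168.86.1","id.resp_p":53,"proto":"udp","query":"mail.example.com","qtype_name":"A","rcode_name":"NOERROR","rejected":false}
{"ts":1625677203.3,"uid":"Ca3","id.orig_h":"192.168.86.33","id.orig_p":51002,"id.resp_h":"192.168.86.1","id.resp_p":53,"proto":"udp","query":"4a6f686e20446f65207365637265742e747874.exfil.example.net","qtype_name":"TXT","rcode_name":"NOERROR","rejected":false}
{"ts":1625677204.4,"uid":"Ca4","id.orig_h":"192.168.86.33","id.orig_p":51003,"id.resp_h":"192.168.86.1","id.resp_p":53,"proto":"udp","query":"kq3vx9z8b2mw7tr.com","qtype_name":"A","rcode_name":"NXDOMAIN","rejected":false}
{"ts":1625677205.5,"uid":"Ca5","id.orig_h":"192.168.86.33","id.orig_p":51004,"id.resp_h":"192.168.86.1","id.resp_p":53,"proto":"udp","query":"p7hd2qx1lzv4n.net","qtype_name":"A","rcode_name":"NXDOMAIN","rejected":false}
'''


def parse_dns_log(text):
    """One dict per non-empty line: Zeek's JSON writer emits one object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_mdns(rec):
    """Multicast DNS (port 5353, .local names) is LAN device chatter such as the
    Chromecast record above; drop it before hunting so it does not dominate counts."""
    return rec.get("id.resp_p") == 5353 or rec.get("query", "").endswith(".local")


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, real words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(query):
    """Crude 'last two labels' approximation; a public-suffix list would be better (assumption)."""
    return ".".join(query.split(".")[-2:])


def summarize(records, entropy_threshold=3.5, label_len_threshold=30):
    """Per source host: query count, NXDOMAIN count (a DGA indicator when high),
    and queries whose longest label is very long or high-entropy (tunneling/DGA)."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "suspicious": []})
    for rec in records:
        if is_mdns(rec):
            continue
        s = stats[rec["id.orig_h"]]
        s["queries"] += 1
        if rec.get("rcode_name") == "NXDOMAIN":
            s["nxdomain"] += 1
        query = rec.get("query", "")
        longest = max(query.split("."), key=len) if query else ""
        ent = shannon_entropy(longest)
        if len(longest) >= label_len_threshold or ent >= entropy_threshold:
            s["suspicious"].append((query, rec.get("qtype_name"), round(ent, 2)))
    return dict(stats)


def rare_domains(records, max_hits=1):
    """Registered domains seen at most `max_hits` times in the window: a cheap
    'what did we talk to that we never talk to' hunting list."""
    counts = Counter(registered_domain(r["query"]) for r in records
                     if not is_mdns(r) and r.get("query"))
    return sorted(d for d, n in counts.items() if n <= max_hits)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    for host, s in summarize(recs).items():
        print(host, s["queries"], "queries,", s["nxdomain"], "NXDOMAIN")
        for q, qtype, ent in s["suspicious"]:
            print("   suspicious:", qtype, q, "entropy", ent)
    print("rare domains:", rare_domains(recs))
```

Against 24 hours of real traffic the entropy threshold will also catch legitimate CDN and cloud hostnames, which is why this belongs in the data lake as a hunting query and not in the SIEM as an alerting rule: tune the thresholds on a quiet baseline first, then compare a host's NXDOMAIN ratio and rare-domain list against its own history.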


When you plot the OSI model on top of the TCP/IP model, you can basically also identify the two main categories of firewalls: application-level firewalls and transport/network-level firewalls. Now I hear you thinking 'What about Next-Generation Firewalls (NGFW)?' and 'What about Unified Threat Management (UTM)?'.

TCP/IP model vs OSI model © fiberbit

NGFW and UTM are just marketing terms. The only thing an NGFW/UTM device does is combine several security controls into one device. You may think that is efficient, but it is not.

When you enable all features on the NGFW/UTM, the device slows down considerably. And then you are forced to buy a bigger one to handle the volume of network traffic passing through the device. But do you need all security controls enabled for every network packet that passes a firewall? No.

What is not a marketing term, is a Web…


Threat Intelligence and Threat Hunting go hand in hand, but each serves a unique purpose. Threat Intelligence is externally focused and looks at various places to obtain valuable threat intelligence, while the threat hunting team analyzes the available data to identify whether something malicious is going on. In other words, the threat hunting team looks for unknown and undiscovered threats. And to be clear: when the threat intelligence team asks the threat hunting team to verify something, that is not threat hunting but threat verification. So let's dig into what a threat hunter actually does during a day.

ElasticSIEM alerts graphical overview

The primary job of a Security Operations Center Level 1 Analyst is to ensure each reported alert is addressed, analyzed, and if required pushed to a resolver team. Depending on the structure and the load of the Security Operations Center, the Level 1 Analyst might rotate between several roles. And this is where it might become interesting for the Level 1 Analyst, because in the Security Operations Center there are many roles to be fulfilled. Just to name a few:

  • SIEM Administrator
  • Use case developer
  • Cyber Security Emergency Response Team
  • Threat Intelligence
  • Threat Hunter

Before blindly creating a…


We all appreciate, love, and hate Patch Tuesday. Well, you should if you are using a Microsoft operating system. But if you think you are exempt from installing updates because you run a Linux-based system, you might be in for a surprise. It applies to you too. And you also need to apply patches to network devices and servers.

Software update — you love it, or you hate it. But still, you need to apply them.

To ensure you did not miss any updates, it is crucial to implement a vulnerability management solution like the one from Tenable and run weekly vulnerability scans, daily if the asset is internet-facing.

However, the output of a vulnerability scan can be enormous, especially when you have just started the vulnerability and patch management programs. You might be overwhelmed by data. Therefore, I suggest adopting the following fundamental rules.

  1. Apply patches first on internet-facing assets, then on internal assets.
  2. Apply patches based upon their severity rating (CVSS-score). …
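As an added example (not the article's own code and not Tenable's API), here is a Python routine that applies those two rules to a set of scanner findings and collapses them to one work item per asset, since a maintenance window patches a host, not a single finding. The findings and check names are constructed; the `internet_facing` flag is assumed to come from your asset inventory; the severity bands follow the CVSS v3.x qualitative rating scale.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    asset: str
    check: str            # scanner plugin / check name (made up for this example)
    cvss: float           # CVSS v3.x base score, 0.0-10.0
    internet_facing: bool # assumed to come from the asset inventory, not the scanner


# Constructed scanner output (not real scan data), one row per asset/check.
FINDINGS = [
    Finding("web01", "TLS library out of date", 7.5, True),
    Finding("web01", "Web server version disclosure", 5.3, True),
    Finding("vpn01", "VPN appliance remote code execution", 9.8, True),
    Finding("db01", "Database engine privilege escalation", 9.8, False),
    Finding("fs01", "SMB signing not required", 4.0, False),
    Finding("fs01", "Self-signed certificate", 0.0, False),
]

# CVSS v3.x qualitative rating: 0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]


def severity(cvss: float) -> str:
    """Map a base score onto its qualitative band; a score of 0.0 is 'None'."""
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "None"


def patch_order(findings: List[Finding]) -> List[Finding]:
    """Rule 1: internet-facing before internal. Rule 2: higher CVSS first.
    Asset name is the final tie-breaker so the order is stable."""
    return sorted(findings, key=lambda f: (not f.internet_facing, -f.cvss, f.asset))


def asset_queue(findings: List[Finding]) -> List[Tuple[str, bool, float, Dict[str, int]]]:
    """One work item per asset: exposure, worst CVSS on the box, and a count per
    severity band. Sorted with the same two rules as patch_order()."""
    per_asset: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        per_asset[f.asset].append(f)
    items = []
    for asset, fs in per_asset.items():
        bands: Dict[str, int] = defaultdict(int)
        for f in fs:
            bands[severity(f.cvss)] += 1
        items.append((asset, fs[0].internet_facing, max(f.cvss for f in fs), dict(bands)))
    return sorted(items, key=lambda it: (not it[1], -it[2], it[0]))


if __name__ == "__main__":
    for asset, exposed, worst, bands in asset_queue(FINDINGS):
        where = "internet-facing" if exposed else "internal"
        print(f"{asset:6} {where:16} worst CVSS {worst:4} {bands}")
```

Note that the internal database host with a 9.8 still lands behind every internet-facing host, including the one whose worst finding is only a 7.5; that is exactly what rule 1 says, and the point at which you add further rules (exploit availability, asset criticality) is when that order no longer matches where your risk actually is.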

Richard de Vries

A passionate security professional who shares his knowledge and experiences while trying to achieve a more secure IT/OT/IIoT world.
