In another article on use cases, I spoke about the unanswered question. In this article, I will speak about identifying the attack surface and therefore indirectly about identifying possible use cases.
If you ask a business person what they are most worried about in terms of security, you hear terms like phishing, ransomware, Denial of Service attacks, etc. On their own, these represent some pretty serious risks. But take away the marketing buzzwords: what do you hear then? Silence? A big uhh? Heavy breathing?
Use cases remain a valuable weapon in the ongoing battle against security threats. In most corporate environments I have seen, the use case describes the threat, including, to a certain extent, the technical details.
If I was lucky, there was a reference to a generic security incident response playbook. In my opinion, a generic incident response playbook is a recipe for disaster.
If no response was described, then the company was at the mercy of the knowledge and skills of the analyst of the day.
And still, we ponder why we have an analyst fatigue issue.
But don’t get…
The National Cybersecurity Center of Excellence (NCCoE, part of NIST) defines Zero Trust Architecture as ‘A zero trust architecture treats all users as potential threats and prevents access to data and resources until the users can be properly authenticated and their access authorized. In essence, a zero trust architecture allows a user full access but only to the bare minimum they need to perform their job. If a device is compromised, zero trust can ensure that the damage is contained.’ One might think that user authentication and authorization alone are enough to conform to this definition.
But Zero Trust Architecture…
A day in the life of a SIEM specialist is never boring, because of the variety of responsibilities and tasks. Obviously, making sure the SIEM solution is up and running is the prime responsibility. But what does this imply? Let’s zoom in. I will divide this into three parts: input, processing, and output. These terms should sound familiar, as I also used them in the article ‘Creating the foundation for the SIEM solution’.
The critical task on the input side is making sure the SIEM solution can handle the ingress volume and is able to convert all…
In earlier articles, I talked about developing your own SIEM solution and the kind of user stories you can expect while doing so. Now let’s talk about architecture, because these decisions can have a considerable influence on the design, and if they are not thought through well, they can negatively influence the end product. Let’s divide this article into three parts: Input, Processing, Output.
Many organizations nowadays are moving, or have moved, away from traditional applications hosted in an on-premises data center and are using cloud applications instead. From a financial and scalability point of view, it makes sense. A lot of sense. But what about security?
As the company’s CISO, you are responsible for the company’s digital security. And it does not matter where the data resides. You need to make sure the data and company’s assets are secured and protected against current and future methods of attack.
With the move to cloud applications, this responsibility has just become more problematic. With on-premises applications…
We all heard about the SolarWinds supply-chain hack, which started in early 2020. Was this the first time such an attack was executed? The answer is no. Some earlier, similar attacks are ASUS (2019) and Python pip (2019). But these supply-chain attacks can also be more sophisticated and better disguised. It is not the first time a malicious library has been discovered in a software ecosystem. And still, we trust automatic updates and third-party ecosystems with little or no validation.
But what is a supply-chain hack? How dangerous can it be? Is it possible to defend…
Yes, cybercrime is a constant battle, and the aim of the game is ‘The good guys want to protect the safe, while the bad guys want to break the safe.’ This battle is no different from crime in the real world. But there is one enormous difference. In the real world, you have a limited number of attackers and a limited number of ways to attack the safe, while in the digital world you have an unlimited number of attackers and far too many ways to attack the digital safe.
So yes, this is a battle…
The Security Operation Center (SOC) Level 1 Analyst starts the investigation when an alert is generated by the SIEM solution, based upon First Detected, First Analyzed (the golden rule for the SOC Level 1 analyst). The SOC Level 1 analyst looks only at the alert itself and follows the SOC investigation playbook connected to that alert. So let’s follow a security alert from cradle to grave.
Over a time span of 24 hours, the SOC Level 1 Analyst will see the rule ‘Unusual process execution — Temp’ fire multiple times and the rule ‘Persistence via Kernel Module modification’ fire once.
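To make the "first detected, first analyzed" queue and the alert-to-playbook link concrete, here is an added example (not code from the original article or its author). It takes a constructed batch of alerts using the two rule names above, orders them by detection time, folds repeats of the same rule on the same host within a short window into one work item so the analyst is not handed the same alert several times, and attaches the playbook the analyst is expected to follow. The playbook identifiers, severities, host names, timestamps and the one-hour window are assumptions made for this demonstration.

```python
"""Added example: a minimal SOC Level 1 triage queue over constructed alerts.
Rule names come from the article; playbooks, severities, hosts and timestamps
are assumptions for the demonstration, not real SIEM output."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical mapping of each detection rule to its playbook and severity.
# A rule without an entry is exactly the "analyst of the day" situation.
PLAYBOOKS = {
    "Unusual process execution — Temp": ("PB-PROC-TEMP", "medium"),
    "Persistence via Kernel Module modification": ("PB-PERSIST-KMOD", "high"),
}


@dataclass
class Alert:
    rule: str
    host: str
    detected: datetime
    status: str = "new"                 # new -> assigned -> closed
    playbook: Optional[str] = None
    severity: Optional[str] = None
    duplicates: int = 0                 # repeats folded into this work item
    disposition: Optional[str] = None   # set when the alert is closed


# Constructed sample batch spanning one 24-hour shift (assumed data).
T0 = datetime(2021, 3, 1, 0, 0)
SAMPLE_ALERTS = [
    Alert("Unusual process execution — Temp", "ws-041", T0 + timedelta(hours=2)),
    Alert("Unusual process execution — Temp", "ws-041", T0 + timedelta(hours=2, minutes=5)),
    Alert("Persistence via Kernel Module modification", "srv-db-02", T0 + timedelta(hours=3)),
    Alert("Unusual process execution — Temp", "ws-117", T0 + timedelta(hours=9)),
    Alert("Unusual process execution — Temp", "ws-041", T0 + timedelta(hours=20)),
]


def triage(alerts: List[Alert], dedup_window: timedelta = timedelta(hours=1)) -> List[Alert]:
    """Build the L1 work queue: first detected, first analyzed.

    Repeats of the same rule on the same host within dedup_window are folded
    into the earlier work item (counted in .duplicates) instead of becoming a
    new ticket. Each queued item gets the playbook connected to its rule, or a
    visible NO-PLAYBOOK marker when none exists. Input alerts are not mutated.
    """
    queue: List[Alert] = []
    for a in sorted(alerts, key=lambda x: x.detected):
        # Most recent queued item for the same rule and host, if any.
        prev = next((q for q in reversed(queue) if q.rule == a.rule and q.host == a.host), None)
        if prev is not None and a.detected - prev.detected <= dedup_window:
            prev.duplicates += 1
            continue
        playbook, severity = PLAYBOOKS.get(a.rule, ("NO-PLAYBOOK", "unknown"))
        queue.append(replace(a, status="assigned", playbook=playbook, severity=severity))
    return queue


def rule_counts(queue: List[Alert]) -> Dict[str, int]:
    """Raw firing count per rule, including the folded duplicates."""
    counts: Dict[str, int] = {}
    for item in queue:
        counts[item.rule] = counts.get(item.rule, 0) + 1 + item.duplicates
    return counts


def close_alert(item: Alert, disposition: str) -> Alert:
    """Grave end of the lifecycle: record the analyst's disposition."""
    return replace(item, status="closed", disposition=disposition)


if __name__ == "__main__":
    for item in triage(SAMPLE_ALERTS):
        print(f"{item.detected:%H:%M} {item.severity:<7} {item.playbook:<16} "
              f"{item.host:<10} {item.rule} (+{item.duplicates} repeats)")
```

With the sample batch the queue has four work items: the two alerts on ws-041 five minutes apart become one item with one duplicate, the kernel module alert follows with its own high-severity playbook, and the later ws-041 alert is a fresh item because it falls outside the window. The window size and whether to key on host alone or host plus user are tuning decisions that belong in the use case itself, not in the analyst's head.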
A Security Operation Center (SOC) can clearly be compared to a Swiss army knife. Both are highly versatile. But there is also such a thing as being too versatile. In this article, I will describe the three blades every SOC should have, how to optimize them, and how to respond when somebody asks the question ‘Is your army knife not overrated?’.
A passionate security professional who shares his knowledge and experiences on several security-related topics and architecture.