The attack surface is the initial point where an attacker could strike, but it might be more extensive than we genuinely think it is. Allow me to explain this in more detail.

The attack surface from above.

In another article on use cases, I spoke about the unanswered question. In this article, I will speak about identifying the attack surface and therefore indirectly about identifying possible use cases.

Educate

If you ask a business person what the thing is they are most worried about in terms of security, you hear terms like phishing, ransomware, Denial of Service attacks, etc. On their own, these represent some pretty serious risks. But take away the marketing buzzwords, and what do you hear then? Silence? A big uhh? Heavy breathing?


Security use cases are primarily focused on detection. But all too often the question ‘now what?’ is forgotten. Let’s deep-dive on this and focus on what is missing.

Put one’s finger on the sore spot

Use cases remain a valuable weapon in the ongoing battle against security threats. In most corporate environments I have seen, the use case describes the threat, including, to a certain extent, the technical details.

If I was lucky, there was a reference to a generic security incident response playbook. In my opinion, this is a recipe for disaster.

Generic incident response playbook.

If no response was described, then the company was at the mercy of the knowledge and skills of the analyst of the day.

And still, we ponder why we have an analyst fatigue issue.

But don’t get…


How can you successfully implement Zero Trust Architecture?

Network architecture

The National Cybersecurity Center of Excellence (NCCoE, part of NIST) defines Zero Trust Architecture as ‘A zero trust architecture treats all users as potential threats and prevents access to data and resources until the users can be properly authenticated and their access authorized. In essence, a zero trust architecture allows a user full access but only to the bare minimum they need to perform their job. If a device is compromised, zero trust can ensure that the damage is contained.’ One might think that user authentication and authorization alone are enough to conform to this standard.

But Zero Trust Architecture…


Which tasks and responsibilities does a SIEM specialist have?

A SIEM specialist looking at various systems simultaneously.

A day in the life of a SIEM specialist is never boring, because of the variety of responsibilities and tasks. Obviously, making sure the SIEM solution is up and running is the most critical and prime responsibility and task. But what does this imply? Let’s zoom in. I will divide this into three parts: Input, processing, and output. These terms should sound familiar, as I already used them in the article ‘Creating the foundation for the SIEM solution’.

Input

The critical task in input is making sure the SIEM solution can handle the ingress volume and is able to convert all…


A solid SIEM solution requires a strong base. Where do you start?

Low level design architecture

In earlier articles, I talked about developing your own SIEM solution and what kind of user stories you can expect when developing it. Now let’s talk about architecture, because these decisions can have a considerable influence on the design, and if not thought through well, they can negatively influence the end product. Let’s divide this article into three parts: Input, Processing, Output.


A SIEM solution requires use cases, but is the logic updated when you move from on-premise towards the Cloud?

Many organizations nowadays are moving or have moved away from the traditional on-premise data center hosted application and are currently using cloud applications. From a financial and scalability point of view, it makes sense. A lot of sense. But what about security?

On-Premises, IaaS, PaaS, SaaS. Who is managing which layer?

As the company’s CISO, you are responsible for the company’s digital security. And it does not matter where the data resides. You need to make sure the data and company’s assets are secured and protected against current and future methods of attack.

With the move to cloud applications, this responsibility has just become more problematic. With on-premise applications…


The supply-chain attack is a modern implementation of an old Greek stratagem (the Trojan Horse). Can you protect yourself against it?

A supply chain consists of many elements.

We have all heard about the SolarWinds supply-chain hack, which started in early 2020. Was this the first time such an attack was executed? The answer is no. Some earlier, similar attacks are ASUS (2019) and Python PIP (2019). But supply-chain attacks can also be more sophisticated and better disguised. It is not the first time a malicious library has been discovered in a software ecosystem. And still, we trust automatic updates and 3rd-party ecosystems with little or no validation.

But what is a supply-chain hack? How dangerous can it be? Is it possible to defend…
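The validation step that the paragraph above says is usually missing, as an added example that is not code from the original article: a downloaded artifact is only installed when its digest matches one pinned at lock time. The `--hash=algo:hex` syntax follows pip’s hash-checking mode, but the lockfile text, the artifact bytes, the package names and the `fetch_constructed` download stand-in are all constructed for this illustration; no package index is contacted.

```python
"""Verify downloaded artifacts against pinned digests before installing them.

Added example, not code from the original article. It uses the
`--hash=algo:hex` syntax of pip's hash-checking mode, but the lockfile
text, the artifact bytes and the fetch function are constructed for this
illustration; no real package index is contacted.
"""
import hashlib
import hmac
import re

ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}  # weak digests (md5, sha1) never satisfy a pin
HASH_RE = re.compile(r"--hash=([A-Za-z0-9]+):([0-9A-Fa-f]+)")
REQ_RE = re.compile(r"\s*([A-Za-z0-9_.-]+)==(\S+)")


def digest(data, algo="sha256"):
    return hashlib.new(algo, data).hexdigest()


# Constructed artifacts: the bytes that were reviewed and pinned at lock time.
GOODPKG_AT_PIN_TIME = b"PK\x03\x04 goodpkg-1.4.2 wheel (constructed)"
LIBFOO_AT_PIN_TIME = b"PK\x03\x04 libfoo-0.9.0 wheel (constructed)"
# What the "automatic update" actually delivers later: libfoo was altered upstream.
LIBFOO_DOWNLOADED = LIBFOO_AT_PIN_TIME + b"\n# injected post-install hook (constructed)"

# Constructed lockfile in pip hash-checking style. libfoo also carries a sha1 pin that
# happens to match the tampered download, to show that weak digests are ignored;
# `unpinned` carries no digest at all.
REQUIREMENTS = f"""\
goodpkg==1.4.2 \\
    --hash=sha256:{digest(GOODPKG_AT_PIN_TIME)}
libfoo==0.9.0 \\
    --hash=sha256:{digest(LIBFOO_AT_PIN_TIME)} \\
    --hash=sha1:{digest(LIBFOO_DOWNLOADED, 'sha1')}
unpinned==2.0.0
"""


def parse_requirements(text):
    """Parse `name==version [--hash=algo:hex ...]` entries, honouring `\\` continuations."""
    reqs, logical = {}, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        match = REQ_RE.match(logical)
        if not match:
            raise ValueError(f"not an exact pin: {logical!r}")
        hashes = {(algo.lower(), hexd.lower()) for algo, hexd in HASH_RE.findall(logical)}
        reqs[match.group(1).lower()] = {"version": match.group(2), "hashes": hashes}
        logical = ""
    return reqs


def verify_artifact(name, data, reqs):
    """Return 'ok', 'mismatch', 'unpinned' or 'unknown'; only a strong, matching digest is 'ok'."""
    entry = reqs.get(name.lower())
    if entry is None:
        return "unknown"
    if not entry["hashes"]:
        return "unpinned"
    for algo, expected in entry["hashes"]:
        if algo not in ALLOWED_ALGOS:
            continue  # a matching md5/sha1 pin is not evidence of integrity
        if hmac.compare_digest(digest(data, algo), expected):
            return "ok"
    return "mismatch"


def fetch_constructed(name):
    """Stand-in for the download step; returns the constructed bytes."""
    return {"goodpkg": GOODPKG_AT_PIN_TIME, "libfoo": LIBFOO_DOWNLOADED}.get(name, b"")


def install_all(reqs, fetch):
    """Verify every requirement; anything that is not 'ok' is refused, not installed."""
    report = {}
    for name in reqs:
        status = verify_artifact(name, fetch(name), reqs)
        report[name] = status
        if status == "ok":
            pass  # a real installer would unpack the verified bytes here
    return report


if __name__ == "__main__":
    for name, status in install_all(parse_requirements(REQUIREMENTS), fetch_constructed).items():
        print(f"{name}: {status}")
```

Run as-is, `goodpkg` is accepted, `libfoo` is refused because its sha256 no longer matches (the matching sha1 pin is deliberately not trusted), and `unpinned` is refused because nothing was ever pinned for it. Refusing the unpinned case is the point: a lockfile that pins only some packages still leaves the automatic-update trust problem open for the rest.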


Cybercrime is a constant battle, a war even. Fighting this battle requires a solid and strong plan. What are some of the elements you need to think of when creating this plan?

Cybercrime

Yes, cybercrime is a constant battle, and the aim of the game is ‘The good guys want to protect the safe, while the bad guys want to break the safe.’ This battle is no different from crime in the real world, with one enormous difference: in the real world, you have a limited number of attackers and a limited number of ways to attack the safe, while in the digital world you have an unlimited number of attackers and far too many ways to attack the digital safe.

So yes, this is a battle…


Which tasks and responsibilities does a Security Operation Center have?

The Security Operation Center (SOC) Level 1 Analyst starts the investigation when an alert is generated by the SIEM solution, based upon ‘First Detected, First Analyzed’ (the golden rule for the SOC Level 1 analyst). The SOC Level 1 analyst looks only at the alert itself and follows the SOC investigation playbook connected to the alert. So let’s follow a security alert from cradle to grave.

SOC Level 1 Analyst

Detected security alerts (graph)

Over a time span of 24 hours, the SOC Level 1 Analyst will see the rule ‘Unusual process execution — Temp’ fire multiple times and the rule ‘Persistence via Kernel Module modification’ fire once.
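The two rules named above, run over a 24-hour window of telemetry, as an added example that is not code from the original article. The rule names are the article’s; the JSON-per-line event format, its field names, the host names and the sample events are assumptions constructed for this illustration, and the detection logic (an image under a temp directory; a kernel module load or modification) is one plausible reading of what such rules check, not the author’s actual SIEM content.

```python
"""Two SIEM-style detection rules run over constructed endpoint telemetry.

Added example, not code from the original article. The two rule names come
from the article; the JSON-per-line event format, its field names and the
sample events below are assumptions constructed for this illustration.
"""
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample telemetry: one JSON event per line, UTC timestamps.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T01:12:03Z", "host": "ws-17", "type": "process", "image": "/tmp/.x/update", "parent": "/usr/bin/bash", "user": "alice"}
{"ts": "2024-05-01T03:40:55Z", "host": "ws-17", "type": "process", "image": "/usr/bin/ls", "parent": "/usr/bin/bash", "user": "alice"}
{"ts": "2024-05-01T07:02:10Z", "host": "srv-db1", "type": "process", "image": "/var/tmp/payload.bin", "parent": "/usr/sbin/cron", "user": "root"}
{"ts": "2024-05-01T09:15:00Z", "host": "srv-db1", "type": "kernel_module", "module": "hide_proc", "action": "load", "user": "root"}
{"ts": "2024-05-01T14:22:47Z", "host": "ws-03", "type": "process", "image": "/dev/shm/a.out", "parent": "/usr/bin/python3", "user": "bob"}
{"ts": "2024-05-01T23:59:59Z", "host": "ws-03", "type": "process", "image": "/usr/bin/curl", "parent": "/usr/bin/bash", "user": "bob"}
{"ts": "2024-05-02T02:00:00Z", "host": "ws-03", "type": "process", "image": "/tmp/late", "parent": "/usr/bin/bash", "user": "bob"}
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def rule_unusual_process_temp(event):
    """'Unusual process execution — Temp': an executable image under a temp directory."""
    return event.get("type") == "process" and event.get("image", "").startswith(TEMP_DIRS)


def rule_persistence_kernel_module(event):
    """'Persistence via Kernel Module modification': a kernel module loaded or altered."""
    return event.get("type") == "kernel_module" and event.get("action") in ("load", "modify")


RULES = {
    "Unusual process execution — Temp": rule_unusual_process_temp,
    "Persistence via Kernel Module modification": rule_persistence_kernel_module,
}


def parse_events(raw):
    """Parse JSON-per-line telemetry; a malformed line is skipped, never fatal."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], TS_FORMAT)
        except (ValueError, KeyError, TypeError):
            continue  # one broken line must not stop ingestion of the rest
        events.append(event)
    return events


def run_rules(events, window_start, hours=24):
    """Return (rule_name, event) alerts, oldest first, for events inside the window."""
    start = datetime.strptime(window_start, TS_FORMAT)
    end = start + timedelta(hours=hours)
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if not (start <= event["ts"] < end):
            continue
        for name, rule in RULES.items():
            if rule(event):
                alerts.append((name, event))
    return alerts


def alert_counts(alerts):
    """How often each rule fired in the window."""
    return Counter(name for name, _ in alerts)


def l1_queue(alerts):
    """'First Detected, First Analyzed': the queue the L1 analyst works, oldest first,
    carrying only what the alert itself says (timestamp, rule, host)."""
    return [(ev["ts"].strftime(TS_FORMAT), name, ev["host"]) for name, ev in alerts]


if __name__ == "__main__":
    found = run_rules(parse_events(SAMPLE_EVENTS), "2024-05-01T00:00:00Z")
    for rule, count in alert_counts(found).items():
        print(f"{count}x {rule}")
    for item in l1_queue(found):
        print(*item)
```

On the constructed data the temp rule fires three times and the kernel-module rule once inside the window; the `/tmp/late` execution on the next day falls outside it and is not in the queue. The queue deliberately carries nothing beyond the alert’s own fields, which is exactly the L1 analyst’s view: that the kernel-module load on `srv-db1` followed a temp-directory execution on the same host two hours earlier is a correlation the playbook has to tell the analyst to look for, because the alert alone will not.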


A Security Operation Center is a versatile department. Similar to a Swiss army knife, or is it?

Swiss army knife

A comparison between a Swiss army knife and a Security Operation Center (SOC) can clearly be made: both are highly versatile. But there is also such a thing as being too versatile. In this article, I will describe the three blades every SOC should have, how to optimize them, and how to respond when somebody asks the question ‘Is your army knife not overrated?’.

Like a genuine knife, the SOC has two sides. One side will act solely once something has been detected. I will refer to this in this article as SOC-Run. And the other…

Richard de Vries

A passionate security professional who shares his knowledge and experiences on several security-related topics and architecture.
