The Journey to Modern Security Operations

Posted by Andrew Maloney on Sep 23, 2021 1:48:09 PM

Security operations is not a new concept. In fact, it’s earned quite a few gray hairs in its roughly three-decade history, which got its start around the mid-1990’s with Log and Search. Each maturation of security operations has become more complex than the last, over time incorporating compliance, detection and response, intelligence, real-time threat hunting, and leaning towards fusion centers, as well as a whole host of other continuously developing capabilities.



The progression had been ongoing, but somewhat measured and predictable. Its evolution had been closely aligned with new technology innovations and new methods of adopting those innovations to deliver business outcomes.

Then COVID-19 suddenly hit, and we saw a mass acceleration of what many called the “digital transformation.” Memes by the dozens found their way into our social feeds, talking about how it wasn’t the CEO, the CIO, or even business strategy and foresight that led this transformation. It was COVID.

Businesses went into pandemonium and the adversaries took advantage, using the chaos to advance their nefarious agendas. In the shifting of the workforce from offices to remote, literally overnight, attack surfaces were not just increased, but expanded to a point they were hard to discern, and with the expanded attack surface we saw a corresponding increase in business risk.

For several reasons, all predominantly related to the power of human resilience in some way, shape, or form, we adapted to the new normal. Companies sped up their plans to move to the cloud. They started exploring the concepts of a perimeter-free world and zero trust models and making years’ worth of digital transformation progress in a matter of months. In fact, according to the CyberRes 2021 State of Security Operations report, 85% of organizations increased their adoption of cloud-based security solutions in the past year, with at least 99% or organizations now having at least some part of their security operations solutions now deployed in the cloud.

Yet somehow, in all this modernization and embracing of new technologies and capabilities, the methods upon which the foundation of security operations are built have been completely overlooked, and the status quo has prevailed.

It is time for companies to rethink how they bring efficient security operations into the post- pandemic world. Most security operations centers are still living in metaphorical houses built on traditional on-premises foundations. From SOC floor layouts, to governing processes, to daily standups and basic communication flows, organizations are spending too much time trying to figure out how to extend legacy methodologies into the cloud, resulting in a Frankenstein approach with neck bolts and stitches largely based on the concept of universal data centralization. Perhaps, organizations should be thinking about new ways to realize the potential of their full cybersecurity ecosystems, embracing the data silos that extend across multiple environments.

I’ve got a lot more to say on this topic. Check back next week to learn about how companies can move past the traditional barriers of centralized data strategies and embrace the new world of modern security operations.

Read More

Topics: cybersecurity, Security Operations, Digital Transformation

Same Cybersecurity Obstacles, Different Day

Posted by Andrew Maloney on Sep 2, 2021 10:10:29 AM

Dark Reading published an interesting story earlier this week entitled Ten Obstacles that Prevent Security Pros from Doing their Jobs. None of the obstacles is particularly surprising – mostly the same ones we’ve been dealing with for years, such as lack of budget, etc. What is striking about the list is that six of the 10 obstacles are directly related to security investigations. And, even for “lack of budget,” threat hunting is cited as a prime area where investment is lacking. 

Read More

Topics: cybersecurity, Security Investigations, Cybersecurity Obstacles, Visibility, CISO

Cybersecurity Investigations and M&A: How to Accelerate Integration

Posted by Andrew Maloney on Aug 24, 2021 9:29:07 AM

In a recent conversation, a friend was pondering if she’d been impacted by the recent T-Mobile breach. “I know my personally identifiable information has been included in several big breaches in the past, and I’m sure it’s been sold a million times over. I’ve never been a T-Mobile customer, yet T-Mobile acquired Sprint, and I was a Sprint customer for years. Do you think my data has been compromised as a result?”

Read More

Topics: cybersecurity, Mergers and Acquisitions, M&A

Making the 1-10-60 Rule a Reality

Posted by Query.AI on Aug 4, 2021 12:30:00 AM

In today’s digitally-transformed world, developers can spin workloads up and down in a matter of minutes. Despite the fleeting nature of these resources, threat actors can still use misconfigurations to exploit these as part of an attack. With time of the essence, the security operations center (SOC) needs to respond to new alerts quickly. Yet, the volume becomes overwhelming.

Read More

Topics: threat hunting, 1-10-60 Rule, Investigate

XDR: What Does Extended Detection and Response Really Mean?

Posted by Andrew Maloney on Jul 26, 2021 10:33:53 AM

If you do a search for “extended detection and response,” you will find several different definitions. In general, Extended Detection and Response (XDR) focuses on either a single vendor being utilized to cover all the different areas of security or an open model that incorporates multiple vendors. However, by looking at analyst definitions and finding the commonalities, you can get a better sense of what XDR really means. 

Read More

Topics: XDR, Hybrid XDR, Open XDR

A New Paradigm to Meet the Executive Order Incident Response Mandate

Posted by Query.AI on Jul 18, 2021 11:25:04 PM

The Executive Order on Improving the Nation’s Cybersecurity (Executive Order) sets out an ambitious plan for enhancing federal agency and supply chain security. Covering everything from cloud-first initiatives to zero trust architecture, the Executive Order covers many topics. It will likely have a wider reach than just Federal Civilian Executive Branch (FCEB) agencies. For security operations center (SOC) teams, Section 6, “Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents,” has the most significant impact on their day-to-day activities. 

Read More

Topics: cybersecurity, SOC, NIST, data, National Institute of Standards and Technologies

Will XDR Help the Future of Modern SOC?

Posted by Andrew Maloney on Jul 8, 2021 12:15:00 AM

We’re all seeing the market buzz

Extended Detection and Response(XDR) is getting a lot of attention these days. Given two, leading endpoint detection and response (EDR) vendors, SentinelOne and Crowdstrike, recently announced acquisitions of Scaylr and Humio, respectively, it seems more vendors are making the daily pivot to enter the XDR market.

Read More

Topics: SOC, NDR, XDR, EDR, SIEM, NTA, UEBA, Hybrid XDR, Open XDR

Query.AI Named a 2021 Cool Vendor in the Gartner Cool Vendors in Security Operations

Posted by Dhiraj Sharan on Jun 30, 2021 12:00:00 PM

Today we are ecstatic to share that we have been recognized by Gartner as a Cool Vendor in Security Operations! [1] 

Read More

Topics: Gartner Cool Vendor, Security Operations

Attempting to Understand how Colonial Pipeline Attack was perpetrated

Posted by Sourav Ravish on Jun 7, 2021 12:06:23 PM

We, cybersecurity professionals, need to understand what happened in the Colonial Pipeline ransomware attack. Though internal details are not public, based upon what little we know from the media, let’s try to put ourselves in the shoes of the cybersecurity professionals who had to respond to this attack.

Read More

Topics: Cyber Security, cybersecurity, Cyber attack

What is threat hunting?

Posted by Craig Jorgensen on May 7, 2021 12:01:41 AM

The term threat hunting spawns different ideas and has different meanings for seemingly everyone you talk to. Understanding what threat hunting is will help you better equip your security teams to respond to alerts and mitigate risk. But is it basic triage of known indicators of compromise (IOC) in a proactive manner or some magical Jedi skill that only masters can summon and execute?

Read More

Topics: Cyber Security, cybersecurity, threat hunting, threat hunter