Know Thyself (or, Better SOC Metrics)
Understanding security operations capabilities and performance
Infosec operations teams, and their organizations, need to understand their capabilities (what they can do) and performance (what they have done) to justify investment and maintain team satisfaction. We provide 8 examples of operations metrics that address both.
Capabilities are the tools, data, and expertise used to perform assigned cybersecurity functions. Capabilities metrics should show coverage (which risks are addressed) and availability (over what assets and when). Performance covers real-world security outcomes, value, and cost. Performance metrics show impact (actual results) and efficiency (their cost).
14 Feb 2021
Choosing capabilities to use, assets to cover, and threats to target.
Threat hunting can speed detection and reduce the cost of a breach, as well as reduce the chance of future compromise. Hunting isn’t free, though: it takes time, tools, and trained staff. To maximize the return, hunters need to prioritize three sets: 1) capabilities (people, tools, and info used), 2) assets (systems, services, data, users, and accounts covered), and 3) threats (actors, tactics, and techniques targeted).
This approach helps you prioritize and integrate these for the most hunting impact, and it can be extended to other infosec activities.
6 Oct 2020
Responding to Ransomware (a Playbook)
An open-source template for ransomware response planning
Ransomware attacks are skyrocketing and they can devastate your organization if not handled well. We’ve released a new open-source ransomware playbook to fit with our high-quality free incident response plan. This playbook adds details for all response phases, and has clear customization instructions to tailor it to your environment.
Better plans and playbooks can greatly reduce ransomware’s impact and help you get back to business as quickly as possible. You’ll sleep better having put one together — we hope this helps.
5 Oct 2019
An open-source shipper for Office 365 logs
We’re happy to announce the production release of o365beat, an open source log shipper used to fetch Office 365 audit logs from the Office 365 Management Activity API and forward them with all the flexibility and capability provided by the beats platform (specifically, libbeat).
With business email compromise on the rise and more teams moving to the convenience of hosted productivity services, we want our friends to have a free, open source, and convenient tool to gather facts and help secure their Office 365 tenancies.
1 Sep 2019
A case (and method) for impact-driven infosec based on asset value
Security teams spend vast amounts assessing and addressing the likelihood of incidents through threat intelligence, vulnerability management, and more. But if this is done to protect assets that don’t really matter, those investments become waste.
Teams struggle to know what systems would matter most if they were to go down, and what data would be most damaging if it were taken or corrupted. Using access and insight to determine the value of systems, data, and users helps build a truly risk-informed, rational security program.
1 May 2019
Custom Incident Response Plans for Everyone
Expanding our efforts to bring quality plans to every organization
Starting with a high-quality incident response plan template is good, but we can do better with a convenient tool to customize that template for your organization. We’ve released an easy-to-use app that lets you enter simple information about your organization and download a customized plan. The output is ready to use immediately, and contains instructions for how to improve the plan over time.
Incident response planning is a cornerstone of information security and a required component of many compliance regimes - get started with a free custom plan ASAP.
1 Apr 2019
An IR Plan You Will Actually Use
Concise, directive, specific, flexible, and free
Incident response planning is a cornerstone of information security programs, but too many plans end up on a shelf gathering dust until the next audit.
A stale, unused plan is almost worse than having no plan: it can lull the organization into a false sense of security, without any meaningful preparedness.
We can definitely do better, with plans that are more concise, directive, specific, flexible, and free. We’ve created a high-quality incident response plan template to get everyone started.
1 Sep 2017
A model for clarity of purpose in information security
Existing information security (infosec) frameworks ignore or presuppose why we invest and participate in infosec—the purpose. Moreover, stakeholders have different motivations, which leads to equivocation, miscommunication, and ineffectiveness.
A model for why infosec improves communication, priorities, and impact: