Innovative ideas on the ends and means of modern information security


Know Thyself (or, Better SOC Metrics)

Understanding security operations capabilities and performance

Infosec operations teams, and their organizations, need to understand their capabilities (what they can do) and performance (what they have done) to justify investment and maintain team satisfaction. We provide 8 examples of operations metrics that address both.

Capabilities are the tools, data, and expertise used to perform assigned cybersecurity functions. Capabilities metrics should show coverage (which risks are addressed) and availability (over what assets and when). Performance covers real-world security outcomes, value, and cost. Performance metrics show impact (actual results) and efficiency (their cost).

Read more ...

14 Feb 2021

Threat hunting priorities

Choosing capabilities to use, assets to cover, and threats to target.

Threat hunting can speed detection and reduce the cost of a breach, as well as reduce the chance of future compromise. Hunting isn’t free, though: it takes time, tools, and trained staff. To maximize the return, hunters need to prioritize three sets: 1) capabilities (people, tools, and info used), 2) assets (systems, services, data, users, and accounts covered), and 3) threats (actors, tactics, and techniques targeted).

This approach helps you prioritize and integrate these for the most hunting impact, and it can be extended to other infosec activities.

Read more ...

6 Oct 2020

Responding to Ransomware (a Playbook)

An open-source template for ransomware response planning

Ransomware attacks are skyrocketing and they can devastate your organization if not handled well. We’ve released a new open-source ransomware playbook to fit with our high-quality free incident response plan. This playbook adds details for all response phases, and has clear customization instructions to tailor it to your environment.

Better plans and playbooks can greatly reduce ransomware’s impact and help you get back to business as quickly as possible. You’ll sleep better having put one together — we hope this helps.

Read more ...

5 Oct 2019

O365beat Released

An open-source shipper for Office 365 logs

We’re happy to announce the production release of o365beat, an open source log shipper used to fetch Office 365 audit logs from the Office 365 Management Activity API and forward them with all the flexibility and capability provided by the beats platform (specifically, libbeat).

With business email compromise on the rise and more teams moving to the convenience of hosted productivity services, we want our friends to have a free, open source, and convenient tool to gather facts and help secure their Office 365 tenancies.

Read more ...

1 Sep 2019

Secure What Matters

A case (and method) for impact-driven infosec based on asset value

Security teams spend vast amounts assessing and addressing the likelihood of incidents through threat intelligence, vulnerability management, and more. But if this is done to protect assets that don’t really matter, those investments become waste.

Teams struggle to know what systems would matter most if they were to go down, and what data would be most damaging if it were taken or corrupted. Using access and insight to determine the value of systems, data, and users helps build a truly risk-informed, rational security program.

Read more ...

1 May 2019

Custom Incident Response Plans for Everyone

Expanding our efforts to bring quality plans to every organization

Starting with a high-quality incident response plan template is good, but we can do better with a convenient tool to customize that template for your organization. We’ve released an easy-to-use app that lets you enter simple information about your organization and download a customized plan. The output is ready to use immediately, and contains instructions for how to improve the plan over time.

Incident response planning is a cornerstone of information security and a required component of many compliance regimes - get started with a free custom plan ASAP.

Read more ...

1 Apr 2019

An IR Plan You Will Actually Use

Concise, directive, specific, flexible, and free

Incident response planning is a cornerstone of information security programs, but too many plans end up on a shelf gathering dust until the next audit.

A stale, unused plan is almost worse than having no plan: it can lull the organization into a false sense of security, without any meaningful preparedness.

We can definitely do better, with plans that are more concise, directive, specific, flexible, and free. We’ve created a high-quality incident response plan template to get everyone started.

Read more ...

1 Sep 2017

Why Infosec?

A model for clarity of purpose in information security

Existing information security (infosec) frameworks ignore or presuppose why we invest and participate in infosec—the purpose. Moreover, stakeholders have different motivations, which leads to equivocation, miscommunication, and ineffectiveness.

A model for why infosec improves communication, priorities, and impact:

  • Infosec motivations fall into four categories: economics, edicts, ethics, and excitement (E4)
  • These categories fall along two axes: focus (protector vs. protectee) and discretion (flexible vs. rigid)

Read more ...

1 Aug 2017