Anton on Security

New Paper: “Future Of The SOC: Process Consistency and Creativity: a Delicate Balance” (Paper 3 of…

Anton on Security

New Paper: “Future Of The SOC: Process Consistency and Creativity: a Delicate Balance” (Paper 3 of 4) Sorry, it took us a year (long story), but paper #3 in Deloitte/Google collaboration on SOC is finally out. Enjoy “Future Of The SOC: Process Consistency and Creativity: a Delicate Balance” [PDF].

Stealing More SRE Ideas for Your SOC

Anton on Security

As we discussed in “Achieving Autonomic Security Operations: Reducing toil” (or its early version “Kill SOC Toil, Do SOC Eng”), your Security Operations Center (SOC) can learn a lot from what IT operations learned during the SRE revolution.

Left of SIEM? Right of SIEM? Get It Right!

Anton on Security

This post is perhaps a little basic for true SIEM literati, but it covers an interesting idea about SIEM’s role in today’s security. I suspect that this topic will become even more fascinating in light of the appearance of XDR — but

20 Years of SIEM Webinar Q&A

Anton on Security

I recently did this fun SANS webinar titled “Anton Chuvakin Discusses ‘20 Years of SIEM — What’s Next?’” (the seemingly self-centered title was suggested by CardinalOps, who organized the webinar). As is common for SANS webinars, we got a lot of great questions that I feel like re-answering here for posterity. Q: When do you think the industry will understand what XDR entails?

How Preparation and Strategy Can Be Used to Fight and Defeat Any Ransomware Attack

Speaker: Karl Camilleri, Cloud Services Product Manager at phoenixNAP

Through a detailed analysis of major attacks and their consequences, Karl Camilleri, Cloud Services Product Manager at phoenixNAP, will discuss the state of ransomware and future predictions, as well as provide best practices for attack prevention and recovery.

Anton and The Great XDR Debate, Part 3

Anton on Security

TLDR: no, this post still does not contain the Ultimate Answer for XDR, Life and Everything Question. Moreover, I don’t think anything ever will. While we discuss XDR, the market forces change the definitions, vendors pivot away, analysts ponder, customers cry… well, the cyber-usual.

20 Years of SIEM: Celebrating My Dubious Anniversary

Anton on Security

20 years of SIEM? On Jan 20, 2002, exactly 20 years ago, I joined a “SIM” vendor that shall remain nameless, but is easy to figure out. That windy winter day in northern New Jersey definitely set my security career on a new course.

SOC is Not Dead Yet It May Be Reborn As Security Operations Center of Excellence

Anton on Security

For many years, security practitioners imagined a security operations center (SOC) as a big room, full of expensive monitors and chairs. In their minds, rows of analysts sitting in those chairs and watching those monitors for blinking alerts made a SOC, well, a SOC. This vision of the security operations center is derived from the original vision of the network operations center (NOC) that predates the SOC by perhaps another decade or two.

Cloud Security Podcast by Google — Popular Episodes by Topic

Anton on Security

Cloud Security Podcast by Google — Popular Episodes by Topic This is simply a post that categorizes our podcast episodes by topic and then by download/listen count.

Kill SOC Toil, Do SOC Eng

Anton on Security

As you are reading our recent paper “Autonomic Security Operations — 10X Transformation of the Security Operations Center”, some of you may think “Hey, marketing inserted that 10X thing in there.” Well, 10X thinking is, in fact, an ancient tradition here at Google. We think that it is definitely possible to apply “10X thinking” to many areas of security (at the same link, they say that sometimes it is “easier to make something 10 times better than it is to make it 10 percent better”).

How to Measure Threat Detection Quality for an Organization?

Anton on Security

Sometimes I write blog posts with answers. In other cases, I write blog posts with questions. This particular blog post covers a topic where I feel I am in the “discovering questions” phase. In other words, don’t expect answers, but also don’t expect questions… So, in recent weeks, I had a few simultaneous conversations with various people that focused on the quality of threat detection. Here I’m talking about the quality of the entire detection capability of an organization.

Cover Your SaaS: How to Overcome Security Challenges and Risks For Your Organization

Speaker: Ronald Eddings, Cybersecurity Expert and Podcaster

In this webinar, Ronald Eddings, Cybersecurity Expert, will outline the relationship between SaaS apps and IT & security teams, along with several actionable solutions to overcome the new difficulties facing your organization.

Do You Trust Your SIEM?

Anton on Security

My admittedly epic (but dated) post “Security Correlation Then and Now: A Sad Truth About SIEM” mentioned the issue of TRUST as it applies to SIEM. Specifically, as a bit of a throwaway comment, I said “people write stupid string-matching and regex-based content because they trust it. They do not, en masse, trust the event taxonomies if their lives and breach detections depend on it.” This post is an exploration of that theme.

How to SLO Your SOC Right? More SRE Wisdom for Your SOC!

Anton on Security

As we discussed in “Achieving Autonomic Security Operations: Reducing toil” (or its early version “Kill SOC Toil, Do SOC Eng”) and “Stealing More SRE Ideas for Your SOC”, your Security Operations Center (SOC) can learn a lot from what IT operations learned during the SRE revolution. In this post of the series, we plan to extract the lessons for your SOC centered on another SRE principle: Service Level Objectives (SLOs). In brief, this is about metrics.

SOC Technology Failures — Do They Matter?

Anton on Security

SOC Technology Failures — Do They Matter? Most failed Security Operations Centers (SOCs) that I’ve seen have not failed due to a technology failure.

Anton’s Security Blog Quarterly Q1 2022

Anton on Security

Great old blog posts are sometimes hard to find (especially on Medium), so I decided to do a periodic list blog with my favorite posts of the past quarter or so. Here is the next one. The posts below are ranked by lifetime views. This covers both Anton on Security and my posts from Google Cloud blog, and our Cloud Security Podcast too (subscribe). Top 5 most popular posts of all times: “Security Correlation Then and Now: A Sad Truth About SIEM” “Can We Have “Detection as Code”?” “New

Google Cybersecurity Action Team Threat Horizons Report #2 Is Out!

Anton on Security

This is my completely informal, uncertified, unreviewed and otherwise unofficial blog inspired by my reading of our second Threat Horizons Report (full version, short version) that we just released (the official blog for #1 is here). My favorite quotes follow below: “Threat actors have been known to use tools native to the Cloud environment rather than downloading custom malware or scripts to avoid detection.

How to Avoid the Pain and Cost of PCI Compliance While Optimizing Payments

Speaker: P. Andrew Sjogren, Sr. Product Marketing Manager at Very Good Security, Matt Doka, Co-Founder and CTO of Fivestars, and Steve Andrews, President & CEO of the Western Bankers Association

In this webinar, we have a great set of panelists who will take you through how Zero Data strategies can be used as part of a well-rounded compliance and security approach, and get you to market much sooner by also allowing for payment optimization. They’ll share how to grow your business faster and minimize costs for both security and compliance.

Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait…

Anton on Security

Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait… This is about the Security Operations Center (SOC). And automation. And of course SOC automation. Let’s start from a dead-obvious point: you cannot and should not automate away all people from your SOC today.

2021 Threat Intelligence Use Cases

Anton on Security

For a reason that shall remain nameless, I’ve run this quick poll focused on the use cases for threat intelligence in 2021. The question and the results are below. Anton’s Threat Intel Poll 2021 Here are some thoughts and learnings based on the poll and the discussion, as well as other things.

New Paper: “Future of the SOC: SOC People — Skills, Not Tiers”

Anton on Security

New Paper: “Future of the SOC: SOC People — Skills, Not Tiers” Back in August, we released our first Google/Chronicle — Deloitte

Anton and The Great XDR Debate, Part 2

Anton on Security

As you recall from “Anton and The Great XDR Debate, Part 1”, there are several conflicting definitions of XDR today. As you also recall, I never really voted for any of the choices in the post. While some of you dismiss XDR as the work of excessively excitable marketing people (hey … some vendor launched “XDR prevention”, no way, right?), perhaps there is a way to think about it from a different perspective.

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

A SOC Tried To Detect Threats in the Cloud … You Won’t Believe What Happened Next

Anton on Security

A SOC Tried To Detect Threats in the Cloud … You Won’t Believe What Happened Next Now, we all agree that various cloud technologies such as SaaS SIEM help your Security Operations Center (SOC). However, there’s also a need to talk about how traditional SOCs are challenged by the need to monitor cloud computing environments for threats. In this post, I wanted to quickly touch on this very topic and refresh some past analysis of this (and perhaps reminisce on how sad things were in 2012).

How to Make Threat Detection Better?

Anton on Security

I keep coming to the same topic over and over: why are we still bad at detecting threats? I’ve lamented on this a few times, either touching on general difficulties with detection, its uncertainty or highlighting the fragile detections people write.

Today, You Really Want a SaaS SIEM!

Anton on Security

One thing I did not expect to see in 2021 is a lot of people complaining about how difficult their SIEM is to operate. Let’s explore this topic for the (n+1)-th time. And let me tell you … that “n” is pretty damn large since my first involvement with SIEM in January 2002 (!) —

Not the Final Answer on NDR in the Cloud …

Anton on Security

Not the Final Answer on NDR in the Cloud … Back in my analyst years, I rather liked the concept of NDR or Network Detection and Response. And, despite having invented the acronym EDR, I was raised on NSM and tcpdump way before that. Hence, even though we may still live in an endpoint security era, the need for network data analysis has not vanished.

What Are You NOT Detecting?

Anton on Security

What are you not detecting? OK, what threats are you NOT detecting? Still didn’t help? What I mean here is: are you thinking about these:
- Threats that you don’t need to detect due to your risk profile, your threat assessment, etc.
- Threats that you do need to detect, but don’t know how.
- Threats that you do need to detect and know how, but cannot operationally (e.g. your SIEM will crash if you inject all the cloud logs).
- Threats that you do need to detect and know how, but do not (yet?)

On Threat Detection Uncertainty

Anton on Security

My post “Why is Threat Detection Hard?” proved to be one of the most popular in the recent history of my new blog. In this post, I wanted to explore a seemingly obvious, while surprisingly fascinating, aspect of detection: uncertainty. Uncertainty? Are you sure, Anton? :-) Well, maybe!

Why is Threat Detection Hard?

Anton on Security

While creating a recent presentation, I needed a slide on “threat detection is hard.” And it got me thinking, why is threat detection so hard for so many organizations today?

Anton and The Great XDR Debate, Part 1

Anton on Security

I know you may hate me for this, but I’ve been finally tempted into the Great XDR Debate. Here, if you want TL;DR, my position on XDR today is “wait and see” (boring, huh?). Unlike some of my esteemed former colleagues, I don’t really have a horse in the race. First, a very brief bit of history. The origin of the term XDR (Extended Detection and Response) is disputed. Wikipedia (entry, reviewed 8/6/2021) has us believe that Palo Alto invented the term “in 2018.”

New Paper: “Autonomic Security Operations — 10X Transformation of the Security Operations Center”

Anton on Security

New Paper: “Autonomic Security Operations — 10X Transformation of the Security Operations Center” It is with much excitement that we announce a new paper about transforming your security operations; it is published under the Office of the CISO at Google Cloud. This work is focused on our vision as well as our lessons in building effective security operations for the future. We spent a lot of time thinking about what to call the new model.

Anton’s Security Blog Quarterly Q2 2021

Anton on Security

Sometimes great old blog posts are hard to find (especially on Medium …), so I decided to do a periodic list blog with my favorite posts of the past quarter or so. Here is my third. The posts below are ranked by lifetime views. This covers both Anton on Security and my posts from Google Cloud blog, and now our Cloud Security Podcast too! Top 3 most popular posts of all times: “Security Correlation Then and Now: A Sad Truth About SIEM” “Can We Have “Detection as Code”?” “New

Is Your Fate In the Cloud?

Anton on Security

This is a quick “let’s think about it together” post focused on the future of cloud security. Our logical starting point is: “Through 2025, 99% of cloud security failures will be the customer’s fault.” (source: Gartner) My experience in my analyst days and perhaps today mostly confirms it. I’d say that “it feels right.” So, let’s agree that it describes today’s reality correctly.

SOC Threat Coverage Analysis — Why/How?

Anton on Security

SOC Threat Coverage Analysis — Why/How? As I mentioned in Detection Coverage and Detection-in-Depth, the topic of threat detection coverage has long fascinated me. Back in my analyst days, we looked at it as a part of a security use case lifecycle process. For example, we focused on things like number and quality of alerts per SIEM use case, false/useless alert (“false positive”) numbers and ratios (to useful alerts), escalations to incident response, tuning, etc.

SOC Trends ISACA Webinar Q&A

Anton on Security

A few days ago we did a very well-attended webinar focused on the modern Security Operations Center (SOC) approach (see “Trend for the Modern SOC” for a replay link). We got a lot of great questions, and just like in the good old times, I am writing a blog where I cover some of the answers. Q: You mentioned that SOC is first a team: which skills are expected to distinguish the “basic” SOC from the modern SOC?

From Google Cloud Blog: “New whitepaper: Designing and deploying a data security strategy with…

Anton on Security

From Google Cloud Blog: “New whitepaper: Designing and deploying a data security strategy with Google Cloud” Here is another very fun resource we created (jointly with Andrew Lance from Sidechain), a paper on designing and running data security strategy on Google Cloud. Read our launch blog here; a long excerpt is quoted below. Read Sidechain blog here; look for a useful data security migration checklist.

Anton’s Security Blog Quarterly Q1 2021

Anton on Security

Sometimes great old blog posts are hard to find (especially on Medium …), so I decided to do a periodic list blog with my favorite posts of the past quarter or so. Here is my second. The posts below are ranked by lifetime views and topic. It covers both Anton on Security and my posts from Google Cloud blog [and now our Cloud Security Podcast too!]

From Google Cloud Blog: “New Cloud Security Podcast by Google is here”

Anton on Security

Those who follow me on social media already know this, but we have launched THE Cloud Security Podcast. TL;DR: Find this on Google Podcasts, Apple Podcasts, Spotify, Stitcher and wherever else podcasts can be found. You can also download the episodes directly here. Follow @CloudSecPodcast. The whole story from our GCP blog is cross-posted below: Security continues to be top of mind for large enterprises as well as smaller organizations and businesses.

Role of Context in Threat Detection

Anton on Security

I got into a very insightful debate with somebody who will remain nameless in the beginning of this post, but will perhaps be revealed later. The debate focused on the role of context in threat detection. Specifically, it is about the role of local context (environment knowledge, organization context, site details, etc.) in threat detection. Can threat detection work well without such local context? Now, some of you will say “yes, of course!”

Cloud Migration Security Woes

Anton on Security

As I hear of organizations dealing with security when migrating to the cloud, I occasionally observe cases of “extreme lift and shift.” I use this label to describe a case when an organization wants to keep every single security technology that they use on-premise after they move to the public cloud. The list can be very long and tedious; it may include such staples as firewalls, anti-malware, SIEM, EDR, NIDS, and even network forensics and NDR. Let’s ponder this situation without judgement.

Usage Scenarios for Externalized Trust

Anton on Security

As we discussed in “The Cloud trust paradox: To trust cloud computing more, you need the ability to trust it less”, there are situations where the encryption key really does belong off the cloud and so trust is externalized. While we argue that these are rarer than some assume, they absolutely do exist. Moreover, when these situations materialize, the data in question or the problem being solved is typically hugely important for an organization.

Anton’s Security Blog Quarterly Q3.5 2020

Anton on Security

Sometimes great old blog posts are hard to find (especially on Medium), so I decided to do a periodic (who am I kidding, occasional, not periodic) list blog with my favorite posts of the past quarter or so. Here is my first. The posts below are ranked by lifetime views and topic. It covers both Anton on Security and my posts from Google Cloud blog.