Anton on Security

Kill SOC Toil, Do SOC Eng

Anton on Security

As you are reading our recent paper “Autonomic Security Operations — 10X Transformation of the Security Operations Center”, some of you may think “Hey, marketing inserted that 10X thing in there.” Well, 10X thinking is, in fact, an ancient tradition here at Google. We think that it is definitely possible to apply “10X thinking” to many areas of security (at the same link, they say that sometimes it is “easier to make something 10 times better than it is to make it 10 percent better”).

Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait…

Anton on Security

Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait… This is about the Security Operations Center (SOC). And automation. And of course SOC automation. Let’s start from a dead-obvious point: you cannot and should not automate away all people from your SOC today.


2021 Threat Intelligence Use Cases

Anton on Security

For a reason that shall remain nameless, I’ve run this quick poll focused on the use cases for threat intelligence in 2021. The question and the results are below.

Anton’s Threat Intel Poll 2021

Here are some thoughts and learnings based on the poll and the discussion, as well as other things.

New Paper: “Future of the SOC: SOC People?—?Skills, Not Tiers”

Anton on Security

New Paper: “Future of the SOC: SOC People — Skills, Not Tiers” Back in August, we released our first Google/Chronicle — Deloitte

How to Avoid the Pain and Cost of PCI Compliance While Optimizing Payments

Speaker: P. Andrew Sjogren, Sr. Product Marketing Manager at Very Good Security, Matt Doka, Co-Founder and CTO of Fivestars, and Steve Andrews, President & CEO of the Western Bankers Association 

In this webinar, we have a great set of panelists who will take you through how Zero Data strategies can be used as part of a well-rounded compliance and security approach, and get you to market much sooner by also allowing for payment optimization. They’ll share how to grow your business faster and minimize costs for both security and compliance.

Anton and The Great XDR Debate, Part 2

Anton on Security

As you recall from “Anton and The Great XDR Debate, Part 1”, there are several conflicting definitions of XDR today. As you also recall, I never really voted for any of the choices in the post. While some of you dismiss XDR as the work of excessively excitable marketing people (hey … some vendor launched “XDR prevention”, no way, right?), perhaps there is a way to think about it from a different perspective.

How to Make Threat Detection Better?

Anton on Security

I keep coming back to the same topic over and over: why are we still bad at detecting threats? I’ve lamented on this a few times, either touching on general difficulties with detection, its uncertainty or highlighting the fragile detections people write.

Not the Final Answer on NDR in the Cloud …

Anton on Security

Not the Final Answer on NDR in the Cloud … Back in my analyst years, I rather liked the concept of NDR or Network Detection and Response. And, despite having invented the acronym EDR, I was raised on NSM and tcpdump way before that. Hence, even though we may still live in an endpoint security era, the need for network data analysis has not vanished.

Today, You Really Want a SaaS SIEM!

Anton on Security

One thing I did not expect to see in 2021 is a lot of people complaining about how difficult their SIEM is to operate. Let’s explore this topic for the (n+1)-th time. And let me tell you … that “n” is pretty damn large since my first involvement with SIEM in January 2002 (!)

Anton and The Great XDR Debate, Part 1

Anton on Security

I know you may hate me for this, but I’ve been finally tempted into the Great XDR Debate. Here, if you want the TL;DR, my position on XDR today is “wait and see” (boring, huh?). Unlike some of my esteemed former colleagues, I don’t really have a horse in the race. First, a very brief bit of history. The origin of the term XDR (Extended Detection and Response) is disputed. Wikipedia (entry, reviewed 8/6/2021) has us believe that Palo Alto invented the term “in 2018.”

New Paper: “Autonomic Security Operations?—?10X Transformation of the Security Operations Center”

Anton on Security

New Paper: “Autonomic Security Operations — 10X Transformation of the Security Operations Center” It is with much excitement that we announce a new paper about transforming your security operations; it is published under the Office of the CISO at Google Cloud. This work is focused on our vision as well as our lessons in building effective security operations for the future. We spent a lot of time thinking about what to call the new model.


Back to the Office: Privacy and Security Solutions to Compliance Issues for 2021 and Beyond

Speaker: Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies

Now that companies are slowly allowing employees to return to work at the office, it's time to re-evaluate your company’s posture towards privacy and security. Join Mike Cramer, Director of HIPAA & Data Security at The Word & Brown Companies, for a discussion that will focus on compliance and the types of privacy and security measures your company should be aware of, as well as tips and methods for implementing these measures.

What Are You NOT Detecting?

Anton on Security

What are you not detecting? OK, what threats are you NOT detecting? Still didn’t help? What I mean here is: are you thinking about these:

- Threats that you don’t need to detect due to your risk profile, your threat assessment, etc.
- Threats that you do need to detect, but don’t know how.
- Threats that you do need to detect and know how, but cannot operationally (e.g. your SIEM will crash if you inject all the cloud logs).
- Threats that you do need to detect and know how, but do not (yet?)


Anton’s Security Blog Quarterly Q2 2021

Anton on Security

Sometimes great old blog posts are hard to find (especially on Medium …), so I decided to do a periodic list blog with my favorite posts of the past quarter or so. Here is my third. The posts below are ranked by lifetime views. This covers both Anton on Security and my posts from the Google Cloud blog, and now our Cloud Security Podcast too! Top 3 most popular posts of all time: “Security Correlation Then and Now: A Sad Truth About SIEM” “Can We Have “Detection as Code”?” “New

On Threat Detection Uncertainty

Anton on Security

My post “Why is Threat Detection Hard?” proved to be one of the most popular in the recent history of my new blog. In this post, I wanted to explore a seemingly obvious, while surprisingly fascinating aspect of detection: uncertainty. Uncertainty? Are you sure, Anton? :-) Well, maybe!

Why is Threat Detection Hard?

Anton on Security

While creating a recent presentation, I needed a slide on “threat detection is hard.” And it got me thinking, why is threat detection so hard for so many organizations today?

SOC Trends ISACA Webinar Q&A

Anton on Security

A few days ago we did a very well-attended webinar focused on the modern Security Operations Center (SOC) approach (see “Trend for the Modern SOC” for a replay link). We got a lot of great questions, and just like in the good old times, I am writing a blog where I cover some of the answers. Q: You mentioned that SOC is first a team: which skills are expected to distinguish the “basic” SOC from the modern SOC?


SOC Threat Coverage Analysis?—?Why/How?

Anton on Security

SOC Threat Coverage Analysis — Why/How? As I mentioned in Detection Coverage and Detection-in-Depth, the topic of threat detection coverage has long fascinated me. Back in my analyst days, we looked at it as a part of a security use case lifecycle process. For example, we focused on things like the number and quality of alerts per SIEM use case, false/useless alert (“false positive”) numbers and their ratios to useful alerts, escalations to incident response, tuning, etc.
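The use-case lifecycle metrics named above (alerts per use case, false-positive ratio, escalations, and which in-scope threats have no detection firing at all) are easy to compute once alert dispositions are recorded. The following is an added example and not code from the post or from any Google product: the alert records, use-case names, the ATT&CK-style technique IDs used as a scope list, and the tuning thresholds are all constructed for illustration.

```python
"""Per-use-case alert quality and coverage-gap metrics for a SOC review.

Added example, not from the post: alert records, use-case names, technique
IDs and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of closed alerts as an analyst might disposition them.
# disposition is one of: "tp" (true positive), "fp" (false positive),
# "benign" (rule fired correctly, but the activity was authorised).
SAMPLE_ALERTS = [
    {"use_case": "UC-01 brute force", "technique": "T1110", "disposition": "fp", "escalated": False},
    {"use_case": "UC-01 brute force", "technique": "T1110", "disposition": "fp", "escalated": False},
    {"use_case": "UC-01 brute force", "technique": "T1110", "disposition": "fp", "escalated": False},
    {"use_case": "UC-01 brute force", "technique": "T1110", "disposition": "fp", "escalated": False},
    {"use_case": "UC-01 brute force", "technique": "T1110", "disposition": "tp", "escalated": True},
    {"use_case": "UC-02 credential dump", "technique": "T1003", "disposition": "tp", "escalated": True},
    {"use_case": "UC-02 credential dump", "technique": "T1003", "disposition": "benign", "escalated": False},
    {"use_case": "UC-02 credential dump", "technique": "T1003", "disposition": "tp", "escalated": True},
    {"use_case": "UC-03 encoded powershell", "technique": "T1059", "disposition": "fp", "escalated": False},
    {"use_case": "UC-03 encoded powershell", "technique": "T1059", "disposition": "tp", "escalated": False},
]

# Techniques the (assumed) threat assessment says this SOC must cover.
REQUIRED_TECHNIQUES = {"T1110", "T1003", "T1059", "T1566", "T1078"}


@dataclass
class UseCaseStats:
    technique: str = ""
    alerts: int = 0
    tp: int = 0
    fp: int = 0
    benign: int = 0
    escalated: int = 0

    @property
    def fp_ratio(self) -> float:
        """Share of alerts that were pure noise."""
        return self.fp / self.alerts if self.alerts else 0.0

    @property
    def escalation_rate(self) -> float:
        """Share of alerts that reached incident response."""
        return self.escalated / self.alerts if self.alerts else 0.0


def summarize(alerts):
    """Aggregate closed alerts into per-use-case counts."""
    stats = defaultdict(UseCaseStats)
    for a in alerts:
        s = stats[a["use_case"]]
        s.technique = a["technique"]
        s.alerts += 1
        if a["disposition"] == "tp":
            s.tp += 1
        elif a["disposition"] == "fp":
            s.fp += 1
        elif a["disposition"] == "benign":
            s.benign += 1
        else:
            raise ValueError(f"unknown disposition {a['disposition']!r}")
        if a["escalated"]:
            s.escalated += 1
    return dict(stats)


def tuning_candidates(stats, max_fp_ratio=0.6, min_alerts=3):
    """Use cases whose alerts are mostly noise and that fired often enough
    for the ratio to mean something. Sparse use cases are reported
    separately rather than judged on one or two samples."""
    noisy, too_sparse = [], []
    for name, s in sorted(stats.items()):
        if s.alerts < min_alerts:
            too_sparse.append(name)
        elif s.fp_ratio > max_fp_ratio:
            noisy.append(name)
    return noisy, too_sparse


def coverage_gaps(stats, required=REQUIRED_TECHNIQUES):
    """Required techniques with no use case that fired in the period.
    A rule that exists but never fires looks the same here as a rule that
    does not exist, which is exactly why the check is worth running."""
    covered = {s.technique for s in stats.values()}
    return sorted(required - covered)


if __name__ == "__main__":
    stats = summarize(SAMPLE_ALERTS)
    for name, s in sorted(stats.items()):
        print(f"{name}: alerts={s.alerts} fp_ratio={s.fp_ratio:.2f} "
              f"escalation_rate={s.escalation_rate:.2f}")
    noisy, sparse = tuning_candidates(stats)
    print("tune:", noisy, "too few alerts to judge:", sparse)
    print("required techniques with nothing firing:", coverage_gaps(stats))
```

The point of separating "noisy" from "too sparse" is that a false-positive ratio computed over two alerts is not evidence of anything; the thresholds are a starting point to be argued over per environment, not a standard.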

From Google Cloud Blog: “New whitepaper: Designing and deploying a data security strategy with…

Anton on Security

From Google Cloud Blog: “New whitepaper: Designing and deploying a data security strategy with Google Cloud” Here is another very fun resource we created (jointly with Andrew Lance from Sidechain), a paper on designing and running a data security strategy on Google Cloud. Read our launch blog here — a long excerpt is quoted below. Read the Sidechain blog here — look for a useful data security migration checklist.

Anton’s Security Blog Quarterly Q1 2021

Anton on Security

Sometimes great old blog posts are hard to find (especially on Medium …), so I decided to do a periodic list blog with my favorite posts of the past quarter or so. Here is my second. The posts below are ranked by lifetime views and topic. It covers both Anton on Security and my posts from Google Cloud blog [and now our Cloud Security Podcast too!]

Is Your Fate In the Cloud?

Anton on Security

This is a quick “let’s think about it together” post focused on the future of cloud security. Our logical starting point is: “Through 2025, 99% of cloud security failures will be the customer’s fault.” (source: Gartner) My experience in my analyst days and perhaps today mostly confirms it. I’d say that “it feels right.” So, let’s agree that it describes today’s reality correctly.

From Google Cloud Blog: “New Cloud Security Podcast by Google is here”

Anton on Security

Those who follow me on social media already know this, but we have launched THE Cloud Security Podcast. TL;DR: Find it on Google Podcasts, Apple Podcasts, Spotify, Stitcher and wherever else podcasts can be found. You can also download the episodes directly here. Follow @CloudSecPodcast. The whole story from our GCP blog is cross-posted below: Security continues to be top of mind for large enterprises as well as smaller organizations and businesses.

Role of Context in Threat Detection

Anton on Security

I got into a very insightful debate with somebody who will remain nameless in the beginning of this post, but will perhaps be revealed later. The debate focused on the role of context in threat detection. Specifically, it is about the role of local context (environment knowledge, organization context, site details, etc) in threat detection. Can threat detection work well without such local context? Now, some of you will say “yes, of course!”

Cloud Migration Security Woes

Anton on Security

As I hear of organizations dealing with security when migrating to the cloud, I occasionally observe cases of “extreme lift and shift.” I use this label to describe a case when an organization wants to keep every single security technology that they use on-premise after they move to the public cloud. The list can be very long and tedious; it may include such staples as firewalls, anti-malware, SIEM, EDR, NIDS, and even network forensics and NDR. Let’s ponder this situation without judgement.

Usage Scenarios for Externalized Trust

Anton on Security

As we discussed in “The Cloud trust paradox: To trust cloud computing more, you need the ability to trust it less” , there are situations where the encryption key really does belong off the cloud and so trust is externalized. While we argue that these are rarer than some assume, they absolutely do exist. Moreover, when these situations materialize, the data in question or the problem being solved is typically hugely important for an organization.

Anton’s Security Blog Quarterly Q3.5 2020

Anton on Security

Sometimes great old blog posts are hard to find (especially on Medium), so I decided to do a periodic (who am I kidding, occasional — not periodic) list blog with my favorite posts of the past quarter or so. Here is my first. The posts below are ranked by lifetime views and topic. It covers both Anton on Security and my posts from the Google Cloud blog.

Hearing from CISOs at Google Cloud and Beyond

Anton on Security

Security continues to be a top concern for cloud customers, and therefore continues to be a driver of our business at Google Cloud. However, specific security priorities vary wildly by vertical, by organization size, and by many other factors. In fact, many “CISO priorities lists” are floating out there online and many people claim to know “what CISOs want.”


From Google Cloud Blog: “Improving security, compliance, and governance with cloud-based DLP data…

Anton on Security

From Google Cloud Blog: “Improving security, compliance, and governance with cloud-based DLP data discovery” So, I’ve been doing some blogging at the Google Cloud blog with most posts connected to products, launches, etc. However, I am also doing a fun blog series on DLP in the cloud. Blog 1 is here, and blog 2 is here — you can also see a long quote from the second one below.

Anton’s Security Blog Quarterly Q3 2021

Anton on Security

Sometimes great old blog posts are hard to find (especially on Medium), so I decided to do a periodic list blog with my favorite posts over the past quarter. Here is the next one. The posts below are ranked by lifetime views. This covers both Anton on Security and my posts from the Google Cloud blog, and now our Cloud Security Podcast too! Top 5 most popular posts of all time: “Security Correlation Then and Now: A Sad Truth About SIEM” “Can We Have “Detection as Code”?” “New

The European Parliament Voted to Ban Remote Biometric Surveillance

Schneier on Security

It’s not actually banned in the EU yet — the legislative process is much more complicated than that — but it’s a step: a total ban on biometric mass surveillance.

What Happened to Facebook, Instagram, & WhatsApp?

Krebs on Security

Facebook and its sister properties Instagram and WhatsApp are suffering from ongoing, global outages.

Missouri Governor Vows to Prosecute St. Louis Post-Dispatch for Reporting Security Vulnerability

Krebs on Security

On Wednesday, the St. Louis Post-Dispatch ran a story about how its staff discovered and reported a security vulnerability in a Missouri state education website that exposed the Social Security numbers of 100,000 elementary and secondary teachers. In a press conference this morning, Missouri Gov.

Airline Passenger Mistakes Vintage Camera for a Bomb

Schneier on Security

I feel sorry for the accused: The “security incident” that forced a New York-bound flight to make an emergency landing at LaGuardia Airport on Saturday turned out to be a misunderstanding — after an airline passenger mistook another traveler’s camera for a bomb, sources said Sunday.


Check What Information Your Browser Leaks

Schneier on Security

These two sites tell you what sorts of information you’re leaking from your browser.


Security Risks of Client-Side Scanning

Schneier on Security

Even before Apple made its announcement , law enforcement shifted their battle for backdoors to client-side scanning. The idea is that they wouldn’t touch the cryptography, but instead eavesdrop on communications and systems before encryption or after decryption.


A Death Due to Ransomware

Schneier on Security

The Wall Street Journal is reporting on a baby’s death at an Alabama hospital in 2019, which they argue was a direct result of the ransomware attack the hospital was undergoing.

FBI Had the REvil Decryption Key

Schneier on Security

The Washington Post reports that the FBI had a decryption key for the REvil ransomware, but didn’t pass it along to victims because it would have disrupted an ongoing operation. The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack.

More on Apple’s iPhone Backdoor

Schneier on Security

In this post, I’ll collect links on Apple’s iPhone backdoor for scanning CSAM images. Previous links are here and here. Apple says that hash collisions in its CSAM detection system were expected, and not a concern.

Zero-Click iMessage Exploit

Schneier on Security

Citizen Lab released a report on a zero-click iMessage exploit that is used in NSO Group’s Pegasus spyware. Apple patched the vulnerability; everyone needs to update their OS immediately. News articles on the exploit.

Apple’s NeuralHash Algorithm Has Been Reverse-Engineered

Schneier on Security

Apple’s NeuralHash algorithm — the one it’s using for client-side scanning on the iPhone — has been reverse-engineered. Turns out it was already in iOS 14.3,

Surveillance of the Internet Backbone

Schneier on Security

Vice has an article about how data brokers sell access to the Internet backbone. This is netflow data. It’s useful for cybersecurity forensics, but can also be used for things like tracing VPN activity. At a high level, netflow data creates a picture of traffic flow and volume across a network.
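What "a picture of traffic flow and volume" means in practice is easier to see on a handful of flow records than in prose. The block below is an added example, not code from the post or the Vice article: the records are constructed (not captured netflow), the field layout is a simplified v5-style tuple chosen for illustration, and the one-hour threshold for "long-lived" is an assumption. It merges unidirectional records into conversations, totals bytes per host, and picks out long-lived sessions to a single remote address, which is the shape a tunnel presents at the flow level (flow data alone cannot prove what is inside it).

```python
"""Summarising unidirectional flow records into conversations and volumes.

Added example, not from the post or the article it links. Records are
constructed; the layout is a simplified netflow-v5-style tuple.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: int      # epoch seconds (assumed units)
    end: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    packets: int
    bytes: int


# Constructed sample: two hosts fetching a web page, plus one hour-long
# UDP/443 session from 10.0.0.5 to a single remote address.
SAMPLE = [
    Flow(1000, 1002, "10.0.0.5", 51000, "93.184.216.34", 443, 6, 12, 2400),
    Flow(1000, 1002, "93.184.216.34", 443, "10.0.0.5", 51000, 6, 10, 9000),
    Flow(1000, 4600, "10.0.0.5", 40000, "203.0.113.7", 443, 17, 30000, 24000000),
    Flow(1000, 4600, "203.0.113.7", 443, "10.0.0.5", 40000, 17, 45000, 52000000),
    Flow(1500, 1501, "10.0.0.9", 52000, "93.184.216.34", 443, 6, 8, 1200),
]


def conversation_key(f):
    """Order the endpoints so both directions of a flow map to one key."""
    a = (f.src, f.sport)
    b = (f.dst, f.dport)
    lo, hi = sorted([a, b])
    return (lo, hi, f.proto)


def conversations(flows):
    """Merge unidirectional records into bidirectional conversations,
    keeping the earliest start, latest end, and summed volume."""
    convs = {}
    for f in flows:
        c = convs.setdefault(conversation_key(f),
                             {"start": f.start, "end": f.end, "bytes": 0, "packets": 0})
        c["start"] = min(c["start"], f.start)
        c["end"] = max(c["end"], f.end)
        c["bytes"] += f.bytes
        c["packets"] += f.packets
    return convs


def bytes_per_host(flows):
    """Total bytes sent and received per address, in either role."""
    out = defaultdict(lambda: {"sent": 0, "received": 0})
    for f in flows:
        out[f.src]["sent"] += f.bytes
        out[f.dst]["received"] += f.bytes
    return dict(out)


def long_lived(convs, min_seconds=3600):
    """Conversation keys whose observed duration is at least min_seconds.
    Flow exporters usually split long sessions into several records, so in
    real data you would merge on the 5-tuple across records first, which
    conversations() already does."""
    return [k for k, c in convs.items() if c["end"] - c["start"] >= min_seconds]


if __name__ == "__main__":
    convs = conversations(SAMPLE)
    for k, c in convs.items():
        print(k, c)
    print(bytes_per_host(SAMPLE))
    print("long-lived:", long_lived(convs))
```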

ProtonMail Now Keeps IP Logs

Schneier on Security

After being compelled by a Swiss court to monitor IP logs for a particular user, ProtonMail no longer claims that “we do not keep any IP logs.”

Tracking Stolen Cryptocurrencies

Schneier on Security

Good article about the current state of cryptocurrency forensics.