Anton on Security

DECEMBER 8, 2023

In recent weeks, coincidentally, I’ve had several conversations that reminded me about the confusion related to “modern SOC.” Some of them were public ( example and example ), while others private. One particular person went on a quest through several “leading” companies’ security operations to see how they have implemented a “modern” SOC. However, what she found was a lot of companies improving on the classic model, with visible elements of NOC and help desk “DNA” showing (bye-bye 1990s, hi 198

Engineering 130

Engineering Phishing 130

Anton on Security

DECEMBER 1, 2023

This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. In this blog (#6 in the series), we will covers some DOs and DON’Ts regarding TI/CTI and DE interaction and continue building the TI -> DE process machinery Detection Engineering is Painful — and It Shouldn’t Be (Part 1) Detection Engineering and SOC Scalability Challenges (Part 2) Build for Detection Engineering, and Alerting Will Improve (Part 3) Focu

Engineering 130

Engineering Unstructured Data Cybersecurity Architecture 130

Anton on Security

NOVEMBER 6, 2023

Frankly, not sure why I am writing this, I get a sense that this esoteric topic is of interest to a very small number of people. But hey … LinkedIn made me do it :-) And many of those few people are my friends or at least close industry peers. So, the topic is so-called “decoupled SIEM” (I probably made up the term, but …hey… at least this is not an acronym like EDR so YMMV).

Engineering 245

Engineering Data collection Threat Detection Technology 245

Anton on Security

NOVEMBER 2, 2023

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our eighth Threat Horizons Report ( full version ) that we just released ( the official blog for #1 report , my unofficial blogs for #2 , #3 , #4 , #5 , #6 and #7 ). My favorite quotes from the report follow below: “The cloud compromise factors and outcomes observed in Q2 2023 were largely similar to previous quarters and consistent with the last 12 months of reporting. […]

Cybersecurity 130

Cybersecurity Healthcare Account Security Accountability 130

Anton on Security

NOVEMBER 1, 2023

This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. In this blog (#5 in the series), we will build a quick “framework-lite” for making CTI to DE flows better. Detection Engineering is Painful — and It Shouldn’t Be (Part 1) Detection Engineering and SOC Scalability Challenges (Part 2) Build for Detection Engineering, and Alerting Will Improve (Part 3) Focus Threat Intel Capabilities at Detection Engineering (

Engineering 147

Engineering Architecture Cyber threats Threat Detection 147

Anton on Security

OCTOBER 18, 2023

This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. In this blog (#4 in the series), we will start to talk about the elephant in the room: how intel becomes detections (and, no, it is not trivial) Detection Engineering is Painful — and It Shouldn’t Be (Part 1) Detection Engineering and SOC Scalability Challenges (Part 2) Build for Detection Engineering, and Alerting Will Improve (Part 3) Detection Engineers

Engineering 130

Engineering Threat Detection Threat Reports Passwords 130

Anton on Security

OCTOBER 12, 2023

This blog was born from two parents: my never-finished blog on why relying on heroism in a Security Operations Center (SOC) is bad and Phil Venables “superb+” blog titles “Delivering Security at Scale: From Artisanal to Industrial.” BTW, what is heroism? Isn’t that a good thing ? Well, an ancient SRE deck defines “IT heroism” as relying on “individuals taking upon themselves to make up for a systemic problem.

Engineering 130

Engineering 130

Anton on Security

SEPTEMBER 28, 2023

This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. In this blog (#3 in the series), we will start to define and refine our detection engineering machinery to avoid the problems covered in Parts 1 and 2. Detection Engineering is Painful — and It Shouldn’t Be (Part 1) Detection Engineering and SOC Scalability Challenges (Part 2) Adopting detection engineering practices should have a roadmap and eventually bec

Engineering 246

Engineering Education Government Threat Detection 246

Anton on Security

SEPTEMBER 21, 2023

This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. This post is our second installment in the “Threats into Detections — The DNA of Detection Engineering” series, where we explore the challenges of detection engineering in more detail — and where threat intelligence plays (and where some hope appears … but you need to wait for Part 3 for this!

Engineering 221

Engineering Threat Detection Marketing Internet 221

Anton on Security

SEPTEMBER 13, 2023

As you may have noticed, we have released a new paper on securing AI. I want to share a few additional things here on top our official launch blog. src: [link] For a few years (so, yes, I did start before the ChatGPT launch, if you have to ask…), I’ve been a little obsessed about the differences between securing AI systems and securing any other complex enterprise data-intensive systems (please see this blog and podcasts that are mentioned there).

Artificial Intelligence 130

Artificial Intelligence CISO Software Government 130

Anton on Security

SEPTEMBER 7, 2023

Detection Engineering is Painful — and It Shouldn’t Be (Part 1) This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. This post is our first installment in the “Threats into Detections — The DNA of Detection Engineering” series, where we explore opportunities and shortcomings in the brand new world of Detection Engineering.

Engineering 113

Engineering Software Malware 113

Anton on Security

SEPTEMBER 6, 2023

“Threat-informed Defense Is Hard …” Cross-post for Safekeeping Medium frowns at re-/cross-posting, so this should work: Threat-informed Defense Is Hard, So We Are Still Not Doing It! Enjoy! “Threat-informed Defense Is Hard …” Cross-post for Safekeeping was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

Cybersecurity 113

Cybersecurity 113

Anton on Security

AUGUST 30, 2023

So, if you are too busy to read our amazing (duh!) new blog “Revisiting Traditional Security Advice for Modern Threats” , here are the key ideas from it. At some point, a “pre-owned” (compromised before you ever saw it) email security appliance , firewall, or a piece of software will show up in your environment (you no longer need to be this elite for it; it ain’t 2013).

Firewall 130

Firewall Software Threat Detection Cybersecurity 130

Anton on Security

AUGUST 9, 2023

Great blog posts are sometimes hard to find (especially on Medium ), so I decided to do a periodic list blog with my favorite posts of the past quarter or so. Here is the next one. The posts below are ranked by lifetime views. This covers both Anton on Security and my posts from Google Cloud blog , and our Cloud Security Podcast too ( subscribe ). Top 6 most popular posts of all times (these ended up being the same as last quarter, and a few quarters before) : “Security Correlation Then and Now:

Threat Detection 130

Threat Detection Cloud Migration Encryption CISO 130

Anton on Security

AUGUST 8, 2023

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our seventh Threat Horizons Report ( full version ) that we just released ( the official blog for #1 report , my unofficial blogs for #2 , #3 , #4 , #5 and #6 ). My favorite quotes from the report follow below: Src: Google Cloud Threat Horizons #7 “Credential issues continue to be a consistent challenge, accounting for over 60% of compromise factors” [A.C. — again, file und

Cybersecurity 130

Cybersecurity Accountability Mobile Ransomware 130

Anton on Security

JUNE 29, 2023

So I woke up the other day [A.C. — well, the other year as this blog has lingered ] with the scary thought: what if we will run out of the opportunities to centralize logs for security (and compliance) purposes at some point in the future. Or, as I pithily put it on Twitter: ( source ) So I wrote some of this and kinda forgot about it for a few months.

Media 130

Media Technology 130

Anton on Security

JUNE 2, 2023

Using Cloud Securely — The Config Doom Question First, “Use Cloud Securely? What Does This Even Mean?!” and “How to Solve the Mystery of Cloud Defense in Depth?” (and “Where Does Shared Responsibility Model for Security Breaks in the Real World?” too) would make for good “recommended reading” here. Use Cloud Securely? What Does This Even Mean?! At this point, it is clear that most discussions on using cloud securely or secure use of cloud computing include the dreaded configuration question — or

Cloud Migration 113

Cloud Migration Data breaches Social Engineering CISO 113

Anton on Security

MAY 24, 2023

I am not an AI security expert (I hear there are very few of those around ). I am essentially a motivated amateur learner in AI security … and I would even trust Bard advice on Artificial Intelligence security (well, that’s a joke — still, you can see what it says anyhow) (Bard, 5/2023) However I was a pretty good analyst , and some say that this is kinda a minor superpower :-) So, in this post, I will share some things that puzzle me in this emerging domain, and I will use the 3 podcast episode

Artificial Intelligence 130

Artificial Intelligence CISO Risk Marketing 130

Anton on Security

MAY 15, 2023

Great blog posts are sometimes hard to find (especially on Medium ), so I decided to do a periodic list blog with my favorite posts of the past quarter or so. Here is the next one. The posts below are ranked by lifetime views. This covers both Anton on Security and my posts from Google Cloud blog , and our Cloud Security Podcast too ( subscribe ). Top 5 most popular posts of all times (these ended up being the same as last quarter, and the quarter before) : “Security Correlation Then and Now: A

Threat Detection 147

Threat Detection Cloud Migration Encryption CISO 147

Anton on Security

MAY 5, 2023

Security business is booming! Reportedly 38K people showed up for RSA 2023, and 600+ vendors did too. It is very clear from observing the large booths of many vendors (including some that are doing well unexpectedly ) that “there is lots of money in cyberland.” As somebody cynically pointed out to me, a huge booth at the RSA conference doesn’t indicate that the company is doing well — it only indicates that it was doing well 6–8 months ago when they paid for the booth … This aside, it is very cl

Artificial Intelligence 130

Artificial Intelligence Threat Detection Marketing Cybersecurity 130

Anton on Security

MAY 4, 2023

As we learned , SIEM still matters in 2023. Debating SIEM in 2023, Part 1 Debating SIEM in 2023, Part 2 But since one winter day in 2002, when I wrote my first correlation rule for a now-defunct “SIM” product (probably “if 10 auth_failures, followed by 1 auth_success on the same destination, alert” or perhaps “ exploit followed by outbound connection from the same system, alert ” , but I truly don’t remember which one was first), I have been bothered with a question of what I am actually doing w

Engineering 130

Engineering Threat Detection Education Software 130

Anton on Security

APRIL 20, 2023

The famous Mandiant 2023 M-Trends (NOT G-Trends, mind you…) report is out, and here are some of the things that I found to be surprising and NOT surprising :-) Mandiant M-Trends 2023 Detection by Source SURPRISING “Mandiant experts note a decrease in the percentage of global intrusions involving ransomware between 2021 and 2022. In 2022, 18% of intrusions involved ransomware compared to 23% in 2021” [A.C. — wow, ransomware is finally declining!

Social Engineering 130

Social Engineering Ransomware Cybercrime Cybersecurity 130

Anton on Security

APRIL 13, 2023

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our sixth Threat Horizons Report ( full version ) that we just released ( the official blog for #1 report , my unofficial blogs for #2 , #3 , #4 and #5 ). My favorite quotes from the report follow below: “Our research has shown that the most common vector used to compromise any network, including cloud instances is to take over an account’s credentials directly : either bec

Cybersecurity 221

Cybersecurity Passwords Accountability Ransomware 221

Anton on Security

MARCH 28, 2023

So, we went through “Debating SIEM in 2023, Part 1” , now let’s debate a bit more. At this point, everybody who didn’t “rage stop” reading it should be convinced that yes, SIEM does matter in 2023. Debating SIEM in 2023, Part 1 But why? I bet the views on why SIEM matters differ a lot. So let’s dive into this! Let’s start with this: why should anyone buy an SIEM tool in 2023?

Threat Detection 100

Threat Detection Banking Technology Risk 100

Anton on Security

MARCH 6, 2023

Cloud D&R Report (2023) One of the mysteries of detection and response (D&R) is about how companies really approach D&R in the public cloud. So we did a survey focused on this, and we actually polled both leaders and technologists. “Our State of Cloud Threat Detection and Response report summarizes the survey responses of 400 security leaders and SecOps practitioners in North America regarding the capabilities, practices, and behaviors of protecting against, identifying, and remediat

Threat Detection 246

Threat Detection Risk 246

Anton on Security

MARCH 1, 2023

Hey, it is 2023, let’s debate SIEM again! Debate SIEM? In 2023? This is so 1997! Or perhaps 2017. Anyhow, Security Information and Event Management (SIEM) is a growing $4+B market that is proving remarkably resilient, and, actually, interesting again. Let’s start with an obligatory AI response: (source: Bard ) Let’s proceed with a just-as-obligatory Gartner quote: “The SIEM market is maturing at a rapid pace and continues to be extremely competitive.

Marketing 233

Marketing Technology 233

Anton on Security

FEBRUARY 14, 2023

This post continues the discussion started in “Use Cloud Securely? What Does This Even Mean?!” and focuses on an area that should be easy for every purported security professional —  defense in depth. So, before reading further, ask yourself two questions: Do you understand the concept of “defense in depth” (DiD) in security? Do you understand how DiD applies in public cloud environments?

Firewall 100

Firewall Architecture Security Awareness Network Security 100

Anton on Security

FEBRUARY 10, 2023

Great blog posts are sometimes hard to find (especially on Medium ), so I decided to do a periodic list blog with my favorite posts of the past quarter or so. Here is the next one. The posts below are ranked by lifetime views. This covers both Anton on Security and my posts from Google Cloud blog , and our Cloud Security Podcast too ( subscribe ). Top 5 most popular posts of all times (these ended up being the same as last quarter) : “Security Correlation Then and Now: A Sad Truth About SIEM” “C

Threat Detection 100

Threat Detection Cloud Migration Encryption CISO 100

Anton on Security

JANUARY 3, 2023

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our fifth Threat Horizons Report ( full version ) that we just released ( the official blog for #1 report , my unofficial blogs for #2 , #3 and #4 ). My favorite quotes from the report follow below: “ Identity and trust relationships in and between cloud environments will continue to get more complex, challenging visibility and enabling threat actors to have wider and deepe

Cybersecurity 185

Cybersecurity Backups DDOS Accountability 185

Anton on Security

DECEMBER 22, 2022

Cloud Security Podcast — Two Years Later or Our Year-End Reflections for 2022! We have been running our Cloud Security Podcast by Google for almost 2 years ( TWO YEARS! ) and since we are on a break now, I wanted to reflect a bit, while Tim is relaxing on a beach somewhere warm and “ hammy” ? So, we aired 102 episodes, but what was new in 2022? We explored a few new areas of cloud security.

Cloud Migration 26

Cloud Migration CISO Artificial Intelligence Architecture 26

Anton on Security

DECEMBER 15, 2022

In recent weeks, I did two fun webinars related to Security Operations, and there was a lot of fun Q&A. The questions below are sometimes slighting edited for clarity, typos, etc. For extra fun, I had ChatGPT answer some of them, to see if it can replace me :-) So, first, ISACA webinar “Modernize Your SOC for the Future” focused on our Autonomic Security Operations vision.

Engineering 312

Engineering Risk Technology Information Security 312

Anton on Security

NOVEMBER 21, 2022

This quick blog is essentially a summary of our (joint with Marshall from Mandiant ) Google Cloud Next 2022 conference presentation ( video ) and a pointer to a just-released podcast on the same topic?—?security incident response (IR) in public cloud. In our Next presentation , we only had 18.5 minutes to present a few fun and insightful things about security incident response in the cloud.

Data preservation 100

Data preservation Technology 100

Anton on Security

NOVEMBER 17, 2022

As we discussed in our blogs, “ Achieving Autonomic Security Operations: Reducing toil ”, “ Achieving Autonomic Security Operations: Automation as a Force Multiplier ,” “Achieving Autonomic Security Operations: Why metrics matter (but not how you think)” , and the latest “More SRE Lessons for SOC: Release Engineering Ideas” your Security Operations Center (SOC) can learn a lot from what IT ops discovered during the Site Reliability Engineering (SRE) and DevOps revolution.

Engineering 100

Engineering Software Data collection Architecture 100

Anton on Security

NOVEMBER 11, 2022

An influential Gartner paper stated many years ago that “Clouds Are Secure: Are You Using Them Securely?” So began the legend of cloud security vs secure clouds. When I was an analyst, we sometimes had to discuss with clients whether various providers of public cloud services are “secure.” Over time, these discussions dwindled to a small trickle as clients ultimately saw enough evidence that cloud infrastructure is indeed radically more secure than most data centers.

Risk 100

Risk Cybersecurity 100

Anton on Security

NOVEMBER 7, 2022

Great blog posts are sometimes hard to find (especially on Medium ), so I decided to do a periodic list blog with my favorite posts of the past quarter or so. Here is the next one. The posts below are ranked by lifetime views. This covers both Anton on Security and my posts from Google Cloud blog , and our Cloud Security Podcast too ( subscribe ). Top 5 most popular posts of all times (these ended up being the same as last quarter) : “Security Correlation Then and Now: A Sad Truth About SIEM” “C

Threat Detection 223

Threat Detection Cloud Migration Encryption CISO 223

Anton on Security

OCTOBER 20, 2022

Why Your Security Data Lake Project Will … Well, Actually … Long story why but I decided to revisit my 2018 blog titled “Why Your Security Data Lake Project Will FAIL!” That post was very fun to write and it continued to generate reactions over the years (like this one ). Just as I did when I revisited my 2015 SOC nuclear triad blog in 2020 , I wanted to check if my opinions, views and positions from that time are still correct (spoiler: not exactly…) As a reminder, the post stated that most org

Big data 202

Big data Threat Detection Software Technology 202

Anton on Security

OCTOBER 17, 2022

This blog is written jointly with Konrads Klints. TL;DR: Migration from one SIEM to another raises the question of what to do with all the data in the old SIEM. A traditional approach was to let the old SIEM hardware languish until its data was no longer required. When migrating from a cloud-based SIEM “A” to another cloud-based SIEM “B”, you have to contend that data is not easily transferable across SIEMs and/or that there will be significant data retention costs with the old SIEM (if you keep

Engineering 100

Engineering Technology Software Education 100