RSA 2025: AI's Promise vs. Security's Past, A Reality Check. Ah, RSA. That yearly theater (Carnival? Circus? Orgy? Got any better synonyms, Gemini?) of 44,000 people vaguely (hi salespeople!) related to cybersecurity where the air is thick with buzzwords and the vendor halls echo with promises of a massive revolution every year. Gemini imagines RSA 2025 (very tame!
Amazingly, Medium has fixed the stats so my blog/podcast quarterly is back to life. As before, this covers both Anton on Security and my posts from Google Cloud blog, and our Cloud Security Podcast (subscribe). Dall-E security blogging image Top 10 posts with the most lifetime views (excluding paper announcement blogs, Medium posts only): Security Correlation Then and Now: A Sad Truth About SIEM Can We Have Detection as Code?
Flickering screens, a sickly, yellow glow. Humming servers, a constant, low thrum of digital malaise. Alerts screamed into the void, a cacophony of meaningless noise, lost in the echoing expanse of our digital tomb. Playbooks, relics of a forgotten war, their pages yellowed and brittle, offered no solace, only a hollow echo of outdated procedures. We were digital ghosts, sorting through the digital detritus of a network that had long since abandoned us.
A fair-weather SOC by MetaAI Do you have a fair-weather friend? Or two? Fair weather friend (via Google) OK, do you also have a fair-weather SOC? This train of thought was inspired by reading pilot forums about how some training approaches lead to fair weather pilots who perform well in all cases except real emergencies. Anyhow, let me stop with this because this is not my area; it only triggered the ideation process for me.
Unfortunately, I am old enough to remember how SIEM was done before the arrival of threat intelligence feeds. We had to write broad behavioral (well, behavioral-ish, if I am totally honest) rules without relying on any precise knowledge of attacker infrastructure and details of their operations (IF event_type=exploit FOLLOWED BY event_type=config_change ON the same machine THEN alert).
[written together with Marina Kaganovich, Executive Trust Lead, Office of the CISO @ Google Cloud; originally posted here] In 2024, we shared our insights on how to approach generative AI securely by exploring the fundamentals of this innovative technology, delving into key security terms, and examining the essential policies needed for AI governance.
image by Meta.AI lampooning humanless SOC My former colleagues have written several serious pieces of research about why a SOC without humans will never happen ( Predict 2025: There Will Never Be an Autonomous SOC , The Autonomous SOC Is A Pipe Dream , Stop Trying To Take Humans Out Of Security Operations ). But I wanted to write a funny companion to this called How to Talk to Idiots Who Believe in Humanless SOC.
This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our next Threat Horizons Report, #11 (full version) that we just released (the official blog for #1 report, my unofficial blogs for #2, #3, #4, #5, #6, #7, #8, #9 and #10). My favorite quotes from the report follow below: Nearly half (46.4%) of the observed security alerts were due to overprivileged service accounts.
After a long, long, long writing effort, eh, break, we are ready with our 5th Deloitte and Google Cloud Future of the SOC paper Future of SOC: Transform the How. As a reminder (and I promise you do need it; it has been years), the previous 4 papers are: New Paper: Future of the SOC: Evolution or Optimization: Choose Your Path (Paper 4 of 4.5) [please consider rereading this before reading the new one!
Amazingly, Medium has fixed the stats so my blog/podcast quarterly is back to life. As before, this covers both Anton on Security and my posts from Google Cloud blog, and our Cloud Security Podcast (subscribe). Meta AI creation, steampunk theme Top 10 posts with the most lifetime views (excluding paper announcement blogs): Security Correlation Then and Now: A Sad Truth About SIEM Can We Have Detection as Code?
[link] A few weeks ago, our podcast turned 200 ! In this case, we are talking about episodes, not years. We (that is, Tim Peacock and myself) definitely feel like we have to say something humorous, pithy, and uniquely insightful about this! Contrary to our previous commemorative blogs , we decided to focus on our favorite episodes. We’ve always published the top rankings and tops by category , and you can see our most popular episodes below, but we also wanted to cover our informal favorites.
Mention “alert fatigue” to a SOC analyst. They would immediately recognize what you are talking about. Now, take your time machine to 2002. Find a SOC analyst (much fewer of those around, to be sure, but there are some!) and ask him about alert fatigue — he would definitely understand what the concern is. Now, crank up your time machine all the way to 11 and fly to the 1970s where you can talk to some of the original NOC analysts.
Many organizations are looking for trusted advisors , and this applies to our beloved domain of cyber/information security. If you look at LinkedIn, many consultants present themselves as trusted advisors to CISOs or their teams. Untrusted Advisor by Dall-E via Copilot This perhaps implies that nobody wants to hire an untrusted advisor. But if you think about it, modern LLM-powered chatbots and other GenAI applications are essentially untrusted advisors (RAG and fine-tuning notwithstanding).
Amazingly, Medium has fixed the stats so my blog/podcast quarterly is back to life. As before , this covers both Anton on Security and my posts from Google Cloud blog , and our Cloud Security Podcast ( subscribe ). Dall-E via Copilot, prompt “security blog quarterly, steampunk” Top 7 posts with the most lifetime views (excluding paper announcement blogs): Security Correlation Then and Now: A Sad Truth About SIEM (2019!
So some of you are thinking “ewwww … another security transformation paper” and this is understandable. A lot of people (and now … a lot of robots too) have written vague, hand-wavy “leadership” papers on how to transform security, include security into digital transformation or move to the cloud (now with GenAI!) the “right” way, while reaping all the benefits and suffering none of the costs.
Do I go to my Cloud Service Provider (CSP) for cloud security tooling or to a third party vendor? Who will secure my cloud use, a CSP or a focused specialty vendor? Who is my primary cloud security tools provider? This question asked in many ways has haunted me since my analyst days , and I’ve been itching for a good, fiery debate on this. So, we did this on our Cloud Security Podcast by Google where the co-hosts divided the positions, researched the arguments in advance of the debate and then j
This is not a blog about the recent upheaval in the magical realm of SIEM. We have a perfectly good podcast / video about it (complete with hi-la-ri-ous XDR jokes, both human and AI created). This is about something that bothered me for a long time (since my Gartner days ) and I finally figured out how to solve this complicated problem. Of course, the answer is … A TWITTER POLL!
Moderately relevant AI made image about AI papers :-) steampunk ofc! Recently our team has written several papers and blogs focused on securing AI. What you will not see in these papers is anything to do with robot rebellion or some such long-term potential threats. We also don’t touch on responsible AI and AI ethics because frankly there are many (and I mean … MANY!
Pondering ?DR This is the blog where I really (briefly) miss my analyst life and my “awesome+” peers like Augusto and Anna. It relies on ideas and comments from my past collaborators … and my current ones. And, yes, this blog was inspired by a hallway conversation at a conference that took place more than a year ago :-( So, the question: When and where do you need a “<domain>DR” tool for its own technology domain?
This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. In this blog (#7 in the series), we will cover more details on the TI to detection flow, and stop (for Part 8) at testing. Detection Engineering is Painful — and It Shouldn’t Be (Part 1) Detection Engineering and SOC Scalability Challenges (Part 2) Build for Detection Engineering, and Alerting Will Improve (Part 3) Focus Threat Intel Capabilities at Detectio
This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our seventh Threat Horizons Report ( full version ) that we just released ( the official blog for #1 report , my unofficial blogs for #2 , #3 , #4 , #5 , #6 , #7 and #8 ). My favorite quotes from the report follow below: “ Credential abuse resulting in cryptomining remains a persistent issue , with threat actors continuing to exploit weak or nonexistent passwords to gain un
This is cross-posted from Google Cloud Community site , and written jointly with Dave Herrald. If you are like us, you may be surprised that, in 2024, traditional security information and event management (SIEM) systems are still the backbone of most security operations centers (SOC). SIEMs are used for collecting and analyzing security data from across your organization to help you identify and respond to threats quickly and effectively.
New Paper: “Future of the SOC: Evolution or Optimization — Choose Your Path” (Paper 4 of 4.5) After a long, long, long writing effort break, we are ready with our 4th Deloitte / Google Future of the SOC paper “Future of the SOC: Evolution or Optimization — Choose Your Path” ( alternative URL ) As a reminder (and I promise you do need it; it has been years), the previous 3 papers are: “New Paper: “Future of the SOC: Forces shaping modern security operations” (Paper 1 of 4)” “New Paper: “Future of
So, we ( Tim and Anton , the crew behind the podcast ) wanted to post another reflections blog based on our Cloud Security Podcast by Google being almost 3 (we will be 3 years old on Feb 11, 2024, to be precise), kind of similar to this one. But we realized we don’t have enough new profound reflections…. We do have a few fun new things! So, what did we do differently in 2023?
In recent weeks, coincidentally, I’ve had several conversations that reminded me about the confusion related to “modern SOC.” Some of them were public ( example and example ), while others private. One particular person went on a quest through several “leading” companies’ security operations to see how they have implemented a “modern” SOC. However, what she found was a lot of companies improving on the classic model, with visible elements of NOC and help desk “DNA” showing (bye-bye 1990s, hi 198
This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. In this blog (#6 in the series), we will cover some DOs and DON’Ts regarding TI/CTI and DE interaction and continue building the TI -> DE process machinery. Detection Engineering is Painful — and It Shouldn’t Be (Part 1) Detection Engineering and SOC Scalability Challenges (Part 2) Build for Detection Engineering, and Alerting Will Improve (Part 3) Focu
Frankly, not sure why I am writing this, I get a sense that this esoteric topic is of interest to a very small number of people. But hey … LinkedIn made me do it :-) And many of those few people are my friends or at least close industry peers. So, the topic is so-called “decoupled SIEM” (I probably made up the term, but …hey… at least this is not an acronym like EDR so YMMV).
This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our eighth Threat Horizons Report ( full version ) that we just released ( the official blog for #1 report , my unofficial blogs for #2 , #3 , #4 , #5 , #6 and #7 ). My favorite quotes from the report follow below: “The cloud compromise factors and outcomes observed in Q2 2023 were largely similar to previous quarters and consistent with the last 12 months of reporting. […]
This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. In this blog (#5 in the series), we will build a quick “framework-lite” for making CTI to DE flows better. Detection Engineering is Painful — and It Shouldn’t Be (Part 1) Detection Engineering and SOC Scalability Challenges (Part 2) Build for Detection Engineering, and Alerting Will Improve (Part 3) Focus Threat Intel Capabilities at Detection Engineering (
This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. In this blog (#4 in the series), we will start to talk about the elephant in the room: how intel becomes detections (and, no, it is not trivial) Detection Engineering is Painful — and It Shouldn’t Be (Part 1) Detection Engineering and SOC Scalability Challenges (Part 2) Build for Detection Engineering, and Alerting Will Improve (Part 3) Detection Engineers
This blog was born from two parents: my never-finished blog on why relying on heroism in a Security Operations Center (SOC) is bad and Phil Venables’ “superb+” blog titled “Delivering Security at Scale: From Artisanal to Industrial.” BTW, what is heroism? Isn’t that a good thing? Well, an ancient SRE deck defines “IT heroism” as relying on “individuals taking upon themselves to make up for a systemic problem.
This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. In this blog (#3 in the series), we will start to define and refine our detection engineering machinery to avoid the problems covered in Parts 1 and 2. Detection Engineering is Painful — and It Shouldn’t Be (Part 1) Detection Engineering and SOC Scalability Challenges (Part 2) Adopting detection engineering practices should have a roadmap and eventually bec
This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. This post is our second installment in the “Threats into Detections — The DNA of Detection Engineering” series, where we explore the challenges of detection engineering in more detail — and where threat intelligence plays (and where some hope appears … but you need to wait for Part 3 for this!
As you may have noticed, we have released a new paper on securing AI. I want to share a few additional things here on top of our official launch blog. src: [link] For a few years (so, yes, I did start before the ChatGPT launch, if you have to ask…), I’ve been a little obsessed about the differences between securing AI systems and securing any other complex enterprise data-intensive systems (please see this blog and podcasts that are mentioned there).
Detection Engineering is Painful — and It Shouldn’t Be (Part 1) This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. This post is our first installment in the “Threats into Detections — The DNA of Detection Engineering” series, where we explore opportunities and shortcomings in the brand new world of Detection Engineering.
“Threat-informed Defense Is Hard …” Cross-post for Safekeeping Medium frowns at re-/cross-posting, so this should work: Threat-informed Defense Is Hard, So We Are Still Not Doing It! Enjoy! “Threat-informed Defense Is Hard …” Cross-post for Safekeeping was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.
So, if you are too busy to read our amazing (duh!) new blog “Revisiting Traditional Security Advice for Modern Threats” , here are the key ideas from it. At some point, a “pre-owned” (compromised before you ever saw it) email security appliance , firewall, or a piece of software will show up in your environment (you no longer need to be this elite for it; it ain’t 2013).
Great blog posts are sometimes hard to find (especially on Medium ), so I decided to do a periodic list blog with my favorite posts of the past quarter or so. Here is the next one. The posts below are ranked by lifetime views. This covers both Anton on Security and my posts from Google Cloud blog , and our Cloud Security Podcast too ( subscribe ). Top 6 most popular posts of all times (these ended up being the same as last quarter, and a few quarters before) : “Security Correlation Then and Now:
This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our seventh Threat Horizons Report ( full version ) that we just released ( the official blog for #1 report , my unofficial blogs for #2 , #3 , #4 , #5 and #6 ). My favorite quotes from the report follow below: Src: Google Cloud Threat Horizons #7 “Credential issues continue to be a consistent challenge, accounting for over 60% of compromise factors” [A.C. — again, file und
So I woke up the other day [A.C. — well, the other year as this blog has lingered ] with the scary thought: what if we will run out of the opportunities to centralize logs for security (and compliance) purposes at some point in the future. Or, as I pithily put it on Twitter: ( source ) So I wrote some of this and kinda forgot about it for a few months.
Using Cloud Securely — The Config Doom Question First, “Use Cloud Securely? What Does This Even Mean?!” and “How to Solve the Mystery of Cloud Defense in Depth?” (and “Where Does Shared Responsibility Model for Security Breaks in the Real World?” too) would make for good “recommended reading” here. Use Cloud Securely? What Does This Even Mean?! At this point, it is clear that most discussions on using cloud securely or secure use of cloud computing include the dreaded configuration question — or
I am not an AI security expert (I hear there are very few of those around ). I am essentially a motivated amateur learner in AI security … and I would even trust Bard advice on Artificial Intelligence security (well, that’s a joke — still, you can see what it says anyhow) (Bard, 5/2023) However I was a pretty good analyst , and some say that this is kinda a minor superpower :-) So, in this post, I will share some things that puzzle me in this emerging domain, and I will use the 3 podcast episode
Great blog posts are sometimes hard to find (especially on Medium ), so I decided to do a periodic list blog with my favorite posts of the past quarter or so. Here is the next one. The posts below are ranked by lifetime views. This covers both Anton on Security and my posts from Google Cloud blog , and our Cloud Security Podcast too ( subscribe ). Top 5 most popular posts of all times (these ended up being the same as last quarter, and the quarter before) : “Security Correlation Then and Now: A
Security business is booming! Reportedly 38K people showed up for RSA 2023, and 600+ vendors did too. It is very clear from observing the large booths of many vendors (including some that are doing well unexpectedly ) that “there is lots of money in cyberland.” As somebody cynically pointed out to me, a huge booth at the RSA conference doesn’t indicate that the company is doing well — it only indicates that it was doing well 6–8 months ago when they paid for the booth … This aside, it is very cl