Part One:

Part Two:

Detection & Validation

Detection is the third part of this series and for a very important reason. Not because I saved the best for last (this post might not even be the last part!), but because the first two parts frequently get skipped over in favor of the question “what SIEM rules are available?” Detection helps describe what exists in the expansive grey area between alerts and general telemetry. Detection is incredibly powerful but requires a number of building blocks to even happen…some obvious and some less so.

Detection can potentially occur in a lot of different parts of your environment, such as creating behavior rules within EDR products, but those findings should generally roll up to a centralized data store such as a SIEM. As a general rule of thumb, it’s best to focus on the SIEM’s detective capabilities, rule language, and nuances only to expand and fill in gaps that might arise from performing that analysis. For example, it might not be reasonable to send all process execution logs from your EDR to your SIEM, so detection would necessitate utilizing EDR detection capabilities and sending the subset of alerts to a SIEM. …

Part One:


Now visibility of your network (covered in part one) is great, but at the end of the day, the prevention of attacks should be always taking place in your environment. It is easy to overlook prevention and to focus on visibility and detection far too much. Visibility and detection won’t help when you have an understaffed team, a taxing on-call schedule, and/or the attacker is already advanced far into your network.

Once you have an understanding of what your products and services cover from the visibility phase, utilize the prevention phase to review best practices to stop top attacks. …

MITRE ATT&CK is perhaps a cyber security industry buzzword at this point, becoming just another feature included in RFPs as a prerequisite for products to have some mention of it included prior to purchase. The status of being overused is at least well deserved because of its usefulness that can be applied in many different situations when working between assessment teams and defenders.

Over the past years, I’ve been able to introduce and help a number of blue teams with MITRE ATT&CK. A common response when I ask people if they have any experience working with the ATT&CK framework is that they are aware of it, but have limited knowledge working with it and wouldn’t know where to begin utilizing it. …

The EDR market has proven itself to be incredibly valuable over the past 5–6 years. I think many security practitioners would agree there is no larger return on investment than buying an EDR. It has even become such a large and wide market that 1. marketing has taken the entire segment over and 2. the vendors have started really competing against each other for dominance from a features perspective (both probably very related). One feature I key in on is the ability to make your endpoint telemetry (the data you own!) accessible outside of the vendor provided platforms.

The most intriguing aspect to me in EDR realm is the telemetry that all EDR platforms are able to capture. From CrowdStrike to Sysmon, there are varying levels of effort to capture and stipulations tied to each in order to gather that telemetry. One new and incredibly promising vendor that makes telemetry available now is SentinelOne! I can’t get enough of the progress they are making in this space with their expanded “Deep Visibility” features turning the corner from a traditional EPP platform into a telemetry rockstar. It is a solution that can help provide the data needed for detection from nearly anywhere at the speed in which attacks occur. …



Focusing on infosec writing, many other hobbies here:

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store