Determining an Acceptable False Positive Rate for Your SOC
Acceptable FPR isn't a vibes problem, it's a math problem. Plug your environment into the calculator and find the actual number your program can tolerate.
SecOps
Why a Decade of Writing Detection Logic Makes the Mythos Exploit Numbers Less Scary
Mythos is finding thousands of vulnerabilities. Defenders aren't doomed. Detection has never been 1:1 with exploits, and why I think the numbers are a little* less scary than being made out to be.
What Framing Security Alerts as a Binary True or False Positive is Costing You
Ask anyone who’s worked in a SOC long enough and they’ll tell you: debates over “true positive” versus “false positive” happen a lot. Usually, the conversation goes in circles—one person insists an alert was a false positive, another argues it was technically a true positive,
Announcing CelesTLSH CLI: A Lightweight Tool for TLSH Hash Analysis
I'm excited to announce the release of CelesTLSH CLI, a lightweight CLI interface tool for calculating, comparing, and analyzing TLSH hashes. This tool is designed to help security professionals quickly identify potentially malicious files by comparing them against a database of known attack tools.
Vintage Detection: Applying RADAR Research from 1953 to Detect Modern Cyber Threats
A 1953 mathematical framework reveals how military RADAR research can revolutionize cybersecurity. By transforming threat detection from gut feeling to probabilistic science, signal detection theory offers a powerful approach to distinguishing genuine threats from routine noise.
Falling in love with NSM again
When I started in cybersecurity, most web traffic wasn’t encrypted, which meant Firewalls and Network Intrusion Detection Systems played a critical role in detecting malicious activity. Endpoint visibility was limited—most organizations still relied on traditional Anti-Virus
UFOs and Mobile Malware - How Retaliation Against a Source Led Me to iVerify
For the past year and a half, I’ve been on one of the wildest adventures of my life, writing a book on UFOs and UAP. It has taken me through a painstaking process of finding and connecting with people who may hold valuable information for my work.
The Power of Proactive Cybersecurity with Domain and TLS Monitoring
It is often mistakenly believed that defenders cannot gain visibility into the early stages of the Cyber Kill Chain before the delivery phase.
A Five Year Retrospective on Detection as Code
Five years ago, I co-authored the first public paper on the concept of Detection as Code. While having some technical peers review this paper, we found that a few more advanced security programs were already utilizing this sort of method, just not publicly talking about it.
Five Insights From My Time Building 3 SOCs and Consulting For Over 40 Fortune 500 Companies and Federal Agencies
Throughout my cybersecurity career, I’ve had the opportunity to build three Cyber Security Operation Centers (SOCs) from scratch, including two for Managed Detection and Response (MDR) providers.
Detecting RegreSSHion - CVE-2024-6387 a Guide
Recently, the killer vulnerability research team at Qualys discovered a Remote Code Execution (RCE) vulnerability in OpenSSH that exploits a race condition within SSH. This vulnerability is particularly concerning because SSH is commonly exposed to the internet for remote system management.
Commonly Abused Linux Initial Access Techniques and Detection Strategies
The volume and quality of Threat Intelligence for Linux attacks have traditionally lagged behind that for Windows, despite Linux's significant cloud presence. Most reports have focused on reverse engineering Linux-based malware and attack tools.