SANS endpoint survey

SANS Endpoint Survey: Too Many Tools and Alerts

Keith McCammon, Chief Security Officer

The SANS Institute recently published the results of its annual Endpoint Protection and Response survey through a report written by Lee Neely and advised by Alissa Torres. The report includes a number of statistics and a long list of takeaways, but the key findings it uncovered are: We have too many tools We have too many alerts Neither of these … Read More

MDR Buyer's Guidelines

3 Areas to Consider When Looking for a Managed Detection and Response Partner

Michael Haag

Gartner estimates that 15% of organizations will be using managed detection and response (MDR) services by 2020, up from less than 5% today. For many buyers (including myself), past bad experiences can make it difficult to consider outsourcing critical components of your security program. Whether the experience was caused by poor service, ineffective product, or a vendor who did not … Read More

Build vs Buy

Build vs. Buy: Not Mutually Exclusive

Keith McCammon, Chief Security Officer

The “build vs buy” debate in security technology has been argued so many times that there are few unique positions left to take. Builders prioritize flexibility and control, while buyers prioritize predictable performance, scale, cost, and results. The debate continues not because there are groundbreaking arguments in favor of one or the other. The build vs buy debate continues because … Read More

Cryptomining Native Windows Tools

Mining off the Land: Cryptomining Enabled by Native Windows Tools

Tony Lambert

A lesson I learned early in my career is that technology professionals often inherit older problems. This is especially true of administrators responsible for network services and security because they inherit the biggest snowball of problems: an enterprise network. Networks often grow in ways that make them harder to secure and maintain as they age, and admins often implement new … Read More

Behind the Scenes of an Active Breach (Part 1): Establishing Persistence

Keya Horiuchi

Preventing a breach is every security leader’s top priority. Stopping modern adversaries means having visibility and insight into their tactics, techniques, and behaviors. This two-part series takes readers behind the scenes of a compromised network environment in which multiple endpoints were infected with malware. Part 1 focuses on steps the malware took to establish persistence, while Part 2 will focus on … Read More

Atomic Red Team

Q&A from the “Automating Atomic Red Team” Webcast

Casey Smith, Michael Haag

There was a great turnout for the latest Atomic Red Team webcast! Thanks to all the people that attended. We had some outstanding audience questions on the new YAML structure, use cases, and CALDERA, MITRE’s automated adversary emulation system. We’ll use this post to go through some of the Q&A in case you couldn’t attend or had to jump off … Read More