How to Improve Security Operations

𝗗𝗮𝘆 𝟭𝟬: 𝗣𝗿𝗲𝗽𝗮𝗿𝗲𝗱𝗻𝗲𝘀𝘀 𝗮𝗻𝗱 𝗥𝗲𝘀𝗽𝗼𝗻𝘀𝗲 We know the cost of response can be 100 times the cost of prevention, but when unprepared, the consequences are astronomical. A key prevention measure is a 𝗽𝗿𝗼𝗮𝗰𝘁𝗶𝘃𝗲 𝗱𝗲𝗳𝗲𝗻𝘀𝗲 𝘀𝘁𝗿𝗮𝘁𝗲𝗴𝘆 to anticipate and neutralize threats before they cause harm. Many enterprises struggled during crises like 𝗟𝗼𝗴𝟰𝗷 or 𝗠𝗢𝗩𝗘𝗶𝘁 due to limited visibility into their IT estate. Proactive threat management combines 𝗮𝘀𝘀𝗲𝘁 𝘃𝗶𝘀𝗶𝗯𝗶𝗹𝗶𝘁𝘆, 𝘁𝗵𝗿𝗲𝗮𝘁 𝗱𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻, 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁 𝗿𝗲𝘀𝗽𝗼𝗻𝘀𝗲, and 𝗿𝗲𝘀𝗶𝗹𝗶𝗲𝗻𝘁 𝗶𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲. Here are few practices to address proactively: 1. 𝗔𝘀𝘀𝗲𝘁 𝗩𝗶𝘀𝗶𝗯𝗶𝗹𝗶𝘁𝘆 Having a strong understanding of your assets and dependencies is foundational to security. Maintain 𝗦𝗕𝗢𝗠𝘀 to track software components and vulnerabilities. Use an updated 𝗖𝗠𝗗𝗕 for hardware, software, and cloud assets. 2. 𝗣𝗿𝗼𝗮𝗰𝘁𝗶𝘃𝗲 𝗧𝗵𝗿𝗲𝗮𝘁 𝗛𝘂𝗻𝘁𝗶𝗻𝗴 Identify vulnerabilities and threats before escalation. • Leverage 𝗦𝗜𝗘𝗠/𝗫𝗗𝗥 for real-time monitoring and log analysis. • Use AI/ML tools to detect anomalies indicative of lateral movement, insider threat, privilege escalations or unusual traffic. • Regularly hunt for unpatched systems leveraging SBOM and threat intel. 3. 𝗕𝘂𝗴 𝗕𝗼𝘂𝗻𝘁𝘆 𝗮𝗻𝗱 𝗥𝗲𝗱 𝗧𝗲𝗮𝗺𝗶𝗻𝗴 Uncover vulnerabilities before attackers do. • Implement bug bounty programs to identify and remediate exploitable vulnerabilities. • Use red teams to simulate adversary tactics and test defensive responses. • Conduct 𝗽𝘂𝗿𝗽𝗹𝗲 𝘁𝗲𝗮𝗺 exercises to share insights and enhance security controls. 4. 𝗜𝗺𝗺𝘂𝘁𝗮𝗯𝗹𝗲 𝗕𝗮𝗰𝗸𝘂𝗽𝘀 Protect data from ransomware and disruptions with robust backups. • Use immutable storage to prevent tampering (e.g., WORM storage). • Maintain offline immutable backups to guard against ransomware. • Regularly test backup restoration for reliability. 5. 𝗧𝗵𝗿𝗲𝗮𝘁 𝗜𝗻𝘁𝗲𝗹𝗹𝗶𝗴𝗲𝗻𝗰𝗲 𝗣𝗿𝗼𝗴𝗿𝗮𝗺𝘀 Stay ahead of adversaries with robust intelligence. • Simulate attack techniques based on known adversaries like Scatter Spider • Share intelligence within industry groups like FS-ISAC to track emerging threats. 6. 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆-𝗙𝗶𝗿𝘀𝘁 𝗖𝘂𝗹𝘁𝘂𝗿𝗲 Employees are the first line of defense. • Train employees to identify phishing and social engineering. • Adopt a “𝗦𝗲𝗲 𝗦𝗼𝗺𝗲𝘁𝗵𝗶𝗻𝗴, 𝗦𝗮𝘆 𝗦𝗼𝗺𝗲𝘁𝗵𝗶𝗻𝗴” approach to foster vigilance. • Provide clear channels for reporting incidents or suspicious activity. Effectively managing 𝗰𝘆𝗯𝗲𝗿 𝗿𝗶𝘀𝗸 requires a 𝗰𝘂𝗹𝘁𝘂𝗿𝗲 𝗼𝗳 𝗽𝗲𝘀𝘀𝗶𝗺𝗶𝘀𝗺 𝗮𝗻𝗱 𝘃𝗶𝗴𝗶𝗹𝗮𝗻𝗰𝗲, investment in tools and talent, and alignment with a defense-in-depth strategy. Regular testing, automation, and a culture of continuous improvement are essential to maintaining a strong security posture. #VISA #Cybersecurity #IncidentResponse #PaymentSecurity #12DaysOfCybersecurityChristmas

🚨2024 Replay: Advancing Zero Trust Maturity Through Visibility & Analytics 🔍 Released by the NSA, this Cybersecurity Information Sheet emphasizes the pivotal role of visibility and analytics in the Zero Trust framework. These principles form a cornerstone of proactive cybersecurity—delivering actionable insights to strengthen detection and response capabilities. Key Takeaways: 📊 Logging: Focus on collecting pertinent activity logs across networks and user systems; indiscriminate data collection isn’t practical. 🛠️ Centralized SIEM: Leverage Security Information and Event Management tools to aggregate and analyze data for enhanced threat detection. 🔐 Risk Analytics: Use dynamic scoring systems enriched by CVEs and real-time vulnerabilities to stay ahead of threats. 🧠 UEBA (User and Entity Behavior Analytics): Harness AI/ML to spot anomalous behaviors that may signal insider threats. 🌐 Threat Intelligence Integration: Enrich internal data with external threat feeds for comprehensive situational awareness. 🚦 Automated Policies: Implement dynamic access controls and configurations to adapt to an evolving threat landscape in real time. 📜 Quote from the CSI: "Detecting and identifying potential threats requires both human and technological elements to understand the entirety of the network, to detect anomalous changes, and to react to an incident expediently and properly." 📅 This post is part of my year-end review of 2024’s most impactful cybersecurity documents. Critical guidance—like this one from May 2024—often fades after its initial promotion. Revisiting these documents allows us to refocus on foundational recommendations for enhancing security postures. 💬 Link to the document in the comments. #cybersecurity #threathunting #analytics #data #visibility #cloudsecurity #technology #informationsecurity #artificialintelligence #zerotrust #computersecurity

Is your security team stuck in firefighting mode? Use this Cybersecurity Strategy Matrix to build a balanced security roadmap: 𝟭. 𝗘𝗺𝗯𝗲𝗱𝗱𝗲𝗱 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 (Existing Systems + Existing Controls) → Strengthen password policies and access management → Enhance patch management processes → Conduct deeper security awareness training → Low risk, focuses on security fundamentals 𝗢𝘂𝘁𝗰𝗼𝗺𝗲: Strong foundation with minimal disruption 𝟮. 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗜𝗻𝗻𝗼𝘃𝗮𝘁𝗶𝗼𝗻 (Existing Systems + New Controls) → Implement EDR/XDR solutions over traditional antivirus → Deploy AI-based threat hunting capabilities → Adopt zero-trust architecture frameworks → Moderate risk, leverages advanced protections 𝗢𝘂𝘁𝗰𝗼𝗺𝗲: Significantly improved protection without system overhaul 𝟯. 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗘𝘅𝗽𝗮𝗻𝘀𝗶𝗼𝗻 (New Systems + Existing Controls) → Extend current security monitoring to cloud workloads → Apply existing controls to newly acquired systems (M&A) → Secure shadow IT with established security baselines → Moderate risk, focuses on consistent security coverage 𝗢𝘂𝘁𝗰𝗼𝗺𝗲: Unified security posture across your growing environment 𝟰. 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗧𝗿𝗮𝗻𝘀𝗳𝗼𝗿𝗺𝗮𝘁𝗶𝗼𝗻 (New Systems + New Controls) → Build security for containerized environments → Implement quantum-resistant encryption → Develop custom security for IoT/OT environments → Highest risk, prepares for emerging threat landscapes 𝗢𝘂𝘁𝗰𝗼𝗺𝗲: Future-proofed security ready for emerging threats Effective cybersecurity requires balancing immediate needs with long-term resilience. Where is your security program investing today?

As I speak with our customers and many friends’ companies about their 2025 IT and cybersecurity plans, I’m surprised at how average most approaches are. While everyone recognizes the blazing pace of technological change and how bad actors are weaponizing advanced AI, surprisingly, few organizations have taken critical steps to protect themselves or keep up with innovation. As CEO of ATSG, a Managed Services Provider (MSP), I see too many companies relying on various legacy systems and doing the bare minimum to ward off AI-enabled threats and capture fantastic opportunities. I’d love to see every organization elevate its game by focusing on: - Advanced Threat Detection – Beyond simple signature-based tools, leverage behavioral analysis and machine learning for proactive defenses. - Comprehensive Endpoint Security for every device, especially in a work-from-anywhere world, include continuous patch management and endpoint detection & response (EDR/XDR). - AI-driven SOC (Security Operations Center) – Use real-time threat intelligence to focus on the most critical risks while reducing noise. - Dark Web Monitoring for Early Warning – Spot leaked credentials or potential brand impersonation quickly, then respond decisively. - Proper Compliance – More than just ticking boxes; integrate governance, risk, and compliance (GRC) into daily operations. - Network Observability & Management – Implement zero–trust architectures, micro-segmentation, and real-time monitoring for proactive fixes and near-100% uptime. - Virtual Desktops (DaaS) – Enable employees to securely access their workspace from any device, anywhere, while centralizing data protection. - Modern Call Center Solutions (CCaaS) – Integrate AI for training, real-time coaching, and tier-one automation to improve CX and efficiency. - Upgraded Unified Communications (UCaaS) – Provide a seamless, integrated experience for employees and customers, regardless of location. - Cloud Architecture & Security Reviews – Continuously optimize for cost, scalability, redundancy, and compliance with solutions like CSPM (Cloud Security Posture Management). - Strategic Use of AI – Identify where AI can help your organization be more productive and achieve higher quality results with fewer resources. - Holistic Identity & Access Management – Adopt strong multi-factor authentication (MFA) and consider passwordless or zero trust frameworks to limit lateral movement. - Security Training & Incident Response – Regularly train staff on phishing, social engineering, and AI-based scams. Maintain an up-to-date incident response plan and test it often. I’m curious to hear your thoughts on where companies can improve to keep pace with this new era. Onward and upward, Russ #futureproof #AItech #Cybersecurity #MSP #deliveringservice

You can't buy the best cybersecurity tool ever, and you need it. Culture, a security culture. Cybersecurity needs a strong culture to drive it. It’s about leadership, intentional programs, and turning security into a shared mission. Learn how to engage employees, get leadership buy-in, measure meaningful KPIs, and make security a true business differentiator. 🧙🏼♂️In this episode of The Keyboard Samurai Podcast , Mike Williams President of Appalachia Technologies, LLC sat down with me to discuss how he builds a culture of cybersecurity. ⏯️ Full episode link in the comments. Here's the TLDR 👇 1. Culture Starts with Leadership ↳ Leaders set the tone for security ↳ Model the behavior you expect ↳ Fund programs, not just policies 2. Make Security Intentional ↳ Run phishing drills regularly ↳ Host monthly lunch and learns ↳ Do real tabletop exercises 3. People Are the Front Line ↳ Train users on real-world threats ↳ Reward good security behavior ↳ Turn mistakes into learning 4. Training is Not Culture ↳ Avoid one-and-done modules ↳ Use gamified, role-based content ↳ Train early, often, and in context 5. Security is a Noble Mission ↳ Frame security as protection ↳ Connect actions to real impact ↳ Inspire a sense of purpose 6. Customize by Role or Team ↳ Tailor training to each function ↳ Map risks to daily workflows ↳ Speak their language, not yours 7. Measure What Matters ↳ Track phishing data ↳ Prioritize for your business ↳ Report on IR response times 8. Security is a Client Differentiator ↳ Promote your security posture ↳ Show real effort, not just badges ↳ Use cyber strength to win deals 9. Educate, Don’t Lecture ↳ Share breach case studies ↳ Explain how attacks actually work ↳ Keep stories short and sticky 10. Build the Case with Data ↳ Use risk registers to guide asks ↳ Show the cost of inaction ↳ Bring metrics to the boardroom 11. Security Never Stands Still ↳ Update practices as threats evolve ↳ Watch trends like AI and quantum ↳ Build a learning-first culture This episode will change how you think about security daily. How do you build cyber culture? ⬇️ 🔄 Share to build strong cybersecurity cultures 📲 Follow Wil Klusovsky for wisdom on cyber & tech business

🔬 Comparing 2023 vs 2024 CVE numbers. Total CVE count grew 14.1% from 29084 in 2023 to 33201 in 2024. Microsoft CVEs grew 13.6% from 11575 in 2023 to 13150 in 2024. Linux  + RedHat CVEs grew 142.3% 🤯 from 3,650 in 2023 to 8,847 in 2024. Apple  CVEs decreased 6.1% from 1589 in 2023 to 1492 in 2024. Given the significant increase in CVE numbers, particularly the dramatic rise in Linux + RedHat vulnerabilities, it's crucial for organizations to enhance their cybersecurity measures. Here are some steps to take going into 2025: 🔎Vulnerability Assessment: Conduct comprehensive vulnerability assessments across all systems, with a special focus on Linux and RedHat environments. Utilize tools that can scan for both known and zero-day vulnerabilities. 🩹Patch Management: Prioritize the patching of vulnerabilities, especially those listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Ensure that all patches for Microsoft, Linux, and RedHat systems are applied promptly. 👨💻Update Software and Systems: Regularly update all software, particularly operating systems and applications from Microsoft, Linux, and RedHat, to the latest secure versions. Consider automating updates where possible to reduce human error. 🧑🎓Security Training and Awareness: Increase staff awareness through training sessions about the latest threats, particularly those related to the increased CVEs. Focus on the importance of timely updates and secure practices. 🚨Incident Response Planning: Review and update your incident response plan to include specific procedures for dealing with exploits related to new CVEs. Conduct drills to ensure preparedness. 📊Monitor and Analyze: Implement or improve systems for continuous monitoring of your network and systems for anomalous behavior or signs of exploitation. Use threat intelligence to stay ahead of potential attackers. Engage with Security Communities: Stay engaged with cybersecurity communities, subscribe to security bulletins from vendors like Microsoft, RedHat, and Apple, and participate in forums or groups where vulnerabilities are discussed to keep abreast of emerging threats. 🔎Review Vendor Security Practices: For organizations using Microsoft or Linux/RedHat products, review the security practices of these vendors. Understand how they handle vulnerability disclosures and patching processes to align internal policies accordingly. 🦺Consider Cybersecurity Insurance: Evaluate whether your organization could benefit from cybersecurity insurance, especially given the rise in vulnerabilities which might increase the risk of a security incident. By taking these actions, organizations can better protect themselves against the growing number of vulnerabilities, ensuring that their systems remain secure even as threats evolve. #infosec #cyber #security

DIB: The DoD’s Implementation Plan Brings CMMC Level 3 Requirements Before Phase 4 (Full Implementation). While much of the focus has been on CMMC Level 2, it’s equally important to prepare for the significant lift required for Level 3. The transition to L3 will depend on your existing CUI Program, leadership support, and your technical team’s skill set. Key elements to consider: 1. Access Control for only organization-owned/managed devices, no Personal devices (BYOD). Also, apply Golden Images to Level 3 assets, ensuring consistency and security, followed by conditional access controls or systems posture checks. 2. Must protect the integrity of Secure Baseline Configuration/Golden Images. 3. Encryption In Transit and At Rest with Transport Layer Security (TLS), IEEE 802.1X, or IPsec. 4. Bidirectional/Mutual Authentication technology that ensures both parties in a communication session authenticate each other (see encryption). 5. Conduct L3-specific End-User Training, including practical training for end-users, power users, and administrators on phishing, social engineering, and cyber threats and test readiness and response. 6. Continuous Monitoring (ConMon), Automation, and Alerting to remove non-compliant systems promptly. 7. Automated Asset Discovery & Inventory, ensuring full visibility of all assets. 8. Security Operations Center (SOC) and Incident Response (IR): Maintain a 24x7 SOC and IR team to handle security incidents promptly and efficiently. 9. HR Response Plans that include Blackmail Resilience to address scenarios like blackmail, insider threats, and other HR-related security issues. 10. Mandatory Threat Hunting to proactively identify and mitigate threats. 11. Automated Risk Identification and Analytics using Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), Extended Detection and Response (XDR), etc. 12. Risk-Informed Security Control Selection to ensure tailored and effective protection measures. 13. Supply Chain Risk Management (SCRM), Monitoring & Testing of Service Provider Agreements (SPAs): Regularly monitor and test SPAs to ensure compliance with security requirements and to mitigate risks associated with third-party vendors and suppliers. 14. Mandatory Penetration Testing to identify and rectify system vulnerabilities. 15. Secure Management of Operational Technology (OT)/Industrial Control Systems (ICS), including Government-Furnished Equipment (GFE) and other critical infrastructure. 16. Root and Trust Mechanisms to verify the authenticity and integrity of software. Ensure devices boot using only trusted software. Provide hardware-based security functions such as TPM. 17. Threat Intelligence and Indicator of Compromise (IOC) Monitoring to stay ahead of emerging threats and quickly respond. #CUI #hva #ProtectCUI

Recently worked on an issue where an account was taken over, even though the account had MFA enabled. Ultimately MFA fatigue caused a user to automatically approve an MFA request when it wasn't valid. Multi-Factor Authentication (MFA) fatigue is a security risk that arises when users are overwhelmed by frequent authentication prompts, potentially leading to carelessness or susceptibility to social engineering attacks. Here are several strategies to prevent MFA fatigue: 1. Implement Adaptive Authentication: Risk-Based Authentication: Use contextual information to assess the risk level of an authentication attempt. For example, consider the user's location, device, and behavior. Only prompt for additional authentication factors when the risk is high. 2. Optimize MFA Frequency Session Duration: Extend the duration of authenticated sessions where appropriate (based on location, app, and other controls), reducing the need for repeated MFA prompts within a short period. Device Trust: Allow users to mark personal devices as trusted, requiring MFA only on new or untrusted devices. 3. Enhance User Experience Single Sign-On (SSO): Implement SSO solutions to reduce the number of logins and MFA prompts by allowing users to authenticate once and gain access to multiple applications. Biometric Authentication: Integrate biometric factors (e.g., fingerprint, facial recognition) to make the authentication process quicker and more user-friendly. 4. Educate Users Security Awareness Training: Regularly educate users about the importance of MFA and the risks associated with MFA fatigue. Teach them how to recognize and respond to social engineering attacks. Clear Communication: Provide clear instructions and support for users experiencing MFA fatigue, ensuring they understand the security measures in place. 5. Continuous Monitoring and Improvement Monitor Authentication Logs: Regularly review authentication logs to identify patterns of MFA fatigue and adjust policies accordingly. User Feedback: Gather feedback from users on their MFA experiences and use this information to improve the process. 6. Leverage Push Notifications and Modern MFA Methods Push Notifications: Use push notifications through a secure app instead of traditional SMS or email-based MFA, reducing friction and improving security. These are just some controls and each environment should be analyzed and appropriate controls be used based on each security context and risks.

This article highlights a St. Louis federal court indicted 14 North Korean nationals for allegedly using false identities to secure remote IT jobs at U.S. companies and nonprofits. Working through DPRK-controlled firms in China and Russia, the suspects are accused of violating U.S. sanctions and committing crimes such as wire fraud, money laundering, and identity theft. Their actions involved masking their true nationalities and locations to gain unauthorized access and financial benefits. To prevent similar schemes from affecting you businesses, we recommend a multi-layered approach to security, recruitment, and compliance practices. Below are key measures: 1. Enhanced Recruitment and Background Verification - Identity Verification: Implement strict verification procedures, including checking legal identification and performing background and reference checks. Geolocation Monitoring: Use tools to verify candidates’ actual geographic locations. Require in-person interviews for critical roles. - Portfolio Validation: Request verifiable references and cross-check submitted credentials or work samples with previous employers. - Deepfake Detection Tools: Analyze video interviews for signs of deepfake manipulation, such as unnatural facial movements, mismatched audio-visual syncing, or artifacts in the video. - Vendor Assessments: Conduct due diligence on contractors, especially in IT services, to ensure they comply with sanctions and security requirements. 2. Cybersecurity and Fraud Prevention - Access Control: Limit access to sensitive data and systems based on job roles and implement zero-trust security principles. - Network Monitoring: Monitor for suspicious activity, such as access from IPs associated with VPNs or high-risk countries. - Two-Factor Authentication (2FA): Enforce 2FA for all employee accounts to secure logins and prevent unauthorized access. - Device Management: Require company-issued devices with endpoint protection for remote work to prevent external control. - AI and Behavioral Analytics: Monitor employee behavior for anomalies such as unusual working hours, repeated access to restricted data, or large data downloads. 3. Employee Training and Incident Response - Cybersecurity Awareness: Regularly train employees on recognizing phishing, social engineering, and fraud attempts, using simulations to enhance awareness of emerging threats like deepfakes. - Incident Management and Reporting: Develop a clear plan to handle cybersecurity or fraud incidents, including internal investigations and containment protocols. - Cross-Functional Drills and Communication: Conduct company-wide simulations to test response plans and promote a culture of security through leadership-driven initiatives. #Cybersecurity #HumanResources #Deepfake #Recruiting #InsiderThreats

Security Shouldn’t Disrupt Business. It Should Enable It. The biggest complaint I hear from CIOs? Security is slowing things down. Security isn’t about building walls, it’s about keeping the business moving safely. Here’s how to reduce risk without disrupting operations: 1️⃣ Try and gain visibility is everything. This WON'T disrupt anything and gives you full visibility into your network traffic. • Monitor network traffic (Corelight works great) • Map assets & data flows • Track east-west movement • Watch cloud resource usage 2️⃣ Zero Trust, But Make It Simple • Start with privileged accounts • Remove standing privileges. • Enable just-in-time access • Microsegment critical assets 3️⃣ Lock Down Identity & Access • MFA everywhere (no excuses) • Monitor login patterns (my fav is CrowdStrike Falcon Identity) • Track login sources • Flag unusual access attempts 4️⃣ Fix Your Logs (Most skip this!) • Standardize log formats (Cribl). Hey, I did it for Vijilan Security and the engineers just fell in love with it. • Centralize logs (LogScale) • Set retention policies (1 year live, 7 years associated raw logs for each detection) • Enable real-time alerts This is how I would present the numbers to my superiors: ✅ 65% fewer exposed assets ✅ 45% faster threat detection ✅ Zero business disruption ✅ 30% fewer false positives 5️⃣ If you want quick and dirty way to gain quick wins, do this: ✔ Disable unused admin accounts (24h) ✔ Review external facing services (48h) ✔ Implement basic segmentation (1 week) ✔ Roll out MFA (2 weeks) Security isn’t about perfection, it’s about progress. Apply 80/20 rule and move your way up. Start small, build momentum, and integrate security without breaking what works. Want more insights like this? Follow me for practical security strategies. #CISO #CrowdStrike #falcon #cribl #ZeroTrust #AttackSurface #Corelight #ITEXPO2025