We’ve been doing a lot of investigations in AWS using CloudTrail logs and have been noticing some interesting things along the way. So we created an AWS mind map for our team (and you). Check it out!
Building detections in Google Cloud Platform (GCP) but not sure where to start? Time to get strategic. Our detection and response engineers demystify the process for building detections in the cloud.
A red team recently swooped in and showed off some new tactics. What started as a PowerShell download cradle quickly turned into a custom rootkit download. Find out how we spotted the crafty red team.
Our SOC stopped a ransomware attack that compromised WordPress CMS to trigger a drive-by RAT download. Find out what happened, how we caught it, and our recommendations to secure your WordPress CMS.
Need to ensure your tech, privacy and security policies are compliant? Find out what compliance means in practice and how your MDR provider can support your compliance program, not become a liability.
Crafty attackers are finding new ways to bypass multi-factor authentication. Find out how our SOC detected an attack and get some tips on how your org can prevent credential phishing.
Want a tour of Expel’s Phishing dashboard? Get a behind-the-scenes look at how one of our senior UX designers developed the Phishing dashboard for Expel’s managed phishing service customers.
We’re noticing a trend in ransomware attacks. But that doesn’t mean it’s time to go into panic mode. Find out what you need to know and get some tips on how you can keep your org safe.
We shared the top attack trend spotted during the pandemic and what to keep an eye out for looking ahead. But how do you remediate and stay resilient against these attacks? Our crew shares some tips.
Check out our newest infographic to learn about the top attack trend during the COVID-19 pandemic, how our SOC’s data reinforces these recent findings and how you should be looking ahead.
Engineering|12 min read
Find out how Expel’s internal teams collaborated to migrate our core infrastructure from a legacy environment to GCP, with no downtime (while also making sure they were prepared for a little chaos).
Engineering|6 min read
Flying blind when it comes to running Hashicorp Vault in Kubernetes? We’ve got you covered. Accelerate your path to production without compromising on security with these tips and best practices.
Establishing metrics is vital. But how do you report progress and have a conversation about what you’re seeing? Are you even looking at the right things? Here are some tips on measuring cybersecurity.
Engineering|12 min read
Find out how Expel’s internal teams built an integration on top of Azure signal – creating a new detection strategy for ASC that provides more context around alerts and improves customer visibility.
We’re excited to announce the launch of our first SaaS product! It automates the investigation of AWS alerts and logs – allowing your team to spend less time finding and fixing security issues.
Engineering|7 min read
Find out how Expel’s D&R engineers think about detection writing, and how this process helps our SOC analysts make smart decisions and gain a deeper understanding of our customers’ environments.
What do you do when you can’t trust the internet? Supply chain attacks like the SolarWinds Orion breach are not new. Here are some things you can do to help prepare and guard against similar attacks.
Here’s how Expel created a phishing triage process that keeps our analysts’ heads above water while also ensuring that a trained pair of eyes is on every email submitted by our customers.
Here are some of our early observations on the SolarWinds Orion breach, plus our ideas on what to do next to detect related activity and better protect your org.
Ever wonder about how Expel’s analysts investigate alerts? Our SOC team created a workflow called the Expel Workbench managed alert process. Read on to find out how it works and how it can help you.
Red team sneak attack? Bring it on. Find out how we tackled a red team attack using open source offensive security tools in AWS and what you can do to protect your org from similar attacks.
It’s impossible to sum up a year that felt like 1000 in a single blog post. But we did gather some topline takeaways on security trends and the evolving role of the CISO from Expel’s Bruce Potter.
Engineering|2 min read
We’re open sourcing a python client in the Expel Workbench! This labor of love will allow our customers to take advantage of our APIs. Find out what the release of the pyexclient project includes.
In this second post in our three-part series on all things metrics and SOC leadership, our team dives into details of what metrics and techniques are used to protect the SOC against volatility.
How do you establish metrics for SOC efficiency? This first post in a three-part series shares our team’s approach to setting SOC goals, creating a strategy and measuring success.
How can a SIEM help you address your business needs? Do you even need a SIEM? Finding the right answer isn’t easy. Here are some tips to help you make a decision that works best for you.
Automation is key when it comes to helping analysts focus on doing what they do best – investigating legitimate threats. Find out how we use orchestration to automate enrichments for AWS alerts.
To build something useful you must first understand your users. Find out how Expel used Terraform and Atlantis to build a platform that makes self-service provisioning in cloud infrastructure easy.
Security operations|11 min read
Wonder what real-life investigation and response looks like in the cloud? Buckle up! Our team walks you through a coin-mining attack in AWS that they recently foiled – all the way from alert to fix.
Attackers love to look to PowerShell to enact their evil plans. Expel’s senior data scientist tells us how she used machine learning to help analysts spot malicious activity in PowerShell quickly.
Tips|5 min read
Switching to a multi-cloud solution? Easy! Just kidding. Expel’s senior detection & response engineer shares some things you need to think about when going multi-cloud – and how to stay sane.
Expel insider|1 min read
Running a Google Cloud Platform (GCP) workload or thinking about integrating it into your security portfolio? Expel can help! We’ve officially launched our GCP 24x7 monitoring and response services.
We got a lot of questions about configuring Jupyter notebooks after presenting at Infosec Jupyterthon 2020. See our response along with some tips for incorporating this tech into infosec processes.
Find out how our SOC analysts used automation to reduce the time it takes to investigate and report a suspicious login by 75%. The team outlines the process and shares a case study of it in action.
Security operations|13 min read
During a recent red team engagement, the CrowdStrike EDR Platform alerted our SOC team on the execution of a suspicious VBScript file. This is what they learned from untangling the malware code.
Tips|7 min read
Many of us recently became remote workers. Now, more than ever, it’s important for us to understand how to keep our at home networks safe. Here are 10 tips to stay secure at home.
Whether you work in security or are an informed voter (or both!), the security of our election ecosystem is everybody’s business. Here are the challenges our system faces and what we can do about them.
Security operations|2 min read
There’s lots to like about the NIST CSF. Here are our practical tips for how to use it, plus a preview of a new NIST feature we introduced in Expel Workbench™.
Creating alert thresholds is critical to *not* driving your SOC analysts batty, but what’s the “right” number? Here are some tips, tricks and favorite tools we use to determine alert thresholds for customer environments.
What’s this new framework and how should you use it? Our CISO’s got all the details plus a FREE downloadable self-scoring tool to help you assess where your org’s at when it comes to privacy.
Is your data really safer in the server room next door? Probably not. Here are five reasons why the cloud offers better security than your on-prem environment.
If you’re running workloads on AWS, then you’ll want to know all about the latest and greatest AWS-native security tools. We’ve got you covered in our latest post.
Jupyter Notebook gave us the freedom to rethink the way we analyzed hunting data. Here are some tips and tricks you can use in your own analysis.
TLNT|6 min read
How do you interview a company who’s interviewing you? One of our account executives, Jeremy Furniss, shares how he evaluated Expel during the hiring process.
Is Signal Sciences WAF part of your tech stack? Then you’ve got an amazing webshell detection method right at your fingertips.
Think MFA will be your web mail’s knight in shining armor when a crafty attacker strikes? Think again, and do these four things to make sure your org’s protected.
All good cybersecurity policies share some similar traits. Here are our pro tips for creating a solid policy for your own org.
Looking to get more or better security signals out of AWS? Then you’ll wanna read our pro tips on making the most of Amazon CloudTrail.
Relativity CSO Amanda Fennell shares the top five, easy-to-get-started things she sees forward-thinking law firms doing to improve their security.
So you decided you want to build a threat hunting program ... but where do you start? Here are our three must-dos when you’re planning your hunt.
TLNT|5 min read
I returned from my vacation with more than a tan. Here are 7 not-so-obvious things I learned by stepping away and unplugging from the office.
How often does a business email compromise actually happen? And what should you do about it? Our infographic answers those questions and more.
Got Macs in your org? Here are a few recent Mac OS attack trends and how you can become more resilient to ‘em.
SOAR isn’t really about “orchestration and response.” It’s an engineering problem at its core. Here’s why.
Finding anomalous process relationships -- commands that don’t belong together -- might indicate a problem within your environment. Here’s how to spot ‘em.
Your IT team isn’t racking and stacking servers like they used to, but cracking the cloud security code is easier than you think. Get our pro tips for doing just that.
How do you decide which tech to use to carry out your hunt? This post’s got some pro tips for when and how to use different technology for your threat hunting mission.
If you’ve got a blank canvas with the opportunity to build a security program from scratch, here’s how to get started and make the most of your new program.
The NIST Privacy Framework will revolutionize how we think about privacy. Here’s how your org might use it.
TLNT|5 min read
Want the hiring manager here (or anywhere) to notice you? These resume pro tips will help you stand out from the pack.
Need to expand your security tool chest? Our CISO’s got some tips to consider when thinking about what tech to keep or buy.
There are four missteps we see happen often that open fast-growing companies up to unnecessary legal risks -- here’s how to course correct.
Need to get the security train back on the tracks? Our CEO’s got some pro tips on improving your org’s security ASAP.
How well is your MSSP or MDR going to manage your fleet of security signals over time? Here’s how to figure out whether they’re up for the challenge.
Want to test your analysts’ detection skills in the cloud? Here are our tips and tricks for building your own threat emulation exercise in AWS.
You’re processing loads of data every day...but are you catching it all? Here are tips from our pros for rocking your data auditing.
How can you figure out if the quality of the service you’re about to sign up for will improve over time? Our COO Yanek Korff’s got some tips for making sure you choose a service that’ll last.
Election security measures (or lack thereof) are making headlines. How can private sector orgs contribute to public sector security? Our CISO Bruce Potter’s got some ideas.
Why do Amazon S3 bucket breaches happen and how can you protect your own org from making this mistake? We’ve got all the AWS pro tips for you in our latest post.
We use technologies behind the scenes to make Expel Workbench and our analysts more efficient. GreyNoise is one of those -- here's how we use it and why you might find it useful too.
We’ve heard lots of interesting Qs as prospective customers evaluate which solution's right for them... here are the 12 you should be asking.
As attackers behind BEC attacks find ever more clever tactics to use, it’s getting trickier for businesses to protect themselves. But here are some telltale signs you can look for that are tip-offs that something’s amiss.
If your team doesn’t have lots of incident response practice under their belt (yet!), a threat emulation exercise is the perfect way to help them flex those response muscles and improve your collective skills.
If you're left holding the hot potato of a legacy lackluster security program, or are suddenly forced to protect your org and its data with less, here are a few quick steps to take to get cybersecurity efforts back on track.
If you're feeling like your SaaS security knowledge is a bit cloudy, these three pro tips will get you started on the right path.
Figuring out how to protect your SaaS infrastructure like Office 365 -- especially if you’re newer to cloud -- can feel overwhelming. So here are five Office 365 security best practices to check out right now.
Close common compliance gaps, without building a SOC, for NIST 800-171 security requirements. And a bit about how we can help.
Seven smart ways to prepare for a tour of a security operations center (SOC) and five clues to watch out for during your visit.
Here are some of the most frequent ways attackers can use your website and your web presence to harm your company, your users and the public at large.
Security operations|12 min read
Let us walk you through our third-party assessment process. We think it's lightweight but still achieves the objective - determining if a vendor can be trusted.
Dive into a typical investigation and see how our analysts triage a Darktrace alert. Plus! We share some of our favorite Darktrace features.
TLNT|9 min read
Our list of five things you can do to take the first steps to an entry-level technical cybersecurity career.
See if these four telltale warning signs get your head nodding. If so, learn how to get started on regaining control.
In case doing a “stare-and-compare” of the original and updated frameworks isn’t your idea of fun, I’ve highlighted three important changes here.
We want to demystify what hunting is and what it’s not. So here goes nothin’ ...
We give you a quick tour of the NIST Cybersecurity framework and describe how you can baseline your efforts in a couple of hours. So check it out.
A little nerdy (and a lot math-y) post to help you better understand your SOC's systems, so you know how changes will impact its operation. If you’re wondering what “I Love Lucy” has to do with this then read on.
Not all 24x7 SOCs are created equal. To figure out how much it costs to go 24x7, you have to first figure out what kind of SOC you’re trying to build. We outline four possible security operations centers and an estimate of your costs.
Tips|3 min read
So… what is resilience? We’ll cover that and also how it works in this post. We’ve even thrown in a couple examples to get you started.
An uncommonly clear review of what managed detection and response (MDR) is, where it came from and what it can/can't do for you.
NIST has polished up their Cybersecurity Framework based on thousands of organizations implementing it over the past three years. Our CISO, Bruce Potter, highlights three of the most significant (and practical) changes.
We cut through the hype to explain what EDR products can do for you.
Walk through a practical example of how you can make a weak signal actionable by combining events from your endpoint and network security technologies into one meaningful alert.
Do you have the equipment and material needed to get your work right? Here are seven things to keep in mind to bring harmony to your toolchain. Part 1 of our “Keep your security nerds happy” series.
The three parts of the investigative mindset and how to apply them when you triage endpoint alerts.
Tactical advice on how to survive a security incident when you don’t have an incident response plan.