
Attack trend alert: REvil ransomware
Expel’s SOC spotted a new trend in REvil campaigns and they’re sounding the alarm. Find out what’s new about this type of attack, how our analysts spotted it and what you can do to protect your org.

Behind the scenes: Building Azure integrations for ASC alerts
Find out how Expel’s internal teams built an integration on top of Azure signal – creating a new detection strategy for ASC that provides more context around alerts and improves customer visibility.

Got workloads in Microsoft Azure? Read this
Got Microsoft Azure? Running Microsoft products in your org? Then you might want to get a free copy of our all-new Azure guidebook.

Plotting booby traps like in Home Alone: Our approach to detection writing
Find out how Expel’s D&R engineers think about detection writing, and how this process helps our SOC analysts make smart decisions and gain a deeper understanding of our customers’ environments.

Improving the phishing triage process: Keeping our analysts (and our customers) sane
Here’s how Expel created a phishing triage process that keeps our analysts’ heads above water while also ensuring that a trained pair of eyes is on every email submitted by our customers.

The SolarWinds Orion breach: 6 ideas on what to do next and why
Here are some of our early observations on the SolarWinds Orion breach, plus our ideas on what to do next to detect related activity and better protect your org.

How to investigate like an Expel analyst: The Expel Workbench managed alert process
Ever wonder about how Expel’s analysts investigate alerts? Our SOC team created a workflow called the Expel Workbench managed alert process. Read on to find out how it works and how it can help you.

Evilginx-ing into the cloud: How we detected a red team attack in AWS
Red team sneak attack? Bring it on. Find out how we tackled a red team attack using open source offensive security tools in AWS and what you can do to protect your org from similar attacks.

The CISO in 2020 (and beyond): A chat with Bruce Potter
It’s impossible to sum up a year that felt like 1000 in a single blog post. But we did gather some topline takeaways on security trends and the evolving role of the CISO from Expel’s Bruce Potter.

Introducing a mind map for AWS investigations
We’ve been doing a lot of investigations in AWS using CloudTrail logs and have been noticing some interesting things along the way. So we created an AWS mind map for our team (and you). Check it out!

Performance metrics, part 2: Keeping things under control
In this second post in our three-part series on all things metrics and SOC leadership, our team dives into details of what metrics and techniques are used to protect the SOC against volatility.

Why don’t you integrate with [foo]?
You’ve heard that Expel integrates with your tech. But not YOUR tech. What gives? Well, sometimes it doesn’t make sense. Expel’s COO explains why and what this means when working with us.

Performance metrics, part 1: Measuring SOC efficiency
How do you establish metrics for SOC efficiency? This first post in a three-part series shares our team’s approach to setting SOC goals, creating a strategy and measuring success.

Is Windows Defender for Endpoint any good? Here’s our two cents
Expel recently integrated Microsoft Defender for Endpoint into our platform and we gotta say, we’re impressed! Our SOC analysts share why they love it and show us how they use it to triage alerts.

The myth of co-managed SIEMs
Think you can get a co-managed SIEM and then step away to let the magic happen? Not so fast. Our CISO shares some common myths and the realities you should consider before making a decision.

Terraforming a better engineering experience with Atlantis
To build something useful you must first understand your users. Find out how Expel used Terraform and Atlantis to build a platform that makes self-service provisioning in cloud infrastructure easy.

Behind the scenes in the Expel SOC: Alert-to-fix in AWS
Wonder what real-life investigation and response looks like in the cloud? Buckle up! Our team walks you through a coin-mining attack in AWS that they recently foiled – all the way from alert to fix.

Spotting suspicious logins at scale: (Alert) pathways to success
Find out how our SOC analysts used automation to reduce the time it takes to investigate and report a suspicious login by 75%. The team outlines the process and shares a case study of it in action.

Obfuscation, reflective injection and domain fronting; oh my!
During a recent red team engagement, the CrowdStrike EDR Platform alerted our SOC team on the execution of a suspicious VBScript file. This is what they learned from untangling the malware code.

Finding evil in AWS: A key pair to remember
Our analysts had to think fast when they recently encountered an incident involving compromised AWS access keys. Find out how they identified the attack and then kicked the bad guy out.

Thinking about Zoom and risk
For many of us, Zoom is the app that’s keeping us connected. But recent news about security concerns has a lot of us wondering if it’s too risky. So... is it? Our CISO shares his thoughts.

Election security: Why to care and what to do about it
Whether you work in security or are an informed voter (or both!), the security of our election ecosystem is everybody’s business. Here are the challenges our system faces and what we can do about them.

Month-to-month pricing in uncertain times
When we founded Expel nearly four years ago, we set out to provide our customers with greater peace of mind about security – whether they’re operating “business as usual” or facing more challenging circumstances.

7 habits of highly effective (remote) SOCs
Security ops is a team sport … but how do you “play” together when your company’s working 100% remotely? Jon’s got some advice.

NIST CSF: A new interactive tool to track your progress
There’s lots to like about the NIST CSF. Here are our practical tips for how to use it, plus a preview of a new NIST feature we introduced in Expel Workbench™.

Creating data-driven detections with DataDog and JupyterHub
Creating alert thresholds is critical to *not* driving your SOC analysts batty, but what’s the “right” number? Here are some tips, tricks and favorite tools we use to determine alert thresholds for customer environments.

Exabeam: an incident investigator’s cheat code
We love EDR tools too, but here are our best tips and tricks for combining EDR data with other (equally) important security signals.

How to get started with the NIST Privacy Framework
What’s this new framework and how should you use it? Our CISO’s got all the details plus a FREE downloadable self-scoring tool to help you assess where your org’s at when it comes to privacy.

Why the cloud is probably more secure than your on-prem environment
Is your data really safer in the server room next door? Probably not. Here are five reasons why the cloud offers better security than your on-prem environment.

Where does Amazon Detective fit in your AWS security landscape?
If you’re running workloads on AWS, then you’ll want to know all about the latest and greatest AWS-native security tools. We’ve got you covered in our latest post.

Using JupyterHub for threat hunting? Then you should know these 8 tricks.
Jupyter Notebook gave us the freedom to rethink the way we analyzed hunting data. Here are some tips and tricks you can use in your own analysis.

Making sense of Amazon GuardDuty alerts
If you’re running workloads on AWS, then you’d better be running GuardDuty. But what is it and how can you make sense of all the signals? Here are our pro tips.

Better web shell detections with Signal Sciences WAF
Is Signal Sciences WAF part of your tech stack? Then you’ve got an amazing webshell detection method right at your fingertips.

MFA is not a silver bullet to secure your cloud email
Think MFA will be your web mail’s knight in shining armor when a crafty attacker strikes? Think again, and do these four things to make sure your org’s protected.

Applying the NIST CSF to U.S. election security
NIST isn’t only useful for corporations – it’s helpful for guiding security activities around processes like our national elections. Our CISO’s got some thoughts on exactly how to apply NIST to election security.

Following the CloudTrail: Generating strong AWS security signals with Sumo Logic
Looking to get more or better security signals out of AWS? Then you’ll wanna read our pro tips on making the most of Amazon CloudTrail.

Five things law firms can do now to improve their security for tomorrow
Relativity CSO Amanda Fennell shares the top five, easy-to-get-started things she sees forward-thinking law firms doing to improve their security.

Our journey to JupyterHub and beyond
If you use or are considering trying JupyterHub, it’s your lucky day – we’re sharing configuration tips and tricks, how we’re using it to make technical research easier, and much more.

3 must-dos when you’re starting a threat hunting program
So you decided you want to build a threat hunting program ... but where do you start? Here are our three must-dos when you’re planning your hunt.

Here’s what you need to know about business email compromise (BEC)
How often does a business email compromise actually happen? And what should you do about it? Our infographic answers those questions and more.

How to make your org more resilient to common Mac OS attacks
Got Macs in your org? Here are a few recent Mac OS attack trends and how you can become more resilient to ‘em.

The top five pitfalls to avoid when implementing SOAR
SOAR isn’t really about “orchestration and response.” It’s an engineering problem at its core. Here’s why.

How to find anomalous process relationships in threat hunting
Finding anomalous process relationships – commands that don’t belong together – might indicate a problem within your environment. Here’s how to spot ‘em.

This is how you should be thinking about cloud security
Your IT team isn’t racking and stacking servers like they used to, but cracking the cloud security code is easier than you think. Get our pro tips for doing just that.

How to choose the right security tech for threat hunting
How do you decide which tech to use to carry out your hunt? This post’s got some pro tips for when and how to use different technology for your threat hunting mission.

Don’t blow it — 5 ways to make the most of the chance to revamp your security posture
If you’ve got a blank canvas with the opportunity to build a security program from scratch, here’s how to get started and make the most of your new program.

NIST’s new framework: Riding the wave of re-imagining privacy
The NIST Privacy Framework will revolutionize how we think about privacy. Here’s how your org might use it.

Four habits of highly effective security teams
Practice these habits consistently and you’ll have an engaged, talented and all-around awesome security team.

How to get your security tool chest in order when you’re growing like crazy
Need to expand your security tool chest? Our CISO’s got some tips to consider when thinking about what tech to keep or buy.

Does your MSSP or MDR provider know how to manage your signals?
How well is your MSSP or MDR going to manage your fleet of security signals over time? Here’s how to figure out whether they’re up for the challenge.

How to build a useful (and entertaining) threat emulation exercise for AWS
Want to test your analysts’ detection skills in the cloud? Here are our tips and tricks for building your own threat emulation exercise in AWS.

12 ways to tell if your managed security provider won’t suck next year
How can you figure out if the quality of the service you’re about to sign up for will improve over time? Our COO Yanek Korff’s got some tips for making sure you choose a service that’ll last.

How to start a cybersecurity program (or restart one that lapsed)
If you're left holding the hot potato of a legacy, lackluster security program, or are suddenly forced to protect your org and its data with less, here are a few quick steps to take to get cybersecurity efforts back on track.

Three tips for getting started with cloud application security
If you're feeling like your SaaS security knowledge is a bit cloudy, these three pro tips will get you started on the right path.

Office 365 security best practices: five things to do right now to keep attackers out
Figuring out how to protect your SaaS infrastructure like Office 365 – especially if you’re newer to cloud – can feel overwhelming. So here are five Office 365 security best practices to check out right now.

Reaching (all the way to) your NIST 800-171 compliance goals
Close common compliance gaps, without building a SOC, for NIST 800-171 security requirements. And a bit about how we can help.

Getting a grip on your cloud security strategy
Understanding how to think about cloud security differently is half the battle. We've thought a lot about it, and we’ve identified three key points that should inform your cloud strategy.

A common sense approach for assessing third-party risk
Let us walk you through our third-party assessment process. We think it's lightweight but still achieves the objective: determining if a vendor can be trusted.

Lessons learned from a CISO’s first 100 days
In this guest post, Amanda Fennell, CSO at Relativity, reflects on what she’s learned.

How to identify when you’ve lost control of your SIEM (and how to rein it back in)
See if these four telltale warning signs get your head nodding. If so, learn how to get started on regaining control.

What’s new in the NIST Cybersecurity Framework (CSF) v1.1
In case doing a “stare-and-compare” of the original and updated frameworks isn’t your idea of fun, I’ve highlighted three important changes here.

What is (cyber) threat hunting and where do you start?
We want to demystify what hunting is and what it’s not. So here goes nothin’ ...

How to get started with the NIST Cybersecurity Framework (CSF)
We give you a quick tour of the NIST Cybersecurity framework and describe how you can baseline your efforts in a couple of hours. So check it out.

What “I Love Lucy” teaches us about SOC performance
A little nerdy (and a lot math-y) post to help you better understand your SOC's systems, so you know how changes will impact its operation. If you’re wondering what “I Love Lucy” has to do with this then read on.

How much does it cost to build a 24x7 SOC?
Not all 24x7 SOCs are created equal. To figure out how much it costs to go 24x7, you have to first figure out what kind of SOC you’re trying to build. We outline four possible security operations centers and an estimate of your costs.

Managed detection and response (MDR): symptom or solution?
An uncommonly clear review of what managed detection and response (MDR) is, where it came from and what it can/can't do for you.

Decoded: new changes to NIST’s Cybersecurity Framework
NIST has polished up their Cybersecurity Framework based on thousands of organizations implementing it over the past three years. Our CISO, Bruce Potter, highlights three of the most significant (and practical) changes.

What’s endpoint detection and response (EDR) and when should you care?
We cut through the hype to explain what EDR products can do for you.

Warning signs that your MSSP isn’t the right fit
Look out for these five indicators that it's probably time to start considering alternatives to your managed security services provider. Plus, questions to ask to avoid these traps.

Budget planning: determining your security spend
Guidance and a short list of things you can do to help you answer the common question "how much should I spend on cybersecurity?"

How to avoid shelfware
Set yourself up for success by asking these four questions before you purchase new security products.

Mistakes to avoid when measuring SOC performance
Discover the three most common mistakes companies make when developing their first set of operational metrics.