Security operations

Top takeaways from our first quarterly report, filled with patterns and trends we identified from Q1 2022. Our goal? Help translate the events we detect into a security strategy for your organization.

Our SOC detected and stopped unauthorized access in one of our customer’s AWS environments. Here’s how we spotted it, the steps we took to understand what they did, lessons learned and key takeaways.

As more people look to donate to Ukrainian relief efforts, bad actors are taking advantage. Lookout for these phishing scams to ensure your donations are actually going to help those in need.

While the situation surrounding the reported breach of Okta by Lapsus$ is still developing, here are our top 7 recommendations you can take to protect yourself and your org.

This report dives into the top attack vectors and trends among the incidents our SOC investigated in February 2022. Learn our key recommendations to protect your org from these types of attacks.

Looking for an MDR provider? Make sure you understand their onboarding process. Here are the questions you should ask when you’re evaluating MDRs. Bonus: learn how we do onboarding here at Expel.

This report dives into the top attack vectors and trends among the incidents our SOC investigated in January 2022. Learn our key recommendations to protect your org from these types of attacks.

They’re at it again. This time attackers are phishing for credentials by sending fake AWS log-in pages to unsuspecting users. Find out how our crew identified and triaged a phishing email.

This report dives into the top attack vectors and trends among the incidents our SOC investigated in December 2021. Learn our key recommendations to protect your org from these types of attacks.

Heard about hunting but are unclear on whether it’s something you should invest in? You’re not alone. Find out what it is and the value it brings to your org’s detection and response capabilities.

This report dives into the top attack vectors and trends among the incidents our SOC investigated in November 2021. Learn our key recommendations to protect your org from these types of attacks.

As the holidays approach, cyber Grinches are targeting phishing campaigns to steal data, credentials and more. Look out for these email scams while online shopping and checking your inbox this season.

This report dives into the top attack vectors and trends among the incidents our SOC investigated in October 2021. Learn our key recommendations to protect your org from these types of attacks.

In this blog post, we’ll share how we’re using the Expel Phishing team and its simple, narrow focus, to achieve two goals -- Protect managed detection and response (MDR) service continuity, and Increase diversity in cybersecurity

Curious how Expel does remediation? Learn how our process works, what you can expect from our analysts during an investigation and what we’re adding next on our remediation roadmap.

This report dives into the top attack vectors and trends among the incidents our SOC investigated in September 2021. Learn our key recommendations to protect your org from these types of attacks.

How does Expel tackle phishing? Smart people and great tech. Learn how VMRay helps our analysts triage and analyze potentially malicious emails submitted by our managed phishing service customers.

This report dives into the top attack vectors and trends among the incidents our SOC investigated in August 2021. Learn our key recommendations to protect your org from these types of attacks.

Curious how attackers are prompting victims to engage with phishing campaigns? Check out the top keywords from the malicious emails our SOC investigated and our top resilience recommendations.

First we showed you how to spot an Okta compromise in this two-part blog series. Now we’ll walk you through our investigation and share five tips on how you can strengthen your security defense.

This report dives into the top attack vectors and trends among the incidents our SOC investigated in July 2021. Learn our key recommendations to protect your org from these types of attacks.

Building detections in Google Cloud Platform (GCP) but not sure where to start? Time to get strategic. Our detection and response engineers demystify the process for building detections in the cloud.

A red team recently swooped in and showed off some new tactics. What started as a PowerShell download cradle quickly turned into a custom rootkit download. Find out how we spotted the crafty red team.

Our SOC stopped a ransomware attack that compromised WordPress CMS to trigger a drive-by RAT download. Find out what happened, how we caught it, and our recommendations to secure your WordPress CMS.

Need to ensure your tech, privacy and security policies are compliant? Find out what compliance means in practice and how your MDR provider can support your compliance program, not become a liability.

Crafty attackers are finding new ways to bypass multiple-factor authentication. Find out how our SOC detected an attack and get some tips on how your org can prevent credentials phishing.

A new ransomware attack upheaved the beginning of Fourth of July weekend. Fortunately, there are steps you can take right now to stay safe. Find out what’s happening and how Expel is looking ahead.

Want a tour of Expel’s Phishing dashboard? Get a behind-the-scenes look at how one of our senior UX designers developed the Phishing dashboard for Expel’s managed phishing service customers.

We’re noticing a trend in ransomware attacks. But that doesn’t mean it’s time to go into panic mode. Find out what you need to know and get some tips on how you can keep your org safe.

You can scale your SOC and improve quality. Seems impossible? Not if you know how and what to measure. The crew that helped build Expel’s SOC explain how they pulled it off – and how you can too.

We shared the top attack trend spotted during the pandemic and what to keep an eye out for looking ahead. But how do you remediate and stay resilient against these attacks? Our crew shares some tips.

Our team shares some success stories in creating efficiency and reducing analyst burnout. They end this three-part series with a gift from our SOC – a downloadable resource to measure performance.

We’ve added something new to Expel Hunting: cloud hunts. Find out how our crew’s newly developed hunting techniques can help you spot visibility gaps in your cloud (and give you some peace of mind).

Check out our newest infographic to learn about the top attack trend during the COVID-19 pandemic, how our SOC’s data reinforces these recent findings and how you should be looking ahead.

Take our short quiz to find out how your approach to AWS security compares to similar orgs. Based on your responses, we’ll also share some resources to help you level up your AWS security game.

Expel used to give prospects an in-person tour of our SOC. Then 2020 happened. Enter Expel’s virtual SOC tour. Find out what’s included and how you can take full advantage of your time “in” our SOC.

Expel’s SOC spotted a new trend in REvil campaigns and they’re sounding the alarm. Find out what’s new about this type of attack, how our analysts spotted it and what you can do to protect your org.

Got Microsoft Azure? Running Microsoft products in your org? Then you might want to get a free copy of our all-new Azure guidebook.

Here’s how Expel created a phishing triage process that keeps our analysts’ heads above water while also ensuring that a trained pair of eyes is on every email submitted by our customers.

Here are some of our early observations on the SolarWinds Orion breach, plus our ideas on what to do next to detect related activity and better protect your org.

Ever wonder about how Expel’s analysts investigate alerts? Our SOC team created a workflow called the Expel Workbench managed alert process. Read on to find out how it works and how it can help you.

Red team sneak attack? Bring it on. Find out how we tackled a red team attack using open source offensive security tools in AWS and what you can do to protect your org from similar attacks.

It’s impossible to sum up a year that felt like 1000 in a single blog post. But we did gather some topline takeaways on security trends and the evolving role of the CISO from Expel’s Bruce Potter.

We’ve been doing a lot of investigations in AWS using CloudTrail logs and have been noticing some interesting things along the way. So we created an AWS mind map for our team (and you). Check it out!

In this second post in our three-part series on all things metrics and SOC leadership, our team dives into details of what metrics and techniques are used to protect the SOC against volatility.

You’ve heard that Expel integrates with your tech. But not YOUR tech. What gives? Well, sometimes it doesn’t always make sense. Expel’s COO explains why and what this means when working with us.

How do you establish metrics for SOC efficiency? This first post in a three-part series shares our team’s approach to setting SOC goals, creating a strategy and measuring success.

Expel recently integrated Microsoft Defender for Endpoint into our platform and we gotta say, we’re impressed! Our SOC analysts share why they love it and show us how they use it to triage alerts.

Think you can get a co-managed SIEM and then step away to let the magic happen? Not so fast. Our CISO shares some common myths and the realities you should consider before making a decision.

Wonder what real-life investigation and response looks like in the cloud? Buckle up! Our team walks you through a coin-mining attack in AWS that they recently foiled – all the way from alert to fix.

Find out how our SOC analysts used automation to reduce the time it takes to investigate and report a suspicious login by 75%. The team outlines the process and shares a case study of it in action.

During a recent red team engagement, the CrowdStrike EDR Platform alerted our SOC team on the execution of a suspicious VBScript file. This is what they learned from untangling the malware code.

Our analysts had to think fast when they recently encountered an incident involving compromised AWS access keys. Find out how they identified the attack and then kicked the bad guy out.

For many of us, Zoom is the app that’s keeping us connected. But recent news about security concerns has a lot of us wondering if it’s too risky. So... is it? Our CISO shares his thoughts.

Whether you work in security or are an informed voter (or both!), the security of our election ecosystem is everybody’s business. Here are the challenges our system faces and what we can do about them.

When we founded Expel nearly four years ago, we set out to provide our customers with greater peace of mind about security – whether they’re operating “business as usual” or facing more challenging circumstances.

Security ops is a team sport … but how do you “play” together when your company’s working 100% remotely? Jon’s got some advice.

There’s lots to like about the NIST CSF. Here are our practical tips for how to use it, plus a preview of a new NIST feature we introduced in Expel Workbench™.

Creating alert thresholds is critical to *not* driving your SOC analysts batty, but what’s the “right” number? Here are some tips, tricks and favorite tools we use to determine alert thresholds for customer environments.

We love EDR tools too, but here are our best tips and tricks for combining EDR data with other (equally) important security signals.

What’s this new framework and how should you use it? Our CISO’s got all the details plus a FREE downloadable self-scoring tool to help you assess where your org’s at when it comes to privacy.

Is your data really safer in the server room next door? Probably not. Here are five reasons why the cloud offers better security than your on-prem environment.

If you’re running workloads on AWS, then you’ll want to know all about the latest and greatest AWS-native security tools. We’ve got you covered in our latest post.

Jupyter Notebook gave us the freedom to rethink the way we analyzed hunting data. Here are some tips and tricks you can use in your own analysis.

If you’re running workloads on AWS, then you’d better be running GuardDuty. But what is it and how can you make sense of all the signals? Here are our pro tips.

Is Signal Sciences WAF part of your tech stack? Then you’ve got an amazing webshell detection method right at your fingertips.

Think MFA will be your web mail’s knight in shining armor when a crafty attacker strikes? Think again, and do these four things to make sure your org’s protected.

NIST isn’t only useful for corporations -- it’s helpful for guiding security activities around processes like our national elections. Our CISO’s got some thoughts on exactly how to apply NIST to election security.

Looking to get more or better security signals out of AWS? Then you’ll wanna read our pro tips on making the most of Amazon CloudTrail.

Relativity CSO Amanda Fennell shares the top five, easy-to-get-started things she sees forward-thinking law firms doing to improve their security.

If you use or are considering trying JupyterHub, it’s your lucky day -- we’re sharing configuration tips and tricks, how we’re using it to make technical research easier, and much more.

So you decided you want to build a threat hunting program ... but where do you start? Here are our three must-dos when you’re planning your hunt.

How often does a business email compromise actually happen? And what should you do about it? Our infographic answers those questions and more.

Got Macs in your org? Here are a few recent Mac OS attack trends and how you can become more resilient to ‘em.

SOAR isn’t really about “orchestration and response.” It’s an engineering problem at its core. Here’s why.

Finding anomalous process relationships -- commands that don’t belong together -- might indicate a problem within your environment. Here’s how to spot ‘em.

Your IT team isn’t racking and stacking servers like they used to, but cracking the cloud security code is easier than you think. Get our pro tips for doing just that.

How do you decide which tech to use to carry out your hunt? This post’s got some pro tips for when and how to use different technology for your threat hunting mission.

If you’ve got a blank canvas with the opportunity to build a security program from scratch, here’s how to get started and make the most of your new program

The NIST Privacy Framework will revolutionize how we think about privacy. Here’s how your org might use it.

Practice these habits consistently and you’ll have an engaged, talented and all-around awesome security team.

Need to expand your security tool chest? Our CISO’s got some tips to consider when thinking about what tech to keep or buy.

How well is your MSSP or MDR going to manage your fleet of security signals over time? Here’s how to figure out whether they’re up for the challenge.

Want to test your analysts’ detection skills in the cloud? Here are our tips and tricks for building your own threat emulation exercise in AWS.

How can you figure out if the quality of the service you’re about to sign up for will improve over time? Our COO Yanek Korff’s got some tips for making sure you choose a service that’ll last.

If you're left holding the hot potato of a legacy lackluster security program, or are suddenly forced to protect your org and its data with less, here are a few quick steps to take to get cybersecurity efforts back on track.

If you're feeling like your SaaS security knowledge is a bit cloudy, these three pro tips will get you started on the right path.

Figuring out how to protect your SaaS infrastructure like Office 365 -- especially if you’re newer to cloud -- can feel overwhelming. So here are five Office 365 security best practices to check out right now.

Close common compliance gaps, without building a SOC, for NIST 800-171 security requirements. And a bit about how we can help.

Understanding how to think about cloud security differently is half the battle. We've thought a lot about it, and we’ve identified three key points that should inform your cloud strategy.

Let us walk you through our third-party assessment process. We think it's lightweight but still achieves the objective - determining if a vendor can be trusted.

In this guest post, Amanda Fennell, CSO at Relativity reflects on what she’s learned.

See if these four telltale warning signs get your head nodding. If so, learn how to get started on regaining control.

In case doing a “stare-and-compare” of the original and updated frameworks isn’t your idea of fun, I’ve highlighted three important changes here.

We want to demystify what hunting is and what it’s not. So here goes nothin’ ...

We give you a quick tour of the NIST Cybersecurity framework and describe how you can baseline your efforts in a couple of hours. So check it out.

A little nerdy (and a lot math-y) post to help you better understand your SOC's systems, so you know how changes will impact its operation. If you’re wondering what “I Love Lucy” has to do with this then read on.

Not all 24x7 SOCs are created equal. To figure out how much it costs to go 24x7, you have to first figure out what kind of SOC you’re trying to build. We outline four possible security operations centers and an estimate of your costs.

An uncommonly clear review of what managed detection and response (MDR) is, where it came from and what it can/can't do for you.

NIST has polished up their Cybersecurity Framework based on thousands of organizations implementing it over the past three years. Our CISO, Bruce Potter, highlights three of the most significant (and practical) changes.