Security operations | 2 min read
2023 Great eXpeltations report: top six findings
Our second annual Great eXpeltations report details the major trends our security operations center (SOC) team saw in customer environments last year. It also offers insights and advice to help you avoid these threats.

Security operations | 4 min read
Dr. Strangelog or: How I learned to stop worrying and love alert
What if your data were higher in fidelity and richer in context? Assuming the technology is advanced enough to generate rich security signal, we can produce more refined alerts and embed more context and stability.

Expel insider | 3 min read
Touring the modern SOC: where are the dials and blinking lights?
SOC tours at Expel aren’t about showing off blinking lights and racks of equipment. Instead, it’s a discussion about mission, mindset, operations management, results, and the demos that make our SOC “go”.

Security operations | 4 min read
Attacker-in-the-middle phishing: how attackers bypass MFA
A new credential phishing tactic, called “attacker-in-the-middle” (AitM), can be effective at end-running MFA defenses. This analysis describes AitM and provides helpful advice for defending against it.

Security operations | 2 min read
Security alert: high-severity vulnerability affecting OpenSSL V3 and higher
The OpenSSL Project has identified two security vulnerabilities affecting OpenSSL v3.0 and later. Potentially affected users of versions 3.0.0-3.0.6 should upgrade to v3.0.7 as soon as it is reasonable to do so.

Security operations | 4 min read
Who ya gonna call (to make the most of your SIEM data)?
Customers who import their SIEM to a tool like Workbench can translate all the hours invested in development into customized rules. In other cases, they may realize they no longer need a SIEM.

Security operations | 5 min read
Understanding role-based access control in Kubernetes
Understanding authorization is critical to knowing how role-based access control (RBAC) works for securing Kubernetes. No matter your skill level, you must understand the rules that govern Kubernetes.

Security operations | 2 min read
Emerging Threats: Microsoft Exchange On-Prem Zero-Days
Until a patch is issued for the Microsoft Exchange Server zero-day vulnerabilities, there are a few things security teams can do to temporarily mitigate risk. Here’s what we recommend.

Security operations | 12 min read
Detection and response in action: an end-to-end coverage story
This dramatized case study illustrates how our MDR, phishing, and threat hunting services work, and most importantly, how they work together.

Security operations | 6 min read
Incident report: how a phishing campaign revealed BEC before exploitation
By the time the 89th phishing alert sounded, we knew a large-scale campaign had successfully hit a customer. This case walks you through what happened, what we did, and how it played out.

Engineering | 3 min read
Connect Hashicorp Vault and Google’s CloudSQL databases: new plugin!
Expel is excited to open source a new Hashicorp Vault plugin that brokers database credentials between Hashicorp Vault and Google’s CloudSQL DBs.

Security operations | 2 min read
A defender’s MITRE ATT&CK cheat sheet for Google Cloud Platform (GCP)
In this new handy guide, we mapped the patterns we’ve seen throughout our GCP incident investigations to the MITRE ATT&CK Framework to help give you a head start protecting your organization.

Security operations | 4 min read
How Expel’s Alert Similarity feature helps our customers
We process millions of alerts each day, and many look similar to one another. We asked ourselves: is it possible to teach our bots to compare similar “documents” and suggest or recommend a next step? (Spoiler alert: YES!)

Security operations | 2 min read
Cutting Through the Noise: RIOT Enrichment Drives SOC Clarity

Security operations | 5 min read
Detecting Coin Miners with Palo Alto Networks NGFW
With cryptojacking on the rise, we walk through why we’ve found Palo Alto Networks next-generation firewall is great at detecting it, and some actions we’ve integrated into our detection bot to help.

Security operations | 6 min read
Incident report: From CLI to console, chasing an attacker in AWS
Our SOC detected and stopped unauthorized access in one of our customer’s AWS environments. Here’s how we spotted it, the steps we took to understand what they did, lessons learned and key takeaways.

Security operations | 5 min read
Attack trend alert: Email scams targeting donations to Ukraine
As more people look to donate to Ukrainian relief efforts, bad actors are taking advantage. Look out for these phishing scams to ensure your donations are actually going to help those in need.

Security operations | 2 min read
Top 7 recs for responding to the Lapsus$ breach claims
While the situation surrounding the reported breach of Okta by Lapsus$ is still developing, here are our top 7 recommendations you can take to protect yourself and your org.

Security operations | 5 min read
Evaluating MDR providers? Ask these questions about their onboarding process
Looking for an MDR provider? Make sure you understand their onboarding process. Here are the questions you should ask when you’re evaluating MDRs. Bonus: learn how we do onboarding here at Expel.

Security operations | 4 min read
Attack trend alert: AWS-themed credential phishing technique
They’re at it again. This time attackers are phishing for credentials by sending fake AWS log-in pages to unsuspecting users. Find out how our crew identified and triaged a phishing email.

Security operations | 9 min read
The Grinchy email scams to watch out for this holiday season
As the holidays approach, cyber Grinches are targeting phishing campaigns to steal data, credentials and more. Look out for these email scams while online shopping and checking your inbox this season.

Security operations | 8 min read
A new way to recruit: Our approach to building Expel’s Phishing team
In this blog post, we’ll share how we’re using the Expel Phishing team and its simple, narrow focus to achieve two goals: protect managed detection and response (MDR) service continuity, and increase diversity in cybersecurity.

Security operations | 5 min read
The top phishing keywords in the last 10k+ malicious emails we investigated
Curious how attackers are prompting victims to engage with phishing campaigns? Check out the top keywords from the malicious emails our SOC investigated and our top resilience recommendations.

Security operations | 6 min read
Swimming past 2FA, part 2: How to investigate Okta compromise
First we showed you how to spot an Okta compromise in this two-part blog series. Now we’ll walk you through our investigation and share five tips on how you can strengthen your security defense.

Security operations | 6 min read
How Expel goes detection sprinting in Google Cloud
Building detections in Google Cloud Platform (GCP) but not sure where to start? Time to get strategic. Our detection and response engineers demystify the process for building detections in the cloud.

Security operations | 9 min read
Well that escalated quickly: How a red team went from domain user to kernel memory
A red team recently swooped in and showed off some new tactics. What started as a PowerShell download cradle quickly turned into a custom rootkit download. Find out how we spotted the crafty red team.

Security operations | 5 min read
Incident report: Spotting SocGholish WordPress injection
Our SOC stopped a ransomware attack that compromised WordPress CMS to trigger a drive-by RAT download. Find out what happened, how we caught it, and our recommendations to secure your WordPress CMS.

Security operations | 4 min read
How should my MDR provider support my compliance goals?
Need to ensure your tech, privacy and security policies are compliant? Find out what compliance means in practice and how your MDR provider can support your compliance program, not become a liability.

Security operations | 4 min read
Swimming past 2FA, part 1: How to spot an Okta MITM phishing attack
Crafty attackers are finding new ways to bypass multi-factor authentication. Find out how our SOC detected an attack and get some tips on how your org can prevent credential phishing.

Security operations | 7 min read
Come sea how we tackle phishing: Expel’s Phishing dashboard
Want a tour of Expel’s Phishing dashboard? Get a behind-the-scenes look at how one of our senior UX designers developed the Phishing dashboard for Expel’s managed phishing service customers.

Security operations | 4 min read
Someone in your industry got hit with ransomware. What now?
We’re noticing a trend in ransomware attacks. But that doesn’t mean it’s time to go into panic mode. Find out what you need to know and get some tips on how you can keep your org safe.

Security operations | 7 min read
Cloud attack trends: What you need to know and how to stay resilient
We shared the top attack trend spotted during the pandemic and what to keep an eye out for looking ahead. But how do you remediate and stay resilient against these attacks? Our crew shares some tips.

Check out our newest infographic to learn about the top attack trend during the COVID-19 pandemic, how our SOC’s data reinforces these recent findings and how you should be looking ahead.

Security operations | 8 min read
Improving the phishing triage process: Keeping our analysts (and our customers) sane
Here’s how Expel created a phishing triage process that keeps our analysts’ heads above water while also ensuring that a trained pair of eyes is on every email submitted by our customers.

Security operations | 3 min read
The SolarWinds Orion breach: 6 ideas on what to do next and why
Here are some of our early observations on the SolarWinds Orion breach, plus our ideas on what to do next to detect related activity and better protect your org.

Security operations | 8 min read
How to investigate like an Expel analyst: The Expel Workbench managed alert process
Ever wonder about how Expel’s analysts investigate alerts? Our SOC team created a workflow called the Expel Workbench managed alert process. Read on to find out how it works and how it can help you.

Security operations | 6 min read
Evilginx-ing into the cloud: How we detected a red team attack in AWS
Red team sneak attack? Bring it on. Find out how we tackled a red team attack using open source offensive security tools in AWS and what you can do to protect your org from similar attacks.

Security operations | 4 min read
The CISO in 2020 (and beyond): A chat with Bruce Potter
It’s impossible to sum up a year that felt like 1000 in a single blog post. But we did gather some topline takeaways on security trends and the evolving role of the CISO from Expel’s Bruce Potter.

Security operations | 9 min read
Performance metrics, part 2: Keeping things under control
In this second post in our three-part series on all things metrics and SOC leadership, our team dives into details of what metrics and techniques are used to protect the SOC against volatility.

Security operations | 10 min read
Performance metrics, part 1: Measuring SOC efficiency
How do you establish metrics for SOC efficiency? This first post in a three-part series shares our team’s approach to setting SOC goals, creating a strategy and measuring success.

Security operations | 8 min read
Behind the scenes in the Expel SOC: Alert-to-fix in AWS
Wonder what real-life investigation and response looks like in the cloud? Buckle up! Our team walks you through a coin-mining attack in AWS that they recently foiled – all the way from alert to fix.

Security operations | 8 min read
Spotting suspicious logins at scale: (Alert) pathways to success
Find out how our SOC analysts used automation to reduce the time it takes to investigate and report a suspicious login by 75%. The team outlines the process and shares a case study of it in action.

Security operations | 9 min read
Obfuscation, reflective injection and domain fronting; oh my!
During a recent red team engagement, the CrowdStrike EDR Platform alerted our SOC team on the execution of a suspicious VBScript file. This is what they learned from untangling the malware code.

Security operations | 3 min read
Election security: Why to care and what to do about it
Whether you work in security or are an informed voter (or both!), the security of our election ecosystem is everybody’s business. Here are the challenges our system faces and what we can do about them.

Security operations | 2 min read
NIST CSF: A new interactive tool to track your progress
There’s lots to like about the NIST CSF. Here are our practical tips for how to use it, plus a preview of a new NIST feature we introduced in Expel Workbench™.

Security operations | 5 min read
Creating data-driven detections with DataDog and JupyterHub
Creating alert thresholds is critical to *not* driving your SOC analysts batty, but what’s the “right” number? Here are some tips, tricks and favorite tools we use to determine alert thresholds for customer environments.

Security operations | 3 min read
How to get started with the NIST Privacy Framework
What’s this new framework and how should you use it? Our CISO’s got all the details plus a FREE downloadable self-scoring tool to help you assess where your org’s at when it comes to privacy.

Security operations | 8 min read
Why the cloud is probably more secure than your on-prem environment
Is your data really safer in the server room next door? Probably not. Here are five reasons why the cloud offers better security than your on-prem environment.

Security operations | 3 min read
Where does Amazon Detective fit in your AWS security landscape?
If you’re running workloads on AWS, then you’ll want to know all about the latest and greatest AWS-native security tools. We’ve got you covered in our latest post.

Security operations | 8 min read
Using JupyterHub for threat hunting? Then you should know these 8 tricks.
Jupyter Notebook gave us the freedom to rethink the way we analyzed hunting data. Here are some tips and tricks you can use in your own analysis.

Security operations | 5 min read
Better web shell detections with Signal Sciences WAF
Is Signal Sciences WAF part of your tech stack? Then you’ve got an amazing webshell detection method right at your fingertips.

Security operations | 5 min read
MFA is not a silver bullet to secure your cloud email
Learn how dual or multi-factor authentication (MFA) is not an entirely secure solution for cloud email security on the Expel blog.

Security operations | 7 min read
Generate Strong Security Signals with Sumo Logic & AWS CloudTrail
Looking to get more or better security signals from AWS CloudTrail? Learn how with Expel.io. See how we use the Sumo Logic SIEM for actionable data.

Security operations | 6 min read
Five things law firms can do now to improve their security for tomorrow
Relativity CSO Amanda Fennell shares the top five, easy-to-get-started things she sees forward-thinking law firms doing to improve their security.

Security operations | 4 min read
3 must-dos when you’re starting a threat hunting program
So you decided you want to build a threat hunting program ... but where do you start? Here are our three must-dos when you’re planning your hunt.

How often does a business email compromise actually happen? And what should you do about it? Our infographic answers those questions and more.

Security operations | 6 min read
How to make your org more resilient to common Mac OS attacks
Got Macs in your org? Here are a few recent Mac OS attack trends and how you can become more resilient to ‘em.

Security operations | 8 min read
The top five pitfalls to avoid when implementing SOAR
SOAR isn’t really about “orchestration and response.” It’s an engineering problem at its core. Here’s why.

Security operations | 6 min read
How to find anomalous process relationships in threat hunting
Finding anomalous process relationships -- commands that don’t belong together -- might indicate a problem within your environment. Here’s how to spot ‘em.

Security operations | 5 min read
This is how you should be thinking about cloud security
Your IT team isn’t racking and stacking servers like they used to, but cracking the cloud security code is easier than you think. Get our pro tips for doing just that.

Security operations | 7 min read
How to choose the right security tech for threat hunting
How do you decide which tech to use to carry out your hunt? This post’s got some pro tips for when and how to use different technology for your threat hunting mission.

Security operations | 4 min read
Don’t blow it — 5 ways to make the most of the chance to revamp your security posture
If you’ve got a blank canvas with the opportunity to build a security program from scratch, here’s how to get started and make the most of your new program.

Security operations | 4 min read
NIST’s new framework: Riding the wave of re-imagining privacy
The NIST Privacy Framework will revolutionize how we think about privacy. Here’s how your org might use it.

Security operations | 4 min read
How to get your security tool chest in order when you’re growing like crazy
Need to expand your security tool chest? Our CISO’s got some tips to consider when thinking about what tech to keep or buy.

Security operations | 4 min read
Does your MSSP or MDR provider know how to manage your signals?
How well is your MSSP or MDR going to manage your fleet of security signals over time? Here’s how to figure out whether they’re up for the challenge.

Security operations | 7 min read
How to build a useful (and entertaining) threat emulation exercise for AWS
Want to test your analysts’ detection skills in the cloud? Here are our tips and tricks for building your own threat emulation exercise in AWS.

Security operations | 9 min read
12 ways to tell if your managed security provider won’t suck next year
How can you figure out if the quality of the service you’re about to sign up for will improve over time? Our COO Yanek Korff’s got some tips for making sure you choose a service that’ll last.

Security operations | 4 min read
How to start a cybersecurity program (or restart one that lapsed)
If you're left holding the hot potato of a legacy lackluster security program, or are suddenly forced to protect your org and its data with less, here are a few quick steps to take to get cybersecurity efforts back on track.

Security operations | 3 min read
Three tips for getting started with cloud application security
If you're feeling like your SaaS security knowledge is a bit cloudy, these three pro tips will get you started on the right path.

Security operations | 3 min read
Office 365 security best practices: five things to do right now to keep attackers out
Here are five Office 365 security best practices to check out right now.

Security operations | 5 min read
Reaching (all the way to) your NIST 800-171 compliance goals
Close common compliance gaps, without building a SOC, for NIST 800-171 security requirements. And a bit about how we can help.

Security operations | 12 min read
A common sense approach for assessing third-party risk
Let us walk you through our third-party assessment process. We think it's lightweight but still achieves the objective: determining if a vendor can be trusted. And, as a bonus, we're providing the third-party questionnaire and emails we use so you can download them and get going right away.

Security operations | 7 min read
Lessons learned from a CISO’s first 100 days
In this guest post, Amanda Fennell, CSO at Relativity, reflects on what she’s learned: I recently finished my first 100 days as Chief Security Officer (CSO) of Relativity. I’ve learned a lot. And while every new CSO faces unique challenges, I’ve come up with some recommendations to help new CSOs.

Security operations | 6 min read
How to identify when you’ve lost control of your SIEM (and how to rein it back in)
See if these four telltale warning signs get your head nodding. If so, learn how to get started on regaining control.

Security operations | 4 min read
What’s new in the NIST Cybersecurity Framework (CSF) v1.1
In case doing a “stare-and-compare” of the original and updated NIST frameworks isn’t your idea of fun, I’ve highlighted three important changes here.

Security operations | 5 min read
What is (cyber) threat hunting and where do you start?
We want to demystify what threat hunting is and what it’s not. So here goes nothin’ ...

Security operations | 8 min read
How to get started with the NIST Cybersecurity Framework (CSF)
We give you a quick tour of the NIST CSF and describe how you can baseline your efforts in a couple of hours. So check it out.

Security operations | 9 min read
What “I Love Lucy” teaches us about SOC performance
A little nerdy (and a lot math-y) post to help you better understand your SOC's systems, so you know how changes will impact its operation.

Security operations | 5 min read
Managed detection and response (MDR): symptom or solution?
An uncommonly clear review of what managed detection and response (MDR) is, where it came from and what it can/can't do for you.

Security operations | 3 min read
Decoded: new changes to NIST’s Cybersecurity Framework
NIST has polished up their Cybersecurity Framework. Our CISO, Bruce Potter, highlights three of the most significant (and practical) changes.

Security operations | 3 min read
What’s endpoint detection and response (EDR) and when should you care?
We cut through the hype to explain what endpoint detection and response (EDR) products can do for you.