Security operations | 2 min read | Expel Workbench History = unparalleled MDR transparency
Managed security services can often feel like a black box. Workbench's History shows every investigative action in a single thread, from the moment it was triaged through its closure.
Security operations | 7 min read | How to identify when you’ve lost control of your SIEM (and how to rein it back in)
See if these four telltale warning signs get your head nodding. If so, learn how to get started on regaining control.
Security operations | 8 min read | How to investigate like an Expel analyst: The Expel Workbench managed alert process
Ever wonder about how Expel’s analysts investigate alerts? Our SOC team created a workflow called the Expel Workbench managed alert process. Read on to find out how it works and how it can help you.
Security operations | 10 min read | Performance metrics, part 1: Measuring SOC efficiency
How do you establish metrics for SOC efficiency? This first post in a three-part series shares our team’s approach to setting SOC goals, creating a strategy and measuring success.
Security operations | 8 min read | Behind the scenes in the Expel SOC: Alert-to-fix in AWS
Wonder what real-life investigation and response looks like in the cloud? Buckle up! Our team walks you through a coin-mining attack in AWS that they recently foiled – all the way from alert to fix.
Tips | 6 min read | Prioritizing suspicious PowerShell activity with machine learning
Attackers love to look to PowerShell to enact their evil plans. Expel’s senior data scientist tells us how she used machine learning to help analysts spot malicious activity in PowerShell quickly.
Tips | 6 min read | How to create and maintain Jupyter threat hunting notebooks
We got a lot of questions about configuring Jupyter notebooks after presenting at Infosec Jupyterthon 2020. See our response along with some tips for incorporating this tech into infosec processes.
Security operations | 8 min read | Spotting suspicious logins at scale: (Alert) pathways to success
Find out how our SOC analysts used automation to reduce the time it takes to investigate and report a suspicious login by 75%. The team outlines the process and shares a case study of it in action.
Security operations | 9 min read | Obfuscation, reflective injection and domain fronting; oh my!
During a recent red team engagement, the CrowdStrike EDR Platform alerted our SOC team on the execution of a suspicious VBScript file. This is what they learned from untangling the malware code.
Security operations | 5 min read | Creating data-driven detections with DataDog and JupyterHub
Creating alert thresholds is critical to *not* driving your SOC analysts batty, but what’s the “right” number? Here are some tips, tricks and favorite tools we use to determine alert thresholds for customer environments.
Security operations | 8 min read | Why the cloud is probably more secure than your on-prem environment
Is your data really safer in the server room next door? Probably not. Here are five reasons why the cloud offers better security than your on-prem environment.
Security operations | 8 min read | Using JupyterHub for threat hunting? Then you should know these 8 tricks.
Jupyter Notebook gave us the freedom to rethink the way we analyzed hunting data. Here are some tips and tricks you can use in your own analysis.
Security operations | 5 min read | Better web shell detections with Signal Sciences WAF
Is Signal Sciences WAF part of your tech stack? Then you’ve got an amazing webshell detection method right at your fingertips.
Security operations | 5 min read | MFA is not a silver bullet to secure your cloud email
Learn why dual or multi-factor authentication (MFA) is not an entirely secure solution for cloud email security on the Expel blog.
Security operations | 7 min read | Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail
Looking to get more or better security signals from AWS Cloudtrail? Learn how with Expel.io. See how we use the Sumo Logic SIEM for actionable data.
Security operations | 4 min read | 3 must-dos when you’re starting a threat hunting program
So you decided you want to build a threat hunting program ... but where do you start? Here are our three must-dos when you’re planning your hunt.
How often does a business email compromise actually happen? And what should you do about it? Our infographic answers those questions and more.
Security operations | 6 min read | How to find anomalous process relationships in threat hunting
Finding anomalous process relationships -- commands that don’t belong together -- might indicate a problem within your environment. Here’s how to spot ‘em.
Security operations | 7 min read | How to choose the right security tech for threat hunting
How do you decide which tech to use to carry out your hunt? This post’s got some pro tips for when and how to use different technology for your threat hunting mission.
Security operations | 7 min read | How to build a useful (and entertaining) threat emulation exercise for AWS
Want to test your analysts’ detection skills in the cloud? Here are our tips and tricks for building your own threat emulation exercise in AWS.
Tips | 8 min read | How to find Amazon S3 bucket misconfigurations and fix them ASAP
Why do Amazon S3 bucket breaches happen and how can you protect your own org from making this mistake? We’ve got all the AWS pro tips for you in our latest post.
Tips | 6 min read | Evaluating GreyNoise: what you need to know and how it can help you
We use technologies behind the scenes to make Expel Workbench and our analysts more efficient. GreyNoise is one of those -- here's how we use it and why you might find it useful too.
Tips | 10 min read | Seven ways to spot a business email compromise in Office 365
Learn what business email compromise (BEC) is, the categories of BEC scams, and how to prevent or identify these phishing attacks in Office 365, including mailbox rule examples and more.
Tips | 8 min read | Why we love threat emulation exercises (and how to get started with one of your own)
If your team doesn’t have lots of incident response practice under their belt (yet!), a threat emulation exercise is the perfect way to help them flex...
Security operations | 5 min read | Reaching (all the way to) your NIST 800-171 compliance goals
Close common compliance gaps, without building a SOC, for NIST 800-171 security requirements. And a bit about how we can help.
Tips | 6 min read | How to get the most out of your upcoming SOC tour: making your provider uncomfortable
If you’re in the market for an MSSP or looking to keep tabs on your existing provider, visiting their security operations center (SOC) can be a good way to get a sense of what you’re really buying. Let us walk you through how to prepare so you get the most out of your visit.
Security operations | 8 min read | What “I Love Lucy” teaches us about SOC performance
A little nerdy (and a lot math-y) post to help you better understand your SOC's systems, so you know how changes will impact its operation.