Pinned Tweet
Officially releasing StreamingPhish, a Python-based utility that uses supervised machine learning to rapidly detect phishing domains from the Certificate Transparency log network. Available on Github here: https://github.com/wesleyraptor/streamingphish … pic.twitter.com/GkJBPogttr
Wes Connell retweeted
I think @grecs wrote the best summary of my “monitor first” philosophy, which I believe are the best words ever written by @schneierblog back in 2001. https://www.novainfosec.com/2015/06/25/monitor-first-the-origin/ …
Wes Connell retweeted
The Stress and Joy of Security Jobs. A thread. A few months ago there was this whole thing about the stress of security roles, CISOs self-medicating, and a whole range of burn-out talk. Ok, yes, security is a tough job. A very tough job. 1/14
Wes Connell retweeted
Stop measuring the value of Threat Detection by how many alerts are generated and how many incidents they catch. A mouse trap won't catch mice if there are no mice to catch. But you need a mouse trap to know if there are mice. Waiting until you find poop everywhere is too late.
Wes Connell retweeted
Security Monitoring Wisdom: Realtime alerts do only make sense if you plan to also react in realtime. (e.g. fw block, disconnect systems) Otherwise the cost is too high. Better schedule a query that runs every 5 mins on the log data of the last 5 mins.
Wes Connell retweeted
Wish I had found that earlier, very good primer for classifying phishing domains from @wesleyraptor (2018), employing @calidogsec certstream, @x0rz phishing_catcher and with shoutouts to a few other folks on Twitter: https://www.youtube.com/watch?v=s5g7ij5EKoA …
Wes Connell retweeted
Please RT for visibility. Anyone doing 3rd party/vendor security work ever done a retro on vendors that you passed through review successfully and then discovered had suffered breaches? Curious as to numbers/rate correlated with efficacy of 3rd party risk management program.
Wes Connell retweeted
Awhile ago @cnoanalysis and I wrote a paper on the four types of threat detection. I see discussions of IOCs and TTPs and want to note: all four types of threat detection have value. Some are better in use cases like detection but better != all use-cases. https://dragos.com/wp-content/uploads/The_Four_Types-of_Threat_Detection.pdf …
Wes Connell retweeted
threat detection planning (the process of planning the tasks needed to properly operationalize threat intelligence) is hard and most orgs barely think about it. if i had to do this from scratch, here’s how i might approach it.
Wes Connell retweeted
Sysmon with DNS query logging and original file name reporting will publish on Tuesday. pic.twitter.com/0nTKJahjSe
Wes Connell retweeted
Soooooo our entire team got laid off with no notice, on a monday- and they didn't even reach out to let us know it was coming. So there are some great people today looking for pentesting work. I'm among them, and looking to work with a skilled team. Retweets are appreciated.
Wes Connell retweeted
If you had a breach today, what data source would you want for the investigation that you don't have now? Follow up question, what's stopping you from adding it now?
Wes Connell retweeted
GDPR took away email whois records which challenges investigation but why not: 1) provide one anonymized id per acct to allow correlation 2) implement transparency logs similar to cert stream 3) require SLA for abuse reports & publish common reporting api @nullcookies @SteveD3
Wes Connell retweeted
New #security #blog: Learn how @Lookout Phishing and Content Protection & @PhishingAi help defend against https phishing attacks: https://blog.lookout.com/mobile-phishing-protection-https-phishing-attacks … @dyngnosis #Phishing #PostPerimeter #cybersecurity #MobileSecurity pic.twitter.com/YVUQDERac7
Wes Connell retweeted
Just heard about a customer service exploit where the person called up multiple times and corrected a single character "misspelling" until the entire account was in his name.
Wes Connell retweeted
Security Data Science Learning Resources https://medium.com/@jason_trost/security-data-science-learning-resources-8f7586995040 … << feedback welcome
Wes Connell retweeted
Sysmon update coming soon with DNS query logging and executable's original file name version field in process and image log entries...
Wes Connell retweeted
my presentation from @BSidesSF was uploaded this week, check it out if you're interested in detecting adversaries via large scale file analysis https://youtu.be/j-wjXUs8k1M
Wes Connell retweeted
Supercharged certificate monitoring with Faust #dfir #ThreatHunting #infosec https://www.d3vzer0.com/supercharged-certificate-monitoring-with-faust/ …
Wes Connell retweeted
v3 of the strelka gRPC beta was released this week, anticipating one more beta round before it takes over as master. grab it here if you’re interested: https://github.com/target/strelka/tree/experimental/grpc …