Skip to main content

Why is Critical Infrastructure So Vulnerable to Insider Threats?

Why is Critical Infrastructure so Vulnerable to Insider Threats?

A recent article in the Washington Post “Russia has developed a cyberweapon that can disrupt power grids, according to new research” came as a real reminder of the constant risk critical infrastructure operators face. The malware, which researchers have dubbed CrashOverride, is known to have disrupted only one energy system in Ukraine but could be deployed against U.S. electric transmission and distribution systems. The consequences of insider threats to critical infrastructure operators are much greater[…]

Read more


User Behavior Anomaly Detection Meets Distributed Computing

User Entity Behavior Analytics (UEBA) analyzes log data from different sources in order to find anomalies in users’ or entities’ behaviors. Depending on enterprise sizes and available log sources, data feeds can range from tens of gigabytes to terabytes a day. Typically, we need 30 days, if not more, to build proper behavior profiles. This calls for an analytics platform that is capable of ingesting and processing this volume of data. In this blog, I[…]

Read more

Topics: data science

Too Many Alerts… Just Give Me the Interesting Ones!

Security analysts often wrestle with the high volume of alerts generated from security systems and much like the protagonist in The Boy Who Cried Wolf, many alerts tend to be ignored. Human analysts quickly learn to ignore repeated alerts in order to focus on the interesting ones.  Learning to screen out repeated alerts as false positives allows analysts to focus their finite time where it matters most. A natural question, then, is whether we can[…]

Read more

Topics: data science, SECURITY

Ransomworm: Don’t Cry – Act.


In July last year, we released our research report on the Anatomy of a Ransomware attack in which we looked into both the financial model of ransomware and then detection as it unfolds. Due to the recent WannaCry ransomware craze, we think it’s time to revisit. When we addressed ransomware last year, we made a significant comment about the ever-evolving nature of malicious software. We predicted that in the near future (evidently now) ransomware will move[…]

Read more

Topics: data science, ransomware, SECURITY, SIEM, Uncategorized

5 Aspects to Consider When Evaluating SIEM Solutions

Considering SIEM Solutions

The SIEM category is quite mature; all Magic-Quadrant-Leader products are more than a decade old. In fact, the youngest product is 14 years old. When these products were in their prime, design requirements were different: an enterprise-class product might be expected to store 50 TB of logs; correlation rules were considered a major advance over signatures for detection; searches were judged on speed and it was acceptable to require complex search syntax; finally, the hard[…]

Read more

Topics: SIEM

A Machine Learning Study on Phishing URL Detection

Many network attack vectors start with a link to a phishing URL. A carefully crafted email containing the malicious link is sent to an unsuspecting employee. Once he or she clicks on or responds to the phishing URL, the cycle of information loss and damage begins. It would then seem highly desirable to nip the problem early by identifying and alerting on these malicious links. In this blog, I’ll share some research notes here on[…]

Read more

Topics: data science, SECURITY

Flipping the SIEM Value Equation

If you operate a SIEM, you probably deeply sympathize with what I’m about to say. SIEMs are over priced. More accurately, SIEMs are overpriced compared to the value they actually provide to their customers. Not only are these systems responsible for draining security budgets, they aren’t effective in helping customers to effectively manage security incidents. The Economics of SIEMs (and Razors) All legacy SIEMs have at least one thing in common, some form of data[…]

Read more


Breaking Down Barriers To Effective Cyber Defense with UEBA

Recently, the CyberEdge Group released its 2017 Cyberthreat Defense Report, a survey of 1,100 IT security professionals on topics ranging from cyber-attack trends and security investment, to tool effectiveness and security best practices. Of course there were a lot of interesting findings in this year’s report, however the part that really caught my eye was the chart on “top barriers to establishing an effective cyber threat defense”. As part of the report, respondents were asked[…]

Read more

Topics: Uncategorized

On True Positives and Security Incidents

The Potential POS Breach Exabeam recently discovered unusual behavior at one of our retail customers. On some of the most sensitive point of sale (POS) devices, a local account was added to a privileged active directory group. Some of the audit functionalities on these machines were then disabled and a few minutes later the account was removed from the privileged group and the audit functionalities were reactivated. This was happening on hundreds of POSs at[…]

Read more


First-time Access to an Asset - Is it Risky or Not?: A Machine Learning Question

Looking for outliers or something different from the baseline is a typical detection strategy in user and entity behavior analytics (UEBA). One example is a user’s first-time access to an asset such as a server, a device or an application. The logic is sound and is often used as an example in the press for behavior-based analytics. However, it is an open secret among the analytics practitioners that alerts of this type has a high[…]

Read more

Topics: data science, SECURITY