Latest news with #AlexLanstein

The Hidden Questions Behind 'Did You See This Threat Intel Report?'

Forbes

04-08-2025

Alex Lanstein is the CTO of StrikeReady, pioneering unified AI-powered Security Command Center solutions for Security Operations Centers.

It's a common scenario among cybersecurity analysts: the boss approaches the security operations center (SOC), waving a threat intelligence report that they heard about in a board meeting or at an InfraGard event. They ask a question that is likely to determine what SOC professionals will be working on for the rest of the day: 'Did you see this?'

And with those four words, the boss has set a certain expectation for the SOC. But to effectively go on this fact-finding mission, analysts need to understand what the question really means—and the challenges they may face when trying to answer it.

The Three Real Questions Behind 'Did You See This?'

While the boss may have only uttered four words, there are generally three distinct questions being asked, and each one comes with different expectations.

To answer the first question, an analyst begins by extracting all of the indicators—which could be in the hundreds—including domains, hashes, IP addresses and URLs. Security operations teams block millions of things per day based on generic policies, but often these alerts predate finished intel, so there is no reason an analyst would have noticed a random IP address getting blocked by a web app.

While doing these searches, the SOC will rely on federated search capability in the stack that can look for data in every single security tool and find out what, if anything, has been blocked related to this threat. However, this can be easier said than done. Companies may rely on SIEM, XDR and EDR detection systems for this type of search, and there may be blind spots created if the systems haven't been effectively integrated—particularly if load balancers, edge devices and SaaS platforms are being used. As a result, the SOC may miss critical signals that analysts need to know.
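As an added illustration (not code from the article or from StrikeReady), the following Python script carries out the indicator extraction and the search across tools described here on constructed data: it refangs and extracts the indicators from a report excerpt, then checks each one against block/alert records and against raw telemetry, so every indicator ends up as blocked, observed without an alert, or not seen. The report text, log lines, hostnames, hash and IP addresses are all made up; handling of defanged indicators (hxxp, [.]) goes beyond what the text states and is an assumption about how vendor reports are written.

```python
import re

# Constructed threat-intel excerpt, defanged the way vendors publish it; every
# indicator and log line below is made up for this example.
REPORT = """Payloads were staged on hxxp://update-cdn[.]example[.]net/a.exe and the
implant resolved badhost[.]example[.]org before beaconing to 203[.]0[.]113[.]42.
Dropper SHA-256: 3f786850e387550fdab836ed7e6dc881de23001b3f786850e387550fdab836ed"""
# ALERTS: records a security tool already blocked or flagged (question 1).
# TELEMETRY: raw DNS/EDR data that never produced an alert (question 2).
ALERTS = [
    "2025-04-08T09:12:01Z proxy action=BLOCK url=http://update-cdn.example.net/a.exe",
    "2025-04-08T09:13:44Z firewall action=DENY dst=203.0.113.42 dport=443",
]
TELEMETRY = [
    "2025-04-08T09:13:40Z dns client=10.0.5.17 query=badhost.example.org rcode=NOERROR",
    "2025-04-08T10:02:19Z edr host=WS-0421 sha256=9a0e2b5c7d4f1a3e8b6c0d2f4a6e8c1b3d5f7a9c0e2b4d6f8a1c3e5b7d9f0a2c",
]

PATTERNS = {  # order matters: URLs are removed before domains are extracted
    "url": re.compile(r"https?://[^\s'\"<>]+", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

def refang(text):
    """Undo common defanging so indicators match what the logs actually record."""
    return re.sub(r"\[\.\]|\(\.\)", ".", text).replace("hxxp", "http")

def extract_indicators(report):
    """Return {indicator: type}; each match is blanked so the domain pattern skips hostnames inside URLs."""
    text, found = refang(report), {}
    for kind, rx in PATTERNS.items():
        for match in rx.findall(text):
            found.setdefault(match.lower(), kind)
        text = rx.sub(" ", text)
    return found

def present(ioc, lines):
    # anchor on non-identifier characters so 203.0.113.4 cannot hit 203.0.113.42
    rx = re.compile(r"(?<![\w.-])" + re.escape(ioc) + r"(?![\w.-])", re.I)
    return any(rx.search(line) for line in lines)

def triage(report, alerts, telemetry):
    """Classify each indicator as blocked, observed_no_alert or not_seen."""
    status = {}
    for ioc in extract_indicators(report):
        if present(ioc, alerts):
            status[ioc] = "blocked"
        elif present(ioc, telemetry):
            status[ioc] = "observed_no_alert"
        else:
            status[ioc] = "not_seen"
    return status
```

Calling `triage(REPORT, ALERTS, TELEMETRY)` on the constructed data marks the URL and the IP address as blocked, badhost.example.org as observed_no_alert (it appears only in DNS telemetry) and the hash as not_seen, which is exactly the split between the first two questions the boss is asking.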
Answering the second question can be more challenging than the first, because now the SOC is dealing with significantly more data—and has no alerts to work with, because the threat had not been detected. To answer this question, professionals have to search logs and telemetry, which can include firewall records, email click-through data, DNS records and browser histories. These systems tend to be decentralized, and if there is no way to do a scalable, federated search, analysts are tasked with looking for data in each individual location. That means Chrome-tab whiplash galore.

Furthermore, this is not only a time-consuming endeavor—it can also be a fruitless and frustrating one. Analysts are only likely to find something useful one percent of the time, so they usually don't get to answer their boss's question or feel the emotional satisfaction that comes with finding the threat they're looking for. To reiterate: Most hunt activities from broadly produced intel result in no findings on an unrelated network—but who wants to take that risk by not fully triaging a report?

The third question can possibly be answered by going to a vendor directly for information. However, it's usually not that simple. Factors that can influence whether or not a product can detect a specific threat include how it's configured, the level of service a SOC paid for, whether it's in block vs. alert mode or if it got a particular signature pack at the right time. This means SOCs will need to simulate threats to test the tools they use for protection. It can be a painstaking process that involves detonating hashed samples in a controlled environment, monitoring whether or not the detection and response program flags them and observing detection responses.

Why Most Organizations Fail At This

Attempting to answer the question, 'Did you see this?' is often unsuccessful, despite SOC professionals' best efforts.
This is generally because there's not a single place they can go to understand the enterprise's potential exposure—akin to a Google search for enterprise tools. Most enterprises can't search their SharePoint and JIRA in one place, much less the 50 security vendors large enterprises use on average. Without a centralized search or correlation engine, this tool sprawl leaves analysts manually searching logs across multiple platforms. And in this case, even the strongest analyst intuition may not be enough to overcome this challenge.

Recommendations For Business And Security Leaders

Cybersecurity threats come and go quickly, so there are going to be many times when the boss comes to the SOC asking those four words. Businesses and security leaders can make threat hunting easier by first finding out from the SOC team how long it takes to check the environment for the indicators of compromise from a threat report.

Based on that answer, companies can implement several solutions. For example, they can ensure that logs and telemetry are readily accessible to the SOC, so analysts are not just relying on alerts. Also, a company can invest in technology that allows real-time threat validation across alerts and logs, thus saving time. In addition, automating indicator extraction and federated search, consolidating visibility into a single location, and utilizing live testing and simulation capabilities in-house can make the threat detection process much smoother.

'Did you see this?' is a common question that SOC professionals hear—and it can lead to going down rabbit holes that turn out to be empty. As a result, this isn't the only question business leaders need to be asking their analysts to get the most robust answers. Instead, leaders can also ask SOCs, 'How quickly can we confirm, defend and adapt?' when it comes to a specific cybersecurity threat. This helps to make the SOC more proactive than reactive, while ensuring the organization is more resilient when threats do occur.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

Understanding The Challenges Of Cybersecurity Threat Readiness

Forbes

30-06-2025

Alex Lanstein is the CTO of StrikeReady, pioneering unified AI-powered Security Command Center solutions for Security Operations Centers.

The importance of keeping an organization's data safe can't be overstated. According to Thomson Reuters, just one data breach can cost a company millions—with no sign of that cost decreasing. Effective threat readiness helps reduce the risk of falling victim to cybercriminals and paying staggering sums to address the damage. But before security operations center (SOC) analysts can prevent attacks, organizations must first understand the core challenges to becoming truly threat-ready.

Common Threat Readiness Challenges

Threat readiness means being able to identify, prepare for and respond to cybersecurity threats. While all organizations should be concerned, there's no one-size-fits-all approach to staying secure. It's critical to develop methodologies tailored to each organization's specific needs and security landscape.

The first challenge in becoming threat-ready is identifying which threats matter the most. It's unrealistic to try to combat every attacker, every time. An intel-driven approach can help focus resources on high-priority threats—but leaders need to determine which ones are worth the focus. Simulation scenarios must be relevant to a company's sector and geography. Threat actors often target based on industry, region or past vulnerability. For instance, an attacker focused solely on Sri Lanka, Bangladesh and Pakistan is likely irrelevant to a Texas-based tax software company.

SOC teams should also track which threat groups have targeted them in the past. Getting breached once is forgivable—but being breached twice by the same actor can have serious professional consequences. By building profiles of likely attackers, cybersecurity teams can define the relevant actors, tactics and motivations, then design defenses that address them. While it may feel safer to respond to every threat, doing so wastes time and resources. Unless your organization has infinite budget, it's better to focus than overreact.

'Plumbing' refers to the behind-the-scenes effort of filtering, applying and managing security data effectively. SOCs are inundated with information—thousands of indicators, alerts and threat group signatures. Without good plumbing, teams can drown in a flood of false positives or irrelevant data. Improper filtering can not only trigger irrelevant alerts, it can also cause outages in network or endpoint infrastructure—potentially obscuring real threats amid the noise.

Blocking threats is a central goal, but automating this action introduces risk. Automatically blocking infrastructure based on threat intelligence may inadvertently disrupt employee access to legitimate applications. For example, some threat actors use trusted services—like obscure file-sharing platforms or even Google Calendar—for command and control. APT41 has used this exact tactic. If you block infrastructure flagged in threat intel without vetting, the outages you cause could be worse than the threats themselves.

Confidentiality is a cornerstone of effective threat readiness—but it's harder to maintain when integrating AI into workflows. AI can help analysts manage large volumes of data, but feeding sensitive information into third-party systems raises privacy concerns. Organizations should be cautious when uploading alert data into AI platforms like OpenAI or Google Gemini. These companies have legitimate access to user input, and while their analysts are skilled professionals, they openly publish threat intel on their public blogs—indicating that customer data may be actively reviewed.

When a data breach is suspected, especially in regulated industries, SOCs must act quickly—while also following strict protocols. Investigations need to be trackable and auditable to ensure clarity later. If an analyst investigates a breach involving a senior executive, they must document every step. Without clear records, actions like pulling files or accessing email accounts can raise internal or legal concerns and may reduce trust in future automation.

Getting Ahead Of The Threat Curve

Navigating threat readiness challenges requires a strategic blend of human expertise, actionable intelligence and smart automation. Rather than adopting generic security frameworks, companies should build comprehensive, adaptable programs that reflect their unique threat landscape and operational priorities.

Proving The Value Of SOCs When Nothing Is On Fire

Forbes

18-04-2025

Alex Lanstein is the CTO of StrikeReady, pioneering unified AI-powered Security Command Center solutions for Security Operations Centers.

Every day, security operations center (SOC) professionals protect their companies' systems through proactive threat intelligence activities that include gathering information about potential cyberattacks, analyzing their impact and determining the most effective way to respond to them.

During a cyberattack, the worth of an SOC is clear. When everything is burning down, SOCs are the firefighters working to protect an organization's systems. But how do SOCs demonstrate their worth when nothing is on fire?

Unfortunately, some company decision makers may regard SOCs as the seatbelt they can remove because they haven't been in any accidents lately. Even though they're getting the benefits of the daily protections SOCs provide, when there's no clear evidence of this defense, companies may decide that the precautions aren't worth the cost.

SOCs already know how valuable they are, but it doesn't matter if no one else sees what they bring to the table. As a result, it's important for SOCs to actively and consistently prove their worth by changing the way they operate.

When SOCs have effectively warded off security breaches, it can be difficult for them to get the visibility and credibility they deserve because nothing is happening. And when nothing is happening, an organization's management may be left wondering what the SOC actually does—and why it's even necessary.

To help make the business case for SOCs, leveraging metrics is key. There are numerous points in the analyst workflow that can be highlighted.

• Extracting Indicators: SOCs regularly review threat intelligence reports. It's important to highlight the value of this work. Outlining all of the domains, IP addresses, hashes and URLs that may have been problematic without their intervention demonstrates how many fires could have burned a company's system down—but didn't get a chance to ignite.

• Checking Intelligence Feeds: Often, leaders overlook the effort spent to proactively block threats, and they assume the things being prevented are not 'novel.' But that is not necessarily the case. SOCs should show how they've extracted and searched, on a retroactive basis, for indicators that were caught by security tools. To say it another way, there is very little finished threat intel about today's threats. Those intel products are released weeks or months from 'boom,' so you need to run a retrospective analysis to help tell a better story of the attacks you blocked three months ago. It didn't happen to you, but it did impact another organization. Otherwise, there would be no intel.

• Reviewing Alerts: Security tools should be maximally implemented and effective, but are they really? SOCs should provide metrics about which tools are producing what quality of alerts on an ongoing basis. Oftentimes, cybersecurity vendors wax and wane in the quality of their detection capabilities, and management should be able to understand when that once-hot vendor starts to taper off in value.

• Searching Logs: Alerts are only as good as the frequency at which they're generated. Leaders won't know about threats that no one was warned about, but SOCs will. They can communicate with decision makers about their ability to look at endpoint telemetry, network traffic and browser activity logs to find indicators of threats that were present, but never triggered an alert. Creating metrics about the time it takes to execute basic hunts (indicator-based searches) shows where telemetry and search horsepower could be improved.

• Simulating Attacks: A simulation is a fire that never actually sparked, but one that could have. SOCs should execute controlled threat simulations in virtual environments to determine the effectiveness of security tools for detecting and responding to possible threats. Since organizations generally don't track these time-consuming tasks, letting executives know about simulations—or even showing one in action—can illustrate the importance of SOCs' work.

Despite the various metrics SOCs can report to their organizations, they generally don't monitor their effectiveness. One major factor that precludes reporting on metrics is the manual effort it takes. Developing and updating connectors to collect, analyze and correlate threat intelligence information from various security tools would be extremely onerous. Although security orchestration tools do exist, they require companies to build their own playbooks and manage APIs that can frequently change. This means only the most sophisticated organizations with security engineers can create effective workflows—leaving other companies to toil with the more labor-intensive approach.

However, this doesn't mean metrics should not be measured at all. If SOC analyst workflow metrics are too challenging to quantify and record, there is another way they can show their value: benchmarking. Establishing benchmarks allows SOCs to adopt a data-based strategy that boosts their effectiveness. This also allows them to illustrate how many reports have been handled, as well as how much time was spent on each phase of the process. Some of the questions SOCs can use as the foundation for measuring benchmarks include:

• How long does it currently take to fully analyze one threat intelligence report?
• How many reports should be reviewed per day or week to achieve threat coverage?
• Where are the logjams?
• Does a tool or manual workflow cause delays?
• How can automation be used to increase the speed of these processes without jeopardizing the quality?

Answering these questions can be a starting point for how SOCs present their daily activities in a way that's meaningful to management. Chances are, executives aren't aware of the numerous activities SOC analysts engage in when there's no obvious threat to manage. This problem can be solved by SOCs regularly documenting their efforts through weekly reports.

Cybersecurity is a dynamic field, so organizations must shift from a defensive approach to managing threats proactively. However, in order to do this, SOCs must be able to demonstrate the importance of their roles and justify their budgets. Otherwise, leaders may come to the conclusion that SOCs just aren't needed. By creating performance benchmarks and measuring how effective they are, SOCs can prove that the data fires that never burn are the most important fires of all.