Top 10 posts with the most lifetime views (excluding paper announcement blogs, Medium posts only):

1. Security Correlation Then and Now: A Sad Truth About SIEM
2. Can We Have “Detection as Code”?
3. Detection Engineering is Painful — and It Shouldn’t Be (Part 1)
4. NEW Anton’s Alert Fatigue: The Study
5. Revisiting the Visibility Triad for 2020 (update for 2025 is coming soon)
6. Beware: Clown-grade SOCs Still Abound
7. Why is Threat Detection Hard?
8. A SOC Tried To Detect Threats in the Cloud … You Won’t Believe What Happened Next
9. Top 10 SIEM Log Sources in Real Life? [updated/modified version]
10. How to Think about Threat Detection in the Cloud

Top posts with paper announcements:

• New Paper: “Future of the SOC: SOC People — Skills, Not Tiers”
• New Paper: “Future of the SOC: Forces shaping modern security operations”
• New Paper: “Future Of The SOC: Process Consistency and Creativity: a Delicate Balance” (Paper 3 of 4)
• New Paper: “Future of the SOC: Evolution or Optimization — Choose Your Path” (Paper 4 of 4.5)
• New Paper: “Future of SOC: Transform the ‘How’” (Paper 5)
• New Paper: “Autonomic Security Operations — 10X Transformation of the Security Operations Center” (the classic 2021 ASO paper!)
• New Paper: “Securing AI: Similar or Different?“ (update for 2025 coming soon!)

NEW: recent 3 fun posts, must-read:

• Anton’s Alert Fatigue: The Study (long!)
• The Return of the Baby ASO: Why SOCs Still Suck?
• 15+ Years of Loading Threat Intel into SIEM: Why Does This Still Suck?

Top 7 Cloud Security Podcast by Google episodes (excluding the oldest 3!):

1. EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil (our best episode! officially!)
2. EP8 Zero Trust: Fast Forward from 2010 to 2021
3. EP47 “Megatrends, Macro-changes, Microservices, Oh My! Changes in 2022 and Beyond in Cloud Security”
4. EP17 Modern Threat Detection at Google
5. EP109 How Google Does Vulnerability Management: The Not So Secret Secrets!
6. EP103 Security Incident Response and Public Cloud — Exploring with Mandiant
7. EP153 Kevin Mandia on Cloud Breaches: New Threat Actors, Old Mistakes, and Lessons for All

Now, fun posts by topic.

Security operations / detection & response:

• “Security Correlation Then and Now: A Sad Truth About SIEM”
• “Migrate Off That Old SIEM Already!” (VIDEO!)
• “Measuring the SOC: What Counts and What Doesn’t in 2025?” (Google Cloud Blog)
• “Can We Have “Detection as Code”?”
• “Revisiting the Visibility Triad for 2020”
• “Beware: Clown-grade SOCs Still Abound”
• “Why is Threat Detection Hard?”
• “A SOC Tried To Detect Threats in the Cloud … You Won’t Believe What Happened Next”
• “Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait…”
• “Top 10 SIEM Log Sources in Real Life?” (NEWER VERSION)
• “Debating SIEM in 2023, Part 1”
• “Debating SIEM in 2023, Part 2”
• “Log Centralization: The End Is Nigh?”
• “How to Make Threat Detection Better?”
• “SIEM Content, False Positives and Engineering (Or Not) Security”
• “Modern SecOps Masterclass: Now Available on Coursera”

(if you only read one, choose this one!)

Cloud security:

• “Using Cloud Securely — The Config Doom Question”
• “Who Does What In Cloud Threat Detection?”
• “How to Solve the Mystery of Cloud Defense in Depth?”
• “Does the World Need Cloud Detection and Response (CDR)?”
• “Use Cloud Securely? What Does This Even Mean?!”
• “How CISOs need to adapt their mental models for cloud security” [GCP blog]
• “Who Does What In Cloud Threat Detection?”
• “Cloud Migration Security Woes”
• “Move to Cloud: A Chance to Finally Transform Security?”
• “It’s a multicloud jungle out there. Here’s how your security can survive“

HGD:

• “How Google Does It: Finding, tracking, and fixing vulnerabilities” (Google Cloud blog)
• “How Google Does It: Red teaming at scale” (Google Cloud blog)

CISO, culture, FMC, etc

• “New Office of the CISO Paper: Organizing Security for Digital Transformation”
• “10 ways to make cyber-physical systems more resilient”

AI security:

• ”Our Security of AI Papers and Blogs Explained” [this has a whole lot of AI security fun links that you so want to click!]
• “Securing AI Supply Chain: Like Software, Only Not” (Google Cloud blog, 30K views…)
• “Spotlighting ‘shadow AI’: How to protect against risky AI practices” (part 1)
• “Shadow AI Strikes Back: Enterprise AI Absent Oversight in the Age of Gen AI” (part 2)
• “New Paper: “Securing AI: Similar or Different?“
• “The Prompt: What to think about when you’re thinking about securing AI”
• “Gen AI governance: 10 tips to level up your AI program”
• “AI Adoption: Learning from the Cloud’s Early Days”
• NEW: “Demystifying AI Security: New Paper on Real-World SAIF Applications”
• “To securely build AI on Google Cloud, follow these best practices”
• “Oops! 5 serious gen AI security mistakes to avoid”
• “3 new ways to use AI as your security sidekick” (Google Cloud blog)

(if you only read one, choose this one!)

NEW: fun presentations shared:

• Detection Engineering Maturity — Helping SIEMs Find Their Adulting Skills (2024)
• Future of SOC: More Security, Less Operations (2024)
• SOC Meets Cloud: What Breaks, What Changes, What to Do? (2023)
• Meet the Ghost of SecOps Future (2023)
• The Future of Log Centralization for SIEMs and DFIR — Is the End Nigh? (2023)
• 20 Years of SIEM (2022)

Enjoy!

Previous posts in this series:

• Anton’s Security Blog Quarterly Q4 2024
• Anton’s Security Blog Quarterly Q3 2024
• Anton’s Security Blog Quarterly Q2 2024
• Anton’s Security Blog Quarterly Q1 2024 Lite
• Anton’s Security Blog Quarterly Q3 2023
• Anton’s Security Blog Quarterly Q2 2023
• Anton’s Security Blog Quarterly Q1 2023
• Anton’s Security Blog Quarterly Q4 2022
• Anton’s Security Blog Quarterly Q3 2022
• Anton’s Security Blog Quarterly Q2 2022
• Anton’s Security Blog Quarterly Q1 2022
• Anton’s Security Blog Quarterly Q4 2021
• Anton’s Security Blog Quarterly Q3 2021
• Anton’s Security Blog Quarterly Q2 2021
• Anton’s Security Blog Quarterly Q1 2021
• Anton’s Security Blog Quarterly Q3.5 2020

- By Anton Chuvakin (Ex-Gartner VP Research; Head Security Google Cloud)

Original link of post is here

Thank you to everyone who joined us on board for the CISO Cocktail Reception at RSA Conference 2025! It was a truly special evening, and we’re so glad to have shared it with our incredible cybersecurity community. We were thrilled to be a part of the CISO Cocktail Reception during the RSA Conference USA 2025 — not just any reception, but one set aboard a private yacht, cruising the beautiful San Francisco Bay! With the iconic skyline as our backdrop, the event offered the perfect blend of high-level networking and relaxed, memorable conversations.

It’s always powerful to see this community come together — not just in conference rooms but also in moments like these. The yacht party gave CISOs, CSOs and senior cybersecurity executives a chance to connect beyond the day-to-day, share real stories and enjoy some well-deserved downtime. The evening was organized by EC-Council, with CISO Platform and FireCompass as proud community partners. From stunning views and sunset selfies to lively chats about the future of cybersecurity, this was more than an event — it was a celebration of community.

CISO Platform was proud to support this exclusive experience. As a trusted peer network of 40,000+ cybersecurity leaders, we’re committed to enabling real-world collaboration, sharing proven frameworks, and helping CISOs stay ahead of emerging threats.

We’re excited about what’s ahead — and we’d love for you to get a sneak peek too. Thanks again for being a part of this. Until next time! 

>> If you wish to join us next year, express interest here : Express Interest Here  

Read More: (Sneak Peek) RSA Conference USA Innovation Sandbox 2025 | Top Cyber Security Companies
Curious about the top 10 cybersecurity companies that made it to the finals of the RSA Innovation Sandbox 2025? Click here to explore the full list.

Welcome to the April edition of CISO Platform Highlights – your quick snapshot of the most insightful content, expert conversations, and community updates from the world of cybersecurity leadership.

This month, we delved into the often-hidden journey of stolen data on the dark web – from breach to monetization – in an eye-opening Fireside Chat. Plus, we spotlight two deeply analytical community reads that explore the evolution of SOCs and the formalization of cybersecurity weaknesses. Also, a quick heads-up: Nominations for the CISO 100 Awards & Future CISO Awards USA 2025 are now open! Recognize the cybersecurity leaders making a difference in your network—or put your own name forward!

Fireside Chat You Can’t Miss

The Dark Path of Stolen Data – Understanding the Underground Economy

A powerful discussion featuring:

• Matthew Maynard - Security Operations Specialist, BJC Healthcare

• Erik Laird - Vice President (North America, FireCompass)

These experts unpack the lifecycle of breached data, its economic implications, and how organizations can better protect themselves in the face of organized cybercrime.

>>Read the Executive Summary 

Featured Reads from the Community

1) The Return of the Baby ASO: Why SOCs Still Suck? | Anton Chuvakin

SOCs still suck—why? Security legend Anton Chuvakin dives into the surprising return of the “Baby ASO” and what it reveals about modern security ops. A must-read for anyone frustrated with the state of SOCs.

>>Read More 

2) Bugs Framework (BF): Formalizing Cybersecurity Weaknesses and Vulnerabilities | Irena Bojanova 

Discover how the BUGS Framework brings clarity by formalizing cybersecurity weaknesses. Don't miss this game-changing approach to smarter, more structured vulnerability management!

>>Read More

Call for Nominations: CISO 100 Awards & Future CISO Awards (USA) | In Association With EC Council

We’re thrilled to open up nominations for the CISO 100 Awards & Future CISO Awards – USA Edition. Know someone who’s leading the charge in cybersecurity? Or think you should be recognized? 

Date: 1st & 2nd October 2025
Venue: Renaissance Atlanta Waverly Hotel & Convention Center

>>Nominate Yourself or a Peer 

(Sneak Peek) RSA Conference USA Innovation Sandbox 2025 | Top Cyber Security Companies

Over 20 years, RSAC Innovation Sandbox contest brings cybersecurity's new innovators to put the spotlight on their potentially game-changing ideas. Each year, 10 finalists grab the spotlight for a three-minute pitch while demonstrating groundbreaking security technologies to the broader RSA Conference community. Since the start of the contest, the top 10 finalists have collectively seen over 90 acquisitions and $16.4 billion in investments.

>>Read More 

Join The Cyber Security Community 

At CISO Platform, our mission is to deliver high-quality insights and create meaningful connections among senior cybersecurity professionals. With a global network of 6,500+ CISOs and InfoSec leaders, you’ll always find ideas, answers, and allies here. 

Want to contribute your insights? Share a blog on CISOPlatform.com and help others make smarter security decisions.

>>Sign Up 

One of my friends, Greg van der Gaast tells this great story that perfectly illustrates one of the biggest challenges we face in cybersecurity today. It goes something like this…

“Imagine someone who loves coffee. They have a fantastic coffee shop just steps from their home, serving the best lattes and espressos in town. But instead of strolling over to enjoy this local gem, they hop in their car and drive miles away for an average cup from a chain café. Why? Not because the coffee is better, but because they love cars and driving so much more—it’s their joy, their comfort zone, and safe space.”

This simple analogy speaks volumes about how cybersecurity operates today. Instead of focusing on accessible, impactful solutions like human risk management, we gravitate toward shiny new technologies—tools and systems that feel exciting, measurable, and comfortably within our domain of expertise. While these technological investments have their value, they’re not enough to solve the fundamental problem—the majority of risks come from humans. Much like driving to a chain café, this approach might feel familiar, but it often delivers underwhelming results.

To achieve true resilience in cybersecurity, we need to break out of this tech-first mindset. Greg’s coffee story pushes us to think differently. It’s not about the excitement of the drive or the allure of the car but about returning to what truly delivers value—the human side of cybersecurity. Leadership, culture, and human risk management need to become the core focus if we’re to build a sustainable and secure framework for the future.

The Allure of Technology in Cybersecurity

Cybersecurity professionals, like Greg’s car-loving coffee enthusiast, often find comfort in technology. Tools like Generative AI, advanced encryption systems, quantum computing, and automated threat detection are thrilling to evaluate, offering dashboards full of data and the tantalising promise of cutting-edge solutions. Technology feels tangible, and it gives us a sense of control in a rapidly evolving threat landscape.

But just like the coffee drinker who bypasses their local shop, our focus on technology often distracts us from what’s most important. The hard truth is that technology alone can’t fix the root causes of cyber risk. Whether it’s a mis-click on a phishing email, poor password management, acting on a deepfake, or a misconfiguration, human error accounts for most breaches.

These are challenges that require more than just a flashy new tool to overcome. They require addressing the people behind the processes.

Why Human Risk Management Matters

Greg’s analogy has a direct lesson for us in cybersecurity: just as the best coffee is right outside the door in his scenario, the most impactful cybersecurity solution for organisations is already available to them – it’s their people! When we invest in cybersecurity human risk management, we build stronger foundations that improve resilience across the board.

Here’s how human-centered strategies can transform cybersecurity:

1. Leadership Creates the Framework

Strong leadership is the foundation for a successful cybersecurity strategy. Leaders must set the tone, providing vision, fostering accountability, and—as Greg might put it—ensuring we “park the car and start walking toward what really matters.” A leadership culture that emphasises psychological safety enables teams to ask questions, admit mistakes, and innovate confidently. Without such commitment at the leadership level, it’s impossible to truly address deeper, human-related cybersecurity risks.

2. Culture Shapes Everyday Decisions

Leadership sets the tone, but organisational culture turns cybersecurity into a collective habit. A strong culture integrates security into the organisation’s DNA, helping everyone from entry-level employees to executives become active participants in defence.

The problem is that many organisations treat culture-building as an afterthought. They rely on compliance-driven security awareness training that barely scratches the surface. A meaningful security culture is only possible through engagement, diversity, and collaboration. When everyone in an organisation feels responsible for cybersecurity, its security posture improves exponentially.

3. Cybersecurity Human Risk Management Simplifies the Complex

Another reason we focus on technology is that it feels like the straightforward answer to overwhelming complexity. Hundreds of dashboards, endless alerts, and a flood of metrics, however, create decision paralysis within cybersecurity teams. Paradoxically, tools that are implemented with the intention of providing simple solutions to complex problems often end up further complicating them.

A human-focused approach to cybersecurity human risk management emphasises clarity and focus. Fewer, more targeted metrics allow teams to home in on what truly matters, empowering them to act decisively without being overwhelmed by noise. By simplifying processes, we can improve outcomes while reducing stress on cybersecurity professionals.

4. Technology as a Tool, Not the Strategy

Technology absolutely has a role in cybersecurity, but it should amplify human efforts, not serve as a substitute for them. When we start with a foundation of leadership, culture, and people-focused processes, technology becomes exponentially more effective. It’s the complement, not the crutch.

Breaking Out of the Comfort Zone

Greg’s coffee lover isn’t making the best choice—they’re operating inside their comfort zone. Similarly, cybersecurity professionals often stay in the familiar realm of tech solutions, avoiding the more challenging territory of human risk management. But real change happens when we address these foundational issues. By investing in people-first strategies, organisations can finally achieve the resilience they’ve been chasing through technology alone.

It’s time to ask ourselves a hard question. Are we driving miles for an average cup of coffee, or are we ready to step outside our comfort zone and grab the great one waiting on our doorstep?

Boost Cybersecurity Strategy Through Human Risk Management

The strongest cybersecurity strategies don’t rely on the latest tools. They depend on the strongest foundations—leadership, culture, and people. If you’re still stuck in the tech-comfort zone, now is the time to step into a new way of thinking.

Greg’s story reminds us that better results are closer than we think. Walk to the coffee shop. Build a foundation around cybersecurity human risk management. And create a safer, more resilient future for your organization.

If you’re ready to shift your focus to people and put human risk management at the centre of your cybersecurity strategy, we’re here to help.

Now I want to hear from you

If you’re ready to shift your focus to people and put human risk management at the centre of your cybersecurity strategy, I’m here to help. Contact me today to start the conversation.

By Jane Frankland (Business Owner & CEO, KnewStart)

Original link of post is here

Imagine building a house on sand or precariously stacking blocks in a game of Jenga. No matter how carefully you place the materials or how advanced the tools you use, the structure is doomed to collapse without a strong, stable foundation.

This is the state of cybersecurity today.

Organisations invest heavily in governance, risk, and compliance (GRC) and risk management efforts while neglecting foundational elements like leadership and culture. The result? Fragile systems that fail to keep pace with attackers.

To break free from this cycle, we must rethink how we approach cybersecurity. A useful analogy is Maslow’s hierarchy of needs—a psychological framework that explains human motivation as a progression from fundamental needs to self-actualisation. Likewise, cybersecurity demands a layered approach, starting with foundational human-centered elements and building toward a resilient, secure business environment. Without these foundations, all the technology in the world won’t secure your organisation.

The Illusion of Security Built on Sand

Organisations are pouring resources into cybersecurity technologies, from generative AI to emerging quantum solutions. These tools undoubtedly offer opportunities to enhance defences, detect threats, and streamline operations. However, technology alone cannot solve the security puzzle. By focusing disproportionately on tech and GRC metrics, organisations are neglecting the deeper structural issues—much like stacking new blocks onto a shaky Jenga tower.

Consider this problem in light of Maslow’s hierarchy. Just as safety and belonging must precede human accomplishments, leadership, culture, and people-centric processes must underpin any secure environment. Without these base layers, organisations are left vulnerable, spending millions but achieving little more than an illusion of security.

The Cybersecurity Hierarchy of Needs

To secure a business—truly secure it—we need to reframe our strategies, moving away from tech-dependent approaches and focusing on what really matters. Here’s how applying the principles of Maslow’s hierarchy can transform cybersecurity:

1. Leadership Is the Foundation (Physiological Needs)

Leadership acts as the bedrock of effective cybersecurity. Strong leaders set vision, build trust, and foster accountability. Yet, today’s cybersecurity leaders often operate in a culture of fear, where asking questions feels unsafe and decisions are made with uncertainty. This weak leadership results in cracks at the very foundation of cybersecurity efforts.

To build securely, organisations must prioritise psychological safety. Teams need leaders who understand the complexity of cybersecurity and support innovation, not just compliance. When leadership is strong, the rest of the structure can rise.

2. Culture Embeds Security into Daily Life (Safety Needs)

If leadership is the foundation, culture is the frame that gives the structure its shape. A strong cybersecurity culture ensures that security isn’t just an afterthought—it becomes part of the organisation’s DNA. But too many businesses still approach cybersecurity with a compliance checklist mindset, treating it as a box to tick rather than a way to embed awareness and responsibility across the enterprise.

An effective culture prioritises continuous education, diversity of thought, and collaboration. It transforms employees into active participants in defence, rather than passive liabilities. Without this layer, even the best technology will fail because the human element is left unaddressed.

3. Risk Management Brings Clarity (Belonging and Love Needs)

The middle of the hierarchy addresses our need for connection and clarity. For organisations, this is the role of risk management. However, many businesses today drown in data, bombarded with endless alerts, metrics, and dashboards. This overload leads to analysis paralysis, distracting teams from what matters most.

Simplifying risk management through targeted metrics and actionable insights strengthens an organisation’s focus. By subtracting noise and zeroing in on critical threats, we can empower cybersecurity teams to act quickly and decisively, avoiding the chaos that often occurs during high-stress scenarios.

4. Defence Enhances Confidence (Esteem Needs)

Defence strategies are like esteem in Maslow’s hierarchy—they provide the confidence and trust that organisations need to function securely. But focusing solely on perimeter defences or siloed solutions isn’t enough. Attackers evolve constantly, and static defence mechanisms quickly become irrelevant.

Layered, adaptive security strategies that protect both operational reputation and critical assets are essential. However, these defences must also balance usability. Overly restrictive security measures can cripple operations, alienate teams, and even drive risky workarounds, which is what we regularly see.

5. Community Unlocks Purpose and Growth (Self-Actualization)

At the top of the hierarchy is community—collaboration beyond the organisation itself. When businesses engage with industry peers, share threat intelligence, and partner with external stakeholders, they elevate their security posture while contributing to a broader, safer digital ecosystem.

From cross-industry alliances to public-private partnerships, building community collaboration unlocks the full potential of a cybersecurity strategy. It transforms the fight against cyber threats from an isolated battle to a shared mission.

Technology Alone Is Not Enough

Generative AI, quantum computing, and other technological advancements offer promising possibilities, but they’re not silver bullets. Generative AI, for instance, can streamline threat detection—but it can also generate hallucinations or misuse data. Similarly, quantum computing may disrupt cryptography but also brings new vulnerabilities. Without the grounding of people and processes, such technologies can exacerbate risk rather than reduce it.

To move forward, we must place people at the centre of our cybersecurity strategies. Technology is a tool—when used in isolation, it lacks the capacity to drive meaningful change. Only by anchoring it in strong leadership, a supportive culture, and effective processes can you achieve the ultimate goal of doing business securely.

The Human Cost of Neglect

Failing to address foundational cybersecurity needs isn’t just a strategic misstep—it’s a human crisis. Overworked and overwhelmed, cybersecurity professionals face alarming rates of burnout, absenteeism, and even industry attrition. According to recent studies:

• • 62% of cybersecurity leaders report experiencing burnout in the last 2-years, with nearly half feeling this way multiple times.

• • 67% of Security Operations Centre (SOC) analysts suffer from alert fatigue, with 83% of alerts being false positives.

• • Gartner predicts that this year, half of cybersecurity leaders will leave the industry entirely.

When human capacity is stretched too thin, mistakes happen. Alert fatigue, decision-making paralysis, and mental health challenges undermine the very professionals tasked with protecting your organization.

Rebuilding Cybersecurity from the Ground Up

The way forward is clear. Stop building cybersecurity strategies on the unstable sands of GRC metrics and isolated tech investments. Start with people.

Reassess your approach today. Are you missing foundational layers like leadership and culture? Are your cybersecurity strategies propped up by technology without addressing the people at their core? If so, it’s time to rebuild.

True security isn’t about doing cybersecurity better—it’s about doing business securely. This means investing in leadership, fostering a culture of security, and prioritising the health and well-being of your cybersecurity teams before layering on technology and process improvements.

To End: The Human-Centric Cybersecurity Alternative

We have a choice. Continue stacking blocks into a fragile cybersecurity Jenga tower or start building a resilient structure with strong foundations.

Emerging approaches like cybersecurity human risk management enable organizations to better measure, evaluate, and understand the behaviors and risk profiles of the humans that make up the foundational layer of truly effective cybersecurity.

Adaptive security awareness training solutions leverage individuals’ data to personalize their security awareness training, ensuring that the right person receives the right training, at the right time.

These approaches reflect the foundational insight that human-centric cybersecurity starts by putting human beings at the heart of cybersecurity, ensuring that the technology layered thereafter are compatible with the people they’re intended to protect.

The choice is simple.

Now I want to hear from you

Tell me in the comments, what’s the biggest challenge you’ve faced in getting people to engage with cybersecurity from a human risk management perspective—and how did you tackle it?

If you want to move toward a people-first cybersecurity strategy, and are unsure how to do that, join in the conversation on Linkedin or better sill schedule a discovery call.

By Jane Frankland (Business Owner & CEO, KnewStart)

Original link of post is here

Key Cybersecurity Challenges In 2025—Trends and Observations

by Chuck Brooks

In 2025, cybersecurity is gaining significant momentum. However, there are still many challenges to address. The ecosystem remains unstable in spite of investments and the introduction of new tools. In addition to adding my own findings, I have examined some recent statistics, trends, and remedies. Among the subjects covered are ransomware, DDoS attacks, quantum technology, healthcare breaches, artificial intelligence and AI agents, and cybersecurity for space assets. No doubt, there are many more that could be added.

Artificial Intelligence, Cybersecurity, and AI Agents

“87% of security professionals report that their organization has encountered an AI-driven cyber-attack in the last year, according to a new study by SoSafe, Europe’s largest security awareness and human risk management solution.” 87% of firms hit by AI cyber-attacks

“Agents are the talk of the AI industry—they’re capable of planning, reasoning, and executing complex tasks like scheduling meetings, ordering groceries, or even taking over your computer to change settings on your behalf. But the same sophisticated abilities that make agents helpful assistants could also make them powerful tools for conducting cyberattacks. They could readily be used to identify vulnerable targets, hijack their systems, and steal valuable data from unsuspecting victims.” Cyberattacks by AI agents are coming | MIT Technology Review

Benefits such as cyber protection technologies, AI may also have disadvantages as described in the articles above. Threat actors can use them. Malicious hackers and antagonistic countries can already recognize and exploit vulnerabilities in threat detection models using AI agents.

However, agentic AI enabled cybersecurity holds enormous potential for detecting, filtering, neutralizing, and remediating cyberthreats. Agentic AI can tackle the core issues of threat detection, response time, and analyst burden. Security teams can function more efficiently in a more hostile digital environment thanks to these technologies, which automate operations while preserving human oversight.

Additionally, GenAI and predictive algorithms may be able to use predictive models in cybersecurity more effectively, producing better outcomes and more reliable security data. AI agents combined with GenAI could be used to recommend paths for mitigation and optimize cybersecurity knowledge and incident response for businesses and organizations.

AI Agents Trending

“The growth in the popularity of AI agents in the latter months of 2024 mirrors how ChatGPT and other generative AI systems catapulted into and transformed the AI market in 2022. Vendors seemingly jumped from developing the latest large language models (LLMs) and AI chatbots to creating agents and action models.” 2025 will be the year of AI agents | TechTarget

AI Agents For Good- Artificial General Decision Making™ (AGD™)

“A San Francisco company founded in 2023 called Klover AI defines Artificial General Decision Making™ (AGD™) as the creation of systems designed to enhance human decision-making capabilities, ultimately leading to “superhuman productivity and efficiency” for individuals . The fundamental goal of AGD™, according to the company, is to empower individuals to such an extent that every person on the planet can achieve a state of “superhuman” capability through the use of advanced decision-making systems. Dany Kitishian, the founder of Klover AI, describes these AI agents as sophisticated software entities capable of perceiving their environment, making informed decisions, and performing actions to achieve specific objectives, thereby significantly enhancing communication and user interactions . This vision is rooted in the idea of augmenting human capabilities rather than replacing them, aligning with a “people-centered AI strategy” that aims to amplify human strengths and provide individuals with more opportunities through better-informed systems .” Google Gemini Deep Research confirms Klover pioneered and Coined Artificial General Decision Making™ (AGD™) | by Dany Kitishian | kloverai | Mar, 2025 | Medium

CB Thoughts: Advancements in technology have led to significant changes in businesses and societal norms through artificial intelligence. This new era may alter our self-perception through AI and machine learning-based computing and Agentic AI will be a catalyst and help lead the way. The integration of engineering, computer algorithms, and culture is ushering in an era of rapidly advancing, interconnected devices. The growth of technology will influence societal progression. Scientific and technological developments are anticipated to significantly impact humanity.

Healthcare Breaches Continue to Rise

“In 2024, healthcare data breaches reached an all-time high, with 276,775,457 records compromised – a 64.1% increase from the previous year’s record and equivalent to 81.38% of the United States population. Despite managing sensitive patient data, findings reveal that healthcare organizations still struggle with corporate customer data protection.” Data breaches rock leading US hospitals| Cybernews

“Cyberattacks targeting healthcare organizations are rising, and the financial and operational toll they take is growing. A recent report from Proofpoint found 92% of healthcare organizations reported experiencing a cyberattack in 2024, up from 88% in 2023, while the average cost of the most expensive attack was $4.7 million.” The Biggest Healthcare Cybersecurity Threats in 2025 | HealthTech

CB Thoughts: It is hardly surprising that criminal hackers are still focusing on the healthcare industry. As medical care grows more networked and connected through computers and other devices, the digital environment of health administration, clinics, hospitals, and patients has become increasingly vulnerable. It is necessary to safeguard many facets of the cybersecurity healthcare environment. These include safeguarding patient privacy, securing medical devices and equipment, and protecting hospital and medical facility information security networks. Healthcare organizations must implement intrusion detection and response systems, conduct regular security audits, and use penetration testing to safeguard sensitive data. In addition to reducing the impact of bot assaults and improper IT configurations, these techniques can be used to identify potential insider threats.

Multifactor authentication and employee training are two aspects of good cyber hygiene that hospitals and other healthcare organizations should implement. Additionally, they want to employ several firewalls, multilayer protection, and real-time network system monitoring. To reduce security risks, medical devices should also be encrypted. Plans for backup, recovery, and continuity should be in place for hospitals and other healthcare facilities. The risks are too high to overlook the necessity of an all-encompassing approach to holistic cybersecurity.

Quantum Cybersecurity Becoming an Imperative

“Quantum computing is becoming real and will soon be able to solve problems well beyond the capabilities of today's fastest supercomputers. In the wrong hands, however, quantum computers will also create a new pain level for cybersecurity professionals.” How quantum cybersecurity changes the way you protect data | TechTarget

‘In a striking development, researchers have created a quantum algorithm that allows quantum computers to better understand and preserve the very phenomenon they rely on – quantum entanglement.” Quantum Computers Just Got Smart Enough to Study Their Own Entanglement

“These computers work by harnessing quantum physics — the strange, often counterintuitive laws that govern the universe at its smallest scales and coldest temperatures. Today’s quantum computers are rudimentary and error-prone. But if more advanced and robust versions can be made, they have the potential to rapidly crunch through certain problems that would take the current computers years. That’s why governments, companies and research labs around the world are working feverishly toward this goal.” Quantum Computing Explained | NIST

CB Thoughts: There is concern that protected data may be cracked using quantum computers in the future. The processing power of quantum computers poses a risk to cybersecurity through their ability to quickly decode complex problems. This situation poses an immediate threat to financial systems and critical infrastructure.

The RSA-2048 encryption standard would require a billion years for a conventional computer to break, but a quantum computer could theoretically do so in less than two minutes. Quantum researchers refer to the day when large-scale quantum computers can use Shor's algorithm to break all public key systems based on integer factorization as "Q-Day".

The era of quantum computing is approaching faster than anticipated, with artificial intelligence likely to be integrated with quantum technology. The convergence of these technologies will have significant implications. It is important to prepare for both the positive and negative impacts of quantum technologies due to their disruptive potential.

Cybersecurity for Space Assets

“As the space domain continues to evolve, so do its threat actors. In the proverbial game of keeping data safe and secure, how is the cybersecurity world keeping up?

Via Satellite spoke with cybersecurity and space experts to predict what’s to come in 2025, including the impact of rapid advancements in Artificial Intelligence (AI) and quantum technologies.” Game-Changing Predictions for Cybersecurity in 2025 | April/May 2025

“Protecting the frontier of space systems is unquestionably a security priority for governments and industry. Due to our increasing reliance on space, and particularly satellites, for communications, security, intelligence, and business, satellite and space cybersecurity is becoming increasingly important in this new digital era.” (26) Cybersecurity of Space Systems | LinkedIn

CB Thoughts: Space increasingly serves nations for information exchange and surveillance, monitoring threats and geopolitical developments, which is essential for national security. The national security apparatus recognizes the rising threat posed by cyber threats to satellites.

The reliance on space and satellites for communications, security, intelligence, and commerce highlights the growing importance of satellite and space security in the digital era. In recent years, the number of satellite launches has increased, resulting in thousands of satellites in low-Earth orbit that are susceptible to cyberattacks. Satellites facilitate data transfer over long, international distances, and many communication networks are transitioning from land-based communications to cloud systems. As launch costs have decreased, the number of satellites in orbit has surged, expanding the potential targets for hackers both in space and at ground control centers.

Alarming Ransomware Attacks Continue

“A new report from Ivanti surveyed more than 2,400 security leaders and found that the top predicted threat for 2025 is ransomware. According to the report, nearly 1 out of every 3 security professionals (38%) believe ransomware will become an even greater threat when powered by AI. The report found a gap in preparedness for ransomware attacks, with only 29% of security leaders saying they are very prepared for ransomware incidents.” 1 in 3 security leaders say AI will make ransomware a greater threat | Security Magazine

“The Travelers Companies, an insurer, published findings indicating that ransomware remains a significant threat. The fourth quarter of 2024 experienced the highest level of ransomware activity recorded in any prior quarter, with a total of 1,663 known victims posted on leak sites, according to that research. In addition, 55 new ransomware groups emerged last year — a 67% increase in group formation compared with 2023, the Travelers report said.” Ransomware attacks surged 50% in February: NCC | CFO Dive

CB Thoughts: Businesses are facing ransomware more frequently because of AI enabled phishing attacks combined with social engineering. In ransomware attacks, hackers encrypt vital files so victims cannot access their data. They demand a ransom to restore the systems and data. These attacks can spread fear and disrupt company networks and systems, especially for businesses dependent on supply chain coordination.

Small businesses, healthcare facilities, and higher education institutions have been found to be the most susceptible sector to ransomware cyberattacks due to their lack of cybersecurity expertise and significant security resources. They have paid a high price and frequently covertly pay ransoms in cryptocurrencies to avoid liabilities and suffering closures, even though it is not encouraged.

DDoS Attacks Problematic

“The number of Distributed Denial of Service (DDoS) attacks has shot up since the first half of last year, according to new research, with DDoS-for-hire services becoming increasingly sophisticated. Figures from Netscout show there were almost nine million DDoS attacks in the second half of 2024, up 12.75% on the first half. The rise is driven by the increasing use of DDoS attacks as a tool of choice in cyber warfare linked to socio-political events such as elections, civil protests, and policy disputes.” Surging DDoS attack rates show no sign of slowing down – here’s why | IT Pro

CB Thoughts: A Denial-of-Service attack (DDoS) occurs when an adversary utilizes many devices to flood a target system, network, or website with traffic. This technique stops authorized users from accessing the target by overloading its processing power.

Hackers often target networking equipment that connects to the internet in DDoS assaults, taking advantage of common server and network device behavior. As a result, attackers focus on edge network elements (such switches and routers) rather than individual servers. A denial-of-service attack overloads the devices that deliver bandwidth, or the network's pipe. DDoS as a service platform is also used by criminals to launch assaults against corporate websites and demand ransom payments, threatening to degrade the service if the money is not paid.

As innovative technologies like artificial intelligence and quantum computing advance in capabilities and comprehension, 2025 will see a variety of both old and new cyberthreats. For everyone concerned, defending their data and business continuity against cyberattacks will be particularly difficult this year.

- By Chuck Brooks (President, Brooks Consulting International)

Original link of post is here

Cyber Crime: Stages of Trial in Court

There are four types of Trials under the ‘Bhartiya Nagrik Surksha Sanhita 2023’ (BNSS):

1. Summons Trial

2. Warrant Trial

• I. Cases instituted on police report
• II. Cases instituted otherwise than on police report

3. Session Trial

4. Summary Trial

1. Filing a Complaint

• Reporting the Crime: The victim or informant files a complaint with the police or a specialized cybercrime police station or cell. This is the first step in initiating legal action.

• FIR Registration: A First Information Report (FIR) is registered under Section 154 of CRPC earlier and under Section 173(1) and Sction 173(2) BNSS, which mandates the recording of information about a cognizable offense.

2. Investigation

• Evidence Collection: The police or investigating agency collects digital evidence, such as IP addresses, transaction records, and forensic data. This is governed by Section 157 of BNSS, which outlines the procedure for investigation.

• Identifying the Culprit: Investigators trace the origin of the cybercrime, often involving international collaboration if the crime crosses borders.

• Filing the Charge Sheet: Once the investigation is complete, a charge sheet is filed under Section 173 of BNSS, which requires the police to submit a report to the magistrate.

Relevant Sections:

• BNSS Section 157: Investigation by the police.

• BNSS Section 173: Submission of the charge sheet.

3. Framing of Charges

• Court Review: The magistrate or sessions court reviews the charge sheet and evidence to determine if there is sufficient ground to proceed.

• Framing Charges: Charges are framed under Section 228 of BNSS, which allows the court to formally charge the accused based on the evidence.

Relevant Sections:

• BNSS Section 228: Framing of charges.

4. Trial Proceedings

• Prosecution’s Case: The prosecution presents its case, including evidence and witness testimonies, under Section 244 of BNSS. This stage aims to prove the guilt of the accused beyond a reasonable doubt.

• Defence’s Case: The defense presents its arguments and evidence under Section 247 of BNSS, challenging the prosecution’s case.

• Cross-Examination: Both sides cross-examine witnesses under Section 137 of BNSS, which governs the examination and cross-examination of witnesses.

Relevant Sections:

• • BNSS Section 244: Prosecution evidence.

  • BNSS Section 247: Defense evidence.

  • BNSS Section 137: Examination of witnesses.

5. Judgment

• Final Arguments / Verdict / Quantum of Punishment / Judgment under Sections 257 to 258

This is the final stage of trial where both parties, after proper evaluation of statements, evidence, and testimony of witnesses, put their case before the Court, through oral arguments. Based on the arguments and the material evidence on record, the judge will pronounce if the accused is convicted or acquitted of the charges leveled against them. If the judge convicts the accused, then he will have to hear the accused on the quantum of the judgment under Section 401 of BNSS as to what shall be the period of him serving the term for the offence committed by him and on hearing the accused, the judge will pass a detailed judgment, recording all the reasons as to why, the accused shall be punished for the offence.

• Court’s Decision: The judge delivers a verdict under Section 392 of BNSS, either acquitting or convicting the accused.

Relevant Sections:

• BNSS Section 352: Final arguments.

• BNSS Section 392 : Judgment.

6. Appeal

• Right to Appeal: If either party is dissatisfied with the judgment, they can appeal to a higher court under Section 413 of BNSS.

• Final Resolution: The appellate court reviews the case and may uphold, modify, or overturn the original decision.

Relevant Sections:

• BNSS Section 413: Right to appeal.

7. Execution of Sentence

• Implementation: If the accused is convicted, the sentence is executed as per the court’s orders under Section 458 of BNSS.

• Rehabilitation: In some cases, the court may recommend rehabilitation programs for the accused.

Relevant Sections:

• BNSS Section 458: Execution of sentence.

Key Points to Remember

• Burden of Proof: The prosecution must prove the accused’s guilt beyond a reasonable doubt, as per BNSS Section 101.

• Types of Trials: Cybercrime trials are typically conducted as sessions trials under BNSS, given the severity of such offenses.

• Electronic Evidence: The admissibility of digital evidence is governed by BNSS Section 65B, which aligns with the Indian Evidence Act.

Conclusion

The stages of a cybercrime trial in India are meticulously structured under the Bharatiya Nagarik Suraksha Sanhita (BNSS) and Bharatiya Nyaya Sanhita (BNS). From filing an FIR to executing the sentence, each stage ensures that justice is served while addressing the unique challenges posed by digital offenses. By understanding these stages and the relevant legal provisions, victims, defendants, and legal professionals can navigate the system more effectively.

By: Adv. (Dr.) Prashant Mali Founder at Cyber Law Consulting (Advocates & Attorneys)

Original link to the blog : Click Here

The digital realm has permeated every facet of modern life, leaving an indelible mark on the legal landscape. Electronic evidence, encompassing emails, messages, social media posts, and digital documents, has become a cornerstone in legal proceedings. India's legal system, recognizing this paradigm shift, has evolved to accommodate electronic evidence under the Indian Evidence Act, 1872 (IEA), and subsequently the Bharatiya Sakshya Adhiniyam, 2023 (BSA).

This blog post delves into the evolution of electronic evidence jurisprudence in India through landmark case laws, providing a comprehensive overview of the legal precedents under IEA and BSA up to 2025.

The Genesis: Electronic Evidence under IEA

The IEA, initially designed for a pre-digital era, received its first major amendment in 2000 with the introduction of Section 65B. This provision sought to address the admissibility of electronic records, acknowledging their growing significance in legal proceedings. However, the absence of a prescribed format for the certificate under Section 65B led to inconsistencies and challenges in judicial interpretations.

Landmark Case Laws under IEA:

• State (N.C.T of Delhi) vs. Navjot Sandhu @ Afsan Guru (2005) 11 SCC 600 (Parliament Attack Case): This case, arising from the 2001 terrorist attack on the Indian Parliament, witnessed the Supreme Court admitting call detail records (CDRs) as evidence without strict adherence to Sections 65A and 65B. This decision, however, was subsequently overruled in the Anvar vs Basheer case, emphasizing the mandatory nature of the certificate for admissibility.

• Manu Sharma vs. The State (NCT of Delhi) (2010) 6 SCC 1 (Jessica Lal Murder Case): The court recognized the evidentiary value of electronic records, including witness testimonies and phone records, in this high-profile murder case. The case highlighted the potential of digital evidence to corroborate and contradict traditional forms of evidence.

• Anver P.V vs. P.K Basheer & Ors AIR 2015 SC 180: This landmark judgment clarified the mandatory requirement of a certificate under Section 65B(4) for the admissibility of electronic records as secondary evidence. The court stressed the need to establish the authenticity and integrity of electronic evidence, considering its susceptibility to manipulation.

• Shafhi Mahommad vs. The State of Himachal Pradesh (2018) 2 SCC 801: This case presented a contrasting viewpoint, suggesting that the certificate requirement under Section 65B(4) might be relaxed when the party presenting the electronic evidence lacks possession of the device. This position, however, was later overruled in the Arjun Panditrao Khotkar case.

• Arjun Panditrao Khotkar vs. Kailash Kishanrao (2020) 3 SCC 216: Overruling the decisions in the Tomaso Bruno and Shafhi Mohammad cases, the Supreme Court reaffirmed the mandatory nature of the certificate under Section 65B(4). The court emphasized that challenges in obtaining the certificate do not justify the admission of electronic evidence without fulfilling the procedural requirements. The court also clarified that the certificate is unnecessary if the original document itself is produced, such as the owner of a device containing the original information testifying and proving ownership.

Embracing the Digital Age: The Bharatiya Sakshya Adhiniyam, 2023

The introduction of the BSA in 2023 marked a significant step in aligning the Indian evidence law with the digital age. The Act repealed the IEA, introducing comprehensive changes, particularly in the realm of electronic evidence.

Key Changes under BSA:

• Digital Evidence as Primary Evidence: Section 57 of the BSA elevates the status of electronic records, recognizing them as primary evidence. This move signifies a crucial shift in acknowledging the intrinsic value and reliability of digital evidence.

• Expanded Scope of Secondary Evidence: Section 58 broadens the scope of secondary evidence, encompassing oral and written admissions and evidence provided by experts examining complex digital documents.

• Standardized Certificate Format: The BSA introduces a standardized format for the certificate under Section 63, ensuring uniformity and clarity in the presentation of electronic evidence. The format includes two parts: Part A to be filled by the party presenting the evidence and Part B by an expert.

• Clarification on "Proper Custody": The BSA provides a definition for "proper custody" in relation to electronic records, adding an explanation to Section 80 to clarify its interpretation in the context of digital evidence.

Case Laws under BSA (till 2025):

As the BSA is relatively recent, case laws specifically interpreting its provisions are still developing. However, existing pronouncements under IEA continue to guide the admissibility and appreciation of electronic evidence.

Challenges and the Road Ahead

While the BSA represents a progressive step towards integrating electronic evidence, challenges persist:

• Defining the "Expert": The BSA lacks a clear definition of the "expert" required to sign Part B of the certificate under Section 63. This ambiguity may lead to inconsistencies and disputes regarding the qualifications and expertise necessary for certification.

• Data Protection and Privacy: The collection and use of electronic evidence raise concerns about data protection and privacy. Balancing the need for evidence with individual rights necessitates robust safeguards and legal frameworks.

• Cross-Border Issues: The global nature of digital data necessitates international cooperation and legal frameworks to address cross-border issues related to the collection, admissibility, and enforcement of electronic evidence.

Conclusion

The evolution of electronic evidence law in India reflects a continuous effort to adapt to the digital revolution. The BSA, with its progressive provisions, lays a solid foundation for a robust and technologically aligned legal framework. However, addressing the existing challenges, particularly clarifying the role of the "expert" and ensuring robust data protection mechanisms, remains crucial for the effective and just utilization of electronic evidence in Indian courts.

As a cyber lawyer, I remain optimistic about the future of electronic evidence in India. The legal system's proactive approach in embracing technology promises a future where justice prevails in the digital age.

By: Adv. (Dr.) Prashant Mali Founder at Cyber Law Consulting (Advocates & Attorneys)

Original link to the blog: Click Here

Case Overview:   Download the PDF

This case, adjudicated under the Information Technology Act, 2000, involves a significant breach of cybersecurity and financial fraud. The Complainant, Dhule Vikas Sahakari Bank Ltd. (DVSB), a cooperative bank, alleged that Axis Bank Limited (Respondent) failed to implement reasonable security measures, leading to unauthorized transactions amounting to ₹2,06,50,165. The Complainant sought compensation for the financial loss, mental distress, and legal expenses incurred due to the breach.

Key Facts:

1. Unauthorized Transactions:

On June 7 and 8, 2020, 27 unauthorized transactions were conducted from DVSB’s current account with Axis Bank. These transactions occurred before the bank’s official operating hours, and no OTPs or batch numbers were generated, bypassing the mandatory security protocols.

2. Security Lapses:

The Complainant alleged that Axis Bank failed to enforce basic security measures, such as OTP verification and real-time fraud detection, which are mandated under Section 43A of the IT Act. The breach was attributed to the hacking of Axis Bank’s systems, as admitted in the FIR filed by Axis Bank.

3. Financial Loss:

The Complainant suffered a loss of ₹2,06,50,165, of which ₹30,43,784 was recovered through freezing of funds. The remaining ₹1,76,06,381 was claimed along with 18% interest, legal charges of ₹3,00,000, and compensation for mental agony.

4. Legal Arguments:

• Complainant’s Argument: Adv. Prashant Mali, representing DVSB, argued that Axis Bank failed to comply with REsoanable security practices as mandated under Section 43A of the IT Act,2000, and RBI guidelines on KYC and anti-money laundering practices. He emphasized that the bank’s negligence in securing its systems directly led to the breach.

• Respondent’s Defense: Axis Bank claimed that the breach occurred due to remote access software installed by DVSB. However, this argument was countered by the fact that the transactions occurred on a bank holiday, and the FIR filed by Axis Bank admitted to hacking within its own systems.

Court’s Findings:

1. Liability under Section 43A:

The Adjudicating Officer held that Axis Bank failed to implement reasonable security practices, as required under Section 43A of the IT Act. The bank’s negligence in securing its systems directly contributed to the unauthorized transactions.

2. Failure in Real-Time Monitoring:

The absence of robust real-time monitoring and fraud detection mechanisms underscored Axis Bank’s non-compliance with RBI guidelines and the IT Act.

3. Compensation:

The court ordered Axis Bank to reimburse the Complainant for the actual loss of ₹1,76,06,381 with 18% compound interest, legal charges of ₹3,00,000, and compensation of ₹50,00,000 for mental agony and harassment.

Conclusion:

This case is a landmark judgment in the realm of cybersecurity and banking liability. It reinforces the importance of financial institutions adhering to stringent security protocols and highlights the legal consequences of failing to protect customer data. The judgment sets a precedent for holding banks accountable for breaches resulting from inadequate security measures.

Praise for Adv. Prashant Mali:

Adv. Prashant Mali’s representation of Dhule Vikas Sahakari Bank Ltd. in this case was nothing short of exemplary. His meticulous preparation, deep understanding of cybersecurity laws, and strategic arguments were instrumental in securing a favorable judgment for his client.

1. Mastery of Legal Nuances:

Adv. Mali’s ability to dissect complex technical and legal issues, such as the failure of Axis Bank to comply with Section 43A of the IT Act and RBI guidelines, demonstrated his profound expertise in both banking and cybersecurity law.

2. Strategic Argumentation:

His emphasis on the lack of OTPs, batch numbers, and real-time fraud detection mechanisms exposed the glaring security lapses on the part of Axis Bank. By highlighting the bank’s admission of hacking in its FIR, he effectively countered the Respondent’s defense.

3. Client-Centric Approach:

Adv. Mali’s relentless pursuit of justice for his client, including seeking compensation for both financial loss and mental agony, showcased his commitment to ensuring that the victim of a cyber breach is adequately compensated.

4. Landmark Victory:

This case is a testament to Adv. Mali’s legal acumen and dedication. His victory not only brought relief to his client but also set a significant legal precedent, reinforcing the accountability of financial institutions in safeguarding customer data.

Adv. (Dr.) Prashant Mali’s performance in this case is a shining example of legal excellence, and his contribution to the field of cybersecurity law will undoubtedly inspire future practitioners. His ability to navigate complex legal and technical terrains with such finesse is commendable and deserving of the highest praise.

Complete Briefing of the Case

I. Introduction

This document reviews the key themes, facts, and legal implications arising from a case involving a security breach at Axis Bank resulting in unauthorized transactions from the Dhule Vikas Sahakari Bank Ltd. (DVSB) account. The document integrates information from the final order of the adjudication, excerpts from Section 43A of the Information Technology Act, and excerpts from the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. The core issue is the liability of a "body corporate" (in this case Axis Bank) for failing to implement adequate security measures, as defined under the IT Act, and causing financial loss to a customer.

II. Case Overview: DVSB vs. Axis Bank

• Parties:Complainant: Dhule Vikas Sahakari Bank Ltd. (DVSB), a co-operative bank.

• Respondents: 1) Axis Bank Limited, 2) Mr. Amitabh Chaudhry (MD & CEO, Axis Bank Limited)

• Incident: On June 7th and 8th, 2020, 27 unauthorized online transactions occurred from DVSB's current account, totaling ₹2,06,50,165.

• Key Findings and Allegations by DVSB:Time of Transactions: Transactions occurred between 7:00 AM and 10:00 AM, before DVSB's official banking hours.

• Security Lapses: Axis Bank's system failed to enforce basic security protocols, including the mandatory OTPs and batch numbers required for transactions. DVSB alleges that the system was able to bypass the "maker-checker" authorization mechanism required by the Pay-Pro System.

• Lack of Real-time Fraud Detection: The complainant also highlighted the lack of fraud detection mechanisms.

• Bypassed OTPs: Despite separate registered mobile numbers for the maker and checker receiving OTPs, no OTPs were received during the fraudulent transactions.

• Violation of IT Act: DVSB alleged that Axis Bank violated the IT Act, 2000, specifically Section 43A (failure to implement reasonable security practices) and Section 43(g) (permitting unauthorized access). DVSB also cites offenses under Section 85 of the IT Act (holding companies accountable for such lapses).

• Use of Any Desk Software DVSB stated that Axis Bank employees had installed the software “Any Desk” on their systems for remote access.

• Loss and Damages: DVSB suffered financial losses amounting to ₹2,06,50,165, as well as mental distress and hardship. They sought reimbursement of the loss and compensation for mental agony, legal fees and other incidental costs.

• KPMG Cyber Forensic Team Findings:KPMG investigation highlighted that “Five successful remote desktop logon were made on 6th June 2020 from different IP addresses.”

• KPMG did not conduct a full audit and cautioned not to consider their report as legal advice or a professional opinion.

• Adjudicating Officer's Decision:The Adjudicating Officer determined that Axis Bank failed to ensure reasonable security practices mandated by Section 43A of the IT Act.

• The bank’s failure to protect sensitive customer data led to a compromise of confidential information and subsequently to fraudulent transactions.

• The lack of real-time monitoring and fraud detection further established a failure to comply with prescribed standards.

• Order: Axis Bank was ordered to:

• Reimburse the actual loss of ₹1,76,06,381.

• Pay interest at 18% per annum from the date of the contravention until full payment.

• Pay Legal Charges of ₹3,00,000.

• Pay Compensation of ₹ 50,00,000 for mental agony, pain, and undue harassment.

III. Legal Framework: Section 43A of the Information Technology Act

• Liability for Data Protection: Section 43A of the IT Act outlines the liability of a body corporate for negligence in protecting sensitive personal data or information.

• Quote: "Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected."

• Definitions:Body Corporate: Encompasses companies, firms, sole proprietorships, and associations engaged in commercial or professional activities.

• Reasonable Security Practices and Procedures: Refers to security measures designed to protect information from unauthorized access, damage, misuse, or disclosure.

• Sensitive Personal Data or Information: as specified in the IT rules includes data such as passwords and financial information such as bank account and payment instrument details.

• Key Takeaway: Section 43A establishes that companies holding sensitive personal data have a legal obligation to secure that data. Failure to do so, resulting in financial loss, incurs liability.

IV. Information Technology (Reasonable Security Practices and Procedures) Rules, 2011

• Purpose: The rules provide more granular detail regarding security practices and procedures which are mandated by the IT Act.

• Key definitions:Cyber Incidents: defined as adverse events impacting cybersecurity including unauthorised access, denial of service, changes to data without authorisation etc.

• Personal Information: information that relates to a natural person and is capable of identifying such person when combined with other available information.

• Sensitive personal data or information includes information related to passwords, financial information, biometric data, health conditions, and sexual orientation.

• Responsibilities of Body Corporates:Privacy Policy: A policy that outlines practices, data types, collection purposes, information disclosure and security procedures must be established and easily accessible.

• Consent: Written consent is needed before collecting sensitive data, and the purposes for collection, intended recipients and contact details of agencies collecting and retaining the information must be disclosed.

• Data Retention: Data must not be retained longer than necessary.

• Security: Body corporates must implement security practices and standards, including a documented information security program with managerial, technical, operational, and physical security controls.

• Grievance Redressal: A grievance officer must be appointed to address discrepancies within a month.

• Disclosure: prior permission is needed to disclose information to a third party unless it is mandated by law or agreed to in the contract between the two parties. Sensitive data cannot be published.

• Transfer: Data can only be transferred to entities with the same level of security.

• Reasonable Security Practices:Compliance with the IS/ISO/IEC 27001 standard is considered sufficient.

• If alternate standards are used, they must be approved by the Central Government.

• Security practices must be regularly audited (at least annually) by an independent auditor approved by the Central Government.

V. Analysis and Conclusions

• Breach of Duty: Axis Bank's systems were found to be deficient by the Adjudicating Authority, lacking adequate security measures, real-time fraud detection, and in the way their implemented OTP and maker-checker systems were bypassed. This constitutes a breach of their duty under Section 43A of the IT Act.

• Compensatory Damages: The Adjudicating Authority's order demonstrates the financial and reputational consequences of not implementing adequate security.

• Importance of Compliance: The IT Act and associated rules provide a clear framework for data protection, emphasizing that organizations handling sensitive information have an obligation to protect that data. Failure to do so exposes organizations to considerable financial liability.

• Reliance on Standards: The IT rules highlight the importance of adhering to international standards such as IS/ISO/IEC 27001 and of conducting regular security audits.

• Responsibility for Third Party Software The case also highlights the risk associated with installing third party software on systems that handle sensitive information.

• Lessons Learned:Financial institutions must implement robust security measures that prevent fraudulent access even outside normal business hours.

• Adherence to KYC (Know Your Customer) and AML (Anti-Money Laundering) practices is critical to prevent fraudulent transactions.

• Real-time monitoring and fraud detection systems are essential.

• Compliance with legal frameworks is crucial for the protection of both customer information and institutional reputation.

This briefing document highlights the significant implications of the DVSB vs. Axis Bank case, underscoring the legal and financial risks associated with data breaches under the IT Act.

By: Adv. (Dr.) Prashant Mali Founder at Cyber Law Consulting (Advocates & Attorneys)

Original link to the blog : Click Here

We’re excited to bring you an insightful fireside chat on "Navigating the Cyber Insurance Landscape: Key Considerations for CISOs" with Dan Bowden (Global Business CISO, Marsh McLennan (Marsh, Guy Carpenter, Mercer, Oliver Wyman)) and Erik Laird (Vice President - North America, FireCompass). In this fireside chat, we'll decode the complexities of cyber insurance from a CISO’s lens and uncover how to make smarter, security-aligned decisions when it comes to policy design, claims, and ROI.

As cyberattacks grow in sophistication and cost, cyber insurance is becoming a strategic necessity—not just a financial safeguard. But how do you ensure your policy provides the coverage you truly need? What are the key elements insurers look for in your security posture? And how can CISOs advocate for meaningful coverage in today’s risk landscape?

Key Discussion Points:

1) Understanding Coverage and Policies: Overview of cyber insurance types, common exclusions, and tips for securing comprehensive protection.

2) Integrating Cyber Insurance with Risk Management: How cyber insurance fits into your broader risk strategy and how to align coverage with real-world threats?

3) Claims Process and Response Planning: Understand the basics of filing claims and why a solid incident response plan is key to a smooth recovery.

Date: May 9, 2025 (Friday)

Time: 9:00 AM PT | 12:00 PM ET | 9:30 PM IST

Join us live or register to receive the session recording if the timing doesn’t suit your timezone

>> Register Here

We had a community fireside chat on "The Dark Path of Stolen Data: Understanding the Cybercrime Ecosystem" with Matthew Maynard (Security Operations Specialist, BJC Healthcare) & Erik Laird (Vice President - North America, FireCompass), where we delve deep into the hidden layers of cybercrime, exploring how stolen data is monetized, its impact, and how organizations can fight back.

The cybercrime ecosystem is thriving, with stolen data fueling a complex underground economy. This session explores the lifecycle of stolen data—from breach to black market—its impact on businesses and individuals, and the defense strategies organizations must adopt to stay ahead. Gain insights into the hidden world of cybercrime and how to better protect your sensitive information in today’s digital age.

Key Highlights:

1. Lifecycle of Stolen Data
We’ll trace the full journey of stolen data — from the initial breach to its sale in underground forums. Who are the key players in this illicit trade? How does stolen data change hands, and what makes certain types of data more valuable than others?

2. Impact on Businesses and Individuals
Data breaches don’t end with just stolen records. We’ll explore the short-term and long-term consequences for businesses and individuals. How can companies assess the real cost of a breach — from financial loss to reputational damage?

3. Defense Strategies
Cybercrime is constantly evolving, but so are defense mechanisms. We’ll discuss proactive security measures, threat detection tools, and how to build an effective incident response plan. Learn the best practices organizations must adopt to stay a step ahead of threat actors.

About Speaker

• Matthew Maynard (Security Operations Specialist, BJC Healthcare)
• Erik Laird (Vice President - North America, FireCompass)

Download Presentation : Click Here

Executive Summary (Session Highlights):

1) Cybercrime as a Business: Initial Access Brokers and Monetization Tactics

Matthew revealed how cybercrime operates as a full-fledged economy. It starts with Initial Access Brokers (IABs)—threat actors who gain access via phishing, exploits, or insiders, then sell those credentials on underground forums. Prices can start as low as $400 for root or shell access.

Once data is acquired, attackers:

• Use escrow systems and reputation scores to build trust during sales.

• Engage in marketing strategies to describe, promote, and price stolen data.

• Apply sales tactics similar to legitimate businesses—complete with support, newsletters, and forum credits for community engagement.

2) The Underground Economy: Structure, Tools, and Psychology

Forums are structured ecosystems where threat actors behave like corporate sellers:

• Rankings such as "God-level" users denote trust and credibility.

• Stolen data is often exchanged for forum credits, which can be earned through simple community participation.

• Common tools used include curl, rclone, and file-hosting platforms like PixelDrain to exfiltrate data.

Matthew shared real chat logs between attackers, providing insight into how they communicate, brag about their exploits, and negotiate deals. He also observed false flag operations and internal fraud, where scammers sell fake data, leading to skepticism even among criminals.

3) Case Study: Oracle Breach & the Community’s Role in Legitimacy

A compelling case covered was the alleged Oracle breach, which triggered internal debate on its authenticity. While the threat actor posted samples and proof-of-concept videos, other users—including suspected Oracle sock puppets—challenged the validity of the breach.

This illustrated that:

• Not all data breaches result in successful sales.

• Even on breach forums, reputation and verification matter deeply.

• The criminal ecosystem has its own self-regulating mechanisms based on trust.

4) Impact of Stolen Data on Individuals and Organizations

Matthew emphasized that while businesses often have cyber insurance, individuals suffer the most from breaches. From identity theft to financial fraud, the downstream effects are devastating—and often overlooked in the broader cybersecurity conversation.

He stressed the importance of dark web research to understand adversary tactics and detect early signals of impending attacks.

5) Defensive Takeaways: Thinking Like a Hacker

To counter evolving threats, Matthew advocates for a proactive defense mindset:

• “Think like a hacker”: Simulate real-world attack scenarios using the same tools and forums as threat actors.

• Embrace red and purple team exercises to discover vulnerabilities internally.

• Understand how attackers move data and mimic their behaviors in controlled environments to improve detection.

“If you're worried about data leaving your network, try to move it yourself. Learn how the bad guys think, because they already know how you operate.” — Matthew Maynard

6) Conclusion: Illuminate the Shadows

• Cybercrime follows structured, business-like models—often more organized than assumed.

• Cyber defenders must go beyond traditional perimeter defenses and engage with threat actor ecosystems to stay ahead.

• Passion and curiosity are essential traits in cybersecurity. As Matthew puts it, "If you're not excited when your feet hit the floor in the morning, you're in the wrong field."

The session served as both a reality check and a call to action: It’s time to shine more light into the dark corners of the cyber underground.

Cybersecurity professionals have long relied on vulnerability databases and CWE lists, but NIST's Bugs Framework (BF) brings a refreshing formalism and extensibility to the field. Developed by Irena Bojanova and detailed in NIST Special Publication 800-231, BF offers a structured, scalable model for categorizing and analyzing software bugs that lead to cybersecurity issues.

Why This Matters

The landscape of software vulnerabilities is ever-growing and increasingly complex. While CVEs and CWEs offer essential catalogs, the Bugs Framework takes things a step further by formalizing the semantics of bugs, allowing researchers and analysts to understand not just what went wrong, but how and why it went wrong at a fundamental level.

BF enables a systematic classification of bugs, which is invaluable for everything from secure coding practices to the automated detection of software flaws. As security teams strive for more proactive defense mechanisms, this kind of framework provides the semantic backbone necessary to achieve it.

What Is the Bugs Framework (BF)?

BF is a formal, extensible, and tool-friendly classification system for cybersecurity weaknesses and vulnerabilities. Unlike informal taxonomies, it uses a structured model that identifies the cause, mechanism, and consequence of a bug. The framework introduces the concept of a “Bug Class,” which includes:

• Source (e.g., insecure design, flawed implementation)

• Trigger (e.g., unsafe input)

• Type (e.g., buffer overflow)

• Impact (e.g., privilege escalation)

• Context (runtime environment and code patterns)

This multidimensional view enables much more than labeling—it enables root cause analysis, bug propagation understanding, and mitigation strategy development.

A Game-Changer for Tool Developers and Analysts

One of the standout features of BF is its utility for tool creation and enhancement. Static and dynamic analysis tools can leverage this structured approach to detect bugs earlier and with higher accuracy.

By encoding knowledge about bug mechanics, tools can offer explainability—a crucial feature in today’s era of AI-driven code analysis. Plus, BF's extensible nature means it can evolve alongside new programming paradigms and languages.

Real-World Use Cases

BF isn't just academic theory. It has real-world applications such as:

• Improving Secure SDLC practices

• Training machine learning models for bug detection

• Supporting security certification and compliance workflows

• Developing language-agnostic bug taxonomies

For industries building critical infrastructure software, BF can provide formal assurance that vulnerabilities are identified and mitigated comprehensively.

Final Thoughts

The Bugs Framework is an important step toward making software security more scientific, systematic, and scalable. Irena Bojanova and the NIST team have given the security community a powerful lens through which to view and understand vulnerabilities.

Want the full technical deep dive?
Download the official NIST publication here: Click Here

Credits:
This blog is based on the NIST publication by Irena Bojanova (Computer Scientist, National Institute of Standards and Technology). All intellectual credit goes to the original author and the National Institute of Standards and Technology (NIST).

Welcome to the March edition of CISO Platform Highlights – your quick snapshot of the most insightful content, expert conversations, and community updates from the world of cybersecurity leadership.

This month, we explored one of the industry's most pressing issues – CISO burnout – and shared expert takes, practical strategies, and community knowledge to help you stay resilient and ahead of the curve. Plus, nominations for CISO 100 Awards & Future CISO Awards USA 2025 are now open!

Fireside Chat You Can’t Miss

The Challenge Of CISO Burnout – Impacts & Strategic Mitigation Tactics

A powerful discussion featuring:

• Bikash Barai – Co-Founder, FireCompass

• Daniel Chechik – CISO, Walkme

• Andy Ellis – CISO, Orca Security

• Michael Seaman – VP IT, Skopos Financial

• Gary Bronson – CIO, Fortium Partners

These top voices explored the growing mental health crisis among security leaders, its impact on organizations, and how strategic mitigation can make a real difference.

>>Read the Executive Summary 

Featured Reads from the Community

1) The Cost of ISO 27001 Compliance: Is It Worth It? | By Ray Parker

A practical breakdown of the financial and operational aspects of achieving ISO 27001 certification. The piece dives deep into costs, benefits, and ROI for organizations looking to boost compliance and trust.

>>Read More

2) 15+ Years of Loading Threat Intel into SIEM: Why Does This Still Suck? | By Anton Chuvakin

A refreshingly honest take on the long-standing struggle of integrating threat intelligence into SIEMs. Anton explores what’s broken—and what still has potential.

>>Read More

Call for Nominations: CISO 100 Awards & Future CISO Awards (USA) | In Association With EC Council

We’re thrilled to open up nominations for the CISO 100 Awards & Future CISO Awards – USA Edition. Know someone who’s leading the charge in cybersecurity? Or think you should be recognized? 

Date: 1st & 2nd October 2025
Venue: Renaissance Atlanta Waverly Hotel & Convention Center

>>Nominate Yourself or a Peer 

Access Guide: CISO Platform Top 100 Awards & Annual Conference – India + Middle East

The February 21st edition of our India + Middle East Awards & Conference was a resounding success! Check out the Master Guide to relive the highlights, insights, and moments that mattered. 

>>Access the Guide

Join Our Community

At CISO Platform, our mission is to deliver high-quality insights and create meaningful connections among senior cybersecurity professionals. With a global network of 6,500+ CISOs and InfoSec leaders, you’ll always find ideas, answers, and allies here. 

Want to contribute your insights? Share a blog on CISOPlatform.com and help others make smarter security decisions.

Sign Up

We’re excited to bring you an insightful fireside chat on "The Dark Path of Stolen Data: Understanding the Cybercrime Ecosystem" with Matthew Maynard (Security Operation Specialist, BJC Healthcare | Incident Response Analyst | Ethical Hacker | Dark Web Researcher & Cybersecurity Writer) and Erik Laird (Vice President - North America, FireCompass), where we delve deep into the hidden layers of cybercrime, exploring how stolen data is monetized, its impact, and how organizations can fight back.

The cybercrime ecosystem is thriving, with stolen data fueling a complex underground economy. This session explores the lifecycle of stolen data—from breach to black market—its impact on businesses and individuals, and the defense strategies organizations must adopt to stay ahead. Gain insights into the hidden world of cybercrime and how to better protect your sensitive information in today’s digital age.

Key Discussion Points:

1. Lifecycle of Stolen Data

We’ll trace the full journey of stolen data — from the initial breach to its sale in underground forums. Who are the key players in this illicit trade? How does stolen data change hands, and what makes certain types of data more valuable than others?

2. Impact on Businesses and Individuals

Data breaches don’t end with just stolen records. We’ll explore the short-term and long-term consequences for businesses and individuals. How can companies assess the real cost of a breach — from financial loss to reputational damage?

3. Defense Strategies

Cybercrime is constantly evolving, but so are defense mechanisms. We’ll discuss proactive security measures, threat detection tools, and how to build an effective incident response plan. Learn the best practices organizations must adopt to stay a step ahead of threat actors.

Date: April 16, 2025 (Wednesday)

Time: 9:00 AM PT | 12:00 PM ET | 9:30 PM IST

Join us live or register to receive the session recording if the timing doesn’t suit your timezone

>> Register Here

“Flickering screens, a sickly, yellow glow. Humming servers, a constant, low thrum of digital malaise. Alerts screamed into the void, a cacophony of meaningless noise, lost in the echoing expanse of our digital tomb. Playbooks, relics of a forgotten war, their pages yellowed and brittle, offered no solace, only a hollow echo of outdated procedures. We were digital ghosts, sorting through the digital detritus of a network that had long since abandoned us. Management saw tickets, not threats, numbers on a spreadsheet, not human beings drowning in a sea of pointless, false alerts. Training: PowerPoint purgatory, a soul-crushing parade of bullet points and stock photos, designed to induce sleep, not understanding.

Each sunrise, a fresh wave of futility crashed against our resolve, another day of meaningless tasks and unfulfilled potential. We were Sisyphus, eternally pushing the boulder of alerts uphill, only to watch it roll back down, crushing our spirits with its relentless weight. The network decayed around us, a slow, agonizing rot, and we decayed with it, our skills atrophying, our purpose fading. Meaningless tasks, endless nights, the same alerts, the same useless playbooks, the same hollow promises. The hum never stopped, a constant, droning reminder of our insignificance, a soundtrack to our slow, digital demise.” [Gemini 2.0 Flash when prompted ‘write a very very depressing short story about working in a bad SOC’]

SOC stuck in the past via Meta AI

So, where am I going with this?

1. You have a SOC, and you hate your SOC; you have a right to do so — frankly your SOC sucks. And it causes pain.
   
2. You are vaguely aware that a better model may exist [OK, it does exist, but you are not yet convinced that it does or that it applies to you, so I am using “may” here]
   
3. You have no idea whatsoever what to do about it.

Sure, you read a lot on this, you read the original SOCless piece from Netflix (2018), its ADS prequel (2017), other prequels (also 2017, with this gem “When a human being is needed to manually receive an alert, contextualize it, investigate it, and mitigate it… it is a declaration of failure.”) and more recent writing like our ASO (2021), my “baby ASO” (2024), and even some practical advice on “SOCless on-call” (here as well).

Yet you are left with utter confusion about “modern SOC”, “SOCless” (or is it “sock-less”?) practical applicability in your environment. Depression is creeping in. You start to believe in ghosts … and AI SOC seems plausible by comparison.

Any hope, Anton?

Maybe.

Let’s borrow from Cognitive Behavior Therapy and start with the facts (PLEASE, if you see a vile opinion creep in the list below, let me know)

1. Classic “NOC DNA” or “helpdesk DNA” SOC is not working well enough for modern threats and environments (but mostly the environments)
   
2. The “Alert Tsunami” continues to overwhelm analysts. Traditional SOCs are drowning in a sea of alerts, many of which are false positives. This has not changed in decades.
   
3. Many ways to make it slightly better exist, none of them (even used collectively) truly fix the problem described in 1, but only make this slightly less painful, at best.
   
4. AI, naively applied, is one of the ways mentioned in #3 above. It works. It helps. It does not “fix it.”
   
5. Living with the problem unsolved remains possible for many organizations, and this will be true for some time. It is considered “OK” to have a 2005-style SOC in 2025
   .
6. Some try to outsource the problem; it occasionally “works” and sometimes fails spectacularly. Otherwise, see item #3 again.
   
7. A way (never stated to be the only way, hence “a”) to actually fix this exists (SOCless, ASO, etc) but it remains largely unachievable by many.
   
8. SOCless or “engineering-led approach to D&R” does not mean “just abolish your SOC.” The way involves radical change, not (only) incremental improvements. This is what those who did it report
   
   
9. Attempts to make less radical changes to solve the problem are largely unsuccessful (yes, linking to my own blog as an example). This is filed under “You Can’t Cross a Chasm in Two Small Jumps”
   
10. Simply buying modern tools (modern SaaS SIEM/SOAR, “decoupled SIEM”, etc) does not change anything if people/processes remain in “NOC DNA” 1980s land. Rewind your Walkman!
    
11. New environments (newsflash: cloud is new to some!) add complexity. The shift to cloud and hybrid environments has expanded the attack surface and introduced new challenges and “alien” [to classic security!] IT practices like DevOps, further straining traditional SOC models
    
12. It is a lot easier to modernize your SOC (D&R) if the rest of your stack is modern as well (security and, yes, IT as well).

With me so far? So what’s next? Let’s try these for now (additional advice):

The path — SOC team lead:

• Self-assess: Realize where you are with your team (SOC is a team first!)
  
• Prioritize Automation: Identify and implement automation opportunities (likely using SOAR or a DIY equivalent) to reduce manual work and optimize analyst time. Pick up a fight with toil!
  
• Start with the low-hanging fruit. Identify the 3 most repetitive tasks your analysts are doing and automate those this week. Use SOAR, or even a simple Python script.
  
• Shift Metrics: Move from volume-based (e.g., tickets closed) to effectiveness-based metrics (e.g., automation coverage) to measure true impact.
  
• Develop Engineers: Encourage analysts to learn detection engineering and implement role rotations to build engineering skills in the team.

The path — SOC “analyst” / team member:

• Learn Detection: Focus on understanding how detections are created, not just responding to them, to improve proactive threat hunting.
  
• Suggest Automations: Identify and recommend tasks suitable for automation to reduce manual toil.
  
• Improve Processes: Participate in blameless postmortems to learn from incidents and improve processes, make the feedback loop faster.

The path — CISO or equivalent:

• Acknowledge SOC Evolution: Recognize that traditional SOC models need radical change, not just minor improvements, for modern environments and threats. Stop obsessing over tools, start obsessing over people.
  
• Invest in Engineering: Allocate resources for automation and engineering skills within the SOC for long-term effectiveness. Allocate 10% of your SOC budget specifically for training and development in engineering skills. Track it, measure it, hold people accountable!
  
• Align Metrics: Ensure SOC metrics reflect strategic security goals, focusing on effectiveness vs threats over operational efficiency.

More on this soon! Now, go and pick one of these recommendations and implement it this week.

Related resources (a lot more of those are all over the blog):

• Baby ASO: A Minimal Viable Transformation for Your SOC (this is Part 1 to this blog)
• DtSR Episode 632 — The Politics of Detection Response and Security Ops
• New Paper: “Future of the SOC: Evolution or Optimization — Choose Your Path” (Paper 4 of 4.5)
• Building the SOC of the Future — JP Bourget — ESW #399
• New Paper: “Autonomic Security Operations — 10X Transformation of the Security Operations Center” (2021)
• EP180 SOC Crossroads: Optimization vs Transformation — Two Paths for Security Operations Center

- By Anton Chuvakin (Ex-Gartner VP Research; Head Security Google Cloud)

Original link of post is here

Icarus, in Greek mythology, son of the inventor Daedalus who perished by flying too near the Sun with waxen wings. 

BALANCE

Throughout my career, I’ve had the opportunity to help many organizations out with operational, tactical, and strategic security things. From hands-on technical operational stuff such as vulnerability management, patch management, identity & access management, infrastructure security, tactical road-maps & improvement plans to long-term security strategies.

My observations through my career and my empiric knowledge have proven to me that most organizations are less good at the strategic aspects. And one of the most common reasons is that it is given far too little attention and resources. This can also be a natural effect that there is a lack of skills related to how a security strategy shall be developed, aligned with the business objectives, and executed.

What I also have learned is that developing a security strategy doesn’t need to be complex but many tend to overthink and overcomplicate it. Of course, if you as a security leader have never developed one it will take a bit more brainpower the first and second time, but see these as learning opportunities. As moments when you go to the “security leadership gym” and practice by doing those reps to build up your strengths.

Don’t let perfect be the enemy of good.

Voltaire, French philosopher

Every day we as security leaders practice at something. Every moment we take on a new task is a moment where we can learn something new. From all these moments when we learn new things we also expand our perspectives. We become less perceptive (our personal and a bit more narrowed viewpoint) and increase our perspectives (the broader viewpoint of things). I believe that a security leader needs to have a broad perspective. And to develop this form of capability I also believe that we as security leaders need to take on tasks that challenge our perception.

If you want to become a good security leader you need to have the capability to view the world from the lenses of your stakeholders and customers. And this is also key to when you develop a security strategy for your organization. You do it for your organization. Your security strategy is not about you. It is about your organization. It is about supporting your organization to become successful to reach the business vision, mission, and objectives.

And I agree with Voltaire, don’t let perfect be the enemy of good. Doing something compared to doing nothing when it comes to the strategic portion of security is for sure a better way of doing it. Don’t let the ambition of perfection hinder your organization’s success.

MYTH-BUSTER: PART 4

There is no point in developing a long-term security strategy, the threat landscape, regulations, and external factors move so fast.
Just because things go fast doesn’t remove the need for long-term planning of security in an organization. This statement is totally wrong.

Long-term planning of security is not necessary, the future is not possible to predict.
Yes and no. The future is impossible to predict but a security strategy is not about predicting the future, it is about future readiness.

A security strategy does not add value to an organization.
Common belief and somewhat true, it is the execution of the strategy that realizes the value creation of security for an organization. A security strategy does not serve a self-existence or operate in a vacuum. A security strategy has the purpose of supporting the organization’s vision, mission, and objectives.

Developing a security strategy is just a waste of time that could be spent on protecting the organization.
Protection is one dimension of what security is about. Only focusing on the protection of the organization will not guarantee that the value creation from security is optimized for the organization.

There is only one way how to operationalize a security strategy.
No, the same principles as mentioned above apply. Pick the one that will support your organization the best so that the horse powers from the initiatives are executed and realized in the most beneficial way.

Our customers don’t care if we have a security strategy. For this reason, we should not develop one either.
This is not a valid reason for neglecting the development of a security strategy. If your customers do not have a security strategy, that could potentially tell you and your organization something about your customer’s security maturity, posture, and cyber resilience. Your customers are a part of your supply chain, who you deliver value to and do business with. If this is true, reflect on what this means for your organization.

We are very confident with our security capabilities, we don’t need a security strategy for our organization.
Security doesn’t work that way. It is not something that is influenced or impacted based on what you feel or think. Security favors preparedness. To be prepared, planning from an operational, tactical, and strategic point of view is needed.

We have a very high maturity in our operational security capabilities, we don’t need to spend time on tactical and strategic security stuff.
This is also wrong, kind of the same answer as above. Many organizations fall into this trap for some reason. They neglect the value of tactical and strategic security work. This usually bites these organizations in their asses later on. Don’t make this mistake.

We develop our security strategy on the latest yearly security reports exposing and describing the attack and threat landscape.
This is for sure one parameter to take into consideration but this should not be how a security strategy is developed. The truth is, there is no external security report out there that knows your organization better than you as a security leader. Base your organization’s on the requirements of your organization.

We have developed our security strategy based on <Partner name/Country/Institute/Competitor/…>, this is great!
No, this is not great. We are there again, you need to create a security strategy that is aligned with your own organization’s needs. Sure, take some inspiration and consider why those or that entity are doing what they are doing from a strategic security viewpoint. But this or that entity doesn’t know your organization as well as you.

EPILOGUE

I think that many security leaders should have as a goal to at least try to reach a point where operational, tactical, and strategic security initiatives are closer to equilibrium, i.e. balanced. It might not be possible to find a total balance where you spend an equal amount of resources on each portion. But going from zero strategic security to at least spend, let’s say, 10% of your annual budget on developing, aligning, and focusing on working on that long-term security strategy for your organization is a direct win. Doing something is far better compared to doing nothing. And one can of course argue what those 10% will do for your organization. I would rather flip that question around and say if you don’t spend any time or resources on developing your security strategy is not something to strive for.

Icuarussing yourself as a security leader is not something to strive for.

If you as a security leader have a hard time justifying your contribution to your organization and how that realizes value from a business perspective I would say that it is time to spend some time sorting this out. To sort this question out, you can not do it alone without interacting with the stakeholders in your organization. You will not find the answer to this question by running around and focusing all your efforts on operational security initiatives or putting out those “security fiers” burning and flaring up on a day-to-day basis. This is of course also needed but many times, if there is a high pile of operational security stuff popping, there is a high likelihood that this is a symptom of less strategic and tactical security thinking.

Don’t be afraid of testing something else out or seek help from others who can help you climb out from that operational security hole. You as a security leader are the one who needs to start climbing. How you do it, with the help of others or on your own, is up to you. But it all starts with acknowledging you are stuck in that hole. And there is nothing wrong in realizing this is the case. Many organizations and security leaders struggle with exactly this challenge, trust me. And I tend to see that here and there some of these leaders do not ask for help to get out of that hole. As a security leader do not go the path of icarussing yourself, i.e. letting your arrogance stand in the way of the success of your organization.

Start doing those things today, i.e. focusing more on tactical and strategic security, that will benefit you and your organization in the future. You will thank yourself later by taking this advice and by starting to do so. It is not rocket science. With dedication, you can come very far. With dedication and “passion” (for lack of a better word) you can accomplish very, very, very good results. As I said before, reach out and ask for help if you as a security leader need it. There is nothing wrong in doing so, this is also what is expected of you as a security leader. Lead yourself with the help of others who can help you accomplish the goals you have created together with your stakeholders to make your organization successful. Teamwork. Security is a team sport.

Question:
For "who" is a security strategy developed?

a.) The IT department
b.) The cybersecurity team
c.) The local soccer team
d.) all the above options

Hint: The correct answer to the question is found in the article.

Link to original article – Click Here
Follow Henrik Parkkinen on LinkedIn – Click Here
Visit HenrikParkkinen.com 

“COBIT is not about security!”

I have heard this statement being said a couple of times about COBIT and for a bunch of different certificates and certifications throughout my career. There is of course truth in this statement as COBIT is not explicitly about security. However, the principles that you can learn from COBIT will absolutely improve your skills as a security leader. This is true for many certificates, certifications, and knowledge out there that are not explicitly about security, and it is especially true if you want to improve your skills as a security leader.

I personally think that a security leader needs to have a broad set of skills and tools. A security leader has a wide perspective related to security and is very comfortable in a broad span of domains. To become this form of a security leader, if this is what you are striving for, there are some things found in COBIT that will help you out. I think that the stuff that you can learn from COBIT can potentially make you a more well-rounded security leader. It will provide you with, but not limited to, a foundational understanding of governance and management.

TERMS & DEFINITIONS

Below are terms and definitions that will be used several times in this article:

• COBIT – Control Objectives for Business and Information Technology. This certificate is targeted toward those who want to demonstrate their knowledge of the standard, i.e. COBIT. For example CIO, IT Directors, IT Managers, IT Auditors, Security leaders (CISO, Directors, Managers), and decision-makers in both IT and security.

• ISACA – Information Systems Audit and Control Association
  (ISACA) is the organization that provides the certification mentioned above.

INFORMATION

This article is not a “how-to pass the COBIT certificate”. This article does not provide a detailed review of the content within COBIT.

This article will give you as a reader my perspectives and reflections on the knowledge that can be gained from COBIT and its application to security leaders.

This article will explain what you as a security leader can learn from the knowledge provided by COBIT. I will also give you some practical scenarios for where you as a security leader can use the stuff that is found within COBIT.

If you think this sounds interesting, continue reading.

REALITY

“Many of the concepts and no methods provided are theoretical and do not directly apply to reality!”

I have heard people say this about the knowledge and things in ISACA and other frameworks, standards, practices etcetera. And I also think this I true to some extent. But, I think that security leadership is not about copy-pasting concepts, frameworks, and methods from a textbook directly into reality. To become a well-rounded security leader I think that he/she must have an understanding of how to transfer and adapt those theories into reality and practice. Theories and reality will not always align. This is the truth and the sooner you make yourself friends with this, the smoother your security leadership journey will become. Trust me. Don’t try to force theories into reality. This is also highly true for COBIT. It will not fit into each and every organization just because it says so in the material, i.e. that it can be applied to any form of organization. This is not something that is a unique statement for COBIT, it is something that is true and found in many frameworks, standards, practices, and theories.

And keep this in mind, how certain aspects and concepts related to security governance and management will not look the same in each and every organization. The actual implementation will differ —> “It depends.”. Many theoretical principles and concepts are still valid and can be used as a baseline or starting point but if they fit into reality are not something absolute. Some of the things that I have learned through my career that will play an incredibly important role in how security governance and management will manifest itself in an organization are:

• culture
• maturity
• economics

You as a security leader can, to some extent but not on your own, impact all these things. But that will not happen over a lunch break. And somewhere along the road, you might need to settle with the truth that:

Changing the culture may be impossible and also nothing that you should change. If the culture in the organization you are supporting has led to success, why go in there and try to change it? Would be kind of a suboptimal thing in my world. Security is in most organizations, not a core business function, it is a supporting function that has a purpose to make the organization successful. The way forward here is to adapt to reality. Security does not serve a self-existence or operate in a vacuum. Don’t make it into an ego game.

The maturity related to security in an organization takes time to improve. Some things will be quick wins but these are limited. Maturity kind of goes a bit hand in hand with culture but with a slight difference. How organizations view security will differ. This can be a part of the culture or dependent on the industry where the organization is operating. An organization operating in a highly regulated industry with high compliance requirements will most often have a higher maturity and understanding of the importance of security. This should at least be the case, but this is not always the truth. Some organizations pursue the “Compliance diploma” and think it is equivalent to security. In my world, compliance should be the result of making things secure. There are some ifs and buts here but I will leave it here for now.

Economics might be the thing that in almost every organization will dictate what and “how much” can be realized when it comes to security. There are very few organizations that have infinite amounts of dollz, resources, and manpower. Many times it comes down to a prioritization of initiatives and this is also how reality looks like. To ensure a long-term value realization from security investments I think that every organization that takes security seriously should have a security strategy. Security is not something that lives for a quarter at a time or shall be treated as a feature development in a software project. It is not something that can only be approached from a purely operational viewpoint. Doing it this way is kind of like frakenstiening potential value realization from security investments. Yes, I have seen this happening in reality. I mean, doing security on a quarterly basis and planning for 3 months at a time or just focusing on operational things is better compared to just going out swinging blindly.

But there are better ways to do it. If you want to know more, about how to do it in a better way, check these articles out:

• SECURITY STRATEGY – WHAT IS THAT?
• SECURITY STRATEGY – LONG TERM PLAN
• SECURITY STRATEGY – DIRECTION
• SECURITY STRATEGY – CREATING VALUE
• SECURITY STRATEGY – REALITY VS THEORY

WHAT TO LEARN FROM COBIT?

COBIT provides a framework for the governance and management of IT. What COBIT does well is to explain “How” IT governance and management can be applied to increase the value realization of IT within an organization. This is mainly done through:

• Benefit realization
• Resource optimization
• Risk optimization

These three things –> Benefit realization, resource, and risk optimization <– can all be applied in the context of security. They are not exclusive to IT. This is what you can learn from COBIT as a security leader. How to increase value realization through security in an organization.

A foundational part of COBIT is to understand the differences between governance and management. These things are not the same but many actually think so. And I get it. The words are thrown around here and there, they are also made and applied in scenarios and situations where they don’t make any sense. This is most true for “Governance”. Many speak about governance and management interchangeably.

COBIT provides a very clear explanation of the distinction.

Governance is mainly about evaluating, directing, and monitoring strategic objectives. Governance is conducted by the board which is accountable for the strategic decisions related to an organization. The board = Shareholders/Owners of an organization. The operationalization, I.e. responsibility to conduct the actual work, of the decisions are delegated to the C-level. The C-level executives are responsible for the management and making sure the strategic objectives are executed in the organization.

In reality, things might be a bit different but this is the main distinction between governance and management. These principles, related to governance and management, can be applied inside an organization and not only on the board and executive level. A security leadership team could act as the governing body with key stakeholders from the organization (I.e. finance, research & development, sales & marketing, security, IT, HR) who together are setting the strategic direction, evaluating and monitoring the progress. The execution on the other hand is conducted by teams, dedicated or cross-functional, where subject matter expertise is located.

Many still confuse governance and management. And here and there people also sometimes confuse governance with maintenance. Governance sets the direction and paves the way forward. In reality, this may have different characteristics but almost every organization has some sort of governance established whether they call it governance or not. There is usually some form of “system” in place where people make these forms of decisions to set the strategic direction. And when a direction is set it does not stop there. A strategy needs, or according to my belief, to be developed, communicated, and launched to realize the potential values in the set direction. Benefit realization is impossible if those great strategic ideas, that the governing entity came up with, aren’t operationalized. This is also where management comes into play, i.e. the delegation of the responsibility to conduct the actual tasks needed to achieve the wanted outcome.

Executive Summary

Governance
Has the ultimate accountability for the success and failure. Sets the strategic direction. Less about the details. More about the holistic and bigger picture.

Management
Is responsible to actualize the tasks related to the strategic direction. More about the details and about doing the actual work. Reports performance to the governing entity.

FRAMEWORK & TOOLS

Simple as that, this is what you will learn from COBIT. You will learn a new framework and a couple of new tools that you as a security leader can leverage to better:

• Develop a security governance framework
• Develop a governance system
• Develop security goals from both a management and governance perspective
• Optimize value realization of security investment
• Resource optimization and utilization
• Risk optimization and planning
• Overall strategic and tactical planning

Yes, this list sounds like a bunch of random fluff that has been written in many other articles around the internetz. The truth though is, that this is what you CAN learn if you understand how to use the knowledge gained from COBIT in reality. The thing here is that the COBIT foundation might not be enough for most people to be able to do all those things I listed. The COBIT foundation certificate doesn’t really go into the design and implementation (that is covered in the design and implementation certificate).

You will not get a how-to manual from the COBIT foundation material that explains how you shall or can do the things I listed. It will provide you with very good principles and methods. But the rest, how these will be carried out in reality in your organization is for you to figure out. And personally, this is a good thing. You as a security leader shall be the person who understands what you and your organization need, which should not come from a theory, standard, or framework. Don’t get me wrong here. The stuff you learn from a theory, standard, or framework is good stuff. It goes directly into your broadened perspective as a security leader but it does not mean that you know what your organization needs. The needs in your organization related to governance and management, in terms of system/framework/methods/<insert>, will highly be dependent on what I wrote in the ingress of this article –> Culture, Maturity, & Economics.

Cobit goals cascade model is one of the tools covered in the framework.

But, here comes another good thing. If you get an understanding of the concepts, methods, and principles, and if you and your organization already have a governance framework and system established, you will most likely find some gems in COBIT that can be applied to improve your current implementation. The stuff you will find in COBIT is not something revolutionary. It is though a solid and well-tested framework that has been around the block for a while. And if something manages the test of time that is usually a good indicator that there is some solidity in the stuff. If you find something interesting in COBIT or another standard/framework for that reason, be curious, and 1.) Contemplate the findings and application to your organization and 2.) Don’t be scared to test things out. Testing things out can be done on a small scale. Do it as a part of a project or a scoped initiative. Or do a dry run of it together with a couple of colleagues. Discuss the learnings and try together to figure out if it would make any sense to implement in your organization.

Personally, I think that many security people often make the mistake that when a new theory, method, or concept for example is to be tested the scope is made way too large. The scope limits the people from testing the thing out. It becomes too large in a phase when the knowledge and skills related to that new theory, method, or concept also is limited. Why not shrink the scope? Test the things out and see if it makes sense. Expand the scope based on the findings and lessons learned. Test things out again and learn from there. Doing it this way also provides something very important to those doing the work with the new theory, method, or concept. Confidence. They gain confidence in how things work in reality and how things work in your organization. Just because something is written on a piece of paper or on the internet doesn’t mean it will work in reality.

MY LEARNING PATH

This section may come out as a bunch of brags, but I’m willing to stick my nose out as I want to be transparent with my journey up to taking the COBIT 2019 foundation certificate. Many of the concepts and principles in COBIT were not new to me. I have had the opportunity to work in organizations that have been applying and taking inspiration from COBIT. Of course, the real world often looks a bit different compared to the textbook but according to my belief, there is no substitute for real-life experience.

In the COBIT foundation material, the Balance Score Card (BSC) is one of the concepts you will learn about. I have worked with this concept for almost two decades and used it in many different ways and really like it. The thing here is though, the first time this article was written and when I took the COBIT 2019 foundation certificate, no visual diagrams or figures illustrating what a BSC is in the learning material. Yes, this can easily be looked up on the internet but personally, I think it would make perfect sense to show the student “What” and “How” a BSC may be used in a governance framework and system. The same thing is relevant for other parts of the learning material, this is not something that is a showstopper for the student to prepare for the exam. But this will limit the holistic understanding especially if the person is new to the concepts. One may pass the exam and know what to answer on a certain question but still be scratching the head afterward and not really understanding what a BSC is or what a governance system looks like in reality. Or how these things will be used in reality.

A very simple model visualizing how a balanced scorecard looks like from a holistic viewpoint.

My preparation for the COBIT exam consisted of reading through the standard twice alongside my daily work. I did so when I was in a spot where I needed to integrate a strategy framework with a governance framework. These two forms of frameworks kind of should go hand in hand in my world, they don’t need to but I think that the closer these two frameworks (strategy and governance) are to each other, the more value will be generated.

During this work, I decided to revisit COBIT and wanted to mainly take a look at the governance and management objectives. But as it was a couple of years ago I spent time on the framework I decided to go through the foundations from top to bottom. And when doing so I kind of found a couple of more gems in COBIT that I took with me into the framework integration task I was into in my day-to-day work. Along the road of my work and refreshing my knowledge I decided to go for the Pokémon, i.e. COBIT 2019 foundation certificate. I felt like I got the perfect opportunity to take a shot at the exam, where I got to apply the knowledge into reality in combination with studying for the exam.

The Cobit 20109 foundation Pokemon, i.e. digital badge.

I know people have different study approaches and learning methods. For me, applying theoretical things in reality is superior. To test shit out. To share those theoretical models, concepts, learnings, and ideas with others. Theory does not always fit into reality and here is where the true magic happens as I see it. Doing the theoretical stuff in such a way that works in reality. It is much easier to change a theory to fit into reality compared to doing it the other way around. Try to change the operational environment, company culture, or threat landscape for example. Like trying to punch that green little ball into a red square. As I wrote in the previous chapter, there are very effective ways how you can test theories, concepts, and frameworks out in reality to gain better hands-on experience and learning.

INFORMATION & REFLECTION

Before I sat for the COBIT foundation certificate, approximately one year earlier, I took the CGEIT from ISACA. There are some similarities but when reflecting on CGEIT and COBIT I think it would make perfect sense to start with COBIT before going for the CGEIT. Some foundational principles will be learned from COBIT that will be useful to understand when going for CGEIT. This is though not something that is a must. I did it the other way around, CGEIT first and then COBIT. Keep in mind though that CGEIT is an agnostic certification compared to COBIT which is a specific test on the COBIT framework.

IS COBIT FOR SECURITY LEADERS?

Yes, this certificate makes perfect sense for security leaders. It will not smash your skill levels up to the stratosphere. Still, I think the knowledge covered in the foundational material is good for both upcoming, new, and seasoned security leaders. You who are new or striving for a security leadership role will be learning foundational concepts, related to IT Governance and Management, that have a high carry-over to the security field. As I said before, Governance and Management are not exclusive to IT. The principles are universal but may take a different form of role in reality.

But all in all, I think that many security leaders who are familiar with security governance will have an edge on the knowledge covered in COBIT. You will learn a thing or two but don’t expect to come out on the other end as Batman with a high set of new cool tools and things.

And if you stand there and start to compare if you should take ITIL or COBIT, there is a thing that needs to be said here. These certificates are not the same or cover the same body of knowledge. ITIL is about IT Service Management. COBIT is about the Governance and Management of IT. Yes, both of them make sense as I see it for a security leader. Are they absolutely needed? No. A certain amount of or a specific combo of teddy bears (= certifications, diplomas, degrees, certificates etc.) does not guarantee one is the ultimate security end boss leader.

LEARNING MATERIAL

To pass the COBIT foundation certificate, all that is needed is out there for free from ISACA and covered in COBIT 2019 Introduction and Methodology. Reading through and understanding the concepts in the material covers all that you need to know to pass the exam. But as I said before, some of the concepts might be a bit abstract if one lacks experience and exposure to reality.

The COBIT 2019 Introduction and Methodology material is around 60 pages long. That doesn’t sound much but I think that it is easy to underestimate the knowledge covered in the material.

When preparing for the exam I also think it makes sense to go through parts of the COBIT 2019 Governance and Management Objectives material. This gives a good overview of how some of the things explained in COBIT 2019 Introduction and Methodology fit together. Now you can get a better overview of for example:

• Components
• Practices
• Management objectives
• Governance objectives
• Enterprise goals
• Alignment goals

As I said, you do not need to read through the COBIT 2019 Governance and Management Objectives material to pass the exam. But I think there is value in spending at least 1-2 hours on it just to get a deeper understanding of the framework.

FYI
It was the COBIT 2019 Governance and Management Objectives material that I was after initially when I did that work-related thing ( = integration of the strategy and governance framework). So I started to look at this paper, then went through the COBIT 2019 Introduction and Methodology, and then did some IRL work. Did some more IRL work. Somewhere here I thought it made perfect sense to go for the Pokemon, i.e. COBIT 2019 foundation certificate.

EPILOGUE

Is COBIT worth it? Should you as a security leader go for it? Will you benefit from it? I have said it before in several other articles, if you find the learning journey interesting and value-adding for YOU, go for it.

As COBIT is a certificate and not a certification it does not come with a yearly fee and the requirement of reporting CPEs. The monetary fee for the COBIT exam is, when this article was written, holding a reasonable price tag. The learning material needed to pass the exam is out there for free. And foremost, whether you are going for the COBIT certificate or not should not be the ultimate goal. It should be to learn the stuff in the framework.

Personally, I am one of those who like to learn stuff. I like to accumulate knowledge as this enables me to expand my perspectives. And this is also something that I think is very important for a security leader, to have a broad perspective of things. You don’t need to know it all down to the details about everything. That is not what leadership is about. However, having a good and broad understanding of several different domains and disciplines will add to your overall toolbox as a security practitioner.

Link to original article – Click Here
Follow Henrik Parkkinen on LinkedIn – Click Here
Visit HenrikParkkinen.com 

Threat hunting is more than a buzzword. It’s a discipline. A practice. A continuous pursuit of anomalies that might just be lurking beneath the surface. When we talk about Threat Hunting 360, we mean looking at threats from every possible angle. No assumptions. No biases. Just a sharp eye on potential dangers — whether they’re subtle nuisances or critical threats.

Why Threat Hunting 360?

Imagine you’re standing at a crowded crossroads. You see cars, bikes, and people moving in all directions. Now imagine trying to spot someone who doesn’t belong there. That's threat hunting. You’re scanning everything — new arrivals, familiar faces, unexpected movements. With Threat Hunting 360, you’re not just checking major intersections. You’re peeking down alleys, watching parked cars, and checking who’s lingering too long.

In cybersecurity, this means scanning both low-level threats and high-impact risks. The goal? Catch them before they cause harm.

Breaking Down the Approach

1. Back to Basics

Threat hunting starts with fundamentals. Basic security measures can be the difference between catching a threat early or reacting too late. Hunters always begin by understanding the environment.

• Where are the weak spots?
  
  
• Are the access controls working?
  
  
• How are the security configurations?
  
  

It’s like locking your doors before going to bed. You might check twice, just to be sure.

2. Getting Scared: The Reality Check

Once the basics are covered, it's time to dig deeper. Cybersecurity is scary — and that’s okay. Knowing what’s out there keeps you prepared.

Consider this: Would you rather know about a lurking predator or stumble upon it? The same applies to cyber threats. Threat Hunting 360 shines a light on what’s hiding.

• Advanced persistent threats (APTs)
  
  
• Insider threats
  
  
• Vulnerabilities hiding in plain sight
  
  

3. Data Protection Across OSI Layers

Data protection isn’t one-dimensional. Think of it like protecting a house. You lock the doors, secure the windows, and maybe even add cameras.

In cybersecurity, this translates to securing data across multiple OSI layers. Hunters examine traffic, analyze logs, and scrutinize everything from the physical layer to the application layer. Nothing is off-limits.

The Framework: How Threat Hunting 360 Works

Step 1: Define the Objectives

Before setting out on a hunt, it’s critical to establish goals. What are you looking for? Are you trying to spot unusual login patterns? Anomalies in data traffic? Knowing the “what” guides the “how.”

Step 2: Gather and Analyze Data

Hunters thrive on data. Logs, network activity, and user behavior patterns — all tell a story. It's about finding the story before it unfolds.

Step 3: Establish a Baseline

Understanding what’s “normal” is the key to identifying what’s not. Think of it like knowing how your home sounds at night. You know when something feels off.

• What’s the typical traffic pattern?
  
  
• How do users interact with systems?
  
  
• Are there any unusual spikes?
  
  

Step 4: Hunt Across Vectors

Threats don’t come neatly packaged. They move across multiple vectors — endpoints, networks, and cloud environments. Threat Hunting 360 takes a comprehensive approach by covering:

• Endpoint Detection and Response (EDR)
  
  
• Network Traffic Analysis (NTA)
  
  
• User and Entity Behavior Analytics (UEBA)
  
  

Building a Culture of Threat Hunting

Threat hunting isn’t just a job. It’s a mindset. It’s about creating a culture of vigilance where everyone — from the security team to the executive board — is aware and invested.

1. Continuous Learning

Cyber threats evolve. So should your hunters. Regular training sessions and simulated threat scenarios keep skills sharp.

2. Team Collaboration

No hunter works alone. Effective threat hunting requires cross-team collaboration. Security teams, DevOps, and IT all play a role in spotting and mitigating threats.

3. Leveraging Automation

Manual processes slow down response time. Smart hunters automate routine tasks, freeing up bandwidth for deeper analysis.

Overcoming Threat Hunting Challenges

Even the best threat hunters face hurdles. Understanding these challenges is half the battle.

• Volume of Data: Too much data, not enough time.
  
  
• False Positives: Chasing ghosts can drain resources.
  
  
• Skill Gaps: Not everyone is trained to identify subtle anomalies.
  
  

The solution? Refine, automate, and educate.

Conclusion: Wrapping It Up

Threat Hunting 360 isn’t just about spotting threats. It’s about building resilience. It’s about anticipating what’s next while keeping a sharp eye on the present.

Just like a well-trained scout scans the terrain for danger, threat hunters assess their environment with precision. They anticipate, investigate, and protect. And when the unexpected happens — they’re ready.

Join CISO Platform — the CyberSecurity Community
Gain exclusive insights from top security professionals and access cutting-edge research.
Join Now

By: Nathan Zimmerman (Sr. Information Security Officer, YMCA)

The Basics Never Change

Cybersecurity trends come and go. New threats emerge. Fancy tools promise magic solutions. But ask any seasoned threat hunter, and they’ll tell you—the fundamentals are what keep organizations safe. The problem? Too many people ignore them.

Threat hunting isn’t about the latest AI-powered detection system. It’s about knowing what’s in your network, understanding how it should behave, and spotting when something’s off. Simple? Yes. Easy? Not at all.

So, let’s get back to basics.

Assumptions Will Get You Hacked

Every security breach starts with one thing—assumption.

• "Our firewall will catch it."
• "The EDR has us covered."
• "We have strong passwords."

Wrong. Attackers thrive on assumptions. They know you’re relying on automated tools and outdated policies. They know where you’re not looking. And they know how to blend in until it’s too late.

Good threat hunting means questioning everything. Assume nothing. Validate everything.

Know Your Network (Really Know It)

How many devices are on your network right now? What systems talk to each other daily? Where does sensitive data live? If you don’t have quick, confident answers, you’re already behind.

Attackers don’t break in. They log in. They use stolen credentials, misconfigured systems, and forgotten accounts to move quietly through your environment. And unless you’re actively looking for them, they’ll stay hidden.

Threat hunters know their network like their own home. They can spot when something doesn’t belong, even when it’s trying to blend in.

Logs Are Useless (Unless You Use Them)

You’re collecting logs. Great. But are you looking at them?

Security teams drown in data but miss the big picture. Alerts fire off constantly. False positives pile up. Eventually, people stop paying attention. That’s exactly what attackers want.

Threat hunting isn’t about responding to alerts. It’s about finding what didn’t trigger an alert but should have. It’s about stitching together seemingly harmless logs to reveal a hidden attack.

What You Should Be Asking:

• What’s talking to the internet that shouldn’t be?
• Who logged in from an unusual location?
• Why did this service account suddenly escalate privileges?

Find the gaps. Then close them.

The Art of Thinking Like an Attacker

Most security teams think defensively. Threat hunters think offensively.

If you were an attacker, where would you go first? How would you hide? What would you do to blend in? Answering these questions is the key to finding real threats before they explode into full-blown incidents.

Some common attacker tricks:

• Living off the land – Using built-in admin tools like PowerShell to avoid detection.
• Credential stuffing – Trying stolen passwords from breaches to get into your systems.
• Pivoting – Gaining access to one system and using it to jump deeper into the network.

The best way to catch an attacker? Think like one.

The Myth of "Advanced" Threats

We love to talk about APTs—Advanced Persistent Threats. Nation-state hackers. Highly sophisticated attacks. But here’s a dirty little secret: Most breaches aren’t advanced.

They happen because of basic mistakes.

• A server missed a critical patch.
• An employee clicked on a phishing link.
• A misconfigured database was left open to the internet.

Threat hunting isn’t about chasing the next zero-day exploit. It’s about fixing the vulnerabilities that attackers are actually using.

Hunt or Be Hunted

You can’t defend what you don’t understand. And you can’t stop an attack if you don’t see it happening.

Threat hunting isn’t a luxury. It’s a necessity. The best security teams aren’t just responding to incidents—they’re actively searching for threats before they strike.

What You Can Do Today:

1. Inventory Your Assets – Know every system, device, and account in your network.
2. Monitor for Anomalies – Stop relying on alerts. Actively look for suspicious activity.
3. Patch the Basics – Don’t chase exotic threats when old vulnerabilities are still open.
4. Educate Your Team – Security awareness isn’t a one-time training. It’s a mindset.

Back to Basics, Back to Security

The fundamentals work. Always have. Always will. The best security professionals aren’t the ones using the most expensive tools. They’re the ones who understand their environment, challenge assumptions, and never stop learning.

Threat hunting is about discipline. Awareness. And a relentless commitment to getting the basics right.

Join CISO Platform — the CyberSecurity Community
Gain exclusive insights from top security professionals and access cutting-edge research.
Join Now

By: Nathan Zimmerman (Sr. Information Security Officer, YMCA)