< ciso
brief />
Tag Banner

All news with #security analytics tag

30 articles

CloudWatch Logs Insights adds 25 query commands

🔍 Amazon CloudWatch Logs Insights now supports 25 new commands and functions to enhance log querying, transformation, correlation, and analysis. The additions include type conversion and encoding, date/time, string, JSON inspection, statistical, sessionization, sequencing, null-handling, comparison, join, and lookup enrichment capabilities. These features are available today in all commercial AWS Regions and extend common tasks such as outlier detection, time-window comparisons, enrichment with lookup data, and handling of nulls in time-series analysis. See the CloudWatch Logs documentation for details.
read more →

Designing SOCs That Mirror Human Decision Modes

🧠 The article argues that effective AI-enabled SOCs should mirror Kahneman’s dual-system model: a fast, autonomous layer handling ~98% of alerts and a slow, deliberative layer for the small fraction needing human judgment. It warns against asking analysts or large language models to perform repetitive triage and emphasizes in-house investigation to retain the knowledge base. The right architecture frees analysts to supervise and improves detection over time.
read more →

Fixing data architecture vs. upgrading detection models

🔍 Security teams often default to retraining AI models when detections fail, but the real root cause is usually upstream data issues. Fragmented telemetry, inconsistent schemas and stale baselines degrade ML effectiveness long before models see events. Standardizing schemas, monitoring data quality at ingestion and applying governance to security telemetry are practical priorities that restore detection reliability without wholesale platform replacements.
read more →

Verify threat indicators before acting on feeds

🔍 The author recounts multiple cases where threat intelligence feeds and advisories mischaracterized malware or buried stronger indicators in machine-readable files. They describe a commercial feed mislabeling a Windows DonutLoader variant as the Linux Chalubo RAT, an official advisory whose PDF lacked stronger hashes present in the STIX bundle, and a CERT report with binary-level discrepancies. The piece stresses that labels and pipeline metadata are guesses until validated and urges analysts to open structured files and detonate samples when stakes are high.
read more →

Cloud Monitoring adds long-lookback PromQL alerts

🔔 Google Cloud announces preview support for long-lookback alert policies in Cloud Monitoring using PromQL, enabling queries across up to two years of metric history. The feature unlocks dynamic thresholding—alerts that compare recent behavior to historical baselines—helping catch anomalies that static thresholds miss. Google outlines example algorithms (moving averages, z-score, and seasonal time-offsets), discusses trade-offs like flakiness for new workloads, and shows a practical use case for preventing runaway spend.
read more →

Growing detection gaps across non-email collaboration platforms

🔍 New research from KnowBe4 finds cybersecurity leaders increasingly lack confidence in detecting threats on non-email channels like Slack and Microsoft Teams. An Infosecurity Europe 2026 survey of 169 professionals reports that 50% of organizations do not have strong visibility across messaging and social platforms, even as 60% say attacks are moving beyond email. While email remains viewed as the riskiest channel, confidence in stopping email attacks (83%) is far higher than for Teams (61%), social media (51%), SMS/WhatsApp (50%) and Slack (40%).
read more →

Forrester TEI: 124% ROI from Microsoft Security

🔒 Microsoft commissioned Forrester Consulting to evaluate the economic impact of consolidating security with its AI-first, end-to-end platform. Based on interviews and a survey of customers, Forrester modeled a composite 10,000-employee B2B organization and projected $30M in benefits against $13.4M in costs over three years, yielding a 124% ROI and $16.6M NPV. The study highlights faster decisions, reduced friction, and improved defender productivity as key operational gains.
read more →

Storage Insights datasets add activity visibility

🔍 Storage Insights datasets now include activity insights that provide near-real-time visibility into object and bucket operations across your Google Cloud Storage estate. These BigQuery-linked views expose object-level writes, updates, deletes and errors, bucket-level aggregates and regional traffic patterns to support cost optimization and faster troubleshooting. The feature is generally available and customizable by org, folder, project, or specific buckets, enabling queries, Looker visualizations, and integration with other Storage Intelligence capabilities.
read more →

Most SOCs See Limited Value from First‑Wave AI

🔎 The SOC-CMM 2026 report shows rapid AI adoption across SOCs but limited perceived value: only about 10% report excellent value while 71% report some or no value. The dominant deployment pattern is the taker model—off‑the‑shelf AI bolted into existing tools—creating fragmented workflows and weak handoffs. The report argues the next wave must be architectural: AI that operates across detection, hunting, investigation, remediation, and threat intel with built‑in governance and institutional knowledge.
read more →

Gain visibility into DDoS attacks with flow logs

🛡️ This post explains how AWS Shield Advanced attack flow logs capture metadata during DDoS events and publish records to Amazon S3, CloudWatch Logs, or Data Firehose. It outlines the fields included in each flow log entry, describes delivery configuration and required IAM permissions, and shows how to create the CloudWatch Logs delivery objects that connect a Shield protection to a destination. The article also covers output formats, file size and timing, cost considerations, and cross-account/Region aggregation options.
read more →

Gap Between Threat Intelligence and Business Risk

🔍 A new paper from Silobreaker and the SANS Institute warns that business leaders often misunderstand threat intelligence and its value, creating an "intelligence–stakeholder gap." The report, launched at Infosecurity Europe 2026, finds that intelligence outputs can be overlooked or misinterpreted, limiting funding and visibility for intelligence teams. To close the gap, teams must tailor briefings to senior leaders, provide forward-looking exposure analysis, prioritise speed and seek regular stakeholder feedback to ensure intelligence changes decisions and drives risk-informed actions.
read more →

AI Won’t Replace SOCs, It Will Reshape Analyst Roles

🛡️ Vendors at Infosecurity Europe 2026 agree that AI will not eliminate security operations centers but will automate repetitive triage and ticketing. Experts urge treating AI as a glass box, ensuring transparency and human-in-the-loop validation. The shift accelerates junior analysts into supervisory tier-1.5 roles and creates demand for cyber defense engineers who build and tune detection systems.
read more →

EvidenceForge: Realistic Synthetic Security Logs

🔍 EvidenceForge is an open-source project from Cisco Talos that generates correlated, multi-source synthetic security logs using a single canonical event model, causal ordering, and realistic background noise. It outputs synchronized telemetry across 20+ log formats (Windows, Linux, network, and EDR) from a version-controllable YAML scenario file and includes AI-assisted scenario authoring. The tool emphasizes deterministic generation, sensor-aware visibility, and built-in validation to produce datasets suitable for training, testing, and exercises.
read more →

Criminal IP and Securonix Integrate Threat Intel Operations

🔗 Criminal IP and Securonix have integrated Criminal IP’s exposure-based threat intelligence into ThreatQ, enabling organizations to enrich IP indicators with contextual data such as maliciousness scoring, VPN/proxy detection, exposed services, open ports, and known vulnerabilities. The integration leverages APIs and ThreatQ’s orchestration engine to automate continuous enrichment and evaluation of incoming indicators, reducing manual analyst effort. Analysts can perform on-demand lookups and view expanded investigation graphs within ThreatQ, improving prioritization and response workflows.
read more →

Calm Ransom: When Confidence Hides Cybersecurity Risk

🔒 Calm does not equal secure — organizations often mistake a long period without incidents for strong defenses. This article warns that mental shortcuts like WYSIATI (What You See Is All There Is) and overreliance on compliance can blind teams to active threats, such as credentials appearing in infostealer logs before attacks. Remediation requires behavioral detection, continuous threat intelligence, and disciplined vigilance to prevent costly ransomware and data‑leak consequences.
read more →

Stopping Fraud Across the Customer Journey Seamlessly

🔒 Modern fraud intelligence platforms enable organizations to stop fraud at signup, login, and checkout without broadly adding customer friction. By correlating dozens of real-time signals — IP, device, email, phone, and payment instrument intelligence — these systems produce composite risk scores for fast, proportional decisions. IPQS is presented as an example of a unified platform that enriches point solutions and applies tiered responses, favoring lightweight challenges or seamless approval for low-risk users while reserving hard blocks for clearly malicious sessions.
read more →

Engineering Fairness in Multi-tenant SIEM Platforms

🔎 While reviewing five popular SIEM solutions for a security awards panel, the author observed consistent marketing claims—24/7 SOCs, AI-driven detections, integrations and SLA promises—but a notable omission: how vendors manage multi-tenancy. The piece explains the engineering risk of the “noisy neighbor” effect in shared cloud stacks and shows how poor isolation can produce ingestion latency, delayed detection and violated SLAs. It recommends concrete architectural controls—admission control, fair-share scheduling and resource partitioning—and urges buyers to demand transparency or opt for dedicated clusters when compliance or performance require strict isolation.
read more →

Residential proxies bypass IP reputation in 78% of attacks

🕵️ GreyNoise analyzed 4 billion malicious sessions over three months and found residential proxies accounted for roughly 39% of traffic yet evaded IP reputation feeds in 78% of cases. Researchers say the short-lived, systematically rotated, or low-activity nature of these addresses prevents timely cataloging by reputation systems. They recommend moving from IP-based blocking to behavior-focused detection, such as spotting sequential probing and tracking device fingerprints that persist through IP rotation.
read more →

Five Key Trends Reshaping the SIEM Market for 2025

🔍 Modern SIEM platforms have evolved far beyond simple log collection, embedding AI/ML, XDR, and SOAR to enable real-time detection, automated remediation, and analyst workspaces. Convergence with XDR and SOAR is creating unified platforms that reduce complexity and accelerate response, while many SMBs opt for MDR instead of maintaining full SIEM deployments. Economic shifts and AI compute costs are changing cloud vs. on-prem trade-offs, and vendors are consolidating functionality through M&A and bundling.
read more →

Proactive Cyber Resilience Strategies with Wazuh Platform

🔒 Wazuh is an open-source SIEM and XDR platform designed to help organizations build proactive cyber resilience by delivering centralized visibility, continuous detection, and automated response across endpoints, servers, cloud workloads and containers. It collects telemetry via agents, syslog and agentless methods, enabling early detection through log analysis, File Integrity Monitoring and correlation rules. Automated response actions and AI-assisted analysis speed containment and remediation while vulnerability detection and security configuration assessments support ongoing IT hygiene and compliance.
read more →