Security Boulevard

via the comic humor & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Incoming Asteroid’ appeared first on Security Boulevard.

As Valentine’s Day approaches, cybercriminals are ramping up their efforts to exploit consumers through romance scams, phishing campaigns and fraudulent e-commerce offers.

The post Cybercriminals Exploit Valentine’s Day with Romance Scams, Phishing Attacks appeared first on Security Boulevard.

Check Point Software Technologies and cloud security provider Wiz are teaming up to enhance cloud security for enterprises by integrating cloud network protection with Cloud Native Application Protection (CNAPP).

The post Check Point, Wiz Partner on Enterprise Cloud Security appeared first on Security Boulevard.

Eric Gan, the ex-SoftBank executive, who took over as CEO of Cybereason in 2023, is suing SoftBank and Liberty Capital, claiming its largest investors are blocking much-needed financial proposals and driving the cybersecurity firm toward bankruptcy.

The post Cybereason CEO: Mnuchin, SoftBank Pushing Company To Bankruptcy appeared first on Security Boulevard.

Artificial intelligence (AI) is profoundly transforming cybersecurity, reimagining detection through remediation.

The post The Current AI Revolution Will (Finally) Transform Your SOC appeared first on Security Boulevard.

Authors/Presenters: Diego Jurado & Joel Niemand Sec Noguera

Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.

Permalink

The post DEF CON 32 – Leveraging AI For Smarter Bug Bounties appeared first on Security Boulevard.

The first post in a five-part practical guide series on maximizing the professional, educational, and financial value of the OffSec certification pursuit for a successful career in offensive cybersecurity consulting

Disclaimer:

All opinions expressed in this article are solely my own. I have reviewed the content to ensure compliance with OffSec’s copyright policies and agreements. I have not been sponsored or incentivized in any way to recommend or oppose any resources mentioned in this article.

Introduction

Love it or hate it, the Offensive Security Certified Professional (OSCP) remains a significant hurdle for many aspiring offensive security consulting professionals. While the course and exam offer undeniable educational value, I believe there are underappreciated practical steps students can take during their “OSCP journey” to strengthen their candidacy and develop the essential soft and technical skills needed for success in the field. In this post (hopefully the first of a small series), I’ll explore three pieces of practical advice for students to consider before enrolling in the course. In future posts, I hope to explore more advice tailored to distinct phases of the OSCP journey.

PEN-200: Penetration Testing Certification with Kali Linux | OffSec

A Little Bit About Me

I am an associate consultant in the offensive security consulting industry, having successfully transitioned from a career as a software engineer in information technology (IT). While my background in offensive security consulting is still growing, I feel that my recent experience as a student trying to earn the OSCP certification (or, as I like to call them, “OSCP-hopefuls”) and my successful pivot into this field have provided me with valuable insights to share on this topic.

Some Background Context

The OSCP is a popular cybersecurity certification that tests an individual’s ability to identify, exploit, and report on misconfigurations/vulnerabilities affecting web applications, common network services, and the Linux and Windows operating systems. Maintained by OffSec (formerly Offensive Security), the certification stands out due to its rigorous exam, which requires candidates to complete a 24-hour practical black-box penetration testing scenario. Students are given an additional 24 hours to write and submit a report for grading. To earn the OSCP, candidates must successfully exfiltrate a minimum number of “flags” and submit a satisfactory report.

Infosec & Cybersecurity Training | OffSec

Employers widely recognize the OSCP as a valuable credential for entry-level roles in the offensive security consulting industry, which includes cybersecurity services like penetration tests, red team engagements, and purple team exercises. Its frequent appearance in job postings (which has earned it the joking moniker, “the LSAT for hackers”) and the challenging nature of the exam for junior ethical hackers make it a significant milestone. As a result, it’s common for students who pass the exam to altruistically share their experience in OSCP journey articles, offering insights to others who are on the same path, detailing what they studied, how they approached the exam, and their personal takeaways.

I was originally going to write my own article following this same prototype, but recent developments led me to reconsider. Although I passed the exam in March 2024, the OSCP exam underwent a significant format change in September 2024. Given these changes, I felt that a “review” of my OSCP journey would likely be outdated.

So Why Are You Writing This?

https://medium.com/media/b1003f5942a041283d0aad0d331b5f88/href

While I consider the OSCP a strong addition to my resume, I’ve found that much of the “value” I gained from the pursuit of the OSCP — value I’ve leveraged during job applications and in my current role— came from unexpected places. As it turns out, the OSCP journey is just as important, if not more so, than the credential itself. With that in mind, I felt compelled to share specific details of my OSCP experience, the lessons that served me well, and the actions I would take if I could go back and do it all over again.

If you look at the bulk of OSCP-related content online, it’s clear that the focus is overwhelmingly on developing the technical mastery needed to pass the exam. While this focus is understandably important, it overlooks the broader picture. The exam itself, along with the technical content required to pass it, offers valuable lessons, but they’re just one part of the overall journey that can contribute to a thriving career in offensive security.

This article aims to fill that gap by offering practical advice that students can follow to not only pass the OSCP but also to grow into well-rounded penetration testers. Some of this advice may be considered “extra mile” exercises, while others are proactive steps that can be employed more passively. Regardless, all of them are designed to help candidates maximize the professional, personal, and financial value of earning an OSCP certification.

A Few Disclaimers Before We Dive In:

• Article Structure: Due to the length of my original draft, I decided to split this post into a five-part series representing each “phase” of the OSCP journey: 1) pre-course preparation, 2) during the course, 3) during the labs, 4) during the exam, and 5) after the exam (pass or fail)
• Target Audience: While the primary audience for this article is for students hoping to break into the offensive security consulting industry, I do not mean to discount or exclude individuals who have already secured a consultant role or are pursuing the OSCP for other reasons such as personal enrichment or workplace/regulatory compliance (luckily, I believe much of my advice still generally applies to these individuals)
• Not an Endorsement: This article is not an endorsement of the OSCP itself (at various points in this series, I will submit what I believe to be valid but fair criticism of the credential), but rather a vehicle to share insights from my personal experience with the certification
• No Guarantees: I cannot promise that students who follow this advice will pass the OSCP exam or successfully pivot into the offensive security consulting industry
• Other Paths are Valid: The OSCP is not a gatekeeper to the offensive security consulting industry (I know many junior to senior-level experts without the credential) and I would advise students to consider every path to a successful and fulfilling career before committing to the certification program

Before the Course…

https://medium.com/media/eee6d6acc2d770c541367dfafd8e066f/href

“By failing to prepare, you are preparing to fail.” - Benjamin Franklin

Let’s start with advice that applies to students who are either considering enrolling in the PEN-200 course or are actively planning to. If you could walk away from this article with just three takeaways, here they are:

1. Estimate whether the return on investment (ROI) will be positive or negative before committing to enrollment, and explore ways to reduce upfront costs
2. If you’re preparing for the PEN-200 with external training, complete the training before enrolling and use that time to build your resume with practical and challenging achievements
3. Start creating a reference guide (AKA a “command cheat sheet”) early to improve your testing efficiency and become more familiar with common offensive security tools

Consider the ROI

The OSCP is undeniably an expensive certification program. Given the steep financial and time commitments, one must consider whether the tangible and intangible benefits of the program represent a net-positive, neutral, or net-negative ROI relative to the candidate’s career goals and personal circumstances.

At the time of this article, the base cost of the OSCP certification starts at $1,749, which includes 90 days of access to the online course, lab materials, and a single exam attempt. However, a more realistic estimate — factoring in multiple exam attempts and lab extensions — can easily exceed $2,000. Individual exam retakes cost $250 each, while 30-day lab extensions cost $360 apiece. Additionally, many students choose to invest in external training resources, each with its own associated costs (more on that later). For those seeking an extended study period and additional benefits, the LearnOne subscription offers a year of course and lab access, two exam attempts, and other perks for $2,749/year.

Individual Pricing | OffSec

Additionally, studying for the OSCP is a significant time investment, and failed exam attempts include mandatory cooldown periods that can further extend the overall timeline and costs. While everyone progresses through the PEN-200 course and labs at their own pace, the most effective approach is often a marathon pace, not a sprint. If you’re under a strict time constraint or primarily seeking quick, incremental resume boosters, the OSCP may not align with your current goals.

The OSCP is also not the only practical ethical hacking certification program available, many of which are more cost-effective. Some of these courses cover material that is not included in the PEN-200 course but is arguably critical knowledge in the offensive security consulting industry, such as command and control (C2) frameworks and their infrastructure, antivirus (AV) evasion techniques, and more sophisticated web application and Active Directory (AD) attack vectors. While my personal experience is limited to Zero Point Security’s Certified Red Team Operator (CRTO) certification, I’ve heard positive reviews of the Hack the Box Certified Penetration Testing Specialist (HTB CPTS) and Practical Network Penetration Tester (PNPT) credentials. These programs are comparable in difficulty and scope to the OSCP and, perhaps most notably, are currently below $500, making them a more affordable alternative to the OSCP.

Security Certification Roadmap - Paul Jerimy Media

It should also be noted that certification programs are just one of many pathways to a career in offensive security consulting. While they are often a key metric technical recruiters use to assess candidates, other accomplishments — such as independent ethical hacking projects, competitive tournaments, or content creation — can carry equal or even greater weight on an application. These alternative routes showcase not only technical expertise but also initiative, creativity, and passion for cybersecurity, most of which come at a much lower upfront cost.

https://medium.com/media/8d8849e1b061a00182fe04afa64bc38d/href

Still, there are notable benefits to pursuing the OSCP. The PEN-200 course encompasses an impressive breadth of penetration testing knowledge and the exam itself is notoriously challenging. Considering this, the OSCP has earned a well-deserved reputation as a litmus test for prospective consultants and technical recruiters therefore eagerly seek OSCP-certified candidates. Additionally, the certification has been around for a relatively long time and has strong name-brand recognition in the industry. Finally, it includes an impressive set of lab networks for students to practically apply the technical skills learned during the course to an environment composed of intentionally vulnerable machines. This aspect in particular provides a well-defined path to an audience — mostly composed of entry-level ethical hackers — from beginner to professional-level penetration testing mastery.

There are also pragmatic reasons to pursue the OSCP. Although I don’t have specific metrics to support my claim, my anecdotal experience in the job market suggests that many organizations incorporate the OSCP in their hiring process. Some firms require candidates to hold the certification, model their technical interviews after the exam, or mandate new hires to earn the credential within a specified time frame. Earning the OSCP early in your job search could therefore open up more doors for you professionally. Moreover, if your next role represents a significant increase in base income, the associated costs of the OSCP may be offset relatively quickly.

One straightforward way to increase the ROI of an OSCP investment is to reduce the upfront cost associated with the bundle. For currently enrolled university students, OffSec offers a 10% discount on a LearnOne subscription through its Achieve financing program. OffSec has also historically held an annual sale on LearnOne subscriptions during November through January. Beyond OffSec, many nonprofits offer partial or complete discounts for common certification programs — including the OSCP — to successful applicants of scholarship programs. Many companies also provide professional development benefits, which can cover the cost of an OSCP voucher. This is especially common among cybersecurity consulting firms and serves as a compelling argument in favor of waiting until after securing a new position before enrolling in the PEN-200.

Discount Programs | OffSec

In summary, the OSCP is a significant financial investment and prospective students should not take it lightly. For many, it represents a major milestone in their ethical hacking journey, a source of personal growth, and a pathway to a new career. For others, its benefits may only be marginal or, depending on the circumstances, not in their best interests. Ultimately, the decision rests with the individual, who should weigh all the factors and considerations to determine if the OSCP is the right choice for them.

Build Your Resume While You Study

While the course provides robust hands-on training, many OSCP-hopefuls — including myself — supplement their PEN-200 training with additional resources to enhance their learning experience. By strategically choosing training options, you can not only deepen your technical knowledge but also strengthen your resume or CV, making your study efforts even more rewarding.

The official OffSec motto is “Try Harder”, which essentially means that successful problem solvers are persistent, creative, and open to new ideas. At the risk of sounding arrogant, I’d suggest adding another adjective to the mix: “retrospective”. Penetration testers and others who face recurring challenges throughout their careers are more likely to succeed if they can learn from past experiences and apply those lessons to current problems. External training, then, is a natural extension of the Try Harder mindset. It’s also prudent, since we can deliberately select exercises we can showcase on a resume, reference in cover letters, or leverage using the STAR method during behavioral interviews.

https://medium.com/media/a3582fbc69d6b4ff991adacceb3bb683/href

Generally, I recommend completing external resources before enrolling in PEN-200 for two reasons. First, supplemental training establishes a solid foundation in both theoretical knowledge and practical experience with tactics, techniques, and procedures (TTPs) before starting the course. Although PEN-200 assumes no prior experience in ethical hacking, having a baseline understanding of key concepts can make the course more manageable and improve your efficiency. Second, when you purchase a course and exam voucher, your access to the online course material and lab networks is automatically activated, and the expiration date is set. If you complete the course and labs before your access expires but still require additional training, any time spent on external resources during this period could have been used to take full advantage of OffSec’s official resources (such as reviewing the course material or writing reports on the lab networks, which I will discuss later in the series). Finishing most or all of your external training before starting PEN-200 ensures you aren’t wasting the expensive time you paid for by focusing on extrinsic resources.

Take full advantage of the low-pressure environment of external training by experimenting with different commands, refining your assessment methodology (more on that later in the series), and discovering which technology stack you enjoy hacking the most. Platforms like Hack the Box (HTB) and OffSec’s Proving Grounds are perfect for this. You may even pick up knowledge that isn’t covered in the PEN-200, giving you a potential edge when applying for jobs and helping you stand out as a candidate. Additionally, many external training platforms have active communities where learners can collaborate, share insights, and support each other. Building connections within these communities can provide valuable peer feedback, challenge your assumptions, and give you a sense of camaraderie as you navigate the complexities of penetration testing.

In conclusion, practical supplemental training offers the dual benefit of preparing you for the challenging PEN-200 course while strengthening your profile as a candidate for offensive security consulting roles. Below, I have included a table of my personal recommendations for practical training resources, including their costs, the types of challenges they offer, and how they can enhance your job application. I have focused primarily on resources that I have personally used and are affordable, keeping in mind our previous discussion on ROI.

https://medium.com/media/eef7156ad4b4dd7b3e9c7a8ff3b16b47/href

Begin Writing a Reference Guide

https://medium.com/media/4772ce49df69e2e4a8f035350a0f5363/href

A reference guide is essentially a structure where consultants store key information they need to recall during engagements, such as command syntax or the requirements to launch a specific attack — essentially a “cheat sheet”. Not only is this type of resource valuable for the OSCP labs and exam, but it can also be an asset during a live engagement or published as a personal project that can be included on a job application.

I personally find command reference guides incredibly useful in both simulated training environments and live engagements. A well-organized, personalized reference guide not only improves your efficiency but also reinforces your assessment methodology, core-concept understanding, and technical writing abilities. Think of your guide as a living document that evolves alongside your growth as an ethical hacker, serving as a modular and reliable resource. Starting your reference guide early— even before beginning the PEN-200 course —can significantly enhance your testing efficiency and tool expertise.

A reference guide can arguably be started at any point in the OSCP journey, but I chose to include it in the “Pre-Course” section for multiple reasons. First, the guide should ideally transcend the OSCP and be useful for any ethical hacking project, so it makes sense to include it in one of the sections separate from the PEN-200 material. Second, if the student intends to pursue external training resources, they are bound to encounter useful tools before starting the course, making it prudent to document their usage. Finally, maintaining a reference guide is a continuous process, so I would like to get students in the habit of writing reference guides early as opposed to much later in the OSCP journey.

My favorite tool for creating reference guides is Obsidian, a free and cross-platform node-based note-taking utility. It offers a rich set of features, including an interactive graph, Markdown language support, a tagging system, and much more. Other node-based programs worth considering are Microsoft OneNote, Standard Notes, and CherryTree.

Obsidian - Sharpen your thinking

Let’s take impacket-GetUserSPNs as an example. This tool is part of Fortra’s Impacket suite and is based on the original GetUserSPNs.py module. It automates the “Kerberoasting” attack, which allows attackers to retrieve the password hash of a service account in an AD environment.

impacket/examples/GetUserSPNs.py at master · fortra/impacket

If we were writing a page for this tool in Obsidian, we could start with an overview section. This would include a link to the source code for the tool, as well as the MITRE ATT&CK framework page for Kerberoasting.

Next, we need to define the requirements necessary for this attack to be feasible. In this case, we should note that the attacker needs access to a valid credential set in AD and that the target user(s) must be a service account associated with a Service Principal Name (SPN). Additionally, it’s important to mention that this tool can be executed remotely from the attacker’s Linux machine on the same network, as some tools require execution on a victim’s Windows machine or through a C2 framework like Cobalt Strike. If verifying the feasibility of an attack requires additional tools, we can create links to other Obsidian pages and embed them here.

Next, we should include some command examples. Tools like impacket-GetUserSPNs often have many different command-line arguments and optional flags, so it’s best to prioritize the ones most relevant to you and omit the others.

Although it is considered [mostly] out of scope of the PEN-200 course, I still recommend including a section discussing how to enhance the “stealth” of a given command and thwart operational security (OPSEC) efforts. This is a critical topic in offensive security consulting and could help you stand out among other job candidates (a candidate who can demonstrate both technical aptitude with a given tool and how to use it stealthily is more desirable than one who only knows the former). While Kerberoasting is generally considered an “OPSEC-loud” technique, we will do our best to evade detection and explain our efforts in the OPSEC section. If you’re unsure whether a TTP can be made stealthier, consider researching it on resources like HackTricks or revisit this section later.

Finally, we will want to include the output from the command’s help menu (impacket-GetUserSPNs --help ).

If we wanted to go a step further, we could include an in-depth analysis of what happens “under the hood” when executing a typical Kerberoasting command. This would involve screenshots of the impacket-GetUserSPNs source code and network packets that Wireshark captured in a personal lab (more on this later in the series). Additionally, we could use Obsidian’s tagging system to link this page to a “kerberoasting” tag, unifying all other tools related to the Kerberoasting technique.

On a final note, a reference guide can serve multiple purposes depending on how you design it. A personalized guide — tailored to your study habits, tools, and workflow — can significantly improve your efficiency during exams or live engagements by helping you quickly locate critical information. If you’re like me and struggle with staying organized during an assessment, structuring your guide around an adversary emulation framework (e.g., the MITRE ATT&CK Framework, Lockheed Martin’s Cyber Kill Chain, and Mandiant’s Targeted Attack Lifecycle) can support a systematic approach to problem solving. In any case, it is best to start writing your own guide early and continue building it as you progress on your ethical hacking journey.

Conclusion

https://medium.com/media/c2e39e72b19d45fed41b683d7584cb02/href

I hope you enjoyed the first post in this series. If you have any comments, criticisms, or advice you think should have been included, please feel free to leave a comment. In the next post, I’ll explore additional advice for students as they begin reading the official PEN-200 course materials.

Getting the Most Value out of the OSCP: Pre-Course Prep was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Getting the Most Value out of the OSCP: Pre-Course Prep appeared first on Security Boulevard.

Recently we reached a milestone in our design partnership with BNY, one of the world’s preeminent financial institutions and our nation’s oldest bank. You can read more about this milestone in our official announcement of our graduation from BNY’s Ascent program and can read much more about our approach in many of our blogs located here and in resources on our website. We can also provide a detailed write-up of our methodology, architecture, and results under NDA to users.

Users can also try a flavor of what we outline here, using our Tempo model running as a NativeApp on Snowflake.

Looking deeply at Deep Learning

This blog focuses on the evaluation process, as opposed to the value proposition for our Tempo LogLM. I hope that by sharing these tips and lessons learned we will accelerate the use advanced technology in incident identification. As mentioned below, we are open-sourcing our approaches including Python code and example logs. We welcome industry and academic collaboration.

Start with criteria

We have found a true partner in BNY, one with the breadth and depth of understanding of the domains necessary to better protect an institution from increasingly sophisticated attackers. BNY, from our experience, is forward-looking while also being locked down and focused. BNY’s acquisition of an NVIDIA superpod years ahead of its peers in the financial service industry shows its commitment to innovation and vision. For these and other reasons, BNY is an ideal partner for us as we reshape cybersecurity via deep learning for collective defense.

Together, we determined that BNY would be interested in at least the following criteria in the first phase and additional attributes in a subsequent phase.

Phase I:

• Accuracy — including F1 score
• Adaptability

Phase II:

• Explainability
• Efficiency
• Return on investment

Accuracy

In the short term, the accuracy of the model was our focus. This is a standard consideration in any approach that attempts to find incidents — it answers the question of how effective is this incident identification. Like most teams of deep learning engineers — we are extremely proud of our F1 scores, which are aggregate measures of accuracy.

Some challenges in measuring the accuracy of a cybersecurity model include a lack of labels and a risk that an approach could overfit to identify a particular attack pattern while failing to identify derivatives of that pattern; rules, in particular, are unable to see similar attacks and machine learning models that have been trained to see specific indicators can have a similar challenge.

The lack of labels is inherent to cyber security — there are relatively few known attacks that most enterprises will have available. This is one reason that transfer learning from a foundation model is so important. More on that below — adaptability.

The lack of labels can make determining the precision of a model challenging. One approach is to manually review the output of a model or set of indicators. BNY, thankfully, was willing to conduct this analysis for us. Our LogLM identified dozens of apparently concerning sequences of attacks and flagged those IP addresses contained within the sequences. A manual investigation was done into each of these sequences, using the IP addresses and related IP addresses as anchors of this investigation.

As an aside, the lack of labels is also why a self-supervised approach to pretraining foundation models is the right approach. Very large-scale pretraining of foundation models has been impractical in the past — however transformer-based approaches allow for the building of models of unimaginable scale, accuracy, adaptability, and even explainability.

Another approach we have undertaken is to build Mitre Att&cks and then use these to help calibrate a classifier. We discussed this approach in a prior blog. We will be open-sourcing this work in the weeks to come. You can raise your hand to assist — whether that is providing wish lists or perhaps spending some time contributing useful Python in the Open Security Community here: https://github.com/deepsecoss

Additionally, we must credit the Canadian Institute of Cybersecurity. The work that they did years ago helped us to pre-train our Tempo LogLM model over the last two years. You can find more about their work here.

BNY like all mature security enterprises also uses red team evaluations and we are also participating in these activities.

Lastly, in cyber security, the SOC often has the last word. Do they trust the solution once it runs in production? Can they quickly apply the alerts provided or are they deprioritized by the SOC? I view this as the most critical test of all — how will the insights of our Tempo LogLM be usedupon in production?

Adaptability

Adaptability is underemphasized in cyber security. Most machine learning solutions take months of tuning to show effectiveness in a new environment. And of course, most rules are hard-coded to work best within a particular environment. A lack of adaptability has led us to have a very brittle set of systems that are expensive to maintain and that take a long time to deliver benefits.

By comparisons, we build foundation models which we call LogLMs. These LogLMs generalize well and can show their capabilities quickly, often without ANY time spent on customization at all.

To quantify this adaptation, our BNY partners suggested we follow a three-part approach. In all cases, the model identified concerning sequences, and, as mentioned above, BNY detection engineers examined the validity of these results.

The four parts of the evaluation were as follows:

1. No adaptation — most limited data set
2. No adaptation — additional data provided
3. Rapid — classifier based — adaptation — limited data set
4. Rapid — classifier based — adaptation — with additional data provided

This four-part approach sought to first establish a baseline for the model and to then demonstrate the ability of the model to adapt within the BNY domain with the assistance of more data and the aid of a classifier.

Whereas many machine learning models and products take months of tuning to achieve acceptable precision — a precision all too easily lost as the environment changes — our Tempo LogLM compared as well as these models before any adaptation. And then showed further improvement in tests 2, 3, and 4.

This approach should be rather simple for any deep learning based solution to follow to demonstrate whether it adapts well. If it does, it is likely a foundation model and all that entails. Not all deep learning is the same, by the way. GNNs have not been shown to generalize well, an Achilles heel that may have contributed to Lacework’s challenges as I previously explained.

Explainability

As mentioned above, the real test for any set of indicators is to what extent the SOC comes to rely upon them. We heard early on from our advisors and investors, such as Chris Bates, the long-time former CISO and chief trust officer at SentinelOne, that a more accurate black box would be of limited interest to the SOC operator. Our founding engineer Josiah Langley, has shared that as a former threat hunter and engineer at Dragois, he had to deeply understand the rules and other indicators to know how or whether to act upon their alerts.

As our underlying model relies upon a many-to-many comparison of 768-dimensional tensors, explainability was a challenge to us and one we started to address even before founding DeepTempo.

It is hard to know exactly how to measure explainability. Our approach includes the following — and some other proprietary techniques:

Provide and measure the accuracy of a mapping of incidents to Mitre Att&ck patterns

• We may not think in 768 dimensions, but if you work in a SOC you speak Mitre Att&ck.

Create and provide the sequences within the logs themselves

• It is a simple enough requirement — can a user immediately see the concerning sequence? We have put a lot of thought into how to make all of the embeddings our model creates useful including those that are flagged as concerning and those that are not.

This usefulness can be evaluated largely by human feedback as well as the accuracy of the model in predicting the ground truth of the sequences themselves.

Dashboards

• Splunk, Snowflake, and other vendors have the eyeballs of the data analysts and the SOC. We provide dashboards to our users that fit our information into these environments. Whether they use our dashboards or their own — our users can apply all the context of these solutions, for example looking at everything impacting an IP, including the outputs of our Tempo LogLM.
• Please review a demo of an example dashboard on our YouTube channel: https://www.youtube.com/@DeepTempo-ai

Efficiency

To measure efficiency, we capture concrete metrics and attempt to measure harder-to-measure soft metrics.

First, the soft metrics — when discussing our approach with potential users we want to get to know them better. We often ask — how do you build and maintain your rules-based indicators? Who built them? How are they documented? How are they tested?

The point from these questions is to understand what the team is doing and to emphasize the costs of the massive technical debt under which most of the cybersecurity industry is struggling. This segues naturally into the efficiency gains from having a quick-to-adapt and extremely accurate solution with baked-in explainability. Still — these are often hard to quantify.

Easier to quantify is the ability of our models and other software to handle large streams of data while using a relatively small amount of computing and memory. Without getting into proprietary details here, we have shown that the approach can scale horizontally with the help of standard containerized approaches from NVIDIA and Snowflake. Additionally, in many cases, the bottleneck is getting the logs back to a location for their analysis. In these cases, our models and related software are run in a decentralized manner.

ROI

A friend who is a deep technology investor who generally avoids cyber security explained to us in an all-company meeting last fall — there are two kinds of solutions in cyber security, those that just document stuff and keep the lawyers and regulators happy and those that apply deep technology to address the fundamental job of cyber security — i.e. greater security.

In our case, we add value by reducing the risk of especially advanced attacks. How can we quantify this? What is the value of reducing the risks of potentially successful attacks? In the case of BNY, they are a bedrock of capitalism itself, as old as the United States. What is the benefit of further securing that foundation?

We also have a hard ROI from cost avoidance. In particular, users decrease their retention of flow logs in expensive systems as they come to trust our solution to better identify and alert on certain attack vectors. The use of our embeddings for retroactive use cases along with the log sequences we parse out and make immediately available also increases confidence in users pushing a greater percentage of their logs into lower-cost datalakes like Snowflake, object storage, and other platforms.

Our approach to pricing is to attempt to share the hard ROI benefits and to leave all of the soft ROI benefits to the user.

It gets a bit more complicated than that, of course. Like many enterprise vendors we have a detailed ROI model that is used by larger customers to document their decision to rely upon our Tempo. Other users just try it out, burning off some of their credits on Snowflake to get started and go from there.

Conclusion

Cyber security has some inherent measurement challenges which is likely one reason it seems to be making unwise and backward-facing investments. While spending on cyber security is increasing rapidly, so are losses. Thanks to their success, attackers have much more to spend than the $200-$250bn we collectively spend on cyber security. These attackers do not share our measurement challenges — they have a very simple method of measuring their success.

As this blog outlines, measurement across at least the following criteria has proven helpful to our users: accuracy, adaptability, explainability, efficiency, and ROI. We hope this blog and other work including our open source contributions will help buyers to make more fact-based decisions about necessary investments in improved cyber security.

Watching the Watcher: How we evaluated DeepTempo with BNY’s help was originally published in DeepTempo on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Watching the Watcher: How we evaluated DeepTempo with BNY’s help appeared first on Security Boulevard.

By Josselin Feist Writing smart contracts requires a higher level of security assurance than most other fields of software engineering. The industry has evolved from simple ERC20 tokens to complex, multi-component DeFi systems that leverage domain-specific algorithms and handle significant monetary value. This evolution has unlocked immense potential but has also introduced an escalating number […]

The post The call for invariant-driven development appeared first on Security Boulevard.

Sonar achieves SOC 2 Type II compliance, reflecting its dedication to protecting customer data and ensuring the integrity of its operations now and in the future.

The post Sonar Earns SOC 2 Type II Compliance appeared first on Security Boulevard.

Organizations need to embrace the transformative powers of AI but do so with a vigilant eye toward the data security and privacy challenges it presents.

The post Navigating Security Challenges in the Age of Data Complexity  appeared first on Security Boulevard.

NEW! In Cloud Monitor: Policy Enhancements We’re thrilled to introduce our latest Cloud Monitor policy updates! We designed these enhancements to make it easier than ever for administrators to keep students safe and secure in the classroom. With smarter alerting and automation, identifying and addressing violations now takes less manual effort, allowing you to stay ...

The post Product Update | Cloud Monitor + Content Filter appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.

The post Product Update | Cloud Monitor + Content Filter appeared first on Security Boulevard.

With "Operation Phobos Aetor," international law enforcement, including the US DOJ and Europol, arrest four Russian nationals and seize infrastructure connected to the 8Bbase ransomware group, the largest affiliate of the prolific Phobos RaaS operation.

The post Authorities Seize 8Base Ransomware Infrastructure, Arrest Four Russians appeared first on Security Boulevard.

Nick Kakolowski, senior research director for IANS, dives into a survey done in conjunction with Artico Search on the current state of the CISO. At its core, the study highlights how CISOs are facing an unprecedented expansion of responsibilities, with some thriving under the added scope and others struggling with burnout. Kakolowski explains that CISOs..

The post The Current State of the CISO with Nick Kakolowski appeared first on Security Boulevard.

Enhancing IAM Security with AI Agents: A Strategic Approach by SecureFLO Enhancing IAM Security with AI Agents: A Strategic Approach by SecureFLO As cyber threats continue to evolve, Identity and Access Management (IAM) is no longer just about authentication—it’s about intelligent, adaptive security. AI-driven IAM solutions are reshaping how organizations manage identities, permissions, and security […]

The post Enhancing IAM Security with AI Agents: A Strategic Approach by SecureFLO appeared first on Cyber security services provider, data privacy consultant | Secureflo.

The post Enhancing IAM Security with AI Agents: A Strategic Approach by SecureFLO appeared first on Security Boulevard.

Adam Khan, vice president of global security operations for Barracuda Networks, explains what makes securing schools, such as universities, so much more difficult than the average enterprise IT environment.  Unlike traditional enterprises, schools operate on limited budgets, often relying on outdated infrastructure while managing vast amounts of sensitive student, financial, and research data—making them prime..

The post Adam Khan on the Unique Security Challenges in Education IT appeared first on Security Boulevard.

1. 3Critical
2. 52Important
3. 0Moderate
4. 0Low

Microsoft addresses 55 CVEs with three rated critical and four zero-day vulnerabilities, including two that were exploited in the wild.

Microsoft patched 55 CVEs in its February 2025 Patch Tuesday release, with three rated critical and 52 rated as important. Our counts omitted one vulnerability reported by HackerOne.

This month’s update includes patches for:

• Active Directory Domain Services
• Azure Active Directory
• Azure Firmware
• Azure Network Watcher
• Microsoft AutoUpdate (MAU)
• Microsoft Digest Authentication
• Microsoft High Performance Compute Pack (HPC) Linux Node Agent
• Microsoft Office
• Microsoft Office Excel
• Microsoft Office SharePoint
• Microsoft PC Manager
• Microsoft Streaming Service
• Microsoft Surface
• Microsoft Windows
• Outlook for Android
• Visual Studio
• Visual Studio Code
• Windows Ancillary Function Driver for WinSock
• Windows CoreMessaging
• Windows DHCP Client
• Windows DHCP Server
• Windows DWM Core Library
• Windows Disk Cleanup Tool
• Windows Installer
• Windows Internet Connection Sharing (ICS)
• Windows Kerberos
• Windows Kernel
• Windows LDAP - Lightweight Directory Access Protocol
• Windows Message Queuing
• Windows NTLM
• Windows Remote Desktop Services
• Windows Resilient File System (ReFS) Deduplication Service
• Windows Routing and Remote Access Service (RRAS)
• Windows Setup Files Cleanup
• Windows Storage
• Windows Telephony Server
• Windows Telephony Service
• Windows Update Stack
• Windows Win32 Kernel Subsystem

Remote code execution (RCE) vulnerabilities accounted for 38.2% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 34.5%.

Important CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

CVE-2025-21418 is an EoP vulnerability in the Ancillary Function Driver for WinSock for Microsoft Windows. It was assigned a CVSSv3 score of 7.8 and is rated important. A local, authenticated attacker could exploit this vulnerability to elevate to SYSTEM level privileges.

Microsoft notes this vulnerability was exploited in the wild as a zero-day. At the time this blog post was published, there was no other information about this exploitation.

Since 2022, there have been nine Ancillary Function Driver for WinSock EoP vulnerabilities patched across Patch Tuesday releases, including three in 2022, three in 2023, and three in 2024, including one that was exploited in the wild as a zero-day (CVE-2024-38193) by the North Korean APT known as the Lazarus Group to implant the FudModule rootkit.

Important CVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability

CVE-2025-21391 is an EoP vulnerability in Windows Storage. It was assigned a CVSSv3 score of 7.1 and is rated important. A local, authenticated attacker could exploit this vulnerability to delete files from a system. According to Microsoft, this vulnerability does not disclose confidential information to an attacker, rather, it only provides them with the capability to delete data, which may include data that could result in service disruption.

Microsoft notes this vulnerability was exploited in the wild as a zero-day. At the time this blog post was published, there was no other information about this exploitation.

Since 2022, there have been seven Windows Storage EoP vulnerabilities patched across Patch Tuesday releases, including two in 2022, one in 2023 and four in 2024. However, this is the first Windows Storage EoP vulnerability exploited in the wild.

Important CVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability

CVE-2025-21194 is a security feature bypass vulnerability affecting Microsoft Surface. This vulnerability was assigned a CVSSv3 score of 7.1 and was publicly disclosed prior to a patch being available from Microsoft. According to the advisory, exploitation requires multiple steps, including an attacker successfully gaining access to the same network as the device. Additionally, exploitation requires the attacker to convince the user to reboot their device. With multiple requirements for exploitation, this flaw was assessed as “Exploitation Less Likely” according to Microsoft’s Exploitability Index.

Important CVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability

CVE-2025-21377 is a New Technology LAN Manager (NTLM) Hash disclosure spoofing vulnerability that was publicly disclosed prior to a patch being made available. Despite the medium severity CVSSv3 score of 6.5, Microsoft assesses this vulnerability as “Exploitation More Likely.” Successful exploitation requires an attacker to convince a user to interact with a malicious file, such as inspecting the file or “performing an action other than opening or executing the file.” Exploitation would allow an attacker to obtain a user's NTLMv2 hash, which could then be used to authenticate as that user.

Microsoft’s advisory also notes that users that only install “Security Only” updates will also need to install Internet Explorer (IE) Cumulative updates in order to be fully protected against this vulnerability.

Critical CVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

CVE-2025-21376 is a critical RCE vulnerability affecting Windows Lightweight Directory Access Protocol (LDAP). This vulnerability was assigned a CVSSv3 score of 8.1, rated as critical and assessed as “Exploitation More Likely" according to Microsoft. Successful exploitation requires winning a race condition via a specially crafted request necessary to exploit a buffer overflow. If successful, the attacker could achieve RCE on an affected host.

This is the first LDAP RCE in 2025, with three having been patched in the December 2024 Patch Tuesday release, each of which were also rated as critical.

Important CVE-2025-21400 | Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2025-21400 is a RCE vulnerability affecting Microsoft SharePoint Server. This vulnerability was assigned a CVSSv3 score of 8.0 and rated as important. Successful exploitation would grant an attacker the ability to execute arbitrary code. Exploitation requires an attacker to coerce the victim machine to first connect to a malicious server. This vulnerability was credited to cjm00n of Cyber Kunlun Lab and Zhiniang Peng.

Important CVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 | Windows Core Messaging Elevation of Privileges Vulnerability

CVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 are EoP vulnerabilities affecting Windows Core Messaging. Two of the three vulnerabilities were assigned CVSSv3 scores of 7.0, while CVE-2025-21358 was assigned a CVSSv3 score of 7.8. Exploitation of these flaws could allow an attacker to elevate their privileges to SYSTEM.

According to Microsoft, exploitation for CVE-2025-21184 and CVE-2025-21414 requires an attacker to gather information about the target as well as take additional measures to prepare a target for exploitation. Despite the differing requirements necessary for exploitation, Microsoft assesses all three of these vulnerabilities as “Exploitation More Likely.”

Tenable Solutions

A list of all the plugins released for Microsoft’s February 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

• Microsoft's February 2025 Security Updates
• Tenable plugins for Microsoft February 2025 Patch Tuesday Security Updates

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The post Microsoft’s February 2025 Patch Tuesday Addresses 55 CVEs (CVE-2025-21418, CVE-2025-21391) appeared first on Security Boulevard.

1 in 10 Fortune 500 employees had their credentials exposed. Each compromised account was found an average of 5.7 times.

The post Fortune 500 Employees’ Credentials Under Siege appeared first on Security Boulevard.

via the respected Software Engineering expertise of Mikkel Noe-Nygaard and the lauded Software Engineering / Enterprise Agile Coaching work of Luxshan Ratnaravi at Comic Agilé!

Permalink

The post Comic Agilé – Luxshan Ratnaravi, Mikkel Noe-Nygaard – #325 – Fixing the Bug appeared first on Security Boulevard.

Transform your network monitoring capabilities with the powerful combination of Arista Networks' advanced telemetry and Splunk's powerful analytics platform. This comprehensive guide will walk you through establishing a robust integration between these industry-leading solutions, enabling sophisticated network visibility and analytics. Prerequisites Ensure you have the following components ready:  Arista switch administrative credentials  CLI access to the Arista [...]

The post The Field Engineer’s Handbook: Configuring an Arista Networks Switch with Splunk appeared first on Hurricane Labs.

The post The Field Engineer’s Handbook: Configuring an Arista Networks Switch with Splunk appeared first on Security Boulevard.