"That Can be Evaded" and the Imperfect Detector
Every detection can be evaded. So what's worse: missing an attack or drowning in noise? The Base-Rate Fallacy shows that false positives are the true limiting factor. The goal isn't to be perfect; it's to be a difficult target. Each layer that forces an adversary to adapt is a win.
Fuzzy Hashing Research: A Paper Highlight with Practitioner's Notes
A new paper questions fuzzy hashing, but real-world data tells a different story. I share practical lessons for reducing false positives and argue that the future of TLSH isn't in alerting, it's in enriching events to create high-fidelity detections.
Maximizing the Value of Indicators of Compromise and Reimagining Their Role in Modern Detection
Have we become so focused on TTPs that we've dismissed the value at the bottom of the pyramid? This post explores what role IOC's have in a modern detection program if any, and what the future may look like for them.
What Does "Visibility" Actually Mean When it comes to Cybersecurity?
In cybersecurity, nobody agrees on what "visibility" means. This post cuts through vendor hype with a practical framework, using a Splunk article's model of telemetry, monitoring, and observability to give your entire team a shared language to build better defenses.
EDR Telemetry Project Criticism Author Response
The author of the EDR Telemetry Project responded, accusing me of spreading misinformation by saying his project was for detection, that it's always only ever been about telemetry.
The problem is, his own words contradict him.
Why the EDR Telemetry Project is Misleading
The EDR Telemetry Project is misleading. Its scoring only defines if telemetry is collected, not if it's actually useable. This post breaks down why the project is flawed in its current state and how some minor tweaks could make it truly valuable.
Software Development Nuggets for Security Analysts Part 2: The Browser
The response to the first article was really positive, and it highlighted something I've seen a lot: many
