Tales from the SOC Archives | CyberMaxx
https://www.cybermaxx.com/resources/type/tales-from-the-soc/
Assess, Monitor, and Manage
Feed last built: Fri, 10 Oct 2025 18:20:06 +0000

On Demand Webinar – Tales from the SOC: When Action Speaks Louder Than Alerts
https://www.cybermaxx.com/resources/on-demand-webinar-tales-from-the-soc-when-action-speaks-louder-than-alerts/
Fri, 10 Oct 2025 10:00:05 +0000

Watch the Tales from the SOC webinar, a live storytelling session that pulls back the curtain on the real-time decisions, the choice of action over alerting, and other harrowing tales from our Security Operations Center team. This live 30-minute webinar dives into stories our team has experienced that highlight the power of proactive, real-time response.

Transcript Here

What You’ll Learn

  • What really happens before, during, and after a cyberattack
  • Why alerts alone aren’t enough—and what action truly looks like
  • How our “Big R” response approach drives results
  • The critical role of human insight in an AI-driven world
  • What it takes to stay ahead of evolving threats

Featuring

Erica Smith, Director of Security Operations (Moderator) | Stephanie Camacho, SOC Shift Lead | Ryan Bratton, SOC Auditor

The post On Demand Webinar – Tales from the SOC: When Action Speaks Louder Than Alerts appeared first on CyberMaxx.

Tales from the SOC CISO Perspective: Key Takeaways from A Thumb Drive and a Criminal Investigation
https://www.cybermaxx.com/resources/tales-from-the-soc-ciso-perspective-key-takeaways-from-a-thumb-drive-and-a-criminal-investigation/
Thu, 17 Jul 2025 19:52:49 +0000

When you choose, or feel called, to be a defender, there are certain realities you accept as part of that mission. The constant change, potential sleepless nights, and a sense that you’re constantly under siege. We know and accept these stresses because the good we provide outweighs all of that to us. But there are some realities that we encounter, and that we can act against, that contribute more than any ransomware response could.

USB devices carry more risk, and more kinds of threat, than most people ever consider. It is important that these common, yet potentially dangerous, items are not forgotten in your security program. Regularly monitoring them, not just for connections or uploads to them but for their general activity, is an opportunity that is missed too often. That is the first part of success here: knowing the full picture and the vectors of the threat landscape, then accounting for them in your defense strategy. Going beyond simple awareness, scanning and monitoring for activity from the device are next-step tactics that too often go unknown.

The discovery of illegal activity, specifically activity of this nature here, is a possibility you have to be aware of in the world as a defender. Not every discovery you make fits nicely into standard buckets or procedures, things that can be easily automated, so you can just set it and forget it. No, some items, the nefarious items, require an understanding of the law and handling a sensitive investigation, without compromising the investigation or alerting the perpetrator that they’ve been discovered too soon.

All security programs should have an established working relationship with law enforcement. It requires human contact and human interaction. Not all events are the same, so being able to contact law enforcement, share your intelligence, and then take action as prescribed by them, even if it means not overtly acting right away, requires understanding, coordination, and a moral sense of right and wrong.

It’s easy to sound the alarm as soon as any threat or malicious activity is discovered. But you always need to be able to consider the context and details specific to every single event. All your experiences provide insight, context, and guidance in every new incident that a security practitioner encounters. It requires taking that extra step, sometimes confirming the unthinkable, before acting. You must be aware of all risks, practically at all times. That includes the risks associated with being wrong about an initial analysis. Defenders must possess the wherewithal to confirm what they see, verify its accuracy, and know exactly what action to take next, given the totality of the circumstances.

Our ability to prevent cyber incidents for the companies we protect is very rewarding. It fills you with a sense of purpose, of pride. But being able to act and make an impact on those grander issues, the ones unthinkable, there is no greater sense of purpose than when you get to fulfill that. It takes fortitude and resilience. To see something abhorrent, yet know to act rationally, follow proper steps to allow for the greatest impact. To know when an event needs to be taken out of the usual procedural loop and acted upon with deference and sensitivity.

The post Tales from the SOC CISO Perspective: Key Takeaways from A Thumb Drive and a Criminal Investigation appeared first on CyberMaxx.

Tales from the SOC CISO Perspective: Key Takeaways from A Physical Threat to Cyber Defense
https://www.cybermaxx.com/resources/tales-from-the-soc-ciso-perspective-key-takeaways-from-a-physical-threat-to-cyber-defense/
Tue, 08 Jul 2025 16:06:25 +0000

There is a lot of chatter and noise when it comes to “continuous monitoring” for organizations to consume and then determine how to implement it. Yes, you get a fair amount of intel and data from monitoring the activity within your environment, from cloud apps, to network traffic, to what’s occurring on your endpoints. And even though you can correlate activity that’s there, potentially allowing yourself to see activity that allows you to be proactive, focusing solely on those intel sources creates a myopic view of your organization.

Threats do not exist in a vacuum. A cyber threat can have a direct impact on physical security, and a physical security threat can likewise implicate our cyber security. A strong monitoring program accounts for all potential threat vectors and ingests that information to greatly expand its sources of information. It is not uncommon for cybersecurity teams to become hyper-focused on only the digital threat landscape, forgetting that there is a physical element and a physical world where we all exist.

What’s more, maintaining focus and awareness in both worlds provides for more information to be consumed, corroborated, and hidden connections or new insights to be obtained.

It’s not just your monitoring that needs to be continuous; your response should be continuous too. We often pigeon-hole response into specific circumstances: this is how we “respond” when we see this attack occurring or this incident in progress. But Response truly goes beyond that paradigm. Every bit of information and intelligence that we take in offers us the ability to Respond in some manner. We can strengthen defenses, update settings and configurations, create a period of hyper-focus on an area of our environment, create awareness among our people of what to be on the lookout for, and extrapolate information across the whole of our environment. Acting on new information received to proactively improve our security posture or increase our monitoring focus is part of the whole Response paradigm.

Responding to new intel by cross-referencing it across our environment and reviewing our defenses puts us in a stronger position than we would otherwise be in when the event or incident does occur. It’s the old saying, “failing to plan is planning to fail.” You can’t plan without information, without knowing all the factors that you’re up against and how you want to set yourself up for success.

There are plenty of alerts and “chatter” that we will come across as we gather intel to learn what new threat is out there, or how an existing one is modifying its approach. Simply taking that information and sharing it, or filing it away for awareness, is not a full approach to securing our stacks. We have to act upon that information.

Read the Tales from the SOC eBook.

The post Tales from the SOC CISO Perspective: Key Takeaways from A Physical Threat to Cyber Defense appeared first on CyberMaxx.

Tales from the SOC CISO Perspective: Key Takeaways from Malicious Inbox Rule
https://www.cybermaxx.com/resources/tales-from-the-soc-ciso-perspective-key-takeaways-from-malicious-inbox-rule/
Tue, 24 Jun 2025 15:26:09 +0000

There is immense analytical and deductive value in knowing the tactics, techniques, and procedures (TTPs) of threat actors. These are often tell-tale signs of behavior that are repeated across countless organizations as threat actors carry out their attacks. Many of them are straightforward and well-known to defenders, such as the naming convention they often use for the creation of inbox rules to hide their activity. But the fact that they are often part of a procedure means there is likely a linear progression to the specific actions taken.

The knowledge of that progression allows an analyst to go back through the logs and search for the various activities that are often a prelude to the action that was just noisy enough to draw attention to itself. In a vacuum, viewed as a singular event, it would likely not cause much additional action or review. But to a person with knowledge of TTPs and of how those actions flow, discovery depends less on the immediate flag being thrown and more on the prior events that it likely followed.

The compromise of a single account or system for a threat actor is a win, but the ability to expand that compromise across multiple accounts and/or systems really provides them with a greater foothold in their target environment. We know this to be a preference and one of the first goals they look to accomplish when they’ve gained initial entry into an environment. Once you’ve worked your way back to this point, revoking that access becomes a priority.

That’s a lot of work and a lot of time. The ability to see activity at scale, work backwards through it to look for the inciting events you know likely preceded the point where you are at now, takes you to that moment of initial foothold. When you combine all those capabilities and add in the ability to rapidly respond to not just the one, but any of the accounts that have been compromised, that gets you out of playing whack-a-mole and allows you to take mass action.

A lot of organizations may think to change the password on a compromised account, but that doesn’t necessarily have the desired effect. Knowing how access is maintained once an account authenticates, through what are known as sessions, means you need to go further and revoke any active session associated with that user. It’s the devil-in-the-details kind of knowledge that a SOC can provide, giving you both the breadth and depth of insight into the actions to take.

What’s more, by seeing the TTPs and identifying the action the threat actor is using to spread further across the environment, an organization can take additional preventative steps too: notifying everyone of the malicious email and the malicious file, and pulling it out of any mailbox it may be present in, before the next recipient ever sees it.

This goes beyond the single response to the one identified event, the mailbox rule. Knowledge of context and execution allows you a stronger, broader response, one that increases the likelihood of quelling the attack before it does the worst damage it could.
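As an added illustration of the workflow this essay describes (example code, not CyberMaxx's or the eBook's own), the Python below runs over a handful of constructed audit events in a simplified Microsoft 365 style: it flags inbox rules that look built to hide activity, walks back from each rule to the sign-in that preceded it, pivots on those source IPs to every account they touched, and builds a per-account response that revokes sessions rather than only resetting passwords. The event shape, the hiding-rule heuristics and the thresholds are assumptions, not anything the page specifies.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs), in a simplified
# Microsoft 365 unified-audit-log shape: (timestamp, user, operation, source_ip, details).
EVENTS = [
    ("2025-06-01T08:02:00", "alice@example.test", "UserLoggedIn", "203.0.113.10", {}),
    ("2025-06-01T08:05:30", "alice@example.test", "New-InboxRule", "203.0.113.10",
     {"Name": ".", "MoveToFolder": "RSS Feeds", "SubjectContainsWords": ["invoice", "payment"]}),
    ("2025-06-01T08:20:00", "alice@example.test", "Send", "203.0.113.10", {"RecipientCount": 300}),
    ("2025-06-01T08:45:00", "bob@example.test", "UserLoggedIn", "203.0.113.10", {}),
    ("2025-06-01T08:47:00", "bob@example.test", "New-InboxRule", "203.0.113.10",
     {"Name": "..", "DeleteMessage": True, "SubjectContainsWords": ["password"]}),
    ("2025-06-01T09:00:00", "carol@example.test", "UserLoggedIn", "198.51.100.7", {}),
    ("2025-06-01T09:01:00", "carol@example.test", "New-InboxRule", "198.51.100.7",
     {"Name": "Newsletters", "MoveToFolder": "Reading"}),
]

# Assumed heuristics for the hiding rules the essay refers to: throwaway names,
# silent deletion, diversion to rarely-viewed folders, financial/credential keywords.
SENSITIVE_WORDS = {"invoice", "payment", "password", "wire", "bank"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email", "conversation history"}
LOOKBACK = timedelta(hours=24)      # how far back to look for the preceding sign-in
MASS_MAIL_THRESHOLD = 100           # a send this large is treated as the spreading step


def when(event):
    return datetime.fromisoformat(event[0])


def rule_indicators(details):
    """Return the reasons an inbox-rule definition looks like a hiding rule (empty if none)."""
    reasons = []
    name = details.get("Name", "")
    if len(name) <= 2 or not name.strip(".,;:-_ "):
        reasons.append("short or punctuation-only rule name")
    if details.get("DeleteMessage"):
        reasons.append("silently deletes matching mail")
    if details.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("moves mail to a rarely-viewed folder")
    if SENSITIVE_WORDS & {w.lower() for w in details.get("SubjectContainsWords", [])}:
        reasons.append("filters on financial or credential keywords")
    return reasons


def investigate(events, min_indicators=2):
    """Flag hiding rules, walk back to the sign-in before each one, pivot on the
    source IPs to every account they touched, and build the per-account response."""
    findings, attacker_ips = [], set()
    for ev in events:
        if ev[2] != "New-InboxRule":
            continue
        reasons = rule_indicators(ev[4])
        if len(reasons) < min_indicators:   # one weak signal alone is not enough
            continue
        # The rule is the noisy event; the sign-in that preceded it is the real start.
        prior_logins = [e for e in events if e[1] == ev[1] and e[2] == "UserLoggedIn"
                        and when(ev) - LOOKBACK <= when(e) < when(ev)]
        ips = {ev[3]} | {e[3] for e in prior_logins}
        attacker_ips |= ips
        findings.append({"user": ev[1], "rule": ev[4].get("Name"), "reasons": reasons,
                         "first_seen": min([when(e) for e in prior_logins] + [when(ev)]).isoformat(),
                         "source_ips": sorted(ips)})
    # Pivot: any account seen from the same source IPs is treated as compromised too,
    # so the response is taken for all of them at once instead of one at a time.
    affected = sorted({e[1] for e in events if e[3] in attacker_ips})
    actions = defaultdict(list)
    for user in affected:
        # A password change alone leaves existing sessions valid; revoke them first.
        actions[user] += ["revoke_all_sessions", "reset_password"]
        if any(f["user"] == user for f in findings):
            actions[user].append("remove_inbox_rule")
        if any(e[1] == user and e[2] == "Send"
               and e[4].get("RecipientCount", 0) >= MASS_MAIL_THRESHOLD for e in events):
            actions[user].append("notify_recipients_and_purge_message_from_mailboxes")
    return {"findings": findings, "attacker_ips": sorted(attacker_ips),
            "affected_accounts": affected, "actions": dict(actions)}


if __name__ == "__main__":
    import json
    print(json.dumps(investigate(EVENTS), indent=2))
```

Carol's rule is left alone because a single, ordinary rule name and a normal folder give no indicator; only accounts seen from the attacker's source IPs get the mass response.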

Read the full Tales from the SOC eBook.

The post Tales from the SOC CISO Perspective: Key Takeaways from Malicious Inbox Rule appeared first on CyberMaxx.

Tales from the SOC CISO Perspective: Key Takeaways from One IP Address, Two Organizations Saved
https://www.cybermaxx.com/resources/tales-from-the-soc-ciso-perspective-key-takeaways-from-one-ip-address-two-organizations-saved/
Tue, 17 Jun 2025 15:21:49 +0000

Attackers usually don’t want to be discovered until they’ve reached the point where they want to announce themselves. They want to stay quiet, hoping to go unnoticed in the beginning stages of their attack. This is often achieved by taking small actions, the kind that can easily be dismissed when viewed in isolation. Minor activity that may be somewhat out of the norm, but it’s not happening at a scale or pace that is going to set off any alarm bells. And because they’re doing their best to maintain a sense of stealth, they don’t feel they need to alter tactics or tooling that much when they perform the same initial actions in a different target environment.

Just like we saw with “The Call That Protected Four Clients,” that sense of, “I have a bad feeling about this,” and a scope with which to run down that feeling, creates an opportunity for discovery of a threat that an organization could take far longer to discover when working in isolation. Much like when statisticians talk about the importance and relevance of sample size, a SOC from an MDR can apply discovery to an exponentially larger sample than any one organization could itself.

That provides the opportunity to take advantage of an attacker taking their quietness for granted. It’s about that expanded sample size. It’s one thing to be a singular dot in a small cluster. But to be the same, singular dot in multiple clusters, that becomes noticeable much faster. It’s no longer an anomaly in an environment. Its repetitive nature in multiple environments belies its identification as an anomaly. It reminds me of the saying, “once is happenstance, twice is a coincidence…” But the catch for a security practitioner is that we don’t like coincidence. It’s too neat and clean of an explanation. The presence of a coincidence makes us want to dig deeper and prove it as such.

It’s that element of human curiosity that you can’t truly automate. Sure, once curiosity is piqued, I can automate the analyst’s ability to conduct searches and queries and surface the results, but it’s still that human curiosity that is the catalyst for digging deeper, doing more to ensure that a coincidence is just that.

We hear that attackers are automating a lot, but there’s still a human at their initiation point too, which means they can’t help but act according to their normal behavior. That creates a pattern that is discoverable once you start to look for it. What may seem quiet as a singular one-off becomes a flashing red light when you see it repeated over and over again.

By expanding the sample size and applying that innate doubt about “coincidences,” patterns begin to emerge that tell a more detailed story of activity. That’s where the SOC shines brightly. That’s a capability that I can’t replicate as a standalone organization. It’s a pattern I won’t be aware of until others start reporting it as an “anomaly” too, and by then, it’s almost too late and a compromise has occurred.

Read the Tales from the SOC eBook.

The post Tales from the SOC CISO Perspective: Key Takeaways from One IP Address, Two Organizations Saved appeared first on CyberMaxx.

Tales from the SOC: Considering the Client POV
https://www.cybermaxx.com/resources/tales-from-the-soc-considering-the-client-pov/
Thu, 12 Jun 2025 15:23:27 +0000

We are immersed in Generative AI and Machine Learning, all related to cybersecurity platform enhancements. Then, there is Agentic AI and Augmented Intelligence, associated with cybersecurity investigations. We continue to walk the continuum to Security Orchestration and Automated Response (SOAR), with auto-notify, auto-escalation, auto-ticketing, and the oft-spoken, but seldom actualized, auto-response. Yes … the narrative is seemingly shaped by those cybersecurity providers who’ve spent heavily in building their platforms, with a portal veneer that hypnotically attracts prospective clients, all hoping these same clients never ask the question … “Hey, wait a minute … What do I get out of all this tech?”

Welcome, friend, you’ve broken clear.

CyberMaxx is ever mindful of the simple truth that it’s less about what we do and more about what our clients get. It’s right there in our Security Operations Mission: “Our clients will take confidence in the Security Operations team as the standard for business-enabling security services, delivering innovation and protection against cyber-threats, through a talented team of security professionals.”

And this client-focused mission is purposely fulfilled by our values of Integrity, Trust and Enablement. We stay grounded in the simple truth that we exist to protect our clients. Our tools and technologies are a means to that end. Full Stop.

By this philosophy, we are pleased to introduce our new eBook, where we share some stories in fulfillment of our mission, in service to our clients. These ‘Tales from the SOC’ delve into our efforts to thwart an international ring of threat actors, requiring that we engage with government officials. There’s a story of looking beyond what appeared to be a benign alert that proved to be a reconnaissance effort for a larger attack. Then there’s the case where we pursued a threat to one of our clients, where in the process of a full scope of compromise investigation, we uncovered others who were equally vulnerable.

Ok, I don’t want to give away too much. Take a look, you will find these stories representative of our mission, and by this share in what a privilege it is to be defenders of our clients. You’ll also get the answer to that ever-important question.

Link to eBook

The post Tales from the SOC: Considering the Client POV appeared first on CyberMaxx.

Tales from the SOC CISO Perspective: Key Takeaways from The Call That Protected Four Clients
https://www.cybermaxx.com/resources/tales-from-the-soc-ciso-perspective-key-takeaways-from-the-call-that-protected-four-clients/
Tue, 10 Jun 2025 11:00:43 +0000

One concern that affects many organizations is the sense that they are an island unto themselves in the vast ocean of business. The number of threats and information that is out there can create a sense of being buried. That you’re more than likely to miss something, simply because it’s close to impossible to triage all of that information and account for all the threats, while maintaining normal business operations.

Information sharing groups are great because they provide that information in a bit more targeted forum. I’m in this industry, this threat is being seen by my industry, so it helps with prioritizing. But that’s just the tip of the iceberg too, when it comes to triaging information and working through threat intelligence.

That’s what stands out to me about “The Call that Protected Four Clients.” It is a prime example of getting to the crux and being able to act on information. An organization itself would have to hope that the call that one client made would have been shared within our business community. That’s a lot to expect. Organizations are hesitant to share information because of the view that we are mostly competitors. Sharing a potential weakness feels like we are unnecessarily exposing ourselves to a risk not worthwhile.

But here, we have a company entrusting information to their shared partner protector. The fortunate component is that the partner is a trusted partner to many organizations in the same vertical. That allows them to apply knowledge from one to many, which collectively provides additional security to an exponential number of companies from a threat that they might not be aware of yet themselves.

This is the greatness of strength in numbers. I’m in a position where my focus is on the application of a potentially active threat, as opposed to working through an infinite number of possible threats that may be theoretical at best. My vertical and my organizational size are two factors I need to prioritize parsing out when I triage the threat landscape myself, and here that work is already done when I first hear about the threat.

That puts my organization and me in a position to be proactive in our reactive response. Yes, we’re reacting to the information, but our response is proactive, even if it’s just a little bit, we’re hardening defenses and taking action prior to an active incident in our environment. Preventive measures in a proactive stance allow for more forethought and calm minds to make determinations, since we’re not operating under the intensity of an active incident.

Context and critical thinking, plus that gut feeling, are components I don’t take for granted. There’s always something to be said for them, something to trust, and to lean into. If I can get them from a source of expertise, it allows me to focus on execution, not excavation.

Read the full eBook: Tales from the SOC: Security Success Stories Powered by Proactive Intelligence and Real-Time Response

The post Tales from the SOC CISO Perspective: Key Takeaways from The Call That Protected Four Clients appeared first on CyberMaxx.

CyberMaxx Highlights the Role of Human Judgment in New eBook, Tales from the SOC
https://www.cybermaxx.com/resources/cybermaxx-highlights-the-role-of-human-judgment-in-new-ebook-tales-from-the-soc/
Tue, 03 Jun 2025 11:00:13 +0000

The ebook showcases real-world examples where instincts and human-led responses outpaced AI-driven detection.

Linthicum Heights, MD – June 3, 2025 – CyberMaxx, a leading Managed Detection and Response (MDR) provider, has announced the release of a new eBook titled “Tales from the SOC: Security Success Stories Powered by Proactive Intelligence and Real-Time Response.”

This collection of true stories from CyberMaxx’s Security Operations Center (SOC) gives an in-depth insight into why human instincts and human-led response are still essential in a market driven by automation.

The Importance of Human-AI Balance

“Tales from the SOC” explores the power of CyberMaxx’s signature approach to cybersecurity, known as “Big R.” Unlike the industry-standard “little r” response model, which often ends at passive alerting, Big R focuses on the importance of ethical human judgment. This is essential when investigating, containing, and eradicating threats in real time before they can cause widespread damage.

Behind the Scenes of Frontline Security Stories

The eBook details several high-stakes incidents where CyberMaxx’s SOC team pushed beyond standardized procedures to protect clients from cyber threats. Each instance involved acting on early warning signs before they triggered formal alerts.

Highlights include:

  • One IP address, two organizations saved: How investigating an IP address that repeatedly appeared uncovered a hidden threat that almost went unnoticed.
  • A malicious inbox rule and 300+ shares: How rapid response and forensic investigation contained a fast-moving email threat before it could escalate further.
  • A thumb drive and a criminal investigation: A suspicious device turned into a high-stakes criminal investigation, showing the critical role of human ethics in cybersecurity.

Why Big R Matters

“Tales from the SOC” explains why protecting your organization requires more than throwing money at automated tools and refreshing your business dashboard.

Sometimes, it involves letting an activity play out a little longer to build a clearer picture and better understand the threat. Above all else, it demands human expertise and creativity.

Discover how CyberMaxx stops attacks before alerts are even triggered. Download the full eBook here: Tales from the SOC eBook | CyberMaxx

About CyberMaxx

CyberMaxx provides comprehensive managed detection and response (MDR) services that protect organizations from today’s complex cyber threats. Focusing on proactive security measures, CyberMaxx delivers industry-leading technology combined with expert human oversight, offering robust protection and peace of mind to clients across various industries.

For more information about CyberMaxx’s Modern Managed Detection & Response (MDR), visit www.cybermaxx.com

Press Release on PR Web

Media Contact

John Pinkham
E: jpinkham@cybermaxx.com
M: 781-801-5352

The post CyberMaxx Highlights the Role of Human Judgment in New eBook, Tales from the SOC appeared first on CyberMaxx.
