Security in the cloud

This video was prompted by discussions with someone who was adamant that they would never, never, everrrrr put their logs in the cloud.

I enquired as to why they weren’t open to the option, and their response was that they don’t believe that sensitive information like logs should be in the cloud.

Now that’s all cool and stuff – I mean, everyone has their own risk models. But in the big scheme of things, the company was already using cloud infrastructure and apps for a variety of different things.

I mean, if you’re putting your entire customer management system, and your financials in a cloud app – there aren’t many more valuable things left to protect.

I’m not saying you should or shouldn’t adopt the cloud, or use a particular provider or not. What I do reckon is that we should be a bit more sensible when looking at the wider corporate adoption and all the information contained therein, and adapt the security controls accordingly.

What is AlienVault

It’s coming up on my 3-year anniversary at AlienVault – and after a conversation with a friend, it dawned on me that I don’t think I’ve ever really explained what AlienVault does.

So, when I was in Austin this last week I recruited some of my colleagues to help make this short video to give an overview of the product.

Find out more at
Or follow @AlienVault on twitter (tell them I sent you)


I think I’ve been hacked

Individuals and companies of all sizes often say they ‘think’ they’ve been hacked or breached, or have had some form of unwanted event.

There is usually a lack of conviction in this statement, and in hindsight it’s not easy to validate.

Sure, one could use a service like to retrospectively check, or wait for a service provider to inform them that their data has been compromised – but there are better ways, if one is more proactive in their approach.

Perhaps one of the best features of Gmail is the ability to add a +something tag to your email address, so you can later identify which providers have either been breached or have shared your email address.

For example, if my email is [email protected], then when signing up for BSidesLondon I’ll provide my email address as [email protected].

It’s also worth looking at getting an adblocker (note that not all adblockers are created equal – look for a good one that won’t sell you out in other ways). But basically, the fewer scripts that are allowed to run in your browser, the less tracking there is and the less opportunity anyone has to inject malicious content.

For those that have a bit more patience to validate every connection, get something like LittleSnitch or RadioSilence (or similar – I’m not endorsing these products). Anything that can detect the outbound connections that applications and software on your machine are making will do. It gives you the ability to control and decide which apps can communicate externally and send who knows what data.

Finally, one of my favourite techniques is to use honey tokens. The free ones available at Canarytokens are super easy to use and set up.

Other ways to set up your own honey tokens would be to put false customer records into your CRM. Set this customer’s email to an address that you control. That way, if you ever get emails sent to that particular address, you know that your customer records have been compromised – probably by your most recently-departed sales person.
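The two address-based tricks above (plus-tagged sign-up addresses and a honey-token address planted in a fake CRM record) both come down to the same check: look at who is sending mail to an address that only one party should know. The script below is an added example, not code from the original post, that runs that check over a few constructed mail-log lines. The mailbox, the services, the sender domains, the honey-token address and the log format are all assumptions made up for the illustration.

```javascript
// Added example, not code from the original post. Matches inbound mail against
// plus-tagged sign-up addresses and planted honey-token addresses to work out
// which provider or record leaked. Every address, service and log line here
// is constructed for illustration.

const MAILBOX = "me@example.com"; // the real mailbox (constructed)

// Plus-tags handed out at sign-up, and the sender domain each service legitimately uses.
const SIGNUPS = {
  bsideslondon: { service: "BSidesLondon", senderDomain: "bsideslondon.example" },
  shopdemo: { service: "ShopDemo web store", senderDomain: "shopdemo.example" },
};

// Honey-token addresses placed in fake CRM records; nobody legitimate should ever mail them.
const HONEY_TOKENS = {
  "fake.customer@example.com": "CRM record fake-0001",
};

// Split "local+tag@domain" into its parts; null if it is not an address.
function splitPlusAddress(address) {
  const at = address.lastIndexOf("@");
  if (at < 1) return null;
  const local = address.slice(0, at).toLowerCase();
  const domain = address.slice(at + 1).toLowerCase();
  const plus = local.indexOf("+");
  return plus === -1
    ? { base: local, tag: null, domain }
    : { base: local.slice(0, plus), tag: local.slice(plus + 1), domain };
}

// Parse one constructed MTA-style log line into its fields, or null if it does not match.
const LOG_RE = /^(\S+) from=<([^>]*)> to=<([^>]*)> subject="([^"]*)"$/;
function parseLogLine(line) {
  const m = LOG_RE.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], from: m[2].toLowerCase(), to: m[3].toLowerCase(), subject: m[4] };
}

// Decide what a single message tells us; null means nothing suspicious.
function classifyMessage(msg) {
  const senderDomain = msg.from.split("@")[1] || "";
  if (HONEY_TOKENS[msg.to]) {
    return { level: "high", reason: `honey token hit: ${HONEY_TOKENS[msg.to]} contacted by ${senderDomain}` };
  }
  const parts = splitPlusAddress(msg.to);
  const mine = splitPlusAddress(MAILBOX);
  if (!parts || !mine || parts.base !== mine.base || parts.domain !== mine.domain || !parts.tag) return null;
  const signup = SIGNUPS[parts.tag];
  if (!signup) {
    // Plus-tags can be guessed by anyone, so an unregistered tag is only a weak signal.
    return { level: "low", reason: `unregistered tag "${parts.tag}" used by ${senderDomain}` };
  }
  if (senderDomain === signup.senderDomain) return null; // the provider itself, as expected
  return { level: "medium", reason: `address given only to ${signup.service} now used by ${senderDomain}: breached or shared` };
}

// Run over a whole log and collect findings, keeping the timestamp for triage.
function analyseLog(lines) {
  const findings = [];
  for (const line of lines) {
    const msg = parseLogLine(line);
    if (!msg) continue;
    const verdict = classifyMessage(msg);
    if (verdict) findings.push({ ts: msg.ts, ...verdict });
  }
  return findings;
}

// Constructed sample log lines: one expected sender, one leak of a tagged
// address, one untagged message, one honey-token hit and one guessed tag.
const SAMPLE_LOG = [
  '2018-01-10T09:12:01Z from=<tickets@bsideslondon.example> to=<me+bsideslondon@example.com> subject="Your ticket"',
  '2018-01-11T14:03:22Z from=<deals@bulkmailer.test> to=<me+bsideslondon@example.com> subject="Great offers"',
  '2018-01-12T08:45:10Z from=<newsletter@other.test> to=<me@example.com> subject="Weekly"',
  '2018-01-13T19:20:00Z from=<sales@competitor.test> to=<fake.customer@example.com> subject="Switch to us"',
  '2018-01-14T10:00:00Z from=<x@y.test> to=<me+nevergiven@example.com> subject="hi"',
];

for (const f of analyseLog(SAMPLE_LOG)) {
  console.log(`${f.ts} [${f.level}] ${f.reason}`);
}
```

On the sample log this reports three findings: the tagged address handed only to BSidesLondon turning up from a bulk mailer (medium), the planted CRM address being contacted (high), and a tag that was never issued (low, because plus-tags are trivially guessable). The sender-domain comparison is what turns "I got spam" into "this specific provider leaked or shared my address", which is the point of tagging in the first place.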

While there are many other things one can do to enable quick detection of compromises, I find these some of the easiest and quickest to set up and get running with.

Having an early warning system is good, but it’s only as good as the response. Therefore you should have a plan of action as to what to do if you are notified that someone has accessed your files or compromised your accounts. Mainly this would include changing your passwords, notifying relevant parties, and putting your guard up. But it will depend on what is triggered, by who, and what your personal risk tolerance is.

For small businesses, and even larger corporations, these techniques can still work – however, there are robust enterprise-grade offerings available which are more suited to the task (maybe the Canary hardware device is good for you, or AlienVault USM Anywhere). Still, I wouldn’t be against having a few honey tokens scattered around a corporate network just to see who may be poking their nose around where it doesn’t belong.

19 ways to say “Good job” to your security colleagues

Anytime we discuss security, it’s mainly to talk about the failures. So I’m taking time out today to spread some positivity to all those security folks that have made it through the week without an incident occurring.


Carphone Warehouse fined

After its 2015 breach, the Information Commissioner’s Office (ICO) has released a very thorough report which highlights a number of deficiencies in Carphone Warehouse’s security.

I’ve summed up some of the key points in dramatic fashion.

The report is well worth a read:


It dawned on me that I’ve never written a browser extension before.

And there are words IT Security articles continually overuse that I wish they wouldn’t.

So, I combined both of these and wrote a Chrome extension that changes commonly misused words to something a little more interesting.


– IoT becomes ‘cheap connected garbage’
– Machine learning becomes magic
– gdpr becomes the MacGuffin
– Cyber becomes IT

Full details of the words changed and a link to download the extension are available at
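For anyone curious what a word-swapping extension like this looks like inside, here is an added example of a Chrome content script doing the four swaps listed above. It is my own illustration, not the author’s extension, and the way it is wired up (a `content.js` file referenced from the manifest) is an assumption. The one design point worth noting is that it edits text nodes only and never rebuilds HTML from page text, so a page cannot use the rewrite to smuggle markup or script into itself.

```javascript
// Added example, not the author's extension. A Chrome content script that
// swaps overused words on a page. It edits text nodes only, so it never
// re-parses page HTML and cannot turn page text into markup.

// The swaps the post lists; matching is whole-word and case-insensitive.
const SWAPS = [
  [/\bIoT\b/gi, "cheap connected garbage"],
  [/\bmachine learning\b/gi, "magic"],
  [/\bGDPR\b/gi, "the MacGuffin"],
  [/\bcyber\b/gi, "IT"],
];

// Pure text rewrite, usable without a DOM; this is what the test exercises.
function rewriteText(text) {
  return SWAPS.reduce((out, [re, word]) => out.replace(re, word), text);
}

// Elements whose text must be left alone: code, styles, and anything the user types into.
const SKIP = new Set(["SCRIPT", "STYLE", "TEXTAREA", "INPUT", "CODE", "PRE"]);

// Walk the text nodes under root, rewriting in place; returns how many nodes changed.
function rewriteDocument(root) {
  const doc = root.ownerDocument;
  const walker = doc.createTreeWalker(root, NodeFilter.SHOW_TEXT, {
    acceptNode(node) {
      const parent = node.parentElement;
      if (!parent || SKIP.has(parent.tagName) || parent.isContentEditable) {
        return NodeFilter.FILTER_REJECT;
      }
      return NodeFilter.FILTER_ACCEPT;
    },
  });
  let changed = 0;
  for (let node = walker.nextNode(); node; node = walker.nextNode()) {
    const updated = rewriteText(node.nodeValue);
    if (updated !== node.nodeValue) {
      node.nodeValue = updated; // assigning nodeValue sets text, never markup
      changed++;
    }
  }
  return changed;
}

// Run when loaded as a content script in the browser; under Node there is no
// document, so the pure function is all that executes.
if (typeof document !== "undefined") {
  rewriteDocument(document.body);
}
```

To use it as an extension, the file is listed in the manifest under `content_scripts` with a `matches` pattern for the pages it should run on and `js` pointing at the file. Because the swaps are anchored on word boundaries, a word like “cybersecurity” is left untouched, and because `nodeValue` is assigned rather than `innerHTML`, a replacement string containing `<` would appear as literal text rather than being parsed.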


M&A Mania

2018 has kicked off with a flurry of M&A activity in the infosec space. There have been four that I’m aware of:

Barracuda acquired Phishline
Cyxtera acquired Immunity Inc
Verizon acquired Niddel
Threatcare acquired Savage Security

I wonder how many more deals will be announced between now and RSA. Either way, it looks like it could be a busy year ahead.