31Wedge

Source: Why you should purple team your SOC | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4083612/the-soc-parachute-needs-more-than-packing-it-needs-practice.html

ONE SENTENCE SUMMARY:

Purple teaming should shift from a one-time exercise to a continuous, collaborative discipline enhancing SOC effectiveness through simplicity and learning.

MAIN POINTS:

1. SOCs often fail due to being overloaded, reactive, and disconnected from actual breach methods.
2. Purple teaming is typically treated as a one-off exercise instead of a continuous discipline.
3. Purple teams should facilitate collaboration between red and blue teams for continual improvement.
4. A single engagement creates false confidence without building real capability.
5. Regular practice, similar to aviation, is key for maintaining SOC proficiency.
6. Collaborative, not adversarial, approaches in purple teaming are crucial for learning and improvement.
7. Focusing on simplicity enhances SOC defenses, reducing distracting metrics.
8. Teaching the “why” alongside the “what” is essential for effective phishing awareness and SOC training.
9. Effective SOCs operate like projects, with embedded project managers and delegated decision-making.
10. Continuous learning, rather than complex defenses, is vital for SOC uplift and effectiveness.

TAKEAWAYS:

1. Treat purple teaming as an ongoing discipline for SOC readiness.
2. Emphasize collaboration over rivalry in purple teams for effective learning.
3. Simplify metrics to enhance SOC focus and reduce noise.
4. Implement project-based SOC models for better coordination and decision-making.
5. Shift from defensive to inquisitive SOC strategies for continuous improvement.

Source: cisotradecraft.substack.com

Author: CISO Tradecraft

URL: https://cisotradecraft.substack.com/p/warning-your-30-day-patching-sla?utm_medium=web

ONE SENTENCE SUMMARY:

Effective vulnerability management requires transforming processes, aligning incentives, and leveraging automation and AI to rapidly reduce patching times.

MAIN POINTS:

1. The 99% security achievement often overlooks significant patching backlogs and outdated systems.
2. CVE publication has doubled from 2020, increasing patching workload and exposing staff shortages.
3. AI accelerates vulnerability exploitation, making old 30-day patching timelines obsolete.
4. CISO must enforce full-stack awareness and align executive compensation with patching metrics.
5. Shift from single vulnerability patching to end-to-end process optimization using lean principles.
6. Quantify and address process inefficiencies by focusing on critical steps for rapid improvement.
7. Use attack graphs over CVSS scores to prioritize vulnerability management effectively.
8. Enforce zero-tolerance quality gates in source code pipelines for robust security.
9. Deploy layered defenses and complex defense stacks to provide crucial security buffers.
10. Leverage AI tools for rapid remediation to minimize developer effort and accelerate patching.

TAKEAWAYS:

1. Aligning incentives such as bonuses with patching performance can drive significant organizational change.
2. Process optimization and strategic automation are crucial for reducing patching times.
3. Integrated security measures within code pipelines can prevent vulnerabilities effectively.
4. Layered defenses and AI-powered remediation tools are essential for rapid vulnerability management.
5. Comprehensive understanding and management of the full technology stack is critical for effective security.

Source: Rivial Security Blog

Author: Lucas Hathaway

URL: https://www.rivialsecurity.com/blog/hipaa-cybersecurity-requirements-guide-2026-rivial-security

ONE SENTENCE SUMMARY:

The 2026 HIPAA update enhances cybersecurity by emphasizing risk analysis, continuous monitoring, and proactive breach prevention in healthcare.

MAIN POINTS:

1. HIPAA’s 2026 update strengthens cybersecurity expectations on risk analysis, vulnerability scanning, and incident response.
2. Organizations must transition from static audits to continuous risk monitoring and mitigation.
3. Access control is crucial, with enforced MFA and least-privilege access as core expectations.
4. HHS anticipates healthcare programs focusing more on resilience than mere compliance.
5. HIPAA’s updated framework aims to prevent breaches rather than just fulfill regulatory requirements.
6. Broad application includes healthcare providers, health plans, insurers, and their affiliates.
7. Current requirements involve administrative, physical, and technical safeguards, including regular risk analyses.
8. Future regulations emphasize a comprehensive technical inventory and continuous risk monitoring.
9. Multifactor authentication and tighter identity management are critical for future compliance.
10. Rivial Data Security offers tools for clear risk assessment, streamlined audits, and efficient compliance management.

TAKEAWAYS:

1. Transition to continuous, proactive cybersecurity measures ahead of HIPAA’s 2026 update.
2. Emphasize access control by maintaining up-to-date technical inventories and implementing MFA.
3. Focus on resilience, not just compliance, to prevent breaches effectively.
4. Future audits require ongoing risk assessments and advanced authentication protocols.
5. Utilize platforms like Rivial for streamlined compliance and efficient security management.

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/cisco-actively-exploited-firewall-flaws-now-abused-for-dos-attacks/

ONE SENTENCE SUMMARY:

Cisco has released updates to address vulnerabilities in ASA and FTD firewalls being exploited in attacks causing reboot loops.

MAIN POINTS:

1. Cisco released security updates on September 25 for vulnerabilities CVE-2025-20362 and CVE-2025-20333.
2. CVE-2025-20362 allows unauthenticated access to restricted URLs.
3. CVE-2025-20333 enables remote code execution on vulnerable devices.
4. Chained vulnerabilities let attackers gain full control over systems.
5. CISA ordered federal agencies to secure or disconnect affected devices within 24 hours.
6. Shadowserver tracks over 34,000 vulnerable ASA and FTD instances online.
7. Vulnerabilities are exploited in denial of service (DoS) attacks.
8. Attackers from the ArcaneDoor campaign are behind these exploits.
9. Cisco fixed another critical vulnerability, CVE-2025-20363, in its IOS and firewall software.
10. New security patches issued for Cisco Contact Center software to address critical flaws.

TAKEAWAYS:

1. Immediate updates are crucial for securing Cisco firewall devices.
2. Vulnerabilities can lead to severe consequences like denial of service attacks.
3. Federal agencies are under strict directives to safeguard network security.
4. Shadowserver’s tracking shows the widespread presence of vulnerable systems.
5. Continued vigilance and patching are vital as new threats emerge.

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/11/hidden-logic-bombs-in-malware-laced.html

ONE SENTENCE SUMMARY:

Nine malicious NuGet packages are designed to sabotage database operations and industrial control systems with time-delayed payloads.

MAIN POINTS:

1. Nine malicious packages were published by “shanhai666” in 2023 and 2024.
2. The packages download payloads triggered on specific future dates, August 2027 and November 2028.
3. Sharp7Extend is the most dangerous, targeting industrial PLCs with dual sabotage mechanisms.
4. Packages were downloaded 9,488 times before being removed from NuGet.
5. Malicious logic activates immediately post-installation, with termination stopping by June 2028.
6. 80% chance of sabotaging write operations between 30-90 minutes after installation.
7. Certain packages, like MCDbRepository, trigger on August 8, 2027, others on November 29, 2028.
8. The attack uses C# extension methods for stealthy code injection.
9. Attack attributed to a possible Chinese origin “shanhai666” based on source code analysis.
10. The staggered trigger dates disguise attacks as random failures, complicating incident response.

TAKEAWAYS:

1. Time-delayed payloads pose significant risks to database and industrial system security.
2. Sharp7Extend’s clever use of immediacy and delay phases enhances its destructiveness.
3. Malicious NuGet packages can easily blend into legitimate software environments.
4. Sophisticated tactics make identifying and mitigating the attack challenging.
5. Ensuring supply chain security requires rigorous verification and monitoring of software dependencies.

Source: Why can’t enterprises get a handle on the cloud misconfiguration problem? | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4083736/why-cant-enterprises-get-a-handle-on-the-cloud-misconfiguration-problem.html

ONE SENTENCE SUMMARY:

Cloud security remains a significant issue with widespread misconfigurations, emphasizing the need for better inbuilt security measures and proactive management.

MAIN POINTS:

1. Cloud configuration errors continue to expose enterprise data despite initial warnings seven years ago.
2. A Qualys report highlights frequent misconfiguration in major cloud platforms, posing significant security risks.
3. 28% of surveyed organizations experienced cloud or SaaS breaches in the past year.
4. Many publicly accessible VMs lack encryption, increasing vulnerability.
5. Proliferation of SaaS tools expands opportunities for configuration mistakes.
6. Default insecure settings by cloud providers contribute to widespread security issues.
7. Inadequate inclusion of cybersecurity teams in decision-making leads to afterthought security.
8. The biggest configuration mistake involves lack of private network communication.
9. Lack of MFA and encryption are major security concerns in cloud environments.
10. Top cybersecurity practices include MFA, private networks, encryption, and continuous scanning.

TAKEAWAYS:

1. Implement multi-factor authentication for all cloud access to prevent account takeovers.
2. Default to private network communication to reduce exposure to public internet risks.
3. Encrypt all sensitive data to protect against unauthorized access.
4. Enforce least-privilege access controls to minimize overprivileged accounts.
5. Use infrastructure as code to manage and audit changes systematically.

Source: BankInfoSecurity.com RSS Syndication

Author: unknown

URL: https://www.bankinfosecurity.com/microsegmentation-just-dream-for-many-teams-a-29951

ONE SENTENCE SUMMARY:

Microsegmentation faces challenges like operational complexity, policy maintenance, and audit issues, making full implementation difficult for many organizations.

MAIN POINTS:

1. Microsegmentation aims to limit hackers’ movement by controlling network traffic between applications.
2. Adoption faces operational complexity, policy drift, and mounting technical debt post-deployment.
3. Automation shifts policy maintenance issues but doesn’t resolve dynamic nature of segmentation policies.
4. IT and security teams experience increased policy changes and prolonged temporary exceptions.
5. Regulatory compliance adds complexity with audit evidence difficult to produce from technical artifacts.
6. Most organizations only partially achieve microsegmentation targets due to legacy systems and constraints.
7. Poor documentation and unknown dependencies challenge segmentation of legacy applications.
8. Vendors focus on intent-based policies and cross-functional team alignment to address deployment challenges.
9. Automation is limited by insufficient inventory data and unclear policy logic ownership.
10. Security architects need to design granular policies and prioritize based on risk.

TAKEAWAYS:

1. Microsegmentation is complicated by evolving application environments and backend system complexities.
2. Regulatory demands necessitate better connections between technical intent and audit requirements.
3. Legacy systems significantly hinder full microsegmentation implementation.
4. Successful implementation requires organizational alignment and cross-department cooperation.
5. Effective policy design requires balancing simplicity and risk prioritization for easier maintenance.

Source: Tenable Blog

Author: Allison Eguchi

URL: https://www.tenable.com/blog/it-uptime-vs-cybersecurity-risk-the-patch-management-paradox

ONE SENTENCE SUMMARY:

Effective patch management requires integrating specialized tools for security and IT, transforming friction into seamless collaboration by preserving each team’s focus.

MAIN POINTS:

1. Patching creates friction between security and IT due to differing priorities.
2. Security focuses on risk reduction, while IT emphasizes uptime and stability.
3. Manual processes and unsuitable tools exacerbate the friction.
4. Ideal solutions offer “collaboration with validation,” integrating both teams’ needs.
5. Tenable Patch Management provides visibility and context for seamless teamwork.
6. Security identifies critical risks using prioritized data like VPR and ACR.
7. IT uses specialized tools to implement patches without disrupting business operations.
8. Integrated platforms enable automated workflows, eliminating manual spreadsheet processes.
9. Closed-loop visibility ensures risk remediation is confirmed through subsequent security scans.
10. Empowering each team with tailored tools creates a secure, stable environment.

TAKEAWAYS:

1. Effective patch management hinges on specialized tools for security and IT.
2. Integrated systems transform friction into productive collaboration.
3. Automated workflows replace manual, error-prone processes.
4. Security and IT maintain their distinct, crucial roles.
5. A unified platform leads to a more secure and stable organization.

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/11/the-evolution-of-soc-operations-how.html

ONE SENTENCE SUMMARY:

Security Operations Centers benefit from integrating exposure management, enhancing alert accuracy and response efficiency against sophisticated threats.

MAIN POINTS:

1. SOCs face alert overload, with many false positives and reactive detection challenges.
2. Lack of context and narrow focus hinder traditional security tools’ effectiveness.
3. Attackers use multiple techniques and exposures, often evading traditional detection.
4. Exposure management platforms provide critical attack surface visibility and intelligence.
5. Integration with existing tools enhances SOC workflows and threat investigations.
6. Exposure intelligence transforms alert triage, investigation, and response precision.
7. Continuous exposure management creates actionable threat intelligence for SOCs.
8. Real-time context aids in understanding potential risks and attack paths.
9. Precise response actions reduce disruption and enhance incident remediation.
10. Future SOC success depends on exposure prevention and tailored threat responses.

TAKEAWAYS:

1. Integrating exposure management increases SOC efficiency and reduces alert fatigue.
2. Enhanced context allows more targeted and effective security responses.
3. Understanding attack paths and exposures improves threat investigation and triage.
4. SOCs benefit from proactive exposure reduction and tailored threat intelligence.
5. Continuous learning from incidents strengthens future security capabilities.

Source: What does aligning security to the business really mean? | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4080670/what-does-aligning-security-to-the-business-really-mean.html

ONE SENTENCE SUMMARY:

Tim Sattler emphasizes the crucial role of aligning security with business strategy to harness AI and other technologies effectively.

MAIN POINTS:

1. Tim Sattler integrates AI for strategic benefits at Jungheinrich AG, highlighting security’s evolving role.
2. Security chiefs like Sattler are increasingly involved in AI conversations, focusing on opportunities beyond risks.
3. Sattler emphasizes understanding both risks and benefits of new technologies like ChatGPT and quantum computing.
4. Alignment between security and business strategies supports organizational goals, innovation, and growth.
5. Research reveals many CISOs are not involved in strategic decisions, showing a need for greater alignment.
6. Effective security-business alignment involves using business metrics to gauge security success.
7. CISOs should adjust strategies based on business objectives, threats, and potential security incidents.
8. Security’s early involvement in company initiatives reduces friction and enhances deployment trust.
9. Successful alignment demonstrates security as a key player in operational support and risk management.
10. Misalignment leads to reactive security measures, increased costs, and operational inefficiencies.

TAKEAWAYS:

1. Aligning security with business strategies enhances both risk management and opportunity identification.
2. CISOs play a pivotal role in integrating security within business initiatives from the outset.
3. Early engagement and understanding business priorities are crucial for effective security practices.
4. Misalignment can result in increased costs and missed strategic opportunities for organizations.
5. Successful security-business alignment significantly contributes to enterprise-wide strategic initiatives.

Source: Heatmaps to Histograms: Field Notes

Author: Tony Martin-Vegue

URL: https://substack.com/home/post/p-174805183

ONE SENTENCE SUMMARY:

This issue explores quantifying unprecedented risks, emphasizing scenario building, risk categorization, and focusing on practical risk analysis.

MAIN POINTS:

1. Scenario-building chapter in the book emphasizes measurable, data-supported risk analysis.
2. The book aims to make quantitative thinking accessible and understandable.
3. Three types of unknown risks: unexperienced, unrealized, and inconceivable.
4. “Unexperienced but Observable” risks can be quantified using external data.
5. “Unrealized but Conceivable” risks require analogical reasoning for potential analysis.
6. “Inconceivable and Unimaginable” risks focus on system resilience over prediction.
7. Use structured expert judgment to quantify unknown risks.
8. Focus on decisions influenced by analysis rather than over-polishing data precision.
9. Risk analysis prioritizes actionable scenarios over remote, impractical ones.
10. The philosophy of practical risk analysis focuses on meaningful, business-relevant scenarios.

TAKEAWAYS:

1. Effective risk analysis combines measurable scenarios with practical reasoning.
2. Unknown risks require different strategies based on their nature.
3. Resilience is crucial when predictions are impossible.
4. Clarifying what type of risk is faced guides effective analysis.
5. The book is designed to simplify complex quantitative concepts for practitioners.

Source: Cyber Security News

Author: Guru Baran

URL: https://cybersecuritynews.com/ghost-spns-and-kerberos-reflection-attack/

ONE SENTENCE SUMMARY:

CVE-2025-58726 exploits ghost SPNs and Kerberos reflection for SYSTEM-level access on Windows SMB servers lacking enforced signing.

MAIN POINTS:

1. Vulnerability CVE-2025-58726 targets Windows SMB servers using ghost SPNs and Kerberos reflection.
2. The flaw affects all Windows versions without enforced SMB signing, impacting default AD configurations.
3. Attackers leverage domain users’ DNS rights to hijack ghost SPNs for unauthorized access.
4. Kerberos reflection exploits unresolved SPNs, bypassing credential requirements for SYSTEM-level access.
5. The attack circumvents prior mitigations like CVE-2025-33073, highlighting Kerberos’ reflection susceptibilities.
6. Microsoft targets the srv2.sys driver for patching, focusing on SPN validity and connection source verification.
7. Mitigation includes enforcing SMB signing, auditing SPNs, and restricting DNS write access.
8. Network traces using Wireshark or ETW can monitor suspicious Kerberos TGS-REQ activities.
9. October 14 patch emphasizes Active Directory hygiene to combat ghost SPN issues.
10. Successful mitigation involves integrating current and evolving Kerberos abuse defenses.

TAKEAWAYS:

1. Enforce SMB signing to prevent privilege escalation vulnerabilities.
2. Regularly audit and purge ghost SPNs to improve AD security.
3. Monitor for unusual Kerberos activities to detect potential breaches.
4. Apply patches promptly to address emerging vulnerabilities.
5. Strengthen domain configuration by limiting unnecessary user permissions.

Source: Medium

Author: Stephen Shaffer

URL: https://systemweakness.com/quantifying-swiss-cheese-the-bayesian-way-b2b512472d85

ONE SENTENCE SUMMARY:

The article discusses using EPSS and Bayesian inference to quantify and update exploit likelihood by measuring control effectiveness.

MAIN POINTS:

1. EPSS predicts CVE exploitation likelihood within 30 days with scores from 0 to 1.
2. EPSSg estimates the probability of at least one CVE exploitation on an asset.
3. Swiss Cheese Model represents layers of defense, with each control as probabilistic filters.
4. Bayesian inference helps update beliefs about control effectiveness using SME surveys.
5. Control effectiveness rates determine a control’s success in preventing exploitations.
6. Observations, like firewall logs, refine initial beliefs and tighten confidence intervals.
7. Dynamic models update exploit likelihood as new evidence accumulates.
8. FAIR-CAM provides a framework for understanding control influence on risk.
9. Multiple controls can be modeled successively to refine exploit likelihood estimates.
10. The approach allows for continuous risk assessment and informed decision-making.

TAKEAWAYS:

1. EPSS and EPSSg assess global exploit pressure and asset-specific risk.
2. Bayesian inference allows for evidence-based updates of control effectiveness.
3. Control reliability is represented as probabilities and refined with real-world data.
4. FAIR-CAM principles inform a structured approach to risk quantification.
5. Continuous model updates enhance understanding and strategic vulnerability management.

Source: Cybersecurity management for boards: Metrics that matter | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4081319/cybersecurity-management-for-boards-metrics-that-matter.html

ONE SENTENCE SUMMARY:

Boards need actionable cyber resilience metrics to evaluate financial impact, operational readiness, and strategic risk for effective governance.

MAIN POINTS:

1. Ransomware can significantly disrupt operations without warning.
2. Boards struggle with technical metrics, needing insights into business impact.
3. Resilience-focused metrics improve clarity, alignment with business goals, and regulatory compliance.
4. Financial metrics such as average incident cost and downtime are crucial.
5. Governance indicators include regulatory violations and training completion.
6. Operational metrics should track detection, response times, and system uptime.
7. Strategic metrics assess future readiness, residual risk, and threat landscape.
8. Metrics should drive resilience, not just reflect it.
9. Boards require evidence of effective cyber governance, not involvement.
10. Clear and meaningful metrics empower boards to govern cybersecurity successfully.

TAKEAWAYS:

1. Shift focus from technical metrics to business impact and resilience.
2. Prioritize metrics that align with continuity and financial goals.
3. Use governance indicators to measure cultural and compliance health.
4. Ensure strategic metrics predict and prepare for future cyber challenges.
5. Regularly audit and refine board metrics to expose and address blind spots.

Source: Blog Feed – Center for Internet Security

Author: unknown

URL: https://www.cisecurity.org/insights/blog/how-secure-by-design-helps-developers-build-secure-software

ONE SENTENCE SUMMARY:

Secure by Design provides strategies for embedding security within software development through practical, risk-focused methodologies.

MAIN POINTS:

1. Focuses on integrating security into the software development lifecycle.
2. Offers practical strategies for risk management.
3. Advocates for a risk-based approach to software security.
4. Emphasizes the importance of proactive security planning.
5. Provides guidance on implementing security measures effectively.
6. Aims to enhance overall software protection.
7. Encourages collaboration between development and security teams.
8. Details best practices for secure software design.
9. Supports the creation of resilient software architectures.
10. Highlights the need for continuous security updates.

TAKEAWAYS:

1. Risk management is central to effective software security.
2. Proactive planning helps mitigate potential vulnerabilities.
3. Collaboration between teams strengthens security integration.
4. Continuous updates maintain robust software protection.
5. Secure design practices lead to resilient architectures.

Source: Dark Reading

Author: Sara Peters

URL: https://www.darkreading.com/cyber-risk/beyond-burnout-what-is-cybersecurity-doing-to-us–

ONE SENTENCE SUMMARY:

Cybersecurity professionals face mental health challenges from stress and isolation, leading to burnout, impacting both personal and organizational safety.

MAIN POINTS:

1. Cybersecurity professionals continually experience stress, isolation, and burnout.
2. CISOs often work more than their contracted hours, impacting their health and relationships.
3. Observing cybercrimes deeply affects mental wellbeing, resembling PTSD symptoms.
4. Many infosec roles are misunderstood within organizations, leading to unrealistic expectations.
5. Stress can be exacerbated by workplace culture and lack of proper support.
6. Fear-based security messaging can reduce effectiveness and increase user anxiety.
7. The concept of “psychiatric engineering” poses new threats to stressed security workers.
8. Organizations are encouraged to incorporate mental health support into incident response.
9. Empowering professionals with resources and a sense of mission enhances wellbeing.
10. Understanding attackers as fellow humans can alter perceptions of stress in cybersecurity.

TAKEAWAYS:

1. Enhancing mental health support and recognizing stress risks in cybersecurity is crucial.
2. Balancing cybersecurity duties with personal life requires organizational change and support.
3. Communication and culture changes are key to reducing stress in infosec environments.
4. Tools and strategies for stress management need promoting within cybersecurity teams.
5. Viewing adversaries as human may shift approaches to cybersecurity stress management.