Salem Cyber

Where does Salem Cyber get its name? There are a variety of reasons (like our founder's love of Hocus Pocus 🧙♀️) but the name is in part inspired by Winston-Salem, our headquarters, which has its own spooky past. One of the most famous ghost 👻 stories is The Little Red Man: Old Salem’s most famous ghost story begins nearly 250 years ago inside the Single Brothers House, where single men in the Salem community lived. One of those residents was shoemaker Andreas Kremser, a man of slight stature known to be a notorious — and often reckless — prankster. To keep Kremser busy, town leaders often assigned him laborious tasks such as cleaning chimneys and laying bricks. In 1786, he was asked to dig a cellar for an addition to the Single Brothers’ House. Days into the excavation, tragedy struck as the cellar floor beneath Kremser caved in, completely blanketing him in earth. A rescue effort ensued, and he was eventually dug out alive, but he’d die within hours and was buried in God’s Acre. After his passing, unusual phenomena began manifesting within the Single Brothers House. Some claimed to hear a shoemaker’s hammer tapping, while others claimed to have seen a small man in red floating through the hallways. Could this be Kremser? Most believed it was, especially since he was dressed in red the day he passed. Over the years, the brothers began attributing anything odd that happened to Kremser, nicknaming him the Little Red Man. This tradition continues today — as do the reported sightings — as the Single Brothers House now houses the offices for Old Salem Museum & Gardens. Happy Halloween 🎃

DLP is a pressing concern for many of our clients. In this Playbook, we give analysts tools for recognizing Data Exfiltration, a frequently used DLP tactic. For more playbooks and resources, visit our website.

Happy SOC Analyst Appreciation Day! As former cyber analysts, we know the job can be demanding and overwhelming. That's why we put together a series of Alert Triage Playbooks to help analysts tackle common cyber alerts. Check out our website for more!

Last week, the Salem Cyber team traveled to Philly and DC to attend NetDiligence® and speak at LimaCharlie's MSSN CTRL. A big thank you to our partners at Vendetta Cyber Defense for connecting us with so many great people in the Philadelphia cyber community. And thanks to LimaCharlie for hosting such a fantastic event full of amazing speakers!

Microsoft Sentinel is the fastest growing SIEM in the market with 2000% YoY growth. We've seen this growth firsthand with the customers we serve as they find Sentinel an effective yet cost efficient tool. We remain excited to be a Microsoft partner as we grow together! source: Cribl report

Great insights by The Cyber Security Hub™ on the future of AI in cybersecurity. Here are some trends we are excited about: 🤖 AI is moving from assistive to autonomous roles, particularly in data-intensive tasks 👩💻  Human-AI collaboration is emerging as a key model, especially in complex decision-making scenarios 🔁 AI is excelling in speed and pattern recognition, outperforming humans in many routine tasks The cybersecurity industry is moving towards a model where AI handles the bulk of routine, data-intensive tasks (like alert triage), allowing human experts to focus on more strategic and creative cybersecurity tasks.

Interesting new statistics by IBM regarding data breaches: 💲 2.22M - The average cost savings for organizations that used security AI and automation extensively in prevention versus those that didn’t. 💲 4.88M - The global average cost of a data breach in 2024—a 10% increase over last year and the highest total ever. We're excited to continue to see the positive impact of adopting security AI and automation in fighting data breaches!

We're excited to announce that Salem is integrated with Splunk! With this integration, Salem is now able to: 1️⃣ Automatically triage Splunk alerts and notable events 2️⃣ Use Splunk search to add context to alerts 3️⃣ Trigger Splunk actions to automate response actions 4️⃣ Update Enterprise Security incident status and comments Want to see if Salem works with your security tools? 📩 Message us to find out! We offer seamless integrations with top cybersecurity solutions like Splunk.

The Salem team is heading to Black Hat Las Vegas this week! Looking forward to connecting with cybersecurity experts and discussing the latest cyber threats and solutions. If you're there, send us a message and let's connect 📩

This past weekend, we watched Olympic athletes strive to beat their personal best by milliseconds to pull ahead of competitors in swimming 🏊♂️ , run for a try in rugby 🏉 , and sprint down the floor to hit a vault in gymnastics 🤸♀️ . For many Olympians, speed is everything. And while cybersecurity is not an Olympic sport (though maybe it should be), for many cybersecurity practitioners, increasing speed to detect threats is of the upmost importance. However, we have seen that the main metric for calculating speed (Mean-time-to-respond) is often not as accurate as it can be in organizations: 🥇 MTTR isn't being calculated correctly How should it be calculated? The simplest and best answer is MTTR is the time between when an attack occurs and when some action is taken to stop the threat. Unfortunately, that’s often not what’s being reported to cyber leaders. Instead, many MTTRs start the clock when an alert was generated (see point 2), or when the analyst begins their investigation. This is especially common in reporting from an MSSP or MDR. The net effect is that your MTTR looks better than it actually is. This not only misrepresents the effectiveness of your cyber program, but it also robs your organization of opportunities to optimize cyber capability. 🥈  Alerts are late getting to your SOC Alerts take longer than you think to get to your SOC… a lot longer.  Most alerts you rely on to inform your SOC are generated by Boolean logic rules.  These rules are deployed in tools such as an EDR, SIEM, or other specialized cyber monitoring tech.  In an effort by tool vendors to minimize resource utilization, their rules are almost always run on a schedule that looks back over a period of time. It’s not uncommon for rules, especially those aligned to identity-based attacks, to only run once every 24 hours, meaning it could take an average of 12 hours before your SOC is notified of threat activity. 🥉  Alert prioritization is not accurate The most common reason for less-than-optimal MTTR is the time it takes to triage a cyber alert and recognize it represents a real threat. There are many avenues for optimization in SOC processes and analyst training. The one we focus on is prioritization. Are your analysts spending time on the right alerts? Most alert prioritization models are nothing more than outdated hocus-pocus junk. “I look at my crucial and high severity alerts” is a common refrain. But little intelligence goes into setting alert severities. Most often they are an indicator of how rare an event is and less about how likely that particular alert is to represent a threat. AI intelligence and expert systems can help identify what your team needs to run fast on, and what they can ignore.