CISA’s Executive Guidance: Implementing SIEM and SOAR Platforms

Cyber threats are more frequent, complex, and damaging than ever. To maintain trust and ensure operational continuity, organizational leaders must take proactive steps to detect and respond to these threats. Two technologies increasingly at the heart of modern cybersecurity strategies are Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms.

This blog offers an overview of the executive-level insights into what these platforms do, their value, and key considerations for implementing them effectively. Please download the PDF for CISA’s full guidance.


Understanding the Value of SIEM and SOAR

At their core, SIEM and SOAR platforms improve visibility and response—two pillars of an effective cybersecurity strategy.

SIEM platforms collect and centralize log data from various systems across an organization. By analyzing this data in real time, SIEMs detect suspicious activity and generate alerts to security teams. This capability supports compliance requirements and provides a clearer picture of what’s happening in your environment.

SOAR platforms take things a step further by automating certain responses to those alerts. Using predefined workflows, or “playbooks,” SOAR tools can isolate compromised devices, trigger alerts, or begin remediation processes automatically. This reduces response time and allows security teams to focus on more complex threats.

Together, SIEM and SOAR platforms help organizations:

  • Enhance detection of cyber incidents
  • Shorten response time to active threats
  • Improve operational efficiency through automation
  • Align with frameworks like the Essential Eight and CISA’s Cybersecurity Performance Goals

However, these benefits depend on thoughtful, well-managed implementation.


How SIEM and SOAR Work

A single organization can generate vast amounts of data from endpoints, cloud services, and internal systems. SIEMs act as a central hub, gathering and analyzing this data to identify anomalies—such as unauthorized access attempts or unusual behavior patterns.

If a SIEM identifies potential malicious activity, it raises an alert. The SOAR platform can then respond using automation. For example, it might block a suspicious IP address or disable a compromised user account, based on a set of predefined rules.

Importantly, SOAR doesn’t replace human analysts—it empowers them by handling repetitive tasks and accelerating the overall response process.


Challenges Executives Should Understand

While SIEM and SOAR tools are powerful, they are not turnkey solutions. Two primary challenges stand out:

  1. Configuring Accurate Alerts
    Security teams must identify the right types of data and apply precise rules. If not tuned properly, SIEMs can flood teams with false positives—or worse, miss real threats altogether.
  2. Avoiding Automation Errors
    If a SOAR tool acts on false information, it could disrupt legitimate business operations. Careful configuration and testing are essential to avoid unintended consequences.

These platforms also require ongoing oversight, skilled personnel, and regular updates to adapt to evolving threats.
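The two challenges above are easier to see in working code than in prose. The following Python sketch is an added illustration, not part of CISA's guidance or this post: a SIEM-style correlation rule (repeated authentication failures from one source, escalated if a success follows) run over constructed sshd-style log lines, feeding a SOAR-style playbook that guards against automation errors with an allowlist for hosts that legitimately fail often and a dry-run mode for validating the playbook before it acts. The log format, addresses, threshold, window and action names are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). 203.0.113.5 is an RFC 5737
# documentation address standing in for an external source; 10.0.0.x is the LAN.
SAMPLE_LOG = """\
2025-06-01T08:00:01Z sshd auth=failure user=alice src=203.0.113.5
2025-06-01T08:00:03Z sshd auth=failure user=alice src=203.0.113.5
2025-06-01T08:00:05Z sshd auth=failure user=alice src=203.0.113.5
2025-06-01T08:00:07Z sshd auth=failure user=alice src=203.0.113.5
2025-06-01T08:00:09Z sshd auth=failure user=alice src=203.0.113.5
2025-06-01T08:00:12Z sshd auth=success user=alice src=203.0.113.5
2025-06-01T08:05:00Z sshd auth=failure user=bob src=10.0.0.7
2025-06-01T08:05:04Z sshd auth=success user=bob src=10.0.0.7
2025-06-01T09:00:00Z sshd auth=failure user=svc-backup src=10.0.0.2
2025-06-01T09:00:01Z sshd auth=failure user=svc-backup src=10.0.0.2
2025-06-01T09:00:02Z sshd auth=failure user=svc-backup src=10.0.0.2
2025-06-01T09:00:03Z sshd auth=failure user=svc-backup src=10.0.0.2
2025-06-01T09:00:04Z sshd auth=failure user=svc-backup src=10.0.0.2
2025-06-01T09:00:05Z sshd auth=failure user=svc-backup src=10.0.0.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd auth=(?P<result>failure|success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed: the backup server retries with stale credentials and is known to
# generate failures. Auto-blocking it is exactly the automation error the
# guidance warns about, so its alerts are routed to an analyst instead.
ALLOWLIST = {"10.0.0.2"}


def parse_events(text):
    """Normalize raw lines into dicts with a parsed timestamp (the SIEM 'collect' step)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production SIEM would count unparsed lines as a data-quality signal
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """SIEM-style correlation rule, one alert per (source, user).

    Fires when >= threshold failures occur within `window`; severity is 'high'
    if a success from the same source for the same user lands inside that
    window (possible account compromise), otherwise 'medium'.
    """
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["src"], ev["user"])].append(ev)

    alerts = []
    for (src, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failure"]
        for i in range(len(failures) - threshold + 1):
            first = failures[i]["ts"]
            if failures[i + threshold - 1]["ts"] - first > window:
                continue
            end = first + window
            success = any(e["result"] == "success" and first <= e["ts"] <= end for e in evs)
            alerts.append({
                "src": src,
                "user": user,
                "severity": "high" if success else "medium",
                "failures": sum(1 for e in failures if first <= e["ts"] <= end),
            })
            break  # suppress repeats for this key; tuning this is part of 'accurate alerts'
    return alerts


def run_playbook(alerts, dry_run=True):
    """SOAR-style playbook. Returns the decision for each alert.

    With dry_run=True nothing is executed; the planned actions are returned so
    the playbook can be replayed against historical alerts before going live.
    """
    decisions = []
    for a in alerts:
        if a["src"] in ALLOWLIST:
            actions, reason = ["create_ticket"], "allowlisted source; analyst review instead of auto-block"
        elif a["severity"] == "high":
            actions, reason = ["block_ip", "disable_account", "notify_analyst"], "high severity"
        else:
            actions, reason = ["notify_analyst"], "medium severity"
        decisions.append({"src": a["src"], "user": a["user"], "actions": actions,
                          "reason": reason, "executed": not dry_run})
        if not dry_run:
            for act in actions:
                print(f"[exec] {act} src={a['src']} user={a['user']}")  # hypothetical connector call
    return decisions


if __name__ == "__main__":
    for d in run_playbook(detect_brute_force(parse_events(SAMPLE_LOG)), dry_run=True):
        print(d)
```

Replaying the playbook in dry-run mode over the constructed log shows the point of the allowlist: the external source that eventually succeeds against `alice` is queued for blocking and account disablement, while the backup server's six failures become a ticket rather than an outage.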


Strategic Implementation Recommendations

1. Assess In-House vs. Outsourced Capabilities

Managing SIEM/SOAR in-house offers more visibility and control but demands significant expertise and staffing. Outsourcing can help fill gaps but requires careful vetting of providers for trustworthiness, data handling practices, and service quality.

2. Be Mindful of Pricing Models

Many SIEMs are priced based on how much data they ingest. Costs can escalate quickly if data volume isn’t managed carefully. Understand pricing structures and monitor ingestion levels to avoid hidden expenses.

3. Invest in Ongoing Training

Technology alone isn’t enough. Cybersecurity teams must be continuously trained to tune, operate, and evolve these platforms effectively.

4. Start with SIEM, Then Layer on SOAR

It’s generally best to establish a well-functioning SIEM before introducing SOAR. Automating a flawed detection process can create more problems than it solves.

5. Regularly Test Platform Effectiveness

As networks and threats evolve, performance must be tested regularly. Consider internal exercises and external penetration testing to ensure platforms perform as intended.


Final Thoughts

SIEM and SOAR platforms can significantly enhance your organization’s cybersecurity readiness. But their success hinges on strategic planning, skilled execution, and continuous improvement. With the right approach, these tools can become a powerful foundation for detecting and responding to the threats that matter most.

Blackswan CEO, Dr. Mike Saylor, to Present at 2025 TETL (Texas Education Leaders Technology Conference)


🚨 Speaker Spotlight at #TETL2025! 🚨

We’re excited to announce that Dr. Mike Saylor, CEO of Blackswan Cybersecurity, will be presenting at the TETL 2025 Summer Conference — celebrating 20 years of empowering K12 technology leaders! 🎉

🧠 Session Topic: Cybersecurity Technology Optimization
📅 Date: Wednesday, June 25
Time: 2:30 PM
📍 Location: Waterway 6

Join Dr. Saylor as he shares practical strategies for optimizing cybersecurity investments to strengthen and safeguard K12 learning environments.

🎟️ Registration Info: https://www.tetl.org/cpages/summer-conference
TETL Members – $249
Non-Members – $299
Additional Sponsors – $349

Don’t miss this chance to connect, grow, and lead at one of the most important events for Texas K12 tech leaders.

Critical Infrastructure at Risk: Why State and Local Governments Need Proactive Cyber Defense Now

State and local governments are under siege from a rising tide of cyber threats. From ransomware and supply chain compromises to attacks on social services systems and K12 District networks, the public sector has become a prime target for nation-state actors and financially motivated threat groups. As stewards of our most vital systems—public safety, education, water, energy, and healthcare—state and local entities carry the enormous responsibility of defending both infrastructure and public trust.

A new report by the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) underscores the urgency. Titled “Strengthening Critical Infrastructure: State, Local, Tribal & Territorial Progress & Priorities, Volume 1,” the report paints a sobering picture: much of the U.S. critical infrastructure is managed at the state and local level, and disruptions—from the classroom to the clinic to the courthouse—can have cascading effects.

SLTT (State, Local, Tribal, and Territorial) critical infrastructure underpins nearly every aspect of daily life. Cyberattacks on these services—whether they disrupt food assistance platforms like RIBridges in Rhode Island or exploit vulnerabilities in rural K12 Districts—can leave communities reeling. According to the report, these threats are not just technical—they’re strategic, designed to erode trust in public institutions.

A Call for National-Scale Collaboration

The report calls for increased support and coordination between public entities and cybersecurity providers, pointing to successful initiatives such as shared services, regional security operations centers (SOCs), and round-the-clock monitoring led by partners like MS-ISAC. These programs offer centralized threat intelligence, peer collaboration, and real-time incident response—all of which are crucial in defending against highly coordinated threat actors.

Terry Loftus, Chair of the MS-ISAC Executive Committee, noted, “The strategies and priorities outlined in this report are more than a blueprint for safeguarding our communities—they are a call to action for every level of government to stand together against the threats that challenge our way of life.”

Among the top priorities: bolstering cyber resilience, strengthening small and rural communities, investing in skilled personnel, and building trust through transparent communication. These align closely with the needs of education systems and credit unions, which often operate with limited cybersecurity resources despite handling sensitive personal and financial data.

Blackswan Cybersecurity: A Trusted Ally for the Public Sector

At Blackswan Cybersecurity, we specialize in helping SLTT entities—from city governments and school districts to community credit unions—navigate this evolving threat landscape. Through our 24/7 Cyber Fusion Center, vCISO services, and industry-leading Open XDR technology, we provide tailored, right-sized protection for organizations that can’t afford to leave gaps in their defense.

Our work is grounded in decades of experience supporting critical infrastructure and public sector institutions. We understand the constraints facing IT teams in the field and partner closely with stakeholders to turn reactive environments into resilient ones.

Whether you’re a district IT director, a CIO at a county agency, or a board member at a local financial institution, the takeaway is clear: the time to act is now. Cyber threats aren’t slowing down, and your constituents depend on your ability to respond.


Want to learn how we can help? Connect with us to explore customized cybersecurity solutions that support your mission—and protect your community.

References:

  • https://www.cybersecuritydive.com/news/critical-infrastructure-state-local-cyber/741273/
  • https://www.cisecurity.org/about-us/media/press-release/new-report-highlights-critical-infrastructure-threats-and-the-role-of-state-and-local-government-organizations-in-national-security

Ransomware Attacks Are Evolving—Is Your Organization Resilient Enough to Respond?

At Blackswan Cybersecurity, we’ve seen firsthand how ransomware has transformed—from noisy, opportunistic malware into coordinated, multi-stage attacks that strike fast and cause deep disruption. And while some organizations are getting better at preparing for these threats, the reality is still sobering: ransomware remains one of the most damaging and persistent threats to modern businesses.

Recent industry research confirms what we’ve long known—ransomware isn’t going away. In fact, while the percentage of organizations hit by ransomware dropped slightly from 75% to 69%, a staggering number are still falling victim. And when those attacks hit, the ability to bounce back remains limited. Only 1 in 10 organizations recovered more than 90% of their data, while over half recovered less than 50%.

This isn’t just a technical problem—it’s an operational and reputational one. And as a 24/7 Cyber Fusion Center with deep expertise across verticals, Blackswan Cybersecurity helps our clients close that gap with right-sized, proactive defense strategies that go beyond alerts and automation. We partner with your team to build lasting resilience, ensuring you’re prepared not just to detect and contain threats, but to recover from them—fast.


Exfiltration-Only and Double Extortion Attacks Are on the Rise

One of the most concerning trends we’ve observed in the field is the shift toward data exfiltration-only attacks. Instead of locking down systems, attackers quietly steal sensitive data—patient information, student records, intellectual property—and use it as ransom leverage. In many cases, this is paired with double extortion, where encryption and data leaks are both used to coerce payment.

Making matters worse, attackers are moving faster than ever. The dwell time—how long they remain in your network before striking—has dropped from weeks to just hours. Without round-the-clock detection and response, many organizations don’t even realize they’ve been breached until the ransom note arrives.

Blackswan’s Texas-based, always-on Cyber Fusion Center monitors for these threats in real time. Our advanced multi-signal MDR and Open XDR platform reduces attacker dwell time and accelerates containment—often within minutes, not hours or days.


The Landscape is Shifting: Ransom Payments Are Down, But the Stakes Are Higher

Interestingly, the overall value of ransom payments fell in 2024. Roughly 36% of victims chose not to pay, and among those that did, the majority paid far less than originally demanded. Why? Because organizations are learning that attackers can’t be trusted to keep their word—and are instead investing in robust, independent recovery strategies.

This shift is being reinforced by new legal and regulatory frameworks that discourage ransom payments. At the same time, entities like the International Counter Ransomware Initiative are encouraging organizations to boost their defenses, not their payouts.

At Blackswan, we support that philosophy 100%. Our vCISO and incident response services help clients build robust recovery playbooks, implement immutable backups, and maintain business continuity without ever having to negotiate with criminals.


Recovery Starts with Resilience

Organizations that emphasize proactive data resilience are recovering from ransomware attacks up to 7x faster than their peers. What separates them? A strategic mix of:

  • Frequent and verified backups
  • Immutable backup storage
  • Clear incident response protocols
  • 24/7 threat detection and containment
  • Executive alignment across IT, security, and leadership

Unfortunately, many organizations overestimate their preparedness. While 98% claim to have a ransomware response plan, fewer than half include crucial components like backup frequency or defined chains of command. Confidence plummets after an attack—especially among CIOs, whose perceived readiness often drops by 30%.

That’s where Blackswan comes in. Our vCISO advisory program works hand-in-hand with your team to build cyber resilience from the ground up—establishing baselines, identifying blind spots, and ensuring technical, operational, and strategic alignment before a crisis strikes.


Partner with Blackswan to Build a Stronger, Safer Future

At Blackswan Cybersecurity, we believe prevention, detection, and recovery must be seamlessly integrated. Our Cyber Fusion Center delivers enterprise-grade protection to organizations of all sizes—without the bloat or complexity of traditional vendors.

Ransomware isn’t going away. But with Blackswan at your side, neither is your peace of mind.

→ Ready to build your ransomware resilience?
Schedule a 15-minute discovery call and learn how our 24/7 Cyber Fusion Center and vCISO services can right-size your cybersecurity program.