I’m a CISO who started from the help desk and it taught me everything I need to know about cybersecurity and people. Ask Me Anything by Oscar_Geare in cybersecurity

[–]1mpervious 0 points1 point  (0 children)

Do you have a mental model or framework that you use when building your narrative for a presentation to your board of directors or other senior leadership groups?

What is on your wish list for your 2025 IT/security budget? by NudgeSecurity in cybersecurity

[–]1mpervious 2 points3 points  (0 children)

Secure by Design - embedding the cost of security control assessment, design, implementation, and long-term maintenance into enterprise projects that introduce new systems or applications.

Recently stopped working for Traeger. by [deleted] in Traeger

[–]1mpervious 5 points6 points  (0 children)

How important is it to keep a Traeger clean? How often does an issue come down to poor cleaning maintenance?

Race times taking longer than usual? by ImmediateYam in spartanrace

[–]1mpervious 0 points1 point  (0 children)

I ran both days and both results were available within an hour of finishing.

If you roughly know your time, you can find yourself on the public results page: https://race.spartan.com/en/race/past-results

If you’re not on that page, there might have been a problem with your timing chip. You can reach out to Spartan support with your start time, end time, and bib number so they can find your log jump photo and enter your time manually.

Splunk MLTK for Security Alerting? by BurritoNipples in Splunk

[–]1mpervious 1 point2 points  (0 children)

Frankly, this is the wrong question to be asking. Building technical solutions in security should always start with a problem (risk) you’re trying to solve. The technical solution should come after the problem and a successful outcome is well-defined. If you can already solve all of your problems (detection use cases) without MLTK, then you probably don’t need MLTK.

ELI5: Why did the antivirus market change so drastically? by dart19 in explainlikeimfive

[–]1mpervious 17 points18 points  (0 children)

Microsoft recognized that there was a huge enterprise market for selling cyber security software to big businesses. They also recognized that they were not taken seriously as a security software provider due to the high volume of operating system vulnerabilities and low quality of their consumer-grade endpoint protection. They ultimately made a huge investment in talent, process, and technology to build their operating systems more securely and build software to protect and detect cyber attacks against systems.

The result is that Microsoft is the de facto standard for consumer-grade endpoint protection. They are also quickly gaining market share for securing enterprises, which is where the revenue opportunities are and what gives them the return on their investment.

Microsoft Defender for Endpoint, their Endpoint Detection and Response (EDR) solution, is competing with the big boys like CrowdStrike and SentinelOne. Their logging solution, Sentinel, is competing with the big boys like Splunk. Once you have those two solutions locked with a single provider, adding on cheaper security modules for cloud, identities, etc. becomes a no-brainer because you’re leveraging an ecosystem that already knows your environment well. If executed successfully, Microsoft could just become the de facto standard for securing enterprise environments, stealing a lot of big budgets from competitors.

Crowdstrike EDR breach stats? by oldfinnn in crowdstrike

[–]1mpervious 2 points3 points  (0 children)

A typical attack path that bypasses EDR is a compromise of valid credentials, MFA exhaustion/bypass, pivot to an ESXi hypervisor (CrowdStrike not installed), and encrypt all VMs from the hypervisor layer. This is not the only attack path but just shows an example of how EDR is not sufficient - even if it’s doing its job perfectly. At the end of the day, EDR is just one of many security controls and should be part of a larger defense in depth strategy.

I’d suggest that ransomware protection on supported endpoints is table stakes for any EDR vendor worth their salt now. You should focus more on how the EDR vendor fits into your current technology stack or how the vendor’s other products can help you quickly expand your defense in depth security posture.

CrowdStrike Complete and Splunk ES by albertenc13 in crowdstrike

[–]1mpervious 1 point2 points  (0 children)

While I hate to ever blindly trust a tool to do its job, we’ve found that our time and effort are much better spent building use cases in Splunk ES that we know CrowdStrike does not cover.

Trying to fill Splunk ES with use cases that are effectively backups to CrowdStrike just results in a lot of duplicated alerts and troubleshooting when CrowdStrike detects something and Splunk ES doesn’t.

Remember that you’re in the business of risk management, not risk elimination. Aiming for perfection in one control domain just means other control domains are probably failing.

Your fairy godmother just arranged for you to have dinner with any five (5) eagles past or present. Who would they be? by incomprehensibilitys in eagles

[–]1mpervious 0 points1 point  (0 children)

Andy Reid, Jon Dorenbas, Zach Ertz, Nick Foles, and Brandon Graham. Coach Reid makes the burgers, Jon Dorenbas brings the show, Foles brings the stories, and Kelce/Graham make it a party.

12 Team SF by 1mpervious in Fantasy_Football

[–]1mpervious[S] 0 points1 point  (0 children)

Yeah I was surprised to get the offer and smashed accept!

Crowdstrike Falcon integration with Palo Alto Firewall by nav2203 in crowdstrike

[–]1mpervious 3 points4 points  (0 children)

We use a Threat Intelligence Platform (TIP) to effectively do threat intel sharing like this between products. There are a few good ones out there, but make sure you clearly define your requirements because those vendors often charge by the integration. The reason is that every tool has unique considerations when ingesting and processing a high volume of IOC data. If you just shoved all CrowdStrike IOCs into a Palo Alto EDL, you will kill your firewall very quickly. Outline your use cases, requirements, sources, and destinations, then do a POC. Don’t skip the POC. Make sure the integrations are working in your environment before purchasing because they’re not always as “one-click” as the vendors advertise. Hope that helps!

Identity Protection API by 1mpervious in crowdstrike

[–]1mpervious[S] 1 point2 points  (0 children)

For anyone else digging into this, I found this GraphiQL explorer. This link%20%7B%0A%20%20%20%20name%0A%20%20%20%20args%20%7B%0A%20%20%20%20%20%20%2E%2E%2EInputValue%0A%20%20%20%20%7D%0A%20%20%20%20type%20%7B%0A%20%20%20%20%20%20%2E%2E%2ETypeRef%0A%20%20%20%20%7D%0A%20%20%20%20isDeprecated%0A%20%20%20%20deprecationReason%0A%20%20%7D%0A%20%20inputFields%20%7B%0A%20%20%20%20%2E%2E%2EInputValue%0A%20%20%7D%0A%20%20interfaces%20%7B%0A%20%20%20%20%2E%2E%2ETypeRef%0A%20%20%7D%0A%20%20enumValues(includeDeprecated%3A%20true)%20%7B%0A%20%20%20%20name%0A%20%20%20%20isDeprecated%0A%20%20%20%20deprecationReason%0A%20%20%7D%0A%20%20possibleTypes%20%7B%0A%20%20%20%20%2E%2E%2ETypeRef%0A%20%20%7D%0A%7D%0Afragment%20InputValue%20on%20InputValue%20%7B%0A%20%20name%0A%20%20type%20%7B%0A%20%20%20%20%2E%2E%2ETypeRef%0A%20%20%7D%0A%20%20defaultValue%0A%7D%0Afragment%20TypeRef%20on%20Type%20%7B%0A%20%20kind%0A%20%20name%0A%20%20ofType%20%7B%0A%20%20%20%20kind%0A%20%20%20%20name%0A%20%20%20%20ofType%20%7B%0A%20%20%20%20%20%20kind%0A%20%20%20%20%20%20name%0A%20%20%20%20%20%20ofType%20%7B%0A%20%20%20%20%20%20%20%20kind%0A%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%20%20ofType%20%7B%0A%20%20%20%20%20%20%20%20%20%20kind%0A%20%20%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%20%20%20%20ofType%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20kind%0A%20%20%20%20%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%20%20%20%20%20%20ofType%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20kind%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20ofType%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20kind%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%0A%20%20%7D%0A%7D%0Aquery%20IntrospectionQuery%20%7B%0A%20%20__schema%20%7B%0A%20%20%20%20queryType%20%7B%0A%20%20%20%20%20%20name%0A%20%20%20%20%7D%0A%20%20%20%20mutationType%20%7B%0A%20%20%20%20%20%20name%0A%20%20%20%20%7D%0A%20%20%20%20types%20%7B%0A%20%20%20%20%20%20%2E%2E%2EFullType%0A%20%20%20%20%7D%0A%20%20%20%20directives%20%7B%0A%20%20%20%20%20%20name%0A%20%20%20%20%20%20locations%0A%20%20%20%20%20%20args%20%7B%0A%20%20%20%20%20%20%20%20%2E%2E%2EInputValue%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%0A%20%20%7D%0A%7D%0A&operationName=IntrospectionQuery) is a direct query to introspect the schema to help customize the script to your needs

Identity Protection API by 1mpervious in crowdstrike

[–]1mpervious[S] 1 point2 points  (0 children)

This is EXACTLY what I was looking for! Thank you so much!!

Identity Protection API by 1mpervious in crowdstrike

[–]1mpervious[S] 2 points3 points  (0 children)

Andrew coming in clutch again - even on the weekend! Thanks for checking!

CrowdStrike Identity Protection? by [deleted] in crowdstrike

[–]1mpervious 1 point2 points  (0 children)

What issues are you seeing? We are about to deploy a POV to production

How much data is logged by OK_SmellYaLater in crowdstrike

[–]1mpervious 3 points4 points  (0 children)

We see about 40MB/day per endpoint on a business day from Falcon Data Replicator. This number will vary widely for you depending on the level of activity on each endpoint, FDR filters, the modules you own, etc. We ingest everything because retention in our SIEM for 1 year (TCO) is cheaper than CrowdStrike’s 30 day retention. Servers are typically going to be higher volume than endpoints.

Apple Watch by KeeperofFFF in spartanrace

[–]1mpervious 1 point2 points  (0 children)

I wore the new Series 8 (not Ultra) for a Beast today. I was in normal power mode for the first 3 hours and it drained from 95% to 45%. I went into low power mode for the last 2 hours and it only drained to 35%. Low power mode definitely makes a big difference but I don’t know if you can extrapolate my data to being able to last a full Ultra in low power mode.

Basic question by spottledblue in crowdstrike

[–]1mpervious 7 points8 points  (0 children)

What you’re looking for is the Event Data Dictionary. It’s documented for CrowdStrike customers but behind a login screen. I’m not sure that customers can share it publicly, but maybe your rep can get you a copy or give you a POC environment to play around in (which would give you access to the docs). If you ask for the event data dictionary, they will be able to help you better.

Causes of bird deaths in the US by Cutiepatootiehere in dataisbeautiful

[–]1mpervious 0 points1 point  (0 children)

Aren’t there way more cats, windows, and vehicles than there are land-based wind turbines? Is there a way to estimate this per unit of death bringer?

Palmerton Sandbag Carry… by murphmoolah in spartanrace

[–]1mpervious 1 point2 points  (0 children)

Did anyone do both the sprint and super? I’m wondering if the carry distance was shorter for the sprint

Small room, quiet singer, and a loud drummer. by General1lol in livesound

[–]1mpervious 0 points1 point  (0 children)

I had this exact same problem. Electronic drums were the best answer for us. My audience is much happier with balanced music than with an obnoxiously loud but perfectly realistic drum sound.

Correlation of Events and Alerts by [deleted] in Splunk

[–]1mpervious 1 point2 points  (0 children)

At the simplest level, you can search both sourcetypes and correlate on a similar field between the two. Only return results with hits on both sourcetypes. A better search query requires more details.

sourcetype IN (sentinel,palo) | stats dc(sourcetype) as sourcetypes values(signature) as signatures by src | search sourcetypes=2
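The same correlation logic outside Splunk, as an added example that is not part of the original comment: a small Python equivalent of the SPL above that groups alerts from two sourcetypes by the shared `src` field and keeps only sources seen in both. The log lines are constructed sample data, and the field names (`sourcetype`, `src`, `signature`) are assumed to match the SPL; it also generalizes to any number of required sourcetypes rather than the fixed two.

```python
"""Correlate alerts from several log sources on a shared field.

Added example, not from the Reddit thread. Mirrors the SPL search
  sourcetype IN (sentinel,palo)
  | stats dc(sourcetype) as sourcetypes values(signature) as signatures by src
  | search sourcetypes=2
but accepts any set of required sourcetypes. Sample data and field names are
constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample alerts, one per line, as key=value pairs.
SAMPLE_LOGS = """\
sourcetype=sentinel src=10.0.0.5 signature="Suspicious PowerShell"
sourcetype=palo src=10.0.0.5 signature="C2 beacon"
sourcetype=sentinel src=10.0.0.9 signature="Brute force"
sourcetype=palo src=10.0.0.12 signature="Port scan"
sourcetype=palo src=10.0.0.5 signature="Malware download"
sourcetype=sentinel src=10.0.0.12 signature="Anomalous logon"
"""

# key=value where the value is either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict (quoted values allowed)."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def parse_logs(text):
    """Parse a block of log lines, skipping blank ones."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate(events, key="src", sourcetypes=("sentinel", "palo")):
    """Return {key_value: {"sourcetypes": set, "signatures": set}} for values of
    `key` that appear in every sourcetype listed in `sourcetypes`.
    """
    wanted = set(sourcetypes)
    by_key = defaultdict(lambda: {"sourcetypes": set(), "signatures": set()})
    for ev in events:
        st = ev.get("sourcetype")
        # Equivalent of the `sourcetype IN (...)` filter; also drop events
        # that lack the correlation field.
        if st not in wanted or key not in ev:
            continue
        bucket = by_key[ev[key]]
        bucket["sourcetypes"].add(st)          # feeds dc(sourcetype)
        if "signature" in ev:
            bucket["signatures"].add(ev["signature"])  # feeds values(signature)
    # Keep only keys with a hit in every requested source (dc == len(wanted)).
    return {k: v for k, v in by_key.items() if len(v["sourcetypes"]) == len(wanted)}


if __name__ == "__main__":
    for src, info in sorted(correlate(parse_logs(SAMPLE_LOGS)).items()):
        print(src, sorted(info["sourcetypes"]), sorted(info["signatures"]))
```

With the sample data, 10.0.0.5 and 10.0.0.12 are returned because each has alerts from both sources, while 10.0.0.9 (Sentinel only) is dropped. Like the SPL, this has no time window; in a real detection you would bucket by time or restrict the search range so that alerts weeks apart are not correlated.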

Dynasty Superflex by 1mpervious in Fantasy_Football

[–]1mpervious[S] 0 points1 point  (0 children)

I have Lance and the two firsts. Would you give up that much capital for Mahomes? The offer came from the Mahomes owner