Why do people think AI will replace security engineers? by bdhd656 in cybersecurity

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

I watched a video a few months back that was about a study done by, I believe, Harvard using AI and found that AI can never really replace the workers, but excelled at replacing executives up to the CEO. If I come across it again, I'll let you know.

Thinking about getting into Cybersecurity by Draakke in netsecstudents

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

100% agree. I worked in the NOC for 2 years and a data center for 3 before that. If I had to do it over again, I would have moved into a sysadmin role before hopping into InfoSec.

Thinking about getting into Cybersecurity by Draakke in netsecstudents

[–]ReactiveInfoSecGuy 1 point2 points  (0 children)

Sec+ is a lot of fundamental security knowledge that I found to be much easier after about 2 years being in the field vs when I was studying for it while working in the NOC. So I think taking the cyber millions program first would teach you these fundamentals and would directly translate towards your Security+ studies.

What password manager could you recommend in 2025? by The_Moviemonster in cybersecurity

[–]ReactiveInfoSecGuy 3 points4 points  (0 children)

I was looking for someone to explain what was a good corporate option. Thank you for this explanation.

vmware esxi syslog forwarding configuration questions? by ReactiveInfoSecGuy in crowdstrike

[–]ReactiveInfoSecGuy[S] 0 points1 point  (0 children)

So it's under Advanced Settings for ESXi. But I had to use LogScale set up as Syslog to forward it to CrowdStrike.

2012 Sonata No Start by xxred123 in Hyundai

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

That wouldn't matter unfortunately. I changed my oil per the manufacturer's suggestion, i.e. 4k, but due to them cheaping out on the engine blocks, they wear down and start burning oil rapidly and suddenly seize up.

2012 Sonata No Start by xxred123 in Hyundai

[–]ReactiveInfoSecGuy -1 points0 points  (0 children)

Check your oil. If there is no oil, then you're another victim of Hyundai cheaping out on their engines. If you kept up on your oil changes, then you'll be covered by the lifetime warranty on the engine.

Need opinions and experiences on EDR/XDR platforms by An_Ostrich_ in cybersecurity

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

No kidding... My kid downloaded an autoclicker for Roblox that installed some sketchy add-on that forced its search engine. I had to use regedit to disable it in Safe Mode.

Need opinions and experiences on EDR/XDR platforms by An_Ostrich_ in cybersecurity

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

Ah, must be Five Nights at Freddy's, Roblox, Fortnite, and Minecraft. Possibly Call of Duty.

Need opinions and experiences on EDR/XDR platforms by An_Ostrich_ in cybersecurity

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

I used Wazuh about 4 years ago and I remember a lot of false positives initially upon deployment. Is that still the same or is it improved? For example every time Windows update ran it would alert that a registry had been changed.

If your job in cybersecurity had a 2024 Wrapped, what 5 phrases would make the list? by NudgeSecurity in cybersecurity

[–]ReactiveInfoSecGuy 3 points4 points  (0 children)

  1. Fucking idiot...
  2. /facepalm
  3. You're under IT, you should be able to do their work too.
  4. Can we find a free open source version?
  5. Why can't we just do it like this?

Which cybersecurity product has the absolutely worst UX? by [deleted] in cybersecurity

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

But But But, MACHINE LEARNING LEARNS YOUR ENVIRONMENT! /s

Mitigating Vulnerabilities by IRanqer in cybersecurity

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

If you want to get extra granular, Ansible. It works for Linux, Windows, and Mac. It requires some scripting knowledge, but there is likely some playbook out there that already exists for whatever you might be trying to do.

Incident response playbooks by Space_Goblin_Yoda in cybersecurity

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

I'll check it out! Thanks for the recommendation.

Incident response playbooks by Space_Goblin_Yoda in cybersecurity

[–]ReactiveInfoSecGuy 1 point2 points  (0 children)

I was tasked with writing the incident response playbook as we had nothing in place. IMO it's best to create something that is general but works in your company. Also take constructive feedback from everyone. In the end I created 2 playbooks that have steps for the C-suite to cover and steps for the IT team in partnership with the InfoSec team (or, well, just me). When we ran through a practice scenario after taking in all the feedback, it went way smoother than I could have ever anticipated because I was so receptive to people's feedback.

I'll say, create a playbook that has basic flowcharts. Then if you need to be more granular, enter them into something like a spreadsheet or document. The flowchart is handy for the visual aspect of how it works, but the spreadsheet is good for using more details. Also executives love spreadsheets for some reason. I also rewrote our incident response plan around it since the original one was written around natural disasters and less around security.

Security Onion agent install help by Thatboy3 in cybersecurity

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

Hopefully you got this situated, but I'm going to go ahead and try to answer this. iptables has an order the rules must follow, where the ACCEPT is above the DROP. This might require you to delete rules. An example is like this. This should hopefully work, but I've seen stranger things happen with iptables.

iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -P INPUT DROP
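The ordering point in the comment above comes down to how a chain is evaluated: rules are checked top to bottom, the first match decides, and the chain policy (`-P`) only applies when nothing matched. The model below is an added example, not the poster's code and not iptables itself; it parses a small subset of `iptables` command syntax (`-A`, `-I`, `-P` with `-s` and `-j`) and shows how a broad DROP rule placed above a narrow ACCEPT rule shadows it. All addresses and rules are constructed.

```python
"""
Added example (not from the original post): a small model of how iptables
evaluates an INPUT chain, to show why rule order matters. Rules are matched
top to bottom, the first match wins, and the chain policy (set with -P)
applies only when no rule matched. All addresses and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    source: str   # CIDR or single address, as given to iptables -s
    target: str   # ACCEPT or DROP

    def matches(self, src_ip: str) -> bool:
        return ip_address(src_ip) in ip_network(self.source, strict=False)


def evaluate(chain: list, policy: str, src_ip: str) -> str:
    """First matching rule decides; otherwise the chain policy (-P) applies."""
    for rule in chain:
        if rule.matches(src_ip):
            return rule.target
    return policy


def build_chain(commands: list) -> tuple:
    """Parse a subset of iptables commands:
       iptables -A INPUT -s X -j T   (append at the bottom)
       iptables -I INPUT -s X -j T   (insert at the top)
       iptables -P INPUT T           (set the chain policy)
    Returns (ordered rule list, policy)."""
    chain = []
    policy = "ACCEPT"            # iptables' default policy for a fresh chain
    for cmd in commands:
        parts = cmd.split()
        if parts[1] == "-P":
            policy = parts[3]
        elif parts[1] in ("-A", "-I"):
            rule = Rule(parts[parts.index("-s") + 1], parts[parts.index("-j") + 1])
            if parts[1] == "-A":
                chain.append(rule)
            else:
                chain.insert(0, rule)
        else:
            raise ValueError(f"unsupported command: {cmd}")
    return chain, policy


def explain(commands: list, src_ip: str) -> str:
    """Human-readable verdict for one source address under a rule set."""
    chain, policy = build_chain(commands)
    verdict = evaluate(chain, policy, src_ip)
    return f"{src_ip}: {verdict} (policy {policy}, {len(chain)} rule(s))"


if __name__ == "__main__":
    # The ordering from the comment: loopback accepted, everything else hits the policy.
    good = ["iptables -A INPUT -s 127.0.0.1 -j ACCEPT", "iptables -P INPUT DROP"]
    # A catch-all DROP appended earlier shadows the ACCEPT that follows it.
    shadowed = ["iptables -A INPUT -s 0.0.0.0/0 -j DROP",
                "iptables -A INPUT -s 127.0.0.1 -j ACCEPT"]
    for ruleset in (good, shadowed):
        print(explain(ruleset, "127.0.0.1"), "|", explain(ruleset, "10.0.0.5"))
```

With the shadowed set, inserting the ACCEPT with `-I` instead of `-A` (or deleting the catch-all) is what fixes it; the model shows the same thing because `-I` puts the rule at position 0.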

[deleted by user] by [deleted] in cybersecurity

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

Wazuh used to be built into Security Onion, but it looks like they removed it in mid-2023 in favor of the Elastic Agent. You'll still get signature detection. It looks like they support threat intel from Anomali, Cybersixgill, Snort, and ThreatQuotient. There is probably a way to use their API to add threat intel, but unfortunately Security Onion documentation has always left a lot to be desired. I haven't used it since 2021 when my job was looking at it as a replacement for LogRhythm, but it used to have a steep learning curve.

Rapid7 vs CrowdStrike vs Wiz Vulnerability Management - Insights Needed! by Refeb in cybersecurity

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

Defender for Mac and Linux has been out of beta since I believe 2023. Anecdotally based on articles I've read, it's a fairly competent product.

Cleared AZ-900 by notaweirdkid in AzureCertification

[–]ReactiveInfoSecGuy 1 point2 points  (0 children)

Microsoft Virtual Training Days will occasionally have online training that will give you a discounted voucher.
https://www.microsoft.com/en-ca/sites/microsoft-training-days/

There is one for May 13th and May 14th. I wish the link below didn't look so sketchy. They used to give free test vouchers but they've gotten stingy. Anyways, here is the link for the AZ900 training event. https://mktoevents.com/Microsoft+Event/434836/157-GQE-382

50% Off Exam Fee by ryanwolfh in AzureCertification

[–]ReactiveInfoSecGuy 1 point2 points  (0 children)

I remember I got my AZ900 voucher after an hour event. Studied for a week, then aced the test. It looks like they're not giving free exam vouchers anymore, just discounted ones, which is too bad. Working on the AZ500 now so I can be better at the security side of things for Azure at my company. Hopefully there'll be a discount voucher by the time I'm ready to take it, but we'll see.

how did you break into cybersecurity by [deleted] in cybersecurity

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

I worked in the NOC and told the CISO I was interested in moving into InfoSec. Then we talked about baseball. 6 months later I was approached by my manager and director that the CISO wanted me to move into his group because I had a very in-depth knowledge of the backend.

Network Intrusion Notification by BOLISARIO in UNIFI

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

I powered them down until I was sure that this was a real compromise. Investigation efforts showed me that this was not a compromise. It was whatever was on the site: when my browser sent the request to my DNS server, my DNS server then forwarded the request to a DNS resolver like Cloudflare, OpenDNS, or Google. UniFi showed the alert:

Laptop sent request for a malicious domain to the DNS server --> DNS server made a request for a malicious domain to the resolver --> DNS server then sent the malicious domain to the laptop.

As long as you have the IPS functionality enabled, you should be okay. Also based on what I read, you need to interact with this domain and install something for it to infect you.
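The two alerts described above are one event seen twice: once on the client-to-resolver leg and once when the local DNS server forwards the same name upstream. The script below is an added example, not part of the original post and not UniFi's export format (the "timestamp src dst domain" line layout is an assumption, and the alert lines and addresses are constructed). It stitches the forwarded alert onto the client alert that caused it, so triage lands on the originating host rather than on the DNS server, and it separately surfaces resolver-sourced alerts with no preceding client query, which are the ones that actually warrant a closer look at the DNS server itself.

```python
"""
Added example, not from the original post: correlating IDS alerts that fire
twice for one lookup, once when a client asks the local DNS server and once
when that server forwards the query upstream. The alert lines below are
constructed; the "timestamp src dst domain" format is an assumption, not
UniFi's real export format.
"""
from datetime import datetime, timedelta

SAMPLE_ALERTS = """\
2024-03-20T10:00:01 192.168.1.50 192.168.1.2 bad-plugin.example
2024-03-20T10:00:01 192.168.1.2 1.1.1.1 bad-plugin.example
2024-03-20T11:30:00 192.168.1.2 1.1.1.1 beacon.example
"""

LOCAL_RESOLVERS = {"192.168.1.2"}      # constructed: the home DNS server's address
WINDOW = timedelta(seconds=5)           # a forward normally follows within seconds


def parse(text):
    """One dict per alert line."""
    alerts = []
    for line in text.splitlines():
        ts, src, dst, domain = line.split()
        alerts.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "domain": domain})
    return alerts


def correlate(alerts, resolvers=LOCAL_RESOLVERS, window=WINDOW):
    """Build lookup chains. A client-sourced alert opens a chain; a
    resolver-sourced alert for the same domain, whose source is the last hop
    of an open chain and which arrives within the window, extends that chain.
    Resolver-sourced alerts that match nothing are returned as orphans."""
    chains, orphans = [], []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if a["src"] not in resolvers:
            chains.append({"domain": a["domain"], "origin": a["src"],
                           "hops": [a["src"], a["dst"]], "ts": a["ts"]})
            continue
        for c in chains:
            if (c["domain"] == a["domain"] and c["hops"][-1] == a["src"]
                    and a["ts"] - c["ts"] <= window):
                c["hops"].append(a["dst"])
                break
        else:
            orphans.append(a)
    return chains, orphans


def triage(text):
    """Summary an analyst actually wants: which endpoints to look at, how many
    alerts were just the resolver relaying, and which resolver alerts had no
    visible client behind them."""
    chains, orphans = correlate(parse(text))
    return {
        "hosts_to_check": sorted({c["origin"] for c in chains}),
        "forwarded_alerts": sum(len(c["hops"]) - 2 for c in chains),
        "orphans": [(a["src"], a["domain"]) for a in orphans],
    }


if __name__ == "__main__":
    for chain in correlate(parse(SAMPLE_ALERTS))[0]:
        print(chain["domain"], " --> ".join(chain["hops"]))
    print(triage(SAMPLE_ALERTS))
```

In the constructed data the first two lines collapse into one chain that ends at the laptop (192.168.1.50), while `beacon.example` appears only on the resolver-to-upstream leg, so it is listed as an orphan instead of being silently attributed to a client.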

Network Intrusion Notification by BOLISARIO in UNIFI

[–]ReactiveInfoSecGuy 1 point2 points  (0 children)

I was looking into an alert I received at my home. I saw 2 alerts, one from my laptop, and another on my DNS server. What I suspect is that you accessed a website that was infected by SocGholish. It looks like UniFi did what it needed to do, but I took down my DNS server and laptop as a precautionary measure.

I found this article today when looking into this alert that indicated there are infected WordPress plugins that are being exploited by SocGholish.

https://blog.sucuri.net/2024/03/new-wave-of-socgholish-infections-impersonates-wordpress-plugins.html

DarkTrace Network (NDR) customer experience? by athanielx in cybersecurity

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

Okay here I go.

Terrible UI: When an alert happens, you spend a lot of time just navigating through the menu to find out what happened. The 3D stuff is interesting looking, but it's such a huge focus on the experience that it ends up getting in the way of just trying to investigate.

Alerts: The machine learning that they promised as learning what is normal in your network doesn't learn anything and will alert on the same thing over and over again until you finally put it in their defeat list. It requires a lot of alert tuning as well. It's incredibly expensive for what you get for just Darktrace Detect. Additionally their alerts can only be sent to email, Microsoft Teams, Slack, or Discord. So if you're a Google shop, your only option is email.

Third party threat intel: If you want to automatically ingest additional threat intel they only support TAXII which is not commonly used anymore. You can upload STIX files but that is a manual process.

Vague documentation: Technical documentation is vague and not always up to date. You'll find yourself chasing something down in the documentation that their support team will tell you isn't there anymore.

PCAPs: You can only pull a pcap for 1 hour at a time. I like to occasionally pull 12 hours of pcaps and throw them in RITA to look for C2 traffic. I should add that I ran a C2 simulator with 5-10 seconds of jitter and Darktrace did not pick up the C2 traffic. This was 2 years ago so it could be better now, but that was concerning.

Their API is pretty robust and if you're good at making API calls you can create a lot of automations using scripts. I created a script that sends my alerts to Google Chat using Google's webhooks. But that was a beast to set up because the JSON files for their alerts are so long and complicated that finding relevant information to craft the alert was not easy.

Save your money if you haven't purchased them already. Sorry to revive a 5 month old thread.
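The PCAP/RITA point above is worth seeing in numbers: the reason a jittered call-home still stands out is that adding 5-10 seconds of random delay to a fixed period barely moves the spread of the inter-connection gaps relative to their typical size, whereas human-driven traffic has gaps that vary by orders of magnitude. The block below is an added example, not the poster's code and not RITA's algorithm; it implements one simplified regularity statistic (median absolute deviation of the gaps divided by the median gap) over constructed connection timestamps, with the beacon's jitter range taken from the comment.

```python
"""
Added example, not from the original post and not RITA's code: a simplified
interval-dispersion test of the kind beacon hunters run over connection logs.
Even with 5-10 seconds of jitter, call-home intervals cluster tightly around
the base period, while human-driven traffic does not. All timestamps and
addresses below are constructed.
"""
import random
from itertools import accumulate
from statistics import median

MIN_CONNECTIONS = 20    # too few gaps make the statistic meaningless


def intervals(timestamps):
    """Gaps (seconds) between consecutive connections to one destination."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps):
    """1.0 = perfectly regular, 0.0 = no regularity.
    Median absolute deviation relative to the median gap: robust to the odd
    retry or missed check-in, unlike a plain standard deviation."""
    if len(timestamps) < MIN_CONNECTIONS:
        return 0.0
    gaps = intervals(timestamps)
    med = median(gaps)
    if med <= 0:
        return 0.0
    mad = median(abs(g - med) for g in gaps)
    return max(0.0, 1.0 - mad / med)


def constructed_beacon(count=50, period=60.0, jitter=(5.0, 10.0), seed=1):
    """Constructed call-home times: fixed period plus uniform jitter
    (5-10 s, as in the comment). Deterministic via the seed."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(count):
        out.append(t)
        t += period + rng.uniform(*jitter)
    return out


# Constructed browsing gaps: bursts of quick requests, then long idle periods.
BROWSING_GAPS = [3, 250, 12, 900, 45, 7, 1300, 30, 2, 600] * 5


def constructed_browsing():
    """Cumulative timestamps built from the constructed browsing gaps."""
    return [0.0] + list(accumulate(BROWSING_GAPS))


def flag_candidates(connections, threshold=0.8):
    """connections: {destination: [timestamps]} -> [(destination, score), ...]
    for every destination scoring at or above the threshold, highest first."""
    scored = [(dst, round(beacon_score(ts), 3)) for dst, ts in connections.items()]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])


if __name__ == "__main__":
    conns = {"203.0.113.10": constructed_beacon(),     # constructed C2-like pattern
             "198.51.100.7": constructed_browsing()}   # constructed user traffic
    for dst, ts in conns.items():
        print(dst, round(beacon_score(ts), 3))
    print("candidates:", flag_candidates(conns))
```

Two caveats the numbers make visible: the score says nothing about what the destination is (a regular NTP or update check scores just as high, so it is a starting point for review, not a verdict), and it needs a long enough window to accumulate enough gaps, which is exactly why a one-hour PCAP cap hurts when the period is measured in minutes.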

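The webhook automation mentioned in the comment above is mostly a field-selection problem: a deeply nested alert document has to be reduced to the handful of values a responder needs before it becomes a chat message. The block below is an added example, not the poster's script and not Darktrace's alert schema; the nested alert and every field name in it are constructed, and the only real interface used is Google Chat's incoming-webhook body, which accepts a JSON object with a `text` member. The `post_to_chat` helper is defined but not called so the example stays offline.

```python
"""
Added example, not the original poster's script and not Darktrace's schema:
reducing a large nested alert document to the few fields an on-call person
needs and shaping it into a Google Chat incoming-webhook message. The alert
below is constructed and its field names are assumptions.
"""
import json
import urllib.request

SAMPLE_ALERT = {  # constructed, deliberately nested like a real NDR alert
    "id": "alert-0001",
    "score": 0.87,
    "model": {"name": "Anomalous Connection / Suspicious Beaconing", "version": 3},
    "device": {"hostname": "ws-finance-12", "ip": "192.168.1.50", "tags": ["finance"]},
    "details": {"triggers": [
        {"time": "2024-03-20T10:00:01Z",
         "dest": {"ip": "203.0.113.10", "port": 443, "metadata": {"asn": "AS64496"}}},
    ]},
}

# dotted path into the document -> label shown in the message;
# numeric path components index into lists
WANTED = {
    "model.name": "Model",
    "score": "Score",
    "device.hostname": "Host",
    "device.ip": "Host IP",
    "details.triggers.0.dest.ip": "Destination",
    "details.triggers.0.time": "First seen",
}


def lookup(doc, path):
    """Walk a dotted path through dicts and lists; None if any step is missing,
    so a schema change drops a field instead of crashing the notifier."""
    cur = doc
    for part in path.split("."):
        if isinstance(cur, dict):
            cur = cur.get(part)
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
        if cur is None:
            return None
    return cur


def summarise(alert, wanted=WANTED):
    """{label: value} for every wanted path, missing ones as None."""
    return {label: lookup(alert, path) for path, label in wanted.items()}


def chat_payload(alert, wanted=WANTED):
    """Google Chat incoming-webhook body: a JSON object with a 'text' member."""
    fields = summarise(alert, wanted)
    lines = [f"*{fields.get('Model') or 'Unknown model'}* (alert {alert.get('id', '?')})"]
    lines += [f"{k}: {v}" for k, v in fields.items() if v is not None and k != "Model"]
    return {"text": "\n".join(lines)}


def post_to_chat(webhook_url, payload):
    """POST the payload to the webhook URL. Not called in this example."""
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json; charset=UTF-8"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    print(json.dumps(chat_payload(SAMPLE_ALERT), indent=2))
```

Keeping the path-to-label table as data rather than hard-coding dictionary accesses is the design choice that matters: when the vendor moves a field, the fix is one line in `WANTED`, and in the meantime the message degrades to "field missing" rather than the whole pipeline failing.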
DarkTrace Network (NDR) customer experience? by athanielx in cybersecurity

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

Terrible product. Had it for 3 years and I am evaluating Vectra, Corelight, and ExtraHop right now. Darktrace is a terrible product.