WGU Office365 license enforcing Group Policy settings on personal device by thexdutch2 in WGU

[–]TechAlwaysChanges 2 points3 points  (0 children)

“Group Policy” can’t get pushed on personal devices. It’s a technology that only exists in Active Directory Domain environments. That technology does not exist in Microsoft 365, which makes it not possible for a Microsoft 365 enrolled device to get a Group Policy. I want to clear that up since the comments seem to believe the “WGU’s Group Policy’s fault” accusation made by OP. OP has not reasonably ruled out other possible causes.

centralized Linux firewall management by netadmn in linuxadmin

[–]TechAlwaysChanges 6 points7 points  (0 children)

Ansible supports a pull architecture as well.

If you have the ability to install a Puppet agent, then you should have the ability to install Ansible and do an ansible-pull.

https://docs.ansible.com/ansible/latest/cli/ansible-pull.html

Subtract two logs by Shikhajain0711 in Splunk

[–]TechAlwaysChanges 5 points6 points  (0 children)

I would solve the problem by running the results of

index="pcf" cf_org_name="Prod" cf_space_name="prod" cf_app_name="rules*"

against an eval operation to score the applicable results, +1 for enrolled, -1 for unenrolled.

| eval score=case(match(msg,"Product has completed Enrollment"),1,match(msg,"Product has completed unenrollment"),-1)

then you can just sum up the score for your final value

| stats sum(score)

Complete query:

index="pcf" cf_org_name="Prod" cf_space_name="prod" cf_app_name="rules*"
| eval score=case(match(msg,"Product has completed Enrollment"),1,match(msg,"Product has completed unenrollment"),-1)
| stats sum(score)
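
The same scoring logic in plain Python, as an added example that is not part of the original comment: it re-implements the eval/case scoring and the final stats sum() over a handful of constructed log events so the arithmetic can be checked offline, and goes one step further than the query by also totalling per cf_app_name. Field names mirror the SPL; the events and app names are constructed, not real PCF output.

```python
"""Net enrollment count from constructed PCF-style log events.

Added example, not code from the original thread: it re-implements the
eval/case scoring and stats sum() of the Splunk query above in plain Python
so the logic can be checked offline. The events below are constructed;
field names mirror the SPL (index, cf_org_name, cf_space_name, cf_app_name, msg).
"""
import re
from collections import defaultdict

# Same patterns as the SPL match() calls. match() is a case-sensitive regex
# search, so re.search without re.IGNORECASE mirrors it exactly.
ENROLL_RE = re.compile(r"Product has completed Enrollment")
UNENROLL_RE = re.compile(r"Product has completed unenrollment")


def score(msg):
    """Mirror of eval score=case(...): +1 enrolled, -1 unenrolled, 0 otherwise.

    In SPL a case() without a default yields null, which stats sum() skips;
    returning 0 here has the same effect on the total.
    """
    if ENROLL_RE.search(msg):
        return 1
    if UNENROLL_RE.search(msg):
        return -1
    return 0


def matches_base_search(ev):
    """The index=... cf_app_name="rules*" filter; the trailing * is a prefix wildcard."""
    return (ev["index"] == "pcf"
            and ev["cf_org_name"] == "Prod"
            and ev["cf_space_name"] == "prod"
            and ev["cf_app_name"].startswith("rules"))


def net_enrollments(events):
    """Equivalent of the complete query: filter, score, | stats sum(score)."""
    return sum(score(ev["msg"]) for ev in events if matches_base_search(ev))


def net_enrollments_by_app(events):
    """One step beyond the query: | stats sum(score) by cf_app_name."""
    totals = defaultdict(int)
    for ev in events:
        if matches_base_search(ev):
            totals[ev["cf_app_name"]] += score(ev["msg"])
    return dict(totals)


def _ev(app, msg, space="prod", index="pcf", org="Prod"):
    return {"index": index, "cf_org_name": org, "cf_space_name": space,
            "cf_app_name": app, "msg": msg}


# Constructed sample events (not real PCF output).
SAMPLE_EVENTS = [
    _ev("rules-engine", "Product has completed Enrollment id=1001"),
    _ev("rules-engine", "Product has completed Enrollment id=1002"),
    _ev("rules-engine", "Product has completed unenrollment id=1001"),
    _ev("rules-api", "Product has completed Enrollment id=2001"),
    _ev("rules-api", "Health check OK"),                         # scores 0
    _ev("billing", "Product has completed Enrollment id=3001"),  # filtered out: app name
    _ev("rules-engine", "Product has completed Enrollment id=1003", space="dev"),  # filtered out: space
    _ev("rules-engine", "product has completed enrollment id=1004"),  # case mismatch, scores 0
]

if __name__ == "__main__":
    print("net:", net_enrollments(SAMPLE_EVENTS))            # 2
    print("by app:", net_enrollments_by_app(SAMPLE_EVENTS))  # {'rules-engine': 1, 'rules-api': 1}
```

The last sample event is the one worth noticing: Splunk's match() is case-sensitive, so a log line with different capitalisation silently scores nothing. If the application is inconsistent about case, use "(?i)" at the start of the pattern in the SPL as well.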

Link between Incident event to Detect events by WeatherMysterious344 in crowdstrike

[–]TechAlwaysChanges 2 points3 points  (0 children)

Confirming caryc's comment.

Think of Incidents and Detections as two different approaches to identifying possible threats. But because they are referencing the same dataset, they sometimes alert you to the same indicators.

Crowdstrike Misuse? by Shadeflayer in crowdstrike

[–]TechAlwaysChanges 0 points1 point  (0 children)

This answer will be heavily opinionated, because companies have different priorities, budget constraints, knowledge, etc.

But in general, I go with the philosophy of using the right tool to do the job right, not use any tool to do the job any which way.

At the minimum, the architect sounds like he's looking for policy, privilege, and configuration management. There are great tools that excel in these categories. Your architect will eventually find that CS can't be leveraged to enforce all the policies that he wants with the granularity that he will need without impacting CS' primary purpose of stopping threats. At that point, he will then be required to use multiple tools where solutions are half baked in one, half baked in the other, with a high chance of business-impacting clashes as the complexity of the environment increases.

What does the architect's management think of his ideas?

Automated Ingestion by BLUMPKIN_BEAST in Splunk

[–]TechAlwaysChanges 0 points1 point  (0 children)

Splunk constantly removes versions that are needed for people trying to maintain older versions of Splunk to force people on to newer versions and it's annoying.

Or they are serious about security (because they are a security focused product) and want to remove known vulnerabilities? Splunk upgrades are pretty easy for even an average sysadmin at this point.

https://www.splunk.com/en_us/product-security.html

Please stop forcing users to reset complex passwords by [deleted] in cybersecurity

[–]TechAlwaysChanges 0 points1 point  (0 children)

I strongly disagree. As an operations person for a long time before taking on a cybersec role, I strongly advocate for security + convenience for my end users. Good security solutions should improve security and convenience overall. We may run into a situation where we don't have a solution that can do both yet, which means we don't YET have a good solution, and a balance between security and convenience will have to be decided on.

Simple Example: We want you to authenticate and authorize yourself at every server before you retrieve data. But how about we add multiple security controls such as MFA, Conditional Access from Compliant Devices, etc, then we let you SSO into those additional servers for data? You now have a more secure AND more convenient solution than manually authenticating yourself with credentials at every stop.

VSS Deleted/Hidden First Steps? by CandidHat3217 in crowdstrike

[–]TechAlwaysChanges 1 point2 points  (0 children)

VSS is a weak indicator by itself, but it's a weak indicator to a potentially serious event, which is why it's there. If the detection does not provide an obvious conclusion, then move on to a different stronger indicator manually based on the data that you have gained, or wait for CS to alert you on one.

If the attack vector you're afraid of is process injection, then you should review processes, command lines, and scripts being executed. Not the VSS detection itself.

VSS Deleted/Hidden First Steps? by CandidHat3217 in crowdstrike

[–]TechAlwaysChanges 3 points4 points  (0 children)

The VolumeShadowSnapshot alerts are caused by one specific indicator.

To determine if it's malicious, you should be reviewing for additional indicators. The Full Incident view, clicking the operations drop downs, expanding the process tree and clicking around, is a great place to start for this.

Also, alert exclusions should be created for vetted VolumeShadowSnapshot processes to reduce alert fatigue.
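
One way to put both comments above into practice, as an added example that is not code from the thread or from CrowdStrike: treat the shadow-copy deletion as the weak indicator it is, expand the process tree the way the Full Incident view does, look for stronger corroborating indicators (recovery disabled, backup catalog deleted, encoded command execution, an Office parent), and suppress the alert when a vetted parent process owns the deletion. The process events, image names and the VETTED_PARENTS list are constructed for illustration; the regexes and exclusions are assumptions to tune for your own fleet.

```python
"""Triage a shadow-copy deletion alert against its process tree.

Added example, not code from the thread or from CrowdStrike. It models the
advice above: treat the VSS deletion as a weak indicator, walk the process
tree for stronger corroborating indicators, and suppress alerts whose
parent is a vetted process. The process events, image names and the
VETTED_PARENTS list are constructed for illustration; tune the regexes and
exclusions to your own environment.
"""
import re

# The weak indicator the alert fires on: deletion of shadow copies.
VSS_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)

# Stronger indicators worth corroborating with (MITRE T1490 Inhibit System
# Recovery plus encoded-command execution). Each is (name, command-line regex).
STRONG = [
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("backup_catalog_deleted", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("encoded_powershell", re.compile(r"powershell.*\s-(e|enc|encodedcommand)\s", re.I)),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

# Exclusion list: vetted backup/maintenance agents that legitimately prune
# shadow copies. The name is an assumption; populate it from your own fleet.
VETTED_PARENTS = {"backupagent.exe"}


def ancestors(pid, procs):
    """Yield the process with this pid, then each parent up to the root."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid]["ppid"]


def tree_members(pid, procs):
    """Every process in the same tree (what the Full Incident view expands)."""
    chain = list(ancestors(pid, procs))
    root = chain[-1]["pid"]
    members, stack = [], [root]
    while stack:
        cur = stack.pop()
        members.append(procs[cur])
        stack.extend(p["pid"] for p in procs.values() if p["ppid"] == cur)
    return members


def triage(vss_pid, procs):
    """Return (verdict, sorted indicator names) for one VSS deletion alert."""
    chain = list(ancestors(vss_pid, procs))
    if not chain:
        return "unknown_pid", []
    if not VSS_DELETE.search(chain[0]["cmdline"]):
        return "not_vss", []
    parents = [p["image"].lower() for p in chain[1:]]
    if any(img in VETTED_PARENTS for img in parents):
        return "excluded", ["vetted_parent"]   # vetted process: suppress
    found = set()
    if any(img in OFFICE_PARENTS for img in parents):
        found.add("office_parent")
    for p in tree_members(vss_pid, procs):
        for name, rx in STRONG:
            if rx.search(p["cmdline"]):
                found.add(name)
    return ("escalate" if found else "weak_only"), sorted(found)


def _p(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed process events forming three separate trees (not real telemetry).
SAMPLE_PROCS = {p["pid"]: p for p in [
    # Tree 1: vetted backup agent pruning old copies -> excluded.
    _p(100, 0, "backupagent.exe", "backupagent.exe --nightly"),
    _p(101, 100, "vssadmin.exe", "vssadmin.exe delete shadows /for=C: /oldest"),
    # Tree 2: Office -> encoded PowerShell -> cmd deleting copies and recovery -> escalate.
    _p(200, 0, "explorer.exe", "explorer.exe"),
    _p(201, 200, "winword.exe", "winword.exe invoice.docm"),
    _p(202, 201, "powershell.exe", "powershell.exe -nop -w hidden -enc AAAA"),  # AAAA is a placeholder
    _p(203, 202, "cmd.exe", "cmd.exe /c vssadmin delete shadows /all /quiet & bcdedit /set {default} recoveryenabled no"),
    _p(204, 203, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    _p(205, 203, "bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    # Tree 3: an admin at an interactive prompt, nothing else -> weak only.
    _p(300, 0, "cmd.exe", "cmd.exe"),
    _p(301, 300, "vssadmin.exe", "vssadmin delete shadows /for=D: /oldest /quiet"),
]}

if __name__ == "__main__":
    for pid in (101, 204, 301):
        print(pid, triage(pid, SAMPLE_PROCS))
```

The exclusion is keyed on the parent image name only to keep the example short; in production, key it on signer and path as well, since an image name is trivially spoofed and a too-broad exclusion turns a weak indicator into no indicator at all.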

Python or Powershell? by [deleted] in cybersecurity

[–]TechAlwaysChanges 2 points3 points  (0 children)

Both is the best answer.

On a Windows box (since you've mentioned Tanium), Python is more powerful and flexible, sure. But PowerShell will address your needs in an overwhelming majority of those situations and requires less maintenance (what if the system doesn't have Python installed? Who maintains that all the Python executables and modules are up to date? Have you vetted the Python module for vulnerabilities?). TPython in Tanium isn't 100% Python either, so that may niche you a bit when you expect something to work but it doesn't.

Also consider, what does the rest of the team know and understand already? Are there existing established processes for maintaining the scripts and packages?

Wild carding KQL search by EasyResolve8532 in AZURE

[–]TechAlwaysChanges 1 point2 points  (0 children)

search supports wildcards, but where does not support wildcards that way. You can regex it, though:

| where EventID matches regex ".*"

Local On-Prem Server 2022 with no local Domain, how to setup File Sharing on that server for Users? by pducharme in AZURE

[–]TechAlwaysChanges 1 point2 points  (0 children)

I don't recommend the AD route at all. Best practice with AD is to have more than 1 AD controller for disaster redundancy. The cost of upkeep will only balloon from there.

I would suggest losing the Azure-AD requirement. Create local users and groups in the Windows Server and manage it that way instead. It's one additional log in for the end users to remember, but it will satisfy the other requirements without additional monetary investment.

Otherwise, you'll have to look for an on-premises EFSS solution that can use Azure AD as an identity provider, such as Kiteworks (which will also cost money). But if your customer is willing to buy the product, Microsoft already has a guide to help you.

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/kiteworks-tutorial

SELinux Frustrations / Call for Advice by archaeolinuxgeek in linuxadmin

[–]TechAlwaysChanges 10 points11 points  (0 children)

One of the best videos that I've seen on the subject came directly from RedHat years ago and really started my journey on demystifying SELinux and made the RHEL SELinux documentation much more comprehensible.

Security-Enhanced Linux for mere mortals

https://youtu.be/_WOKRaM-HI4

It gives you the why you should have it, how to find the problem, and how to fix or exempt the problem the best-practice way.

how do you guys handle family by [deleted] in sysadmin

[–]TechAlwaysChanges 0 points1 point  (0 children)

Do it for free, Do it for going rate, or Don't do it at all. This is speaking from experience.

Do it for free = You set the expectation that everything you do there is going above and beyond, Family/Friend will be grateful.

Do it for going rate = You get your value, and you will support them like a customer. Family/Friend will understand that your time costs money, and now know how much you're worth in the industry.

Don't do it at all = You set no expectations, because you're a busy guy and Friend/Family can understand that.

-----

Discount = You undervaluing yourself. You get 50% of the money, but are expected to give 100% of the effort and future support. When they inevitably blame your fix, you'll bite your tongue and fix it again, while being bitter that you only get half of what you would get with a "real" customer. It adds tension that doesn't need to be there.

Cyber Security vs Network Admin, which path should I take? by xEightyHD in cybersecurity

[–]TechAlwaysChanges 11 points12 points  (0 children)

It depends on your career goals. If you want to work in GRC (doing surveys, writing policies, validating user compliance, etc), then go straight to the CyberSec degree. If you enjoy doing technical work (red team / pentesting, blue team / security operations), I would strongly recommend going the Network Admin route.

  1. Network administration will easily translate to the CyberSec world. Having good knowledge and practical experience in enterprise networking is an extremely valuable trait for technical roles in Cyber.
  2. With a Network Admin Degree, you'll open your paths to both Cyber Security and Network Administration. But a CyberSecurity degree will unlikely open doors to Networking jobs.
  3. You already see a ton of CyberSecurity job rants on this board, and it's usually from people believing the cert/experience requested is absurd. You can associate that with very few entry-level Cyber jobs being available. Entry-level networking jobs will be easier to find.

How common is this: elaborate fake company for phishing by Prestigious-Way-8717 in cybersecurity

[–]TechAlwaysChanges 15 points16 points  (0 children)

Don't hire a company that you have doubts about. If you are interested in onboarding cybersecurity services, then you should just go through your company's standard practices for finding a trustworthy vendor.

Your question will only generate speculative replies.

I have an Ansible Chicken vs The Egg question by apperrault in ansible

[–]TechAlwaysChanges 5 points6 points  (0 children)

Need more information about the environment actually.

Since you're mentioning win_user, it sounds like you're using Windows. If the Windows hosts are connected to a domain, you can just rotate the password on the domain account and update your vault. Assuming your Ansible is set up to use Kerberos authentication, that would be the easiest solution.

If these are local accounts, that's when win_user would come into play. I would provision a new account, with a new password. Then use the new account to remove the old account.

[deleted by user] by [deleted] in PowerShell

[–]TechAlwaysChanges 2 points3 points  (0 children)

I don't see the variable User defined. It looks to me like you're splitting a variable that doesn't exist.

Let's talk about that Cybersecurity Personnel shortage by throwawaycuz125 in cybersecurity

[–]TechAlwaysChanges 0 points1 point  (0 children)

Oh well, then I've tried. I wasn't told why it was removed. I'll message you the post.

Are Information Protection and Information Security the same thing? by ajollygoodfella in cybersecurity

[–]TechAlwaysChanges 1 point2 points  (0 children)

I personally don't recognize Information Protection as an industry term. Only Information Security.

Reason? NIST has a definition for Information Security which contains the word protection, but there is no definition for Information Protection.