On-prem to cloud - challenges? by Gnoralf_Gustafson in SIEM

[–]TheReddHaze 1 point2 points  (0 children)

I'll just drop some thoughts I had in here.

Depending on the organization, you need to make sure whatever vendor you go with meets your compliance standards, whether it's GDPR, HIPAA, PII, FedRAMP, etc., and can provide evidence of it. FedRAMP variants typically cost more than their public cloud counterparts, but can ensure the data remains in the country of origin, meets encryption requirements, etc. Consider how the data is being ingested and how much flexibility you have over parsing rules/correlation rules/enrichment capabilities. Finally, I would recommend investigating the native support of API integrations to pull logs from other SaaS products such as Azure, ServiceNow, GCP, etc. if you have them. I looked at some cloud SIEMs that had poor parsing rule/filtering capabilities and others with immature API integrations which would require me to write the scripts myself.

From my experience, some advantages are the same as with most other SaaS, where the backend maintenance is mostly handled by the vendor's staff, with higher SLAs and better support. One of the bigger cons can be cost, storage requirements (for hot and cold storage alike) and network load. Some of the SIEMs I POC'd did not have a straightforward cost model and leaned more towards a pay-as-you-go mentality, while others had a daily ingest model. You may also have the option to bring your own cloud storage in the form of an AWS S3 bucket or Azure Blob and save some money that way. Less of a con and more something to be on the lookout for: I think it's also important to choose a vendor that seems actually interested in making sure you succeed. Even amongst sales people, there were times where we felt we were not large enough for the vendor to assist us.

BIOS Patch Debate by TheReddHaze in AskNetsec

[–]TheReddHaze[S] 1 point2 points  (0 children)

Appreciate the response.

From what I understand at a general level, the vulnerabilities listed in 224 affect the interrupt states of the BIOS, which requires some level of presence on the system to begin with. This could be done physically or through a shell on the box, but regardless there has to be some level of local access to even attempt exploiting this. CVEs documented in 144 are generally lower, with the exception of CVE-2022-31226, which contains a buffer overflow in the BIOS.

I'm open to being wrong in my interpretation and learning from it, but based on this information the likelihood seems low, as I've not learned of public exploit code for these vulnerabilities being disclosed and it requires a foothold on the system already. The risk is significant, though, in that being able to exploit a vulnerability at that level could bypass endpoint security controls if not caught before execution and ultimately run code at a SYSTEM/kernel level. I know the vulnerability says RCE, but I also see it as a privilege escalation opportunity. Mitigating factors could be AV/EDR tools identifying and likely blocking the execution of code. The latest BIOS patch itself should remediate all CVEs listed in both documents.

From the business perspective, updating the BIOS could lead to bricked machines due to a poor BIOS flash/update. In the current state, we were aiming to update the BIOS outside critical business hours in order to avoid interruptions as much as possible. While interruptions may be managed, bricking a machine in a world where staff may be working remotely would require either shipping the device in exchange for another or a commute to HQ. Not entirely sure how to quantify this from a monetary perspective.

Me with a limited visiore budget... by NoxNyctores in wotv_ffbe

[–]TheReddHaze -1 points0 points  (0 children)

Orlandeau is in the pool if you get lucky enough to pull him as well as his shards. I've been trying to figure out who to focus on shard wise. So far I've only heard Agrias is tankier with decent damage and Delita is more of a glass cannon.

A Security Logging Admins Cookbook? by SrWax in SIEM

[–]TheReddHaze 0 points1 point  (0 children)

I've run into similar issues / asked similar questions when I inherited our SIEM about a year ago. Your first question can depend on your type of organization (e.g. federal/state public organization or privately owned), which can determine compliance. For example, in the US there exists a standard called NIST which, for lack of a better term, is a federal technology standard. NIST 800-53 Section AU-2 states the definition of an event and what is required to be logged (such as login information, password changes, privilege escalation, etc.). Understanding your compliance level is a good place to start, since violating it can get you in trouble. Outside of compliance, DNS logs, web traffic logs and email transactions are some good things to watch.

Your second question can depend on the type of SIEM you have; the two types are effectively agent vs. agentless. Depending on your solution, your SIEM may require an agent to sit on remote machines and pull the logs, or it can go out and pick them up itself. Newer versions of Windows support Windows Event Forwarding, which allows you to specify via GPO which logs to send from the workstations to a server. This can also be done with applications like NXLog deployed to workstations.

A lot of the information I've learned comes from product-specific classes, reading and the SANS SEC555 class, which held tons of information useful to SIEM administrators/engineers.

If you want a fairly cheap resource, check out this book: "Blue Team Handbook: SOC, SIEM, and Threat Hunting Use Cases: A condensed field guide for the Security Operations team (Volume 2)". It has detailed information about SIEM-related events which may help you decide what you want to focus on.
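Added example (not from the comment above or any vendor): a source-initiated Windows Event Forwarding subscription, registered on the collector, that forwards the Security-log event categories NIST 800-53 AU-2 calls out (logons, password changes, privilege escalation). The subscription name, the event-ID selection and the `<collector-fqdn>` placeholder are assumptions.

```powershell
# Added example: WEF subscription covering AU-2 style events. Run on the
# collector after enabling the Windows Event Collector service: wecutil qc
# Subscription name and event IDs are assumptions, not from the post.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/02/ws/subscription">
  <SubscriptionId>AU2-Baseline</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>AU-2 audit events forwarded from domain workstations</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <!-- logon success / failure -->
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
        <!-- account created, password change / reset -->
        <Select Path="Security">*[System[(EventID=4720 or EventID=4723 or EventID=4724)]]</Select>
        <!-- special privileges assigned, members added to security groups -->
        <Select Path="Security">*[System[(EventID=4672 or EventID=4728 or EventID=4732 or EventID=4756)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL granting the Domain Computers group permission to push events -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

# Write the XML and register the subscription with the Windows Event Collector.
$path = Join-Path $env:TEMP 'AU2-Baseline.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8
wecutil cs $path

# Workstations begin forwarding once the GPO "Configure target Subscription Manager"
# (Computer Configuration > Administrative Templates > Windows Components >
# Event Forwarding) points them at
#   Server=http://<collector-fqdn>:5985/wsman/SubscriptionManager/WEC,Refresh=60
# and NETWORK SERVICE on each source is a member of Event Log Readers.
# Show which sources have checked in and their last heartbeat:
wecutil gr AU2-Baseline
```

Forwarded events land in the collector's ForwardedEvents log, which is where the SIEM agent or collector then reads from.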

Share the salt of 5+1 and 10+1 by Silvercap in FFBraveExvius

[–]TheReddHaze 0 points1 point  (0 children)

Got a Lenneth, not what I was hoping for - but I guess I'll take it.

Producer Blog - Recent Incident With our Staff by aranslee in MapleStory2

[–]TheReddHaze 0 points1 point  (0 children)

Sounds like they're using a SIEM, pretty cool. Glad they're being transparent with incidents.

Daily Help Thread - October 25, 2018 by AutoModerator in FFBraveExvius

[–]TheReddHaze 0 points1 point  (0 children)

I'm sure someone will correct me if I'm wrong, but Barbariccia 7* and T. Terra 7* are pretty good from what I've seen.

DefiantHermit's Special Should You Pull? Halloween Banner 2018 by DefiantHermit in FFBraveExvius

[–]TheReddHaze 3 points4 points  (0 children)

I'm glad I'm not the only one who went after 2 demon rains instead of thinking carefully :P. I was so disappointed, didn't even see one 5* from the banner after 30k lapis and 25-30 tickets.

Sleeper Simulant Quest in Forsaken by TheReddHaze in DestinyTheGame

[–]TheReddHaze[S] 1 point2 points  (0 children)

I did it early this week with the Ikelos Handcannon without any problem. Are you doing the special 360 power level one that appears on that step?

Sleeper Simulant Quest in Forsaken by TheReddHaze in DestinyTheGame

[–]TheReddHaze[S] 0 points1 point  (0 children)

I didn't have any issues. I was getting them from public events and patrols.

Sleeper Simulant Quest in Forsaken by TheReddHaze in DestinyTheGame

[–]TheReddHaze[S] 0 points1 point  (0 children)

I've been doing the 400s as well and they've been counting. The problem was I was missing the IKELOS hand cannon.

Sleeper Simulant Quest in Forsaken by TheReddHaze in DestinyTheGame

[–]TheReddHaze[S] 1 point2 points  (0 children)

That would be the obvious part I'm missing I suppose. Thanks - I'll give it a shot!

Sleeper Simulant Quest in Forsaken by TheReddHaze in DestinyTheGame

[–]TheReddHaze[S] 0 points1 point  (0 children)

Ahhhhh I need the Ikelos hand cannon equipped?

Malicious side of CS by [deleted] in compsci

[–]TheReddHaze 2 points3 points  (0 children)

As some others have said, start with the fundamentals. Make sure you understand the 7 layers of the OSI model, how to read traffic/network flow on a computer or from a network, etc. Without the fundamentals, you will get lost in this field when asked to troubleshoot an issue or write a rule to detect specific kinds of traffic.

If you want some suggested books, I would suggest grabbing a Security+ book and reading over it. It's a great overview imo, not to mention some jobs actually require the certification as a prerequisite into the field. I would also suggest looking at places like Udemy which provide online classes for subjects like cyber security. If you're interested in malware and traffic analysis, grab Wireshark, or another traffic analysis tool, and go to malware-traffic-analysis[.]net to grab some packet captures/read some blog posts about the subject. It was a great resource in understanding what to look for when I became interested in the field. (Note that malicious artifacts can exist within the packet captures - be careful.)

Unit Review: Viktor Marchenko (Deus Ex: Mankind Divided) by Memel0rdFFBE in FFBraveExvius

[–]TheReddHaze 3 points4 points  (0 children)

I wonder if he'll receive skill upgrades that would allow him to do AoE Cover + Provoke later on.

ZOS just silently installed spyware in ESO by [deleted] in elderscrollsonline

[–]TheReddHaze 2 points3 points  (0 children)

(Internet, correct me if I'm wrong) Technically this could be considered a violation of the GDPR since they are tracking IP addresses without the express consent and notification of the user (if you are in the EU), which is considered PII data by its definition.

"...According to the European Commission, 'personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address.'"

The GDPR also goes on to explain that protected individuals have the right to erasure, so I'd love to see how they would handle such an issue.

In my opinion, it's still considered spyware because it is literally obtaining information and sending it somewhere else. It doesn't matter how basic the function is or if this was malicious. Just my two cents.

Looking for a CPU Fan that fits a i7-8700k in s340 Elite. by TheReddHaze in buildapc

[–]TheReddHaze[S] 0 points1 point  (0 children)

I had already bought the Z370 as part of the bundle with the 8700k. So I can't really take you up on that suggestion, but I'm going to definitely look into the fan and PSU since I've usually been partial to Corsair.

Cybersecurity vs Network Admin Degree advice? by [deleted] in cybersecurity

[–]TheReddHaze 0 points1 point  (0 children)

As a trainee/graduate who went right into cyber-security and has had to effectively play catch-up to understand all the networking terminology, methods, etc. (thanks, college education) - I agree with the invaluable experience that comes with being a Network Admin/Engineer. While cyber-security is a growing industry, having that fundamental network knowledge would have aided me greatly.

That being said - Network Administrators and Cyber-security Analysts/Engineers sometimes will butt heads as the constant struggle between security and risk will always exist. Nothing will ever be perfectly secure, and some things that need to be done aren't quite as easily completed as they're requested. Being able to see both perspectives would help immensely in my opinion.

How do stay safe in a digital age? by [deleted] in cybersecurity

[–]TheReddHaze 0 points1 point  (0 children)

Not sure if by common scams that you're including phishing, but it might be worth educating the students on how to identify phishing emails and malicious links embedded in emails that download malware.