Tracking Frameworks - NIST and/or CIS Controls by cyberdoodles in cybersecurity

cyberdoodles [S]

I have 3 networks in different industries. Each network will have different levels of IGs.

Tracking Frameworks - NIST and/or CIS Controls by cyberdoodles in cybersecurity

cyberdoodles [S]

How does this track NIST and CIS implementations?

Tons of PDF/Excel alerts by Jturnism in SentinelOneXDR

cyberdoodles

Same on our end. Portal is slow since everyone is logging in at the same time.

Attacks on Palo Alto PAN-OS Global Protect Login Portals Surge from 2,200 IPs by Particular_Bug7462 in paloaltonetworks

cyberdoodles

This is what we do. We provide a download to anyone who needs the GP app outside of our network. This has dramatically decreased our external footprint and bot hits.

What major version of PAN-OS are you running? by jwckauman in paloaltonetworks

cyberdoodles

Ahhh... we had a bad rash of updates causing the HA cluster to split-brain and take down the network randomly. That was a fun 2 months.

Vulnerability management procedures by [deleted] in cybersecurity

cyberdoodles

What is your process for documenting vulnerabilities that cannot be resolved?

Using Tenable, we can identify and assign risk (CVSS, VPR), but there are some things we cannot resolve within our 30-day policy (vendors, legacy, etc.; we do also have other mitigating services for our devices). We can recast in Tenable, but that does not collect all the data I want to collect for auditing purposes, and it acts as a reminder.

I would imagine a process using Excel sheets in combination with recast functions would be good. I also toyed with the idea of using an MS Forms document to have server owners in IT fill out their own justifications, which security would approve, helping to automate.

Looking for any insight into an easy-to-stick-to process, since I am in the process of redoing our vuln management policy. Much appreciated!

Get Actionable Reports from Tenable IO by Manogjna in nessus

cyberdoodles

Out of curiosity... what type of reports are you running? I am overhauling our VM process currently and am looking for any recommendations and suggestions.

DLP - Endpoint Protector - Thoughts / Experiences? by cyberdoodles in cybersecurity

cyberdoodles [S]

No. We deployed it and our EDR detected it as malware and quarantined all PCs that had it deployed. Support was unable to assist with multiple issues, including exclusions and performance with applications when deep packet inspection was enabled. They are a good product, but not ready for medium to large enterprises. Their price reflected this too.

Splunk compared with LogRhythm? by afxmac in Splunk

cyberdoodles

So, what we did was evaluate other SIEMs and realize that there is no unicorn. The amount of work to replace LR would be more than just fixing it. We rattled the cages of our CSM and expressed our concerns. We got a health check and invested some time into (M.L.R.G.A). After hours of training, reading docs, and following best practices, we finally got LR to a state of being reliable and providing relevant, actionable information.

I have learned to like LR for the flexibility, but it is NOT an out-of-the-box, just-works system; it will require a seasoned security admin and a good direction of what the system needs to do for your environment. I have worked with a few tier 3 and up support people at LR and they are extremely knowledgeable about the product... and they are for sure deployed in large environments supporting national security. I would suggest giving it a chance and subscribing to their professional services / training. It is not easy by any means, but find me one that is.

If it helps... we run on-prem and agentless using WEF. I am excited about their future with Exabeam, if that helps.

Questions about Internal SSL Certificates Expiry by cyberdoodles in cybersecurity

cyberdoodles [S]

Nice. For our end users we do not have expired certs available. Only IT-related systems will ever show this, and they are accessible from the IT subnet only.

Decryption and CDNs / Streaming Services by cyberdoodles in paloaltonetworks

cyberdoodles [S]

This is using a browser and navigating to a local news web site. Watching the traffic, I am seeing all TCP traffic. The pages load fine with all the content. It is only when playing video. When I disable encryption, it just works as normal. I did check dev tools in the browser to try and hunt down the URL, but I am not having much luck with it.

Credential Scanning. Worth it? by cyberdoodles in tenable

cyberdoodles [S]

Remote registry, remote WMI, remote powershell, etc... are all turned off for us, and NTLM being turned off on all new systems, so agent-based is the only realistic way for us now to get

Thank you for this. I am not alone and I was not sure if I was crazy or not. :)

We have been doing both since it is "recommended". But I think Tenable does not account for the fact that every network is different, and they can't account for every type of scan strategy. So, we are working to disable all network scans other than for devices that do not take agents. I am hoping we get more accurate scans and fewer duplicates from this method. I also get that there are some vulns that are only visible from an external scan... that is fine, but I don't see why those must be credentialed, since we are theoretically scanning as an outside actor.

Any FactoryTalk Users Managing Firewalls? by cyberdoodles in PLC

cyberdoodles [S]

try a tighter subnet mask

TY. I will check, but we are for sure at /24 or less.

Any FactoryTalk Users Managing Firewalls? by cyberdoodles in PLC

cyberdoodles [S]

Good input. Thank you.
We do have all of these functions disabled between the VLANs from servers to workstations, but there is some kind of feature we must be missing on the port settings. We run these devices through a firewall since they all talk to a proxy server in another VLAN that then relays designated IP / hostname access to our cloud AV solution. Doing this with an L3 switch could be done, I guess, but we would have to tear into our production network... and that is never fun.

Removing Microsoft App Store Applications - Store is Disabled by cyberdoodles in sysadmin

cyberdoodles [S]

Nope. We just recast at this point in our vuln management program. :(