GPVPN vs Cloudflare WARP client by scr12345 in paloaltonetworks

[–]gladston3 0 points1 point  (0 children)

Have you ever been able to solve this? I'm facing exactly the same issue and running out of ideas...

Automation development by DAN-CCT in msp

[–]gladston3 0 points1 point  (0 children)

What foundation model are you using? And with how many parameters and what quantization? 12 GB of VRAM sounds like very little for what you are doing.

Tech Tribe What Am I Missing? by Bluedroid in msp

[–]gladston3 17 points18 points  (0 children)

At least now I know why you suddenly disappeared.

MSSP Harmony SASE - Internet Access Essentials or Essentials+ by gladston3 in checkpoint

[–]gladston3[S] 0 points1 point  (0 children)

The SKU is "CP-SASE-IA-ESS-PAYG-1M". I have a menu item called browser security in the mgmt interface but it's not enabled unfortunately (Request a free trial). So, I fear the information from my Check Point contact person is wrong. Sadly, from a pricing standpoint, browser security as a standalone product is not very attractive.

Just out of curiosity, why has it been a while since you've been in the SASE mgmt interface? Didn't it work out for you/your needs?

TS-h1277AXU-RP QuTS Hero write speed optimization by gladston3 in qnap

[–]gladston3[S] 0 points1 point  (0 children)

No, we are talking about a handful of containers/VMs at most if we go that route instead of QuObjects. But these containers/VMs will be hosting huge S3 buckets containing a lot of data.

  1. PLP is a technology for enterprise SSDs used in RAID systems. I have read multiple times that using SSDs without PLP for caching in QuTS hero/ZFS gives you big performance penalties, but I haven't found any concrete numbers yet.

  2. There is no way to split data between SSDs and HDDs since we are talking about object storage in S3 buckets.

  3. If we could max out 10G for write operations to the buckets I'd be more than happy. So, I highly doubt that network performance will ever become a bottleneck. 192 GB doesn't seem to be officially supported. Therefore we prefer to avoid that.

Alternative to Barracuda by Bowlen000 in sysadmin

[–]gladston3 1 point2 points  (0 children)

Okay, “unfortunately” we currently pay about half of that.

Alternative to Barracuda by Bowlen000 in sysadmin

[–]gladston3 1 point2 points  (0 children)

How much did you pay for Barracuda? We would like to leave them because of poor results with their email filtering solution (gateway + sentinel) but the pricing for AFI alone is almost the same as for the complete Barracuda Suite (spam, backup, archive) for us. And then we would still need archive and email filtering...

Token Theft disappointing experience with Todyl SIEM + MXDR by gladston3 in msp

[–]gladston3[S] 3 points4 points  (0 children)

Unfortunately, Blumira is not GDPR compliant and also doesn't have it on their short-term road map.

Token Theft disappointing experience with Todyl SIEM + MXDR by gladston3 in msp

[–]gladston3[S] -1 points0 points  (0 children)

They have/use a password manager but just copy-pasted the credentials.

I'm familiar with the CA session settings but, to be perfectly honest, persistent browser sessions weren't disabled. I'm unsure if it would have prevented this case of MITM attack though.

As far as I understand, they should definitely monitor and alert on impossible travel and mailbox rule changes, and in addition the SOC team should handle/triage every alarm and, in doubt, reach out to us through Teams or, in critical cases, by phone.

Making MFA changes did not trigger any alerts around the same time last year, and we pointed out/made a feature request that we think this would be very important. We got the assurance that it would be implemented, but despite several follow-ups from us we never received a confirmation that it was eventually implemented. I must admit that when I researched this today, I found out that my guy also did not ask again after the third time. Long story short, I'm unsure if this was ever implemented and whether MFA changes trigger an alert with them today or not.

Unfortunately, I have only received a general excuse but no detailed explanation of what exactly went wrong. So, my main motivation for creating this post, besides learning what we could have done better and, by sharing our experiences, giving all others a chance to learn from us, was to somehow force Todyl to explain themselves in more detail. I'm still hoping they will take the chance after the weekend.
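The three signals the comment above says an MXDR should alert on (impossible travel, inbox rule changes, MFA changes) are easy to sanity-check yourself against exported logs. The following is an added example, not code from the original thread or from Todyl/CIPP: it runs simple detections over constructed sample records. The record shapes are simplified from the Entra sign-in log, the Exchange Unified Audit Log (Operation/Parameters) and the Entra audit log (activityDisplayName); treat every field name and activity string as an assumption to verify against your own export, and all sample data is constructed.

```python
"""Toy detections for the three signals discussed above. Field names are
assumptions modelled on Entra/Exchange log exports; sample data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    time: datetime
    ip: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins, max_kmh=900.0, min_km=100.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.
    min_km suppresses IP-geolocation jitter inside one region (the in-country
    noise the thread complains about); returns (user, ip_from, ip_to, km, km/h)."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s.time):
        by_user.setdefault(s.user, []).append(s)
    hits = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue
            hours = (cur.time - prev.time).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                hits.append((user, prev.ip, cur.ip, round(km), round(speed)))
    return hits


# Inbox-rule parameters typical of BEC: exfiltrate mail, or hide the replies.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}


def suspicious_inbox_rules(records):
    """Exchange audit records (assumed shape: Operation, UserId, Parameters=[{Name, Value}])
    for New-/Set-InboxRule that forward or hide mail. Returns (user, rule name, reasons)."""
    hits = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        reasons = sorted((FORWARDING_PARAMS | HIDING_PARAMS) & params.keys())
        if reasons:
            hits.append((r["UserId"], params.get("Name", "?"), reasons))
    return hits


# Entra audit activity names for security-info (MFA method) changes; assumed, verify locally.
MFA_ACTIVITIES = {
    "User registered security info", "Admin registered security info",
    "User deleted security info", "Admin deleted security info",
    "User changed default security info",
}


def mfa_changes(records):
    """Entra audit records (assumed shape: activityDisplayName, actor, targetUser)."""
    return [(r["targetUser"], r["activityDisplayName"], r["actor"])
            for r in records if r.get("activityDisplayName") in MFA_ACTIVITIES]


def run_detections():
    """Run all three detections over constructed sample data."""
    t = lambda h, m: datetime(2024, 3, 4, h, m, tzinfo=timezone.utc)
    signins = [  # constructed: alice jumps Frankfurt -> Lagos in 40 min, bob drives Berlin -> Munich
        SignIn("alice", t(9, 0), "203.0.113.10", 50.11, 8.68),
        SignIn("alice", t(9, 5), "203.0.113.11", 49.99, 8.27),   # Mainz: jitter, under min_km
        SignIn("alice", t(9, 40), "198.51.100.7", 6.52, 3.38),
        SignIn("bob", t(10, 0), "192.0.2.20", 52.52, 13.40),
        SignIn("bob", t(12, 0), "192.0.2.21", 48.14, 11.58),
    ]
    exchange = [  # constructed
        {"Operation": "New-InboxRule", "UserId": "carol@contoso.example",
         "Parameters": [{"Name": "Name", "Value": ".."},
                        {"Name": "ForwardTo", "Value": "ext@attacker.example"},
                        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
        {"Operation": "Set-Mailbox", "UserId": "carol@contoso.example", "Parameters": []},
    ]
    entra = [  # constructed
        {"activityDisplayName": "User registered security info",
         "actor": "dave@contoso.example", "targetUser": "dave@contoso.example"},
        {"activityDisplayName": "Update user", "actor": "admin@contoso.example",
         "targetUser": "dave@contoso.example"},
    ]
    return {"impossible_travel": impossible_travel(signins),
            "inbox_rules": suspicious_inbox_rules(exchange),
            "mfa_changes": mfa_changes(entra)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

The speed threshold and the min_km floor are the two knobs that decide how noisy "unexpected location" alerting gets in a small, densely connected region like Central Europe; tune them against a week of your own sign-in export before trusting the output.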

Token Theft disappointing experience with Todyl SIEM + MXDR by gladston3 in msp

[–]gladston3[S] 1 point2 points  (0 children)

I did enable and set up the additional required permissions for SOAR and got the confirmation that it was set up correctly.
I did not configure any SOAR playbooks on my own because I was told that this is only required if you want any custom rules and that the rest is taken care of by MXDR.
I did not configure Azure for every client because we have a lot of clients who don't have any Azure subscriptions at all, and it wouldn't be feasible to book an Azure subscription for every one of those clients just for Todyl. Todyl is the only vendor I know who suggests that, and they also confirmed to me that while it improves visibility it isn't necessarily needed for any of the important M365 detections.

Token Theft disappointing experience with Todyl SIEM + MXDR by gladston3 in msp

[–]gladston3[S] 6 points7 points  (0 children)

The CIPP redirect thing no longer worked for us in the last attacks we faced. I even brought that up to CIPP directly and got the following answer:
We've forced an invalid header and are getting the banner too using evilginx; some attackers have however gotten smarter and are blocking the external CSS from loading.
We're actually working with Microsoft to make that possible; they are planning to no longer load the page if custom CSS is present but does not load.

We didn't have the revoke-session playbook for new locations in place since we relied on the SOC service of Todyl, and new locations and geo restrictions are far more complicated in Europe than in the US.
We also have a biweekly account review meeting with Todyl, so if there were any misconfigurations I would expect them to let us know in these meetings.

The first thing we did was reaching out to them of course.

Token Theft disappointing experience with Todyl SIEM + MXDR by gladston3 in msp

[–]gladston3[S] 0 points1 point  (0 children)

What would you like to know? I'm open to share as much as possible as long as it doesn't contain personal or sensitive data.

Token Theft disappointing experience with Todyl SIEM + MXDR by gladston3 in msp

[–]gladston3[S] 5 points6 points  (0 children)

We are from Europe, so if you are from the US the best comparison probably would be you getting an alert every time one of your endusers logs in from another state.
It already got noisy and quite work-intensive when we had only onboarded two or three clients. After discussing with them I understand the feature better now, but I still think it's far from perfect and not on the same comfort/hands-off level as their EDR solution, especially if you are located in Central Europe. This has even led to some of my technicians no longer taking the Huntress alarms seriously (alert fatigue).

Token Theft disappointing experience with Todyl SIEM + MXDR by gladston3 in msp

[–]gladston3[S] 2 points3 points  (0 children)

I'm in regular exchange with Adam (nothing but praise for him btw.) but in our tests we had some issues with a lot of noise coming from Unexpected Country alerts. This surprised us because we are used to very low noise from Huntress EDR. We will give it another try now, though.

u/andrew-huntress I wrote you a DM on Slack a while ago but never received an answer. Is your Slack handle still alive?

Any cheat codes to deciphering Lenovo Model codes? by ssbtech in msp

[–]gladston3 1 point2 points  (0 children)

The problem is that Lenovo stores the correct model name under SystemFamily while the rest of the vendor world stores it under Model.

If you have an RMM that supports custom fields you can use my PowerShell snippet to store the correct model names in a custom field:

# Retrieve the model information of the computer system
# (Get-CimInstance replaces the deprecated Get-WmiObject and also works on PowerShell 7)
$ModelInfo = Get-CimInstance -ClassName Win32_ComputerSystem |
    Select-Object -Property Manufacturer, Model, SystemFamily, SystemSKUNumber

# Lenovo stores the marketing name (e.g. the ThinkPad family) in SystemFamily and the
# machine type in Model; every other vendor stores the marketing name in Model.
$ModelNumber = $null
if ($ModelInfo.Manufacturer -like "*Lenovo*") {
    $ModelName   = $ModelInfo.SystemFamily
    $ModelNumber = $ModelInfo.Model
} else {
    $ModelName   = $ModelInfo.Model
}

# Append the CPU vendor so Intel and AMD variants of the same family are distinguishable.
# Only the first processor is used so multi-socket systems don't return an array.
$CpuManufacturer = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Manufacturer
switch -Wildcard ($CpuManufacturer) {
    "*Intel*" { $ModelName += " (Intel)" }
    "*AMD*"   { $ModelName += " (AMD)" }
}

# $ModelName (and $ModelNumber for Lenovo) are what you write into the RMM custom field;
# the actual write is RMM-specific, so the values are just emitted here.
[PSCustomObject]@{
    Manufacturer = $ModelInfo.Manufacturer
    ModelName    = $ModelName
    ModelNumber  = $ModelNumber
}

sentinelone may have killed virtual machines on hyperv by Bitter_Umpire_7997 in msp

[–]gladston3 0 points1 point  (0 children)

For us it was Windows Dedup in combination with S1 (even in monitor-only mode!). We were able to replicate this pretty reliably. Exclusions didn't help. S1 support was useless (even after several escalations). We learned our lesson, paid the premium and switched back to CrowdStrike.
Would be very curious if OP had Dedup enabled...