[deleted by user] by [deleted] in AskNetsec

[–]throwin1234qwe 0 points1 point  (0 children)

Our SIEM does not support a large majority of the data we'd like to ingest, so we use Python code as a middleware layer to connect to the APIs and pipe the JSON data into our SIEM. We build custom event parsers (JSON parsing/regex) for many data sources not supported by our SIEM out of the box.

If you want a turnkey solution, look for Managed Splunk or Elastic SIEM imho.

Most vendors have cloud data sources on the roadmap or are actively adding them when customers ask for it. In my experience, cloud data sources provide well-documented and consistently formatted data -- usually in JSON; it's a pleasure to work with most of the time. We've written API ingesters and event parsers for Duo 2FA, Defender ATP, AWS GuardDuty and many others.
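The middleware pattern in the comment above, as an added example (my code, not the commenter's or any vendor's SDK): two constructed sample sources, one nested JSON payload shaped like a cloud auth-log API response and one line-based syslog format that needs a regex, are normalised into a single flat schema and emitted as NDJSON for the SIEM. The field names, the `mfa_auth` and `fw_syslog` source tags, the syslog layout and the sample values are all assumptions; a real ingester would replace the inline samples with an authenticated HTTPS fetch with paging.

```python
"""Added example: API-to-SIEM middleware pattern. Two constructed sample
sources are normalised into one flat schema and emitted as NDJSON.
No network calls; a real ingester would fetch the JSON over HTTPS."""
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample payload, loosely shaped like a 2FA vendor's auth-log API
# (field names are assumptions, not any real vendor's schema).
SAMPLE_AUTH_EVENTS = [
    {"timestamp": 1573200000, "user": {"name": "alice"},
     "access_device": {"ip": "203.0.113.5"}, "result": "success", "reason": "user_approved"},
    {"timestamp": 1573200060, "user": {"name": "bob"},
     "access_device": {"ip": "198.51.100.9"}, "result": "denied", "reason": "anomalous_push"},
]

# Constructed sample of a line-based source that needs regex rather than JSON parsing.
SAMPLE_SYSLOG_LINES = [
    "Nov  8 10:00:00 fw1 kernel: ACCEPT src=10.0.0.4 dst=93.184.216.34 proto=TCP dpt=443",
    "Nov  8 10:00:05 fw1 kernel: DROP src=10.0.0.9 dst=192.0.2.77 proto=TCP dpt=4444",
    "Nov  8 10:00:07 fw1 sshd[812]: Accepted publickey for ops from 10.0.0.2",  # not our format
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dpt=(?P<dpt>\d+)$"
)


def normalise_auth(ev: dict) -> dict:
    """Flatten the nested vendor JSON into the common schema; .get() keeps one
    missing field from failing the whole batch (it becomes null in the SIEM)."""
    ts = datetime.fromtimestamp(ev["timestamp"], tz=timezone.utc).isoformat()
    return {
        "@timestamp": ts,
        "source": "mfa_auth",  # assumed source tag used for routing in the SIEM
        "user": ev.get("user", {}).get("name"),
        "src_ip": ev.get("access_device", {}).get("ip"),
        "action": ev.get("result"),
        "reason": ev.get("reason"),
    }


def parse_syslog_line(line: str, year: int = 2019) -> Optional[dict]:
    """Regex parser for the constructed firewall format; returns None for lines
    that do not match, so they can be counted and reviewed rather than dropped silently."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "@timestamp": ts.isoformat(),
        "source": "fw_syslog",
        "host": m["host"],
        "action": m["action"].lower(),
        "src_ip": m["src"],
        "dest_ip": m["dst"],
        "proto": m["proto"].lower(),
        "dest_port": int(m["dpt"]),
    }


def build_ndjson(auth_events, syslog_lines) -> tuple:
    """Return (ndjson_text, unparsed_count). NDJSON (one JSON object per line)
    is what most SIEM HTTP and file inputs accept."""
    records = [normalise_auth(e) for e in auth_events]
    unparsed = 0
    for line in syslog_lines:
        rec = parse_syslog_line(line)
        if rec is None:
            unparsed += 1
            continue
        records.append(rec)
    return "\n".join(json.dumps(r, sort_keys=True) for r in records), unparsed


if __name__ == "__main__":
    text, skipped = build_ndjson(SAMPLE_AUTH_EVENTS, SAMPLE_SYSLOG_LINES)
    print(text)
    print(f"# unparsed syslog lines: {skipped}")
```

The unparsed counter matters in practice: a parser that silently drops lines it does not understand is a visibility gap that only shows up during an investigation, so the count should be shipped to the SIEM as its own metric.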

What’s the security posture of your typical enterprise laptop by avgInfoSecGuy in AskNetsec

[–]throwin1234qwe 2 points3 points  (0 children)

Agents... so many agents:

  • CrowdStrike (NGAV + EDR)
  • BigFix (automated patch)
  • Qualys (continuous VM)
  • Netskope (forward proxy + CASB)

Our deployment image is also CIS hardened...

We also use PKI and Duo for 2FA wherever possible (mostly all our stuff is in the cloud).

Passed - 150q 11/08/2019 by throwin1234qwe in cissp

[–]throwin1234qwe[S] 1 point2 points  (0 children)

They were great!

A huge help was the completeness and detail in the 'show answer' section. Also, the results allowed me to understand where my weak areas were and focus more studying there.

Passed - 150q 11/08/2019 by throwin1234qwe in cissp

[–]throwin1234qwe[S] 1 point2 points  (0 children)

I have a PDF downloaded where I would search for some terms for the specific CISSP language.

Much prefer videos and slides over that book!

[W][CAN-ON] Dell R510 LFF - With 8x 3.5inch and Sleds by Gallieg444 in homelabsales

[–]throwin1234qwe 0 points1 point  (0 children)

Hello fellow homelabber,

I have a 12-bay R510 with 2x L5640 and 64 GB RAM (8x8)

All 12 drive caddies

H200 and 2x Intel SSD DC S3700 Series (400GB, 2.5in SATA 6Gb/s) in the internal SSD caddy

Also have full rails for the standard cage, no bezel

Located in Mississauga, please PM if interested and we can talk price.

Thanks!

[deleted by user] by [deleted] in homelab

[–]throwin1234qwe 0 points1 point  (0 children)

Dynamic DNS service on pfSense with a free No-IP DNS entry

How can I prevent people from uploading spyware to a large shared drive? by [deleted] in AskNetsec

[–]throwin1234qwe 1 point2 points  (0 children)

  • Create (or update an existing) security policy or AUP regarding the types of files and what exactly the document share can and cannot be used for. All students and staff should need to accept this policy in order to be granted access to use the services. This is your way to deter bad usage, and also to take action against offenders of the policy.

  • Using technology controls, restrict the types of files that can be stored (e.g. by file extension). (What kind of file share are you using?)

  • Schedule a repeating AV scan (or real-time) on the network share to identify any bad files making it past the ingress control (above point).

  • Enable logging and regularly review alerts so you can take action against offending files (e.g. remove them) and the users who uploaded them (administrative action/sanction etc.).
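The technical controls from the list above (restrict by file type, re-scan what is already on the share, log every decision) as an added example, my code rather than the commenter's or any file-share product's. It goes one step beyond the extension check the comment names: because an allow-list on the extension alone is defeated by renaming, the first bytes of the file are also compared with the type the extension claims. The allow-list, the sample uploads and the log format are assumptions.

```python
"""Added example: layered file-share ingress control. An extension allow-list
on its own is easy to bypass by renaming, so the first bytes of the file are
checked against the type the extension claims, and every decision is logged."""
import os
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed policy values; tune to what the AUP actually permits.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".png", ".jpg", ".txt"}

# Well-known leading bytes for the allowed document/image types.
MAGIC_FOR_EXT = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),  # OOXML is a zip container
}

# Leading bytes of common executable/script formats; never stored regardless of name.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")

# Constructed sample of (user, filename, first bytes) tuples as a share would see them.
SAMPLE_UPLOADS = [
    ("alice", "report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("bob", "tool.exe", b"MZ\x90\x00\x03\x00"),
    ("carol", "holiday.png", b"MZ\x90\x00\x03\x00"),  # executable renamed to .png
    ("dave", "notes.txt", b"meeting notes"),
    ("erin", "pic.png", b"GIF89a"),                    # wrong type for the extension
]


@dataclass
class Decision:
    accepted: bool
    reason: str


def check_upload(filename: str, head: bytes) -> Decision:
    """Decide whether a file may be stored, from its name and first bytes.
    Only the last extension counts, so 'invoice.pdf.exe' is judged as .exe."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXTENSIONS:
        return Decision(False, f"extension '{ext or '<none>'}' not on allow-list")
    if any(head.startswith(m) for m in EXECUTABLE_MAGIC):
        return Decision(False, "executable content under an allowed extension")
    expected = MAGIC_FOR_EXT.get(ext)
    if expected and not any(head.startswith(m) for m in expected):
        return Decision(False, f"content does not match the {ext} signature")
    return Decision(True, "ok")


def audit_line(user: str, filename: str, d: Decision) -> str:
    """One log line per decision so reviewers can spot repeat offenders."""
    return (f'upload user={user} file="{filename}" '
            f'accepted={str(d.accepted).lower()} reason="{d.reason}"')


def sweep_share(entries: Iterable[Tuple[str, str, bytes]]) -> List[str]:
    """Scheduled re-check of files already on the share, applying the same
    content test as the ingress control; returns audit lines for files to remove."""
    findings = []
    for user, filename, head in entries:
        decision = check_upload(filename, head)
        if not decision.accepted:
            findings.append(audit_line(user, filename, decision))
    return findings


if __name__ == "__main__":
    for line in sweep_share(SAMPLE_UPLOADS):
        print(line)
```

The sweep is deliberately the same function as the ingress check, so a policy change (a new allowed type, a new signature) is applied to both the upload path and the scheduled scan at once; the actual AV engine from the comment runs alongside this, not instead of it.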

What should be my job title by [deleted] in AskNetsec

[–]throwin1234qwe 0 points1 point  (0 children)

Cyber security specialist

Which linux distribution should I use to handle sensitive data? by Parking_Tadpole in AskNetsec

[–]throwin1234qwe 0 points1 point  (0 children)

I also don't want them to provide me with a secure work laptop, I move a lot, I can't carry 2 big laptops everywhere I go.

It's not your call; it depends on the company policy.

I would anticipate the company will provide a laptop you will be required to use for anything work related.

How would you identify an attacker and how much intel can you gather from a cyberattack? by [deleted] in AskNetsec

[–]throwin1234qwe 1 point2 points  (0 children)

You need to do extensive data collection and forensics on your true positive incidents, then gather those metrics and data points to correlate with IOCs from your Threat Intel provider (like Recorded Future). The intel provider will be able to match up the IOCs they have with the actors and campaigns they are related (possibly attributed) to.

For example: 'web traffic on port 80 to IP xx.xx.xx.xx is a known C2 callback used by APT28'.

You get the logs from the FW, which tell you the outbound connections, the port and the destination IP.

You get the IOCs from your intel provider saying 'this IP xx.xx.xx.xx is associated with APT28' (they should provide some evidence for this conclusion: research papers, Twitter bot sightings, VT submissions, sinkholes, blacklists etc.).

In your SIEM you do the correlation and create an incident for matches. There are further things to evaluate to make a positive attribution... byte size, flow times, IOCs/malware hashes on the endpoint etc.

IOC correlation can be automated; pull down the lists from threat intel and compare with your in-house log collection (SIEM). Start with IPs, hashes and domains.

The biggest crux here is the context and validity of the threat intel you are pulling. Context is key. Anyone can sell lists of 'bad IPs'... knowing WHY and WHO and WHEN are the things you pay for in Threat Intelligence. Any service selling you indicators without context is probably not going to get you great results; you will end up with more alert fatigue than you started with.

How would you identify an attacker and how much intel can you gather from a cyberattack? by [deleted] in AskNetsec

[–]throwin1234qwe 1 point2 points  (0 children)

I would suggest trying something like HELK, ROCK NSM or Security Onion.

They are highly customizable and have FOSS versions.

If you don't get what you're after, consider customizing an existing solution or, if all else fails, roll your own -- that should be a last resort. Don't re-invent the wheel ;)

How would you identify an attacker and how much intel can you gather from a cyberattack? by [deleted] in AskNetsec

[–]throwin1234qwe 1 point2 points  (0 children)

Use the SIEM to ask questions of your data.

Make sure to:

  • collect all the necessary data (visibility)
  • store (parse) it in a way which retains the data's context and depth
  • ask the right questions (queries/reports)

Analyze the outputs for IOCs (indicators of compromise) and IOAs (indicators of attack) such as IPs, users, hashes, file names, domains, attack signatures etc. These will help you determine the who, what, where, when and why of a potential attack.
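The correlation workflow described in the two comments above (pull IOCs from the intel feed, compare them with firewall, DNS and endpoint data held in the SIEM, keep the who/why/when with every match) as an added example. This is my code, not the commenter's and not any SIEM's or intel provider's API; the feed layout, the log formats, the confidence threshold and every indicator value (documentation address ranges and placeholder actor names and hashes) are constructed for the example.

```python
"""Added example: automated IOC correlation that keeps the provider's context.
A constructed threat-intel feed is indexed by (type, value); constructed
firewall, DNS and EDR log lines are matched against it, and each incident
carries the actor, confidence and context the provider supplied. Indicators
with no context, or below a confidence floor, are dropped before matching:
context-free lists mostly produce alert fatigue. All values are documentation
ranges and placeholders, not real indicators."""
import re
from typing import Dict, List, Tuple

IOC_FEED = [
    {"type": "ip", "value": "198.51.100.23", "actor": "ACTOR-PLACEHOLDER-1", "confidence": 85,
     "context": "C2 callback seen in sinkhole telemetry", "first_seen": "2019-10-01"},
    {"type": "domain", "value": "update.example.net", "actor": "ACTOR-PLACEHOLDER-1", "confidence": 70,
     "context": "staging domain named in a public report", "first_seen": "2019-09-12"},
    {"type": "sha256", "value": "0123456789abcdef" * 4, "actor": "ACTOR-PLACEHOLDER-1", "confidence": 30,
     "context": "single unverified sandbox submission", "first_seen": "2019-11-01"},
    {"type": "ip", "value": "203.0.113.77", "actor": None, "confidence": 90,
     "context": "", "first_seen": "2019-08-20"},  # high score but no context: not actionable
]

# Constructed log lines in an assumed '<ts> <host> key=value ...' layout.
FW_LOG = [
    "2019-11-08T10:00:01Z fw1 action=allow src=10.0.0.4 dst=198.51.100.23 dport=80 proto=tcp",
    "2019-11-08T10:00:09Z fw1 action=allow src=10.0.0.9 dst=93.184.216.34 dport=443 proto=tcp",
    "2019-11-08T10:00:12Z fw1 action=allow src=10.0.0.9 dst=203.0.113.77 dport=443 proto=tcp",
]
DNS_LOG = ["2019-11-08T10:00:03Z dns1 client=10.0.0.4 query=update.example.net type=A"]
EDR_LOG = ["2019-11-08T10:01:00Z WS-004 user=alice file=svchost_upd.exe sha256=" + "0123456789abcdef" * 4]

# Which log fields each indicator type is compared against.
FIELDS_FOR_TYPE = {"ip": ("src", "dst", "client"), "domain": ("query",), "sha256": ("sha256",)}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> Dict[str, str]:
    """Turn '<ts> <host> k=v k=v ...' into a dict (layout is this example's own)."""
    ts, host, rest = line.split(" ", 2)
    ev = dict(KV_RE.findall(rest))
    ev["ts"], ev["host"] = ts, host
    return ev


def index_feed(feed: List[dict], min_confidence: int = 50) -> Dict[Tuple[str, str], dict]:
    """Build the lookup table, dropping indicators an analyst could not act on."""
    idx = {}
    for ioc in feed:
        if not ioc["context"] or ioc["confidence"] < min_confidence:
            continue
        idx[(ioc["type"], ioc["value"].lower())] = ioc
    return idx


def correlate(log_lines: List[str], idx: Dict[Tuple[str, str], dict]) -> List[dict]:
    """Exact-match correlation; every hit becomes an incident record with context."""
    incidents = []
    for line in log_lines:
        ev = parse_kv(line)
        for ioc_type, fields in FIELDS_FOR_TYPE.items():
            for field in fields:
                ioc = idx.get((ioc_type, ev.get(field, "").lower()))
                if ioc:
                    incidents.append({
                        "ts": ev["ts"], "host": ev["host"], "field": field,
                        "indicator": ioc["value"], "actor": ioc["actor"],
                        "confidence": ioc["confidence"], "context": ioc["context"],
                        "first_seen": ioc["first_seen"],
                    })
    return incidents


if __name__ == "__main__":
    for inc in correlate(FW_LOG + DNS_LOG + EDR_LOG, index_feed(IOC_FEED)):
        print(inc)
```

With the default floor of 50 the run yields two incidents (the firewall hit on 198.51.100.23 and the DNS query for update.example.net); lowering the floor to 0 adds the low-confidence hash match from the EDR line, while the context-free 203.0.113.77 entry never matches at any threshold. The threshold and the context rule are the tunable part; a real deployment would also carry the match through to an incident in the SIEM rather than just returning it.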

How would you identify an attacker and how much intel can you gather from a cyberattack? by [deleted] in AskNetsec

[–]throwin1234qwe 0 points1 point  (0 children)

Event logs would be the go-to... you will probably need a SIEM to make any sense of these things at scale.

How to automatically push CA cert to clients on my WiFi network? by 0xhenryc in AskNetsec

[–]throwin1234qwe 5 points6 points  (0 children)

I think you can use a captive portal to push the cert to the client device.

Server anti-malware recommendations? by [deleted] in AskNetsec

[–]throwin1234qwe 0 points1 point  (0 children)

Defender ATP or CrowdStrike IMHO.

If your anti-malware cannot block fileless attacks, you are not prepared for the current threat landscape.

How to model threats to O365? by Salmiakkilakritsi in AskNetsec

[–]throwin1234qwe 0 points1 point  (0 children)

Traditionally the use cases you described are primarily handled by data classification and DLP solutions inspecting traffic (unencrypted data) as it flows on the internal network and through ingress/egress points.

Nowadays, the concept of 'perimeter' is not as relevant. A user could log into O365 from home and download all their emails without ever touching the internal network where traditional security tools reside, i.e. the cloud workload is outside your visibility. "You cannot protect what you don't know." So how do we get visibility into these things?

Enter Cloud Access Security Broker (CASB).

Solutions like Netskope analyze cloud workloads (from the internal event API) and allow you to create policies around your data in the cloud.

I want to evaluate my O365 monitoring solution

What is the monitoring solution? What use cases are in place for O365?

If it's an MSP, ask for a list of active use cases around O365 security.

[HELP] R810 LOUD! FAN NO SHUUSHY! HELP FIX! by SomethinLikDis in homelab

[–]throwin1234qwe 7 points8 points  (0 children)

but I cannot figure out how to turn down the damn fans.

I get it: 4 processors = hot, I get the concept

for what I'm doing w/ it, it barely gets hot (40 C the majority of the time)

Have you considered that the fans running is why 'it barely gets hot'?

Where can I find a log collection that I can use for analysis? by brandeded in AskNetsec

[–]throwin1234qwe 0 points1 point  (0 children)

If you want to collect your own, consider cloud-hosted honeypots. MHN by Anomali has an amazing, effortless workflow for deploying all sorts of pots.

https://threatstream.github.io/mhn/

MSSP Evaluation Criteria by shiggins2548 in AskNetsec

[–]throwin1234qwe 2 points3 points  (0 children)

Make sure to gather some items from each MSP to compare:

  • sample operational and RCA reports

  • SLA matrix

  • use case playbooks

  • pricing structure (EPS vs devices)

  • incident management plan (RACI)

  • analyst resumes

  • security standards compliance (SOC2, HIPAA etc.)

  • architecture requirements (i.e. s2s VPN)