Beccara
Feb 3, 2005


Cheers guys, I'm being met with "Why are you even raising this? It's not a problem" and "The vendor says they won't do anything so why don't you trust them?" It doesn't sit right with me and it sounds like it shouldn't sit right with anyone


Thanks Ants
May 21, 2004

I am quite pissed at my fat man avatar.
I am too politically correct to say this out loud though.
I yearn for a reason to exist.
Help.


Fun Shoe

You're trusting (probably) any random employee at the vendor with full unsupervised access to your AD

RFC2324
Jun 7, 2012

Http 418


Beccara posted:

Cheers guys, I'm being met with "Why are you even raising this? It's not a problem" and "The vendor says they won't do anything so why don't you trust them?" It doesn't sit right with me and it sounds like it shouldn't sit right with anyone

Seriously, you should follow up with the fact that, if your access is unaudited, YOU have too much access and need to implement auditing. If they insist on going through at least protect yourself and your company by ensuring your backups are good, working, and frequent as well as auditing. That way when their social media intern accidentally your domain, you can prove it was them and fix the problem they caused.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

Tooting my own horn again here:
https://blog.keigher.ca/2018/03/per...-dentistry.html

So yeah. We just finished our migration off of Splunk Cloud. I will not and cannot recommend it.

Sickening
Jul 15, 2007

Black Summer was the best summer.

Lain Iwakura posted:

Tooting my own horn again here:
https://blog.keigher.ca/2018/03/per...-dentistry.html

So yeah. We just finished our migration off of Splunk Cloud. I will not and cannot recommend it.

I dug the windows nt screenshot. Nice.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

Sickening posted:

I dug the windows nt screenshot. Nice.

I wanted to be cheeky so I looked for something antiquated.

D. Ebdrup
Mar 13, 2009

If... if they do find out...

keseph posted:

If you were designing your own password manager from the ground up, what would be your most critical feature(s)?

My company has an annual program where you/your team can take a week to work on any project your heart desires, so long as you present the project at the end. One of my security developer colleagues wants to write a password manager for said project and the more input the better, naturally. I've already given my list, but I would appreciate any useful, professional opinions and I will deliver them as community input -- via PM if you don't want to clutter up the thread.

Yes, I know this largely goes against the very name of the thread, but there would be a proper SDLC review team if it looks promising enough to take out of incubation.

We now return you to your regularly-scheduled QRadar grousing.
To extend the very good but somewhat cryptic 'don't roll your own crypto' answer you got earlier, the original 'cryptographic right answers' recommendations by Colin Percival, FreeBSD's security officer emeritus and maker of tarsnap, have recently been updated. For your use-case, scrypt is the recommendation, which hasn't really changed.


In other news, a new botnet, this time with advanced capabilities has been outed, and it can do almost everything. It's kinda cool, in a very scary way.

D. Ebdrup fucked around with this message at May 24, 2018 around 07:12
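To make the scrypt recommendation concrete for the password-manager project, here is an added example (my own code, not the poster's or the colleague's project) of the master-password step: the key is stretched with scrypt from a random per-vault salt, the salt and cost parameters are stored in the vault header so they can be raised later, and the user's password is checked through a key-check value rather than by storing anything derived directly from the password. The cost parameters, the header layout and the HMAC-based key-check construction are assumptions I chose for the example, not a published standard.

```python
"""Master-password key derivation with scrypt for a password-manager vault.

Added example, not the original post's or any colleague's code. Cost
parameters, header layout and the key-check scheme are my own assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost parameters: N=2**14, r=8, p=1 needs about 16 MiB and tens of
# milliseconds on a laptop; a real vault should raise N (and maxmem with it).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32    # 256-bit vault key
SALT_LEN = 16   # random per-vault salt


def derive_vault_key(master_password: str, salt: bytes, n: int = SCRYPT_N,
                     r: int = SCRYPT_R, p: int = SCRYPT_P) -> bytes:
    """Stretch the master password into a fixed-length vault key."""
    return hashlib.scrypt(
        master_password.encode("utf-8"),
        salt=salt, n=n, r=r, p=p,
        maxmem=64 * 1024 * 1024,   # scrypt needs ~128*n*r bytes; keep headroom
        dklen=KEY_LEN,
    )


def key_check_value(vault_key: bytes) -> bytes:
    """Short tag proving a derived key is right without storing the key:
    HMAC keyed with the vault key over a fixed label (assumed construction)."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()[:16]


def create_vault_header(master_password: str) -> dict:
    """Header stored beside the encrypted vault. Salt and cost parameters are
    written out so they can be upgraded later; the key itself is never stored."""
    salt = os.urandom(SALT_LEN)
    key = derive_vault_key(master_password, salt)
    return {
        "kdf": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
        "salt": salt.hex(),
        "kcv": key_check_value(key).hex(),
    }


def unlock_vault(master_password: str, header: dict) -> Optional[bytes]:
    """Re-derive the key from the stored parameters and return it only if the
    key-check value matches (constant-time compare); otherwise None."""
    if header.get("kdf") != "scrypt":
        return None
    key = derive_vault_key(master_password, bytes.fromhex(header["salt"]),
                           n=header["n"], r=header["r"], p=header["p"])
    if not hmac.compare_digest(key_check_value(key), bytes.fromhex(header["kcv"])):
        return None
    return key


if __name__ == "__main__":
    hdr = create_vault_header("correct horse battery staple")
    print("header:", hdr)
    print("unlock with right password:", unlock_vault("correct horse battery staple", hdr) is not None)
    print("unlock with wrong password:", unlock_vault("hunter2", hdr))
```

Storing the parameters in the header is what lets a later release raise N without locking users out of old vaults: the old header still unlocks with its old cost, and the vault is re-keyed on the next save. The derived key should then feed an authenticated cipher for the vault body; that part is outside this example.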

Saukkis
May 16, 2003



Beccara posted:

Cheers guys, I'm being met with "Why are you even raising this? It's not a problem" and "The vendor says they won't do anything so why don't you trust them?" It doesn't sit right with me and it sounds like it shouldn't sit right with anyone

The issue is not simply trusting the people at the vendor. When they want to implement such a shoddy and dangerous update method it is an indication of incompetence and you can't trust that they are able to protect their own systems. They would be a direct route to the heart of your systems and probably many others. When the wrong people learn about this setup the vendor becomes a juicy target for adversaries. Your company may not be a big enough target to spend such effort for hacking, but it sounds like the vendor would certainly be, and your company and numerous others will go down with them.

Softcox
Jul 13, 2004

But I will not hesitate.
Not for a second.


Lain Iwakura posted:

Tooting my own horn again here:
https://blog.keigher.ca/2018/03/per...-dentistry.html

So yeah. We just finished our migration off of Splunk Cloud. I will not and cannot recommend it.

I'm currently tearing my hair out dealing with Splunk cloud support, the one saving grace of Cloud is hybrid search. Having an on-prem search head at least gives you some additional flexibility

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

Softcox posted:

I'm currently tearing my hair out dealing with Splunk cloud support, the one saving grace of Cloud is hybrid search. Having an on-prem search head at least gives you some additional flexibility

Cloud support's SLA is absolute garbage. The amount of time it takes me now to install an app in contrast to how long it took when they managed it for me is absolutely asinine.

Martytoof
Feb 25, 2003


I'm out of my head
of my heart
and my mind



Beccara posted:

Cheers guys, I'm being met with "Why are you even raising this? It's not a problem" and "The vendor says they won't do anything so why don't you trust them?" It doesn't sit right with me and it sounds like it shouldn't sit right with anyone

At this point they've made their decision so in your shoes I would just say "I can't in good conscience approve this so if you really want to proceed then it has to be okayed at a higher level".

If you're lucky enough to have a structure where that can happen. Ideally InfoSec doesn't report in to the same C as IT, but I suspect that's not the case in a lot of smaller orgs.

Proteus Jones
Feb 28, 2013



College Slice

Martytoof posted:

At this point they've made their decision so in your shoes I would just say "I can't in good conscience approve this so if you really want to proceed then it has to be okayed at a higher level".

If you're lucky enough to have a structure where that can happen. Ideally InfoSec doesn't report in to the same C as IT, but I suspect that's not the case in a lot of smaller orgs.

Yeah, if there's any way this can blow back on you definitely create a CYA email trail.

Jowj
Dec 25, 2010

My favourite player and idol. His battles with his wrists mirror my own battles with the constant disgust I feel towards my zerg bugs.

Softcox posted:

I'm currently tearing my hair out dealing with Splunk cloud support, the one saving grace of Cloud is hybrid search. Having an on-prem search head at least gives you some additional flexibility

Yeah it's _infuriating_.

I don't know about hybrid search with cloud; what did having the second search head give you? I'm trying to figure out what it would gain me and can't think of anything but I'm guessing that could easily be explained with a "scale" thing.


Lain Iwakura posted:

Cloud support's SLA is absolute garbage. The amount of time it takes me now to install an app in contrast to how long it took when they managed it for me is absolutely asinine.

You migrated to on prem? Were you able to retain the logs from cloud instance? Did they move over to your new cluster or stay in the cloud, accessible but apart from your new cluster?

In about...8 months when we hit the end of the contract with splunk cloud I'm gonna be pushing hard for on prem and am curious about roadblocks.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

Jowj posted:

You migrated to on prem? Were you able to retain the logs from cloud instance? Did they move over to your new cluster or stay in the cloud, accessible but apart from your new cluster?

In about...8 months when we hit the end of the contract with splunk cloud I'm gonna be pushing hard for on prem and am curious about roadblocks.

Yes, yes, and to answer your last question: we hired a contractor to create a hybrid search and then once the new indexers were in place we had the pre-existing data migrated to an S3 bucket and then restored via that. It took us about two months to get it down right but minus some hitches with our local forwarders, everything went flawlessly. What made it not suck so much was the fact that we were still going to have it all in AWS but 100% in our control otherwise.

If I ever get it cleared by my director, I'll probably blog about it.

Jowj
Dec 25, 2010

My favourite player and idol. His battles with his wrists mirror my own battles with the constant disgust I feel towards my zerg bugs.

Lain Iwakura posted:

Yes, yes, and to answer your last question: we hired a contractor to create a hybrid search and then once the new indexers were in place we had the pre-existing data migrated to an S3 bucket and then restored via that. It took us about two months to get it down right but minus some hitches with our local forwarders, everything went flawlessly. What made it not suck so much was the fact that we were still going to have it all in AWS but 100% in our control otherwise.

Dope. That process doesn't seem like murder, and my env would only have like 6-8 TB to move around.

Lain Iwakura posted:

If I ever get it cleared by my director, I'll probably blog about it.
If it ever gets cleared I'd def read it, that'd be hella useful. Splunk turned into an "I own it" but I lack the background so it's a lot of figuring poo poo out from scratch.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.


Taco Defender

Jowj posted:

Dope. That process doesn't seem like murder, and my env would only have like 6-8 TB to move around.

Compressed, our data was about 32 TB. We do about 150-200 GB/day but have clearance up to 300 GB. My new project starting sometime this summer will see me collect way more data than before.


evil_bunnY
Apr 2, 2003



Beccara posted:

LocalSystem level access on a PDC
lol no
