Mustache Ride
Sep 11, 2001



Check out FIDO from Netflix: https://github.com/Netflix/Fido
A lot of Automation and Remediation built in to the tool.

We rebuilt it into Splunk and it's working great as a QRadar replacement. Here's the presentation we've been giving on it

Mustache Ride
Sep 11, 2001



Like Microsoft.

Mustache Ride
Sep 11, 2001



My company is like that too. We don't apply to any of those regulations and we're at >30,000 endpoints.

However we just use the free Microsoft av because it comes with our Microsoft subscription, it's free, and it's better than nothing.

Security is like an onion, the more poo poo you have layered on top of each other, the better off you'll be.

Mustache Ride
Sep 11, 2001



No no no, you're not getting it at all. I agree that av is crap. That's why we don't pay for it. You should at least use something you get with a Microsoft license than nothing at all to stop the limited crap it does catch.

The people who pay for it are the idiots.

Mustache Ride
Sep 11, 2001



Jesus tapdancing christ, why is everyone so loving angry in these threads?

Mustache Ride
Sep 11, 2001



online friend posted:

because if you get called out on being wrong about a thing you shouldn't double down on being wrong

That's not a good reason to be angry. Soon you'll only be left arguing with yourself about how good you are at masturbating about security.

Mustache Ride
Sep 11, 2001



I had an interesting meeting with Cylance yesterday, who said they are using math models to predict the APIs and library loads commonly used by malware instead of signatures or :airquote: heuristics :airquote:

OSI have you used their engine before? They claim it didn't need to be online to pull signatures and it has some pretty nice looking features that makes us want to rip and replace our Bit9 infrastructure with it.

Mustache Ride
Sep 11, 2001



That's what I figured as well but they claim it's not true heuristics, but an algorithm generated using machine learning over 18 million PEs.

Mustache Ride
Sep 11, 2001



Yeah I realize that. I'm giving you guys the responses I got when I said these exact same things. I just wondered if anyone here had played with it and if it was worth a POC to throw some stuff against it and see if it holds up.

It certainly sounds too good to be true to me, but we have some specific cases where we need some sort of solution that doesn't require being online. I have no intention of changing anything without a full in depth POC and more details behind closed doors about how it works.

Mustache Ride
Sep 11, 2001



Yeah, in the sit down the Sales Engineer had some interesting things to say about some of the questions I had, including, and I quote, "We're not on VirusTotal because we would catch everything and then the big 6 would use us as a reputation source and everyone would be using our engine."

:haw:

My boss and I also kept cracking up in the meeting because the sales douches were so like those in the most recent Silicon Valley episode. The Cylance guys had not seen Silicon Valley, of course.

Mustache Ride
Sep 11, 2001



Hey this is good news: http://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/

Mustache Ride
Sep 11, 2001



Goddamn, I'm sitting in a FireEye MVX presentation, and all I can hear is "signature signature signature signature".

When will these assholes learn that signatures aren't the answer?

Mustache Ride
Sep 11, 2001



I made this during a vendor meeting today. For you

Mustache Ride
Sep 11, 2001



sudo nmap -n -PN -sT -sU -p- remote_host

Run nmap against this.

Mustache Ride
Sep 11, 2001



The issue isn't if you're on VPN or not. It's generally a poor practice to send anything plaintext, regardless of a secure connection, because unless you can see the entire wire run and all devices on the network, anyone can put a sniffer on it and still get your password.

There's a pretty good SANS article about this that even includes some workarounds, but as it says in the article, you'd probably be better off with WMIC or WinRM through PowerShell instead.

Mustache Ride
Sep 11, 2001



Not lightbulbs, but how about this from defcon?

http://thenextweb.com/gadgets/2016/08/08/thermostats-can-now-get-infected-with-ransomware-because-2016/

Mustache Ride
Sep 11, 2001



Oh you're saying that they did a PoC and gave you the results that show criminal behavior from their tool, but won't show you what the problem is unless they pay for it?


That's kinda hosed up, honestly. Never mind showing management a win without even purchasing the tool and almost guaranteeing the purchase, now they want to withhold data that can prove the criminal activity actually took place and verify that the tool worked correctly.

gently caress em. Take the data they give you and do your own investigation into who did what.

Who is it? I'll put them on my vendor ignore list.

Mustache Ride fucked around with this message at 12:32 on Aug 22, 2016

Mustache Ride
Sep 11, 2001



I think he was talking about hardware fingerprints like user agents and device metadata, not your actual fingerprint.

At least I hope he was; how the hell would WhatsApp have access to your stored fingerprint info?

Mustache Ride
Sep 11, 2001



Back in the day the messages weren't even encrypted. They were stored in a plaintext database on the iPhone and relied solely on the iPhone's encryption to protect it (hah!). I haven't had to run a forensic case on an iPhone in a while, I wonder how much that has actually changed.

Mustache Ride
Sep 11, 2001



This was a pretty good read on iPhone exploits that has to do with infosec: https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

And here's a detailed tech analysis of that attack: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf

Looks like this was the cause of the 9.3.5 update.

Mustache Ride fucked around with this message at 20:20 on Aug 25, 2016

Mustache Ride
Sep 11, 2001



Brian Krebs usually does a good job with technical stuff: http://krebsonsecurity.com/

Mustache Ride
Sep 11, 2001



I sat in a meeting today, as I have done for many months, asking that 2fa be put on O365. One of the development directors told me today that her team could make their own 2fa solution that could do what the parade of companies my team had brought on were offering.

I stood up, yelled "DON'T ROLL YOUR OWN CRYPTO" and walked out.

Can I drink with you guys too?

Mustache Ride fucked around with this message at 01:04 on Sep 27, 2016

Mustache Ride
Sep 11, 2001



AlienVault looks like a very scaled down SIEM; mainly it looks like a Nessus knock off with some network hardware stuff built in, and an endpoint agent that doesn't really do much.

If that's what you're looking for, great, but I'd rather be able to put my own data streams into a SIEM, or even forget the whole SIEM thing and do something like FIDO.

Mustache Ride
Sep 11, 2001



ES is poo poo, don't pay for that crap.

Mustache Ride
Sep 11, 2001



We hired a software engineer as an "Automation Specialist". Basically he scripts our security tools together using APIs so that everything talks to each other and real time threat data is passed everywhere.

Now he's learning about reverse engineering and after a little training he'll probably be one hell of a good reverser.

But there have been times when we haven't given him much to do, and he took the initiative to develop his own thing. So if you're not much of an innovator you might get easily bored.

Mustache Ride
Sep 11, 2001



Now's the perfect time to go to market with a home firewall/network security tool. Goon Project?

Mustache Ride
Sep 11, 2001



ming-the-mazdaless posted:

:yotj:
Senior Research Analyst

Yay me too! Senior Security Engineer. gently caress you oil and gas market.

:yotj:

Mustache Ride
Sep 11, 2001



:yikes:

Mustache Ride
Sep 11, 2001



There's no full security. Full disk encryption can be beaten by a mouse jiggler. Denying USB access can be beaten by a motivated guy taking pictures of documents on a screen with a cell phone.

You have to conform to the "good enough" security model, and hope you never have to deal with motivated people, basically.

Mustache Ride
Sep 11, 2001



Ugh these recruiters keep sending us these certificate whores who don't have any real world experience and don't know anything except what you can learn in a training manual.

Who hires these people?

Mustache Ride
Sep 11, 2001



Mostly consulting groups it seems. What a waste of time the past 2 interviews have been.

Mustache Ride
Sep 11, 2001



Hey I'd be happy with a new grad. Just not a mid 30s loving certification whore who hasn't worked for anything that didn't end in "group" and who believes that powerpoints are the best form of communication.

Mustache Ride
Sep 11, 2001



How about the leaked Mirai botnet source?

https://github.com/jgamblin/Mirai-Source-Code

Or just go on VirusTotal and find a botnet. You can download off of there if you sign up for an account, I think.

Mustache Ride
Sep 11, 2001



Well this will be fun: https://boingboing.net/2017/03/24/symantec-considered-harmful.html


Google: Chrome will no longer trust Symantec certificates, 30% of the web will need to switch Certificate Authorities

Mustache Ride
Sep 11, 2001



CB/Bit9 is a great product, but it's not designed for large enterprises. If you have over 10k endpoints, you better be prepared to throw a poo poo ton of money and FTEs at keeping it running.

Mustache Ride
Sep 11, 2001



Crap, RSA moved to April and I need CPEs before then. Any other good conference between now and March that'll fill me up with CPE goodness?

Mustache Ride
Sep 11, 2001



I hear Toronto is nice in November, right? That's easier than podcasts, nobody has time for those.

Thanks guys.

Mustache Ride
Sep 11, 2001



Basically a Splunk Span Port adapter.

I haven't heard of it being used for DNS; what's wrong with the default Windows input?

Mustache Ride
Sep 11, 2001



Elastic means the timeline is always hosed. If you're able to have enterprise level data flowing into it and it won't crash hilariously every other day, we need to talk.

Mustache Ride
Sep 11, 2001



What I've found is that if you have a support team that can keep it up and running constantly, then it'll work fine.

But most security orgs can't waste manpower on cluster support, and it's still not integrated into most orgs enough for a separate infrastructure group to keep it running unless you're very very lucky.
