|
CLAM DOWN posted:What's your opinion on Azure Sentinel, Lain? I’m about to evaluate it.
|
#
?
May 11, 2019 01:19
|
|
|
|
| # ? May 13, 2024 23:31 |
|
|
CLAM DOWN posted:I'm quite literally excited for your take on this. We're also examining Logarythm, which has some really cool features like Incident quick actions and playbooks. Sentinel also has playbooks, and quick or auto actions based on alerting.
|
|
#
?
May 11, 2019 02:51
|
|
|
CommieGIR posted:We're also examining Logarythm, which has some really cool features like Incident quick actions and playbooks. Stay the gently caress away from LogRhythm.
|
|
#
?
May 11, 2019 03:06
|
|
|
Welp, I can't think of a more impactful anti-endorsement than that.
|
|
#
?
May 11, 2019 03:17
|
|
|
The Fool posted:Welp, I can't think of a more impactful anti-endorsement than that. No poo poo.
|
|
#
?
May 11, 2019 03:46
|
|
|
Lain Iwakura posted:
Is the Y axis short for "Ability to Remote Code Execute"?
|
|
#
?
May 11, 2019 06:44
|
|
|
geonetix posted:Is the Y axis short for "Ability to Remote Code Execute"? I think they prefer the term “cross-organization administration capabilities”.
|
|
#
?
May 11, 2019 07:39
|
|
|
For something to do on a saturday or sunday if you have nothing else to do, you can always watch this talk by Matt King and Paul McMillan on "Securing Bare Metal Hardware at Scale": https://www.youtube.com/watch?v=PEVVRkd-wPM It goes into some of the ways we can try to guarentee that the runtime and attestation of firmware, at least in datacenters - and more importantly, the fact that if more of the vendors customers want it, there's a bigger chance we can actually have it. It also contains a pretty great image that can be used as an avatar.
|
|
#
?
May 11, 2019 10:56
|
|
|
Lain Iwakura posted:Stay the gently caress away from LogRhythm.  I don't know if that will be up to me, but please give me some talking points?We currently have Symantec MSS, which is garbage. We have Splunk, but we don't have anyone capable of building out a working Security dashboard. I mean, I use ELK a lot without issue...
|
|
#
?
May 11, 2019 15:26
|
|
|
Lain Iwakura posted:Stay the gently caress away from LogRhythm. Everyone knows the rhythm method is unreliable.
|
|
#
?
May 11, 2019 16:40
|
|
|
Walking in rhythm attracts the worms.
|
|
#
?
May 11, 2019 18:32
|
|
|
CommieGIR posted:
Lack of available extractions and availability of apps, their API was trash for the longest time and is still their biggest weakness, and it's really poor at scaling. Splunk's problem is that it requires ES and is a complete crapshoot when it comes to licensing these days, but at least it scales and has a variety of half-decent apps available. Honestly I just have such a firm opinion on LogRhythm having had to develop for it and told my boss I'd sooner quit than deal with it when it came up as a joke.
|
|
#
?
May 11, 2019 20:03
|
|
|
Lain Iwakura posted:Lack of available extractions and availability of apps, their API was trash for the longest time and is still their biggest weakness, and it's really poor at scaling. Splunk's problem is that it requires ES and is a complete crapshoot when it comes to licensing these days, but at least it scales and has a variety of half-decent apps available. The Security suite they showcased is fantastic looking, I hope its not just a farce. Most of the other engineers on my team are already sold, and we're bringing on a Managed Services team to help build/configure it.
|
|
#
?
May 11, 2019 20:12
|
|
|
CommieGIR posted:The Security suite they showcased is fantastic looking, I hope its not just a farce. Most of the other engineers on my team are already sold, and we're bringing on a Managed Services team to help build/configure it. That's because you saw the showcase. it looks like magical christmas-land because they need to. my personal theory is that if the presenters can talk even a little bit of shop of how the product would fit without handing me a phamplet, then its worth looking at.
|
|
#
?
May 11, 2019 20:18
|
|
|
CommieGIR posted:The Security suite they showcased is fantastic looking, I hope its not just a farce. Most of the other engineers on my team are already sold, and we're bringing on a Managed Services team to help build/configure it.  I've been burnt many times in my career over fancy demos only to be disappointed. The reason why log collection has gone so well at my company is because I used to sell the product we use when I worked as a consultant but otherwise it would have been dead in the water. Unless you got someone on your team who is well-versed in this sort of stuff, you're not going to get the fancy setup that the sales engineers will attempt to convince you'll get.
|
|
#
?
May 11, 2019 20:24
|
|
|
Lain Iwakura posted:
Yeah, I wish I had more to go off of to sway the other engineers away from Logrythm, then 
|
|
#
?
May 11, 2019 20:57
|
|
|
CommieGIR posted:
Splunk wouldn't play ball with us on licensing so we're moving to Humio which saves us a ton on licensing and allows us to take on staff to do the dashboard build out. Shoot me a PM if you want any info, your existing Splunk hardware probably won't get repurposed well due to the way to works under the hood.
|
|
#
?
May 13, 2019 15:59
|
|
|
Btw everyone complaining about Splunk, are you talking about the rea,l here's the server it lives on, Splunk or the Cloooouuuud version of Splunk which has those annoying limits on upload and download?
|
|
#
?
May 13, 2019 16:46
|
|
|
EVIL Gibson posted:Btw everyone complaining about Splunk, are you talking about the rea,l here's the server it lives on, Splunk or the Cloooouuuud version of Splunk which has those annoying limits on upload and download? with our current log generation, on-prem splunk would be licensed in the 7 figure range
|
|
#
?
May 13, 2019 17:41
|
|
|
Judge Schnoopy posted:with our current log generation, on-prem splunk would be licensed in the 7 figure range So like, double digit gigs per day? 
|
|
#
?
May 13, 2019 17:43
|
|
|
EVIL Gibson posted:Btw everyone complaining about Splunk, are you talking about the rea,l here's the server it lives on, Splunk or the Cloooouuuud version of Splunk which has those annoying limits on upload and download? On-prem licensing costs are already terrible, cloud was a complete non-starter. We're trying to ingest upwards of 2TB/day
|
|
#
?
May 13, 2019 17:49
|
|
|
Docjowles posted:So like, double digit gigs per day? lol, gigs.
|
|
#
?
May 13, 2019 17:50
|
|
|
Judge Schnoopy posted:with our current log generation, on-prem splunk would be licensed in the 7 figure range that loving sucks. it used to be on prem was cheaper than cloud and it was obvious which one was better especially with the daily caps on cloud
|
|
#
?
May 13, 2019 17:58
|
|
|
Are people on those license levels just startups burning through cash on Splunk licenses because they don't know any better, or is there a valid reason to go down that route vs. bringing on some devs to dedicate their time to your logging platform?
|
|
#
?
May 13, 2019 19:24
|
|
|
Thanks Ants posted:Are people on those license levels just startups burning through cash on Splunk licenses because they don't know any better, or is there a valid reason to go down that route vs. bringing on some devs to dedicate their time to your logging platform? probably because they have enough traffic spread out across a wide infrastructure (like among several countries) that trying to fit them together any other way for investigation would be days of time instead of going to one place and searching logs of all locations at once. if its a multinational or large enough national company you are probably paying way more on other systems like salesforce.
|
|
#
?
May 13, 2019 19:31
|
|
|
Security folks want all the data. If you're over 10,000 heads, that's probably about 2TB+ data per day, and millions of dollars on the Splunk licenses. Now the fun one is Splunk in Private Cloud. 700k+ in cloud resources a year plus 1+ mil in Splunk licence costs, and you've got an expensive rear end log system that hardly gets used.
|
|
#
?
May 13, 2019 20:43
|
|
|
Mustache Ride posted:Security folks want all the data. If you're over 10,000 heads, that's probably about 2TB+ data per day, and millions of dollars on the Splunk licenses. We're doing about 8,000 endpoints, a few thousand servers, and around 12,000 users and we're just doing under 500 GB/day. We also went through a migration two-years ago where we dropped our Splunk Cloud for on-premise and that was because Cloud was a complete pile of poo poo to deal with. I want to get into a rant about Splunk licensing but I am not ready to talk about the bullshit we're dealing with right now.
|
|
#
?
May 13, 2019 22:12
|
|
|
What’s a good on-site password manager (preferably capable of storing extra information related to the accounts) that allows multiple log-in accounts? Access logging would be a nice feature too. My company stores admin account information for servers that contain extremely valuable client data on Sharepoint. I’m not sure whether that is better or worse than it sounds to me, but it doesn’t sound good. That’s potentially millions in fines, even more from legal fees and damages from lawsuits and a destroyed reputation if someone gets on the Sharepoint and takes the credentials. Granted you need an account that can access the servers hosting the VMs, but still.
|
|
#
?
May 13, 2019 23:27
|
|
|
You've probably already figured this out, but don't store the credentials you need to restore and gain emergency access to your password management system solely within that password management system.
|
|
#
?
May 13, 2019 23:37
|
|
|
keepass will do all of that except the logging part Otherwise you're looking at deploying something like Secret Server. Secret Server itself seems to have fallen out of favor, but I'm not familiar with any of it's alternatives for an on prem password vault. We use 1pass for teams at my work.
|
|
#
?
May 13, 2019 23:38
|
|
|
22 Eargesplitten posted:What’s a good on-site password manager (preferably capable of storing extra information related to the accounts) that allows multiple log-in accounts? Access logging would be a nice feature too. We use PMP at my company. From my perspective as a user (I'm a server admin who needs to look up a shared credential now and then), it works great, but I never see the back end so I have no idea if it's a pain in the rear end or not. But I don't recall ever hearing the team that manages it complain about it, though.
|
|
#
?
May 13, 2019 23:50
|
|
|
The Fool posted:keepass will do all of that except the logging part Thanks. I thought keepass could only have one password for the DB, and that would invariably mean using one simple obvious password, which is a poo poo solution. They actually already have keepass set up for other stuff, so I might actually be able to sell them on that. Odds are nothing actually comes of this, even if I point out that it could do huge amounts of damage to the company to not protect client data better than a goddamn Sharepoint page. But the company has a few new directors and a new-ish VP so it's worth a shot. At the least it's a small amount of effort to propose and might help my director think of me as having potential for something other than crap-tier support. Got to build up that reputation so I have some leeway when I burn out and start slacking off and doing the absolute minimum 
|
|
#
?
May 14, 2019 00:27
|
|
|
https://twitter.com/passantino/status/1128066136447143938 What's Upp?
|
|
#
?
May 14, 2019 00:30
|
|
|
22 Eargesplitten posted:What’s a good on-site password manager (preferably capable of storing extra information related to the accounts) that allows multiple log-in accounts? Access logging would be a nice feature too. We use CyberArk and have little complaints. It will even record RDP and SSH sessions.
|
|
#
?
May 14, 2019 00:37
|
|
|
22 Eargesplitten posted:Thanks. I thought keepass could only have one password for the DB, and that would invariably mean using one simple obvious password, which is a poo poo solution. They actually already have keepass set up for other stuff, so I might actually be able to sell them on that. Sorry, you are right, a keepass database can only have a single key. Before we switched to 1pass we had a long randomly generated key that we all stored in our personal keepass databases that was used as the key for the shared database.
|
|
#
?
May 14, 2019 00:38
|
|
|
Lain Iwakura posted:We use CyberArk and have little complaints. It will even record RDP and SSH sessions. CyberArk is what we are using as well.
|
|
#
?
May 14, 2019 00:50
|
|
|
azure key/secret tools are turning out to be sexy as hell for me 
|
|
#
?
May 14, 2019 01:30
|
|
|
Potato Salad posted:azure key/secret tools are turning out to be sexy as hell for me Yes, this. Azure Key Vault integrating with Azure Devops Pipelines is super easy and super nice.
|
|
#
?
May 14, 2019 01:31
|
|
|
If you don't have Azure DevOps, but still want something try Hashi's Vault Pretty good logging, fully API based key vault, and can even work as a PKI service. And Free if you don't need replication.
|
|
#
?
May 14, 2019 02:20
|
|
|
|
| # ? May 13, 2024 23:31 |
|
|
Vault is very good and it's open source. Just make sure you have good backups and reliable storage (or put it in the cloud).
|
|
#
?
May 14, 2019 03:54
|
|
