|
CommieGIR posted:The Microsoft Sentinel demo did not go well, unfortunately. What else have you looked at? So far I've looked at: Devo - Lol Gravwell - Probably too good to be true, still evaluating Chronicle - Amazing Search, VT bolted in, little else Whaterver that PAN one was called. Exabeam maybe? Probably some others that I don't remember because they're all poo poo At this point I'm probably going to go back to developing all the missing components I need for Collaborative Searches in Elastic (Spark plays a huge role here) and pay the drat infrastructure costs. Its really sad no one has just reverse engineered and released "Skunk" or something.
|
# ? May 15, 2019 18:23 |
|
|
# ? May 13, 2024 10:39 |
|
Mustache Ride posted:What else have you looked at? Sentinel Splunk Logrythm IBM QRadar One or two others that were not really that impressive.
|
# ? May 15, 2019 18:42 |
|
We use Splunk and a third-party provider for doing correlation and analysis of data which has been for the most part fine albeit with lots of headaches to get properly integrated. I'd talk about them but I keep my cards close to my chest but am happy to talk about it in person if we ever meet. Word of advice: figure out how to not have multi-line items in any log collection you do. Event logs are by far the worst for this.
|
# ? May 15, 2019 18:51 |
|
Just don't use ArcSight, I have PTSD from that
|
# ? May 15, 2019 18:52 |
|
Showing my ignorance here, does no one use Elastic Stack or does that not have specific enough tools for what InfoSec folks need?
|
# ? May 15, 2019 19:05 |
|
CLAM DOWN posted:Just don't use ArcSight, I have PTSD from that Before I came into this company, they had bought an ArcSight licence at a six-figure value and it went nowhere. I know people who sell it and hate it. Internet Explorer posted:Showing my ignorance here, does no one use Elastic Stack or does that not have specific enough tools for what InfoSec folks need? It comes down to support. If I pay Splunk for their software, I can get support. If I pay someone for Elastic Stack, it doesn't necessarily mean I'll get the same level of support due to the way it is developed. I may in fact consider it in the future anyway but there is a risk that comes with it.
|
# ? May 15, 2019 19:36 |
|
Lain Iwakura posted:It comes down to support. If I pay Splunk for their software, I can get support. If I pay someone for Elastic Stack, it doesn't necessarily mean I'll get the same level of support due to the way it is developed. I may in fact consider it in the future anyway but there is a risk that comes with it. For sure. I know that if I have something in production I want to have support for it. Was not sure how strict that rule was for InfoSec folks as it seems a little more flexible for the DevOps folks. We had Splunk at my last place, but was very small, only doing 5 GB/day and even that was really expensive for what it got us. There definitely seems to be room in this space for tools that aren't $TEXAS.
|
# ? May 15, 2019 19:51 |
|
Lain Iwakura posted:Word of advice: figure out how to not have multi-line items in any log collection you do. Event logs are by far the worst for this. What types of logs have this issue? Java logs are the only ones we've really had issues with.
|
# ? May 15, 2019 20:02 |
|
Lucid Nonsense posted:What types of logs have this issue? Java logs are the only ones we've really had issues with. Windows Event Logs
|
# ? May 15, 2019 20:05 |
|
Google recalls Titan Security Keys because Bluetooth is insecure as poo poo. Just lol if you use literally anything other than a Yubikey, and gently caress Google for allowing a Chinese manufacturer to add further FUD to the public consciousness regarding 2FA.
|
# ? May 15, 2019 20:25 |
|
The Fool posted:Windows Event Logs Really? I haven't seen that issue unless the forwarding agent isn't rfc5424 compliant. Snare works fine, but the Datagram syslog agent just truncates the messages.
|
# ? May 15, 2019 20:26 |
|
Lucid Nonsense posted:Really? I haven't seen that issue unless the forwarding agent isn't rfc5424 compliant. Snare works fine, but the Datagram syslog agent just truncates the messages. That is our current issue, Snare is just converting Event Forwarding logs and ruins the formatting.
|
# ? May 15, 2019 20:30 |
|
CommieGIR posted:That is our current issue, Snare is just converting Event Forwarding logs and ruins the formatting. Ah, we fix the formatting with a parser rule. I just haven't run into any multi-line issues with it.
|
# ? May 15, 2019 20:49 |
|
CommieGIR posted:That is our current issue, Snare is just converting Event Forwarding logs and ruins the formatting. Are you grabbing them as XML or just using the default WinEventLog Splunk collector?
|
# ? May 15, 2019 21:18 |
|
The newline issue with Windows Event Logs is a major issue with other log collectors outside of Snare. Snare doesn't have this problem but I sadly cannot use it within our setup.
|
# ? May 15, 2019 21:19 |
|
Mustache Ride posted:Are you grabbing them as XML or just using the default WinEventLog Splunk collector? I'm going to assume the latter. I was not involved in configuring it, and was before my time.
|
# ? May 15, 2019 21:56 |
|
Ok i'm in a little bit of a meltdown (heh) from trying to get my head around all these CPU attacks released yesterday. Can anyone in the know tell me how hosed I am still with MDS Tool showing me this: I suspect I'm due a ESX patch for microcode but I can't quite tell. I've followed: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in The section I've applied is reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f And applied this patch manually to be sure https://support.microsoft.com/en-nz/help/4499165/windows-8-1-update-kb4499165 But the MDS tool is not exactly friendly edit:// Yeah I might be in the wrong thread but you guys know your poo poo better when it comes to the attacks themselves Beccara fucked around with this message at 23:09 on May 15, 2019 |
# ? May 15, 2019 23:05 |
|
Kerning Chameleon posted:Google recalls Titan Security Keys because Bluetooth is insecure as poo poo. I'm hoping that Safari NFC U2F thing gets onto iOS someday. It'll be nice to use that and ditch that bluetooth key. It's really only there for iOS compatibility.
|
# ? May 15, 2019 23:16 |
|
crazysim posted:I'm hoping that Safari NFC U2F thing gets onto iOS someday. It'll be nice to use that and ditch that bluetooth key. It's really only there for iOS compatibility. Well, and people who can't afford Android phones with NFC built-in.
|
# ? May 16, 2019 00:05 |
|
Lucid Nonsense posted:What types of logs have this issue? Java logs are the only ones we've really had issues with. Proofpoint syslog feeds. But fear not on that one, they now have a JSON feed you can query that consolidate them to make your life less of a living hell.
|
# ? May 16, 2019 00:37 |
|
BangersInMyKnickers posted:Proofpoint syslog feeds. But fear not on that one, they now have a JSON feed you can query that consolidate them to make your life less of a living hell. That seems like a workaround rather than a fix. What's the performance on those queries? Or am I just missing the sarcasm?
|
# ? May 16, 2019 01:34 |
|
Lucid Nonsense posted:That seems like a workaround rather than a fix. What's the performance on those queries? Or am I just missing the sarcasm? A little bit of sarcasm, but for the most part the json feed is a huge quality of life improvement. If you are ingesting a Proofpoint syslog feed, the strings that hold together all the logs together are the message_session_id (SMTP session) AND the unique_message_session_id (individual messages inside that SMTP session). A single message transaction generates one log line for every combination of module and rule it runs through, and in a typical message transaction will generate a dozen or more syslog lines. Proofpoint both re-uses and omits many fields across these lines, so if you want to look at something like the spam scores from a specific sender IP you have to run a two stage query that collects all the message_session_id or unique_message_session_id values for lines matching your sender IP and then join that to the second query pulling all the spam score values from the other lines matching those id field values you joined. It trashes your search head and sucks. The generally accepted workaround to this problem is to do summary logging where you dump the raw syslog feed in to a staging location, let them collect for a while, then re-parse to consolidate the lines with either a matching unique_message_session_id (messages) or ones with message_session_id and no unique_message_session_id and also parse to determine which rule "one" to handle overwriting/conflicting fields and a bunch of other infuriating horse poo poo. Oh and this will break some number of slow transactions that run on for longer that the amount of time you give them to queue before reparsing but that's just living with Proofpoint. With the new JSON feed, they do all that on their end and better than you can do it, so you just curl with your API key and the time ranges of the logs you're pulling in and you get a single log line for each SMTP session or message passing in that session and all the fields are normalized and tagged properly and it is worlds better.
|
# ? May 16, 2019 03:08 |
|
Yup PPS syslog is a grade A garbage fire.
|
# ? May 16, 2019 03:23 |
|
Internet Explorer posted:Showing my ignorance here, does no one use Elastic Stack or does that not have specific enough tools for what InfoSec folks need? dougdrums fucked around with this message at 05:19 on May 16, 2019 |
# ? May 16, 2019 05:16 |
|
ELK suffers from a more severe version of what splunk struggles with and that is your data has to be formatted reasonably well at ingest and most logging is hot garbage and hard to manipulate into a sane data structure. the key with all logging projects is to get the basic logging right, first. That means standardised formatting, processes to ensure it's enabled, processes around retention etc. Unless you have ~infinite money~ dumping all your logs into ELK or Splunk won't produce practical results outside of certain circumstances like appliance logging (firewalls, LBs, etc).
|
# ? May 16, 2019 05:35 |
|
Internet Explorer posted:Showing my ignorance here, does no one use Elastic Stack or does that not have specific enough tools for what InfoSec folks need? We are using Elastic Stack, we run completely without support, it's a bit of a pain in the rear end but it does the job and I've learned a ton. abigserve posted:ELK suffers from a more severe version of what splunk struggles with and that is your data has to be formatted reasonably well at ingest and most logging is hot garbage and hard to manipulate into a sane data structure. Yeah having to customize outliers with ruby code with their custom API-calls is something else. As you say its a pain to learn how to do and not to do things, but when its there its great.
|
# ? May 16, 2019 06:03 |
|
Yeah that's what I'm slowly finding out ELK is cool if I log stuff from an API that's already sorted out, and honestly it's pretty swanky for $0 (well, $0 plus the machinery). I'm just always chasing what I need to map out for this product it seems.
|
# ? May 16, 2019 06:05 |
|
How much time would you guys say you spend learning and configuring with ELK?
|
# ? May 16, 2019 13:37 |
|
Lucid Nonsense posted:How much time would you guys say you spend learning and configuring with ELK? With my SELK setup, which is an IDS/IPS + ELK, it was fairly simple to do. Tested it with a could of my honeypots and got good results.
|
# ? May 16, 2019 14:48 |
|
Gonna wear my Security Onion shirt tomorrow and cry about how easy it is vs rolling your own Elastic.
|
# ? May 16, 2019 16:34 |
|
I'd like to dedicate this post to Cisco who's latest IPS GeoDB update zeroed out my list of blocked countries which caused the access control list to freak out and drop all traffic causing a production outage. Queue the director of IT Ops calling me on my cell and yelling at me directly. I love this job some days. Just kidding, I can't wait to quit. From college to burned the gently caress out in three years.
|
# ? May 17, 2019 01:01 |
|
IT sucks, hell yeah
|
# ? May 17, 2019 01:06 |
|
Diametunim posted:I'd like to dedicate this post to Cisco who's latest IPS GeoDB update zeroed out my list of blocked countries which caused the access control list to freak out and drop all traffic causing a production outage. I've seen some fun stuff like that. One customer made a config change on an ASA and it started generating over 1k error messages per second for several hours afterward. Just a routine change, not a mistake. Cisco bug. Another customer changed their logging from udp to tcp, and it killed their wan access. Another Cisco bug.
|
# ? May 17, 2019 01:07 |
|
Blinkz0rz posted:IT sucks, hail satan
|
# ? May 17, 2019 01:25 |
|
So it turns out all of those SQL passwords stored in a Sharepoint? All of those servers have mixed mode authentication on, we can log in with admin rights just by using our credentials. So there’s zero loving point in us having the credentials in the first place.
|
# ? May 17, 2019 01:45 |
|
Lucid Nonsense posted:I've seen some fun stuff like that. One customer made a config change on an ASA and it started generating over 1k error messages per second for several hours afterward. Just a routine change, not a mistake. Cisco bug. Ask me about the bug where deleting almost any config item on our A10 load balancer would cause the device to panic and reload It was 100% reproducible. One of those real “how the gently caress did this ever get released” bugs cause it wasn’t some edge case, it’s a normal operation you do all the drat time. Computers are the worst. it got released because A10 is hot garbage Docjowles fucked around with this message at 02:55 on May 17, 2019 |
# ? May 17, 2019 02:52 |
|
Lucid Nonsense posted:I've seen some fun stuff like that. One customer made a config change on an ASA and it started generating over 1k error messages per second for several hours afterward. Just a routine change, not a mistake. Cisco bug. If you're referring to the thing where the ASA will stop all traffic forwarding if it can't reach a syslog server over TCP, it's not a bug. In fact, that is Cisco Approved Default Behavior. You have to specifically configure the ASA not to become a brick if it can't send syslog data over TCP. Some colleagues of mine were introduced to this behavior recently, and it may or may not have involved a total failure of all outbound web traffic because of it. Death to the ASA.
|
# ? May 17, 2019 03:25 |
|
In an enterprise context, how risky is it allowing BYOD Android devices to be used for Push/SMS/Voice 2FA and email access? Is BYOD just a joke in the first place and you don't allow it period? But if you do allow it, what is your policy on Android version/security updates?
|
# ? May 17, 2019 05:28 |
|
Ranter posted:In an enterprise context, how risky is it allowing BYOD Android devices to be used for Push/SMS/Voice 2FA and email access? It's fine.
|
# ? May 17, 2019 05:46 |
|
|
# ? May 13, 2024 10:39 |
|
So no concerns if they're running a device that no longer receives security updates? I'm wondering if we need to get Finance to change our T&E policy to allow for partially or fully paying for new phones every 2 years, since we don't give out company phones and require them to log in. Bald Stalin fucked around with this message at 08:18 on May 17, 2019 |
# ? May 17, 2019 08:14 |