gallop w/a boner posted:

Sorry if this doesn't fit in with the rest of the thread. I have just moved to a new position. I have an 'IT Security Manager' reporting to me.

Their role is quite poorly defined. As far as I can ascertain, they currently do the following 4 things:

• Read security blogs and other news sources and alert other technical staff of potential problems (e.g. send an email to the relevant Ops group to advise of a vulnerability in MS Exchange).
  
• Triage tickets raised from our Managed SIEM service (e.g. raise a ticket with the desktop team to advise that a PC may have adware because the cloud SIEM have noticed it sent a HTTP request to somewhere suspicous).
  
• Arrange Penetration Tests from external suppliers, distribute the results of those tests to the internal groups so they can take action.
  
• Provide guidance on compliance when tendering for contracts (e.g. advises sales what our AD password policies are)
  

What would you expect a high-performing IT Security Manager to do? E.g. would you expect them to be able to perform some vulnerability testing themselves? Would you expect them to develop reporting capability? Get involved in development practices? Any specific examples would be great. I suppose it seems odd to me that this person does not do any hands-on technical work, and they don't have a very deep technical understanding (e.g. didn't understand the mechanism behind a SQL injection attack).

It's a professional services company, not a technology company. Usual sort of landscape, mostly Windows clients and servers.

Volmarias posted:

If you hired someone competent, would they leave from boredom/underpay?

Volmarias posted:

Why were they hired? Who hired them? Are they there just to tick a box in one of your contracts, and or to be a prop in client meetings?

If you hired someone competent, would they leave from boredom/underpay?

Bullet Magnet posted:

I apologize as I'm going to make a few broad assumptions.

IT Security Manager is a rather broad term, in my opinion. What I imagine they'll be doing is what one might consider an IAM (Information Assurance Manager) to perform. If he has anyone under him, they'd likly be doing more of the technical work. As an IAM, one tends to spend more time developing policy and verifying compliance at a much broader level: think like working with the FSO to determine policies for server downtime, change management, keeping track of Certificates and their expirations, working with HR to ensure passwords are changed when employees leave, etc. here's the first link I found when I google'd "Information Assurance Manager job description" https://resources.infosecinstitute.com/job-titles/information-assurance-manager/#gref.

As well, I would expect him to be keeping up with the Compliance of entire groups of systems. For example, you will likely have a production environment and (god willing) a development/testing environment at least. He would likely ensure that the development environment is held to the same standards as the production environment, however he should likely have paper work explaining exemptions that exist in the development environment to allow people to develop; no single environment should be a "Wild Wild West".

He should probably be keeping up with major security vulnerabilities (i.e. Security Blogs, IASE https://iase.disa.mil/Pages/index.aspx, other such places). In a perfect world, he'd also be able to UNDERSTAND the technical side of these explanations, and offer some sort of broad arching plan for mitigation to whomever he reports to. Likely, instead he should be able to delegate said information to someone more technical, and work with them to develop a Plan of Action & Mitigation.

He should probably be able to perform regular account audits, ensuring the the correct people have the correct account permissions according to Least Access is determined to be best applicable to your company.

Basically, if your developers (if you have any) and/or administrators are not bitching on a constant and regular basis about his draconian laws and policies, he's probably being pretty goddamn lazy. Because the alternative is that he's goddamn brilliant and understands how to slide all that poo poo into place without admins and developers knowing (i.e. he's VERY technically capable).

gallop w/a boner posted:

I think this person was possibly 'shuffled' into the security position because they struggled with technical work, but were relatively well-liked?

peak debt posted:

That's basically what the IT security guy does in our company. Subscribe to email alerts, read articles, and write design papers for fancy poo poo that gets recommended in trade magazines like NAC, network zones or application whitelisting. The email alerts are usually kinda pointless, like who the hell needs to be alerted that Adobe released a critical Flash update on the second tuesday...

gallop w/a boner posted:

They were previously in a senior systems administrator role. I think this person was possibly 'shuffled' into the security position because they struggled with technical work, but were relatively well-liked?

quote:

Thanks! This is really useful. I think there is resentment coming from the Ops/Dev guys essentially because this guy seems to have so much free time, and an undemanding set of duties.

Absurd Alhazred posted:

Palladium posted:

Workplace politics happened? Why us never.

Mustache Ride posted:

I've done a little with Splunk, using the following APIs: https://developers.google.com/google-apps/
I think theres a few apps on splunkbase now. No idea if they're any good, but you can steal the python from those and use it for your own solution.

Which SIEM?

Palladium posted:

Workplace politics happened? Why us never.

Lain Iwakura posted:

Splunk, but the GApps one isn't an official app and I am always a bit sketched when I have to make use of them. I'm not adverse to writing my own app from the bottom up that said since if it breaks then I know where it broke, et cetera.

Mustache Ride posted:

Yeah, those are typically kinda screwy. I haven't done much with Splunk, just the GApps Admin SDK, Drive API, and a few of the GMail stuff (delegation, history, etc). Google's development docs are pretty good, so you can probably create your own stuff and roll with it. GApps isn't really all that complicated, so you don't need to go hog wild with all of the API options.

Lain Iwakura posted:

Anyone ever done some SIEM integrations into GApps? I'm looking to pull whatever data they have available on there and am looking around to see what others have done. Namely I am looking at collecting whatever data Google will make available to my org and dumping into our log collector for further use.

porkface posted:

"I want to dump a bunch of poo poo to splunk and then figure out what's important" is not a use-case or even a worthwhile plan.

"I know I eventually want to dump stuff to splunk" and "I want to catch this particular event" is a good use-case and an actionable plan.

I know you're just asking us for the "what events" portion but if you give it 5 minutes thought you'll come up with a few and then you can look to the community for other suggestions to extend that.

I would start with items matching certain criteria being shared with external parties. You probably want to set a policy for what items and which paths can be shared, and then monitor for exceptions.

porkface posted:

"I want to dump a bunch of poo poo to splunk and then figure out what's important" is not a use-case or even a worthwhile plan.

"I know I eventually want to dump stuff to splunk" and "I want to catch this particular event" is a good use-case and an actionable plan.

I know you're just asking us for the "what events" portion but if you give it 5 minutes thought you'll come up with a few and then you can look to the community for other suggestions to extend that.

I would start with items matching certain criteria being shared with external parties. You probably want to set a policy for what items and which paths can be shared, and then monitor for exceptions.

The Electronaut posted:

Lain has written at length and presented about data onboarding for a SIEM. I took it as a, "Hey, I've never dealt with this platform, any insight into how to deal with it?" Where I'm at we're currently looking at the same time but with Azure.

porkface posted:

"I want to dump a bunch of poo poo to splunk and then figure out what's important" is not a use-case or even a worthwhile plan.

"I know I eventually want to dump stuff to splunk" and "I want to catch this particular event" is a good use-case and an actionable plan.

I know you're just asking us for the "what events" portion but if you give it 5 minutes thought you'll come up with a few and then you can look to the community for other suggestions to extend that.

I would start with items matching certain criteria being shared with external parties. You probably want to set a policy for what items and which paths can be shared, and then monitor for exceptions.

Mustache Ride posted:

Man, gently caress Azure log integration. Every other week it changes, and now you want me to pay for Event Hub? Fuckers.

ChubbyThePhat posted:

This is a thing that may become my problem in the coming months. How bad are we talking?

porkface posted:

"I want to dump a bunch of poo poo to splunk and then figure out what's important" is not a use-case or even a worthwhile plan.

"I know I eventually want to dump stuff to splunk" and "I want to catch this particular event" is a good use-case and an actionable plan.

I know you're just asking us for the "what events" portion but if you give it 5 minutes thought you'll come up with a few and then you can look to the community for other suggestions to extend that.

I would start with items matching certain criteria being shared with external parties. You probably want to set a policy for what items and which paths can be shared, and then monitor for exceptions.

Thanks Ants posted:

Are you authenticating G Suite against Azure AD?

I need to do that but Google seem adamant they won’t help, and they have no way to pilot it. Have you got any tips?

Lain Iwakura posted:

Listen, I rarely like tooting my horn but I know what I am doing. I asked a question and didn't need this sort of response.

And for those who are interested: we're doing Azure AD for the authentication side of things so that is a good chunk of my work done since I am already collecting that stuff (and holy crap is it ever a turd to collect from) but my main concern was going through the audit trail and whatnot.

Mustache Ride posted:

Man, gently caress Azure log integration. Every other week it changes, and now you want me to pay for Event Hub? Fuckers.

Lain Iwakura posted:

Listen, I rarely like tooting my horn but I know what I am doing.

D. Ebdrup posted:

Does Windows still do the thing where, if you enable Hyper-V, it doesn't let any other hypervisor access VT-x/AMD-V?

D. Ebdrup posted:

Does Windows still do the thing where, if you enable Hyper-V, it doesn't let any other hypervisor access VT-x/AMD-V?