
Additionally, if something bad happens, who will actually be called on the carpet? If there's an AD password policy, who made it, and who keeps it updated? e: basically, it's weird. If you're big and mature enough to have an FTE explicitly in a security role, I'd expect your security policies and procedures and who does them to be pretty fully fleshed out and written down. Albinator fucked around with this message at 15:51 on Feb 1, 2019
# ? Feb 1, 2019 15:48

That's basically what the IT security guy does in our company. Subscribe to email alerts, read articles, and write design papers for fancy poo poo that gets recommended in trade magazines like NAC, network zones or application whitelisting. The email alerts are usually kinda pointless, like who the hell needs to be alerted that Adobe released a critical Flash update on the second Tuesday... He is relatively technically competent though - he's Cisco certified, and is smart enough to understand non-networking stuff like data execution. But he also does absolutely no technical work. Part of that seems to have been a requirement from our consultants that created the position, that he would have read rights on just about every system we have to run reporting tools on, but no admin rights anywhere.
# ? Feb 1, 2019 17:11

gallop w/a boner posted:
> Sorry if this doesn't fit in with the rest of the thread. I have just moved to a new position. I have an 'IT Security Manager' reporting to me.
I apologize as I'm going to make a few broad assumptions. IT Security Manager is a rather broad term, in my opinion. What I imagine they'll be doing is what one might consider an IAM (Information Assurance Manager) to perform. If he has anyone under him, they'd likely be doing more of the technical work. As an IAM, one tends to spend more time developing policy and verifying compliance at a much broader level: think like working with the FSO to determine policies for server downtime, change management, keeping track of certificates and their expirations, working with HR to ensure passwords are changed when employees leave, etc. Here's the first link I found when I googled "Information Assurance Manager job description": https://resources.infosecinstitute.com/job-titles/information-assurance-manager/#gref. As well, I would expect him to be keeping up with the compliance of entire groups of systems. For example, you will likely have a production environment and (god willing) a development/testing environment at least. He would likely ensure that the development environment is held to the same standards as the production environment; however, he should likely have paperwork explaining exemptions that exist in the development environment to allow people to develop; no single environment should be a "Wild Wild West". He should probably be keeping up with major security vulnerabilities (i.e. security blogs, IASE https://iase.disa.mil/Pages/index.aspx, other such places). In a perfect world, he'd also be able to UNDERSTAND the technical side of these explanations, and offer some sort of overarching plan for mitigation to whomever he reports to. Likely, he should instead be able to delegate said information to someone more technical, and work with them to develop a Plan of Action & Mitigation.
He should probably be able to perform regular account audits, ensuring that the correct people have the correct account permissions according to however Least Access is determined to be best applicable to your company. Basically, if your developers (if you have any) and/or administrators are not bitching on a constant and regular basis about his draconian laws and policies, he's probably being pretty goddamn lazy. Because the alternative is that he's goddamn brilliant and understands how to slide all that poo poo into place without admins and developers knowing (i.e. he's VERY technically capable).
# ? Feb 1, 2019 17:54

You mentioned penetration testing, but do you currently have any vulnerability scanning in place? This should come first. In my experience, some sysadmins are still bad about updating their servers because they won't want to break the SQL server with a bunch of real-time financial transactions occurring.
Volmarias posted:
> If you hired someone competent, would they leave from boredom/underpay?
This point is important too. A title doesn't mean much if you're just paying them 50k a year.
# ? Feb 1, 2019 21:09

Volmarias posted:
> Why were they hired? Who hired them? Are they there just to tick a box in one of your contracts, and/or to be a prop in client meetings?
They were previously in a senior systems administrator role. I think this person was possibly 'shuffled' into the security position because they struggled with technical work, but were relatively well-liked?
Bullet Magnet posted:
> I apologize as I'm going to make a few broad assumptions.
Thanks! This is really useful. I think there is resentment coming from the Ops/Dev guys essentially because this guy seems to have so much free time, and an undemanding set of duties.
# ? Feb 1, 2019 21:32

gallop w/a boner posted:
> I think this person was possibly 'shuffled' into the security position because they struggled with technical work, but were relatively well-liked?
# ? Feb 2, 2019 04:15

peak debt posted:
> That's basically what the IT security guy does in our company. Subscribe to email alerts, read articles, and write design papers for fancy poo poo that gets recommended in trade magazines like NAC, network zones or application whitelisting. The email alerts are usually kinda pointless, like who the hell needs to be alerted that Adobe released a critical Flash update on the second Tuesday...
If he is writing design papers I guess he is actually planning implementations at some level of detail? This would actually be useful.
# ? Feb 2, 2019 11:16

If "everyone likes him", it sounds like this guy may have actual good use if put into more of a sales or marketing role, rather than expecting any specific technical output. Can you have him rearranged to a different department and free your own budget up? Does this guy have any actual reports? Would any of them be competent to do his nominal job?
# ? Feb 2, 2019 18:25

gallop w/a boner posted:
> They were previously in a senior systems administrator role. I think this person was possibly 'shuffled' into the security position because they struggled with technical work, but were relatively well-liked?
Though you can see why well-liked is an important quality for security. The best relationships in web-app sec are when the developers get into it and bring stuff up to you before it becomes a problem. This is in a non-lovely DevOps situation though where they can do that type of analysis.
quote:
> Thanks! This is really useful. I think there is resentment coming from the Ops/Dev guys essentially because this guy seems to have so much free time, and an undemanding set of duties.
...though this bugs me. Does he do anything helpful like training, testing, research, development work?
# ? Feb 2, 2019 22:07

https://twitter.com/bldgblog/status/895728956724322304
# ? Feb 3, 2019 22:40

That's so 2017
# ? Feb 3, 2019 22:47

Workplace politics happened? Why us never.
# ? Feb 4, 2019 03:36

Palladium posted:
> Workplace politics happened? Why us never.
I feel like that's horrifying when it comes to security, though.
# ? Feb 4, 2019 03:42

It sounds like this guy is destined for a C-level job
# ? Feb 4, 2019 04:24

Anyone ever done some SIEM integrations into GApps? I'm looking to pull whatever data they have available on there and am looking around to see what others have done. Namely I am looking at collecting whatever data Google will make available to my org and dumping into our log collector for further use.
# ? Feb 4, 2019 19:55

I've done a little with Splunk, using the following APIs: https://developers.google.com/google-apps/ I think there's a few apps on splunkbase now. No idea if they're any good, but you can steal the python from those and use it for your own solution. Which SIEM?
# ? Feb 4, 2019 21:18

Mustache Ride posted:
> I've done a little with Splunk, using the following APIs: https://developers.google.com/google-apps/
Splunk, but the GApps one isn't an official app and I am always a bit sketched when I have to make use of them. I'm not averse to writing my own app from the bottom up, that said, since if it breaks then I know where it broke, et cetera.
# ? Feb 4, 2019 21:47

Palladium posted:
> Workplace politics happened? Why us never.
I missed this... what's the meaning I'm missing?
# ? Feb 4, 2019 21:59

Lain Iwakura posted:
> Splunk, but the GApps one isn't an official app and I am always a bit sketched when I have to make use of them. I'm not averse to writing my own app from the bottom up, that said, since if it breaks then I know where it broke, et cetera.
Yeah, those are typically kinda screwy. I haven't done much with Splunk, just the GApps Admin SDK, Drive API, and a few of the Gmail stuff (delegation, history, etc). Google's development docs are pretty good, so you can probably create your own stuff and roll with it. GApps isn't really all that complicated, so you don't need to go hog wild with all of the API options.
# ? Feb 4, 2019 22:07

Mustache Ride posted:
> Yeah, those are typically kinda screwy. I haven't done much with Splunk, just the GApps Admin SDK, Drive API, and a few of the Gmail stuff (delegation, history, etc). Google's development docs are pretty good, so you can probably create your own stuff and roll with it. GApps isn't really all that complicated, so you don't need to go hog wild with all of the API options.
Yeah. Looking at its API, it's not so bad. I just hate the fact that I have to support this myself, but alas.
# ? Feb 4, 2019 22:37

Does anyone have any news on Samsung leaking or being hacked for passwords for their Android phones? Admin of a scamwatch group posted a YouTube link but I can't find any other info out there. Not posting the link, and haven't watched it. [Won't add to the click-count until there are corroborating sources.]
# ? Feb 5, 2019 03:08

How would Samsung have the phone passwords in the first place?
# ? Feb 5, 2019 03:17

Yeah... the post seems to be about the email password collections that happened a few days ago but had a misleading preview about the Samsung leaked designs. As you were.
# ? Feb 5, 2019 03:29

Lain Iwakura posted:
> Anyone ever done some SIEM integrations into GApps? I'm looking to pull whatever data they have available on there and am looking around to see what others have done. Namely I am looking at collecting whatever data Google will make available to my org and dumping into our log collector for further use.
"I want to dump a bunch of poo poo to splunk and then figure out what's important" is not a use-case or even a worthwhile plan. "I know I eventually want to dump stuff to splunk" and "I want to catch this particular event" is a good use-case and an actionable plan. I know you're just asking us for the "what events" portion but if you give it 5 minutes thought you'll come up with a few and then you can look to the community for other suggestions to extend that. I would start with items matching certain criteria being shared with external parties. You probably want to set a policy for what items and which paths can be shared, and then monitor for exceptions.
# ? Feb 5, 2019 08:30
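An added example, not code from anyone in the thread, that ties together Mustache Ride's pointer to the GApps Admin SDK and porkface's suggestion above: pull Drive audit events through the Admin SDK Reports API and flag sharing that falls outside a policy of "which documents may be shared externally". Assumptions: the `activities.list` call with `applicationName="drive"` from google-api-python-client (used only in `fetch_drive_activities`, never called at import); the Drive audit event and parameter names used (`change_user_access`, `change_document_visibility`, `target_user`, `visibility`, `doc_id`, `doc_title`); and a policy keyed on `doc_id` rather than a folder path, because Drive audit events carry document ids and titles, so a path-based policy would need a separate Drive API lookup. The sample activities are constructed in the Reports API shape, not real audit data.

```python
"""Drive audit events -> external-sharing findings (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Policy (constructed for the example): our own domains, and documents approved
# for sharing outside them. Exceptions are monitored against this, as suggested.
INTERNAL_DOMAINS = {"example.com"}
APPROVED_EXTERNAL_DOC_IDS = {"doc-partner-deck"}
# Visibility values treated as "outside the org" (assumed Reports API values).
EXTERNAL_VISIBILITY = {"people_with_link", "public_on_the_web", "shared_externally"}


@dataclass
class Finding:
    actor: str
    event: str
    doc_id: str
    doc_title: str
    target: str   # the external user, or the new visibility value
    reason: str


def fetch_drive_activities(service, start_time: str, max_pages: int = 50) -> List[dict]:
    """Page through Drive audit activities via a built `admin`/`reports_v1` service.

    `start_time` is RFC 3339, e.g. "2019-02-01T00:00:00Z". Needs a credentialed
    service from googleapiclient.discovery.build(); not exercised offline.
    """
    items: List[dict] = []
    page_token: Optional[str] = None
    for _ in range(max_pages):
        resp = service.activities().list(
            userKey="all", applicationName="drive",
            startTime=start_time, pageToken=page_token,
        ).execute()
        items.extend(resp.get("items", []))
        page_token = resp.get("nextPageToken")
        if not page_token:
            break
    return items


def _flatten(params: Iterable[dict]) -> dict:
    """Reports API parameters are a list of {name, value|boolValue|intValue}."""
    out = {}
    for p in params:
        for key in ("value", "boolValue", "intValue"):
            if key in p:
                out[p["name"]] = p[key]
                break
    return out


def _is_external(email: str) -> bool:
    """True when the address is not in one of our own domains."""
    return email.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def detect_external_sharing(activities: Iterable[dict]) -> List[Finding]:
    """One Finding per event that shares a non-approved document outside the org."""
    findings: List[Finding] = []
    for item in activities:
        actor = item.get("actor", {}).get("email", "unknown")
        for ev in item.get("events", []):
            p = _flatten(ev.get("parameters", []))
            doc_id, doc_title = str(p.get("doc_id", "")), str(p.get("doc_title", ""))
            if doc_id in APPROVED_EXTERNAL_DOC_IDS:
                continue  # policy exception: this document may be shared externally
            name = ev.get("name")
            if name == "change_user_access":
                target = str(p.get("target_user", ""))
                if target and _is_external(target):
                    findings.append(Finding(actor, name, doc_id, doc_title, target,
                                            "shared with a user outside INTERNAL_DOMAINS"))
            elif name == "change_document_visibility":
                visibility = str(p.get("visibility", ""))
                if visibility in EXTERNAL_VISIBILITY:
                    findings.append(Finding(actor, name, doc_id, doc_title, visibility,
                                            "visibility widened beyond the org"))
    return findings


def _event(name: str, **params) -> dict:
    """Build one event in the Reports API shape (constructed sample helper)."""
    return {"type": "acl_change", "name": name,
            "parameters": [{"name": k, "value": v} for k, v in params.items()]}


# Constructed sample activities, not real audit data.
SAMPLE_ACTIVITIES = [
    {"actor": {"email": "alice@example.com"},
     "events": [_event("change_user_access", doc_id="doc-q1-budget",
                       doc_title="Q1 Budget", target_user="bob@example.com")]},
    {"actor": {"email": "alice@example.com"},
     "events": [_event("change_user_access", doc_id="doc-q1-budget",
                       doc_title="Q1 Budget", target_user="mallory@contractor.test")]},
    {"actor": {"email": "alice@example.com"},
     "events": [_event("change_document_visibility", doc_id="doc-partner-deck",
                       doc_title="Partner Deck", visibility="people_with_link")]},
    {"actor": {"email": "carol@example.com"},
     "events": [_event("change_document_visibility", doc_id="doc-hr-roster",
                       doc_title="HR Roster", visibility="public_on_the_web")]},
]

if __name__ == "__main__":
    for f in detect_external_sharing(SAMPLE_ACTIVITIES):
        print(f"{f.actor} {f.event} '{f.doc_title}' -> {f.target}: {f.reason}")
```

On the sample, the internal share and the approved partner deck pass, while the share to `mallory@contractor.test` and the HR roster going public are reported; in a real deployment the findings would be the events worth forwarding to the SIEM with an alert attached, and the policy sets are where the "what items can be shared" decision lives.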

porkface posted:
> "I want to dump a bunch of poo poo to splunk and then figure out what's important" is not a use-case or even a worthwhile plan.
Lain has written at length and presented about data onboarding for a SIEM. I took it as a, "Hey, I've never dealt with this platform, any insight into how to deal with it?" Where I'm at we're currently looking at the same thing but with Azure. The Electronaut fucked around with this message at 15:57 on Feb 5, 2019
# ? Feb 5, 2019 15:21

porkface posted:
> "I want to dump a bunch of poo poo to splunk and then figure out what's important" is not a use-case or even a worthwhile plan.
LOL. Trying to school Lain of all people on How to Log.
# ? Feb 5, 2019 15:52

The Electronaut posted:
> Lain has written at length and presented about data onboarding for a SIEM. I took it as a, "Hey, I've never dealt with this platform, any insight into how to deal with it?" Where I'm at we're currently looking at the same thing but with Azure.
Man, gently caress Azure log integration. Every other week it changes, and now you want me to pay for Event Hub? Fuckers.
# ? Feb 5, 2019 16:02

porkface posted:
> "I want to dump a bunch of poo poo to splunk and then figure out what's important" is not a use-case or even a worthwhile plan.
lol
Mustache Ride posted:
> Man, gently caress Azure log integration. Every other week it changes, and now you want me to pay for Event Hub? Fuckers.
This is a thing that may become my problem in the coming months. How bad are we talking?
# ? Feb 5, 2019 16:08

I'm pretty happy with our move to Humio for log aggregation. A bit of a clusterfuck to get the sizing/hardware config right for a large deployment because you're optimizing around sequential 1MB IOs instead of whatever tiny random ones Splunk does, but it works well.
# ? Feb 5, 2019 16:09

ChubbyThePhat posted:
> This is a thing that may become my problem in the coming months. How bad are we talking?
Ah, it's not as bad as I'm making it out to be. It changes, but it's pretty slow. Eventually Event Hub will be the destination for all log data for AAD, O365, and Azure Apps, but it's taking them time to make the switch. For now most of the old stuff will continue to work.
# ? Feb 5, 2019 16:13

porkface posted:
> "I want to dump a bunch of poo poo to splunk and then figure out what's important" is not a use-case or even a worthwhile plan.
Listen, I rarely like tooting my horn but I know what I am doing. I asked a question and didn't need this sort of response. And for those who are interested: we're doing Azure AD for the authentication side of things so that is a good chunk of my work done since I am already collecting that stuff (and holy crap is it ever a turd to collect from) but my main concern was going through the audit trail and whatnot.
# ? Feb 6, 2019 01:04

Are you authenticating G Suite against Azure AD? I need to do that but Google seems adamant they won't help, and they have no way to pilot it. Have you got any tips?
# ? Feb 6, 2019 01:22

Thanks Ants posted:
> Are you authenticating G Suite against Azure AD?
Yeah. All I can say is look at this and best of luck. I'm fortunately not involved in this GApps project but I am trying to get data pulled before we get too deep. https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial That is all I have but I am guessing you may have read it too. I can say it works however.
# ? Feb 6, 2019 01:41

Lain Iwakura posted:
> Listen, I rarely like tooting my horn but I know what I am doing. I asked a question and didn't need this sort of response.
Sorry, I thought this was someone coming at it for the first time and didn't want them to start shoveling data without some idea how to use it.
# ? Feb 6, 2019 06:11

Mustache Ride posted:
> Man, gently caress Azure log integration. Every other week it changes, and now you want me to pay for Event Hub? Fuckers.
Lain Iwakura posted:
> Listen, I rarely like tooting my horn but I know what I am doing.
# ? Feb 6, 2019 12:38

Does Windows still do the thing where, if you enable Hyper-V, it doesn't let any other hypervisor access VT-x/AMD-V?
# ? Feb 6, 2019 12:46

D. Ebdrup posted:
> Does Windows still do the thing where, if you enable Hyper-V, it doesn't let any other hypervisor access VT-x/AMD-V?
Yes
# ? Feb 6, 2019 15:35

D. Ebdrup posted:
> Does Windows still do the thing where, if you enable Hyper-V, it doesn't let any other hypervisor access VT-x/AMD-V?
Sure does. ^ beat by a mile
# ? Feb 6, 2019 15:51

Exclusive locking in general is a big old clusterfuck on Windows. "No, you can't play/open/close/delete/write/copy this resource or file. Someone, somewhere has it open."
# ? Feb 6, 2019 15:59

This Exchange vuln rules https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
# ? Feb 6, 2019 18:03