
Hi, so, welcome to BSides Vancouver. I am very honored to be here today. I'm going to be talking about beautiful basics, and this term was actually told to me by Janine Defiore, who's an awesome CISO here at United, where I work. I loved how it sounded when she said it, so I really wanted to incorporate it, because it incorporates what I've been learning over my career. So let me see if I can move to the next slide.

A little bit about me: father, husband, those are the most important things to me. The dollar sign next to the cert actually looks and affects that pretty significantly. Red team director, cyber and intel director, been doing CCDC for a number of years, so I have quite a bit of experience when it comes to all kinds of cyber-related things. One of the things that I have noticed over the years, from job to job (I've done a little bit of job hopping, and you'll see this), is that we all talk about basics. We all talk about "hey, why aren't you doing the simple stuff?" And I've seen too many talks, exactly this style, that are all about "have better passwords, do this, do that," and a lot of them don't tell you how to get there. A lot of them say things that are super simple when they're not, and they don't really give the background for them. So I've heard complaints like "all of that is well and good, but it'll never work where I work," or "it's not as easy as you are making it sound," or "we already know all this." To those things I want to say that this is a journey through my career and my experiences, and I hope that you see that as I go through the different jobs that I've had, as I go through the different positions that I've filled. Unfortunately it's like a resume, but I hope that you learn a little bit from it. So here are my lessons learned the hard way. As a Marine, that tends to be how I learn things: as hard as possible, like the worst way possible.

So like I said, I was in the Marine Corps and participated in the MARCERT. This is the first job that I kind of had in cyber security. I learned a ton, but one of the things that stuck out, one of the key things that stuck out every single time
I had a conversation when it came to anything cyber security related was the same thing that I found at the Senate and the same thing that I found at the Pentagon, and in any government work, I think, you'll get the same thing: "well, this is legacy; if we take it down, it's not going to work," "we don't have the people here anymore to manage the legacy device," or whatever. That is one of the permeating excuses, because the government had one of the first networks in the world, right? So it has all of that legacy stuff. So how do you deal with that? Well, it's by changing the conversation. I think that legacy systems do their job, and they do it well, but it's because we have these outdated mindsets on them that things really stagnate. It's like "I can't move this system to a Windows 10 machine because it only works on XP, or Windows 2000, or Windows NT," and that's because the person or other individuals moving it think that the only way to move this machine to a newer OS, or to modernize it, is to move it by figuring out how the installer works, figuring out how the pieces work, and then making sure that those pieces work in Windows 10, or a newer version of Linux, or whatever. And so the problem isn't the legacy device; it's the fact that we don't have the people thinking that this is the way they can move it. I fall victim to this all the time, but this is one of the things that I learned really early on in my career in the military and the government: we think of things in the sense of how we learned them, and that point-in-time information on how we can move things. I know plenty of people who still think that Norton Ghost is the only way to clone a machine, whereas we have virtualization software out the wazoo. You can get virtualization software; it comes installed on OSes everywhere, right? So we have to battle the legacy issue not at the system level but at the mindset level, and find and teach people better ways of doing things. Staying up with those things is really hard, and so training and teaching and pushing people outside of their comfort zone matters, and Norton Ghost is a comfort zone for many. Some of you don't even know what that is and are googling frantically on what that is right now. But that's a comfort zone for people, so we need to push people to go outside their comfort zone to learn new technologies: DevSecOps, DevOps, all of this new stuff. Is DevOps even new anymore? Yeah, so pushing everyone outside their boundaries, going forward, and thinking of new ways to deal with the legacy stuff, because you can essentially clone a system, push it up into AWS, and it'll work for the most part, right? So you can have a Windows NT machine sitting there in AWS and essentially have it modernized by putting firewalls and all kinds of things around it. So you've got to figure out how to do things. I don't like lift and shift, but we can get to that at another time.
So then I worked at Applied Security, where I learned one of the most frustrating but awesome things. The frustrating part is that at this small little company (so: big U.S. government, then small little company) we had it so that no one actually had admin privileges, and this was back in 2009-ish. There wasn't a lot of least privilege talk out there, but back in 2009 this company had it so that no one really had admin privileges. You had to check out a temporary administrative privilege, just like if you wanted to check out a book from a library, and it was logged what you were going to do with it and how you were going to use it. It gets me every time that I work in an organization where there are, you know, 15 domain admins, or named domain admins, or named administrators for global admin, or AWS administration, or Azure administration. Why aren't these generic accounts? Why don't we manage who has access to them and when they have access to them? And yeah, it's difficult to set up, and admins are going to complain about it because that's not how they are used to doing things, but that's really, really important, because of that permission, even if it's automatic. Netflix actually does this, or did this, at least back in 2012, I think it was. They posted a really good blog post about how every time someone checks out an administrative credential temporarily, it goes into a Slack channel for them, and everyone gets the update in a single channel, and then it also goes to them and they can approve or disapprove it. It's like a side MFA thing. It was really amazing. So more generic accounts, more logging on their usage, is really where we should be going. And this beautiful basic, again, 2009, right? This is when that was happening, and so we need to move towards that. This is not an instant overnight thing; you've got to go slowly with it. But if you're not already to the point where you're using something like, shoot, Vault, I forget who makes it, HashiCorp. If you're not using HashiCorp Vault or something where you're vaulting the service accounts and stuff like that, that's something you should already have on your timeline, no matter what size company you are, right? If you have any administrative rights for anything, even if you're a mom-and-pop shop, you should have a way to have a credential, even if it's in a password manager that you both share, where it's only used as a last resort. It's not an everyday use. Administrative rights should not be
everyday carry is my new saying.

So, Rapid7. This is my first consulting gig. This is when I started doing pen testing for lots of different companies, and one of the interesting things about pen testing a lot of different companies is that you notice how you actually get caught and how you don't. Over the year and some change that I worked there I did a pen test a week, so that's 52 weeks' worth of pen testing different companies, and I noticed a trend: every time that I would actually get caught by an organization, it was because a person, not security related, would say "hey, my Oracle box has a new user on it, why? I'm reporting this to security," or "I got a phishing email, I'm reporting this to security," or me as the attacker, I hit a honey token. A honey token is essentially a fake user or fake file that creates a detection when it's accessed or used, and so I was detected so many times by these system administrators, not even security people, system administrators that would do small things to get me detected. There's a small little ad at the bottom saying Thinkst Canaries are awesome, and they really are. I'm not paid by them or anything, but it's really an amazing tool. They have an open source version too that you can spin up, even if you're a small mom-and-pop shop, which is awesome, that they give back to the community like that. So invest in your people, invest in your honey tokens. That's where your best detective measures come into play. Like I said, I've been detected by these honey tokens more times than by multi-million dollar EDRs.

So then I went from consulting all the way up to General Electric, which is a giant, big, honking company, I think 1.6-some-odd million users on it, and this is where I learned the really hard lesson. As a Marine I learned that security
is everyone's job. Every Marine is a rifleman. That gets bundled into every single day of your life as a military member: if you stand watch, or go to war, or anything, everyone has your back, and that's really important for those scenarios. But one of the things that I hear time and time again at every conference that I go to is that it's the users: stupid users, darn users. And it's not their job. One of the cool things I learned at General Electric was that we can make it not their job, and as security professionals it's on us to do that. It's on us to configure the things correctly so that even if they do click a link, if they download a thing, it doesn't do anything, while enabling their job. So: incentivizing and protecting. There should not be a single negative thing when someone clicks a phishing email, and what I mean by that (I say "thing" because it's as generic as I need) is there should not be any repercussions for them clicking on it. They shouldn't have extra training or anything like that. They also shouldn't have anything happen on their machines, click malware, whatever. So what I mean on the repercussion side is, if you incentivize them, if you say "hey, you get 10 points every time you report a phishing email," people are going to report it more. That comes with some false positives, but you want people to know that and do that. It's not their job, so you pay them, essentially, in points, and points can come out of nowhere by making it fun for them, where if they get 2,000 points or whatever they can get a five dollar gift card from Amazon, or if they get twenty thousand points they can get a fifty dollar gift card from Amazon, whatever you make it. Incentivize it for them and you will have people loving security at that point, right? So you incentivize it, and we need to hold ourselves accountable for doing a better job at security in general, because, to be honest, we're not doing a great job and we need to do better.

So R5 Industries is where I headed next. This is a small little startup; unfortunately it's no longer around, but I learned a very, very valuable lesson there too. When I was consulting, I found that companies that did attack surface reduction, and not really pen testing (pen testing is great, but you don't really get the follow-through with it, and those types of vulnerabilities that a pen test shows are going to come back again), did better.
When you actually look at attack surface reduction, what that means is essentially you look at a single category of things and you say "all right, we're going to fix X: we're going to fix our Azure standpoint, we're going to fix our AWS standpoint, we're going to fix our CI/CD pipeline, we're going to fix our whatever," and you make it an entire project or program at your organization and say "hey, I'm going to go fix this." It does wonders. It does more than patching, it does more than pen testing, it does more than red teaming: just focusing down on one thing until it gets well secured, and then you focus down on another one. I like to think that that's one of the best things about being an internal red teamer: you get this opportunity to do that, because it takes more than finding a ton of vulnerabilities in a line to actually do anything. It takes more than one-time interactions or five-time interactions with a single point of contact. It takes collaboration, it takes programs, it takes projects to solve problems. When you do an attack surface reduction program, you work with all of the people who build those things that you're attacking, and you reduce the actual risk to them. So if you have an internal red team, you should have them doing attack surface reduction projects, and tell them "hey, our CI/CD pipeline is what we want to focus on next, go tear it apart, go figure it out." Not tear it apart, you don't want any outages, but still, find all the problems with it. Excuse me. All right, then, unfortunately, like I said, that company didn't quite make it. So I went on and had the awesome opportunity to work at IBM's X-Force Red when they were just starting to stand that back up, and the lesson I learned here,
this was consulting yet again, and I noticed that one of the things that I would do is I would somehow grab credentials, because this was about the time when phishing using exploits wasn't really working anymore; the Java JAR and Java applets didn't work anymore, and so credential grabbing was starting to become a thing. I noticed that when I had grabbed credentials, I could fly, drive, whatever, up to the place where they had the corporate offices. This wasn't during COVID, but especially during COVID, when no one's around, you can sit out in a driveway, in a parking lot next to a building, whatever, and access wireless super easily, and nobody's talking about this. I know that the Hak5 Pineapple does a bunch of enterprise stuff. I know that SensePost has an amazing track record (I think they're a new company now, not SensePost anymore, but they have an amazing track record) of doing all kinds of amazing attacks on enterprise-level things, but I don't think it's talked about enough that if I grab a set of credentials or a certificate from a company, I can then access them permanently, and no one notices. It's very hard for people to track down wireless connections, and I could go months with my own machine that isn't monitored at all on a system. So what I'm asking here is: hey, on those RADIUS servers, on those Aruba servers, turn on MFA, turn on the ability to do a push notification to a system so that when you connect you have to say "go ahead and connect," because if I steal a credential I'm not going to have their phone, I'm not going to have wherever their MFA is going, so then I can't connect. Make it so that I can't just use a single factor, a certificate or a username and password. Some companies have both, where it's a certificate and a username and password, and that's not really multi-factor, because if I have a certificate, that means I had access to your corporate network once, and that's it. I don't have to have it for a very long time, because all I have to do is request a cert, or have a cert, or have exploited a single system with a cert. And I'll just be honest, there are very few times where those usernames and passwords are matched up with the certificate or checked between the two, and you can just connect. During my consulting time I noticed this, oh my gosh, I don't even know how many times, but I would just drive over and the customer or point of contact would be like "why on earth are you at my office?" or "how did you do that?" Because you have access to all of the things, and I phished them once. I didn't use their VPN, I didn't use all of the other things that do have MFA these days (and if you don't use MFA on VPN, please do, but that's enough for another story). I know that MFA on Wi-Fi isn't talked about that much, but it is an option, and finding that option isn't easy, just from experience on a lot of different companies that I've worked with trying to turn this on. But it can be turned on, and it's not a super difficult thing, because all you do is, at the beginning of the day, have your users push the button on MFA and then they're connected for the rest of the day, which is fine. But that's the minimum that should be wireless these days.

All right, Uber. So after consulting (I noticed, and this will be a trend you'll see, I am not a fan of consulting, but it seems to draw me back every single time), at Uber I was an internal red teamer slash incident responder, and in my first week there, I think, I noticed something that was pretty mind-boggling. When I first started using Chrome, I noticed that they were doing these
rolling automatic updates, essentially, in the background, and Firefox does the same thing now, and IE or Edge does the same thing now. But I noticed something even more amazing at Uber. The mindset that Chrome has on rolling updates, where you're constantly getting these updates, has, I don't know if it's an intended effect, but it's certainly effective on something, and what I mean by that is vulnerabilities or exploits: if you're building an exploit for Chrome you have to have a very specific version in mind. That worked for IE too: for Internet Explorer you targeted IE6, IE7, not individual small little things in between, but big version numbers is what you could target. Now with Chrome, because it updates all the time, you are no longer able to say "I can exploit Chrome 99 all across the board," not easily, like in rare cases, but it's such a rarity these days. It dawned on me on previous jobs that the reason why vulnerabilities aren't as well seen in browsers anymore is because of these rolling updates, and when I started working at Uber I noticed that they were doing the same for servers, which boggled my mind. So I dug into it and learned that they would have individual server groups go down, do the patches, all of the patches, while these other servers were load balanced and could handle the load, and they would spin up and down, grow and shrink, using AWS and Azure and GCP and stuff like that, automatically. They were doing the same for servers, and that had the same effect that Chrome did when they first started doing security updates: these systems no longer stayed online forever, and that downtime actually increased security by a lot. It also made it so that, as an attacker, when I was doing red team stuff for them, I couldn't stay on a server for very long, because it would stay alive for maybe an hour or a day. I could do what I could, but as soon as that server went offline it got wiped and reloaded. This is where DevOps and infrastructure as code and that kind of stuff comes in: I couldn't stay on these systems for very long, and that was very new to me. I love persistence, and figuring all that out was very tough. As an attacker it was really hard to stay on any of the services that Uber had, because they were always changing, there were microservices all over the place, and they were getting destroyed all the time. So how can you work this into a corporation? How can you work this into a bigger product? Well, load balancing, resiliency. You build servers where it's not just a single monolithic giant server that does everything. You use microservices, you use Docker containers, and you blow them away and have them be rebuilt all the time. That way you stay ahead of patches, that way you stay ahead of all kinds of things. But obviously you have to patch your core images, and then we're getting back to all of the problems we had with Norton Ghost, where that image would get out of date, and then you'd deploy it to a server and it'd take five years to patch because your base image was out of date. So you update your base image; it automatically goes to the latest. That's one of the coolest things about Docker: if you're pulling from latest, it will automatically pull and go up. So if you can change your mindset on any server that you currently have, be it ESXi, be it Active Directory even (we'll talk about that in a second), any identity provider, any other thing, where you can have persistent data with a non-persistent service, you will go miles ahead, and that applies to everything. It really does. You see everything going to Kubernetes or Docker, and that's because it can, and it's not as hard as you think. Moving things that way, with that mindset in place, will deal with security without you even thinking about it.

All right, this is probably one of the hardest-to-consume beautiful basic lessons that I had, but it was amazing. Telling people about this and getting them to embrace it is really hard, because people like their
laptops, and they use them for all kinds of things. But when I worked at Uber there was a system that would continue to be infected with random malware, and every time it was because people were plugging in USB sticks. It wasn't that they were plugging in USB sticks that was the problem, and that's what everyone talks about: "hey, you shouldn't allow USB sticks." We need to change that thinking and make it so that they can still exchange things on a USB stick and it doesn't do anything bad. This is what the whole talk is about, right? Finding ways to make it so that the bad thing doesn't happen and the good thing still does. So we deployed a Chromebook to that location, and instantly, overnight, no more vulnerability, no more malware infections, because the malware on those USB sticks was Windows-focused or Mac-focused, right? So if it's a Chromebook, it doesn't have a platform for that, necessarily. There are Chromebook vulnerabilities, but not as many, and as I said, Chrome changes all the time. But if you expand that, if you take it and say "hey, does my HR person really, honestly need a full Windows machine if they're using Office 365, or Google Sheets, and Gusto, and all of these other products that are out there that are all web-based?" If you have a person in mind that doesn't use anything but web-based platforms, and that's where everything's going these days, then do they really need a Windows machine? Do they really need a Mac? The answer is probably no, but tearing it out of their hands is going to be tough. So what you need to do to get this to work, and I found this to work, is you start with beta testers, people who will get an additional Chromebook but not get their main machine refreshed on them. So they get the new Chromebook, they start to like it because it's portable and easy to use, or whatever, and a lot more portable than the standard laptop. It's a lot faster, because there's no OS to deal with, there's no EDR to deal with, that kind of thing. They start to like it and they start to use it more, and then when you do the refresh and they have to turn in their old laptop, it's been sitting in a corner for six months. So to get this to work, you don't force it down anyone's throat. None of these lessons you force down; you go through it. It's a process to get there, and a project to get there, and that's why I think that internal red teams are really good, because they can help these projects along and talk about risk. When you do something like this, it's really hard for ransomware or malware to get in touch with them, and by making it so individuals or smaller groups don't have these types of OSes anymore, the attack surface in your whole organization goes lower, and that does amazing things. It makes it really hard for me as an attacker to laterally move, to go anywhere else. If I get on your one Windows machine, you know now where to focus all your efforts when it comes to EDR. If I get on your one Windows server that you haven't been able to migrate into smaller clustered services, or deployment services, or rotating services, then you know where to focus, right? So the more that you can reduce that attack surface the better, and to do that, start by giving out Chromebooks or other similarly OS-minimalist systems. I hope this is all making sense, because I can't see any feedback or anything.

So when I moved on from Uber I worked at Cruise Automation,
and one of the things that I always knew is that firewalls are good, right? Everyone knows firewalls are good. But one of the cool things I learned, sort of at Uber but more firmly at Cruise, was that even their servers that weren't in AWS, even their servers that weren't in Azure or GCP or containers, had their firewalls fully turned on. It was just Windows Firewall or iptables, but they were turned on in deny mode, and unless they specifically allowed that port, it wasn't going anywhere. So what that did was, me as an attacker (and I worked as a red teamer at Cruise), I couldn't find Windows SMB everywhere. I had to really work at it: I could only talk to the domain controller, and I had to really work at finding those different parts. So when every server only has certain ports allowed, maybe to everyone, but just to ranges, because we had good network ranges, then to get to another server I'd have to find a vulnerability in one of the servers in that same range to be able to talk to the server I wanted to talk to. That really goes back to one of the previous lessons: if you reduce the attack surface, if you push an attacker into a corner, I have to make more hops as an attacker to get somewhere, and yes, I might still get there, no network is perfect, but the more hops I have to do, the easier it is for that detection to happen. With this one, though, firewalls: one of the great things about AWS is that it starts with deny-any on everything allowed in, and you have to specifically allow things in. I love that mindset, with deny-any as the default, because you have to do a little work to get it going, but once it's going, you're good, and that works really well. But we need to start doing it on internal servers, and I mean, if you have Windows servers in your network right now, turn the firewall on on all of them. They're going to have all the exclusions in there already, but you need to go in and remove those exclusions. It's one by one, yes, or it might be Group Policy to set those, but it's a lot of work. It's tedious work, but it's amazing; it's super effective. If I saw any corporation do the network firewalling on the built-in firewall on each system, you would be so close to zero trust with this. That is the key to zero trust: when you can get every system in your network to have its host-based firewall turned on, not just in the workstation phase. This is what I'm going to talk about here: Windows Firewall in domain mode isn't a firewall. Everything that you can imagine needing as an attacker is allowed in domain mode, and so what you need to do is put it into public mode, even if it's connected to the domain. Every single workstation should always be in public mode, and what I mean by that is that at this current point in time no one needs to RDP to a workstation. Servers, yeah, sure, but workstations, no. You should have some kind of remote administration on everything, like an EDR; almost every EDR I've ever looked at has remote administration of some sort, in one form or fashion. Every single IT support staff thing has a way to access the machine because it has an agent on the machine. Every system on a modern corporate network at any level has at least two to three, or fifteen, agents on it that you can figure out a way to remotely administer with. There should be zero reasons why anything should be coming in to a workstation on a corporate network, and that's what public mode does. If you turn on public mode for every network, that does an amazing thing also for when they go home, when they're remotely working, when they are anywhere, at a coffee shop or whatever. That mode was designed for coffee shops and hotel Wi-Fi, but it does just as well at home, it does just as well in the corporate office, and it even does more, because if a system in the corporate office is owned, then they can get to the workstations, and that's where all the users are logged in. Me as an attacker, I want to get to where all the users are logged in so I can get more credentials, so I can go more places.
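The workstation posture described above (firewall on for every profile, inbound blocked by default, the stock inbound exclusions removed, drops logged) as an added PowerShell example; this is editor-written code, not from the talk. It assumes an elevated prompt on Windows 10/11 with the built-in NetSecurity module; a domain-joined adapter cannot be re-categorized to Public, so the script makes the Domain profile as strict as the Public one instead, and leaves the Core Networking rule group (DHCP, IPv6 neighbor discovery) enabled so the host keeps its address.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the talk): make every Windows Firewall profile behave like
# "public mode" on a workstation. Assumes the built-in NetSecurity module (Windows 10/11).
# For a fleet, push the same settings through Group Policy; these cmdlets also accept
# -PolicyStore to target a GPO directly instead of the local machine.

function Set-WorkstationFirewallPosture {
    param(
        # Rule groups to keep enabled: DHCP lease renewal and IPv6 neighbor discovery live here.
        [string[]]$KeepGroups = @('Core Networking'),
        [string]$LogPath = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
    )
    $profiles = 'Domain', 'Private', 'Public'

    # 1. Firewall on for every profile, inbound blocked unless a rule allows it,
    #    outbound allowed. Domain gets exactly the same defaults as Public.
    Set-NetFirewallProfile -Profile $profiles `
        -Enabled True `
        -DefaultInboundAction Block `
        -DefaultOutboundAction Allow `
        -NotifyOnListen False

    # 2. Disable the stock inbound allow rules (RDP, File and Printer Sharing/SMB, WMI,
    #    Remote Assistance, ...) so the exclusions are gone, not merely unreached.
    #    Add -WhatIf to Disable-NetFirewallRule for a dry run before rolling out.
    $toDisable = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $KeepGroups -notcontains $_.DisplayGroup })
    $toDisable | Disable-NetFirewallRule

    # 3. Log dropped packets per profile so a host that is being probed shows up
    #    when the log is shipped to the SIEM.
    Set-NetFirewallProfile -Profile $profiles `
        -LogBlocked True `
        -LogFileName $LogPath `
        -LogMaxSizeKilobytes 32767

    # 4. Return the end state so the caller can review what is still allowed inbound.
    [pscustomobject]@{
        DisabledRules  = $toDisable.Count
        StillAllowedIn = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
                           Select-Object DisplayName, DisplayGroup, Profile)
        Profiles       = Get-NetFirewallProfile |
                           Select-Object Name, Enabled, DefaultInboundAction, LogBlocked
    }
}

$result = Set-WorkstationFirewallPosture
$result.Profiles | Format-Table -AutoSize
"Disabled $($result.DisabledRules) inbound allow rules; $($result.StillAllowedIn.Count) remain (expected: Core Networking only):"
$result.StillAllowedIn | Format-Table -AutoSize
```

Run it once on a test machine and confirm the EDR and IT agents still reach their consoles (they connect outbound) before applying it to a group; if a help-desk tool genuinely needs an inbound port, re-enable that one rule scoped to the admin subnet rather than reverting the profile.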
So, unfortunately, Cruise did a big layoff and I was part of that, and then I was welcomed with wide arms into the Black Hills Information Security family. There is amazing; they are an awesome group of people. I was so happy to work with them. And what I learned there through consulting is that there were a couple of companies that were on the move or already there. There was one company that was already there, but very close to dropping Active Directory completely. Now, Active Directory is a monolith, and we're getting away from that as an industry. We're getting away from these monolithic servers that do all of everything for us;
we're getting into microservices, we're getting into the small bits that we can actually control way better. And because Active Directory is so giant, so massive, no one can ever think, we're gonna get rid of Active Directory in five years, because that undertaking just seems like an impossibility. Like, no way, not possible. And I'm here to tell you it is. It's a slow process, and you start with, you know, moving users off of Active Directory, or groups off of Active Directory. And this is actually a previous company that I saw where all of the groups for all permissions and stuff like that, they were still pointed at Active
Directory at the time, but they were all managed through another software, and I think it was built in-house. But still, all of the group membership, everything, where me as a manager or me as a director, I had the ability to add or move people from my groups very easily through this interface, and I have a whole list of them all at once. Whereas with Active Directory I'd have to know all of the groups I own and then find a way to look at each one. It's just too complex to be good for corporations these days. And so how you deal with this is by moving it slowly. You take one group, move it
off; you take another group, move it off. You get an IdP that syncs up with Active Directory and you slowly move everything to look at that IdP, and eventually Active Directory is no longer needed other than for LDAP, and then you cut the LDAP tie. It's a slow process, I'm not going to say it's not, but it's not impossible. And the great thing about... so how do I manage my systems then? How do I do SCCM? How do I push things to my systems? And that's all through MDM. Windows 11, Windows 10, they all support mobile device management. I don't even think it's called mobile device management anymore, but MDM. Managing OS X, managing
Macs are way easier through MDM. Managing corporate phones, all of that, it's so much easier through MDM, and it has a very specific purpose, versus the Active Directory "we can do everything." And I hate to say it, but like, that's kind of what we need to be doing. It might take five years, it might take two years, it might take ten years, but we need to get rid of all of the monolithic servers that do everything for a corporation and start moving to a place where we can rapidly change and do that quickly. So, United Airlines is where I work currently, and one of the lessons, not
necessarily like I'm still learning lessons here, but like this is not one specifically that I learned here, but at multiple different companies on the way, but one that most security people are not going to want to hear is that if you don't know if your tools are functioning, they aren't. I want to know, just in comments, on Twitter or otherwise, how many systems you actually have checking into your EDR, and does that fluctuate on a day to day? How do you know which ones? Is there any alerting that one isn't checking in anymore or hasn't for a while? Is there any way that you know that those systems are actually working?
And one of the questions that scares every single Splunk engineer on the planet is: would you know if logs stopped coming in from one server? I guarantee the answer is no. This is what we need to start doing with our security tools, right? Originally, one of the beautiful basics that I talked about, or talk about frequently, is MFA on security tools, which is thankfully not a thing anymore. Well, it is a thing, and that's why I don't talk about it, because almost every security tool that I talked to originally used to have default credentials, way worse than the other things that
we're scanning. Like, what was it, one of the vulnerability management tools, they had a default username and password, and so I could just log in with that default username and password on a couple of systems that I was doing these assessments for, and then I know where the vulnerabilities are. So I find MS08-067, oh, it's on that system, okay, done. And we didn't really secure our tools. Now we're getting way better at securing our tools as security professionals and security engineers, but we're not doing a very good job at logging them. So if the Splunk or Sumo server goes down, how do you... like, you'll know that the
Sumo server is down, but if the services are up but the things that are feeding it are no longer up, you don't really know. And that's one of the harder things that we're getting to, is finding when those happen. And there was an organization I worked at previously where we had an EDR on, I think it was something like ten thousand servers, ten thousand systems, and there was a patch that came through, the update on these EDR systems. They patched all of them, and 5,000 of them were no longer checking in because the patch didn't work. 5,000 of them
out of 10,000, and no one knew, because there was no system in that system to say this is how many are checking in, or, you know, we saw a large deficit in the number of check-ins. Nothing is correlating that data with firewall logs or seeing if those systems are actually online but no longer checking in to the EDR, and 5,000 systems were blind. And we just happened, as a pen test team, to come in and hit those specific systems without knowing that they didn't work, because it was a 50/50 chance at that point. And we hit those systems, and we're actually doing
a purple team, and we're like, hey, do you see this? Hey, do you see this? And they're like, no, we don't, which is really weird. And pipeline monitoring, and what I mean by pipeline is the pipeline of endpoint to logging to detection to whatever other automation that you have. All of that pipeline, we do a pretty crap job at monitoring, making sure those work. And so we really need to get to a point where we're doing those things, and we will. And how to do that is involving IT. IT are really good at doing their job at monitoring things going up and down. They really are; that is one of their main focuses when
it comes to server administration: uptime. And they have tons of tools to do that, a myriad of tools to do that. Involve them. Say, hey, I need to integrate my EDR with this monitoring tool to make sure that if this system is offline via these seven checks, or is online via these seven checks but offline because the EDR is not saying it, say something. Because then you instantly know when an attacker, or even a malicious insider, is trying to be more invisible. All right, and I think we're getting close to my time, but if not, I'm already done, so I can answer a bunch of questions if there are any. Thank you
so much for having me out. I hope that you at least learned something out of this keynote, but if not, I apologize. You can always hit me up on Twitter; I have my direct messages open there if you want to talk to me, here in the comments too, I'm open to that. But thank you so much for your time, thank you for listening to me, and I appreciate BSides Vancouver for having me out. All right, let's see if there's any questions in here.
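Editor's added example for the pipeline-monitoring point in the talk (the 5,000-of-10,000 EDR check-in gap that nobody noticed, and the later question about confirming logs actually arrive). This is not the speaker's code and not any vendor's API: the EDR "last check-in" export and the firewall allow log are constructed sample records in a hypothetical format, and the host names, timestamps and thresholds are assumptions. It shows the two checks the talk asks for: a fleet-wide check-in deficit alarm, and a correlation of "seen on the network recently" against "heard from by the EDR recently" that names the blind hosts.

```python
"""Is the EDR check-in pipeline actually working?

Added example, not from the talk. Both inputs below are constructed sample
data in a hypothetical export format; a real deployment would replace the two
parsers with reads from its own EDR console and firewall/SIEM.
"""
from datetime import datetime, timedelta

# Constructed EDR export: hostname,last_check_in (UTC, ISO 8601)
EDR_EXPORT = """\
web01,2024-05-01T09:55:00
web02,2024-05-01T09:58:00
db01,2024-04-29T07:10:00
db02,2024-04-29T07:12:00
vpn01,2024-05-01T09:40:00
"""

# Constructed firewall allow log: timestamp source_host destination_port
FIREWALL_LOG = """\
2024-05-01T09:50:00 web01 443
2024-05-01T09:51:00 db01 1433
2024-05-01T09:52:00 db02 1433
2024-05-01T09:53:00 lab07 22
2024-04-20T09:53:00 old01 22
"""

# Fixed "now" so the example is reproducible (assumption for the demo).
NOW = datetime(2024, 5, 1, 10, 0, 0)


def parse_edr_export(text):
    """Map hostname -> last check-in time from the constructed export."""
    seen = {}
    for line in text.strip().splitlines():
        host, stamp = line.split(",")
        seen[host.strip()] = datetime.fromisoformat(stamp.strip())
    return seen


def parse_firewall_log(text):
    """Map hostname -> most recent time the firewall saw traffic from it."""
    active = {}
    for line in text.strip().splitlines():
        stamp, host, _port = line.split()
        ts = datetime.fromisoformat(stamp)
        if host not in active or ts > active[host]:
            active[host] = ts
    return active


def blind_hosts(edr, firewall, now, max_silence=timedelta(hours=24),
                activity_window=timedelta(hours=1)):
    """Hosts the network saw within activity_window that the EDR has not
    heard from within max_silence. Returns sorted (host, reason) pairs."""
    findings = []
    for host, last_traffic in firewall.items():
        if now - last_traffic > activity_window:
            continue  # not recently active, so nothing to correlate
        last_checkin = edr.get(host)
        if last_checkin is None:
            findings.append((host, "no EDR agent record"))
        elif now - last_checkin > max_silence:
            findings.append((host, f"silent for {now - last_checkin}"))
    return sorted(findings)


def checkin_deficit(edr, now, expected, max_silence=timedelta(hours=24),
                    tolerance=0.10):
    """Compare live check-ins against the expected fleet size.
    Returns (live_count, fraction_missing, alert)."""
    live = sum(1 for t in edr.values() if now - t <= max_silence)
    missing = 1 - live / expected if expected else 0.0
    return live, missing, missing > tolerance


if __name__ == "__main__":
    edr = parse_edr_export(EDR_EXPORT)
    fw = parse_firewall_log(FIREWALL_LOG)
    live, missing, alert = checkin_deficit(edr, NOW, expected=5)
    print(f"live agents: {live}/5  missing: {missing:.0%}  alert: {alert}")
    for host, reason in blind_hosts(edr, fw, NOW):
        print(f"BLIND {host}: {reason}")
```

The `expected` fleet size is the piece IT already owns (CMDB, DHCP, or the uptime monitor the talk says to involve); the deficit check catches the "half the agents died after a patch" case even before anyone looks at individual hosts, while the correlation check names the specific machines that are up and talking but invisible to the EDR.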
My org has 0 AD. That's awesome. How easy are Chromebooks to centrally manage from a config and update perspective? Super easy. They, just like any Android device, connect to MDM very easily. So if you already have an MDM for phones, these would just check into that. Super easy. Thanks for the question, Tyler.
Yeah, Docker latest is awesome. Norton Ghost takes me back, yup, some people actually remember it. So Bruce says responsibility equals "if you see something, say something." I agree with that, especially when it comes to safety, and safety is security sometimes, many times. But I think it stops there, and we as security professionals try to make it more, through security awareness training, through other things. But we try and push the fact that it's more of their fault for not patching, for not learning the security awareness stuff, or not whatever, and we push too much on them. From Jack: have you seen any really good
solutions for confirming that logs are arriving in the SIEM properly? Yeah, so it's more the arriving improperly. That's an engineering thing initially, when you first get it. It's more the outages that are the problem, when a system is offline or a service is offline to push those logs. That's when it's not that they're not arriving correctly, it's that they're not arriving at all. And so stuff like Datadog, Monit, oh man, there's a bunch of different IT monitoring systems that can create checks to see if services are online, if data's flowing, all kinds of network configuration stuff that can work really
well to do that, and we just have to apply it to our security tools just like the servers and IT apply it to their applications and services. Can you go without AD if you're going down the Azure path? Absolutely. You'll have Azure AD possibly for their identity provider, but I'm pretty sure they also have an additional identity provider. I could be wrong there, but I think they have another path if you're not doing the AD route. But AAD, or Azure AD, is decent. You don't have to use all of the features of AD, and there's a lot of protections that come with Azure AD, with the automation, rotation and all of that,
with it being a cloud platform. When it comes to log monitoring, do you look at it at a transport layer or do you look at it at a landing zone? Both seem ideal, but what's the biggest impact? I look at it more on, like I said, not on the landing zone, not on the transport layer, but more on the system that would be providing those services. So if I have server A, and server A is going to Splunk, for instance, I'm monitoring the service. So I'll have a Splunk group, and then inside that group I'll be monitoring Splunk itself, but I also have a plugin or a piece
going to server A that says this service on server A, like Filebeat, whatever, Winlogbeat, I want to make sure that it is always online, and if it goes offline there's a red dot in our Splunk server. And that way it can monitor both.
All right, I think that's everything that I saw.
Thanks again for your time, appreciate it, have a nice day. I don't know how to log out of here. Thanks a lot, Rob. There's a couple of other questions here that popped up in the chat that we didn't get to, if you have the time. Yeah. But one of the questions here was, do you have any recommendations for Wi-Fi MFA? They're using Okta as their IdP, but they seem to be only compatible with Cisco. So that's an interesting question, a little deeper than... okay, so they have Okta, they have Cisco. Cisco does have features and capabilities to turn on MFA on their RADIUS services, but it's non-standard, and so you got
to get their engineering team involved in enabling that on your systems, and if you have all the older systems it's not going to be there, unfortunately. So it's a newer thing that's starting to roll out on the Cisco side. Aruba I think has it, our hat does definitely have it already, a few other wireless APs and services already have it, but I don't think Cisco has it as a default yet, or as an available option by default yet. And just one last one here is: are there any recommended ways to configure command-based privilege escalation on Windows systems with a non-login account, similar to sudoers on Linux? This is nothing to do with my
talk, but pick it up, there's absolutely... if you want to send me a direct message I will answer that. There's tons of ways to do it. A great blog to go look at, though, is Hexacorn's, "after the run key" or "past the run key," I'm forgetting the name of it, but Hexacorn's blog series. He has like 170 things on persistence on Windows that totally work on different levels, so that's the path I would send you. All right, thanks again for your time, we really appreciate it, and thanks for kicking off BSides Vancouver. No problem, thank you so much for having me.
Have a great day, take care.