Dr. Anton Chuvakin
Information security ... formerly VP & Distinguished Analyst at Gartner! Now doing security product strategy Cloud
18,369 Tweets · 5,811 Following · 27,959 Followers
Tweets
Dr. Anton Chuvakin 11h
Replying to @Seven_Stones @cyb3rops
No, by domain I mean "cyber" security
Dr. Anton Chuvakin 11h
Replying to @Seven_Stones @cyb3rops
Well, 20 min is probably not the norm, but I have seen it, for sure. Over my entire career doing this, I'd assume that "real time" means "seconds" in our domain.
Dr. Anton Chuvakin 12h
Replying to @Viking_Sec
I've seen this happen in ... ahem... another language too :-)
Dr. Anton Chuvakin retweeted
Richard Bejtlich Aug 19
"Internet security is quite possibly the most intellectually challenging profession on the planet... for two reasons... complexity... and rate of change [are] your enemy." Dan Geer, 2009, Marcus Ranum's Rear Guard Security podcast.
Dr. Anton Chuvakin 12h
Replying to @cyb3rops
I always refer to a "3am test" as in is this alert good enough to wake some people at 3am?
Dr. Anton Chuvakin retweeted
Florian Roth Aug 20
Security Monitoring Wisdom: Realtime alerts do only make sense if you plan to also react in realtime. (e.g. fw block, disconnect systems) Otherwise the cost is too high. Better schedule a query that runs every 5 mins on the log data of the last 5 mins.
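The scheduled-window approach in the tweet above (a query that runs every 5 minutes over the last 5 minutes of log data, rather than per-event realtime alerting) as an added Python illustration; this is not code from the tweet, its author, or any product. It assumes a constructed log line format (`ISO-8601 timestamp`, event name, `key=value` fields) and a hypothetical failed-login threshold; a cron entry or job scheduler would call `run_window_query` with the current time on each run.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data): timestamp, event, key=value fields.
SAMPLE_LOG = [
    "2019-08-20T09:52:00Z FAILED_LOGIN user=alice src=192.0.2.9",   # older than the window
    "2019-08-20T10:00:05Z FAILED_LOGIN user=alice src=198.51.100.7",
    "2019-08-20T10:01:10Z FAILED_LOGIN user=bob src=198.51.100.7",
    "2019-08-20T10:01:40Z FAILED_LOGIN user=carol src=198.51.100.7",
    "2019-08-20T10:02:15Z FAILED_LOGIN user=dave src=198.51.100.7",
    "2019-08-20T10:03:00Z FAILED_LOGIN user=erin src=198.51.100.7",
    "2019-08-20T10:03:30Z LOGIN_OK user=alice src=203.0.113.5",
    "2019-08-20T10:04:10Z FAILED_LOGIN user=frank src=203.0.113.5",
    "this line is malformed and must be skipped",
]

# The "current time" used by the demo run below (constructed).
DEMO_NOW = datetime(2019, 8, 20, 10, 5, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one log line into (timestamp, event, fields); return None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return ts, parts[1], fields


def run_window_query(lines, now, window=timedelta(minutes=5), threshold=5):
    """One scheduled run: count FAILED_LOGIN per source in (now - window, now]
    and return the sources at or above the (hypothetical) threshold.

    Because each run looks only at its own non-overlapping window, the same
    event is never evaluated twice and no per-event alert state is needed.
    """
    start = now - window
    failures = Counter()
    users = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed input is skipped, not fatal
        ts, event, fields = parsed
        if not (start < ts <= now):
            continue  # outside this run's window
        if event == "FAILED_LOGIN" and "src" in fields:
            failures[fields["src"]] += 1
            users[fields["src"]].add(fields.get("user", "?"))
    return [
        {
            "src": src,
            "failures": n,
            "users": sorted(users[src]),
            "window_start": start.isoformat(),
            "window_end": now.isoformat(),
        }
        for src, n in sorted(failures.items())
        if n >= threshold
    ]


def demo_findings():
    """Run one scheduled cycle over the constructed sample at DEMO_NOW."""
    return run_window_query(SAMPLE_LOG, DEMO_NOW)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

The output of one cycle is a batch of findings, not a stream of per-event alerts, which is what makes the follow-up (ticket, block, investigation) cheap enough to schedule rather than staff around the clock.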
Dr. Anton Chuvakin retweeted
Enno Rey Aug 18
Top 10 SIEM Log Sources in Real Life? by
Dr. Anton Chuvakin Aug 19
Replying to @haroonmeer
They all do, 100%. Are you asleep at the wheel? :-)
Dr. Anton Chuvakin Aug 19
Replying to @silascutler
On Feedly still since ... ahem ... G Reader was killed :-(
Dr. Anton Chuvakin retweeted
Florian Roth Aug 16
Yes, check the "sysmon" and "process_creation" folders
Dr. Anton Chuvakin Aug 18
Given some luck, we may :-)
Dr. Anton Chuvakin retweeted
Augusto Barros Aug 18
I am "tuning the cassette player head while making the computer load code from a tape" years old
Dr. Anton Chuvakin Aug 18
This is a really good discussion to have, IMHO. Personally, I used to advocate that very view but I don't anymore. EDRs became too damn good for this.
Dr. Anton Chuvakin Aug 18
You basically summarized the blog post :-)
Dr. Anton Chuvakin retweeted
Dylan Aug 18
Web proxy logs despite their volume are invaluable to investigations. Mail logs are important as well. I like to have targeted sysmon and event logs. Identify high value targets (dc's, sysadmins etc) and monitor those heavily. Current pricing models not conducive for covers.
Dr. Anton Chuvakin retweeted
J Wolfgang Goerlich Aug 17
InfoSec Twitter: Be the community ’s dev friends think we are. High note to end a Saturday on.
Dr. Anton Chuvakin retweeted
Eva Aug 17
I'm "2400 baud handshake noise" years old.
Dr. Anton Chuvakin retweeted
Daniel Miessler Aug 17
Is there a darkweb site I can upload my PII to or something so that I don't have to constantly accept cookie policies? This isn't how any of this is supposed to work.
Dr. Anton Chuvakin retweeted
Phil Venables Aug 16
Replying to @philvenables
So, detect early, respond decisively, formalize accountability and test constantly (and apply lessons from tests quickly). Limit the blast radius of potential events through business and technology process adjustment (for example: data minimization). 10/12
Dr. Anton Chuvakin retweeted
Phil Venables Aug 16
Replying to @philvenables
Recognize that basic and relentless technology controls (e.g. CIS Top 20), hygiene/operational discipline are essential. They won’t stop all attacks but will stop many (depending on your threat model). Note: “basic” doesn’t mean easy - hence “relentless” is the key word. 7/12