Brutkey

cR0w
@cR0w@infosec.exchange

Fuck this unnamed EDR.

EDR: Suspicious file modification detected. Anti-Ransomware Protection enabled.

Me: What's the file that was modified?

EDR: IDK.

Me: What process modified it?

EDR: IDK.

Me: How was it modified?

EDR: IDK.

Me: Who was the user logged on at the time?

EDR: IDK.

Me: Did you prevent the file modification?

EDR: No, just reporting it. But here's the hostname.

Billy O'Neal
@malwareminigun@infosec.exchange

@cR0w@infosec.exchange I'm still waiting for the threat EDR supposedly protects from despite it being mass deployed all over everything.

One would think after the CrowdStrike incident someone would have had to better explain by now.


cR0w
@cR0w@infosec.exchange

@malwareminigun@infosec.exchange I get more admin functionality from them than I get security functionality. And that's not a compliment.

But there's also the compliance benefit so I guess that helps with business risk.

Billy O'Neal
@malwareminigun@infosec.exchange

@cR0w@infosec.exchange What 'compliance'?

wertzui
@wertzu1@mastodon.social

@malwareminigun@infosec.exchange @cR0w@infosec.exchange There is a thing called FIPS (in the US at least) that specifies what your network needs to be like to be "secure" in order to handle stuff like medical or financial information.

cR0w
@cR0w@infosec.exchange

@malwareminigun@infosec.exchange Industry-specific regulations and insurance requirements are the first ones that come to mind.