Community

EDR Testing and Evaluation is a PITA

Over the last three years, I have worked with my teams, stakeholders, end-users, and antivirus (A/V) and endpoint detection and response (EDR) account reps to help secure my company's assets. During this journey, one common thread is that vendor marketing teams must be explicit about what exact SKUs they offer, and the only way to find out what a company actually offers is to contact sales and have a conversation. It is best to look at each platform's features, write down the features you think you want, and ask how their pricing bundles work. This will let you determine whether their "Enterprise" SKU includes all the features you need versus the ones they are trying to sell you.

The guide below is material I created and have utilized over the last few years when evaluating EDRs. While it is not an all-encompassing list of items, the items are a great building block to launch your version of an EDR POC. With that said, check out the resources below.

Questions to ask an EDR vendor before you POC their product.

  • How does your EDR detect and respond to threats?
  • Can you provide examples of threats your EDR has detected and responded to?
  • Does the EDR integrate with other security tools, such as firewalls and intrusion detection systems?
  • How easy is it to use and manage the EDR?
  • How scalable is the EDR? Can it accommodate a large number of endpoints?
  • What kind of technical support and updates do you offer?
  • How does your EDR help with compliance and regulatory requirements?
  • How does your EDR handle false positives?
  • Can you provide a demo or trial of the software?
  • What are the pricing options, and what is included in the package?
  • How does your EDR handle data privacy and security?
  • How does the EDR handle remote workers and mobile devices?
  • Does the EDR provide threat intelligence and analytics?
  • Does the EDR have an incident response plan and incident management?
  • Is SSO based on service tier?
  • Is console access IP based?
  • What IAM roles are available on your platform?

While these may seem like many questions, it's essential to find out this information to determine the maturity of each company and the platform.

Below is a Comparison Chart I developed in Notion, but it can easily be a Confluence page, Google Sheets, or Excel Worksheet.

Here is an EDR & XDR Comparison Chart.

My advice to all of you is to choose 2 - 3 platforms for POC. You can evaluate and resource as many as you would like, but only select one of the tools you think will be good for your environment and company. Preparation is critical, and before you gain access to your POC environments, please set up your testing environment for each POC.

  • Set up 3-5 of each Operating System for each tool you are testing. Prep the physical machines, virtual machines, or remote desktops before getting access to tenants.
  • Identify Beta users who will enroll their devices into the POC platforms.

If you use Beta users, there are two routes you can take: fully automate the installation experience, or have users manually install the agent. There are pros and cons to both; however, you should utilize whatever will enroll users into your program with the least amount of friction. Some environments are more technical than others, so choose wisely.

Key things to complete before kicking off your POC.

  • Set a timeline for the start and stopping of the POC
  • Prep Machines for POCs
  • Prep documentation for user enrollment & unenrollment
  • Prep documentation for why the company is evaluating an EDR tool.
  • Prep what information will be collected during the POC
  • Identify Beta Users
    • Identify outspoken users 1 - 2 minimum
    • Identify proponents of IT / 1 - 2 people minimum
    • Identify Engineers/Technical individuals
    • Identify a Senior Member of the executive team

Here is a sample EDR Testing plan you could utilize as a framework. Please note that this should only be a framework, and you need to modify this to meet your organizational needs based on the SKUs you are acquiring. For example, if you pick up a Vulnerability Management plugin from your EDR vendor, you will need to add in testing to verify the module's functionality. EDR & XDR Testing Plan.

EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) Test Plan

Introduction: This test plan outlines the testing process for evaluating the effectiveness of an EDR and XDR solution. The goal of this testing is to ensure that the EDR and XDR solution can detect, respond to, and prevent security threats on endpoint devices and networks.

Scope: The scope of this test plan includes the following:

  • Evaluating the EDR and XDR solution's ability to detect, respond to, and prevent security threats on endpoint devices and across the network.
  • Evaluating the EDR and XDR solution's ability to integrate with other security solutions, such as firewalls, intrusion detection and prevention, and antivirus.
  • Evaluating the EDR and XDR solution's ability to provide detailed forensic information on security threats and incidents.
  • Evaluating the EDR and XDR solution's ease of use and management.

Pre-Test Preparation:

  • Configure the EDR and XDR solution according to the vendor's instructions.
  • Set up test endpoints, including Windows and MacOS systems and mobile devices. Install the EDR and XDR agent on the test endpoints.
  • Set up the test cases the EDR and XDR solution is expected to detect and respond to.
  • Create a test environment that simulates a production environment.

Testing Procedures:

Threat Detection and Response Testing:

  • Inject test cases of known security threats, such as malware, into the test environment.
  • Observe the EDR and XDR solution's ability to detect and respond to threats.
  • Evaluate the EDR and XDR solution's ability to prevent the threats from executing.
  • Evaluate the EDR and XDR solution's ability to provide detailed forensic information on the threats and incidents.

Integration Testing:

  • Test the EDR and XDR solution's ability to integrate with other security solutions, such as firewalls, intrusion detection and prevention, and antivirus.
  • Test the EDR and XDR solution's ability to share threat intelligence with other security solutions.
  • Evaluate the EDR and XDR solution's ability to automate incident response actions across multiple security solutions.

Ease of Use and Management Testing:

Test the EDR and XDR solution's ease of use and management, including the ability to:

  • Configure and deploy the EDR and XDR agent on endpoint devices.
  • Manage and monitor the EDR and XDR solution from a central console.
  • Generate reports and alerts on security threats and incidents.

Acceptance Criteria:

  • The EDR and XDR solution should detect and respond to at least 90% of the test cases of known security threats.
  • The EDR and XDR solution should integrate with other security solutions and share threat intelligence with at least 80% accuracy.
  • The EDR and XDR solution should be easy to use and manage, with a user-friendly interface and minimal training required.

Documentation:

  • Test results, including screenshots, logs, and reports, should be documented and shared with the vendor for review and feedback.
  • Any issues or bugs discovered during testing should be reported to the vendor and tracked until resolved.
  • A final report should summarize the test results and include improvement recommendations.

Post-Test Clean-up:

  • Remove the EDR and XDR solution from the test environment. Remove the EDR and XDR agents from the test endpoints.
  • Delete any test cases.

If you need to test an EDR's detection capability, I use the eicar.org anti-malware test file. Downloading this file onto a device should produce a positive hit in the EDR system. If it does not, I would ask the EDR vendor whether they have any commands that produce a positive result, so you can simulate both a positive and a negative event.
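As an added example that is not part of the original post or of any vendor's tooling, the script below turns the EICAR drop described above into a repeatable POC test case and scores the outcomes against the 90% detection threshold from the acceptance criteria. It writes the standard 68-byte EICAR test file, waits, and then classifies whether the EDR quarantined the file, altered it, or left it untouched (a blocked write is also counted as a detection). The drop path `eicar.com` in the working directory and the 10-second wait are assumptions; vary the path on real endpoints to exercise different monitors.

```python
"""Added example (not from the original post): drop the EICAR test file on a
POC endpoint, observe what the EDR does to it, and score the results against
the test plan's 90% detection threshold. Paths and wait times are assumptions."""
import hashlib
import os
import time

# Published SHA-256 of the 68-byte EICAR test file, used to confirm the file
# was written intact (and later, to tell "cleaned" from "untouched").
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# Acceptance threshold taken from the test plan: detect at least 90% of cases.
DETECTION_THRESHOLD = 0.90


def eicar_test_string() -> bytes:
    """Return the standard EICAR test string.

    It is assembled from two halves so that this source file itself does not
    contain the contiguous signature; only the file we deliberately drop does.
    """
    head = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    tail = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    return head + tail


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_test_file(path: str) -> str:
    """Write the EICAR file to ``path`` and return the SHA-256 read back."""
    with open(path, "wb") as fh:
        fh.write(eicar_test_string())
    with open(path, "rb") as fh:
        return sha256_hex(fh.read())


def observe(path: str, wait_seconds: float = 10.0) -> str:
    """Classify the dropped file after giving the EDR ``wait_seconds`` to act.

    "quarantined": file removed; "altered": content no longer matches EICAR
    (cleaned or truncated); "untouched": still intact, i.e. not detected.
    """
    time.sleep(wait_seconds)
    if not os.path.exists(path):
        return "quarantined"
    with open(path, "rb") as fh:
        intact = sha256_hex(fh.read()) == sha256_hex(eicar_test_string())
    return "untouched" if intact else "altered"


def run_case(path: str, wait_seconds: float = 10.0) -> str:
    """One test case: drop the file and report the outcome.

    Many EDRs block the write itself; that counts as a detection too.
    """
    try:
        write_test_file(path)
    except OSError:
        return "blocked_on_write"
    return observe(path, wait_seconds)


def detection_rate(results: dict) -> float:
    """Fraction of cases the EDR acted on (anything other than "untouched")."""
    if not results:
        return 0.0
    detected = sum(1 for outcome in results.values() if outcome != "untouched")
    return detected / len(results)


def meets_acceptance(results: dict) -> bool:
    """True when the detection rate reaches the plan's 90% threshold."""
    return detection_rate(results) >= DETECTION_THRESHOLD


if __name__ == "__main__":
    # Assumed drop location for a single run on a POC endpoint.
    target = os.path.join(os.getcwd(), "eicar.com")
    outcome = run_case(target, wait_seconds=10.0)
    results = {"eicar_plain_cwd": outcome}
    print("outcome:", outcome)
    print("detection rate: %.0f%%" % (100 * detection_rate(results)))
    print("meets 90%% threshold:", meets_acceptance(results))
```

Record one dictionary of outcomes per vendor across all your drop locations (user profile, Downloads, a network share, an archive) and compare `detection_rate` results side by side; the raw outcomes also tell you whether a vendor blocks on write or only cleans up afterwards, which matters for the forensic-detail criteria.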

Notion Database Tools

The links below will allow you to duplicate the database into your own instance of Notion and allow for comments. I will follow up on the comments as well.

This post will provide the kicking-off point for getting your EDR testing and evaluation off the ground.

Please contact me if anyone has any comments or wants to add to the samples provided.

Penn State MacAdmins 2015


The Penn State MacAdmins conference was last week. Over 600 MacAdmins traveled from all over the world to discuss and share knowledge regarding OS X. This was my first year at PSU MacAdmins, so I did not know what to expect. With that said, I found this conference to be very informative and collaborative.

On the first day there were five workshops for attendees to choose from:

  • Apple Workshop
  • Fundamentals of Wi-Fi(or, Arguing with Physics)
  • Packaging Workshop
  • All Things Security
  • Introduction to Cocoa Development and Reverse Engineering on OS X

All great workshops, but I chose the Packaging Workshop. This was of particular interest to me because I did not know how an installer should actually look and behave. This workshop did a great job of explaining how packages should look and behave. In addition, there were helpful tips with hands-on packaging experience in the GUI and on the command line. The workshop covered some of the following topics and suggested a few applications:

There were also scripting and "Stupid packaging tricks" recommendations. This was by far one of the most helpful sessions for me all conference. I did not have a strong background in this particular topic, but after this workshop I feel more than confident in my ability to examine and build proper application packages for deployment.

There were a plethora of amazing sessions all week long. Check out the schedule http://psumac2015.sched.org. Some of my favorites were:

  • Integrating AutoPKG and the Casper Suite with the JSSImporter
  • To 12,00 Macs and beyond....
  • Administering Office 2016 for Mac
  • It's Dangerous to Go Alone, Take This!
  • Automated Testing with VMware Fusion
  • The 12 Unix Commands Everyone Should Know
  • OS X Operating System Security at Scale
  • Using AutoPKG for Windows Software
  • Open (and/or Free) vs Closed Source - Steel Cage Death Match
  • Using Google's Open Source Tools to Manage Macs

The list is too long to name all the other sessions I enjoyed, and I could not attend them all. But something interesting occurred during this conference: crowdsourcing notes with Google Docs. I have always wondered why more people are not using crowdsourced note taking. It allows you to be in multiple places at once, or to review the notes at the end of the day. Slack was the primary driver for organizing notes for most of the sessions, and EVERYONE seemed to be on board with the idea. Many times before a session would begin, someone would place a link to the notes in the #PSUMAC Slack channel to allow note collaboration.

Slides and videos will be released later on the PSU Mac Admins website and on YouTube, but for those who want to review immediately, this was the perfect medium. Slack brought people who weren't even at the conference into the conversation, adding input on topics or peering into the notes, which sparked further interest in all of the talks and topics. Here is a collection of Google Docs links from the notes taken by everyone at PSU Mac Admins 2015:

One particular theme that I heard constantly, whether in the packaging workshop, in sessions, or during general conversations at Legends: automation is key. There are plenty of tools that can help you automate very simple and complex tasks during your day. If you have not heard of autopkg, please go and read the GitHub page. It interfaces with many of the tools you use every day and will take the mundane task of patching and deploying applications out of your hands. Automate your VMs with vfuse by Joseph Chilcote, or with the techniques from Rich Trouton's session on virtualization testing. The theme was that your time is precious as a Mac admin, so save time where you can, which will free your mind to accomplish more challenging tasks.

I do want to give a thank you to the Penn State Mac Admins Conference, the Penn Stater, and all the individuals who attended or interacted with the community during the conference. I can't wait for PSU Mac Admins 2016! See you then, and thank you again for the best week of Summer Camp.

Mic check 1, 2, 1, 2

There are plenty of open source projects out in the wild that are built on a variety of platforms: Github, BitBucket and Mercurial. Open source projects rely on these services because they are able to version control their code. Version control has some of the following benefits:

  • Archive successive versions of source-controlled items
  • Maintain detailed history and version information
  • Collaborate on projects
  • Recover from accidental deletions or errors

Deploying version control within an organization can help staff produce efficient and stable code. It allows everyone to view, comment on, and edit code before it hits production servers. Many times when people write code, it works well on their system and maybe on a few of their test systems, but in an environment with hundreds or thousands of nodes it is important to fully test every potential system your code will touch. This leads to another important component of writing code: documentation.

Documentation is something that is lacking in most I.T. departments. Technicians deploying systems usually feel pressed to roll out a service or finish a project so they can move on to the next item on their agenda. Versioning allows technicians to document every change, and co-workers can follow the logic that went into developing a code base. Documentation can also save you when you have to restore or update services. I.T. professionals move at a lightning pace, and it helps if you store helpful hints for yourself or your team. For those co-workers who need motivation to document, Rich Trouton gave a presentation at the MacTech Conference about documentation that is worth a read.

Open source projects that utilize these tools allow anyone who is interested in a project to contribute and enhance code. For example, the Autopkg project automates the preparation of software for deployment to OS X clients. This project was created because there is a need to automate software updates for applications. The creators of the tool started a repository from which users can pull updates for certain applications. More importantly, they set up an application framework that enables anyone to create "recipes" and contribute to the project. All Autopkg code lives on Github, which allows for collaboration on a global scale.

Because of the popularity of Autopkg, another open source project based on Github and version control appeared: Autopkgr. This open source project is a GUI wrapper for Autopkg. Thanks to version control, the creators of Autopkgr are able to let anyone help modify the code to benefit the community.

Lastly, if you are looking to set up a code sync, the Client Platform Engineering (CPE) team at Facebook has open sourced some of their code sync tools. In addition, users can use some of these other tools to help with versioning and checking code:

This is not the only or definitive list of tools for versioning, editing, or checking code, but just a start.

Here are some questions I have for you:

  • Do you version control your code?
  • What do you use to version control your code?
  • How do you implement version control?
  • If you are currently not using version control do you see yourself implementing version control?

Just some food for thought. 

We are stronger as a Whole

Macbrained's November meeting was held at Salesforce. This meet up was a bit different from the events we've held previously. Normally we have a guest speaker talk about a topic of their choice, then we network. This time around we still networked; however, we held two panels: General I.T. and Security. We took questions from the community via Google Moderator and the Macbrained FB page. Here is a sample of the questions the community submitted:

  • AV Software on a Mac, is it there for legit reasons, or just for compliance?
  • What are the top security threats for OS X right now?
  • Binary whitelisting is becoming a thing on OS X; rolling it out to a Mac user base is likely to cause bigger waves than a Windows-based user base that is used to having restricted rights, etc. Anyone have a plan?
  • What type of aggregate syslog collection/analysis is everyone using?

These are some of the questions that were answered during the panel. Followers on Twitter chimed in with responses as well. Answers included: AV is for compliance more than protection, check out Google's open source Santa program, and users should attempt to utilize Facebook's osquery.

Communities expose people to resources that help them accomplish their goals and give people a chance to give back. Those goals can entail scripting, new ideas on how to implement or solve a problem, someone to bounce ideas off of, or just someone to lean on.

Do you belong to any communities? Do you give back to the open source community? Here are some images from the Macbrained November Meet-Up. 

Security Panel, General I.T. Panel, and the Macbrained Family