Educause Security Discussion mailing list archives
Re: CIS vs NIST
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 2 May 2018 15:59:13 -0400
On 30 April 2018 at 12:52, Valdis Kletnieks <valdis.kletnieks () vt edu> wrote:
> To the best of my knowledge, nobody's using the Linux kernel audit logs for near real time detection of events - it's of more use for forensic analysis of incidents and system/package testing.
I do. If a process is started by a user for the first time (or first time for however long I have log data for that host), if previously unused commands are kicked off, if commands with <x> name are started from <y> path where it's never been seen, etc., all trigger alerts. The same holds true for Windows process creation, PowerShell usage, AppLocker stopping something (or if it would have stopped something), etc.

kmw
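The three "first seen" triggers Kevin describes (a user running a command for the first time, a command never run on the host before, and a known command name executing from a path it has never come from) can be implemented as a small stateful filter over auditd execve records. The following is an added example, not code from the original message or from the list; the audit lines are constructed, and it assumes an audit rule that tags execve calls with the key "exec" (e.g. `-a always,exit -F arch=b64 -S execve -k exec`) so that the records can be selected by that key.

```python
import os
import re

# Constructed sample auditd SYSCALL records (not taken from the original message or any
# real host). They assume an audit rule tagging execve with key "exec", such as:
#   -a always,exit -F arch=b64 -S execve -k exec
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1525284000.101:1): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1200 pid=1201 uid=1000 auid=1000 comm="ls" exe="/usr/bin/ls" key="exec"',
    'type=SYSCALL msg=audit(1525284001.102:2): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1200 pid=1202 uid=1000 auid=1000 comm="ls" exe="/usr/bin/ls" key="exec"',
    'type=SYSCALL msg=audit(1525284002.103:3): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1200 pid=1203 uid=1000 auid=1000 comm="curl" exe="/usr/bin/curl" key="exec"',
    'type=SYSCALL msg=audit(1525284003.104:4): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1300 pid=1301 uid=1001 auid=1001 comm="ls" exe="/usr/bin/ls" key="exec"',
    'type=SYSCALL msg=audit(1525284004.105:5): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1300 pid=1302 uid=1001 auid=1001 comm="ls" exe="/tmp/.x/ls" key="exec"',
]

# auditd records are space-separated key=value pairs; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Split one auditd record into a dict of key=value fields, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


class FirstSeenDetector:
    """Alerts on process executions never seen before on a given host.

    State is kept in memory here; in a real pipeline it would be persisted for as
    long as log retention, since the baseline is only as good as the history
    behind it (hence "first time for however long I have log data for that host").
    """

    def __init__(self):
        self.user_cmds = set()   # (host, auid, name) already observed
        self.cmd_paths = {}      # (host, name) -> set of exe paths observed

    def process(self, host, line):
        rec = parse_audit_line(line)
        # Only execve records selected by the assumed audit rule key are of interest.
        if rec.get("type") != "SYSCALL" or rec.get("key") != "exec":
            return []
        exe = rec.get("exe", "")
        name = os.path.basename(exe)   # command name as seen on disk
        auid = rec.get("auid", "?")    # login uid survives su/sudo, unlike uid
        alerts = []

        # Trigger 1: this user has never run this command on this host.
        if (host, auid, name) not in self.user_cmds:
            self.user_cmds.add((host, auid, name))
            alerts.append(("first_for_user", host, auid, name, exe))

        # Trigger 2: the command name has never been run on this host at all.
        # Trigger 3: the name is known, but this exe path has never been seen for it.
        paths = self.cmd_paths.setdefault((host, name), set())
        if not paths:
            alerts.append(("new_command", host, auid, name, exe))
        elif exe not in paths:
            alerts.append(("unseen_path", host, auid, name, exe))
        paths.add(exe)
        return alerts


def run_detector(host, lines):
    """Feed records for one host through the detector and collect the alerts."""
    det = FirstSeenDetector()
    alerts = []
    for line in lines:
        alerts.extend(det.process(host, line))
    return alerts


if __name__ == "__main__":
    for alert in run_detector("host-a", SAMPLE_AUDIT_LINES):
        print(alert)
```

On the constructed input the last record is the interesting one: `ls` is a well-known name on the host, but it has never executed from `/tmp/.x/`, so it produces an `unseen_path` alert while the identical command from `/usr/bin` produces nothing. The baseline is keyed per host because the same command is normal on one machine and anomalous on another; the cost of that choice is that every new host goes through a noisy learning period before the alerts become meaningful.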