Educause Security Discussion mailing list archives

Re: CIS vs NIST


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 2 May 2018 15:59:13 -0400

On 30 April 2018 at 12:52, Valdis Kletnieks <valdis.kletnieks () vt edu> wrote:

> To the best of my knowledge, nobody's using the Linux kernel audit logs for
> near real time detection of events - it's of more use for forensic analysis of
> incidents and system/package testing.

I do. If a process is started by a user for the first time (or first
time for however long I have log data for that host), if previously
unused commands are kicked off, if commands with <x> name are started
from <y> path where it's never been seen, etc., all trigger alerts.
The same holds true for Windows process creation, powershell usage,
AppLocker stopping something (or if it would have stopped something),
etc.

kmw
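An added illustration, not code from kmw's post: the three kinds of alert described above (a user running a command for the first time, a command never seen on the host, a known command name starting from a new path), implemented as a first-seen baseline over Linux audit SYSCALL records. The log lines and uids are constructed; the field names (uid, comm, exe, syscall) follow auditd's key=value layout and execve is assumed to be syscall 59 (x86_64).

```python
"""First-seen detection over Linux audit execve records (added example)."""
import re
from collections import defaultdict

# Constructed sample records, not real log data.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1525284000.101:1): syscall=59 success=yes uid=1000 comm="ls" exe="/usr/bin/ls"
type=SYSCALL msg=audit(1525284001.102:2): syscall=59 success=yes uid=1000 comm="ls" exe="/usr/bin/ls"
type=SYSCALL msg=audit(1525284002.103:3): syscall=59 success=yes uid=1000 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1525284003.104:4): syscall=59 success=yes uid=1001 comm="ls" exe="/usr/bin/ls"
type=SYSCALL msg=audit(1525284004.105:5): syscall=59 success=yes uid=1000 comm="ls" exe="/tmp/ls"
type=PROCTITLE msg=audit(1525284004.105:5): proctitle=6C73
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return the key=value fields of one audit line, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

class FirstSeenDetector:
    """Per-host baseline of what has already been observed; alerts on novelty."""
    def __init__(self):
        self.host_cmds = set()                 # command names seen on this host
        self.user_cmds = defaultdict(set)      # uid -> command names that uid has run
        self.cmd_paths = defaultdict(set)      # comm -> exe paths it has run from

    def observe(self, rec):
        """Feed one parsed record; return the alerts it triggered (may be empty)."""
        # Only execve SYSCALL records mark a process start (59 assumed = execve on x86_64).
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != "59":
            return []
        uid, comm, exe = rec["uid"], rec["comm"], rec["exe"]
        alerts = []
        if comm not in self.user_cmds[uid]:
            alerts.append(f"uid={uid} ran {comm} for the first time")
        if comm not in self.host_cmds:
            alerts.append(f"{comm} has not been seen on this host before")
        if self.cmd_paths[comm] and exe not in self.cmd_paths[comm]:
            alerts.append(f"{comm} started from new path {exe}")
        self.host_cmds.add(comm)
        self.user_cmds[uid].add(comm)
        self.cmd_paths[comm].add(exe)
        return alerts

def scan(log_text):
    """Run the detector over raw audit lines; return all alerts in order."""
    det = FirstSeenDetector()
    alerts = []
    for line in log_text.splitlines():
        alerts.extend(det.observe(parse_record(line)))
    return alerts
```

In practice the baseline would be persisted for as long as log retention allows, so that "first time" means first time within the retained window rather than since the detector started.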
