• biscuitswalrus · 3 · 8 months ago

    Yep, though I’m a sysadmin and can feel for that. These consolidated platforms are being used as a straight “you trust this; when I infect you, I’ll use payloads I’ll temporarily host on GitHub, because you already block overseas by default, except for a bunch of whitelisted trusted domains.”

    https://arstechnica.com/security/2024/02/github-besieged-by-millions-of-malicious-repositories-in-ongoing-attack/

    It’s technically easy to allow a subdomain, but it’s really hard to unblock just a path.

    So yeah, what generally happens is the SOC team complains that the new threat is here, and either vendors (had this with Fortinet) move the risk rating of GitHub from a 3.5 to a 6 out of 10 (I had put the threshold at a default of 5), and now it’s being blocked. I wonder why it wasn’t blocked before? Well, it wasn’t as risky last week as it is now.

    Anyway just thought I’d share the IT sysadmin POV.

    More to the point, using security as an example: we use SentinelOne and Azure Sentinel. I’ve had an “I want to compare CrowdStrike and Huntress Labs” because I’ve seen really good things with those XDR/SIEM tools. But I got shot down. Why? We can’t deviate from our standards. Well, how will we know if the competition is better? Is our choice good? Who knows.

    I still don’t know. I sleep easy knowing it’s not my burden though. It’s their fault if they get compromised on an attack that the other vendor would stop.
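The two mechanics the comment above describes (allowing a whole hostname is easy, allowing only a path is hard, and a vendor reputation score crossing a threshold flips a site to blocked) can be shown in a small policy evaluator. This is an added example, not code from the commenter or from any filtering product; the hostnames, org name, URLs, risk scores and threshold are all constructed for illustration. The key caveat it encodes: for HTTPS the filter only sees the hostname (DNS/SNI or the CONNECT target) unless it is doing TLS inspection, so a path-level rule simply cannot be evaluated without it and the policy degrades to hostname granularity, which is exactly where an attacker-controlled repository on an allowed host slips through.

```python
"""Toy web-filter policy: hostname allow vs. path allow, plus a vendor risk score.

Added example for illustration only. Every host, org, URL and score below is
constructed; they do not come from any real allowlist or reputation feed.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Hypothetical corporate allowlist at hostname granularity (constructed).
HOST_ALLOW = {
    "github.com",
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
}

# Hypothetical allowlist at path granularity (constructed): only our own org.
PATH_ALLOW = [
    ("github.com", "/example-org/"),
    ("raw.githubusercontent.com", "/example-org/"),
]

# Hypothetical reputation threshold (constructed): score >= threshold is blocked.
RISK_THRESHOLD = 5.0


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def allowed_by_host(url: str) -> bool:
    """Hostname-granularity allow: decidable from DNS/SNI or a CONNECT line alone."""
    return _host(url) in HOST_ALLOW


def allowed_by_path(url: str, tls_inspected: bool) -> Optional[bool]:
    """Path-granularity allow.

    Returns None when the path is invisible to the filter (HTTPS without TLS
    interception); the rule cannot be evaluated at all in that case.
    """
    parts = urlsplit(url)
    if parts.scheme == "https" and not tls_inspected:
        return None
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return any(host == h and path.startswith(prefix) for h, prefix in PATH_ALLOW)


def blocked_by_risk(host: str, risk_scores: Dict[str, float],
                    threshold: float = RISK_THRESHOLD) -> bool:
    """Vendor reputation check: a bumped score crosses the threshold and blocks."""
    return risk_scores.get(host, 0.0) >= threshold


def decide(url: str, tls_inspected: bool, risk_scores: Dict[str, float]) -> str:
    """Reputation verdict first (the vendor feed overrides), then the allowlist."""
    if blocked_by_risk(_host(url), risk_scores):
        return "blocked:risk"
    by_path = allowed_by_path(url, tls_inspected)
    if by_path is None:
        # No path visible: fall back to hostname granularity. This is where an
        # attacker-owned repo on an allowed host passes.
        return "allowed:host" if allowed_by_host(url) else "blocked:host"
    return "allowed:path" if by_path else "blocked:path"


# Constructed sample traffic: one legitimate fetch, one attacker-staged payload.
LEGIT = "https://github.com/example-org/tooling/releases/download/v1/tool.zip"
ATTACKER = "https://raw.githubusercontent.com/throwaway-attacker/repo/main/payload.ps1"

# Constructed reputation feeds: last week's score and this week's bumped score.
SCORES_LAST_WEEK = {"github.com": 3.5, "raw.githubusercontent.com": 3.5}
SCORES_NOW = {"github.com": 6.0, "raw.githubusercontent.com": 6.0}


if __name__ == "__main__":
    for label, url in (("legit", LEGIT), ("attacker", ATTACKER)):
        for inspected in (False, True):
            for feed_name, feed in (("last week", SCORES_LAST_WEEK), ("now", SCORES_NOW)):
                print(f"{label:8} tls_inspected={inspected!s:5} {feed_name:9} "
                      f"-> {decide(url, inspected, feed)}")
```

Run it and the three outcomes from the comment fall out: without TLS inspection the attacker's payload URL is `allowed:host` because the filter only knows the hostname is on the list; with inspection the same URL is `blocked:path` while the org's own release is `allowed:path`; and once the feed moves the score from 3.5 to 6 against a threshold of 5, everything on that host is `blocked:risk`, including the legitimate download.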