[lopsa-tech] Identify illicit behavior

2016-02-19 Thread Edward Ned Harvey (lopser)
Suppose a company has a policy about permitted use of the company laptops and internet, but you have suspicion that some user(s) are using it for illicit purposes such as porn. You've already taken measures to prevent accidental access - content filtering firewall, dns filtering, etc. You want

Re: [lopsa-tech] Identify illicit behavior

2016-02-19 Thread Graham Dunn
We use OpenDNS Umbrella, with only the malware deny mode on, but everything is logged and OpenDNS will generate a report of flagged URLs, so it's possible to go back to your own systems (we send all DNS/DHCP activity into ELK) and correlate who it was. OpenDNS will also sell you a box that does
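The correlation Graham describes (a flagged DNS query from the resolver log, joined against DHCP lease history to find which machine held that address at that moment) as an added example. This is not code from the thread or from OpenDNS; the log formats, hostnames, MACs and addresses are constructed and simplified, and the point it makes is that the join must be time-bounded, because a DHCP address is reassigned and an IP-only match will name the wrong host.

```python
"""Attribute flagged DNS lookups to a host via DHCP lease history.

Added example, not from the list thread.  Both log formats below are
constructed stand-ins (one line per event), not real OpenDNS or dhcpd output.
"""
from datetime import datetime

# Constructed resolver log: "<ISO timestamp> <client IP> <qname> <action>"
DNS_LOG = """\
2016-02-19T14:01:03Z 10.0.5.23 flagged.example.test BLOCKED
2016-02-19T14:02:10Z 10.0.5.23 intranet.example.test ALLOWED
2016-02-19T15:30:45Z 10.0.5.23 flagged.example.test BLOCKED
2016-02-19T16:00:00Z 10.0.5.99 www.example.test ALLOWED
"""

# Constructed DHCP events: "<ISO timestamp> <LEASE|RELEASE> <IP> <MAC> <hostname>"
# Note 10.0.5.23 changes hands at 15:05: IP alone does not identify a host.
DHCP_LOG = """\
2016-02-19T08:00:00Z LEASE 10.0.5.23 aa:bb:cc:dd:ee:01 laptop-alice
2016-02-19T15:00:00Z RELEASE 10.0.5.23 aa:bb:cc:dd:ee:01 laptop-alice
2016-02-19T15:05:00Z LEASE 10.0.5.23 aa:bb:cc:dd:ee:02 laptop-bob
2016-02-19T09:00:00Z LEASE 10.0.5.99 aa:bb:cc:dd:ee:03 laptop-carol
"""


def parse_ts(s):
    """Both logs must share a clock and timezone for the join to mean anything."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def build_leases(dhcp_text):
    """Turn LEASE/RELEASE events into per-IP intervals [start, end, mac, host].

    end is None while the lease is still open.  A RELEASE, or a new LEASE on
    the same IP, closes the interval that was open on that address.
    """
    events = []
    for line in dhcp_text.splitlines():
        if not line.strip():
            continue
        ts, event, ip, mac, host = line.split()
        events.append((parse_ts(ts), event, ip, mac, host))
    events.sort(key=lambda e: e[0])          # lease history must be in time order

    leases = {}                               # ip -> list of [start, end, mac, host]
    for ts, event, ip, mac, host in events:
        intervals = leases.setdefault(ip, [])
        if intervals and intervals[-1][1] is None:
            intervals[-1][1] = ts             # close whatever was open on this IP
        if event == "LEASE":
            intervals.append([ts, None, mac, host])
    return leases


def lease_at(leases, ip, ts):
    """Return (mac, host) holding `ip` at time `ts`, or None if no lease covers it."""
    for start, end, mac, host in leases.get(ip, []):
        if start <= ts and (end is None or ts < end):
            return mac, host
    return None


def attribute(dns_text, leases, only_action="BLOCKED"):
    """Join resolver log lines to the lease that was active at query time.

    only_action=None keeps every line; otherwise only matching actions are kept.
    Lines with no covering lease get mac/host of None rather than a guess.
    """
    hits = []
    for line in dns_text.splitlines():
        if not line.strip():
            continue
        ts_s, ip, qname, action = line.split()
        if only_action and action != only_action:
            continue
        who = lease_at(leases, ip, parse_ts(ts_s))
        hits.append({"ts": ts_s, "ip": ip, "qname": qname,
                     "mac": who[0] if who else None,
                     "host": who[1] if who else None})
    return hits


if __name__ == "__main__":
    for h in attribute(DNS_LOG, build_leases(DHCP_LOG)):
        print(h["ts"], h["ip"], h["qname"], "->", h["host"] or "UNATTRIBUTED", h["mac"] or "")
```

Two practical caveats the join depends on: the resolver log has to carry the internal client address (behind PAT it will only show the firewall's public address, which is the problem Jeremy's message below solves with the OpenDNS virtual appliances), and a query that falls in a gap between leases, or after a RELEASE, should be reported as unattributed rather than matched to the nearest lease.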

Re: [lopsa-tech] Identify illicit behavior

2016-02-19 Thread Dan Ritter
On Fri, Feb 19, 2016 at 03:12:54PM +, Edward Ned Harvey (lopser) wrote: > Suppose a company has a policy about permitted use of the company laptops and > internet, but you have suspicion that some user(s) are using it for illicit > purposes such as porn. You've already taken measures to preve

Re: [lopsa-tech] Identify illicit behavior

2016-02-19 Thread Jeremy Charles
We also use OpenDNS Umbrella. We have deployed their Virtual Appliances inside our network so that the OpenDNS logs show the real IP address of the DNS clients. (Otherwise, our firewall would PAT the addresses on the way out to the Internet.) We have not yet implemented anything to sniff out

Re: [lopsa-tech] Identify illicit behavior

2016-02-19 Thread Doug Hughes
> Suppose a company has a policy about permitted use of the company laptops > and internet, but you have suspicion that some user(s) are using it for > illicit purposes such as porn. You've already taken measures to prevent > accidental access - content filtering firewall, dns filtering, etc. > > >

[lopsa-tech] Browser history sync - and porn - vs company policy

2016-02-19 Thread Edward Ned Harvey (lopser)
An interesting topic that spun off of another thread - If misuse of company internet or computers is suspected, because of Bad Things (TM) in browser history, consider the possibility that the browser history is just synchronizing between the company computer, and some personal computer or devi

Re: [lopsa-tech] Identify illicit behavior

2016-02-19 Thread Mario Obejas
The guy that gave this LISA talk isn't a complete idiot, and even though it was 2010, you might still find some applicable ideas in there: Enterprise-scale Employee Monitoring | USENIX. Since June 2009, I have been th