So, @tinker expressed dismay at something that I see a -lot- of: small business IT people choosing to log directly into their domain controller to do administrative things, including managing their SIEM - which is sometimes hosted as a VM running on a machine where the DC is the bare metal OS.

The reasons for this are a little bit complex in how they interlock, but here's how it boils down:

@munin @tinker Any thoughts on getting small business insurance, banks, etc., to take a role in this? Those are forces which can roll unanticipated costs into anticipated (and visible) costs, and press for best practices.

Great war story and methods. Plays into a lot of what I'm thinking about #GreshamsLaw, #UnanticipatedConsequences, #HygieneFactors, and #DelayedInformation realisation.

@dredmorbius @tinker

The tools that insurance and banks generally bring to bear on this are compliance audits - which drive SIEM sales, sure, but don't really help the underlying issues here.

The ultimate problem here is that the prime mover in the market - Microsoft - is very difficult for people to set up without specific training and experience; it is expensive to get that training and experience...

@munin @tinker Compliance audits which, say, require physical isolation of equipment providing roles, otherwise, say, your liability premiums rise.

Insurance has done a lot for improved procedures in other areas: fire, auto safety, industrial safety. I'm not holding my breath though.

@dredmorbius @tinker

There are second-order consequences to that approach, as every single managed service provider would come down on that like a ton of bricks - because it would kill their business model for scaling their customer base.

@dredmorbius @tinker

Mandating physically separate hardware means you can't have multitenancy for clients. Vastly higher costs to do business.

@munin @tinker Isn't the question slightly more one of mandating _competently managed_ base hardware?

I mean, what you're saying would kill, say, AWS. Which ... might be politically difficult. (Or Azure, or Rackspace, or ...) You've got to approach this with realism and actual risk in mind.

If multi-tenancy is in fact a real risk, then address it as such. If it's not, /given specific standards of practice/, then ensure those standards are followed and verified.

@dredmorbius @tinker

....you're the one who brought up "physical isolation of equipment providing roles" so....

@munin @tinker Let's add the proviso to that of "in a self-managed arrangement".

I'd also suggest not getting hung up on specific suggestions, and focus more on the goals and/or attainment of same. If I'm saying something clearly stupid, call me on it. I keep in good practice on that.

And the suggestion came from your initial post describing the situation of a SIEM as a VM on a DC:
https://mastodon.hasameli.com/users/munin/updates/5698

@tinker @munin If there's a more precise way to say "this thing, don't do that, or at least if you must, do it /this/ way", to useful effect, then by all means, do.

My initial suggestion was less about the specific advice given, than on the concept of using an organisation used to assessing and managing risks (insurance) to address and manage risks.

But here we are off in the weeds of largely irrelevant minutiae.