Unsolved NG AV / Endpoint Protection in 2021
-
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@scottalanmiller said in NG AV / Endpoint Protection in 2021:
@travisdh1 said in NG AV / Endpoint Protection in 2021:
I'm curious, how do you handle centralized reporting with Defender? That's still the 1 missing piece most places I deal with want, and I don't know of a way to do it with Defender itself.
Reporting on it being up to date and running? Both MeshCentral and TacticalRMM report on that. So do lots of other tools.
Can you give a screenshot of this? I just can't conceptualize how these tools can give you a report on running, updates, number of findings, what the findings are, etc.
I can understand how MeshCentral and TacticalRMM can keep you informed of updates, it's what they do, but how do they alert you to detections?
-
@travisdh1 It doesn't that is the issue.
-
@scottalanmiller many applications have issues but none of them are intentional so I can understand frustration. By that definition Microsoft including Defender shouldn't be used
but again I have no idea of what NTG is dealing with those specific Bitdefender clients. -
@scottalanmiller A lot of Endpoint Protection have the Bitlocker Management for Encryption and other modules that go hand in hand with the Agent so there are many settings that can be used. Also most Endpoint protection systems offer the central management for Free included on the licensing which Bitdefender does have.
-
What is centralized AV?
AV status, alerting, and policy managementA SIEM and HIDS solution provide the first two for you and there are so many mechanisms which you can use to handle policies like powershell, salt, Ansible, etc.
-
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
-
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
-
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
-
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
It makes a hell of a lot of sense when you can save $10 a month per user and use standard windows defender, but you're right SMB don't do things that are logical and cannot see big picture.
-
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
Ok? We are talking about what should be done, not what is done. SIEM are fairly easy to set up. And if you use systems like Wazuh or Graylog they're free. No excuses really.
-
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
Ok? We are talking about what should be done, not what is done. SIEM are fairly easy to set up. And if you use systems like Wazuh or Graylog they're free. No excuses really.
Thanks, I'll put this on my plate.
-
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
You mention this a lot. But you point out that people often do a bad job in a context that seems like you are saying we shouldn't do or recommend doing a good job because of it.
It's like the vaccine. We shouldn't all give up just because most people aren't going to do it. It remains good for us, and good advice, regardless. Bad advice should never be given intentionally.
-
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
Ok? We are talking about what should be done, not what is done. SIEM are fairly easy to set up. And if you use systems like Wazuh or Graylog they're free. No excuses really.
Thanks, I'll put this on my plate.
Why not hire it out? You were willing to hire it out with AV, why not pay to have it done right instead?
-
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
I think for 90% or more, it is plenty. It's a rare shop that has some valuable action to take when they find out that the AV caught something. Most times it just wastes resources and causes people to start ignoring it. In theory, it's great to have, and that's what a SIEM is for, for sure. But most shops can't do things like test patches or look over logs, they just don't have the resources or knowledge. So getting them maximum benefit at minimum cost is critical and allowing them as much time as possible to deal with meaningful problems.
In a shop that can afford to do so and can make actionable policies around events, absolutely, it can have value.
-
@scottalanmiller said in NG AV / Endpoint Protection in 2021:
I think for 90% or more, it is plenty. It's a rare shop that has some valuable action to take when they find out that the AV caught something. Most times it just wastes resources and causes people to start ignoring it. In theory, it's great to have, and that's what a SIEM is for, for sure. But most shops can't do things like test patches or look over logs, they just don't have the resources or knowledge. So getting them maximum benefit at minimum cost is critical and allowing them as much time as possible to deal with meaningful problems.
That's why you need alerts in addition to logs. You need your alerts to have low noise so you actually can respond to them. I do think keeping logs is important even if it's just for forensics after the fact.
-
@scottalanmiller said in NG AV / Endpoint Protection in 2021:
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
Ok? We are talking about what should be done, not what is done. SIEM are fairly easy to set up. And if you use systems like Wazuh or Graylog they're free. No excuses really.
Thanks, I'll put this on my plate.
Why not hire it out? You were willing to hire it out with AV, why not pay to have it done right instead?
Hire out? I guess I take that to mean something else…
If you mean buy a SIEM service that I manage, yeah I’d be down foe that. -
@scottalanmiller said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
I think for 90% or more, it is plenty. It's a rare shop that has some valuable action to take when they find out that the AV caught something. Most times it just wastes resources and causes people to start ignoring it. In theory, it's great to have, and that's what a SIEM is for, for sure. But most shops can't do things like test patches or look over logs, they just don't have the resources or knowledge. So getting them maximum benefit at minimum cost is critical and allowing them as much time as possible to deal with meaningful problems.
In a shop that can afford to do so and can make actionable policies around events, absolutely, it can have value.
This is the main argument I was attempting to make shy they don’t have SIEM in the first place.
-
@dashrender said in NG AV / Endpoint Protection in 2021:
@scottalanmiller said in NG AV / Endpoint Protection in 2021:
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
Ok? We are talking about what should be done, not what is done. SIEM are fairly easy to set up. And if you use systems like Wazuh or Graylog they're free. No excuses really.
Thanks, I'll put this on my plate.
Why not hire it out? You were willing to hire it out with AV, why not pay to have it done right instead?
Hire out? I guess I take that to mean something else…
If you mean buy a SIEM service that I manage, yeah I’d be down foe that.It can mean either. Why add constraints?
FFS. Just hire someone that already knows how to setup systems like Wazuh once off. Then manage it.
Or yes, go buy a subscription to ArticWolf or one of the million other systems out there.
-
@dashrender said in NG AV / Endpoint Protection in 2021:
Hire out? I guess I take that to mean something else…
Meaning, with the AV you were happy to pay to get a service that does this (packaged as a product.) If you stop paying the AV for something like that, why not pay some other mechanism to do it better?
-
So in simple terms, people are saying dump the AV products like Webroot/Bitdefender/Eset and move over to a more SIEM orientated setup whether that's in house or externally managed (we wouldn't have the resources internally)
What about products like CrowdStrike, Cynet XDR, Mimecast. Does these fall into the SIEM realm? As they say they monitor machines for changes in system files/logs/other stuff for behaviour that looks like issues i.e. Virus/Ransomware.
