Unsolved NG AV / Endpoint Protection in 2021
-
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not be whitelisting anything, because it does not fit the zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app, we should be able to do that for the entire organization through a configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, a SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
Ok? We are talking about what should be done, not what is done. SIEMs are fairly easy to set up. And if you use systems like Wazuh or Graylog they're free. No excuses really.
-
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not be whitelisting anything, because it does not fit the zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app, we should be able to do that for the entire organization through a configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, a SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
Ok? We are talking about what should be done, not what is done. SIEMs are fairly easy to set up. And if you use systems like Wazuh or Graylog they're free. No excuses really.
Thanks, I'll put this on my plate.
-
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not be whitelisting anything, because it does not fit the zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app, we should be able to do that for the entire organization through a configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, a SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
You mention this a lot. But you point out that people often do a bad job in a context that seems like you are saying we shouldn't do or recommend doing a good job because of it.
It's like the vaccine. We shouldn't all give up just because most people aren't going to do it. It remains good for us, and good advice, regardless. Bad advice should never be given intentionally.
-
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not be whitelisting anything, because it does not fit the zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app, we should be able to do that for the entire organization through a configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, a SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
Ok? We are talking about what should be done, not what is done. SIEMs are fairly easy to set up. And if you use systems like Wazuh or Graylog they're free. No excuses really.
Thanks, I'll put this on my plate.
Why not hire it out? You were willing to hire it out with AV, why not pay to have it done right instead?
-
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not be whitelisting anything, because it does not fit the zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app, we should be able to do that for the entire organization through a configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, a SIEM will do that for you.
I think for 90% or more, it is plenty. It's a rare shop that has some valuable action to take when they find out that the AV caught something. Most times it just wastes resources and causes people to start ignoring it. In theory, it's great to have, and that's what a SIEM is for, for sure. But most shops can't do things like test patches or look over logs, they just don't have the resources or knowledge. So getting them maximum benefit at minimum cost is critical and allowing them as much time as possible to deal with meaningful problems.
In a shop that can afford to do so and can make actionable policies around events, absolutely, it can have value.
-
@scottalanmiller said in NG AV / Endpoint Protection in 2021:
I think for 90% or more, it is plenty. It's a rare shop that has some valuable action to take when they find out that the AV caught something. Most times it just wastes resources and causes people to start ignoring it. In theory, it's great to have, and that's what a SIEM is for, for sure. But most shops can't do things like test patches or look over logs, they just don't have the resources or knowledge. So getting them maximum benefit at minimum cost is critical and allowing them as much time as possible to deal with meaningful problems.
That's why you need alerts in addition to logs. You need your alerts to have low noise so you actually can respond to them. I do think keeping logs is important even if it's just for forensics after the fact.
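An added example (not code from the thread or from any product named in it) of the split argued for above: every AV event is retained as the log for later forensics, while alerts are raised only for things a person should act on, with repeated detections of the same host/threat folded into one alert so the queue stays quiet. The event records and the field names are constructed for the example.

```python
from collections import Counter

# Constructed sample of endpoint AV events as a SIEM agent (Wazuh, Graylog, etc.)
# might forward them. Made-up records, not real product output.
SAMPLE_EVENTS = [
    {"ts": 1609459200, "host": "ws-01", "kind": "status", "definitions": "current"},
    {"ts": 1609459260, "host": "ws-02", "kind": "status", "definitions": "stale"},
    {"ts": 1609459320, "host": "ws-01", "kind": "detection", "threat": "Trojan.Generic", "action": "quarantined"},
    {"ts": 1609459330, "host": "ws-01", "kind": "detection", "threat": "Trojan.Generic", "action": "quarantined"},
    {"ts": 1609459340, "host": "ws-01", "kind": "detection", "threat": "Trojan.Generic", "action": "quarantined"},
    {"ts": 1609460000, "host": "ws-03", "kind": "detection", "threat": "Ransom.Test", "action": "failed"},
    {"ts": 1609463000, "host": "ws-01", "kind": "detection", "threat": "Trojan.Generic", "action": "quarantined"},
]

DEDUP_WINDOW = 3600  # seconds; repeats of one host/threat pair inside this window are folded

def _alert(severity, host, threat, ts):
    return {"severity": severity, "host": host, "threat": threat, "count": 1, "first_ts": ts}

def triage(events, window=DEDUP_WINDOW):
    """Return (log, alerts): the full log for forensics and a low-noise alert list.

    high   - a detection the AV could not remediate (never folded)
    medium - first quarantined detection per host/threat in the window; repeats bump its count
    low    - a host reporting stale definitions; healthy heartbeats never alert
    """
    log = list(events)
    alerts = []
    open_alert = {}  # (host, threat) -> index of the medium alert still inside its window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "status":
            if ev["definitions"] != "current":
                alerts.append(_alert("low", ev["host"], "stale definitions", ev["ts"]))
            continue
        if ev["action"] != "quarantined":
            alerts.append(_alert("high", ev["host"], ev["threat"], ev["ts"]))
            continue
        key = (ev["host"], ev["threat"])
        idx = open_alert.get(key)
        if idx is not None and ev["ts"] - alerts[idx]["first_ts"] < window:
            alerts[idx]["count"] += 1  # same host/threat again: fold it, don't page again
            continue
        alerts.append(_alert("medium", ev["host"], ev["threat"], ev["ts"]))
        open_alert[key] = len(alerts) - 1
    return log, alerts

def severity_counts(alerts):
    """Summarise alerts by severity, e.g. for a daily digest."""
    return dict(Counter(a["severity"] for a in alerts))

if __name__ == "__main__":
    log, alerts = triage(SAMPLE_EVENTS)
    print(f"{len(log)} events logged, {len(alerts)} alerts: {severity_counts(alerts)}")
```

On the sample, seven events are logged but only four alerts come out: one stale-definitions notice, one failed remediation, and two medium alerts for ws-01 (the first carrying a count of 3, the second opened because the last hit fell outside the hour window).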
-
@scottalanmiller said in NG AV / Endpoint Protection in 2021:
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not be whitelisting anything, because it does not fit the zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app, we should be able to do that for the entire organization through a configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, a SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
Ok? We are talking about what should be done, not what is done. SIEMs are fairly easy to set up. And if you use systems like Wazuh or Graylog they're free. No excuses really.
Thanks, I'll put this on my plate.
Why not hire it out? You were willing to hire it out with AV, why not pay to have it done right instead?
Hire out? I guess I take that to mean something else…
If you mean buy a SIEM service that I manage, yeah I'd be down for that.
-
@scottalanmiller said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not be whitelisting anything, because it does not fit the zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app, we should be able to do that for the entire organization through a configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, a SIEM will do that for you.
I think for 90% or more, it is plenty. It's a rare shop that has some valuable action to take when they find out that the AV caught something. Most times it just wastes resources and causes people to start ignoring it. In theory, it's great to have, and that's what a SIEM is for, for sure. But most shops can't do things like test patches or look over logs, they just don't have the resources or knowledge. So getting them maximum benefit at minimum cost is critical and allowing them as much time as possible to deal with meaningful problems.
In a shop that can afford to do so and can make actionable policies around events, absolutely, it can have value.
This is the main argument I was attempting to make: why they don't have a SIEM in the first place.
-
@dashrender said in NG AV / Endpoint Protection in 2021:
@scottalanmiller said in NG AV / Endpoint Protection in 2021:
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not be whitelisting anything, because it does not fit the zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app, we should be able to do that for the entire organization through a configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, a SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
Ok? We are talking about what should be done, not what is done. SIEMs are fairly easy to set up. And if you use systems like Wazuh or Graylog they're free. No excuses really.
Thanks, I'll put this on my plate.
Why not hire it out? You were willing to hire it out with AV, why not pay to have it done right instead?
Hire out? I guess I take that to mean something else…
If you mean buy a SIEM service that I manage, yeah I'd be down for that.
It can mean either. Why add constraints?
FFS. Just hire someone that already knows how to set up systems like Wazuh, once off. Then manage it.
Or yes, go buy a subscription to Arctic Wolf or one of the million other systems out there.
-
@dashrender said in NG AV / Endpoint Protection in 2021:
Hire out? I guess I take that to mean something else…
Meaning, with the AV you were happy to pay to get a service that does this (packaged as a product.) If you stop paying the AV for something like that, why not pay some other mechanism to do it better?
-
So in simple terms, people are saying dump the AV products like Webroot/Bitdefender/ESET and move over to a more SIEM-oriented setup, whether that's in house or externally managed (we wouldn't have the resources internally).
What about products like CrowdStrike, Cynet XDR, Mimecast? Do these fall into the SIEM realm? They say they monitor machines for changes in system files/logs/other stuff for behaviour that looks like issues, i.e. virus/ransomware.
-
@hobbit666 said in NG AV / Endpoint Protection in 2021:
So in simple terms, people are saying dump the AV products like Webroot/Bitdefender/ESET and move over to a more SIEM-oriented setup, whether that's in house or externally managed (we wouldn't have the resources internally).
What about products like CrowdStrike, Cynet XDR, Mimecast? Do these fall into the SIEM realm? They say they monitor machines for changes in system files/logs/other stuff for behaviour that looks like issues, i.e. virus/ransomware.
It's not just about having anti-virus software updated to the latest definitions. I would say definition-based malware threats are pretty much the basic 1-9% of the whole picture. This is where solutions such as some CrowdStrike products and Microsoft 365 Defender come into play to cover the ~90% of the whole picture.
-
@obsolesce said in NG AV / Endpoint Protection in 2021:
@hobbit666 said in NG AV / Endpoint Protection in 2021:
So in simple terms, people are saying dump the AV products like Webroot/Bitdefender/ESET and move over to a more SIEM-oriented setup, whether that's in house or externally managed (we wouldn't have the resources internally).
What about products like CrowdStrike, Cynet XDR, Mimecast? Do these fall into the SIEM realm? They say they monitor machines for changes in system files/logs/other stuff for behaviour that looks like issues, i.e. virus/ransomware.
It's not just about having anti-virus software updated to the latest definitions. I would say definition-based malware threats are pretty much the basic 1-9% of the whole picture. This is where solutions such as some CrowdStrike products and Microsoft 365 Defender come into play to cover the ~90% of the whole picture.
https://www.amazon.com/UNIDOPRO-Socket-Tapping-Bottle-Bracket/dp/B07G3XS4W8
Thanks for the bolt recommendation.
-
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@obsolesce said in NG AV / Endpoint Protection in 2021:
@hobbit666 said in NG AV / Endpoint Protection in 2021:
So in simple terms, people are saying dump the AV products like Webroot/Bitdefender/ESET and move over to a more SIEM-oriented setup, whether that's in house or externally managed (we wouldn't have the resources internally).
What about products like CrowdStrike, Cynet XDR, Mimecast? Do these fall into the SIEM realm? They say they monitor machines for changes in system files/logs/other stuff for behaviour that looks like issues, i.e. virus/ransomware.
It's not just about having anti-virus software updated to the latest definitions. I would say definition-based malware threats are pretty much the basic 1-9% of the whole picture. This is where solutions such as some CrowdStrike products and Microsoft 365 Defender come into play to cover the ~90% of the whole picture.
https://www.amazon.com/UNIDOPRO-Socket-Tapping-Bottle-Bracket/dp/B07G3XS4W8
Thanks for the bolt recommendation.
Oops, copied link from wrong browser tab lol, fixed link in post.
-
@hobbit666 said in NG AV / Endpoint Protection in 2021:
So in simple terms, people are saying dump the AV products like Webroot/Bitdefender/ESET and move over to a more SIEM-oriented setup, whether that's in house or externally managed (we wouldn't have the resources internally).
By and large, just dump them. If you need SIEM, that's a different discussion. But definitely dump those. ESET is outright evil, they are an active threat. We've had actual criminal activity from them. They are nothing like the others.
Bitdefender and Webroot just don't add value over what is included, but do have some pretty significant negatives (not only cost): performance, and, especially with Bitdefender, all kinds of application breakages.
The upside to customers who keep installing Bitdefender against our advice... boy does it rack up the billable hours to fix issues that it introduces.