    NG AV / Endpoint Protection in 2021

    IT Discussion
    56 Posts 12 Posters 4.7k Views
    • travisdh1 @scottalanmiller

      @scottalanmiller said in NG AV / Endpoint Protection in 2021:

      Sure, but what settings and policies do you need? Keep the computer safe, stop monkeying about with policies. I truly believe this entire policy market is a scam. All these unnecessary settings, that put customers at risk, to justify paying for a centralized system.

      Skip it all. Problem solved. Centralized reporting of status so that you know things are running and up to date: great. But with Defender, that's free. All the rest, I absolutely, 100% think it's BS that people are trying to charge for that.

      Don't get me wrong, I know why it is a good market of easy money and that it is super easy to get customers to request it. But as a CIO, my job is always to educate my customers that this is not in their interest and it is all "sounds good" mumbo jumbo that is hard to refute, but in practice is not in any way done for their benefit.

      I'm curious, how do you handle centralized reporting with Defender? That's still the 1 missing piece most places I deal with want, and I don't know of a way to do it with Defender itself.

      • scottalanmiller @travisdh1

        @travisdh1 said in NG AV / Endpoint Protection in 2021:

        I'm curious, how do you handle centralized reporting with Defender? That's still the 1 missing piece most places I deal with want, and I don't know of a way to do it with Defender itself.

        Reporting on it being up to date and running? Both MeshCentral and TacticalRMM report on that. So do lots of other tools.

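
The status-only reporting discussed above, as an added example written for this page (not code from the thread, from MeshCentral or from TacticalRMM): a Defender health check in the shape of an RMM "script check", where exit 0 means healthy and non-zero raises the alert. It assumes the built-in Defender PowerShell module (Windows 10 / Server 2016 and later); the age thresholds, the output shape and the exit-code convention are assumptions.

```powershell
# Added example for this page; not code from the thread or from any RMM vendor.
# Defender health check for an RMM script check: exit 0 = healthy, 1 = alert.
# Assumes the built-in Defender module. Thresholds are assumptions; tune them.
param(
    [int]$MaxSignatureAgeDays = 3,
    [int]$MaxQuickScanAgeDays = 7
)

# Get-MpComputerStatus reports scan ages as 4294967295 ([uint32]::MaxValue)
# when that scan has never run; treat that as "never", not as "very old".
$NeverRan = [uint32]::MaxValue

function Get-DefenderHealth {
    param([int]$SigAgeLimit, [int]$QuickScanAgeLimit)

    $s = Get-MpComputerStatus -ErrorAction Stop
    $problems = New-Object System.Collections.Generic.List[string]

    # Is the engine actually protecting the machine right now?
    if (-not $s.AMServiceEnabled)          { $problems.Add('antimalware service not running') }
    if (-not $s.AntivirusEnabled)          { $problems.Add('antivirus disabled') }
    if (-not $s.RealTimeProtectionEnabled) { $problems.Add('real-time protection off') }
    if (-not $s.BehaviorMonitorEnabled)    { $problems.Add('behavior monitoring off') }

    # Is it up to date, and has it scanned recently?
    if ($s.AntivirusSignatureAge -gt $SigAgeLimit) {
        $problems.Add("signatures $($s.AntivirusSignatureAge) days old (last update $($s.AntivirusSignatureLastUpdated))")
    }
    if ($s.QuickScanAge -eq $NeverRan) {
        $problems.Add('quick scan has never run')
    } elseif ($s.QuickScanAge -gt $QuickScanAgeLimit) {
        $problems.Add("last quick scan $($s.QuickScanAge) days ago")
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Healthy            = ($problems.Count -eq 0)
        Problems           = $problems.ToArray()
        SignatureVersion   = $s.AntivirusSignatureVersion
        EngineVersion      = $s.AMEngineVersion
        RealTimeProtection = $s.RealTimeProtectionEnabled
        TamperProtected    = $s.IsTamperProtected   # $null on builds without tamper protection
    }
}

$health = Get-DefenderHealth -SigAgeLimit $MaxSignatureAgeDays -QuickScanAgeLimit $MaxQuickScanAgeDays
# One line of JSON is easy for an RMM to capture and keep per device.
$health | ConvertTo-Json -Compress
if ($health.Healthy) { exit 0 } else { exit 1 }
```

Run it elevated on a schedule (hourly is plenty for signature age) and let the RMM alert on the exit code; the JSON line gives the person answering the alert the signature and engine versions without a second round trip to the machine. Note that this check only proves the agent is running and current; it says nothing about what it found.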
        • stacksofplates @scottalanmiller

          @scottalanmiller said in NG AV / Endpoint Protection in 2021:

          Reporting on it being up to date and running? Both MeshCentral and TacticalRMM report on that. So do lots of other tools.

          Can you give a screenshot of this? I just can't conceptualize how these tools can give you a report on running, updates, number of findings, what the findings are, etc.

          • travisdh1 @stacksofplates

            @stacksofplates said in NG AV / Endpoint Protection in 2021:

            Can you give a screenshot of this? I just can't conceptualize how these tools can give you a report on running, updates, number of findings, what the findings are, etc.

            I can understand how MeshCentral and TacticalRMM can keep you informed of updates, it's what they do, but how do they alert you to detections?

            • dbeato @travisdh1

              @travisdh1 It doesn't, that is the issue.

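
The detections piece, which dbeato notes the RMM agents do not give you, can still be pulled from the endpoint itself and pushed into whatever the RMM captures. The following is an added example for this page, not code from the thread or from any vendor. It reads the Defender Operational event log, where event 1116 is "malware or other potentially unwanted software detected" and event 1117 is "action taken", and pairs them so that a detection Defender already cleaned up is reported as remediated rather than as a fresh alert. The lookback window, the grouping key, the output shape and the exit-code convention are assumptions.

```powershell
# Added example for this page; not code from the thread or any RMM vendor.
# Report Defender detections from the endpoint's own event log, pairing
# 1116 (detected) with 1117 (action taken) so remediated hits are not noisy.
# Lookback window and exit codes are assumptions.
param([int]$LookbackHours = 24)

function Get-EventField {
    # Defender events carry their details as named <Data> elements, e.g.
    # "Threat Name", "Path", "Action Name", "Detection User", "Process Name".
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-DefenderDetections {
    param([int]$Hours)

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent errors when nothing matches; treat that as "no detections".
    # Sort oldest-first so the detection is seen before the action taken on it.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
                Sort-Object TimeCreated)

    # Group by threat + path (assumption: good enough to pair 1116 with its 1117).
    $byKey = @{}
    foreach ($e in $events) {
        $threat = Get-EventField $e 'Threat Name'
        $path   = Get-EventField $e 'Path'
        $key    = "$threat|$path"
        if (-not $byKey.ContainsKey($key)) {
            $byKey[$key] = [pscustomobject]@{
                Threat     = $threat
                Path       = $path
                User       = Get-EventField $e 'Detection User'
                Process    = Get-EventField $e 'Process Name'
                FirstSeen  = $e.TimeCreated
                Action     = $null
                Remediated = $false
            }
        }
        if ($e.Id -eq 1117) {
            $byKey[$key].Action     = Get-EventField $e 'Action Name'
            $byKey[$key].Remediated = $true
        }
    }
    $byKey.Values
}

$detections   = @(Get-DefenderDetections -Hours $LookbackHours)
$unremediated = @($detections | Where-Object { -not $_.Remediated })

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    WindowHours  = $LookbackHours
    Total        = $detections.Count
    Unremediated = $unremediated.Count
    Detections   = $detections
} | ConvertTo-Json -Compress -Depth 3

# Exit code drives the RMM alert: 2 = detection Defender has not acted on,
# 1 = detections that were already remediated (informational), 0 = clean.
if     ($unremediated.Count -gt 0) { exit 2 }
elseif ($detections.Count   -gt 0) { exit 1 }
else                               { exit 0 }
```

Two caveats a practitioner will hit: a 1117 only says an action was attempted, so if you want to be strict also pull 1118 (action failed) and treat it as unremediated, and cross-check against `Get-MpThreatDetection`, whose `ActionSuccess` field reflects the engine's own view. Keeping the event log as the source of truth also means the same events can go to a SIEM unchanged later, with this script only serving as the interim alert path.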
              • dbeato @scottalanmiller

                @scottalanmiller many applications have issues but none of them are intentional so I can understand frustration. By that definition Microsoft including Defender shouldn't be used 🙂 but again I have no idea of what NTG is dealing with those specific Bitdefender clients.

                • dbeato @scottalanmiller

                  @scottalanmiller A lot of Endpoint Protection products have BitLocker Management for encryption and other modules that go hand in hand with the agent, so there are many settings that can be used. Also most Endpoint Protection systems offer the central management for free, included in the licensing, which Bitdefender does have.

                  • IRJ

                    What is centralized AV?
                    AV status, alerting, and policy management

                    A SIEM and HIDS solution provide the first two for you and there are so many mechanisms which you can use to handle policies like powershell, salt, Ansible, etc.

                    • IRJ

                      Also I think centralized policy management is against the concept of zero trust. We should not be whitelisting anything, because it does not fit the zero trust model. In an ideal world we are using web applications which require no exceptions.

                      We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through a configuration management tool. It should be so rare and there should be no onesie or twosie exceptions (so no need for policy management).

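
IRJ's point about driving policy, and the rare organization-wide exception, from configuration management rather than from a per-client console, as an added example for this page (not code from the thread): an idempotent Defender baseline plus one managed exclusion list, meant to be run by Ansible, Salt or an RMM policy script on every machine. The baseline values, the example exclusion path and the function names are assumptions; the numeric values are the enum values `Get-MpPreference` reports, so confirm them on your build before trusting the drift comparison.

```powershell
# Added example for this page; not code from the thread.
# One org-wide Defender baseline applied idempotently from config management.
# The exclusion list lives in version control and applies everywhere; anything
# added by hand on a single machine is removed on the next run.

# Desired settings as Get-MpPreference reports them (numeric enum values),
# so drift can be compared without converting names. Values are assumptions.
$Baseline = @{
    DisableRealtimeMonitoring = $false
    DisableBehaviorMonitoring = $false
    DisableIOAVProtection     = $false
    PUAProtection             = 1   # Enabled   (0 = Disabled, 2 = AuditMode)
    MAPSReporting             = 2   # Advanced  (0 = Disabled, 1 = Basic)
    SubmitSamplesConsent      = 1   # SendSafeSamples
    CloudBlockLevel           = 2   # High
}

# The complete exclusion list for the whole organization. Constructed example:
# one approved line-of-business application. Normally this is empty.
$ManagedExclusionPaths = @('C:\Program Files\ExampleLOB\data')

function Get-DefenderPolicyDrift {
    # Returns one object per setting or exclusion that differs from the baseline.
    $current = Get-MpPreference
    $drift = @(foreach ($name in $Baseline.Keys) {
        if ("$($current.$name)" -ne "$($Baseline[$name])") {
            [pscustomobject]@{ Setting = $name; Current = $current.$name; Desired = $Baseline[$name] }
        }
    })
    $have    = @($current.ExclusionPath)
    $extra   = $have | Where-Object { $_ -and ($ManagedExclusionPaths -notcontains $_) }
    $missing = $ManagedExclusionPaths | Where-Object { $have -notcontains $_ }
    foreach ($p in $extra)   { $drift += [pscustomobject]@{ Setting = 'ExclusionPath'; Current = $p; Desired = '(remove)' } }
    foreach ($p in $missing) { $drift += [pscustomobject]@{ Setting = 'ExclusionPath'; Current = '(absent)'; Desired = $p } }
    @($drift)
}

function Invoke-DefenderPolicy {
    param([switch]$ReportOnly)   # report drift without changing anything
    $drift = Get-DefenderPolicyDrift
    if ($ReportOnly) { return $drift }
    foreach ($d in $drift) {
        if ($d.Setting -eq 'ExclusionPath') {
            if ($d.Desired -eq '(remove)') { Remove-MpPreference -ExclusionPath $d.Current }
            else                           { Add-MpPreference    -ExclusionPath $d.Desired }
        } else {
            $splat = @{ $d.Setting = $d.Desired }
            Set-MpPreference @splat
        }
    }
    return $drift.Count
}

# Run elevated. First call shows what would change; second call converges
# and returns the number of changes (0 on a compliant machine).
Invoke-DefenderPolicy -ReportOnly | Format-Table -AutoSize
"applied $(Invoke-DefenderPolicy) change(s)"
```

Because the script converges to the baseline and returns a change count, a second run on a compliant machine reports 0, which is what lets a config-management tool treat it as a state rather than a one-off command. Two caveats: where the same setting is also pushed by Group Policy or Intune, the policy value wins and `Set-MpPreference` is silently overridden, and running this on a machine where someone added a local exclusion will remove it, which is the intended behavior but worth telling the help desk about first.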
                      • stacksofplates @IRJ

                        @irj said in NG AV / Endpoint Protection in 2021:

                        Also I think centralized policy management is against the concept of zero trust. We should not be whitelisting anything, because it does not fit the zero trust model. In an ideal world we are using web applications which require no exceptions.

                        We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through a configuration management tool. It should be so rare and there should be no onesie or twosie exceptions (so no need for policy management).

                        I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.

                        • Dashrender @stacksofplates

                          @stacksofplates said in NG AV / Endpoint Protection in 2021:

                          I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.

                          Most small shops or even medium shops are going to have SIEM.

                          • IRJ @Dashrender

                            @dashrender said in NG AV / Endpoint Protection in 2021:

                            Most small shops or even medium shops are going to have SIEM.

                            It makes a hell of a lot of sense when you can save $10 a month per user and use standard Windows Defender, but you're right, SMBs don't do things that are logical and cannot see the big picture.

                            • stacksofplates @Dashrender

                              @dashrender said in NG AV / Endpoint Protection in 2021:

                              Most small shops or even medium shops are going to have SIEM.

                              Ok? We are talking about what should be done, not what is done. SIEMs are fairly easy to set up. And if you use systems like Wazuh or Graylog they're free. No excuses really.

                              • Dashrender @stacksofplates

                                @stacksofplates said in NG AV / Endpoint Protection in 2021:

                                Ok? We are talking about what should be done, not what is done. SIEMs are fairly easy to set up. And if you use systems like Wazuh or Graylog they're free. No excuses really.

                                Thanks, I'll put this on my plate.

                                • scottalanmiller @Dashrender

                                  @dashrender said in NG AV / Endpoint Protection in 2021:

                                  Most small shops or even medium shops are going to have SIEM.

                                  You mention this a lot. But you point out that people often do a bad job in a context that seems like you are saying we shouldn't do or recommend doing a good job because of it.

                                  It's like the vaccine. We shouldn't all give up just because most people aren't going to do it. It remains good for us, and good advice, regardless. Bad advice should never be given intentionally.

                                  • scottalanmiller @Dashrender

                                    @dashrender said in NG AV / Endpoint Protection in 2021:

                                    Thanks, I'll put this on my plate.

                                    Why not hire it out? You were willing to hire it out with AV, why not pay to have it done right instead?

                                    • scottalanmiller @stacksofplates

                                      @stacksofplates said in NG AV / Endpoint Protection in 2021:

                                      I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.

                                      I think for 90% or more, it is plenty. It's a rare shop that has some valuable action to take when they find out that the AV caught something. Most times it just wastes resources and causes people to start ignoring it. In theory, it's great to have, and that's what a SIEM is for, for sure. But most shops can't do things like test patches or look over logs, they just don't have the resources or knowledge. So getting them maximum benefit at minimum cost is critical and allowing them as much time as possible to deal with meaningful problems.

                                      In a shop that can afford to do so and can make actionable policies around events, absolutely, it can have value.

                                      • IRJ @scottalanmiller

                                        @scottalanmiller said in NG AV / Endpoint Protection in 2021:

                                        I think for 90% or more, it is plenty. It's a rare shop that has some valuable action to take when they find out that the AV caught something. Most times it just wastes resources and causes people to start ignoring it. In theory, it's great to have, and that's what a SIEM is for, for sure. But most shops can't do things like test patches or look over logs, they just don't have the resources or knowledge. So getting them maximum benefit at minimum cost is critical and allowing them as much time as possible to deal with meaningful problems.

                                        That's why you need alerts in addition to logs. You need your alerts to have low noise so you actually can respond to them. I do think keeping logs is important even if it's just for forensics after the fact.

                                        • Dashrender @scottalanmiller

                                          @scottalanmiller said in NG AV / Endpoint Protection in 2021:

                                          Why not hire it out? You were willing to hire it out with AV, why not pay to have it done right instead?

                                          Hire out? I guess I take that to mean something else…
                                          If you mean buy a SIEM service that I manage, yeah I'd be down for that.

                                          • Dashrender @scottalanmiller

                                            @scottalanmiller said in NG AV / Endpoint Protection in 2021:

                                            I think for 90% or more, it is plenty. It's a rare shop that has some valuable action to take when they find out that the AV caught something. Most times it just wastes resources and causes people to start ignoring it. In theory, it's great to have, and that's what a SIEM is for, for sure. But most shops can't do things like test patches or look over logs, they just don't have the resources or knowledge. So getting them maximum benefit at minimum cost is critical and allowing them as much time as possible to deal with meaningful problems.

                                            In a shop that can afford to do so and can make actionable policies around events, absolutely, it can have value.

                                            This is the main argument I was attempting to make for why they don't have SIEM in the first place.
