Arg! The money spent the month before I stated here.

Dashrender

@tim_g said in Arg! The money spent the month before I stated here.:

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

All AVs are not equal. THere are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.

Right, and I'd argue (and have) that having UTM makes people feel that they don't need to have good AV. But they do, because threats originate often from inside the LAN where the UTM is powerless.

I don't use the UTM because I can't use AV some places, and as an additional layer of protection in a different way... not to make myself feel like I don't need good AV. Maybe other people, but not me.

You're environment is much more likely to be infected by a user's device that shouldn't be on your production network than from some user downloading something that an AV scanner on the UTM is going to detect.

scottalanmiller

@tim_g said in Arg! The money spent the month before I stated here.:

That aside, it's really nice and does an excellent job. I do like it. SonicWALL is not a bad product from what I've seen over the last 6 years dealing with a number of them.

It's the device I've had the worst results with. It's not that it is "bad", but that it is bad in comparison to all of the alternatives that I've worked with

Dashrender

@tim_g said in Arg! The money spent the month before I stated here.:

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

@scottalanmiller said in Arg! The money spent the month before I stated here.:

Is there any possibility that providing that UTM somehow influences these things being allowed to happen?

No, it was like that before and after the UTM. The UTM was not a negotiation for lack of security elsewhere.

Seems odd, they were willing to pay for a UTM, but not willing to do other things. Not that it is a crazy cost, but it's far from free.

The UTM is there whether we use it or not. It was included in a package of other stuff we do use. It does not cost anything extra to use it vs not use it.

Well, it required buying an overpriced device that only costs what it does because it is a UTM. Someone bought a UTM, that's what they paid for. Now that it was already purchased, sure, it doesn't cost twice. But nearly the entire cost of that device was for the UTM. The rest is for the brand name.

@scottalanmiller said in Arg! The money spent the month before I stated here.:

For perspective, I guess I'm saying that from your perspective where someone else is making the insecure decisions, someone else bought the UTM and installed it, yes it makes sense to enable it.

From the CIO or CEO's perspectives, it's all insane. From an IT department view point, it makes no sense. No sense to have bought a UTM, no sense to not secure the environment, etc.

And I agree!

That aside, it's really nice and does an excellent job. I do like it. SonicWALL is not a bad product from what I've seen over the last 6 years dealing with a number of them.

Is it needed? No, there are so much better options. But if that's what was being used for such a long time and they grew attached to it... well you can imagine why they stick with it.

Grew attached to it? i.e. someone not doing their job as Scott would say.

scottalanmiller

@dashrender said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

All AVs are not equal. THere are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.

Right, and I'd argue (and have) that having UTM makes people feel that they don't need to have good AV. But they do, because threats originate often from inside the LAN where the UTM is powerless.

I don't use the UTM because I can't use AV some places, and as an additional layer of protection in a different way... not to make myself feel like I don't need good AV. Maybe other people, but not me.

You're environment is much more likely to be infected by a user's device that shouldn't be on your production network than from some user downloading something that an AV scanner on the UTM is going to detect.

Mostly because devices are allowed to leave the network, get infected, and join again. If the UTM covered them at home, it would be different.

Plus I assume that those devices can be multihomes while in the office to the LAN and to the Cell network (4G) so they might bypass the UTM even while still in the office.

Dashrender

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@dashrender said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

All AVs are not equal. THere are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.

Right, and I'd argue (and have) that having UTM makes people feel that they don't need to have good AV. But they do, because threats originate often from inside the LAN where the UTM is powerless.

I don't use the UTM because I can't use AV some places, and as an additional layer of protection in a different way... not to make myself feel like I don't need good AV. Maybe other people, but not me.

You're environment is much more likely to be infected by a user's device that shouldn't be on your production network than from some user downloading something that an AV scanner on the UTM is going to detect.

Mostly because devices are allowed to leave the network, get infected, and join again. If the UTM covered them at home, it would be different.

Plus I assume that those devices can be multihomes while in the office to the LAN and to the Cell network (4G) so they might bypass the UTM even while still in the office.

Agreed.

jmoore

@tim_g said in Arg! The money spent the month before I stated here.:

Good security also consists of all easily identifiable holes being covered the best that can be done for a cost that makes sense for the environment. If we deploy all devices with good AV, but there are still devices without it such as personal devices and those we deploy that stop functioning correctly sometimes, it's not a bad thing to use the built-in AV the SonicWALL provides as an additional protection layer. (or only AV protection layer in some cases)

I do completely understand what you are saying, but you also need to understand that in some places, there are devices that are not controlled by IT and due to some reasons I beyond the scope of this topic, there's nothing that can be done no matter what. In this case the SonicWALL AV and SSL-DPI is very beneficial. It also helps to keep things off the network, not even giving the client devices a chance to get it.

All AVs are not equal. THere are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.

Good points. Maybe we should have a different thread to talk about the best way to layer security? There seems to be many opinions on how to do it. I am sure it would help a few people. I know it will depend on the environment but well laid out template would at least give you places to start. Its just the same as crafting a program, you have lots to consider and you have plans in place for as many situations as possible. Good idea or not?

scottalanmiller

@jmoore said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

Good security also consists of all easily identifiable holes being covered the best that can be done for a cost that makes sense for the environment. If we deploy all devices with good AV, but there are still devices without it such as personal devices and those we deploy that stop functioning correctly sometimes, it's not a bad thing to use the built-in AV the SonicWALL provides as an additional protection layer. (or only AV protection layer in some cases)

I do completely understand what you are saying, but you also need to understand that in some places, there are devices that are not controlled by IT and due to some reasons I beyond the scope of this topic, there's nothing that can be done no matter what. In this case the SonicWALL AV and SSL-DPI is very beneficial. It also helps to keep things off the network, not even giving the client devices a chance to get it.

All AVs are not equal. THere are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.

Good points. Maybe we should have a different thread to talk about the best way to layer security? There seems to be many opinions on how to do it. I am sure it would help a few people. I know it will depend on the environment but well laid out template would at least give you places to start. Its just the same as crafting a program, you have lots to consider and you have plans in place for as many situations as possible. Good idea or not?

I agree, lots of good discussion to have there. Go ahead and open a thread.

Obsolesce

@jmoore said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

Good security also consists of all easily identifiable holes being covered the best that can be done for a cost that makes sense for the environment. If we deploy all devices with good AV, but there are still devices without it such as personal devices and those we deploy that stop functioning correctly sometimes, it's not a bad thing to use the built-in AV the SonicWALL provides as an additional protection layer. (or only AV protection layer in some cases)

I do completely understand what you are saying, but you also need to understand that in some places, there are devices that are not controlled by IT and due to some reasons I beyond the scope of this topic, there's nothing that can be done no matter what. In this case the SonicWALL AV and SSL-DPI is very beneficial. It also helps to keep things off the network, not even giving the client devices a chance to get it.

All AVs are not equal. THere are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.

Good points. Maybe we should have a different thread to talk about the best way to layer security? There seems to be many opinions on how to do it. I am sure it would help a few people. I know it will depend on the environment but well laid out template would at least give you places to start. Its just the same as crafting a program, you have lots to consider and you have plans in place for as many situations as possible. Good idea or not?

Sounds good.

travisdh1

@tim_g said in Arg! The money spent the month before I stated here.:

@jmoore said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

Good security also consists of all easily identifiable holes being covered the best that can be done for a cost that makes sense for the environment. If we deploy all devices with good AV, but there are still devices without it such as personal devices and those we deploy that stop functioning correctly sometimes, it's not a bad thing to use the built-in AV the SonicWALL provides as an additional protection layer. (or only AV protection layer in some cases)

I do completely understand what you are saying, but you also need to understand that in some places, there are devices that are not controlled by IT and due to some reasons I beyond the scope of this topic, there's nothing that can be done no matter what. In this case the SonicWALL AV and SSL-DPI is very beneficial. It also helps to keep things off the network, not even giving the client devices a chance to get it.

All AVs are not equal. THere are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.

Good points. Maybe we should have a different thread to talk about the best way to layer security? There seems to be many opinions on how to do it. I am sure it would help a few people. I know it will depend on the environment but well laid out template would at least give you places to start. Its just the same as crafting a program, you have lots to consider and you have plans in place for as many situations as possible. Good idea or not?

Sounds good.

Little did I know what getting a little frustration of my chest would spawn! Good discussion to have on a consistent basis.

scottalanmiller

@travisdh1 said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

@jmoore said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

Good security also consists of all easily identifiable holes being covered the best that can be done for a cost that makes sense for the environment. If we deploy all devices with good AV, but there are still devices without it such as personal devices and those we deploy that stop functioning correctly sometimes, it's not a bad thing to use the built-in AV the SonicWALL provides as an additional protection layer. (or only AV protection layer in some cases)

I do completely understand what you are saying, but you also need to understand that in some places, there are devices that are not controlled by IT and due to some reasons I beyond the scope of this topic, there's nothing that can be done no matter what. In this case the SonicWALL AV and SSL-DPI is very beneficial. It also helps to keep things off the network, not even giving the client devices a chance to get it.

All AVs are not equal. THere are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.

Good points. Maybe we should have a different thread to talk about the best way to layer security? There seems to be many opinions on how to do it. I am sure it would help a few people. I know it will depend on the environment but well laid out template would at least give you places to start. Its just the same as crafting a program, you have lots to consider and you have plans in place for as many situations as possible. Good idea or not?

Sounds good.

Little did I know what getting a little frustration of my chest would spawn! Good discussion to have on a consistent basis.

Yeah, this one exploded.

StorageNinja

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@dashrender said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@tim_g said in Arg! The money spent the month before I stated here.:

All AVs are not equal. THere are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.

Right, and I'd argue (and have) that having UTM makes people feel that they don't need to have good AV. But they do, because threats originate often from inside the LAN where the UTM is powerless.

I don't use the UTM because I can't use AV some places, and as an additional layer of protection in a different way... not to make myself feel like I don't need good AV. Maybe other people, but not me.

You're environment is much more likely to be infected by a user's device that shouldn't be on your production network than from some user downloading something that an AV scanner on the UTM is going to detect.

Mostly because devices are allowed to leave the network, get infected, and join again. If the UTM covered them at home, it would be different.

Plus I assume that those devices can be multihomes while in the office to the LAN and to the Cell network (4G) so they might bypass the UTM even while still in the office.

This is where either forcing the wifi to route through the UTM to reach the server network, or having IDS functionality delivered by some sort of SDN controller (Tipping point can tap into open flow) can handle pushing security down as close to that device as possible on the network (So you don't end up with the squishy internal problem).

StorageNinja

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@storageninja said in Arg! The money spent the month before I stated here.:

@scottalanmiller said in Arg! The money spent the month before I stated here.:

It's not about proving a point. It's about factors like cost and social engineering (even when unintentional.) Companies with UTMs, I would wager, are vastly more likely to do things like have machines deployed without proper protections, AV break and not be fixed, patches not kept up with... because it creates a sense of security.

It's the other way. You are an airline or other company who doesn't control 80% of the code going into production...

Just have good security and don't let that happen. Basically what I hear over and over again is "our IT department is bad, so we use UTMs as a bandaid", which is exactly my concern. Is your company only willing to do dangerous things in production because it trusts in LAN centric security?

This only works if you control the IT from the start. Most companies IT is "mature" at this point (Hell SABRE is like 70 years old) and if your company runs on it, you're stuck with a choice of spending a few hundred million to get off of it, or accepting you don't control your own code.

scottalanmiller

@storageninja said in Arg! The money spent the month before I stated here.:

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@storageninja said in Arg! The money spent the month before I stated here.:

@scottalanmiller said in Arg! The money spent the month before I stated here.:

It's not about proving a point. It's about factors like cost and social engineering (even when unintentional.) Companies with UTMs, I would wager, are vastly more likely to do things like have machines deployed without proper protections, AV break and not be fixed, patches not kept up with... because it creates a sense of security.

It's the other way. You are an airline or other company who doesn't control 80% of the code going into production...

Just have good security and don't let that happen. Basically what I hear over and over again is "our IT department is bad, so we use UTMs as a bandaid", which is exactly my concern. Is your company only willing to do dangerous things in production because it trusts in LAN centric security?

This only works if you control the IT from the start.

All companies control their IT from the start

scottalanmiller

@storageninja said in Arg! The money spent the month before I stated here.:

Most companies IT is "mature" at this point (Hell SABRE is like 70 years old) and if your company runs on it, you're stuck with a choice of spending a few hundred million to get off of it, or accepting you don't control your own code.

Pretty sure everyone has accepted that the choice to stay on SABRE has crippled the industry and that they would have all been better moving off of it.

StorageNinja

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@storageninja said in Arg! The money spent the month before I stated here.:

Most companies IT is "mature" at this point (Hell SABRE is like 70 years old) and if your company runs on it, you're stuck with a choice of spending a few hundred million to get off of it, or accepting you don't control your own code.

Pretty sure everyone has accepted that the choice to stay on SABRE has crippled the industry and that they would have all been better moving off of it.

A 2-3 year project that costs 9-11 figures depending on your size? Good luck getting a bored to approve and see that thru in an industry that is tied to the boom/bust cycle of oil prices.
Only reason I know one airline pulled it off as they were still small when they did it, they doubled the spending to do it in 18 months before oil snapped back up and the investors caught wind of it. Also their board/management is so incestuous, shareholder revolts were able to be ignored till they got it done before the stock tanked from the short-term dive in earnings per share for 6 quarters.

There is a LOT of things that the stock market will not let you do, and LONG capital-intensive projects that promise long slow returns on investment are pretty much only acceptable for utilities (and only if the RIOC can be kept on a straight line growth as the project completes in sections or else you lose your capital market access).

scottalanmiller

@storageninja said in Arg! The money spent the month before I stated here.:

@scottalanmiller said in Arg! The money spent the month before I stated here.:

@storageninja said in Arg! The money spent the month before I stated here.:

Most companies IT is "mature" at this point (Hell SABRE is like 70 years old) and if your company runs on it, you're stuck with a choice of spending a few hundred million to get off of it, or accepting you don't control your own code.

Pretty sure everyone has accepted that the choice to stay on SABRE has crippled the industry and that they would have all been better moving off of it.

A 2-3 year project that costs 9-11 figures depending on your size? Good luck getting a bored to approve and see that thru in an industry that is tied to the boom/bust cycle of oil prices.

You are using the "people make bad decisions, so we should make bad decisions" logic. If the logic for using a UTM is "we won't do smart things" then we are back to "people use UTMs mistakenly."