Arg! The money spent the month before I stated here.
-
@tim_g said in Arg! The money spent the month before I stated here.:
I don't want to be part of the reason the company gets ransomware because I wanted to say "I told you so" or to prove a point.
It's not about proving a point. It's about factors like cost and social engineering (even when unintentional). Companies with UTMs, I would wager, are vastly more likely to do things like have machines deployed without proper protections, AV break and not be fixed, patches not kept up with... because it creates a sense of security.
UTMs don't keep malware off of the network. In a perfect world they keep it from entering through one vector. But all those things that people are plugging in that you don't control - they have all bypassed the UTM and are the bigger threat. If having a UTM ever makes someone feel that they can have AV that isn't updated or a system that isn't matched because they feel that malware was kept off of the network - that's my whole point. I'd rather have the fear and the pressure to keep the network protected universally and not rely on LAN security, than to have LAN security feel good enough to maybe not worry about other things.
It's the human factor more than anything. If the UTM is secret and even management doesn't know... you could make a better case. But if people in decision making positions know about it, I bet it influences how they react to other risk vectors.
-
In a perfect world, of course a UTM might be a good thing. If the UTM never introduced risks, costs, people, or performance issues. But UTMs aren't universally good. At best, they always bring cost; at worst, they bring all of the above. It's a neat idea, but it isn't a pure win. It always comes with trade-offs.
-
Yeah, the trick is treating it as if you have no UTM. That's the case, but even so there are those things I mentioned before. So in my case it's beneficial because without the UTM, nothing would change no matter what I do.
-
@scottalanmiller said in Arg! The money spent the month before I stated here.:
It's not about proving a point. It's about factors like cost and social engineering (even when unintentional). Companies with UTMs, I would wager, are vastly more likely to do things like have machines deployed without proper protections, AV break and not be fixed, patches not kept up with... because it creates a sense of security.
It's the other way. You are an airline or other company who doesn't control 80% of the code going into production...
-
@storageninja said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
It's not about proving a point. It's about factors like cost and social engineering (even when unintentional). Companies with UTMs, I would wager, are vastly more likely to do things like have machines deployed without proper protections, AV break and not be fixed, patches not kept up with... because it creates a sense of security.
It's the other way. You are an airline or other company who doesn't control 80% of the code going into production...
Just have good security and don't let that happen. Basically what I hear over and over again is "our IT department is bad, so we use UTMs as a bandaid", which is exactly my concern. Is your company only willing to do dangerous things in production because it trusts in LAN centric security?
-
Good security also consists of all easily identifiable holes being covered the best that can be done for a cost that makes sense for the environment. If we deploy all devices with good AV, but there are still devices without it such as personal devices and those we deploy that stop functioning correctly sometimes, it's not a bad thing to use the built-in AV the SonicWALL provides as an additional protection layer. (or only AV protection layer in some cases)
I do completely understand what you are saying, but you also need to understand that in some places, there are devices that are not controlled by IT and, due to some reasons beyond the scope of this topic, there's nothing that can be done no matter what. In this case the SonicWALL AV and SSL-DPI are very beneficial. It also helps to keep things off the network, not even giving the client devices a chance to get it.
All AVs are not equal. There are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.
-
@tim_g said in Arg! The money spent the month before I stated here.:
Good security also consists of all easily identifiable holes being covered the best that can be done for a cost that makes sense for the environment. If we deploy all devices with good AV, but there are still devices without it such as personal devices and those we deploy that stop functioning correctly sometimes, it's not a bad thing to use the built-in AV the SonicWALL provides as an additional protection layer. (or only AV protection layer in some cases)
Things that I have to ask though, are...
- Why are insecure personal devices being allowed onto the network?
- Why is security focus not covering those devices (they bypass security and have access to the LAN?)
- Why do you care if they are protected if the owners do not?
-
@tim_g said in Arg! The money spent the month before I stated here.:
I do completely understand what you are saying, but you also need to understand that in some places, there are devices that are not controlled by IT and, due to some reasons beyond the scope of this topic, there's nothing that can be done no matter what. In this case the SonicWALL AV and SSL-DPI are very beneficial. It also helps to keep things off the network, not even giving the client devices a chance to get it.
I feel like you are saying that "some companies refuse to secure their networks, so we do this to work around that a little and make them feel a little secure". It's "instead of fixing a problem, we band aid." I get it, but it's really important to recognize that there is an actual security gap here, a huge one, that is being ignored. And IT has the power to fix it, but someone running IT up top has decided to leave it open. IT always has control to be secure, but often decides not to be. That's how I see UTM most of the time, an artefact of places deciding to not take security to what I'd consider a minimum bar.
-
@tim_g said in Arg! The money spent the month before I stated here.:
All AVs are not equal. There are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.
Right, and I'd argue (and have) that having UTM makes people feel that they don't need to have good AV. But they do, because threats originate often from inside the LAN where the UTM is powerless.
-
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
Good security also consists of all easily identifiable holes being covered the best that can be done for a cost that makes sense for the environment. If we deploy all devices with good AV, but there are still devices without it such as personal devices and those we deploy that stop functioning correctly sometimes, it's not a bad thing to use the built-in AV the SonicWALL provides as an additional protection layer. (or only AV protection layer in some cases)
Things that I have to ask though, are...
- Why are insecure personal devices being allowed onto the network?
- Why is security focus not covering those devices (they bypass security and have access to the LAN?)
- Why do you care if they are protected if the owners do not?
-
That's not my call, and if it were up to me, I'd not allow it. I've already expressed my thoughts on that matter. The consensus on that was to be reactive instead of preventative. Basically, allow it until something bad happens.
-
They are supposed to use the Guest wifi, but users also do know the LAN wifi password. Things get on the LAN.
-
I don't care about their devices at all. What I care about is making sure their devices aren't a network infection vector.
I'm not naive, and I do realize these things shouldn't be that way... and if they were not, then yes the SonicWALL AV is dumb. But that's not the case, and given the environment (not just mine, but many are like that), it can make sense to use it, especially if there is no negative impact.
-
@tim_g said in Arg! The money spent the month before I stated here.:
I'm not naive, and I do realize these things shouldn't be that way... and if they were not, then yes the SonicWALL AV is dumb. But that's not the case, and given the environment (not just mine, but many are like that), it can make sense to use it, especially if there is no negative impact.
Is there any possibility that providing that UTM somehow influences these things being allowed to happen?
I'm not saying that you are doing something wrong here. I'm saying that someone making the decisions here is clearly not approaching security from even a minimum level. For the UTM to be useful, it requires something else to be wrong. Making the UTM universally, it would seem, a band aid.
-
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
All AVs are not equal. There are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.
Right, and I'd argue (and have) that having UTM makes people feel that they don't need to have good AV. But they do, because threats originate often from inside the LAN where the UTM is powerless.
I don't use the UTM because I can't use AV some places, and as an additional layer of protection in a different way... not to make myself feel like I don't need good AV. Maybe other people, but not me.
-
@scottalanmiller said in Arg! The money spent the month before I stated here.:
Is there any possibility that providing that UTM somehow influences these things being allowed to happen?
No, it was like that before and after the UTM. The UTM was not a negotiation for lack of security elsewhere.
-
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
Is there any possibility that providing that UTM somehow influences these things being allowed to happen?
No, it was like that before and after the UTM. The UTM was not a negotiation for lack of security elsewhere.
Seems odd, they were willing to pay for a UTM, but not willing to do other things. Not that it is a crazy cost, but it's far from free.
-
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
Is there any possibility that providing that UTM somehow influences these things being allowed to happen?
No, it was like that before and after the UTM. The UTM was not a negotiation for lack of security elsewhere.
Seems odd, they were willing to pay for a UTM, but not willing to do other things. Not that it is a crazy cost, but it's far from free.
The UTM is there whether we use it or not. It was included in a package of other stuff we do use. It does not cost anything extra to use it vs not use it.
-
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
Is there any possibility that providing that UTM somehow influences these things being allowed to happen?
No, it was like that before and after the UTM. The UTM was not a negotiation for lack of security elsewhere.
Seems odd, they were willing to pay for a UTM, but not willing to do other things. Not that it is a crazy cost, but it's far from free.
The UTM is there whether we use it or not. It was included in a package of other stuff we do use. It does not cost anything extra to use it vs not use it.
Well, it required buying an overpriced device that only costs what it does because it is a UTM. Someone bought a UTM, that's what they paid for. Now that it was already purchased, sure, it doesn't cost twice. But nearly the entire cost of that device was for the UTM. The rest is for the brand name.
-
For perspective, I guess I'm saying that from your perspective where someone else is making the insecure decisions, someone else bought the UTM and installed it, yes it makes sense to enable it.
From the CIO or CEO's perspectives, it's all insane. From an IT department view point, it makes no sense. No sense to have bought a UTM, no sense to not secure the environment, etc.
-
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
Is there any possibility that providing that UTM somehow influences these things being allowed to happen?
No, it was like that before and after the UTM. The UTM was not a negotiation for lack of security elsewhere.
Seems odd, they were willing to pay for a UTM, but not willing to do other things. Not that it is a crazy cost, but it's far from free.
The UTM is there whether we use it or not. It was included in a package of other stuff we do use. It does not cost anything extra to use it vs not use it.
Then I would say someone considered the wrong package. For example, someone purchased a SonicWall instead of an EdgeRouter.
-
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
Is there any possibility that providing that UTM somehow influences these things being allowed to happen?
No, it was like that before and after the UTM. The UTM was not a negotiation for lack of security elsewhere.
Seems odd, they were willing to pay for a UTM, but not willing to do other things. Not that it is a crazy cost, but it's far from free.
The UTM is there whether we use it or not. It was included in a package of other stuff we do use. It does not cost anything extra to use it vs not use it.
Well, it required buying an overpriced device that only costs what it does because it is a UTM. Someone bought a UTM, that's what they paid for. Now that it was already purchased, sure, it doesn't cost twice. But nearly the entire cost of that device was for the UTM. The rest is for the brand name.
@scottalanmiller said in Arg! The money spent the month before I stated here.:
For perspective, I guess I'm saying that from your perspective where someone else is making the insecure decisions, someone else bought the UTM and installed it, yes it makes sense to enable it.
From the CIO or CEO's perspectives, it's all insane. From an IT department view point, it makes no sense. No sense to have bought a UTM, no sense to not secure the environment, etc.
And I agree!
That aside, it's really nice and does an excellent job. I do like it. SonicWALL is not a bad product from what I've seen over the last 6 years dealing with a number of them.
Is it needed? No, there are so much better options. But if that's what was being used for such a long time and they grew attached to it... well you can imagine why they stick with it.
-
@tim_g said in Arg! The money spent the month before I stated here.:
@scottalanmiller said in Arg! The money spent the month before I stated here.:
@tim_g said in Arg! The money spent the month before I stated here.:
All AVs are not equal. There are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.
Right, and I'd argue (and have) that having UTM makes people feel that they don't need to have good AV. But they do, because threats originate often from inside the LAN where the UTM is powerless.
I don't use the UTM because I can't use AV some places, and as an additional layer of protection in a different way... not to make myself feel like I don't need good AV. Maybe other people, but not me.
Your environment is much more likely to be infected by a user's device that shouldn't be on your production network than by some user downloading something that an AV scanner on the UTM is going to detect.