AV - should companies keep buying it?
-
@Dashrender said in AV - should companies keep buying it?:
@scottalanmiller said in AV - should companies keep buying it?:
@Dashrender said in AV - should companies keep buying it?:
@RojoLoco said in AV - should companies keep buying it?:
@Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.
What? How can they install something? They dont' have admin rights, right?
There are a lot of things that you can "install" (using install in the light sense) that can include ransomware, that doesn't require admin rights, as we saw at a now customer over the last few days. It was an end user account with access to the main document store that ransomed everything.
of course - I know this. I truly detest Google because Google Chrome and Chromium can be installed without local admin rights... and many programs can just run without the need for local admin - and yeah, infect, encrypt whatever it wants.
Slack client, too.
-
@IRJ said in AV - should companies keep buying it?:
@RojoLoco said in AV - should companies keep buying it?:
@scottalanmiller said in AV - should companies keep buying it?:
@RojoLoco said in AV - should companies keep buying it?:
@Dashrender said in AV - should companies keep buying it?:
@RojoLoco said in AV - should companies keep buying it?:
@Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.
What? How can they install something? They dont' have admin rights, right?
See bold text. And yes, I know. Beyond my control.
If you have end users acting as admins, then a powerful central AV is way more important and doing things potentially beyond standard AV functions that are making more of a difference for you.
That's my take on it as well. My users are mostly excellent, they rarely do dumb things. In fact, they often call me over to look at stuff they deem suspect, and it makes me smile to know they stopped to think first. But I sleep better knowing webroot is there.
Even IT people should not be local admins. It's partly about doing something dumb, but things can happen accidentally, too.
I have this conversation all the time. "I'd never be an admin on my own box, so if the system admin wouldn't do it, why are the end users?"
And I'm not, my desktop account right now isn't the local admin.
-
@scottalanmiller said in AV - should companies keep buying it?:
@IRJ said in AV - should companies keep buying it?:
@RojoLoco said in AV - should companies keep buying it?:
@scottalanmiller said in AV - should companies keep buying it?:
@RojoLoco said in AV - should companies keep buying it?:
@Dashrender said in AV - should companies keep buying it?:
@RojoLoco said in AV - should companies keep buying it?:
@Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.
What? How can they install something? They dont' have admin rights, right?
See bold text. And yes, I know. Beyond my control.
If you have end users acting as admins, then a powerful central AV is way more important and doing things potentially beyond standard AV functions that are making more of a difference for you.
That's my take on it as well. My users are mostly excellent, they rarely do dumb things. In fact, they often call me over to look at stuff they deem suspect, and it makes me smile to know they stopped to think first. But I sleep better knowing webroot is there.
Even IT people should not be local admins. It's partly about doing something dumb, but things can happen accidentally, too.
I have this conversation all the time. "I'd never be an admin on my own box, so if the system admin wouldn't do it, why are the end users?"
And I'm not, my desktop account right now isn't the local admin.
I made this change for myself about 8 years ago.. later than it should have been.. but meh, at least I did it.
I ditched Local admin rights here when I moved past Windows XP.
-
@Dashrender said in AV - should companies keep buying it?:
@RojoLoco said in AV - should companies keep buying it?:
@scottalanmiller said in AV - should companies keep buying it?:
@RojoLoco said in AV - should companies keep buying it?:
#3 is why I like webroot. Easy central control. Can you get any kind of management console for windows defender without giving MS a bunch more money?
You can make your own, but that's the same as spending money (basically.) The nice thing about Defender is that you rarely need central control. If that's something you need, then Defender is weak today. But rarely have we found a need for that.
The console is mostly to see who did something stupid so I can say "hey, don't do that shit".
But again, I ask - to what end? it's not likely the company will fire them if they do it again, or do it 10 more times. So why waste your breath? As an IT person I want to help people be safer on the internet, etc - but I've come around to realize that unless I'm the dictator - that's simply not a priority in most companies - and I just need to LET IT GO.
Why waste your time telling people not to do something? Then why train them with security awareness, like KnowBe4, as you brought up?
-
I just found an extension for Windows Admin Center that looks like it might be some sort of central console for windows defender. Installing now, will report back findings.
-
So that extension is pretty basic. It also says "preview", so hopefully they will add some more functionality later. As of now, it only shows status and threat history, and to see that you have to go into each system's page and click on security. Totally bare bones, but at least you can get defender info from a semi-centralized interface.
-
The current price of Webroot is cheaper than us billing time to nuke and setup machines a couple times a year.
We do consistently get minor alerts on things stopped.
-
@wrx7m said in AV - should companies keep buying it?:
@Dashrender said in AV - should companies keep buying it?:
@RojoLoco said in AV - should companies keep buying it?:
@scottalanmiller said in AV - should companies keep buying it?:
@RojoLoco said in AV - should companies keep buying it?:
#3 is why I like webroot. Easy central control. Can you get any kind of management console for windows defender without giving MS a bunch more money?
You can make your own, but that's the same as spending money (basically.) The nice thing about Defender is that you rarely need central control. If that's something you need, then Defender is weak today. But rarely have we found a need for that.
The console is mostly to see who did something stupid so I can say "hey, don't do that shit".
But again, I ask - to what end? it's not likely the company will fire them if they do it again, or do it 10 more times. So why waste your breath? As an IT person I want to help people be safer on the internet, etc - but I've come around to realize that unless I'm the dictator - that's simply not a priority in most companies - and I just need to LET IT GO.
Why waste your time telling people not to do something? Then why train them with security awareness, like KnowBe4, as you brought up?
Oh, that's not the same at all. Training hopefully will be accepted and integrated - but simply telling - so often just goes unheard.
While there shouldn't be a difference, the end person often sees a HUGE difference - one being that the company actually values educating the company as a whole, not just a chastising of someone for something something wrong/bad/etc.
-
@JaredBusch said in AV - should companies keep buying it?:
The current price of Webroot is cheaper than us billing time to nuke and setup machines a couple times a year.
We do consistently get minor alerts on things stopped.
So you do consider it a better spend than on training and/or update solution.
-
All of the training in the world won't stop a sophisticated attack. Users are a great way to prevent a lot of the lowly attacks, but attacks from state actors or people who are targeting the business will, eventually be successful.
AV is a frontline, along with user training and awareness. It's not a bullet proof shield.
-
@DustinB3403 said in AV - should companies keep buying it?:
All of the training in the world won't stop a sophisticated attack. Users are a great way to prevent a lot of the lowly attacks, but attacks from state actors or people who are targeting the business will, eventually be successful.
AV is a frontline, along with user training and awareness. It's not a bullet proof shield.
neither will any AV - so in that case, they both do nothing really, against state actors. I consider actual education much more valuable in a case against state actors - because the goal there often is to get the user to do something wrong... IF it can be seen by the user - it will be stopped.... if it's a zero day - the AV likely won't do squat.
-
@Dashrender said in AV - should companies keep buying it?:
if it's a zero day - the AV likely won't do squat.
But neither would the user. As a lot of zero day's are all behind the scenes. Or things that are so ingrained in the day to day that a user doing nothing abnormal is exposed via the same process, but because of a malicious actor.
-
@DustinB3403 said in AV - should companies keep buying it?:
@Dashrender said in AV - should companies keep buying it?:
if it's a zero day - the AV likely won't do squat.
But neither would the user. As a lot of zero day's are all behind the scenes. Or things that are so ingrained in the day to day that a user doing nothing abnormal is exposed via the same process, but because of a malicious actor.
in most spearphishing attacks, the user has to initiate the contact - by clicking a link, etc. So, yes.. training can make the suspicious and possibly prevent them from clicking the link.
-
@Dashrender said in AV - should companies keep buying it?:
@DustinB3403 said in AV - should companies keep buying it?:
@Dashrender said in AV - should companies keep buying it?:
if it's a zero day - the AV likely won't do squat.
But neither would the user. As a lot of zero day's are all behind the scenes. Or things that are so ingrained in the day to day that a user doing nothing abnormal is exposed via the same process, but because of a malicious actor.
in most spearphishing attacks, the user has to initiate the contact - by clicking a link, etc. So, yes.. training can make the suspicious and possibly prevent them from clicking the link.
Is most spearphising you're seeing of the zero-day variety? The kind I'm seeing are of the "yup, we know about it and AV killed it, and our user notified us of it before clicking on the link anyways" varietal.
-
@DustinB3403 said in AV - should companies keep buying it?:
@Dashrender said in AV - should companies keep buying it?:
@DustinB3403 said in AV - should companies keep buying it?:
@Dashrender said in AV - should companies keep buying it?:
if it's a zero day - the AV likely won't do squat.
But neither would the user. As a lot of zero day's are all behind the scenes. Or things that are so ingrained in the day to day that a user doing nothing abnormal is exposed via the same process, but because of a malicious actor.
in most spearphishing attacks, the user has to initiate the contact - by clicking a link, etc. So, yes.. training can make the suspicious and possibly prevent them from clicking the link.
Is most spearphising you're seeing of the zero-day variety? The kind I'm seeing are of the "yup, we know about it and AV killed it, and our user notified us of it before clicking on the link anyways" varietal.
yeah, but in your case - the training was still the first to kick in - not the AV, that is assuming the training/user didn't fail. Of course if it did - which is the only reason the AV would be 'stopping' something.. then in that case, because not zero day - the av worked.
But - as Scott already said - the idea here isn't to be rid of AV, because Windows comes with a decent AV already included...
It more about it is better to buy the centralized console for AV or instead spend the money on training/update management solution?
-
@RojoLoco said in AV - should companies keep buying it?:
I just found an extension for Windows Admin Center that looks like it might be some sort of central console for windows defender. Installing now, will report back findings.
Whoa, that would be a huge win. I hope that this is real.
-
@JaredBusch said in AV - should companies keep buying it?:
The current price of Webroot is cheaper than us billing time to nuke and setup machines a couple times a year.
Agreed that Webroot would be way cheaper than doing that. But not having Webroot, I've not seen anyone getting infected like that.
If infections happened that often, and if Webroot would stop it, then absolutely that's a great deal. But without Webroot, but with proper setup otherwise (not running as admin, using Defender, etc.) we don't see but the rarest of infections.
-
@Dashrender said in AV - should companies keep buying it?:
one being that the company actually values educating the company as a whole, not just a chastising of someone for something something wrong/bad/etc.
That could be worded that one expects their employees to be grown ups and the other feels the need to be condescending and treat them like idiots.
It's all perspective.
-
@DustinB3403 said in AV - should companies keep buying it?:
All of the training in the world won't stop a sophisticated attack. Users are a great way to prevent a lot of the lowly attacks, but attacks from state actors or people who are targeting the business will, eventually be successful.
Same with security products. Even the best ones only stop so much.
-
@Dashrender said in AV - should companies keep buying it?:
@DustinB3403 said in AV - should companies keep buying it?:
@Dashrender said in AV - should companies keep buying it?:
if it's a zero day - the AV likely won't do squat.
But neither would the user. As a lot of zero day's are all behind the scenes. Or things that are so ingrained in the day to day that a user doing nothing abnormal is exposed via the same process, but because of a malicious actor.
in most spearphishing attacks, the user has to initiate the contact - by clicking a link, etc. So, yes.. training can make the suspicious and possibly prevent them from clicking the link.
True, spearphishing and zero day don't go together, though. A spearphishing attack by definition isn't a zero day.