Unsolved NG AV / Endpoint Protection in 2021
-
@dagors said in NG AV / Endpoint Protection in 2021:
@scottalanmiller
Thanks for the explanation!No problem!
-
@obsolesce said in NG AV / Endpoint Protection in 2021:
@notverypunny said in NG AV / Endpoint Protection in 2021:
Any vendors people want to recommend or warn off with regards to endpoint and server protection? We're shopping options to replace our current NG solution. Currently on a call and it's kinda meh.... I'm not a fan of sales in any context and this seems to be lots of sizzle and not a lot of steak (or bacon... substitute your delicious protein of choice)
Crowdstrike has worked well in a few large places I've seen. It's great cross platform.
That's what we just moved to.
-
@scottalanmiller Like what? I am confused, I have worked with many AV and Bitdefender has been one of the less problematics AV I have worked with. Most of the time Bitdefender doesn't allow something it is purely a setting that blocks access to File shares or local folders but once allowed it works same with Windows Defender has the same feature and can be annoying. Centralized management is not about knowing the status of the agents, it is also the way to manage all the settings and policies from one place instead of doing manual work on each computer (Windows Defender) to apply the changes.
-
@dbeato same never had issues with most AV.
-
@dbeato said in NG AV / Endpoint Protection in 2021:
Like what? I am confused, I have worked with many AV and Bitdefender has been one of the less problematics AV I have worked with.
That's a low bar. You should really have like... zero problems. With Bitdefender we have issues with nearly everything. With management tools, other security tools (like Defender), with remote access, with line of business applications, with general OS performance. You name it.
-
@dbeato said in NG AV / Endpoint Protection in 2021:
Most of the time Bitdefender doesn't allow something it is purely a setting that blocks access to File shares or local folders but once allowed it works same with Windows Defender has the same feature and can be annoying.
Right. That's a major problem unless you are billing by the hour, then creating these issues is a good thing for the pocket book. Having to log in and fix applications not working because we installed an unnecessary application to create the problem in the first place is a great way to make money quickly but isn't a good way to do IT. Blocking standard applications and requiring a human to log in (which is also often blocked by the AV) instead of "just working" like Defender does, is a HUGE problem.
If I was a business owner and found a company doing this to us, I'd be considering legal action. Not just putting us at risk, but then billing to fix the problem that they created. All while disabling a better AV that was already there and doesn't (typically) have these problems!
-
@dbeato said in NG AV / Endpoint Protection in 2021:
Centralized management is not about knowing the status of the agents, it is also the way to manage all the settings and policies from one place instead of doing manual work on each computer (Windows Defender) to apply the changes.
Sure, but what settings and policies do you need? Keep the computer safe, stop monkeying about with policies. I truly believe this entire policy market is a scam. All these unnecessary settings, that put customers at risk, to justify paying for a centralized system.
Skip it all. Problem solved. Centralized reporting of status so that you know things are running and up to date: great. But with Defender, that's free. All the rest, I absolutely, 100% think it's BS that people are trying to charge for that.
Don't get me wrong, I know why it is a good market of easy money and that it is super easy to get customers to request it. But as a CIO, my job is always to educate my customers that this is not in their interest and it is all "sounds good" mombo jumbo that is hard to refute, but in practice is not in any way done for their benefit.
-
@scottalanmiller said in NG AV / Endpoint Protection in 2021:
@dbeato said in NG AV / Endpoint Protection in 2021:
Centralized management is not about knowing the status of the agents, it is also the way to manage all the settings and policies from one place instead of doing manual work on each computer (Windows Defender) to apply the changes.
Sure, but what settings and policies do you need? Keep the computer safe, stop monkeying about with policies. I truly believe this entire policy market is a scam. All these unnecessary settings, that put customers at risk, to justify paying for a centralized system.
Skip it all. Problem solved. Centralized reporting of status so that you know things are running and up to date: great. But with Defender, that's free. All the rest, I absolutely, 100% think it's BS that people are trying to charge for that.
Don't get me wrong, I know why it is a good market of easy money and that it is super easy to get customers to request it. But as a CIO, my job is always to educate my customers that this is not in their interest and it is all "sounds good" mombo jumbo that is hard to refute, but in practice is not in any way done for their benefit.
I'm curious, how do you handle centralized reporting with Defender? That's still the 1 missing piece most places I deal with want, and I don't know of a way to do it with Defender itself.
-
@travisdh1 said in NG AV / Endpoint Protection in 2021:
I'm curious, how do you handle centralized reporting with Defender? That's still the 1 missing piece most places I deal with want, and I don't know of a way to do it with Defender itself.
Reporting on it being up to date and running? Both MeshCentral and TacticalRMM report on that. So do lots of other tools.
-
@scottalanmiller said in NG AV / Endpoint Protection in 2021:
@travisdh1 said in NG AV / Endpoint Protection in 2021:
I'm curious, how do you handle centralized reporting with Defender? That's still the 1 missing piece most places I deal with want, and I don't know of a way to do it with Defender itself.
Reporting on it being up to date and running? Both MeshCentral and TacticalRMM report on that. So do lots of other tools.
Can you give a screenshot of this? I just can't conceptualize how these tools can give you a report on running, updates, number of findings, what the findings are, etc.
-
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@scottalanmiller said in NG AV / Endpoint Protection in 2021:
@travisdh1 said in NG AV / Endpoint Protection in 2021:
I'm curious, how do you handle centralized reporting with Defender? That's still the 1 missing piece most places I deal with want, and I don't know of a way to do it with Defender itself.
Reporting on it being up to date and running? Both MeshCentral and TacticalRMM report on that. So do lots of other tools.
Can you give a screenshot of this? I just can't conceptualize how these tools can give you a report on running, updates, number of findings, what the findings are, etc.
I can understand how MeshCentral and TacticalRMM can keep you informed of updates, it's what they do, but how do they alert you to detections?
-
@travisdh1 It doesn't that is the issue.
-
@scottalanmiller many applications have issues but none of them are intentional so I can understand frustration. By that definition Microsoft including Defender shouldn't be used but again I have no idea of what NTG is dealing with those specific Bitdefender clients.
-
@scottalanmiller A lot of Endpoint Protection have the Bitlocker Management for Encryption and other modules that go hand in hand with the Agent so there are many settings that can be used. Also most Endpoint protection systems offer the central management for Free included on the licensing which Bitdefender does have.
-
What is centralized AV?
AV status, alerting, and policy managementA SIEM and HIDS solution provide the first two for you and there are so many mechanisms which you can use to handle policies like powershell, salt, Ansible, etc.
-
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
-
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
-
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
-
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
It makes a hell of a lot of sense when you can save $10 a month per user and use standard windows defender, but you're right SMB don't do things that are logical and cannot see big picture.
-
@dashrender said in NG AV / Endpoint Protection in 2021:
@stacksofplates said in NG AV / Endpoint Protection in 2021:
@irj said in NG AV / Endpoint Protection in 2021:
Also I think centralized policy management is against the concept of zero trust. We should not br whitelisting anything, because it does not fit zero trust model. In an ideal world we are using web applications which require no exceptions.
We need to get out of the mindset that poorly created applications are ok to use. But by off chance we need to make AV exceptions for a shitty app we should be able to do that for the entire organization through configuration management tool. It should be so rare and there should be no onsie or twosie exceptions (so no need for policy management).
I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.
Most small shops or even medium shops are going to have SIEM.
Ok? We are talking about what should be done, not what is done. SIEM are fairly easy to set up. And if you use systems like Wazuh or Graylog they're free. No excuses really.