New customer - greenfield setup
-
@scottalanmiller said in New customer - greenfield setup:
@dave247 said in New customer - greenfield setup:
I was able to add many category-based exceptions which included banking and medical services, among others. So at least that concern is somewhat removed there, but still.
That's good that they try. A problem with that, though, is that categories have to be maintained and trusted. So if you use Bank of America or Wells Fargo, I'm sure you are fine. But what if you use a local savings and loan or credit union or a foreign bank or do your banking through a third party site? Sure, your bank might make their list, but it might not. They make an effort, and probably a good one, but at some point it's just people making a list of sites they feel should be in a category. They don't really know. Anyone can make a fake bank website to get around that, there's no way to have enough staff to check sites. And I'm sure tons of real financial institutions get missed because no one thought of checking that name.
Yes, great points there. Oh hey, I was also going to ask you why you excluded Sophos from your deep packet inspection comment. I assume you will say they do it right, and if that's the case, how do they do it better / correctly?
-
@dave247 said in New customer - greenfield setup:
@scottalanmiller said in New customer - greenfield setup:
@dave247 said in New customer - greenfield setup:
I was able to add many category-based exceptions which included banking and medical services, among others. So at least that concern is somewhat removed there, but still.
That's good that they try. A problem with that, though, is that categories have to be maintained and trusted. So if you use Bank of America or Wells Fargo, I'm sure you are fine. But what if you use a local savings and loan or credit union or a foreign bank or do your banking through a third party site? Sure, your bank might make their list, but it might not. They make an effort, and probably a good one, but at some point it's just people making a list of sites they feel should be in a category. They don't really know. Anyone can make a fake bank website to get around that, there's no way to have enough staff to check sites. And I'm sure tons of real financial institutions get missed because no one thought of checking that name.
Yes, great points there. Oh hey, I was also going to ask you why you excluded Sophos from your deep packet inspection comment. I assume you will say they do it right, and if that's the case, how do they do it better / correctly?
I only excluded them as not being an exhaustive list. I like them better than most vendors, but in a category of vendors I don't like much. They are like... if I was forced to do this, I'd choose them first most of the time. That doesn't mean I like it, I just dislike them less. Mostly experience, but also they offer most of their products in both crappy "on firewall" designs and "offloaded to a server" designs which is, at least, one step improved.
-
@scottalanmiller said in New customer - greenfield setup:
@dave247 said in New customer - greenfield setup:
@scottalanmiller said in New customer - greenfield setup:
@dave247 said in New customer - greenfield setup:
I was able to add many category-based exceptions which included banking and medical services, among others. So at least that concern is somewhat removed there, but still.
That's good that they try. A problem with that, though, is that categories have to be maintained and trusted. So if you use Bank of America or Wells Fargo, I'm sure you are fine. But what if you use a local savings and loan or credit union or a foreign bank or do your banking through a third party site? Sure, your bank might make their list, but it might not. They make an effort, and probably a good one, but at some point it's just people making a list of sites they feel should be in a category. They don't really know. Anyone can make a fake bank website to get around that, there's no way to have enough staff to check sites. And I'm sure tons of real financial institutions get missed because no one thought of checking that name.
Yes, great points there. Oh hey, I was also going to ask you why you excluded Sophos from your deep packet inspection comment. I assume you will say they do it right, and if that's the case, how do they do it better / correctly?
I only excluded them as not being an exhaustive list. I like them better than most vendors, but in a category of vendors I don't like much. They are like... if I was forced to do this, I'd choose them first most of the time. That doesn't mean I like it, I just dislike them less. Mostly experience, but also they offer most of their products in both crappy "on firewall" designs and "offloaded to a server" designs which is, at least, one step improved.
Well - according to the above article - trusting them for SSL interception is just plain bad - just like most of the rest on that list.
-
@dashrender said in New customer - greenfield setup:
@scottalanmiller said in New customer - greenfield setup:
@dave247 said in New customer - greenfield setup:
@scottalanmiller said in New customer - greenfield setup:
@dave247 said in New customer - greenfield setup:
I was able to add many category-based exceptions which included banking and medical services, among others. So at least that concern is somewhat removed there, but still.
That's good that they try. A problem with that, though, is that categories have to be maintained and trusted. So if you use Bank of America or Wells Fargo, I'm sure you are fine. But what if you use a local savings and loan or credit union or a foreign bank or do your banking through a third party site? Sure, your bank might make their list, but it might not. They make an effort, and probably a good one, but at some point it's just people making a list of sites they feel should be in a category. They don't really know. Anyone can make a fake bank website to get around that, there's no way to have enough staff to check sites. And I'm sure tons of real financial institutions get missed because no one thought of checking that name.
Yes, great points there. Oh hey, I was also going to ask you why you excluded Sophos from your deep packet inspection comment. I assume you will say they do it right, and if that's the case, how do they do it better / correctly?
I only excluded them as not being an exhaustive list. I like them better than most vendors, but in a category of vendors I don't like much. They are like... if I was forced to do this, I'd choose them first most of the time. That doesn't mean I like it, I just dislike them less. Mostly experience, but also they offer most of their products in both crappy "on firewall" designs and "offloaded to a server" designs which is, at least, one step improved.
Well - according to the above article - trusting them for SSL interception is just plain bad - just like most of the rest on that list.
Trusting anyone with doing that, to me, is a bad idea. It's both an unnecessary point of really risky trust, and it means trusting a vendor who is supposed to be a security vendor that's willing to look the other way on security concerns. Um... it's like trusting a security guard to not need a door, who literally just told you he'll happily not worry about security because it's not his problem.
-
@scottalanmiller said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
@scottalanmiller said in New customer - greenfield setup:
@dave247 said in New customer - greenfield setup:
@scottalanmiller said in New customer - greenfield setup:
@dave247 said in New customer - greenfield setup:
I was able to add many category-based exceptions which included banking and medical services, among others. So at least that concern is somewhat removed there, but still.
That's good that they try. A problem with that, though, is that categories have to be maintained and trusted. So if you use Bank of America or Wells Fargo, I'm sure you are fine. But what if you use a local savings and loan or credit union or a foreign bank or do your banking through a third party site? Sure, your bank might make their list, but it might not. They make an effort, and probably a good one, but at some point it's just people making a list of sites they feel should be in a category. They don't really know. Anyone can make a fake bank website to get around that, there's no way to have enough staff to check sites. And I'm sure tons of real financial institutions get missed because no one thought of checking that name.
Yes, great points there. Oh hey, I was also going to ask you why you excluded Sophos from your deep packet inspection comment. I assume you will say they do it right, and if that's the case, how do they do it better / correctly?
I only excluded them as not being an exhaustive list. I like them better than most vendors, but in a category of vendors I don't like much. They are like... if I was forced to do this, I'd choose them first most of the time. That doesn't mean I like it, I just dislike them less. Mostly experience, but also they offer most of their products in both crappy "on firewall" designs and "offloaded to a server" designs which is, at least, one step improved.
Well - according to the above article - trusting them for SSL interception is just plain bad - just like most of the rest on that list.
Trusting anyone with doing that, to me, is a bad idea. It's both an unnecessary point of really risky trust, and it means trusting a vendor who is supposed to be a security vendor that's willing to look the other way on security concerns. Um... it's like trusting a security guard to not need a door, who literally just told you he'll happily not worry about security because it's not his problem.
OK I get all that - and am more aware of things than I was before this thread.
What is your defense in layer strategy for malware, etc?
I can't recall if you're a fan of web filtering or not?
You've spoken of PiHole before, though again, not sure if you're really a fan of that - or not?
What about blacklisting at the firewall level - We've discussed ad nauseam about how poor geo blocking is (it's just so wrong, and can frequently get in the way).
Do you rely solely on the AV of the endpoint for protection of bad shit happening to endpoints?
-
@dashrender said in New customer - greenfield setup:
Do you rely solely on the AV of the endpoint for protection of bad shit happening to endpoints?
Honestly, I feel that that's a last ditch effort. Should you always have it? Yeah, on Windows. But if you need it, something is wrong. Why are people downloading malware? How are you getting malware in the first place? Typically malware is an HR problem. That doesn't mean that we shouldn't do what we can, but if we do something it needs to be real.
The problem is twofold: what you do, and what you don't do.
Anything you DO do, needs to actually be beneficial. That means actually improving your security. Anything that doesn't improve your security and/or actively makes it worse is a serious problem.
What many of these things do is... nothing. They take time, probably money, and have no security benefit. They are smoke and mirrors sold to management who hear fancy words, see fancy mock ups, and say "spend spend spend" because it makes them feel like they did something. But as IT people, we should know that much of the time, it's just BS to keep the managers on top feeling like they contribute.
Things like PiHole or CloudFlare filtering or whatever that keep you from accidentally going to a malicious website go a long way. Preventing accidents I think is a great process. Make it hard to accidentally download malware.
But that's just for accidents. For people downloading things at work, that's what HR is for. If HR isn't doing its job, IT is helpless. At the end of the day, we are only as secure as HR makes us. If HR says malware is okay, bottom line malware is okay. Not your monkey, not your circus.
If you truly want to defend against malware, don't give users unfettered access to data. Don't let them treat their work machines like their home machines. Don't block them from doing sensible things or their jobs. Hire quality workers, train them, trust them, fire them when they refuse. Treat them like adults, maybe they will act like them.
Malware is 99.99% a Windows with Active Directory and shared folders (mapped drives) problem. Essentially all malware depends on that combination of things. Not that any of those things is a problem on its own, but together they are one seriously big and easy target. Combine that with the Windows system admin ecosystem of distrusting MS updates, of MS not taking their own products seriously and making patching a nightmare, of accepting outrageously unprofessional software to be deployed into production environments and of course you get malware; companies are begging to be infected.
Choose any alternative and malware really isn't an issue. Coming from a company that works 100% in LAN-less, Windows-less, AD-less, mapped drive-less architecture, it's easy to forget that malware and ransomware are actually things people have to worry about. That's not on the radar of modern networks. It's just not a real problem. I've never seen an environment for the last decade or so that got infected without doing crazy things that begged for it (turned off firewalls, disabled AV, replaced good AV with some scam product, didn't have HR say malware was bad, etc.) I still see malware once in a great while in customers, where people demand that there be little to no security. But even there, it's gotten pretty rare.
Minimal effort... good patching, don't run as admin, basic DNS filtering, sane HR policies with teeth, avoid Windows, avoid AD, avoid mapped drives, supply what users need to work, good AV when on Windows, modern apps.... any number of items alone can be enough to essentially curb malware issues.
And of course, at the end of the day, malware is always a risk and the true strategy comes down to two things...
- Make malware a "background noise" issue. This is trivially easy. It's always a risk, but you can make it a minor one.
- Have good, true backups so that a malware event is minimally disruptive and you can recover instead of going into a disaster.
-
@scottalanmiller said in New customer - greenfield setup:
Anything you DO do, needs to actually be beneficial. That means actually improving your security. Anything that doesn't improve your security and/or actively makes it worse is a serious problem.
Yep, I agree with this. Knowing now how badly the vendors fail with the SSL interception, it's clear how and why that's horrible - on many levels.
So what do we do in general?
DNS filter - this is beneficial - prevents resolution to known bad sites and others blocked by the DNS filter.
Email filter - removes some/most bad links/virus laden files and spam/phishing
Local AV - additional scan locally for items missed by filters
All things already covered above.
User education is next thing - and we do provide user education at hiring and then once a year. I really wonder - for the average worker - how effective is it? I think the answer to this comes down to your employees themselves. Again, someone also already mentioned that as well.
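As an added illustration of the "DNS filter" layer listed above (example code written for this edit, not code from the thread, from PiHole, or from any vendor's product), the following shows the decision logic a resolver-side filter needs to get right: matching the blocklist on domain-label boundaries, so that a subdomain of a blocked domain is caught while a look-alike name that merely contains the string is not, and letting an explicit, exact-name allowlist entry override a parent-domain block (the "exception" case from earlier in the thread). All domain names, addresses, lists and query logs are constructed for the example; nothing is looked up on the network.

```python
"""
Resolver-side DNS filtering decision logic.

Added example, not the thread's own code. All lists, names and
addresses below are constructed sample data.
"""

# Constructed blocklist: domains the filter should sinkhole, including
# every subdomain beneath them.
BLOCKLIST = {"malware-host.example", "phish-login.example", "tracker.example"}

# Constructed allowlist: exact names an admin has explicitly excepted,
# e.g. one legitimate host under an otherwise-blocked parent domain.
ALLOWLIST = {"status.tracker.example"}

# Constructed stand-in for an upstream resolver (192.0.2.0/24 is the
# documentation range, so these addresses are never real hosts).
UPSTREAM = {
    "www.bank.example": "192.0.2.10",
    "notmalware-host.example": "192.0.2.20",
    "status.tracker.example": "192.0.2.30",
}

SINKHOLE = "0.0.0.0"  # answer returned for blocked names


def normalize(qname):
    """Lower-case the name and drop a trailing root dot so lookups are exact."""
    return qname.rstrip(".").lower()


def parent_chain(qname):
    """All label-boundary suffixes, most specific first.

    "cdn.malware-host.example" -> ["cdn.malware-host.example",
                                   "malware-host.example", "example"]
    Matching on these suffixes (not on substrings) is what stops
    "notmalware-host.example" from colliding with "malware-host.example".
    """
    parts = normalize(qname).split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def decide(qname, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Return (verdict, reason) where verdict is "allow" or "block"."""
    chain = parent_chain(qname)
    exact = chain[0]
    # An exact allowlist entry is an admin decision and wins over any
    # parent-domain block; it does not extend to the entry's own subdomains.
    if exact in allowlist:
        return "allow", f"allowlisted exact name {exact}"
    for suffix in chain:
        if suffix in blocklist:
            return "block", f"under blocklisted domain {suffix}"
    return "allow", "no match"


def resolve(qname, upstream=UPSTREAM):
    """Simulated resolver: sinkhole blocked names, otherwise consult upstream."""
    verdict, reason = decide(qname)
    if verdict == "block":
        return SINKHOLE, reason
    return upstream.get(normalize(qname), "NXDOMAIN"), reason


# Constructed query log, one name per line, as a filter would see it.
SAMPLE_QUERY_LOG = [
    "www.bank.example",
    "cdn.malware-host.example",
    "status.tracker.example",
    "api.tracker.example",
    "PHISH-LOGIN.EXAMPLE.",
    "notmalware-host.example",
]


def summarize(queries):
    """Count blocked queries in a log and list them, for review or alerting."""
    blocked = [q for q in queries if decide(q)[0] == "block"]
    return {"total": len(queries), "blocked": len(blocked), "blocked_names": blocked}


if __name__ == "__main__":
    for q in SAMPLE_QUERY_LOG:
        print(f"{q:28} -> {resolve(q)}")
    print(summarize(SAMPLE_QUERY_LOG))
```

The two behaviours worth noting when evaluating a real filter are the ones the sample log exercises: a query for an uppercase name with a trailing dot must still hit the blocklist, and an allowlist exception for `status.tracker.example` must not silently unblock `api.tracker.example`.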
-
@dashrender said in New customer - greenfield setup:
User education is next thing - and we do provide user education at hiring and then once a year. I really wonder - for the average worker - how effective is it? I think the answer to this comes down to your employees themselves. Again, someone also already mentioned that as well.
This comes down to a lot of factors. Is this a classroom setting where people have a focused 30 minutes to talk about this? Is it interactive? Does management make it clear that this is a high priority? Do people know that they will be accountable for this in practice?
-
@dashrender said in New customer - greenfield setup:
User education is next thing - and we do provide user education at hiring and then once a year. I really wonder - for the average worker - how effective is it? I think the answer to this comes down to your employees themselves. Again, someone also already mentioned that as well.
In my company, KnowBe4 has been really good. Users get yearly and quarterly videos and are encouraged to ask questions. Plus I set up a random monthly phishing scam test in addition to my very targeted bi-annual spear phishing tests I set up.
I really like it when users ask for help to decipher whether an email is phishing or not. We go over the potential red flags and if it is a Phishing test, I will let the user decide whether to click the link or not. 99% of the time they pass. If they click it, we have a small chat right then and there about what just happened.
Management only gets serious about it when they hear something in the news or through the client grapevine. Then it's all hands on deck until.....
IMHO, it has been pretty effective when they see demonstrations of what is possible as compared to letting them read a PowerPoint, answer a couple questions and move on. Kind of like the great Medical - Fraud, Waste and Abuse presentation. All I hear is, "Ugh, anyone have the answers?" or similar statements.
-
@scottalanmiller said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
User education is next thing - and we do provide user education at hiring and then once a year. I really wonder - for the average worker - how effective is it? I think the answer to this comes down to your employees themselves. Again, someone also already mentioned that as well.
This comes down to a lot of factors. Is this a classroom setting where people have a focused 30 minutes to talk about this? Is it interactive? Does management make it clear that this is a high priority? Do people know that they will be accountable for this in practice?
Training during orientation is definitely focused.
The yearly sessions are normally group based - outside of normal work, mostly with people in a circle/arc of chairs and it is interactive. Without saying "this is high priority - you must follow this" - I'm not sure how to answer the question.
As for accountability - no, not really. I mean, they are told to not surf pages during working time - but again, they are allowed to surf whatever during their lunches/breaks - so....
I also say - shit happens, it even happens to IT Admins - I don't expect most people to get fired over opening an attachment that has a virus, at least not the first time, and probably not even the second (luckily this is pretty rare in my experience - but it is still the primary way of being infected) so I'm not sure what the accountability would look like?
-
@pmoncho said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
User education is next thing - and we do provide user education at hiring and then once a year. I really wonder - for the average worker - how effective is it? I think the answer to this comes down to your employees themselves. Again, someone also already mentioned that as well.
In my company, KnowBe4 has been really good. Users get yearly and quarterly videos and are encouraged to ask questions. Plus I set up a random monthly phishing scam test in addition to my very targeted bi-annual spear phishing tests I set up.
I really like it when users ask for help to decipher whether an email is phishing or not. We go over the potential red flags and if it is a Phishing test, I will let the user decide whether to click the link or not. 99% of the time they pass. If they click it, we have a small chat right then and there about what just happened.
Management only gets serious about it when they hear something in the news or through the client grapevine. Then it's all hands on deck until.....
IMHO, it has been pretty effective when they see demonstrations of what is possible as compared to letting them read a PowerPoint, answer a couple questions and move on. Kind of like the great Medical - Fraud, Waste and Abuse presentation. All I hear is, "Ugh, anyone have the answers?" or similar statements.
Yeah, I've been asking for a solution like this for years. I even did one of their free tests, and the amount of people (and the specific people) who failed it was staggering (OK not really - come on, we know users). But the board just said - come on, can't you just train them? To which I replied - no, I can't. It's not my skillset and the other features included in these packages would take ages for someone like me to develop, etc - they still said no.
Now fast forward to now - new CEO, new board members - those two groups have decided to buy into a training solution because of other reasons... and this solution does include some computer smarts type training.
-
@dashrender said in New customer - greenfield setup:
@pmoncho said in New customer - greenfield setup:
@dashrender said in New customer - greenfield setup:
User education is next thing - and we do provide user education at hiring and then once a year. I really wonder - for the average worker - how effective is it? I think the answer to this comes down to your employees themselves. Again, someone also already mentioned that as well.
In my company, KnowBe4 has been really good. Users get yearly and quarterly videos and are encouraged to ask questions. Plus I set up a random monthly phishing scam test in addition to my very targeted bi-annual spear phishing tests I set up.
I really like it when users ask for help to decipher whether an email is phishing or not. We go over the potential red flags and if it is a Phishing test, I will let the user decide whether to click the link or not. 99% of the time they pass. If they click it, we have a small chat right then and there about what just happened.
Management only gets serious about it when they hear something in the news or through the client grapevine. Then it's all hands on deck until.....
IMHO, it has been pretty effective when they see demonstrations of what is possible as compared to letting them read a PowerPoint, answer a couple questions and move on. Kind of like the great Medical - Fraud, Waste and Abuse presentation. All I hear is, "Ugh, anyone have the answers?" or similar statements.
Yeah, I've been asking for a solution like this for years. I even did one of their free tests, and the amount of people (and the specific people) who failed it was staggering (OK not really - come on, we know users). But the board just said - come on, can't you just train them? To which I replied - no, I can't. It's not my skillset and the other features included in these packages would take ages for someone like me to develop, etc - they still said no.
Now fast forward to now - new CEO, new board members - those two groups have decided to buy into a training solution because of other reasons... and this solution does include some computer smarts type training.
We have KB4 Gold package that is good enough for us. No need to go above that for the medical field IMHO.