This article covers two things:
- Do these products even work?
- If they do work, will/do people even bother or know how to configure them to the maximum?
Over the years, and still to this date, I have seen examples of both. Before I go into the personal examples, let’s talk about two massive buzzwords this year: AI (artificial intelligence) and ML (machine learning). I am not here to say they do not work, but these are newish technologies still in their infancy, so time will improve them.
The boards of companies are very often extremely non-technical, and some CISOs too are removed from actual hands-on work, so they can often believe salespeople claiming “buy this for £100,000 and all your problems will be fixed”. Even if the product is a “silver bullet”, it may only solve one area, e.g. endpoint malware blocking, not firewalling or two-factor authentication.
Some anonymised stories for you:
HP TippingPoint, now owned by Trend Micro. One day the customer services team of a client sent through thousands of web-form entries, and 95% were junk: SQLi, XSS, directory traversal etc., all coming from Netsparker, which is a web app vulnerability scanner. Surely the defences at the outsourced hosting firm must be able to block such obvious strings, especially from a known product?
After going through the entries, I went to the rep of the large hosting firm and asked why the TippingPoint did not nab them. A TippingPoint is a large-looking server which is an IPS (intrusion prevention system); it costs thousands, or even over £10,000 with subscriptions. I asked for a copy of the signatures and was surprised: under 20% of them were even turned on. Why, I asked? “We just turned the defaults on as we did not want to break anything”. It is possible they didn’t know how to tweak it.
The website(s) were running Drupal, yet Drupal signatures were not enabled, while many pointless ones were. Over time we requested some to be enabled, in test mode of course.
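The check I wish the hosting firm had run on that signature export, as an added example that is not code from the original post: load a signature list, count what is actually enabled, and flag disabled signatures that match the stack you really run (Drupal here). The CSV layout and the signature names are constructed for illustration and are not TippingPoint’s export format.

```python
"""Audit an IPS signature export for coverage gaps.

Added example, not from the original post. The CSV layout below is
constructed for illustration; it is not TippingPoint's real export format.
"""
import csv
import io

# Constructed sample export: signature id, name, category, enabled flag.
SAMPLE_EXPORT = """id,name,category,enabled
1001,Drupal SQL Injection,Web Application,no
1002,Drupal Remote Code Execution,Web Application,no
1003,Generic SQL Injection in URI,Web Application,yes
1004,Generic Cross-Site Scripting,Web Application,no
1005,Directory Traversal ../ in URI,Web Application,yes
1006,WordPress XML-RPC Brute Force,Web Application,yes
1007,Oracle TNS Listener Overflow,Database,yes
1008,Web Vulnerability Scanner Detected,Reconnaissance,no
"""


def load_signatures(text):
    """Parse the export into a list of dicts with a boolean 'enabled'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["enabled"] = row["enabled"].strip().lower() in ("yes", "true", "1")
        rows.append(row)
    return rows


def audit(signatures, stack_keywords):
    """Return coverage stats plus the disabled signatures relevant to the stack.

    stack_keywords: substrings naming what is actually deployed, e.g. 'drupal'.
    """
    total = len(signatures)
    enabled = sum(1 for s in signatures if s["enabled"])
    keywords = [k.lower() for k in stack_keywords]
    relevant_off = [
        s["name"] for s in signatures
        if not s["enabled"] and any(k in s["name"].lower() for k in keywords)
    ]
    return {
        "total": total,
        "enabled": enabled,
        "enabled_pct": round(100 * enabled / total, 1) if total else 0.0,
        "relevant_disabled": relevant_off,
    }


if __name__ == "__main__":
    report = audit(load_signatures(SAMPLE_EXPORT),
                   ["drupal", "sql injection", "cross-site", "scanner"])
    print(f"{report['enabled']}/{report['total']} enabled ({report['enabled_pct']}%)")
    for name in report["relevant_disabled"]:
        print("DISABLED but relevant:", name)
```

Feed it the real export and the real list of deployed technologies; anything it prints as relevant but disabled is a candidate to switch on in test mode first, as the post describes.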
Microsoft Intune, which is a SaaS MDM (mobile device management) to control/enforce managed smartphones. The full story is long, but the short story is that an MDM roll-out happened without turning on any of the actual settings!
Office 365 Advanced Threat Protection, which is an add-on to Office 365 for URL/file sandboxing. The service is great and very fairly priced. By default (or as of a few months ago) there is a setting to deliver attachments first, sandbox them, and then re-deliver or warn afterwards. This is silly, since the attachment reaches the user before the advanced checking has happened.
On-Premise Web Protection, which filters and scans web traffic including downloads. The product claimed to protect against DBDL (drive-by downloads), and I set it up to block exes and other similar files over 80/443. It didn’t even block a file downloaded by a product doing a software update, despite an enforced agent on the machine forcing all web traffic through the on-premise product.
The moral of the story?
Look at independent reviews; test it out yourself by playing with all the settings, which in my case usually exposes flaws without even trying to; and lastly, if you buy something, go through all the settings twice with a fine-tooth comb. Do not believe everything sales folk say!