July 19th, 2024

It's not just CrowdStrike – the cyber sector is vulnerable

A faulty update from CrowdStrike's Falcon Sensor caused a global outage, impacting various industries. The stock market reacted negatively. The incident raises concerns about reliance on cybersecurity vendors, industry concentration, and the need for resilient tech infrastructure.

A faulty content update from CrowdStrike's Falcon Sensor product caused a global outage affecting businesses worldwide, including airlines, banks, and broadcasters. The incident highlights concerns about quality control and reliance on third-party cybersecurity providers. The stock market reacted with CrowdStrike's shares opening down 9.5%. The incident may lead to a reevaluation of outsourcing critical functions and an increase in internal IT teams. Concentration risk in the cybersecurity industry is also a concern, with a few companies dominating the market. The incident underscores the need for diversification and redundancy in systems to prevent such widespread failures in the future. Clients, governments, and regulators are urged to consider building more resilient tech infrastructure. The cyber sector's vulnerability extends beyond CrowdStrike, prompting a broader discussion on cybersecurity practices and risk management.

Related

Cybersecurity platform Crowdstrike down worldwide, users logged out of systems

CrowdStrike, a cybersecurity platform, faced a global outage affecting users in countries like India, Japan, Canada, and Australia due to a technical error in its Falcon product. Users encountered disruptions, including BSOD errors. CrowdStrike is actively working on a fix.

Microsoft/Crowdstrike outage ground planes, banks and the London Stock Exchange

A cybersecurity program update failure caused global disruptions affecting businesses and services like United Airlines, McDonald’s, and the London Stock Exchange. Microsoft and CrowdStrike faced issues, but the problem was resolved without a cyberattack. CrowdStrike's shares dropped 20%, and Microsoft's fell 2.9%. The incident, involving Windows and security software, is one of the largest IT outages, surpassing past disruptions.

62 Minutes could bring your business down

CrowdStrike, a leading cybersecurity company, excels in evaluations like MITRE Engenuity ATT&CK and The Forrester Wave™. Their Falcon platform offers cloud security, identity protection, and advanced threat detection. Notable clients praise their modern security stack. CrowdStrike emphasizes fast threat detection and promotes Generative AI analyst, Charlotte. They warn about the 62-minute average for network breaches, urging businesses to prioritize security. Aiming for comprehensive protection, they offer a free trial.

Global IT Collapse Puts Cyber Firm CrowdStrike in Spotlight

A faulty patch from CrowdStrike Holdings Inc. caused a global IT collapse, impacting various sectors. CrowdStrike's shares dropped by 15%, losing $8 billion. The incident emphasized the importance of endpoint protection software.

2024 CrowdStrike incident: The largest IT outage in history

A faulty update by CrowdStrike led to a global computer outage affecting airlines, banks, hospitals, and government services. Over 3,200 flights were canceled, emphasizing the need for strong cybersecurity.

23 comments
By @bluedino - 3 months
Security: You must install Microsoft Defender on all Linux VMs

Devs: Ugh...why?

Security: For safety!

Devs: Fine, we won't argue. Deploy it if you may.

A few moments later...

Devs: All of our VMs are slow as crap! Defender is using 100% of the CPU!

Security: Add another core to your VMs. Ticket closed.

Management: Why are our developers up 30% on their cloud spend!?

By @Buttons840 - 3 months
Cyber Security is a matter of national security, but currently we sacrifice our national security for the convenience of companies.

The disconnect is that companies are both (1) the only entity in control of their system and how it is tested and (2) not liable if a security breach does happen.

I believe we need to enable red teams (security researchers) to test the security of any system, with or without permission, so long as they report responsibly and avoid obviously destructive behavior such as sustained DDoS attacks.

A branch of the government, possibly of the military (the Space Force?) could constantly be trying to hack the most important systems in our nation (individuals and private companies too). The bad guys are doing this anyway, but hopefully the good guys could find the security holes first and report them responsibly.

Again, currently this doesn't happen because it would be embarrassing and inconvenient for powerful companies. We threaten researchers who do nothing more than press F12 (view HTML source) with jail time and then have our best surprised Pikachu faces ready for when half the nation's data is stolen every week or major systems go down. Actually, we don't make faces at all, half the nation's data is stolen every week--no, actually we don't even take notice, we just accept it as the way things have to be. Because, after all, we can't expect companies to be liable, but we can trust companies to have exclusive control over the testing of their security. How convenient for them.

By @blibble - 3 months
they're correct, all the others are similarly shit

sentinelone, tanium, guardicore, defender endpoint, delinea

all running as root (or worse), sucking up absurd amounts of resources, often more than the software running on the machine (but advertised as "LOW IMPACT")

they also cause reliable software to break due to bugs in e.g. their eBPF

also often serialises all network and disk on the machine through to one single thread (so much for multi-queue NVMe/NICs)

the risk and compliance attitude that results in this corporate mandated malware being required needs to go

this software creates more risk than it prevents

By @cs702 - 3 months
For most corporations, security and robustness are -- and for a long time have been -- an afterthought.

Making systems hard to hack and robust to rare events:

* is really hard,

* costs a lot of money, and

* reduces earnings in the short term.

Faced with these inconvenient facts, many executives who want to see stock prices go up prioritize... other things.

By @lukev - 3 months
It's rapidly getting to the point where the cure is worse than the disease, when it comes to this kind of product.

By @Damogran6 - 3 months
It's almost as if we're seeing the downsides to our cloud based decisions. Uncontrolled costs, lack of visibility, placing control of critical processes in the hands of other groups...that also have control of critical processes globally.

Am I bitter at losing the business decisions that push ease of management by sending control to service providers? Not really. It's been dozens of times, and I lose every time.

I can raise the concerns to make sure the decisions are educated ones, and then let the decisions be made.

By @guru4consulting - 3 months
For a business that relies on SaaS applications over cloud and uses dumb machines (Windows, iPad, whatever) as client terminals, can someone please explain what the actual threat factors are that these EDR tools like CrowdStrike Falcon address? And if SaaS applications can restrict access, detect anomalies in user behavior, have MFA for auth, etc., will that mitigate these risks? I guess common issues like key loggers, malware, and virus attacks have much simpler solutions than a complex EDR which seems to need root access!! Someone, please educate.

By @freitzkriesler2 - 3 months
Cyber was a 90s buzzword that died out and became vogue when cyber security became cool. I cringe every time I hear it drop.

By @ramesh31 - 3 months
I remember being proud of the fact that I had an intimate knowledge and understanding of every single process running on my dev machine. Things felt sane. I could fully comprehend what was happening on my system at all times. Then the button pusher configurator class got called a new name, "DevOps", and started pushing all this crap on us. I'm ready to just start doing work on a private machine at this point.

By @mrkramer - 3 months
Don't do automatic updates... roll updates manually. That would be a nice thing for the beginning.

By @sebazzz - 3 months
Centralisation is really the core of the problem here.

Take ZScaler, which is a service that proxies all network connections of a computer to a central cloud proxy server, mitms it (decrypt, inspect, log, and encrypt), and then forwards it to the target server. Imagine that this is hacked, and this isn't immediately discovered. Hackers listening in and being able to tap off cookies, bearer tokens and other confidential information for weeks. That would affect so many companies. And if they would want to cause a DoS, many computers and servers would be left without an operational internet connection.

By @ehPReth - 3 months
I've been trialling application allowlisting, but wow is it ever frustrating. So much stuff isn't signed, and when it is, the accompanying DLLs aren't. Or the signature is invalid. Or some of Windows' own executables/DLLs aren't signed (why?? you make AppLocker??). Or the installer is, but none of the actual resultant end files.

Is it just me?
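
An inventory script for exactly the problem described above, added here as an example and not code from the thread or from any vendor: it walks an install directory, records the Authenticode status of every EXE and DLL, and shows which files could be covered by an AppLocker publisher rule and which would need a hash rule (or a fixed build from the vendor). The root path is a placeholder; it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: Authenticode inventory before writing an application allowlist.
# Assumption: $Root is a placeholder install directory; adjust to the app under review.
param(
    [string]$Root = 'C:\Program Files\ExampleApp'   # placeholder path
)

$files = Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        # Status values include Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
        Status    = $sig.Status
        Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Only a valid signature can back a publisher rule; everything else needs a hash rule
        RuleType  = if ($sig.Status -eq 'Valid') { 'Publisher' } else { 'Hash' }
    }
}

# How much of the tree can a publisher-only allowlist actually cover?
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# The files that will break a publisher-only policy: unsigned, tampered, or untrusted chain.
$report | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Path |
    Format-Table Path, Status -AutoSize

# Keep the full list; it is the evidence to hand back to the vendor or to feed hash rules.
$report | Export-Csv -Path (Join-Path $env:TEMP 'allowlist-inventory.csv') -NoTypeInformation
```

A HashMismatch entry is worth a closer look before allowlisting it at all: the file carries a signature that no longer matches its contents, which is the case the comment above calls "the signature is invalid".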

By @mikewarot - 3 months
We build our "cyber fortress" out of the Turing Complete analog of Crates of C4... and wonder why things go wrong all the time.

As I say every time this happens (and it will keep happening for the next decade or so)... Ambient Authority systems can't be secured, we need to switch to Operating Systems designed around Capability Based Security.

We need at least 2 of them, from competing projects.

By @monero-xmr - 3 months
The real financial problem is that cybersecurity is mostly box checking. It's an industry that is open to commoditization, as startups in lower-cost global regions manage to check the box as well as the next-most-expensive region, and cost conscious companies keep migrating. But the power of the box checking is strong.

I do not invest in cybersecurity companies, it is very risky IMO

By @craxdevil7 - 3 months
That's true, it is disheartening when security controls are only seen as a checklist to comply with some framework, and not actually implemented. https://medium.com/@confusedcyberwarrior/what-is-soc2-how-to... This gives a false sense of security, which is further bad for cyber space. The CrowdStrike incident on the other hand shows how we still have single points of failure on our supposedly secure and safe systems. https://medium.com/@confusedcyberwarrior/when-security-becom...
By @UweSchmidt - 3 months
So how do you actually cybersecure a company in a compliant and practical way?
By @hcfman - 3 months
Probably get a lot more of this when the full force of the Cyber Resilience Act kicks in.
By @exabrial - 3 months
Honestly, until we can get rid of the perception that SOC 2/Sarbanes-Oxley/HITRUST provides any meaningful security, we're stuck.
By @PreInternet01 - 3 months
The "cyber sector" is... awful? Nah... irresponsible? Nah... immature? Yeah, probably!

Right now, pretty much everyone is looking to outsource their "security" to a single vendor, disregarding the fact that security is not a product, but a process.

That... won't change! And incumbents will get less-awful about their impact on "protected" systems.

And yet, there's an opportunity here! Do you truly understand Windows? And whatever happens on that platform? And how to monitor that activity for adverse actions? Without taking down your customers on a regular/observable basis?

Step right up! There are a lot of incumbents facing imminent replacement...