I'm sharing this because I believe it is relevant to ongoing decisions in this community. I'm in a senior leader cyber group and got the chance to follow the headliner yesterday on Vulnerability Assessment tools. I lit them up, and had a CEO reach out to me afterwords on LI...here's the conversation:
Hi Monti, Thank you for your thoughts on the ... call today. This SolarWind breach was really something. At the end of your talk you said clients might be looking hard into what agents they allow on their network. Is your view clients could pull back from VM solutions like [company1] because they create vulnerabilities, or they embrace them more? Or, do clients move in the direction of logging applications like [company2] that shut down any questionable activity? I am ... trying to understand how the security landscape changes due to this security breach.
[Name] good to e-meet you, and thanks for the question. Long answer follows...but I hope you believe it worthy.
IMHO: in the near term, companies are going to swap one set of risks for another. In the longer term, they will realize they are tools rich, but capabilities poor, and start cleaning the gluttony out.
Bottom Line: If I have to hard install it, I have to tune it, credential it, train on it, incorporate it into my enterprise....ugh. Am I working for the tool, or is the tool working for me?
SolarWinds provided incredible visibility and convenience...at a cost. It's only now that people are starting to realize that capability cost included a risk that they hadn't considered before. We had network monitoring solutions before (WUG, HP OpenView, etc.) and many of those were based on configured traps, lil packets of data we'd use like social media notifications to a centralized enterprise server. I'm not saying we'll revert, but what other options are out there?
Agents: I think people who don't know better are going to want to add more "security" and if that comes in the form of a pervasive and persistent credentialed agent, they'll have swapped one risk for another, repeating the same mistake. Personally, I hate agents as do many of my security brothers/sisters. They give insights but are incredibly high maintenance, create alert fatigue, and hog computing resources as if they were mining cryptocurrency. Personally, I think VA and BAS and IT OPS agents are going the way of the dodo.
Inline Logs: Is the loss of visibility at the endpoint worth it if you employ an inline logging solution (and I haven't seen [company2] shut anything down, it alerts...but maybe they are expanding their capability)? [company2] is awesome at visualizations and correlating data across logs...better than most SIEMs/SOARs I've seen, But does it prioritize action? Give context? Does it need an agent?
SaaS Assessments: I am biased, but I believe the right pivot will be capabilities that are uncredentialed and ephemeral so they pose minimal additional risk to an environment (cloud or prem or hybrid) and the critical data within. Our company has created a capability that does just that, and we're growing fast.
EDRs (agents) and even Microsoft (OS) claims it will shut down questionable activity...that's a double-edged sword, one I've rarely seen work well. That inspection is a tax on your resources, and inevitably works best after an "other" company was pwnd and we now have Indicators of Compromise, such as with FireEye and SolarWinds, so we're all looking for a specific hashed file or credential, or malicious C2 domain. By this time, we're all Monday morning QB'ing.
If you couldn't tell, I'm pretty passionate about this stuff. This incident was massive and terrible and brilliant...and is FAR from over.