You get a tool to use. The tool looks good, in fact other tools from the same company look good. This tool though seems to be the red-headed stepchild.
Recently, I have been trying to clean up and tune an endpoint solution. It is made by a company I have some respect for, and I had seen in the past. The tool itself seems to work well. The problem, like with so many tools, is getting the best data out of it. The signal to noise ratio on the monitoring aspect is huge! The threat detection and prevention works well enough, but the amount of data to sift through on data that is just being brought in for you to monitor is difficult at best. The issue is a fine line between being able to warn about a potential threat and knowing what normal behavior is. The example I will use here is opening known PDFs. These are seen as an application, each with their own hash by said product, for scanning purposes. All fine and dandy, but when the PDF is opened, certain executables that get called cause a trigger for a monitoring alert to be made. These executables are known and trusted applications (part of the PDF reader), but due to the unknown nature of the PDF, they come up as an alert for running the executable. This creates a ton of noise in the alerts area. The problem is there is no real way to tune out these alerts, as the product is set up now, without risking not seeing alerts that one might need to check on. It makes the monitoring alerts useless, unless you feed the data to a SIEM where you can do the filtering. The kicker is customers have been complaining in the user forums about this for over a year now, and still nothing has been officially announced as being done. The rumor is they stealth fixed this in an update to the product, but there is nothing in the release notes. So in the mean time, I have to go through and keep the alert area clean of the noise, which eats into my time to do other things. A company my size it is nowhere as bad as what could happen in a huge company with tens of thousands of endpoints.
Situations like this can leave a bad taste in the customers mouth. Companies get so overprotective of certain things, and hate admitting mistakes. Personally, I would rather a company be up front and over communicate what is going on with an issue such as this. I am more likely to recommend a company that is upfront and honest, and has good communication with a not quite as mature product than a completely mature product but hides from their customers, especially the smaller ones. They need to remember that while the larger companies bring in the greater money, attackers tend to move from the smaller fish into the bigger ones, therefore showing attention to the smaller companies gives you a good reputation with the larger ones.
Leave a Reply