zzm9980 wrote: I didn't say to "do nothing". I said the solutions proposed in this thread are very ineffective, cost a lot to maintain (effort and money), and will impose employee productivity burdens (assuming they need to email with external people). You don't do something just to 'make noise' if you're not going to have an appropriate return for your money. Security at its core is Risk Management, not risk elimination. You manage risks by spending a commensurate amount of resources to mitigate them.
Companies will get compromised, even those with the best security groups. Your best hope is to detect it ASAP and contain it. Just to start, I would recommend something like this:
1) Still scan incoming emails (catch low hanging fruit)
2) Locked-down desktop tier with aggressive config and patch management. There will be zero-days you can't catch, but better make sure you apply your patches ASAP
3) Holistic network activity monitoring at every layer you can. Agents on the desktops, network firewalls looking at the application layer, DNS activity, netflow collection for *everything*. All of this needs to go into a system which can intelligently process it and make sense of it (This is hard as most off the shelf products fail for any company at scale)
4) More so than anything else, you need intelligent analysts who can keep up with what is going on and understand what they're seeing (This is absolutely the hardest and most expensive part). Even better if they know how to build their own tools. Off-the-shelf almost never works.
Look into what companies with cutting-edge security teams like Google, Netflix, and Facebook are doing. They publish reports, create open source tools, and share information to help everyone solve these issues. That's the bar. Not cheap vendor email quarantine crap.
Thank you for explaining how it could (and should) be done better.
Agree that commercial, "off-the-shelf" quarantining products are not sufficient -- they are essentially just doing step 1 ("Still scan incoming emails" to "catch low hanging fruit").
At best, it's merely coarse filtering for the obvious stuff.
Also agree that IT security is "a process" and that there is no such thing as "risk elimination."
The challenge is not static.
Each effective solution developed is just another challenge to the most clever hackers to circumvent it.
IT administrators must never become complacent.
No single approach will be sufficient.
The more layers, the greater the risk mitigation.
Distributing the monitoring makes sense as a pragmatic way to deal with the scale issue.
Unfortunately, for all this there really is no return for money spent.
It is all just "insurance" premium -- hopefully, they get better coverage when they spend more on monitoring and analysis.