topic Re: Comparison required from experience: Microsoft Defender vs Carbon Black or others in Tech Talk

Comparison required from experience: Microsoft Defender vs Carbon Black or others

Caute_cautim — Thu, 30 Jan 2020 03:31:12 GMT

Hi All

I need an objective assessment from your experiences: Microsoft Defender is yet, another heavily discounted solution from the same stable. So lets paint the scenario the Microsoft tool set is compromised, how can you then trust the same tool set to detect, prevent and respond to those same threats? Can you trust it?

Cost is a great weapon, to the CEO, CIO, CFO but from a practical security perspective would you feel safe to put your name behind the decision?

Even NIST talks about layers of defense, so putting cost aside - how would you rate Microsoft Defender within your organisation?

Regards

Caute_cautim

Re: Comparison required from experience: Microsoft Defender vs Carbon Black or others

me_shail — Thu, 30 Jan 2020 04:51:13 GMT

We are using defender. Also using crowdstrike in some machines (edge network and web facing). We are getting better results with defender, when it comes to catching the malware. We actually replaced bitdefender with MS defender across the organisation after doing a trial of defender for about 6 months. In some cases the third party tools like bitdefender or others did better than ms-defender but overall results were in favour of ms-defender. Cost was one of the factors.

Re: Comparison required from experience: Microsoft Defender vs Carbon Black or others

Steve-Wilme — Thu, 30 Jan 2020 11:44:40 GMT

Different anti malware vendors are sometimes better at detecting particular strains than others. It varies with time depending on how up to date the signatures they issue are and how good their heuristic detection is. If you go with a free / low cost product you're trade this cost off against the risk of down time and data loss. A more sensible approach is to have a layered defence in place and consider the risk holistically and contextually.

Re: Comparison required from experience: Microsoft Defender vs Carbon Black or others

Beads — Thu, 30 Jan 2020 15:38:25 GMT

Depends on your first line and compensating controls. Would using Defender at the desktop be sufficient stopping enough malware on its own? Do you see your other controls detecting malware before hitting your desktop? What do your other network level controls look like? For example, BADs, Nbads, 802.1x, sandboxing at the firewall, ingress screening and many others all have their place at the table.

I am currently consulting for a major US based retailer that uses Defender and from a security standpoint, works quite well next to all the other goodies capable of supporting a well managed security platform.

If you can cut some money out of your budget and gain more security elsewhere, go for it. Keep metrics on your before and after statistics concerning number of detections, infections, events, incidents and breaches (pro and con) to prove or disprove your A/V choice down the road, of course. Like any business purchase the "proof is in the pudding". Always be prepared with metrics to defend your purchase or revert to more expensive solutions.

Personally, having not seen my home machines detect anything since the mid 1990s, stopped subscribing to expensive malware suites about a year ago and simply use Defender on all my machines. Backed up by a small firewall with an open source NIDS, daily backups, etc. Its all "delightfully excessive" (overkill) of course but that's a trade off for being a security person, isn't it?

Re: Comparison required from experience: Microsoft Defender vs Carbon Black or others

Caute_cautim — Thu, 30 Jan 2020 18:34:16 GMT

@Steve-WilmeTotally concur with the layered defense perspective. Also from an objectivity perspective as well, many stories of Azure, Microsoft having been compromised - and we know Microsoft are putting a great deal of investment into protecting their brand.

Independent assessments, talk about the lack of support ongoing and none of the additional capabilities that other suppliers have such as Characterisation, Application Whitelisting etc - essential for Government agencies.

But as others have stated cost take out is a great carrot.

Yes, the risk mitigation strategy has to also be put into the equation. I have seen at least one occasion, where dependence on traditional AV has failed and the Incident Response Teams, have had to go into emergency response mode and actually use additional what some call New Generation AV suppliers to resolve the situation and ensure ongoing operational resilience.

Regards

Caute_cautim

Re: Comparison required from experience: Microsoft Defender vs Carbon Black or others

Caute_cautim — Thu, 30 Jan 2020 18:42:05 GMT

@BeadsSeveral things come to mind: "You get what you pay for" is one old adage. The other "Horses for Courses" or the practice of choosing the best person for a particular job, the best response for a situation, or the best means to achieve a specific end.

I have seen several retailers caught out in the past and had to deal with the Saturday 9am call , using traditional methods in the past, especially those interlinked internationally - and having to mop up and ensure they could open at 9am on Monday.

Layers of defense is all good, but it will only take one slip up and the reputation of the single vendor will be tarnished vs cost vs risk vs impact to the business.

I agree, even I take a layered approach even for my home system too.

Regards

Caute_cautim

Re: Comparison required from experience: Microsoft Defender vs Carbon Black or others

Caute_cautim — Thu, 30 Jan 2020 19:44:56 GMT

Also an interesting article on ransomware attacks not being detected by traditional AV:

https://securityintelligence.com/news/efs-ransomware-attacks-overcome-major-antivirus-tools-in-proof-of-concept-tests/

Layers layers of defense altogether now.

Regards

Caute_cautim

Re: Comparison required from experience: Microsoft Defender vs Carbon Black or others

jmarshall1956 — Thu, 30 Jan 2020 20:32:38 GMT

Steve-Wilme said it best below - layers are good. We also use MS Defender on the end points, coupled with Palo Alto Firewalls for Web and Content filtering and Proofpoint for eMail filtering. We are also looking for an AI/ML tool for the Network/Zero-Day space - right now I like Senseon but we have not purchased yet.

Jim Marshall

Re: Comparison required from experience: Microsoft Defender vs Carbon Black or others

Caute_cautim — Thu, 30 Jan 2020 20:39:43 GMT

@jmarshall1956 Thanks Jim for the response. One of my colleagues also pointed out to me in order to obtain NGAV (New Generation AntiVirus) the client would also have to add ATP as well. However, this brings in implications as they would have to go through a cloud risk assessment, as well especially as they are a government agency.

Regards

Caute_cautim

Re: Comparison required from experience: Microsoft Defender vs Carbon Black or others

jmarshall1956 — Thu, 30 Jan 2020 20:41:14 GMT

Hmm, I'll have to look into that - I did sign up for the ATP pilot but then never followed up after the pilot ended. Thanks for the reminder.

Re: Comparison required from experience: Microsoft Defender vs Carbon Black or others

Steve-Wilme — Fri, 31 Jan 2020 08:37:41 GMT

Very true, traditional AV isn't necessarily the silver bullet against ransomware. You can have fully up to date endpoint protection on clients and servers, but still be subject to successful ransomware attacks. You need to ensure that you're patched up to date and not just OS patches, have filtering on your internet proxies, anti malware running on firewalls, control of removable media, tight control of the software your run internally etc. Ransomware can exploit any weakness in your overall security posture, even a simple things such as being a few days late to patch a vulnerability.

Re: Comparison required from experience: Microsoft Defender vs Carbon Black or others

Caute_cautim — Sat, 01 Feb 2020 04:07:22 GMT

Hi @jmarshall1956 I followed up with some of my international colleagues, they stated that with the MS Defender, one should remember that central management is provided by SCCM, which is also associated with SMS messaging and all the issues that comes with it too - from an organisational perspective.

If they want full NGAV (New Generation AV) then any organisation would have to add the MS Advanced Threat Protection (ATP) as well, which does come from a cost. I totally agree with others, who have contributed it is a balance of risk and layers of defense. However, in my opinion, one should not be entirely dependent on one vendor, as no matter what they say, do or promise in terms of capability or fantastic offer. They can be caught out, and unfortunately, the consumer then becomes the victim.

Regards

Caute_cautim

Re: Comparison required from experience: Microsoft Defender vs Carbon Black or others

rslade — Sat, 01 Feb 2020 19:30:24 GMT

> Caute_cautim (Community Champion) posted a new reply in Tech Talk on 01-31-2020

> If they want full NGAV (New Generation AV)

Oooh!! The 5G of antivirus protection! I feel all tingly!

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
The things that count most in life, usually can't be counted.
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Comparison required from experience: Microsoft Defender vs Carbon Black or others

Caute_cautim — Sat, 01 Feb 2020 23:17:01 GMT

@rsladeYou most certainly could feel tingly, if someone turns up the power on the inside 5G antenna at 30- GHz : https://spectrum.ieee.org/news-from-around-ieee/the-institute/ieee-member-news/will-5g-be-bad-for-our-health

https://www.howtogeek.com/423720/how-worried-should-you-be-about-the-health-risks-of-5g/

Its not the power that is emitted, at the transmitter, even if it is low, one should be looking at the actual gain of the antenna used, which can cause the actual RF power to many times higher than original input.

It's rather like the days of ship borne radio officer's one was always told to remove the fuses, before doing maintenance, in the hope some idiot did not replace them, whilst one was maintaining the antenna or looking down the waveguide.

Here's to the tingly feeling and you are wondering, why you are feeling hot under the collar.

Regards

Caute_cautim