I guess the world will essentially loop back into the "thin-client" model as the connections are getting faster and lower latency than ever.
> I guess the world will essentially loop back into the "thin-client" model as the connections are getting faster and lower latency than ever.
Things have been going this direction as long as "the cloud" has been a phrase.
Endpoint management is a pain for a lot of reasons other than ransomware; there's a lot that is solved in an enterprise by making your endpoints dumb and controlling your production environment centrally.
While it's still a good idea for companies to have an endpoint protection software on their employees' machines, they should also invest in educating them. Users are the first line of defense, and knowing what you're doing and being careful is the best antivirus. No software can change this.
I agree in a theoretical way. But in the real world corporations don't have skilled infosec/cyber people and they wouldn't even know how to find them [1]. So they end up with incompetent departments imposing ridiculous limitations for theater. And these worsen end user aversion to security. Younger generations care less and less about security and privacy. And the growing corporate disdain of employees (in particular to the ones who sacrificed for the company) makes employees care even less. There were recent cases of employees selling corporate secrets for peanuts. And many gangs just reach out to employees being laid off to gain access. I know second-hand that this was the way it happened in one of the biggest ransomware scandals a couple of years ago.
I really don't know how to fix this situation. In fact, it seems to be deteriorating very fast.
[1] https://en.wikipedia.org/wiki/The_Market_for_Lemons#Conditio...
> But in the real world corporations don't have skilled infosec/cyber people and they wouldn't even know how to find them
That was not my experience at my last employer. We had some incredibly talented security architects, engineers and developers. The issue we ran into was that some of the early hires were a bit over-zealous and created a layer of fear in management that the security teams would induce too much friction, some of which was indeed needed. The result was that the head of software development put a development manager in charge of the entire security org. Their standing order was to never say "no" and never get in the way. It's still a more secure company than most, but it's a constant battle with management and leads to burnout, and that is one of the many reasons I and many others retired early. Most other reasons for me were unrelated to the company.
Training can help to reduce failures, but it can never prevent failures, because even at the minimum, human error at scale is guaranteed.
If a monkey randomly types on a typewriter for an infinite amount of time, it will eventually produce any given text, including ̶t̶h̶e̶ ̶c̶o̶m̶p̶l̶e̶t̶e̶ ̶w̶o̶r̶k̶s̶ ̶o̶f̶ ̶S̶h̶a̶k̶e̶s̶p̶e̶a̶r̶e̶.̶ opening a ransomware attachment
> Training can help to reduce failures, but it can never prevent failures, because even at the minimum, human error at scale is guaranteed
Sure, and indeed the goal is to have better security, not perfect security. If you look for the perfect solution, you will never find it.
Unfortunately, the number of users that engage mindfully with SAT is a very small percentage.
A better solution is to demand better from software companies. People deal with so much Microsoft UX/quality abuse on this planet like it's how it's supposed to be; it's astonishing. And quality elsewhere isn't increasing, certainly.
> While it's still a good idea for companies to have an endpoint protection software on their employees' machines
Disagree
Elaborate. I can agree that spending big money on some fancy software may not add much more than using Windows Defender, but as a company I would still have an AV active for when the day comes that someone ends up opening a link in a phishing email.
Can you please elaborate, as you certainly work in cybersecurity and have weighed the pluses and minuses of an EDR?