I've been making this point for some time, but you would be right to think I might be biased. Jake isn't. https://twitter.com/MalwareJake/status/964919935699857410 …
Also, a defence-in-depth strategy is required for any larger organisation: monitoring network traffic to the internet, patch management, web screening, etc. You'll never get to 100%, but additional layers can soon create a pretty secure environment.
1 reply 0 retweets 3 likes
Replying to @ConradLongmore @justinschuh and
That sounds like something pulled directly from a security vendor marketing material, you just need to say "layered approach" a bit more. Do you wrap your servers in asbestos for extra defense?
1 reply 0 retweets 1 like
Replying to @taviso @ConradLongmore and
Every new piece of software inspecting untrusted traffic adds complexity and attack surface. If you run 50 security products on your endpoints you're not 50 times more secure; you just multiplied your attack surface by 50 for arguable benefit.
1 reply 0 retweets 1 like
Replying to @taviso @ConradLongmore and
How wonderful would it be if you could just buy more security products and be more secure? Do you really think that's how it works? Did you learn about security from reading banners at RSA?
2 replies 0 retweets 3 likes
Replying to @taviso @ConradLongmore and
Hey, I'm totally fine with people saying that security vendors make outrageous claims, that their products aren't as good as we think they are, that they also increase the threat surface, and that they need to sandbox their stuff and whatnot.
1 reply 0 retweets 0 likes
Replying to @martijn_grooten @taviso and
But saying that they don't make a difference, that is simply not true for most people. And it's actually harmful advice.
1 reply 0 retweets 0 likes
Replying to @martijn_grooten @ConradLongmore and
Tavis Ormandy Retweeted Tavis Ormandy
Are you going to make me repeat this analogy? https://twitter.com/taviso/status/965635354874146825 …
Tavis Ormandy added,
Tavis Ormandy (Verified account) @taviso, replying to @martijn_grooten:
Imagine a bank that doesn't check IDs, but they have a list of every person ever convicted of fraud and will check if the person claiming to be you is on this list. This will catch real attacks, agreed? By your logic, this system works. Is your money safe in this bank?
2 replies 0 retweets 1 like
Replying to @taviso @martijn_grooten and
It stretches credulity to think you'd assert that the bank that does this is _less_ safe than the one that does not.
1 reply 0 retweets 0 likes
I didn't assert that. This is what antivirus does (a pretty modest function, at best); in exchange, it introduces serious problems that they refuse to take responsibility for. It's like wrapping your endpoint in asbestos. Now it's fireproof, but... is it worth the cost?