I work at an MSP with 30,000+ endpoints and servers. Our doctrine has always been, a good layered system with a dash of threat surface reduction is enough to protect virtually anyone not specifically targeted. That means a Layer 7 UTM/NGFW on the gateway, a good endpoint antivirus and ensuring best practice for the AD/Radius/DHCP setup, etc. Good email protection such as Trend HES with aggressive anti-malware and anti-phishing settings.
However 2017 has shown us that this is no longer sufficient. We've seen infection after infection on systems behind what used to be 'enough'. Clearly proving to us that conventional security is becoming much less efficient in these times. UTM/NGFW manufacturers are responding 'slowly' to this because you just can't break networks and desktops for large corporations when deployment of many solutions takes place. It's cost prohibitive for a large organization to lock down their entire infrastructure and resort to whitelisting systems or Default-Deny on HTTP/HTTPS.
In another thread I pointed out that through testing a new product I found my personal home system compromised. Despite an absolutely abusive level of protection on my gateway and lan, Trend Micro Core Processes were hijacked and sending telemetry. Consider the following was in place at the time I got mysteriously compromised;
1) Fortigate 200 L7 UTM (DNS set to Malware Blocking DNS)
2) Untangle (Transparent) behind that with full AV(2 engine) and Web Filtration.
3) Trend Micro Titanium on desktops.
4) Licensed Zemana Anti-logger on desktops w/realtime+pandora.
5) Chrome, uBlock, etc.
6) All patches applied, firmware updated, etc.
7) Reduced threat surface practices. No Java, No Flash, No Office, etc.
8) Good practices throughout.
Yet I was compromised by something that injected into Trend Core Services to re-direct traffic through that service to a datamining site. Since of course, Trend whitelists itself, and Zemana whitelists Trend, nobody was watching the watcher! Morale of the story is, none of this was enough despite my 'safe' practices. Sure, the above setup is absolutely immense against normal junk out there, but when something tough comes through, or someone decides you need to be data mined, none of it really matters.
Mind you, I am aware of how to protect MY endpoint (VDI's, Sandboxes, Whitelisting, etc). My goal was to provide an incredibly safe network for my home going well above and beyond corporate/enterprise best practices. Now in terms of the fairly large MSP I am an engineer at.. Just yesterday I isolated threats on MULTIPLE desktops of a medium size company using almost all of the industry best practice security protocols.
We've clearly entered a new threat dimension... I read an article that came out the other day that said 20-25% of every business/corporation in America is fully compromised without any awareness of their compromises. Some cybersecurity newsletters I get say 75% of every desktop/latop in the country is compromised without awareness of the compromise by the user.
For the record, I've significantly ramped up my home network and endpoints since the 'event' that was well documented here in another thread. Including drastic measures of doing a Win10 reset on all 10 of our Windows boxes and isolating all of them into VDI's and Sandboxes until I can ensure network/gateway integrity. Significant new hardware has been deployed and an internal network scanning appliance added. I'm about ready to pull the systems out of the VDI's and drop off the sandboxing to see how it goes.
