Jon Turner

Has anyone done any pen testing against endpoints using Palo alto traps? Is it an effective defense, any blue team experience? I'm never sure with these type of tools whether they a realistically ever deployed correctly, that's my previous experience with tools that control which apps run.

Its a question of where do I spend my days out the office to get the maximum value, I'd rather spend the day somewhere without the product pitches like Gartner which is 2 weeks afterwards

probably not, I really don't like the vendor driven one's with the 1:1 meetings, which are mandatory product pitches.

If you can find a copy, read Man of Steel, Woman of Kleenex by Larry Niven. a short Essay about the Issues Superman has.... https://en.wikipedia.org/wiki/Man_of_Steel,_Woman_of_Kleenex

Here's my 10cents. AV works, EDR a bit more so, i.e. It blocks lots if stuff and stops many bad things happening. Pen testers may laugh at it, but most organisations day to day threats are malware related not Pen testers or targeted attacks . Will it stop everything? No? Does that mean don't use it? No. Does it mean targeted attacks won't happen? No Would whitelisting be better? Yes. Can it be rolled out at scale? yes but never commonly happens as it's a PITA. I seem to be saying this everyday now.. 'Don't left Perfect be the enemy of Good'. Security people seem to be amazing at letting crap happen because it's not the perfect solution. In the medical world they use these definitions: Nice definitions "Effectiveness :How beneficial a test or treatment is under usual or everyday conditions, compared with doing nothing or opting for another type of care. Efficacy: How beneficial a test, treatment or public health intervention is under ideal conditions (for example, in a laboratory), compared with doing nothing or opting for another type of care. Empirical evidence : Evidence that is based on experience (observation or an experiment) rather than on reasoning alone." Do we have Empirical evidence that AV/EDR is effective? Yes. We need to focus more on what's effective not what's perfect (I.e. Effectiveness v Efficacy)

I'll be there and not sitting at a stand for once, both 'yay' and 'oh...' See you there...

We’re doing large upgrade programs and deploying mitigation’s where there is stuff that can’t be upgraded. For example we have clients that have critical software we’re there is no version that works beyond 2003 (gulp). So they’re segregated, big patches applied and enhanced endpoint controls deployed, 2008 will get similar treatment if they can’t move.

Hi, I’m Jon, I’m now CISO at large service provider but been working in security for 19 years in various roles. But started long before that, interning at my Uni, pen testing their system in ‘92... Just about to start building another security team, yay....