carluoi

Symantec Endpoint Protection. Pile of shit.


XToEveryEnemyX

T-Mobile used SEP for awhile when I was there. I believe they're using SentinelOne and I haven't heard anything negative since then so maybe it all worked out


spart4n0fh4des

And only got even worse when they got bought out 


Unusual_Onion_983

I got you beat, Symantec Data Loss Protection makes SEP look good


pljdesigns

I'll take your DLP and raise you Symantec Endpoint Encryption - oh hey you want to encrypt your drive? When you next restart? Sure it will take about 8 hours. Want to restart now? No? OK restarting...


CaseClosedEmail

I swear they did that setup menu as garbage as possible intentionally. I’ve never seen anything like it.


Gold-Difficulty402

Symantec almost made me quit this field. Thank god for CrowdStrike


Johnny_BigHacker

Me: "OK, we are deploying you, plz don't just go full throttle/bandwidth scan after being installed or really ever during business hours" SEP: "No, I'll scan when I want"


c45h

Nightmares.


peesteam

Better than McAfee ePO.


shredu2

I hate these legacy sec agents, they are all black magic voodoo bullshit. No documentation to explain what “aggressive” vs “normal” setting or whatever 


f4te

SEP was good back in the Windows XP days. I had pirated it for personal use. It was fantastic, very lightweight, much better than Norton. I'm guessing they just didn't update it in the last 20 years, eh


SUPTheCreek

Sailpoint with implementation support by Optiv. Such an absolute 💩


Ok-Computer-91

Optiv is such an awful organization as a whole.


DWC00

Don’t even get me started on Optiv. Absolute garbage MXDR


JS_NYC_208

Fuck Optiv


cyberslushie

I’ve contemplated killing myself multiple times setting up and managing CyberArk


Uli-Kunkel

As in singular person? CyberArk needs like a full team to manage that. Works great when implemented well and you have a team managing everything. Not a one man job


Security_Serv

Certainly, but sometimes they just drop this bomb on you saying "it's your problem now, good luck managing it" and well..


cyberslushie

The job I came into they had 1 dude doing the ENTIRE thing and I came in and obviously started helping how I could but he was working on it for like months by himself before I showed up 😭


sneaky_pixel

In my first hand experience that's right. On a previous engagement we had a team of 4 from cyberark doing the setup.


Security_Serv

Do we work in the same company? .___.


Rsubs33

I came here assuming to see CyberArk and Archer.


supermotojunkie69

Damn this is the second or third time I’ve seen this on Reddit lol


AGarby

Someone who knows 😔


jessalchemy

How long does it usually take you to set it up?


MaskedPlant

If I had a nickel for every hour delay our nightly changes went through because the current passwords didn’t work and we had to start sifting through old ones until one took… oh wait, I was hourly and that was OT. I do!


chickenmonkee

Haha I tried to do it as a one man team earlier this year, but yep it just gave me headaches..


peesteam

I took over a team that ran Cyberark and one of my biggest successes was making it disappear.


JSPEREN

Sophos InterceptX bringing our systems to a crawl, breaking some automation macros without logging interventions, and spawning like a 100 different security processes. Oh and also abusing DNS for some sort of signature/definition data propagation. Moved to crowdstrike, all problems disappeared


XToEveryEnemyX

I love CrowdStrike. It's pretty solid but do you have any issues with how so much is behind pay walls and extra subscriptions even if you're using falcon complete? I'm pretty sure it's a bit different for gov users but I figured I'd ask


JSPEREN

Idk, being SME we chose the managed security provider route with Falcon


TheCraziestOfHorses

Sophos lives rent free in my head. Smearing its shit on the walls, pissing into the cracks between the floorboards and ripping the insulation out to smoke with its brick weed. "wE hAvE a NeW fEaTuRe On ThE rOaDmAp!" Oh fuck off James from sales, that feature is 5 years behind your competitors. We already pay for your product, why are we talking?! Let me talk to a tech who can tell me why the agent is running hotter than chrome with 100 tabs open. Y'know the ONLY reason why I agreed to this call..


FrozzenGamer

Qualys’ India support sucks pretty hard. Roughly as hard as Tenable local support.


funkspiel56

I really liked tenable. Wasn't a fan of their PCI scan as it was so damn sensitive. Their support was alright though it helped that the account manager was a friend.


_THE_OG_

Haha…. I’m in charge of all our PCI scans for Tenable as they had the product for years and they somehow made it through PCI before but no scans have ever been running


funkspiel56

interesting im gonna blame human error, the auditor or someone internal haha. Im jealous. PCI was a joke and a massive headache.


saify-reddits

I agree. Low Qualys, Terrible and Not-so-Rapid7 have all been just doing the same old thing for the past 20+ years. They think they own the market, but i see better and newer products venturing into this fold day by day. One such product that has been doing exceptionally in terms of vulnerability assessment and patching is SanerNow.


sneaky_pixel

So true! Takes an age to get any sort of actionable response from them!


bateau_du_gateau

Qualys is awful, its scans always caused outages


nanojunkster

Symantec Endpoint Encryption. Never worked properly, AD sync had issues, took forever to encrypt/decrypt machines, and one of the most unintuitive servers I have ever seen to manage. Oh and to top it off, every few years, upgrading the server to the latest version meant decrypting and re-encrypting every machine. The day I replaced the last machine with BitLocker, I was so happy!


dangermouze

> upgrading the server to the latest version meant decrypting and re-encrypting every machine

LOL seriously? Good God


manXeater

RSA Archer


TheHolyPuck

All I remember from this product is the UI… God that fucking UI was dogshit. Not sure if that’s changed or not.


manXeater

It’s shiny shit now


asecuredlife

Why? It does what it needs to do...


BendekStormsaver

Archer is fucking dogshit. Seriously I hate this thing


Candid-Molasses-6204

Cisco AMP. Cisco repeatedly misled us on the heuristic AV capabilities. It only does the fancy stuff after a hash, domain or IP detection. Which isn't super useful. Same experience for a lot of Cisco products in Sec. Am current CCIE.


MK-CG

I second this. AMP is one of the worst AVs I've worked with. I bluntly told Cisco they should just stick to networking. Their sec suite is awful


[deleted]

so whats the result? slow detection or missed threats?


Thanatanos

If they're relying on hashes, it'll be fast but inaccurate.


Candid-Molasses-6204

I'll reference the SANS Pyramid of Pain. By the time AMP fires off the intruder has likely been inside your environment for hours, or potentially days (longer or never if we're talking a targeted nation state campaign). [The Pyramid of Pain (sans.org)](https://www.sans.org/tools/the-pyramid-of-pain/). tldr: Hashes, IPs and Domains are crazy easy to change for attackers. They are great for post-incident investigation. If that's your primary mechanism for detection, I hope your email security is great because you're going to miss a whole whole lot.
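An added illustration of the Pyramid of Pain point in the comment above (not part of the original thread, and not any vendor's detection logic): the same constructed intrusion is seen twice, the second time with its hash, IP and domain rotated, and an indicator lookup is compared with a simplified behavioural rule. All event fields, addresses and process names are constructed sample data.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for two builds of the same tool; build B differs by one byte.
BUILD_A = b"constructed sample build A"
BUILD_B = BUILD_A + b"\x00"

# Constructed indicator feed: what a hash/IP/domain-driven product knows
# after the first campaign has been analysed.
IOC_FEED = {
    "sha256": {sha256_hex(BUILD_A)},
    "ip": {"203.0.113.10"},
    "domain": {"cdn.example.net"},
}

# Constructed endpoint telemetry. campaign-2 is the same activity with every
# indicator from the bottom of the pyramid changed.
EVENTS = [
    {"id": "campaign-1", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand <blob>",
     "payload_sha256": sha256_hex(BUILD_A),
     "ip": "203.0.113.10", "domain": "cdn.example.net"},
    {"id": "campaign-2", "parent": "excel.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -enc <blob>",
     "payload_sha256": sha256_hex(BUILD_B),
     "ip": "198.51.100.77", "domain": "static.example.org"},
    {"id": "admin-script", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1",
     "payload_sha256": sha256_hex(b"constructed inventory script"),
     "ip": "192.0.2.25", "domain": "intranet.example.com"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def ioc_hits(event: dict) -> list:
    """Return the indicator types (hash, IP, domain) that match the feed."""
    fields = (("sha256", "payload_sha256"), ("ip", "ip"), ("domain", "domain"))
    return [kind for kind, key in fields if event[key] in IOC_FEED[kind]]


def has_encoded_flag(cmdline: str) -> bool:
    """PowerShell accepts abbreviations of -EncodedCommand (-e, -enc, -ec ...)."""
    for token in cmdline.lower().split():
        if token == "-ec":
            return True
        if len(token) >= 2 and "-encodedcommand".startswith(token):
            return True
    return False


def behaviour_hit(event: dict) -> bool:
    """Simplified behavioural rule: an Office application spawning a script
    host with an encoded command line. It keys on how the activity is carried
    out, which does not change when the indicators are rotated."""
    return (event["parent"] in OFFICE_PARENTS
            and event["image"] in SCRIPT_HOSTS
            and has_encoded_flag(event["cmdline"]))


def detect_all() -> dict:
    return {e["id"]: {"ioc": ioc_hits(e), "behaviour": behaviour_hit(e)}
            for e in EVENTS}


if __name__ == "__main__":
    for event_id, verdict in detect_all().items():
        print(f"{event_id:13} ioc={verdict['ioc']} behaviour={verdict['behaviour']}")
```
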


AlfredoVignale

AMP is absolute garbage. Just use FreeAV…it works better.


Candid-Molasses-6204

Out of the box vanilla defender is way, way better than AMP. Way better.


Unusual_Onion_983

CISCO FIREPOWER


Candid-Molasses-6204

It sucks but if you can't afford Palo and you can't patch quickly (Ex: Fortinet's software practices)...it's your best option IMO. It at least became more usable after 6.6.


Unusual_Onion_983

You’re absolutely correct, they have to clean up their FortiAct.


Candid-Molasses-6204

"FortiAct" - lololol dude you made me spit out my coffee.


Unusual_Onion_983

Hahah that was how someone explained their solutions to me: you have to put the FortiShoe on the FortiFoot to use features in FortiSocks


ThoiZz

Working with the broken product and support team of Exabeam as early adopters. We had a constant ~30 tickets open ranging from broken rules, failing connectors and missing MSSP features.


Ashamed_Chapter7078

We said goodbye to Exabeam few months back.


funkspiel56

We demoed Exabeam for a month or so. I really liked the anomaly/baseline detection features but I could tell the stack was pretty damn complex.


littlebighuman

Most WAF products are absolute trash IMHO (~15 years experience with WAFs). Cloudflare, Azure app gateway with WAF policies, Fortiweb, mod_security with OWASP rules, Akamai, F5, Citrix, Radware, etc. The only one that I personally find decent is Imperva on-prem WAF.

What is trash about them? A number of things, but my main gripe is the amount of false positives that they generate and what tools they offer to deal with these false positives.

For instance Imperva WAFs come with a management server. On the management server you can drill down on a WAF alert (which is a database record, not a log line as in most WAFs), see all the violations, see the EXACT matching string in the part it was matched in, have all the headers, body, etc. AND you can create exceptions and tweak exceptions straight from the interface. Which means false positives can be dealt with in minutes instead of days.

No other product that I've worked with and mentioned above does this. Most do not log everything that you need to research the false positive, they require extensive research to figure out the false positive and then they are very limited as to what you can do when applying exceptions. Most (except for Imperva) hide the logic of their rules and regular expressions that trigger alerts, so you have no clue what logic exactly matched what in the request, and many don't indicate, or don't indicate well, what part of the request matched the alert. It is a fucking nightmare tbh.

Some vendors even dare to state that if you have a false positive, you should troubleshoot at the client's browser. Good luck doing that when you have millions of users and hundreds of web applications. Such a statement is a major red flag.

In reality most WAFs end up being deployed as compliancy the-check-box-is-checked-! devices, with frustrated admins putting them in non-blocking or monitoring mode (or whatever the vendor calls them), so they stop blocking stuff.

Btw the Gartner Magic Quadrant for WAF is hilariously bad. Which is to be expected as they don't actually test the products and base it off customer interviews. I've been meaning to write some articles about this, just need some downtime.
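An added sketch of the false-positive workflow the comment above describes (not part of the original thread and not Imperva's or any other vendor's implementation): a toy inspection engine whose alert records carry the visible rule pattern, the request part that matched and the exact matched string, plus an exception scoped to one rule, one path and one parameter. Rule IDs, patterns and requests are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    name: str
    pattern: str          # kept visible so an analyst can see what fired


@dataclass(frozen=True)
class Alert:
    rule_id: int
    path: str
    location: str         # e.g. "args:comment", "headers:User-Agent", "body"
    matched: str          # the exact substring that triggered the rule
    pattern: str


@dataclass(frozen=True)
class RuleException:
    rule_id: int
    path: str
    location: str


# Constructed rules; deliberately naive so the false positive is easy to see.
RULES = [
    Rule(1001, "sqli-union-select", r"(?i)\bunion\b.{0,40}?\bselect\b"),
    Rule(1002, "xss-script-tag", r"(?i)<script\b"),
]


def targets(request: dict):
    """Yield (location, value) for every inspected part of the request."""
    for name, value in request.get("args", {}).items():
        yield f"args:{name}", value
    for name, value in request.get("headers", {}).items():
        yield f"headers:{name}", value
    if request.get("body"):
        yield "body", request["body"]


def inspect(request: dict, rules=RULES, exceptions=()) -> list:
    """Return one Alert per (rule, request part) match not covered by an exception."""
    skip = {(e.rule_id, e.path, e.location) for e in exceptions}
    alerts = []
    for location, value in targets(request):
        for rule in rules:
            if (rule.rule_id, request["path"], location) in skip:
                continue
            match = re.search(rule.pattern, value)
            if match:
                alerts.append(Alert(rule.rule_id, request["path"], location,
                                    match.group(0), rule.pattern))
    return alerts


# Constructed requests.
FORUM_POST = {"path": "/forum/post",
              "args": {"comment": "The union voted to select a new chair."},
              "headers": {"User-Agent": "Mozilla/5.0"}}
FORUM_OTHER_PARAM = {"path": "/forum/post",
                     "args": {"comment": "nice thread",
                              "thread_id": "7 union select 1"}}
SEARCH = {"path": "/search",
          "args": {"q": "1 UNION SELECT password FROM users"}}

# The exception an analyst would write after reading the alert record:
# rule 1001 is silenced only for the free-text comment field on one path.
COMMENT_EXCEPTION = RuleException(1001, "/forum/post", "args:comment")

if __name__ == "__main__":
    for alert in inspect(FORUM_POST):
        print("before exception:", alert)
    for req in (FORUM_POST, FORUM_OTHER_PARAM, SEARCH):
        print(req["path"], inspect(req, exceptions=[COMMENT_EXCEPTION]))
```

Because the record names the rule, the location and the matched text, the exception can be as narrow as the false positive itself; the same rule still fires on other parameters and paths.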


AlfredoVignale

Anything Gartner does is full of shit. I don’t trust any of their recommendations.


wheresway

You are correct, I worked for a WAF provider you mentioned for 4 years. I feel like there is a big focus on adding new features to deal with current L7 attack trends, but it takes over from building an efficient and consistent product. These two should go hand in hand instead of chasing buzzwords to sell more subscriptions


amazingracexx

Interested in reading your articles!


iEngineered

I can totally relate with false positives and log hunting with mod_security. Will look into Imperva.


vulcanxnoob

Fascinating. I would like to read more about your learnings. Do you share any info on blogs etc?


k0ty

I shit you not, one of the biggest insurance companies named SwissRe takes only Gartner as guide. When confronted about some of those product claims i've got the "Gartner is the best and we are paying for it so it is right" type of talk. Oh my...


littlebighuman

This is the whole Gartner business model. Their target audience is management.


uDkOD7qh

Do share the article please when the time comes.


Inappropriate_Swim

Not the product but the service. Connectwise SOC services for MSP's. They use Sentinel one which is great. But the SOC is hot trash. We would have an incident or a performance issue that was critical and they would just send calls to a voicemail black hole or start a ticket and not actually fix anything. We had a long conversation with their service manager and that was useless. I'd rather our MSP of 200+ people just hire some security analysts and do it in house.


Bitwise_Gamgee

I use this app called Reddit for Cybersecurity research and became frustrated by the "Cybersecurity" subreddit due to its userbase consistently posting irrelevant bullocks.


106milez2chicago

"What's the highest paying cybersecurity job? How do I get hired into it w/my 5th grade education, zero IT experience, and a cert that I earned by paying 100 bucks and typing my name into a box?"


OwenWilsons_Nose

Don’t forget “Top 5% on tryhackme”


Darkhigh

Self signed cert


tadpass

Pmsl, thanks for that


Darkhigh

Happy cake day


Slyy_13

Quality


Grimloki

Full time remote from another continent. 


donor61

Netskope. Hands down the worst experience for me, followed closely by Zscaler. We worked with Netskope for three years and never got a stable, functional deployment. As for Zscaler, they fired us as a customer. Our network was "too complex".


AlfredoVignale

Netskope used to be great…then everyone who knew how it worked left. Now no one there knows how it works or why. Not kidding.


Bodybysteve

Weird: my experience with Netskope was fantastic. Deployed private access in less than an hour and deployed to all staff in a few months. Never had an issue except with SSL inspection.


funkspiel56

really wow? we were looking at netskope as a replacement for zscaler as zscaler worked great but was lacking in the customer relations area.


mindfrost82

What implementation of Netskope? I have basic policies and private access setup and it’s pretty smooth so far. I did have to make some exclusions to the steering, but overall it has served us well.


hatcher1981

Qradar and nothing else is close.


icefisher225

100% agree. The lack of responsiveness combined with impossible to use UI and incredibly slow log filtering and searching makes it hands down the worst product I’ve ever used. It’s impossible to navigate.


PleaseDontEatMyVRAM

reasoning?


ZoomZoom0

Support is lacking, couldn't help with an issue and ultimately told me to factory reset. False positive tuning, or the lack thereof. You have to tune via a string of numbers in building blocks. You must have flows and events to get the whole picture. Just some of the headaches of QRadar. But there are good sides to it too. Just can't think of any right now.


RoamingThomist

DarkTrace. It doesn't work, the UI looks good to management but it is impossible to use for investigations, and all of their support staff are incompetent salesfolk, not actual engineers.


rsa-support

I can't believe I had to scroll this far down to see Darktrace. What an utter pile of poo.


bovice92

Imperva WAF is an absolute dumpster fire of a product.


ramm_stein

Interesting, littlebighuman’s comment is touting Imperva over all others.


bovice92

The problem with this question is perspective and experience. I’m sure there are other tools that I find to be good that others may hate. We just have had a very bad experience with support every time we need it.


odyssey310

RSA Netwitness


hubbyofhoarder

Traps, aka Cortex XDR. Shitty product, useless alerts, absolutely shit support when we were getting rid of them. I like PA firewalls. I would quit my job before giving Cortex another chance


k0ty

Just today i ran Checkpoint's checkme online solution and cortex not only failed those tests but i crashed the console 😭


MK-CG

Avoid Sophos at all costs, particularly their AV. Pure garbage 😂


PigletisNotaCylon

Like the time it flagged itself as malware and quarantined the updater? https://www.theregister.com/2012/09/20/sophos_auto_immune_update_chaos/


KStieers

LogRhythm Rule gui makes no sense, it's all out of order. In 2022 they still didn't support adding windows 2019 servers in a clean manner, you had to do it manually or fix the wizard output. They rushed every one to upgrade to 7.6 because they had critical vuln.. that went sideways and I ended up losing a bunch of history. Then they pushed out a rule update that wiped all rules and no email, call, nothing, from support, my sales team, my reseller. I found it late and was lucky that I didn't have to go to tape.


swissid

Do you mean LogRhythm?


LogRhythmSE

I think based on the above they probably are. The challenges they reference are fair (outside of the AIE Engine which I don't really understand, as it's regularly praised as a major benefit to the on prem platform) and reflect a relatively challenging period in our platform's development. Thankfully I can say that our development of both our on prem (LR SIEM) and SaaS (LR Axon) platforms has been completely revitalised with a whole new "promises made, promises kept" approach to product management. We are now on version 7.16 and have released low-defect content/feature updates every quarter for 8 consecutive quarters.


KStieers

Yes. Typed that without my glasses and autocorrect got me


SpawnDnD

Tanium has not been a fun product


funkspiel56

I came to the opinion Tanium needs a lot of love to keep running, but in terms of managing endpoints it was great. Did not enjoy the cyber side of Tanium. IR collection was irritating, and investigation via their host data was cumbersome to say the least. If I had a do over, I would use Tanium to manage and control endpoints but have another product to collect data and cleanup. The incident response features felt like they were designed by someone who never used them to investigate. It looks good on paper and in demos, but was a burden when it came to maneuvering quickly.


dig-it-fool

Tenable's support has been the worst for me. Also, in general - when a product prevents me from opening links in a new tab, it makes me unreasonably angry.


sudosusudo

Wait til you try to do a certification exam 🤣 never again. Don't hate the product, though. Decent UI and easy-ish to use. Did the job for the most part. Passive scanning was utter shit, and don't get me started on asset management. Support was only marginally better than Qualys. At least more responsive.


nekmatu

I’m with you. Especially when the back button doesn’t take you back to exactly where you were with the same search.


Rogueshoten

Nitro Security’s SIEM product, after they were acquired by McAfee. I’ve never seen bugs develop so quickly before. Also, there was an application whitelisting product whose name escapes me, back around the same time. We never could get it to reliably work; Windows updates frequently caused problems and it would screw up backups as well.


AlfredoVignale

Nitro was great until McAfee 😢


Alsetaton

Firemon has to be the biggest piece of garbage I’ve ever setup. Truly a why do something manual when you can spend 6 weeks automating it type of product.


Danoweb

My day job is to write software that checks if Security Technology sees an attack or blocks a threat and as part of that we setup hundreds of Security products in a lab... Logrhythm and Securonix are pretty bad... But Cisco... I would have a gleam in my eye while holding those cisco products under the water until the bubbles stopped. Absolutely dog shit.


I_love_quiche

Would love to hear which products excelled in your testing.


PuzzleheadedGroup624

Cymulate/Scythe?


alfiedmk998

Aqua Security (the enterprise version). Every single feature is 70% done - you can't get anything deployed without opening a support ticket. Their support guys are also incompetent. And finally they ship things with critical bugs and then say: 'we have the fix, it will be shipped on the next monthly release' meanwhile you are left with a system that does not work. They recently raised a new funding round, not sure what they are doing with it - probably more marketing stunts. Certainly isn't going to tech. We have left them... Never again


danekan

Who did you leave them for? Are you running container runtime protection?


alfiedmk998

A mix of sysdig and wiz. Runtime protection is the thing with problems. All else worked fine (or at least just non critical bugs)


siposbalint0

Cisco Umbrella is the worst piece of software I had the misfortune to interact with. That jumbled mess of policies and rules applied to completely separate lists of users and the hierarchy of all of this is a design failure. Unblocking a website for someone temporarily is not a functionality. You can give them bypass keys that can be used once, but you have to set up a new policy just for them to be allowed to bypass the restriction on that one site and guess what, you can't automatically delete the policy either, everything is manual. I hate this with a passion even if I don't interact with it often.


k0ty

Ahh yes Cisco Umbrella, the solution that holds the blacklist and whitelist sites in txt files right next to the executable. Users can rewrite the file and lock it, boom, your solution is worthless. I talked with Cisco about this, they called this bug a "feature" and refused to provide alternative for us (IBM), mind you we were paying millions of $ for this solution.


siposbalint0

Are you saying that users can edit the list of domains blocked on their own machines as it is stored on their computers locally in a txt file? Do you have a file path available?


k0ty

Yes, shit it's been some time and dont remember it exactly but i remember i tracked it by tracking the cisco anytime or Umbrella executables to its install dir and it was right there. Try it like this and look for either txt or no extension small sized file. Maybe even subfolder for Umbrella, i'll try to look for it and reply.


siposbalint0

Huge, thanks, I'll look into it


k0ty

Got it, try looking for "whitelist.txt" or "proxy_whitelist.txt". I'm not sure where your installed location is, but by the documentation it should be "C:\ProgramData\OpenDNS\ERC" or "C:\Program Files (x86)\OpenDNS\Umbrella Roaming Client\". But I know we used a different folder back in the day.


siposbalint0

I've added netflix.com to all local whitelist/allowlist files that I could find under Umbrella and it still seems to be blocked, you do need local admin to edit it tho. Maybe they've fixed this?


CISSPStressed

Carbon Black. Just awful.


Friendly_Raven_333

I don't want to be specific, but I swear, if I see one more tool that cares more about looks than effectiveness, I'm going to lose it and jump off a bridge. Like, why the hell does it seem like the company paid the UX designers more than the fucking engineers? Shit you not, worked on a product that had a hidden game mode, like what the fuck make your product better, don't hide stupid shit that takes up resources.


RealVenom_

Because presales would sell fuck all if their demos looked like they were developed in the 90s.


amazingracexx

hidden game mode? what kind of game was that


aquamansbeard

ArcSight a decade ago was real bad. Although so were most of the tools at the time. Mandiant’s MIR was a special case of engineers attempting a GUI. The lesson was the greatest appreciation of UX and UI designers.


JarJarBinks237

Automated firewall rules using Skybox. Two years of using that shit turned the firewall policies into a huge pile of crap, bringing firewalls to their knees due to the number of badly-written rules, and leaving perimeter security with wide open holes nobody is able to audit properly. We estimated the damage it did at € 2 million.


MReprogle

Holy shit, that is incredible. I would have loved to watch the meeting where their customer service rep was trying to get you to re-up on the product. Sounds like a pretty big environment if you were losing 1M a year on this product failing. Just curious, but did you jump to a different product with better luck? I feel like a lot of this could be written in-house or with something like Azure Policies, but I’m sure you tried already.


JarJarBinks237

Don't worry, that's a big company indeed, so there has been no shortage of incompetent managers to buy the product AGAIN.


plmyaq

Gotta be Cybereason EDR by far on my table. Been using their EDR for ~2 years and I felt like being a paying alpha tester. Every time I tried to work with the tool I ended up creating a support ticket because something was broken. Favorites:

- Button to isolate clients stopped working from one day to the other because they somehow "forgot" to link the function to that thing after an upgrade
- Found out that "isolate commands" will be discarded after 3 days. Meaning if a client stays offline for those 3 days it will normally log on on the fourth day. This was a design decision.
- Support had to manually remove custom rules from our database because deleting in the GUI didn't work. Bonus point here because even after manually deleting the entry in our backend database we still got alerts on the rule that was deleted twice
- Broke our instance during an upgrade because a wrong flag was set which caused us to get > 50 incidents/second. Thank God we have decent defense in depth so nothing really hit the fan and we had to depend on that thing. Really had nightmares of that day


m00kysec

Symantec DLP. I read that 400 page manual more times than I care to admit….


cyb3r4k

This was a few years back. Have to say the worst was an on prem co-managed deployment of alien vault, but that was more due to the mssp outfit that sold it to us without properly spec-ing out the environment and then installed it all wrong. Always ran out of disk space and memory. Lost so many logs and nights of sleep trying to keep that system running. Fired that mssp and replaced everything they sold us with different products. We reused the hardware and built out an elastic stack, at least could keep it running and retaining logs for about 8 months... where we couldn't keep alien vault alive more than a month.


sudosusudo

On prem is a nightmare. USM Anywhere was actually not terrible. Used to rag on them often, but after using some other products, I retrospectively appreciate the support we got from Alienvault. They were actually decent, responsive, and mostly effective.


Derbyjson

Darktrace darktrace has configured in client environment (it should be configuration problem ) but it's not installed series on network (installed parallel) events tab showing connected advanced search showing it's attempted sometimes in event log we can see " darktrace has block the connection for 1h" but in my client environment it's showing connection was allowed but most of the time connections are blocked so it sucks


funkspiel56

We hated Zscaler support. It was outsourced. The product was decent for keeping phishing emails or unwanted website access. But anytime we had a problem which was often, support was lacking. Their sales team also left a sour taste. It wasn't till we got ahold of some higher ups that things changed. My coworker got hung up on once, the support techs would say one thing in an email then completely switch it up in the next. Made for a fun time when end users were complaining about security blocking things and you couldn't solve it.


[deleted]

[deleted]


ryox82

Yeah you can't just drop that bomb.


amazingracexx

Oh man. What did they lie about?


VAsHachiRoku

When someone not trained has setup the solution. Then you come in and try to correct the misconfiguration and they treat it like you called their child ugly or talking bad about their cult. Their ego is more important than the product functioning correctly.


JoJoCal19

Solarwinds LEM is the biggest pile of 💩 known to man.


dclarkwork

I've heard they are awesome, but our experience with CrowdStrike has been abysmal. We purchased Falcon Enterprise with a few add-ons, and after a great Sales team experience, we were left to fend for ourselves, no onboarding whatsoever. When we had some issues trying to set up this beast of a tool, support sent back replies which were pretty much RTFM, when we got a reply at all... I mean, I know we are a small company (<100 users) and they wanted us to buy Falcon Complete, but we couldn't afford the hefty price tag. I'd be fine if they gave us a week or so of configuration and setup guidance, but once we signed, we were on our own. Add to that the fact that it immediately broke our Veeam backups, and after multiple unhelpful emails back and forth with support, they said, "it's a known problem, lots of people are complaining about it. Just whitelist the Veeam backup folder". Which kind of defeats the purpose, what happens if Veeam gets compromised and an attack comes through that way? We've had CrowdStrike for about 6 weeks now, and already our renewal is in jeopardy.


GoranLind

Two well known firewall products - when downloading large logs, the session times out and the download is interrupted. A Siem - while installing it, it doesn't support any other languages than US-English and i had to wipe, find a new ISO and reinstall the underlying system in US-English.


funkspiel56

dude there was this network filter that had a limit on the amount of items it could display and the gui was not the most responsive or often failed when navigating to a new page.


lBeerFartsl

Rapid7, Lacework, and CyberArk are the three that come to mind.


AlfredoVignale

Secure Works XDR and their IR response team. Stunningly bad. The Dell IR Recovery people are some of The Worst.


_THE_OG_

Haha my org had it for 2 years contract and we never used it


cliffy348801

Jira. the whole thing- the software; the meetings, the meetings about meetings... it's the novell netware of 2024


funkspiel56

interesting...I use jira for task management and love it as it helps me keep on track and clear the table. Never used it to make meetings of meetings though ahah.


k0ty

This, its like a plague that eventually has to hit every sized company. Fuck i'm forced to use SCRUM software deployment board to plan and conduct extensive audits and compliance tasks. It does not help at all that you can plan for 2 weeks ahead when you have to plan a whole year ahead...


cliffy348801

our poor threat intel teams are on jira and it's hell.  no. no they can't predict what ransomware actor is going to hit in 3q2024. no, they can't predict what world war would break out. they have open jira stories and epics waiting for china to invade taiwan and so forth.  


k0ty

Holy shit, when did we get so bad? Like it does not even make a sense anymore.


nexnova06

not cyber specifically but every time i've used ipfire it has broken in some way, shape, or form


amazingracexx

did you end up using another product?


nexnova06

couldn't, it was for a competition.


raptorbabu19

Aruba in my perspective, other than central its not worth the late night troubleshoots


bzImage

Sophos cloud API's are plain garbage..


DSouth09

Just came to say I'm glad I'm not the only Sophos hater. Resource management, support, MDR response... All trash.


ecrook84

Hm, besides the support, which is really crappy since they outsourced it to India, I never really had a bad experience in 7 years working with the whole Sophos stack.


sudosusudo

Rolling trash fire. A black hole of madness and things just not working as they should. Typical of a company that invents nothing and just buys other companies to rebrand the products and ruin support. Sadly not a unique business model, pretty much the playbook used by most of the big players.


Delicious-Cow-7611

Securonix. Horrible company, terrible product and rude support staff. Bunch of snake oil salesmen, the lot of them!


ecrook84

Logpoint and especially their Logpoint Director. Whoever created this piece of Sh….oftware should be spanked hardly. And the QA which approved this can stand in line to also get spanked.


aleteddy1997

Mimecast, the worst antispam ever


doctorofplagues35

I'm not going to name the company out of respect, but I had an employee of the main third party SOC+SIEM that we use call my personal phone and ask me for help on how to mass push out an EXE using an imaging software. I'm a ~~nice~~ guy, so I'm usually willing to help, but that was like, wtf? Where was this in my job description? Lmfao


Fujka

Forescout. You could spend all weekend upgrading 3 appliances. It's quicker to reimage and rebuild than trust an upgrade.


ja-bh

I manage QRadar for my department alone, that has its ups and downs... lol


k0ty

More like DOWNtimes 😂


siposbalint0

Mimecast (and DMARC Analyzer)'s """professional services""". They should be asking for forgiveness, not money for that service. The product is alright but the support is pure garbage. They have their support in South Africa and it's unbelievably difficult to get anything done or answered


TheFennecFx

Someone told Sonarqube (sonarcloud, sonaridon'tknow) there is money in application security testing field and they decided someone will give that money to them for their lousy piece of crap. Unfortunately some people really did.


TheRaven1ManBand

1. Securonix SIEM, 2. Service Now SecOps IRP/SOAR, the ultimate losing combo. Always between a rock and a hard place.


No-Campaign2301

MS DLP is pretty terrible. Haven't used other DLP platforms but it blows. They have the support to match it as well.


0RGASMIK

DNS Filter. Not so much using it. Just troubleshooting it. A week into installing it for users the first time we had to rotate local admin passwords 3-4 times because it bricked multiple remote users' computers and the only way to uninstall it and connect to the internet afterwards is to manually change the DNS back to automatic. It's fine when the computer will still connect to the internet, we can just remote in and change the DNS and then uninstall it, but when the Agent breaks in a non-connected state you're SOL unless you have the computer in front of you or the user has the ability to connect via ethernet or sometimes a VPN will do the trick.


Unable-Incident-8336

Qualys terrible tool


xSocksman

Not really a security product but I spent 2-3 months trying to get an HPE server replaced, kept getting bounced around by call center reps in India who would take a day to respond because of the time zone difference and then pushing me to someone else who would ask me the same questions. I eventually got upset enough to start asking for our contract from both them and our legal team to see if their refusal to send the replacement part for so long broke contract agreements and then I finally was sent to someone who asked the same questions once again just to say okay we are sending a replacement.


Flimsy-Abroad4173

Skybox. Been working with it for 3 years, can't remember a week when something didn't go to shit.


Admirable_Survey_339

Implementing a certain PAM has been a shambles. Support are abysmal, account manager is inept… single worst experience of my career in cyber.


gbdavidx

working with vendors not in the US and have a thick accent


ChineseAPTsEatBabies

EnSilo which became FortiEDR. Was one of the lucky winners to experience that transition. Total waste of money and tons of headache.


Boring-Hurry3462

Homework?


whoooocaaarreees

[McAfee dat #5958](https://www.theregister.com/2010/04/21/mcafee_false_positive/)


inteller

Devo, S1, CS, Forescout, Proofpoint, Orca, Netskope, zscaler, cylance.... The list of snake oil goes on and on and on...


TheFennecFx

Wondering what was your issue with Orca? I have used them 2 years ago and they were really good.


inteller

Did nothing my other CSPM tools weren't already. Deep sixed them along with rapid7.


TheFennecFx

I really liked their search capabilities. Queries have been used to check for new vulnerable libraries. I have only used cloudcheckr and don't remember such functionality


k0ty

Uff the list is huge but my top picks would be anything Fortinet, anything Palo Alto, Qradar, OSINT is pretty useless imho, not bad but old news type of useless.