by paholg 691 days ago
I used to work in this space, and I always had the nagging question of "is any of this stuff actually useful?"

It seems a hard question to answer, but are there any third-party studies of the effectiveness of CrowdStrike et al., or are we all making our lives worse for some security theater?

2 comments

It’s like trying to study the effectiveness of antivirus. But you already said it. As long as it produces consumable metrics a C-level can ingest, then it’s worth it. Because really, how does it make sense to add something so invasive? Anyways, in the 90s, antivirus makers also wrote viruses. They’d go on to flood networks with their creations, but magically block infection for their subscribers.
Have you seen it actually stop anything? (I'm sure the company that made the tool used it too, right?)

If I make a WWW-wide question of "has anybody seen it?", somebody will appear. But the number of people that got a security flaw caused by those tools is huge, and the number of people that got stability and availability problems because of them is basically the number of people that use them.

I worked on something different, but we integrated with CrowdStrike and such.

Maybe someone could do a study of like breaches in Fortune 500 companies that use an EDR vs. those that don't, but they probably all do at this point.

I would imagine any study like that would also be just packed with confounding factors.