[isatsam]

This makes sense, but in this case, isn't the company behind Huntress having direct access to this data still a problem? For example, if the government purchased Outlook licenses, I'd assume DoD can read clerks' emails, but Microsoft employees can't. I imagine worst case compromising a lot of Huntress' users is just a question of compromising of its developers, like one of the people in the authors section of this article.

[evanjrowley]

Many businesses outsource their SOC to third parties like Huntress, Carbon Black, SentinelOne, all of whom offer very fancy Endpoint Detection and Respone (EDR) tools. Just about every EDR solution is a Cloud/SaaS offering provided either directly or indirectly through a third party Managed Service Provider (MSP). We call this Managed Detection and Respone (MDR). From technical and privacy standpoints, it probably sounds like a huge risk, but it's also worth acknowledging that EDR companies operate immense threat intelligence platforms through real-time monitoring of customers. From a C-suite perspective, it makes a lot of sense to offload the specializations of real-time protection and malware analysis to EDR solutions. There are risk managers who have quantified the risk tolerance for these types of products/arrangements. The company legal department, the CFO, and the board of directors are all satisfied with the EDR solutions placement on the Gartner quadrant and SOC Type 3 report saying the EDR provider follows best practices. Sometimes it's even a requirement for "cyber insurance" which a business may need depending on the industry. For better or for worse, EDR is how most institutions secure their IT infrastructure today.

[rcxdude]

For worse, I would say. This kind of thing is about accountability shuffling and not at all about improving security.

[NegativeK]

I'm concerned that you're not familiar with EDR and organizations who flat out can't build a full 24/7 SOC. Which is the vast majority of businesses.

EDR is a rootkit based on the idea that malware hashes are useless, and security needs to get complete insight into systems after a compromise. You can't root out an attacker with persistence without software that's as invasive as the malware can get.

And a managed SOC is shifting accountability to an extent because they are often _far_ cheaper than the staff it takes to have a 24/7 SOC. That's assuming you have the talent to build a SOC instead of paying for a failed SOC build. Also, don't forget that you need backup staff for sick leave and vacation. And you'll have to be constantly hiring due to SOC burnout.

If all of this sounds like expensive band-aids instead of dealing with the underlying infection, it is. It's complex solutions to deal with complex attackers going after incredibly complex systems. But I haven't really heard of security solutions that reduce complexity and solve the deep underlying problems.

Not even theoretical solutions.

Other than "unplug it all".

[glitchc]

> This kind of thing is about *accountability shuffling* and not at all about improving security.

You nailed it. Can't really blame CISOs for pursuing this model though.

[cwmoore]

It would be a shame if justice ever found itself obstructed by "accountability shuffling".

[cybergreg]

Huh? Small and medium sized businesses have how much to spend on security? Let alone IT?

[jacquesm]

> For example, if the government purchased Outlook licenses, I'd assume DoD can read clerks' emails, but Microsoft employees can't.

Funny, my automatic assumption when using any US based service or US provided software is that at a minimum the NSA is reading over my shoulder, and that I have no idea who else is able to do that, but that number is likely > 0. If there is anything that I took away from the Snowden releases then it was that even the most paranoid of us weren't nearly paranoid enough.

[d4mi3n]

Oh, absolutely. There are some ways to avoid this--customer managed encyrption keys, for example--but there will always be some kind of trade-off. The less an EDR (endpoint detection & response) tool can see, the less useful it is. Going with a customer managed encryption approach means the customer is then on the hook for watching and alerting on suspicious activity. Some orgs have the capacity and expertise to do this. Many do not. It often comes down to deciding if you have a budget to do this yourself to a level you and an auditor/customer is comfortable with (and proving it) or outsourcing to a known and trusted expert.

EDIT: For additional context, I'd add that security/risk tradeoffs happen all the time. In practice trusting Huntress isn't too different than trusting NPM with an engineer that has root access to their machine or any kind of centralized IT provisioning/patching setup.

[rcxdude]

You would think so, but in general the kind of attitude to security that results in these kinds of products actively encourages increasing the number of entities that have very highly privileged access to your system. 'Supply chain attacks' and 'attack surface' don't really register in this area, but 'buy this and you will be more secure' sales pitches very much do, especially with a dose of FOMO from 'industry standard' rhetoric.