Anybody out there actually practicing Kolide’s https://honest.security model?
Particularly interested in anyone doing it without using Kolide. Our tech stack at work is gonna be static for the foreseeable future, so new tooling is gonna be out. I’m most interested in doing the best we can using what’s described there as “dishonest” tools.

We’re also limited in some ways by “inheriting” security controls and implementation requirements from a couple layers of public entities, so we don’t have the freedom to say, e.g. from their examples, “actually it’s completely fine for you to self-manage your employer-owned device”. Having an organization-controlled device management agent capable of doing lots of “dishonest” things is a hard requirement, and I think we’ll run into similar constraints in many other cases.

@ajn142 Step 1 is do not lie. When a user asks, you answer. Fully and completely. Especially things about "what behaviors are expected of your corporate malware". You need to have lists of IPs and ports ready if anyone is WFH.

Also for WFH, you only own your equipment. You do not scan the network.

2 is announce when and why ahead of time for big changes in security tooling. Especially important for that 5% of cases where something will break. Letting people know in time to work with you makes you a partner or at least competent, not an enemy.

@ajn142 @FritzAdalis

> “4 - The security team should anticipate and expect that end-users use their company owned devices for personal activities and design their detection capabilities with this in mind.”

I’m going to say… no

@willb @FritzAdalis very loaded topic.

I’ve always been in camp “incidental personal use, sure”, sort of an inverse of work resources on personal devices (e.g. Teams, email) for convenience. Radical “you can treat your work device as if it is your personal device” has always been where I drew the line, but that was also hard because our environment is not corporate and there’s been a culture much, much larger than any individual contributor, or even the IT department, that let people get away with doing so.

Best anyone could do is communicate the risks of doing so, such as personal stuff being subject to litigation holds, open records requests, etc., or being lost due to termination, a wipe, etc., and encourage good practice. Back when I did user support that was one of the areas I’d go out on a bit of a limb: I’d consult about personal devices (not touch them) if folks came to me about personal stuff so that they’d get it off their work device.

@willb @FritzAdalis I don’t think that stance will change. We have neither the inclination nor time to spend looking into folks’ personal usage, as long as they aren’t doing things that put the org’s interests at risk. Anything that does create a risk is gonna be treated the same whether it’s e.g. pirating Adobe products to build graphics for a work presentation or pirating games to play on their lunch break.