I took control over an area of the network+policies that apply, then built machines by hand from scratch, so that everything works the same as the gold image.
I have discovered reasons for mystery behaviors and improvements, and a better understanding of how everything works.
This kind of stuff, where you think you understand how things work from print-outs of policy and settings, but turns out you don’t actually, and it turns out nobody currently does, is why outside perspectives/rebuilds are important for any kind of long-running infrastructure.
I’m now administering a group of coworker machines, as a proof of concept for replacing gold image configuration with the one I built by hand – with no unknown settings and even more modern defaults.
It’s easier when you can hold a laptop that’s working faster after you secure it
That’s the thing about deeply complicated enterprise loadouts of Windows machines. You can keep slathering security on top of them and making them slower with each agent, or you can question your assumptions and end up with a faster system that’s even more secure.
Additionally, I’ve been rebuilding the configurations of all Security agents on our desktops, and recommending changes to other teams’ configurations of their tools.
I intend to push a package of revolutionary security changes through under the guise of performance improvements.
I now have multiple overlapping layers of <security product types> and <audit abilities> and the machine is faster than it was before.
Also the battery life is better and the fan doesn’t turn on as much. I’m idling at a few CPU %.
My main machine is a monster with NVMe SSD I bought because the old one wasn’t fast enough, Xeon, two fans, and 64GB of RAM. Even the SCCM VM is fast.

My 2nd machine is a staff laptop from 2015 I took from a bin. I’ve learned a whole lot more about our network from that one.
One thing about performance:
Laptop processors are governed by heat. If you have security products loading one or two cores even lightly in the background, they are maintaining heat.
When a user application needs to surge on another core, it has less thermal headroom to boost.
*and power.

That user process should have been able to instantly boost and maintain a core to 4GHz and handle its needs. Instead it boosted and stalled out. Even on a core that had an empty queue.
The optimizations that happen in mature technologies hide these behaviors.
Let me say, you can have multiple layers of complex security products. I’m doing it. But it requires just huge amounts of time to tune them. Some don’t perform out of the box. The authority to make decisions and execute, to rapidly iterate. Meetings with vendors. Upgrades. Staff.
When the law says you need a technical control, the software costs 16 million dollars, a director bought it without consultation, and nobody has the authority to remove anything to compare or modify its configuration, you get a black box of dismal experiences and no accountability.
One of your most important abilities is to make a call in security configurations based on judgement.
An attacker could use this avenue, documents recommend it, but the costs of this auditing are too great.
Just critical in exclusion tuning. And it’s possible by using defense in depth.
I have one tool that intensively scans files. Another alerting PE file creation. Another logs on file extension. I have NTFS SACLs. I have change journaling. By understanding all my tools and attacker behavior, I get to choose which areas of the endpoint I can reduce intensity.
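As an added example (not code from the thread), this PowerShell shows two of the layers mentioned above working together: an NTFS SACL that audits file creation in a user-writable folder, and a filter over the resulting Security event 4663 records that keeps only PE-looking extensions under that folder. The folder path and the extension list are assumptions, and Object Access auditing must be enabled or no 4663 events are written.

```powershell
# Added example, not from the thread. Assumption: audit the public Downloads folder.
$Path = 'C:\Users\Public\Downloads'

# Layer 1: NTFS SACL. Audit successful CreateFiles (WriteData) by Everyone on
# this folder, inherited by subfolders and files, so new files are logged.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::CreateFiles,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# The SACL only produces events if the File System subcategory is audited.
auditpol /set /subcategory:"File System" /success:enable

# Layer 2: extension filter over the audit trail. Assumption: this list of
# PE-style extensions is what we care about in a user-writable location.
$peExt = '\.(exe|dll|sys|scr|cpl|ocx)$'

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
  ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
      Time    = $_.TimeCreated
      User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
      Process = $d.ProcessName
      Object  = $d.ObjectName
      Access  = $d.AccessMask
    }
  } |
  Where-Object { $_.Object -match $peExt -and $_.Object -like "$Path*" } |
  Format-Table -AutoSize
```

Running this as an administrator once sets the SACL; the query at the end can be rerun on its own whenever you want to see which processes dropped executables into the audited folder.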
It’s not popular to talk about even theoretical gaps in coverage. Expose any idea of weaknesses.
Scan everything. Enable every option. Allow nothing.

Somebody has to make the call, stand behind it, build compensating controls, and know they have absolute organizational support.
In the end, you have to have leaders willing to trust people and take the risk they might build a better organization.
ProTip: Instead of spending years in excruciating detail to make other people’s Windows machines faster by taking ownership of your department’s tools and impact, just buy a Mac and tell the Helpdesk people to fuck off when they ask to install antivirus. You work in Security.
I mean, technically, you can’t make machines faster, only stop depriving collective lifetimes from humans trapped by a vampiric chronoportal to Hell they’ve resigned themselves to sitting in front of and not complaining about in order to feed their children and get medical coverage.
You can follow @SwiftOnSecurity.