Hi,
Thanks for your reply. Interesting. The question that occurs to me is how much security is enough, is necessary, for any particular user. I'm not in an organization but a one computer guy. Yes, of course, backups, multiple are needed - iCloud, "other" cloud service and static to an attached physical external drive or internal network source. At least these three. Plus offsite full backups to make it four.
I was not familiar with the built in security things you mentioned in your post. So, I have been looking into them. Below, when I remark "Am I missing something" it is not rhetorical, but an actual question to you.
The read-only system exists in Windows, so no real advantage there. Even so, it's an improvement compared to, say, 10-15 years ago. So yes, it's helpful.
The effectiveness of the built-in layers of security the Mac OS has is not as protective as laid out by Apple, from what I have read, I'm sorry to report back to you. Yes, it is helpful, but I will make a case why it is not nearly enough. This concerns the App Store, Gatekeeper, Notarization, XProtect and MRT.
Relying on Gatekeeper and the App Store seems not that practical, as a feature for reliance, for many, like me. To function with a Mac OS it is often necessary to install software not available on the App Store, and Gatekeeper is informational as a function, not protective. A user decision bypasses this layer easily. As we know, over 90% of data breaches occur due to users, not the defenses in place; even the best defenses in depth get the run-around from errant user decisions. So, expecting all users to use software only from the App Store is plain silly and not practical. I see no management tool, for a single Mac computer, to remedy this lack of forced compliance. Or have I missed something?
Notarization requires an app be submitted to Apple to function as intended. Notarization is intended to be a malware scanning service; however, app behavior outside of apps submitted to Apple is not evaluated in the security environment, but requires the app be "known" by Apple. Many apps that function on a Mac OS have never been submitted to Apple for notarization, and won't be. Malware definition updates through Notarization are only possible for apps from the App Store. Yes, a nice idea, but it does not go far enough for me. Again, am I missing something?
XProtect, while a nice idea, is not able to be evaluated in real time as to its functionality. We just "trust" it is working. There is no management, no follow-up, no logs, no administration of this that I see. Again, am I missing something? Using YARA signatures is great in concept, and can be effective, BUT, again, we cannot verify its effectiveness since there is not a management tool to evaluate its effectiveness. "We need to see results, people. Verify, verify, verify," to take a phrase out of a Jason Bourne movie.
If you are a financial company, do you use your own internal auditors to assess your compliance with best financial accounting practices, or is it more responsible to hire an outside firm to assess that for you? If you are a CFO, do you not want another opinion than your own for the sake of the continued viability of your company? Applying this concept to XProtect, there is an apparent conflict of interest due to lack of real follow-up. It is hidden in the OS as to how it functions, and real administration is apparently not possible. Again, am I missing something?
MRT does not appear to have verifiable signatures for malware, nor reference to a database a security administrator can evaluate, nor administration for the latest updates related to the current threat environment in the US or other parts of the world. So, again, this is fairly hidden in the OS, and we just "trust" it is working. That does not seem to be a good security posture in my view. I need a higher standard of verification and evidence that it is actually working as designed.
If your layers of security are not reporting at least a minimal false positive, then they are not diving deep enough into the security systems and subsystems that relate to evaluating behavior deeply enough. This is why too much of a good thing is necessary, at least in a small measure, in systems security.
None of these built-in security layers seem adequately capable of addressing ransomware unless it is old, and Safari seems incapable of any defense in depth. It did not detect an attempted drive-by that Sophos quashed easily.
To give a number evaluation on a scale of 1 to 10, it appears to me these built-in security items score a 6 out of 10 in my view.
I will be keeping Sophos on Mac OS Monterey for now and appreciating it. Again, Mr. Hoffman, thanks for your response. And if, in my complaints above, one can do what I report is not able to be done, such as administration, follow-up, verification and the like, in your opinion, please do issue your view on that. I am appreciating that in advance.
Thank you,
JH
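The post above asks several times whether the Gatekeeper, XProtect and MRT layers can be verified or administered at all. The following script is an added example (not part of the thread and not Apple's tooling) showing the minimal verification a single-Mac user can do from the command line: read the Gatekeeper assessment state from `spctl --status`, read the installed XProtect and MRT definition versions out of their bundle `Info.plist` files, and filter the Apple background security updates out of `system_profiler SPInstallHistoryDataType -json`. The bundle paths assume the macOS 10.15-or-later layout, and the `_name` / `install_version` / `install_date` field names are those the author of this example has seen in `system_profiler`'s JSON; the sample plist and JSON embedded below are constructed for the self-test and do not reflect real definition versions.

```python
"""Verify the state of macOS built-in protections (Gatekeeper, XProtect, MRT).

Added example for the thread above; not Apple's code. Paths assume macOS 10.15+.
"""
import json
import plistlib
import subprocess
from pathlib import Path

# Apple-managed bundles whose Info.plist carries the definition version (assumed layout).
XPROTECT_PLIST = "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
MRT_PLIST = "/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist"

# Package names Apple uses for its background security updates, as seen in
# system_profiler output (assumption: confirm against your own machine).
SECURITY_PACKAGES = ("XProtectPlistConfigData", "XProtectPayloads", "MRTConfigData")

# Constructed sample plist (version number invented for the self-test).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.apple.XProtect</string>
<key>CFBundleShortVersionString</key><string>2166</string>
</dict></plist>"""

# Constructed sample of `system_profiler -json SPInstallHistoryDataType` (values invented).
SAMPLE_HISTORY_JSON = json.dumps({"SPInstallHistoryDataType": [
    {"_name": "Safari", "install_version": "16.0", "install_date": "2022-09-15T10:00:00Z"},
    {"_name": "XProtectPlistConfigData", "install_version": "2166", "install_date": "2022-10-01T10:00:00Z"},
    {"_name": "MRTConfigData", "install_version": "1.93", "install_date": "2022-09-01T10:00:00Z"},
]})


def version_from_plist_bytes(data):
    """Return CFBundleShortVersionString from plist bytes (XML or binary), or None."""
    info = plistlib.loads(data)
    return info.get("CFBundleShortVersionString")


def bundle_version(plist_path):
    """Read the definition version from an on-disk Info.plist; None if the file is absent."""
    path = Path(plist_path)
    if not path.is_file():
        return None
    return version_from_plist_bytes(path.read_bytes())


def gatekeeper_enabled(spctl_output):
    """Parse `spctl --status` text: 'assessments enabled' -> True, 'assessments disabled' -> False."""
    text = spctl_output.strip().lower()
    if "assessments enabled" in text:
        return True
    if "assessments disabled" in text:
        return False
    return None  # unrecognised output, e.g. command missing


def query_gatekeeper():
    """Run `spctl --status` (macOS only) and return True / False / None."""
    try:
        proc = subprocess.run(["spctl", "--status"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return gatekeeper_enabled(proc.stdout + proc.stderr)


def security_update_history(install_history_json, names=SECURITY_PACKAGES):
    """Filter install history JSON to Apple's security packages.

    Returns (name, version, date) tuples ordered oldest to newest, so the last
    entry per package is what is currently installed.
    """
    data = json.loads(install_history_json)
    items = data.get("SPInstallHistoryDataType", [])
    hits = [(i.get("_name"), i.get("install_version"), i.get("install_date"))
            for i in items if i.get("_name") in names]
    return sorted(hits, key=lambda t: t[2] or "")


if __name__ == "__main__":
    print("Gatekeeper assessments enabled:", query_gatekeeper())
    print("XProtect definition version:", bundle_version(XPROTECT_PLIST))
    print("MRT version:", bundle_version(MRT_PLIST))
    try:
        sp = subprocess.run(["system_profiler", "-json", "SPInstallHistoryDataType"],
                            capture_output=True, text=True, check=False)
        for name, version, date in security_update_history(sp.stdout):
            print(f"{date}  {name}  {version}")
    except (FileNotFoundError, json.JSONDecodeError):
        print("system_profiler unavailable or returned no JSON (not macOS?)")
```

Run it as a normal user; none of the three commands needs root. The version numbers it prints can be compared against the latest XProtect and MRT releases Apple ships, which is the closest thing to "follow-up" these layers offer on a single machine, and a Gatekeeper result of `False` is worth treating as a misconfiguration to investigate.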