marcusb 13 hours ago

I had a couple of customers that deployed 7 endpoint security tools of the "hook into processes and inspect everything" variety. The exact mix was customer-specific, but if you're wondering what that looks like:

* Stand-alone "best of breed" endpoint DLP

* Stand-alone "best of breed" EDR

* Process whitelisting tool

* NAC posture assessment agent

* Three different AV agents

This is not even counting their VPN client(s) or the third party disk encryption agent they used.

I marveled at how they even got all of the agents to coexist, let alone have enough CPU left for people to do their jobs.

pico303 11 hours ago

And after all that, your company gets hacked through a misconfigured router.

thewebguyd 7 hours ago

> And after all that, your company gets hacked through a misconfigured router.

Or a more likely scenario - some dev with admin on their machine grabs a malicious NPM package, EDR doesn't grab it because they successfully lobbied to have certain directories exempt for performance reasons (like DevDrive on Windows, or WSL). SSH keys get stolen, and despite all the fancy security products, the environment is still a mess (which is why there are so many products to cover up that fact) so the dev actually has keys to prod, then you're hosed.

I've seen my fair share of orgs with a plethora of security "solutions" and yet fail to understand some basic principles like least privilege or separation of concerns and think all their security software is going to save them.

marcusb 10 hours ago

Or one of the seven endpoint agents, each of which has a kernel module and at least half of which are doing dodgy process injection and read process memory shenanigans.