Educause Security Discussion mailing list archives

Application inventory, Discovery, Blocking? Was RE: EnCase Enterprise experiences


From: James H Moore <jhmfa () RIT EDU>
Date: Tue, 13 Dec 2005 14:33:54 -0500

I was just looking at it because it offers the capabilities of
discovery and blocking.  If we find an executable on one
(administrative) computer, usually the next question is "Is this running
anywhere else?"  And that is a long, less than reliable process.  I am
looking for streamlining.  If something starts to spread that is not
detected in anti-virus, then it can be blocked.  This can take place, I
believe, for legitimate programs as well (like commercial keystroke
loggers), and other things that shouldn't be on our network, but that
A/V vendors might be hesitant to detect.

 

So maybe a better question is what are people using for application
inventory, discovery, blocking? 

 

One other thing that is useful about the EnCase Enterprise has to do
with grabbing a memory image.  Something dropped a copy of Dameware, but
did it successfully install, and is it running?

 

Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating
information security best practices, as hackers and criminals are at
sharing attack information"  - Peter Presidio




________________________________

From: Theresa Semmens [mailto:theresa.semmens () NDSU EDU] 
Sent: Tuesday, December 13, 2005 2:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] EnCase Enterprise experiences

 

We do not use the enterprise version but do use the other version for
our acceptable use investigations.  We've found that it delivers what we
ask of it.  

 

Theresa Semmens, CISA
IT Security Officer
North Dakota State University
IACC 210C
Ph: 701-231-5870
E-mail: theresa.semmens () ndsu edu

"Opportunity is missed by most people because it is dressed in overalls
and looks like work."  Thomas Edison

________________________________

From: James H Moore [mailto:jhmfa () RIT EDU] 
Sent: Tuesday, December 13, 2005 1:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] EnCase Enterprise experiences

 

Anyone using EnCase Enterprise in Higher Ed?  What settings?  What
problems with fears of Big Brother?  Are you getting the expected
returns?

 

Jim

 
