Educause Security Discussion mailing list archives

Re: Application inventory, Discovery, Blocking? Was RE: EnCase Enterprise experiences


From: Chad McDonald <chad.mcdonald () GCSU EDU>
Date: Tue, 13 Dec 2005 14:47:25 -0500

So maybe a better question is what are people using for application
inventory, discovery, blocking?

We have been using Altiris to this end for a few years now.  We are very
pleased with our installation.


Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
Office    478.445.4473
Cell       478.454.8250



  _____

From: James H Moore [mailto:jhmfa () RIT EDU]
Sent: Tuesday, December 13, 2005 2:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Application inventory, Discovery, Blocking? Was RE:
[SECURITY] EnCase Enterprise experiences



I was just looking at it because it offers the capabilities of discovery
and blocking.  If we find an executable on one (administrative) computer,
usually the next question is "Is this running anywhere else?"  And that is a
long, less than reliable process.  I am looking for streamlining.  If
something starts to spread that is not detected in anti-virus, then it can
be blocked.  This can take place, I believe, for legitimate programs as well
(like commercial keystroke loggers), and other things that shouldn't be on
our network, but that A/V vendors might be hesitant to detect.



So maybe a better question is what are people using for application
inventory, discovery, blocking?



One other thing that is useful about the EnCase Enterprise has to do with
grabbing a memory image.  Something dropped a copy of Dameware, but did it
successfully install, and is it running?



Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating information
security best practices, as hackers and criminals are at sharing attack
information"  - Peter Presidio




  _____

From: Theresa Semmens [mailto:theresa.semmens () NDSU EDU]
Sent: Tuesday, December 13, 2005 2:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] EnCase Enterprise experiences



We do not use the enterprise version but do use the other version for our
acceptable use investigations.  We've found that it delivers what we ask of
it.



Theresa Semmens, CISA
IT Security Officer
North Dakota State University
IACC 210C
Ph: 701-231-5870
E-mail: theresa.semmens () ndsu edu

"Opportunity is missed by most people because it is dressed in overalls and
looks like work."  Thomas Edison

  _____

From: James H Moore [mailto:jhmfa () RIT EDU]
Sent: Tuesday, December 13, 2005 1:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] EnCase Enterprise experiences



Anyone using EnCase Enterprise in Higher Ed?  What settings?  What problems
with fears of Big Brother?  Are you getting the expected returns?



Jim




