Re: Bit9 and getting rid of anti-virus tool

[Sue Rivera <srivera () CSUB EDU>]

Thank you everyone for your valuable comments that we will consider!

Sue Rivera
Information Security Analyst
Office of Information Security
Information Technology Services
California State University Bakersfield
https://www.csub.edu/its/
https://twitter.com/itscsub

661-654-2408


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric 
Lukens
Sent: Thursday, April 28, 2016 7:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Bit9 and getting rid of anti-virus tool

A few years ago we determined traditional AV wasn't doing us any good and switched to Microsoft's solution since we 
were already licensed for it. Some AV products claim to include "better" firewalls and application-whitelisting 
capabilities, but with the Enterprise editions of Windows 7 and above (plus Education on Windows 10) you get AppLocker, 
which isn't as nice as Bit 9 but we've done surprisingly well with it.  Otherwise, to me it seems most AV product's 
attempts to stay relevant are just replications of what is actually available in the operating system or from 
Microsoft--such as the EMET. Even worse, sometimes the AV software doesn't really have these features and is just 
managing the official Windows settings for you.

If you are able to afford Bit 9, I'd say use it and downgrade to Microsoft's AV since you probably are already licensed 
for it. Our old AV product created a lot of issues on the computers, especially if it was time to upgrade. While 
Microsoft's AV solution is not as good at detection as other AV software, it is much less burdensome on our 
computers--using less resources and installing updates easily without constant care and feeding. Plus WSUS or SCCM or 
Windows Update can update the Microsoft AV, so there's easy ways to keep it up-to-date. The only place the Microsoft AV 
is somewhat annoying is on centralized reporting, which is required by some security standards. SCCM is required for 
centralized reporting, unless you use something to watch the logs on the machines for alerts.

EMET: https://technet.microsoft.com/en-us/security/jj653751

On Wed, Apr 27, 2016 at 6:49 PM, Fulton, Lora <lfulton () bu edu<mailto:lfulton () bu edu>> wrote:
Usually we need to keep AV around for compliance purposes as the new products are not yet recognized as acceptable 
replacements (or at least they weren’t last I heard which was a few months ago now).

-Lora

[http://www.bu.edu/brand/files/2012/10/master-logo-small.gif]

Lora Fulton | Manager, Incident Response and Vulnerability Program, Information Services & Technology
111 Cummington Mall | Boston University | Boston, Massachusetts 02215
617.353.8293 |  lfulton () bu edu<mailto:lfulton () bu edu>     Send me a secure 
message<https://securecontact.me/lfulton () bu edu>
Listen. Learn. Lead.




From: EDUCAUSE Listserv on behalf of Sue Rivera
Reply-To: EDUCAUSE Listserv
Date: Wednesday, April 27, 2016 at 7:00 PM
To: EDUCAUSE Listserv
Subject: [SECURITY] Bit9 and getting rid of anti-virus tool

Hello everyone!
Has anyone implemented Bit9/Carbon Black EDR tool and been able to do away with anti-virus tool, such as McAfee or 
Symantec? Or, do we need both and why?

All comments welcome! Thank you in advance!

Sue Rivera
Information Security Analyst
Office of Information Security
Information Technology Services
California State University Bakersfield
https://www.csub.edu/its/
https://twitter.com/itscsub

661-654-2408




--
Eric C. Lukens
IT Security Compliance & Policy Analyst
ITS-Information Security
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
(319) 273-7434
http://www.uni.edu/elukens/

"Security is a process, not a product."  Bruce Schneier