Re: Bit9 and getting rid of anti-virus tool

["Cobb, Raisha" <cobbr () WSSU EDU>]

I share Eric’s sentiments…

Looking at a product called Cylance (SaaS solution), which takes a different approach to AV by using mathematical 
models and Artificial Intelligence to handle real-time endpoint protection.  They claim you can use them with your AV 
solution (client agent avg. 5MB of memory, 1% of CPU) or solely use theirs.  Pretty interesting, and doesn’t require an 
Internet connection or signature updates. Supports MS XP SP3 and up, Server 2003 and up, Mac OSX, next month RHEL 6 & 
7, and integrates into SIEM.  Has AppControl, HIPS

Plan is to release McAfee and go to free Microsoft with this product running in tandem.  If all goes well with our 
testing and comparing of success ratio/false positive results, looking to migrate solely to Cylance.  I perceive 
possibly being able to replace other applications with this such as DeepFreeze, and greatly reducing the amount of 
devices requiring wiping/re-imaging and the time wasted by our support staff.

If any other University is a Cylance customer, I’d love to hear from you on your experiences with the product 
(deployment, ease of tuning, reliability, performance, lessons learned, etc.).

Regards,

Raisha Cobb
Executive Director of Communications Technology  & Information Security Manager
Office of Information Technology
♈  Winston-Salem State University ♈
1209 Elva Jones Computer Science Building
Winston-Salem, NC 27110
Email: cobbr () wssu edu<mailto:cobbr () wssu edu>
________________________________
[cid:image002.jpg@01D1A1F5.EFBDD530]<http://www.wssu.edu/>

This message and any response to this message is being sent from a state e-mail system and may be subject to monitoring 
and disclosure to third parties, including law enforcement.  This email and any files transmitted with it are 
confidential and intended solely for the use of the individual or entity to whom addressed. If you have received this 
email in error, please notify your email administrator. If you are not the named addressee, you should not distribute 
or copy this e-mail. Please notify the sender immediately if you have received this e-mail by mistake and delete the 
message from your system. If you are not the intended recipient, note that disclosing, copying, distributing or taking 
any action in reliance on the contents of this information is prohibited.
________________________________

From: Sue Rivera [mailto:srivera () CSUB EDU]
Sent: Thursday, April 28, 2016 2:38 PM
Subject: Re: Bit9 and getting rid of anti-virus tool

Thank you everyone for your valuable comments that we will consider!

Sue Rivera
Information Security Analyst
Office of Information Security
Information Technology Services
California State University Bakersfield
https://www.csub.edu/its/
https://twitter.com/itscsub

661-654-2408


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric 
Lukens
Sent: Thursday, April 28, 2016 7:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Bit9 and getting rid of anti-virus tool

A few years ago we determined traditional AV wasn't doing us any good and switched to Microsoft's solution since we 
were already licensed for it. Some AV products claim to include "better" firewalls and application-whitelisting 
capabilities, but with the Enterprise editions of Windows 7 and above (plus Education on Windows 10) you get AppLocker, 
which isn't as nice as Bit 9 but we've done surprisingly well with it.  Otherwise, to me it seems most AV product's 
attempts to stay relevant are just replications of what is actually available in the operating system or from 
Microsoft--such as the EMET. Even worse, sometimes the AV software doesn't really have these features and is just 
managing the official Windows settings for you.

If you are able to afford Bit 9, I'd say use it and downgrade to Microsoft's AV since you probably are already licensed 
for it. Our old AV product created a lot of issues on the computers, especially if it was time to upgrade. While 
Microsoft's AV solution is not as good at detection as other AV software, it is much less burdensome on our 
computers--using less resources and installing updates easily without constant care and feeding. Plus WSUS or SCCM or 
Windows Update can update the Microsoft AV, so there's easy ways to keep it up-to-date. The only place the Microsoft AV 
is somewhat annoying is on centralized reporting, which is required by some security standards. SCCM is required for 
centralized reporting, unless you use something to watch the logs on the machines for alerts.

EMET: https://technet.microsoft.com/en-us/security/jj653751

On Wed, Apr 27, 2016 at 6:49 PM, Fulton, Lora <lfulton () bu edu<mailto:lfulton () bu edu>> wrote:
Usually we need to keep AV around for compliance purposes as the new products are not yet recognized as acceptable 
replacements (or at least they weren’t last I heard which was a few months ago now).

-Lora

[http://www.bu.edu/brand/files/2012/10/master-logo-small.gif]

Lora Fulton | Manager, Incident Response and Vulnerability Program, Information Services & Technology
111 Cummington Mall | Boston University | Boston, Massachusetts 02215
617.353.8293 |  lfulton () bu edu<mailto:lfulton () bu edu>     Send me a secure 
message<https://securecontact.me/lfulton () bu edu>
Listen. Learn. Lead.




From: EDUCAUSE Listserv on behalf of Sue Rivera
Reply-To: EDUCAUSE Listserv
Date: Wednesday, April 27, 2016 at 7:00 PM
To: EDUCAUSE Listserv
Subject: [SECURITY] Bit9 and getting rid of anti-virus tool

Hello everyone!
Has anyone implemented Bit9/Carbon Black EDR tool and been able to do away with anti-virus tool, such as McAfee or 
Symantec? Or, do we need both and why?

All comments welcome! Thank you in advance!

Sue Rivera
Information Security Analyst
Office of Information Security
Information Technology Services
California State University Bakersfield
https://www.csub.edu/its/
https://twitter.com/itscsub

661-654-2408




--
Eric C. Lukens
IT Security Compliance & Policy Analyst
ITS-Information Security
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
(319) 273-7434
http://www.uni.edu/elukens/

"Security is a process, not a product."  Bruce Schneier