Educause Security Discussion mailing list archives
Re: Bit9 and getting rid of anti-virus tool
From: "Cobb, Raisha" <cobbr () WSSU EDU>
Date: Fri, 29 Apr 2016 13:05:40 +0000
I share Eric's sentiments... Looking at a product called Cylance (SaaS solution), which takes a different approach to AV by using mathematical models and Artificial Intelligence to handle real-time endpoint protection. They claim you can use them with your AV solution (client agent avg. 5MB of memory, 1% of CPU) or solely use theirs. Pretty interesting, and doesn't require an Internet connection or signature updates. Supports MS XP SP3 and up, Server 2003 and up, Mac OSX, next month RHEL 6 & 7, and integrates into SIEM. Has AppControl, HIPS.

Plan is to release McAfee and go to free Microsoft with this product running in tandem. If all goes well with our testing and comparing of success ratio/false positive results, looking to migrate solely to Cylance. I perceive possibly being able to replace other applications with this such as DeepFreeze, and greatly reducing the amount of devices requiring wiping/re-imaging and the time wasted by our support staff.

If any other University is a Cylance customer, I'd love to hear from you on your experiences with the product (deployment, ease of tuning, reliability, performance, lessons learned, etc.).

Regards,

Raisha Cobb
Executive Director of Communications Technology & Information Security Manager
Office of Information Technology
Winston-Salem State University
1209 Elva Jones Computer Science Building
Winston-Salem, NC 27110
Email: cobbr () wssu edu
http://www.wssu.edu/

________________________________
From: Sue Rivera [mailto:srivera () CSUB EDU]
Sent: Thursday, April 28, 2016 2:38 PM
Subject: Re: Bit9 and getting rid of anti-virus tool

Thank you everyone for your valuable comments that we will consider!

Sue Rivera
Information Security Analyst
Office of Information Security
Information Technology Services
California State University Bakersfield
https://www.csub.edu/its/
https://twitter.com/itscsub
661-654-2408

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Lukens
Sent: Thursday, April 28, 2016 7:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Bit9 and getting rid of anti-virus tool

A few years ago we determined traditional AV wasn't doing us any good and switched to Microsoft's solution since we were already licensed for it. Some AV products claim to include "better" firewalls and application-whitelisting capabilities, but with the Enterprise editions of Windows 7 and above (plus Education on Windows 10) you get AppLocker, which isn't as nice as Bit 9 but we've done surprisingly well with it. Otherwise, to me it seems most AV products' attempts to stay relevant are just replications of what is actually available in the operating system or from Microsoft--such as the EMET. Even worse, sometimes the AV software doesn't really have these features and is just managing the official Windows settings for you. If you are able to afford Bit 9, I'd say use it and downgrade to Microsoft's AV since you probably are already licensed for it.

Our old AV product created a lot of issues on the computers, especially if it was time to upgrade. While Microsoft's AV solution is not as good at detection as other AV software, it is much less burdensome on our computers--using less resources and installing updates easily without constant care and feeding. Plus WSUS or SCCM or Windows Update can update the Microsoft AV, so there are easy ways to keep it up-to-date. The only place the Microsoft AV is somewhat annoying is on centralized reporting, which is required by some security standards. SCCM is required for centralized reporting, unless you use something to watch the logs on the machines for alerts.

EMET: https://technet.microsoft.com/en-us/security/jj653751

On Wed, Apr 27, 2016 at 6:49 PM, Fulton, Lora <lfulton () bu edu> wrote:

Usually we need to keep AV around for compliance purposes as the new products are not yet recognized as acceptable replacements (or at least they weren't last I heard which was a few months ago now).

-Lora

Lora Fulton | Manager, Incident Response and Vulnerability Program, Information Services & Technology
111 Cummington Mall | Boston University | Boston, Massachusetts 02215
617.353.8293 | lfulton () bu edu
Send me a secure message: https://securecontact.me/lfulton () bu edu
Listen. Learn. Lead.

From: EDUCAUSE Listserv on behalf of Sue Rivera
Reply-To: EDUCAUSE Listserv
Date: Wednesday, April 27, 2016 at 7:00 PM
To: EDUCAUSE Listserv
Subject: [SECURITY] Bit9 and getting rid of anti-virus tool

Hello everyone! Has anyone implemented Bit9/Carbon Black EDR tool and been able to do away with anti-virus tool, such as McAfee or Symantec? Or, do we need both and why? All comments welcome! Thank you in advance!

Sue Rivera
Information Security Analyst
Office of Information Security
Information Technology Services
California State University Bakersfield
https://www.csub.edu/its/
https://twitter.com/itscsub
661-654-2408

--
Eric C. Lukens
IT Security Compliance & Policy Analyst
ITS-Information Security
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
(319) 273-7434
http://www.uni.edu/elukens/
"Security is a process, not a product." Bruce Schneier
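Eric's point about centralized reporting (SCCM, or "something to watch the logs on the machines for alerts") and Raisha's mention of SIEM integration both come down to pulling AV detection events off each endpoint in a form a collector can ingest. The PowerShell script below is an added example written for this archive page; it is not code from anyone in the thread, from Microsoft, or from any of the vendors named. It assumes the Windows 10 / Server 2016 Defender operational log (Microsoft-Windows-Windows Defender/Operational) with its event IDs 1116 (malware detected) and 1117 (action taken); the EventData field names it selects (Threat Name, Severity Name, Path, and so on) are assumptions you should verify against the ToXml() output of your own events.

```powershell
# Added example (not from the thread): export Windows Defender detection
# events from the local Operational log as JSON Lines for a log forwarder
# or SIEM collector. Assumed: Windows 10 / Server 2016 Defender log name and
# event IDs 1116/1117; the EventData field names are assumptions to verify.

param(
    [int]$Hours = 24,
    [string]$OutFile = "$env:ProgramData\av-detections.jsonl"
)

$LogName = 'Microsoft-Windows-Windows Defender/Operational'
$Ids     = 1116, 1117   # 1116 = malware detected, 1117 = action taken

$filter = @{
    LogName   = $LogName
    Id        = $Ids
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent throws when nothing matches; treat that as "nothing to report".
try {
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
} catch {
    $events = @()
}

function ConvertTo-DetectionRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)

    # EventData is a list of <Data Name="..."> nodes; index them by name so
    # the record does not depend on field ordering.
    [xml]$xml = $Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        if ($node.Name) { $data[$node.Name] = $node.'#text' }
    }

    [pscustomobject]@{
        Timestamp  = $Event.TimeCreated.ToUniversalTime().ToString('o')
        Host       = $env:COMPUTERNAME
        EventId    = $Event.Id
        # Field names below are assumptions; adjust after inspecting ToXml().
        ThreatName = $data['Threat Name']
        Severity   = $data['Severity Name']
        Category   = $data['Category Name']
        Path       = $data['Path']
        User       = $data['Detection User']
        Action     = $data['Action Name']
        Status     = $data['Status Description']
    }
}

$records = @(foreach ($e in $events) { ConvertTo-DetectionRecord -Event $e })

# One JSON object per line is what most SIEM collectors expect.
$records | ForEach-Object { $_ | ConvertTo-Json -Compress } |
    Out-File -FilePath $OutFile -Encoding utf8 -Append

# Short console summary so the script is also usable interactively.
"{0} detection event(s) in the last {1}h written to {2}" -f $records.Count, $Hours, $OutFile
$records | Group-Object ThreatName | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Run it from a scheduled task (or a management agent's script runner) with a forwarder tailing the output file, and the "watch the logs on the machines" option Eric describes gives you the per-host detection record that compliance reporting asks for without requiring SCCM. Because the script reads the event log rather than the product's own database, the same approach carries over to any AV that writes detections to a named Windows event log: change $LogName and $Ids and re-check the field names.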
Current thread:
- Bit9 and getting rid of anti-virus tool Sue Rivera (Apr 27)
- <Possible follow-ups>
- Re: Bit9 and getting rid of anti-virus tool Fulton, Lora (Apr 27)
- Re: Bit9 and getting rid of anti-virus tool Eric Lukens (Apr 28)
- Re: Bit9 and getting rid of anti-virus tool Sue Rivera (Apr 28)
- Re: Bit9 and getting rid of anti-virus tool Eric Lukens (Apr 28)
- Re: Bit9 and getting rid of anti-virus tool Cobb, Raisha (Apr 29)
- Re: Bit9 and getting rid of anti-virus tool Alex Keller (Apr 29)
- Re: Bit9 and getting rid of anti-virus tool Hall, Rand (May 03)
- Re: Bit9 and getting rid of anti-virus tool Alex Keller (Apr 29)