Re: Bit9 and getting rid of anti-virus tool

["Hall, Rand" <hallr () MERRIMACK EDU>]

The technology itself looks like it works (today, but who knows how hard it
will be to mathematically model the next big threat). I think the problem
with Cylance is the pricing model. They have a VERY expensive annual
subscription model. Services are likely to be a big part of the equation,
too, as it's not an easy install (more like deploying whitelisting).


Rand

Rand P. Hall
Director, Network Services                 askIT!
Merrimack College
978-837-3532
rand.hall () merrimack edu

If I had an hour to save the world, I would spend 55 minutes defining the
problem and five minutes finding solutions. – Einstein

On Fri, Apr 29, 2016 at 1:53 PM, Alex Keller <axkeller () stanford edu> wrote:

> Hi Raisha,
>
>
>
> I’ve repeatedly attempt to contact Cylance through various channels to
> discuss conducting a real world test of their product against some of the
> malware targeting our institution. Initially they were responsive and
> directed me to a “demo” which amounted to a webinar/video but when pressed
> further on performing actual tests against real-world malware they have
> gone dark.
>
>
>
> I’d love to hear from anybody using this product or similar next-gen
> endpoint protection…but in the absence of being able to directly observe it
> stopping malware samples that weren’t detected through traditional
> products, I am notably skeptical.
>
>
>
> If you make any headway in this space, please keep us posted.
>
>
>
> Best,
>
> Alex
>
>
>
> Alex Keller
>
> Stanford | Engineering
>
> Information Technology
>
> axkeller () stanford edu
>
> (650)736-6421
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Cobb, Raisha
> *Sent:* Friday, April 29, 2016 6:06 AM
>
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Bit9 and getting rid of anti-virus tool
>
>
>
> I share Eric’s sentiments…
>
>
>
> Looking at a product called Cylance (SaaS solution), which takes a
> different approach to AV by using mathematical models and Artificial
> Intelligence to handle real-time endpoint protection.  They claim you can
> use them with your AV solution (client agent avg. 5MB of memory, 1% of CPU)
> or solely use theirs.  Pretty interesting, and doesn’t require an Internet
> connection or signature updates. Supports MS XP SP3 and up, Server 2003 and
> up, Mac OSX, next month RHEL 6 & 7, and integrates into SIEM.  Has
> AppControl, HIPS
>
>
>
> Plan is to release McAfee and go to free Microsoft with this product
> running in tandem.  If all goes well with our testing and comparing of
> success ratio/false positive results, looking to migrate solely to
> Cylance.  I perceive possibly being able to replace other applications with
> this such as DeepFreeze, and greatly reducing the amount of devices
> requiring wiping/re-imaging and the time wasted by our support staff.
>
>
>
> *If any other University is a Cylance customer, I’d love to hear from you
> on your experiences with the product (deployment, ease of tuning,
> reliability, performance, lessons learned, etc.).*
>
>
>
> Regards,
>
>
>
> Raisha Cobb
>
> Executive Director of Communications Technology  & Information Security
> Manager
>
> Office of Information Technology
>
> *♈**  Winston-Salem State University **♈*
>
> *1209 Elva Jones Computer Science Building*
>
> Winston-Salem, NC 27110
>
> Email: cobbr () wssu edu
> ------------------------------
>
> [image: cid:image002.jpg@01D1A1F5.EFBDD530] <http://www.wssu.edu/>
>
>
>
> This message and any response to this message is being sent from a state
> e-mail system and may be subject to monitoring and disclosure to third
> parties, including law enforcement.  This email and any files transmitted
> with it are confidential and intended solely for the use of the individual
> or entity to whom addressed. If you have received this email in error,
> please notify your email administrator. If you are not the named addressee,
> you should not distribute or copy this e-mail. Please notify the sender
> immediately if you have received this e-mail by mistake and delete the
> message from your system. If you are not the intended recipient, note that
> disclosing, copying, distributing or taking any action in reliance on the
> contents of this information is prohibited.
> ------------------------------
>
>
>
> *From:* Sue Rivera [mailto:srivera () CSUB EDU <srivera () CSUB EDU>]
> *Sent:* Thursday, April 28, 2016 2:38 PM
> *Subject:* Re: Bit9 and getting rid of anti-virus tool
>
>
>
> Thank you everyone for your valuable comments that we will consider!
>
>
>
> Sue Rivera
>
> Information Security Analyst
>
> Office of Information Security
>
> Information Technology Services
>
> California State University Bakersfield
>
> https://www.csub.edu/its/
>
> https://twitter.com/itscsub
>
>
>
> 661-654-2408
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
> Behalf Of *Eric Lukens
> *Sent:* Thursday, April 28, 2016 7:08 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Bit9 and getting rid of anti-virus tool
>
>
>
> A few years ago we determined traditional AV wasn't doing us any good and
> switched to Microsoft's solution since we were already licensed for it.
> Some AV products claim to include "better" firewalls and
> application-whitelisting capabilities, but with the Enterprise editions of
> Windows 7 and above (plus Education on Windows 10) you get AppLocker, which
> isn't as nice as Bit 9 but we've done surprisingly well with it.
> Otherwise, to me it seems most AV product's attempts to stay relevant are
> just replications of what is actually available in the operating system or
> from Microsoft--such as the EMET. Even worse, sometimes the AV software
> doesn't really have these features and is just managing the official
> Windows settings for you.
>
>
>
> If you are able to afford Bit 9, I'd say use it and downgrade to
> Microsoft's AV since you probably are already licensed for it. Our old AV
> product created a lot of issues on the computers, especially if it was time
> to upgrade. While Microsoft's AV solution is not as good at detection as
> other AV software, it is much less burdensome on our computers--using less
> resources and installing updates easily without constant care and feeding.
> Plus WSUS or SCCM or Windows Update can update the Microsoft AV, so there's
> easy ways to keep it up-to-date. The only place the Microsoft AV is
> somewhat annoying is on centralized reporting, which is required by some
> security standards. SCCM is required for centralized reporting, unless you
> use something to watch the logs on the machines for alerts.
>
>
>
> EMET: https://technet.microsoft.com/en-us/security/jj653751
>
>
>
> On Wed, Apr 27, 2016 at 6:49 PM, Fulton, Lora <lfulton () bu edu> wrote:
>
> Usually we need to keep AV around for compliance purposes as the new
> products are not yet recognized as acceptable replacements (or at least
> they weren’t last I heard which was a few months ago now).
>
>
>
> -Lora
>
>
>
> [image: http://www.bu.edu/brand/files/2012/10/master-logo-small.gif]
>
> *Lora Fulton* | Manager, Incident Response and Vulnerability Program,
> Information Services & Technology
> 111 Cummington Mall | Boston University | Boston, Massachusetts 02215
> 617.353.8293 |  lfulton () bu edu     Send me a secure message
> <https://securecontact.me/lfulton () bu edu>
>
> *Listen. Learn. Lead.*
>
>
>
>
>
>
>
> *From: *EDUCAUSE Listserv on behalf of Sue Rivera
> *Reply-To: *EDUCAUSE Listserv
> *Date: *Wednesday, April 27, 2016 at 7:00 PM
> *To: *EDUCAUSE Listserv
> *Subject: *[SECURITY] Bit9 and getting rid of anti-virus tool
>
>
>
> Hello everyone!
>
> Has anyone implemented Bit9/Carbon Black EDR tool and been able to do away
> with anti-virus tool, such as McAfee or Symantec? Or, do we need both and
> why?
>
>
>
> All comments welcome! Thank you in advance!
>
>
>
> Sue Rivera
>
> Information Security Analyst
>
> Office of Information Security
>
> Information Technology Services
>
> California State University Bakersfield
>
> https://www.csub.edu/its/
>
> https://twitter.com/itscsub
>
>
>
> 661-654-2408
>
>
>
>
>
>
>
> --
>
> Eric C. Lukens
> IT Security Compliance & Policy Analyst
> ITS-Information Security
> Curris Business Building 15
> University of Northern Iowa
> Cedar Falls, IA 50614-0121
> (319) 273-7434
> http://www.uni.edu/elukens/
>
> "Security is a process, not a product."  Bruce Schneier