Educause Security Discussion mailing list archives

Re: endpoint security software


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Tue, 8 Mar 2016 10:02:01 -0500


On 08/03/16 08:45, Ashfield, Matt (NBCC) wrote:

Our institution, like a large percentage in higher ed, is running
Microsoft Security Essentials on desktops, which is included in
our licensing agreement with Microsoft. While that works OK for AV
detection, I'm wondering if any institutions out there are
running additional desktop security software (e.g. anti-malware
software like MalwareBytes, or others) and, if so, if you had a
related RFP/RFI for such a procurement. Any info you can provide
is appreciated.

Matt - just a quick tangential comment related to SCEP/Security
Essentials.

From my perspective, I'm about 15:1 (and 20:1 sometimes) in detecting
infected systems using Snort with the "free" Emerging Threats rules
and following up with further Bro mining versus what we find/block
with SCEP. I suspect that would favour me even more if we used the Pro
rules and that it would favour AV/AM a little more if we layered
additional AV/AM.

MBAM is great as part of a tiered approach, even if it's just for your
"high value targets". As with traditional AV, you need to decide how
you're going to act when it sees something. I view an AV/AM alert as
confirmation that the endpoint needs to be wiped and imaged (or
acquired for further forensics, depending on the data on or accessed
by the system), so it's (sometimes) useful from a containment
perspective, but I really treat most AV/AM as HIDS.

kmw
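To illustrate the "Snort alert, then Bro follow-up" workflow described in the reply above, here is an added example that is not code from the thread or from either poster: it parses Snort fast-format alert lines, keeps those that touch an assumed internal range (10.0.0.0/8), then pivots into a small Bro conn.log to list every responder each flagged host talked to and single out the peers no alert named. The SIDs, rule names, addresses and log rows are all constructed placeholders, not real Emerging Threats rules.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed Snort "fast" alert lines; SIDs, rule names and addresses are placeholders, not real ET rules.
SNORT_ALERTS = [
    "03/08-09:55:12.102 [**] [1:9000001:1] PLACEHOLDER TROJAN Beacon [**] [Priority: 1] {TCP} 10.20.30.40:51234 -> 203.0.113.10:443",
    "03/08-09:57:01.450 [**] [1:9000002:1] PLACEHOLDER POLICY Hit [**] [Priority: 3] {TCP} 10.20.30.41:50001 -> 198.51.100.5:80",
    "03/08-10:01:44.780 [**] [1:9000001:1] PLACEHOLDER TROJAN Beacon [**] [Priority: 1] {TCP} 10.20.30.40:51299 -> 203.0.113.10:443",
]
# Constructed Bro conn.log rows (tab-separated): ts, id.orig_h, id.resp_h, id.resp_p, proto, conn_state, orig_bytes
CONN_LOG = [
    "1457448900.0\t10.20.30.40\t203.0.113.10\t443\ttcp\tSF\t512",
    "1457448960.0\t10.20.30.40\t203.0.113.10\t443\ttcp\tSF\t530",
    "1457449020.0\t10.20.30.40\t192.0.2.77\t8080\ttcp\tS0\t0",
    "1457448930.0\t10.20.30.41\t198.51.100.5\t80\ttcp\tSF\t2048",
]
# Snort fast format: "<ts> [**] [gid:sid:rev] <msg> [**] [Priority: n] {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)

def alerted_hosts(lines, internal_net="10.0.0.0/8"):
    """Map each internal host named in an alert to its (sid, msg, remote_host) tuples."""
    net = ipaddress.ip_network(internal_net)  # assumed campus range
    hits = defaultdict(list)
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue  # not a fast-format alert line; skip it
        src, dst = m["src"], m["dst"]
        if ipaddress.ip_address(src) in net:
            hits[src].append((m["sid"], m["msg"], dst))
        elif ipaddress.ip_address(dst) in net:
            hits[dst].append((m["sid"], m["msg"], src))
    return dict(hits)

def pivot_conn_log(hits, conn_rows):
    """For each alerted host, count conn.log peers and flag those no alert mentioned."""
    peers = {h: defaultdict(lambda: [0, 0]) for h in hits}  # (resp_h, resp_p) -> [conns, orig_bytes]
    for row in conn_rows:
        _ts, orig, resp, port, _proto, _state, obytes = row.split("\t")
        if orig in peers:
            peers[orig][(resp, int(port))][0] += 1
            peers[orig][(resp, int(port))][1] += int(obytes)
    report = {}
    for host, alerts in hits.items():
        known = {remote for _sid, _msg, remote in alerts}  # destinations Snort already named
        report[host] = {"alerts": alerts, "peers": dict(peers[host]),
                        "unalerted_peers": {k: v for k, v in peers[host].items() if k[0] not in known}}
    return report
```

The `unalerted_peers` entries are the leads the NIDS alone would not have surfaced, which is where the extra detections over the endpoint AV come from in this kind of workflow.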
