Educause Security Discussion mailing list archives

Re: Endpoint Protection - App Whitelisting?


From: James McClure <jmcclure () WSWHEBOCES ORG>
Date: Mon, 13 Nov 2017 15:01:02 -0500

I can echo Brian’s sentiments. We are a larger install base (~1200) but performing a similar exercise.

We have expanded our audit beyond our base image to mitigate false positives when we go live. We have 7 locations and 
after seeing AppLocker function in other schools (we are quasi K-12) I am not forecasting any need for staffing 
increases. 

If the implementation goes south I’ll be sure to let everyone know!

From:  The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of BRIAN R GRILLI 
<brg3 () PSU EDU>
Reply-To:  The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date:  Monday, November 13, 2017 at 1:57 PM
To:  <SECURITY () LISTSERV EDUCAUSE EDU>
Subject:  Re: [SECURITY] Endpoint Protection - App Whitelisting?

I have been in the auditing phase the last few weeks with deploying AppLocker to my staff machines.  Since I was able 
to generate my whitelist off our standard staff computer image (and our staff do not have admin rights to install any 
software), setting up the rules and exceptions was pretty easy.  During the audit I haven't run into too many issues of 
legitimate things getting blocked, but I'm sure we will see more as time goes on.  If it becomes too much to manage, we 
may end up abandoning it.  This is a deployment on <100 machines, so I'd imagine going campus wide you would definitely 
need quite a few support staff trained to manage this.

Prior to this, we survived mainly on user education, and of course good backups :)
From: "Chad Tracy" <chad.tracy () COLBY EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Monday, November 13, 2017 1:18:34 PM
Subject: [SECURITY] Endpoint Protection - App Whitelisting?

Good afternoon,

We currently use Carbon Black's CB Protection (application whitelisting) on some of our end user computers (we have 
licensing for 300 endpoints... however we only ever got it working on around 70 Windows machines...) It has not been 
working out well and we are looking to move in a different direction. 

I recently learned, from a call with Gartner, that "typically" application whitelisting is utilized on servers and 
systems that are fairly locked down (think of machines used by the insurance and medical industry, kiosks...) 

Knowing this, we are looking to see what you all are doing to lock down your systems to assist in ransomware and 
zero-day incidents:

Have any of you had luck in deploying application whitelisting on your end users' machines... or is this a lost cause 
that takes too much money and FTEs to support?

Do you have Endpoint protection deployed on your campus? 

If so, who with?

Kind Regards,

Chad Tracy
Director of Information Security
Colby College 
Waterville, ME 04901
207 . 859 . 4199
chad.tracy () colby edu
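The workflow Brian describes above (generate a whitelist from the standard staff image, run AppLocker in audit mode, review what would have been blocked, then add exceptions before enforcing) can be scripted with the built-in AppLocker cmdlets. The following is an added example, not code from anyone in this thread; the directories scanned, the policy file path and the sample file tested are assumptions for illustration, and the script must run elevated on a machine built from the reference image.

```powershell
# Added example: AppLocker audit-mode baseline built from a reference image.
# Assumed values: $scanDirs, $policyPath and $sampleFile are illustrative.

# 1. Inventory executables, DLLs, scripts and MSI packages on the reference build.
$scanDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")
$fileInfo = foreach ($dir in $scanDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe,Dll,Script,WindowsInstaller
}

# 2. Build rules from the inventory: publisher rules where a file is signed,
#    hash rules otherwise. -Optimize collapses files from one publisher into one rule.
$policyPath = 'C:\AppLockerAudit\staff-baseline.xml'   # assumed location
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher,Hash `
    -User Everyone -Optimize -Xml | Out-File -FilePath $policyPath -Encoding UTF8

# 3. Switch every rule collection to AuditOnly so nothing is blocked yet;
#    change this to 'Enabled' only after the audit period is clean.
[xml]$doc = Get-Content -Path $policyPath
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$doc.Save($policyPath)

# 4. AppLocker needs the Application Identity service running to log or enforce.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. Apply the policy to the local machine (use -Ldap with a GPO path for domain-wide rollout).
Set-AppLockerPolicy -XmlPolicy $policyPath

# 6. Dry-run a specific file against the policy before enforcement; PolicyDecision is
#    Allowed, Denied or DeniedByDefault.
$sampleFile = 'C:\Users\Public\Downloads\vendor-tool.exe'   # assumed path
if (Test-Path $sampleFile) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sampleFile -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 7. During the audit period, summarise what would have been blocked. Event ID 8003
#    means "allowed to run, but would have been prevented if enforced".
$auditHits = Get-AppLockerFileInformation -EventLog `
    -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited
$auditHits | Group-Object -Property Path | Sort-Object Count -Descending |
    Select-Object Count, Name -First 25 | Format-Table -AutoSize

# 8. Turn an audited legitimate application into an exception and merge it into the
#    running policy without rewriting the rest of the baseline.
$auditHits | Where-Object { $_.Path -like '*\LegitApp\*' } |
    New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize |
    Set-AppLockerPolicy -Merge
```

Keeping the generated XML under version control makes the audit phase reviewable: each merged exception shows up as a diff, and the same file is what gets promoted to `Enabled` when enforcement starts.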


