Educause Security Discussion mailing list archives

Re: [BULK] Re: [SECURITY] [BULK] Re: [SECURITY] [EXTERNAL] Re: [SECURITY] [BULK] Re: [SECURITY] Microsoft Defender ATP


From: Curt Kappenman <ckappenman () ANDERSONUNIVERSITY EDU>
Date: Tue, 24 Mar 2020 20:04:37 +0000

Robert,
  Contact me off group @ ckappenman () andersonuniversity edu<mailto:ckappenman () andersonuniversity edu>.  I will 
provide you contact info for the data.

Curt

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Bridges, Robert 
A." <0000008d8011d045-dmarc-request () LISTSERV EDUCAUSE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, March 24, 2020 at 3:17 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [BULK] Re: [SECURITY] [BULK] Re: [SECURITY] [EXTERNAL] Re: [SECURITY] [BULK] Re: [SECURITY] Microsoft Defender 
ATP

Thanks!


Robert A. Bridges, PhD, Cybersecurity Research Mathematician, Oak Ridge National Laboratory


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Curt Kappenman 
<ckappenman () ANDERSONUNIVERSITY EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, March 24, 2020 at 3:11 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [BULK] Re: [SECURITY] [EXTERNAL] Re: [SECURITY] [BULK] Re: [SECURITY] Microsoft Defender ATP

Because the test was not commissioned for us, we have not been able to see the results.  We were only told the findings 
because we were asking them about whether there was a better option for us to consider when our contract with Cylance 
was under review.  I will reach out to see if the vendor is willing to share any results or data at this time.

Curt Kappenman

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Bridges, Robert 
A." <0000008d8011d045-dmarc-request () LISTSERV EDUCAUSE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, March 24, 2020 at 3:02 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [BULK] Re: [SECURITY] [EXTERNAL] Re: [SECURITY] [BULK] Re: [SECURITY] Microsoft Defender ATP

Curt,  can you send details of the test—e.g., what tools, how many malware/benignware, what filetypes were tested, and 
results—detection rate, false alert rate, time to detection, … etc.?

Thanks
Bobby


Robert A. Bridges, PhD, Cybersecurity Research Mathematician, Oak Ridge National Laboratory


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Curt Kappenman 
<ckappenman () ANDERSONUNIVERSITY EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, March 24, 2020 at 2:42 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXTERNAL] Re: [SECURITY] [BULK] Re: [SECURITY] Microsoft Defender ATP

I know that I am late to this discussion.  We use Cylance Protect and Cylance Optics.  I know for many the issue is 
price, but I think it is well worth it.  Our main security vendor did a penetration test against the top 10 AV products. 
 They said the best one of the group was Microsoft ATP (the one that is part of the A5 license), followed very closely 
by Cylance Protect with Optics.  If you are open to looking at other products, I would suggest taking a look at the 
Cylance product line as well.


Curt Kappenman
Security Compliance Officer
Anderson University
Anderson, SC

On 3/12/20, 2:55 PM, "The EDUCAUSE Security Community Group Listserv on behalf of Kimmitt, Jonathan" <SECURITY () 
LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> on behalf of jonathan-kimmitt () UTULSA 
EDU<mailto:jonathan-kimmitt () UTULSA EDU>> wrote:

    For what it's worth... I've been on several conference panels in the last year with different pentesters (red team 
vs blue team type thing), and they have a general consensus that they hate trying to pentest organizations with 
Microsoft ATP....  That it's pretty hard to get past....

    Instead they focus on phishing and social engineering, instead of trying to get in at the network/system level.....

    -Jonathan



    -----Original Message-----
    From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Dexter Caldwell
    Sent: Thursday, March 12, 2020 1:40 PM
    To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
    Subject: Re: [SECURITY] Microsoft Defender ATP

    Considering the same; however, Defender was quite underwhelming by itself.  With ATP, Gartner has shown a huge 
turnaround in Microsoft's position in the quadrant in the last year or two.  We're still digging into why that is.  Is 
their AI really that much better in terms of detection and response? Is it just the way Gartner's formulas work for 
ranking?   We have a multilayered approach we're evaluating currently, but I'm as interested in the answer to these 
questions as anyone.

    -----Original Message-----
    From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of King, Ronald A.
    Sent: Thursday, March 12, 2020 2:28 PM
    To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
    Subject: Re: [SECURITY] Microsoft Defender ATP

    We are migrating f/staff to O365 later this year. We will also be setting up InTune. After, we will start to look 
at the potential for ATP to replace our AV.

    Ronald King
    Director of Technical Services and OIT Security

    Office of Information Technology
    (757) 823-2916 (Office)
    raking () nsu edu<mailto:raking () nsu edu>
    www.nsu.edu
    @NSUCISO (Twitter)



    -----Original Message-----
    From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Brian Epstein
    Sent: Thursday, March 12, 2020 1:26 PM
    To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
    Subject: Re: [SECURITY] Microsoft Defender ATP

    We are also moving in this direction.  It seems like Defender has caught up and will reduce our spend.

    Thanks,
    ep

    --
    Brian Epstein <bepstein () ias edu<mailto:bepstein () ias edu>>                     +1 609-734-8179
    Manager, Network and Security           Institute for Advanced Study
    Key fingerprint = A6F3 9F5A 26C5 5847 79ED  C34C C0E5 244A 55CA 2B78

    ----- Original Message -----
    From: "Watkins, Jameson" <jmwatkins () PNWU EDU<mailto:jmwatkins () PNWU EDU>>
    To: "The EDUCAUSE Security Community Group Listserv" <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>>
    Sent: Thursday, March 12, 2020 11:26:24 AM
    Subject: [SECURITY] Microsoft Defender ATP

    Hi all,

    Our Sophos anti-virus licenses are up for renewal this summer and we're reviewing the landscape. We've landed on 
looking at MS Defender ATP. It's ranked highly in the Gartner magic quadrant and reviews we've seen are favorable. The 
cost for us to move to the security option of the A5 license tier, when combined with everything else offered, makes it 
a hard deal to pass up.

    But I've not seen a peep out of customers using it, especially in higher ed. Is anyone using it? What are we 
missing?

    We also haven't seen details on how it handles ransomware. Sophos has a crypto guard that stops files from 
encrypting which has saved us at least once. Anyone have more info on how Defender handles it?

    Finally and more broadly, does anyone have advice on how you actually test endpoint detection without using live 
viruses?

    Thanks.


    Jameson Watkins
    Chief Information Officer
    Pacific Northwest University of Health Sciences
    509.249.7719
    www.pnwu.edu



    **********
    Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community




