Educause Security Discussion mailing list archives

Re: Cylance


From: Bernardo Manuel Vasquez <bernardo.vasquez () NYU EDU>
Date: Thu, 8 Jun 2017 11:59:45 +0000

Since you also asked about approach - I will share ours. Hope it helps.

This is based on an endpoint strategy we are formulating leveraging
deployed technologies while we roll out our Enterprise SIEM and Global NGFW.

First:
Sophos and Carbonblack were discussed here by Tim at Arkansas State.

https://edtechmagazine.com/higher/article/2017/05/4-ways-best-it-security-can-be-team-sport

Secondly:
Carbonblack, Cylance, AMP and TRAPs EDRs (Endpoint Detection & Response)
are on the table for consideration. I don't believe one size fits all.

For managed assets, Carbonblack's whitelisting strengths and granular
visibility are attractive. Also, if you have an MSSP like SecureWorks they
can infuse their intelligence, offer monitoring and tuning of the
deployment as an additional service.

The last two are worth considering because of the cloud intelligence and
executable/malware detonation capabilities in concert with your NGFW. I
don't think choosing more than 2 EDR vendors is prudent.

Above all:
No matter what you/we choose, where possible, it should be done in concert
with an endpoint management and asset backup strategy for managed and
unmanaged assets. Read: work closely with your IT helpdesk team(s).

KACE is gaining steam here while our Abu Dhabi and Shanghai campuses are
solidly on Ivanti [formerly LANDesk - an interesting security acquisition/
merger].

For backups, we're also looking at technologies like Crashplan and Code42.
I suspect the Internet2/Net+ discounting will play a role in what we choose.

Lastly:
All managed and hopefully many unmanaged endpoints should alert to a
central EDR server and then tie that back to our central SIEM.

This comprehensive layered approach is what we feel will help PROTECT and
if bypassed RECOVER from ransomware and other use cases.

Assumptions:
Let us remember that the Verizon DBIR has been saying the same thing
forever - minimize administrative access. Most people really don't need it,
and where they think they do, an alternative privileged account may do. We
will be making that a point of focus this next academic year.

Best,
BMV


On Wed, Jun 7, 2017 at 14:47 Shaun Gray <SGray () medford k12 nj us> wrote:

Anyone have any experience with Cylance? I’m strongly considering moving
on from Symantec. The sales pitch sounds great with the intelligence, but a
part of me wants to hold on to my old definition based AV. Anyone have
thoughts on this product or approach?

Dr. Shaun L. Gray, GSEC

*Network Engineer*

Medford Township Board of Education

*P* / 609-975-6159


-- 
Best, -BMV -- Bernardo M. Vasquez Chief Information Security Officer (CISO)
& Director Office of Information Security | NYU IT New York University |
+1-212-992-9235 Sent via mobile device
