Educause Security Discussion mailing list archives

Re: [EXTERNAL] Re: [SECURITY] AV (AI or otherwise) for older servers?


From: William Greg Price <wgprice () TROY EDU>
Date: Thu, 7 Nov 2019 19:51:42 +0000

+ 1 for Cylance

-Greg

W. Greg Price, Sr., Ph.D.
CSO
Troy University

On Nov 7, 2019, at 1:09 PM, Pete, Andrew <000000d06e28c017-dmarc-request () listserv educause edu> wrote:



I went through vendor comparisons and evaluations earlier this year.  I looked at SentinelOne, Cylance and AMP for 
Endpoint.

SentinelOne had a cumbersome management interface/usability and was lacking in maturity.  There were a lot of things we 
asked about that were either coming out soon or on the road map.  While there were some features that the other 
products didn't have, a lot of those features weren't as important to us.  Overall, the product didn't align well with 
our needs.  The price point was also much higher than Cylance/AMP.

AMP for endpoint also was a bit cumbersome when it came to the management interface and usability.  They did have the 
best threat hunting ability but the product is essentially just AV with no other big features.

Cylance has a very intuitive interface and a number of great features.  While their EDR information (Optics) is a bit 
limited in event information compared to AMP, the "playbooks" you can configure are very powerful and can take a 
variety of actions on the event.  Near the end of the eval we actually had Cylance catch a zero day ransomware 2 hours 
before it even showed up on VirusTotal.

One other big difference between Cylance and SentinelOne/AMP is that all analytics are performed on the endpoint.  With 
SentinelOne, some of the analytics can run without an Internet connection but there are others that need Internet.  AMP 
for endpoint relies entirely on a traditional signature based AV engine when offline.

In the end we found Cylance fit our needs the best.  We purchased Protect (AV) and Optics (EDR) at the end of April.  
We actually wrapped the professional services deployment project this week which I was very impressed by.  They made 
the installation configuration easy and provided great training on the product.

Andrew Pete
Information Security Architect

New England Institute of Technology
One New England Tech Boulevard
East Greenwich, RI 02818-1205
401-780-4460 (Direct)
apete () neit edu<mailto:apete () neit edu>




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Thursday, November 7, 2019 1:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] AV (AI or otherwise) for older servers?


Hi all,

  Does anybody have any recommendations or success stories for any particular AV-ish type product to run on older 
Microsoft Servers (2012, 2008)?  (something like a Cylance, Sentinel One, etc)

Thanks!

-Jonathan


~
Jonathan Kimmitt
CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
