The evaluation and implementation of “NextGen” security tools is a current hot topic among NOREX members, and several favorites seem to be emerging, according to discussion during a recent Endpoint Security WebForum.
Topic: Traditional A/V vs. NextGen approach
Moderator: Our first topic is from Kurt who is asking if endpoint security is dead. What do you mean by that?
Kurt W.: I have been reading a lot about some of the newer practices for security in general. I guess my question is: are people still using antivirus and then layering their endpoint security on top of that? Anything else that they use?
Moderator: OK, so it is a question about the strategic approach?
Kurt W.: Yes, exactly.
Daniel H.: I am the information officer for our bank. That is a great question. It is certainly one that we are asking all of the time. We are a highly regulated environment, so of course security is always important and will continue to be a primary focus. When it comes to some of the next generation technologies that we are targeting, things like application whitelisting and heuristic, behavioral analytics and user monitoring and some of the other more next generation type protection models, we are absolutely looking at those as a layer on top of the traditional signature based protections like anti-virus.
I read all of the sound bites and stuff, which I am sure that you have too, about antivirus being dead. There is a lot of marketing out there that says, hey, buy our product and dump the old dinosaurs. Based on our risk assessment we are not willing to do that. We still feel like signature based has a place; just because we are building a taller or a tighter fence doesn’t mean we are going to take down the old fence, I guess, in our mind.
So we don’t see them tripping on each other. We have actually POCed a couple of these next gen products and they can operate next to each other. Currently we might ask the same question, but the answer is basically, why wouldn’t we? In our case the cost of keeping our traditional antivirus alive is very negligible, so there really isn’t a reason not to. So that is just our take on it.
Rob W.: Every time we have had a virus it is because there wasn’t antivirus on the machine. AV is required from our perspective, at least as a layer to help catch problems.
Moderator: If you are using one of these behavior based products, I think they also call them heuristic tools, if you are using something like that please speak up.
Jeff B.: Endpoint security seems a must still, especially with the rise in ransomware.
Mickey S.: The layered approach of maintaining an A/V on the laptop is very important, I believe. In the office we have nextgen such as WildFire and a couple of different layers. The concern for me is when the employee takes their laptop home. Out on the internet, we require the AV signatures before they are able to VPN back into the office.
Moderator: What was the product you used?
Mickey S.: Palo Alto on the perimeter, we use WildFire there. We are looking at Traps at the endpoint.
Todd L.: We use Cisco Advanced Malware Protection (AMP).
Mark A.: McAfee Endpoint Security and Application Control for app whitelisting.
Moderator: Any other next gen products that you would like to
Ron D.: I am involved with a lot of different security groups with seminars and so forth. Every security person I talk to says AV is still a necessity; do not get rid of it. Put it on your desktops and you can rest a little easier and then you can focus on these next gen types of tools.
I am in the process of reviewing quite a few actually. We are going to be looking at several. DarkTrace is one that we are going to look at; Cylance, which my MSSP recommended to me; Carbon Black plus Bit9; we have Bitdefender, and we are probably going to dump it and go with something different. Webroot is another one we are going to look at. Kaspersky, Mimecast, Symantec Data Center.
There are a lot of them out there and it depends on which white paper you look at as to which one is rated higher than the other. Those are just some that we are looking at, if you haven’t heard of them. DarkTrace is relatively new. I have seen a couple of demos of it. It is pretty impressive. They are going to give it to us for 30-60 days on prem just to test and play with. If we like it we can keep it and if not send it back.
Amy B.: We are just now rolling out Cylance for endpoint protection to replace Symantec. It uses machine/behavior learning.
Seth R.: Checkpoint SandBlast.
Jared H.: Carbon Black Response.
Marc A.: We also use Palo Alto firewall with AV/Malware and WildFire protection.
Jack S.: I would suggest Cylance.
Moderator: Can anyone share actual experience with Cylance?
Michael A.: We use Cylance on a couple of test machines and it seems to work OK. To be honest with you we don’t know whether it is effective or not. We haven’t had a malware attack, which is good, but I don’t know if that is because of Cylance or just prudent browsing, as it were.
Wayne D.: Dell/Cylance ATP. Less than 1% CPU utilization.
Daniel H.: Carbon Black (previously Bit9) and Cylance.
Steven S.: We use Symantec EndPoint Protection. The heuristic layer coexists with the signature based layer. We use both. No particular performance problems.
Michael A.: We use CyberArk for application whitelisting in addition to traditional AV, and we are testing Cylance.
Jeff N.: We use Trend Micro OfficeScan and Carbon Black with Bit9 Protection.
Joe H.: We’re using Sophos Endpoint and looking at Intercept X.
Adam G.: Defense in depth is alive and thriving. We have traditional signature based AV running on the endpoints and added on Cylance (non-signature based) and have been very happy. We also have WildFire at the perimeter.
Jared H.: Highly recommend Mimecast for email security.
Moderator: All right, here is a follow up for Amy. What was the main drive for switching from Symantec to Cylance?
Amy B.: We were noticing that we had a couple of instances of viruses coming through with Symantec, so we did a pilot with Cylance with a few people within the office and noticed that Cylance was capturing or noticing, it was quarantining some things that went past Symantec, so we had both running at the
As someone else mentioned, it does run with very little resources on the computer, so users don’t even recognize it is there. The one thing that is great about Cylance is that you do not have to be connected to your company’s network in order to be protected by Cylance. Ninety-five percent of our workforce is on laptops and is remote. So that aspect was really important to us.
If you would like to participate in our upcoming Next Generation Security Tools WebForum on April 11th, simply click here.
Members may download the Endpoint Security/Protection transcript at any time. For more information, please contact NOREX.