
eTrust v McAfee on the desktop

Discussion in 'Business & Enterprise Computing' started by stalin, Mar 19, 2008.


Which do you find is better?

  1. eTrust (VET)

    4.0%
  2. eTrust (Innoculate)

    8.0%
  3. McAfee

    88.0%
  1. stalin (OP)

    stalin (Taking a Break)

    Joined:
    Jun 26, 2001
    Messages:
    4,581
    Location:
    On the move
    While it is interesting to see people's thoughts on other products, I was really only looking for comparisons between those 2 specific products.

    I'm curious now that a couple of people have mentioned eTrust's lack of detection ability.
     
  2. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    Sorry, thought rather than just saying "It's rubbish" we'd say "here's something much better" :)

    http://www.av-comparatives.org/seiten/ergebnisse/CA07.pdf

    65% detection rate... says it all..
     
  3. biglolz

    biglolz Member

    Joined:
    Feb 14, 2007
    Messages:
    95
    McAfee lacks in the detection space, though IMO ePO comes in at first place. It's simple to get things done quickly, once you know how. ePO 4 is a massive step in the right direction. Sure there's a lot of functionality missing, though you can use your buying power to correct that ;)

    VSE 8.5 is also worthwhile; forget the focus on DATs, look at the access protection rules. You can get a lot of good data from those results to then action. Depends how you monitor the security of the network really.

    We have a couple of EPO servers managing 150k machines.
     
  4. stalin (OP)

    stalin (Taking a Break)

    Joined:
    Jun 26, 2001
    Messages:
    4,581
    Location:
    On the move
    I do appreciate the comments, but unfortunately in this scenario everything that is not those 2 is 'unimportant' to me. :-(

    That's an excellent site though Iceman, very very good!

    McCrappy has around 95%, which is pretty decent.

    biglolz - I really like ePO as well
     
  5. biglolz

    biglolz Member

    Joined:
    Feb 14, 2007
    Messages:
    95
    How many machines do you manage? Are you running anything past VSE?
     
  6. stalin (OP)

    stalin (Taking a Break)

    Joined:
    Jun 26, 2001
    Messages:
    4,581
    Location:
    On the move
    Running some thousands of machines, but not 100K+ of them like yourself.

    Currently we are having a rather large bitchfest/indepth discussion on which of the 2 products to head towards.

    I would like to shoot them for even considering eTrust.. I also think I mentioned something about them not taking security seriously and that if they choose it I will quit... or something alluding to that fact.

    Access protection rules are great, so many different ways to secure/screw your machine :) Everyone running VSE should really try them out.
     
  7. Grunner

    Grunner Member

    Joined:
    Mar 7, 2005
    Messages:
    122
    Location:
    Ringwood, VIC
    eTrust is currently our biggest pain! We have trojans which are not being detected by it. We submitted samples and we were assured that a definition would be provided very quickly to resolve this. It has now been 6 months and we still have trojans on our network. They are similar to the USB-jumping ones at the Uni mentioned above.
</gml_replace>
<gr_replace lines="155-161" cat="clarify" orig="That serious eh?">
    That serious eh? Happy to act as a ref for McAfee if you think it will make a difference. Coming from a large bank may help tilt the scales.

    Access rules are where it's at. The rules they have in place now are riddled with holes but it's a step in the right direction. I've been pushing them to add enhancements but doing so starts to eat their HIDS space, so it's interesting to see what they put into VSE 8.7, which will go into beta in the next few weeks AFAIK. The real pull comes from the rules when you have an actual outbreak. Being able to block segments of the reg or files being created, eg C:\windows\*.exe, is going to be much faster than submitting a sample and waiting for an extra.dat/new release. Of course, as you said, you need to understand what you're doing, else you're probably going to do more damage than the outbreak :)

    Given your network is much smaller I'm sure you can run with much heavier AP rules in place. Having 100k+ machines with so many custom apps triggers a huge amount of FPs :(

    Rules also suck in that you cannot configure any triggers, ie only alert me once per week/blah. We seem to get a lot of applications that only impact one machine, though will send through 100k events in no time at all.

    We have funding to replace eTrust at the end of its license period which is at the end of this year. As an interim measure we have placed Kaspersky on all of our servers plus a small pod of computers which are set up specifically for cleaning our users USB keys before they go home with them. Unfortunately our 250 clients will have to stick with eTrust until the changeover as we don't have the funding to change it now.

    I will admit for many years I had been an eTrust 'Supporter' for corporate environments but over the last 5 years I have been turned away by a lot of CA's products due to poor quality software which does not do what it is supposed to do reliably.

    eTrust is the last CA product on our network and I can't wait for the day when I remove it.
     
  8. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    70,221
    Location:
    brisbane
    oh i clicked candy! using trend
     
  9. biglolz

    biglolz Member

    Joined:
    Feb 14, 2007
    Messages:
    95
    That serious eh? Happy to act as a ref for Mcafee if you think it will make a difference. Coming from a large bank may help tilt the scales.

    Access rules is where it's at. The rules they have in place now are riddled with holes but it's a step in the right direction. I've been pushing them to add enhancements but doing so starts to eat their HIDS space so interesting to see what they put into VSE 8.7 which will go into beta in the next few weeks AFAIK. The real pull comes from the rules when you have an actual outbreak. Being able to block segments of the reg or files being created eg C:\windows\*.exe is going to be much faster than submitting a sample and waiting for an extra.dat/new release. Of course as you said, you need to understand what you're doing else you're probably going to do more damage than the outbreak :)

    Given your network is much smaller I'm sure you can run with much heavier AP rules in place. having 100k+ machines with so many custom apps triggers a huge amount of FPs :(

    Rules also suck that you cannot configure any triggers, ie only alert me once per week/blah. We seem to get a lot of applications that only impact one machine, though will send through 100k events in no time at all.
     
  10. stalin (OP)

    stalin (Taking a Break)

    Joined:
    Jun 26, 2001
    Messages:
    4,581
    Location:
    On the move

    It's probably something transported by RAVMON and dropped. Get the trojan (SVCHOSTS.exe??) and send it to this site; it will tell you what it is, and highlight how poor it (eTrust) is.

    http://virscan.org/

    :) that and other things... they need me more than I need them :)

    Sounds like you have a rather nice setup. If you're annoyed about FPs, direct your alerts into a SIEM, then you can correlate the events with other activities (network traffic, IDS events, user login, etc). We are building our SIEM atm; what we have looked at so far is amazing.

    Intent is to implement it thusly:
    ie.. you go to this website, it's blocked, you try again. It prompts you with a page saying 'please request this "enter reason here"'. Request goes to the relevant person. Person denies the request, user is informed via email.

    Other users in the same department attempt to access the site. User keeps trying. SIEM gets 'pissed', disables initial (or all department) user, logs user off, emails manager. Manager smacks user for being an idiot, tells system user has been smacked, system lets user back on. Each and every event is then happily logged into the SIEM for later. Lovely.

    Can also do that with your AV events, correlate events from a given user over time, after they infect 2-3 machines over a week, you disable them, or email them, or set a policy to disable USB on the machines they login to. Alternatively you can do the same to the machine - if it has > x events over y time, or n types of events, shutdown the machine, or enable the host firewall to block everything, display a warning to the user and email desktop support.

    brilliant :)
     
    Last edited by a moderator: Apr 1, 2008
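The correlation logic stalin describes above (disable a user who infects 2-3 machines over a week; isolate a machine that generates more than x events over y time, or n types of event) sketched in Python as an added illustration. This is not code from the thread or from any SIEM product named in it; the event rows are constructed sample data, the 7-day/3-host threshold follows the post, and the 1-hour/5-event and 3-type thresholds for the host rule are assumed values, since the post leaves x, y and n open.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample AV/host events, not real telemetry:
# (timestamp, user, host, event_type)
SAMPLE_EVENTS = [
    ("2008-03-20 09:12:00", "jsmith", "WS-101", "malware_detected"),
    ("2008-03-21 14:05:00", "jsmith", "WS-107", "malware_detected"),
    ("2008-03-24 08:30:00", "jsmith", "WS-112", "malware_detected"),
    ("2008-03-24 08:31:00", "jsmith", "WS-112", "access_protection_block"),
    ("2008-03-22 11:00:00", "akhan", "WS-220", "malware_detected"),
    ("2008-03-22 11:02:00", "akhan", "WS-220", "malware_detected"),
    ("2008-03-22 11:04:00", "akhan", "WS-220", "malware_detected"),
    ("2008-03-22 11:05:00", "akhan", "WS-220", "access_protection_block"),
    ("2008-03-22 11:06:00", "akhan", "WS-220", "access_protection_block"),
    ("2008-03-01 10:00:00", "bdoe", "WS-300", "malware_detected"),   # too old to pair
    ("2008-03-25 10:00:00", "bdoe", "WS-301", "malware_detected"),   # with this one
]


def parse_events(rows):
    """Turn raw tuples into dicts with a real datetime, sorted oldest first."""
    events = [
        {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
         "user": user, "host": host, "type": etype}
        for ts, user, host, etype in rows
    ]
    return sorted(events, key=lambda e: e["time"])


def users_spreading_infections(events, window=timedelta(days=7), min_hosts=3):
    """Users whose malware detections touch >= min_hosts distinct machines
    inside any sliding window. Returns {user: sorted list of hosts}."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "malware_detected":
            by_user[e["user"]].append(e)          # stays time-ordered
    flagged = {}
    for user, evs in by_user.items():
        for i, current in enumerate(evs):
            start = current["time"] - window
            hosts = {x["host"] for x in evs[: i + 1] if x["time"] >= start}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def hosts_in_burst(events, window=timedelta(hours=1), max_events=5, min_types=3):
    """Hosts with >= max_events events, or >= min_types distinct event types,
    inside any sliding window (the post's '> x events over y time, or n types')."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    flagged = {}
    for host, evs in by_host.items():
        for i, current in enumerate(evs):
            start = current["time"] - window
            recent = [x for x in evs[: i + 1] if x["time"] >= start]
            types = {x["type"] for x in recent}
            if len(recent) >= max_events or len(types) >= min_types:
                flagged[host] = {"events": len(recent), "types": sorted(types)}
                break
    return flagged


def correlate(rows):
    """Run both rules and return the response actions a SIEM would raise,
    as (action, subject, reason) tuples; the action names are assumed."""
    events = parse_events(rows)
    actions = []
    for user, hosts in users_spreading_infections(events).items():
        actions.append(("disable_user", user,
                        "infections on %d hosts within 7 days: %s"
                        % (len(hosts), ", ".join(hosts))))
    for host, info in hosts_in_burst(events).items():
        actions.append(("isolate_host", host,
                        "%d events within 1 hour (%s)"
                        % (info["events"], ", ".join(info["types"]))))
    return sorted(actions)


if __name__ == "__main__":
    for action, subject, reason in correlate(SAMPLE_EVENTS):
        print("%-13s %-8s %s" % (action, subject, reason))
```

With the sample data, jsmith is flagged (three distinct hosts in four days) while bdoe is not (two hosts, 24 days apart), and WS-220 is isolated for five events in six minutes. The sliding window is evaluated at each event rather than on fixed calendar weeks, which is what stops a user who infects two machines on a Sunday and one on a Monday from slipping between two reporting periods.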
  11. biglolz

    biglolz Member

    Joined:
    Feb 14, 2007
    Messages:
    95
    Yeah, exactly what we're doing. When you say 'building' are you taking the custom in-house path or rather looking at what the vendors are offering? We're probably looking at moving towards a vendor solution in the near future. Still kicking off this process but ArcSight looks 'nice' :)

    Perfect world :) I guess on a smaller network you may be able to get away with that, though when you're hitting 100k+ employees you need to factor in a lot of idiots ;)

    We're almost there with something very similar, though it's a shame ePO itself has utterly no brains... it's good for simply passing events in this instance and that's it. I guess by ePO 7 etc this logic may be present, though really, unless you have a flexible SIM in place you're limited.
     
  12. stalin (OP)

    stalin (Taking a Break)

    Joined:
    Jun 26, 2001
    Messages:
    4,581
    Location:
    On the move
    By building, I mean deploying, and building our rule set and configuring it all for us. We have a product (not necessarily any mentioned in this post), and have our first test environment done, just adding UAT, QA, and PROD.


    We just farm out the idiots to their managers and don't deal with it at all.. spread the load. Once the idiots cause enough trouble for the managers, they just get demoted, or given the kick.

    Make sure you add Sentinel to your eval list. ArcSight is 'nice', I agree, and I know an S-level org that runs it, but go look at Sentinel; IMHO it's better than 'nice'. Just make sure it suits your requirements. Runs on Windows, Linux, Solaris, Oracle, MSSQL, built-in data archiving and partitioning. If you don't have something to interpret your logs... write one in JavaScript, reuse your existing programmers' skills.

    If you just want a log archiving solution, Sentinel isn't the right tool, although it will do it. RSA and Symantec have better or cheaper products to do just that.

    Have it integrate with your vuln scanners as well, happy happy!

    Tier3 also has a local product; RSA, Symantec, Oracle another. Sentinel to me wins, it would do your network with no problems. They are running systems with 100,000-300,000 events per second.... 18 million a minute, and this was on 6 dual Xeons, so it's pretty efficient too.

    Many of the big military orgs and secret places in the US run it. One place I spoke with does 6-7TB of logs a month through the system.
    One place, this was the first product to be allowed to traverse certain security enclaves.

    What I'm getting at is user size isn't a problem - it will cope, and from a licensing perspective it's actually device-licence based anyway. :) save $$ ;)

    I know one ~100K user place in Aust that is looking to do the same.....

    This product gets me 'excited'; in fact there are only 3 products that get my nerd security juices flowing at the moment, this is one..
     
    Last edited: Apr 1, 2008
  13. fredhoon

    fredhoon Member

    Joined:
    Jun 27, 2003
    Messages:
    3,285
    Location:
    Brisbane
    Out of interest, what are the other two?

    This is probably a pointless question as I will never be exposed to them, or you may not be in a position to divulge, however I'm interested all the same.
     
  14. stalin (OP)

    stalin (Taking a Break)

    Joined:
    Jun 26, 2001
    Messages:
    4,581
    Location:
    On the move
    These are my fav little apps of the moment... so we don't necessarily use them, or intend to use them, but they are what I like for the moment.

    IBM Appscan (was Watchfire Appscan)
    http://www.ibm.com/software/awdtools/appscan/

    Because so many web vulnerability tools are crap: they spit out huge amounts of logs and errors and problems. Done.
    AppScan spits it all out as well. BUT, it then tells you what causes it, and how to fix it; it can then spit all that out into some really excellent pre-canned reports, or your own custom reports.

    The reason I like it so much atm is that it tells you what's wrong and how to fix it. From a security and app testing perspective it's annoying telling developers they caused another XSS or SQL injection problem in the latest version. Then explain what it is... Then rinse and repeat for each developer on each project.
    What AppScan does for me is let the developers learn themselves; after the first few they work out what they need to do to not introduce the problems. Because AppScan explains it all to them without me/others having to.

    It's a web-based vulnerability scanner and secure development training tool in one. At ~$50K a user it's not cheap, but it's cheaper than putting 100 developers through training, especially given developers tend to move employment a lot.

    Novell IDM (Identity Manager)
    http://www.novell.com/identitymanager

    Runs on Linux, Windows, Solaris, NetWare, HP-UX, AIX etc.. well, different bits run on different bits. Cross-platform is very important. I would hate to see life without it. User accounts just happen like magic: access magically given, access magically removed, email made, access to apps done, mainframe access, network access, VPN access, unix access, internet access, all magically happy. All awesome RBAC with DAC when needed. The pre-defined rules determine what access you get without any input from staff.

    I could not see such a complex organisation without an Identity Management system, and we have a great one. It's something that is so flexible. Whatever people want, we (as the custodians of the directories and user info) can do it. I just foresee my life fixing user account issues without a decent IAM (Identity and Access Management) solution... which is not really a very good role for highly paid security personnel to be undertaking.

    Other products in the end-point security space are nice, but there is no one real stand-out product to me, same as full disk encryption. To me the 3 products listed are real stand-out products.

    To reiterate my point before, ArcSight is good, and I would be really happy to have such a product on 'my' network, but if I had a choice I would choose Sentinel.
     
    Last edited: Apr 1, 2008
