“Traditional incident response is difficult. You’re performing the equivalent of dusting doorknobs for fingerprints and sweeping the floor for hair follicles. It’s more of an art than a science sometimes, which is why it requires a seasoned expert, takes a long time, and most often results in just a likely hypothesis.”
None of this is true with Carbon Black. Carbon Black acts like a surveillance camera, always recording the key data that incident responders need, so when a breach does occur, you can simply “rewind the tape” to figure out precisely what happened and where.
Think about how often your original Indicator of Compromise (IOC) is one of the following:
An IP address or domain name
A registry key
A file location
A suspicious or unknown binary
Since Carbon Black is always recording, you can find the IOC even if the activity behind it happened long ago, as long as it falls within your retention window. And when you do find it, Carbon Black shows you all related activity, so you can immediately determine which process caused it, what that process did afterwards, and what launched it in the first place.
This level of insight allows you to be confident in your response because you’re no longer dealing with secondary or tertiary data sources to derive a hypothesis – you have the original source. And when you uncover the root cause of the incident – patient zero – you’ll have all the information you need to ensure this type of attack doesn’t happen again.
And if you install Carbon Black only after an incident is already under way, don't worry: the data it collects from that point on is just as useful during the investigation. Once you identify a suspicious, malicious, or unwanted event, you can create a watchlist from its indicators so that while you're focused on one area of the network, another area doesn't get reinfected without you knowing it. And if it does, you'll know immediately how it happened, so you can prevent it from happening again.
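As an added illustration, and not Carbon Black's own code or API, the following Python sketch shows the workflow described in the paragraphs above over a constructed endpoint timeline: search recorded events for an IOC, pivot to the process that produced it, walk its parent chain and list everything else it did, and then run a watchlist over later events to catch recurrence on another host. All hostnames, paths, PIDs and addresses are made up for the example.

```python
"""Illustrative 'rewind the tape' over constructed endpoint telemetry (not a product API)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: int       # seconds; used only for ordering
    host: str
    pid: int
    ppid: int
    proc: str     # image path of the acting process
    kind: str     # "proc" (process start), "netconn", "filemod", "regmod"
    value: str    # the IOC-bearing field: remote endpoint, file path, registry key, or image path


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROP = r"C:\Users\bob\AppData\Local\Temp\update.exe"
RUNKEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"

# Constructed sample timeline for host ws01 (not real telemetry): a mail client spawns
# cmd -> powershell, which beacons out, drops a binary, sets a Run key and launches the drop.
RECORDED: List[Event] = [
    Event(100, "ws01", 4000, 1,    r"C:\Windows\explorer.exe",        "proc",    r"C:\Windows\explorer.exe"),
    Event(105, "ws01", 4100, 4000, r"C:\Program Files\Mail\mail.exe", "proc",    r"C:\Program Files\Mail\mail.exe"),
    Event(110, "ws01", 4200, 4100, r"C:\Windows\System32\cmd.exe",    "proc",    r"C:\Windows\System32\cmd.exe"),
    Event(111, "ws01", 4300, 4200, PS,                                 "proc",    PS),
    Event(112, "ws01", 4300, 4200, PS,                                 "netconn", "198.51.100.23:443"),
    Event(113, "ws01", 4300, 4200, PS,                                 "filemod", DROP),
    Event(114, "ws01", 4300, 4200, PS,                                 "regmod",  RUNKEY),
    Event(120, "ws01", 4400, 4300, DROP,                               "proc",    DROP),
    Event(121, "ws01", 4400, 4300, DROP,                               "netconn", "198.51.100.23:443"),
]

# Constructed later events from another host, to show a watchlist catching re-infection.
LATER: List[Event] = [
    Event(900, "ws07", 5100, 5000, PS, "regmod",  RUNKEY),
    Event(901, "ws07", 5100, 5000, PS, "netconn", "203.0.113.9:443"),
]


def search_ioc(events: Iterable[Event], ioc: str) -> List[Event]:
    """Every recorded event whose IOC-bearing field matches, regardless of how old it is."""
    return [e for e in events if e.value.lower() == ioc.lower()]


def ancestry(events: Iterable[Event], host: str, pid: int) -> List[Event]:
    """Walk parent links from a process back to the root. First element is the process itself,
    last is the earliest ancestor we have a start record for. A seen-set guards against PID reuse loops."""
    events = list(events)
    chain: List[Event] = []
    seen = set()
    while pid not in seen:
        seen.add(pid)
        start = next((e for e in events if e.host == host and e.pid == pid and e.kind == "proc"), None)
        if start is None:
            break
        chain.append(start)
        pid = start.ppid
    return chain


def related_activity(events: Iterable[Event], host: str, pid: int) -> Tuple[List[Event], List[Event]]:
    """What the process did itself (non-start events) and which child processes it launched."""
    events = list(events)
    own = [e for e in events if (e.host, e.pid) == (host, pid) and e.kind != "proc"]
    children = [e for e in events if e.host == host and e.ppid == pid and e.kind == "proc"]
    return own, children


def investigate(events: Iterable[Event], ioc: str) -> Dict[str, object]:
    """Start from one IOC and pivot to the process that produced it, its lineage and its activity."""
    events = list(events)
    hits = search_ioc(events, ioc)
    if not hits:
        return {}
    first = min(hits, key=lambda e: e.ts)
    chain = ancestry(events, first.host, first.pid)
    own, children = related_activity(events, first.host, first.pid)
    return {
        "first_seen": first.ts,
        "origin": (first.host, first.pid, first.proc),
        "ancestry": [e.proc for e in chain],          # process -> parent -> ... -> root
        "activity": [(e.kind, e.value) for e in own],  # new IOCs to feed the watchlist
        "children": [e.proc for e in children],
    }


def watchlist_hits(later_events: Iterable[Event], watchlist: Iterable[str]) -> List[Event]:
    """Flag any later event, on any host, that repeats an indicator from the first investigation."""
    wl = {w.lower() for w in watchlist}
    return [e for e in later_events if e.value.lower() in wl]


if __name__ == "__main__":
    report = investigate(RECORDED, "198.51.100.23:443")
    print("origin:", report["origin"])
    print("ancestry:", " <- ".join(report["ancestry"]))
    print("activity:", report["activity"])
    print("children:", report["children"])
    print("watchlist hits:", watchlist_hits(LATER, [v for _, v in report["activity"]]))
```

Starting from the beacon address alone, the pivot names powershell.exe as the origin, shows the chain back through cmd.exe to the mail client (the entry point worth fixing), and yields the dropped file and Run key as further indicators. Feeding those into the watchlist is what catches the same Run key appearing on ws07 while the responder is still working on ws01.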
With Carbon Black, any incident response can end with confidence.
Ready to get started? Join our Community for your 30-day free trial.
