Cb Connect 2018 | Power of You | Register Now


Carbon Black 5.0 Changes the Endpoint Security Game with Live Response

January 27, 2015 / Ben Johnson

Today, we announced the immediate availability of Carbon Black 5.0. As we have now heard several times from our early access customers, Carbon Black 5.0 is a “game changer.” Why? Let’s dive in and see.

The root problem in cyber security today is a lack of qualified security professionals. A big part of the reason for talent shortage is that triaging day-to-day detection events is too slow and inconclusive. It’s alert fatigue. Valid alerts are just noise if you can’t respond to them.

In recent posts, you’ve heard us talk about OODA and feedback loops. Ultimately, the operational aspect of security needs to be both more efficient and more effective. You need to prioritize data collection over detection, meaning you should already have the cyber-security equivalent of an endpoint surveillance camera installed before compromise so you’re not scrambling to collect data during the fire drill.

Enter Carbon Black, especially with the new 5.0 capabilities we now are shipping.

Until now, security pros had to respond to alerts without the necessary recorded history and visibility to allow for fast, efficient triage. That SOC analyst, the jack-of-all-trades security guy…whomever is looking at that information security alert, was often reduced to guessing what and where the problem was. That individual (and his or her team) needed to be better equipped. That’s why Carbon Black continuously records endpoint activity on Windows, Mac and Linux systems to enable the responder to rewind the tape and actually see what happened.

Furthermore, it’s a numbers game. With proper visibility comes the true power—the ability to focus your team on fixing the root cause of suspicious and malicious activity, and quickly understanding an attack’s scope.

Beyond response and root cause, you can add your own detection capabilities or use applied threat intelligence that leverages reputation and other information to score endpoint activity. You might not want to respond to every instance where a network connection is made to dropbox.com, but you would probably want to be notified when an application other than a browser or dropbox.exe makes that connection.

It’s about data understanding, not data volume, and having that clear visibility is critical to stronger detection. Carbon Black 5.0 enhances its threat intelligence component with the ability to create feeds for indicators of attack—going beyond its already strong support of matching event activity with known indicators of compromise. Also new in 5.0, are detection feeds from Bit9 that help customers find and prioritize suspicious or malicious behavior.

Enter Live Response


The most exciting part of Carbon Black 5.0 are its “Live Response” capabilities. What does this mean? Carbon Black has been great at endpoint threat detection and response. But once you’ve determined scope, once you’ve walked up and down the process tree to find root cause, once you’ve quickly triaged and validated that alert, you want to do something about it.

Now, with Carbon Black 5.0, in the same console (and programmatically via our API), you can perform endpoint isolation to quarantine that endpoint from the network, and connect to it to do further investigation, preserve state, and take action.

The Carbon Black sensor is already there, so you don’t have to scramble to get IT to install a post-mortem toolset, and you don’t have to login locally using privileged credentials that the attacker might be hoping for. The workflow, all within the Carbon Black 5.0 console, enables you to quickly triage your alert, isolate that endpoint from all others, and drop into a powerful shell that connects you to that system to pull files, kill processes, dump memory, and run any additional tools that your response workflow includes.

From here you can easily create new watchlists so that as soon as those TTPs (or some part of that attack) occur again anywhere else in the enterprise, you’ll be notified. This gives your security team true endpoint visibility and control.

Carbon Black 5.0 includes other new features, such as cross-process memory events, a new dashboard, and more. See our product page for more detailed information about the features in 5.0.

Your most junior folks now have a tool that gives them great visibility and quick triage capabilities, and your more experienced security professionals can incorporate Carbon Black programmatically into your overall cyber defense orchestration. Blend this with dwell-time statistics, system hygiene, event prevalence, frequency, root cause, and applied threat intelligence, and you get, as the first users of Carbon Black 5.0 have told us, a true “game changer.”

TAGS: Carbon Black / Carbon Black 5.0 / continuous recording / detection / incident response / live response