By Carolyn Crandall, Attivo CMO
Integration between detection and prevention solutions is key to providing the critical infrastructure required for continuous response and protection against cyber attackers. The average dwell time of an attacker currently stands at 201 days, which is then compounded by another 70 days to contain the breach once it has been identified.
Attivo Networks and Carbon Black are partnering to provide customers with a powerful integrated solution for advanced continuous threat management and response. Integrating these solutions empowers organizations to reduce time-to-detection and the time required to respond to incidents, ultimately reducing the attacker’s ability to complete their mission.
The integrated solution combines the Attivo ThreatMatrix™ Deception and Response Platform with Carbon Black (Cb) Response for early detection of in-network threats, automated response actions based on deception server engagement, and the ability to query Cb Response for additional forensic artifacts on other infected systems. Initial integrations will include:
– Quarantining of infected systems.
– Full attack techniques, tactics, and processes (TTP) and identification of infected endpoint information, which are all automatically shared with Cb Response so that infected endpoints can automatically be isolated from the network without causing additional infection or harm. As the ThreatMatrix Platform detects the infected systems, it can automatically push the infected IP addresses to the Carbon Black server for quarantine. Alternatively, the quarantining action can be initiated manually as well.
– Carbon Black upload of binaries to Attivo for analysis. As part of Attivo and Carbon Black’s commitment to provide continuous threat management and visibility, the solution is designed to not only isolate and block attacks, but also enable Carbon Black to upload binaries to the ThreatMatrix deception platform for additional attack analysis, correlation and reporting.
Through the integration, the ThreatMatrix Platform will accept binaries from the Carbon Black Server to analyze. Since Carbon Black is deployed broadly across the enterprise, when any endpoint detects a suspicious binary and forwards it to the Carbon Black Server, the server can then send it to the ThreatMatrix platform for deep analysis. Once analyzed, the ThreatMatrix Platform captures the md5 signature of the dropper and any payload it downloads. In the case of polymorphic malware, it can capture the signatures of all the variants as well as capture the full TTP of the malware.
The integration between the Attivo ThreatMatrix Deception and Response Platform and Carbon Black Security Platforms will provide joint customers significant improvement in continuous response. As customer demand for better detection of advanced threats increases, the need to quickly and easily tie that information back to the source of an infection, the endpoint, is critical. By automating the quarantine and blocking of attackers, automated analysis and incident response operations organizations will benefit from immense time and efficiency savings, and improved protection against cyber attackers.