Cb Connect 2018 | Power of You | Register Now


Streaming Prevention: Powering NGAV to Stop Both Malware and Non-Malware Attacks

February 6, 2017 / Michael Viscuso

This is an exciting time for Carbon Black and for security teams everywhere. Today, we launched a breakthrough technology, streaming prevention.

By collecting, correlating and analyzing endpoint events in real time, streaming prevention can identify and stop an attack while it builds. It does this by assessing the risk of each event in a sequence or cluster, with each new event triggering a new assessment. When the risk level exceeds an acceptable threshold, streaming prevention stops the attack automatically.

Streaming prevention offers a fundamentally new approach to identifying and preventing cyberattacks. Current approaches used by legacy AV and machine-learning AV focus exclusively on files and do nothing to target an attacker’s behaviors.

In contrast to legacy AV and machine-learning AV, streaming prevention monitors the activity of applications and services, including communications between processes, inbound and outbound network traffic, unauthorized requests to run applications, and changes to credentials or permission levels.

How Streaming Prevention Works


Event Stream Processing (ESP)

As noted in the graphic above, streaming prevention leverages event stream processing (ESP), the same technology that revolutionized algorithmic day-trading. Similar to algorithmic day-trading applications, streaming prevention continuously updates a risk profile based on a steady stream of computer activity. When multiple, potentially malicious events occur in succession, or are clustered together, our software blocks the attack.

Streaming Prevention vs. Non-Malware Attacks

Streaming prevention is the core technology powering Cb Defense, Carbon Black’s Next-Generation Antivirus (NGAV) solution, which can prevent, detect and respond to the most advanced cyberattacks, including non-malware attacks.

Non-malware attacks gain control of computers without downloading malicious software. Instead, they exploit running applications, such as browsers, and use trusted, native operating system tools, such as PowerShell to “live off the land.” These attacks pose a bigger risk than malware attacks because they are harder to detect and cause more damage. Virtually every organization was targeted by such an attack in 2016, according to Carbon Black research. Our research also found that over the next 90 days, 1 in 3 organizations are likely to be targeted by a non-malware attack. That’s because these attacks are working. In fact, according to the 2016 Verizon Data Breach Report, 53% of breaches today are the result of “hacking” and use no malware at all.


For the last 30 years, signature-based antivirus (AV) has been the defacto standard for prevention. However, traditional AV and machine-learning AV are really only good at one thing – stopping known malware. Legacy AV and machine-learning AV focus on detecting malware at the point-in-time it is written or executes. In contrast, streaming prevention empowers security teams to see and stop a cyberattack at any point during the attack cycle, regardless whether the attacker chooses to use malware or not.

Market Requires Convergence of Prevention, Detection and Response

“By 2019, EPP and EDR capabilities will have merged into a single offering, eliminating the need to buy best-of-breed products for all but the most specialized environments,” notes the Gartner “Magic Quadrant for Endpoint Protection Platforms,” by Eric Ouellet, Avivah Litan and Ian McShane on Jan. 30, 2017.

The market is clearly asking for a converged solution. By leveraging event stream processing, Cb Defense combines prevention, detection and response into a single, lightweight, powerful offering. Many competing solutions attempt to provide prevention, detection and response into a single product, but utilize separate models for all three facets.


Since Carbon Black’s detection engine is built on the same technology as our prevention and response engines, the flow among prevention, detection and response is seamless.

To learn more about streaming prevention and Cb Defense, click here.

TAGS: Carbon Black / NGAV / Streaming Prevention