Building a Continuous Response Architecture
©2014 Bit9. All Rights Reserved
Carbon Black: Industry’s Best ETDR Solution
First & only solution with continuous endpoint recording and live response
CONTINUOUS RECORDING
CONTINUOUS endpoint recorder
INSTANT, aggregated threat intel.
COMPLETE kill chain analysis
CUSTOMIZED detection
LIVE RESPONSE
IMMEDIATE endpoint threat isolation
LIVE endpoint investigation
REAL-TIME attack termination
COMPREHENSIVE threat remediation
The Problem: Advanced Threats = $$$
“In 2020, enterprises will be in a state of continuous compromise.”
243 days to discover*
69% discovered externally*
$5.4 million average cost*
*Sources: Mandiant, Verizon
“There are two kinds of companies: those that have been breached and those that don’t know it yet.”
CIO, Fortune 100 company
The Network is Not the Target
“Firewalls [are] becoming less and less effective in a perimeter-less world” (Dec. 2014)
“Organizations continue to spend a lot of money on network security solutions, but it’s the endpoint that is the ultimate target of advanced threats and attacks.” (July 2014)
“When the perimeter disappears, we certainly would argue that the endpoint is the perimeter.” (Dec. 2014)
Traditional Defenses Were Designed for Opp. Attacks
[Chart, OPPORTUNISTIC: Hosts Compromised vs. Time. The curve rises above the DETECTION THRESHOLD, at which point a signature becomes available. Goal for attacker is to compromise as many endpoints as possible.]
[Chart, ADVANCED: Hosts Compromised vs. Time. The curve stays below the DETECTION THRESHOLD (marked "?"); a signature becomes available late, if ever. Goal for attacker is to compromise as few endpoints as possible.]
Reduce Dwell Time By Prioritizing Data Collection
[Timeline: Compromised (attacker present) -> Breach Discovered (attacker identified) -> Recovered (attacker expelled). The span with the attacker present is labelled DWELL TIME.]
Proactively collecting data before the breach is discovered is automated, efficient & conclusive
Reactively collecting data after the breach is discovered is time consuming, expensive & incomplete
Eliminate expensive data collection process
Optimize security team
Instant answers to complex IR questions
Avoid blind reimaging
Zero end-user/endpoint impact
Reduce dwell time
Expand Detection Beyond the Moment of Compromise
[Figure: an attack timeline spanning weeks to months (years). Traditional focus only sees the individual detection event; Lateral Movement & User Accounts, Exfiltration & Data Gathering, and Abnormal Behavior before and after that event are missed without continuous data collection.]
You can’t know what’s bad ahead of time
Highlight As Opposed to Filter Endpoint Visibility
Highlight detected activity within continuous recording to understand root cause and scope faster
Proactive data collection also enables the ability to detect entire attack processes
Traditional detection filters out endpoint visibility, missing the full context of the attack
[Kill chain: User visits website -> Is sent malicious Java applet (DETECTED: Java exploitation) -> Spawns first stage payload -> Spawns second stage payload -> Injects code into Windows Explorer -> Takes malicious actions]
Detection probability increases over time
Investigations seek root cause (Goal: Understand root cause)
IT and Company Culture: Is Your Environment Like This? Or This?
Prioritize Alerts with Data Collection & Threat Intelligence
ALERT FATIGUE: Too many alerts to manage & prioritize
ACTIONABLE ALERTS (Threat Intelligence):
Accelerate threat discovery
Customize detection for organization
Detect every threat vector
Narrow focus by understanding data
[Figure: a wall of alert markers (!) narrowed down to the few that reach Discovery and Detection]
Respond at the Moment of Discovery
Instantly “Roll back the tape” with a recorded history to understand scope
Learn from investigation to build detection moving forward
Prioritize investigations with applied threat intelligence
[Figure: the recorded kill chain (User visits website, Downloads PDF, Is sent malicious Java applet, Spawns first stage payload, Spawns second stage payload, Injects code into Windows Explorer, Lateral Movement, Takes malicious actions), with the deleted payload marked DISCOVERED]
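The two slides above make one claim: a detection is a starting point, and the recorded history around it is what gives you root cause (walk backwards) and scope (walk forwards, then across the fleet). The following is an added example of that walk over a process recording; it is not Carbon Black's code or API. The recording, host names, hashes, the `DETECTION` marker and every field name (`host`, `ts`, `kind`, `pid`, `ppid`, `image`, `sha256`, `target`, `path`) are constructed for illustration.

```python
"""Root cause and scope from a continuous endpoint recording (added example).

Not Carbon Black code. Recording, hosts, hashes and field names are constructed.
"""
from collections import defaultdict

# Constructed recording: every process start, injection and file deletion on two
# hosts, in time order, kept whether or not it looked suspicious at the time.
# stage1.exe is deleted at ts=7, but its start at ts=4 (and its hash) stays on the tape.
RECORDING = [
    {"host": "ws01", "ts": 1,  "kind": "start",  "pid": 100, "ppid": 4,   "image": "explorer.exe"},
    {"host": "ws01", "ts": 2,  "kind": "start",  "pid": 200, "ppid": 100, "image": "iexplore.exe"},
    {"host": "ws01", "ts": 3,  "kind": "start",  "pid": 300, "ppid": 200, "image": "java.exe"},
    {"host": "ws01", "ts": 4,  "kind": "start",  "pid": 400, "ppid": 300, "image": "stage1.exe", "sha256": "aa11"},
    {"host": "ws01", "ts": 5,  "kind": "start",  "pid": 500, "ppid": 400, "image": "stage2.exe", "sha256": "bb22"},
    {"host": "ws01", "ts": 6,  "kind": "inject", "pid": 500, "target": 100},   # into explorer.exe
    {"host": "ws01", "ts": 7,  "kind": "delete", "pid": 500, "path": r"C:\Users\u\stage1.exe"},
    {"host": "ws01", "ts": 8,  "kind": "start",  "pid": 600, "ppid": 100, "image": "net.exe"},  # lateral movement
    {"host": "ws02", "ts": 9,  "kind": "start",  "pid": 110, "ppid": 4,   "image": "services.exe"},
    {"host": "ws02", "ts": 10, "kind": "start",  "pid": 210, "ppid": 110, "image": "stage1.exe", "sha256": "aa11"},
]

# The one event a signature fired on: code injection into Windows Explorer.
DETECTION = {"host": "ws01", "ts": 6}


def filtered_view(recording, detection):
    """Traditional view: only the row that matched the signature survives."""
    return [r for r in recording
            if r["host"] == detection["host"] and r["ts"] == detection["ts"]]


def _index(recording):
    """Per-(host, pid) lookups over the tape: start rows, children, injections, other activity."""
    starts, children, injections, activity = {}, defaultdict(list), defaultdict(list), defaultdict(list)
    for r in recording:
        key = (r["host"], r["pid"])
        if r["kind"] == "start":
            starts[key] = r
            children[(r["host"], r["ppid"])].append(r)
        elif r["kind"] == "inject":
            injections[key].append(r)
        else:
            activity[key].append(r)
    return starts, children, injections, activity


def root_cause(recording, host, pid):
    """Walk parent links backwards from a process to its first recorded ancestor (root first)."""
    starts, _, _, _ = _index(recording)
    chain, key = [], (host, pid)
    while key in starts:
        chain.append(starts[key])
        key = (host, starts[key]["ppid"])
    return chain[::-1]


def scope(recording, host, pid):
    """Walk forwards: what the process did, what it spawned, and what processes it injected
    into did AFTER the injection. An injected explorer.exe has a long legitimate history
    before that point; only its post-injection children and activity are in scope."""
    starts, children, injections, activity = _index(recording)
    out, seen = [], set()
    stack = [((host, pid), 0, False)]        # (key, earliest ts of interest, reached via injection)
    while stack:
        key, since, via_inject = stack.pop()
        if key in seen:
            continue
        seen.add(key)
        if key in starts and not via_inject:  # the injected host process itself is not the attacker's
            out.append(starts[key])
        out.extend(a for a in activity[key] if a["ts"] >= since)
        for c in children[key]:
            if c["ts"] >= since:
                stack.append(((c["host"], c["pid"]), since, False))
        for inj in injections[key]:
            out.append(inj)
            stack.append(((inj["host"], inj["target"]), inj["ts"], True))
    return sorted(out, key=lambda r: r["ts"])


def hosts_that_ran(recording, sha256):
    """Roll the tape back across the fleet: every host where a binary with this hash
    ever started, even where the file has since been deleted from disk."""
    return sorted({r["host"] for r in recording if r.get("sha256") == sha256})


def kill_chain(recording, detection):
    """Root cause + scope around a detection, as one time-ordered list of ts:host:label."""
    hit = filtered_view(recording, detection)[0]
    host, pid = hit["host"], hit["pid"]
    rows = root_cause(recording, host, pid)[:-1] + scope(recording, host, pid)
    return [f'{r["ts"]}:{r["host"]}:{r.get("image", r["kind"])}' for r in rows]


if __name__ == "__main__":
    print("filtered:   ", [r["kind"] for r in filtered_view(RECORDING, DETECTION)])
    print("highlighted:", kill_chain(RECORDING, DETECTION))
    # Turn the investigation into detection: the hash of the deleted first stage is a
    # fleet-wide indicator, and the tape shows it already ran on ws02.
    print("hosts that ran aa11:", hosts_that_ran(RECORDING, "aa11"))
```

The contrast is the point of the slides: `filtered_view` returns one injection event, while `kill_chain` returns the browser, the Java applet, both payload stages, the injection, the deletion of the first stage and the `net.exe` launched from the injected `explorer.exe`. The time cut-off in `scope` matters in practice: without it, every child a long-lived injected process ever spawned would be pulled into the investigation.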
Drive Action on Endpoints with Live Response
IDENTIFY ROOT CAUSE & REMEDIATE MACHINE
BLOCK NETWORK COMMUNICATION
KILL ATTACK PROCESS
Use one IR solution without dropping admin. credentials
Built by responders for responders
Customize on-sensor actions by executing third-party tools
Remove IT from the SecOps equation
[Figure: the recorded kill chain (User visits website -> Is sent malicious Java applet -> Spawns first stage payload (Deleted payload) -> Spawns second stage payload -> Injects code into Windows Explorer -> Takes malicious actions), with the endpoint marked ISOLATED]
MODERN VIEW
Responders manage multiple tools for continuous recording & live response, versus one comprehensive IR solution
Security as a process versus as a solution
Bit9 + Carbon Black: Arm Your Endpoints
Threat Intelligence Cloud: Threat Indicators, Attack Attribution, Reputation
Bit9: The Most Comprehensive Endpoint Threat Protection Solution
For IT and Security Teams Managing Desktops, Servers, and Fixed-function Devices
+ World’s most widely deployed application control/whitelisting solution
+ Single agent for visibility, detection, response, prevention
+ Trust-based and policy-driven
Carbon Black: The Leading Endpoint Threat Detection and Response Solution
For Security Operations Center and Incident Response Teams
+ Only solution with continuous recording; live response; threat isolation, termination and remediation
+ Real-time customizable detection
+ Complete kill chain analysis based on recorded history and attack visualization
Supported Operating Systems
Open API and Integrations: Network Security, Analytics and SIEM, In-House & Custom Tools
Questions?