Automate, or Die: Building a Continuous Response Architecture
Alon Sadeh, System Engineer
Mary Ann Fitzsimmons, Sales Director
©2014 Bit9. All Rights Reserved

Compromise is Inevitable
(Figure: headline breach statistics; the numeric values did not survive extraction)
- Breaches up
- Days to discover (source: M-Trends)
- Total cost of US breaches
- Discovered externally (source: VDBIR)
- Average cost, in millions (sources: Ponemon, Verizon)
- The attacker only has to be successful once… but the defender has to stop every attack.

Traditional Defenses Were Designed for Opportunistic Attacks
(Figure: two charts of hosts compromised over time plotted against a detection threshold)
- Opportunistic attack: the attacker's goal is to compromise as many endpoints as possible. The outbreak crosses the detection threshold and a signature becomes available.
- Advanced attack: the attacker's goal is to compromise as few endpoints as possible. The campaign stays below the detection threshold and a signature becomes available late, if ever.
- 70% of malware is used only once.

Tailored Attacks Require Tailored Defenses
Tailored Defenses Require Integration
AUTOMATE, INTEGRATE, or DIE: security as a unified process vs. a collection of solutions

Arm Your Endpoints!
"Organizations continue to spend a lot of money on network security solutions, but it's the endpoint that is the ultimate target of advanced threats and attacks." (July 2014)

Carbon Black: Industry's Best ETDR Solution
First & only solution with continuous endpoint recording and live response
CONTINUOUS RECORDING / LIVE RESPONSE
- CONTINUOUS endpoint recorder
- IMMEDIATE endpoint threat isolation
- INSTANT, aggregated threat intel
- LIVE endpoint investigation
- COMPLETE kill chain analysis
- REAL-TIME attack termination
- CUSTOMIZED detection
- COMPREHENSIVE threat remediation

Reduce Dwell Time By Prioritizing Data Collection
(Figure: breach timeline)
Compromised (attacker present) -> Breach Discovered (attacker identified) -> Recovered (attacker expelled)
DWELL TIME: the period during which the attacker is present.
- Proactively collecting data before the breach is discovered is automated, efficient & conclusive.
- Reactively collecting data after discovery is time consuming, expensive & incomplete.
Benefits:
- Eliminate the expensive data collection process
- Optimize the security team
- Instant answers to complex IR questions
- Avoid blind reimaging
- Zero end-user/endpoint impact
- Reduce dwell time

Expand Detection Beyond the Moment of Compromise
- Traditional focus: only the individual detection event is seen.
- Missed without continuous data collection: lateral movement & user accounts; exfiltration & data gathering; abnormal behavior, over weeks to months (even years).
- You can't know what's bad ahead of time.

Prioritize Alerts with Data Collection & Threat Intelligence
- ALERT FATIGUE: too many alerts to manage & prioritize.
- ACTIONABLE ALERTS (data collection plus threat intelligence): accelerate threat discovery; customize detection for the organization; detect every threat vector; narrow the focus by understanding the data.
- Discovery -> Detection

Respond at the Moment of Discovery
- User visits website
- Downloads PDF / is sent a malicious Java applet
- Spawns first stage payload
- Spawns second stage payload
- Injects code into Windows Explorer
- Takes malicious actions (DISCOVERED at this point)
- Lateral movement
- Payload deleted
Instantly "roll back the tape" with the recorded history to understand scope; prioritize investigations with applied threat intelligence; learn from the investigation to build detection moving forward.

Drive Action on Endpoints with Live Response
- Identify root cause & remediate the machine
- Block network communication (endpoint ISOLATED)
- Kill the attack process
- Use one IR solution without dropping admin credentials
- Built by responders for responders
- Customize on-sensor actions by executing third-party tools
- Take IT out of the SecOps equation
(The same chain is shown again: user visits website -> is sent malicious Java applet -> spawns first stage payload -> spawns second stage payload -> injects code into Windows Explorer -> takes malicious actions, with the deleted payload marked.)

MODERN VIEW
- Before: responders manage multiple tools for continuous recording & live response.
- After: one comprehensive IR solution; security as a unified process vs. a collection of solutions.

Tailored Defenses Require Automation
AUTOMATE, or DIE

Connect: Integrate & Automate the Entire Security Stack
- Open APIs to integrate with third-party and in-house tools.
"We've integrated Bit9 + Carbon Black into our entire security stack."
– Senior Architect, Leading Internet Entertainment Provider
- Public API; User Community; Developer Relations

Moving from Integration to Automation
Alert Generated -> CROSS CHECK for context (User Profile & Behaviors; Threat Intelligence; Device History) -> Alert Enriched -> Remediation Actions (Block IPs; Kill Process; Gather Forensics; Enroll User in Education Training)

Bit9 + Carbon Black: Arm Your Endpoints
Threat Intelligence Cloud: Threat Indicators; Attack Attribution; Reputation

Bit9: The Most Comprehensive Endpoint Threat Protection Solution
For IT and Security Teams Managing Desktops, Servers, and Fixed-function Devices
+ World's most widely deployed application control/whitelisting solution
+ Single agent for visibility, detection, response, prevention
+ Trust-based and policy-driven

Carbon Black: The Leading Endpoint Threat Detection and Response Solution
For Security Operations Center and Incident Response Teams
+ Only solution with continuous recording; live response; threat isolation, termination and remediation
+ Real-time customizable detection
+ Complete kill chain analysis based on recorded history and attack visualization

Supported Operating Systems (list not recovered from the slide)
Open API and Integrations: Network Security, Analytics and SIEM, In-House & Custom Tools

Thank you
We're at hole 15. Win a gift card and golf shirts and set up your demo of Bit9 + Carbon Black.
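The "Respond at the Moment of Discovery" slide describes rolling back the tape: starting from one detected event (the code injection into Windows Explorer) and walking the recorded process history back to the root cause, forward to every child, and across to other hosts. The following is an added example of that reconstruction in Python; it is not Bit9 or Carbon Black code and does not use their API. The event records, host names, process names, hashes and IP addresses are constructed for the example, and the event schema (start / netconn / filemod / inject) is an assumption standing in for whatever a real recorder emits.

```python
"""Roll back the tape: reconstruct a kill chain from recorded endpoint events.

Added example, not Bit9/Carbon Black code. The event records, hosts, hashes and
IP addresses below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    ts: int        # seconds since epoch (constructed)
    pid: int
    ppid: int
    image: str
    md5: str       # hash of the process image
    action: str    # "start", "netconn", "filemod" or "inject"
    detail: str = ""


# Constructed hashes for the images in the chain.
BROWSER_MD5 = "0c7a3e3e6b5d4f2a9c1e8d7b6a5f4e3d"
JAVA_MD5 = "5d41402abc4b2a76b9719d911017c592"
STAGE1_MD5 = "1b4e28ba2fa1d6d9c7a9f0c3e5d2b8a7"
STAGE2_MD5 = "9f86d081884c7d659a2feaa0c55ad015"

# Constructed recording from two workstations. ws-01 runs the full chain from the
# slide; ws-07 has only been hit by the first stage so far and has not fired an alert.
RECORDED = [
    ProcEvent("ws-01", 1000, 4120, 812, "chrome.exe", BROWSER_MD5, "start"),
    ProcEvent("ws-01", 1005, 4120, 812, "chrome.exe", BROWSER_MD5, "netconn", "203.0.113.10:443"),
    ProcEvent("ws-01", 1007, 4488, 4120, "java.exe", JAVA_MD5, "start"),
    ProcEvent("ws-01", 1009, 4488, 4120, "java.exe", JAVA_MD5, "filemod", r"created C:\Users\jdoe\AppData\Local\Temp\upd.exe"),
    ProcEvent("ws-01", 1010, 4502, 4488, "upd.exe", STAGE1_MD5, "start"),
    ProcEvent("ws-01", 1014, 4530, 4502, "svchost32.exe", STAGE2_MD5, "start"),
    ProcEvent("ws-01", 1015, 4530, 4502, "svchost32.exe", STAGE2_MD5, "filemod", r"deleted C:\Users\jdoe\AppData\Local\Temp\upd.exe"),
    ProcEvent("ws-01", 1020, 4530, 4502, "svchost32.exe", STAGE2_MD5, "inject", "explorer.exe pid 1180"),
    ProcEvent("ws-01", 1100, 4530, 4502, "svchost32.exe", STAGE2_MD5, "netconn", "198.51.100.7:8443"),
    ProcEvent("ws-07", 2000, 3310, 790, "chrome.exe", BROWSER_MD5, "start"),
    ProcEvent("ws-07", 2006, 3390, 3310, "java.exe", JAVA_MD5, "start"),
    ProcEvent("ws-07", 2010, 3402, 3390, "upd.exe", STAGE1_MD5, "start"),
]


def _index(events):
    """Map each (host, pid) to its start event and each (host, ppid) to its children."""
    starts, children = {}, defaultdict(list)
    for e in events:
        if e.action == "start":
            starts[(e.host, e.pid)] = e
            children[(e.host, e.ppid)].append(e)
    return starts, children


def kill_chain(events, host, pid):
    """Walk parent links from the discovered process back to the earliest recorded ancestor."""
    starts, _ = _index(events)
    chain, key, seen = [], (host, pid), set()
    while key in starts and key not in seen:   # `seen` guards against pid reuse loops
        seen.add(key)
        chain.append(starts[key])
        key = (host, starts[key].ppid)
    return chain[::-1]                         # root cause first


def process_tree(events, host, root_pid):
    """Return the pids of root_pid and every descendant recorded on the host."""
    _, children = _index(events)
    pids, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in pids:
            continue
        pids.add(pid)
        stack.extend(c.pid for c in children[(host, pid)])
    return pids


def tape(events, host, pid):
    """The full recorded history of the tree containing `pid`, oldest event first."""
    root = kill_chain(events, host, pid)[0]
    pids = process_tree(events, host, root.pid)
    return sorted((e for e in events if e.host == host and e.pid in pids), key=lambda e: e.ts)


def deleted_files(events):
    """Paths the attacker removed: the recording still has what the disk no longer does."""
    return [e.detail.split(" ", 1)[1] for e in events
            if e.action == "filemod" and e.detail.startswith("deleted ")]


def hosts_with_hash(events, md5):
    """Scope the incident: every host on which an image with this hash was started."""
    return {e.host for e in events if e.action == "start" and e.md5 == md5}


if __name__ == "__main__":
    # Detection fired on the code injection into explorer.exe on ws-01 (pid 4530).
    for e in kill_chain(RECORDED, "ws-01", 4530):
        print(f"{e.ts} {e.image} (pid {e.pid})")
    print("deleted:", deleted_files(tape(RECORDED, "ws-01", 4530)))
    print("hosts with stage 1:", sorted(hosts_with_hash(RECORDED, STAGE1_MD5)))
```

The last call is the "build detection moving forward" step from the slide: the hash of the first-stage payload, learned from one investigation, immediately finds ws-07, where nothing has alerted yet.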
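The "Moving from Integration to Automation" slide sketches a pipeline: an alert is generated, cross-checked against user profile, threat intelligence and device history, enriched, and then drives remediation actions (block IPs, kill process, gather forensics, enroll the user in training). The following is an added Python example of such a playbook; it is not Bit9 or Carbon Black code and does not call their API. The alerts, the threat-intelligence entries, the device history, the user profiles and the two score thresholds are all constructed assumptions standing in for the real sources and policy an organization would plug in.

```python
"""Integration to automation: enrich an alert with context, then decide what to do.

Added example, not Bit9/Carbon Black code. The lookup tables, alert fields and
thresholds are constructed for the example.
"""
from dataclasses import dataclass, asdict


@dataclass
class Alert:
    alert_id: str
    host: str
    user: str
    process: str
    md5: str
    dest_ip: str
    trigger: str    # what fired, e.g. "watchlist:java-spawns-exe" or "phish:link-click"


# Constructed context sources (in practice: a threat intel feed, EDR device history, HR/IdP).
THREAT_INTEL = {
    "1b4e28ba2fa1d6d9c7a9f0c3e5d2b8a7": {"score": 90, "tags": ["dropper"]},
    "198.51.100.7": {"score": 85, "tags": ["c2"]},
    "203.0.113.10": {"score": 55, "tags": ["newly-registered-domain"]},
}
DEVICE_HISTORY = {
    "ws-01": {"alerts_30d": 3, "isolated": False},
    "ws-07": {"alerts_30d": 0, "isolated": False},
    "srv-db-02": {"alerts_30d": 0, "isolated": False},
}
USER_PROFILES = {
    "jdoe": {"dept": "finance", "privileged": False, "training_completed": False},
    "asmith": {"dept": "marketing", "privileged": False, "training_completed": False},
    "svc-backup": {"dept": "it", "privileged": True, "training_completed": True},
}

BLOCK_THRESHOLD = 70    # constructed: intel score at which the playbook acts without an analyst
TRIAGE_THRESHOLD = 40   # constructed: intel score at which it collects evidence and waits

_NO_INTEL = {"score": 0, "tags": []}


def enrich(alert):
    """Cross-check the alert against the three context sources; return the enriched record."""
    hash_intel = THREAT_INTEL.get(alert.md5, _NO_INTEL)
    ip_intel = THREAT_INTEL.get(alert.dest_ip, _NO_INTEL)
    return {
        **asdict(alert),
        "intel_score": max(hash_intel["score"], ip_intel["score"]),
        "intel_tags": sorted(set(hash_intel["tags"]) | set(ip_intel["tags"])),
        "device_history": DEVICE_HISTORY.get(alert.host, {"alerts_30d": 0, "isolated": False}),
        "user_profile": USER_PROFILES.get(
            alert.user, {"dept": "unknown", "privileged": False, "training_completed": False}),
    }


def decide(enriched):
    """Turn the enriched alert into an ordered list of (action, target) pairs."""
    actions = []
    score = enriched["intel_score"]
    if score >= BLOCK_THRESHOLD:
        # Conclusive intel: terminate, cut off the C2 if the IP itself is known bad, collect evidence.
        actions.append(("kill_process", f"{enriched['host']}:{enriched['process']}"))
        if THREAT_INTEL.get(enriched["dest_ip"], _NO_INTEL)["score"] >= BLOCK_THRESHOLD:
            actions.append(("block_ip", enriched["dest_ip"]))
        actions.append(("gather_forensics", enriched["host"]))
    elif score >= TRIAGE_THRESHOLD or enriched["device_history"]["alerts_30d"] >= 2:
        # Suspicious but not conclusive: collect now, so the analyst is not collecting reactively later.
        actions.append(("gather_forensics", enriched["host"]))
    if enriched["trigger"].startswith("phish:") and not enriched["user_profile"]["training_completed"]:
        actions.append(("enroll_training", enriched["user"]))
    return actions


def run_playbook(alert):
    """Alert generated -> cross check -> alert enriched -> remediation actions."""
    enriched = enrich(alert)
    return enriched, decide(enriched)


if __name__ == "__main__":
    hot = Alert("A-1001", "ws-01", "jdoe", "upd.exe",
                "1b4e28ba2fa1d6d9c7a9f0c3e5d2b8a7", "198.51.100.7", "watchlist:java-spawns-exe")
    enriched, actions = run_playbook(hot)
    print("score", enriched["intel_score"], "tags", enriched["intel_tags"])
    for action, target in actions:
        print(action, target)
```

An alert with no intel hits, no device history and a non-phishing trigger produces an enriched record and no actions at all; that empty result is the point of the "narrow focus by understanding data" slide, since the enrichment is what lets the playbook leave most alerts alone.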