PREVENTION RESPONSE - Bit9 + Carbon Black (b-infosec.com)

Date post: 10-Jul-2018
Upload: truonganh


A new generation of threats is attacking your endpoints and servers—you need a modern defense.

Today’s attackers are after the data and intellectual property on your endpoints and servers. If you’re only relying on antivirus or network security you’re putting your organization at risk. AV doesn’t see or stop targeted attacks, nor does it help you respond to an incident. And if an attack bypasses your network security, your endpoints will be compromised.

You need to arm your endpoints so that you can easily see and immediately stop advanced threats.

“Malware threats continue to overwhelm traditional defensive techniques.”
—Gartner, “Endpoint Protection in the Age of Tablets and Cloud,” Peter Firstbrook, February 1, 2012

What’s wrong with traditional endpoint security and what can you do about it?

CHALLENGE: You’re blind on your endpoints and servers

Do you know what’s happening on your endpoints and servers—right now? Most security teams have no way of knowing. If you suspect malware is in your environment, how can you tell what machines it’s on? Is it executing? What is it doing?

ANSWER: Visibility

You need to monitor and record every endpoint and server so you can see:

• All file modifications
• All file executions
• All cross-process events
• Copy of every executed binary
• All registry modifications
• All network connections
• The relationships between them

This visibility must be real-time with continuous, gapless recording: most malware does its damage within minutes and then morphs or deletes itself. Scans and snapshots aren’t good enough. You need to know what’s resident and running right now.

CHALLENGE: You can’t know what’s “bad” ahead of time

Are you still relying on your AV vendor to identify malware and send you signatures? There’s no way AV vendors can keep up with today’s tidal wave of malware. And they’ll never detect unique attacks targeted at you. You can’t depend on a technology that only detects malware that has been detected before.

ANSWER: Detection

You need to see and record everything, and use big data analytics combined with a threat intelligence service for real-time signature-less detection. Rather than try to detect malware via signatures, you need to look for the indicators of advanced threats.

CHALLENGE: Incident response is too slow and expensive

You should assume you will be compromised at some point—and what will you do about it? If you suspect a particular malicious hash is in your environment, how long will it take you to figure out what machines it’s on, how it got there, what it did, and where it is now? For most companies this will take weeks or months. And you can’t afford to call in an expensive third party every time you think you’ve been attacked.

ANSWER: Response

You need a recorded history about everything that’s happened on your endpoints and servers combined with a Live Response capability to remotely inspect any machine and intervene with the attack. Instantly see the “kill chain” for the attack: where it started, what it did, where it is now, and what you should do about it. And once you have clearly identified the attack, you need to immediately contain and control it by blocking its execution on every computer at once.

CHALLENGE: Traditional endpoint security doesn’t stop advanced threats

Traditional endpoint and server protection is reactive and only stops “nuisance malware.” You need to stop advanced attacks targeted at you.

ANSWER: Prevention

You need proactive prevention techniques that are not based on signatures. And because you have different machines and users—servers, domain controllers, fixed-function devices, high-risk users, general users, etc.—you need multiple prevention techniques that you can customize for each group of machines or users. You need to be in charge of your own prevention—not waiting for an AV vendor to provide it.

CHALLENGE: Your endpoint security doesn’t integrate with your security stack

Most endpoint security tools only expose their alerts and log files. That’s not good enough. You need access to the actual data they collect.

ANSWER: Openness and Extensibility

You need all of your security tools to work together. With open APIs, you can quickly push and pull information and instructions across your security stack to automate alerts for real-time response and remediation.


The Bit9 + Carbon Black solution consists of two industry-leading products and the Threat Intelligence Cloud. Independently, each product is a leader in its category. When used together, their integrated capabilities provide unmatched endpoint threat prevention, detection and response.

The Bit9 Security Platform
Comprehensive Advanced Endpoint Threat Prevention, Detection and Response

The Bit9 Security Platform is the industry’s most comprehensive endpoint threat protection solution and the world’s most widely deployed whitelisting product. Combining a trust-based and policy-driven approach to application control with real-time threat intelligence, Bit9 continuously monitors and records all endpoint and server activity to prevent, detect and respond to cyber threats that evade traditional security defenses. With open APIs and a broad partner ecosystem, Bit9 provides unmatched flexibility to seamlessly integrate with both in-house and third-party tools.

Carbon Black
One Solution for Continuous Endpoint Recording, Live Response & Attack Recovery

Carbon Black is the first and only endpoint threat detection and response platform that enables SOC and IR teams to prepare for a breach through continuous endpoint recording, customized detection, live response, remediation, and rapid attack recovery with threat banning. Built entirely on open APIs, Carbon Black delivers an unmatched ability for responders to both “pull in” capabilities from other security solutions and threat intelligence feeds as well as expose and “push out” the data captured by Carbon Black and its full feature set to third-party or homegrown security products. This delivers unparalleled security operations development capabilities to integrate with and build on top of Carbon Black for best-of-breed detection and response tailored for your organization. Match your business needs by deploying Carbon Black on your premises or in the cloud. Top IR firms and MSSPs have made Carbon Black a core component of their detection and response services.

Threat Intelligence Cloud
Instant, Aggregated Threat Intelligence

The Threat Intelligence Cloud provides three services to help you identify threats:

• Threat Indicator Service: The Bit9 + Carbon Black Threat Research Team analyzes the data from millions of endpoints to design and publish actionable indicators of malicious attack behavior and compromise.

• Reputation Service: The Threat Intelligence Cloud’s Reputation Service delivers unmatched reputation regarding known-good, known-bad and unproven software and domains giving IT and security teams actionable intelligence about the software installed—and network connections made—within their enterprise.

• Attack Classification Service: The Threat Intelligence Cloud’s Attack Classification Service provides comprehensive attack context and attribution by integrating with a robust list of industry-leading third-party sources to assist enterprises in identifying the type of malware and threat actor group behind an attack.

The Bit9 + Carbon Black Solution
Makes advanced threats easier to see and faster to stop

Major Capabilities

Visibility. Know what’s happening on every computer—right now.

You will have immediate real-time visibility and a recorded history—without sweeps, scans or polls—into the files, executions, network connections, and critical system resources on every machine, and the relationships between them.

You’ll know how every file got there, what created it, when it arrived, what it did, if it made a network connection, if it deleted itself, if a registry setting was modified, and much more.

Detection. See and record everything; detect attacks in real time without signatures.

With Bit9 + Carbon Black, you can build robust and actionable detection by leveraging the combination of continuous endpoint recording and instant, aggregated threat intelligence—delivered from the Bit9 + Carbon Black Threat Intelligence Cloud. This enables you to reduce alert fatigue by receiving and designing advanced threat detection optimized for your organization. No testing and updating .dat files—just immediate, proactive, signature-less detection.

Response. Combine a recorded history with Live Response capabilities to prepare for a breach, instantly isolate endpoint threats, ban ongoing attacks, and remediate threats.

When you need to respond to an alert or threat, you’ll instantly have the information you need to analyze, scope, contain and remediate the problem. With the recorded details about every machine, you can “go back in time” to see what happened on any of your machines to understand the full “kill chain” of an attack. Carbon Black’s Live Response capabilities enable you to remotely inspect any machine, isolate it, and take remediation actions. You’ll also have a copy of any binary that ever executed so you can analyze it yourself, submit it to a third party, etc. And you can contain and stop attacks by globally blocking the execution of any file automatically or with a single click.
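The recorded-history and “kill chain” idea in the Detection and Response sections above can be made concrete with a small added example. The Python below is not code from the brochure or from Bit9 + Carbon Black, and its event schema is a constructed simplification, not the product’s recording format. It folds a flat stream of recorded endpoint events (process starts, file and registry modifications, network connections) into a process tree, walks any process’s ancestry to show where an attack started, scopes the processes it spawned so a responder knows what to contain, and evaluates two behavioural indicators that depend on relationships between events rather than on a known-bad signature. Every process name, address, path and registry key in the sample is constructed for the example.

```python
"""Reconstruct a process kill chain from continuously recorded endpoint events
and apply signature-less behavioural indicators to it.

Added example: not Bit9 + Carbon Black code; the event schema is a constructed
simplification of the event types the brochure says must be recorded.
"""
from dataclasses import dataclass, field

# Constructed sample: a time-ordered stream of recorded endpoint events.
EVENTS = [
    {"ts": 1, "type": "proc_start", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"ts": 2, "type": "proc_start", "pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"ts": 3, "type": "proc_start", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"ts": 4, "type": "netconn",    "pid": 300, "dest": "203.0.113.10:443"},
    {"ts": 5, "type": "filemod",    "pid": 300, "path": r"C:\Users\u\AppData\Local\Temp\tmp1.dll"},
    {"ts": 6, "type": "regmod",     "pid": 300, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"ts": 7, "type": "proc_start", "pid": 400, "ppid": 300, "image": "rundll32.exe"},
    {"ts": 8, "type": "proc_start", "pid": 500, "ppid": 100, "image": "notepad.exe"},
]


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    children: list = field(default_factory=list)
    netconns: list = field(default_factory=list)
    filemods: list = field(default_factory=list)
    regmods: list = field(default_factory=list)


def build_process_tree(events):
    """Fold the flat event stream into per-process records linked parent -> child."""
    procs = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "proc_start":
            procs[ev["pid"]] = Proc(ev["pid"], ev["ppid"], ev["image"].lower())
            if ev["ppid"] in procs:               # the root's parent was never recorded
                procs[ev["ppid"]].children.append(ev["pid"])
        elif ev["pid"] in procs:
            p = procs[ev["pid"]]
            bucket = {"netconn": p.netconns, "filemod": p.filemods, "regmod": p.regmods}.get(ev["type"])
            if bucket is not None:
                bucket.append(ev)
    return procs


def kill_chain(procs, pid):
    """Ancestry from the recorded root down to the given process: 'where it started'."""
    chain = []
    while pid in procs:
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    return list(reversed(chain))


def descendants(procs, pid):
    """Every process spawned below the given one: the scope a responder must contain."""
    found, stack = set(), list(procs[pid].children)
    while stack:
        child = stack.pop()
        found.add(child)
        stack.extend(procs[child].children)
    return found


# Constructed indicator vocabulary; a real deployment would take these from a feed.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def find_indicators(procs):
    """Behavioural indicators: they describe relationships between recorded events,
    so they fire on never-before-seen files with no signature involved."""
    alerts = []
    for p in procs.values():
        ancestry = kill_chain(procs, p.pid)[:-1]  # everything above this process
        if p.image in SCRIPT_HOSTS and ancestry and ancestry[-1] in OFFICE_APPS and p.netconns:
            alerts.append((p.pid, "office app spawned a script host that made a network connection"))
        touched_autostart = any("\\run\\" in r["key"].lower() for r in p.regmods)
        if touched_autostart and any(a in OFFICE_APPS for a in ancestry):
            alerts.append((p.pid, "autostart registry change by a process descended from an office app"))
    return alerts


if __name__ == "__main__":
    tree = build_process_tree(EVENTS)
    for pid, why in find_indicators(tree):
        print(f"pid {pid}: {why}")
        print("  kill chain :", " -> ".join(kill_chain(tree, pid)))
        print("  contain    :", sorted(descendants(tree, pid) | {pid}))
```

Both indicators fire on the same process here, which is the point of keeping the full chain: the responder sees one story (document reader, script host, outbound connection, autostart change, child process) instead of five unrelated log lines, and the descendant set is exactly what a global execution ban would need to cover.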

Prevention. Stop attacks with proactive, signature-less prevention techniques.

With the Bit9 Security Platform, you can choose from different forms of advanced endpoint protection to match your business and systems. Bit9’s proactive “Default-Deny” approach ensures that only software you trust can run on your machines. Bit9’s “Detect-and-Deny” technology uses ATIs to detect malware and stop its execution, and Bit9’s unique “Detonate-and-Deny” approach automatically sends every new file that arrives on any endpoint or server to leading network security tools for “detonation.” If they find malicious files, Bit9 will automatically stop them from running on all of your machines—instantly.

Open & Extensible. Share and capture data, intelligence and capabilities—across the security stack.

Bit9 + Carbon Black is the most open & extensible endpoint security solution in the market. Use the platform’s open APIs to optimize your security process by quickly integrating endpoint data with your full security stack. You’ll have the freedom to pull in capabilities from other security solutions and threat intelligence feeds as well as extend the data captured by Bit9 + Carbon Black and expose its full feature set to third-party or home-grown security products.

[Figure: Bit9 + Carbon Black platform overview. Only the labels recoverable from the page are kept below.]

Threat Intelligence Cloud: Threat Indicators, Reputation, Attack Classification

The Bit9 Security Platform (THE MOST COMPREHENSIVE ENDPOINT THREAT PROTECTION SOLUTION)
For IT and Security Teams Managing Desktops, Servers and Fixed-function Devices
+ Single agent for visibility, detection, response, prevention
+ World’s most widely deployed application control/whitelisting solution
+ Trust-based and policy-driven

Carbon Black (THE LEADING ENDPOINT THREAT DETECTION AND RESPONSE SOLUTION)
For Security Operations Center and Incident Response Teams
+ Complete kill chain analysis based on recorded history and attack visualization
+ Only solution with continuous recording, live response, remediation and threat banning
+ Real-time customizable detection

OPEN API AND INTEGRATIONS: Network Security; SIEM and Analytics; Endpoint Security; Third-Party and Home-Grown Tools

THREAT INTELLIGENCE

SUPPORTED OPERATING SYSTEMS


Bit9 + Carbon Black Has Solutions For a Variety of Projects

• Endpoint Visibility
• Advanced Threat Protection
• Threat Hunting & Detection
• Incident Response
• Compliance
• Audit & Risk Management
• Breach Preparation
• Threat Correlation
• OS Security Maintenance
• OS and Application EOL
• Application Control
• Critical Infrastructure Security
• Virtualization

More than 25 Fortune 100 companies depend on Bit9 + Carbon Black

Leading Incident Response (IR) firms and Managed Security Service Providers (MSSP) use Bit9 + Carbon Black

More than 50 leading IR firms and MSSPs use Bit9 + Carbon Black’s solution to accelerate their work, improve their accuracy, and offload work from your IT and security teams. Bit9 + Carbon Black only chooses to work with the most skilled teams, selected for their deep security experience. By using Bit9 + Carbon Black’s products, IR firms provide faster, better incident response, and MSSPs can continuously monitor your endpoints and servers so you don’t have to. Here is a sample of the IR firms and MSSPs that use Bit9 + Carbon Black:

68% of IR Professionals choose* Carbon Black over any other EDR Solution.
*using or evaluating


Only endpoint solution with real-time, complete security lifecycle
Real-time visibility, prevention, detection, and response.

Only the Bit9 + Carbon Black solution provides integrated coverage for every aspect of endpoint threat protection: continuous monitoring and recording for real-time visibility into every endpoint, multiple forms of signature-less threat prevention, instant and customizable detection, and the industry’s only incident response solution that combines continuous recording with live response and remediation capabilities.

Audit and compliance controls
Built-in toolset for PCI, HIPAA, NERC and SOX compliance.

The Bit9 + Carbon Black solution addresses numerous compliance standards and audit requirements with a complete built-in toolset for critical data classification, file integrity monitoring & control, change management monitoring, and leading anti-malware protection.

Broadest multi-platform deployment options
Cloud or on-premises; Mac, Windows, and Linux; on- or off-network; in-house or outsourced.

Bit9 + Carbon Black offers the broadest deployment options to cover all your machines and deployment preferences.

Cloud or on-premises. Deploy the “back end” infrastructure in the cloud or on-premises to match your corporate preferences.

Mac, Windows, and Linux. Deploy the “front end” agents on Windows, Mac and Linux so all your endpoints and servers are covered.

On- or off-network. Because the agent is resident on each user’s machine, it constantly monitors and protects them even when they are disconnected from your corporate network.

MSSPs. Dozens of leading MSSPs offer the Bit9 + Carbon Black solution as part of their service so you can outsource the daily monitoring to them if you want.

The most open endpoint security
Open APIs for seamless integration with network security, SIEMs, analytics, and home-grown or custom tools.

Bit9 + Carbon Black offers more open APIs and specific integrations to enable you to use your endpoint data any way you want—integrate and correlate it with network security products, analytics and SIEMs, and even your own home-grown tools.

Proven reliability and scalability
More deployments than any other solution of its type.

Bit9 + Carbon Black is a proven success, with more than 1,400 deployments spanning 4M+ endpoints across major organizations, far more than any comparable offering. We understand what it takes to scale to hundreds of thousands of users to handle the largest of environments. Over 50 IR and MSSP firms use the Bit9 + Carbon Black solution, clear evidence of its market leadership. Bit9 has stopped the most advanced attacks, including Flame, Gauss and the malware responsible for the RSA breach. Organizations of all sizes—from 25 Fortune 100 companies to small businesses—use Bit9 + Carbon Black.

What Makes Bit9 + Carbon Black Unique?

“It’s no mystery that antivirus technologies are fighting a losing battle….”
— Forrester Research, Inc., “Application Control: An Essential Endpoint Security Component,” Chenxi Wang and Chris Sherman, September 7, 2012

“We consider the combination of Bit9 and Carbon Black on an endpoint to be one of the most comprehensive in the anti-malware space.”
— 451 Research report, “Bit9 continues to bet on (Carbon) Black,” Feb. 11, 2015


ABOUT BIT9 + CARBON BLACK

Bit9 + Carbon Black is the market leader in next-generation endpoint security. The company expects that by the end of 2015 it will achieve $70M+ in annual revenue, 70 percent growth, 7 million+ software licenses sold, almost 2,000 customers worldwide, partnerships with 60+ leading managed security service providers and incident response companies, and integrations with 30+ leading security technology providers. Bit9 + Carbon Black was voted Best Endpoint Protection by security professionals in the SANS Institute’s Best of 2014 Awards, and a 2015 SANS survey found that Carbon Black is being used or evaluated by 68 percent of IR professionals. Companies of all sizes and industries, including more than 25 of the Fortune 100, use Bit9 + Carbon Black to increase security and compliance.

2015 © Bit9 is a registered trademark of Bit9, Inc. All other company or product names may be the trademarks of their respective owners.


Bit9 + Carbon Black Open and Extensible Platform
Leverage Bit9 + Carbon Black’s open platform to share and capture data, intelligence and capabilities—across your entire security stack.

1100 Winter Street, Waltham, MA 02451 USA
P 617.393.7400 F 617.393.7499
www.bit9.com
