This is another market area that has seen a lot of change over the past few years. The biggest problems facing today’s enterprises with regard to the perimeter is that it is shrinking to the point where it simply does not exist in many large organizations. Defending a perimeter that has all but disappeared is a real challenge and this year’s Innovator has stepped up and met it. However, the way the company approaches it is not intuitively obvious. We took some liberties in this case to look into our crystal ball and envision the future as it is unfolding even now.
Defending today’s perimeter has become a mathematical exercise. The development of complex algorithms to detect attacks and exfiltration attempts has become the stock-in-trade of successful companies in this space. The days of brute-forcing protection are over. With 43 percent of all companies reporting cyberattacks and an increasing number having, at best, a semi-permeable perimeter, new ways to protect organizational assets globally are necessary.
What that means is that bigger is no longer better. Having a huge firewall that can drink from the data fire hose that is the internet won’t help if the direction of information flow is outward on a channel that is supposed to be in use. A phishing attack that exfiltrates data to a port 80 destination poses a real problem.
The Innovator in this year’s section uses the smarter approach to address the perimeter. They take a view that protecting the endpoints is as critical as the perimeter and, when the perimeter disappears, we certainly would argue that the endpoint is the perimeter, especially when the endpoint is on the other side of the world.
The notion of firewalls becoming less and less effective in a perimeterless world is not the only paradigm that seems to be evolving. IDS/IPS in the traditional sense is struggling to survive in an environment that is changing at a rate that is nearly unmanageable. Applying signatures to attacks is becoming less and less effective and the only solution is more sophistication in the way the data stream is processed and analyzed. That sophistication is the earmark of this Innovator and we were, as always, mightily impressed.
There are currently several products for endpoint threat monitoring of an enterprise system. Of the many possibilities, Carbon Black is the most robust solution for performing incident response, endpoint monitoring and threat analysis. This Innovator has allowed us to erase almost completely the need for perimeter management when nearly no perimeter exists.
Vendor: Bit9 + Carbon Black
Flagship product: Carbon Black
Cost: Depends on deployment. Innovation: Continuous endpoint monitoring and instant incident response.
Greatest strength: Fast, easy-to-use user interface and a robust active monitoring platform.
In today’s threatscape, the perimeter of yesterday is disappearing. The endpoints are becoming the new perimeter and thus, the methods of detection and response must change. The Carbon Black system allows constant monitoring of all endpoints where the Carbon Black agent is installed. Each agent collects metadata about the running processes, system calls, registry keys and network connections in the background and sends the metadata to a central collection server. The collection server allows robust searching through process trees using file names, host names or almost anything else you can think of. When you think you may have found a malicious process, you can click over to the binaries tab and download any unique binary found on any of the sensors for further analysis.
Usually, after an attack has happened it is too late. You pull up logs and look at packet captures and hope to find evidence of an attack of which you don’t fully know the details. Carbon Black innovates in this field by always collecting data passively so that after an attack has been detected there is plenty of data to analyze the attack further. The few little facts that may be known about the attack can be searched and the originating processes can be discovered with all of the relating information. The entire startup process is documented and can be traced back to an originating service for a restarting malware process so that it can be tracked down and stopped when there is no knowledge about its persistence methods.
Carbon Black has an advanced data collection method. However, this would be nothing without a solid user interface. The entire process tree can be navigated in a few clicks, and each link on the web GUI brings you to the next logical step in an investigation. The Carbon Black solution revolutionizes the way that endpoint analysis, incident response and perimeter response are performed. It provides a searching suite that allows attacks to be traced back to their source and linked to other attacks that may have arisen from the breach.