Cloud-Enabled Predictive Endpoint Security

on 28 Nov 2018

I always thought Carbon Black was a cool name for a security company. It’s so much better than that equation, Bit9 + Carbon Black. After a technical review with their team last week, I dug deeper into the origins of the name, and I found that ‘Carbon Black’ is a hazardous, powdery black soot made by partially burning tar. It’s apparently used as a filler for rubber tires. That is the best metaphor for a cyber security company I’ve ever heard.

The Carbon Black team offered a tidier explanation for their interesting name. They reminded me that Carbon is the foundational element of life, and that the Carbon Black product produces a carbon copy of everything occurring on a computer. They explained that Carbon has Atomic Number Six and that the hexagon, with its six sides, is one of the strongest shapes in nature. Hence, the name. (That sounded great, but I prefer the soot.)

In any event, Carbon Black is a large public company (NASDAQ: CBLK) with over a thousand employees, several thousand customers, and a hundred patents. So, this was a big gulp for a humble analyst like me, and it took time to digest my nine pages of dense notes and drawings into a summary useful for you. I’m glad I took the time, however, because Carbon Black has built an impressive solution suite. Here is what I learned:

“As our business customers have shifted to virtualized cloud workloads and services, we’ve evolved our endpoint security platform toward what we now refer to as the Cb Predictive Security Cloud,” explained Paul Morville, SVP of Product Management. “This advanced security platform supports cyber protection, incident response, live operational support, and threat hunting enablement. And we do this using a single agent and console.”

As Morville took me through the configuration and operation of their platform, I created a hand-sketch (see picture above). As you can see, the Cb Predictive Security Cloud serves as a centralized, virtual hub for their range of security products and services. This seems a sensible arrangement to support advanced analytics, automated workflow, and progression to cloud. Let’s go through each of the supported functions:

Cb Defense. This is Carbon Black’s modern, next-generation antivirus solution. “We employ advanced predictive analytics and models to detect exploits such as ransomware and other malware,” explained Morville. I was glad to see Carbon Black continuing to innovate their antivirus; too many security teams have tossed the proverbial baby out with the bathwater regarding signature and behavioral tools. These still offer value.

Cb ThreatSight. ThreatSight is a managed alert monitoring and triage service, where Carbon Black expert teams support enterprise threat management. All the right elements appeared present in this service, from alert prioritization toward effective action, to early warnings based on observed indicators. ThreatSight also provides strong support for root cause analysis during and after a cyber security breach.

Cb Defense for VMware. This solution is developed with VMware AppDefense to support the evolving secure virtualized data center. “We see so many of our customers driving toward full virtualization in the data center,” said Morville, “so it made so much sense for us to partner with VMware on this protection solution.” My prediction is that this will be a winner for Carbon Black, since VMware capabilities in the modern data center are so strong.

Cb LiveOps. This capability enables customers to gather information from endpoints at scale. Leveraging osquery (an open source project from Facebook), security analysts can access point-in-time data and ask useful questions such as: “What users are logged in across my environment?” or “What’s the oldest version of a particular application?” Osquery enables a common language across major operating systems to support this functionality.
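The two questions quoted above can be worked through on merged fleet results, shown here as an added example that is not Carbon Black's code or part of the original article. It uses an in-memory SQLite database as a stand-in for osquery's `logged_in_users` and `programs` tables (`programs` is the Windows table; Linux and macOS use `deb_packages`, `rpm_packages` or `apps`). The `hostname` column, the sample rows and the application name are constructed assumptions.

```python
import sqlite3

# Constructed fleet results. "hostname" is an assumed column added when
# per-endpoint answers are merged; it is not part of osquery's own tables.
LOGGED_IN = [("ws-001", "user", "alice"), ("ws-002", "user", "bob"),
             ("srv-01", "user", "alice"), ("srv-01", "user", "root"),
             ("srv-01", "boot_time", "reboot")]
PROGRAMS = [("ws-001", "ExampleApp", "10.2.1"), ("ws-002", "ExampleApp", "9.8.0"),
            ("srv-01", "ExampleApp", "10.0.3"), ("srv-01", "OtherTool", "1.0.0")]

def build_db():
    """In-memory SQLite stand-in for merged osquery results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logged_in_users (hostname TEXT, type TEXT, user TEXT)")
    conn.execute("CREATE TABLE programs (hostname TEXT, name TEXT, version TEXT)")
    conn.executemany("INSERT INTO logged_in_users VALUES (?, ?, ?)", LOGGED_IN)
    conn.executemany("INSERT INTO programs VALUES (?, ?, ?)", PROGRAMS)
    return conn

def users_logged_in(conn):
    """Map each interactive user to the number of hosts with a session."""
    # On one endpoint: SELECT user FROM logged_in_users WHERE type = 'user';
    rows = conn.execute(
        "SELECT user, COUNT(DISTINCT hostname) FROM logged_in_users "
        "WHERE type = 'user' GROUP BY user").fetchall()
    return dict(rows)

def naive_oldest(conn, app):
    """SQL MIN() on a TEXT column compares strings, so '10.0.3' < '9.8.0'."""
    return conn.execute("SELECT MIN(version) FROM programs WHERE name = ?",
                        (app,)).fetchone()[0]

def version_key(version):
    """Numeric sort key; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def oldest_version(conn, app):
    """Return (hostname, version) of the oldest install, or None if absent."""
    rows = conn.execute("SELECT hostname, version FROM programs WHERE name = ?",
                        (app,)).fetchall()
    return min(rows, key=lambda r: version_key(r[1])) if rows else None

if __name__ == "__main__":
    db = build_db()
    print(users_logged_in(db))
    print(naive_oldest(db, "ExampleApp"), oldest_version(db, "ExampleApp"))
```

Version strings come back as text, so the "oldest version" question needs a numeric comparison after collection rather than a plain `MIN()` in the query.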

Cb ThreatHunter. This new product provides advanced support for the threat hunter and security operations center (SOC) team working cases and investigations from collected security alarms, alerts, and network telemetry. The idea is to provide visibility so that correlation, management, and investigation can be done accurately and quickly. Morville suggested that manual analysis times can be reduced from days to minutes.

Cb Protection. This function provides white list application control and critical infrastructure protection for servers, systems, and devices. The emphasis here is on compliance and regulatory support for frameworks such as PCI DSS. The scaling looks good to me, and a security administrator would have little trouble managing the security and compliance environment for many thousands of enterprise and infrastructure systems.

Cb Response. The “original” Carbon Black offering, this product helped create the so-called EDR market, and quickly became a mainstay for threat hunters and incident responders. Available both on-premise and as a cloud offering, Cb Response provides access to what Morville described as “unfiltered data,” which includes centralized access and the ability to visualize complete historical endpoint activity, regardless of malicious intent.

All these offerings are supported by the Cb Predictive Security Cloud which is designed to provide three functions: First, the platform enables predictive analytics using collected security telemetry; second, it supports both traditional and machine learning-based detection of indicators to drive action; and third, it serves as a platform for the Carbon Black expert team to curate and guide the overall security ecosystem for its customers.

As with any analyst, I have a few concerns. First, something trivial: The Carbon Black product names seemed to me to be a bit too similar and tough to differentiate. I know this has nothing to do with the functional capability of the platform, but I found myself trying to remember the differences between Cb Protection, Cb Defense, Cb Response, and so on. Perhaps others might have a different experience, but I felt obliged to mention it here.

My second concern is more substantive, and it stems from the evolution of the Carbon Black offering from an endpoint detection and response (EDR) product to an analytics platform for enterprise. With such evolution comes the inevitable collision with the enterprise SIEM – and I believe Carbon Black must address this adjacency. The Cb Predictive Security Cloud looks close enough to a SIEM that perhaps it should slide into that role. I guess we’ll see.

If you are an existing Carbon Black customer, then make sure you’ve been briefed on all the new features and functions supported by this predictive cloud platform. And if you are not a current Carbon Black customer, then it would be an excellent idea, even just to learn, for you to be in contact with Paul Morville and his fine product team at Carbon Black to gain an understanding of their approach and their overall philosophy. It’ll be worth your time.

And as always, please share your learnings with all of us.