Back in 2013, I was one of the first security professionals to deploy VMware Carbon Black. This was in the early days, before there was Carbon Black Response, and as far as I know, it was the only product of its kind. I’d learned about it a couple years earlier, thanks to a blog post by Harlan Carvey. Since I had recently moved from DFIR consulting into corporate work in financial services (mid-market enterprise), I was very interested in the visibility it offered, so that I could improve our detection and response capabilities.
Our enterprise already had a high level of network visibility at that point, from the perimeter all the way to the core. We were segmented, and had several “next-gen” or “advanced” types of platforms providing monitoring and protection; we even had streaming packet capture. However, we always ended up needing to go to the endpoint in the case of an alert, in order to determine whether or not there actually was a compromise, and to what extent. The network simply could not give us granular information from our endpoints.
To that end, we leveraged commercial and open-source forensic tools locally and across the network to investigate endpoints. This included traditional disk imaging and analysis, as well as volatile data from live systems, such as memory dumps. I was the main person performing the work, and I knew how long it took me to get answers—while anxious executives were waiting, this was too long, indeed. So early in 2013 we did a proof of concept on the beta of version 3, purchased, and rolled v3 into production.
The power of deep visibility
Having Carbon Black Response in place reduced our investigation time by 75% (remember, I was tracking those metrics), and also improved our visibility such that we knew about things that none of our other platforms could tell us about. That was amazing, but with that visibility, it became increasingly difficult to deal with the data volume from human, processing, and storage perspectives. Our server struggled, I had neither the staff nor the time to properly care for and feed it, and while we knew about malicious activity, we couldn’t easily automate response actions.
That was around the time I learned about Red Canary and the company’s work with VMware Carbon Black. I became interested in joining the team, excited to apply my passion for security in a way that would help companies around the world use CB’s cutting-edge technology to improve their detection and response capabilities.
Evolving technology: Can we get prevention too?
One thing Carbon Black Response did not have was prevention, which meant we still needed to have traditional antivirus in place in the enterprise. Even though it wasn’t very efficacious, auditors and examiners absolutely needed to see that we had it, to check off that box. Carbon Black Defense came out after I moved to Red Canary, and while it provided prevention, the EDR side of it wasn’t as robust and didn’t provide the same level of visibility CB Response did. This is fairly typical for endpoint platforms—you trade visibility for preventive capabilities.