May 30, 2019 Carbon Black
Frank McClain

Through the years: an inside look at Carbon Black technology

An early Carbon Black customer and Red Canary detection engineer provides perspective on CB’s technology evolutions.

Back in 2013, I was one of the first security professionals to deploy Carbon Black. This was in the early days, before there was Carbon Black Response, and as far as I know, it was the only product of its kind. I’d learned about it a couple years earlier, thanks to a blog post by Harlan Carvey. Since I had recently moved from DFIR consulting into corporate work in financial services (mid-market enterprise), I was very interested in the visibility it offered, so that I could improve our detection and response capabilities.

Our enterprise already had a high level of network visibility at that point, from the perimeter all the way to the core. We were segmented, and had several “next-gen” or “advanced” types of platforms providing monitoring and protection; we even had streaming packet capture. However, we always ended up needing to go to the endpoint in the case of an alert, in order to determine whether or not there actually was a compromise, and to what extent. The network simply could not give us granular information from our endpoints.

To that end, we leveraged commercial and open-source forensic tools locally and across the network to investigate endpoints. This included traditional disk imaging and analysis, as well as volatile data from live systems, such as memory dumps. I was the main person performing the work, and I knew how long it took me to get answers—while anxious executives were waiting, this was too long, indeed. So early in 2013 we did a proof of concept on the beta of version 3, purchased, and rolled v3 into production.

The power of deep visibility

Having Carbon Black in place reduced our investigation time by 75% (remember, I was tracking those metrics), and also improved our visibility such that we knew about things that none of our other platforms could tell us about. That was amazing, but with that visibility, it became increasingly difficult to deal with the data volume from human, processing, and storage perspectives. Our server struggled, I had neither the staff nor the time to properly care and feed it, and while we knew about malicious activity, we couldn’t easily automate response actions.

That was around the time I learned about Red Canary and the company’s work with Carbon Black. I became interested in joining the team, excited to apply my passion for security in a way that would help companies around the world use CB’s cutting-edge technology to improve their detection and response capabilities.

Evolving technology: Can we get prevention too?

One thing Carbon Black Response did not have was prevention, which meant we still needed to have traditional antivirus in place in the enterprise. Even though it wasn’t very efficacious, auditors and examiners absolutely needed to see that we had it, to check off that box. Carbon Black Defense came out after I moved to Red Canary, and while it provided prevention, the EDR side of it wasn’t as robust and didn’t provide the same level of visibility CB Response did. This is fairly typical for endpoint platforms—you trade visibility for preventive capabilities.

Enter Carbon Black ThreatHunter

One of the interesting things about CB ThreatHunter is that it provides you the ability to combine the detailed visibility of a dedicated EDR platform with the preventive controls of antivirus. But is CB ThreatHunter a solid platform? Will it work?

One of the little-known facts about Red Canary is the rigorous testing process every endpoint telemetry source goes through before we accept that product within our supported portfolio. Even lesser-known is that our Cyber Incident Response Team (CIRT) is closely involved in said rigorous testing prior to it being given the stamp of approval for onboarding. In other words, detection engineers in the Red Canary CIRT validate that the telemetry from each EDR platform is consistent with our needs, so that after we bring it into the fold, we know we will be able to provide top-tier detections based on the data we receive.

Each EDR platform is different, providing differing levels of visibility, prevention, and response capabilities. There aren’t many EDR platforms that are up to our standards, and CB ThreatHunter is now one of them.

CB ThreatHunter migration considerations

A number of security teams who are currently using CB Response—including many Red Canary customers—are now considering a migration to CB ThreatHunter. Across my career, I have performed in-place major version migrations on multiple endpoint (including CB Response) and network security platforms, and also migrated from one platform to another. I have also seen this play out (good and bad) from both the technical/practitioner and team lead/management side. I have done the work, and also managed the team responsible for doing the work.

Whenever these ventures are undertaken, there are challenges and risks to the business. Migration considerations include things like:

Downtime and performance impact
  • Will we lose data?
  • Will we lose visibility?
  • Will we be exposed and not know it?
Duplicative data sets and costs
  • How do we store data as we migrate?
  • Where do we store data?
  • What is this actually going to cost us?
Time constraints and change windows
  • How am I going to pull this off?
  • How many people do I need?
  • What is the business justification and sign-off?

Improving your migration experience

Let’s face it: security groups are consistently understaffed and overworked; I know mine was. A lot of times we’re left without a lot of options to get the job done when it comes to platform deployment or migration, and we end up shelling out a lot of money for the vendor’s professional services branch to send in people to do the work for us. They don’t know the environment, aren’t vested in the company, and will be gone when the job is done.

This is one of the things I love about being part of Red Canary. (Shameless plug ahead.) From the CIRT (where I work) and throughout the rest of the company, everyone is truly focused on achieving customer success, and we all apply—individually and collectively—our years of security experience to do so. Sometimes this is as simple as sharing information. Other times it’s by helping do a deep dive into a potential threat or providing better understanding of an EDR platform and the telemetry it provides.

If you have CB Response or another EDR platform and are considering migrating to CB ThreatHunter, Red Canary can help. Because of how we operate, we store and process data separately from the individual EDR platform. This means we’re not dependent on storage constraints applied by that system, and we make it a lot easier for you to compare telemetry and detection capability, to better evaluate the fit for your organization. Plus—and this is a big one for technical folks—we help make sense of the huge volume of data that EDR provides, and separate the signal from the noise, to give your team high-fidelity detections and automated response actions.

To learn more, check out our CB solutions or stop by our booth at this year’s CB Connect event in San Diego.

 

7 Essential Questions for Evaluating Carbon Black Response Partners

 

What Makes a Great Security Team? 4 Standout Qualities

 

Operationalizing Carbon Black Response with Splunk (Part 2): Advanced Data Analysis

 

How to Quickly Automate a Response Playbook With Carbon Black

Subscribe to our blog