On the Radar: Carbon Black defends against malware and fileless

Transcription

1 On the Radar: Carbon Black defends against malware and fileless attacks Cb Defense combines next-generation antivirus and endpoint detection and response Publication Date: 21 Jul 2017 Product code: IT Rik Turner

2 Summary Catalyst Carbon Black develops security technology in three areas: endpoint protection, threat hunting/incident response, and application control. This report focuses on Cb Defense, which is the company s endpoint protection platform (EPP). Key messages Cb Defense is an EPP that combines next-generation antivirus (NGAV) and endpoint detection and response (EDR) to detect, prevent, and respond to both malware and file-less attacks. The NGAV component uses static and dynamic code analysis. For the EDR part, Carbon Black has developed a breakthrough technology: streaming prevention. This approach leverages event-stream processing to update a risk profile upon which it makes security decisions Streaming prevention addresses attacks that leverage native operating system tools, such as PowerShell and Windows Management Instrumentation (WMI). Ovum view With threat actors increasingly moving to circumvent anti-malware systems by compromising legitimate on-device tools, there is a growing need for technology that can address malware, file-less attacks, and in-memory attacks. Carbon Black addresses this requirement and is well positioned to grow its market share as a result. Recommendations for enterprises Why put Carbon Black on your radar? Instead of relying on signatures, Carbon Black combines static and dynamic code analysis to detect malicious code. Its approach to file-less attacks relies on a continual risk profile assessment to determine whether a legitimate tool is being misused and, if necessary, block it. The system s heavy lifting is all in the cloud, with a lightweight agent on the endpoint that looks at events but does not scan. Carbon Black is a compelling option for any EPP project, whether greenfield or ripping-and replacing legacy antivirus. Highlights Carbon Black makes no bones about the fact that it is seeking to replace both legacy incumbent products and the other next-generation newcomers in the world of EPP. When it acquired Confer in 2016, the company s press release said it would now be targeting Symantec, Palo Alto Networks, Cylance, and CrowdStrike with disruptive, "zero-gap protection. Another announcement, in February Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 2

3 2017, said its development of streaming prevention leapfrogs Cylance, McAfee, and Symantec by stopping both malware and non-malware attacks. The company notes that 53% of successful breaches do not involve malware, with attackers instead leveraging native endpoint tools and finding new and creative ways to employ them in the pursuit of their goal, a process often referred to as living off the land. In this context, the two favorite tools for are PowerShell and WMI. This type of file-less attack clearly evades anti-malware technology that is based on machine learning, as well as the signature-based variety. This is where Carbon Black leverages its streaming prevention technology. Cb Defense uses a lightweight agent on the endpoint, requiring no more than 1% or 2% of the power of the local processor to look at events and send data up to the system s cloud-based brain. Static and dynamic analysis is performed on the endpoint and in the cloud. This stance differentiates Carbon Black from many of its competitors, which focus on static analysis. Streaming prevention is based on event-stream processing, which is a technology that underpins algorithmic day-trading and fraud detection. It continuously updates a risk profile based on a steady stream of computer activity, and when attack patterns are detected, the attack is blocked. This ability to thwart both traditional malware and file-less attacks is a key capability of Cb Defense. Background Carbon Black is the result of a February 2014 acquisition. Bit9, a provider of application control technology acquired incident response platform developer Carbon Black (founded in 2011). The merged entity officially changed its name to Carbon Black in early Bit9 was founded in 2002, and while all its founders have since moved on, one of the co-founders of the original Carbon Black, Michael Viscuso, is now CTO at the enlarged company. The CEO is Patrick Morley, who has held the position since His prior career includes three years as president and CEO of single sign-on vendor Imprivata. The company has raised a total of $189.68m of VC funding, most recently $14m in a Series G round in February No information about this round was disclosed. In July 2016 Carbon Black announced the acquisition of Confer, an NGAV vendor, with Confer's software product renamed Cb Defense. Current position Carbon Black s portfolio currently has three components: Cb Defense, a cloud-delivered platform, which the company describes as NGAV plus EDR Cb Response, which is a threat hunting and incident response platform for incident response and security operations center (SOC) teams Cb Protection, which provides application control and lockdown security for servers and critical systems. The company says it has about 9 million active licenses across some 3,000 enterprise customers including Coca-Cola, Sunoco, Nissan, and Samsung. The EPP system is primarily cloud-based, with only a lightweight agent on the endpoint to observe events but not to scan traffic. Customers pay a subscription based on the number of endpoints they are protecting. Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 3

4 Data sheet Key facts Table 1: Data sheet: Carbon Black Product name Cb Defense Product classification NGAV and EDR Version number Cloud-based product updated every six weeks. Release date n/a Industries covered Finance, insurance, government, manufacturing, technology, pharma, and others. Geographies covered US, Europe, Middle East, APJ. Relevant company sizes All Licensing options Subscription based on endpoint volume URL Routes to market VARs; MSSPs use the product to deliver a service. Company headquarters Waltham, MA, US Number of employees 750 Source: Ovum Appendix On the Radar On the Radar is a series of research notes about vendors bringing innovative ideas, products, or business models to their markets. Although On the Radar vendors may not be ready for prime time, they bear watching for their potential impact on markets and could be suitable for certain enterprise and public sector IT organizations. Further reading On the Radar: CrowdStrike offers next-generation endpoint protection from the cloud, IT (June 2017) On the Radar: Cylance adds an endpoint detection and response capability, IT (June 2017) On the Radar: Cybereason adds NGAV to compete as a full endpoint protection platform, IT (April 2017) On the Radar: Comodo uses containment to protect endpoints, IT (April 2017) Sophos adds machine learning to its next-gen endpoint skills with Invincea buy, IT (February 2017) Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 4

5 Author Rik Turner, Principal Analyst, Infrastructure Solutions Ovum Consulting We hope that this analysis will help you make informed and imaginative business decisions. If you have further requirements, Ovum s consulting team may be able to help you. For more information about Ovum s consulting capabilities, please contact us directly at consulting@ovum.com. Copyright notice and disclaimer The contents of this product are protected by international copyright laws, database rights and other intellectual property rights. The owner of these rights is Informa Telecoms and Media Limited, our affiliates or other third party licensors. All product and company names and logos contained within or appearing on this product are the trademarks, service marks or trading names of their respective owners, including Informa Telecoms and Media Limited. This product may not be copied, reproduced, distributed or transmitted in any form or by any means without the prior permission of Informa Telecoms and Media Limited. Whilst reasonable efforts have been made to ensure that the information and content of this product was correct as at the date of first publication, neither Informa Telecoms and Media Limited nor any person engaged or employed by Informa Telecoms and Media Limited accepts any liability for any errors, omissions or other inaccuracies. Readers should independently verify any facts and figures as no liability can be accepted in this regard readers assume full responsibility and risk accordingly for their use of such information and content. Any views and/or opinions expressed in this product by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Informa Telecoms and Media Limited. Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 5

6 CONTACT US INTERNATIONAL OFFICES Beijing Dubai Hong Kong Hyderabad Johannesburg London Melbourne New York San Francisco Sao Paulo Tokyo