The 4 Core Pillars of Endpoint Security


Cb Connect is always an exciting time for me. At Cb Connect 2017, we unveiled our vision for the Cb Predictive Security Cloud (PSC). Over the past year, this platform has expanded and grown to provide better prevention, detection and response for our global customers.

Today, at #CbConnect18, we unveiled our latest addition to the PSC, Cb ThreatHunter, which delivers advanced threat hunting and incident response from the cloud, a game changer for security teams looking to find and stop advanced threats.

At the core of Cb ThreatHunter, the PSC, and virtually everything we do at Carbon Black is unfiltered data. From the start, we’ve been dedicated to collecting and analyzing more endpoint data than anyone else because we believe the only way to get a long-term sustainable advantage over the adversary is through data. This data not only solves your endpoint security challenges, but is the foundation for consolidation.

Adversaries are getting more sophisticated, using trusted software and fileless methods to evade defenses and expose the ineffectiveness of legacy AV. The industry has responded with a proliferation of security point solutions, each designed to address a particular problem. This has led to the typical large enterprise deploying an average of 75 different security products.

As a result, security teams now face two major problems:

1) Traditional security products aren’t working as effectively as they should, putting organizations at risk of a potential breach.

2) Filling legacy technology gaps has made the security stack very complex to deploy and manage.

Even security solutions that aren’t classified as “endpoint security” still require an endpoint agent. Vulnerability assessment, patch management, compliance, etc. all require their own endpoint agent, collecting and analyzing their own data, with their own console and their own backend to manage.

It doesn’t have to be this way.

What if it was possible to have a single agent, single console, and single platform across all these different use cases?

Carbon Black has made this a reality.

It took a fundamental change in architecture, but now that we have the core pillars in place, we’ve been able to deliver four new products on the PSC in just 12 months, with plenty more to come.

If you build the right foundation, supported by strong pillars, the rest becomes much easier:

Core Pillar #1: Unfiltered Data

The first core pillar is unfiltered data, collected regardless of whether an algorithm or threat intelligence source says it’s suspicious or malicious.

The difference between unfiltered and filtered data collection is incredibly important. Existing endpoint security products filter activity based on what they think is “normal.” So, in order to bypass these products, hackers intentionally look “normal” as they conduct malicious acts. This can be seen in attackers using trusted software such as PowerShell to execute their payloads, or using common social media sites like Twitter and Facebook for command and control of compromised endpoints. Without the ability to collect unfiltered data, an endpoint security platform is completely blind to these new attacks.

Core Pillar #2: Streaming Analytics

The second pillar is streaming analytics. Streaming analytics is the technology we developed to identify attacker behavior. It’s called streaming analytics because it’s based on Event Stream Processing, the same technology that has transformed many other industries, including high frequency trading and credit card fraud detection.

We’ve implemented streaming analytics both on the endpoint to lower false positives, as well as in the cloud for lower false negatives. Since it focuses on attacker tactics, techniques, and procedures (TTPs), it’s more resilient to future attacks than other endpoint platforms that rely on signatures, domains, and IPs, which are trivially bypassed by today’s attackers.
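To make the contrast between filtered, indicator-based checking and a TTP rule over an unfiltered event stream concrete, here is an added example (not Carbon Black code, and not how the PSC implements streaming analytics). It runs a constructed stream of process and network events through both approaches; all hashes, IPs, domains and process names are constructed sample values, and the rule (an Office application launching a script host that then talks to a consumer web service, the pattern described above) is a hypothetical one chosen for illustration.

```python
# Added example: indicator matching vs. a TTP-based streaming rule.
# All event data below is constructed for the demonstration.

# Indicators a legacy, filtered product might key on (constructed values).
KNOWN_BAD_HASHES = {"deadbeef00"}
KNOWN_BAD_IPS = {"203.0.113.5"}

# Context used by the hypothetical TTP rule.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe"}
CONSUMER_SERVICES = {"twitter.com", "facebook.com"}

def indicator_check(event):
    """Filtered approach: fires only when a known-bad hash or IP appears."""
    return (event.get("sha256") in KNOWN_BAD_HASHES
            or event.get("remote_ip") in KNOWN_BAD_IPS)

class TtpDetector:
    """Streaming rule: retains every process event (benign-looking or not)
    so a later network event can be judged by how its process was launched."""
    def __init__(self):
        self.procs = {}  # pid -> process event seen earlier in the stream

    def feed(self, event):
        if event["type"] == "process":
            self.procs[event["pid"]] = event
            return None
        proc = self.procs.get(event["pid"])
        parent = self.procs.get(proc["ppid"]) if proc else None
        if (proc and parent and proc["image"] in SCRIPT_HOSTS
                and parent["image"] in OFFICE_APPS
                and event["domain"] in CONSUMER_SERVICES):
            return f"TTP: {parent['image']} -> {proc['image']} -> {event['domain']}"
        return None

# Constructed event stream: an Office-launched PowerShell beaconing to a
# social media site (events 2-4), an admin's PowerShell session (5-6), and
# a file matching a known-bad hash (7).
EVENTS = [
    {"id": 1, "type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "sha256": "11"},
    {"id": 2, "type": "process", "pid": 200, "ppid": 100, "image": "excel.exe", "sha256": "22"},
    {"id": 3, "type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe", "sha256": "33"},
    {"id": 4, "type": "netconn", "pid": 300, "domain": "twitter.com", "remote_ip": "192.0.2.10"},
    {"id": 5, "type": "process", "pid": 400, "ppid": 100, "image": "powershell.exe", "sha256": "33"},
    {"id": 6, "type": "netconn", "pid": 400, "domain": "updates.example.com", "remote_ip": "198.51.100.7"},
    {"id": 7, "type": "process", "pid": 500, "ppid": 100, "image": "invoice.exe", "sha256": "deadbeef00"},
]

def run(events):
    """Return which event ids each approach flags; the indicator check misses
    event 4 because the hash and IP are both 'clean', while the TTP rule
    catches it using the context it kept from events 2 and 3."""
    det = TtpDetector()
    return {"indicator": [e["id"] for e in events if indicator_check(e)],
            "ttp": [a for a in (det.feed(e) for e in events) if a]}
```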

Core Pillar #3: Real-Time Current State Data

The third pillar is the ability to query the current state of all endpoints on the network in real time. We’ve found that our streaming analytics system occasionally needs additional information, potentially from before our agent was installed, in order to confirm or deny a suspicion it has.

Accessing this type of historical data is critical to both security professionals and algorithms, but it needs to be very flexible. For this reason, we’ve implemented our third pillar by leveraging a powerful technology known as osquery, which was developed and open-sourced by Facebook. By leveraging osquery, this pillar permits easy access to more than 1,500 different endpoint artifacts from all systems on the network in real time.

Any endpoint platform that limits what information can be retrieved in real time will dramatically reduce the number of attacks it can handle as well as the number of additional use cases it can support.

Core Pillar #4: Flexible Enforcement

The fourth and final pillar is the ability to take action on the endpoint in real time and in a flexible manner. As most security professionals will tell you, the way you want to handle a ransomware alert is likely different than the way you handle a malicious outbound network connection.

For this reason, we’ve built an extremely flexible enforcement engine that allows us and our customers to implement the right action for the situation, including behavioral-based prevention rules that block malicious activity but still allow wanted activity to proceed.

Any endpoint platform that only supports limited actions like blocking a file by hash or quarantining a system will never scale with the types of attacks we need to respond to.

More to Come

When you take a step back and look at these four pillars, it’s clear Carbon Black is building a platform for the long term, one you can depend on not just for the next two or three years, but one that will stand the test of time against attackers for a decade or more.

These pillars are the foundation for endpoint agent consolidation. As we continue to innovate on the PSC platform, my hope is that the community starts to think of endpoint security not just as a means to protect the endpoint, but more strategically, as a way to measure, manage, and secure your business overall.

The post The 4 Core Pillars of Endpoint Security appeared first on Carbon Black.

About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.