eGuide: Designing a Continuous Response Architecture


Table of Contents

Overview 3
The Problem 3
Defining the Threat 3
The Network is Not the Target 4
Incident Response is Ad Hoc 5
Incident Response is Not Forensics 5
Limited Threat Intelligence 6
The Solution 6
Prioritize Data Collection Over Detection 6
Highlight Instead of Filter Data Collection 7
Apply Aggregated Threat Intelligence 8
Respond in Seconds with a Recorded History 9
Security As a Process 10
Security Platform Over Product 11
Summary 11


Overview

Data acquisition, threat discovery, incident response and forensics have become arduous and incomplete—with no insight into the patterns of compromise. We’ve focused on detection techniques that filter out actionable visibility, insight into root cause and lateral movement. We’ve relied on solutions that inundate us with too many alerts to prioritize and investigate. And we’ve blindly reimaged machines by focusing on reactive forensic techniques instead of proactive incident response solutions.

Response solutions have been developed for use post-breach by the IR consultant, instead of created to enable an enterprise to proactively prepare for a breach. Additionally, responders need to focus on security solutions that can integrate with third-party solutions, whether network security products, threat intelligence providers, SIEMs, SOC tools, or other IR products. Businesses need to view security as a process and focus on solutions that can:

+ Proactively automate the tedious and time-consuming data acquisition process at the endpoint before a breach occurs
+ Layer threat intelligence on top of that continuously recorded visibility to highlight advanced threats to expedite investigations
+ Reduce the cost and complexity of incident response by instantly understanding entire attack processes
+ Evolve, adapt and learn from your investigation by using the right solutions to adjust your detection and prevention techniques moving forward

This eGuide will cover how a continuous approach to response can resolve these challenges and put your organization in a better security posture by proactively preparing for a breach.

The Problem

Defining the Threat

There are two types of attackers: opportunistic and advanced. The opportunistic attacker finds value in large-scale attacks. The more hosts the attacker compromises, the quicker a signature is generated, making it easier to identify the attack. The advanced attacker, on the other hand, finds value in small-scale and targeted attacks. By compromising fewer hosts, it takes significantly longer to generate a signature (if at all). As a result, traditional endpoint prevention, detection and response solutions are more likely to miss advanced and targeted attackers who infiltrate their enterprise.

Advanced (or zero-day) attacks can take multiple forms:

+ Unknown attack with no patch
+ Known attack with no patch
+ Known attack with available patch not yet applied

Figure: Hosts compromised over time. Opportunistic attackers compromise as many endpoints as possible, so the detection threshold is crossed quickly and a signature becomes available. Advanced attackers compromise as few endpoints as possible, so a signature becomes available late, if ever.


A response solution should be prepared for all attack phases, whether opportunistic or advanced, because you cannot know in advance what’s bad. Also, many attackers can “live off of the land” by leveraging built-in tools to reduce the number of new executables introduced into an environment—masking their lateral movement. This also enables an attacker to establish approved user accounts, escalating their privileges so they can come and go as they please. Threats are only as sophisticated as they need to be. Attackers will never waste a $5 million payload if they do not have to. As a result, enterprises need solutions that can identify all attack types—known or unknown—and respond accordingly.

The Network is Not the Target

Sixty-five percent of 2013 data breaches happened on company endpoints.1 Many enterprises, however, still fail to deploy response solutions that can deliver actionable visibility and intelligence down to the endpoint—opting instead to sink more security dollars into their network.

“Organizations continue to spend a lot of money on network security solutions, but it’s the endpoint that is the ultimate target of advanced threats and attacks” 2

— 451 Research

Many enterprise security approaches can be viewed as hard on the outside, but soft in the middle—because strong network defenses and weak endpoint security are a common practice. A secure corporate network should be a priority, but not the focus. This is because corporate networks are now unraveling as more employees continue to operate outside of them. These endpoints are connecting to a variety of unknown networks from a diverse set of locations with limited protection from next-generation firewalls.

The endpoint is the target of attackers because this is where the valuable data resides. Enterprises must identify key data, assess the probability of that data being targeted by attackers, estimate the business impact of that data being compromised, and determine where that data is located. The answers to these questions ultimately will bring you back to the endpoint.

Figure: Probability (adversary interest) plotted against impact (to business). Impact columns: Low (minor), Medium (moderate), High (existential). Probability rows and the assets placed on them: High (very likely): Documents, User credentials, Web services, Key IP, CRM, Email Content, Financial Info. Medium (possible): Physical computers, Employee Personally Identifiable Information, Critical systems, Public website, Customer info. Low (unlikely): Office access, Data center access.

1 2014 Verizon Data Breach Investigations Report
2 “When worlds collide: post-acquisition, Bit9 + Carbon Black emerges as a combined brand” – Javvad Malik and Adrian Sanabria – 2 Sep, 2014


However, when securing the endpoint, many rely on antivirus software as the chief component to their endpoint security strategy—but this hampers the ability of an enterprise to detect, respond or prevent multiple attack forms as they happen. Organizations ultimately need continuous visibility, customizable detection and rapid response solutions at the endpoint. Not only will this expedite response, but it ultimately will improve and complement your network security as well.

Incident Response is Ad Hoc

Many enterprises may not invest in incident response solutions because they feel they lack the skilled staff needed to perform conclusive and confident investigations. In addition, many organizations may perceive incident response solutions as far too complex for them to leverage effectively. Without a response plan in place, if an organization is breached, reactively deploying an incident response solution can be time-consuming and extremely expensive.

For an enterprise, the goal should be to build out your security maturity framework. This means deploying solutions that enable enterprises to make the best possible decisions. Many organizational approaches to incident response are ad hoc and unpredictable with no formal security programs. Success is usually predicated on luck—and not much else. The goal for an enterprise should be to build a formal incident response plan as well as deploy solutions that can reduce the cost and complexity of a response. Responders also should look to optimize their enterprise’s security so that any response is reliable, predictable and adaptive to the changing threat landscape.

Security Maturity Framework

Level 1, Ad Hoc: Unpredictable. No formal security program or organization; no formal process; success depends on luck.
Level 2, Reactive: Not standardized. Respond to critical alerts only; process is characterized for projects; success depends on individual heroics.
Level 3, Proactive: Formative. Formal security organization, basic auditing; process is characterized for organization; success depends on execution.
Level 4, Managed: Measured. Comprehensive security program and oversight; process is measured and controlled; success is demonstrable.
Level 5, Optimized: Adaptive. Expand from investigation to hunting; process is continuously improved; success is predictable.


Incident Response is Not Forensics

With forensics, a breach has already happened, data has already been lost, and now you are tasked with the clean up. You may have been alerted to the breach by a third party, but now it is your job to understand what went wrong. To add to the problem, your enterprise may not have proactively collected data before the breach, which means you now will spend the next several weeks or months collecting the desperately needed data to fully scope and understand the attack. Because you are now reactively collecting data after the breach, unraveling lateral movement—especially if the attacker cleaned up their tracks by deleting prior payloads—means that understanding the root cause may take months, years—or even longer—to discover.

When responding to an incident and discovering a potential compromise, as a responder it is your job to contain the attack before data is lost. When responding, there is still a chance to stop the bleeding and intervene with an ongoing attack. This means you need to leverage response solutions that can expedite this process to detect, respond, isolate and remediate the problem as quickly as possible.

Limited Threat Intelligence

Many organizations lack the necessary threat intelligence to help them fully detect and classify attacks as they happen. Threat intelligence should be a valuable part of any detection or response solution. Without threat intelligence, enterprises can lose valuable insight into threats as they arrive in their environment.

SOC analysts and IR teams can also suffer from alert fatigue because they receive too many alerts to prioritize and investigate. With no way to sift through the noise, enterprises are finding it difficult to efficiently respond. Organizations need to focus on solutions that can accelerate the discovery of advanced threats as opposed to those that just produce more detection events. Fixing this will exponentially reduce the dwell time of threats in an environment by accelerating investigations to minimize the scope of an attack.

No one provider has a lock on the world’s threat intelligence, but many organizations still deploy security solutions that only integrate with a finite number of providers. Responders need security solutions that offer the ability to integrate with a wide range of threat intelligence feeds, as well as enable organizations to add their own custom feeds. This affords businesses the opportunity to incorporate threat intelligence feeds not initially offered by a security solution.


The Solution

Prioritize Data Collection Over Detection

If you are not prepared for a breach by prioritizing data collection before the moment of compromise, you are likely leveraging forensic tools to collect data during an investigation. Collecting data takes time, money and effort. Not to mention that reactively collecting data usually produces incomplete data sets with no way of scoping the full breadth of an attack. All of this prolongs the dwell time of the attacker and potentially magnifies the number of impacted machines in your organization—extending time to recovery.

Carbon Black enables enterprises to prepare for a breach by proactively automating and continuously recording the critical data before the moment of compromise so you can instantly leverage data during an investigation when a threat is discovered. This reduces the dwell time of attackers exponentially by enabling you to dive into your response immediately and recover faster.

Figure: Dwell time, running from Compromised (attacker present) through Breach Discovered (attacker identified) to Recovered (attacker expelled), across the detection, response and recovery phases. Proactively collecting data before the breach is discovered is automated and efficient; reactively collecting data after discovery is time consuming and expensive.


Highlight Instead of Filter Data Collection

Most detection solutions filter out endpoint visibility when detecting threats in an environment. They typically provide the specific instance of the attack and its compromised host, but by filtering out endpoint visibility, they lose sight of lateral movement, root cause and the entire scope of the attack during an investigation. As a responder, your goal should be to understand the scope and root cause as confidently and quickly as possible.

Instead of filtering out visibility, Carbon Black highlights detected activity over its continuously recorded endpoint data to enable you to instantly “roll back the tape” from the detection event all the way to root cause. By proactively recording and maintaining the relationships of every file execution, file modification, registry modification, network connection and executed binary, Carbon Black delivers conclusive and confident insight into the full scope of an attack—enabling you to respond rapidly.

Figure: Carbon Black continuously records all file executions, all file modifications, all registry modifications, all network connections and a copy of every executed binary, then highlights detected activity within that endpoint visibility to understand root cause and scope. Detection probability increases over time, while investigations seek root cause. Example chain: User visits website → is sent malicious Java applet → spawns first stage payload → spawns second stage payload → injects code into Windows Explorer → takes malicious actions (the point at which the attack is discovered). Goal: understand root cause.


Apply Aggregated Threat Intelligence

Proactively collecting critical data is a starting point, but it’s not the finish line. It’s what you do with that data that’s important. Many detection and response solutions have either visibility or threat intelligence, but rarely have both. Applying threat intelligence on top of continuous endpoint visibility enables responders to detect attacks in real time and prioritize investigations.

With Carbon Black, not only is the data acquisition process automated and continuously recorded, but comprehensive threat intelligence also is simultaneously applied on top of that visibility. This delivers instant attack classification and reputation of recorded endpoint activity that’s immediately accessible and consumable during an investigation. This enables responders to drive purposeful investigations and inquiries across their entire organization.

Carbon Black applies threat intelligence through the Bit9 + Carbon Black Threat Intelligence Cloud service, which offers a robust set of third-party and proprietary threat feeds and reputation services. Carbon Black integrates with network security providers such as Check Point, Fidelis, FireEye and Palo Alto Networks and extends to offer you the flexibility to integrate and apply your own custom feeds as well.

The combination of visibility and threat intelligence also enables responders to design and save complex queries as real-time detection alerts within Carbon Black (known as watchlists). This offers the ability to detect based on entire attack processes, network activity, threat intelligence, attack behaviors and more—not just individual events. This powerful combination also enhances your detection capabilities by delivering actionable alerts to reduce alert fatigue. By automating both the data collection and applied threat intelligence process, responders also gain instant insight when diving into an investigation.
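The two ideas in the preceding sections, recording everything and highlighting detections over it rather than filtering, and applying reputation data plus a saved watchlist over whole attack processes, as one added example. This is illustrative Python written for this guide, not Carbon Black's code or API: the `Recorder` class, the `browser_spawned_untrusted_with_netconn` rule, the host name, file paths, hashes and events are all constructed, and the hash values are placeholders rather than real indicators.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Event:
    """One continuously recorded endpoint event; every value here is constructed."""
    ts: int                      # seconds since boot
    host: str
    pid: int
    kind: str                    # process | filemod | regmod | netconn | crossproc
    detail: str                  # binary path, file path, registry key, remote address or target
    ppid: Optional[int] = None   # parent pid, set only on "process" events
    sha256: str = ""             # hash of the executed binary, "process" events only

# Constructed reputation feed keyed by binary hash (placeholder hashes, not real indicators).
THREAT_INTEL = {
    "sha256-placeholder-explorer": "trusted",
    "sha256-placeholder-iexplore": "trusted",
    "sha256-placeholder-java": "trusted",
    "sha256-placeholder-stage2": "known_malware",
}

class Recorder:
    """Keeps every event and a (host, pid) -> process-event index for the process tree."""
    def __init__(self) -> None:
        self.events: list[Event] = []
        self.procs: dict[tuple[str, int], Event] = {}

    def record(self, ev: Event) -> None:
        self.events.append(ev)          # nothing is filtered out at collection time
        if ev.kind == "process":
            self.procs[(ev.host, ev.pid)] = ev

    def reputation(self, host: str, pid: int) -> str:
        """Apply threat intelligence to a recorded process; unseen hashes are 'unknown'."""
        return THREAT_INTEL.get(self.procs[(host, pid)].sha256, "unknown")

    def events_for(self, host: str, pid: int) -> list[Event]:
        return [e for e in self.events if e.host == host and e.pid == pid]

    def lineage(self, host: str, pid: int) -> list[Event]:
        """Roll back the tape: follow parent links from a process to its root, root first."""
        chain: list[Event] = []
        key: Optional[tuple[str, int]] = (host, pid)
        while key is not None and key in self.procs:
            proc = self.procs[key]
            chain.append(proc)
            key = None if proc.ppid is None else (host, proc.ppid)
        return chain[::-1]

    def scope(self, host: str, pid: int) -> list[Event]:
        """Everything recorded for every process on the alerting process's lineage."""
        pids = {p.pid for p in self.lineage(host, pid)}
        return [e for e in self.events if e.host == host and e.pid in pids]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def browser_spawned_untrusted_with_netconn(rec: Recorder, proc: Event) -> bool:
    """Watchlist rule over a whole attack process rather than one event: a binary that threat
    intel does not call trusted, running beneath a browser or Java, that made a network connection."""
    ancestors = rec.lineage(proc.host, proc.pid)[:-1]
    under_browser = any(basename(a.detail).lower() in {"iexplore.exe", "java.exe"} for a in ancestors)
    untrusted = rec.reputation(proc.host, proc.pid) != "trusted"
    connected = any(e.kind == "netconn" for e in rec.events_for(proc.host, proc.pid))
    return under_browser and untrusted and connected

def run_watchlist(rec: Recorder, rule: Callable[[Recorder, Event], bool]) -> list[Event]:
    """Evaluate a saved rule against every recorded process; returns the alerting processes."""
    return [p for p in rec.procs.values() if rule(rec, p)]

def roll_back(rec: Recorder, host: str, pid: int) -> list[str]:
    """Root-cause chain as binary names, root first."""
    return [basename(p.detail) for p in rec.lineage(host, pid)]

HOST = "WS-042"  # constructed hostname

def build_sample() -> Recorder:
    """Constructed recording mirroring the chain in the figure, plus unrelated background noise."""
    rec = Recorder()
    for ev in [
        Event(1, HOST, 1, "process", r"C:\Windows\explorer.exe", None, "sha256-placeholder-explorer"),
        Event(5, HOST, 500, "process", r"C:\Windows\System32\svchost.exe", 1, "sha256-placeholder-svchost"),
        Event(6, HOST, 500, "netconn", "192.0.2.5:443"),
        Event(10, HOST, 100, "process", r"C:\Program Files\Internet Explorer\iexplore.exe", 1, "sha256-placeholder-iexplore"),
        Event(11, HOST, 100, "netconn", "198.51.100.7:80"),  # user visits website
        Event(12, HOST, 200, "process", r"C:\Program Files\Java\bin\java.exe", 100, "sha256-placeholder-java"),
        Event(13, HOST, 300, "process", r"C:\Users\Public\stage1.exe", 200, "sha256-placeholder-stage1"),
        Event(14, HOST, 300, "filemod", r"C:\Users\Public\stage2.exe"),  # first stage writes second
        Event(15, HOST, 400, "process", r"C:\Users\Public\stage2.exe", 300, "sha256-placeholder-stage2"),
        Event(16, HOST, 400, "regmod", r"HKCU\Software\ExampleKey\Setting"),
        Event(17, HOST, 400, "netconn", "203.0.113.10:443"),
        Event(18, HOST, 400, "crossproc", "inject -> pid 1 (explorer.exe)"),
    ]:
        rec.record(ev)
    return rec
```

Running `run_watchlist(build_sample(), browser_spawned_untrusted_with_netconn)` alerts only on the second-stage process (pid 400): the first stage is unknown to the feed and runs under Java, but it made no connection, so the rule stays quiet on it. `roll_back(rec, HOST, 400)` then walks the recorded parent links to explorer.exe, iexplore.exe, java.exe, stage1.exe, stage2.exe, and `scope(rec, HOST, 400)` returns the ten events belonging to that lineage (the file write, registry change, connection and injection included) while leaving out the unrelated svchost.exe traffic. The point of the design is that the rule and the roll-back both read from data that was already recorded before the alert, which is what lets the investigation start from the detection instead of from a fresh collection.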

Figure: The Threat Intelligence Cloud (threat indicators, reputation, attack classification) feeds the console, which instantly classifies the continuous data collection from each endpoint with applied threat intelligence.


Respond in Seconds with a Recorded History

By automating the tedious and time-consuming data acquisition process and layering threat intelligence on top of that visibility, responders can “roll back the tape” in Carbon Black to understand the root cause the instant compromise is discovered. By understanding the context and relationships within the collected data, Carbon Black also can perform surgical investigations to identify deleted payloads, lateral movement, malicious outbound connections, and more to identify every step, move and behavior of an attack. This enables responders to see the entire kill chain of an attack in seconds to fully scope the environment and instantly isolate, contain and remediate impacted machines.

By understanding root cause and the entire attack scope during an investigation, Carbon Black can reduce the cost of blind reimaging by only responding to affected endpoints. By leveraging a recorded history, Carbon Black also can help enterprises immediately learn from their investigations to improve their threat prevention, detection and response in the future.

Figure: With Carbon Black, instantly “roll back the tape” with a recorded history to understand the full attack scope. From the discovered activity the chain runs back through: takes malicious actions, injects code into Windows Explorer, spawns second stage payload, spawns first stage payload, is sent malicious Java applet, user visits website. The second-stage, injection and malicious-action steps appear twice, showing the same sequence repeated after lateral movement, along with a deleted payload.


Security As a Process

When developing an incident response plan, security should never be viewed as static. Everything should work as an ongoing process and lifecycle with the goal of ensuring that any response can evolve, adapt and learn from the investigation after it is concluded. Without continuous endpoint visibility and threat intelligence at the core of your enterprise’s response plan, this can be extremely difficult.


With proactive endpoint visibility at the backbone of Carbon Black, responders can detect, respond and remediate in seconds. However, the goal should be to evolve, adapt and strengthen your prevention and detection solutions moving forward as well.

With Carbon Black, any investigation can be saved as a watchlist to detect in real time moving forward. Additionally, both Carbon Black and Bit9 now work together to automate Carbon Black’s real-time detection capabilities with Bit9’s leading advanced threat prevention solution. Bit9 can now pull in Carbon Black watchlists and drive prevention policy off of those detection events as they occur—providing the most comprehensive protection against advanced threats.

Figure: Response and prevention cycle. Visibility: know what’s happening on every computer right now. Detection: detect attacks in real time without signatures. Response: use a recorded history to see an attack’s full kill chain. Prevention: stop attacks with proactive, customizable techniques. Workflow: define watchlists in Carbon Black; automate watchlist alerts from Carbon Black in Bit9; leverage Bit9 event rules to automate prevention policy off Carbon Black watchlist alerts; instantly dive back into Carbon Black for deeper analysis and investigations.


266 Second Avenue, Waltham, MA 02451 USA. P 617.393.7400 F 617.393.7499. www.bit9.com

ABOUT BIT9 + CARBON BLACK

The combination of Bit9 + Carbon Black offers the most complete answer to the newer, more advanced threats and targeted attacks intent on breaching an organization’s endpoints. This comprehensive approach makes it easier for organizations to see—and immediately stop—advanced threats. Our solution combines Carbon Black’s lightweight endpoint sensor, which can be rapidly deployed with no configuration to deliver “incident response in seconds,” and Bit9’s industry-leading prevention technologies. Benefits include:

+ Continuous, real-time visibility into what’s happening on every computer
+ Real-time threat detection, without relying on signatures
+ Instant response by seeing the full “kill chain” of any attack
+ Protection that is proactive and customizable

Bit9 + Carbon Black delivers a comprehensive solution for continuous endpoint threat security. This is why thousands of organizations worldwide—from 25 Fortune 100 companies to small businesses—use our proven solution. The result is increased security, reduced operational costs and improved compliance.

© 2014 Bit9 is a registered trademark of Bit9, Inc. All other company or product names may be the trademarks of their respective owners. 20140930

Security Platform Over Product

Most security solutions lock you into their ecosystem. Part of the challenge when leveraging multiple security products is getting them to work together and collaborate to give you the level of protection you desire. This could be integrating your existing endpoint security with network security products, pulling in third-party threat intelligence providers, combining multiple security products, or other challenges.

Carbon Black is a security platform, not a product. We understand that it’s your data to use how you want. By leveraging Carbon Black’s open API, you can easily and seamlessly integrate all endpoint sensor data and threat intelligence with custom, proprietary or third-party security solutions. Also, you can easily pull network providers and custom threat feeds into Carbon Black to tailor your detection and response capabilities for your specific enterprise. IT hires staff to support technology. Security operations buys technology to support staff. Invest in solutions that enable your people to make the best possible decisions.

Summary

Enterprises are in a state of continuous compromise. To combat this, organizations need to prepare for a breach so you can instantly respond at the moment a threat is discovered. This means deploying solutions that can again:

+ Automate the tedious and time-consuming data acquisition process
+ Aggregate and apply comprehensive threat intelligence
+ Leverage recorded history to surgically investigate across entire attack processes
+ Evolve and learn from your response to adapt detection and prevention solutions

Unlike scan-based data collection tools that only deliver the current state of your environment, Carbon Black can expand detection beyond the moment of compromise to detect and respond to attacks across the entire kill chain. As a result, Carbon Black makes advanced threats easier to see and faster to contain by empowering SOC and IR teams to arm their endpoints against the most advanced and targeted threats.