Carbon Black is introducing at RSA Conference 2017 next week a new way for its gear to detect attacks that don’t make their way into networks via viruses or malicious files that other endpoint security software can detect.
Called Streaming Prevention, the technology can find both malware and non-malware attacks by analyzing endpoint activities in the context of the sequences in which they unfold.
It does this by having endpoint agents tag events as they occur and stream them to Carbon Black’s analysis engine in the cloud. There the engine determines whether each event falls within a sequence of events that together add up to an attack and, if so, tells the endpoint to block the activity deemed malicious.
Streaming Prevention is part of the next scheduled upgrade to the company’s CB Defense endpoint-protection platform and will be available in April. Endpoint security is a major topic at RSA due to the prevalence of attacks that focus on these devices.
The cloud analytics are based on constant analysis of data sent from the tens of millions of endpoints under Carbon Black’s protection. From that data Carbon Black generates statistical models that decide whether seemingly innocent endpoint activity is actually malicious.
Analysts cull through the data to find attacks the analytics engine missed and figure out why. They tweak the algorithms that sort through live streaming data from customer endpoints so they won’t miss the same attack the next time.
Non-malware attacks use legitimate tools such as PowerShell, Remote Desktop and Flash to mask malicious activity. It’s perfectly normal for Remote Desktop to connect to other devices, but in combination with other events, that same Remote Desktop activity could, for example, be part of an attempt to move laterally within a network.
The context of these tagged events is what makes it possible to find the bad behavior.
This is different from detection that is based on a single indicator such as a malicious file that has a known signature or reputation. That type of detection does pick up on the bad files, but won’t recognize when PowerShell is up to something bad.
Because the CB Defense cloud gives insight into tens of millions of endpoints, it reduces both false positives and false negatives, the company says. When the analytics in the cloud determine that an event, in the context of other events, constitutes an attack, the cloud sends down a command to block it.
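The difference between single-indicator detection and sequence-in-context detection, as an added illustration that is not Carbon Black’s code: a small Python stream evaluator run over constructed endpoint events. The sequence rule (an Office application spawns PowerShell, which then opens a Remote Desktop connection on the same host within a short window), the event fields and the sample events are all assumptions made for this example.

```python
from typing import Callable, Dict, List, Tuple

# Constructed sample endpoint telemetry (not real product data).
# Fields: timestamp (s), host, acting process, event type, event detail.
Event = Tuple[int, str, str, str, str]
SAMPLE_EVENTS: List[Event] = [
    (100, "ws-01", "outlook.exe",    "child_process", "powershell.exe"),
    (103, "ws-01", "powershell.exe", "net_connect",   "10.0.0.5:3389"),
    (200, "ws-02", "explorer.exe",   "child_process", "powershell.exe"),  # admin script
    (300, "ws-03", "mstsc.exe",      "net_connect",   "10.0.0.7:3389"),   # routine RDP use
    (900, "ws-04", "winword.exe",    "child_process", "powershell.exe"),
    (5000, "ws-04", "powershell.exe", "net_connect",  "10.0.0.9:3389"),   # far outside window
]

OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe"}

# Naive single-indicator rules: "PowerShell started" or "RDP connection made".
# Each fires on ordinary administrative activity, so they are noisy.
INDICATORS: List[Callable[[Event], bool]] = [
    lambda e: e[3] == "child_process" and e[4] == "powershell.exe",
    lambda e: e[3] == "net_connect" and e[4].endswith(":3389"),
]

# Hypothetical sequence rule: an Office app spawns PowerShell, then that
# PowerShell process opens an RDP connection, same host, within WINDOW seconds.
SEQUENCE: List[Callable[[Event], bool]] = [
    lambda e: e[3] == "child_process" and e[2] in OFFICE_APPS and e[4] == "powershell.exe",
    lambda e: e[3] == "net_connect" and e[2] == "powershell.exe" and e[4].endswith(":3389"),
]
WINDOW = 60

def single_indicator_hits(events: List[Event]) -> List[str]:
    """Flag every host on which any one indicator fires, regardless of context."""
    return sorted({e[1] for e in events if any(ind(e) for ind in INDICATORS)})

def sequence_hits(events: List[Event]) -> List[str]:
    """Flag a host only when the steps occur in order, on that host, within WINDOW."""
    progress: Dict[str, Tuple[int, int]] = {}  # host -> (next step index, start ts)
    flagged = set()
    for e in sorted(events):  # evaluate in time order, as a stream would arrive
        ts, host = e[0], e[1]
        idx, start = progress.get(host, (0, ts))
        if idx > 0 and ts - start > WINDOW:
            idx, start = 0, ts          # window expired: start matching over
        if SEQUENCE[idx](e):
            idx += 1
            if idx == len(SEQUENCE):
                flagged.add(host)       # sequence complete: this is what gets blocked
                idx, start = 0, ts
            elif idx == 1:
                start = ts              # first step seen: open the window
        progress[host] = (idx, start)
    return sorted(flagged)
```

Run on the sample, the indicator rules flag all four hosts while the sequence rule flags only ws-01; ws-04 is not flagged because its two steps fall outside the window.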