Page 1:

©2014 Bit9. All Rights Reserved

Endpoint Threat Prevention

Charles Roussey | Sr. Sales Engineer

Detection and Response in Seconds

Page 2:

July 2014

Arm Your Endpoints!

“Organizations continue to spend a lot of money on network security solutions, but it’s the endpoint that is the ultimate target of advanced threats and attacks.”

Page 3:

Bit9, Inc. : One Company – Two Products

Leader in Endpoint Threat Prevention, Detection, and Response

Large Partner Ecosystem and Integrations

• Founded 2002
• 1,200+ customers
• 1.5M+ endpoints
• 30+ Fortune 100
• Large enterprise and SMB
• Single customer deployments over 100,000 endpoints

Rapidly Detect & Respond to Threats

Reduce Your Attack Surface


Network Security SIEM and Analytics IR & MSSP Threat Intelligence

Page 4:

Bit9 + Carbon Black: Arm Your Endpoints

For IT and security teams managing desktops, servers, and fixed-function devices

+ World’s most widely deployed application control/whitelisting solution

+ Single agent for visibility, detection, response, prevention

+ Trust-based and policy-driven

+ Threat Intelligence Cloud

PROTECTION

For Incident Response teams

+ Detection and response in seconds

+ Rapid deployment, zero admin

+ Real-time visibility and recorded history provides full “kill chain” analysis

+ Customizable detection

+ Threat Intelligence Cloud

RESPONSE

Page 5:

The Bit9 Security Platform

POSITIVE SECURITY

A positive security model is one that defines what is allowed, and rejects everything else. This should be contrasted with a negative security model, which defines what is disallowed, while implicitly allowing everything else.

The benefit of using a positive model is that new attacks, not anticipated by the developer, will be prevented…

Definition from OWASP - https://www.owasp.org/index.php/Positive_security_model
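The difference between the two models is easiest to see on a binary that neither list has ever seen. The following is an added example written for this page, not Bit9 code or the OWASP reference: it models a negative (denylist) and a positive (allowlist) execution policy over SHA-256 file hashes and evaluates a few constructed sample "binaries" under both. The sample contents, the names, and the hash-based identity of an "approved" file are assumptions made for the illustration.

```python
import hashlib
from typing import Dict, Set, Tuple


def fingerprint(content: bytes) -> str:
    """Identify a binary by the SHA-256 of its bytes (assumed identity scheme)."""
    return hashlib.sha256(content).hexdigest()


# Constructed sample binaries; the byte strings stand in for real executables.
SAMPLES: Dict[str, bytes] = {
    "approved-tool.exe": b"MZ trusted build 1.0",
    "patched-tool.exe": b"MZ trusted build 1.0 + one extra byte",  # approved tool, modified
    "known-malware.exe": b"MZ signature-matched sample",
    "unknown-dropper.exe": b"MZ never-before-seen payload",
}

# Negative model: enumerate what is bad; everything else is implicitly allowed.
DENYLIST: Set[str] = {fingerprint(SAMPLES["known-malware.exe"])}

# Positive model: enumerate what is approved; everything else is implicitly denied.
ALLOWLIST: Set[str] = {fingerprint(SAMPLES["approved-tool.exe"])}


def negative_model(digest: str) -> str:
    """Detect-and-deny: block only what is known bad."""
    return "deny" if digest in DENYLIST else "allow"


def positive_model(digest: str) -> str:
    """Default-deny: run only what has been explicitly approved."""
    return "allow" if digest in ALLOWLIST else "deny"


def evaluate(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[str, str]]:
    """Return {name: (negative-model decision, positive-model decision)}."""
    results: Dict[str, Tuple[str, str]] = {}
    for name, content in samples.items():
        digest = fingerprint(content)
        results[name] = (negative_model(digest), positive_model(digest))
    return results


if __name__ == "__main__":
    for name, (neg, pos) in evaluate().items():
        print(f"{name:22} negative={neg:5} positive={pos}")
```

The two rows that matter are the unknown dropper and the patched copy of the approved tool: the denylist has no entry for either and lets both run, while the allowlist denies both because neither hash was ever approved. That is the "new attacks, not anticipated by the developer" property in the OWASP definition, and it is also why a positive model needs an approval workflow (user or IT) for legitimate new software.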

Page 6:

CHALLENGE

Advanced Threat Prevention

Stop attacks with proactive prevention customizable for each user and system

Traditional endpoint security doesn’t stop advanced threats

• Detect-and-deny
• Detonate-and-deny
• Default-deny (user approval)
• Default-deny (IT approval)

Low Enforcement

Medium Enforcement

High Enforcement

“Antivirus is fighting a losing battle….”

“Malware threats continue to overwhelm traditional defensive techniques.”

Page 7:

CHALLENGE

Continuous Endpoint Visibility

Know what’s happening on every endpoint and server right now

You’re blind on your endpoints and servers

Fixed-Function Devices

Virtual/Physical Servers

Desktops & Laptops

What’s running?

Is malware on my computers?

Which ones?

Did it execute?

What did it do?

Did it delete itself?

Where did it spread?

What machines need cleanup?

How many versions of Java?

All file modifications

All file executions

All registry modifications

All network connections

Copy of every executed binary

• Lightweight, easy to deploy
• No sweeps, scans, or polls

Real-time sensor sees and records everything

Page 8:

CHALLENGE

Incident Response in Seconds

Use a recorded history to see an attack’s full kill chain; contain and remediate attacks

Incident response is too slow and expensive

• See entire kill chain
• Identify root cause

Don’t react … prepare for the breach!

Reactively collecting data after a breach is difficult and expensive

Proactively collecting data before a breach is automated and efficient

Threat Intelligence Cloud

“Kill chain”

All file modifications

All file executions

All registry modifications

All network connections

Copy of every executed binary

1. How did it start?
2. Where did it spread?
3. What did it do?
4. What do I do now?

BREACH
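The four questions above are all answerable from a recorded history of process starts, file and registry modifications, and network connections, provided the records carry parent/child and host/hash relationships. The following is an added example written for this page, not Carbon Black's sensor format or query API: it walks a small constructed event log (hostnames, PIDs, paths, the 203.0.113.10 test-range address, and the "h-…" hash labels are all invented) and answers each question with a plain lookup.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    """One recorded endpoint event. The schema is an assumption for this example."""
    host: str
    kind: str                  # "proc", "filemod", "regmod" or "netconn"
    pid: int
    ppid: Optional[int] = None  # parent PID, only meaningful for "proc"
    image: str = ""            # executable name, only for "proc"
    digest: str = ""           # hash label of the executed binary, only for "proc"
    detail: str = ""           # path, key or remote address for the other kinds


# Constructed sample history: a mail attachment spawns a dropper on ws01, which
# writes a persistence binary, registers it in Run, beacons out, and later the
# same binary is seen executing and beaconing on ws02.
EVENTS: List[Event] = [
    Event("ws01", "proc", 100, None, "explorer.exe", "h-explorer"),
    Event("ws01", "proc", 200, 100, "outlook.exe", "h-outlook"),
    Event("ws01", "proc", 300, 200, "invoice.pdf.exe", "h-bad"),
    Event("ws01", "filemod", 300, detail="C:\\Users\\a\\AppData\\svc.exe"),
    Event("ws01", "regmod", 300, detail="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
    Event("ws01", "netconn", 300, detail="203.0.113.10:443"),
    Event("ws01", "proc", 400, 300, "svc.exe", "h-svc"),
    Event("ws02", "proc", 500, 50, "svc.exe", "h-svc"),
    Event("ws02", "netconn", 500, detail="203.0.113.10:443"),
]


def _proc_index(events: List[Event]) -> Dict[Tuple[str, int], Event]:
    return {(e.host, e.pid): e for e in events if e.kind == "proc"}


def process_chain(events: List[Event], host: str, pid: int) -> List[str]:
    """1. How did it start? Walk parent links back to the root and list images."""
    index = _proc_index(events)
    chain: List[str] = []
    cur: Optional[int] = pid
    while cur is not None and (host, cur) in index:
        ev = index[(host, cur)]
        chain.append(ev.image)
        cur = ev.ppid
    return list(reversed(chain))


def hosts_running(events: List[Event], digest: str) -> List[str]:
    """2. Where did it spread? Every host on which this binary hash executed."""
    return sorted({e.host for e in events if e.kind == "proc" and e.digest == digest})


def actions_of(events: List[Event], host: str, pid: int) -> List[Tuple[str, str]]:
    """3. What did it do? Side effects of the process plus the children it started."""
    out: List[Tuple[str, str]] = []
    for e in events:
        if e.host != host:
            continue
        if e.kind != "proc" and e.pid == pid:
            out.append((e.kind, e.detail))
        elif e.kind == "proc" and e.ppid == pid:
            out.append(("proc", e.image))
    return out


def cleanup_targets(events: List[Event], digests: Set[str]) -> List[str]:
    """4. What do I do now? Hosts where any of the implicated hashes executed."""
    hosts: Set[str] = set()
    for d in digests:
        hosts.update(hosts_running(events, d))
    return sorted(hosts)


if __name__ == "__main__":
    print("start :", " -> ".join(process_chain(EVENTS, "ws01", 300)))
    print("spread:", hosts_running(EVENTS, "h-svc"))
    print("did   :", actions_of(EVENTS, "ws01", 300))
    print("clean :", cleanup_targets(EVENTS, {"h-bad", "h-svc"}))
```

Because the history was recorded before the breach, none of these answers require touching the endpoint again: the parent chain shows the root cause was a mail client spawning a double-extension executable, the hash lookup finds the second host without a sweep, and the cleanup list is the union of hosts that ran any implicated hash.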

Page 9:

Bit9 + Carbon Black Across the “Kill Chain”

Reconnaissance: Attacker researches potential victim

Weaponization: Attacker creates deliverable payload

Delivery: Attacker transmits weapon in environment

Exploitation: Attacker exploits vulnerability

Installation: Attacker changes system configuration

C2: Attacker establishes control channel

Action: Attacker attempts to exfiltrate data

Multiple, customizable forms of prevention

PREVENTION

1. How did it start?
2. Where did it spread?
3. What did it do?
4. What do I do now?

DETECTION AND RESPONSE

Page 10:

Bit9 + Carbon Black: Open and Extensible

Large Partner Ecosystem and Integrations

Network Security SIEM and Analytics IR & MSSP Threat Intelligence

20+ use

technology

Get the most out of your existing security investment

Page 11:

Transfer alerts

Submit files automatically

Submit files on demand

Incoming files on network

“Detonate” files for analysis

Advanced Threat Network Security

Prioritize network alerts

Investigate scope of the threat

Remediate endpoints and servers

Advanced Threat Endpoint and Server Security

Correlate endpoint/server and network data

Automatic analysis of all suspicious files

On-demand analysis of suspicious files

Endpoint and server files

Integration with Network Security: Automated Alert Analysis and Threat Remediation

Page 12:

What Makes Bit9 + Carbon Black Unique?

On- and off-network protection

Proven reliability and scalability

Real-time integration with network security leaders

Integrates seamlessly into your environment

Open APIs and integrations

• 1,000+ deployments
• Windows certified
• Largest scalability

Automated alert analysis and threat remediation

Multiple, customizable, signature-less forms of prevention

Choose the forms of prevention for your environment and users

Real-time monitoring and recording of endpoints and servers

Threat detection and response in seconds

Detect-and-Deny, Detonate-and-Deny, Default-Deny

Protect all users and servers, including remote and offline

Mac, Windows, and Linux, on- or off-network

Page 13:

Thank You