©2014 Bit9. All Rights Reserved
Endpoint Threat Prevention
Charles Roussey | Sr. Sales Engineer
Detection and Response in Seconds
July 2014
Arm Your Endpoints!
“Organizations continue to spend a lot of money on network security solutions, but
it’s the endpoint that is the ultimate target of advanced threats and attacks.”
Bit9, Inc.: One Company – Two Products
Leader in Endpoint Threat Prevention, Detection, and Response
Large Partner Ecosystem and Integrations
• Founded 2002
• 1,200+ customers
• 1.5M+ endpoints
• 30+ Fortune 100
• Large enterprise and SMB
• Single customer deployments over 100,000 endpoints
Rapidly Detect & Respond to Threats
Reduce Your Attack Surface
Partner categories: Network Security, SIEM and Analytics, IR & MSSP, Threat Intelligence
Bit9 + Carbon Black: Arm Your Endpoints
For IT and security teams managing desktops, servers,
and fixed-function devices
+ World’s most widely deployed application control/whitelisting solution
+ Single agent for visibility, detection, response, prevention
+ Trust-based and policy-driven
+ Threat Intelligence Cloud
PROTECTION
For Incident Response teams
+ Detection and response in seconds
+ Rapid deployment, zero admin
+ Real-time visibility and recorded history provides full “kill chain” analysis
+ Customizable detection
+ Threat Intelligence Cloud
RESPONSE
The Bit9 Security Platform
POSITIVE SECURITY
A positive security model is one that defines what is allowed, and rejects everything else. This should be contrasted with a negative security model, which defines what is disallowed, while implicitly allowing everything else.
The benefit of using a positive model is that new attacks, not anticipated by the developer, will be prevented…
Definition from OWASP - https://www.owasp.org/index.php/Positive_security_model
CHALLENGE
Advanced Threat Prevention
Stop attacks with proactive prevention customizable for each user and system
Traditional endpoint security doesn’t stop advanced threats
• Detect-and-deny
• Detonate-and-deny
• Default-deny (user approval)
• Default-deny (IT approval)
Low Enforcement
Medium Enforcement
High Enforcement
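As an added illustration (not Bit9 code, and not a description of how the Bit9 product implements these modes), the following Python policy checker models the OWASP positive/negative distinction and the four prevention modes listed above as decisions on a file hash. The Mode and Policy names, the hash-set representation of the policy, the sandbox verdict set and the sample file bytes are all constructed assumptions. The point it makes is the one in the OWASP definition: the never-seen file is allowed under the negative model (detect-and-deny) and blocked under every default-deny mode, without anyone having anticipated it.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    """The four prevention modes listed on the slide, modelled as policy modes (assumed names)."""
    DETECT_AND_DENY = 1    # negative model: block known-bad, let everything else run
    DETONATE_AND_DENY = 2  # unknown files are held until a sandbox verdict says clean
    DEFAULT_DENY_USER = 3  # positive model: unknown files need a local user approval
    DEFAULT_DENY_IT = 4    # positive model: only centrally IT-approved files run


@dataclass
class Policy:
    mode: Mode
    it_approved: set = field(default_factory=set)    # allowlist (positive model)
    known_bad: set = field(default_factory=set)      # denylist from threat intel (negative model)
    sandbox_clean: set = field(default_factory=set)  # hashes a detonation reported clean
    user_approved: set = field(default_factory=set)  # local approvals under DEFAULT_DENY_USER


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(policy: Policy, file_bytes: bytes, user_approves: bool = False) -> tuple:
    """Return (verdict, reason) for an attempt to execute file_bytes."""
    h = sha256(file_bytes)
    if h in policy.known_bad:                       # every mode blocks known-bad
        return ("deny", "known-bad hash")
    if h in policy.it_approved:                     # every mode allows IT-approved
        return ("allow", "IT-approved hash")
    # Unknown file: this is where the positive and negative models diverge.
    if policy.mode is Mode.DETECT_AND_DENY:
        return ("allow", "unknown; allowed and recorded")      # implicit allow
    if policy.mode is Mode.DETONATE_AND_DENY:
        if h in policy.sandbox_clean:
            return ("allow", "detonated clean")
        return ("deny", "unknown; held until detonation verdict")
    if policy.mode is Mode.DEFAULT_DENY_USER:
        if h in policy.user_approved:
            return ("allow", "previously user-approved")
        if user_approves:
            policy.user_approved.add(h)             # remember the local approval
            return ("allow", "user-approved now")
        return ("deny", "unknown; needs user approval")
    return ("deny", "unknown; needs IT approval")   # DEFAULT_DENY_IT


# Constructed sample files standing in for real binaries.
TRUSTED_TOOL = b"constructed: bytes of an IT-approved admin tool"
KNOWN_MALWARE = b"constructed: bytes of a sample already in threat intel"
NEVER_SEEN = b"constructed: bytes of a brand-new dropper nobody has analysed"


def run_matrix() -> dict:
    """Verdict for each sample file under each mode, keyed by mode name."""
    results = {}
    for mode in Mode:
        policy = Policy(mode, it_approved={sha256(TRUSTED_TOOL)},
                        known_bad={sha256(KNOWN_MALWARE)})
        results[mode.name] = {
            "trusted": decide(policy, TRUSTED_TOOL)[0],
            "known_bad": decide(policy, KNOWN_MALWARE)[0],
            "never_seen": decide(policy, NEVER_SEEN)[0],
        }
    return results


if __name__ == "__main__":
    for name, verdicts in run_matrix().items():
        print(f"{name:18s} {verdicts}")
```

Running the file prints the verdict matrix; the only row that changes across modes is "never_seen", which is the whole argument for a positive model. The user-approval path is stateful on purpose: once a user approves a hash under DEFAULT_DENY_USER, later executions of that same hash are allowed without a prompt, which is also why that mode is weaker than IT approval.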
“Antivirus is fighting a losing battle….”
“Malware threats continue to overwhelm traditional defensive techniques.”
CHALLENGE
Continuous Endpoint Visibility
Know what’s happening on every endpoint and server right now
You’re blind on your endpoints and servers
Fixed-Function Devices
Virtual/Physical Servers
Desktops & Laptops
What’s running?
Is malware on my computers?
Which ones?
Did it execute?
What did it do?
Did it delete itself?
Where did it spread?
What machines need cleanup?
How many versions of Java?
All file modifications
All file executions
All registry modifications
All network connections
Copy of every executed binary
• Lightweight, easy to deploy
• No sweeps, scans, or polls
Real-time sensor sees and records everything
CHALLENGE
Incident Response in Seconds
Use a recorded history to see an attack’s full kill chain; contain and remediate attacks
Incident response is too slow and expensive
• See entire kill chain
• Identify root cause
Don’t react … prepare for the breach!
Reactively collecting data after a breach is difficult and expensive
Proactively collecting data before a breach is automated and efficient
Threat Intelligence Cloud
“Kill chain”
All file modifications
All file executions
All registry modifications
All network connections
Copy of every executed binary
1. How did it start?
2. Where did it spread?
3. What did it do?
4. What do I do now?
BREACH
Bit9 + Carbon Black Across the “Kill Chain”
Reconnaissance: Attacker researches potential victim
Weaponization: Attacker creates deliverable payload
Delivery: Attacker transmits weapon in environment
Exploitation: Attacker exploits vulnerability
Installation: Attacker changes system configuration
C2: Attacker establishes control channel
Action: Attacker attempts to exfiltrate data
Multiple, customizable forms of prevention
PREVENTION
1. How did it start?
2. Where did it spread?
3. What did it do?
4. What do I do now?
DETECTION AND RESPONSE
Bit9 + Carbon Black: Open and Extensible
Large Partner Ecosystem and Integrations
Partner categories: Network Security, SIEM and Analytics, IR & MSSP, Threat Intelligence
20+ use technology
Get the most out of your existing security investment
Transfer alerts
Submit files automatically
Submit files on demand
Incoming files on network
“Detonate” files for analysis
Advanced Threat Network Security
Prioritize network alerts
Investigate scope of the threat
Remediate endpoints and servers
Advanced Threat Endpoint and Server Security
Correlate endpoint/server
and network data
Automatic analysis of all suspicious files
On-demand analysis of suspicious files
Endpoint and server files
Integration with Network Security: Automated Alert Analysis and Threat Remediation
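The incident response slide (the four questions answered from a recorded history of file modifications, executions, registry changes and network connections) and the integration slide (a network device reports a suspicious file, the endpoint side scopes and remediates it) describe the same workflow from two entry points. The following Python is an added example of that workflow, not Bit9 or Carbon Black code: it assumes a constructed sensor record schema (the Event class), a constructed two-workstation history with placeholder hashes and a documentation-range IP, and an investigate() function that takes the hash a network alert would carry and answers all four questions from the recorded events.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One record from a continuous endpoint sensor (constructed schema, not a vendor format)."""
    host: str
    ts: int           # seconds since the start of the recording
    kind: str         # "exec", "filemod", "regmod" or "netconn"
    pid: int
    parent: int       # parent pid for exec events, 0 if none or not applicable
    detail: str       # image path, modified path, registry key, or remote address
    sha256: str = ""  # hash of the executed image, exec events only


# Constructed recorded history from two workstations. Hashes are placeholders and
# 203.0.113.10 is a documentation address, not a real indicator.
DROPPER = "sha256-of-dropper-placeholder"
EVENTS = [
    Event("ws01", 10, "exec", 100, 0, r"C:\Program Files\Office\outlook.exe", "sha-outlook"),
    Event("ws01", 12, "exec", 200, 100, r"C:\Program Files\Office\winword.exe", "sha-winword"),
    Event("ws01", 15, "exec", 300, 200, r"C:\Windows\System32\powershell.exe", "sha-powershell"),
    Event("ws01", 18, "exec", 400, 300, r"C:\Users\bob\AppData\Local\Temp\update.exe", DROPPER),
    Event("ws01", 19, "filemod", 400, 0, r"C:\Users\bob\AppData\Roaming\svc.exe"),
    Event("ws01", 20, "regmod", 400, 0, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    Event("ws01", 21, "netconn", 400, 0, "203.0.113.10:443"),
    Event("ws01", 25, "filemod", 400, 0, r"deleted C:\Users\bob\AppData\Local\Temp\update.exe"),
    Event("ws02", 40, "exec", 500, 0, r"C:\Windows\explorer.exe", "sha-explorer"),
    Event("ws02", 42, "exec", 510, 500, r"C:\Users\alice\Downloads\update.exe", DROPPER),
    Event("ws02", 43, "netconn", 510, 0, "203.0.113.10:443"),
]


def exec_index(events):
    """Map (host, pid) to the exec event that started that process."""
    return {(e.host, e.pid): e for e in events if e.kind == "exec"}


def process_chain(events, host, pid):
    """Walk parent links back to the root process; returns image paths root-first."""
    execs = exec_index(events)
    chain, key, seen = [], (host, pid), set()
    while key in execs and key not in seen:   # 'seen' guards against a pid reuse loop
        seen.add(key)
        chain.append(execs[key].detail)
        key = (host, execs[key].parent)
    return list(reversed(chain))


def actions_of(events, host, pid):
    """Everything one process did, grouped by event kind (its own exec excluded)."""
    out = defaultdict(list)
    for e in events:
        if (e.host, e.pid) == (host, pid) and e.kind != "exec":
            out[e.kind].append(e.detail)
    return dict(out)


def investigate(events, sha):
    """Answer the four response questions for one file hash from recorded history."""
    hits = sorted((e for e in events if e.kind == "exec" and e.sha256 == sha),
                  key=lambda e: e.ts)
    if not hits:
        return None                           # hash never executed: nothing to clean up
    first = hits[0]                           # earliest execution anywhere: the start
    dropper_pids = {(e.host, e.pid) for e in hits}
    remotes = sorted({e.detail for e in events
                      if e.kind == "netconn" and (e.host, e.pid) in dropper_pids})
    hosts = sorted({e.host for e in hits})
    return {
        "how_did_it_start": process_chain(events, first.host, first.pid),
        "where_did_it_spread": hosts,
        "what_did_it_do": actions_of(events, first.host, first.pid),
        "what_do_i_do_now": {"ban_hash": sha, "clean_hosts": hosts,
                             "block_addresses": remotes},
    }


if __name__ == "__main__":
    for question, answer in investigate(EVENTS, DROPPER).items():
        print(f"{question}: {answer}")
```

The answers come entirely from data recorded before anyone knew there was an incident, which is the slide's "prepare for the breach" point: the parent chain shows the mail client, document and script host that preceded the dropper, the hash lookup shows the second workstation where it ran under a different path and user, and the dropper's own event list shows the persistence key, the dropped file and the self-deletion that a post-breach disk sweep would have missed.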
What Makes Bit9 + Carbon Black Unique?
On- and off-network protection
Proven reliability and scalability
Real-time integration with network security leaders
Integrates seamlessly into your environment
Open APIs and integrations
• 1,000+ deployments
• Windows certified
• Largest scalability
Automated alert analysis and threat remediation
Multiple, customizable, signature-less forms of prevention
Choose the forms of prevention for your environment and users
Real-time monitoring and recording of endpoints and servers
Threat detection and response in seconds
Detect-and-Deny, Detonate-and-Deny, Default-Deny
Protect all users and servers, including remote and offline
Mac, Windows, and Linux, on- or off-network
Thank You