©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture

CONTINUOUS endpoint recorder INSTANT, aggregated threat intel. COMPLETE kill chain analysis CUSTOMIZED detection CONTINUOUS RECORDING IMMEDIATE endpoint threat isolation LIVE endpoint investigation REAL-TIME attack termination COMPREHENSIVE threat remediation LIVE RESPONSE First & only solution with continuous endpoint recording and live response Carbon Black: Industry’s Best ETDR Solution

“There are two kinds of companies: those that have been breached and those that don’t know it yet.” *Sources: Mandiant, Verizon CIO Fortune 100 company Days to discover* 243 Discovered externally* 69 % Average cost* $ 5.4 MILLION “In 2020, enterprises will be in a state of continuous compromise.” The Problem: Advanced Threats = $$$

July 2014 The Network is Not the Target “Organizations continue to spend a lot of money on network security solutions, but it’s the endpoint that is the ultimate target of advanced threats and attacks.” “Firewalls [are] becoming less and less effective in a perimeter-less world ” Dec “When the perimeter disappears, we certainly would argue that the endpoint is the perimeter.” Dec. 2014

Traditional Defenses Were Designed for Opp. Attacks OPPORTUNISTIC ADVANCED Goal for attacker is to compromise as few endpoints as possible Goal for attacker is to compromise as many endpoints as possible Hosts Compromised Time DETECTION THRESHOLD Signature available Hosts Compromised Time Signature available (if ever) ?

DETECTION RESPONSE RECOVERY Reduce Dwell Time By Prioritizing Data Collection Compromised (attacker present) Recovered (attacker expelled) Breach Discovered (attacker identified) DWELL TIME Proactively collecting data here is automated, efficient & conclusive Reactively collecting data here is time consuming, expensive & incomplete DETECTION RESPONSE RECOVERY Compromised (attacker present) Recovered (attacker expelled) Breach Discovered (attacker identified) DWELL TIME Eliminate expensive data collection process Optimize security team Instant answers to complex IR questions Avoid blind reimaging Zero end-user/endpoint impact Reduce dwell time

Expand Detection Beyond the Moment of Compromise Abnormal Behavior Lateral Movement & User Accounts Exfiltration & Data Gathering Weeks to Months (Years) Traditional Focus Missed without continuous data collection Only See Individual Detection Event You can’t know what’s bad ahead of time

Java exploitation User visits website Is sent malicious Java applet Spawns first stage payload Spawns second stage payload Injects code into Windows Explorer Takes malicious actions DETECTED Goal: Understand root cause Detection probability increases over time Investigations seek root cause Traditional detection filters out endpoint visibility missing the full context of the attack Highlight detected activity within continuous recording to understand root cause and scope faster DETECTED Proactive data collection also enables ability to detect entire attack processes Highlight As Opposed to Filter Endpoint Visibility

IT and Company Culture: Is Your Environment Like This?

Or This?

Prioritize Alerts with Data Collection & Threat Intelligence !!! ! !!!!!!!!!!! ALERT FATIGUE Too many alerts to manage & prioritize ACTIONABLE ALERTS Accelerate threat discovery Customize detection for organization Detect every threat vector Narrow focus by understanding data Detection Discovery Threat Intelligence

Respond at the Moment of Discovery Spawns second stage payload Injects code into Windows Explorer Takes malicious actions Instantly “Roll back the tape” with a recorded history to understand scope DISCOVERED Prioritize investigations with applied threat intelligence User visits website Is sent malicious Java applet Spawns first stage payload Spawns second stage payload Injects code into Windows Explorer Takes malicious actions Lateral Movement User visits website Downloads PDF Deleted Payload Spawns second stage payload Injects code into Windows Explorer Takes malicious actions User visits website Is sent malicious Java applet Spawns first stage payload Spawns second stage payload Injects code into Windows Explorer Takes malicious actions Deleted Payload Lateral Movement DISCOVERED Learn from investigation to build detection moving forward ! DISCOVERED

Drive Action on Endpoints with Live Response User visits website Is sent malicious Java applet Spawns first stage payload Spawns second stage payload Injects code into Windows Explorer Takes malicious actions Deleted payload BLOCK NETWORK COMMUNICATION KILL ATTACK PROCESS IDENTIFY ROOT CAUSE & REMEDIATE MACHINE ✓ Responders manage multiple tools for continuous recording & live response MODERN VIEW One comprehensive IR solution ISOLATED Use one IR solution without dropping admin. credentials Built by responders for responders Customize on-sensor actions by executing third-party tools Remove IT out of SecOps equation

Security as a process versus as a solution

CONTINUOUS endpoint recorder INSTANT, aggregated threat intel. COMPLETE kill chain analysis CUSTOMIZED detection CONTINUOUS RECORDING IMMEDIATE endpoint threat isolation LIVE endpoint investigation REAL-TIME attack termination COMPREHENSIVE threat remediation LIVE RESPONSE First & only solution with continuous endpoint recording and live response Carbon Black: Industry’s Best ETDR Solution

Bit9 + Carbon Black: Arm Your Endpoints For IT and Security Teams Managing Desktops, Servers, and Fixed-function Devices +World’s most widely deployed application control/whitelisting solution +Single agent for visibility, detection, response, prevention +Trust-based and policy-driven The Most Comprehensive Endpoint Threat Protection Solution For Security Operations Center and Incident Response Teams +Only solution with continuous recording; live response; threat isolation, termination and remediation +Real-time customizable detection +Complete kill chain analysis based on recorded history and attack visualization The Leading Endpoint Threat Detection and Response Solution Open API and Integrations Threat Intelligence Cloud ReputationThreat IndicatorsAttack Attribution Supported Operating Systems Network Security, Analytics and SIEM, In-House & Custom Tools

Questions?