Excerpts From “Why Companies Are Replacing AV with Advanced Endpoint Security”

ID CARBONBLACK:FC8B143B84649D81422FAC111784B237
Type carbonblack
Reporter Katie DeMatteis
Modified 2018-09-26T17:00:57


Is legacy antivirus failing to keep your endpoints secure? In Carbon Black's recent webinar, Fulcanelli Chavez, Sr. Security Operations Analyst at D.A. Davidson, shared how switching from McAfee to Cb Defense has improved protection and simplified operations for his team.

Below are excerpts from the Q&A with speakers:

Molly Conway: Senior Manager of Product Marketing focusing on Carbon Black’s Predictive Security Cloud platform. She has more than 13 years of experience in networking, security and software. Molly holds a BA from the University of Michigan and an MBA from Massachusetts Institute of Technology Sloan School of Management.

Fulcanelli “Fuli” Chavez: Sr. Security Operations Analyst for D.A. Davidson Companies, a financial services company based out of Great Falls, Montana. He has over 20 years of experience in Information Technology along with over 15 years of experience in Information Security. In addition to his current position, he has been a consultant, manager, and postsecondary educator. As an educator, Fuli was an instructor and program chair for accredited associate and bachelor level degrees in IT and IS. He has an MS in Engineering and a BS in Chemical Engineering from the University of Washington, and holds several IT/IS certifications including CISSP and CISA.

Question: How did you convince your management team that it was time for a change from traditional antivirus, which has been around forever, to a new product like Cb Defense?

Fuli Chavez: It took a while to get everyone to understand the value of it. We did quite a bit of testing of different solutions. We had to prove that the technology we chose could handle what we needed it to do. We ran zero day malware evaluations in which we would detonate malware samples against a variety of different systems and we would report the results back. A lot of the traditional AV only used signatures to identify malware, which wasn’t good enough. We also had to make sure that the solution we went with wasn’t intrusive to the end user and that users could perform any functions they needed to easily. Cb Defense ran in the background, and the solution was installed without any impact to the end user. It was seamless, quiet, and non-disruptive. We could get reports of potential blocks and whitelist them before users even knew there was an issue.

Question: What was your evaluation process with different vendors and why did you choose Cb Defense?

Fuli Chavez: Ultimately, we chose it because it met all of our requirements. It gave us an in depth analysis of all the events on our endpoints along with on and off prem protection. We could manage our systems regardless of where they were. When we added something to a blacklist or whitelist, it auto updated on every system connected to the cloud. The overall breadth of what Cb Defense could accomplish was tremendous.

Question: Is the full functionality of Carbon Black available through a single agent?

Molly Conway: Yes! Carbon Black Defense sits on our predictive security cloud platform (PSC). The beauty of Cb Defense and our other products and services is that they are deployed on a single agent. Cb Defense is our product for next-gen antivirus and endpoint detection and response. And the PSC scales and grows with you. If you want more advanced threat hunting capabilities, for example, you can deploy those services on the same lightweight agent. The cloud allows for a simpler management model. You get all the security services you want, in one agent, with easy to manage workflows—making advanced endpoint security as easy as possible for you.

Question: Since replacing your traditional AV, what’s the biggest change you’ve seen in your organization?

Fuli Chavez: The biggest change is that our model towards endpoint security is much more proactive because we don’t have to spend as much time remediating issues. We can use the time we used to spend on remediation really evaluating process sequences and how particular binaries that we identify as being malicious got into the system. This allows us to further enhance our security layers based on our findings.

Question: You mentioned that Cb Defense gives you visibility that you didn’t have before. What kind of tools and information does it give you when a threat occurs, and how does it facilitate threat hunting?

Fuli Chavez: For threat hunting, we have the ability to go back through all our historical endpoint data and decide if a specific behavior is something I might want to block. For example, if there have been several instances of a specific malicious behavior being done with PowerShell, we can block just that behavior across all devices. We don’t have to block the entire PowerShell command itself, but we can limit what it can do within our normal environment. In my case, I was able to identify that a specific behavior should be isolated and blocked on all our systems based on what had happened over the last three months. It’s easy to quickly pare information down and do analysis, which is mind blowing in comparison to what we had before. With traditional AV the only information we had was that something malicious had been found, where it had been found, and that it was quarantined. With Cb Defense, we can see every detail around that behavior and create rules around it.

Question: Do you have any examples of an attack that CbD caught that your previous AV vendor would have missed?

Fuli Chavez: The first example that comes to mind is ransomware where there’s an executable that bypasses defenses at the network layer. These particular files are trying to create a binary within the temp directory. Cb Defense was able to identify that it was malicious behavior and fully block it, even though there was no known signature present.

Question: Does Cb Defense have any integrations with SIEM solutions?

Molly Conway: Yes. We integrate with any SIEM that accepts SysLog format data. The data sent to SIEM can be customized from any and all alerts that are generated in Cb Defense, to specific alerts that need pointed criteria. We have pre-built integrations that you can leverage, as well as open APIs that you can use to build your own custom workflows with other security tools in your stack. You can learn more about this on our website if you search for Cb integration networks. We have over 100 partnerships with security firms where we have pre-built integrations in addition to our open APIs.

Question: We often see problems when users download files trusted by search engines. How would Cb Defense work in that case?

Molly Conway: I think the best way to answer this is to go into a bit of detail about how we predict and prevent attacks. We use a concept called streaming analytics, also known as event stream processing. We look at and analyze the series of behaviors, so while an application might be trusted, we understand that a chain of behaviors may not be normal. We’re looking at patterns to predict and prevent attacks, and noticing that a certain chain of behavior doesn’t make sense. The other key piece that differentiates us is the way we analyze and collect the full picture of endpoint activity. We’re like a surveillance camera on your endpoint, collecting all that history and analyzing it. It’s the power of those two things combined, the unfiltered complete data set along with streaming analytics, that makes our approach to security totally unique. Other NGAV solutions aren’t giving you the full historical context, they’re only capturing activity that they think is bad—which isn’t enough.
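The behavior-chain idea running through the answers above (blocking one specific PowerShell behavior rather than PowerShell itself, the ransomware sample that dropped a binary into the temp directory, and "streaming analytics" over a sequence of events) can be sketched as a small stream rule. This is an added illustration, not Carbon Black's code, event format or policy syntax; the event tuples, process names and paths are constructed for the example.

```python
"""Behavior-chain detection over an endpoint event stream (constructed example).

Each event is (timestamp, pid, parent_pid, image, action, target). The rule
never looks at a file hash or signature; it fires on the *sequence*:
  Office app -> spawns script interpreter -> writes an executable into Temp
  -> that dropped executable is launched.
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr")

# Constructed sample stream: a document spawns PowerShell, which drops and runs
# a binary in Temp (pids 200/300/400); an admin PowerShell session (pid 500)
# writes a text file and must NOT be flagged.
EVENTS = [
    (1, 100, 1,   "explorer.exe",   "start",      ""),
    (2, 200, 100, "winword.exe",    "start",      "quarterly.docx"),
    (3, 300, 200, "powershell.exe", "start",      "-NoProfile"),
    (4, 300, 200, "powershell.exe", "file_write", r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    (5, 400, 300, "update.exe",     "start",      r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    (6, 500, 100, "powershell.exe", "start",      "Get-Service"),
    (7, 500, 100, "powershell.exe", "file_write", r"C:\Users\bob\Documents\report.txt"),
]


def is_temp_executable(path: str) -> bool:
    """True for an executable-looking file under any ...\\Temp\\ directory."""
    p = path.lower().replace("/", "\\")
    return "\\temp\\" in p and p.endswith(EXEC_SUFFIXES)


def detect_chains(events):
    """Consume events in order and return (timestamp, pid, rule_name) alerts."""
    procs = {}    # pid -> (image, parent_pid), the process lineage seen so far
    dropped = {}  # lowercase path -> pid of the interpreter that wrote it
    alerts = []
    for ts, pid, ppid, image, action, target in events:
        image = image.lower()
        if action == "start":
            procs[pid] = (image, ppid)
            # Stage 3: a binary dropped earlier in a flagged chain is now executed.
            if target.lower() in dropped:
                alerts.append((ts, pid, "dropped_binary_executed"))
        elif action == "file_write":
            me, parent = procs.get(pid), procs.get(ppid)
            # Stages 1-2: interpreter whose parent is an Office app writes to Temp.
            if (me and me[0] in INTERPRETERS and parent and parent[0] in OFFICE_APPS
                    and is_temp_executable(target)):
                dropped[target.lower()] = pid
                alerts.append((ts, pid, "office_spawned_interpreter_wrote_temp_exe"))
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(EVENTS):
        print(alert)
```

Because the rule keys on lineage and action rather than on the interpreter's name, the benign PowerShell session in the same stream produces no alert, which is the "block the behavior, not the tool" point made above.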

Question: Does Cb Defense require you to set up custom policies, and how easy or difficult are they to set up?

Fuli Chavez: When we first implemented Cb Defense, we utilized the policies that Carbon Black suggested. We went through a series of policies starting with a monitor only policy that was set to evaluate and gather information about all of the systems. At that point we were using Cb Defense in conjunction with traditional AV. Next, we added more functionality. 24 hours after our initial deployment, we went into a second policy level. This was a very basic policy that evaluated any malicious behavior or binaries and blocked them. From there, we went to the standard policy that Cb Defense recommends. Then, I began collecting data and making changes to this policy to enhance it based on our individual scenarios. It was very easy. At this point, I’m very comfortable making the modifications I need and gaining the visibility into how these changes occur. As soon as a change is made, I’m notified about how it impacts our systems. It’s not something I need to do often, but it’s nice to have the option.

Question: What kind of reporting capability exists in Cb Defense today?

Molly Conway: You can export all environmental data for any custom time frame with the click of a button from the Cb Defense dashboard. You can also export data from specific modules for more granular reporting, and all data is exported as an Excel-friendly .CSV file. If the specific report isn’t already built into the console, you can use the Cb Defense API to pull customized information from the cloud for use in building out reports, as well.

For more about how you could benefit from replacing your traditional AV solution, check out the full webinar.

