

Bit9 + Carbon Black Can Empower An Integrated Cybersecurity Architecture for Automation and Orchestration

By Jon Oltsik, Senior Principal Analyst
July 2015

This ESG White Paper was commissioned by Bit9 and is distributed under license from ESG.
© 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved.

Contents

Overview ........ 3
How Does An Integrated Cybersecurity Architecture Work? ........ 5
Customer Use Case for ICOP Integration with Bit9 + Carbon Black ........ 6
The Bigger Truth ........ 7

Overview

Enterprise security professionals claim that all aspects of cybersecurity have become more difficult over the past few years. Why? ESG research points to a few overriding factors, including:

• The dangerous threat landscape. Ominous cyber-threats are top of mind within the infosec community. 38% of security professionals say that network security has grown more difficult as a result of an increase in sophisticated malware, 32% point to an increase in targeted attacks, and 25% equate malware volume with security issues.1 Increasing and sophisticated cyber-threats have a negative impact on security tasks, controls, and oversight.

• IT complexity. Security professionals are addressing the treacherous threat landscape as the IT infrastructure evolves. For example, 36% of organizations say they have increased the number of devices with access to the network, expanding the global attack surface, while 21% claim that increasing use of cloud computing is making security more difficult.2 As every security professional knows, “complexity is the enemy of security.” Clearly, IT adoption of cloud computing and mobile applications is making security more complex and difficult.

• Existing security processes and technologies. Enterprise security often depends upon an army of point tools and complex manual processes. This forces cybersecurity professionals to mitigate risk and investigate security incidents on a tool-by-tool basis, which can be extremely time-consuming and error-prone. This situation is especially troubling in light of the global cybersecurity skills shortage—ESG research indicates that 28% of organizations have a “problematic shortage” of IT security skills,3 making security tasks more difficult.

“What’s the problem? We have too many alerts, too many controls, and not enough security people!” --Media Company

In summary, cyber-adversaries are rapidly advancing their tactics, techniques, and procedures (TTPs) while enterprise security defenses improve incrementally. This imbalance is creating a growing IT risk gap (see Figure 1)—an ominous situation that is getting more and more attention in the boardroom.

1 Source: ESG Research Report, Network Security Trends in the Era of Cloud and Mobile Computing, August 2014.
2 Source: Ibid.
3 Source: ESG Research Report, 2015 IT Spending Intentions Survey, February 2015.

Figure 1. The Growing IT Risk Gap
Source: Enterprise Strategy Group, 2015.

Recognizing the problems described above, CISOs are actively creating cybersecurity strategies that bridge the IT risk gap. In fact, ESG research indicates that 52% of cybersecurity professionals say that prevention and detection of cybersecurity incidents are the most important strategic priorities at their organizations. To accomplish this, 48% say that they need to build an integrated cybersecurity architecture featuring central command-and-control (i.e., policy management, configuration management, reporting, etc.) and distributed enforcement.4

In the past, this meant “ripping and replacing” existing security tools with product suites from a single vendor, but wholesale cybersecurity technology replacement is difficult, if not impossible, as it can be resource-intensive, time-consuming, and cost-prohibitive. Fortunately, many enterprises are pursuing an emerging alternative strategy. Organizations are actively integrating their security tools into a common cybersecurity architecture to accelerate, automate, and orchestrate cybersecurity processes for incident prevention, detection, and response. In fact, multiple types of integrated cybersecurity automation and orchestration architectures are emerging, including:

• Open source software. In May of this year, media darling Netflix announced the open source release of FIDO (fully integrated defense operation), its system for automatically analyzing security events and responding to security incidents. FIDO is available for download on GitHub.

• US Federal Government initiatives. Several US Government agencies are engaged in projects similar to FIDO. For example, the Department of Defense (DoD) is working on an ICOP effort called the Integrated Active Cyber Defense (IACD) and collaborating with the Department of Homeland Security (DHS) on a similar project dubbed the Enterprise Automated Security Environment (EASE).

4 Source: ESG Research Report, Network Security Trends in the Era of Cloud and Mobile Computing, August 2014.

• ISV products. Cybersecurity startups such as Hexidite, Invotas, Phantom Cyber, and Resilient Systems are developing and marketing turnkey ICOP architectures.

How Does An Integrated Cybersecurity Architecture Work?

Think of a software architecture that is specifically designed to unify and automate the incident detection, analysis, and response workflow. At a high level, this type of integrated cybersecurity architecture can be broken into three components (see Figure 2):

• Inputs: Suppose an IDS/IPS or malware analytics technology generates an alert. To gain further context in the past, the SOC team was forced to examine other cybersecurity telemetry like endpoint/network forensics, IDS/IPS, and threat intelligence sequentially and independently. Consequently, correlating security data was a manual, tedious process. An integrated cybersecurity architecture is designed to overcome these issues by consolidating data collection from assorted detection technologies and threat intelligence feeds. This integration can be done through product APIs, message buses, or the collection of log files. An integrated cybersecurity architecture aggregates all inputs and sends them to a central hub for further action.

• Capabilities and activities: The architecture can add immense value here by combining, contextualizing, and enriching assorted telemetry. When an anti-malware sandbox detects a suspicious file, an integrated cybersecurity architecture can be configured to immediately associate this alert with other related data sources from endpoint/network forensics tools, firewall logs, and threat intelligence feeds. In this way, an integrated cybersecurity architecture can be designed to present security analysts with as much contextual information as possible to streamline investigation and response processes. By looking across all of the available telemetry, an integrated cybersecurity architecture can be instrumented to create risk scores to help the SOC team prioritize activities.

• Outputs: An integrated cybersecurity architecture can also be designed with automation and workflow in mind to help CISOs expedite incident response and remediation. Integrated cybersecurity architectures can be instrumented to execute an automated action such as quarantining a zombie PC to a remediation VLAN when they encounter an incident with a high risk score. Integrated cybersecurity architectures can also be instrumented to orchestrate remediation actions like creating a firewall rule to block a malicious IP address, or blacklisting a particular application or file on endpoints and web security gateways.

“We have a wealth of information at our disposal but worry about what our security telemetry is not telling us. Integrating our detection engines has helped us contextualize individual alerts. In this case, the whole is definitely greater than the sum of its parts.” --Technology Company
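The three-component flow described above (inputs aggregated at a central hub, correlation and risk scoring, then automated outputs such as a remediation-VLAN quarantine or a firewall block), as an added Python sketch that is not from the paper or from any Bit9 + Carbon Black product; the telemetry records, the threat-intel entry, the signal weights and the threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry standing in for the page's input sources
# (anti-malware sandbox, endpoint forensics, IDS/IPS); all values are made up.
INPUTS = [
    {"source": "sandbox",  "host": "ws-17", "sha256": "aa11", "verdict": "malicious"},
    {"source": "endpoint", "host": "ws-17", "sha256": "aa11", "event": "process_start"},
    {"source": "ids",      "host": "ws-17", "dst_ip": "203.0.113.9", "sig": "beacon"},
    {"source": "sandbox",  "host": "ws-42", "sha256": "bb22", "verdict": "suspicious"},
    {"source": "endpoint", "host": "ws-42", "sha256": "bb22", "event": "process_start"},
]
THREAT_INTEL = {"203.0.113.9": "known C2 server"}  # constructed feed entry
# Signal weights and the auto-quarantine threshold are illustrative choices.
WEIGHTS = {"sandbox_malicious": 40, "sandbox_suspicious": 15,
           "endpoint_executed": 25, "ids_alert": 15, "intel_match": 30}
QUARANTINE_THRESHOLD = 70

def aggregate(inputs):
    """Inputs stage: the central hub collects every event into one record per host."""
    incidents = defaultdict(lambda: {"events": [], "hashes": set(), "dst_ips": set()})
    for ev in inputs:
        inc = incidents[ev["host"]]
        inc["events"].append(ev)
        if "sha256" in ev:
            inc["hashes"].add(ev["sha256"])
        if "dst_ip" in ev:
            inc["dst_ips"].add(ev["dst_ip"])
    return dict(incidents)

def enrich_and_score(inc, intel):
    """Capabilities stage: correlate the host's signals, enrich with intel, score."""
    executed = {e["sha256"] for e in inc["events"] if e["source"] == "endpoint"}
    signals = set()
    for ev in inc["events"]:
        if ev["source"] == "sandbox":
            signals.add("sandbox_" + ev["verdict"])
            if ev["sha256"] in executed:  # endpoint forensics saw the same hash run
                signals.add("endpoint_executed")
        elif ev["source"] == "ids":
            signals.add("ids_alert")
    inc["intel_hits"] = {ip: intel[ip] for ip in inc["dst_ips"] if ip in intel}
    if inc["intel_hits"]:
        signals.add("intel_match")
    inc["score"] = sum(WEIGHTS[s] for s in signals)
    return inc

def decide(inc):
    """Outputs stage: pick orchestrated actions from the risk score and evidence."""
    actions = []
    if inc["score"] >= QUARANTINE_THRESHOLD:
        actions.append("quarantine_to_remediation_vlan")
        actions += ["blacklist_file:" + h for h in sorted(inc["hashes"])]
    actions += ["firewall_block:" + ip for ip in sorted(inc["intel_hits"])]
    return actions or ["open_ticket_for_analyst"]  # low score: leave it to an analyst

def run(inputs=INPUTS, intel=THREAT_INTEL):
    """Full pipeline: returns {host: (risk_score, [actions])}."""
    results = {}
    for host, inc in aggregate(inputs).items():
        enrich_and_score(inc, intel)
        results[host] = (inc["score"], decide(inc))
    return results
```

With the constructed data, ws-17 scores 110 and is quarantined, its file blacklisted and the C2 address blocked, while ws-42 scores 40 and is only ticketed for an analyst.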

Figure 2. An Integrated Cybersecurity Architecture
Source: Enterprise Strategy Group, 2015.

With the ability to automate, integrate, and orchestrate cybersecurity tools, processes, and workflows, an integrated cybersecurity architecture represents a potential cybersecurity “game changer.” In fact, ESG believes that an integrated cybersecurity architecture can be valuable for all three CISO priorities represented in the CISO triad:

1. Security efficacy. By aggregating, enriching, and contextualizing cybersecurity telemetry, CISOs can improve incident prevention, detection, analysis, and response. This can greatly decrease the dwell time of typical malware “kill chains” and thus lower the risk associated with cyber-attacks.

2. Operational efficiency. An integrated cybersecurity architecture can help the security team work smarter rather than harder by automating manual processes and workflows as part of security investigations and remediation activities.

3. Business enablement. Armed with the automation, integration, and orchestration capabilities of an integrated cybersecurity architecture, CISOs can fine-tune security controls for incident prevention and fast-track incident detection and response. This puts organizations in a better position to capitalize on cloud- and mobile-based business processes that can increase IT attack surfaces.

Customer Use Case for ICOP Integration with Bit9 + Carbon Black

ESG is extremely bullish on the rise of integrated cybersecurity architectures, especially since the technology is available today and being implemented at a growing number of organizations. ESG recently spoke with several enterprise cybersecurity professionals whose organizations are rolling out integrated cybersecurity architectures using Bit9 + Carbon Black technologies as part of these projects in the following ways:

• Carbon Black as a detection input. One organization used Carbon Black for endpoint forensics and another anti-malware gateway deployed on its network. Using an integrated cybersecurity architecture, the security team aggregated telemetry from both systems, enabling it to improve the quality and timeliness of its security investigation and response while decreasing false positive alerts significantly. The security manager commented that the Carbon Black RESTful API made architectural integration a relatively easy process.

• Security controls and remediation. For example, one organization was able to use Carbon Black to remediate systems without requiring a full system reimaging while another used Bit9 to blacklist malicious applications and files. Security professionals really liked the flexibility of using Bit9 to improve prevention and Carbon Black for response.

• Process automation and orchestration innovation. The input telemetry and output capabilities of Bit9 + Carbon Black provided a lot of flexibility to innovate around things like security policies, policy enforcement options, and automated remediation opportunities.

“Our initial metric was response time. By automating and orchestrating security processes, we were able to cut the time necessary for detection and mitigation from days or weeks to minutes or hours.” --Media Company

Security professionals were also quick to say that Bit9 + Carbon Black tools were “built for integration.” This seems to be the case as the products feature open APIs and a message bus that are easily accessible through things like JavaScript controls and open source for download. In fact, the company offers a version of its RabbitMQ message bus free for download so customers can experiment with integration as part of their proof-of-concept projects.

The Bigger Truth

Albert Einstein defined insanity as “doing the same thing over and over again and expecting different results.” Unfortunately, this is exactly what many organizations do with regard to cybersecurity. They add new point tools believing that they will improve incident detection, but they end up generating more alerts, creating more noise, and making it even more difficult for security analysts to mitigate risk or accelerate processes.

While there is no “silver bullet” solution, the cybersecurity community is finally responding with a promising technology architecture. Not surprisingly, many organizations are building their own ICOP systems using open source tools and message buses, or purchasing commercial ICOP products. Given this, ESG believes that because integrated cybersecurity architectures are designed for automation, integration, and orchestration, they have the potential to greatly improve incident prevention, detection, and response.

Recognizing this trend, Bit9 + Carbon Black is focused in two valuable areas: 1) creating best-of-breed endpoint security technologies, and 2) designing its endpoint security products for ICOP integration. And after speaking with several Bit9 + Carbon Black customers, ESG believes that the company is adding cybersecurity value with its products and its integration prowess. The result? Improved security efficacy, better operational efficiency, and a cybersecurity commitment toward business enablement.

In summary, CISOs looking to modernize endpoint security and implement an integrated cybersecurity architecture would be wise to contact Bit9 + Carbon Black to explore how its products align with their cybersecurity strategies and objectives.

20 Asylum Street | Milford, MA 01757 | Tel: 508.482.0188 | www.esg-global.com