SOLUTION BRIEF

SOAR + EDR
Automate investigation, response, and threat hunting
across the VMware Carbon Black Cloud platform

Challenge

Overworked security operations teams, already drowning in alerts and multiple disparate tools, must bridge and orchestrate cloud and on-prem security tools to effectively detect and respond to threats at scale. Manual investigation and response activities are nearly impossible to keep up with and are impediments to effective threat detection and response.

Solution Overview

The right combination of SOAR and EDR is a dynamic duo for inundated security teams. Siemplify and VMware Carbon Black have joined forces to create a powerfully simple solution that reduces analyst workload by automating the ability to prevent, detect, hunt and respond to endpoint-based threats.

Siemplify integrates your VMware Carbon Black Cloud endpoint protection platform telemetry with metadata from your other tools to efficiently manage cases and automate response. Siemplify's intelligent case management groups alerts from your stack of tools and provides visibility into the who, what, when, and where of suspicious endpoint activity without having to pivot between consoles. Playbooks are configured to trigger automatic investigation and remediation of your most common VMware Carbon Black Cloud alerts at machine speed.

Product Integrations

As a vendor-agnostic SOAR platform, Siemplify integrates with the broadest range of the VMware Carbon Black Cloud platform. This includes the latest offerings such as:

• VMware Carbon Black Cloud Endpoint Standard,
• VMware Carbon Black Cloud Enterprise EDR, and
• VMware Carbon Black Cloud Live Response.

Note: Siemplify also integrates with legacy VMware Carbon Black products such as CB Protect, CB Response, and CB Defense.

Joint Solution Benefits

Slash Investigation Time and Effort

Run playbooks that automate data collection using VMware Carbon Black Cloud telemetry to limit the amount of time spent manually cross-referencing information before making decisions.

Automate Response and Enable Threat Hunting

Leverage the VMware Carbon Black Cloud API for remediation actions such as isolating hosts or killing processes with VMware Carbon Black Cloud Live Response, without having to pivot between systems.

Unify Case Management

Ingest VMware Carbon Black Cloud alerts directly or via SIEM into the Siemplify Security Operations Platform. Siemplify's patented threat-centric technology automatically groups related alerts into threat-centric cases.

Joint Playbook Example

• Ingest an alert from VMware Carbon Black Cloud Endpoint Standard
• Enrich the alert with endpoint and file metadata from the unified binary store (UBS) in VMware Carbon Black Cloud Enterprise EDR
• Enrich the alert using third-party threat intelligence data
• Automatically close the alert as a false positive if all enrichment data comes back negative
• Present the information to an analyst if a remediation sequence of actions needs to be executed
• Execute a series of VMware Carbon Black Cloud mitigation activities such as a policy update, isolating a host, or quarantining a machine
• Activate VMware Carbon Black Cloud Live Response to hunt and kill a process based on the original process ID (PID)
Joint Use Case

Part 1: Integrate the VMware Carbon Black Cloud Platform to Automate Investigation

This two-part use case integrates four products in the VMware Carbon Black Cloud endpoint protection platform to automate investigation and response activities. These are the VMware Carbon Black Cloud console, VMware Carbon Black Cloud Endpoint Standard, VMware Carbon Black Cloud Enterprise EDR, and VMware Carbon Black Cloud Live Response.

Siemplify's cloud-native SOAR platform receives a behavior-based alert created from a user's abnormal activity detected by VMware Carbon Black Cloud Endpoint Standard. The detection is based on correlation with an Indicators of Compromise (IoC) watchlist in the VMware Carbon Black Cloud. Once an alert is received by Siemplify, it is placed within a threat-centric case that uses patented technology to group it with any related-entity alerts.

A playbook is then triggered and begins to enrich the case with device information from the VMware Carbon Black Cloud console. The playbook then collects file metadata from the unified binary store (UBS) in VMware Carbon Black Cloud Enterprise EDR. This allows an analyst to reference file metadata as well as determine whether the host is a critical asset of interest. For an extra layer of analysis, a third-party threat intelligence source is automatically called after this file metadata is collected.

Part 2: Automate Response Actions and Enable Threat Hunting

After automatically investigating every available detail about the file, device, and user, it is time to respond and eliminate the threat. Playbooks can automatically close the case as a false positive, make a policy update, or engage the analyst for approval to trigger remediation activities.

A policy update action controls network communications from the host to restrict any movement of malware to other hosts across the environment. As a next step, the playbook pauses to ask the analyst "Do you want to quarantine the device?" If the analyst confirms, that action is taken and the case can be automatically closed with notes added. Otherwise, the case stage is automatically updated and the integration with Carbon Black Live Response is activated.

Live Response is a VMware Carbon Black product that allows a connection to the host to initiate a shell session via a sensor. This allows an analyst to automatically hunt for and kill the malicious process identified in the original alert. The process is killed by its process ID (PID) without disrupting the host, which is a useful security operations technique. The net result is a successful, automatic elimination of a threat in rapid time and with much greater accuracy.
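The decision flow described in the Joint Playbook Example and in Parts 1 and 2 above, written out as an added example (not Siemplify or VMware code). The Carbon Black Cloud and Live Response calls are replaced by an in-memory action recorder, and the enrichment verdicts and alert fields are constructed sample data, so the branching logic (auto-close on all-negative enrichment, policy update, analyst approval gate, quarantine versus Live Response kill by PID) can be run and checked offline.

```python
from dataclasses import dataclass, field
from typing import Callable, List

@dataclass
class Alert:
    """Constructed stand-in for an Endpoint Standard alert."""
    alert_id: str
    device_id: str
    sha256: str
    pid: int  # original process ID from the alert

@dataclass
class Enrichment:
    """Verdicts returned by the enrichment steps (constructed sample data)."""
    device_is_critical: bool   # from CB Cloud console device info
    ubs_known_malicious: bool  # from UBS file metadata in Enterprise EDR
    threat_intel_hit: bool     # from the third-party threat intel lookup

@dataclass
class Case:
    status: str = "open"
    stage: str = "triage"
    notes: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)  # recorded instead of calling the API

def run_playbook(alert: Alert, enr: Enrichment, ask_analyst: Callable[[str], bool]) -> Case:
    """ask_analyst(question) -> bool models the playbook's manual approval pause."""
    case = Case()
    case.notes.append(f"critical asset: {enr.device_is_critical}")
    # All enrichment negative: close as a false positive with no remediation.
    if not (enr.ubs_known_malicious or enr.threat_intel_hit):
        case.status = "closed"
        case.notes.append("closed as false positive: all enrichment negative")
        return case
    # Policy update restricts network communication from the host.
    case.actions.append(f"policy_update:{alert.device_id}")
    if ask_analyst("Do you want to quarantine the device?"):
        case.actions.append(f"quarantine:{alert.device_id}")
        case.status = "closed"
        case.notes.append("device quarantined; case closed with notes")
    else:
        # Analyst declined: update the case stage and hunt/kill via Live Response.
        case.stage = "live_response"
        case.actions.append(f"live_response_kill_pid:{alert.device_id}:{alert.pid}")
        case.notes.append(f"killed PID {alert.pid} via Live Response; host not quarantined")
    return case
```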

About Siemplify

The Siemplify Security Operations Platform is an intuitive, holistic workbench that makes security operations smarter, more efficient and more effective. Siemplify combines security orchestration, automation and response (SOAR) with context-driven case management, investigation, and machine learning to make analysts more productive, security engineers more effective, and managers more informed about SOC performance.

About VMware Carbon Black

VMware software powers the world's complex digital infrastructure. The company's cloud, app modernization, networking, security, and digital workspace offerings help customers deliver any application on any cloud across any device. Headquartered in Palo Alto, California, VMware is committed to being a force for good, from its breakthrough technology innovations to its global impact. For more information, please visit https://www.vmware.com/company.html

Download the Free Community Edition

Experience the Siemplify Platform with ready-to-deploy use cases that leverage VMware Carbon Black. Try it for free at: siemplify.co/community and siemplify.co/partners/vmwarecarbonblack

siemplify.co © Copyright 2020 Siemplify
