Security Experts:

Carbon Black, IBM Partner on Attack Remediation

Endpoint security firm Carbon Black announced a new partnership with IBM Security that will allow Carbon Black endpoint threat data to feed into IBM's BigFix for instant attack remediation.

Announced today, the partnership addresses a major problem for the enterprise: vulnerability management. According to Gartner, "Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year." Rapid patching can help this problem; but enterprises have so many endpoints with so many vulnerabilities that prioritizing patches is difficult if not impossible.

The Carbon Black / Big Fix approach is to focus vulnerability management onto the most pressing need -- the endpoint vulnerabilities that are actually being exploited right now. With Carbon Black detecting the attack, Big Fix is able to prioritize patch remediation to all endpoints that contain the vulnerability, and all can be patched automatically. This process responds to the most pressing need while dramatically reducing the attack surface for the entire enterprise.

The process is conceptually simple. "We have an agent on every endpoint," explained Tom Barsi, Carbon Black's SVP business development. "That agent collects all relevant data from every endpoint and sends it to a central server. It's like a video recorder of events. We record all file modifications, registry modifications, executed binaries and more -- but we're looking at executables so we don't collect any personal information."

At the central server, Carbon Black's threat detection algorithms, driven by machine learning, can detect malicious activity in real time. "Once we detect that something has been hit," he continued, "we send that data directly through the new automated integration with Big Fix; and Big Fix immediately patches all of the endpoints with the same application and therefore the same vulnerability -- so it gives the user the ability to prioritize patching across the enterprise and reduce the attack surface."

Carbon Black claims to be the market leader in endpoint threat detection. Although it is next-gen technology, it was founded 14 years ago (as Bit9) in 2002. Bit9 acquired Carbon Black in 2014, and changed its own name to Carbon Black earlier this year. It has more than 2,000 customers including 30 of the Fortune 100, and has more than 7 million endpoints under management. With such a solid foundation in large enterprises, it makes sense to integrate its own threat detection with the vulnerability remediation available from IBM. IBM acquired BigFix in 2010.

The potential weakness in machine learning-based threat detection is that although it is good at detecting new and unknown threats, it does not itself include automatic threat removal capabilities. Traditional anti-virus, which built its reputation on detecting known threats, could also remove those threats because they were known. It is less easy to develop threat removal for unknown threats. For this reason, Barsi suggested two additional approaches. The first is that he does not believe that next-gen endpoint security should be seen as a replacement for traditional anti-virus. 

"You still need a solution, such as traditional anti-virus, for known bad attacks. AV can detect, stop, and clean known bads. That need doesn't go away. So now you need the ability to address known bads (AV), and the ability to address the new unknown bads (next-gen machine learning)." The solution to the latter problem, he suggests, is the Carbon Black integration with IBM's QRadar SIEM, which can isolate compromised endpoints for investigation and cleaning.

"We've also integrated with the QRadar SIEM platform," he said, "and customized the ability to ingest our data into that SIEM. On top of QRadar," he added, "we've built a new app that allows the user to take action on Carbon Black data directly from the QRadar console. QRadar has analytics and orchestration capabilities backed by IBM's Watson technology, so while it is collecting data from Carbon Black, QRadar can apply Watson capabilities -- and the user can take action directly on the endpoint from the QRadar console. The Carbon Black app on QRadar has the ability to quarantine suspect endpoints automatically, depending on the enterprise's security policy and posture."

The key feature of this new announcement from Carbon Black is that the IBM partnership allows speedy and targeted threat remediation and vulnerability management to precisely where it is needed, in almost real time. Part of the agreement is that IBM customers will be able to purchase Carbon Black directly from IBM.

Last week The Wall Street Journal reported that Carbon Black has made a confidential IPO filing under the JOBS Act.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.