New Streaming Prevention Technology Collects, Correlates and Analyzes Endpoint Events in Real-time to Detect and Stop Attacks In Progress
Malicious attacks are increasingly leveraging non-malware methodologies. Already, 53% of attacks do not use malware; and it is estimated that over the next 90 days, one-third of organizations will face a non-malware attack. It is claimed that these attacks will likely succeed because current AV technology, whether first-gen or second-gen machine learning technology, is focused almost entirely on detecting a malicious file dropped on the endpoint.
To combat this new attack vector, Carbon Black has today announced its new Streaming Prevention technology. Carbon Black CTO Mike Viscuso talked to SecurityWeek to explain why this new approach is necessary, and how it works.
Viscuso described standard AV as ‘point-in-time’ prevention, and illustrated it with an example from the NSA. Since the NSA is offensive as well as defensive, it checks its own tools against standard defenses. When a new McAfee product was launched, it was tested against NSA tools — and it succeeded in blocking one of them. This tool spun up a command shell that could be used remotely. To get past it, the NSA operatives simply renamed the command shell to something else; and it worked.
The point, explained Viscuso, is that most anti-malware products look for ‘points’, usually files. They do not look for behavior in context. If the attacker does not drop a file that can be analyzed, or if it involves something not recognized by the defense, it is simply allowed. “Many of the big breaches in recent years, Yahoo, Oracle and DNC, for example, all resulted from a non-malware attack.”
This new attack approach leverages the existing power of the operating system. It uses trusted OS tools such as PowerShell and WMI to do the work. He gave an example: “A compromised website could require Flash. Flash could be exploited to run PowerShell. PowerShell would conduct the attack.” There is, he says, nothing in this process for contemporary anti-malware products to detect and prevent.
“Anti-malware products,” he explained, “are very focused on malicious software; that is, malware. When a new file gets put onto your system, anti-malware will scan it to determine whether it thinks it is malicious or not. It is very point-in-time. But the reality is that attackers are increasingly not using malware. They’ve got much more sophisticated — but so has technology. We’re leveraging new technology that has been very successful in other industries — called event stream processing — to look at the full history of what this system or process or set of processes has been doing.”
Carbon Black’s Streaming Prevention has grown out of the event stream processing developed for algorithmic trading. A simple algorithm could tell a trader to buy a particular stock at one price and to sell at another price. But if the entire market is moving, those point-in-time instructions could be bad advice. What is necessary for the algorithm is a deeper understanding of the entire market.
“It needs more data,” said Viscuso. “So, a technology called event stream processing was developed which allowed the consumption of millions and millions of data points, and had the ability to analyze them very rapidly in order to make the right decision; and to further allow the algorithm to update itself, in milliseconds, over and over again in a loop, so that it can make better and better decisions over time.”
This, he said, is the basis of Streaming Prevention. It applies machine learning and network anomaly techniques to the endpoint. It examines and tags TTPs (tactics, techniques and procedures) used in malicious activities, and analyzes them in context. “It is continuously learning from what it sees, and has seen in the past, when a certain sequence of events could lead to a breach. It can then apply a risk decision on that sequence of events to determine whether it is an attack or not. Over time, this risk decision gets more and more accurate and perceptive; and over time it will learn how to prevent all non-malware attacks.”
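As an added illustration (not Carbon Black's code; the article does not describe the product's internals), the Python below correlates a constructed stream of process-start events in the way the article contrasts with point-in-time scanning: every binary in the Flash-to-PowerShell chain is a trusted file, so a per-file verdict allows each one, while tagging TTPs and scoring them across the process lineage flags the chain, and a user launching PowerShell from Explorer stays allowed. Image names, tag names, weights, hashes and the threshold are assumptions.

```python
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
PLUGINS = {"flashplayerplugin.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wmic.exe"}
KNOWN_BAD_HASHES = set()  # point-in-time file view: nothing here is a known-bad file
# Constructed TTP weights: no single tag reaches the threshold on its own.
TTP_WEIGHTS = {"browser_spawns_plugin": 2, "plugin_spawns_script_host": 4,
               "script_host_in_browser_lineage": 3}
THRESHOLD = 6

class StreamCorrelator:
    """Keeps process context across the whole event stream, not just one event."""
    def __init__(self):
        self.procs = {}   # pid -> {"image", "ppid", "ttps"}
    def ancestors(self, pid):
        # Walk the parent links we have already seen, nearest parent first.
        while (pid := self.procs[pid]["ppid"]) in self.procs:
            yield self.procs[pid]
    def ingest(self, ev):
        """Tag the TTPs visible at this process start and score the full chain."""
        me = {"image": ev["image"].lower(), "ppid": ev["ppid"], "ttps": []}
        self.procs[ev["pid"]] = me
        parent = self.procs.get(ev["ppid"])
        if parent and parent["image"] in BROWSERS and me["image"] in PLUGINS:
            me["ttps"].append("browser_spawns_plugin")
        if parent and parent["image"] in PLUGINS and me["image"] in SCRIPT_HOSTS:
            me["ttps"].append("plugin_spawns_script_host")
        if me["image"] in SCRIPT_HOSTS and any(
                a["image"] in BROWSERS for a in self.ancestors(ev["pid"])):
            me["ttps"].append("script_host_in_browser_lineage")
        # Streaming view: the risk decision covers the event plus its lineage.
        chain = [me, *self.ancestors(ev["pid"])]
        score = sum(TTP_WEIGHTS[t] for p in chain for t in p["ttps"])
        point_in_time = "block" if ev["sha256"] in KNOWN_BAD_HASHES else "allow"
        streaming = "block" if score >= THRESHOLD else "allow"
        return point_in_time, streaming, score

# Constructed event stream: the Flash -> PowerShell chain from the article,
# plus a user opening PowerShell from Explorer as a benign control.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "sha256": "h0"},
    {"pid": 200, "ppid": 100, "image": "chrome.exe", "sha256": "h1"},
    {"pid": 300, "ppid": 200, "image": "FlashPlayerPlugin.exe", "sha256": "h2"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "sha256": "h3"},
    {"pid": 500, "ppid": 100, "image": "powershell.exe", "sha256": "h3"},
]

def run_sample(events=SAMPLE_EVENTS):
    """Return {pid: (point_in_time_verdict, streaming_verdict, chain_score)}."""
    c = StreamCorrelator()
    return {ev["pid"]: c.ingest(ev) for ev in events}
```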
Streaming Prevention is a cloud service. The analysis is conducted in the cloud and its results are pushed down to the endpoint, so that the endpoint can act independently. Data is gathered from all client endpoints and streamed up to the cloud. “The results are then shared with all customers so they are protected against local attacks and also new attacks happening elsewhere.” Endpoints, he added, can now be protected against both malware and non-malware attacks.
In October 2016, Carbon Black announced a partnership with IBM Security that will allow Carbon Black endpoint threat data to feed into IBM’s BigFix for instant attack remediation.
As a company, Carbon Black has more than 600 employees and is a result of Bit9 merging with Carbon Black in February 2014. In October 2016, The Wall Street Journal reported that Carbon Black has made a confidential IPO filing under the JOBS Act.