RSA Conference: Carbon Black to introduce Streaming Prevention

Carbon Black is introducing at RSA Conference 2017 next week a new way for its gear to detect attacks that don’t make their way into networks via viruses or malicious files that other endpoint security software can detect.

Called Streaming Prevention, the technology can find both malware and non-malware attacks by analyzing endpoint activities in the context of the sequences in which they unfold.

It does this by having endpoint agents tag events as they occur and streaming them to Carbon Black’s analysis engine in the cloud. There the engine determines whether it falls in a sequence of events that add up to an attack and tells the endpoint to block activity that is deemed malicious.

Streaming Prevention is part of the next scheduled upgrade to the company’s CB Defense endpoint-protection platform and will be available in April. Endpoint security is a major topic at RSA due to the prevalence of attacks that focus on these devices.

The cloud analytics is based on constant analysis of data being sent from tens of millions of endpoints under Carbon Black’s protection. From that data Carbon Black generates statistical models that decide whether possibly innocent endpoint activity is actually malicious.

Analysts cull through the data to find attacks the analytics engine missed and figure out why. They tweak the algorithms that sort through live streaming data from customer endpoints so they won’t miss the same attack the next time.

Non-malware attacks use legitimate tools such as PowerShell, Remote Desktop and Flash to mask malicious activity. It’s perfectly normal for Remote Desktop to connect to other devices, but in combination with other events, that Remote Desktop activity could be an attempt for an attack to move laterally within a network, for example.

That context of these tagged events is what makes it possible to find the bad behavior.

This is different from detection that is based on a single indicator such as a malicious file that has a known signature or reputation. That type of detection does pick up on the bad files, but won’t recognize when PowerShell is up to something bad.

Because the CD Defense cloud gives insight into tens of millions of endpoints, it reduces false positives and the instances of false negatives, the company says. When the analytics in the cloud determine that an event, in the context of other events, means an attack, the cloud sends down a command to block it.

IDG Insider


« Why Intel's Unite software survived last year's brutal product purge


Hacker hijacks thousands of publicly exposed printers to warn owners »
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail

Recommended for You

Trump hits partial pause on Huawei ban, but 5G concerns persist

Phil Muncaster reports on China and beyond

FinancialForce profits from PSA investment

Martin Veitch's inside track on today’s tech trends

Future-proofing the Middle East

Keri Allan looks at the latest trends and technologies


Do you think your smartphone is making you a workaholic?