Bit9: A DVR for Your Endpoints

Benjamin Franklin once said: “In this world, nothing can be said to be certain, except death and taxes.” If Ben were alive today, I think he might have added one more thing to that list: “malicious applications executing.” Which brings me to the point of this blog: comparing the detection and analysis capabilities of Bit9’s trust-based solution vs. traditional detection and analysis methods. First let me clarify what I mean by “traditional.” This refers to a solution not built on trust, such as signature-based antivirus, as well as other manual methods like log analysis, system forensics, and then correlating all of these in order to reconstruct what happened.

It should come as no surprise that malicious applications and sophisticated cyberattacks are commonplace for any organization operating in today’s threat landscape. Increasingly, the topic of protection is quickly expanding into detection methods, and for good reason – because today’s threats are more advanced and dynamic, and traditional protection methods are no longer effective against them. Having a comprehensive detection and analytics tool that is running in real-time is not only the best way to prevent malicious applications from executing, it’s the ONLY way.


I come from a computer forensics background, and have worked on a lot of security breaches where I’ve analyzed compromised machines and malicious files to figure out what happened. In all the investigations I’ve done, time has always been the biggest obstacle. It takes time to answer the questions raised in an investigation and to meet the customer’s objectives. I recently realized why time has always been an obstacle and it’s because I have always been part of an incident that only had a traditional approach to rely on. It took time (sometimes days) to analyze all the events and antivirus logs, XOR the quarantine files, and then correlate that data with the host forensic analysis results. It took time (again sometimes days) to figure out how and when a malicious application first arrived on the machine and what it did after executing.

Fortunately, with the Bit9 trust-based solution’s DVR-like capabilities, time is no longer an obstacle. The tasks that used to take days now take hours and sometimes even minutes. What is most impressive though, is I no longer need to determine when a malicious application executed and what it did afterward because—are you ready for this?—the malicious file did NOT even have a chance to execute since it was untrusted. Yes, it’s true you can have your cake and eat it too (not sure if Ben Franklin said that one or not).

Scope and Analysis

Does it get any better than this? Why yes, yes it does. Remember that DVR-like capability I mentioned above? Well this feature essentially acts as a surveillance camera that continuously monitors your endpoints. When police realize there is a video camera at a crime scene, usually there is elation, followed by conclusive evidence of who performed a crime and when it took place. Well, that’s the same feeling I’d get if I were asked to do a forensic investigation for a customer running Bit9’s trust-based solution. Not only do I have the warm and fuzzy feeling that the malicious application did not execute because of Bit9, but now I can actually go back and easily answer the list of questions I would have needed to answer during a forensic investigation had the customer been using a traditional approach. The DVR-like capability of Bit9 will tell me when that malicious file “tried” to execute on my system as well as provide me with a full audit trail including what processes it spawned, as well as what files, directories, and registry keys it attempted to modify. I can then search this file or one of its artifacts to see if it exists on any of my other endpoints, and if it tried to execute there as well. Using a traditional approach, I would first have to either perform static or behavioral analysis on the malicious application, gather all of the characteristics of what happened once it executed, and note the indicators of compromise before I could even begin searching where else in my environment this malicious application may have traveled and executed.

The detection and analysis capability isn’t just an amazing benefit for a forensic analyst or an incident response team, it’s a benefit for any company’s IT environment.

Bit9 is the only company to stop Flame, Gauss, and the malware that caused the RSA breach.

Sign-up for a free 5-day trial

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of the author. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided "as-is". The author shall not be liable for any damages whatsoever arising out of the content or use of this blog.
%d bloggers like this: