In the 2014 Verizon Data Breach Investigations Report, one of the key takeaway messages was “the bad guys are winning.” The DBIR noted that one possible explanation for this imbalance is slow detection time from us, the good guys.
“The bad guys are getting in really fast,” Chris Porter of Verizon Enterprise Solutions told the Los Angeles Times. “And the good guys are only detecting that some of the time. That’s probably one of the most sobering charts in the report. It really shows the gap between our detection capability. We need to figure out how to detect things faster.”
At Bit9 + Carbon Black, detection, response and protection are the key priorities of the solution. “Detection” is moving further into the industry spotlight as organizations around the globe come to accept the reality that a data breach WILL hit their organization and that the key to surviving it is how well, and how fast, you detect it.
Carbon Black specializes in detecting malicious behavior in seconds. Late last year, before merging with Bit9, carbonblack.com published a blog post demonstrating its detection ability by answering a simple question: “why is notepad.exe connecting to the Internet?”
We are republishing that post here on the #Bit9Blog to show how we continue to value and approach detection and to demonstrate how quickly someone using our software can get answers.
From September 2013: In a recent blog post, Raffi asked “Why is notepad.exe connecting to the Internet?” He pointed out that Metasploit and Cobalt Strike use notepad.exe as a default target for process injection. This migration is often needed when the exploit depends on an application the user opened: a flaw in Acrobat Reader may let the attacker run arbitrary code inside acrord32.exe, but that code disappears as soon as the user closes the window unless the attacker migrates into a new process. Raffi suggested that information security teams use this behavior to identify compromise.
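The detection idea above, written out as an added example that is not from the original post or from the Carbon Black product: it parses a constructed, sensor-style network-connection log, flags any connection made by an image that should never open a socket (notepad.exe and similar), and raises the severity when the flagged process was spawned by a document reader or browser, the kind of parent an injected payload migrates out of. The log format, the process lists and the sample events are all assumptions made for this example.

```python
"""Flag network connections from processes that have no business on the network.

Added example, not the original post's or Carbon Black's code. Assumes a
constructed log format with one event per line:
  <timestamp> netconn pid=<n> image=<path> parent=<path> remote=<ip>:<port> proto=<tcp|udp>
"""
import re
from collections import Counter

# Constructed sample events. The notepad.exe beacon spawned by AcroRd32.exe is
# the behaviour the post describes; the other lines are benign background noise.
SAMPLE_LOG = """\
2013-09-10T14:02:11Z netconn pid=3120 image=C:\\Program Files\\Internet Explorer\\iexplore.exe parent=C:\\Windows\\explorer.exe remote=93.184.216.34:443 proto=tcp
2013-09-10T14:02:15Z netconn pid=4412 image=C:\\Windows\\System32\\notepad.exe parent=C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe remote=198.51.100.23:8080 proto=tcp
2013-09-10T14:02:16Z netconn pid=4412 image=C:\\Windows\\System32\\notepad.exe parent=C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe remote=198.51.100.23:8080 proto=tcp
2013-09-10T14:03:02Z netconn pid=2208 image=C:\\Windows\\System32\\svchost.exe parent=C:\\Windows\\System32\\services.exe remote=10.0.0.5:53 proto=udp
2013-09-10T14:03:40Z netconn pid=5010 image=C:\\Windows\\System32\\calc.exe parent=C:\\Windows\\explorer.exe remote=203.0.113.9:443 proto=tcp
"""

# Assumed list: images that should essentially never open a network socket.
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe", "write.exe"}

# Assumed list: parents an injected payload typically migrates out of
# (document readers, browsers). Used only to raise severity.
MIGRATION_SOURCES = {"acrord32.exe", "iexplore.exe", "firefox.exe", "winword.exe", "excel.exe"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) netconn pid=(?P<pid>\d+) image=(?P<image>.+?) "
    r"parent=(?P<parent>.+?) remote=(?P<rip>[\d.]+):(?P<rport>\d+) proto=(?P<proto>\w+)$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["rport"] = int(ev["rport"])
    # Compare on the bare image name, case-insensitively, since paths vary.
    ev["image_name"] = ev["image"].rsplit("\\", 1)[-1].lower()
    ev["parent_name"] = ev["parent"].rsplit("\\", 1)[-1].lower()
    return ev


def find_suspicious_netconns(log_text):
    """Return one alert per (pid, image) that made a network connection despite
    being on the no-network list, ordered by first sighting."""
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["image_name"] not in NO_NETWORK_IMAGES:
            continue
        key = (ev["pid"], ev["image_name"])
        if key not in alerts:
            alerts[key] = {
                "pid": ev["pid"],
                "image": ev["image_name"],
                "parent": ev["parent_name"],
                "first_seen": ev["ts"],
                "remotes": Counter(),  # remote endpoint -> connection count
                "severity": "high" if ev["parent_name"] in MIGRATION_SOURCES else "medium",
            }
        alerts[key]["remotes"][f"{ev['rip']}:{ev['rport']}"] += 1
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for a in find_suspicious_netconns(SAMPLE_LOG):
        remotes = ", ".join(f"{r} x{n}" for r, n in a["remotes"].items())
        print(f"[{a['severity']}] {a['image']} (pid {a['pid']}) spawned by "
              f"{a['parent']} connected to {remotes}; first seen {a['first_seen']}")
```

The image-name list on its own is a narrow indicator: it only catches migration into processes that never talk, and an attacker who injects into a browser instead stays below it. What makes the rule worth keeping is the parent lineage, which is why the example records the parent and bumps severity when a reader or browser spawned the process, and the per-endpoint connection counts, which make the repeated beacon to one host stand out from a one-off lookup.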
“Wow, that’s clever!” I thought. “I wonder how good an indicator that is….”
I love Carbon Black because it lets you test theories like this with zero friction: