Bit9 + Carbon Black vs Symantec Endpoint Protection: How Do They Compare?

Posted by UpGuard


The information security (infosec) space is for the most part divided into two camps: established players using a combination of old and new tactics for combating cybercrime, and market entrants attempting to rethink security from the ground up. Attack methods are increasingly sophisticated and require novel approaches for detection and remediation. Since very little is understood about the next generation of threats, opportunities abound for incumbent leaders and upstarts alike. And with targeted attacks and advanced persistent threats (APTs) on the rise, newer players with innovative approaches to security are seeing ample opportunities to supplant longstanding market leaders and their aging security products.

One such upstart, Bit9 + Carbon Black, takes a different approach to security, built on signature-less threat prevention and application whitelisting. Let’s take a look at how the platform compares with security veteran Symantec’s Endpoint Protection offering.

Bit9 + Carbon Black

Though founded back in 2002, Bit9 came into its own with last year’s acquisition of Carbon Black. Bit9’s agent-based platform architecture allows the enforcement of whitelist policies on every endpoint, while Carbon Black enables endpoint file behavior monitoring and real-time threat detection through endpoint-installed sensors and data recorders. The merging of the two effectively combines Bit9’s signature-less, whitelist-based threat protection with Carbon Black’s continuous monitoring and incident response capabilities.

Bit9 + Carbon Black’s trust-based security model revolves around its central whitelist database: a registry of trusted, known-good software and their classifications and ratings. These trust ratings are provided by the Bit9 + Carbon Black Software Reputation Service, reputedly the world’s largest hash database of software. Additionally, the platform is augmented by the firm’s Threat Intelligence Cloud, a repository containing extended attributes for billions of software executables, as well as threat and trust ratings for published and rogue software.

A distinction should be made between the traditional methods employed by standard IDS/IDPS solutions and whitelisting, the approach employed by Bit9 + Carbon Black. Though both methods use file hashes to track file changes, whitelisting by default assumes a “deny” posture, as opposed to the default “allow” approach used by most IDS/IDPS offerings. In Bit9 + Carbon Black’s case, an application whitelist contains a list of known-good applications and their file privileges. Because only trusted software is allowed to execute in one’s IT environment, malicious packages are prevented from making any unauthorized changes. This is especially crucial when dealing with zero-day attacks that use malware unknown to, or unidentifiable by, traditional security tools. With Bit9 + Carbon Black, maliciously altered files can easily be prevented from executing by checking them against the application whitelist, since an altered file’s hash no longer matches a known-good entry.
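To make the posture difference concrete, here is an added example in Python (not Bit9 or Symantec code): four constructed sample binaries are checked against a hash whitelist with a default-deny posture and against a signature-style hash blocklist with a default-allow posture. The tampered known-good file and the never-seen binary are refused only by the whitelist.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample "executables" standing in for file contents read from disk.
SAMPLES: Dict[str, bytes] = {
    "editor.exe": b"MZ\x90\x00 trusted editor build 1.4",
    "updater.exe": b"MZ\x90\x00 trusted updater build 2.0",
    # The trusted editor with bytes appended: a maliciously altered known-good file.
    "tampered_editor.exe": b"MZ\x90\x00 trusted editor build 1.4" + b" <injected code>",
    # Never catalogued anywhere: stands in for zero-day malware.
    "unknown.exe": b"MZ\x90\x00 never-before-seen binary",
}


def sha256(data: bytes) -> str:
    """Hash used as the file identity in both databases."""
    return hashlib.sha256(data).hexdigest()


# Application whitelist: hashes of known-good software. Posture is default deny.
ALLOWLIST = {sha256(SAMPLES["editor.exe"]), sha256(SAMPLES["updater.exe"])}

# Signature-style blocklist: hashes of known-bad software. Posture is default allow.
# Constructed: only one old sample has ever been catalogued as malicious.
BLOCKLIST = {sha256(b"MZ\x90\x00 old catalogued malware")}


def whitelist_decision(data: bytes) -> str:
    """Default deny: execution is permitted only for a known-good hash."""
    return "allow" if sha256(data) in ALLOWLIST else "deny"


def blocklist_decision(data: bytes) -> str:
    """Default allow: execution is refused only for a known-bad hash."""
    return "deny" if sha256(data) in BLOCKLIST else "allow"


def compare(samples: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Map each sample name to (whitelist verdict, blocklist verdict)."""
    return {name: (whitelist_decision(d), blocklist_decision(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (wl, bl) in compare(SAMPLES).items():
        print(f"{name:22} whitelist={wl:5} blocklist={bl}")
```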

Symantec Endpoint Protection

A recognized name in IT security, Symantec offers a full line of solutions for securing and managing information, identities, and infrastructure. Its own answer to endpoint detection is called, appropriately enough, Symantec Endpoint Protection. The platform enables comprehensive infrastructure protection through the following core components:

  • Endpoint Protection Manager: a server that manages the computers connected to a protected network.

  • Endpoint Protection Manager Database: a datastore of security policies and events.

  • Endpoint Protection Client: endpoint software that protects machines and scans them for viruses and malware.

A firewall and IDPS are included with the suite, with paid add-ons available for extending Symantec Endpoint Protection’s capabilities. For example, purchasing the Symantec Protection Suite gives the platform the ability to filter/block email and web threats.

Similar to Bit9, Symantec Endpoint Protection uses a trusted datastore for identifying which files to scan, in this case with data provided by the Symantec Global Intelligence Network (GIN). This network of hundreds of millions of sensors feeds a massive repository of security data gleaned from monitoring, analyzing, and processing more than 10 trillion security events per year worldwide. According to Symantec, this gives its platform significant speed benefits through scan elimination: instead of scanning every file, it eliminates and deduplicates unnecessary scan jobs for smarter and faster operation.


Cyber threats are constantly evolving, and security tools must follow suit. This cat-and-mouse game often puts legacy vendors at a disadvantage, as they frequently lack the agility to reinvent aging security models and architectures from the ground up. That said, newer security firms developing advanced methodologies for threat protection are essentially building solutions that are unproven against future threats. Symantec Endpoint Protection and Bit9 + Carbon Black are representative cases of each. Interestingly enough, both incorporate consolidated threat intelligence datastores as critical components of their respective offerings. Despite the apparent similarities, Symantec’s GIN is actually quite different from Bit9 + Carbon Black’s whitelisting mechanism. The latter uses a hash database of software trust ratings, the Bit9 + Carbon Black Software Reputation Service, to determine which files to whitelist. The GIN datastore is used for quick identification of good and bad actors in order to optimize file scanning efficiency.

Both approaches have their advantages and drawbacks. Symantec Endpoint Protection is comprehensive but lacks integration capabilities with other security tools such as a SIEM. And no matter how expansive GIN’s intelligence-gathering capabilities, the solution still relies on known threat data to drive its security enforcement model. Also, non-Windows users may be out of luck with Symantec, as the Manager component requires a Windows machine to run on.

Bit9’s whitelisting technology seems promising but needs further refinement: a recent compromise resulted in malware being sent to several of the company’s customers. To be fair, Symantec's offering has not been without its own vulnerabilities. Suffice it to say, no single solution can effectively protect an organization’s infrastructure against today’s and tomorrow’s threats. A competent security strategy should consist of best-of-breed tools assembled in a continuous security toolchain; through this type of layered coverage, organizations can maintain an optimal security posture.



Bit9 + Carbon Black vs Symantec Endpoint Protection at a glance

Installation & Setup

  Bit9 + Carbon Black
  • Single endpoint installation is straightforward
  • Supports Windows, MacOS, Red Hat Linux, and CentOS
  • Enterprise environments require professional services, which can be costly

  Symantec Endpoint Protection
  • Installs as a standard Windows application
  • Manager component only works on Windows platforms

Features

  Bit9 + Carbon Black
  • Built entirely on open APIs and features easy integration with other tools
  • Uses the Bit9 + Carbon Black Software Reputation Service, the world’s largest hash database of software

  Symantec Endpoint Protection
  • Powered by the Symantec Global Intelligence Network (GIN), a big data repository of threat intelligence accumulated from one of the largest collections of sensors in the industry
  • Includes a standard suite of security tools, including IDPS, firewall, and anti-virus/malware

Pricing

  Bit9 + Carbon Black: $420/3-year license
  Symantec Endpoint Protection: $54/1-year license

Documentation & Support

  Bit9 + Carbon Black: Available on website
  Symantec Endpoint Protection: Available on website; community support is fairly extensive
