The information security (infosec) space is for the most part divided into two camps: established players using a combination of old/new tactics for combating cybercrime, and market entrants attempting to rethink security from the ground up. Attack methods are increasingly sophisticated and require novel approaches for detection and remediation—since very little is understood about the next generation of threats, opportunities abound for both incumbent leaders and upstarts alike. And with targeted attacks and advanced persistent threats (APT) on the rise, newer players with innovative approaches to security are seeing ample opportunities for supplanting longstanding market leaders and their aging security products.
One such upstart—Carbon Black—takes a different approach to security that utilizes signature-less threat prevention and application whitelisting. Let’s take a look at how the platform compares with security veteran Symantec’s Endpoint Protection offering.
Bit9 + Carbon Black
Though founded back in 2002, Bit9 came into its own in 2014 with the acquisition of Carbon Black. Bit9’s agent-based platform architecture allows the enforcement of whitelist policies on every endpoint, while Carbon Black enables endpoint file behavior monitoring and real-time threat detection through endpoint-installed sensors and data recorders. The merging of the two effectively combines Bit9’s signature-less, whitelist-based threat protection with Carbon Black’s continuous monitoring and incident response capabilities. In 2016, the company was rebranded to Carbon Black.
Carbon Black’s trust-based security model revolves heavily around its central whitelist database: a registry of trusted, known good software and their classifications/ratings. These trust ratings are provided by the Carbon Black Software Reputation Service—reputedly the world’s largest hash database of software. Additionally, the platform is augmented by the firm’s Threat Intelligence Cloud—a repository containing extended attributes for billions of software executables, as well as threat and trust ratings for published and rogue software.
A distinction should be made between the traditional detection methods employed by standard IDS/IDPS solutions and whitelisting, the approach Carbon Black takes. Both use file hashes to track file changes, but whitelisting assumes a default "deny" posture, as opposed to the default "allow" approach used by most IDS/IDPS offerings. In Carbon Black's case, the application whitelist is a list of known good applications and their file privileges. Because only trusted software is allowed to execute in the IT environment, malicious packages are prevented from making any unauthorized changes. This is especially crucial for zero-day attacks that use malware unknown to, or unidentifiable by, traditional security tools. With Carbon Black, a maliciously altered file can be prevented from executing simply by checking it against the application whitelist.
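The default-deny versus default-allow difference described above, as an added example that is not Carbon Black's or Symantec's code: two hash-based decision functions run against a constructed "trusted" script and a tampered copy of it. The allowlist and denylist entries are constructed here for illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash the file content; both models key their lookups on this digest."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample files, not real software.
TRUSTED_PAYROLL = b"#!/bin/sh\necho payroll v1\n"
# A tampered copy: one byte differs, so its hash is unknown to both databases.
TAMPERED_PAYROLL = TRUSTED_PAYROLL.replace(b"v1", b"v2")

# Whitelist model: approved hashes mapped to the application and its privileges.
ALLOWLIST = {sha256_hex(TRUSTED_PAYROLL): "payroll.sh (approved, read-only)"}
# Signature model: only hashes of previously identified malware (constructed value).
DENYLIST = {sha256_hex(b"CONSTRUCTED-KNOWN-BAD-SAMPLE"): "known-bad sample"}


def allowlist_decision(content: bytes) -> tuple:
    """Default deny: execute only if the hash is on the allowlist."""
    digest = sha256_hex(content)
    if digest in ALLOWLIST:
        return True, "allowed: " + ALLOWLIST[digest]
    return False, "blocked: hash not in allowlist (default deny)"


def denylist_decision(content: bytes) -> tuple:
    """Default allow: execute unless the hash matches a known-bad signature."""
    digest = sha256_hex(content)
    if digest in DENYLIST:
        return False, "blocked: " + DENYLIST[digest]
    return True, "allowed: no known-bad signature matched (default allow)"


def compare(content: bytes) -> dict:
    """Run both models on the same file and report whether each would execute it."""
    return {"allowlist": allowlist_decision(content)[0],
            "denylist": denylist_decision(content)[0]}


if __name__ == "__main__":
    for name, blob in (("trusted", TRUSTED_PAYROLL), ("tampered", TAMPERED_PAYROLL)):
        print(name, compare(blob))
```

The tampered file has no signature yet, so the denylist still lets it run; the allowlist blocks it because its hash was never approved.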
Symantec Endpoint Protection
A recognized name in IT security, Symantec features a full line of solutions for securing and managing information, identities, and infrastructures. Its own answer to endpoint detection is called—appropriately enough—Symantec Endpoint Protection. The platform enables comprehensive infrastructure protection through the following core components:
- Endpoint Protection Manager: a server that manages computers connected to a protected network.
- Endpoint Protection Manager Database: a datastore of security policies and events.
- Endpoint Protection Client: endpoint software that protects machines and scans them for viruses and malware.
A firewall and IDPS are included with the suite, with paid add-ons available for extending Symantec Endpoint Protection’s capabilities. For example, purchasing the Symantec Protection Suite gives the platform the ability to filter/block email and web threats.
Similar to Carbon Black, Symantec Endpoint Protection uses a trusted datastore to decide which files need scanning, in this case with data provided by the Symantec Global Intelligence Network (GIN). This network of hundreds of millions of sensors feeds a massive repository of security data gleaned from monitoring, analyzing, and processing more than 10 trillion security events per year worldwide. According to Symantec, this gives its platform significant speed benefits through scan elimination: instead of scanning every file, it eliminates and deduplicates unnecessary scan jobs for smarter and faster operation.
UpGuard's VendorRisk platform is used by hundreds of companies to automatically monitor their third-party vendors. We ran a quick surface scan on both Carbon Black and Symantec, and found them to have similar scores:
Our quick assessment showed that both companies carry similar risks which include:
- Increased susceptibility to man-in-the-middle attacks through incomplete support for HTTP Strict Transport Security (HSTS). Symantec is in a weaker position here, though, as it does not enforce HSTS at all.
- Exposure of web server details such as name and version numbers. Attackers looking for weaknesses can run these against CVE (Common Vulnerabilities and Exposures) lists.
- DNS susceptible to man-in-the-middle attacks, as neither company enforces DNS Security Extensions (DNSSEC) on its domain.
- Potential for spammers to send fraudulent email from their domains, as neither company enforces Domain-based Message Authentication, Reporting and Conformance (DMARC).
Based on their score, Carbon Black edged out Symantec. But both companies have work to do in maintaining good security hygiene and best practices for themselves.
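The three hygiene findings that can be graded from a single HTTP response and a DMARC TXT lookup, as an added example that is not UpGuard's scanner code: it evaluates constructed sample observations for two fictional vendors (the header and TXT values are made up, not real results for Carbon Black or Symantec). The one-year minimum for a "complete" HSTS policy is an assumption of this example.

```python
import re

# Constructed observations standing in for a surface scan of two vendor sites.
SAMPLE_HEADERS = {
    "vendor-a": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                 "Server": "nginx"},
    "vendor-b": {"Server": "Apache/2.4.41 (Ubuntu)"},
}
SAMPLE_DMARC_TXT = {  # TXT records that would be published at _dmarc.<domain>
    "vendor-a": ["v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example"],
    "vendor-b": [],
}

ONE_YEAR = 31536000  # assumption: a max-age below one year counts as incomplete


def check_hsts(headers: dict) -> str:
    """Return 'missing', 'incomplete' or 'complete' for the HSTS header."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return "missing"
    match = re.search(r"max-age=(\d+)", value)
    long_enough = match is not None and int(match.group(1)) >= ONE_YEAR
    if long_enough and "includesubdomains" in value.lower():
        return "complete"
    return "incomplete"


def server_banner_leaks_version(headers: dict) -> bool:
    """True if the Server header reveals a product version, e.g. 'Apache/2.4.41'."""
    return re.search(r"/\d", headers.get("Server", "")) is not None


def check_dmarc(txt_records: list) -> str:
    """Return 'missing', 'monitor-only' or 'enforced' from the _dmarc TXT records."""
    for record in txt_records:
        tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
        if tags.get("v") == "DMARC1":
            # p=none only reports; quarantine or reject actually stops spoofed mail
            return "enforced" if tags.get("p") in ("quarantine", "reject") else "monitor-only"
    return "missing"


def assess(vendor: str) -> dict:
    """Grade one vendor's constructed observations on the three findings."""
    headers = SAMPLE_HEADERS[vendor]
    return {"hsts": check_hsts(headers),
            "version_disclosed": server_banner_leaks_version(headers),
            "dmarc": check_dmarc(SAMPLE_DMARC_TXT[vendor])}


if __name__ == "__main__":
    for vendor in SAMPLE_HEADERS:
        print(vendor, assess(vendor))
```

DNSSEC is not covered here because it requires a signed DNS response, not data visible in the HTTP exchange or a TXT record.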
Cyber threats are constantly evolving and security tools must follow suit. This cat-and-mouse game often puts legacy vendors at a disadvantage, as they frequently lack the agility to reinvent ageing security models and architectures from the ground up. That said, newer security firms developing advanced methodologies for threat protection are essentially building solutions that are unproven against future threats. Symantec Endpoint Protection and Carbon Black are representative cases of each; interestingly, both incorporate consolidated threat intelligence datastores as critical components of their respective offerings. Despite the apparent similarity, Symantec's GIN is quite different from Carbon Black's whitelisting mechanism. Carbon Black uses a hash database of software trust ratings, the Carbon Black Software Reputation Service, to determine which files to whitelist. The GIN datastore is used to quickly identify good and bad actors so that file scanning can be made more efficient.
Both approaches have their advantages and drawbacks. Symantec Endpoint Protection is comprehensive but lacks integration capabilities with other security tools such as a SIEM. And no matter how expansive GIN's intelligence gathering capabilities are, the solution still relies on known threat data to drive its security enforcement model. Non-Windows users may also be out of luck with Symantec, as the Manager component requires a Windows machine to run on.
Carbon Black's whitelisting technology seems promising but needs further refinement: a recent compromise resulted in malware being sent to several of the company's customers. To be fair, Symantec's offering has not been without its own vulnerabilities. Suffice it to say, no single solution can effectively protect an organization's infrastructure against today's and tomorrow's threats. A competent security strategy should consist of best-of-breed tools assembled in a continuous security toolchain, with monitoring layered across them; through this depth of coverage, organizations can maintain an optimal security posture.