
White Paper


Bit9 + Carbon Black Can Empower An
Integrated Cybersecurity Architecture for
Automation and Orchestration


By Jon Oltsik, Senior Principal Analyst


July 2015

This ESG White Paper was commissioned by Bit9
and is distributed under license from ESG.


© 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved.
White Paper: Bit9 + Carbon Black – Integrated Cybersecurity Architecture 2

Contents
Overview ............................................................................. 3
How Does An Integrated Cybersecurity Architecture Work? .............................. 5
Customer Use Case for ICOP Integration with Bit9 + Carbon Black ..................... 6
The Bigger Truth ..................................................................... 7

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The
Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are
subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of
this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the
express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and,
if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.


Overview
Enterprise security professionals claim that all aspects of cybersecurity have become more difficult over the past
few years. Why? ESG research points to a few overriding factors, including:

• The dangerous threat landscape. Ominous cyber-threats are top of mind within the infosec community. For
example, 38% of security professionals say that network security has grown more difficult as a result of an
increase in sophisticated malware, 32% point to an increase in targeted attacks, and 25% equate malware
volume with security issues.1 Increasing and sophisticated cyber-threats have a negative impact on security
tasks, controls, and oversight.

• IT complexity. Security professionals are addressing the treacherous threat landscape as the IT infrastructure
evolves, expanding the global attack surface. For example, 36% of organizations say they have increased the
number of devices with access to the network, making security tasks more difficult, while 21% claim that
increasing use of cloud computing is making security more difficult.2 As every security professional knows,
complexity is the enemy of security. Clearly, IT adoption of cloud computing and mobile applications is making
security more complex and difficult.

• Existing security processes and technologies. Enterprise security often depends upon an army of point tools
and complex manual processes. This forces cybersecurity professionals to mitigate risk and investigate security
incidents on a tool-by-tool basis, which can be extremely time-consuming and error-prone. This situation is
especially troubling in light of the global cybersecurity skills shortage: ESG research indicates that 28% of
organizations have a problematic shortage of IT security skills.3

"What's the problem? We have too many alerts, too many incident detection technologies, and not enough
security people!"
--Media Company

In summary, cyber-adversaries are rapidly advancing their tactics, techniques, and procedures (TTPs) while
enterprise security defenses improve incrementally. This imbalance is creating a growing IT risk gap (see Figure 2),
an ominous situation that is getting more and more attention in the boardroom.


1 Source: ESG Research Report, Network Security Trends in the Era of Cloud and Mobile Computing, August 2014.
2 Source: Ibid.
3 Source: ESG Research Report, 2015 IT Spending Intentions Survey, February 2015.


Figure 1. The Growing IT Risk Gap


Source: Enterprise Strategy Group, 2015.
Recognizing the problems described above, CISOs are actively creating cybersecurity strategies that bridge the IT
risk gap. In fact, ESG research indicates that 52% of cybersecurity professionals say that prevention and detection of
cybersecurity incidents are the most important strategic priorities at their organizations. To accomplish this, 48%
say that they need to build an integrated cybersecurity architecture featuring central command-and-control (i.e.,
policy management, configuration management, reporting, etc.) and distributed enforcement.4
In the past, this meant ripping and replacing existing security tools with product suites from a single vendor, but
wholesale cybersecurity technology replacement is difficult, if not impossible, as it can be resource-intensive, time-
consuming, and cost-prohibitive.
Fortunately, many enterprises are pursuing an emerging alternative strategy. Organizations are actively integrating
their security tools into a common cybersecurity architecture to accelerate, automate, and orchestrate
cybersecurity processes for incident prevention, detection, and response. In fact, multiple types of integrated
cybersecurity automation and orchestration architectures are emerging, including:

• Open source software. In May of this year, media darling Netflix announced the open source release of
FIDO (fully integrated defense operation), its system for automatically analyzing security events and
responding to security incidents. FIDO is available for download on GitHub.

• US Federal Government initiatives. Several US Government agencies are engaged in projects similar to
FIDO. For example, the Department of Defense (DoD) is working on an ICOP effort called the Integrated
Active Cyber Defense (IACD) and collaborating with the Department of Homeland Security (DHS) on a
similar project dubbed the Enterprise Automated Security Environment (EASE).

4 Source: ESG Research Report, Network Security Trends in the Era of Cloud and Mobile Computing, August 2014.


• ISV products. Cybersecurity startups such as Hexidite, Invotas, Phantom Cyber, and Resilient Systems are
developing and marketing turnkey ICOP architectures.

How Does An Integrated Cybersecurity Architecture Work?


Think of a software architecture that is specifically designed to unify and automate the incident detection, analysis,
and response workflow. At a high level, this type of integrated cybersecurity architecture can be broken into three
components (see Figure 2):

• Inputs. Suppose an IDS/IPS or malware analytics technology generates an alert. In the past, to gain further
context, the SOC team was forced to examine other cybersecurity telemetry, such as endpoint/network
forensics and threat intelligence, sequentially and independently. Consequently, correlating security data
was a manual, tedious process. An integrated cybersecurity architecture is designed to overcome these
issues by consolidating data collection from assorted detection technologies and threat intelligence feeds.
This integration can be done through product APIs, message buses, or the collection of log files.

• Capabilities and activities. An integrated cybersecurity architecture aggregates all inputs and sends them
to a central hub for further action. The architecture can add immense value here by combining,
contextualizing, and enriching assorted telemetry. When an anti-malware sandbox detects a suspicious file,
an integrated cybersecurity architecture can be configured to immediately associate this alert with other
related data sources from endpoint/network forensics tools, IDS/IPS, firewall logs, threat intelligence feeds,
etc. By looking across all of the available telemetry, an integrated cybersecurity architecture can be
instrumented to create risk scores to help the SOC team prioritize activities. In this way, an integrated
cybersecurity architecture can be designed to present security analysts with as much contextual
information as possible to streamline investigation and response processes.

• Outputs. An integrated cybersecurity architecture can also be designed with automation and workflow in
mind to help CISOs expedite incident response and remediation. Integrated cybersecurity architectures can
be instrumented to execute an automated action, such as quarantining a zombie PC to a remediation VLAN,
when they encounter an incident with a high risk score. Integrated cybersecurity architectures can also be
instrumented to orchestrate remediation actions like creating a firewall rule to block a malicious IP address,
or blacklisting a particular application or file on endpoints and web security gateways.

"We have a wealth of information at our disposal but worry about what our security telemetry is not telling us.
Integrating our detection engines has helped us contextualize individual alerts. In this case, the whole is
definitely greater than the sum of its parts."
--Technology Company
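The three components above (inputs aggregated from several detectors and an intel feed, a hub that correlates and scores them per host, outputs that map the score to playbook actions) can be modelled end to end in a few dozen lines. The block below is an added illustration written for this page; it is not ESG, Bit9 or Carbon Black code and calls no product API. Every field name, weight, threshold, host name, hash label and sample alert in it is constructed, and the "actions" it produces are plain data rather than real enforcement calls.

```python
"""Toy model of the input -> hub -> output flow of an integrated architecture.

Added illustration, not ESG, Bit9 or Carbon Black code. Every field name,
weight, threshold and sample alert below is an assumption or constructed.
"""
from dataclasses import dataclass, field

# Constructed sample telemetry, one list per detection technology. In a real
# deployment these would arrive over product APIs, a message bus, or log files.
SANDBOX_ALERTS = [
    {"source": "sandbox", "host": "ws-1042", "sha256": "hash-A", "verdict": "malicious"},
]
IDS_ALERTS = [
    {"source": "ids", "host": "ws-1042", "dst_ip": "203.0.113.7", "signature": "possible C2 beacon"},
    {"source": "ids", "host": "ws-2201", "dst_ip": "198.51.100.9", "signature": "port scan"},
]
ENDPOINT_EVENTS = [
    {"source": "endpoint", "host": "ws-1042", "sha256": "hash-A",
     "process": "svchost.exe", "parent": "winword.exe"},
]
# Constructed threat-intelligence feed used for enrichment.
THREAT_INTEL = {"ips": {"203.0.113.7"}, "hashes": {"hash-A"}}

# Assumed scoring parameters. Each source counts once per host, so a noisy
# sensor cannot inflate the score simply by repeating the same alert.
SOURCE_WEIGHT = {"sandbox": 40, "ids": 20, "endpoint": 15}
INTEL_HIT_WEIGHT = 25
OFFICE_PARENT_WEIGHT = 15          # an office application spawning a process
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
AUTO_THRESHOLD = 80                # act without waiting for an analyst
REVIEW_THRESHOLD = 40              # queue the actions for analyst approval


@dataclass
class Incident:
    host: str
    alerts: list = field(default_factory=list)
    iocs: set = field(default_factory=set)        # (kind, value) pairs
    score: int = 0
    actions: list = field(default_factory=list)   # (action, target, mode)


def correlate(feeds, intel):
    """Hub step 1: group alerts from every feed by host and attach intel hits."""
    incidents = {}
    for feed in feeds:
        for alert in feed:
            inc = incidents.setdefault(alert["host"], Incident(alert["host"]))
            inc.alerts.append(alert)
            ip, sha = alert.get("dst_ip"), alert.get("sha256")
            if ip in intel["ips"]:
                inc.iocs.add(("ip", ip))
            if sha in intel["hashes"] or alert.get("verdict") == "malicious":
                inc.iocs.add(("hash", sha))
    return incidents


def score(inc):
    """Hub step 2: turn the correlated telemetry into a 0-100 risk score."""
    total = sum(SOURCE_WEIGHT[s] for s in {a["source"] for a in inc.alerts})
    total += INTEL_HIT_WEIGHT * len(inc.iocs)
    if any(a.get("parent", "").lower() in OFFICE_APPS for a in inc.alerts):
        total += OFFICE_PARENT_WEIGHT
    inc.score = min(total, 100)
    return inc.score


def plan_actions(inc):
    """Output step: map the score to playbook actions, returned as data (a dry
    run). A real integration would hand them to the enforcement points."""
    if inc.score >= AUTO_THRESHOLD:
        mode = "auto"
    elif inc.score >= REVIEW_THRESHOLD:
        mode = "needs_approval"
    else:
        inc.actions = []
        return inc.actions
    actions = [("quarantine_to_remediation_vlan", inc.host, mode)]
    for kind, value in sorted(inc.iocs):
        action = "firewall_block_ip" if kind == "ip" else "blacklist_hash_on_endpoints"
        actions.append((action, value, mode))
    inc.actions = actions
    return actions


def run_pipeline(feeds=(SANDBOX_ALERTS, IDS_ALERTS, ENDPOINT_EVENTS), intel=THREAT_INTEL):
    """Run inputs -> hub -> outputs and return the per-host incidents."""
    incidents = correlate(feeds, intel)
    for inc in incidents.values():
        score(inc)
        plan_actions(inc)
    return incidents


if __name__ == "__main__":
    for host, inc in run_pipeline().items():
        print(host, inc.score, inc.actions)
```

Two design choices carry the operational weight. The score counts each detection source once per host, so the "too many alerts" problem quoted earlier does not translate into more automated actions; only corroboration across sources and intel does. And there are two thresholds: quarantining a workstation on a false positive takes a user offline, so the middle band only queues the same actions for analyst approval, while fully automatic execution is reserved for incidents that several independent inputs agree on.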




Figure 2. An Integrated Cybersecurity Architecture


Source: Enterprise Strategy Group, 2015.

With the ability to automate, integrate, and orchestrate cybersecurity tools, processes, and workflows, an
integrated cybersecurity architecture represents a potential cybersecurity game changer. In fact, ESG believes
that an integrated cybersecurity architecture can be valuable for all three CISO priorities represented in the CISO
triad:
1. Security efficacy. By aggregating, enriching, and contextualizing cybersecurity telemetry, CISOs can use an
integrated cybersecurity architecture to fine-tune security controls for incident prevention, and fast-track
incident detection and response. This can greatly decrease the dwell time of typical malware kill chains and
thus lower the risk associated with cyber-attacks.
2. Operational efficiency. An integrated cybersecurity architecture can help the security team work smarter
rather than harder by automating manual processes and workflows as part of security investigations, analysis,
and remediation activities.
3. Business enablement. Armed with the automation, integration, and orchestration capabilities of an integrated
cybersecurity architecture, CISOs can improve incident prevention, detection, and response. This puts
organizations in a better position to capitalize on cloud- and mobile-based business processes that can increase
IT attack surfaces.

Customer Use Case for ICOP Integration with Bit9 + Carbon Black
ESG is extremely bullish on the rise of integrated cybersecurity architectures, especially since the technology is
available today and being implemented at a growing number of organizations. ESG recently spoke with several
enterprise cybersecurity professionals whose organizations are rolling out integrated cybersecurity architectures
using Bit9 + Carbon Black technologies as part of these projects in the following ways:


Carbon Black as a detection input. One organization used Carbon Black for endpoint forensics and a separate
anti-malware gateway deployed on its network. Using an integrated cybersecurity architecture, the security
team aggregated telemetry from both systems, enabling it to improve the quality and timeliness of its security
investigation and response while decreasing false positive alerts significantly. The security manager commented
that the Carbon Black RESTful API made architectural integration a relatively easy process.

Process automation and orchestration innovation. The input telemetry and output capabilities of Bit9 +
Carbon Black provided a lot of flexibility to innovate around things like security policies, policy enforcement
options, and automated remediation opportunities.

"Our initial metric was response time. By automating and orchestrating security processes, we were able to cut
the time necessary for detection and mitigation from days or weeks to minutes or hours."
--Media Company

Security controls and remediation. Security professionals really liked the flexibility of using Bit9 to improve
prevention and Carbon Black for response. For example, one organization was able to use Carbon Black to
remediate systems without requiring a full system reimaging while another used Bit9 to blacklist malicious
applications and files.

Security professionals were also quick to say that Bit9 + Carbon Black tools were built for integration. This seems
to be the case as the products feature open APIs and a message bus that are easily accessible through things like
JavaScript controls. In fact, the company offers a version of its RabbitMQ message bus free for download so
customers can experiment with integration as part of their proof-of-concept projects.
In summary, Bit9 + Carbon Black is focused in two valuable areas: 1) creating best-of-breed endpoint security
technologies, and 2) designing its endpoint security products for ICOP integration. Given this, CISOs looking to
modernize endpoint security and implement an integrated cybersecurity architecture would be wise to contact Bit9
+ Carbon Black to explore how its products align with their cybersecurity strategies and objectives.

The Bigger Truth


Albert Einstein defined insanity as doing the same thing over and over again and expecting different results.
Unfortunately, this is exactly what many organizations do with regard to cybersecurity. They add new point tools
believing that they will improve incident detection but they end up generating more alerts, creating more noise,
and making it even more difficult for security analysts to mitigate risk or accelerate processes.
While there is no silver bullet solution, the cybersecurity community is finally responding with a promising
technology architecture. ESG believes that because integrated cybersecurity architectures are designed for
automation, integration, and orchestration, they have the potential to greatly improve incident prevention,
detection, and response. Not surprisingly, many organizations are building their own ICOP systems, using open
source tools, or purchasing commercial ICOP products.
Recognizing this trend, Bit9 + Carbon Black designs its products for integration with open APIs, message buses, and
open source for download. And after speaking with several Bit9 + Carbon Black customers, ESG believes that the
company is adding cybersecurity value with its products and its integration prowess. The result? Improved security
efficacy, better operational efficiency, and a cybersecurity commitment toward business enablement.

20 Asylum Street | Milford, MA 01757 | Tel: 508.482.0188 Fax: 508.482.0218 | www.esg-global.com
