WEBINAR | A Deep-Dive into 2023 Cyber Threats
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
April 11, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
Updated May 2021
DR solutions offer security tools that serve an integral part of an enterprise’s security posture and without them, an environment is left with many blind spots. That is why so many companies will invest in a reputable Endpoint Detection and Response (EDR) solution such as VMware Carbon Black, SentinelOne, or Crowdstrike. Unfortunately, these tools do not self-manage and are not plug and play solutions to protect your endpoints. Today, we’ll focus on Carbon Black specifically, a top EDR solution. These four tips will help you and your organization get the most value and enhanced security out of your Carbon Black instance.
To be able to detect and proactively identify actions that are abnormal, you need to understand what normal looks like on an endpoint and how the endpoint should be communicating with other endpoints. One major challenge in threat hunting within an EDR security solution is being able to detect and respond to abnormal behaviors and actions on a host that indicate reconnaissance and attacks. To do this, you need to have a solid understanding of the architecture as a whole, as well as at a granular level to identify where potential vulnerabilities could be in the environment and how threat actors can exploit these vulnerabilities.
To gain an understanding of your network’s architecture, the analyst/threat hunter must have a detailed and clear idea of the technical aspects of the environment, such as the applications on hosts, network IoT devices in use, and systems that are currently in production.
In addition to knowing the technical aspects of a company’s environment, it is essential to develop relationships with key personnel inside and outside of the IT and cybersecurity departments to further understand what normal activity looks like as opposed to what anomalous activity looks like.
When threat hunting, it is likely you will come across activity that appears to be malicious; however, this activity could be due to the malpractice of devices, applications, or systems by the users in the network. Without working relationships with key personnel, threat hunters investigating or hardening the enterprise architecture using an EDR instance such as Carbon Black cannot make the needed security improvements in an EDR solution to exclude specific behaviors and binaries that may look and act malicious but are actually benign because they are specific to a group. For example, the development team could have a script created to automate a part of their job but when they run it, your VMware Carbon Black solution observes this file to be malicious. When you have a working relationship with the development team, you can get this information from them and approve the file name and process in a watchlist or approve the hash or file path in a policy so that you do not see alerts for that script in the future.
Previously, we talked about the importance of understanding normalcy in your environment when threat hunting, to ensure you can discern normal from abnormal behavior. That is just as important when tuning your environment, whether you are modifying custom watchlists, enabling/disabling threat feeds in your EDR instance, or carefully crafting sensor groups and policies where your endpoints will reside.
With Carbon Black, you have the unique ability to exempt or block specific behaviors and binaries from triggering alerts using custom watchlists, threat feeds, and sensor policies. Understanding the normal activity occurring in your environment has a huge impact on the tuning capabilities an EDR analyst and administrator can implement to prevent false positive behavior from triggering alerts in Carbon Black.
It is imperative to encourage your security analysts to report false positive behavior/IOCs and to make educated decisions on what needs to be tuned out of future alerts. Then report that information to the necessary personnel to ensure those changes are enacted in your Carbon Black instance. Security is a team sport—you need all hands on deck to drive change and reduce the volume of false positive alerts.
At ReliaQuest, we use a 5-step tuning process to encourage team feedback, which has helped us to be able to efficiently and effectively update and implement new content daily. Implementing and modifying rule logic is incredibly important with EDR because these tend to be very noisy with false positive alerts, and a high volume of false positive alerts will reduce visibility into threats. The 5-step process is as follows:
With this 5-step process you should be able to effectively tune/edit rule logic around an alert that was generated due to a false positive event.
For more guidance on tuning false positives, Carbon Black offers free training for their customers (use your company email address) via VMware Carbon Black Technical Academy. They offer both self-paced and live classes and serve as valuable resources to help your analysts to tune out the false positives.
Carbon Black utilizes and integrates APIs for tool health and endpoint health, and has the ability to ban hashes, isolate hosts, and much more through their integrated API. Leverage these APIs to apply automation across the security lifecycle. APIs can be used to automate the patch lifecycle of the Carbon Black sensors that reside on each host to ensure that all endpoints have the most up to date software that Carbon Black provides. An important feature built-in to the Carbon Black sensor is that it will record the last check-in time of each sensor and report it back to your dashboard to ensure that there is always complete visibility on each host. The same can be done to automate a mass uninstall of sensors. For example, if a group of servers or a department of computers has reached end of life, the script can be configured to uninstall the sensors from the devices, contact the Carbon Black back-end, and remove that host from its respective group, thus returning the sensor license back to the account in order to be used on a different host.
One of the more popular ways to use APIs with Carbon Black is to continuously monitor the overall health of the Carbon Black instance(s) and the endpoints in the network. Using the API to create your own out-of-band monitoring is crucial to the success of your EDR implementation. Some examples of out-of-band health monitoring utilizing the API might include a baseline of the sensors that should report into the cloud. From there, you should be utilizing sensor APIs to consistently check for any deviations from that baseline, looking for any abnormalities in that data to identify potential misconfigurations or any other issue an endpoint might be experiencing causing it to not report in. If your team is not able to create their own out-of-band health monitoring, use what VMware Carbon Black has provided out-of-the-box for some of their products.
For instance, Carbon Black EDR (formerly CB Response) offers out-of-the-box sensor health monitoring, which will gather data metrics from the endpoint, ranging in severity from low to high, where a low health event could be a sign of error 879 (AgentStrongSSLUnavailable) which indicates an agent is unable to connect to server using Strong SSL, and a high severity health alert could be error 161 (AgentDatabaseIsCorrupt) indicating a corrupt database has been detected.
A common API your company should use to measure the overall health of the Carbon Black instance is monitoring the logging efficiency of the data that is coming in and out of your Carbon Black instance. Endpoints are constantly reporting back to the Carbon Black Predictive Security Cloud (PSE), a massive data and analytics based cloud platform that processes and analyzes customers’ unfiltered data for threats based on known malicious binaries and suspicious behavior from observed patterns, with unfiltered data. This data gets stored for a set amount of time and is monitored and made readily available to users who need to access that data. If the communication of data between one or all endpoints is broken, all visibility and data for the duration of the broken connection are lost. Endpoints are able to store a small, set amount of data in the agent cache on the host, but if the cache memory fills up on the hosts, then no more logging will be performed until the cache memory is pulled or the connection between endpoints and the Carbon Black backend is reconnected.
ReliaQuest GreyMatter, our security operations platform for delivering security confidence, utilizes our own out-of-band health monitoring to create baselines of your environment and track for any deviations from those established baselines that out-of-the-box health content would not catch, resulting in more endpoint uptime. GreyMatter uses APIs to monitor your endpoints’ health, which does not require anything additional to be deployed to your endpoints. We maximize your investment in EDR by applying automation across the security lifecycle through the use of APIs to gather and enrich data from your EDR, ban hashes, isolate hosts from the internal network, delete files on a host, and much more – providing analysts with all of the information they need, in one place, to detect, investigate, and respond all within the GreyMatter UI.
The Carbon Black User Exchange (CB UE) will provide useful information, whether you are an administrator troubleshooting an issue with your Carbon Black instance or an analyst investigating an alert that triggered on a host in your environment. In the user exchange, you will find a variety of knowledge pertaining to all areas of the Carbon Black toolset. Effectively utilizing the CB UE will be a big step in the right direction when striving to get the most out of your EDR tool.
The user exchange was built so that both Carbon Black employees and partners of Carbon Black who use or resell the tool, have a platform to gain new knowledge and share threat intelligence in one central location. With the user exchange, you have the opportunity to learn the best practices to secure your environment by learning from other security professionals who have walked in your shoes on the path to maximizing the potential of your EDR instance, all documented into organized knowledge base articles.
On the CB UE, there is information for every type of security professional. For EDR administrators, the CB UE offers step-by-step instructions for tasks like integrating your Carbon Black instance with an API to create a custom dashboard for your Carbon Black data. While the CB UE has a massive amount of information regarding implementing, fixing, and maintaining various types of configurations and different services Carbon Black uses, it also has updated information on enhancing your enterprise’s security posture. There is a wide range of behavioral threat feeds, custom watchlists, updated lists of known binaries for common malware families, and more to ensure you’re using your Carbon Black tool to its maximum potential.
The CB UE is not just a place for EDR administrators. Threat hunters will find the knowledge they need to conduct thorough and complete investigations by searching for updated search queries, investigations, and general information regarding a specific malware class or family. An example situation that a threat hunter may pivot into the User Exchange for is during an investigation of an alert where one internal host sent traffic to another internal host, and the traffic was analyzed by one of the IDS/IPS systems in the network as an Emotet infection attempting to infect another host. For this scenario, the alert did not generate in your Carbon Black instance; however, you can use the UE to gather custom search queries. In the User Exchange, there is a large knowledge base on what Emotet is, common binaries associated with it, common behavioral patterns, and custom search queries that were created to find indicators of compromise that are specific to an infection of Emotet. An example of a custom search query specific is:
ipaddr:10.141.153.49 OR ipaddr:10.131.91.65 cmdline:–* AND netconn_count:[2 TO *] AND modload:”c:\windows\syswow64\bcrypt.dll” AND digsig_result:”Untrusted Root”.
Lastly, the CB UE is a great resource when wanting to be proactive and read up on current malware trends so that you can begin to build your next custom watchlist tailored to what type of attack is most common among threat actors. Additionally, you can visit the User Exchange to stay up-to-date on recent updates to your sensors or threat feeds.
An account on the Carbon Black User Exchange can be created with your company email if they have an account with Carbon Black.
With these four tips, you should now have the knowledge to leverage different resources and processes to get more value out of a VMware Carbon Black EDR solution. To recap, start by:
These tips paired with the integration of ReliaQuest GreyMatter will maximize the time spent on investigations and remediation of compromised hosts and will serve as a gateway to the information of your endpoints’ health.