Carbon Black Brings Event Stream Processing to Security Platform

Security vendor uses technology approach used by high-frequency financial trading systems in an effort to detect malicious activities.

Carbon Black security

For much of the history of anti-virus technology, the focus has been on determining if certain files, embedded in documents or downloaded from the internet, are malicious.

Security vendor Carbon Black is now moving beyond just looking at files with a new event streaming processing approach in its Cb Defense Next Generation Anti-Virus (NGAV) platform that aims to better detect advanced threats that might not necessarily be file-based malware.

"We don't focus on the file, we focus on the activity," Carbon Black Co-Founder and CTO Mike Viscuso told eWEEK.

Non-file based malware, which executes in memory and is able to move laterally across a network, is increasingly being used by attackers, according to Viscuso. Carbon Black's latest innovation is being branded as 'Streaming Prevention' as it looks at activities as they stream across an endpoint. The core idea behind Streaming Prevention is event stream processing technology that has been used in high-frequency algorithmic financial trading platforms.

With event stream processing, organizations can ingest and analyze large volumes of data rapidly to make real-time decisions. In the security context, Viscuso noted that there are always lots of things going on both inside and outside of an organization that can impact security. With Streaming Processing in Cb Defense, events are analyzed by the system to make active decisions about whether to allow or deny actions.

From a technical perspective, Viscuso explained that Carbon Black has multiple steps as part of its event stream processing capability. The first step is capturing the right data on the endpoint to provide full visibility into events. The next step involves Carbon Black tagging data to help identify items and events. Following that, an analysis is made across the tagged events to make security decisions. Viscuso added that the analysis occurs in a continuous loop.

"As we are looking at each new event and tagging it, we also see all the history attached to a particular system or process," Viscuso explained.

As such, when a new event is tagged, it is analyzed in the context of all the other tags that have been applied to the same system in the past to help identify potential risks. In so doing, the Cb Defense platform builds a profile over time about endpoints and whether or not a given event is part of an advanced attack.

Carbon Black is using a hybrid cloud model to enable the event stream processing capability in Cb Defense. The analysis is done in the cloud, while the resulting decisions about access are sent to the endpoint client to block threats.

The Cb Defense technology comes to Carbon Black by way of the company's acquisition of security vendor Confer in July 2016. Viscuso explained that the majority of the analytics capabilities come from Confer, with Carbon Black providing additional data collection capabilities to tag and identify data from endpoints. Carbon Black had previously released a pair of incremental updates to Cb Defense, following the Confer acquisition.

"This is the release that really doubles-down on the prevention model," Viscuso said. "We had done some things in past releases that were more focused on operational efficiency and user interface."

"This is the first release of Cb Defense that we're really emphasizing a breakthrough on the prevention side," he said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.