Pivot Automatically from the Network into the Endpoint with DFLabs and Carbon Black



The time it takes attackers to progress from initial infection to establishing multiple beachheads and beginning data exfiltration is often measured in minutes. Responding effectively under these adverse conditions requires complete network visibility, actionable intelligence and intelligent automation to augment human analysts.

The visibility needed to respond under these conditions usually exceeds what any single product can provide. The initial alert may come from one source, such as an Intrusion Detection System (IDS) or Web Application Firewall (WAF) on the network or an antivirus product on the endpoint, but understanding the full context of the event almost always requires correlation and enrichment from other sources.

For example, a WAF alert on malicious traffic from an internal endpoint to a known-bad external host by itself leaves many unanswered questions. What is this internal endpoint? How critical is the endpoint? Why is this external host “known-bad”? Why was the endpoint communicating with this host? What other activity was taking place on the endpoint? What data was sent? Answering these critical questions will almost certainly require correlation and enrichment from other sources, and without a Security Orchestration, Automation and Response (SOAR) solution, this will be a time-consuming manual process.

Carbon Black has long been recognized as the industry leader in endpoint detection and response, providing unmatched visibility into all endpoint activity. By incorporating actionable intelligence into their suite of tools, Carbon Black allows enterprises to respond effectively to both known and unknown threats. Carbon Black Defense brings Carbon Black’s extensive Endpoint Detection and Response (EDR) experience together with their cutting-edge next-generation antivirus technology to provide protection against even the most advanced threats.

The endpoint data collected by Carbon Black’s solutions provides context for network-based alerts that no network sensor can supply on its own, answering questions that would otherwise remain open. Using one of Carbon Black’s solutions, analysts can pivot from a network-based alert to determine what activity was taking place on the endpoint, assess the risk that activity poses to the enterprise, and contain the threat before additional damage is done.

Using a SOAR solution such as IncMan SOAR from DFLabs, enterprises can automate this pivot into the endpoint, gathering endpoint data within seconds of the alert to establish the full scope of the attack. They can also run automated or semi-automated containment actions (banning a hash value, isolating a host, or blocking an IP address) that stop the attack immediately, with the semi-automated option reserving an analyst approval step for actions whose cost of being wrong is high, until human analysts can fully investigate the threat and put long-term containment and remediation controls in place.
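As an illustration of the enrich-score-contain flow described above, here is a small playbook in Python. It is an added example, not IncMan SOAR or Carbon Black code: the threat-intel entries, asset inventory and per-endpoint process telemetry are constructed in-memory stand-ins for what a real EDR and intel query would return, and the action names (`block_ip`, `ban_hash`, `isolate_host`) and score thresholds are assumptions. It goes slightly beyond the text by showing the gate a practitioner would want: containment is fully automatic only when the endpoint corroborates the alert and the asset can tolerate isolation; otherwise the actions are staged for analyst approval or the case is escalated.

```python
"""Hypothetical SOAR playbook: enrich a WAF alert with endpoint telemetry and
decide containment. Added example; not IncMan SOAR or Carbon Black code. All
intel, asset and process records below are constructed stand-ins for what a
real threat-intel feed and EDR query would return."""
from dataclasses import dataclass, field
from typing import Optional

# --- constructed data sources (assumptions, not real feeds) ------------------
KNOWN_BAD_HOSTS = {"203.0.113.45": "command-and-control beacon"}

ASSET_CRITICALITY = {"10.0.5.12": "workstation", "10.0.1.3": "domain-controller"}

# Per-endpoint process telemetry: which process made which outbound connection.
ENDPOINT_TELEMETRY = {
    "10.0.5.12": [
        {"process": r"C:\Users\alice\AppData\Local\Temp\update.exe",
         "sha256": "3a7f" * 16, "parent": "winword.exe",
         "remote_ip": "203.0.113.45", "bytes_out": 2_400_000},
        {"process": r"C:\Program Files\Browser\browser.exe",
         "sha256": "0b1c" * 16, "parent": "explorer.exe",
         "remote_ip": "198.51.100.7", "bytes_out": 48_000},
    ],
    "10.0.1.3": [
        {"process": r"C:\Windows\System32\svchost.exe",
         "sha256": "9d2e" * 16, "parent": "services.exe",
         "remote_ip": "203.0.113.45", "bytes_out": 512_000},
    ],
}

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


@dataclass
class WafAlert:
    src_ip: str  # internal endpoint the WAF saw talking out
    dst_ip: str  # external host it flagged


@dataclass
class Enrichment:
    alert: WafAlert
    intel: Optional[str]
    criticality: str
    matching: list = field(default_factory=list)  # processes that talked to dst_ip
    score: int = 0
    reasons: list = field(default_factory=list)


def enrich(alert: WafAlert) -> Enrichment:
    """Answer what the alert alone cannot: what is this endpoint, why is the
    destination bad, and which process on the endpoint was talking to it."""
    e = Enrichment(alert, KNOWN_BAD_HOSTS.get(alert.dst_ip),
                   ASSET_CRITICALITY.get(alert.src_ip, "unknown"))
    e.matching = [p for p in ENDPOINT_TELEMETRY.get(alert.src_ip, [])
                  if p["remote_ip"] == alert.dst_ip]
    return e


def score(e: Enrichment) -> Enrichment:
    """Additive risk score; every rule records why it fired so an analyst can audit it."""
    if e.intel:
        e.score += 40
        e.reasons.append(f"destination is known-bad: {e.intel}")
    for p in e.matching:
        e.score += 30
        e.reasons.append(f"{p['process']} connected to {e.alert.dst_ip}")
        if "\\Temp\\" in p["process"] or p["parent"].lower() in OFFICE_PARENTS:
            e.score += 20
            e.reasons.append("process ran from Temp or was spawned by an Office app")
        if p["bytes_out"] > 1_000_000:
            e.score += 10
            e.reasons.append(f"{p['bytes_out']} bytes sent: possible exfiltration")
    return e


def decide(e: Enrichment) -> dict:
    """Pick containment actions. Fully automatic only when the endpoint corroborates
    the alert and the asset can tolerate isolation; otherwise stage for approval."""
    actions = []
    if e.score >= 40:  # cheap, reversible: block the destination
        actions.append(("block_ip", e.alert.dst_ip))
    if e.score >= 70:  # endpoint corroborated: ban the binary and cut the host off
        actions += [("ban_hash", p["sha256"]) for p in e.matching]
        actions.append(("isolate_host", e.alert.src_ip))
    if not actions:
        mode = "escalate"            # nothing corroborated; a human decides
    elif e.criticality == "domain-controller" and ("isolate_host", e.alert.src_ip) in actions:
        mode = "approval_required"   # never auto-isolate a DC: availability cost too high
    else:
        mode = "automatic"
    return {"score": e.score, "mode": mode, "actions": actions, "reasons": e.reasons}


def run_playbook(alert: WafAlert) -> dict:
    return decide(score(enrich(alert)))


if __name__ == "__main__":
    for src in ("10.0.5.12", "10.0.1.3", "10.0.9.9"):
        print(run_playbook(WafAlert(src, "203.0.113.45")))
```

The thresholds are deliberately separate for each action: blocking an IP is cheap and reversible, so it needs less evidence than isolating a host, and a domain controller is never isolated without a human in the loop, which is the distinction between automated and semi-automated containment in practice.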

In our upcoming webinar “Dive Head First into the Endpoint (Without Hitting Your Head)” with Carbon Black, taking place on April 2nd at 12pm EDT, we will explore DFLabs’ Security Orchestration, Automation and Response (SOAR) solution, IncMan SOAR, together with Carbon Black Defense. We will show how the two work together to automatically pivot from the network into the endpoint, identifying and containing unknown threats to immediately reduce risk to the enterprise.
