Security vendor Carbon Black has unveiled its latest technology to protect endpoint devices, Streaming Prevention. It claims it will protect users against both malware and non-malware attacks. The technology is the foundation of Carbon Black’s Next Generation Anti-Virus (NGAV) product line.
According to Patrick Morley, Carbon Black’s President and Chief Executive Officer: “‘Streaming Prevention’ marks a significant breakthrough in the NGAV market. With Cb Defense, our customers can confidently replace legacy antivirus and achieve a level of endpoint protection that redefines what it means to be ‘safe.'”
What is Streaming Prevention?
In a blog written by Michael Viscuso, Chief Technology Officer, Carbon Black, there is more detail on how Streaming Prevention works. Viscuso says: “In contrast to legacy AV and machine-learning AV, streaming prevention monitors the activity of applications and services, including communications between processes, inbound and outbound network traffic, unauthorized requests to run applications, and changes to credentials or permission levels.”
There are four stages in the Streaming Prevention process:
- Real-time sensor: A real-time, lightweight sensor sitting on the protected system captures and analyses every event on that device. It is not clear what lightweight means or the level of resources is required to do the analysis. It is not designed for mobile devices which suggests it needs a reasonable level of processor and memory.
- Event Tagging: Once analysed, each event is given one or more tags that describe its behaviour. As an attack develops, Viscuso says that IT security will be able to read the tags to see each step an attacker is taking.
- Attack Analytics: Carbon Black is using a number of different analytic engines to examine the tags. It will use these to create a risk profile for an event. At the event level, much of what malware does is identical to other software programmes. It will be interesting to see how effective these new attack analytics are, especially in spotting 0day attacks.
- Enforcement Engine: Each event gets a risk score. The higher that score the more likely the Enforcement Engine will kick in. This will then block the attack. Customers are able to set their own levels at which warnings are issued. It will give users an early opportunity to stop a risky app or process. However, too many warnings and users will ignore them forcing the Enforcement Engine to step in.
Learning from the finance industry
The key to Streaming Prevention is its use of event stream processing (ESP). This means that while events are looked at initially in isolation it is how they are put together that matters. Think of it as a large box of Lego. Each piece has a colour, shape and size. Creating a house, helicopter or spaceship requires a given number of blocks in a set sequence. ESP is looking for those sequences in order to fully identify an attack.
This is where Carbon Black believes it can do a better job that the AI and machine learning AV solutions. Carbon Black and its competitors want to show they can be the first to detect an attack. This is important. Traditional AV relies on detecting malware using a known pattern. Here the “magic” is about detecting possible harmful patterns.
The key will be how many 0day attacks Carbon Black begins to talk about detecting. It will also have to avoid falling into the trap of its key competitors in wrongly identifying behaviour. For example, users of Cylance had major problems with it and Steam. This is because Steam updates itself, a behaviour not unlike some malware. The only solution for almost a year was to mark all the directories used by Steam as safe. Given the amount of malware around gaming this was highly risky.
It will be some months before we know if Carbon Black has managed to get around this problem.
What are non-malware attacks
Malware downloads itself to the local machine before executing. Non-malware attacks takes advantage of legitimate programmes and processes, using them to execute its instructions. As such, AV software does not shut down or sandbox those programmes. This makes it very hard to detect where an attack is coming from.
Phishing emails with infected Office documents can create non-malware attacks. Rather than the macro downloading a malicious programme it uses Windows PowerShell or other operating system utilities. It passes them commands which they execute. As the commands are for legitimate software the AV may warn about the macro but won’t block it or the payload.
Carbon Black is saying that Streaming Prevention will detect and prevent this type of attack. It believes that it is the only vendor, at this time, able to do this. Without third-party AV lab verification this is difficult to substantiate. As the main AV labs do their next set of AV comparisons it will be interesting to see how many include non-malware attacks and defences.
Carbon Black believes it has a jump on the competition. The security industry is heavily focused on behavioural analytics and machine learning/AI. It sees these as enabling it to detect attacks early, especially the more complex attacks. By breaking with the pack Carbon Black is taking a chance. It is not as big a chance as it looks.
It is using event monitoring, an approach well known to system administrators. By tagging each event and then passing it to an ESP tool to see how the events come together it allows the attack to be easily seen and read. The only question is how effective it will be against 0day attacks and new malware.