CarahCast: Podcasts on Technology in the Public Sector

The Future Begins Now with VMware Carbon Black

Episode Summary

The Biden Administration has issued an Executive Order mandating all government agencies to deploy an endpoint detection and response (EDR) program to protect their data. To protect yours, trust only the most-deployed threat hunting tool in the U.S. government: VMware Carbon Black.

Episode Transcription

Speaker 1: On behalf of VMware and Carahsoft, we would like to welcome you to today’s podcast focused on VMware Carbon Black, where Jared Myers, Sr. Manager, Threat Analysis Unit, and Brendon DeMeo, Sr. Solution Engineer at VMware, will discuss how VMware Carbon Black can help build a better endpoint detection and response program.

Jared Myers: Thanks, I was gonna let Brendon introduce himself, kind of go over the agenda, and then we'll kind of hop right into the content. So.

Brendon DeMeo: Cool. That's good. So of course, my name is Brendon DeMeo. I've been with VMware, well, the Carbon Black team specifically, for about a half decade now, of course through the VMware acquisition of Carbon Black. Prior to that I was in the US Army. And, you know, I'll be giving you an overview of the Carbon Black offerings, as well as going over the Executive Order and demoing Carbon Black EDR and Carbon Black Cloud EDR later. Really to kick things off, we're going to be going over some specific threats facing federal agencies today with Jared Myers, who of course is a senior manager on our threat analysis unit, and we'll map basically some of what he says to Carbon Black EDR, and how we can address those things from an EDR standpoint, and also potentially from a prevention standpoint as well. Jared?

Jared Myers: Yeah, thanks, Brendon. Yeah, as Brendon said, I'm the Senior Manager for TAU, the Threat Analysis Unit. Brendon and I were talking, and he asked me to come on and present some of the threats that we were seeing specifically in the federal agency space. So I've put together, I guess, some of the trends that we've seen, as well as some of the specifics and some of the projects that my group in particular is doing, to try to make sure that we're on top of the latest tactics and techniques and things like that. And then I'll hand it back over to Brendon. So let's get started. The first thing we want to talk about is ransomware. In general, ultimately, I think whether you're private sector, you're in the commercial space, you're in the government space, whatever it is, ransomware has continued to be this thorn in everyone's side. And to be honest with you, I feel like the velocity at which ransomware as a service, this whole model, is going is just ramping up rapidly. Where this comes into play, we get a lot of questions like, is ransomware targeting any certain vertical, any specific state or local or federal level? And the answer is, to be honest with you, ransomware actors are just targeting everything. What we've seen specifically in the federal or state space is that some of these actors, sometimes when they're just doing their typical scanning, like, let's just scan everything, spray all the passwords, let's do all the things that we do, every day they just come across assets that they can get into, whether it's from some known vulnerability, compromised or weak credentials, whatever it is, and then they try to figure out, where am I? What am I doing? And they start to assess what the value of this target is and things like that.
And sometimes they find themselves in, you know, this federal or other government space, at which point, it's interesting from some of the IRs that we've had visibility into, some of the incidents that people have shared with us and things like that, how quickly it can get fairly aggressive once they find out they're in a high value target, versus just a run of the mill smaller business or something like that, which may not have as good of a return for them. So typically, when they get in there, we see the actors switch very quickly to some secondary or third stage malware that we don't typically see; ultimately, a lot of times this access is sold off, and the bigger, the better, it goes for higher dollar, things like that. But one of the things we keep telling people on this ransomware is to start with the basics, whether you are a very small retail shop, whether you are a commercial entity, whether you are in the government space: starting with the basics is just the biggest thing with ransomware. All the things that you know you should be doing but it's hard to keep up with, whether it's patching vulnerabilities, making sure that there's nothing hanging off the internet that people can RDP into, or that may have specific services open that you didn't intend. Those routine checks, ongoing maintenance and checks of that, I see as one of the biggest initial steps to just warding this off. A lot of times, what we see in ransomware, at least with these large scale attacks, is that it's very opportunistic; they're just throwing out big nets every day, every hour of every day, and they're just pulling them back in to see what they get.
And sometimes they're in small businesses, sometimes they're in big businesses, sometimes they land right in the middle of some network segment on some government network, whether it's state or federal, whatever else, and they can sell it off very quickly. Preventing the spread with this, and I'll talk more about this as I talk about some of the living off the land and the custom RATs that we've been seeing, is the biggest thing when it comes to ransomware. Having a vulnerable server happens; that's just it, it happens. But if you can limit the quickness, the availability, the potential for them to move north-south, east-west, all those things, that's a huge point, to say, yeah, someone got into this weird segment, it's a legacy segment, we knew it was older, it was a known risk, however, all they could do was get in there, it was fairly contained, and we were able to identify it quickly and turn it around. That is a huge piece to that. And that pivots into the next thing. When we talk about some of the vulnerabilities and things like that, we see a lot of what we call advanced attacks, zero days, and I lump a lot of things into zero days, whether it is actual CVEs, or whether it's more like third party attacks, where they're getting into some other product that you may use inside your environment, and then it gets inside of there. Typically, those are not known, it comes out, and it's treated as a zero day. But I mean, we just continue to see this. If all of you remember, it was basically at this time last year that SolarWinds was starting to pop off. And since then, we've had a barrage of these attacks ongoing, there have been a lot of CVEs that have come out, and we still see ProxyShell stuff going on.
And we see some very advanced groups out of the Middle East, out of Iran, things like that. They're still using those. We also see people targeting, I think the latest one was Zoho's enterprise password management, and there's this constant, steady pace of CVEs, and everyone asks us, what are you doing about the CVE, how are we going to protect against this? And the thing is, there are always certain limits that come with these CVEs. For some of them, depending on the types of tools you have and the type of visibility that you have, all you can say is that you may or may not be able to see that, especially when you get down to network level bypasses and RCEs and things like that. Ultimately, what's going on is happening in the kernel, when it authenticates to a server on a port that you just have to have open, and what's occurring is in some vulnerable driver or something like that. A lot of things just don't have visibility into that level, period. So what we tell people is, focus on everything that happens after that. In all these zero day attacks that we see, you'll see it come out, you'll see it being disclosed, and then you just see it run amok, whether it is from advanced adversaries, or whether it is from very highly commoditized actors going after whoever they can get into. But once they leverage the zero days, they go back to the same playbook that we see day in and day out. They've got to figure out where they're at, they've got to harvest credentials or escalate privileges, and then they start moving laterally.
And time and time again, they're using the same tools over and over again. Ultimately, what we're seeing is, yeah, it's some crazy, sexy, cool new zero day to get in, and then it's the same old tools that we've been talking about for years that they're leveraging off of that, or they switch to living off the land. But as long as you have visibility. Trying to chase that zero day, trying to chase everything, you're just behind the eight ball if you're always hoping that whatever comes out, you can address it quickly enough, that you have the ability to patch quickly enough. And for a lot of people that's just not a reality. By the time that you get notified, you test it, you make all the change requests, and you start the process, that can be weeks, we all know, if not months, for a lot of people. So the biggest thing that I tell people when I talk about that is having visibility into what ultimately happens post exploitation. Whatever CVE is hot today, there's going to be a new one tomorrow, or next week, or whatever it is, but what happens after they exploit that CVE? Those are the things where I think most people can really hone in and focus and say, all right, yes, there was some CVE, something that we didn't know about, no one knew about until it broke on Krebs or wherever else this morning, and we do see it, we think it was exploited in our environment. But what we do see afterwards is this following of everything that we typically see: we see them bringing in additional tools, we see them bringing in additional RATs, we see them trying to move laterally, trying to figure out where they are.
So, I mean, this is just not going to stop. I actually see it increasing. I think in 2021, if you look at just the sheer number of CVEs that have been put up this year, a lot of points have been put up on the CVE board. And I just don't think that that's going to lessen in 2022, or 2023, or anything like that. Whereas, understanding what the CVEs are patching and everything else, if we have good enough visibility, and we know this environment, we know what happens day in and day out, and we feel comfortable being able to pick out what is on the fringe, what stands out, what isn't normal, that's a huge place to be in for a lot of organizations, just to be able to say, all right, they got in because no one knew that this occurred, but we were able to see it and detect it and stop it very quickly. Cloud based attacks. Of course, we're seeing a lot more of these. Just as more people move to different cloud based services, we're seeing a lot more adversaries targeting those. Ultimately, if you've moved a ton of services into the cloud, and you're accessing it remotely like everyone does, depending on the hurdles and the pathways that you put in place to access that, there are just a lot of things that have been left open. I believe CISA put something out about this not too long ago at all. But I mean, it's not that big of a surprise that you see the same things that I would liken to a lot of the ransomware as a service: password spraying, looking for vulnerabilities. It's just easier, because now you've put everything into the cloud. I am not saying people shouldn't put things into it.
But I think we need to go in with open eyes. A lot of times, people look at the benefits of pushing things to the cloud and say, we're going to push it to the cloud, and it's going to take so much off our services, we don't have to upkeep the infrastructure, all these things. And that's all correct. And that's great. I would say the caveat that I'm hoping all the practitioners, the type of people that are on this call, is that there's someone in the room saying, yes, however, we need to make sure that it's secured appropriately, that we're putting things in place so that only the right people can go through the right channels to get to some of the data, some of the services that we're hosting, and things like that. Moving on, I've got a couple more of these. Now I'm going to get into some very specific things: phishing, living off the land. I mean, we've seen it for a decade, if not longer, and I think we're going to continue to see it. What I will say impresses me from year to year is not that phishing still occurs. And a lot of what I'm talking about when we see this, I'm not talking about the email chain that your grandmother or your uncle gets that asks them to send money via Western Union. I mean legitimate phishing attacks, where they've compromised family members, where they've compromised other businesses, where they've done their homework. So when they send you some of these phishing email attacks, it looks legit. It's from people that you know, it references recent things that you have done, or things like that. And we see a lot of this. Again, I think Russia, China, there are a lot of people out there doing a lot of things. I think the Middle East right now, in the phishing space, are some of the most inventive from what we've seen.
And there are so many of these smaller countries, smaller kingdoms, that I feel target a lot of people, whether it is diplomatic entities or business ties. We've seen cases where, simply because businessmen were supporting key US officials, senators, congressmen, things like that, that were lobbying for harsher measures against some foreign countries, they were being targeted, probably in an attempt to be exploited and things like that. We continually see them target law enforcement, military, gov. I think just recently it came out that Lazarus was targeting security firms. And a lot of this goes back to what I would call legit, next level phishing stuff. And hand in hand with that goes the living off the land stuff. And with the living off the land, I'm going to segue into all the custom RATs, but the living off the land that we see today, that we've seen for the last couple of years, it just works so well that everyone uses it, and it muddies the water so much. It's hard to say, if you just have a snapshot of, this came in, then they did a bunch of basic stuff with PowerShell, or AdFind, the typical tools that we have in our environment, it's hard to say that is XYZ, or we think we've been targeted by whoever. It's very easy for them to muddy the water, and I mean all kinds of attack groups, to where you're left with, something happened, we're not sure really who it was.
And it's not typically until you get to the later stages, the second, third, fourth stage of the attacks, that it really starts to become clear, like, all right, so now they've switched to a custom RAT, and they're still maintaining their persistence in the network via compromised RDP and all the common living off the land techniques. But it's not till you get to some of those secondary RATs that it really becomes apparent who is actually targeting us. One of the other big ones that we've seen recently is Ke3chang. I think they're also known as NICKEL, but Microsoft just released a report, I think this week actually, where that group has been targeting different military and government entities across North and South America, and also some other regions. We're not special snowflakes that are the only ones being targeted. But it's one of those things that we see pick up in this time period, especially in the government space and education space, from before Thanksgiving through the traditional holiday break. There's generally a lot of activity, just because a lot of people are taking off, a lot of people aren't being as conscious. A lot more people are just in the fast pace of it, and they're more willing to look over things. And we see just an abundance of phishing emails come in during that time, whether it's related to seasonal holidays, whether it's related to shopping, deliveries, because everyone's getting deliveries. I mean, we just see this big influx, and it's hard to say, well, this is just your average random commoditized phishing campaign; this looks a lot more legitimate. Sometimes, depending on the target and the content of them, you can say, yeah, only three people in our org got this, and this is very tailored.
So some of it shows up, and then it depends on your abilities to dig into it and say, can we access the links? Can we execute the documents, whatever else, or send it somewhere so they can tell us what the second and third stages that may have popped up because of this are. So with that being said, we'll pop into custom RATs, living off the land, Cobalt Strike. That's just everybody, I feel like. Everyone's first stage right now, or first and second stage. But eventually, after people have moved laterally, after they've used some of the modules inside of Cobalt Strike and things like that, oftentimes we see them set up these third and fourth stages, which are these very highly customizable RATs. And this diagram here, if you'll notice, outside of the modules, there's no specific, it's called this or that. This general skeleton represents, I would say, 80% of the RATs that we see now, whoever's using them, whatever they're doing. They all try to follow this standard process. They're trying to get loaded into some legitimate process to help them masquerade, something that's going to be running on all systems, so it doesn't pop up as ominous; a lot of times that's side loading things. There's something encrypted, it's typically shellcode or something like that, and whether it's encrypted, or it's just some XOR and Base64 encoded, ultimately it's just some file sitting on disk that, if AV scans it or whatever else, it's fine, because it's encrypted. But that gets read into memory, gets decrypted, that memory page gets called, and then you have your C2 coming back and forth.
And it's highly modular, so that way, even if you do get down to what the shellcode was that was sitting on disk, and you can decrypt it and all those things, what you're left with is really a cradle or a stager, where ultimately it just calls out and its whole job is just to ask for modules to be run. It's just the heartbeat side of it. And then almost all of them have the same capabilities. It's usually Mimikatz, they can download and execute additional files, they can search for files, they can act as a proxy, so they can start bouncing through several servers. Let's say, specifically, they're after a Linux server; they may bounce through two Windows servers, using the RAT itself as a proxy, to then try to issue commands directly on some Linux server somewhere. And we're seeing this a lot. So having this understanding of not just what doesn't look legitimate inside of your environment, but what legitimate processes are typically doing, and when did they start doing weird stuff, is hugely important. But I bring this up, and my team and I joke about it, but honestly, this represents 80% of the custom RATs that we come across. They all follow this scaffolding, so to speak. We released a report this week on Tiger RAT, but if you look there on the left, those are just some of the classes, but those are some of the modules that they do.
And ultimately, if you look on the right, that's what I'm talking about. It's just some encrypted blob that sits on disk, there's a size of it, there's an XOR key, and then you basically XOR decode it, then you execute it, then it's just code that runs in memory, and it is highly capable after that. So I see these custom RATs, these lightweight custom RATs that don't leave a huge trail, just continuing to be utilized again and again, and they use them because they work. And they are harder to detect. Ultimately, a lot of people are getting good at picking up weird Cobalt Strike or odd PowerShell commands being run. So they'll use those until they can get an initial, or additional, foot in the door, and then things like this, which are harder. The communication is typically encrypted, whether they use RC4 or something like that. It doesn't need to be fancy. It just needs to be quick and lightweight, where they can run with it. So some of the things that my group does, and Brendon will talk about the tools and things like that, but we, on top of just trying to keep up with all these, look for a lot of different things. One of the things that we noticed, I would say in the past, was a lot of people would run malware, and they would just be like, do you capture this? Yes or no. And a lot of times what people were focusing on was just that initial thing, the installation piece of it, how maybe a dropper would entrench itself, stuff like that. And there are all these unused pieces, because the C2 was down, the server wasn't up and couldn't be called out to, so 95% of the functionality of the malware wasn't actually being seen.
So the problem was, if we came in, if we were deployed after the malware was already in place, if we missed that initial entrenchment, if they were doing something neat that we just had not seen before, how would we actually start to understand all these other pieces that happened? So one of the big projects that we've done, and we actually made it public, is this mock C2 project where we set up a framework, and then we have all these modules that imitate different malware families. You can go to Carbon Black's GitHub, it's online, you can download this now. And we have numerous families out there, dozens of families, which act as the C2 side. So it's basically scripted out, so you can say, hey, we have Tiger RAT, we have a sample, we're going to do some networking magic behind the scenes to make it talk to our other test box, and then it just runs through and says, here's the beacon, initiating screen capture, process enumeration, keylogging, the reverse shell, sending some simple commands, all these things, so that you can actually see: all right, if this malware is using all the pieces that we know it does, because some reverse engineer sat down and looked at everything it did and broke the script up, do we catch each and every one of these? And that's the process that we take. Ultimately, we want to see, can we capture the screen capture, if that's a module? If the beacon's already there, and they deploy us after the fact, and they issue the screen capture and the keylogging, can we pick that up as the module itself, versus the initial installation? So those are some of the pieces that we look for.
The other interesting project that I want to talk about, and this goes more into the product itself, but it's one of these areas in which we're generating intel for the product, is scanning for Cobalt Strike servers. Nothing new, people have been doing it for years, but I'd say over the last year or so it's gotten hugely popular. We have a series of different malware that we imitate, Cobalt Strike and others, we do a lot of ad hoc stuff, we just did one for Tiger RAT, but we have a whole set of VPS servers that we use, and we set up the scanning, and we're just constantly scanning, looking for a lot of these. Originally, when we set this up, this was not a project that, when we initiated it, we thought, how are we going to put this in the product? Really, we were like, how can we build up this database of all this important information? So ultimately, we mimic them, however that works, we do the handshakes, whatever those are, and then if it sends down configuration information, we put that into a database, all the information that we can gather, and we mark first seen, last seen and things like that. Ultimately, in the simplest form, the IPs we put into a feed. So we say, if it shows up today, let's put it in the feed, and whatever the last day that we see it on, X number of days after that, let's automatically remove it from the feed; let's decay it so it's not generating noise, because IPs are IPs, and a bad IP today is a good IP in two months, and then it's bad again three months after that. But a lot of the information that we can pull back from it is telemetry that we then use to build out, all right, how are legitimate actors using this, what is the configuration information for these different families that's being sent down behind the scenes?
What are the modules that are being sent down? And how can we actually build better detections around that? So when we say, you have X problem, here's why we think it's this problem, it's based off of us constantly scanning this scene, where different modules are being sent down, and things like that. I know that was a lot very quickly, but I had to condense it down into a couple of minutes, because Brendon is talking about some of the cooler stuff. But I really appreciate everybody's time. As you can tell, I can talk for hours and hours on this stuff, and I love being able to get in front of different audiences and share some of this information. So I really appreciate it. Brendon, I will turn it over to you now.

Brendon DeMeo: Thanks, Jared. That was great. And I think it gives folks a good glimpse behind some of the so called secret sauce that we have in the product in terms of how we actually generate some detections, especially considering certain advanced attacks. And since this is mostly focused on MDR, I think, or EDR, I'm sorry, I think the most important thing to know here is that we do EDR both on prem and in the cloud. And as we'll see in a moment, cloud EDR is primarily what the White House Executive Order was calling for. But at the same time, most federal agencies still have air gapped networks, and they always will have air gapped networks; it makes sense to keep certain data completely isolated from the internet. And ultimately, the information and data that you're putting onto air gapped systems is typically a lot more sensitive than data that you're going to have on internet connected systems. So it doesn't make sense to have a lower security posture, and to be more blind, on those air gapped devices. So I think one of the key elements of Carbon Black is that we do EDR on prem, and we also do it in the cloud, so you can use Cloud everywhere possible, and then for those air gapped environments, you have Carbon Black EDR on prem, and you have a very similar experience between the two. The SOC is going to be able to threat hunt through a very similar data set, a very similar console, if they're leveraging the console to do their threat hunting. So beyond EDR, what we do, as you can see here, we currently also have App Control, so you can restrict what can run in your environment in the first place to only the known good software catalog, and only things that are coming from a vector of trust, for example, maybe one of your deployment solutions.
So that's App Control, very popular in the federal space for meeting a number of mandates, especially around CDM, right: software asset inventory management, of course only allowing approved software to run, file integrity monitoring, device control, and much more. So a very popular tool in the federal space. It integrates with Carbon Black EDR on-premise, and it also integrates with our cloud platform. And in terms of our cloud platform beyond EDR, what we're also doing, just going from left to right, is audit and remediation. That's the ability to globally query your systems and pull information off of them on demand that EDR tools don't record in real time, whether it's our EDR or anyone else's. So there's certain information that you might want from your machines, again, that isn't recorded in real time. For example, maybe you want a list of every browser extension installed on every machine, across every browser; that's something that we can get very quickly. Or maybe you want a list of all authorized SSH keys on your Linux servers, or a list of any devices that are missing a certain configuration, maybe they have a certain protocol turned on or off. That's all information that you can get quickly via the audit capability, or what we call Live Query. And the remediation aspect of that tool is the ability to query, or I should say, to log into your devices remotely, and perform real time information gathering, or even perform real time incident response. So, for example, through the console, you could, via a secure reverse shell, access a laptop that's off the agency network altogether to maybe generate a memory dump and retrieve it, or delete a file, or whatever it is you might need to do from an IR perspective. So that's audit and remediation. Then we have vulnerability management. And what makes us unique in the field of vulnerability management is that, number one, we're scanless.
So you don't have to worry about running scans, you don't have to worry about scans bogging down your infrastructure, you don't have to worry about devices not getting scanned because they weren't connected to the VPN, or the scan went off at a certain time and certain devices weren't hit because they were off the network. Basically, we're continuously collecting the relevant data from each machine, and then we run analysis over that data in the cloud. So it takes up nearly no compute from your individual devices, and you know about vulnerabilities typically a lot more rapidly than you would with a traditional scan-based vulnerability management solution. That also plugs into VMware SaltStack to do auto-remediation, you know, auto-patching, and also auto-remediation of out-of-compliance conditions on your devices as well. We also do dynamic risk scoring. So, you know, not only do we show you what NIST is scoring a certain vulnerability, but depending on what our Threat Analysis Unit knows, of course, led by Jared, we can dynamically adjust those risk scores based on several factors. So for example, you know, NIST might give a certain vulnerability a seven; before they can update that, you know, say next week, we might say, hey, this vulnerability should be a 9 or 10, because there's a new malware family out there that is heavily exploiting it that didn't exist, say, 12 hours ago, or no one was aware of it 12 hours ago. So that's vulnerability management. We also do container security. There's a lot we can say about container security; there's a lot wrapped up in that, you know, that one heading there. But essentially, we can analyze containers for vulnerabilities. We allow your developers to use the Carbon Black module to analyze containers before they push them up the chain, to make sure that their containers don't have vulnerabilities,
and that they also won't violate any of the Carbon Black behavioral prevention rules that you can configure in container security. It lets you know the state of your containerized environment: what containers are out there, what's running, what the scope of those containers is. And we have a runtime security module coming very soon, which will do things like micro-segmentation and recording what's happening in your containers. And that's important for federal agencies, because EDR vendors that don't do container security are going to cause you a problem over time as you containerize more and more of your applications. You know, as VMware, if we think back to, say, 2010, where are we at now in terms of virtualization, right? Back in 2010, most servers were actually still physical. At this point, hardly anything is physical, right? Everything is virtualized or even containerized. And so, you know, over the next 10 years, we can expect a significant majority of virtual machine workloads to ultimately become containerized as well. So what you don't want is to lose visibility as your, you know, servers and your applications undergo that containerization process as time goes on. With Carbon Black, we ensure that you're not losing visibility, right? You have visibility whether it's a virtual machine, a physical device, or a container; you get that full-spectrum visibility. That's container security. Again, a lot more we can say about it. But, you know, moving along, we have next-gen antivirus. What makes it next-gen is really two things. Number one, it's lighter weight than a traditional AV: no scanning or polling; analysis is done in real time. And it does more advanced prevention than a traditional AV can. The prevention approach is three-tiered. The first tier of prevention is signature- or heuristics-based, and that's to weed out the low-hanging fruit, the known bad, right?
The second tier of prevention is a machine learning engine that's analyzing unknown binaries to see if they look similar to any malware we've seen in the past. We do that both within the sensor, and we also sandbox certain unknown files to see how they'll behave in the sandbox. And then the third mechanism of prevention, and I think the most interesting one, is a behavioral analytics engine that's analyzing what processes on your computers are doing in real time. And if they're behaving in a way that's malicious, highly suspicious, or simply, you know, a violation of organizational policy, we can apply prevention, again, in real time. So a good way to think of the next-gen antivirus is in the context of a specific threat. Let's say ransomware, right? Jared gave the example of ransomware out of the gate. If ransomware lands on a system and we know of it, we're gonna block it right out the gate, right? No need to do any kind of ML analysis; it's known. If ransomware lands on a system and we've never seen it before, and none of our threat intelligence providers that feed into the VMware Carbon Black Cloud have seen it either, you know, no one's seen it before, typically we'll catch it with ML analysis, right? There's going to be some headers in the file, there's going to be some components of the file that indicate that it's ransomware. Or we'll catch it when we detonate it. But if ransomware lands on a system and it's able to bypass those ML mechanisms, then it starts running, and we'll still typically block it based on its behavior. For example, it will try to rapidly delete your volume shadow copies on a Windows computer, or it will try to, of course, rapidly encrypt your Office documents; the first thing it's generally going to do is try to delete your backups. So based on the behavior of the file itself, or the script, we can, of course, also apply prevention.
So that's the next-gen AV. It's certainly a lot more robust than, you know, your traditional scanner-based AV, and, of course, certainly a lot lighter weight. It includes device control, so, of course, that allows you to determine what external media can interact with your machines in the first place. And in the cloud, we also have EDR, as well as MDR. So, again, EDR is kind of what we're going to be focusing on most today: endpoint detection and response. And a good way to define EDR is as a camera for your endpoints, right? We're recording in real time, continuously, what's happening on each device, and then we're taking that recording and we're streaming it either to an on-prem Linux server, if you have the on-prem edition, or we're streaming it to GovCloud. And then we're running analytics over that recording to spot the needle in the haystack. That is EDR. We also have NDR, or network detection and response, in our portfolio as a result of our acquisition of Lastline last year. That's known as NSX, VMware NSX NDR specifically, so it's part of our NSX networking platform, and we're combining the two, so ultimately it'll be a unified experience. And that'll be even better, right? Because now you'll have that network context and you'll also have the endpoint context, if, say, you're a network engineer. And it might also allow us to spot some threats that you might not be able to detect if you're analyzing data in a silo, for example, just endpoint data or just network data alone. And then lastly, as a component of the Carbon Black Cloud, we have a service, our managed detection and response service, or MDR. So for folks who want to outsource detection and response to an expert team, that's something we can do. Most federal agencies who go with our MDR offering are augmenting their in-house staff, right? They want the 24/7 eyes on glass from VMware as well.
And, you know, they want our opinion before they perform remediation, or in some cases they even want us to perform the remediation. So that's where MDR comes into play. It's especially useful, you know, in an era where it's hard for agencies to basically hire enough qualified cybersecurity personnel; it can be a major augmentation. So that is the overall VMware Carbon Black platform. When it comes to the Executive Order, there's quite a bit we can do around meeting its demands, right? One part of the Executive Order calls for adopting and using cloud technology. And the reason why the White House is calling for the adoption of cloud technology is because of its flexibility. You know, when COVID first hit and there were a lot of lockdowns, and employees had to take their devices off of agency networks, there were issues with visibility and getting certain updates, because the devices weren't, you know, properly connecting back to that government network, right? Maybe the VPN was down, maybe they didn't have a VPN; it could be a myriad of issues. But when you have cloud technology, it really doesn't matter where that device is, right? If the person is working from home, if they're on the internet, you have near-real-time visibility into what's happening on that system. If they're working in the office, likewise, you have that visibility. It doesn't matter where that end user's device is, so you have extreme flexibility there. And adopting cloud technologies ultimately makes the government more anti-fragile from a tech standpoint, and also, of course, from a cybersecurity standpoint. Secondly, develop a plan to implement a Zero Trust architecture. Essentially, we have a portfolio of solutions that helps an organization implement a Zero Trust architecture very quickly, so they can get to Zero Trust a lot more quickly than they could if they were trying to sort of adopt a piecemeal solution with multiple vendors.
And then finally, we have deploy endpoint detection and response, right, to enable cyber threat hunting and enhanced detection. So one of the things to note about the EO as it pertains to EDR is that the EO doesn't really define EDR and what it should do; it just says it should enable cyber threat hunting and enhanced detection. But as we all know, not all EDR solutions are identical, right? So, you know, while you could technically check off the box with, you know, say, a cheaper solution, that's not going to, you know, enable your team very well to do threat hunting, or probably won't help them enhance detection very significantly. So some things to keep in mind when it comes to looking for an EDR solution: number one, does it continuously record data? Number two, does it stream that data to a central location? So if the endpoint is somehow compromised, you don't lose the, you know, history of what happened on that given device; it should be continuously offloading information to a central repository. And number three, what does it filter? Right, a lot of EDR tools out there do a heavy amount of filtering. For example, they'll say, well, these websites are important to record, but, you know, these other websites, say, Microsoft websites, they're not important. But as, you know, we saw in the earlier presentation, it's important to even record the benign; that way you can understand normal, which will help you better detect deviations from normal. Those are some things to keep in mind when it comes to looking for an EDR solution. What makes us very strong in the field of EDR is, number one, we invented EDR; the first EDR solution on the market was Carbon Black Response, roughly a decade ago. So we have the most mature solution on the market. We record data in an unbiased manner, so you don't have to worry about filtering, you know, washing away any kind of critical information or even benign information. And, of course, we do continuous centralized storage.
So with VMware Intrinsic Security, you have a consolidated platform spanning endpoint security as well as network security. You have fewer consoles, right? We have integrated consoles, whereas if you use multiple vendors to, say, try to implement something like Zero Trust, of course, you're going to have a lot of dashboards to log into. You're also going to have an abundance of agents, which means an abundance of things to patch, whereas with VMware, we have a single agent. That's a single agent not only for Carbon Black, but also for other capabilities, such as Workspace ONE, which is our MDM solution. So you have one thing both to secure and manage the device. And also we can be agentless in certain environments, for example, vSphere environments, Horizon VDI environments, VMC on AWS, or AWS GovCloud. Those types of environments don't even require an agent with Carbon Black, which makes rollouts extremely smooth, with even better performance on each system, although we're lightweight, you know, even if you do use an agent to deploy to a physical device, for example. And, you know, simple ease of management, right? You don't have to worry about, you know, installing anything, or patching anything, or managing anything across every individual device. Then, of course, with VMware, you have savings, because you're not gonna have multiple POs and renewals with multiple vendors; we can put everything on one ELA if wanted. You have consistency, right? All the consoles have a similar look and feel, and they're united. And then finally, you have one location for support. And that can be a massive benefit, right? Because if you have something go wrong, you know, multiple vendors can blame one another, and then you have to ultimately figure out, you know, what vendor and, you know, specifically what tool is at fault.
But ultimately, through VMware, you have one location for support, and it's easy for us to route it, basically take it to the proper team, depending on what exactly the issue is. So just some things to keep in mind when it comes to, you know, evaluating endpoint security and cybersecurity tools in general. VMware has a very broad portfolio spanning endpoint and network, you know, IDS/IPS systems, next-gen firewalls, next-gen antivirus, EDR, MDR, and much more. So at this point, we'll go ahead and dive into the console and take a look at EDR. So, you know, what most folks think of when they hear about EDR is process trees, right? They think of the ability to analyze what happened on a system historically, not at the gate; that's definitely something you can do. So here, I just ran a simple search. I could open up a process tree, and here we can see svchost ran rundll32, right? And I can rewind from here if I want to. This is a rather benign and, I guess I would say, somewhat boring event, but the point being is we can pivot from one event to another, right? We can see that something called SupportAssistAgent.exe was running; that's from Dell. And if I click on it and click on the plus symbol here, it will open up a sub-process tree showing what that was doing, what that was interacting with, which in this case was netsh. And of course, I can click on that and learn more about what netsh was doing in both instances. And if I scroll down a bit here, I can see the individual things these processes were doing. So, for example, this instance of netsh loaded 67 DLL files into memory, had two cross-process events, and one child process as well. And I can see what all those things are, and I can pivot from here, right? So, for example, say it spawned conhost as a child process; I can then, of course, click on conhost, and I'll be taken over to a page for that instance of, say, conhost running. I can see what that was doing as well.
Now, if I am threat hunting, or if I am performing incident response, and I do find something that I want to take action on, there's a lot I can do just from this screen, right? Of course, I wouldn't ban rundll32, but, you know, I could add something to a banned list. Or if Carbon Black, you know, was blocking something that was legitimate, so you did get a false positive because you have next-gen antivirus turned on as well, you could add something to the approved list. You can look up any given file in your environment in the dashboard and in VirusTotal, so that way you can see what every AV vendor out there has to say about it; always great to have, you know, 66 second opinions right on hand. And, of course, you can quarantine an asset. There are multiple ways we can do that automatically, through things like playbooks or tools, etc. But we can quarantine the asset, prevent any kind of lateral movement, right, on the part of an attacker, and that keeps open a connection to your EDR server or to Carbon Black Cloud. That way, you can still communicate with the device through Carbon Black. And you can also share the process tree. So if you want other members of your team to see exactly what it is you're looking at, we generate, you know, a very specific link that you can send along to them, and when they authenticate into the console, they can, of course, view the thing that you specifically wanted to share with them. So that is, you know, EDR from an event perspective. And when it comes to searching for events and what you can see, it's extremely broad, right? For example, if I wanted to see everyone who went to facebook.com, say, over the past month, because that's what this environment's data retention is set to, 30 days, I can easily run a query that goes out and gets that information for me. You know, here we can see some people going to Facebook using Chrome, some folks using Edge, some folks even using the Brave browser, I believe, in this environment.
And I can filter things down even further if I want to, right? If I only want to see people who went to facebook.com using Chrome, I could go and add that. But note that it was really easy for me to run that query, right? I didn't need to define any syntax. The only time where you really need to define syntax is if maybe you're getting some unintended results in here, or if you want to turn a query into a watchlist. So one cool capability of Carbon Black EDR is anything you query, you can turn into a detection going forward. So if for some reason I wanted to be alerted every time somebody went to facebook.com using Chrome, I would add some syntax to this; easy thing to do, we have the search guide in here to show you exactly what syntax you need for any given situation. And then I would add it to a threat report, right, and going forward, I would be able to simply alert on that thing. But certainly there's quite a bit we can query. For example, we can do geolocation. For example, if I wanted to see every network connection to or from China, I would go netconn_location:China, right? And so this is going to show me that in the past 30 days, one process did indeed ultimately connect to a Chinese IP address and a Chinese domain. And I can click into this to learn more if I wanted to. But I could also narrow this down further; I could say, show me every time there was a network connection to China and somebody was trying to monitor user input, or maybe even monitor the webcam. So here I can team up that parameter with a behavior. TTP stands for tactic, technique, or procedure, and that includes the endpoint-related MITRE TIDs as well. So for folks who like to use the MITRE ATT&CK framework to do threat hunting, which I believe is most folks at this point, maybe the significant majority, you know, you're indeed able to do so pretty easily using Carbon Black EDR, both cloud and on-prem.
But again, if I wanted to turn this into a detection going forward, I would just save this. And so, as was mentioned earlier, knowing, you know, the known good, the known normal, then you're able to detect deviations from that normal in your environment. What our EDR enables you to do, really better than other EDR solutions, is build detections around the known normal, right? Once you know normal, you can build the detection around what would be a deviation from that, that's unique to your environment, which makes it significantly more likely that you're going to detect things like a zero-day or a malicious adversary just poking around in your environment. So that is the Investigate page here, right? Certainly quite a bit we can search on; we're really only scratching the surface. We could do things like search by a file, a script load, command-line arguments, script load content, child processes, parent processes, a myriad of binary information, device and username information, operating system, operating system version, you know, domain, IP, IPv6, whether something was blocked or not, behavior, and so much more. The final thing I really want to show on this page is the Enriched Events page. So just going back to our previous query, facebook.com: if I click on Enriched Events, that's going to show me not only the raw data, but it's going to show me the narrative behind what happened. So, for example, here we can see that Chrome ran from this location on this specific device by this user, and it established a UDP connection over 443 to a Facebook server located in Denver. So that's interesting; it tells me that this person was on Chrome, and they were probably watching a video on Facebook, right? And it was coming from this IP, and the device was off the corporate network using this address, and it was located in Broomfield, Colorado at the time. This is excellent if I'm a threat hunter.
If I'm any kind of incident responder, I just get everything spelled out for me right out of the gate. I don't have to take that IP address and Google it and figure out, hey, it's associated with Facebook today. And, you know, try to figure out what protocol they were using over 443; was that, you know, UDP, was it TCP? I just know that right away. Where was the device located? I don't have to geolocate that IP address; Carbon Black did it for me. So everything is done much more quickly. The behavioral analytics on the back end will take those raw events and format them in a very human-readable way that can just drastically cut down on the amount of time you spend researching what exactly the raw data indicates occurred on a device. When it comes to EDR, we can also create watchlists and manage watchlists. So with the tool come several threat intelligence feeds out of the box, for example, the US CYBERCOM malware alert threat intelligence feed, the MITRE ATT&CK framework feed, the AT&T AlienVault feed, several feeds that provide threat intel beyond what VMware provides. Our threat intelligence is typically the most popular in the tool, but being able to use those third parties is also very useful, and you can also plug in your own threat intelligence feeds, your own STIX/TAXII server, whatever it might be. You know, if you subscribe to something like Recorded Future, you can plug that into Carbon Black EDR as well, and then we can, of course, generate detections based on it. But again, you're able to create your own detections by saving them as watchlists from the Investigate page, so that you can tune the detections specific to your own environment. And really, what we've gone over today is just the EDR capabilities of Carbon Black, right? You know, the highlights: the fact that for any given process in the environment, you can see when it started, what it did, what it spawned, you know, modules, cross-process events, file modifications, etc.
It's easy for you to query information in the dashboard, for the threat hunter to find specific events at specific times; it's easy for you to see exactly what the raw data indicates on the Enriched Events tab; and, of course, easy for you to sort and organize your own custom watchlists and detections as well. But this is also just scratching the surface of Carbon Black, because again, we could go into next-generation antivirus and how we can prevent a lot of things that we would typically just detect if you only had EDR, how we can replace a traditional antivirus, how we can query devices directly to pull other information off of them, right, which devices don't have disk encryption enabled today; I could run a query to get that information or schedule a query to get that information. We could discuss vulnerability detection and how we do that in a scanless way. And, of course, we could discuss container security as well. So whether you're interested in EDR or any of the other capabilities of the Carbon Black platform, please reach out to us and Carahsoft; we'd definitely be happy to give you a deeper dive on either EDR or really any component of the solution. And of course, we can bundle those offerings, and it's à la carte. So for organizations that just need EDR, we can definitely do just EDR, if that's the need. And then, you know, with that single agent that you already deployed, if you wanted to add something on to that in the future, like antivirus, it would be a simple PO, right? You wouldn't have to deploy anything additional.

Speaker 1: Thanks for listening. If you would like more information on how Carahsoft or VMware can assist your educational institution, please visit www.carahsoft.com or email us at vmware@carahsoft.com. Thanks again for listening and have a great day!