Through the Years: an Inside Look at Carbon Black Technology

An early Carbon Black customer and Red Canary detection engineer provides perspective on Carbon Black’s technology evolutions.

Back in 2013, I was one of the first security professionals to deploy Carbon Black. This was in the early days, before there was CB Response, and as far as I know, it was the only product of its kind. I’d learned about it a couple years earlier thanks to a blog post by Harlan Carvey. Since I had recently moved from DFIR consulting into corporate work in financial services (mid-market enterprise), I was very interested in the visibility it offered, so that I could improve our detection and response capabilities.

Our enterprise already had a high level of network visibility at that point, from the perimeter all the way to the core. We were segmented, and had several “next-gen” or “advanced” types of platforms providing monitoring and protection; we even had streaming packet capture. However, we always ended up needing to go to the endpoint in the case of an alert, in order to determine whether or not there actually was a compromise, and to what extent. The network simply could not give us granular information from our endpoints.

To that end, we leveraged commercial and open-source forensic tools locally and across the network to investigate endpoints. This included traditional disk imaging and analysis, as well as volatile data from live systems, such as memory dumps. I was the main person performing the work, and I knew how long it took me to get answers while anxious executives were waiting, this was too long, indeed. So, early in 2013 we did a proof of concept on the beta of version 3, purchased, and rolled CB Response v3 into production.

The Power of Deep Visibility

Having Carbon Black in place reduced our investigation time by 75% (remember, I was tracking those metrics) and also improved our visibility such that we knew about things that none of our other platforms could tell us about. That was amazing, but with that visibility, it became increasingly difficult to deal with the data volume from human, processing, and storage perspectives. Our server struggled; I had neither the staff nor the time to properly care and feed it, and while we knew about malicious activity, we couldn’t easily automate response actions.

That was around the time I learned about Red Canary and the company’s work with Carbon Black. I became interested in joining the team, excited to apply my passion for security in a way that would help companies around the world use Carbon Black’s cutting-edge technology to improve their detection and response capabilities.

Evolving technology: Can we get prevention, too?

One thing CB Response did not have was prevention, which meant we still needed to have traditional antivirus in place in the enterprise. Even though it wasn’t very efficacious, auditors and examiners absolutely needed to see that we had it – to check off that box. CB Defense came out after I moved to Red Canary, and while it provided prevention, the telemetry side of it wasn’t as robust and didn’t provide the same level of visibility CB Response did. This is fairly typical for endpoint platforms – you trade visibility for preventive capabilities.

Enter CB ThreatHunter

CB ThreatHunter is the next evolution of CB Response; providing the same advanced threat hunting and incident response capabilities on Carbon Black’s cloud platform, the Predictive Security Cloud (PSC). One of the valuable things about having CB ThreatHunter on the PSC is that it provides the ability to combine the detailed visibility of CB Response with the preventive controls of CB Defense through one sensor and one console. But is it a solid platform? Will it work?

One of the little-known facts about Red Canary is the rigorous testing process every endpoint telemetry source goes through before we accept that product within our supported portfolio. Even lesser-known is that our Cyber Incident Response Team (CIRT) is closely involved in said rigorous testing prior to it being given the stamp of approval for on-boarding. In other words, detection engineers in the Red Canary CIRT validate that the telemetry from each endpoint platform is consistent with our needs, so that after we bring it into the fold, we know we will be able to provide top-tier detections based on the data we receive.

Every product is different, providing differing levels of visibility, prevention, and response capabilities. There aren’t many that are up to our standards, and CB ThreatHunter is now one of them.

CB ThreatHunter Migration Considerations

A number of security teams who are currently using CB Response – including many Red Canary customers – are now considering a migration to CB ThreatHunter. Across my career, I have performed in-place major version migrations on multiple endpoint (including CB Response) and network security platforms, and also migrated from one platform to another. I have also seen this play out (good and bad) from both the technical/practitioner and team lead/management side. I have done the work, and also managed the team responsible for doing the work.

Whenever these ventures are undertaken, there are challenges and risks to the business.

Migration considerations include things like:


  • Will we lose data?
  • Will we lose visibility?
  • Will we be exposed and not know it?


  • How do we store data as we migrate?
  • Where do we store data?
  • What is this actually going to cost us?


  • How am I going to pull this off?
  • How many people do I need?
  • What is the business justification and sign-off?

Improving your Migration Experience

Let’s face it: security groups are consistently understaffed and overworked; I know mine was. A lot of times we’re left without a lot of options to get the job done when it comes to platform deployment or migration, and we end up shelling out a lot of money for the vendor’s professional services branch to send in people to do the work for us. They don’t know the environment, aren’t vested in the company, and will be gone when the job is done.

This is one of the things I love about being part of Red Canary. (Shameless plug ahead.) From the CIRT (where I work) and throughout the rest of the company, everyone is truly focused on achieving customer success, and we all apply – individually and collectively – our years of security experience to do so. Sometimes this is as simple as sharing information. Other times it’s by helping do a deep dive into a potential threat or providing better understanding of an endpoint platform and the telemetry it provides.

If you have CB Response or other solution, and are considering migrating to CB ThreatHunter, Red Canary can help. Because of how we operate, we store and process data separately from the individual platform. This means we’re not dependent on storage constraints applied by that system, and we make it a lot easier for you to compare telemetry and detection capability, to better evaluate the fit for your organization. Plus – and this is a big one for technical folks – we help make sense of the huge volume of data that these products provide and separate the signal from the noise, to give your team high-fidelity detections and automated response actions.

The post Through the Years: an Inside Look at Carbon Black Technology appeared first on Carbon Black. This post was originally published by our partner Red Canary on May 30, 2019.

Leave a Reply

Your email address will not be published. Required fields are marked *