Carbon Black EDR’s All-New Live Query Capability and Enhanced Fileless Visibility

VMware Carbon Black is excited to announce that VMware Carbon Black EDR (formerly CB Response), recently named by Gartner as a 2020 Customers’ Choice for Endpoint Detection and Response solutions, now features enhanced insight into fileless activity via Microsoft’s AMSI and a brand new Live Query capability delivering critical current state context for security operations centers in organizations with hosted and on-premises deployments.

Built on osquery, Carbon Black EDR’s Live Query is similar to the robust Audit & Remediation functionality available on the VMware Carbon Black Cloud, but now available for current customers using Carbon Black EDR, particularly for on-premises deployments, at no extra cost. Security teams can now pull crucial current state data from endpoints to help proactively hunt for vulnerabilities, misconfigurations, and indicators of attack, as well as augment our comprehensive EDR telemetry with key security artifacts.

Carbon Black EDR Live Query can collect vital information for forensic investigations on Windows systems, such as logged-in users, Wi-Fi connections, the presence of registry keys, and much more, without the need to pivot to another console or another security tool. While EDR data is based on activity in your environment and is continuously collected, Carbon Black EDR Live Query allows you to pull additional data directly from machines on an as-needed basis to get a complete picture of the state of endpoints at scale. Data that previously might only have been accessible to an IT team is now readily available on demand to security teams, ensuring all the context necessary to complete an investigation is at analysts’ fingertips, dramatically reducing investigation times.

In addition to Live Query capabilities now being available to hosted and on-premises Carbon Black EDR deployments, we’re also announcing a game-changing new capability to combat increasing attacker use of fileless techniques. Carbon Black EDR now features Microsoft AMSI visibility for Windows systems to expose defense evasion techniques and other fileless behaviors. AMSI is Microsoft’s Antimalware Scan Interface, a security hook introduced in Windows 10 that endpoint vendors can leverage to inspect in-memory execution of fileless content. Carbon Black EDR now delivers critical visibility into in-memory attacker behaviors, tilting the advantage away from the attackers and back to the defenders.

Uncover Fileless Activity: Enhanced AMSI visibility enables the capture not only of the launch of a PowerShell process, but also of the commands and script contents that may have been executed within that session. Carbon Black EDR continuously records attacker commands and the contents of each script executed through PowerShell to give security professionals maximum visibility into this prevalent attack vector. Recorded AMSI data can be sent for correlation with other tools in your security stack via the latest version of our Event Forwarder.

Inspect Endpoints On-Demand: Security analysts need immediate answers to critical questions across their entire fleet of endpoints during attacks. Carbon Black EDR’s Live Query provides access to thousands of unique endpoint artifacts to help analysts discover and analyze attacks to respond to incidents at a whole new level. For example, if during an investigation the security team determines that credentials have been stolen, Live Query can query all endpoints to see if, and where, the credentials have been used for attempted logins, and if, and where, these credentials are currently in use.

Verify Patch-Level Compliance: Security teams can use Live Query to run queries of all endpoints and determine if all machines are at the right level of compliance. Additionally, to meet real-time or ongoing reporting needs, teams can use Live Query to pull operational reporting on patch levels, user privileges, disk-encryption status, and more.
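Because Live Query is built on osquery, the checks described above (logged-in users, Wi-Fi connections, registry keys, credential use, patch levels, user privileges and disk-encryption status) translate into osquery SQL. The block below is an added example written for this page, not queries shipped by Carbon Black; the table and column names follow the public osquery schema for Windows, the exact tables exposed by a given Live Query release are assumed to match that schema, and the account names and KB number are constructed placeholders.

```sql
-- Added example: osquery SQL for the endpoint-state checks discussed above.
-- Table names come from the public osquery Windows schema; whether a given
-- Live Query release exposes every table is an assumption to verify.

-- 1. Who holds a live session right now, and of what type (console, RDP, ...)?
SELECT user, type, host, datetime(time, 'unixepoch') AS logged_in_since
FROM logged_in_users;

-- 2. Credential-theft follow-up: are the suspect accounts currently in use
--    anywhere in the fleet? ('svc_backup' and 'jdoe' are constructed names.)
SELECT user, host, type, datetime(time, 'unixepoch') AS logged_in_since
FROM logged_in_users
WHERE user IN ('svc_backup', 'jdoe');

-- 3. Wi-Fi profiles saved on the machine.
SELECT ssid, network_name, security_type, last_connected
FROM wifi_networks;

-- 4. Presence of registry values under an autostart key (the registry table
--    requires a path constraint; LIKE with a trailing % lists the children).
SELECT path, name, type, data
FROM registry
WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\%';

-- 5. Patch level: installed hotfixes, newest first, for comparison with a baseline.
SELECT hotfix_id, description, installed_on
FROM patches
ORDER BY installed_on DESC;

-- 6. Compliance check: 1 when the required update is absent, 0 when present.
--    (KB0000000 is a placeholder for the KB your baseline requires.)
SELECT COUNT(*) = 0 AS missing_required_kb
FROM patches
WHERE hotfix_id = 'KB0000000';

-- 7. User privileges: every local account in the Administrators group.
SELECT u.username, u.uid, g.groupname
FROM users u
JOIN user_groups ug ON ug.uid = u.uid
JOIN groups g ON g.gid = ug.gid
WHERE g.groupname = 'Administrators';

-- 8. Disk-encryption status per volume
--    (protection_status: 0 = off, 1 = on, 2 = unknown).
SELECT drive_letter, protection_status, conversion_status,
       encryption_method, percentage_encrypted
FROM bitlocker_info;
```

Each statement is independent, so an analyst can run the one that answers the current question against a single host or the whole fleet; queries 2 and 6 are written so that the result set itself is the finding, which keeps fleet-wide runs small and easy to triage.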

By providing administrators with a real-time query capability and enhanced fileless visibility, Carbon Black EDR continues to enable security teams to make quick, confident decisions to harden systems and improve security posture. This latest innovation from Carbon Black EDR further shrinks the gap between security and operations, allowing administrators to perform full investigations and take action to remotely remediate endpoints all from a single solution.

Carbon Black EDR Live Query and AMSI visibility beta functionality is now available for 7.2.0-svr and endpoints running the latest 7.1.0 Windows sensor.

Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.
