Carbon Black

“Bit9’s acquisition of Carbon Black has helped fuel interest in modernizing endpoint defenses, which have been relying heavily on signature-based technology to detect malware. New concepts are being introduced that incorporate endpoint agent or sensor technology to increase visibility and give incident responders more context into alerts and control over infected systems.”
– IDC, Worldwide Specialized Threat Analysis and Protection Market Shares, 2014: Rapidly Evolving Security Defenses

IR Analyst
Carbon Black is the number-one endpoint detection and response (EDR) solution according to a SANS survey of IR professionals. The survey asked: “What vendor products are you currently using and evaluating for your incident response efforts, including forensics?” Carbon Black was #1 in Incident Response.


One solution for continuous endpoint recording, live response & attack recovery

Carbon Black is the first and only endpoint threat detection and response platform that enables SOC and incident response (IR) teams to prepare for a data breach through continuous endpoint recording, customized detection, live response, remediation, and threat banning. Carbon Black makes advanced threats easier to see and faster to stop by empowering SOC and IR teams to arm their endpoints against the most advanced and targeted attacks. Top IR firms and MSSPs have made Carbon Black a core component of their detection and response services.

Continuous monitoring & recording for gapless endpoint visibility

Carbon Black reduces the cost, complexity and time of traditional incident response by replacing reactive “after-the-fact” manual data acquisition with proactive continuous monitoring and recording of all activity on endpoints and servers—dramatically decreasing the dwell time of targeted attacks. Carbon Black provides the most complete and gapless enterprise visibility in the industry, by covering all major operating systems (Windows, Mac OS X, and Linux).

Open & extensible platform for integrated best-of-breed detection & response

Built entirely on open APIs, Carbon Black delivers an unmatched ability for responders both to “pull in” capabilities from other security solutions and threat intelligence and to expose and “push out” the data captured by Carbon Black and its full feature set to third-party or homegrown security products. This delivers unparalleled security operations development capabilities to integrate with and build on top of Carbon Black for best-of-breed detection and response tailored for your organization.

Watchlists for real-time customized detection techniques that go beyond signatures

Through Carbon Black watchlists, responders can build robust and actionable detection by leveraging the combination of its continuous endpoint recording and instant, aggregated threat intelligence—delivered from the Bit9 + Carbon Black Threat Intelligence Cloud. This enables responders to reduce alert fatigue by receiving and designing advanced threat detection optimized for their organization.

Recorded history for instant root cause investigations

Carbon Black delivers an unmatched ability to instantly understand root cause—through a gapless recorded history and visualization of the entire attack kill chain—to respond and recover at the moment of discovery. This enables responders to immediately “roll back the tape” to identify root cause. This empowers security operations personnel to also learn from their investigations to improve future processes, procedures and security.

One-click endpoint isolation for immediate threat containment

Responders can instantly contain active intrusions remotely by isolating one or multiple endpoints from communicating with the network. By still maintaining an active connection with the Carbon Black server—even while isolated—IR teams can perform more conclusive and surgical investigations on or off the network.

Live response for endpoint threat inspection, termination & remediation

With live response, responders can understand the current state of an endpoint, perform remote live investigations, intervene with ongoing attacks, and instantly remediate endpoint threats. This enables incident responders to “look” and “touch” endpoints to take immediate action during an investigation—even while the endpoint remains isolated from the rest of the network.

Endpoint threat banning for instant attack disruption & recovery

With endpoint threat banning in Carbon Black, responders can instantly stop, contain and disrupt advanced threats as well as block the future execution of similar attacks. This expands Carbon Black’s ability—along with its leading endpoint threat isolation and live response capabilities—to recover from advanced threats faster than any endpoint threat detection and response solution on the market.

Microsoft Enhanced Mitigation Experience Toolkit (EMET) integration for improved detection & kill chain analysis

Carbon Black is the only endpoint threat detection and response solution that integrates with Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). This enables responders to correlate blocked exploitation attempts—from Microsoft EMET—with Carbon Black’s collective intelligence to show key aspects of the attack both before and after the event. This empowers responders to optimize and improve their detection, investigations and patch management efforts by understanding the full kill chain of every exploitation attempt at the moment of compromise.

On-premises or Software-as-a-Service (SaaS) for flexible deployment options

Carbon Black is the first and only endpoint threat detection and response (ETDR) solution with continuous endpoint recording, live response and attack recovery capabilities available in both an on-premises deployment and a Software-as-a-Service (SaaS) model to match any business preference. Use the on-premises deployment option for Carbon Black’s enterprise service bus and integration with other on-premises SIEM and network security devices; or leverage the cloud deployment (SaaS) option for rapid deployments, zero maintenance costs, and frictionless product updates.

KPI dashboards for instant endpoint insight

With Carbon Black’s dashboards, security teams gain instant insight into key endpoint and incident response performance indicators across their entire environment. This enables organizations to understand and articulate the state of their endpoint detection and response capabilities.

*SANS Survey

Bit9 + Carbon Black