Advanced Threat Prevention

How do you stop attacks specifically targeted at your organization?

Blacklisting and signature-based approaches don’t work for unique, targeted threats that have never been seen before.

You need a new generation of proactive endpoint prevention to combat advanced threats.

With Bit9, you can choose from different forms of advanced endpoint prevention to match your business and systems.

“Detonate-and-Deny”

Bit9 is the only company with an automatic “detonate-and-deny” approach, and it’s changing the way security teams think about endpoint and server security.

In this approach, you tell Bit9 to automatically retrieve and send files from your endpoints and servers to FireEye or Palo Alto Networks for analysis (often called “detonation”). Bit9 uses a rules-based approach that enables you to decide what files you want to automatically retrieve and send. For example, you can retrieve and send:

  • Every new file with executable code that lands on an endpoint or server
  • Every new file that lands on an endpoint or server, but only the first time it is seen on any of your computers. If the same file later lands on another endpoint or server, Bit9 knows that it has already been analyzed and does not need to resend it. This ensures that all new files are analyzed while minimizing computing and network resource consumption.
  • Every new file that meets criteria you define (e.g., it must be above or below a certain size).

You can also use Bit9 to specifically retrieve and send a file on-demand to FireEye or Palo Alto Networks. For example, let’s say you are concerned about a particular file on a user’s computer in another city. You can tell Bit9 to retrieve and send the file to FireEye or Palo Alto Networks for detonation and analysis.

If FireEye or Palo Alto Networks determines the file is malicious, you have various enforcement options:

  • Report on the malware so you can analyze it further
  • Automatically ban the file from executing on any or all of your computers. This is a closed-loop, automated process.
  • Manually ban the file on any or all of your computers.
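The submission rules and the closed-loop ban described above, as an added example (not Bit9's code, and the sandbox call is stubbed): files are sent for analysis only when they carry executable content, fall inside a size window and have not been seen before on any host, and a malicious verdict bans the hash everywhere.

```python
# Added example, not Bit9's implementation: a rules-based "detonate-and-deny" loop.
import hashlib

PE_MAGIC, ELF_MAGIC = b"MZ", b"\x7fELF"

def looks_executable(data: bytes) -> bool:
    """Content check on the header (PE or ELF), not on the file extension."""
    return data.startswith(PE_MAGIC) or data.startswith(ELF_MAGIC)

class DetonateAndDeny:
    def __init__(self, min_size=1, max_size=10 * 1024 * 1024):
        self.min_size, self.max_size = min_size, max_size
        self.seen = set()       # SHA-256 of every file already sent for analysis
        self.banned = set()     # SHA-256 of files the sandbox called malicious
        self.submitted = []     # (host, sha256) pairs actually sent

    def observe(self, host: str, data: bytes) -> str:
        """Apply the submission rules to a newly landed file; return what was done."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.banned:
            return "block:banned"
        if not looks_executable(data):
            return "skip:not-executable"
        if not self.min_size <= len(data) <= self.max_size:
            return "skip:size"
        if digest in self.seen:
            return "skip:already-analyzed"   # same file on another host: no resend
        self.seen.add(digest)
        self.submitted.append((host, digest))   # here the real system would upload the file
        return "submit"

    def verdict(self, digest: str, malicious: bool) -> None:
        """Closed loop: a malicious verdict bans the hash on every host."""
        if malicious:
            self.banned.add(digest)

# Constructed events: a fake PE header seen on two hosts, then a plain text file.
FAKE_PE = PE_MAGIC + b"\x90" * 200
EVENTS = [("laptop-01", FAKE_PE), ("laptop-02", FAKE_PE), ("srv-01", b"just text")]

def run(events=EVENTS):
    dd = DetonateAndDeny()
    results = [dd.observe(h, d) for h, d in events]
    dd.verdict(hashlib.sha256(FAKE_PE).hexdigest(), malicious=True)   # sandbox verdict: bad
    results.append(dd.observe("laptop-03", FAKE_PE))                  # now blocked outright
    return results
```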

“Default-Deny”

You can also use Bit9’s proactive “default-deny” approach to ensure only software that you trust can run on your machines; everything else is denied. That stops advanced threats and other forms of malware—including targeted, customized attacks—that evade antivirus.

With Bit9’s “default-deny” prevention you define policies that determine the software you trust. For example:

  • It must come from your trusted software delivery system. Most IT teams have a system to “push” software to users’ desktops. When you tell Bit9 what your software delivery system is, it will allow any software delivered by this system to an endpoint or server to execute without interruption.
  • It must have come from one of your trusted directories. IT organizations often have “gold directories” where approved software is located. You can tell Bit9 to always trust and allow any software that came from such a directory.
  • It must come from a trusted publisher. Many software vendors digitally sign their software. You can tell Bit9 to always trust and allow software that is digitally signed by the vendors you choose.
  • It must come from a trusted updater. Today’s software (e.g., browsers, virtual meeting software, etc.) often updates itself over the Internet. You determine the software that you want to automatically update itself and Bit9 will allow it to run.
  • The software must be above a threshold that you set for its trust rating as calculated by Bit9’s Software Reputation Service. This is very useful if you allow your users to install their own software, but you want to be sure Bit9 has first determined it is trustworthy.
  • And more. There are many techniques you can use to create your trust policies.

This prevention approach is often called “application control” or “whitelisting.” Early forms of this approach required you to specifically identify the software you trusted (build a “list” of “white” files), an onerous task that required a lot of work and maintenance.


Not with Bit9’s policy-driven approach.

As noted above, you define the policies for approving software, mostly about where it comes from or how it got to your machines. You don’t have to build a “whitelist” of specific files. This saves you enormous amounts of time and effort.

When untrusted software tries to run, you can decide what you want to do by employing different enforcement levels:

Low enforcement (Detect untrusted). The Bit9 platform will inform your administrator about the suspect software but allow it to run uninterrupted. If you later determine it should not run, you can instantly ban it from further execution on all of your machines. This enforcement level gives you full and instant visibility into what is running on any computer and alerts you to potential issues, but doesn’t block the execution of any software.


Medium enforcement (Prompt untrusted). Bit9 will ask the user on the computer where the suspicious software is trying to run if the execution should be allowed. The user’s decision only affects their machine. The Bit9 platform will notify your Bit9 administrator about the user’s decision, and the admin can take further action (e.g., approve the software more broadly for other users, ban it, etc.). This mode informs the local user about suspicious executions but allows them to determine what to do.

High enforcement (Block untrusted). Bit9 will block the execution of any untrusted software until IT formally reviews and approves it. Your Bit9 administrator can decide to approve the software for just that user or more broadly for other groups or the entire organization. This mode provides the highest level of prevention against any form of malware.

Bit9 recommends you always protect your servers, fixed-function devices and high-risk users with high enforcement (Block untrusted) mode.
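The policy-driven “default-deny” evaluation and the three enforcement levels, as an added example that is not Bit9's implementation: a file runs if any trust rule (delivery system, gold directory, trusted publisher, trusted updater, reputation threshold) matches; otherwise the enforcement level decides between alert, prompt and block. All policy values and events are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class TrustPolicy:
    delivery_systems: set = field(default_factory=set)    # processes that push software
    gold_directories: set = field(default_factory=set)    # approved source directories
    trusted_publishers: set = field(default_factory=set)  # code-signing subjects
    trusted_updaters: set = field(default_factory=set)    # self-updating apps
    min_reputation: int = 70                              # reputation score threshold (0-100)

@dataclass
class FileEvent:
    path: str
    writer_process: str                 # process that wrote the file to disk
    signer: Optional[str] = None        # verified signer subject, if signed
    reputation: Optional[int] = None    # score from a reputation service, if known

def _norm(p: str) -> str:
    return p.replace("\\", "/").lower().rstrip("/")

def trust_reason(ev: FileEvent, pol: TrustPolicy) -> Optional[str]:
    """First matching trust rule, or None: no rule matched, so default deny applies."""
    if ev.writer_process.lower() in pol.delivery_systems:
        return "delivery-system"
    if any(_norm(ev.path).startswith(_norm(d) + "/") for d in pol.gold_directories):
        return "gold-directory"
    if ev.signer in pol.trusted_publishers:
        return "trusted-publisher"
    if ev.writer_process.lower() in pol.trusted_updaters:
        return "trusted-updater"
    if ev.reputation is not None and ev.reputation >= pol.min_reputation:
        return "reputation"
    return None

def decide(ev: FileEvent, pol: TrustPolicy, enforcement: str) -> str:
    """Trusted software always runs; untrusted software is handled per enforcement level."""
    reason = trust_reason(ev, pol)
    if reason:
        return "allow:" + reason
    return {"low": "allow+alert", "medium": "prompt-user", "high": "block"}[enforcement]

# Constructed policy and events (hypothetical names, not real environment data).
POLICY = TrustPolicy(delivery_systems={"sccm_client.exe"}, gold_directories={r"\\fileserver\gold"},
                     trusted_publishers={"CN=Example Vendor"}, trusted_updaters={"browser_updater.exe"})
EVENTS = [
    FileEvent(r"\\fileserver\gold\tools\7z.exe", "explorer.exe"),                  # gold directory
    FileEvent(r"C:\Users\a\AppData\Local\Temp\unknown.exe", "outlook.exe", reputation=12),
]
```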

Video: Bit9's Advanced Threat Prevention for Endpoints and Servers
Video: Bit9 Whiteboard: 'Detonate-and-Deny' Malware Prevention

Unlock the Power of Bit9's Advanced Threat Protection for Endpoints and Servers

  • Threat Advisor: Blocking CryptoLocker with Advanced Threat Protection
  • Whitepaper: Advanced Protection Against Advanced Threats: Trust is Your Best Defense
  • Bit9 Corporate Brochure
  • Solution Brief: Proactive Prevention: Denying Advanced Attackers Through Policy
  • Video: The Future of Cyber Security with Bit9 CTO Harry Sverdlove