Incident Response

How do you rapidly analyze and respond to security alerts and incidents?

Bit9 gives you the cyber forensics information you need to rapidly:

  • Prioritize and triage alerts
  • Analyze and remediate incidents

Bit9 Rapid Incident Response Using Cyber Forensics

When you receive an alert from any of your security systems, how do you know if it is actionable? How do you prioritize alerts? How do you scope the issue?

Bit9’s real-time sensor continuously monitors your endpoints, servers and fixed-function devices and maintains a full recording of all key activities on each system, providing you with the following cyber forensics features:

Understand what is happening on any of your computers—right now. Bit9 can instantly tell you what executable code resides on any computer. For example:

  • A network device alerts you to a malicious file entering your network—Bit9 can tell you if that file is on any endpoint, if it ran, what it did, etc.
  • You have the hash of a suspected malicious file—Bit9 can tell you all of the computers that file is on—right now.

“Go back in time” to understand what happened with cyber forensics. From a central console, Bit9 can tell you:

  • What software arrived on any computer
  • What created it
  • If it executed
  • What it did
  • If it deleted itself
  • And more

Isolate untrusted software. If you’ve already defined the software you trust in your Bit9 trust policies, you can instantly filter out the “trusted” software to isolate the “untrusted” software. Other tools require you to sift through all your software to find any bad files, which is like trying to find a needle in a haystack. With Bit9, you can zero in on just the untrusted, suspicious software.

Determine if a file is malicious. Use the Bit9 Cloud-based Software Reputation Service or Bit9 for Cyber Forensics to obtain Bit9’s detailed information about a file’s trust rating, which is based on attributes such as age, prevalence, source, etc.

Retrieve any file from any computer for analysis. You can “remotely grab” any file from any computer so you can analyze it, send it to a third party, etc. You can do this manually or use Bit9’s rules engine to automatically retrieve files:

  • Every new file with executable code that lands on an endpoint or server.
  • Every new file that lands on an endpoint or server, but only the first time it is seen on any of your computers. If the same file later lands on another endpoint or server, Bit9 knows that it has already been analyzed and does not need to resend it. This ensures that all new files are analyzed while minimizing computing and network resource consumption.
  • Every new file that meets criteria you define (e.g., it must be above or below a certain size).

Are you using FireEye or Palo Alto Networks?

You can prioritize alerts automatically and instantly

Bit9 automatically correlates security alerts from FireEye or Palo Alto Networks with Bit9’s real-time endpoint data to tell you if malware has reached any of your endpoints, exactly which ones are affected, if the malware executed, and more.
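As an added illustration of the two mechanisms described above (correlating a network alert with recorded endpoint data, and the first-seen retrieval rule), here is a small Python model. It is not Bit9's code or API; the hosts, hashes, paths and inventory are constructed, and the priority labels are an assumed triage scheme.

```python
"""Alert-to-endpoint correlation and first-seen file retrieval.
Constructed example, not Bit9's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One record a real-time sensor would keep for a file that landed on a host."""
    host: str
    sha256: str        # constructed placeholder hashes below, not real digests
    path: str
    size_bytes: int
    executed: bool
    created_by: str    # parent process that wrote the file to disk


# Constructed recorder data: the same file landed on two hosts, ran on one.
INVENTORY = [
    FileEvent("ws-01", "HASH-A", r"C:\Users\a\Downloads\invoice.exe", 412_000, True, "outlook.exe"),
    FileEvent("ws-07", "HASH-A", r"C:\Users\b\Downloads\invoice.exe", 412_000, False, "chrome.exe"),
    FileEvent("srv-02", "HASH-B", r"C:\Windows\Temp\updater.exe", 9_800_000, True, "cmd.exe"),
]


def correlate(alert_hash, inventory):
    """Answer 'is it on any endpoint, which ones, and did it run?' for one alert."""
    hits = [e for e in inventory if e.sha256 == alert_hash]
    return {
        "present_on": sorted({e.host for e in hits}),
        "executed_on": sorted({e.host for e in hits if e.executed}),
    }


def triage(alert_hash, inventory):
    """Turn endpoint evidence into a priority (assumed scheme: critical/high/informational)."""
    c = correlate(alert_hash, inventory)
    if not c["present_on"]:
        return "informational"   # never reached a monitored host: no endpoint action
    if c["executed_on"]:
        return "critical"        # code ran: contain these hosts first
    return "high"                # dormant copy present: quarantine, keep watching


def files_to_retrieve(events, already_retrieved, max_size_bytes=None):
    """First-seen rule: queue each new hash once across all hosts, optionally size-capped."""
    seen = set(already_retrieved)
    queue = []
    for e in events:
        if max_size_bytes is not None and e.size_bytes > max_size_bytes:
            continue             # size criterion, as in the rules-engine example
        if e.sha256 not in seen:
            seen.add(e.sha256)   # later copies on other hosts are not re-sent
            queue.append(e)
    return queue
```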

Security operations centers (SOCs) find Bit9’s incident response capabilities extremely valuable for forensics: analyzing, containing and remediating cyber security incidents.

At endpoints and servers, users deploy an agent that Bit9 refers to as its real-time sensor and recorder. Although Bit9 touts it as being lightweight, the capabilities it claims are anything but lightweight. It is part malware detection, part anti-malware and part forensics. The advanced threat-detection capabilities of the agent monitor and record executable files and critical system resources, allowing it to track and alert on suspicious activities such as application behavior, process injection, file properties, registry and so on.
451 Research, Bit9 touts real-time forensics on endpoints and servers, by Javvad Malik, May 21, 2013

Once the Bit9 agent is deployed on enterprise endpoints and servers, proactive protection against future malware and threats, along with ongoing forensics capabilities, is provided. There is a clear requirement for the type of proactive security controls that Bit9 offers. The company has got to where it is today by addressing software security issues and by delivering solutions that can either improve situations by working alongside existing protection technology or as a replacement for redundant technology.
Ovum, On the Radar: Bit9, Andrew Kellett, July 26, 2013
