Saturday, October 23, 2010

Bit9 (and a bit of a rant about Infosec Pros!)

I have to tell you, every now and again I get a presentation from a product vendor that just makes me go "Wow. I wish I'd thought of that!" Bit9 was one of those.

During my travels I keep hearing the name Bit9, but hadn't really been exposed to their product. I attended a conference in January where they had a booth, but I hate those things. You can never have a serious talk. I guess they are a good way to get exposed to a lot of things and then circle back, but I always try and take notes on which to circle back on, and then either forget, or end up misplacing the literature.

Anyway, I did see Bit9 during the conference but didn't get to spend any time with them. When I returned, I forgot about them, only to be reminded a couple of months ago. So I set up a time, and offered my staff a lunch 'n learn.

Bit9 is a tool used (I'm sure they have others, but I loved this one) to identify installed malware on a system. More importantly, I was surprised to see that Bit9 is the brains behind some of my other favorite tools like Mandiant's MIR and is delivered by about a dozen others providing services. Interestingly enough (maybe I hadn't looked hard enough) I was under the impression that this space was wide open for exploitation with very little competition and a reasonable barrier to entry... meaning if I went to a VC for money to build the solution, a business case could be made, and I'd have enough of a run on my competition to be able to make a few bucks before they caught up. I still think that... the market for malware identification is still wide open and the AV vendors don't seem to have a clue.

Back to the point. Bit9 backends several malware identification tools with a database in a 'cloud' (marketing speak for two datacenters in Massachusetts). Regardless, the cloud is a massive repository of unique indicators each representing specific pieces of malware. The Bit9 tech is deployed to scan an environment using a client based system which compares files on a system to those in Bit9's database. The management console was, as you'd expect, pretty. Pretty without functional does no good, but in this case, the management console was totally functional. Running in a browser, it can be operated by any SOC or remote worker.

Bottom line: If you're looking for malware identification/remediation and whitelisting tools, save yourself some time. I've heard the name from some of the best companies in the world. Bit9 appears to have something real. I'd look at them first.

[rant]
In sitting with my team (and others I've worked with), it seems vendor presentations are peppered with questions like "You do X, why don't you do Y?"

This case was no different. Scope creep in vendor presentations is easy, and often takes away from the presentation. In this case, Bit9 has some really nice tech. They found their niche, filled it nicely, and are licensing the hell out of it to others who provide services in their space. Well done. What they didn't do was lose focus on their principle value proposition... finding malware on a host.

I'd love for one magic bullet solution. I'd drop it in my environment and turn it loose. It'd solve every problem I have, and those I haven't thought of yet. My users would be happy, it'd be free, and wouldn't require any maintenance... never going to happen.

Bit9 focuses on malware. Other technologies focus on other areas. Good management finds that first thing, with that first customer and puts it out of the park. Bad management finds thousands of customers and delivers mediocre solutions. I'm with Bit9.
[/rant]

Jeff
Post a Comment