Sunday, May 22, 2011

Carbon Black

I've had the opportunity to test a new-comer to the forensic market, and while young, I like this product.

Carbon Black is developed by a company called Kyrus. Can't tell you where these guys came up with the name, other than it's taken from Greek mythology for luck and opportunity. In this case, I'm not convinced there's any luck involved, but more opportunity and simple smarts.

Carbon Black is a two-piece application (client and server); the server is currently hosted and operating in beta as a SaaS, with the client loaded on my Bambi Windows 7 machine in my lab. Push a client to your machine, and CB identifies the host, reads running processes, and begins to look for file changes and modifications. It took an initial reading from Bambi for an upload of about 30Mb, but after the company realized I was pushing a thick milkshake through a tiny straw (their rate limiting) and opened up the bandwidth, all went well.

So it's been running for a couple of weeks. I just rechecked and yes, lots of files modified, many I'm sure from the AV running on the machine, but what's nice is it auto-generates the hash values of the modified files, libraries, etc., to allow fast correlation to known bad-guy files. While not perfect, it shows promise. There's no noticeable performance hit from the client, and the server side operates quickly and without glitches.

I've got a few invitations left. If you're interested, leave me a comment or shoot a note over. I'll push one out.

Good stuff. I'm not a real fan of SaaS for security tools. Can't wait to see the final enterprise product where everything resides inside the environment.

Any questions, leave me a comment.