Comments on Windows Incident Response: Carbon Black
(comment feed, last updated 2024-03-19; 13 comments, shown oldest first)

Anonymous, 2011-08-20 09:22 (UTC-5):

The big issue with Carbon Black is you have to upload your data to a remote server that Kyrus controls. This not only provides a security risk, but it is simply a very poor idea. I read that it is encrypted and only the correct accounts can get access to it, but honestly in the days of HBGary and Anonymous compromising anyone they desire, this simply places your organization at risk. Until they fix this, CB is a cool concept, but not anything I would use on a real case due to their business model.

H. Carvey, 2011-08-20 15:37 (UTC-5):

Anonymous,

"...you have to upload your data to a remote server that Kyrus controls."

What data are you referring to? If you're referring to the actual log data, what about "...I installed it on a Windows 7 host system..."?

None of the data I was looking at was on any server or system owned by Kyrus.

McClintock, 2011-08-20 17:06 (UTC-5):

I'm also curious what data is actually sent to them. I really don't see myself using anything but the standalone server version. Can it work on a non-internet-connected network? Do you know when they're adding registry and network connection information?

H. Carvey, 2011-08-20 17:28 (UTC-5):

McClintock,

"I'm also curious what data is actually sent to them."

I don't follow your question...if you're having the sensors send data to Kyrus (or any other off-site location for that matter) then the data being monitored is what is sent. In this case, it's the executable, loaded modules, etc.

"I really don't see myself using anything but the standalone server version. Can it work on a non-internet-connected network?"

Again, I don't really follow. A standalone server on your infrastructure doesn't require an Internet-connected network...I can still get data on the server without having the systems connected to the Internet.

"Do you know when they're adding registry and network connection information?"

No, I don't, sorry.

Anonymous, 2011-08-21 14:06 (UTC-5):

First of all, I am quite surprised to see you endorse this commercial product so much. Based on your responses, you clearly are discussing setting up a server internally to view the data, which is their paid version.

Their "free" version requires you to send the data to Kyrus servers. It is apparent either you were not aware of this or you haven't used their free version of the product. Clearly, there are some privacy concerns by using their free version of the product.

Not slamming this post, but I want to make sure that it is done with the right intentions. To help answer this, a key question would be: Are you benefiting in any way from pushing the sales of the product? Could you benefit in any way from CB being sold?

H. Carvey, 2011-08-21 15:10 (UTC-5):

"I am quite surprised to see you endorse this commercial product so much."

Why? It works, it works very well, and if folks had it, it would really make their (and my) work SO much more efficient.

"Based on your responses, you clearly are discussing setting up a server internally to view the data which is their paid version."

Yes, I'm not hiding that at all. However, regardless of which version you're using, the same data will be seen in the server.

Also, I wouldn't suggest poo-poo'ing the paid version until you give the Kyrus guys a call and see what the pricing model looks like.

"It is apparent either you were not aware of this or you haven't used their free version of the product."

Very interesting assumptions...I'm not sure where these are coming from. I'm completely aware of this, however.

"Clearly, there are some privacy concerns by using their free version of the product."

I'm sure there are...but the issue of having someone else monitoring the data is the same as any other managed security service...in fact, I would suggest that given the data that is sent to Kyrus, even less so than a more traditional SOC.

"Are you benefiting in any way from pushing the sales of the product? Could you benefit in any way from CB being sold?"

A very interesting set of questions from someone who refuses to add their name or any other identifying information to their comments. I don't see why it matters, but the answer to both questions is "it depends". I would benefit from the sales of this product if an organization purchased and deployed it, and then I were called to respond to an incident and could have access to the log data.

Aside from that, do I gain or benefit from endorsing it? Only in that you're reading the post and thinking about it enough to comment. Beyond that, no, I do not receive any remuneration for my comments. In fact, at the demo in July, I did not partake in any of the snacks or beer provided.

I sincerely hope that helps. I do find it very interesting though that someone who refuses to identify him or herself has so much interest in the reasons for me commenting, and so little apparent interest in what I'm commenting on...

jimmy_weg, 2011-08-21 20:52 (UTC-5):

Harlan, I don't know why you dignified Anonymous' comments with any response, let alone one that more than adequately addressed his unsupported remarks. Frankly, I would block all anonymous replies, as it simply provides the cowardly and uninformed a soapbox; a soapbox that they hide behind as opposed to standing upon. Your blog was informative, well reasoned, and should be a starting point for those with opposing views or truly knowledgeable practitioners to provide valid criticism so that we all can learn.

H. Carvey, 2011-08-22 08:44 (UTC-5):

Jimmy,

Thanks. I thought that there were some valid issues to point out in Anonymous's post.

One was the issue of privacy...the assumption is clearly that if you're sending anything to Kyrus, your privacy is being violated somehow. Nothing could be further from the truth...after all, if you're sending your monitored data to Kyrus, where is the issue of privacy?

In addition, there's the question of what is being sent. Cb monitors execution events and paths, and what gets sent is some of the information from the EProcess block, and the executable itself. No raw contents of virtual memory are apparently sent...so if a system on your infrastructure gets hit by a browser drive-by, the parent process would be the browser, and child process information would appear in the logs, but NOT browser history, passwords from form fields, etc.

Then there's the issue of the free version vs the for-pay version. So what? Just because there's a fee associated with something, is that necessarily a bad thing? And before someone starts making comments about free vs for-fee, at least do a little research and find out what that fee or pricing model is...

"...I want to make sure that it is done with the right intentions." Fine...go do your own research and testing. I mean, really...what makes your intentions the right ones?

Besides, I recognize the rhetoric...it's a signature, like a tattoo, a hat or a pair of shoes someone wears all the time.

McClintock, 2011-08-22 21:23 (UTC-5):

@Harlan,
Ah, I get it now. Only the free version sends data to Kyrus. The standalone version is truly standalone. I was thinking their standalone version of CB was similar to Secunia's "standalone" server that still has to be connected to the internet to work.

If their enterprise standalone version really is 24/yr per computer then that's awesome. Who wouldn't get it for that price? I watched some of their recent videos and it seems pretty good.

Hopefully their network connection reporting includes DNS too.

H. Carvey, 2011-08-23 05:41 (UTC-5):

McClintock,

I don't have any information regarding pricing, free or otherwise, sorry.

chueco, 2016-03-05 04:02 (UTC-5):

Hi, in our company, all servers have Cb running.

The thing is that sometimes the memory usage is really high.

In some cases about 8Gb; that's a problem, because in some cases SQL is also running, and the only solution is to kill the process and restart it.

Do you know if there is any bug with it, or any parameter to change?

Thanks.

H. Carvey, 2016-03-05 06:48 (UTC-5):

chueco,

Have you contacted the folks at Cb?

chueco, 2016-03-05 08:48 (UTC-5):

@Harlan: we did not.

I work for an IT company that works for that company with CB on their servers, so we did not.
But, yes, probably we will need to contact them.

Thanks!