The bright lights of Las Vegas are still flashing in my eyes after Black Hat 2018, and I observed a distinct trend: Data security technology vendors increasingly align themselves in one of two categories: threat intelligence or endpoint detection and response (EDR). The most common question I got at Black Hat 2018 was, “How does Code42 fit?” My answer is, quite simply, “Extremely well.”
Threat intelligence and EDR — where Code42 fits
It was easy to tell if you were at a threat intel or EDR vendor booth at Black Hat 2018:
- The threat intelligence vendors wanted to talk to you about their orchestration framework, how many data feeds they pull in and their glitzy dashboards.
- The EDR vendors showed you how easy it is to install their endpoint agent — and told you how they’ll alert your security team every time a hoodie-clad hacker in a basement runs exploits on your endpoints.
Code42 provides separate, complementary value to both threat intelligence and EDR solutions by applying a unique, historical file content and context perspective — as opposed to an action- or event-oriented perspective. Here’s why the combination of Code42 and threat intelligence and/or EDR is so powerful:
Code42 + threat intelligence
Let’s say your journey starts with a threat intelligence solution. You get an alert that a DNS request was initiated from a transient address in your Wi-Fi network to a newly registered domain or domain associated with known malware. How can you act on this alert?
Well, the threat intel report describes the domain in question as associated with a fake ad-blocker Chrome extension. That report also gives you the file name of the Chrome extension. You can then leverage Code42 Forensic File Search to search for that filename. In less than a second, you can build a unique list of all endpoints in your environment that have this undesirable Chrome extension. You can even sort these results and quickly find the first users to “fall” for the malware trick and give them additional training to help avoid this type of fire drill in the future.
Code42 + EDR
Imagine that an EDR solution sends an alert triggered by a maliciously crafted PDF document found on an endpoint. This suspicious file ran some arbitrary and potentially unknown code at an elevated privilege level. How would your organization react?
First, you may want to see who else has this same document. Using Code42 Forensic File Search, you could look for the checksum or filename of that questionable PDF. In less than a second, you have a complete list of your affected devices and users — whether they are online or not and without impact to the user’s machine or the network.
Now let’s say you want to examine the suspicious file — but the malicious payload deleted the PDF after execution. With Code42’s Backup + Restore product, you could pull an archived copy and hand it to forensic investigators.
Providing deeper visibility and context
Threat intel and EDR solutions focus on identifying malicious activity or abnormal application behaviors on an endpoint. They’re really good at detecting things like a process attempting a privilege escalation or scanning memory to pilfer credentials. Alerts to these activities are valuable, but they give only one dimension of insight into a complex problem. Code42 is focused on a much bigger picture — providing comprehensive visibility into every action, movement and revision of every file — while simultaneously securing and preserving valuable digital assets. And our powerful search capability cuts through the noise to give you exactly the information you need without overwhelming you with data.
Our unique approach to providing visibility and ensuring availability means Code42 doesn’t fit neatly into a category created by industry analysts. But that doesn’t diminish its value. Rather, it affirms that the value of Code42 cuts across the entire data security stack, regardless of what you do, or what tools or vendors you may already be working with. In fact, Code42 Forensic File Search, coupled with Code42 Backup + Restore, provide a comprehensive, contextually rich and easily searchable service. Combined, they complement not only threat intel and EDR, but almost any other data security solution, providing clear, direct and authoritative results.
Forensic File Search for Incident Response