This section provides answers to the frequently asked questions about the Carbon Black Managed Detection and Response product and SLO.

What is the difference between the Managed Security Service Provider (MSSP) and Carbon Black Managed Detection and Response?

An MSSP provides outsourced monitoring and management of security devices and systems. MSSP services include managed firewall, intrusion detection, virtual private network, vulnerability scanning, and anti-virus services.

Carbon Black Managed Detection and Response is restricted to the Carbon Black Cloud with its sole focus on endpoint security. Through policy changes, Carbon Black Managed Detection and Response can isolate devices and block attacks. The Carbon Black Managed Detection and Response team identifies and contains malicious threats.
What are the benefits of Carbon Black Managed Detection and Carbon Black Managed Detection and Response?

Carbon Black Managed Detection and Carbon Black Managed Detection and Response provide critical insight into attacks by using automated machine learning and algorithms to validate and prioritize alerts and uncover new threats. Security experts monitor alerts in the Carbon Black Cloud. The following products are supported:
  • Carbon Black Cloud Endpoint Standard
  • Carbon Black Cloud Workload Advanced
Carbon Black Managed Detection and Carbon Black Managed Detection and Response provide:
  • Rapid response and threat containment by the Carbon Black Managed Detection and Response team, accompanied by a detailed description of the actions taken by the team (Carbon Black Managed Detection and Response only).
  • Two-way communication during an incident (Carbon Black Managed Detection and Response only).
  • Email alert notifications of identified threats, including details of the threat, indicators, and possible actionable recommendations.
  • A daily summary of the previous day’s alert activities performed by Carbon Black Managed Detection and Response.
  • A monthly report including a list of top alerts and threats, new suspicious alerts and applications, and sensor deployment.
  • Recommendations for specific policy changes to address the threat and to harden your organization's security posture.
What benefits can I expect from Carbon Black Managed Detection and Response?

Carbon Black Managed Detection and Response provides you with the benefit of Live Response and threat containment by Carbon Black Managed Detection and Response analysts during an incident. This includes:

  • Banning malicious hashes

    Analysts can ban malicious hashes to prevent known bad binaries from running on your assets.

  • Policy modification

    Analysts can move impacted devices to cloned policy groups and implement rules to stop an ongoing threat.

  • Quarantine impacted devices

    After an analyst confirms malicious activity on an asset, they can quarantine the impacted asset. Quarantining the asset prevents further executions of malicious actions and lateral movement.

In addition, you can:

  • Decide which response actions Carbon Black Managed Detection and Response is allowed to take, on a per-policy basis. By default, policy modification and quarantining are disabled.
  • Communicate directly by email with the analyst working the incident.
  • View emails with details about the actions taken by analysts within the audit logs.
What are the main differences between Carbon Black Managed Detection and Carbon Black Managed Detection and Response?

The following table outlines the main differences between Carbon Black Managed Detection and Carbon Black Managed Detection and Response.

MD = Carbon Black Managed Detection; MDR = Carbon Black Managed Detection and Response

Feature                                           | Description                                                                                          | MD  | MDR
Monitoring and Alert Triage                       | 24x7 monitoring of alerts within the Service Level Objective                                          | Yes | Yes
Incident Investigation and Response Recommendations | Detailed investigation summaries and response recommendations                                      | Yes | Yes
Monthly Reporting                                 | Monthly reporting to outline security alerts and posture                                             | Yes | Yes
Outbreak Advisories                               | Advisories on emerging threats with Indicators of Compromise (IOCs) and policy recommendations        | Yes | Yes
Threat Containment                                | Analysts take actions on your behalf to stop incidents from escalating                               | No  | Yes
Two-way Communication                             | Communicate directly with our analyst team over email for guidance during a security incident        | No  | Yes
What benefits does Carbon Black Cloud Enterprise EDR bring to the Carbon Black Managed Detection and Response product?

Carbon Black Managed Detection and Response requires Carbon Black Cloud Endpoint Standard. The Carbon Black Managed Detection and Response team benefits from additional Carbon Black Cloud products, specifically Carbon Black Cloud Enterprise EDR. Carbon Black Cloud Enterprise EDR provides analysts with more data points to help drill deeper into investigations, giving Carbon Black Managed Detection and Response more insight into indicators such as registry edits, fileless scripts, mod loads, and persistence behaviors. Carbon Black Cloud Enterprise EDR provides the visibility to understand the attack in more detail, and to make connections during the investigation.

Is Carbon Black Managed Detection and Response the right solution if my systems are attacked by ransomware?

Carbon Black Managed Detection and Response helps to contain threats, including the early stages of ransomware. However, the product does not remediate threats or provide post-encryption assistance. A Carbon Black Incident Response (IR) partner is the best fit for ransomware attacks that have already escalated to encryption.
Does Carbon Black Managed Detection and Response aid with remediation and recovery?

Carbon Black does not offer remediation or recovery. Carbon Black Managed Detection and Response provides identification and threat containment: hash banning, policy modification, and device quarantining.

What are the alert severity levels that Carbon Black Managed Detection and Response analysts see?

Carbon Black Managed Detection and Response reviews alerts at level 5 and above.

Alerts at level 8 or higher include ransomware, lateral movement, credential scraping, reverse command shells, and process hollowing.

Level 5 to 7 alerts include generic virus-like behavior, monitoring user input, potential memory scraping, and password theft.

Alert severity level does not indicate that the alert is a true positive. Legitimate activity can have the same behavior as malicious activity.

The Carbon Black Managed Detection and Response team treats all reviewed alerts as time sensitive because a threat can escalate quickly at any stage of the attack. However, the team prioritizes alerts with a higher severity level within the SLO.

For more information about alert severity and target values, see Alert and Report Severity.

Why did an analyst close a severity level 8 or higher alert as a false positive, unlikely threat, or not a threat?

Alert severity levels are indicative of the type of behavior being seen, not necessarily whether the alerts themselves are true or false positives. Legitimate activity can have the same behavior as malicious activity, which can be the reason why an analyst closes a level 8 alert as a false positive.

What is the Carbon Black Managed Detection and Response SLO and hours of operation?

The Carbon Black Managed Detection and Response SLO is to review alerts at level 8 or higher within two hours. The SLO does not apply to alerts at levels 5 through 7; those are reviewed on a best-effort basis. The SLO clock starts when Carbon Black Managed Detection and Response receives the alert.

If the sensor is delayed, for example because it is offline, the Carbon Black Managed Detection and Response response might take longer than usual. Carbon Black Managed Detection and Response receives the alert only when the sensor is back online and sends its events to the Carbon Black Cloud.

Carbon Black Managed Detection and Response analysts review security events 24/7, 365 days a year. The team looks at the SLO and the highest fidelity alerts in order of priority as they come into the queue.
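As an added illustration (not Carbon Black's code), the following Python models the review tiers and SLO clock described in the answers above, including the offline-sensor case where the two-hour window starts at receipt rather than at detection; the alert ids, timestamps, and field names are constructed sample data, not Carbon Black Cloud API fields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

REVIEW_MIN_SEVERITY = 5        # alerts below level 5 are not reviewed
SLO_MIN_SEVERITY = 8           # level 8+ falls under the two-hour SLO
SLO_WINDOW = timedelta(hours=2)

@dataclass
class Alert:
    alert_id: str          # constructed sample ids, not real Carbon Black Cloud ids
    severity: int          # Carbon Black Cloud alert severity (1-10)
    detected_at: datetime  # when the sensor observed the behaviour
    received_at: datetime  # when the events reached the Carbon Black Cloud

def review_tier(alert: Alert) -> str:
    if alert.severity >= SLO_MIN_SEVERITY:
        return "slo"
    if alert.severity >= REVIEW_MIN_SEVERITY:
        return "best_effort"
    return "not_reviewed"

def slo_deadline(alert: Alert) -> Optional[datetime]:
    # Clock starts at receipt, not detection: an offline sensor delays receipt.
    if review_tier(alert) != "slo":
        return None
    return alert.received_at + SLO_WINDOW

def slo_met(alert: Alert, reviewed_at: datetime) -> Optional[bool]:
    # None means the SLO does not apply to this alert.
    deadline = slo_deadline(alert)
    return None if deadline is None else reviewed_at <= deadline

def queue_order(alerts: list) -> list:
    # SLO alerts first by deadline, then best-effort alerts by severity; <5 excluded.
    def key(a: Alert):
        deadline = slo_deadline(a)
        if deadline is not None:
            return (0, deadline.timestamp(), -a.severity)
        return (1, -a.severity, 0.0)
    return sorted((a for a in alerts if review_tier(a) != "not_reviewed"), key=key)

# Constructed sample queue: a3 was detected hours earlier by an offline sensor.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    Alert("a1", 6, T0, T0),
    Alert("a2", 9, T0, T0 + timedelta(minutes=5)),
    Alert("a3", 8, T0 - timedelta(hours=6), T0),
    Alert("a4", 3, T0, T0),
]
```

Running `queue_order(SAMPLE_ALERTS)` puts the offline-sensor alert a3 ahead of a2 because its SLO window opened first at receipt, even though a2 has the higher severity.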

Can I have a tighter service level agreement or SLO?

Carbon Black Managed Detection and Response does not offer service level agreements. The SLO is static.