Kyrus Tech: Changing the dynamics in incident response and cyber forensics

Bob Gourley April 23, 2011

A few weeks ago I was invited to the offices of Kyrus Tech, which is a start-up company run by a former colleague of mine from government. Kyrus (adapted from Caerus, the Greek deity of luck and opportunity) does both government and commercial work in digital forensics, reverse engineering and vulnerability research, but I was there specifically to hear about a new tool they have developed called Carbon Black, which has many potential uses, but threatens to be particularly disruptive in the incident response space.

When you think about how incident response is performed today, you know there is room for improvement. It is largely a lot of data collection activities that are carried out in order to find out what happened after the fact. Almost all of this activity is designed to try to answer a key question: What sort of evil ran on a given host and what did it do? Numbers vary based on your source, but the cost of dealing with an intrusion can quickly run into six and even seven figures if the scope of the problem is large enough. That doesn’t include the cost of complying with breach notification laws, the expense associated with improving/upgrading/changing your security architecture and solutions and so on.

Carbon Black gets to the heart of the matter by telling you exactly what executes on a host, and if it made any changes to the file system (when the final release candidate is ready it will also tell you if an executable opened up a network connection and if it made any changes to the Registry) . If this approach to identifying suspect activity sounds familiar it is because that’s basically how a lot of malware works: get in, get persistent, phone home and/or exfiltrate data. You can query your systems based on file name, hash or other attributes, bracket your search in a given time period (down to minutes if you need to), and re-order your query – much like an Excel pivot table – to answer different questions with the same subset of data. I’m not describing what they showed me justice, I’d recommend joining the Carbon Black Ning group to view several short use-case-based videos.

There is a lot to like about Carbon Black, but two things stick out in my mind as being important. The first is that it is small and simple. It does a few things very well, which stands in stark contrast to so many tools that seem to want to add just one more feature. In fact the guys at Kyrus made a point to say that they had created a “sensor” not another “agent,” and at 100kb I think that’s a fair description.

The second is that it is not just a security tool. If you know exactly what is happen on your hosts, you know exactly what your software “inventory” is doing (or if it is even being used). You can tell if you are in compliance with a range of regulatory requirements (patches up-to-date? unauthorized software running?). Carbon Black is a tool the entire C-suite can use, not just the CISO.

Those who are interested in testing Carbon Black should join the Carbon Black Ning group and a link to download an executable will be forthcoming. The current Beta version will send host data to Kyrus for storage and processing, so it’s best to use in a lab or virtual machine if your organization has PII issues. The guys at Kyrus tell me that when the Alpha version is ready both a paid model (all logs stay within your network) and free model (logs come back to Kyrus) will be available.

About Bob Gourley

Bob Gourley is the CTO and Co-Founder of the due diligence and cybersecurity consultancy OODA LLC , which publishes CTOvision.com and OODAloop.com. Bob's background is as an all source intelligence analyst and an enterprise CTO.

Gain Powerful Insights Into The Future With OODA Loop’s Technology Tracking

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we have merged our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). CTOvision will focus only on one small niche, a vision for a technology enabled future. […]

CTOvision and OODA: Big Changes Coming Soon

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we are merging our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). This will give our community access to the same technology summaries we currently produce as […]

Give Your Career A Boost By Learning From Experienced Decision Makers

Our video and audio podcast, the OODAcast, provides content that can help accelerate your career and improve your decision making. The series is based on interviews of some of the greatest most accomplished enterprise technologists we can find. We ask questions designed to pull out lessons applicable to accelerating the career of any professional. We […]

Think Twice Before Deciding To Use A Personal VPN: You could be getting some really bad advice

From the 1930s to 1950s (far too long) the medical community just would not wake up to the fact that cigarettes could cause harm (see More Doctors Smoke Camels). Why did they stick with this misperception for so long? When so many good people come to the wrong conclusion it probably means some deeply human […]

Please help spread the word: USNI and NIP Essay Contest: This year’s challenge area a key one for the nation

Please help share the content at this link to any thinker/writer you know: 2020 Information Warfare Essay Contest This contest is open to all contributors, active-duty, military, reservists, veterans, and civilians. Generally the winners have had a solid understanding of the nature of modern conflict, but really any thinkers/writers should look over the contest and […]

Centripetal wins historic $2.6-$3.2 Bil vs. Cisco Systems; largest US patent infringement award to date

Editor’s note: I am proud to say I have a history with Centripetal Networks serving on their board and then later as an advisor. It was horrible to learn that a Tech Titan like Cisco was infringing on their patents. It is good now to see when the facts were reviewed justice was done. -bg […]

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]

All Enterprise Techies Should Watch HBO’s SciFi Epic Westworld: It will help us dialog over shared experiences on what we will not be creating

Westworld season one was a great mix of science fiction and drama and action and it was done in a way that should help people think through many tech ethics questions, like how do we want to treat our robots? Does treating robots with violence change our nature? Can robots become sentient? HBO has a […]

Related