Carbon Blacking your sensitive data it’s what the agents normally do

Carbon Blacking your sensitive data it’s what the agents normally do. But usually without such consequences. In this situation with Carbon Black, I am most interested in the actual reasons of all this media noise. From what point business as usual becomes a scandal. Ok, when you see Carbon Black customer’s private files in public access at Virus Total it’s a 100% epic fail. But what about other options.

Carbon Black and DirectDefense Illustration from investigation by DirectDefense 

  1. Agent makes file analysis by himself on user’s host. It’s probably ok. Some paranoid person, like me, may say that it’s possible that data may leak during the update process, like in case of M.E.Doc. But it probably can be detected it in traffic somehow.
  2. Agent sends file to the vendor’s cloud for further analysis in some private multiscanner. Vendor will have copy of your private data. What if this data will leak? Are you sure that vendor will bear responsibility for this?
  3. Agent sends file to vendor’s cloud, vendor than sends it to some third-party for analysis. Are you sure vendors that you use doesn’t do this? How can you investigate this? What will be your next actions if you figure out that they do it without your permission?
  4. Agent sends file to the vendor’s cloud, vendor then sends it to some third-party for analysis, third-party opens access to this file for a wide range of people.

Well, apparently everybody outraged by the 4th option. And only if it was by default and end-users could not disable this feature (in fact in the case of Carbon Black there were all the warnings and settings to switch it off). Are the rest options ok? Well, I would not say so. When a file or any sensitive information leaves the corporate network outside this is a reason to start worrying.

Anti-virus and end point protection systems are not actually my topics. I’m more in vulnerability Management. However, all these niches in become closer to each other. For example, VM vendors begin to detect malicious files (Nessus and Qualys malware detection).

If we talk about cloud agents for vulnerability Management solutions (see “Nessus Manager and Agents” and “What’s actually new in Tenable.io VM application“, “Dealing with Qualys Cloud Agents“), there will be all the same problems. You have to install some binary to all the hosts in the organization and hope that this will not lead to troubles. Some data from your internal network will be sent directly to the cloud of these vendors. This does not mean that they will grab all the files they can reach, but some critical information will be stored in vendor’s cloud. And you should consider this when choosing a Vulnerability Management solution (or other agent based or even any scanning solution). How much do you trust your vendor?

Well, in my opinion, to somehow protect your organisation against such stupid leaks, it is necessary to understand what data exactly the agent will collect and send to the cloud. It’s good for such agent to have minimum size and open code. So, you could analyse it if you want to. For example, as “Vulners Cloud Agents for Vulnerability Management” 😉

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.